MidnightCTF2022
MidSunCTF
啥都没做出来 感觉这学期水平没啥长进 主要是精力有点分散了 不过路还很长 加油~
retro
Check out my homepage in cyber space
尝试一下读文件 (后来想了下 这个想法可能是愚蠢的 或许这种方法只适合在特定的场合中使用)
1 | <iframe src="./" height="1600px" width="800px"> |
1 | Apache/2.4.53 (Unix) |
1 | <script>x=new XMLHttpRequest;x.onload=function({document.write(this.responseText)};x.open("GET","file:///.htpasswds");x.send();</script> |
学习别人的解法
引用:https://scavengersecurity.com/posts/midnightsunctf-retro/
在 /cgi-bin/showimg.cgi?./1.gif 这个接口似乎有问题
但是 只能以 .gif 结尾 所以 我们要想办法来绕过?
怎么绕过?
看了两篇writeup 他们似乎风轻云淡的说 可以通过长度限制来绕过
但究竟是为什么?
这可能要从这题的环境说起
The environment is set up as follows:
- We don’t have ability to upload files
- It doesn’t have a database (具体怎么看出来的我不太清楚)
- The data isn’t saved anywhere server-side and there are no cookies.
如果按这个思路想下去 可以判断出(引用大佬分析)
The points we came across with the testing is the following one:
- The user request is stored in a large buffer
- The extension comparison is successfully checked with this buffer
- The request is formatted into a smaller buffer so the exceeded characters are not included.
- If we exploit the buffer size differences, with correct length, final path may be clean of the mandatory
.gifextension so we’re able to get any file in the server independent to the extension.
so 可以构造一个截断的payload 来实现任意文件读取 ( 很难想到
最终下载方式如下
1 | curl http://retro-01.hfsc.tf:8080/cgi-bin/showimg.cgi\?/////////////////////////////////////////////////../../../../../../usr/local/apache2/cgi-bin/color.cgi/.gif -o color.cgi |
之后对CGI文件进行分析
留一个思考的问题 : 如何判断一个端点容易受到文件包含的攻击