Studying the write-ups for the web challenges of DEF CON Quals 2018

I'm such a noob.jpg

Easy Pisy

The challenge provides an attachment containing two PDFs and their signatures, and the source code is given as well.

```php
<?php
// sign.php

include 'common.php';

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    print highlight_string(file_get_contents("sign.php"), TRUE);
    exit(0);
}

$keys = get_keys();
$privkey = $keys[0];
$pubkey = $keys[1];

if ($privkey === FALSE || $pubkey === FALSE) {
    die("Could not load keys. Contact admin.<br/>");
}

$file_info = $_FILES['userfile'];
check_uploaded_file($file_info);

$text = pdf_to_text($file_info['tmp_name']);
print "Extracted text: \"$text\"<br/>";

$execute_query = "EXECUTE ";
$echo_query = "ECHO ";
if (substr($text, 0, strlen($execute_query)) === $execute_query) {
    print "I don't sign EXECUTE commands. Go away.<br/>";
} else if (substr($text, 0, strlen($echo_query)) === $echo_query) {
    print "I'm OK with ECHO commands. Here is the signature: <br/>";
    $data = file_get_contents($file_info['tmp_name']);
    // No algorithm argument: openssl_sign() falls back to SHA-1.
    openssl_sign($data, $signature, $privkey);
    print bin2hex($signature);
} else {
    print "I can't recognize the command type. Go away.<br/>";
}

?>
```
```php
<?php
// execute.php

include 'common.php';

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    print highlight_string(file_get_contents("execute.php"), TRUE);
    exit(0);
}

$keys = get_keys();
$privkey = $keys[0];
$pubkey = $keys[1];

$file_info = $_FILES['userfile'];
check_uploaded_file($file_info);

$data = file_get_contents($file_info['tmp_name']);
$signature = hex2bin($_POST['signature']);
// Default digest is SHA-1. The return value is used as a boolean,
// so an error return of -1 is also treated as "OK".
if (openssl_verify($data, $signature, $pubkey)) {
    print 'Signature is OK.<br/>';
} else {
    die('Bad signature.');
}

$text = pdf_to_text($file_info['tmp_name']);
print "Text: \"$text\"<br/>";

$execute_query = "EXECUTE ";
$echo_query = "ECHO ";
if (substr($text, 0, strlen($execute_query)) === $execute_query) {
    // Everything after "EXECUTE " is passed to the shell.
    $payload = substr($text, strlen($execute_query));
    print "About to execute: \"$payload\".<br/>";
    $out = shell_exec($payload);
    print "Output: $out";
} else if (substr($text, 0, strlen($echo_query)) === $echo_query) {
    $payload = substr($text, strlen($echo_query));
    print "About to echo: \"$payload\".<br/>";
    echo $payload;
} else {
    print "I can't recognize the command type. Go away.<br/>";
}

?>
```

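The flow is: `sign.php` extracts the text from the PDF and signs the file, and `execute.php` extracts the text from the PDF and verifies the signature. However, only ECHO commands get signed. When no digest algorithm is specified, `openssl_sign` and `openssl_verify` default to SHA-1, so the challenge targets the weakness of SHA-1. Google made big news last year by producing a SHA-1 collision: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Simply put, it is possible to generate two different files whose SHA-1 values are identical. As for RSA-SHA1 signing: the file is first hashed with SHA-1 to produce a digest, and then that digest is signed. Since the two files have the same SHA-1, their signatures are obviously the same as well. So, using the tool https://github.com/nneonneo/sha1collider, generate two PDFs, one with the content `ECHO XXX` and the other with `EXECUTE cat flag`; get the signature, then execute, and you have the flag.

I fell into a trap on this challenge at first, because openssl_verify returns -1 when the algorithms do not match, and in a PHP `if`, -1 is also true. In my testing, when the signing algorithm was DSA, submitting an RSA signature could return -1, but with RSA it could not. That cost me a long time.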
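The two weaknesses this challenge relies on, the implicit SHA-1 digest and the truthy -1 return of `openssl_verify`, are closed in the following added example. It is not the challenge's or the author's code; `sign_strict`, `verify_strict`, `SIG_ALGO` and the throwaway key pair are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper names, constructed demo data.

const SIG_ALGO = OPENSSL_ALGO_SHA256; // explicit digest instead of the SHA-1 default

function sign_strict(string $data, $privkey): string
{
    if (!openssl_sign($data, $signature, $privkey, SIG_ALGO)) {
        throw new RuntimeException('signing failed');
    }
    return bin2hex($signature);
}

function verify_strict(string $data, string $hex_signature, $pubkey): bool
{
    // hex2bin() returns false on malformed input, so validate before decoding.
    if ($hex_signature === '' || strlen($hex_signature) % 2 !== 0
        || !ctype_xdigit($hex_signature)) {
        return false;
    }
    $signature = hex2bin($hex_signature);
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error).
    // Only an exact 1 may pass; a bare if() would also accept -1.
    return openssl_verify($data, $signature, $pubkey, SIG_ALGO) === 1;
}

// Constructed demo: throwaway RSA key pair and the command strings from the text.
$key = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($key === false) {
    throw new RuntimeException('key generation failed');
}
$pub = openssl_pkey_get_details($key)['key']; // PEM-encoded public key

$sig = sign_strict('ECHO XXX', $key);
$cases = [
    'signed data, genuine signature'  => verify_strict('ECHO XXX', $sig, $pub),
    'different data, same signature'  => verify_strict('EXECUTE cat flag', $sig, $pub),
    'signature is not hex'            => verify_strict('ECHO XXX', 'zz', $pub),
    'wrong-length signature (0 / -1)' => verify_strict('ECHO XXX', 'deadbeef', $pub),
];
foreach ($cases as $label => $ok) {
    printf("%-34s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```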

sbva

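The challenge gives an account and password, but after logging in it reports "Incompatible browser detected." I guessed that it was checking the UA, so the UA had to be changed, but I did not know what to change it to. Capturing the traffic with Burp showed the following in the 302 page: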

```html
<html>
<style scoped>
    h1 {color:red;}
    p {color:blue;}
</style>
<video id="v" autoplay> </video>
<script>
    if (navigator.battery.charging) {
        console.log("Device is charging.")
    }
</script>
</html>
```

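This is a deduction challenge. First, the page uses the `scoped` attribute. I looked it up and found that current Chrome does not support it at all and that in Firefox only FF21 to FF54 support it, so it has to be an old Firefox version. Next, it uses `navigator.battery`. Looking that up as well, after FF42 it was changed to `navigator.getBattery()`, and it was removed in FF52. OK, that locks it down to FF42. Change the UA to Mozilla/5.0 (windows nt 6.1; wow64; rv:42.0) Gecko/20100101 Firefox/42.0 and you get the flag.

Browser support can be looked up at https://caniuse.com/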

PHP Eval White-List

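While the binary players were reversing the .so file, I went and poked at it a bit. Judging from the code, the eval function seemed to be hooked, yet system could still be executed. I ran ls on the current directory and there was no flag. It looked like we only had permissions for the current directory and could not list the parent directory, but cd worked. Then I guessed system(../flag), and the flag came out. Well…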

shellql

Our binary guru is teaching me this one.