第二轮修出来了,侥幸拿了二等奖,第一次接触awdp和isw能做到这个程度已经还行了,明年争取进决赛qwq
主要漏洞就是用户反序列化漏洞,修改成更加严格的形式即可
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
| <?php
declare(strict_types=1);
require_once __DIR__ . "/lib/User.php";
require_once __DIR__ . "/lib/Util.php";
$uploadsDir = "/var/www/html/uploads/";
$user = null;
if (isset($_COOKIE['user'])) {
$cookieUser = $_COOKIE['user'];
try {
$user = unserialize($cookieUser);
if (!$user instanceof User) {
throw new \InvalidArgumentException("Invalid user type");
}
} catch (\Exception $e) {
// 反序列化失败,使用默认用户
$user = new User("guest");
}
}
if (!$user instanceof User) {
$user = new User("guest");
setcookie("user", serialize($user), time() + 86400, "/");
}
$msg = "";
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
$f = $_FILES['file'];
if ($f['error'] === UPLOAD_ERR_OK) {
// === 修复2: 路径遍历防护 ===
$name = Util::safeUploadName($f['name'] ?? 'upload.bin');
// 额外检查是否包含路径遍历字符
if (str_contains($name, '..') || str_contains($name, '/')) {
$msg = "Invalid filename: path traversal detected.";
} else {
if (!Util::isAllowedUploadExtension($name)) {
$msg = "Upload failed: disallowed extension.";
} else {
// 规范化路径,确保在 uploadsDir 内
$baseDir = realpath(rtrim($uploadsDir, '/'));
$dstPath = rtrim($uploadsDir, '/') . '/' . ltrim($name, '/');
if (realpath($dstPath) && str_starts_with(realpath($dstPath), $baseDir)) {
if (move_uploaded_file($f['tmp_name'], $dstPath)) {
// === 修复3: 限制上传文件权限 ===
chmod($dstPath, 0644); // 只读,防止执行
$msg = "Uploaded: " . $name;
} else {
$msg = "Upload failed.";
}
} else {
$msg = "Path traversal detected after normalization.";
}
}
}
} else {
$msg = "Upload error: " . (string)$f['error'];
}
}
if (!isset($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
$files = Util::listUploads($uploadsDir);
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>MediaDrive</title>
<link rel="stylesheet" href="/assets/style.css"/>
</head>
<body>
<div class="app">
<header class="topbar">
<div class="brand">
<div class="dot red"></div><div class="dot yellow"></div><div class="dot green"></div>
<span class="brand-title">MediaDrive</span>
<span class="badge">Preview & Convert</span>
</div>
<div class="actions">
<a class="btn ghost" href="/profile.php">Preferences</a>
</div>
</header>
<main class="content">
<section class="card">
<div class="card-head">
<h2>Upload</h2>
<p class="muted">Upload a file, then preview it.</p>
</div>
<?php if ($msg !== ""): ?>
<div class="toast"><?= Util::h($msg) ?></div>
<?php endif; ?>
<form class="upload" method="post" enctype="multipart/form-data">
<input class="file" type="file" name="file" required />
<button class="btn primary" type="submit">Upload</button>
</form>
<div class="hint">
Current user: <b><?= Util::h($user->name) ?></b> · Encoding: <b><?= Util::h($user->encoding) ?></b>
</div>
</section>
<section class="card">
<div class="card-head">
<h2>My Files</h2>
<p class="muted">Click preview to open a file.</p>
</div>
<?php if (count($files) === 0): ?>
<div class="empty">No files yet. Upload one to get started.</div>
<?php else: ?>
<div class="table">
<div class="row head">
<div>Name</div><div>Size</div><div>Updated</div><div>Actions</div>
</div>
<?php foreach ($files as $it): ?>
<div class="row">
<div class="mono"><?= Util::h($it['name']) ?></div>
<div><?= Util::h(Util::niceSize((int)$it['size'])) ?></div>
<div><?= date("Y-m-d H:i:s", (int)$it['mtime']) ?></div>
<div class="row-actions">
<a class="btn small" href="/preview.php?f=<?= urlencode($it['name']) ?>">Preview</a>
<a class="btn small ghost" href="/download.php?f=<?= urlencode($it['name']) ?>">Download</a>
</div>
</div>
<?php endforeach; ?>
</div>
<?php endif; ?>
</section>
</main>
<footer class="footer">
<span class="muted">MediaDrive · Internal tool</span>
<a class="muted" href="/health.php">health</a>
</footer>
</div>
</body>
</html>
|
profile.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
| <?php
declare(strict_types=1);
require_once __DIR__ . "/lib/User.php";
require_once __DIR__ . "/lib/Util.php";
$user = null;
if (isset($_COOKIE['user'])) {
$cookieUser = $_COOKIE['user'];
try {
$user = unserialize($cookieUser);
if (!$user instanceof User) {
throw new \InvalidArgumentException("Invalid user type");
}
} catch (\Exception $e) {
error_log("Cookie unserialize failed: " . $e->getMessage());
$user = new User("guest");
}
}
if (!$user instanceof User) {
$user = new User("guest");
setcookie(
"user",
serialize($user),
time() + 86400,
"/"
);
}
$msg = "";
$allowed = ["UTF-8", "GBK", "BIG5", "ISO-2022-CN-EXT"];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$enc = (string)($_POST['encoding'] ?? "UTF-8");
if (!in_array($enc, $allowed, true)) {
$msg = "Unsupported encoding";
} else {
$user->encoding = $enc;
setcookie("user", serialize($user), time() + 86400, "/");
$msg = "Saved";
}
}
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>Preferences · MediaDrive</title>
<link rel="stylesheet" href="/assets/style.css"/>
</head>
<body>
<div class="app">
<header class="topbar">
<div class="brand">
<div class="dot red"></div><div class="dot yellow"></div><div class="dot green"></div>
<a class="brand-title link" href="/">MediaDrive</a>
<span class="badge">Preferences</span>
</div>
<div class="actions"></div>
</header>
<main class="content">
<section class="card">
<div class="card-head">
<h2>Preview Encoding</h2>
<p class="muted">Choose how filenames are converted before preview.</p>
</div>
<?php if ($msg !== ""): ?>
<div class="toast"><?= Util::h($msg) ?></div>
<?php endif; ?>
<form method="post" class="prefs">
<label class="label">Encoding</label>
<select class="select" name="encoding">
<?php foreach ($allowed as $e): ?>
<option value="<?= Util::h($e) ?>" <?= $user->encoding === $e ? "selected" : "" ?>>
<?= Util::h($e) ?>
</option>
<?php endforeach; ?>
</select>
<div class="row-actions">
<button class="btn primary" type="submit">Save</button>
<a class="btn ghost" href="/">Back</a>
</div>
<div class="hint">
Stored in <span class="mono">user</span> cookie.
</div>
</form>
</section>
</main>
</div>
</body>
</html>
|
渗透-isw1
工具扫出是shiro框架
用工具利用
第一个flag在根目录
