[GKCTF 2021]easycms
It is a static web page. Nothing you click on is useful (except for friend links). Use dirsearch to scan it.
Scanned/.admin
then visitadmin.php
The URL behind this referer
is after base64 decoding /admin.php
. I originally wanted to change it directly and /flag
found that it didn't work. I could only try to log in from
I originally planned to crack the account password directly, but I tried a weak password admin
and 12345
succeeded directly.
At first I tried to upload files, but the upload kept failing, so I had to try another method.
Click 设计-->主题
and then select a theme, click 自定义
, there is a导出主题
Just put something in there
After clicking Save, a file will be downloaded to us. Copy the download link of the file.
+
http://node4.anna.nssctf.cn:28640/admin.php?m=ui&f=downloadtheme&theme=L3Zhci93d3cvaHRtbC9zeXN0ZW0vdG1wL3RoZW1lL2RlZmF1bHQvMS56aXA=
You can see theme
that it is the ciphertext after base64 encryption, and decode it to get
/var/www/html/system/tmp/theme/default/1.zip
Guessing it may exist 任意文件下载
, change the content after the theme to /flag
the base-encrypted string to get the payload:
http://node4.anna.nssctf.cn:28640/admin.php?m=ui&f=downloadtheme&theme=L2ZsYWc=
After downloading, it is a compressed package. Change the file extension to .txt
or open it directly notepad++
to get the flag.
postscript
Since it was a CVE, I looked around to see if there were any other ways to play, and then played again following the other masters’ methods.
[Code Audit] There is a command execution vulnerability in Chanzhi Enterprise Portal System v7.7
The steps to log in to the administrator backend are the same.
It can be seen from 设计-->高级
here that the code can be edited, but we are prompted to create a file
Then go to WeChat settings in settings, write something and save it
Click Completed Access, enter ../../../system/tmp/kzgi.txt/0
the last txt name here as the original ID, which is the file prompted by the previous modified template, and enter the rest as you like.
? ? ? ? , OK, sent, can’t call
The above is pure clown behavior, please do not imitate it.