
HCTF offline finals

My first on-site attack/defense round. Even though I prepared some things in advance, I was still far too weak; here are some quick notes.

Day 1 challenges

Pre-planted backdoor

After getting SSH access I connected, packed the web root as www.tar.gz, and had a teammate download it and scan it with D盾 (D-Shield).
It found a one-liner webshell in /workdir/config/emmm_version.php.
I deleted the one-liner and wrote a script to hit the whole field with it; although many teams had already removed it, we could still take points from some of them.

Analyzing the backdoor (which actually isn't one)

Besides the backdoor mentioned above, D盾 also flagged some odd-looking things,
for example client/manage/emmm_userwebzz.php:

<?php
$OOOOOOO0 = "\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65";
eval($OOOOOOO0("aWYoIWlzc2V0KCRveW9fbG9ja2luZykpew0KJGtleT1maWxlX2dldF9jb250ZW50cygkRW5jb2RldXJsLiJmdW5jdGlvbi9mb250LzhiYTRjM2M1ZGJkZmNmOWMyZDcyNmZlMTFmMWZhOGQ2LnR4dCIpOw0KJGtleT10cmltKCRrZXkpOw0KaWYoJGtleSE9IjhiYTRjM2M1ZGJkZmNmOWMyZDcyNmZlMTFmMWZhOGQ2Iil7DQpkaWUoIjxhIHN0eWxlPVwiY29sb3I6cmVkO2ZvbnQtc2l6ZToxNHB4XCI+6ZSZ6K+v77ya5a+G5YyZ56C05Z2PPC9hPiIpOw0KfQ0KJG95b19sb2NraW5nPSJwYXNzZWQiOw0KfQ0KZXZhbCgkT09PT09PTzAoc3RycmV2KCRPT09PTzBPTykpKTsNCg=="));
?>

This looks like a shell but it isn't; it is just some transformed code.
Decoding the eval gives:

<?php
$OOOOOOO0 = "base64_decode";
$OOOOO0OO = "<long base64 blob omitted>";
if(!isset($oyo_locking)){
    $key=file_get_contents($Encodeurl."function/font/8ba4c3c5dbdfcf9c2d726fe11f1fa8d6.txt");
    $key=trim($key);
    if($key!="8ba4c3c5dbdfcf9c2d726fe11f1fa8d6"){
        die("<a style=\"color:red;font-size:14px\">错误:密匙破坏</a>");
    }
    $oyo_locking="passed";
}

date_default_timezone_set('Asia/Shanghai');

function emmmmd5(){
    global $emmm_O0O0o00o0,$emmm;
    if (!isset($emmm_O0O0o00o0)){
        $empower = array(
            'empowerlogin' => 'Powered by <a href="http://www.emmm.net" target="_blank">emmm!</a>  (c)  '.date('Y').',  哈尔滨伟成科技有限公司',
            'empower' => '<div style="float:right; line-height:30px; padding-right:20px;">Powered by <a href="http://www.emmm.net" target="_blank">emmm!</a></div>',
            'empowerbz' => '<li><a href="'.$emmm['adminpath'].'/emmm_opcms.php" target="main"><font color="#FF0000">软件授权</font></a></li><li><a href="http://www.emmm.net" target="_blank">官方网站</a></li><li><a href="http://www.emmm.net/club" target="_blank">技术论坛</a></li><li><a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=36" target="_blank">模板下载</a></li><li><a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=37" target="_blank">插件下载</a></li>',
            'empowerright'=>'<div style="clear:both;height:50px"></div><div class="emmm_data3"><h1>版权信息 (购买授权版,此信息将不在显示。)</h1><div style="clear:both"></div><table width="100%" border="0" cellpadding="10"><tr><td width="46%" style="border-right:1px #CCC solid"><table width="100%" border="0" cellpadding="5"><tr><td><div align="right">软件开发:</div></td><td><a href="http://www.emmm.net" target="_blank">哈尔滨伟成科技有限公司</a></td></tr><tr><td><div align="right">软件名称:</div></td><td>emmm</td></tr><tr><td><div align="right">软件其它常用名称:</div></td><td>傲派、傲派CMS、OPCMS</td></tr><tr><td><div align="right">专利证书:</div></td><td>2015SR078193    <a href="javascript:dialog()">[查看]</a></td></tr><tr><td><div align="right">项目负责人:</div></td><td>唐晓伟</td></tr><tr><td><div align="right">开发团队成员:</div></td><td>大鹏、超超、小娟</td></tr><tr><td><div align="right">相关链接:</div></td><td><a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=2" target="_blank">问题反馈</a> - <a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=36" target="_blank">模板下载</a> - <a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=37" target="_blank">插件下载</a></td></tr></table></td><td width="54%" valign="top"><style type="text/css">.module ul li{height:22px;line-height:22px;color:#CCC}.module ul li a{color:#333}</style><script type="text/javascript" src="https://www.emmm.net/club/api.php?mod=js&bid=5"></script></td></tr></table></div>',
        );
    }else{
        if($emmm_O0O0o00o0 == "95d4f8af44"){
            $empower = array('empowerlogin' => '','empower' => '','empowerbz' => '','empowerright' => '');
        }else{
            $empower = array(
                'empowerlogin' => '<div id="Copyright">Powered by <a href="http://www.emmm.net" target="_blank">emmm!</a>  (c)  '.date('Y').',  哈尔滨伟成科技有限公司</div>',
                'empower' => '<div style="float:right; line-height:30px; padding-right:20px;">Powered by <a href="http://www.emmm.net" target="_blank">emmm!</a></div>',
                'empowerbz' => '<li><a href="'.$emmm['adminpath'].'/emmm_opcms.php" target="main"><font color="#FF0000">软件授权</font></a></li><li><a href="http://www.emmm.net" target="_blank">官方网站</a></li><li><a href="http://www.emmm.net/club" target="_blank">技术论坛</a></li><li><a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=36" target="_blank">模板下载</a></li><li><a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=37" target="_blank">插件下载</a></li>',
                'empowerright'=>'<div style="clear:both;height:50px"></div><div class="emmm_data3"><h1>版权信息 (购买授权版,此信息将不在显示。)</h1><div style="clear:both"></div><table width="100%" border="0" cellpadding="10"><tr><td width="46%" style="border-right:1px #CCC solid"><table width="100%" border="0" cellpadding="5"><tr><td><div align="right">软件开发:</div></td><td><a href="http://www.emmm.net" target="_blank">哈尔滨伟成科技有限公司</a></td></tr><tr><td><div align="right">软件名称:</div></td><td>emmm</td></tr><tr><td><div align="right">软件其它常用名称:</div></td><td>傲派、傲派CMS、OPCMS</td></tr><tr><td><div align="right">专利证书:</div></td><td>2015SR078193    <a href="javascript:dialog()">[查看]</a></td></tr><tr><td><div align="right">项目负责人:</div></td><td>唐晓伟</td></tr><tr><td><div align="right">开发团队成员:</div></td><td>大鹏、超超、小娟</td></tr><tr><td><div align="right">相关链接:</div></td><td><a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=2" target="_blank">问题反馈</a> - <a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=36" target="_blank">模板下载</a> - <a href="http://emmm.net/club/forum.php?mod=forumdisplay&fid=37" target="_blank">插件下载</a></td></tr></table></td><td width="54%" valign="top"><style type="text/css">.module ul li{height:22px;line-height:22px;color:#CCC}.module ul li a{color:#333}</style><script type="text/javascript" src="https://www.emmm.net/club/api.php?mod=js&bid=5"></script></td></tr></table></div>',
            );
        }
    }
    return $empower;
}

File inclusion

This hole was found from captured traffic: line 253 of client/user/index.php has an arbitrary file include.

if ($_GET['img']) {
    include($_GET['img']);
}

A global search for $_GET['img']

shows this is the only place the variable is used, so removing it has no effect elsewhere; just delete it.

Arbitrary SQL execution

At this point I felt we were about done, so I wanted to log in and look at the admin panel. Logging in with the organizers' password failed (the password was complex, similar to the SSH one, so I hadn't considered that it might have been changed).

The panel has a feature for operating on the database directly, with no access control at all, so there is room for griefing: someone can keep changing your admin password so you fail the check; of course, you can also just take the flag from the database.

A look at the code.
After the password check:

$query = '';
$sql = stripslashes($_POST['sql']);
$sql = explode(';',$sql);
foreach($sql as $op){
    $query = $db -> create($op,2);
}

$db->create:

    public function create($o = '',$u = 1){
        if($u == 1){
            $Query = mysql_query("create table ".$o);
        }elseif($u == 2){
            $Query = mysql_query($o,$this -> conn);
        }
        return $Query;
    }

Obviously this is arbitrary SQL statement execution. On day 1 I had no on-site experience and didn't bother auditing the admin panel, so someone dropped our database outright, and we had no backup…
We then reinstalled the database from the SQL file in the web root, only to find that the database file was wrong:
first, admin's password is simply admin;
second, emmm_user is missing a column, which made user registration fail constantly afterwards…

That evening I realised we could reinstall the CMS, export the database and import it the next day, but on day 2 the organizers changed the database privileges… so we had no permission to fix the broken table…
Later we contacted the organizers and got the privilege added… and finally, for the first time, we stopped failing the check.

But after one good round we went down again the next round, which was odd, since none of the components had any problem…

filebox arbitrary file upload

filebox has neither access control nor upload filtering, so any user can upload any file.

There are probably other exploitable points in filebox… only one example here.

Writing a shell via backup

A snippet from bakgo.php:

The writefile function:

function writefile($data, $method = 'w')
{
    global $fsqlzip, $_POST;
    // filename, page and dir are all taken straight from the request
    $file = "{$_POST[filename]}_pg{$_POST[page]}.php";
    $fp = fopen("$_POST[dir]/$file", "$method");
    flock($fp, 2);
    fwrite($fp, $data);
}

Obviously a crafted filename leads to an arbitrary file write.

Then you get a shell; although it keeps refreshing, just using curl works fine.

The "guide file" contents further down should also be able to write a shell; I didn't look at it, so I won't write about it.

That's roughly everything audited in web1. The fix is simply to add access control: make these manage functions unusable for non-admin users.
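As an added illustration (not code from this writeup or from the CMS), here is a small Python audit script that flags the code patterns found above: a hex-escaped function name fed to eval, include() of a request parameter, fopen() paths built from $_POST fields, and mysql_query() on a caller-supplied statement. The PHP sample it scans is constructed to mimic those patterns.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the patterns from this writeup (hex-escaped
# function name fed to eval, include() of a GET parameter, fopen() path built
# from POST fields, mysql_query() on a caller-supplied statement). It is not
# the CMS's real source.
SAMPLE_PHP = r'''<?php
$OOOOOOO0 = "\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65";
eval($OOOOOOO0("aWYo..."));
if ($_GET['img']) { include($_GET['img']); }
$fp = fopen("$_POST[dir]/$_POST[filename].php", "w");
$Query = mysql_query($o, $this->conn);
$safe = include("header.php");
'''

# Function names that are suspicious when hidden behind \xNN escapes.
DANGEROUS = {"base64_decode", "eval", "assert", "system", "shell_exec", "passthru"}


def unhex(s: str) -> str:
    """Decode PHP double-quoted \\xNN escapes so obfuscated names can be compared."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)


def audit(src: str) -> List[Tuple[int, str]]:
    """Return (line number, description) for each suspicious construct in src."""
    findings: List[Tuple[int, str]] = []
    aliases: set = set()  # variables holding a hex-escaped dangerous function name
    for no, line in enumerate(src.splitlines(), 1):
        for var, lit in re.findall(r'(\$\w+)\s*=\s*"((?:\\x[0-9A-Fa-f]{2})+)"', line):
            name = unhex(lit)
            if name in DANGEROUS:
                aliases.add(var)
                findings.append((no, f"hex-escaped alias {var} = {name}"))
        if re.search(r'\beval\s*\(', line):
            findings.append((no, "eval() call"))
        for var in sorted(aliases):
            if re.search(re.escape(var) + r'\s*\(', line):
                findings.append((no, f"call through alias {var}"))
        if re.search(r'\b(include|require)(_once)?\s*\(\s*\$_(GET|POST|REQUEST)', line):
            findings.append((no, "include of a request parameter"))
        if re.search(r'\bfopen\s*\(\s*"[^"]*\$_(GET|POST|REQUEST)\[', line):
            findings.append((no, "fopen() path built from a request parameter"))
        if re.search(r'\bmysql_query\s*\(\s*\$\w+', line):
            findings.append((no, "mysql_query() on a variable statement (check its source)"))
    return findings


if __name__ == "__main__":
    for no, desc in audit(SAMPLE_PHP):
        print(f"line {no}: {desc}")
```

Run it over an unpacked www.tar.gz with a directory walk; the alias rule is what lets it see through the `\x62\x61...` renaming that a plain grep for base64_decode would miss.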

Even with that in place, others can still knock your check down, e.g. by hammering other teams' database reset file: the admin password in that reset file is wrong, and there is no access-control module there, so the check fails.

Afterwards I thought we could change the database backup configuration, or forcibly add an authentication module… but that was all after the competition.

Day 2 challenges

A CMS on an MVC framework.
Right away we packed www and had a teammate scan it with D盾; found a one-liner.
Deleted the one-liner, then attacked a round by hand and submitted flags.
And we actually got first blood, lol.
Later some team apparently found a file-read hole, but I didn't look into it much; I got tired toward the end and didn't feel like playing anymore. I'll look at this MVC CMS again when I have time.

Lost points in the final wave and dropped to 7th. Too weak, orz.
