内部赛-2023第三届网络安全攻防大赛团队赛③-决赛 WriteUp
RDG
zoo eatvm linknode 通防
wrappter
main.py
# NOTE(review): decorator order matters here. `@app.route` is applied first
# (it is closest to the function), and if it registers the function it
# receives — as Flask's `route` does — the registered view is the bare
# `admin`, while `@login_required` only wraps the name that remains in the
# module. In that case the login check never runs for /admin/console; the
# usual fix is to put `@app.route(...)` outermost. Confirm against the
# framework actually in use.
@login_required
@app.route('/admin/console')
def admin():
    # Only the first statement of the handler is reproduced in the writeup;
    # the rest of the view body is not shown here.
    file_content = None
waf.py
class WAF:
    """Class-level registry of request and response sanitizers.

    Each ``sanitizer_add_*`` classmethod is meant to be used as a decorator:
    it records the callable in the matching class-level list and hands the
    callable back untouched, so the decorated definition is left as is.
    """

    # Shared by every instance and caller: both lists live on the class.
    sanitizer_list_req = []
    sanitizer_list_res = []

    @classmethod
    def sanitizer_add_req(cls, func):
        """Register *func* as a request sanitizer and return *func*."""
        registry = cls.sanitizer_list_req
        registry.append(func)
        return func

    @classmethod
    def sanitizer_add_res(cls, func):
        """Register *func* as a response sanitizer and return *func*."""
        registry = cls.sanitizer_list_res
        registry.append(func)
        return func
eazy_login
直接把上传文件内容替换.
package com.web.chal;
import java.nio.charset.StandardCharsets;
/* loaded from: chal.war:WEB-INF/classes/com/web/chal/Utils.class */
public class Utils {
public static String sqlFilter(String input) {
return input.replaceAll("(?i)(select|or|in|,|union|and)", "");
}
public static boolean fileFilter(byte[] content) {
String s = new String(content, StandardCharsets.UTF_8);
if (s.contains("<%!")) {
return false;
}
for (byte b : content) {
if (b < 32 || b > 126 || b == 40 || b == 41 || b == 36) {
return false;
}
}
for (int i = 0; i < content.length; i++) {
content[i] = 48;
}
return true;
}
}
CTF
arp-2
tshark -r a.pcapng -Y "arp" -T fields -e frame.len > out.txt
帧长 32 替换为 1，30 替换为 0，再把得到的二进制串转换为字符串。
Tough_SQL
tshark -r a.pcapng -Y "http.response && frame.len==1423" -T fields -e http.response_for.uri -e > out.txt
过滤出响应长度为 1423 的数据包。如下面这些请求，响应长度为 1423 表示判断语句为 True，1436 表示判断语句为 False。
http://192.168.77.130:8002/vul/sqli/sqli_blind_b.php?name=flag'!=!(ascii(mid((select%20base%20from%20xorcode.xorbase),1,1))%3E79)!=!'1&submit=%E6%9F%A5%E8%AF%A2
http://192.168.77.130:8002/vul/sqli/sqli_blind_b.php?name=flag'!=!(ascii(mid((select%20base%20from%20xorcode.xorbase),1,1))%3E82)!=!'1&submit=%E6%9F%A5%E8%AF%A2
http://192.168.77.130:8002/vul/sqli/sqli_blind_b.php?name=flag'!=!(ascii(mid((select%20base%20from%20xorcode.xorbase),1,1))%3E84)!=!'1&submit=%E6%9F%A5%E8%AF%A2
http://192.168.77.130:8002/vul/sqli/sqli_blind_b.php?name=flag'!=!(ascii(mid((select%20base%20from%20xorcode.xorbase),2,1))%3E79)!=!'1&submit=%E6%9F%A5%E8%AF%A2
然后提取一下符合的最大值即可.
import re
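def decode_blind_results(lines):
    """Rebuild the extracted string from the URIs of the "true" responses.

    Every line is expected to contain ``mid(...,<pos>,1))...%3E<threshold>``
    (an ``ascii(...) > threshold`` probe). For each position the largest
    threshold whose probe returned true is kept, so the character at that
    position is ``max_threshold + 1``. Lines without the pattern are skipped
    instead of raising, and the position is read from the line itself rather
    than assumed to advance by one at every change, so a gapped or unordered
    capture still decodes what it contains.

    Args:
        lines: iterable of str, one request URI per item (e.g. an open file).

    Returns:
        The decoded characters in increasing position order; ``''`` when no
        line matched.
    """
    probe = re.compile(r'(?P<num>\d+),\d+\)\).*?3E(?P<value>\d+)')
    best = {}  # position -> largest true threshold + 1
    for line in lines:
        m = probe.search(line)
        if m is None:
            continue
        pos = int(m.group('num'))
        candidate = int(m.group('value')) + 1
        best[pos] = max(best.get(pos, 0), candidate)
    return ''.join(chr(best[pos]) for pos in sorted(best))


if __name__ == '__main__':
    # Same output shape as the original one-shot script: no trailing newline.
    with open('out.txt', 'r', encoding='utf8') as f:
        print(decode_blind_results(f), end='')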
# UllXUENYDFkLXlxZI2xydCAja3Mte35mdH14Kn0zZmZnYTRuOTo4bD8g
找规律。
import base64
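data = 'UllXUENYDFkLXlxZI2xydCAja3Mte35mdH14Kn0zZmZnYTRuOTo4bD8g'


def known_prefix_keys(cipher, known=b'flag'):
    """Return ``cipher[i] ^ known[i]`` over the known-plaintext prefix.

    This is the "find the pattern" step: with the page's ciphertext the
    values come out as 52, 53, 54, 55, i.e. byte ``i`` was XORed with
    ``52 + i``.

    Args:
        cipher: decoded ciphertext bytes.
        known: plaintext bytes assumed at the start of the message.

    Returns:
        list of int, one entry per byte of the shorter input.
    """
    return [c ^ k for c, k in zip(cipher, known)]


def decode_counter_xor(cipher, start=52):
    """XOR byte ``i`` of *cipher* with ``start + i`` and return the text.

    Args:
        cipher: ciphertext bytes.
        start: key value for byte 0; the key grows by one per byte.

    Returns:
        The recovered plaintext as a str (``chr`` of each XOR result).
    """
    return ''.join(chr((start + i) ^ c) for i, c in enumerate(cipher))


if __name__ == '__main__':
    t = base64.b64decode(data)
    # Same output as the original script: "52,53,54,55," then a newline.
    print(*known_prefix_keys(t), sep=',', end=',')
    print()
    # 52,53,54,55 are consecutive, so the key for byte i is 52 + i.
    print(decode_counter_xor(t), end='')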
# flag{a6b7cbfc-07df-4e24-806e-b4534b9acb7c}