2018年XNUCA部分WriteUp
虐心+被侮辱智商
WEB ezdotso <?php $param = array ();parse_str ($_SERVER ['QUERY_STRING' ]);if (isset ($action )){ switch ($action ){ case "php_info" : echo call_user_func_array ("php_info" ,$param ); break ; case "cmd" : if (isset ($cmd )){ if (is_string ($cmd )){ if (strlen ($cmd )>9 ){ die (); } $pat1 = "/[^0-9a-zA-Z \/\*]/" ; if (preg_match ($pat1 , $cmd )>0 ){ die (); } $pat2 = "/^[a-zA-Z]+ [0-9a-zA-Z\/\*]+$/" ; if (preg_match ($pat2 , $cmd )==0 ){ die (); } system ("busybox " . $cmd ); } } break ; default : echo call_user_func_array ("hello" ,$param ); break ; } }else { show_source (__FILE__ ); }
action 变量为 cmd 时,将会对 cmd 变量进行两次正则过滤,过滤之后将会使用 busybox
执行linux shell命令。要使程序正常运行下去,则cmd变量必须为字符串,且长度不能超过9。为了过第一个正则判断,则该字符串必须由两部分组成,且中间使用空格隔开,第一部分为大小写字母以及数字开头,第二部分含有 * 或者 / 两个符号。为了过第二个正则判断,则该第一部分为一个或一个以上大小写字母,第二部分以大小写字母或者 * 或者 / 这两个符号结尾。使用PHP模拟判断过程,可以发现诸如 ls /
; ls *
等命令+一个参数的 shell 命令均可以通过条件判断。执行 ls /
时发现在 / 根目录下,有一个 flag 文件,使用 cat /flag
即可读取文件内容。
Payload:?action=cmd&cmd=cat /flag
Flag:flag{433b246d-71de-4dfe-b6dc-624f991e2d0f}
Blog 题目是OAuth2.0 认证缺陷攻击
you can login in the blog services by your username or auth by auth2.0, try to hack it.http://106.75.66.211:8000/
提交的链接只允许 http://106.75.66.211:8000 开头, 并且长度有限制 已登录用户可以通过下面任意跳转http://106.75.66.211:8000/main/login?next=//baidu.com
未绑定oauth的用户可以点击绑定跳转到绑定界面 但是返回链接没有对用户做确认. 只要点击绑定返回的连接 就会被绑定成
攻击链:
建立一个 oauth 账号
建立一个 blog 账号
点击绑定新账号, 使用 burp 拦截回调链接
在自己的服务器写下如下代码
<?php header('location: http://106.75.66.211:8000/main/oauth/?state=OnmJVKIR0V&code=*********')
提交 http://106.75.66.211:8000/main/login?next=//xxxx 给管理员
使用oauth 重新登录 blog 即成为管理员
Flag:flag{30b1651e8445120f66d93c8c5edff507}
Crypto Warm Up 共模攻击
看流量包 Alice, Dave 的N相同
import gmpy2n = 25118186052801903419891574512806521370646053661385577314262283167479853375867074736882903917202574957661470179148882538361560784362740207649620536746860883395110443930778132343642295247749797041449601967434690280754279589691669366595486824752597992245067619256368446164574344449914827664991591873150416287647528776014468498025993455819767004213726389160036077170973994848480739499052481386539293425983093644799960322581437734560001018025823047877932105216362961838959964371333287407071080250979421489210165485908404019927393053325809061787560294489911475978342741920115134298253806238766543518220987363050115050813263 e1 = 7669 e2 = 6947 message1 = 22917655888781915689291442748409371798632133107968171254672911561608350738343707972881819762532175014157796940212073777351362314385074785400758102594348355578275080626269137543136225022579321107199602856290254696227966436244618441350564667872879196269074433751811632437228139470723203848006803856868237706401868436321225656126491701750534688966280578771996021459620472731406728379628286405214996461164892486734170662556518782043881759918394674517409304629842710180023814702447187081112856416034885511215626693534876901484105593275741829434329109239483368867518384522955176807332437540578688867077569728548513876841471 message2 = 20494665879116666159961016125949070097530413770391893858215547229071116025581822729798313796823204861624912909030975450742122802775879194445232064367771036011021366123393917354134849911675307877324103834871288513274457941036453477034798647182106422619504345055259543675752998330786906376830335403339610903547255965127196315113331300512641046933227008101401416026809256813221480604662012101542846479052832128788279031727880750642499329041780372405567816904384164559191879422615238580181357183882111249939492668328771614509476229785062819586796660370798030562805224704497570446844131650030075004901216141893420140140568 gcd, s, t = gmpy2.gcdext(e1, e2) if s < 0 : s = -s message1 = gmpy2.invert(message1, n) if t < 0 : t = -t message2 = gmpy2.invert(message2, n) plain = gmpy2.powmod(message1, s, n) * gmpy2.powmod(message2, t, n) % n print hex (plain)0x464c41477b673030645f4c75636b5f265f486176335f46756e7d
Flag:flag{g00d_Luck_&_Hav3_Fun}
部分题目下载Github下载