
百度杯战国

CTF-百度杯战国

part1 Traffic capture analysis: SQL injection

Description

The content is hidden in a pcap file. Opening the pcap, every HTTP request's User-Agent header contains the string sqlmap, so extract all HTTP packets and then pull sqlmap's injection payloads out of them.


Parsing the JSON file

First, the cookie carries a `user` value that is an encoded payload. It turns out the value is recovered by applying ROT13 and then base64-decoding it (that is, sqlmap base64-encoded the payload and then ROT13'd the result). Decoding every request yields the series of payloads.
Hint: sqlmap confirms each character it has found with a != comparison, so the number after != in those queries is the character's code.

```python
import json
import base64

# Wireshark JSON export of the HTTP requests in the pcap
with open(r"C:\Users\lhy\Desktop\1.json", 'r') as fp:
    c = json.load(fp)
print(c[1]['_source']['layers']['http']['http.user_agent'])  # sanity check on the export layout

# collect the encoded `user` cookie value of every request sent by sqlmap
u_e = []
for i in c:
    agent = i['_source']['layers']['http']['http.user_agent']
    if 'sqlmap' in agent:
        cookie = i['_source']['layers']['http']['http.cookie']
        cookie = cookie.split(";")[0]        # first cookie is user=<payload>
        cookie_en = cookie.split("=")[-1]    # '=' padding is URL-encoded (%3D), so this split is safe
        u_e.append(cookie_en)


def rot13(message):
    """ROT13 over ASCII letters only; everything else is passed through."""
    res = ''
    for item in message:
        if (item >= 'A' and item <= 'M') or (item >= 'a' and item <= 'm'):
            res += chr(ord(item) + 13)
        elif (item >= 'N' and item <= 'Z') or (item >= 'n' and item <= 'z'):
            res += chr(ord(item) - 13)
        else:
            res += item
    return res


s = ""
for test in u_e:
    try:
        test = test.replace("%3D", "=")
        test = test.replace("%3d", "=")
        test = rot13(test)                   # undo the ROT13 layer
        test = base64.b64decode(test)        # then the base64 layer
        test = test.decode("utf8", errors='ignore')
        # sqlmap validates each recovered character with a "!= <ord>" query;
        # keep only the validation queries that target the message column
        if (test.find('!=') != -1) and (test.find('message') != -1):
            test = test.split("!=")[-1]
            test = test.split(",")[0]
            s += chr(int(test))
    except ValueError:                       # bad base64 (binascii.Error) or a non-numeric value after !=
        continue
print(s)

# output: 2my_password_is_ilovedaliang0balabalabala1!
```

From that output, message is my_password_is_ilovedaliang.
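The same recovery written as a reusable script, as an added example that is not the page's own code. It assumes the tshark/Wireshark JSON export layout used above, the same tamper chain (base64 then ROT13 on the `user` cookie, padding URL-encoded) and a MySQL backend, where sqlmap's validation query has the shape `ORD(MID((SELECT ... message ...),<pos>,1))!=<ord>`; that lets it place each byte by position instead of trusting packet order, which is the one thing the script above does not do. The sample traffic is constructed here, not taken from the CTF capture.

```python
import base64
import codecs
import json
import re
from urllib.parse import quote, unquote

# Assumed MySQL shape of sqlmap's per-character validation query:
#   ORD(MID((SELECT ... message ...),<pos>,1))!=<ord>
VALIDATE_RE = re.compile(r"MID\((.*),(\d+),1\)\)!=(\d+)", re.S)


def decode_cookie(value):
    """Undo the assumed tamper chain: URL-decode, ROT13, then base64-decode."""
    b64 = codecs.decode(unquote(value), "rot_13")
    return base64.b64decode(b64).decode("utf-8", errors="ignore")


def encode_cookie(payload):
    """Inverse of decode_cookie; used here only to build the constructed sample traffic."""
    b64 = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return quote(codecs.encode(b64, "rot_13"), safe="")


def sqlmap_cookie_values(export, cookie_name="user"):
    """Yield the raw `user` cookie value of every request whose User-Agent mentions sqlmap."""
    for pkt in export:
        http = pkt.get("_source", {}).get("layers", {}).get("http", {})
        if "sqlmap" not in http.get("http.user_agent", ""):
            continue
        for part in http.get("http.cookie", "").split(";"):
            name, _, val = part.strip().partition("=")
            if name == cookie_name:
                yield val


def recover_column(export, column="message"):
    """Rebuild the value sqlmap extracted for `column` from its != validation queries,
    placing each byte by the MID() position so packet order does not matter."""
    chars = {}
    for val in sqlmap_cookie_values(export):
        try:
            payload = decode_cookie(val)
        except ValueError:          # binascii.Error (bad base64) is a ValueError
            continue
        m = VALIDATE_RE.search(payload)
        if m is None or column not in m.group(1):
            continue
        pos, code = int(m.group(2)), int(m.group(3))
        chars[pos] = chr(code)      # a later validation of the same position overrides
    return "".join(chars[p] for p in sorted(chars))


def sample_export():
    """Constructed stand-in for the JSON export (not the CTF capture)."""
    q = ("1' AND ORD(MID((SELECT IFNULL(CAST(message AS CHAR),0x20) "
         "FROM ctf.users LIMIT 0,1),{pos},1)){op}{val} AND 'x'='x")
    payloads = [
        q.format(pos=1, op=">", val=64),     # bisection step: carries no answer
        q.format(pos=2, op="!=", val=105),   # 'i', validated before position 1
        q.format(pos=1, op="!=", val=104),   # 'h'
        q.format(pos=3, op="!=", val=33),    # '!'
    ]
    pkts = [{"_source": {"layers": {"http": {
        "http.user_agent": "sqlmap/1.0-dev (http://sqlmap.org)",
        "http.cookie": "user=" + encode_cookie(p) + "; PHPSESSID=deadbeef"}}}}
            for p in payloads]
    pkts.append({"_source": {"layers": {"http": {     # a non-sqlmap request is ignored
        "http.user_agent": "Mozilla/5.0", "http.cookie": "user=not-a-payload"}}}})
    return pkts


if __name__ == "__main__":
    import sys
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_export()
    print(recover_column(export))
```

Run it with the exported JSON as the only argument; without an argument it runs on the constructed sample and prints `hi!`. The `>` bisection queries are deliberately ignored, since without the server's responses they carry no answer; only the `!=` validations do.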

part2 MD5 collision

Description

After downloading the content and uploading it back, the page hints that a salt was added. Adding the password from part1 as the salt gives the response "no same file".
Scanning for files turned up a backup, .***.php.swp.
Downloading it, the source is:

```php
balablablab
balablablab
balablablab
$salt = isset($_REQUEST['postfix_salt']) ? $_REQUEST['postfix_salt'] : 'ilovedaliang';
$real_md5 = md5(file_get_contents("./certification.txt") . $salt);
balablablab
balablablab
balablablab
```

The MD5 comparison it performs is therefore: ==the MD5 of the file you upload against the MD5 of the server's certification.txt + $salt==.

Solution

So we can use certification.txt as a common prefix and generate two files that share that prefix, differ in what follows, and still have the same MD5 (an MD5 identical-prefix collision).

The tool used is fastcoll_v1.0.0.5.exe:

```
fastcoll_v1.0.0.5.exe -p certification.txt
```

Then upload one of the two files and put the bytes the other file has after the prefix into the postfix_salt parameter: the server hashes certification.txt plus that block, which is exactly the second file, and its MD5 equals the uploaded file's.
The catch is how to get those bytes into the parameter, since the collision blocks are binary.
I uploaded one of the files, sent the other file's trailing bytes to Decoder, and URL-encoded them.
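The upload/salt pairing spelled out as a script, added here as an example rather than code from the writeup. It assumes fastcoll was run as `fastcoll -p certification.txt` and wrote its default output files msg1.bin and msg2.bin (both are certification.txt followed by a different collision block), and `server_check` is an assumed reconstruction of the challenge's check from the .swp fragment and the "no same file" message; the exact server strings and order of checks are not on the page. The test data is constructed and does not collide, so the script's sanity check shows why you verify the fastcoll output before uploading.

```python
import hashlib
import sys
from urllib.parse import quote_from_bytes


def split_collision(prefix, msg1, msg2):
    """Return the two collision blocks fastcoll appended after the shared prefix."""
    if not (msg1.startswith(prefix) and msg2.startswith(prefix)):
        raise ValueError("collision files do not start with certification.txt")
    block_a, block_b = msg1[len(prefix):], msg2[len(prefix):]
    if block_a == block_b:
        raise ValueError("the two files are identical; no collision")
    return block_a, block_b


def collides(msg1, msg2):
    """True when both files hash to the same MD5 (sanity check before uploading)."""
    return hashlib.md5(msg1).hexdigest() == hashlib.md5(msg2).hexdigest()


def server_check(certification, uploaded, postfix_salt):
    """Assumed reconstruction of the challenge logic seen in the .swp source: the
    upload's MD5 is compared with md5(certification.txt + postfix_salt), and an
    upload byte-identical to that concatenation is answered with 'no same file'."""
    expected = certification + postfix_salt
    if uploaded == expected:
        return "no same file"
    if hashlib.md5(uploaded).hexdigest() != hashlib.md5(expected).hexdigest():
        return "wrong md5"
    return "flag"


def build_request(certification, msg1, msg2):
    """Upload msg1 and send msg2's block, URL-encoded, as postfix_salt, so the server
    hashes certification.txt + block_b == msg2, whose MD5 equals msg1's."""
    _block_a, block_b = split_collision(certification, msg1, msg2)
    return {"file": msg1, "postfix_salt": quote_from_bytes(block_b, safe="")}


if __name__ == "__main__":
    cert = open("certification.txt", "rb").read()
    m1, m2 = open("msg1.bin", "rb").read(), open("msg2.bin", "rb").read()
    if not collides(m1, m2):
        sys.exit("msg1.bin and msg2.bin do not collide")
    req = build_request(cert, m1, m2)
    print("postfix_salt=" + req["postfix_salt"])
    # simulate the server with the raw block (what it sees after URL-decoding the parameter)
    print(server_check(cert, req["file"], m2[len(cert):]))
```

Sending block_b as the salt while uploading msg1 (rather than msg2 with its own block) is what dodges the "no same file" check: the two inputs differ byte-wise but share the digest.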

part3

PHP unserialize vulnerability
CVE-2016-5771 https://www.cdxy.me/?p=682

part4

Command injection
I went straight to the writeup; it is command injection. After getting a shell, I looked at the code.
It should be in the second statement.