
TokyoWesterns CTF 6th 2020 部分WP

TimelineSec · WeChat official account · 2020-10-12 09:00


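Things have been a bit slack since I got back to school: to keep my GPA up I haven't skipped many classes and have been trying hard to pay attention (except in a few classes that are hopelessly dull). Foreign CTFs are more interesting and worth doing; below are some of my notes.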


T4rn@Timeline Sec


1. Background

urlcheck1


Source code:

    import os, re, requests, flask
    from urllib.parse import urlparse

    app = flask.Flask(__name__)
    app.flag = '***CENSORED***'
    app.re_ip = re.compile('\A(\d+)\.(\d+)\.(\d+)\.(\d+)\Z')

    def valid_ip(ip):
        matches = app.re_ip.match(ip)
        if matches == None:
            return False

        ip = list(map(int, matches.groups()))
        if any(i > 255 for i in ip) == True:
            return False
        # Stay out of my private!
        if ip[0] in [0, 10, 127] \
            or (ip[0] == 172 and (ip[1] > 15 or ip[1] < 32)) \
            or (ip[0] == 169 and ip[1] == 254) \
            or (ip[0] == 192 and ip[1] == 168):
            return False
        return True

    def get(url, recursive_count=0):
        r = requests.get(url, allow_redirects=False)
        if 'location' in r.headers:
            if recursive_count > 2:
                return '🤔'
            url = r.headers.get('location')
            if valid_ip(urlparse(url).netloc) == False:
                return '🤔'
            return get(url, recursive_count + 1)
        return r.text

    @app.route('/admin-status')
    def admin_status():
        if flask.request.remote_addr != '127.0.0.1':
            return '🥺'
        return app.flag

    @app.route('/check-status')
    def check_status():
        url = flask.request.args.get('url', '')
        if valid_ip(urlparse(url).netloc) == False:
            return '🥺'
        return get(url)

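Key code:

    def admin_status():
        if flask.request.remote_addr != '127.0.0.1':
            return '🥺'
        return app.flag

A typical SSRF challenge with a very clear path: requesting the internal admin_status route returns the flag. The route checks remote_addr, and the URL filter does not allow the IP to be written as 127.0.0.1, but an IP address has many representations, so we can bypass the filter with an octal IP.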
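
Why the octal form gets past the filter, as an added example (not part of the challenge source or the original write-up): the filter's regex-plus-int() parse reads every octet as decimal, while a C-style inet_aton parser reads a leading 0 as octal. `valid_ip_v1` reproduces the filter from the source above; `resolved_address` and `valid_ip_normalized` are hypothetical names introduced here, and the sample hosts are constructed.

```python
import ipaddress
import re
import socket

RE_IP = re.compile(r'\A(\d+)\.(\d+)\.(\d+)\.(\d+)\Z')


def valid_ip_v1(ip):
    """The challenge's filter, reproduced from the source above."""
    matches = RE_IP.match(ip)
    if matches is None:
        return False
    octets = list(map(int, matches.groups()))  # int('0177') == 177 (decimal)
    if any(i > 255 for i in octets):
        return False
    if octets[0] in [0, 10, 127] \
            or (octets[0] == 172 and (octets[1] > 15 or octets[1] < 32)) \
            or (octets[0] == 169 and octets[1] == 254) \
            or (octets[0] == 192 and octets[1] == 168):
        return False
    return True


def resolved_address(host):
    """Address an inet_aton-style parser produces for this literal."""
    return str(ipaddress.IPv4Address(socket.inet_aton(host)))


def valid_ip_normalized(host):
    """Hardened check (hypothetical): canonicalise first, then classify."""
    try:
        addr = ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return False
    return addr.is_global


# Constructed sample inputs.
SAMPLES = ['127.0.0.1', '0177.0.0.1', '8.8.8.8']


def report():
    return [(h, valid_ip_v1(h), resolved_address(h), valid_ip_normalized(h))
            for h in SAMPLES]


if __name__ == '__main__':
    for row in report():
        print('%-11s filter=%-5s parsed_as=%-10s hardened=%s' % row)
```

The filter and the connecting code disagree about what `0177.0.0.1` means; the hardened check classifies the same canonical address that the socket layer would use.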



Recommended reading:

http://www.manongjc.com/detail/13-sfiyyfhuolweeda.html


urlcheck v2


Source code:

    import os, re, time, ipaddress, socket, requests, flask
    from urllib.parse import urlparse

    app = flask.Flask(__name__)
    app.flag = '***CENSORED***'

    def valid_ip(ip):
        try:
            result = ipaddress.ip_address(ip)
            # Stay out of my private!
            return result.is_global
        except:
            return False

    def valid_fqdn(fqdn):
        return valid_ip(socket.gethostbyname(fqdn))

    def get(url, recursive_count=0):
        r = requests.get(url, allow_redirects=False)
        if 'location' in r.headers:
            if recursive_count > 2:
                return '🤔'
            url = r.headers.get('location')
            if valid_fqdn(urlparse(url).netloc) == False:
                return '🤔'
            return get(url, recursive_count + 1)
        return r.text

    @app.route('/admin-status')
    def admin_status():
        if flask.request.remote_addr != '127.0.0.1':
            return '🥺'
        return app.flag

    @app.route('/check-status')
    def check_status():
        url = flask.request.args.get('url', '')
        if valid_fqdn(urlparse(url).netloc) == False:
            return '🥺'
        return get(url)

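The approach to getting the flag is the same; the difference is that this time the IP address is checked with the ipaddress library.

Following the flow of our input, the code can be rewritten as:

    furl = urlparse(url).netloc
    ip = socket.gethostbyname(furl)
    is_global = ipaddress.ip_address(ip).is_global

First, netloc is not checked as a hostname.
Reading the code carefully, it performs two DNS resolutions: the first to check whether the address is private, the second when the resource is actually requested. This is where a DNS rebinding attack applies.

The basic idea of a DNS rebinding attack is to rapidly switch the IP that a DNS name maps to between specific addresses, with a TTL (time to live) of 0, i.e. no DNS caching, so that different DNS queries receive different IPs.

With this method, the valid_fqdn check sees the host resolve to a public address, while the request the server then makes resolves to the localhost IP.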


Here we use an online tool written by a researcher abroad:


https://lock.cmpxchg8b.com/rebinder.html


Set the bound IPs to 8.8.8.8 and 127.0.0.1.



After a few attempts, we get the flag.
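
The double-resolution race described above and one way to close it, as an added example that is not part of the challenge source or the original write-up. `FlippingResolver` is a constructed stand-in for a TTL-0 name, `rebind.example` and both function names are hypothetical, and no network traffic is made: the "connect" step only returns the address it would use.

```python
import ipaddress
import itertools


class FlippingResolver:
    """Constructed stand-in for a TTL-0 name that alternates its answers."""

    def __init__(self, answers):
        self._answers = itertools.cycle(answers)
        self.lookups = 0

    def gethostbyname(self, name):
        self.lookups += 1
        return next(self._answers)


def is_global(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def check_then_fetch(host, resolver):
    """Pattern from urlcheck v2: validate one lookup, connect with another."""
    if not is_global(resolver.gethostbyname(host)):   # lookup 1: the check
        return None
    return resolver.gethostbyname(host)               # lookup 2: the request


def resolve_once_and_pin(host, resolver):
    """Hardened pattern: connect to the exact address that was validated."""
    ip = resolver.gethostbyname(host)                 # the only lookup
    if not is_global(ip):
        return None
    return ip   # caller connects to this IP and sends "Host: <host>"


def demo():
    name = 'rebind.example'  # hypothetical name
    flawed = check_then_fetch(name, FlippingResolver(['8.8.8.8', '127.0.0.1']))
    pinned = [resolve_once_and_pin(name, r) for r in
              (FlippingResolver(['8.8.8.8', '127.0.0.1']),
               FlippingResolver(['127.0.0.1', '8.8.8.8']))]
    return flawed, pinned


if __name__ == '__main__':
    print(demo())
```

A real rebinding name does not answer in strict alternation, which is why the write-up needs several attempts; the pinned variant is unaffected by the order of answers because the validated address is the one used.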



Recommended reading:

http://bendawang.site/2017/05/31/关于DNS-rebinding的总结/

https://blog.csdn.net/liuyuyang1023/article/details/84582882


Angular of the Universe


After downloading the source, we find an nginx configuration file.
The challenge description is interesting:


You know, everything has the angular. A bread, you, me and even the universe. Do you know the answer?


First, the source:

    server {
        listen 8080 default_server;

        root /var/www/html;

        server_name _;

        location / {
            proxy_pass http://app;
            proxy_set_header Host $host;
        }
        location /debug {
            # IP address restriction.
            # TODO: add allowed IP addresses here
            allow 127.0.0.1;
            deny all;
        }
    }


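From the challenge description we guess that the flag is reached via /debug/flag. That location only allows 127.0.0.1, yet there is no SSRF entry point to use. The interesting part here is proxy_pass.


I looked up the nginx documentation for proxy_pass: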

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass


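nginx makes decisions such as location matching after interpreting sequences like /../. If / is not appended to the end of proxy_pass, as in this challenge, the URL is passed on unchanged, as it was before that interpretation.

When I first worked on this challenge I got stuck right here. My idea was to bypass the debug restriction with URL encoding, %64ebug, but access was still denied. Searching further, I found the following.

Certain nginx rules are not susceptible to path traversal, and curl rewrites the path of the requested URL, as its output shows. Here we can use an option added in curl 7.42.0:

    curl --path-as-is

We can look at the description in the official documentation.


One entry reads: this tells libcurl not to squash "/../" or "/./" sequences that may exist in the path part of the URL.

Understood. The flag is probably another file under this directory, although we don't know exactly which one, so the request is easy to construct.

Here we use \ to bypass the nginx restriction. Node.js converts /\debug/answer into /debug/answer.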

payload:
curl --path-as-is 'http://universe.chal.ctf.westerns.tokyo/debug/answer'


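We get the flag.
But here is the interesting part of the challenge: there are two flags.


2. flag


In the file server.ts we can find this piece of code:

    server.get('/api/true-answer', (req, res) => {
      console.log('HIT: %s', req.ip)
      if (req.ip.match(/127\.0\.0\.1/)) {
        res.json(`hello admin, this is true answer: ${process.env.FLAG2}`)
      } else {
        res.status(500).send('Access restricted!')
      }
    });

Another SSRF (P.S. foreign CTFs are full of this kind of challenge).
The Angular HTTP module builds the target URL from its server hostname, which is derived from the Host header of the HTTP request.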

Reference:
https://github.com/angular/angular/blob/10.1.x/packages/platform-server/src/http.ts#L119

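As in GACTF, and TCTF from a long time ago, we just set up a redirect on our own server to 127.0.0.1/api/true-answer.

Flag 1 also has a neat unintended solution.
When Angular tries to match a route, it parses a URL built from PROTOCOL + HOST + PATH.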

payload:
curl 'http://universe.chal.ctf.westerns.tokyo' -H 'Host: \debug\answer'




    

Because we inject \debug\answer as the host, Angular parses http://\debug\answer\ and extracts the path as /debug/answer, so we get the flag again.



Angular of Another Universe


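This one is very similar to the first; after downloading the files we find an additional Apache folder.

The configuration file:

    Order Allow,Deny
    Deny from all

    ProxyRequests Off
    ProxyPreserveHost on
    ProxyPass / http://nginx:8080/


So the rendering chain is now Apache -> Nginx -> Express -> Angular.
There is also one small change: req.path.includes('debug') -> req.path.includes('/debug')

The approach is the same as in the previous challenge: obtain the flag via /debug/answer.
But \ can no longer be used.

My thinking was still stuck at that point. I kept trying to find a way to transform \ and overlooked a lot of things, so I asked a researcher abroad.

He replied: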


Why not try to read the official documentation


It suddenly clicked, so I hurried through the Angular documentation, translating as I read (I'm such a noob).
https://angular.io/api/router/RouterOutlet#description

Here you can write Angular URLs like this:
/team/11(aux:chat/jim)

We construct the path using the primary label:
(primary:%64ebug/answer); don't forget the leading /.

Final payload:
curl --path-as-is 'http://another-universe.chal.ctf.westerns.tokyo/(primary:debug/answer)'




bfnote


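As soon as I saw the input box I knew: a familiar XSS challenge again. The approach is already clear: submit an exploit, share it, and bring the cookies out. Google CTF 2020 had this kind of challenge.

Only 18 players solved this challenge, and only 8 solved the previous one (QAQ). I really couldn't solve it, and I couldn't have solved the previous one without a hint either, so I collected other players' write-ups to reproduce it.

We get a hint: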





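Accessing it directly gives the source code.
But there is actually one more suspicious file.


The author of the write-up says this is a vulnerability that had been publicly disclosed.
Bypass payload: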
<form><math><mtext>form><form><mglyph><style><img src=x onerror=alert()>

The protection against this in the JS we just saw only removes math tags that are descendants of form.

var elms = ["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"];
for(let el of elms){ let p = `
<${el}>





