[D3CTF2021] Notes
So hard it made me want to curl up and quit, so this can only be called "notes"... I spent two days on 8-bit-pub, the easiest one, and it still left me dazed; I basically didn't feel like looking at the rest of the challenges.
Now reproducing it by following the writeup
8-bit-pub
The front end looks nice; downloaded it straight away
Source code was provided. There are mainly three things to look at: logging in as admin, admin having a send-mail function, and shvl, a very suspicious library (prototype pollution).
Lately I've been getting beaten up by foreign competitions every single day... This UnionCTF had two web challenges: one was a SQLite UNION injection with zero filtering (even a payload copied from Baidu went straight through), and the other was this one, which was quite interesting; the exploitation step later on felt fairly practical, learned something.
Pasting part of it
checkin.js
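As an added illustration of why a path-based "set" helper like shvl is worth a second look, here is a minimal deep-set function in its unsafe form beside a hardened one. This is example code written for these notes, not shvl's own source: the function names unsafeSet and safeSet and the FORBIDDEN list are my own, and the demo functions pollute and then clean up Object.prototype inside the same process.

```javascript
// Unsafe: walks every path segment, so a "__proto__" segment lands on
// Object.prototype and the final assignment pollutes every plain object.
function unsafeSet(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];            // for "__proto__" this is Object.prototype
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Segments that reach the prototype chain; hypothetical allow/deny list for this demo.
const FORBIDDEN = new Set(['__proto__', 'prototype', 'constructor']);

// Hardened: refuse prototype-reaching segments up front and only descend into
// own, plain-object properties of the target.
function safeSet(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error('refusing to set prototype-related key: ' + path);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Demo: after the unsafe call an unrelated, freshly created object "has" the key.
// Returns true when pollution was observed; removes the key again afterwards.
function demoUnsafe() {
  unsafeSet({}, '__proto__.polluted', true);
  const victim = {};
  const seen = victim.polluted === true;
  delete Object.prototype.polluted;   // clean up so the process is not left polluted
  return seen;
}

// Demo: the hardened version throws and leaves Object.prototype untouched.
function demoSafe() {
  try {
    safeSet({}, '__proto__.polluted2', true);
    return 'no-throw';
  } catch (e) {
    return ({}).polluted2 === undefined ? 'rejected' : 'polluted';
  }
}
```

The deny-list check is the cheap part; the own-property check matters too, because otherwise an inherited getter or an existing prototype object can still be reached through a key that is not literally __proto__.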
// Assumed requires (not shown in the excerpt): jwt-simple for jwt.encode(),
// jpv (JSON Pattern Validator) for jpv.validate(), and a config module
// holding the RSA private key
const jwt = require('jwt-simple');
const jpv = require('jpv');
const config = require('./config'); // assumed: exposes config.privkey

// Schema the check-in body must match: every field is a fully anchored regex,
// and an extras entry may only carry an sssr of BULK, UMNR or VGML
const pattern = {
    firstName: /^\w{1,30}$/,
    lastName: /^\w{1,30}$/,
    passport: /^[0-9]{9}$/,
    ffp: /^(|CA[0-9]{8})$/,
    extras: [
        {sssr: /^(BULK|UMNR|VGML)$/},
    ],
};

// Always false, so every token issued below carries status "bronze"
function isSpecialCustomer(passport, frequentFlyerNumber) {
    return false;
}

// Status and frequent-flyer number are signed into an RS256 JWT
function createToken(passport, frequentFlyerNumber) {
    var status = isSpecialCustomer(passport, frequentFlyerNumber) ? "gold" : "bronze";
    var body = {"status": status, "ffp": frequentFlyerNumber};
    return jwt.encode(body, config.privkey, 'RS256');
}

// ..... (request handling elided in the original excerpt; `data` is the parsed request body)

if (jpv.validate(data, pattern, { debug: true, mode: "strict" })) {
    if (data["firstName"] == "Tony" && data["lastName"] == "Abbott") {
        var response = {msg: "You have successfully checked in! Please remember not to post your boarding pass on social media."};
    } else if (data["ffp"]) {
        var response = {msg: "You have successfully checked in. Thank you for being a Cr0wnAir frequent flyer."};
        // A token is only issued when an extra carries sssr === "FQTU", a value the
        // pattern above does not allow, so this branch is reachable only if the
        // validation can be bypassed (note: `e` is an undeclared, implicit global)
        for(e in data["extras"]) {
            if (data["extras"][e]["sssr"] && data["extras"][e]["sssr"] === "FQTU") {
                var token = createToken(data["passport"], data["ffp"]);
                var response = {msg: "You have successfully checked in. Thank you for being a Cr0wnAir frequent flyer. Your loyalty has been rewarded and you have been marked for an upgrade, please visit the upgrades portal.", "token": token};
            }
        }
    }
}   // closing braces added here; the rest of the handler is not on the page
Seems quite a bit easier than justCTF... at least there are challenges a newbie can solve, sob
But why do foreign competitions seem to like XSS so much
Compared with justCTF's BabyCSP, this one really is more "baby"; I had no idea how to do the justCTF one...
Because default-src was set, the origins of requests made by functions like fetch are also governed by the CSP, so fetch couldn't get out; I got stuck here at first
Then just redirecting with window.location.href worked
In this challenge the nonce never changes, so isn't that just unfiltered XSS? At first I thought the challenge was written wrong and meant to test the trick from the XianZhi (先知) article in the reference links about swallowing the nonce that comes after, but after testing I found it only works when the controllable point is directly adjacent to the script tag carrying the nonce; otherwise any right angle bracket in between closes your tag and you can't swallow the correct nonce.
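The two CSP observations above (fetch is constrained because connect-src falls back to default-src, while a location change is not; and a nonce that never changes gives no protection) are the kind of thing worth checking on your own headers. This is an added example, not part of the challenge: a small CSP header parser plus an audit over several constructed responses' headers; parseCsp, effectiveSources and auditCsp are my own names.

```javascript
// Parse a Content-Security-Policy header value into { directive: [sources] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives such as connect-src (fetch/XHR/WebSocket) and script-src fall
// back to default-src when absent. Navigation, e.g. assigning location.href, is not
// a fetch directive, so default-src says nothing about where the page may navigate.
function effectiveSources(policy, directive) {
  if (policy[directive]) return { sources: policy[directive], inheritedFromDefault: false };
  if (policy['default-src']) return { sources: policy['default-src'], inheritedFromDefault: true };
  return { sources: ['*'], inheritedFromDefault: false };   // no restriction at all
}

// Extract nonce values from a source list: 'nonce-abc123' -> abc123
function nonces(sources) {
  return sources.filter((s) => /^'nonce-/.test(s)).map((s) => s.slice(7, -1));
}

// Audit the CSP headers of several responses from the same page and report
// the weaknesses discussed in the notes.
function auditCsp(headers) {
  const findings = [];
  const policies = headers.map(parseCsp);

  // 1. A script nonce seen in more than one response is static and therefore useless.
  const perResponse = policies.map((p) => nonces(effectiveSources(p, 'script-src').sources));
  const all = perResponse.flat();
  if (all.length > 0 && new Set(all).size < all.length) {
    findings.push('static script nonce reused across responses');
  }

  // 2. connect-src only restricted implicitly through default-src.
  policies.forEach((p, i) => {
    const c = effectiveSources(p, 'connect-src');
    if (c.inheritedFromDefault) {
      findings.push(`response ${i}: connect-src inherits ${c.sources.join(' ')} from default-src`);
    }
  });

  // 3. Always worth stating: fetch directives do not cover navigation.
  findings.push('navigation via location changes is not restricted by default-src');
  return findings;
}

// Constructed sample: two responses from the same page, both with the same nonce
const SAMPLE_HEADERS = [
  "default-src 'self'; script-src 'nonce-abc123'",
  "default-src 'self'; script-src 'nonce-abc123'",
];
```

Run auditCsp(SAMPLE_HEADERS) and you get the nonce-reuse finding plus a note per response that fetch is restricted only through default-src; feed it headers with rotating nonces and the first finding disappears.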