[AWDP study notes] The fix part


The 6th Qiangwang Cup

The 6th Youth Competition offline AWDP. Following master Moxin's write-up [1], the fix part had four main challenges:

ezdja

A classic Python Django application; the file structure is:

  • app01
    • the main app files
  • easypy
  • static
    • front-end files
  • templates
    • front-end files
  • manage.py (the service script)
  • requirements.txt

The service script defines the Django setup. Going straight to app01/myfunc.py, a simple SQL-injection WAF is easy to find:

def waf(sql):
    blacklists = ['union select', 'sleep', 'benchmark', 'columns', 'load_file', 'local', 'outfile', 'dumpfile', 'file']
    for blacklist in blacklists:
        if blacklist in sql:
            print(blacklist)
            return False
        # As in the challenge source: this 'return True' sits inside the loop,
        # so the check passes as soon as the first entry does not match.
        return True

Besides this there are several other WAF functions. To prevent injection, start from the possible injection points: searching with :/waf in vim locates where it is called, and the index class turns out to contain this piece of code:

# The username is concatenated straight into the SQL text; only the blacklist guards it.
sql = "select * from app01_user where username = '"+login_username+"';"
xiaoxi = ""
if waf(login_username):
    cursor.execute(sql)
    result = cursor.fetchall()
    if result:
        xiaoxi = result[0][3]
else:
    xiaoxi = "No NO N0!"

A very crude approach, but a lesson on the side: besides eval, execute is another function that should be a focus of review.

Master Moxin gives a basic fix: simply strengthen the WAF (this more or less tests a web player's basic familiarity with such handling techniques; doing more challenges does help):

def waf(sql):
    # Entries such as "x09" are the PHP regex's \x09 escapes copied as plain text;
    # as written they only match the letters "x09", not the tab byte.
    blacklists = ["union select", "sleep", "benchmark", "columns", "load_file", "local", "outfile",
                  "dumpfile", "file", "union", "select", "select", "and", "*", "x09", "x0a", "x0b",
                  "x0c", "x0d", "xa0", "x00", "x26", "x7c", "or", "into", "from", "where", "join",
                  "sleexml", "extractvalue", "+", "regex", "copy", "read", "file", "create", "grand",
                  "dir", "insert", "link", "server", "drop", "=", ">", "<", ";"]
    for blacklist in blacklists:
        if blacklist in sql:
            print(blacklist)
            return False
    # Only reached after every entry has been checked.
    return True

Applying the PHP generic-defense script worked and the defense held; when I have time I will also write up some of my own outlandish ideas (so that is on hold for now).
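As an added example (not from the original post or the challenge), here is the index view's lookup above with the concatenated query next to the structural fix, a parameterized query, plus the challenge's original WAF so the three can be compared on the same input. sqlite3 stands in for the challenge database; the app01_user schema, its rows and the probe string are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the challenge database: the app01_user table the index
# view queries, with xiaoxi at column index 3 as in result[0][3] above.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table app01_user (id integer, username text, password text, xiaoxi text)")
    conn.executemany("insert into app01_user values (?, ?, ?, ?)",
                     [(1, "admin", "s3cret", "flag{constructed}"), (2, "guest", "guest", "hello")])
    return conn

def waf_original(sql):
    # The challenge WAF as shown on the page. 'return True' sits inside the loop,
    # so after the first non-matching entry the check passes: only 'union select'
    # is ever tested, which is why e.g. 'sleep' slips through.
    blacklists = ['union select', 'sleep', 'benchmark', 'columns', 'load_file',
                  'local', 'outfile', 'dumpfile', 'file']
    for blacklist in blacklists:
        if blacklist in sql:
            return False
        return True

def lookup_concat(conn, login_username):
    # Before: the index view's concatenated query behind the blacklist check.
    if not waf_original(login_username):
        return "No NO N0!"
    sql = "select * from app01_user where username = '" + login_username + "';"
    result = conn.execute(sql).fetchall()
    return result[0][3] if result else ""

def lookup_param(conn, login_username):
    # After: the username is bound as a parameter, so it is data, never SQL text,
    # and this query needs no blacklist at all.
    result = conn.execute("select * from app01_user where username = ?;",
                          (login_username,)).fetchall()
    return result[0][3] if result else ""

if __name__ == "__main__":
    conn = setup_db()
    probe = "' or '1'='1"   # constructed input used only to verify the fix
    print(lookup_concat(conn, probe))         # prints flag{constructed}
    print(repr(lookup_param(conn, probe)))    # prints ''
```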

found_cms

easygo

Go compiles to a binary, so this needs strong patching skills; I only record the steps here:

Open the easygo binary in IDA64 and go to loc_49B5DE, where the assembly shows:

loc_49B5DE:
xchg    ax, ax
call    main_backdoor
jmp     short loc_49B5E9

Tracing further, there are calls involving two parts, cat /flag and /bin/bash. Since this is AWDP, the official exploit is not hard to imagine. Brute-force edit the db (data bytes) part, changing cat /flag to echo 1234. Personally I wondered: decompiling with retdec and then brute-force editing the file might also work?

PHP generic defense

function wafrce($str){
    // Reject input containing common RCE-related function names and keywords (case-insensitive).
    return !preg_match("/openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|scandir|assert|pcntl_exec|fwrite|curl|system|eval|assert|flag|passthru|exec|chroot|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore/i", $str);
}

function wafsqli($str){
    // Reject SQL keywords and metacharacters; '+' is escaped, otherwise PCRE refuses
    // to compile the pattern ("nothing to repeat") and preg_match returns false.
    return !preg_match("/select|and|\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\x26|\x7c|or|into|from|where|join|sleexml|extractvalue|\+|regex|copy|read|file|create|grand|dir|insert|link|server|drop|=|>|<|;|\"|\'|\^|\|/i", $str);
}

function wafxss($str){
    // Reject quotes, backticks, angle brackets and a few XSS-related words.
    return !preg_match("/\'|http|\"|\`|cookie|<|>|script/i", $str);
}


function waf($s){
    // Single-quoted string so the embedded double quotes do not end the PHP string;
    // '/*', '^', '*', '.' and '$' are escaped so they match literally instead of
    // being read as regex syntax (an unescaped '.' would match every input).
    // Entries such as x09 are literal text, not byte escapes. Input over 50 bytes is
    // rejected as well.
    $pattern = '/select|flag|union|\$|\'|"|--|#|\0|into|alert|img|prompt|set|\/\*|x09|x0a|x0b|x0c|x0d|xa0|%|<|>|\^|x00|#|x23|[0-9]|file|=|or|x7c|select|and|flag|into|where|x26|\'|"|union|`|sleep|benchmark|regexp|from|count|procedure|and|ascii|substr|substring|left|right|union|if|case|pow|exp|order|sleep|benchmark|into|load|outfile|dumpfile|load_file|join|show|select|update|set|concat|delete|alter|insert|create|union|or|drop|not|for|join|is|between|group_concat|like|where|user|ascii|greatest|mid|substr|left|right|char|hex|ord|case|limit|conv|table|mysql_history|flag|count|rpad|&|\*|\./is';
    if (preg_match($pattern, $s) || strlen($s) > 50){
        header("Location: /");
        die();
    }
}

References

  1. [Qiangwang Cup] Review of the 6th Qiangwang Cup Youth Offline AWDP [EB/OL]. Personal blog. https://moxin1044.github.io/articles/57061.html. 2024-10-28.