CTF notes (i Spring and Autumn / ichunqiu) 19.10.21 - 19.11.19

Notes on challenges from the i Spring and Autumn (ichunqiu) platform

Log
The challenge gives a login box with a username and password. Trying a universal-password injection shows that the username field is injectable but the password field is not.
From the hints given, blind injection is the likely route.
Using 1' or database() regexp '^a'# confirms that regex-based blind injection works.
The form's source shows the username input has the class user_n3me, so the column name is guessed as user_n3me.
Blind injection then recovers the account name (note it down).
Likewise, the password input has the class p3ss_w0rd; note that the extracted password is an MD5 hash, which can be decoded by lookup.
After logging in, the hints mention .bctfg1t, login.php and index.php; the latter two are the login page and the hint page.
Accessing .bctfg1t returns 403. "g1t" is "git" written in 1337 (leetspeak), so a git source-code leak is suspected; visiting /.bctfg1t/config succeeds.
This confirms a git source leak, so GitDumper (gitdumper) is used directly.
After downloading the source, view the objects with git cat-file -p <object> from the objects directory (note: the backslashes should be removed).
This recovers a PHP file containing a URL; visiting it gives the flag.

Goodbye CMS
The upper-left corner of the site leaks the absolute path. Running a directory scanner against the backend identifies Qibo CMS; visiting flag.php shows a hint that the flag is here.
The guess is to read flag.php via SQL injection with load_file.
An internet search turns up a known userinfo injection vulnerability.
Following that vulnerability writeup, register a user and note its uid and email (abbreviated here as xxx).
Construct a POST:
url: xxx/member/userinfo?job=edit&step=2
data:
truename=1%0000&Limitword[000]=&email=xxx@qq.com&provinceid=,address=(select user()) where uid=xxx%23
The response says the modification succeeded; on the personal home page the injected information appears in the address column.
Then read flag.php directly with the same method:
truename=1%0000&Limitword[000]=&email=xxx@qq.com&provinceid=,address=(load_file(/var/www/html/flag.php)) where uid=xxx%23
This produces an error and no change is made; after converting /var/www/html/flag.php to hex, the modification succeeds.
The address field then appears empty in the page... but viewing the page source shows the flag hidden in a comment.

SQLI
On entering the page, reviewing the source reveals login.php?id=1, but injection tests there appear to have no effect.
Capturing with Burp and requesting the root directory, a response header reveals another page: L0gin.php?id=1
Visiting it reveals the real page.
Modifying the value of the id field shows that the table holds two records.
With order by 1,2 the content after the comma is truncated, so the comma is suspected to be filtered.
Use -1' union select * from (select 1)a join (select 2)b # to bypass it (this statement is equivalent to union select 1,2).
Field 2 is echoed, i.e. the second column is displayed normally.
-1' union select * from (select 1)a join (<injected query>)b # is then used for conventional injection.
Pitfalls to note:
Burp's Repeater module does not automatically URL-encode spaces as %20; if the URL is not encoded, the statement fails.

gift
On entering the page, reviewing the source shows an image with src=?user=123
Changing it to admin makes no difference; visiting the admin directory shows "hello admin".
Following the hint, searching GitHub for c62 finds the user.
Following the next hint, download the zip package; the password is a date, quickly brute-forced with fcrackzip, which yields the SECRET_KEY.
An internet search finds the relevant Django deserialization vulnerability.
Running the POC yields a cookie; replace the cookie when accessing the page.

fuzzing
Nothing is found in the source or in the directory scan.
Burp capture shows the response contains: hint: ip, Large internal network
Add X-Forwarded-For: 10.1.1.1 (a class A private IP) to the request.
Forwarding all the way through gives 403; re-request and send it to Repeater (everything afterwards needs XFF), adding X-Forwarded-For: 10.1.1.1
The response says: Show me your Key
Accessing m4nage.php?key=1 is invalid.
The guess is that it must be submitted via POST; sending a POST gives the hint:
Key is not right, MD5(Key) === "1b4167610ba3f2ac426a68488dbd89be", and the Key is ichunqiu***, where * is in [A-Z0-9]
Write a script to brute-force the three characters, get the key, submit it, and it prompts xx00xxoo.php; accessing that gives the prompt:
Source code guess is in the x0.txt. Can you ... the Key
The AUTHCODE(flag) is 1b30q3dC/mR3412z3EXCCSNJrkEtPgDUf/vBP5vnsRoboLqsZ6qM+ewE1b1l5tpgpUlvI62WZxJIWRExy0y+lgQrI3Iv6Lc
Accessing x0.txt yields some PHP source.
Copy the PHP into a local environment; the function signature is authcode($string, $operation = 'DECODE', $key = '', $expiry = 0)
Append at the end: echo authcode('1b30q3dC/mR3412z3EXCCSNJrkEtPgDUf/vBP5vnsRoboLqsZ6qM+ewE1b1l5tpgpUlvI62WZxJIWRExy0y+lgQrI3Iv6Lc', 'DECODE', 'ichunqiu105'); (the key here is the one brute-forced earlier)
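The m4nage.php gate above opens for anyone who sends X-Forwarded-For: 10.1.1.1, because it trusts the header as the client address. The following is an added example, not code from the challenge or from the original notes: it contrasts that weak check with a resolver that only honours X-Forwarded-For when the direct peer is a known reverse proxy. The proxy address 10.0.0.2 and the sample requests are constructed assumptions.

```python
import ipaddress
from typing import Mapping, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed deployment: one reverse proxy in front of the app, internal range 10/8.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def weak_is_internal(headers: Mapping[str, str], peer_ip: str) -> bool:
    """The behaviour seen in the challenge: the left-most XFF hop is taken at
    face value, so any client can claim an internal address."""
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    try:
        return ipaddress.ip_address(claimed) in INTERNAL_NET
    except ValueError:
        return False


def client_ip(headers: Mapping[str, str], peer_ip: str) -> Optional[IPAddr]:
    """Resolve the real client address. X-Forwarded-For is consulted only when
    the TCP peer is a trusted proxy; the chain is walked from the right and the
    first hop that is not a trusted proxy is the client. Returns None when the
    address cannot be established (malformed hop, or only proxies seen)."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    candidate: Optional[IPAddr] = None
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # fail closed on garbage in the chain
        candidate = addr
        if addr not in TRUSTED_PROXIES:
            break
    if candidate is None or candidate in TRUSTED_PROXIES:
        return None
    return candidate


def hardened_is_internal(headers: Mapping[str, str], peer_ip: str) -> bool:
    """Gate decision based on the resolved client, denying when unresolved."""
    addr = client_ip(headers, peer_ip)
    return addr is not None and addr in INTERNAL_NET
```

With a direct connection from 203.0.113.7 carrying X-Forwarded-For: 10.1.1.1, weak_is_internal returns True while hardened_is_internal returns False; the same header sent through the proxy is reduced to the address the proxy appended.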


Origin www.cnblogs.com/5h4d0w/p/11920650.html