Last Indulgence Before School Starts
Reference
Opening the page shows it requests /check_from_google. Forge the Referer header as www.google.com and it's done.
MyFileUploader
Uploading a .php file gets blocked by the WAF:

```text
File: test
There is no .png/.jpg/.gif in that file name
```
Renaming the file to test.png.php gets past the check, and the response reports the stored path as uploads/test.png. Browsing uploads/ shows a directory listing with a folder named Don't open, which contains a .htaccess:

```apache
Options +Indexes
AddType application/x-httpd-php .cyb3r
```
That explains it: AddType maps the .cyb3r extension to the PHP handler, so uploading test.cyb3r gives a working webshell. The root cause is that the upload directory honours .htaccess (AllowOverride) and the name check appears to look for an image extension somewhere in the name rather than allowlisting the final one; the fix is an allowlist on the last extension, a server-generated filename, and AllowOverride None on the upload directory.
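An added example (not code from the writeup or the challenge) that models both halves of this bypass in Python: the weak name check reconstructed from the error message, a parser for the AddType/AddHandler lines that decide which extensions Apache hands to PHP, and the hardened validator that closes both holes. The weak check is an assumption: the server code is not shown, and whatever the real filter was, it evidently let test.cyb3r through, so that part is only illustrative.

```python
import os
import re
import secrets

IMAGE_EXTS = {".png", ".jpg", ".gif"}


def weak_name_check(filename: str) -> bool:
    """Assumed reconstruction of the WAF's test (real code not shown):
    pass if .png/.jpg/.gif appears anywhere in the name. test.png.php passes."""
    return any(ext in filename.lower() for ext in IMAGE_EXTS)


def php_extensions_from_htaccess(htaccess: str) -> set:
    """Collect every extension an .htaccess maps to PHP via
    'AddType application/x-httpd-php' or 'AddHandler application/x-httpd-php'."""
    exts = set()
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("AddType", "AddHandler") \
                and parts[1] == "application/x-httpd-php":
            for e in parts[2:]:
                exts.add(e.lower() if e.startswith(".") else "." + e.lower())
    return exts


def apache_runs_as_php(filename: str, php_exts: set) -> bool:
    """Conservative mod_mime model: flag the file if ANY dot-separated
    extension in its name is mapped to PHP. Real mod_mime also examines every
    extension (which is why multi-extension names are risky); whether a later
    extension overrides an earlier one depends on AddType vs AddHandler."""
    parts = os.path.basename(filename).lower().split(".")
    return any("." + p in php_exts for p in parts[1:] if p)


STRICT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|jpg|gif)", re.IGNORECASE)


def strict_name_check(filename: str) -> bool:
    """Hardened: no path components, exactly one extension, taken from the
    allowlist. This also rejects .htaccess and other dotfiles."""
    if filename != os.path.basename(filename):
        return False
    return STRICT_NAME.fullmatch(filename) is not None


def stored_name(filename: str) -> str:
    """Never reuse the client's name on disk: random stem + allowlisted ext."""
    if not strict_name_check(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()


if __name__ == "__main__":
    htaccess = "Options +Indexes\nAddType application/x-httpd-php .cyb3r\n"
    php_exts = php_extensions_from_htaccess(htaccess) | {".php"}
    for name in ("test.php", "test.png.php", "test.cyb3r", "avatar.png"):
        print(name, weak_name_check(name), apache_runs_as_php(name, php_exts),
              strict_name_check(name))
```

Even with the strict check, an uploaded .htaccess is only harmless if it can't be written in the first place and AllowOverride is off for that directory; the validator and the Apache configuration have to agree.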
Dictionary of obscure sorrows
The site is full of links of the form word.php?page=xxx. Requesting word.php with no parameter returns Missing RDN inside ObjectClass(document), which points to an LDAP query behind the page. A search turned up a writeup of a similar LDAP injection CTF challenge: https://lorexxar.cn/2016/02/28/ldpai/. Requesting word.php?page=*)(description=no* closes the page assertion early and appends a second one, and the response contains the flag.
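An added example (not code from the writeup or the challenge) showing what the injected page value does to the LDAP filter and how RFC 4515 escaping stops it. The filter template is an assumption: the server code is not shown, so the shape below is just a per-document lookup that reproduces the observed behaviour.

```python
import re

# Assumed template; the page only shows an error mentioning ObjectClass(document).
FILTER_TEMPLATE = "(&(objectClass=document)(page={}))"

# Characters with special meaning inside a filter assertion value (RFC 4515 s.3).
FILTER_META = "\\*()\x00"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a filter: each metacharacter becomes \\XX hex.
    Backslash is in the set, so already-escaped input is escaped again rather
    than being interpreted, which is the safe direction."""
    return "".join("\\%02x" % ord(ch) if ch in FILTER_META else ch for ch in value)


def build_filter_unsafe(page: str) -> str:
    """Plain string concatenation, as the vulnerable page presumably does."""
    return FILTER_TEMPLATE.format(page)


def build_filter_safe(page: str) -> str:
    return FILTER_TEMPLATE.format(escape_filter_value(page))


LEAF = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def leaf_assertions(ldap_filter: str) -> list:
    """Return the (attribute, value) leaves of a filter. The template has exactly
    two; a third leaf means user input broke out of the page assertion."""
    return LEAF.findall(ldap_filter)


if __name__ == "__main__":
    payload = "*)(description=no*"
    for build in (build_filter_unsafe, build_filter_safe):
        f = build(payload)
        print(build.__name__, f, leaf_assertions(f), sep="\n  ")
```

With the unsafe build, page becomes a bare wildcard and the injected (description=no*) clause selects any document whose description starts with "no"; the escaped build turns the same input into a literal value that matches nothing. If the real filter on the server has a different shape, the escaping still applies unchanged.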
hiddenDOM
View the source:

```html
<script>
var _0x3bc3=["\x6D\x61\x69\x6E\x5F\x66\x6F\x72\x6D","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x69\x6E\x70\x75\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x6E\x61\x6D\x65","\x65\x78\x70\x72\x65\x73\x73\x69\x6F\x6E","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x74\x79\x70\x65","\x74\x65\x78\x74","\x70\x6C\x61\x63\x65\x68\x6F\x6C\x64\x65\x72","\x2F\x3C\x5B\x5E\x3C\x3E\x5D\x7B\x31\x2C\x7D\x68\x69\x64\x64\x65\x6E\x5B\x5E\x3C\x3E\x5D\x7B\x31\x2C\x7D\x3E\x2F"];var _frss=document[_0x3bc3[1]](_0x3bc3[0]);var _xEger=document[_0x3bc3[3]](_0x3bc3[2]);_xEger[_0x3bc3[6]](_0x3bc3[4],_0x3bc3[5]);_xEger[_0x3bc3[6]](_0x3bc3[7],_0x3bc3[8]);_xEger[_0x3bc3[6]](_0x3bc3[9],_0x3bc3[10])
</script>
<a href='/var/www/html/flag.txt' hidden >-_-</a>
```
Prettifying the JS:

```js
var _0x3bc3 = ["main_form", "getElementById", "input", "createElement", "name", "expression", "setAttribute", "type", "text", "placeholder", "/<[^<>]{1,}hidden[^<>]{1,}>/"];
var _frss = document[_0x3bc3[1]](_0x3bc3[0]);
var _xEger = document[_0x3bc3[3]](_0x3bc3[2]);
_xEger[_0x3bc3[6]](_0x3bc3[4], _0x3bc3[5]);
_xEger[_0x3bc3[6]](_0x3bc3[7], _0x3bc3[8]);
_xEger[_0x3bc3[6]](_0x3bc3[9], _0x3bc3[10])
```
Inlining the string-array references gives:

```js
var _frss = document["getElementById"]("main_form");
var _xEger = document["createElement"]("input");
_xEger["setAttribute"]("name", "expression");
_xEger["setAttribute"]("type", "text");
_xEger["setAttribute"]("placeholder", "/<[^<>]{1,}hidden[^<>]{1,}>/");
```
So the page is effectively this form, with a second field named expression alongside target:

```html
<form action="index.php" id="main_form" style="position:sticky;">
<input type="text" name="target" placeholder="Find hidden elements (URL)" style="background-color:#d1d1d1; color:#717d85;"> <br />
<input type="submit" class="button" style="margin-top: 10px" value="Check"> <br />
<input type="text" name="expression" placeholder="/<[^<>]{1,}hidden[^<>]{1,}>/">
</form>
```
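Rather than decoding the hex escapes and substituting the array indexes by hand, the added script below (mine, not part of the writeup) performs the three steps above for any script that uses this `_0x....` string-array pattern: decode the array, inline each `_0xNAME[i]` reference, and rewrite `obj["ident"]` as `obj.ident`. The input is the script from the page, embedded as a constant.

```python
import ast
import json
import re

# The obfuscated script from the challenge page, embedded as the sample input.
SCRIPT = r'''var _0x3bc3=["\x6D\x61\x69\x6E\x5F\x66\x6F\x72\x6D","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x69\x6E\x70\x75\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x6E\x61\x6D\x65","\x65\x78\x70\x72\x65\x73\x73\x69\x6F\x6E","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x74\x79\x70\x65","\x74\x65\x78\x74","\x70\x6C\x61\x63\x65\x68\x6F\x6C\x64\x65\x72","\x2F\x3C\x5B\x5E\x3C\x3E\x5D\x7B\x31\x2C\x7D\x68\x69\x64\x64\x65\x6E\x5B\x5E\x3C\x3E\x5D\x7B\x31\x2C\x7D\x3E\x2F"];var _frss=document[_0x3bc3[1]](_0x3bc3[0]);var _xEger=document[_0x3bc3[3]](_0x3bc3[2]);_xEger[_0x3bc3[6]](_0x3bc3[4],_0x3bc3[5]);_xEger[_0x3bc3[6]](_0x3bc3[7],_0x3bc3[8]);_xEger[_0x3bc3[6]](_0x3bc3[9],_0x3bc3[10])'''

ARRAY_DECL = re.compile(r"var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];", re.S)
JS_STRING = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')


def decode_string_array(script: str):
    """Find the `var _0xNAME=[...]` declaration and decode its string literals.
    JS \\xNN and \\uNNNN escapes are also valid Python string-literal syntax,
    so ast.literal_eval decodes them without eval()."""
    m = ARRAY_DECL.search(script)
    if m is None:
        raise ValueError("no _0x string array found")
    values = [ast.literal_eval(lit) for lit in JS_STRING.findall(m.group(2))]
    return m.group(1), values


def inline_references(script: str, name: str, values: list) -> str:
    """Drop the array declaration and replace every name[i] with its literal."""
    body = script[ARRAY_DECL.search(script).end():]
    ref = re.compile(re.escape(name) + r"\[(\d+)\]")
    return ref.sub(lambda m: json.dumps(values[int(m.group(1))]), body)


def simplify_member_access(script: str) -> str:
    """obj["getElementById"] -> obj.getElementById when the key is an identifier."""
    return re.sub(r'\["([A-Za-z_$][A-Za-z0-9_$]*)"\]', r".\1", script)


def deobfuscate(script: str) -> str:
    name, values = decode_string_array(script)
    out = simplify_member_access(inline_references(script, name, values))
    # One statement per line for readability; safe here because no ';' occurs
    # inside the decoded strings.
    return re.sub(r";(?=\S)", ";\n", out).strip()


if __name__ == "__main__":
    print(deobfuscate(SCRIPT))
```

The output reads exactly like the hand-decoded version: the script builds an input named expression whose placeholder is the default regex, which is the parameter the rest of the solve depends on. For scripts with several arrays or with a rotating array the declaration regex would need to be extended.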
The default regex matches a tag that opens with <, contains hidden, and closes with >. Pointing target at the page's own URL shows the matches in the box (the first two hits only match because the word hidden appears inside an attribute value):

```html
<body background="hidden.jpg" style="background-size:cover;">
<input type="text" name="target" placeholder="Find hidden elements (URL)" style="background-color:#d1d1d1; color:#717d85;">
<a href='/var/www/html/flag.txt' hidden >
```
Changing expression to /.*/ dumps the whole fetched response, so the server fetches target itself and runs the regex over the body. Requesting target=file:///var/www/html/flag.txt&expression=/.*/ returns the flag.
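To make the last two observations concrete, an added example (mine, not the challenge's PHP) that reconstructs the server-side behaviour: fetch target, apply the user-supplied /pattern/flags expression to the body, return the matches. The constructed HTML sample stands in for the page's own source, the fetch is injected as a callable so it runs offline, the PHP-style delimited expression is an assumption about the parameter format, and the scheme check is the fix for the file:// read.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the page's own HTML (same tags the writeup shows hit).
SAMPLE_HTML = """<html>
<body background="hidden.jpg" style="background-size:cover;">
<form action="index.php" id="main_form" style="position:sticky;">
<input type="text" name="target" placeholder="Find hidden elements (URL)" style="background-color:#d1d1d1; color:#717d85;">
<input type="submit" class="button" value="Check">
</form>
<a href='/var/www/html/flag.txt' hidden >-_-</a>
</body></html>"""

DEFAULT_EXPRESSION = "/<[^<>]{1,}hidden[^<>]{1,}>/"


def parse_delimited(expression: str):
    """Split a PHP-style '/pattern/flags' string (assumed format of the
    expression parameter) into (pattern, re flags)."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", expression, re.S)
    if m is None:
        raise ValueError("expression must be /pattern/flags")
    flags = 0
    if "i" in m.group(2):
        flags |= re.I
    if "s" in m.group(2):
        flags |= re.S
    return m.group(1), flags


def find_elements(html: str, expression: str) -> list:
    """Every non-empty match of the expression in the fetched body."""
    pattern, flags = parse_delimited(expression)
    return [m.group(0) for m in re.finditer(pattern, html, flags) if m.group(0)]


def is_allowed_target(url: str) -> bool:
    """Fix for the file:// read: only absolute http(s) URLs with a host.
    urlsplit lowercases the scheme, so FILE:/// is caught too."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def handle_request(target: str, expression: str, fetch):
    """Model of the endpoint with the scheme check added. `fetch` is injected
    (url -> body) so the example runs offline; returns None on a rejected target."""
    if not is_allowed_target(target):
        return None
    return find_elements(fetch(target), expression)


if __name__ == "__main__":
    offline_fetch = lambda url: SAMPLE_HTML
    print(handle_request("http://example.com/index.php", DEFAULT_EXPRESSION, offline_fetch))
    print(handle_request("file:///var/www/html/flag.txt", "/.*/", offline_fetch))
```

Two caveats a practitioner would add: a scheme allowlist alone does not stop SSRF against internal HTTP services (the host has to be resolved and loopback or private ranges rejected, on every redirect), and a user-controlled regex needs a length cap and a match timeout so it can't be turned into a denial of service.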