Contents
[CISCN2019 East-South China Regional] Web11
[BJDCTF2020]EasySearch
[De1CTF 2019]SSRF Me
[CSCCTF 2019 Qual]FlaskLight
Template injection with globals filtered, bypass by string concatenation
[HITCON 2017]SSRFme
[RootersCTF2019]I_
Both methods work, lipsum
[CISCN2019 East-South China Regional] Web11
Opening the page, it looks familiar; I have probably done a similar challenge before, one where the injection goes through the IP.
The Smarty template injection hint is given at the bottom.
The displayed value changes as my X-Forwarded-For header changes, so use the if tag:
{if system('cat /flag')}{/if}
[BJDCTF2020]EasySearch
Opening the page source, nothing is found; trying universal-password logins and the like only returns fail.
So try scanning directories: index.php.swp is found, then open it.
That gives the page source. Reading the code, as long as the first six characters of the password's MD5 are 6d0bc1, the login succeeds.
So build a script:
2020666
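The login check described above compares only a six-character (24-bit) hash prefix, so any candidate whose MD5 happens to begin with 6d0bc1 is accepted. The following is an added example, not the writeup's own script: it re-implements the leaked check in Python and enumerates decimal candidates until one passes. The starting value 2020000 is an assumption (the writeup does not show its search range); the prefix 6d0bc1 is the one quoted from index.php.swp.

```python
import hashlib

# Prefix quoted from the leaked index.php.swp: the check compares only
# the first six hex characters of md5(password) against it.
TARGET_PREFIX = "6d0bc1"


def md5_hex(value: str) -> str:
    """Hex digest of MD5 over the UTF-8 bytes of value."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def prefix_check_passes(password: str, prefix: str = TARGET_PREFIX) -> bool:
    """Re-implementation of the leaked login test: only a hash prefix is compared."""
    return md5_hex(password)[:len(prefix)] == prefix


def expected_tries(prefix: str) -> int:
    """Average number of random candidates needed to hit a given hex prefix (16^len)."""
    return 16 ** len(prefix)


def find_password(prefix: str = TARGET_PREFIX, start: int = 2020000,
                  max_tries: int = 1_000_000):
    """Enumerate decimal strings from `start` and return the first one the check accepts.

    `start` is an assumption (the writeup's script range is not shown); the point is
    that a 24-bit prefix match costs at most a few seconds on one CPU core.
    """
    for n in range(start, start + max_tries):
        candidate = str(n)
        if prefix_check_passes(candidate, prefix):
            return candidate
    return None


if __name__ == "__main__":
    hit = find_password()
    print(hit, md5_hex(hit) if hit else None)
```

`expected_tries("6d0bc1")` is 16^6, about 16.7 million, which is why a prefix comparison of a fast unsalted hash is no authentication at all; the defensive fix is a full-length comparison of a slow password hash, not a longer prefix.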
Pages like this usually have SSTI; it might be at the cxk field or at the ip field.
Searching for information on shtml, a supplement on what SSI injection is: SSI injection, in full Server-Side Includes Injection, abuses SSI, which gives static HTML pages dynamic behaviour by executing commands through SSI directives and returning the corresponding result. When .stm, .shtm or .shtml files are found in the site directory, or the page shows
{$what}
Welcome, {{username}}
{%$a%}
SSI injection is likely. The injection format used here is: .
username=&password=2020666
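Since SSI directives are parsed out of the page body, the risk is that user input reflected into a .shtml page reaches the include processor verbatim. The following is an added example, not code from the challenge: it detects Apache-style SSI directives in input (useful for a WAF rule or a log check) and shows that HTML-escaping the reflected value is enough to keep the `<!--#` sequence from ever reaching the parser. The sample inputs are constructed.

```python
import html
import re

# Apache mod_include style directive: <!--#name attr="value" ... -->
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)\b[^>]*-->", re.IGNORECASE)


def find_ssi_directives(text: str) -> list:
    """Return the directive names (exec, include, echo, ...) found in text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def contains_ssi_directive(text: str) -> bool:
    return bool(SSI_DIRECTIVE.search(text))


def render_welcome(username: str) -> str:
    """Insert user input into a .shtml page without handing it to the SSI parser.

    html.escape turns '<', '>' and '&' into entities, so the byte sequence '<!--#'
    can never reach the server-side include processor.
    """
    return "Welcome, " + html.escape(username, quote=True)


# Constructed samples, not from the challenge
SAMPLES = {
    "plain": "alice",
    "comment": "<!-- just a comment -->",
    "echo": '<!--#echo var="DATE_LOCAL" -->',
    "exec": '<!--#exec cmd="ls" -->',
    "include": '<!--#include virtual="/footer.html" -->',
}


def scan_samples(samples=SAMPLES) -> dict:
    """Map each sample name to the SSI directives it contains."""
    return {name: find_ssi_directives(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name:8s} -> {found}")
    print(render_welcome(SAMPLES["exec"]))
```

The detector is a triage aid; the actual fix is the escaping in `render_welcome` (or disabling `exec` via Apache's `IncludesNOEXEC` option), because a blocklist regex can be bypassed while output encoding cannot.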
[De1CTF 2019]SSRF Me
Opening the page and tidying up the Python source: on the surface this is an SSRF challenge, but it is really a Python Flask code-audit challenge.
```python
#! /usr/bin/env python
# encoding=utf-8
# Python 2 source of the challenge (note `print resp` and reload(sys)).
# The copy on the page is cut off before getSign(), md5() and scan() are
# defined, so those names are unresolved in this listing.
from flask import Flask
from flask import request
import socket
import hashlib
import urllib
import sys
import os
import json
reload(sys)
sys.setdefaultencoding('latin1')

app = Flask(__name__)

secert_key = os.urandom(16)


class Task:
    def __init__(self, action, param, sign, ip):
        self.action = action
        self.param = param
        self.sign = sign
        self.sandbox = md5(ip)  # one result directory per client IP
        if(not os.path.exists(self.sandbox)):
            os.mkdir(self.sandbox)

    def Exec(self):
        result = {}
        result['code'] = 500
        if (self.checkSign()):
            # substring checks: an action containing both "scan" and "read"
            # runs both branches in one request
            if "scan" in self.action:
                tmpfile = open("./%s/result.txt" % self.sandbox, 'w')
                resp = scan(self.param)
                if (resp == "Connection Timeout"):
                    result['data'] = resp
                else:
                    print resp
                    tmpfile.write(resp)
                tmpfile.close()
                result['code'] = 200
            if "read" in self.action:
                f = open("./%s/result.txt" % self.sandbox, 'r')
                result['code'] = 200
                result['data'] = f.read()
            if result['code'] == 500:
                result['data'] = "Action Error"
        else:
            result['code'] = 500
            result['msg'] = "Sign Error"
        return result

    def checkSign(self):
        # plain == comparison of the signature
        if (getSign(self.action, self.param) == self.sign):
            return True
        else:
            return False


@app.route("/geneSign", methods=['GET', 'POST'])
def geneSign():
    # only ever signs action "scan", with a user-supplied param
    param = urllib.unquote(request.args.get("param", ""))
    action = "scan"
    return getSign(action, param)


@app.route('/De1ta', methods=['GET', 'POST'])
def challenge():
    action = urllib.unquote(request.cookies.get("acti
```
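Two things are visible in the audit even though the source is cut off before `getSign`: `/geneSign` signs only the fixed action `scan` with a caller-chosen `param`, and `Exec` dispatches on `"scan" in self.action` / `"read" in self.action`, so the action string is matched by substring and the signature is compared with `==`. The following is an added example, not the challenge's code: it contrasts a constructed concatenation-based signer (an assumption, since the page's `getSign` body is not shown) with a hardened version that signs a canonical JSON encoding with an HMAC, whitelists the action exactly, and compares in constant time.

```python
import hashlib
import hmac
import json
import os

# Key lifetime mirrors the challenge: generated once per process (assumption)
SECRET_KEY = os.urandom(16)
ALLOWED_ACTIONS = {"scan", "read"}


def weak_sign(action: str, param: str, key: bytes) -> str:
    """Constructed illustration of signing a bare concatenation.

    This is NOT the challenge's getSign (its body is cut off on the page); it
    exists to show why field boundaries matter: key+param+action has no
    separator, so ("scan","abc") and ("cscan","ab") both hash "abcscan".
    """
    return hashlib.md5(key + param.encode("utf-8") + action.encode("utf-8")).hexdigest()


def canonical(action: str, param: str) -> bytes:
    """Unambiguous encoding: JSON with sorted keys and no whitespace."""
    return json.dumps({"action": action, "param": param},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def get_sign(action: str, param: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the canonical encoding instead of a hash of a concatenation."""
    return hmac.new(key, canonical(action, param), hashlib.sha256).hexdigest()


def check_sign(action: str, param: str, sign: str, key: bytes = SECRET_KEY) -> bool:
    """Exact action whitelist plus constant-time signature comparison."""
    # exact membership, not substring: "readscan" is rejected instead of
    # running both branches as the challenge's `in` checks would
    if action not in ALLOWED_ACTIONS:
        return False
    # compare_digest instead of == avoids a timing side channel
    return hmac.compare_digest(get_sign(action, param, key), sign)


if __name__ == "__main__":
    k = b"constructed-demo-key"
    print("weak collision:", weak_sign("scan", "abc", k) == weak_sign("cscan", "ab", k))
    s = get_sign("scan", "http://example.invalid/", k)
    print("scan ok:", check_sign("scan", "http://example.invalid/", s, k))
    print("reused for read:", check_sign("read", "http://example.invalid/", s, k))
```

The action name is part of the signed message in both schemes; what the hardened version adds is that a signature minted for one (action, param) pair cannot be re-interpreted as a different pair, and that the dispatcher never accepts an action outside the whitelist.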