MISC Traffic Analysis Challenges

# 1. Traffic Analysis 1: load the capture into Colasoft (科来) for traffic analysis

The interesting part is obviously in the HTTP request and response.

The text "select from flag" stands out, and there are `%25` sequences in it.

So the payload has been URL-encoded twice.

Decode it:

```python
from urllib.parse import unquote

# Request URI as captured. The gopher body is URL-encoded twice: every '%25'
# is a '%' that was percent-encoded a second time.
encoded_str = '/index.php?url=gopher://127.0.0.1:80/_POST%20%2Fadmin.php%20HTTP%2F1.1%250d%250aHost%3A%20localhost%3A80%250d%250aConnection%3A%20close%250d%250aContent-Type%3A%20application%2Fx-www-form-urlencoded%250d%250aContent-Length%3A%2078%250d%250a%250d%250aid%253D1%2529%2520and%2520if%2528%2528ascii%2528substr%2528%2528select%2520flag%2520from%2520flag%2529%252C1%252C1%2529%2529%253D%252740%2527%2529%252Csleep%25283%2529%252C0%2529%2520--%2520'

# First pass peels the outer layer, second pass the inner one.
decode_str = unquote(encoded_str)
dedecode_str = unquote(decode_str)
print(dedecode_str)
```

The output is:

```text
/index.php?url=gopher://127.0.0.1:80/_POST /admin.php HTTP/1.1
Host: localhost:80
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

id=1) and if((ascii(substr((select flag from flag),1,1))='40'),sleep(3),0)
```

Reading the SQL: if the ASCII code of the selected character equals 40, the query sleeps for 3 seconds.

So this is a blind SQL injection (time-based), delivered through a gopher SSRF.

# 2. Traffic Analysis 2

Load it into Colasoft.

The HTML page is fetched with a GET request.

Apply a filter:

```text
srcip=39.105.136.196 and protocol=http
```

The resulting flag is flag{17uajil}

# 3. easycap

Load it into Colasoft.

Open the packets and look: every one carries extra data containing characters.

Write the code:

```python
import pyshark

# pyshark shells out to tshark, so the path is given explicitly
# (raw string: no backslash escapes in the Windows path)
cap = pyshark.FileCapture("d5ba8f87969145059170a222f01e7883.pcap",
                          tshark_path=r"D:\Program Files\Wireshark\tshark.exe")
for pkt in cap:
    # Only the 67-byte frames carry the characters; print them back to back
    if int(pkt.length) == 67:
        # pyshark may render the payload as colon-separated hex, so strip the colons
        print(bytes.fromhex(pkt.tcp.payload.replace(':', '')).decode('utf-8'), end='')
```

Simple decoding: select the payloads, decode them and concatenate them into the output.
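As an added example (my own code, not the writeup's), here is the same length-filter-and-concatenate step done without pyshark or tshark: a minimal classic-pcap reader that walks Ethernet/IPv4/TCP frames and joins the payloads of frames of one chosen size. The capture it reads is constructed in the script itself (39 bytes of text split into 13-byte TCP segments plus noise frames); with a plain 14+20+20-byte header stack a 13-byte payload gives exactly the 67-byte frames the writeup filters on.

```python
import struct
from io import BytesIO

PCAP_MAGIC = 0xA1B2C3D4          # little-endian classic pcap, matching the "<" structs below
ETH_HDR_LEN, IPV4_HDR_LEN, TCP_HDR_LEN = 14, 20, 20


def build_tcp_frame(payload, sport=40000, dport=80):
    """Constructed Ethernet/IPv4/TCP frame with zero checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    return eth + ip


def build_pcap(frames):
    """Serialise frames into classic pcap: global header plus one record header per frame."""
    out = BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def iter_tcp_payloads(pcap_bytes):
    """Yield (frame_length, tcp_payload) for each IPv4/TCP frame, in capture order."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < ETH_HDR_LEN + IPV4_HDR_LEN:
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != 0x0800:
            continue                                  # not IPv4
        ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
        ip_total, = struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)
        if frame[ETH_HDR_LEN + 9] != 6:
            continue                                  # not TCP
        tcp_off = ETH_HDR_LEN + ihl
        if tcp_off + TCP_HDR_LEN > len(frame):
            continue                                  # truncated frame
        data_off = (frame[tcp_off + 12] >> 4) * 4
        # bound by the IP total length so Ethernet padding never leaks into the payload
        yield len(frame), frame[tcp_off + data_off:ETH_HDR_LEN + ip_total]


def reassemble_by_length(pcap_bytes, frame_len):
    """The easycap trick: keep only frames of one size and join their TCP payloads."""
    return b"".join(p for n, p in iter_tcp_payloads(pcap_bytes) if n == frame_len)


# Constructed sample: 39 bytes of text sent as 13-byte TCP segments, interleaved with noise.
SECRET = b"Hidden text: 13 bytes in every segment."
CHUNK = 13


def sample_capture():
    frames = [build_tcp_frame(b"GET / HTTP/1.0\r\n\r\n")]       # 72-byte frame, not part of the text
    for i in range(0, len(SECRET), CHUNK):
        frames.append(build_tcp_frame(SECRET[i:i + CHUNK]))   # 54 + 13 = 67-byte frame
        frames.append(build_tcp_frame(b"ACK"))                # 57-byte noise frame
    return build_pcap(frames)


if __name__ == "__main__":
    target_len = ETH_HDR_LEN + IPV4_HDR_LEN + TCP_HDR_LEN + CHUNK
    print(reassemble_by_length(sample_capture(), target_len).decode())
```

Filtering on frame length only works because every data-bearing segment here has the same size; bounding the payload slice by the IP total length matters for real captures, where short frames are padded to 60 bytes on the wire.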

# 4. Traffic Analysis

Load the capture for traffic analysis and filter on the HTTP protocol.

This is clearly a blind injection attack.

Looking at the packets: when an injection guess fails, the HTTP response packet is 661 bytes.

When the guess succeeds, the response packet is larger than 661 bytes.

So filter on that.

Write the code:

```python
import pyshark
import re

cap = pyshark.FileCapture("4d7c14206a5c4b74a0af595992bbf439.pcapng", display_filter='http',
                          tshark_path=r"D:\Program Files\Wireshark\tshark.exe")
flagit = ['.'] * 40                       # one placeholder per character position
p1 = r'flag%20limit%200,1\),(\d+),1\)'   # which character position is being probed
p2 = r',1\)\)=(\d+)%23'                  # which ASCII value it is compared against

url = None
for pkt in cap:
    if int(pkt.length) < 600:            # packets shorter than 600 bytes are requests: remember the URI and time
        time_s = pkt.sniff_time
        url = pkt.http.request_full_uri
    elif int(pkt.length) > 661 and url is not None:   # response larger than 661 bytes: the comparison was true
        k = re.findall(p1, str(url))
        d = re.findall(p2, str(url))
        if k and d:
            flagit[int(k[0]) - 1] = chr(int(d[0]))

flag = ''.join(flagit).rstrip('.')      # drop unused trailing placeholders
print(flag)
```

```text
flag{c2bbf9cecdaf656cf524d014c5bf046c}
```
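As an added example (my own code, not from the writeup), the reconstruction above can be run on plain (request URI, response size) pairs taken from a proxy or web-server log instead of a pcap, which is how a defender would usually see this boolean-based extraction after the fact. The same two patterns are used, applied after URL-decoding, and two edge cases the pcap script skips are handled: a request with no matching response, and a position for which no true answer was ever observed (shown as `?`). The probe URIs and response sizes are constructed here; the `/index.php?id=` path is an assumption.

```python
import re
from urllib.parse import unquote

FALSE_LEN = 661   # response size of a failed comparison in the capture above
# Same two patterns as the writeup, applied after URL-decoding the URI
P_POS = re.compile(r"flag limit 0,1\),(\d+),1\)")   # which character position is probed
P_VAL = re.compile(r",1\)\)=(\d+)#")                 # which ASCII value it is compared to


def make_uri(pos, val):
    """Constructed probe URI in the shape the capture shows (path /index.php is assumed)."""
    return ("/index.php?id=1%20and%20ascii(substr((select%20flag%20from%20flag"
            f"%20limit%200,1),{pos},1))={val}%23")


def constructed_exchanges(secret=b"demo{ok}", unresolved=None):
    """Constructed (request_uri, response_length) pairs: two misses then a hit per
    position; `unresolved` names a position whose hit never shows up."""
    pairs = [("/index.php?id=1", 905),        # ordinary request, large page
             (make_uri(1, 200), None)]        # probe whose response is missing
    for pos, byte in enumerate(secret, start=1):
        for guess in (byte - 2, byte + 1, byte):
            hit = guess == byte and pos != unresolved
            pairs.append((make_uri(pos, guess), 905 if hit else FALSE_LEN))
    pairs.append((make_uri(len(secret) + 1, 0), 905))   # ascii('') = 0 past the end: true
    return pairs


def reconstruct(exchanges, false_len=FALSE_LEN):
    """Rebuild the value the attacker extracted from request/response-size pairs."""
    recovered = {}
    for uri, resp_len in exchanges:
        if resp_len is None or resp_len <= false_len:
            continue                       # no reply, or the comparison was false
        decoded = unquote(uri)
        pos, val = P_POS.search(decoded), P_VAL.search(decoded)
        if not (pos and val):
            continue                       # not one of the injection probes
        ascii_val = int(val.group(1))
        # ASCII 0 means substr() ran past the end of the value: record a terminator
        recovered[int(pos.group(1))] = chr(ascii_val) if ascii_val else None
    chars = []
    for i in range(1, max(recovered, default=0) + 1):
        c = recovered.get(i, "?")          # '?' where no confirmed hit exists
        if c is None:
            break
        chars.append(c)
    return "".join(chars)


if __name__ == "__main__":
    print(reconstruct(constructed_exchanges()))
    print(reconstruct(constructed_exchanges(unresolved=5)))
```

Rather than remembering the last request URI and hoping the next packet is its response, this version needs the pairing done beforehand (a log line already has both), which is why a missing response is represented as `None` instead of silently attaching to the wrong request.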